xref: /openbmc/linux/net/wireless/nl80211.c (revision 3c6ee770) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2017	Intel Deutschland GmbH
7  * Copyright (C) 2018 Intel Corporation
8  */
9 
10 #include <linux/if.h>
11 #include <linux/module.h>
12 #include <linux/err.h>
13 #include <linux/slab.h>
14 #include <linux/list.h>
15 #include <linux/if_ether.h>
16 #include <linux/ieee80211.h>
17 #include <linux/nl80211.h>
18 #include <linux/rtnetlink.h>
19 #include <linux/netlink.h>
20 #include <linux/nospec.h>
21 #include <linux/etherdevice.h>
22 #include <net/net_namespace.h>
23 #include <net/genetlink.h>
24 #include <net/cfg80211.h>
25 #include <net/sock.h>
26 #include <net/inet_connection_sock.h>
27 #include "core.h"
28 #include "nl80211.h"
29 #include "reg.h"
30 #include "rdev-ops.h"
31 
32 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
33 				   struct genl_info *info,
34 				   struct cfg80211_crypto_settings *settings,
35 				   int cipher_limit);
36 
37 /* the netlink family */
38 static struct genl_family nl80211_fam;
39 
40 /* multicast groups */
41 enum nl80211_multicast_groups {
42 	NL80211_MCGRP_CONFIG,
43 	NL80211_MCGRP_SCAN,
44 	NL80211_MCGRP_REGULATORY,
45 	NL80211_MCGRP_MLME,
46 	NL80211_MCGRP_VENDOR,
47 	NL80211_MCGRP_NAN,
48 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
49 };
50 
51 static const struct genl_multicast_group nl80211_mcgrps[] = {
52 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
53 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
54 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
55 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
56 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
57 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
58 #ifdef CONFIG_NL80211_TESTMODE
59 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
60 #endif
61 };
62 
63 /* returns ERR_PTR values */
64 static struct wireless_dev *
65 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
66 {
67 	struct cfg80211_registered_device *rdev;
68 	struct wireless_dev *result = NULL;
69 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
70 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
71 	u64 wdev_id;
72 	int wiphy_idx = -1;
73 	int ifidx = -1;
74 
75 	ASSERT_RTNL();
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
88 		struct wireless_dev *wdev;
89 
90 		if (wiphy_net(&rdev->wiphy) != netns)
91 			continue;
92 
93 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
94 			continue;
95 
96 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
97 			if (have_ifidx && wdev->netdev &&
98 			    wdev->netdev->ifindex == ifidx) {
99 				result = wdev;
100 				break;
101 			}
102 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
103 				result = wdev;
104 				break;
105 			}
106 		}
107 
108 		if (result)
109 			break;
110 	}
111 
112 	if (result)
113 		return result;
114 	return ERR_PTR(-ENODEV);
115 }
116 
117 static struct cfg80211_registered_device *
118 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
119 {
120 	struct cfg80211_registered_device *rdev = NULL, *tmp;
121 	struct net_device *netdev;
122 
123 	ASSERT_RTNL();
124 
125 	if (!attrs[NL80211_ATTR_WIPHY] &&
126 	    !attrs[NL80211_ATTR_IFINDEX] &&
127 	    !attrs[NL80211_ATTR_WDEV])
128 		return ERR_PTR(-EINVAL);
129 
130 	if (attrs[NL80211_ATTR_WIPHY])
131 		rdev = cfg80211_rdev_by_wiphy_idx(
132 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
133 
134 	if (attrs[NL80211_ATTR_WDEV]) {
135 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
136 		struct wireless_dev *wdev;
137 		bool found = false;
138 
139 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
140 		if (tmp) {
141 			/* make sure wdev exists */
142 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
143 				if (wdev->identifier != (u32)wdev_id)
144 					continue;
145 				found = true;
146 				break;
147 			}
148 
149 			if (!found)
150 				tmp = NULL;
151 
152 			if (rdev && tmp != rdev)
153 				return ERR_PTR(-EINVAL);
154 			rdev = tmp;
155 		}
156 	}
157 
158 	if (attrs[NL80211_ATTR_IFINDEX]) {
159 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
160 
161 		netdev = __dev_get_by_index(netns, ifindex);
162 		if (netdev) {
163 			if (netdev->ieee80211_ptr)
164 				tmp = wiphy_to_rdev(
165 					netdev->ieee80211_ptr->wiphy);
166 			else
167 				tmp = NULL;
168 
169 			/* not wireless device -- return error */
170 			if (!tmp)
171 				return ERR_PTR(-EINVAL);
172 
173 			/* mismatch -- return error */
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 
177 			rdev = tmp;
178 		}
179 	}
180 
181 	if (!rdev)
182 		return ERR_PTR(-ENODEV);
183 
184 	if (netns != wiphy_net(&rdev->wiphy))
185 		return ERR_PTR(-ENODEV);
186 
187 	return rdev;
188 }
189 
190 /*
191  * This function returns a pointer to the driver
192  * that the genl_info item that is passed refers to.
193  *
194  * The result of this can be a PTR_ERR and hence must
195  * be checked with IS_ERR() for errors.
196  */
197 static struct cfg80211_registered_device *
198 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
199 {
200 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
201 }
202 
203 static int validate_ie_attr(const struct nlattr *attr,
204 			    struct netlink_ext_ack *extack)
205 {
206 	const u8 *pos;
207 	int len;
208 
209 	pos = nla_data(attr);
210 	len = nla_len(attr);
211 
212 	while (len) {
213 		u8 elemlen;
214 
215 		if (len < 2)
216 			goto error;
217 		len -= 2;
218 
219 		elemlen = pos[1];
220 		if (elemlen > len)
221 			goto error;
222 
223 		len -= elemlen;
224 		pos += 2 + elemlen;
225 	}
226 
227 	return 0;
228 error:
229 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
230 	return -EINVAL;
231 }
232 
233 /* policy for the attributes */
234 static const struct nla_policy
235 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
236 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
237 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
238 					.len = U8_MAX },
239 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
240 					     .len = U8_MAX },
241 };
242 
243 static const struct nla_policy
244 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
245 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
246 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
247 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
248 		NLA_POLICY_MAX(NLA_U8, 15),
249 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
250 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
251 		NLA_POLICY_MAX(NLA_U8, 15),
252 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
253 		NLA_POLICY_MAX(NLA_U8, 15),
254 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
255 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
256 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
257 };
258 
259 static const struct nla_policy
260 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
261 	[NL80211_PMSR_TYPE_FTM] =
262 		NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
263 				  nl80211_pmsr_ftm_req_attr_policy),
264 };
265 
266 static const struct nla_policy
267 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
268 	[NL80211_PMSR_REQ_ATTR_DATA] =
269 		NLA_POLICY_NESTED(NL80211_PMSR_TYPE_MAX,
270 				  nl80211_pmsr_req_data_policy),
271 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
272 };
273 
274 static const struct nla_policy
275 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
276 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
277 	/*
278 	 * we could specify this again to be the top-level policy,
279 	 * but that would open us up to recursion problems ...
280 	 */
281 	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
282 	[NL80211_PMSR_PEER_ATTR_REQ] =
283 		NLA_POLICY_NESTED(NL80211_PMSR_REQ_ATTR_MAX,
284 				  nl80211_pmsr_req_attr_policy),
285 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
286 };
287 
288 static const struct nla_policy
289 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
290 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
291 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
292 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
293 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
294 	[NL80211_PMSR_ATTR_PEERS] =
295 		NLA_POLICY_NESTED_ARRAY(NL80211_PMSR_PEER_ATTR_MAX,
296 					nl80211_psmr_peer_attr_policy),
297 };
298 
299 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
300 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
302 				      .len = 20-1 },
303 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
304 
305 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
306 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
307 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
308 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
309 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
310 
311 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
312 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
313 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
314 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
315 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
316 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
317 
318 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
319 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
320 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
321 
322 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
323 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
324 
325 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
326 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
327 				    .len = WLAN_MAX_KEY_LEN },
328 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
329 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
330 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
331 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
332 	[NL80211_ATTR_KEY_TYPE] =
333 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
334 
335 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
336 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
337 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
338 				       .len = IEEE80211_MAX_DATA_LEN },
339 	[NL80211_ATTR_BEACON_TAIL] =
340 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
341 				       IEEE80211_MAX_DATA_LEN),
342 	[NL80211_ATTR_STA_AID] =
343 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
344 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
345 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
346 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
347 					       .len = NL80211_MAX_SUPP_RATES },
348 	[NL80211_ATTR_STA_PLINK_ACTION] =
349 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
350 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
351 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
352 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
353 				   .len = IEEE80211_MAX_MESH_ID_LEN },
354 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
355 
356 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
357 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
358 
359 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
360 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
361 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
362 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
363 					   .len = NL80211_MAX_SUPP_RATES },
364 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
365 
366 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
367 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
368 
369 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
370 
371 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
372 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
373 						   validate_ie_attr,
374 						   IEEE80211_MAX_DATA_LEN),
375 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
376 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
377 
378 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
379 				.len = IEEE80211_MAX_SSID_LEN },
380 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
381 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
382 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
383 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
384 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
385 						  NL80211_MFP_NO,
386 						  NL80211_MFP_OPTIONAL),
387 	[NL80211_ATTR_STA_FLAGS2] = {
388 		.len = sizeof(struct nl80211_sta_flag_update),
389 	},
390 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
391 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
392 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
394 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
395 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
396 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
397 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
398 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
399 	[NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
400 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
401 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
402 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
403 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
404 				 .len = IEEE80211_MAX_DATA_LEN },
405 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
406 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
407 						   NL80211_PS_DISABLED,
408 						   NL80211_PS_ENABLED),
409 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
410 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
411 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
412 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
413 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
414 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
415 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
416 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
417 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
418 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
419 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
420 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
421 	[NL80211_ATTR_STA_PLINK_STATE] =
422 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
423 	[NL80211_ATTR_MESH_PEER_AID] =
424 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
425 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
426 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
427 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
428 	[NL80211_ATTR_HIDDEN_SSID] =
429 		NLA_POLICY_RANGE(NLA_U32,
430 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
431 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
432 	[NL80211_ATTR_IE_PROBE_RESP] =
433 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
434 				       IEEE80211_MAX_DATA_LEN),
435 	[NL80211_ATTR_IE_ASSOC_RESP] =
436 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
437 				       IEEE80211_MAX_DATA_LEN),
438 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
439 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
440 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
441 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
442 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
443 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
444 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
445 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
446 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
447 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
448 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
449 				      .len = IEEE80211_MAX_DATA_LEN },
450 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
451 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
452 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
453 		.len = NL80211_HT_CAPABILITY_LEN
454 	},
455 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
456 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
457 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
458 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
459 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
460 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
461 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
462 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
463 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
464 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
465 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
466 		NLA_POLICY_RANGE(NLA_U32,
467 				 NL80211_MESH_POWER_UNKNOWN + 1,
468 				 NL80211_MESH_POWER_MAX),
469 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
470 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
471 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
472 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
473 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
474 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
475 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
476 		.len = NL80211_VHT_CAPABILITY_LEN,
477 	},
478 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
479 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
480 				  .len = IEEE80211_MAX_DATA_LEN },
481 	[NL80211_ATTR_PEER_AID] =
482 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
483 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
484 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
485 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
486 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
487 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
488 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
489 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
490 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
491 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
492 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
493 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
494 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
495 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
496 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
497 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
498 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
499 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
500 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
501 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
502 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
503 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
504 	[NL80211_ATTR_USER_PRIO] =
505 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
506 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
507 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
508 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
509 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
510 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
511 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
512 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
513 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
514 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
516 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
517 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
518 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
519 	},
520 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
521 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
522 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
523 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
524 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
525 				    .len = FILS_MAX_KEK_LEN },
526 	[NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
527 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
528 	[NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
529 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
530 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
531 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
532 	},
533 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
534 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
535 					     .len = FILS_ERP_MAX_USERNAME_LEN },
536 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
537 					  .len = FILS_ERP_MAX_REALM_LEN },
538 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
539 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
540 					.len = FILS_ERP_MAX_RRK_LEN },
541 	[NL80211_ATTR_FILS_CACHE_ID] = { .len = 2 },
542 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
543 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
544 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
545 
546 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
547 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
548 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
549 	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
550 					 .len = NL80211_HE_MAX_CAPABILITY_LEN },
551 
552 	[NL80211_ATTR_FTM_RESPONDER] = {
553 		.type = NLA_NESTED,
554 		.validation_data = nl80211_ftm_responder_policy,
555 	},
556 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
557 	[NL80211_ATTR_PEER_MEASUREMENTS] =
558 		NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
559 				  nl80211_pmsr_attr_policy),
560 };
561 
562 /* policy for the key attributes */
563 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
564 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
565 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
566 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
567 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
568 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
569 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
570 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
571 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
572 };
573 
574 /* policy for the key default flags */
575 static const struct nla_policy
576 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
577 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
578 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
579 };
580 
581 #ifdef CONFIG_PM
582 /* policy for WoWLAN attributes */
583 static const struct nla_policy
584 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
585 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
586 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
587 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
588 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
589 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
590 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
591 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
592 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
593 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
594 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
595 };
596 
597 static const struct nla_policy
598 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
599 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
600 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
601 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
602 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
603 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
604 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
605 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
606 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
607 	},
608 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
609 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
610 	},
611 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
612 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
613 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
614 };
615 #endif /* CONFIG_PM */
616 
617 /* policy for coalesce rule attributes */
618 static const struct nla_policy
619 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
620 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
621 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
622 		NLA_POLICY_RANGE(NLA_U32,
623 				 NL80211_COALESCE_CONDITION_MATCH,
624 				 NL80211_COALESCE_CONDITION_NO_MATCH),
625 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
626 };
627 
628 /* policy for GTK rekey offload attributes */
629 static const struct nla_policy
630 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
631 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
632 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
633 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
634 };
635 
636 static const struct nla_policy
637 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
638 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
639 						 .len = IEEE80211_MAX_SSID_LEN },
640 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = { .len = ETH_ALEN },
641 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
642 };
643 
644 static const struct nla_policy
645 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
646 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
647 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
648 };
649 
650 static const struct nla_policy
651 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
652 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
653 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
654 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
655 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
656 	},
657 };
658 
659 /* policy for NAN function attributes */
660 static const struct nla_policy
661 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
662 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
663 	[NL80211_NAN_FUNC_SERVICE_ID] = {
664 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
665 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
666 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
667 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
668 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
669 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
670 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
671 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
672 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
673 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
674 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
675 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
676 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
677 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
678 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
679 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
680 };
681 
682 /* policy for Service Response Filter attributes */
683 static const struct nla_policy
684 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
685 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
686 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
687 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
688 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
689 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
690 };
691 
692 /* policy for packet pattern attributes */
693 static const struct nla_policy
694 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
695 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
696 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
697 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
698 };
699 
700 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
701 			      struct cfg80211_registered_device **rdev,
702 			      struct wireless_dev **wdev)
703 {
704 	int err;
705 
706 	if (!cb->args[0]) {
707 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
708 				  genl_family_attrbuf(&nl80211_fam),
709 				  nl80211_fam.maxattr, nl80211_policy, NULL);
710 		if (err)
711 			return err;
712 
713 		*wdev = __cfg80211_wdev_from_attrs(
714 					sock_net(cb->skb->sk),
715 					genl_family_attrbuf(&nl80211_fam));
716 		if (IS_ERR(*wdev))
717 			return PTR_ERR(*wdev);
718 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
719 		/* 0 is the first index - add 1 to parse only once */
720 		cb->args[0] = (*rdev)->wiphy_idx + 1;
721 		cb->args[1] = (*wdev)->identifier;
722 	} else {
723 		/* subtract the 1 again here */
724 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
725 		struct wireless_dev *tmp;
726 
727 		if (!wiphy)
728 			return -ENODEV;
729 		*rdev = wiphy_to_rdev(wiphy);
730 		*wdev = NULL;
731 
732 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
733 			if (tmp->identifier == cb->args[1]) {
734 				*wdev = tmp;
735 				break;
736 			}
737 		}
738 
739 		if (!*wdev)
740 			return -ENODEV;
741 	}
742 
743 	return 0;
744 }
745 
746 /* message building helper */
747 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
748 		     int flags, u8 cmd)
749 {
750 	/* since there is no private header just add the generic one */
751 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
752 }
753 
754 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
755 				     const struct ieee80211_reg_rule *rule)
756 {
757 	int j;
758 	struct nlattr *nl_wmm_rules =
759 		nla_nest_start(msg, NL80211_FREQUENCY_ATTR_WMM);
760 
761 	if (!nl_wmm_rules)
762 		goto nla_put_failure;
763 
764 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
765 		struct nlattr *nl_wmm_rule = nla_nest_start(msg, j);
766 
767 		if (!nl_wmm_rule)
768 			goto nla_put_failure;
769 
770 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
771 				rule->wmm_rule.client[j].cw_min) ||
772 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
773 				rule->wmm_rule.client[j].cw_max) ||
774 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
775 			       rule->wmm_rule.client[j].aifsn) ||
776 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
777 			        rule->wmm_rule.client[j].cot))
778 			goto nla_put_failure;
779 
780 		nla_nest_end(msg, nl_wmm_rule);
781 	}
782 	nla_nest_end(msg, nl_wmm_rules);
783 
784 	return 0;
785 
786 nla_put_failure:
787 	return -ENOBUFS;
788 }
789 
790 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
791 				   struct ieee80211_channel *chan,
792 				   bool large)
793 {
794 	/* Some channels must be completely excluded from the
795 	 * list to protect old user-space tools from breaking
796 	 */
797 	if (!large && chan->flags &
798 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
799 		return 0;
800 
801 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
802 			chan->center_freq))
803 		goto nla_put_failure;
804 
805 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
806 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
807 		goto nla_put_failure;
808 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
809 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
810 			goto nla_put_failure;
811 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
812 			goto nla_put_failure;
813 	}
814 	if (chan->flags & IEEE80211_CHAN_RADAR) {
815 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
816 			goto nla_put_failure;
817 		if (large) {
818 			u32 time;
819 
820 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
821 
822 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
823 					chan->dfs_state))
824 				goto nla_put_failure;
825 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
826 					time))
827 				goto nla_put_failure;
828 			if (nla_put_u32(msg,
829 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
830 					chan->dfs_cac_ms))
831 				goto nla_put_failure;
832 		}
833 	}
834 
835 	if (large) {
836 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
837 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
838 			goto nla_put_failure;
839 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
840 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
841 			goto nla_put_failure;
842 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
843 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
844 			goto nla_put_failure;
845 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
846 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
847 			goto nla_put_failure;
848 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
849 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
850 			goto nla_put_failure;
851 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
852 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
853 			goto nla_put_failure;
854 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
855 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
856 			goto nla_put_failure;
857 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
858 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
859 			goto nla_put_failure;
860 	}
861 
862 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
863 			DBM_TO_MBM(chan->max_power)))
864 		goto nla_put_failure;
865 
866 	if (large) {
867 		const struct ieee80211_reg_rule *rule =
868 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
869 
870 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
871 			if (nl80211_msg_put_wmm_rules(msg, rule))
872 				goto nla_put_failure;
873 		}
874 	}
875 
876 	return 0;
877 
878  nla_put_failure:
879 	return -ENOBUFS;
880 }
881 
882 static bool nl80211_put_txq_stats(struct sk_buff *msg,
883 				  struct cfg80211_txq_stats *txqstats,
884 				  int attrtype)
885 {
886 	struct nlattr *txqattr;
887 
888 #define PUT_TXQVAL_U32(attr, memb) do {					  \
889 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
890 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
891 		return false;						  \
892 	} while (0)
893 
894 	txqattr = nla_nest_start(msg, attrtype);
895 	if (!txqattr)
896 		return false;
897 
898 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
899 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
900 	PUT_TXQVAL_U32(FLOWS, flows);
901 	PUT_TXQVAL_U32(DROPS, drops);
902 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
903 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
904 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
905 	PUT_TXQVAL_U32(COLLISIONS, collisions);
906 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
907 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
908 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
909 	nla_nest_end(msg, txqattr);
910 
911 #undef PUT_TXQVAL_U32
912 	return true;
913 }
914 
915 /* netlink command implementations */
916 
917 struct key_parse {
918 	struct key_params p;
919 	int idx;
920 	int type;
921 	bool def, defmgmt;
922 	bool def_uni, def_multi;
923 };
924 
925 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
926 				 struct key_parse *k)
927 {
928 	struct nlattr *tb[NL80211_KEY_MAX + 1];
929 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
930 				   nl80211_key_policy, info->extack);
931 	if (err)
932 		return err;
933 
934 	k->def = !!tb[NL80211_KEY_DEFAULT];
935 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
936 
937 	if (k->def) {
938 		k->def_uni = true;
939 		k->def_multi = true;
940 	}
941 	if (k->defmgmt)
942 		k->def_multi = true;
943 
944 	if (tb[NL80211_KEY_IDX])
945 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
946 
947 	if (tb[NL80211_KEY_DATA]) {
948 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
949 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
950 	}
951 
952 	if (tb[NL80211_KEY_SEQ]) {
953 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
954 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
955 	}
956 
957 	if (tb[NL80211_KEY_CIPHER])
958 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
959 
960 	if (tb[NL80211_KEY_TYPE])
961 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
962 
963 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
964 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
965 
966 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
967 				       tb[NL80211_KEY_DEFAULT_TYPES],
968 				       nl80211_key_default_policy,
969 				       info->extack);
970 		if (err)
971 			return err;
972 
973 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
974 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
975 	}
976 
977 	return 0;
978 }
979 
980 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
981 {
982 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
983 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
984 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
985 	}
986 
987 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
988 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
989 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
990 	}
991 
992 	if (info->attrs[NL80211_ATTR_KEY_IDX])
993 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
994 
995 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
996 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
997 
998 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
999 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1000 
1001 	if (k->def) {
1002 		k->def_uni = true;
1003 		k->def_multi = true;
1004 	}
1005 	if (k->defmgmt)
1006 		k->def_multi = true;
1007 
1008 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1009 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1010 
1011 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1012 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1013 		int err = nla_parse_nested(kdt,
1014 					   NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1015 					   info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1016 					   nl80211_key_default_policy,
1017 					   info->extack);
1018 		if (err)
1019 			return err;
1020 
1021 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1022 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1023 	}
1024 
1025 	return 0;
1026 }
1027 
1028 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1029 {
1030 	int err;
1031 
1032 	memset(k, 0, sizeof(*k));
1033 	k->idx = -1;
1034 	k->type = -1;
1035 
1036 	if (info->attrs[NL80211_ATTR_KEY])
1037 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1038 	else
1039 		err = nl80211_parse_key_old(info, k);
1040 
1041 	if (err)
1042 		return err;
1043 
1044 	if (k->def && k->defmgmt) {
1045 		GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
1046 		return -EINVAL;
1047 	}
1048 
1049 	if (k->defmgmt) {
1050 		if (k->def_uni || !k->def_multi) {
1051 			GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
1052 			return -EINVAL;
1053 		}
1054 	}
1055 
1056 	if (k->idx != -1) {
1057 		if (k->defmgmt) {
1058 			if (k->idx < 4 || k->idx > 5) {
1059 				GENL_SET_ERR_MSG(info,
1060 						 "defmgmt key idx not 4 or 5");
1061 				return -EINVAL;
1062 			}
1063 		} else if (k->def) {
1064 			if (k->idx < 0 || k->idx > 3) {
1065 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1066 				return -EINVAL;
1067 			}
1068 		} else {
1069 			if (k->idx < 0 || k->idx > 5) {
1070 				GENL_SET_ERR_MSG(info, "key idx not 0-5");
1071 				return -EINVAL;
1072 			}
1073 		}
1074 	}
1075 
1076 	return 0;
1077 }
1078 
1079 static struct cfg80211_cached_keys *
1080 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1081 		       struct genl_info *info, bool *no_ht)
1082 {
1083 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1084 	struct key_parse parse;
1085 	struct nlattr *key;
1086 	struct cfg80211_cached_keys *result;
1087 	int rem, err, def = 0;
1088 	bool have_key = false;
1089 
1090 	nla_for_each_nested(key, keys, rem) {
1091 		have_key = true;
1092 		break;
1093 	}
1094 
1095 	if (!have_key)
1096 		return NULL;
1097 
1098 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1099 	if (!result)
1100 		return ERR_PTR(-ENOMEM);
1101 
1102 	result->def = -1;
1103 
1104 	nla_for_each_nested(key, keys, rem) {
1105 		memset(&parse, 0, sizeof(parse));
1106 		parse.idx = -1;
1107 
1108 		err = nl80211_parse_key_new(info, key, &parse);
1109 		if (err)
1110 			goto error;
1111 		err = -EINVAL;
1112 		if (!parse.p.key)
1113 			goto error;
1114 		if (parse.idx < 0 || parse.idx > 3) {
1115 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1116 			goto error;
1117 		}
1118 		if (parse.def) {
1119 			if (def) {
1120 				GENL_SET_ERR_MSG(info,
1121 						 "only one key can be default");
1122 				goto error;
1123 			}
1124 			def = 1;
1125 			result->def = parse.idx;
1126 			if (!parse.def_uni || !parse.def_multi)
1127 				goto error;
1128 		} else if (parse.defmgmt)
1129 			goto error;
1130 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1131 						     parse.idx, false, NULL);
1132 		if (err)
1133 			goto error;
1134 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1135 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1136 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1137 			err = -EINVAL;
1138 			goto error;
1139 		}
1140 		result->params[parse.idx].cipher = parse.p.cipher;
1141 		result->params[parse.idx].key_len = parse.p.key_len;
1142 		result->params[parse.idx].key = result->data[parse.idx];
1143 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1144 
1145 		/* must be WEP key if we got here */
1146 		if (no_ht)
1147 			*no_ht = true;
1148 	}
1149 
1150 	if (result->def < 0) {
1151 		err = -EINVAL;
1152 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1153 		goto error;
1154 	}
1155 
1156 	return result;
1157  error:
1158 	kfree(result);
1159 	return ERR_PTR(err);
1160 }
1161 
1162 static int nl80211_key_allowed(struct wireless_dev *wdev)
1163 {
1164 	ASSERT_WDEV_LOCK(wdev);
1165 
1166 	switch (wdev->iftype) {
1167 	case NL80211_IFTYPE_AP:
1168 	case NL80211_IFTYPE_AP_VLAN:
1169 	case NL80211_IFTYPE_P2P_GO:
1170 	case NL80211_IFTYPE_MESH_POINT:
1171 		break;
1172 	case NL80211_IFTYPE_ADHOC:
1173 	case NL80211_IFTYPE_STATION:
1174 	case NL80211_IFTYPE_P2P_CLIENT:
1175 		if (!wdev->current_bss)
1176 			return -ENOLINK;
1177 		break;
1178 	case NL80211_IFTYPE_UNSPECIFIED:
1179 	case NL80211_IFTYPE_OCB:
1180 	case NL80211_IFTYPE_MONITOR:
1181 	case NL80211_IFTYPE_NAN:
1182 	case NL80211_IFTYPE_P2P_DEVICE:
1183 	case NL80211_IFTYPE_WDS:
1184 	case NUM_NL80211_IFTYPES:
1185 		return -EINVAL;
1186 	}
1187 
1188 	return 0;
1189 }
1190 
1191 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1192 							struct nlattr *tb)
1193 {
1194 	struct ieee80211_channel *chan;
1195 
1196 	if (tb == NULL)
1197 		return NULL;
1198 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1199 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1200 		return NULL;
1201 	return chan;
1202 }
1203 
1204 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1205 {
1206 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
1207 	int i;
1208 
1209 	if (!nl_modes)
1210 		goto nla_put_failure;
1211 
1212 	i = 0;
1213 	while (ifmodes) {
1214 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1215 			goto nla_put_failure;
1216 		ifmodes >>= 1;
1217 		i++;
1218 	}
1219 
1220 	nla_nest_end(msg, nl_modes);
1221 	return 0;
1222 
1223 nla_put_failure:
1224 	return -ENOBUFS;
1225 }
1226 
1227 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1228 					  struct sk_buff *msg,
1229 					  bool large)
1230 {
1231 	struct nlattr *nl_combis;
1232 	int i, j;
1233 
1234 	nl_combis = nla_nest_start(msg,
1235 				NL80211_ATTR_INTERFACE_COMBINATIONS);
1236 	if (!nl_combis)
1237 		goto nla_put_failure;
1238 
1239 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1240 		const struct ieee80211_iface_combination *c;
1241 		struct nlattr *nl_combi, *nl_limits;
1242 
1243 		c = &wiphy->iface_combinations[i];
1244 
1245 		nl_combi = nla_nest_start(msg, i + 1);
1246 		if (!nl_combi)
1247 			goto nla_put_failure;
1248 
1249 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
1250 		if (!nl_limits)
1251 			goto nla_put_failure;
1252 
1253 		for (j = 0; j < c->n_limits; j++) {
1254 			struct nlattr *nl_limit;
1255 
1256 			nl_limit = nla_nest_start(msg, j + 1);
1257 			if (!nl_limit)
1258 				goto nla_put_failure;
1259 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1260 					c->limits[j].max))
1261 				goto nla_put_failure;
1262 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1263 						c->limits[j].types))
1264 				goto nla_put_failure;
1265 			nla_nest_end(msg, nl_limit);
1266 		}
1267 
1268 		nla_nest_end(msg, nl_limits);
1269 
1270 		if (c->beacon_int_infra_match &&
1271 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1272 			goto nla_put_failure;
1273 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1274 				c->num_different_channels) ||
1275 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1276 				c->max_interfaces))
1277 			goto nla_put_failure;
1278 		if (large &&
1279 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1280 				c->radar_detect_widths) ||
1281 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1282 				c->radar_detect_regions)))
1283 			goto nla_put_failure;
1284 		if (c->beacon_int_min_gcd &&
1285 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1286 				c->beacon_int_min_gcd))
1287 			goto nla_put_failure;
1288 
1289 		nla_nest_end(msg, nl_combi);
1290 	}
1291 
1292 	nla_nest_end(msg, nl_combis);
1293 
1294 	return 0;
1295 nla_put_failure:
1296 	return -ENOBUFS;
1297 }
1298 
1299 #ifdef CONFIG_PM
1300 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1301 					struct sk_buff *msg)
1302 {
1303 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1304 	struct nlattr *nl_tcp;
1305 
1306 	if (!tcp)
1307 		return 0;
1308 
1309 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1310 	if (!nl_tcp)
1311 		return -ENOBUFS;
1312 
1313 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1314 			tcp->data_payload_max))
1315 		return -ENOBUFS;
1316 
1317 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1318 			tcp->data_payload_max))
1319 		return -ENOBUFS;
1320 
1321 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1322 		return -ENOBUFS;
1323 
1324 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1325 				sizeof(*tcp->tok), tcp->tok))
1326 		return -ENOBUFS;
1327 
1328 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1329 			tcp->data_interval_max))
1330 		return -ENOBUFS;
1331 
1332 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1333 			tcp->wake_payload_max))
1334 		return -ENOBUFS;
1335 
1336 	nla_nest_end(msg, nl_tcp);
1337 	return 0;
1338 }
1339 
1340 static int nl80211_send_wowlan(struct sk_buff *msg,
1341 			       struct cfg80211_registered_device *rdev,
1342 			       bool large)
1343 {
1344 	struct nlattr *nl_wowlan;
1345 
1346 	if (!rdev->wiphy.wowlan)
1347 		return 0;
1348 
1349 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1350 	if (!nl_wowlan)
1351 		return -ENOBUFS;
1352 
1353 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1354 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1355 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1356 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1357 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1358 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1359 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1360 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1361 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1362 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1363 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1364 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1365 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1366 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1367 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1368 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1369 		return -ENOBUFS;
1370 
1371 	if (rdev->wiphy.wowlan->n_patterns) {
1372 		struct nl80211_pattern_support pat = {
1373 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1374 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1375 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1376 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1377 		};
1378 
1379 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1380 			    sizeof(pat), &pat))
1381 			return -ENOBUFS;
1382 	}
1383 
1384 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1385 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1386 			rdev->wiphy.wowlan->max_nd_match_sets))
1387 		return -ENOBUFS;
1388 
1389 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1390 		return -ENOBUFS;
1391 
1392 	nla_nest_end(msg, nl_wowlan);
1393 
1394 	return 0;
1395 }
1396 #endif
1397 
1398 static int nl80211_send_coalesce(struct sk_buff *msg,
1399 				 struct cfg80211_registered_device *rdev)
1400 {
1401 	struct nl80211_coalesce_rule_support rule;
1402 
1403 	if (!rdev->wiphy.coalesce)
1404 		return 0;
1405 
1406 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1407 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1408 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1409 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1410 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1411 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1412 
1413 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1414 		return -ENOBUFS;
1415 
1416 	return 0;
1417 }
1418 
1419 static int
1420 nl80211_send_iftype_data(struct sk_buff *msg,
1421 			 const struct ieee80211_sband_iftype_data *iftdata)
1422 {
1423 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1424 
1425 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1426 				iftdata->types_mask))
1427 		return -ENOBUFS;
1428 
1429 	if (he_cap->has_he) {
1430 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1431 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1432 			    he_cap->he_cap_elem.mac_cap_info) ||
1433 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1434 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1435 			    he_cap->he_cap_elem.phy_cap_info) ||
1436 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1437 			    sizeof(he_cap->he_mcs_nss_supp),
1438 			    &he_cap->he_mcs_nss_supp) ||
1439 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1440 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1441 			return -ENOBUFS;
1442 	}
1443 
1444 	return 0;
1445 }
1446 
1447 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1448 				      struct ieee80211_supported_band *sband)
1449 {
1450 	struct nlattr *nl_rates, *nl_rate;
1451 	struct ieee80211_rate *rate;
1452 	int i;
1453 
1454 	/* add HT info */
1455 	if (sband->ht_cap.ht_supported &&
1456 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1457 		     sizeof(sband->ht_cap.mcs),
1458 		     &sband->ht_cap.mcs) ||
1459 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1460 			 sband->ht_cap.cap) ||
1461 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1462 			sband->ht_cap.ampdu_factor) ||
1463 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1464 			sband->ht_cap.ampdu_density)))
1465 		return -ENOBUFS;
1466 
1467 	/* add VHT info */
1468 	if (sband->vht_cap.vht_supported &&
1469 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1470 		     sizeof(sband->vht_cap.vht_mcs),
1471 		     &sband->vht_cap.vht_mcs) ||
1472 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1473 			 sband->vht_cap.cap)))
1474 		return -ENOBUFS;
1475 
1476 	if (sband->n_iftype_data) {
1477 		struct nlattr *nl_iftype_data =
1478 			nla_nest_start(msg, NL80211_BAND_ATTR_IFTYPE_DATA);
1479 		int err;
1480 
1481 		if (!nl_iftype_data)
1482 			return -ENOBUFS;
1483 
1484 		for (i = 0; i < sband->n_iftype_data; i++) {
1485 			struct nlattr *iftdata;
1486 
1487 			iftdata = nla_nest_start(msg, i + 1);
1488 			if (!iftdata)
1489 				return -ENOBUFS;
1490 
1491 			err = nl80211_send_iftype_data(msg,
1492 						       &sband->iftype_data[i]);
1493 			if (err)
1494 				return err;
1495 
1496 			nla_nest_end(msg, iftdata);
1497 		}
1498 
1499 		nla_nest_end(msg, nl_iftype_data);
1500 	}
1501 
1502 	/* add bitrates */
1503 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1504 	if (!nl_rates)
1505 		return -ENOBUFS;
1506 
1507 	for (i = 0; i < sband->n_bitrates; i++) {
1508 		nl_rate = nla_nest_start(msg, i);
1509 		if (!nl_rate)
1510 			return -ENOBUFS;
1511 
1512 		rate = &sband->bitrates[i];
1513 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1514 				rate->bitrate))
1515 			return -ENOBUFS;
1516 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1517 		    nla_put_flag(msg,
1518 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1519 			return -ENOBUFS;
1520 
1521 		nla_nest_end(msg, nl_rate);
1522 	}
1523 
1524 	nla_nest_end(msg, nl_rates);
1525 
1526 	return 0;
1527 }
1528 
1529 static int
1530 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1531 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1532 {
1533 	u16 stypes;
1534 	struct nlattr *nl_ftypes, *nl_ifs;
1535 	enum nl80211_iftype ift;
1536 	int i;
1537 
1538 	if (!mgmt_stypes)
1539 		return 0;
1540 
1541 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1542 	if (!nl_ifs)
1543 		return -ENOBUFS;
1544 
1545 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1546 		nl_ftypes = nla_nest_start(msg, ift);
1547 		if (!nl_ftypes)
1548 			return -ENOBUFS;
1549 		i = 0;
1550 		stypes = mgmt_stypes[ift].tx;
1551 		while (stypes) {
1552 			if ((stypes & 1) &&
1553 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1554 					(i << 4) | IEEE80211_FTYPE_MGMT))
1555 				return -ENOBUFS;
1556 			stypes >>= 1;
1557 			i++;
1558 		}
1559 		nla_nest_end(msg, nl_ftypes);
1560 	}
1561 
1562 	nla_nest_end(msg, nl_ifs);
1563 
1564 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1565 	if (!nl_ifs)
1566 		return -ENOBUFS;
1567 
1568 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1569 		nl_ftypes = nla_nest_start(msg, ift);
1570 		if (!nl_ftypes)
1571 			return -ENOBUFS;
1572 		i = 0;
1573 		stypes = mgmt_stypes[ift].rx;
1574 		while (stypes) {
1575 			if ((stypes & 1) &&
1576 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1577 					(i << 4) | IEEE80211_FTYPE_MGMT))
1578 				return -ENOBUFS;
1579 			stypes >>= 1;
1580 			i++;
1581 		}
1582 		nla_nest_end(msg, nl_ftypes);
1583 	}
1584 	nla_nest_end(msg, nl_ifs);
1585 
1586 	return 0;
1587 }
1588 
1589 #define CMD(op, n)							\
1590 	 do {								\
1591 		if (rdev->ops->op) {					\
1592 			i++;						\
1593 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1594 				goto nla_put_failure;			\
1595 		}							\
1596 	} while (0)
1597 
1598 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1599 					struct sk_buff *msg)
1600 {
1601 	int i = 0;
1602 
1603 	/*
1604 	 * do *NOT* add anything into this function, new things need to be
1605 	 * advertised only to new versions of userspace that can deal with
1606 	 * the split (and they can't possibly care about new features...
1607 	 */
1608 	CMD(add_virtual_intf, NEW_INTERFACE);
1609 	CMD(change_virtual_intf, SET_INTERFACE);
1610 	CMD(add_key, NEW_KEY);
1611 	CMD(start_ap, START_AP);
1612 	CMD(add_station, NEW_STATION);
1613 	CMD(add_mpath, NEW_MPATH);
1614 	CMD(update_mesh_config, SET_MESH_CONFIG);
1615 	CMD(change_bss, SET_BSS);
1616 	CMD(auth, AUTHENTICATE);
1617 	CMD(assoc, ASSOCIATE);
1618 	CMD(deauth, DEAUTHENTICATE);
1619 	CMD(disassoc, DISASSOCIATE);
1620 	CMD(join_ibss, JOIN_IBSS);
1621 	CMD(join_mesh, JOIN_MESH);
1622 	CMD(set_pmksa, SET_PMKSA);
1623 	CMD(del_pmksa, DEL_PMKSA);
1624 	CMD(flush_pmksa, FLUSH_PMKSA);
1625 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1626 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1627 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1628 	CMD(mgmt_tx, FRAME);
1629 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1630 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1631 		i++;
1632 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1633 			goto nla_put_failure;
1634 	}
1635 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1636 	    rdev->ops->join_mesh) {
1637 		i++;
1638 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1639 			goto nla_put_failure;
1640 	}
1641 	CMD(set_wds_peer, SET_WDS_PEER);
1642 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1643 		CMD(tdls_mgmt, TDLS_MGMT);
1644 		CMD(tdls_oper, TDLS_OPER);
1645 	}
1646 	if (rdev->wiphy.max_sched_scan_reqs)
1647 		CMD(sched_scan_start, START_SCHED_SCAN);
1648 	CMD(probe_client, PROBE_CLIENT);
1649 	CMD(set_noack_map, SET_NOACK_MAP);
1650 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1651 		i++;
1652 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1653 			goto nla_put_failure;
1654 	}
1655 	CMD(start_p2p_device, START_P2P_DEVICE);
1656 	CMD(set_mcast_rate, SET_MCAST_RATE);
1657 #ifdef CONFIG_NL80211_TESTMODE
1658 	CMD(testmode_cmd, TESTMODE);
1659 #endif
1660 
1661 	if (rdev->ops->connect || rdev->ops->auth) {
1662 		i++;
1663 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1664 			goto nla_put_failure;
1665 	}
1666 
1667 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1668 		i++;
1669 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1670 			goto nla_put_failure;
1671 	}
1672 
1673 	return i;
1674  nla_put_failure:
1675 	return -ENOBUFS;
1676 }
1677 
1678 static int
1679 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1680 			   struct sk_buff *msg)
1681 {
1682 	struct nlattr *ftm;
1683 
1684 	if (!cap->ftm.supported)
1685 		return 0;
1686 
1687 	ftm = nla_nest_start(msg, NL80211_PMSR_TYPE_FTM);
1688 	if (!ftm)
1689 		return -ENOBUFS;
1690 
1691 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1692 		return -ENOBUFS;
1693 	if (cap->ftm.non_asap &&
1694 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1695 		return -ENOBUFS;
1696 	if (cap->ftm.request_lci &&
1697 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1698 		return -ENOBUFS;
1699 	if (cap->ftm.request_civicloc &&
1700 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1701 		return -ENOBUFS;
1702 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1703 			cap->ftm.preambles))
1704 		return -ENOBUFS;
1705 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1706 			cap->ftm.bandwidths))
1707 		return -ENOBUFS;
1708 	if (cap->ftm.max_bursts_exponent >= 0 &&
1709 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1710 			cap->ftm.max_bursts_exponent))
1711 		return -ENOBUFS;
1712 	if (cap->ftm.max_ftms_per_burst &&
1713 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1714 			cap->ftm.max_ftms_per_burst))
1715 		return -ENOBUFS;
1716 
1717 	nla_nest_end(msg, ftm);
1718 	return 0;
1719 }
1720 
1721 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1722 				  struct sk_buff *msg)
1723 {
1724 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1725 	struct nlattr *pmsr, *caps;
1726 
1727 	if (!cap)
1728 		return 0;
1729 
1730 	/*
1731 	 * we don't need to clean up anything here since the caller
1732 	 * will genlmsg_cancel() if we fail
1733 	 */
1734 
1735 	pmsr = nla_nest_start(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1736 	if (!pmsr)
1737 		return -ENOBUFS;
1738 
1739 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1740 		return -ENOBUFS;
1741 
1742 	if (cap->report_ap_tsf &&
1743 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1744 		return -ENOBUFS;
1745 
1746 	if (cap->randomize_mac_addr &&
1747 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1748 		return -ENOBUFS;
1749 
1750 	caps = nla_nest_start(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1751 	if (!caps)
1752 		return -ENOBUFS;
1753 
1754 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1755 		return -ENOBUFS;
1756 
1757 	nla_nest_end(msg, caps);
1758 	nla_nest_end(msg, pmsr);
1759 
1760 	return 0;
1761 }
1762 
1763 struct nl80211_dump_wiphy_state {
1764 	s64 filter_wiphy;
1765 	long start;
1766 	long split_start, band_start, chan_start, capa_start;
1767 	bool split;
1768 };
1769 
1770 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1771 			      enum nl80211_commands cmd,
1772 			      struct sk_buff *msg, u32 portid, u32 seq,
1773 			      int flags, struct nl80211_dump_wiphy_state *state)
1774 {
1775 	void *hdr;
1776 	struct nlattr *nl_bands, *nl_band;
1777 	struct nlattr *nl_freqs, *nl_freq;
1778 	struct nlattr *nl_cmds;
1779 	enum nl80211_band band;
1780 	struct ieee80211_channel *chan;
1781 	int i;
1782 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1783 				rdev->wiphy.mgmt_stypes;
1784 	u32 features;
1785 
1786 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1787 	if (!hdr)
1788 		return -ENOBUFS;
1789 
1790 	if (WARN_ON(!state))
1791 		return -EINVAL;
1792 
1793 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1794 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1795 			   wiphy_name(&rdev->wiphy)) ||
1796 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1797 			cfg80211_rdev_list_generation))
1798 		goto nla_put_failure;
1799 
1800 	if (cmd != NL80211_CMD_NEW_WIPHY)
1801 		goto finish;
1802 
1803 	switch (state->split_start) {
1804 	case 0:
1805 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1806 			       rdev->wiphy.retry_short) ||
1807 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1808 			       rdev->wiphy.retry_long) ||
1809 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1810 				rdev->wiphy.frag_threshold) ||
1811 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1812 				rdev->wiphy.rts_threshold) ||
1813 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1814 			       rdev->wiphy.coverage_class) ||
1815 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1816 			       rdev->wiphy.max_scan_ssids) ||
1817 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1818 			       rdev->wiphy.max_sched_scan_ssids) ||
1819 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1820 				rdev->wiphy.max_scan_ie_len) ||
1821 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1822 				rdev->wiphy.max_sched_scan_ie_len) ||
1823 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1824 			       rdev->wiphy.max_match_sets) ||
1825 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1826 				rdev->wiphy.max_sched_scan_plans) ||
1827 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1828 				rdev->wiphy.max_sched_scan_plan_interval) ||
1829 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1830 				rdev->wiphy.max_sched_scan_plan_iterations))
1831 			goto nla_put_failure;
1832 
1833 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1834 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1835 			goto nla_put_failure;
1836 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1837 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1838 			goto nla_put_failure;
1839 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1840 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1841 			goto nla_put_failure;
1842 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1843 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1844 			goto nla_put_failure;
1845 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1846 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1847 			goto nla_put_failure;
1848 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1849 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1850 			goto nla_put_failure;
1851 		state->split_start++;
1852 		if (state->split)
1853 			break;
1854 		/* fall through */
1855 	case 1:
1856 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1857 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1858 			    rdev->wiphy.cipher_suites))
1859 			goto nla_put_failure;
1860 
1861 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1862 			       rdev->wiphy.max_num_pmkids))
1863 			goto nla_put_failure;
1864 
1865 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1866 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1867 			goto nla_put_failure;
1868 
1869 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1870 				rdev->wiphy.available_antennas_tx) ||
1871 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1872 				rdev->wiphy.available_antennas_rx))
1873 			goto nla_put_failure;
1874 
1875 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1876 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1877 				rdev->wiphy.probe_resp_offload))
1878 			goto nla_put_failure;
1879 
1880 		if ((rdev->wiphy.available_antennas_tx ||
1881 		     rdev->wiphy.available_antennas_rx) &&
1882 		    rdev->ops->get_antenna) {
1883 			u32 tx_ant = 0, rx_ant = 0;
1884 			int res;
1885 
1886 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1887 			if (!res) {
1888 				if (nla_put_u32(msg,
1889 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1890 						tx_ant) ||
1891 				    nla_put_u32(msg,
1892 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1893 						rx_ant))
1894 					goto nla_put_failure;
1895 			}
1896 		}
1897 
1898 		state->split_start++;
1899 		if (state->split)
1900 			break;
1901 		/* fall through */
1902 	case 2:
1903 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1904 					rdev->wiphy.interface_modes))
1905 				goto nla_put_failure;
1906 		state->split_start++;
1907 		if (state->split)
1908 			break;
1909 		/* fall through */
1910 	case 3:
1911 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1912 		if (!nl_bands)
1913 			goto nla_put_failure;
1914 
1915 		for (band = state->band_start;
1916 		     band < NUM_NL80211_BANDS; band++) {
1917 			struct ieee80211_supported_band *sband;
1918 
1919 			sband = rdev->wiphy.bands[band];
1920 
1921 			if (!sband)
1922 				continue;
1923 
1924 			nl_band = nla_nest_start(msg, band);
1925 			if (!nl_band)
1926 				goto nla_put_failure;
1927 
1928 			switch (state->chan_start) {
1929 			case 0:
1930 				if (nl80211_send_band_rateinfo(msg, sband))
1931 					goto nla_put_failure;
1932 				state->chan_start++;
1933 				if (state->split)
1934 					break;
1935 				/* fall through */
1936 			default:
1937 				/* add frequencies */
1938 				nl_freqs = nla_nest_start(
1939 					msg, NL80211_BAND_ATTR_FREQS);
1940 				if (!nl_freqs)
1941 					goto nla_put_failure;
1942 
1943 				for (i = state->chan_start - 1;
1944 				     i < sband->n_channels;
1945 				     i++) {
1946 					nl_freq = nla_nest_start(msg, i);
1947 					if (!nl_freq)
1948 						goto nla_put_failure;
1949 
1950 					chan = &sband->channels[i];
1951 
1952 					if (nl80211_msg_put_channel(
1953 							msg, &rdev->wiphy, chan,
1954 							state->split))
1955 						goto nla_put_failure;
1956 
1957 					nla_nest_end(msg, nl_freq);
1958 					if (state->split)
1959 						break;
1960 				}
1961 				if (i < sband->n_channels)
1962 					state->chan_start = i + 2;
1963 				else
1964 					state->chan_start = 0;
1965 				nla_nest_end(msg, nl_freqs);
1966 			}
1967 
1968 			nla_nest_end(msg, nl_band);
1969 
1970 			if (state->split) {
1971 				/* start again here */
1972 				if (state->chan_start)
1973 					band--;
1974 				break;
1975 			}
1976 		}
1977 		nla_nest_end(msg, nl_bands);
1978 
1979 		if (band < NUM_NL80211_BANDS)
1980 			state->band_start = band + 1;
1981 		else
1982 			state->band_start = 0;
1983 
1984 		/* if bands & channels are done, continue outside */
1985 		if (state->band_start == 0 && state->chan_start == 0)
1986 			state->split_start++;
1987 		if (state->split)
1988 			break;
1989 		/* fall through */
1990 	case 4:
1991 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1992 		if (!nl_cmds)
1993 			goto nla_put_failure;
1994 
1995 		i = nl80211_add_commands_unsplit(rdev, msg);
1996 		if (i < 0)
1997 			goto nla_put_failure;
1998 		if (state->split) {
1999 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2000 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2001 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2002 				CMD(channel_switch, CHANNEL_SWITCH);
2003 			CMD(set_qos_map, SET_QOS_MAP);
2004 			if (rdev->wiphy.features &
2005 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2006 				CMD(add_tx_ts, ADD_TX_TS);
2007 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2008 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2009 		}
2010 #undef CMD
2011 
2012 		nla_nest_end(msg, nl_cmds);
2013 		state->split_start++;
2014 		if (state->split)
2015 			break;
2016 		/* fall through */
2017 	case 5:
2018 		if (rdev->ops->remain_on_channel &&
2019 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2020 		    nla_put_u32(msg,
2021 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2022 				rdev->wiphy.max_remain_on_channel_duration))
2023 			goto nla_put_failure;
2024 
2025 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2026 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2027 			goto nla_put_failure;
2028 
2029 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2030 			goto nla_put_failure;
2031 		state->split_start++;
2032 		if (state->split)
2033 			break;
2034 		/* fall through */
2035 	case 6:
2036 #ifdef CONFIG_PM
2037 		if (nl80211_send_wowlan(msg, rdev, state->split))
2038 			goto nla_put_failure;
2039 		state->split_start++;
2040 		if (state->split)
2041 			break;
2042 #else
2043 		state->split_start++;
2044 #endif
2045 		/* fall through */
2046 	case 7:
2047 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2048 					rdev->wiphy.software_iftypes))
2049 			goto nla_put_failure;
2050 
2051 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2052 						   state->split))
2053 			goto nla_put_failure;
2054 
2055 		state->split_start++;
2056 		if (state->split)
2057 			break;
2058 		/* fall through */
2059 	case 8:
2060 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2061 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2062 				rdev->wiphy.ap_sme_capa))
2063 			goto nla_put_failure;
2064 
2065 		features = rdev->wiphy.features;
2066 		/*
2067 		 * We can only add the per-channel limit information if the
2068 		 * dump is split, otherwise it makes it too big. Therefore
2069 		 * only advertise it in that case.
2070 		 */
2071 		if (state->split)
2072 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2073 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2074 			goto nla_put_failure;
2075 
2076 		if (rdev->wiphy.ht_capa_mod_mask &&
2077 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2078 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2079 			    rdev->wiphy.ht_capa_mod_mask))
2080 			goto nla_put_failure;
2081 
2082 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2083 		    rdev->wiphy.max_acl_mac_addrs &&
2084 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2085 				rdev->wiphy.max_acl_mac_addrs))
2086 			goto nla_put_failure;
2087 
2088 		/*
2089 		 * Any information below this point is only available to
2090 		 * applications that can deal with it being split. This
2091 		 * helps ensure that newly added capabilities don't break
2092 		 * older tools by overrunning their buffers.
2093 		 *
2094 		 * We still increment split_start so that in the split
2095 		 * case we'll continue with more data in the next round,
2096 		 * but break unconditionally so unsplit data stops here.
2097 		 */
2098 		state->split_start++;
2099 		break;
2100 	case 9:
2101 		if (rdev->wiphy.extended_capabilities &&
2102 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2103 			     rdev->wiphy.extended_capabilities_len,
2104 			     rdev->wiphy.extended_capabilities) ||
2105 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2106 			     rdev->wiphy.extended_capabilities_len,
2107 			     rdev->wiphy.extended_capabilities_mask)))
2108 			goto nla_put_failure;
2109 
2110 		if (rdev->wiphy.vht_capa_mod_mask &&
2111 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2112 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2113 			    rdev->wiphy.vht_capa_mod_mask))
2114 			goto nla_put_failure;
2115 
2116 		state->split_start++;
2117 		break;
2118 	case 10:
2119 		if (nl80211_send_coalesce(msg, rdev))
2120 			goto nla_put_failure;
2121 
2122 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2123 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2124 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2125 			goto nla_put_failure;
2126 
2127 		if (rdev->wiphy.max_ap_assoc_sta &&
2128 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2129 				rdev->wiphy.max_ap_assoc_sta))
2130 			goto nla_put_failure;
2131 
2132 		state->split_start++;
2133 		break;
2134 	case 11:
2135 		if (rdev->wiphy.n_vendor_commands) {
2136 			const struct nl80211_vendor_cmd_info *info;
2137 			struct nlattr *nested;
2138 
2139 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
2140 			if (!nested)
2141 				goto nla_put_failure;
2142 
2143 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2144 				info = &rdev->wiphy.vendor_commands[i].info;
2145 				if (nla_put(msg, i + 1, sizeof(*info), info))
2146 					goto nla_put_failure;
2147 			}
2148 			nla_nest_end(msg, nested);
2149 		}
2150 
2151 		if (rdev->wiphy.n_vendor_events) {
2152 			const struct nl80211_vendor_cmd_info *info;
2153 			struct nlattr *nested;
2154 
2155 			nested = nla_nest_start(msg,
2156 						NL80211_ATTR_VENDOR_EVENTS);
2157 			if (!nested)
2158 				goto nla_put_failure;
2159 
2160 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2161 				info = &rdev->wiphy.vendor_events[i];
2162 				if (nla_put(msg, i + 1, sizeof(*info), info))
2163 					goto nla_put_failure;
2164 			}
2165 			nla_nest_end(msg, nested);
2166 		}
2167 		state->split_start++;
2168 		break;
2169 	case 12:
2170 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2171 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2172 			       rdev->wiphy.max_num_csa_counters))
2173 			goto nla_put_failure;
2174 
2175 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2176 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2177 			goto nla_put_failure;
2178 
2179 		if (rdev->wiphy.max_sched_scan_reqs &&
2180 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2181 				rdev->wiphy.max_sched_scan_reqs))
2182 			goto nla_put_failure;
2183 
2184 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2185 			    sizeof(rdev->wiphy.ext_features),
2186 			    rdev->wiphy.ext_features))
2187 			goto nla_put_failure;
2188 
2189 		if (rdev->wiphy.bss_select_support) {
2190 			struct nlattr *nested;
2191 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2192 
2193 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
2194 			if (!nested)
2195 				goto nla_put_failure;
2196 
2197 			i = 0;
2198 			while (bss_select_support) {
2199 				if ((bss_select_support & 1) &&
2200 				    nla_put_flag(msg, i))
2201 					goto nla_put_failure;
2202 				i++;
2203 				bss_select_support >>= 1;
2204 			}
2205 			nla_nest_end(msg, nested);
2206 		}
2207 
2208 		state->split_start++;
2209 		break;
2210 	case 13:
2211 		if (rdev->wiphy.num_iftype_ext_capab &&
2212 		    rdev->wiphy.iftype_ext_capab) {
2213 			struct nlattr *nested_ext_capab, *nested;
2214 
2215 			nested = nla_nest_start(msg,
2216 						NL80211_ATTR_IFTYPE_EXT_CAPA);
2217 			if (!nested)
2218 				goto nla_put_failure;
2219 
2220 			for (i = state->capa_start;
2221 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2222 				const struct wiphy_iftype_ext_capab *capab;
2223 
2224 				capab = &rdev->wiphy.iftype_ext_capab[i];
2225 
2226 				nested_ext_capab = nla_nest_start(msg, i);
2227 				if (!nested_ext_capab ||
2228 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2229 						capab->iftype) ||
2230 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2231 					    capab->extended_capabilities_len,
2232 					    capab->extended_capabilities) ||
2233 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2234 					    capab->extended_capabilities_len,
2235 					    capab->extended_capabilities_mask))
2236 					goto nla_put_failure;
2237 
2238 				nla_nest_end(msg, nested_ext_capab);
2239 				if (state->split)
2240 					break;
2241 			}
2242 			nla_nest_end(msg, nested);
2243 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2244 				state->capa_start = i + 1;
2245 				break;
2246 			}
2247 		}
2248 
2249 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2250 				rdev->wiphy.nan_supported_bands))
2251 			goto nla_put_failure;
2252 
2253 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2254 					    NL80211_EXT_FEATURE_TXQS)) {
2255 			struct cfg80211_txq_stats txqstats = {};
2256 			int res;
2257 
2258 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2259 			if (!res &&
2260 			    !nl80211_put_txq_stats(msg, &txqstats,
2261 						   NL80211_ATTR_TXQ_STATS))
2262 				goto nla_put_failure;
2263 
2264 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2265 					rdev->wiphy.txq_limit))
2266 				goto nla_put_failure;
2267 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2268 					rdev->wiphy.txq_memory_limit))
2269 				goto nla_put_failure;
2270 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2271 					rdev->wiphy.txq_quantum))
2272 				goto nla_put_failure;
2273 		}
2274 
2275 		state->split_start++;
2276 		break;
2277 	case 14:
2278 		if (nl80211_send_pmsr_capa(rdev, msg))
2279 			goto nla_put_failure;
2280 
2281 		/* done */
2282 		state->split_start = 0;
2283 		break;
2284 	}
2285  finish:
2286 	genlmsg_end(msg, hdr);
2287 	return 0;
2288 
2289  nla_put_failure:
2290 	genlmsg_cancel(msg, hdr);
2291 	return -EMSGSIZE;
2292 }
2293 
2294 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2295 				    struct netlink_callback *cb,
2296 				    struct nl80211_dump_wiphy_state *state)
2297 {
2298 	struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
2299 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, tb,
2300 			      nl80211_fam.maxattr, nl80211_policy, NULL);
2301 	/* ignore parse errors for backward compatibility */
2302 	if (ret)
2303 		return 0;
2304 
2305 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2306 	if (tb[NL80211_ATTR_WIPHY])
2307 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2308 	if (tb[NL80211_ATTR_WDEV])
2309 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2310 	if (tb[NL80211_ATTR_IFINDEX]) {
2311 		struct net_device *netdev;
2312 		struct cfg80211_registered_device *rdev;
2313 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2314 
2315 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2316 		if (!netdev)
2317 			return -ENODEV;
2318 		if (netdev->ieee80211_ptr) {
2319 			rdev = wiphy_to_rdev(
2320 				netdev->ieee80211_ptr->wiphy);
2321 			state->filter_wiphy = rdev->wiphy_idx;
2322 		}
2323 	}
2324 
2325 	return 0;
2326 }
2327 
2328 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2329 {
2330 	int idx = 0, ret;
2331 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2332 	struct cfg80211_registered_device *rdev;
2333 
2334 	rtnl_lock();
2335 	if (!state) {
2336 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2337 		if (!state) {
2338 			rtnl_unlock();
2339 			return -ENOMEM;
2340 		}
2341 		state->filter_wiphy = -1;
2342 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2343 		if (ret) {
2344 			kfree(state);
2345 			rtnl_unlock();
2346 			return ret;
2347 		}
2348 		cb->args[0] = (long)state;
2349 	}
2350 
2351 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2352 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2353 			continue;
2354 		if (++idx <= state->start)
2355 			continue;
2356 		if (state->filter_wiphy != -1 &&
2357 		    state->filter_wiphy != rdev->wiphy_idx)
2358 			continue;
2359 		/* attempt to fit multiple wiphy data chunks into the skb */
2360 		do {
2361 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2362 						 skb,
2363 						 NETLINK_CB(cb->skb).portid,
2364 						 cb->nlh->nlmsg_seq,
2365 						 NLM_F_MULTI, state);
2366 			if (ret < 0) {
2367 				/*
2368 				 * If sending the wiphy data didn't fit (ENOBUFS
2369 				 * or EMSGSIZE returned), this SKB is still
2370 				 * empty (so it's not too big because another
2371 				 * wiphy dataset is already in the skb) and
2372 				 * we've not tried to adjust the dump allocation
2373 				 * yet ... then adjust the alloc size to be
2374 				 * bigger, and return 1 but with the empty skb.
2375 				 * This results in an empty message being RX'ed
2376 				 * in userspace, but that is ignored.
2377 				 *
2378 				 * We can then retry with the larger buffer.
2379 				 */
2380 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2381 				    !skb->len && !state->split &&
2382 				    cb->min_dump_alloc < 4096) {
2383 					cb->min_dump_alloc = 4096;
2384 					state->split_start = 0;
2385 					rtnl_unlock();
2386 					return 1;
2387 				}
2388 				idx--;
2389 				break;
2390 			}
2391 		} while (state->split_start > 0);
2392 		break;
2393 	}
2394 	rtnl_unlock();
2395 
2396 	state->start = idx;
2397 
2398 	return skb->len;
2399 }
2400 
2401 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2402 {
2403 	kfree((void *)cb->args[0]);
2404 	return 0;
2405 }
2406 
2407 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2408 {
2409 	struct sk_buff *msg;
2410 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2411 	struct nl80211_dump_wiphy_state state = {};
2412 
2413 	msg = nlmsg_new(4096, GFP_KERNEL);
2414 	if (!msg)
2415 		return -ENOMEM;
2416 
2417 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2418 			       info->snd_portid, info->snd_seq, 0,
2419 			       &state) < 0) {
2420 		nlmsg_free(msg);
2421 		return -ENOBUFS;
2422 	}
2423 
2424 	return genlmsg_reply(msg, info);
2425 }
2426 
2427 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2428 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2429 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2430 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2431 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2432 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2433 };
2434 
2435 static int parse_txq_params(struct nlattr *tb[],
2436 			    struct ieee80211_txq_params *txq_params)
2437 {
2438 	u8 ac;
2439 
2440 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2441 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2442 	    !tb[NL80211_TXQ_ATTR_AIFS])
2443 		return -EINVAL;
2444 
2445 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2446 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2447 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2448 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2449 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2450 
2451 	if (ac >= NL80211_NUM_ACS)
2452 		return -EINVAL;
2453 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2454 	return 0;
2455 }
2456 
2457 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2458 {
2459 	/*
2460 	 * You can only set the channel explicitly for WDS interfaces,
2461 	 * all others have their channel managed via their respective
2462 	 * "establish a connection" command (connect, join, ...)
2463 	 *
2464 	 * For AP/GO and mesh mode, the channel can be set with the
2465 	 * channel userspace API, but is only stored and passed to the
2466 	 * low-level driver when the AP starts or the mesh is joined.
2467 	 * This is for backward compatibility, userspace can also give
2468 	 * the channel in the start-ap or join-mesh commands instead.
2469 	 *
2470 	 * Monitors are special as they are normally slaved to
2471 	 * whatever else is going on, so they have their own special
2472 	 * operation to set the monitor channel if possible.
2473 	 */
2474 	return !wdev ||
2475 		wdev->iftype == NL80211_IFTYPE_AP ||
2476 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2477 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2478 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2479 }
2480 
2481 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2482 			  struct genl_info *info,
2483 			  struct cfg80211_chan_def *chandef)
2484 {
2485 	struct netlink_ext_ack *extack = info->extack;
2486 	struct nlattr **attrs = info->attrs;
2487 	u32 control_freq;
2488 
2489 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2490 		return -EINVAL;
2491 
2492 	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2493 
2494 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2495 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2496 	chandef->center_freq1 = control_freq;
2497 	chandef->center_freq2 = 0;
2498 
2499 	/* Primary channel not allowed */
2500 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2501 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2502 				    "Channel is disabled");
2503 		return -EINVAL;
2504 	}
2505 
2506 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2507 		enum nl80211_channel_type chantype;
2508 
2509 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2510 
2511 		switch (chantype) {
2512 		case NL80211_CHAN_NO_HT:
2513 		case NL80211_CHAN_HT20:
2514 		case NL80211_CHAN_HT40PLUS:
2515 		case NL80211_CHAN_HT40MINUS:
2516 			cfg80211_chandef_create(chandef, chandef->chan,
2517 						chantype);
2518 			/* user input for center_freq is incorrect */
2519 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2520 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2521 				NL_SET_ERR_MSG_ATTR(extack,
2522 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2523 						    "bad center frequency 1");
2524 				return -EINVAL;
2525 			}
2526 			/* center_freq2 must be zero */
2527 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2528 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2529 				NL_SET_ERR_MSG_ATTR(extack,
2530 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2531 						    "center frequency 2 can't be used");
2532 				return -EINVAL;
2533 			}
2534 			break;
2535 		default:
2536 			NL_SET_ERR_MSG_ATTR(extack,
2537 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2538 					    "invalid channel type");
2539 			return -EINVAL;
2540 		}
2541 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2542 		chandef->width =
2543 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2544 		if (attrs[NL80211_ATTR_CENTER_FREQ1])
2545 			chandef->center_freq1 =
2546 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2547 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2548 			chandef->center_freq2 =
2549 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2550 	}
2551 
2552 	if (!cfg80211_chandef_valid(chandef)) {
2553 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2554 		return -EINVAL;
2555 	}
2556 
2557 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2558 				     IEEE80211_CHAN_DISABLED)) {
2559 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2560 		return -EINVAL;
2561 	}
2562 
2563 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2564 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2565 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2566 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2567 		return -EINVAL;
2568 	}
2569 
2570 	return 0;
2571 }
2572 
2573 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2574 				 struct net_device *dev,
2575 				 struct genl_info *info)
2576 {
2577 	struct cfg80211_chan_def chandef;
2578 	int result;
2579 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2580 	struct wireless_dev *wdev = NULL;
2581 
2582 	if (dev)
2583 		wdev = dev->ieee80211_ptr;
2584 	if (!nl80211_can_set_dev_channel(wdev))
2585 		return -EOPNOTSUPP;
2586 	if (wdev)
2587 		iftype = wdev->iftype;
2588 
2589 	result = nl80211_parse_chandef(rdev, info, &chandef);
2590 	if (result)
2591 		return result;
2592 
2593 	switch (iftype) {
2594 	case NL80211_IFTYPE_AP:
2595 	case NL80211_IFTYPE_P2P_GO:
2596 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2597 						   iftype)) {
2598 			result = -EINVAL;
2599 			break;
2600 		}
2601 		if (wdev->beacon_interval) {
2602 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2603 			    !(rdev->wiphy.features &
2604 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2605 				result = -EBUSY;
2606 				break;
2607 			}
2608 
2609 			/* Only allow dynamic channel width changes */
2610 			if (chandef.chan != wdev->preset_chandef.chan) {
2611 				result = -EBUSY;
2612 				break;
2613 			}
2614 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2615 			if (result)
2616 				break;
2617 		}
2618 		wdev->preset_chandef = chandef;
2619 		result = 0;
2620 		break;
2621 	case NL80211_IFTYPE_MESH_POINT:
2622 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2623 		break;
2624 	case NL80211_IFTYPE_MONITOR:
2625 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2626 		break;
2627 	default:
2628 		result = -EINVAL;
2629 	}
2630 
2631 	return result;
2632 }
2633 
2634 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2635 {
2636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2637 	struct net_device *netdev = info->user_ptr[1];
2638 
2639 	return __nl80211_set_channel(rdev, netdev, info);
2640 }
2641 
2642 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2643 {
2644 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2645 	struct net_device *dev = info->user_ptr[1];
2646 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2647 	const u8 *bssid;
2648 
2649 	if (!info->attrs[NL80211_ATTR_MAC])
2650 		return -EINVAL;
2651 
2652 	if (netif_running(dev))
2653 		return -EBUSY;
2654 
2655 	if (!rdev->ops->set_wds_peer)
2656 		return -EOPNOTSUPP;
2657 
2658 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2659 		return -EOPNOTSUPP;
2660 
2661 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2662 	return rdev_set_wds_peer(rdev, dev, bssid);
2663 }
2664 
2665 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2666 {
2667 	struct cfg80211_registered_device *rdev;
2668 	struct net_device *netdev = NULL;
2669 	struct wireless_dev *wdev;
2670 	int result = 0, rem_txq_params = 0;
2671 	struct nlattr *nl_txq_params;
2672 	u32 changed;
2673 	u8 retry_short = 0, retry_long = 0;
2674 	u32 frag_threshold = 0, rts_threshold = 0;
2675 	u8 coverage_class = 0;
2676 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2677 
2678 	ASSERT_RTNL();
2679 
2680 	/*
2681 	 * Try to find the wiphy and netdev. Normally this
2682 	 * function shouldn't need the netdev, but this is
2683 	 * done for backward compatibility -- previously
2684 	 * setting the channel was done per wiphy, but now
2685 	 * it is per netdev. Previous userland like hostapd
2686 	 * also passed a netdev to set_wiphy, so that it is
2687 	 * possible to let that go to the right netdev!
2688 	 */
2689 
2690 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2691 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2692 
2693 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2694 		if (netdev && netdev->ieee80211_ptr)
2695 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2696 		else
2697 			netdev = NULL;
2698 	}
2699 
2700 	if (!netdev) {
2701 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2702 						  info->attrs);
2703 		if (IS_ERR(rdev))
2704 			return PTR_ERR(rdev);
2705 		wdev = NULL;
2706 		netdev = NULL;
2707 		result = 0;
2708 	} else
2709 		wdev = netdev->ieee80211_ptr;
2710 
2711 	/*
2712 	 * end workaround code, by now the rdev is available
2713 	 * and locked, and wdev may or may not be NULL.
2714 	 */
2715 
2716 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2717 		result = cfg80211_dev_rename(
2718 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2719 
2720 	if (result)
2721 		return result;
2722 
2723 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2724 		struct ieee80211_txq_params txq_params;
2725 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2726 
2727 		if (!rdev->ops->set_txq_params)
2728 			return -EOPNOTSUPP;
2729 
2730 		if (!netdev)
2731 			return -EINVAL;
2732 
2733 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2734 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2735 			return -EINVAL;
2736 
2737 		if (!netif_running(netdev))
2738 			return -ENETDOWN;
2739 
2740 		nla_for_each_nested(nl_txq_params,
2741 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2742 				    rem_txq_params) {
2743 			result = nla_parse_nested(tb, NL80211_TXQ_ATTR_MAX,
2744 						  nl_txq_params,
2745 						  txq_params_policy,
2746 						  info->extack);
2747 			if (result)
2748 				return result;
2749 			result = parse_txq_params(tb, &txq_params);
2750 			if (result)
2751 				return result;
2752 
2753 			result = rdev_set_txq_params(rdev, netdev,
2754 						     &txq_params);
2755 			if (result)
2756 				return result;
2757 		}
2758 	}
2759 
2760 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2761 		result = __nl80211_set_channel(
2762 			rdev,
2763 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2764 			info);
2765 		if (result)
2766 			return result;
2767 	}
2768 
2769 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2770 		struct wireless_dev *txp_wdev = wdev;
2771 		enum nl80211_tx_power_setting type;
2772 		int idx, mbm = 0;
2773 
2774 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2775 			txp_wdev = NULL;
2776 
2777 		if (!rdev->ops->set_tx_power)
2778 			return -EOPNOTSUPP;
2779 
2780 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2781 		type = nla_get_u32(info->attrs[idx]);
2782 
2783 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2784 		    (type != NL80211_TX_POWER_AUTOMATIC))
2785 			return -EINVAL;
2786 
2787 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2788 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2789 			mbm = nla_get_u32(info->attrs[idx]);
2790 		}
2791 
2792 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2793 		if (result)
2794 			return result;
2795 	}
2796 
2797 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2798 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2799 		u32 tx_ant, rx_ant;
2800 
2801 		if ((!rdev->wiphy.available_antennas_tx &&
2802 		     !rdev->wiphy.available_antennas_rx) ||
2803 		    !rdev->ops->set_antenna)
2804 			return -EOPNOTSUPP;
2805 
2806 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2807 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2808 
2809 		/* reject antenna configurations which don't match the
2810 		 * available antenna masks, except for the "all" mask */
2811 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2812 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2813 			return -EINVAL;
2814 
2815 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2816 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2817 
2818 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2819 		if (result)
2820 			return result;
2821 	}
2822 
2823 	changed = 0;
2824 
2825 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2826 		retry_short = nla_get_u8(
2827 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2828 
2829 		changed |= WIPHY_PARAM_RETRY_SHORT;
2830 	}
2831 
2832 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2833 		retry_long = nla_get_u8(
2834 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2835 
2836 		changed |= WIPHY_PARAM_RETRY_LONG;
2837 	}
2838 
2839 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2840 		frag_threshold = nla_get_u32(
2841 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2842 		if (frag_threshold < 256)
2843 			return -EINVAL;
2844 
2845 		if (frag_threshold != (u32) -1) {
2846 			/*
2847 			 * Fragments (apart from the last one) are required to
2848 			 * have even length. Make the fragmentation code
2849 			 * simpler by stripping LSB should someone try to use
2850 			 * odd threshold value.
2851 			 */
2852 			frag_threshold &= ~0x1;
2853 		}
2854 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2855 	}
2856 
2857 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2858 		rts_threshold = nla_get_u32(
2859 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2860 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2861 	}
2862 
2863 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2864 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2865 			return -EINVAL;
2866 
2867 		coverage_class = nla_get_u8(
2868 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2869 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2870 	}
2871 
2872 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2873 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2874 			return -EOPNOTSUPP;
2875 
2876 		changed |= WIPHY_PARAM_DYN_ACK;
2877 	}
2878 
2879 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2880 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2881 					     NL80211_EXT_FEATURE_TXQS))
2882 			return -EOPNOTSUPP;
2883 		txq_limit = nla_get_u32(
2884 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2885 		changed |= WIPHY_PARAM_TXQ_LIMIT;
2886 	}
2887 
2888 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2889 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2890 					     NL80211_EXT_FEATURE_TXQS))
2891 			return -EOPNOTSUPP;
2892 		txq_memory_limit = nla_get_u32(
2893 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2894 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2895 	}
2896 
2897 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2898 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2899 					     NL80211_EXT_FEATURE_TXQS))
2900 			return -EOPNOTSUPP;
2901 		txq_quantum = nla_get_u32(
2902 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2903 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
2904 	}
2905 
2906 	if (changed) {
2907 		u8 old_retry_short, old_retry_long;
2908 		u32 old_frag_threshold, old_rts_threshold;
2909 		u8 old_coverage_class;
2910 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2911 
2912 		if (!rdev->ops->set_wiphy_params)
2913 			return -EOPNOTSUPP;
2914 
2915 		old_retry_short = rdev->wiphy.retry_short;
2916 		old_retry_long = rdev->wiphy.retry_long;
2917 		old_frag_threshold = rdev->wiphy.frag_threshold;
2918 		old_rts_threshold = rdev->wiphy.rts_threshold;
2919 		old_coverage_class = rdev->wiphy.coverage_class;
2920 		old_txq_limit = rdev->wiphy.txq_limit;
2921 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2922 		old_txq_quantum = rdev->wiphy.txq_quantum;
2923 
2924 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2925 			rdev->wiphy.retry_short = retry_short;
2926 		if (changed & WIPHY_PARAM_RETRY_LONG)
2927 			rdev->wiphy.retry_long = retry_long;
2928 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2929 			rdev->wiphy.frag_threshold = frag_threshold;
2930 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2931 			rdev->wiphy.rts_threshold = rts_threshold;
2932 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2933 			rdev->wiphy.coverage_class = coverage_class;
2934 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
2935 			rdev->wiphy.txq_limit = txq_limit;
2936 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
2937 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
2938 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
2939 			rdev->wiphy.txq_quantum = txq_quantum;
2940 
2941 		result = rdev_set_wiphy_params(rdev, changed);
2942 		if (result) {
2943 			rdev->wiphy.retry_short = old_retry_short;
2944 			rdev->wiphy.retry_long = old_retry_long;
2945 			rdev->wiphy.frag_threshold = old_frag_threshold;
2946 			rdev->wiphy.rts_threshold = old_rts_threshold;
2947 			rdev->wiphy.coverage_class = old_coverage_class;
2948 			rdev->wiphy.txq_limit = old_txq_limit;
2949 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
2950 			rdev->wiphy.txq_quantum = old_txq_quantum;
2951 			return result;
2952 		}
2953 	}
2954 	return 0;
2955 }
2956 
2957 static int nl80211_send_chandef(struct sk_buff *msg,
2958 				const struct cfg80211_chan_def *chandef)
2959 {
2960 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2961 		return -EINVAL;
2962 
2963 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2964 			chandef->chan->center_freq))
2965 		return -ENOBUFS;
2966 	switch (chandef->width) {
2967 	case NL80211_CHAN_WIDTH_20_NOHT:
2968 	case NL80211_CHAN_WIDTH_20:
2969 	case NL80211_CHAN_WIDTH_40:
2970 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2971 				cfg80211_get_chandef_type(chandef)))
2972 			return -ENOBUFS;
2973 		break;
2974 	default:
2975 		break;
2976 	}
2977 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2978 		return -ENOBUFS;
2979 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2980 		return -ENOBUFS;
2981 	if (chandef->center_freq2 &&
2982 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2983 		return -ENOBUFS;
2984 	return 0;
2985 }
2986 
2987 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2988 			      struct cfg80211_registered_device *rdev,
2989 			      struct wireless_dev *wdev,
2990 			      enum nl80211_commands cmd)
2991 {
2992 	struct net_device *dev = wdev->netdev;
2993 	void *hdr;
2994 
2995 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
2996 		cmd != NL80211_CMD_DEL_INTERFACE &&
2997 		cmd != NL80211_CMD_SET_INTERFACE);
2998 
2999 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3000 	if (!hdr)
3001 		return -1;
3002 
3003 	if (dev &&
3004 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3005 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3006 		goto nla_put_failure;
3007 
3008 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3009 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3010 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3011 			      NL80211_ATTR_PAD) ||
3012 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3013 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3014 			rdev->devlist_generation ^
3015 			(cfg80211_rdev_list_generation << 2)) ||
3016 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3017 		goto nla_put_failure;
3018 
3019 	if (rdev->ops->get_channel) {
3020 		int ret;
3021 		struct cfg80211_chan_def chandef;
3022 
3023 		ret = rdev_get_channel(rdev, wdev, &chandef);
3024 		if (ret == 0) {
3025 			if (nl80211_send_chandef(msg, &chandef))
3026 				goto nla_put_failure;
3027 		}
3028 	}
3029 
3030 	if (rdev->ops->get_tx_power) {
3031 		int dbm, ret;
3032 
3033 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3034 		if (ret == 0 &&
3035 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3036 				DBM_TO_MBM(dbm)))
3037 			goto nla_put_failure;
3038 	}
3039 
3040 	wdev_lock(wdev);
3041 	switch (wdev->iftype) {
3042 	case NL80211_IFTYPE_AP:
3043 		if (wdev->ssid_len &&
3044 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3045 			goto nla_put_failure_locked;
3046 		break;
3047 	case NL80211_IFTYPE_STATION:
3048 	case NL80211_IFTYPE_P2P_CLIENT:
3049 	case NL80211_IFTYPE_ADHOC: {
3050 		const u8 *ssid_ie;
3051 		if (!wdev->current_bss)
3052 			break;
3053 		rcu_read_lock();
3054 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3055 					       WLAN_EID_SSID);
3056 		if (ssid_ie &&
3057 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3058 			goto nla_put_failure_rcu_locked;
3059 		rcu_read_unlock();
3060 		break;
3061 		}
3062 	default:
3063 		/* nothing */
3064 		break;
3065 	}
3066 	wdev_unlock(wdev);
3067 
3068 	if (rdev->ops->get_txq_stats) {
3069 		struct cfg80211_txq_stats txqstats = {};
3070 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3071 
3072 		if (ret == 0 &&
3073 		    !nl80211_put_txq_stats(msg, &txqstats,
3074 					   NL80211_ATTR_TXQ_STATS))
3075 			goto nla_put_failure;
3076 	}
3077 
3078 	genlmsg_end(msg, hdr);
3079 	return 0;
3080 
3081  nla_put_failure_rcu_locked:
3082 	rcu_read_unlock();
3083  nla_put_failure_locked:
3084 	wdev_unlock(wdev);
3085  nla_put_failure:
3086 	genlmsg_cancel(msg, hdr);
3087 	return -EMSGSIZE;
3088 }
3089 
3090 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3091 {
3092 	int wp_idx = 0;
3093 	int if_idx = 0;
3094 	int wp_start = cb->args[0];
3095 	int if_start = cb->args[1];
3096 	int filter_wiphy = -1;
3097 	struct cfg80211_registered_device *rdev;
3098 	struct wireless_dev *wdev;
3099 	int ret;
3100 
3101 	rtnl_lock();
3102 	if (!cb->args[2]) {
3103 		struct nl80211_dump_wiphy_state state = {
3104 			.filter_wiphy = -1,
3105 		};
3106 
3107 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3108 		if (ret)
3109 			goto out_unlock;
3110 
3111 		filter_wiphy = state.filter_wiphy;
3112 
3113 		/*
3114 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3115 		 * value needed to determine that parsing is necessary.
3116 		 */
3117 		if (filter_wiphy >= 0)
3118 			cb->args[2] = filter_wiphy + 1;
3119 		else
3120 			cb->args[2] = -1;
3121 	} else if (cb->args[2] > 0) {
3122 		filter_wiphy = cb->args[2] - 1;
3123 	}
3124 
3125 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3126 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3127 			continue;
3128 		if (wp_idx < wp_start) {
3129 			wp_idx++;
3130 			continue;
3131 		}
3132 
3133 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3134 			continue;
3135 
3136 		if_idx = 0;
3137 
3138 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3139 			if (if_idx < if_start) {
3140 				if_idx++;
3141 				continue;
3142 			}
3143 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3144 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3145 					       rdev, wdev,
3146 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3147 				goto out;
3148 			}
3149 			if_idx++;
3150 		}
3151 
3152 		wp_idx++;
3153 	}
3154  out:
3155 	cb->args[0] = wp_idx;
3156 	cb->args[1] = if_idx;
3157 
3158 	ret = skb->len;
3159  out_unlock:
3160 	rtnl_unlock();
3161 
3162 	return ret;
3163 }
3164 
3165 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3166 {
3167 	struct sk_buff *msg;
3168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3169 	struct wireless_dev *wdev = info->user_ptr[1];
3170 
3171 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3172 	if (!msg)
3173 		return -ENOMEM;
3174 
3175 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3176 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3177 		nlmsg_free(msg);
3178 		return -ENOBUFS;
3179 	}
3180 
3181 	return genlmsg_reply(msg, info);
3182 }
3183 
3184 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3185 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3186 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3187 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3188 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3189 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3190 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3191 };
3192 
3193 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3194 {
3195 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3196 	int flag;
3197 
3198 	*mntrflags = 0;
3199 
3200 	if (!nla)
3201 		return -EINVAL;
3202 
3203 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX, nla,
3204 			     mntr_flags_policy, NULL))
3205 		return -EINVAL;
3206 
3207 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3208 		if (flags[flag])
3209 			*mntrflags |= (1<<flag);
3210 
3211 	*mntrflags |= MONITOR_FLAG_CHANGED;
3212 
3213 	return 0;
3214 }
3215 
3216 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3217 				     enum nl80211_iftype type,
3218 				     struct genl_info *info,
3219 				     struct vif_params *params)
3220 {
3221 	bool change = false;
3222 	int err;
3223 
3224 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3225 		if (type != NL80211_IFTYPE_MONITOR)
3226 			return -EINVAL;
3227 
3228 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3229 					  &params->flags);
3230 		if (err)
3231 			return err;
3232 
3233 		change = true;
3234 	}
3235 
3236 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3237 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3238 		return -EOPNOTSUPP;
3239 
3240 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3241 		const u8 *mumimo_groups;
3242 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3243 
3244 		if (type != NL80211_IFTYPE_MONITOR)
3245 			return -EINVAL;
3246 
3247 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3248 			return -EOPNOTSUPP;
3249 
3250 		mumimo_groups =
3251 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3252 
3253 		/* bits 0 and 63 are reserved and must be zero */
3254 		if ((mumimo_groups[0] & BIT(0)) ||
3255 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3256 			return -EINVAL;
3257 
3258 		params->vht_mumimo_groups = mumimo_groups;
3259 		change = true;
3260 	}
3261 
3262 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3263 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3264 
3265 		if (type != NL80211_IFTYPE_MONITOR)
3266 			return -EINVAL;
3267 
3268 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3269 			return -EOPNOTSUPP;
3270 
3271 		params->vht_mumimo_follow_addr =
3272 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3273 		change = true;
3274 	}
3275 
3276 	return change ? 1 : 0;
3277 }
3278 
3279 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3280 			       struct net_device *netdev, u8 use_4addr,
3281 			       enum nl80211_iftype iftype)
3282 {
3283 	if (!use_4addr) {
3284 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3285 			return -EBUSY;
3286 		return 0;
3287 	}
3288 
3289 	switch (iftype) {
3290 	case NL80211_IFTYPE_AP_VLAN:
3291 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3292 			return 0;
3293 		break;
3294 	case NL80211_IFTYPE_STATION:
3295 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3296 			return 0;
3297 		break;
3298 	default:
3299 		break;
3300 	}
3301 
3302 	return -EOPNOTSUPP;
3303 }
3304 
3305 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3306 {
3307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3308 	struct vif_params params;
3309 	int err;
3310 	enum nl80211_iftype otype, ntype;
3311 	struct net_device *dev = info->user_ptr[1];
3312 	bool change = false;
3313 
3314 	memset(&params, 0, sizeof(params));
3315 
3316 	otype = ntype = dev->ieee80211_ptr->iftype;
3317 
3318 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3319 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3320 		if (otype != ntype)
3321 			change = true;
3322 	}
3323 
3324 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3325 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3326 
3327 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3328 			return -EINVAL;
3329 		if (netif_running(dev))
3330 			return -EBUSY;
3331 
3332 		wdev_lock(wdev);
3333 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3334 			     IEEE80211_MAX_MESH_ID_LEN);
3335 		wdev->mesh_id_up_len =
3336 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3337 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3338 		       wdev->mesh_id_up_len);
3339 		wdev_unlock(wdev);
3340 	}
3341 
3342 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3343 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3344 		change = true;
3345 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3346 		if (err)
3347 			return err;
3348 	} else {
3349 		params.use_4addr = -1;
3350 	}
3351 
3352 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3353 	if (err < 0)
3354 		return err;
3355 	if (err > 0)
3356 		change = true;
3357 
3358 	if (change)
3359 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3360 	else
3361 		err = 0;
3362 
3363 	if (!err && params.use_4addr != -1)
3364 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3365 
3366 	if (change && !err) {
3367 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3368 
3369 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3370 	}
3371 
3372 	return err;
3373 }
3374 
3375 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3376 {
3377 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3378 	struct vif_params params;
3379 	struct wireless_dev *wdev;
3380 	struct sk_buff *msg;
3381 	int err;
3382 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3383 
3384 	/* to avoid failing a new interface creation due to pending removal */
3385 	cfg80211_destroy_ifaces(rdev);
3386 
3387 	memset(&params, 0, sizeof(params));
3388 
3389 	if (!info->attrs[NL80211_ATTR_IFNAME])
3390 		return -EINVAL;
3391 
3392 	if (info->attrs[NL80211_ATTR_IFTYPE])
3393 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3394 
3395 	if (!rdev->ops->add_virtual_intf ||
3396 	    !(rdev->wiphy.interface_modes & (1 << type)))
3397 		return -EOPNOTSUPP;
3398 
3399 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3400 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3401 	    info->attrs[NL80211_ATTR_MAC]) {
3402 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3403 			   ETH_ALEN);
3404 		if (!is_valid_ether_addr(params.macaddr))
3405 			return -EADDRNOTAVAIL;
3406 	}
3407 
3408 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3409 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3410 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3411 		if (err)
3412 			return err;
3413 	}
3414 
3415 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3416 	if (err < 0)
3417 		return err;
3418 
3419 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3420 	if (!msg)
3421 		return -ENOMEM;
3422 
3423 	wdev = rdev_add_virtual_intf(rdev,
3424 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3425 				NET_NAME_USER, type, &params);
3426 	if (WARN_ON(!wdev)) {
3427 		nlmsg_free(msg);
3428 		return -EPROTO;
3429 	} else if (IS_ERR(wdev)) {
3430 		nlmsg_free(msg);
3431 		return PTR_ERR(wdev);
3432 	}
3433 
3434 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3435 		wdev->owner_nlportid = info->snd_portid;
3436 
3437 	switch (type) {
3438 	case NL80211_IFTYPE_MESH_POINT:
3439 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3440 			break;
3441 		wdev_lock(wdev);
3442 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3443 			     IEEE80211_MAX_MESH_ID_LEN);
3444 		wdev->mesh_id_up_len =
3445 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3446 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3447 		       wdev->mesh_id_up_len);
3448 		wdev_unlock(wdev);
3449 		break;
3450 	case NL80211_IFTYPE_NAN:
3451 	case NL80211_IFTYPE_P2P_DEVICE:
3452 		/*
3453 		 * P2P Device and NAN do not have a netdev, so don't go
3454 		 * through the netdev notifier and must be added here
3455 		 */
3456 		cfg80211_init_wdev(rdev, wdev);
3457 		break;
3458 	default:
3459 		break;
3460 	}
3461 
3462 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3463 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3464 		nlmsg_free(msg);
3465 		return -ENOBUFS;
3466 	}
3467 
3468 	return genlmsg_reply(msg, info);
3469 }
3470 
3471 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3472 {
3473 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3474 	struct wireless_dev *wdev = info->user_ptr[1];
3475 
3476 	if (!rdev->ops->del_virtual_intf)
3477 		return -EOPNOTSUPP;
3478 
3479 	/*
3480 	 * If we remove a wireless device without a netdev then clear
3481 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3482 	 * to check if it needs to do dev_put(). Otherwise it crashes
3483 	 * since the wdev has been freed, unlike with a netdev where
3484 	 * we need the dev_put() for the netdev to really be freed.
3485 	 */
3486 	if (!wdev->netdev)
3487 		info->user_ptr[1] = NULL;
3488 
3489 	return rdev_del_virtual_intf(rdev, wdev);
3490 }
3491 
3492 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3493 {
3494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3495 	struct net_device *dev = info->user_ptr[1];
3496 	u16 noack_map;
3497 
3498 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3499 		return -EINVAL;
3500 
3501 	if (!rdev->ops->set_noack_map)
3502 		return -EOPNOTSUPP;
3503 
3504 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3505 
3506 	return rdev_set_noack_map(rdev, dev, noack_map);
3507 }
3508 
3509 struct get_key_cookie {
3510 	struct sk_buff *msg;
3511 	int error;
3512 	int idx;
3513 };
3514 
3515 static void get_key_callback(void *c, struct key_params *params)
3516 {
3517 	struct nlattr *key;
3518 	struct get_key_cookie *cookie = c;
3519 
3520 	if ((params->key &&
3521 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3522 		     params->key_len, params->key)) ||
3523 	    (params->seq &&
3524 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3525 		     params->seq_len, params->seq)) ||
3526 	    (params->cipher &&
3527 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3528 			 params->cipher)))
3529 		goto nla_put_failure;
3530 
3531 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
3532 	if (!key)
3533 		goto nla_put_failure;
3534 
3535 	if ((params->key &&
3536 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3537 		     params->key_len, params->key)) ||
3538 	    (params->seq &&
3539 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3540 		     params->seq_len, params->seq)) ||
3541 	    (params->cipher &&
3542 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3543 			 params->cipher)))
3544 		goto nla_put_failure;
3545 
3546 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3547 		goto nla_put_failure;
3548 
3549 	nla_nest_end(cookie->msg, key);
3550 
3551 	return;
3552  nla_put_failure:
3553 	cookie->error = 1;
3554 }
3555 
3556 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3557 {
3558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3559 	int err;
3560 	struct net_device *dev = info->user_ptr[1];
3561 	u8 key_idx = 0;
3562 	const u8 *mac_addr = NULL;
3563 	bool pairwise;
3564 	struct get_key_cookie cookie = {
3565 		.error = 0,
3566 	};
3567 	void *hdr;
3568 	struct sk_buff *msg;
3569 
3570 	if (info->attrs[NL80211_ATTR_KEY_IDX])
3571 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3572 
3573 	if (info->attrs[NL80211_ATTR_MAC])
3574 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3575 
3576 	pairwise = !!mac_addr;
3577 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3578 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3579 
3580 		if (kt != NL80211_KEYTYPE_GROUP &&
3581 		    kt != NL80211_KEYTYPE_PAIRWISE)
3582 			return -EINVAL;
3583 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3584 	}
3585 
3586 	if (!rdev->ops->get_key)
3587 		return -EOPNOTSUPP;
3588 
3589 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3590 		return -ENOENT;
3591 
3592 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3593 	if (!msg)
3594 		return -ENOMEM;
3595 
3596 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3597 			     NL80211_CMD_NEW_KEY);
3598 	if (!hdr)
3599 		goto nla_put_failure;
3600 
3601 	cookie.msg = msg;
3602 	cookie.idx = key_idx;
3603 
3604 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3605 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3606 		goto nla_put_failure;
3607 	if (mac_addr &&
3608 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3609 		goto nla_put_failure;
3610 
3611 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3612 			   get_key_callback);
3613 
3614 	if (err)
3615 		goto free_msg;
3616 
3617 	if (cookie.error)
3618 		goto nla_put_failure;
3619 
3620 	genlmsg_end(msg, hdr);
3621 	return genlmsg_reply(msg, info);
3622 
3623  nla_put_failure:
3624 	err = -ENOBUFS;
3625  free_msg:
3626 	nlmsg_free(msg);
3627 	return err;
3628 }
3629 
3630 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3631 {
3632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3633 	struct key_parse key;
3634 	int err;
3635 	struct net_device *dev = info->user_ptr[1];
3636 
3637 	err = nl80211_parse_key(info, &key);
3638 	if (err)
3639 		return err;
3640 
3641 	if (key.idx < 0)
3642 		return -EINVAL;
3643 
3644 	/* only support setting default key */
3645 	if (!key.def && !key.defmgmt)
3646 		return -EINVAL;
3647 
3648 	wdev_lock(dev->ieee80211_ptr);
3649 
3650 	if (key.def) {
3651 		if (!rdev->ops->set_default_key) {
3652 			err = -EOPNOTSUPP;
3653 			goto out;
3654 		}
3655 
3656 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3657 		if (err)
3658 			goto out;
3659 
3660 		err = rdev_set_default_key(rdev, dev, key.idx,
3661 						 key.def_uni, key.def_multi);
3662 
3663 		if (err)
3664 			goto out;
3665 
3666 #ifdef CONFIG_CFG80211_WEXT
3667 		dev->ieee80211_ptr->wext.default_key = key.idx;
3668 #endif
3669 	} else {
3670 		if (key.def_uni || !key.def_multi) {
3671 			err = -EINVAL;
3672 			goto out;
3673 		}
3674 
3675 		if (!rdev->ops->set_default_mgmt_key) {
3676 			err = -EOPNOTSUPP;
3677 			goto out;
3678 		}
3679 
3680 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3681 		if (err)
3682 			goto out;
3683 
3684 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3685 		if (err)
3686 			goto out;
3687 
3688 #ifdef CONFIG_CFG80211_WEXT
3689 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3690 #endif
3691 	}
3692 
3693  out:
3694 	wdev_unlock(dev->ieee80211_ptr);
3695 
3696 	return err;
3697 }
3698 
3699 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3700 {
3701 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3702 	int err;
3703 	struct net_device *dev = info->user_ptr[1];
3704 	struct key_parse key;
3705 	const u8 *mac_addr = NULL;
3706 
3707 	err = nl80211_parse_key(info, &key);
3708 	if (err)
3709 		return err;
3710 
3711 	if (!key.p.key)
3712 		return -EINVAL;
3713 
3714 	if (info->attrs[NL80211_ATTR_MAC])
3715 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3716 
3717 	if (key.type == -1) {
3718 		if (mac_addr)
3719 			key.type = NL80211_KEYTYPE_PAIRWISE;
3720 		else
3721 			key.type = NL80211_KEYTYPE_GROUP;
3722 	}
3723 
3724 	/* for now */
3725 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3726 	    key.type != NL80211_KEYTYPE_GROUP)
3727 		return -EINVAL;
3728 
3729 	if (!rdev->ops->add_key)
3730 		return -EOPNOTSUPP;
3731 
3732 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3733 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3734 					   mac_addr))
3735 		return -EINVAL;
3736 
3737 	wdev_lock(dev->ieee80211_ptr);
3738 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3739 	if (!err)
3740 		err = rdev_add_key(rdev, dev, key.idx,
3741 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3742 				    mac_addr, &key.p);
3743 	wdev_unlock(dev->ieee80211_ptr);
3744 
3745 	return err;
3746 }
3747 
3748 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3749 {
3750 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3751 	int err;
3752 	struct net_device *dev = info->user_ptr[1];
3753 	u8 *mac_addr = NULL;
3754 	struct key_parse key;
3755 
3756 	err = nl80211_parse_key(info, &key);
3757 	if (err)
3758 		return err;
3759 
3760 	if (info->attrs[NL80211_ATTR_MAC])
3761 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3762 
3763 	if (key.type == -1) {
3764 		if (mac_addr)
3765 			key.type = NL80211_KEYTYPE_PAIRWISE;
3766 		else
3767 			key.type = NL80211_KEYTYPE_GROUP;
3768 	}
3769 
3770 	/* for now */
3771 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3772 	    key.type != NL80211_KEYTYPE_GROUP)
3773 		return -EINVAL;
3774 
3775 	if (!rdev->ops->del_key)
3776 		return -EOPNOTSUPP;
3777 
3778 	wdev_lock(dev->ieee80211_ptr);
3779 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3780 
3781 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3782 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3783 		err = -ENOENT;
3784 
3785 	if (!err)
3786 		err = rdev_del_key(rdev, dev, key.idx,
3787 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3788 				   mac_addr);
3789 
3790 #ifdef CONFIG_CFG80211_WEXT
3791 	if (!err) {
3792 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3793 			dev->ieee80211_ptr->wext.default_key = -1;
3794 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3795 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3796 	}
3797 #endif
3798 	wdev_unlock(dev->ieee80211_ptr);
3799 
3800 	return err;
3801 }
3802 
3803 /* This function returns an error or the number of nested attributes */
3804 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3805 {
3806 	struct nlattr *attr;
3807 	int n_entries = 0, tmp;
3808 
3809 	nla_for_each_nested(attr, nl_attr, tmp) {
3810 		if (nla_len(attr) != ETH_ALEN)
3811 			return -EINVAL;
3812 
3813 		n_entries++;
3814 	}
3815 
3816 	return n_entries;
3817 }
3818 
3819 /*
3820  * This function parses ACL information and allocates memory for ACL data.
3821  * On successful return, the calling function is responsible to free the
3822  * ACL buffer returned by this function.
3823  */
3824 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3825 						struct genl_info *info)
3826 {
3827 	enum nl80211_acl_policy acl_policy;
3828 	struct nlattr *attr;
3829 	struct cfg80211_acl_data *acl;
3830 	int i = 0, n_entries, tmp;
3831 
3832 	if (!wiphy->max_acl_mac_addrs)
3833 		return ERR_PTR(-EOPNOTSUPP);
3834 
3835 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3836 		return ERR_PTR(-EINVAL);
3837 
3838 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3839 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3840 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3841 		return ERR_PTR(-EINVAL);
3842 
3843 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3844 		return ERR_PTR(-EINVAL);
3845 
3846 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3847 	if (n_entries < 0)
3848 		return ERR_PTR(n_entries);
3849 
3850 	if (n_entries > wiphy->max_acl_mac_addrs)
3851 		return ERR_PTR(-ENOTSUPP);
3852 
3853 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3854 		      GFP_KERNEL);
3855 	if (!acl)
3856 		return ERR_PTR(-ENOMEM);
3857 
3858 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3859 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3860 		i++;
3861 	}
3862 
3863 	acl->n_acl_entries = n_entries;
3864 	acl->acl_policy = acl_policy;
3865 
3866 	return acl;
3867 }
3868 
3869 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3870 {
3871 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3872 	struct net_device *dev = info->user_ptr[1];
3873 	struct cfg80211_acl_data *acl;
3874 	int err;
3875 
3876 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3877 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3878 		return -EOPNOTSUPP;
3879 
3880 	if (!dev->ieee80211_ptr->beacon_interval)
3881 		return -EINVAL;
3882 
3883 	acl = parse_acl_data(&rdev->wiphy, info);
3884 	if (IS_ERR(acl))
3885 		return PTR_ERR(acl);
3886 
3887 	err = rdev_set_mac_acl(rdev, dev, acl);
3888 
3889 	kfree(acl);
3890 
3891 	return err;
3892 }
3893 
3894 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3895 			   u8 *rates, u8 rates_len)
3896 {
3897 	u8 i;
3898 	u32 mask = 0;
3899 
3900 	for (i = 0; i < rates_len; i++) {
3901 		int rate = (rates[i] & 0x7f) * 5;
3902 		int ridx;
3903 
3904 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3905 			struct ieee80211_rate *srate =
3906 				&sband->bitrates[ridx];
3907 			if (rate == srate->bitrate) {
3908 				mask |= 1 << ridx;
3909 				break;
3910 			}
3911 		}
3912 		if (ridx == sband->n_bitrates)
3913 			return 0; /* rate not found */
3914 	}
3915 
3916 	return mask;
3917 }
3918 
3919 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
3920 			       u8 *rates, u8 rates_len,
3921 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
3922 {
3923 	u8 i;
3924 
3925 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
3926 
3927 	for (i = 0; i < rates_len; i++) {
3928 		int ridx, rbit;
3929 
3930 		ridx = rates[i] / 8;
3931 		rbit = BIT(rates[i] % 8);
3932 
3933 		/* check validity */
3934 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
3935 			return false;
3936 
3937 		/* check availability */
3938 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
3939 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
3940 			mcs[ridx] |= rbit;
3941 		else
3942 			return false;
3943 	}
3944 
3945 	return true;
3946 }
3947 
3948 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
3949 {
3950 	u16 mcs_mask = 0;
3951 
3952 	switch (vht_mcs_map) {
3953 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
3954 		break;
3955 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
3956 		mcs_mask = 0x00FF;
3957 		break;
3958 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
3959 		mcs_mask = 0x01FF;
3960 		break;
3961 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
3962 		mcs_mask = 0x03FF;
3963 		break;
3964 	default:
3965 		break;
3966 	}
3967 
3968 	return mcs_mask;
3969 }
3970 
3971 static void vht_build_mcs_mask(u16 vht_mcs_map,
3972 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
3973 {
3974 	u8 nss;
3975 
3976 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
3977 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
3978 		vht_mcs_map >>= 2;
3979 	}
3980 }
3981 
3982 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
3983 			     struct nl80211_txrate_vht *txrate,
3984 			     u16 mcs[NL80211_VHT_NSS_MAX])
3985 {
3986 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3987 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
3988 	u8 i;
3989 
3990 	if (!sband->vht_cap.vht_supported)
3991 		return false;
3992 
3993 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
3994 
3995 	/* Build vht_mcs_mask from VHT capabilities */
3996 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
3997 
3998 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3999 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4000 			mcs[i] = txrate->mcs[i];
4001 		else
4002 			return false;
4003 	}
4004 
4005 	return true;
4006 }
4007 
4008 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4009 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4010 				    .len = NL80211_MAX_SUPP_RATES },
4011 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4012 				.len = NL80211_MAX_SUPP_HT_RATES },
4013 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
4014 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
4015 };
4016 
4017 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4018 					 struct cfg80211_bitrate_mask *mask)
4019 {
4020 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4021 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4022 	int rem, i;
4023 	struct nlattr *tx_rates;
4024 	struct ieee80211_supported_band *sband;
4025 	u16 vht_tx_mcs_map;
4026 
4027 	memset(mask, 0, sizeof(*mask));
4028 	/* Default to all rates enabled */
4029 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4030 		sband = rdev->wiphy.bands[i];
4031 
4032 		if (!sband)
4033 			continue;
4034 
4035 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4036 		memcpy(mask->control[i].ht_mcs,
4037 		       sband->ht_cap.mcs.rx_mask,
4038 		       sizeof(mask->control[i].ht_mcs));
4039 
4040 		if (!sband->vht_cap.vht_supported)
4041 			continue;
4042 
4043 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4044 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4045 	}
4046 
4047 	/* if no rates are given set it back to the defaults */
4048 	if (!info->attrs[NL80211_ATTR_TX_RATES])
4049 		goto out;
4050 
4051 	/* The nested attribute uses enum nl80211_band as the index. This maps
4052 	 * directly to the enum nl80211_band values used in cfg80211.
4053 	 */
4054 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4055 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4056 		enum nl80211_band band = nla_type(tx_rates);
4057 		int err;
4058 
4059 		if (band < 0 || band >= NUM_NL80211_BANDS)
4060 			return -EINVAL;
4061 		sband = rdev->wiphy.bands[band];
4062 		if (sband == NULL)
4063 			return -EINVAL;
4064 		err = nla_parse_nested(tb, NL80211_TXRATE_MAX, tx_rates,
4065 				       nl80211_txattr_policy, info->extack);
4066 		if (err)
4067 			return err;
4068 		if (tb[NL80211_TXRATE_LEGACY]) {
4069 			mask->control[band].legacy = rateset_to_mask(
4070 				sband,
4071 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4072 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4073 			if ((mask->control[band].legacy == 0) &&
4074 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4075 				return -EINVAL;
4076 		}
4077 		if (tb[NL80211_TXRATE_HT]) {
4078 			if (!ht_rateset_to_mask(
4079 					sband,
4080 					nla_data(tb[NL80211_TXRATE_HT]),
4081 					nla_len(tb[NL80211_TXRATE_HT]),
4082 					mask->control[band].ht_mcs))
4083 				return -EINVAL;
4084 		}
4085 		if (tb[NL80211_TXRATE_VHT]) {
4086 			if (!vht_set_mcs_mask(
4087 					sband,
4088 					nla_data(tb[NL80211_TXRATE_VHT]),
4089 					mask->control[band].vht_mcs))
4090 				return -EINVAL;
4091 		}
4092 		if (tb[NL80211_TXRATE_GI]) {
4093 			mask->control[band].gi =
4094 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4095 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4096 				return -EINVAL;
4097 		}
4098 
4099 		if (mask->control[band].legacy == 0) {
4100 			/* don't allow empty legacy rates if HT or VHT
4101 			 * are not even supported.
4102 			 */
4103 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4104 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
4105 				return -EINVAL;
4106 
4107 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4108 				if (mask->control[band].ht_mcs[i])
4109 					goto out;
4110 
4111 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4112 				if (mask->control[band].vht_mcs[i])
4113 					goto out;
4114 
4115 			/* legacy and mcs rates may not be both empty */
4116 			return -EINVAL;
4117 		}
4118 	}
4119 
4120 out:
4121 	return 0;
4122 }
4123 
4124 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4125 				   enum nl80211_band band,
4126 				   struct cfg80211_bitrate_mask *beacon_rate)
4127 {
4128 	u32 count_ht, count_vht, i;
4129 	u32 rate = beacon_rate->control[band].legacy;
4130 
4131 	/* Allow only one rate */
4132 	if (hweight32(rate) > 1)
4133 		return -EINVAL;
4134 
4135 	count_ht = 0;
4136 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4137 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4138 			return -EINVAL;
4139 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4140 			count_ht++;
4141 			if (count_ht > 1)
4142 				return -EINVAL;
4143 		}
4144 		if (count_ht && rate)
4145 			return -EINVAL;
4146 	}
4147 
4148 	count_vht = 0;
4149 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4150 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4151 			return -EINVAL;
4152 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4153 			count_vht++;
4154 			if (count_vht > 1)
4155 				return -EINVAL;
4156 		}
4157 		if (count_vht && rate)
4158 			return -EINVAL;
4159 	}
4160 
4161 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4162 		return -EINVAL;
4163 
4164 	if (rate &&
4165 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4166 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4167 		return -EINVAL;
4168 	if (count_ht &&
4169 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4170 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4171 		return -EINVAL;
4172 	if (count_vht &&
4173 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4174 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4175 		return -EINVAL;
4176 
4177 	return 0;
4178 }
4179 
4180 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4181 				struct nlattr *attrs[],
4182 				struct cfg80211_beacon_data *bcn)
4183 {
4184 	bool haveinfo = false;
4185 	int err;
4186 
4187 	memset(bcn, 0, sizeof(*bcn));
4188 
4189 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4190 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4191 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4192 		if (!bcn->head_len)
4193 			return -EINVAL;
4194 		haveinfo = true;
4195 	}
4196 
4197 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4198 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4199 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4200 		haveinfo = true;
4201 	}
4202 
4203 	if (!haveinfo)
4204 		return -EINVAL;
4205 
4206 	if (attrs[NL80211_ATTR_IE]) {
4207 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4208 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4209 	}
4210 
4211 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4212 		bcn->proberesp_ies =
4213 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4214 		bcn->proberesp_ies_len =
4215 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4216 	}
4217 
4218 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4219 		bcn->assocresp_ies =
4220 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4221 		bcn->assocresp_ies_len =
4222 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4223 	}
4224 
4225 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4226 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4227 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4228 	}
4229 
4230 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4231 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4232 
4233 		err = nla_parse_nested(tb, NL80211_FTM_RESP_ATTR_MAX,
4234 				       attrs[NL80211_ATTR_FTM_RESPONDER],
4235 				       NULL, NULL);
4236 		if (err)
4237 			return err;
4238 
4239 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4240 		    wiphy_ext_feature_isset(&rdev->wiphy,
4241 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4242 			bcn->ftm_responder = 1;
4243 		else
4244 			return -EOPNOTSUPP;
4245 
4246 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4247 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4248 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4249 		}
4250 
4251 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4252 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4253 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4254 		}
4255 	} else {
4256 		bcn->ftm_responder = -1;
4257 	}
4258 
4259 	return 0;
4260 }
4261 
4262 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4263 					    const u8 *rates)
4264 {
4265 	int i;
4266 
4267 	if (!rates)
4268 		return;
4269 
4270 	for (i = 0; i < rates[1]; i++) {
4271 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4272 			params->ht_required = true;
4273 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4274 			params->vht_required = true;
4275 	}
4276 }
4277 
4278 /*
4279  * Since the nl80211 API didn't include, from the beginning, attributes about
4280  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4281  * benefit of drivers that rebuild IEs in the firmware.
4282  */
4283 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4284 {
4285 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4286 	size_t ies_len = bcn->tail_len;
4287 	const u8 *ies = bcn->tail;
4288 	const u8 *rates;
4289 	const u8 *cap;
4290 
4291 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4292 	nl80211_check_ap_rate_selectors(params, rates);
4293 
4294 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4295 	nl80211_check_ap_rate_selectors(params, rates);
4296 
4297 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4298 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4299 		params->ht_cap = (void *)(cap + 2);
4300 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4301 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4302 		params->vht_cap = (void *)(cap + 2);
4303 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4304 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4305 		params->he_cap = (void *)(cap + 3);
4306 }
4307 
4308 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4309 				   struct cfg80211_ap_settings *params)
4310 {
4311 	struct wireless_dev *wdev;
4312 	bool ret = false;
4313 
4314 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4315 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4316 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4317 			continue;
4318 
4319 		if (!wdev->preset_chandef.chan)
4320 			continue;
4321 
4322 		params->chandef = wdev->preset_chandef;
4323 		ret = true;
4324 		break;
4325 	}
4326 
4327 	return ret;
4328 }
4329 
4330 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4331 				    enum nl80211_auth_type auth_type,
4332 				    enum nl80211_commands cmd)
4333 {
4334 	if (auth_type > NL80211_AUTHTYPE_MAX)
4335 		return false;
4336 
4337 	switch (cmd) {
4338 	case NL80211_CMD_AUTHENTICATE:
4339 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4340 		    auth_type == NL80211_AUTHTYPE_SAE)
4341 			return false;
4342 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4343 					     NL80211_EXT_FEATURE_FILS_STA) &&
4344 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4345 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4346 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4347 			return false;
4348 		return true;
4349 	case NL80211_CMD_CONNECT:
4350 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4351 		    auth_type == NL80211_AUTHTYPE_SAE)
4352 			return false;
4353 
4354 		/* FILS with SK PFS or PK not supported yet */
4355 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4356 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4357 			return false;
4358 		if (!wiphy_ext_feature_isset(
4359 			    &rdev->wiphy,
4360 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4361 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4362 			return false;
4363 		return true;
4364 	case NL80211_CMD_START_AP:
4365 		/* SAE not supported yet */
4366 		if (auth_type == NL80211_AUTHTYPE_SAE)
4367 			return false;
4368 		/* FILS not supported yet */
4369 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4370 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4371 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4372 			return false;
4373 		return true;
4374 	default:
4375 		return false;
4376 	}
4377 }
4378 
4379 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4380 {
4381 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4382 	struct net_device *dev = info->user_ptr[1];
4383 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4384 	struct cfg80211_ap_settings params;
4385 	int err;
4386 
4387 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4388 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4389 		return -EOPNOTSUPP;
4390 
4391 	if (!rdev->ops->start_ap)
4392 		return -EOPNOTSUPP;
4393 
4394 	if (wdev->beacon_interval)
4395 		return -EALREADY;
4396 
4397 	memset(&params, 0, sizeof(params));
4398 
4399 	/* these are required for START_AP */
4400 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4401 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4402 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4403 		return -EINVAL;
4404 
4405 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4406 	if (err)
4407 		return err;
4408 
4409 	params.beacon_interval =
4410 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4411 	params.dtim_period =
4412 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4413 
4414 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4415 					   params.beacon_interval);
4416 	if (err)
4417 		return err;
4418 
4419 	/*
4420 	 * In theory, some of these attributes should be required here
4421 	 * but since they were not used when the command was originally
4422 	 * added, keep them optional for old user space programs to let
4423 	 * them continue to work with drivers that do not need the
4424 	 * additional information -- drivers must check!
4425 	 */
4426 	if (info->attrs[NL80211_ATTR_SSID]) {
4427 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4428 		params.ssid_len =
4429 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4430 		if (params.ssid_len == 0 ||
4431 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4432 			return -EINVAL;
4433 	}
4434 
4435 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4436 		params.hidden_ssid = nla_get_u32(
4437 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4438 
4439 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4440 
4441 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4442 		params.auth_type = nla_get_u32(
4443 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4444 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4445 					     NL80211_CMD_START_AP))
4446 			return -EINVAL;
4447 	} else
4448 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4449 
4450 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4451 				      NL80211_MAX_NR_CIPHER_SUITES);
4452 	if (err)
4453 		return err;
4454 
4455 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4456 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4457 			return -EOPNOTSUPP;
4458 		params.inactivity_timeout = nla_get_u16(
4459 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4460 	}
4461 
4462 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4463 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4464 			return -EINVAL;
4465 		params.p2p_ctwindow =
4466 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4467 		if (params.p2p_ctwindow != 0 &&
4468 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4469 			return -EINVAL;
4470 	}
4471 
4472 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4473 		u8 tmp;
4474 
4475 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4476 			return -EINVAL;
4477 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4478 		params.p2p_opp_ps = tmp;
4479 		if (params.p2p_opp_ps != 0 &&
4480 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4481 			return -EINVAL;
4482 	}
4483 
4484 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4485 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4486 		if (err)
4487 			return err;
4488 	} else if (wdev->preset_chandef.chan) {
4489 		params.chandef = wdev->preset_chandef;
4490 	} else if (!nl80211_get_ap_channel(rdev, &params))
4491 		return -EINVAL;
4492 
4493 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4494 					   wdev->iftype))
4495 		return -EINVAL;
4496 
4497 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4498 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4499 		if (err)
4500 			return err;
4501 
4502 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4503 					      &params.beacon_rate);
4504 		if (err)
4505 			return err;
4506 	}
4507 
4508 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4509 		params.smps_mode =
4510 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4511 		switch (params.smps_mode) {
4512 		case NL80211_SMPS_OFF:
4513 			break;
4514 		case NL80211_SMPS_STATIC:
4515 			if (!(rdev->wiphy.features &
4516 			      NL80211_FEATURE_STATIC_SMPS))
4517 				return -EINVAL;
4518 			break;
4519 		case NL80211_SMPS_DYNAMIC:
4520 			if (!(rdev->wiphy.features &
4521 			      NL80211_FEATURE_DYNAMIC_SMPS))
4522 				return -EINVAL;
4523 			break;
4524 		default:
4525 			return -EINVAL;
4526 		}
4527 	} else {
4528 		params.smps_mode = NL80211_SMPS_OFF;
4529 	}
4530 
4531 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4532 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4533 		return -EOPNOTSUPP;
4534 
4535 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4536 		params.acl = parse_acl_data(&rdev->wiphy, info);
4537 		if (IS_ERR(params.acl))
4538 			return PTR_ERR(params.acl);
4539 	}
4540 
4541 	nl80211_calculate_ap_params(&params);
4542 
4543 	wdev_lock(wdev);
4544 	err = rdev_start_ap(rdev, dev, &params);
4545 	if (!err) {
4546 		wdev->preset_chandef = params.chandef;
4547 		wdev->beacon_interval = params.beacon_interval;
4548 		wdev->chandef = params.chandef;
4549 		wdev->ssid_len = params.ssid_len;
4550 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4551 
4552 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4553 			wdev->conn_owner_nlportid = info->snd_portid;
4554 	}
4555 	wdev_unlock(wdev);
4556 
4557 	kfree(params.acl);
4558 
4559 	return err;
4560 }
4561 
4562 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4563 {
4564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4565 	struct net_device *dev = info->user_ptr[1];
4566 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4567 	struct cfg80211_beacon_data params;
4568 	int err;
4569 
4570 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4571 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4572 		return -EOPNOTSUPP;
4573 
4574 	if (!rdev->ops->change_beacon)
4575 		return -EOPNOTSUPP;
4576 
4577 	if (!wdev->beacon_interval)
4578 		return -EINVAL;
4579 
4580 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
4581 	if (err)
4582 		return err;
4583 
4584 	wdev_lock(wdev);
4585 	err = rdev_change_beacon(rdev, dev, &params);
4586 	wdev_unlock(wdev);
4587 
4588 	return err;
4589 }
4590 
4591 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4592 {
4593 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4594 	struct net_device *dev = info->user_ptr[1];
4595 
4596 	return cfg80211_stop_ap(rdev, dev, false);
4597 }
4598 
4599 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4600 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4601 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4602 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4603 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4604 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4605 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4606 };
4607 
4608 static int parse_station_flags(struct genl_info *info,
4609 			       enum nl80211_iftype iftype,
4610 			       struct station_parameters *params)
4611 {
4612 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4613 	struct nlattr *nla;
4614 	int flag;
4615 
4616 	/*
4617 	 * Try parsing the new attribute first so userspace
4618 	 * can specify both for older kernels.
4619 	 */
4620 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4621 	if (nla) {
4622 		struct nl80211_sta_flag_update *sta_flags;
4623 
4624 		sta_flags = nla_data(nla);
4625 		params->sta_flags_mask = sta_flags->mask;
4626 		params->sta_flags_set = sta_flags->set;
4627 		params->sta_flags_set &= params->sta_flags_mask;
4628 		if ((params->sta_flags_mask |
4629 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4630 			return -EINVAL;
4631 		return 0;
4632 	}
4633 
4634 	/* if present, parse the old attribute */
4635 
4636 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4637 	if (!nla)
4638 		return 0;
4639 
4640 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX, nla,
4641 			     sta_flags_policy, info->extack))
4642 		return -EINVAL;
4643 
4644 	/*
4645 	 * Only allow certain flags for interface types so that
4646 	 * other attributes are silently ignored. Remember that
4647 	 * this is backward compatibility code with old userspace
4648 	 * and shouldn't be hit in other cases anyway.
4649 	 */
4650 	switch (iftype) {
4651 	case NL80211_IFTYPE_AP:
4652 	case NL80211_IFTYPE_AP_VLAN:
4653 	case NL80211_IFTYPE_P2P_GO:
4654 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4655 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4656 					 BIT(NL80211_STA_FLAG_WME) |
4657 					 BIT(NL80211_STA_FLAG_MFP);
4658 		break;
4659 	case NL80211_IFTYPE_P2P_CLIENT:
4660 	case NL80211_IFTYPE_STATION:
4661 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4662 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
4663 		break;
4664 	case NL80211_IFTYPE_MESH_POINT:
4665 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4666 					 BIT(NL80211_STA_FLAG_MFP) |
4667 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
4668 		break;
4669 	default:
4670 		return -EINVAL;
4671 	}
4672 
4673 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4674 		if (flags[flag]) {
4675 			params->sta_flags_set |= (1<<flag);
4676 
4677 			/* no longer support new API additions in old API */
4678 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4679 				return -EINVAL;
4680 		}
4681 	}
4682 
4683 	return 0;
4684 }
4685 
4686 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
4687 {
4688 	struct nlattr *rate;
4689 	u32 bitrate;
4690 	u16 bitrate_compat;
4691 	enum nl80211_rate_info rate_flg;
4692 
4693 	rate = nla_nest_start(msg, attr);
4694 	if (!rate)
4695 		return false;
4696 
4697 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4698 	bitrate = cfg80211_calculate_bitrate(info);
4699 	/* report 16-bit bitrate only if we can */
4700 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4701 	if (bitrate > 0 &&
4702 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4703 		return false;
4704 	if (bitrate_compat > 0 &&
4705 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4706 		return false;
4707 
4708 	switch (info->bw) {
4709 	case RATE_INFO_BW_5:
4710 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4711 		break;
4712 	case RATE_INFO_BW_10:
4713 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4714 		break;
4715 	default:
4716 		WARN_ON(1);
4717 		/* fall through */
4718 	case RATE_INFO_BW_20:
4719 		rate_flg = 0;
4720 		break;
4721 	case RATE_INFO_BW_40:
4722 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4723 		break;
4724 	case RATE_INFO_BW_80:
4725 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4726 		break;
4727 	case RATE_INFO_BW_160:
4728 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4729 		break;
4730 	case RATE_INFO_BW_HE_RU:
4731 		rate_flg = 0;
4732 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4733 	}
4734 
4735 	if (rate_flg && nla_put_flag(msg, rate_flg))
4736 		return false;
4737 
4738 	if (info->flags & RATE_INFO_FLAGS_MCS) {
4739 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4740 			return false;
4741 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4742 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4743 			return false;
4744 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4745 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4746 			return false;
4747 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4748 			return false;
4749 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4750 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4751 			return false;
4752 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4753 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4754 			return false;
4755 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4756 			return false;
4757 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4758 			return false;
4759 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4760 			return false;
4761 		if (info->bw == RATE_INFO_BW_HE_RU &&
4762 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4763 			       info->he_ru_alloc))
4764 			return false;
4765 	}
4766 
4767 	nla_nest_end(msg, rate);
4768 	return true;
4769 }
4770 
4771 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4772 			       int id)
4773 {
4774 	void *attr;
4775 	int i = 0;
4776 
4777 	if (!mask)
4778 		return true;
4779 
4780 	attr = nla_nest_start(msg, id);
4781 	if (!attr)
4782 		return false;
4783 
4784 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4785 		if (!(mask & BIT(i)))
4786 			continue;
4787 
4788 		if (nla_put_u8(msg, i, signal[i]))
4789 			return false;
4790 	}
4791 
4792 	nla_nest_end(msg, attr);
4793 
4794 	return true;
4795 }
4796 
4797 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4798 				u32 seq, int flags,
4799 				struct cfg80211_registered_device *rdev,
4800 				struct net_device *dev,
4801 				const u8 *mac_addr, struct station_info *sinfo)
4802 {
4803 	void *hdr;
4804 	struct nlattr *sinfoattr, *bss_param;
4805 
4806 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4807 	if (!hdr)
4808 		return -1;
4809 
4810 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4811 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4812 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4813 		goto nla_put_failure;
4814 
4815 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
4816 	if (!sinfoattr)
4817 		goto nla_put_failure;
4818 
4819 #define PUT_SINFO(attr, memb, type) do {				\
4820 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
4821 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
4822 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
4823 			     sinfo->memb))				\
4824 		goto nla_put_failure;					\
4825 	} while (0)
4826 #define PUT_SINFO_U64(attr, memb) do {					\
4827 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
4828 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
4829 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
4830 		goto nla_put_failure;					\
4831 	} while (0)
4832 
4833 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4834 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4835 
4836 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
4837 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
4838 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4839 			(u32)sinfo->rx_bytes))
4840 		goto nla_put_failure;
4841 
4842 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
4843 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
4844 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4845 			(u32)sinfo->tx_bytes))
4846 		goto nla_put_failure;
4847 
4848 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4849 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4850 	PUT_SINFO(LLID, llid, u16);
4851 	PUT_SINFO(PLID, plid, u16);
4852 	PUT_SINFO(PLINK_STATE, plink_state, u8);
4853 	PUT_SINFO_U64(RX_DURATION, rx_duration);
4854 
4855 	switch (rdev->wiphy.signal_type) {
4856 	case CFG80211_SIGNAL_TYPE_MBM:
4857 		PUT_SINFO(SIGNAL, signal, u8);
4858 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4859 		break;
4860 	default:
4861 		break;
4862 	}
4863 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4864 		if (!nl80211_put_signal(msg, sinfo->chains,
4865 					sinfo->chain_signal,
4866 					NL80211_STA_INFO_CHAIN_SIGNAL))
4867 			goto nla_put_failure;
4868 	}
4869 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4870 		if (!nl80211_put_signal(msg, sinfo->chains,
4871 					sinfo->chain_signal_avg,
4872 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4873 			goto nla_put_failure;
4874 	}
4875 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
4876 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4877 					  NL80211_STA_INFO_TX_BITRATE))
4878 			goto nla_put_failure;
4879 	}
4880 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
4881 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4882 					  NL80211_STA_INFO_RX_BITRATE))
4883 			goto nla_put_failure;
4884 	}
4885 
4886 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
4887 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
4888 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
4889 	PUT_SINFO(TX_FAILED, tx_failed, u32);
4890 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4891 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4892 	PUT_SINFO(LOCAL_PM, local_pm, u32);
4893 	PUT_SINFO(PEER_PM, peer_pm, u32);
4894 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
4895 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
4896 
4897 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
4898 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
4899 		if (!bss_param)
4900 			goto nla_put_failure;
4901 
4902 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
4903 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
4904 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
4905 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
4906 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
4907 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
4908 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
4909 			       sinfo->bss_param.dtim_period) ||
4910 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
4911 				sinfo->bss_param.beacon_interval))
4912 			goto nla_put_failure;
4913 
4914 		nla_nest_end(msg, bss_param);
4915 	}
4916 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
4917 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
4918 		    sizeof(struct nl80211_sta_flag_update),
4919 		    &sinfo->sta_flags))
4920 		goto nla_put_failure;
4921 
4922 	PUT_SINFO_U64(T_OFFSET, t_offset);
4923 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
4924 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
4925 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
4926 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
4927 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
4928 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4929 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
4930 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
4931 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
4932 	}
4933 
4934 #undef PUT_SINFO
4935 #undef PUT_SINFO_U64
4936 
4937 	if (sinfo->pertid) {
4938 		struct nlattr *tidsattr;
4939 		int tid;
4940 
4941 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
4942 		if (!tidsattr)
4943 			goto nla_put_failure;
4944 
4945 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
4946 			struct cfg80211_tid_stats *tidstats;
4947 			struct nlattr *tidattr;
4948 
4949 			tidstats = &sinfo->pertid[tid];
4950 
4951 			if (!tidstats->filled)
4952 				continue;
4953 
4954 			tidattr = nla_nest_start(msg, tid + 1);
4955 			if (!tidattr)
4956 				goto nla_put_failure;
4957 
4958 #define PUT_TIDVAL_U64(attr, memb) do {					\
4959 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
4960 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
4961 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
4962 		goto nla_put_failure;					\
4963 	} while (0)
4964 
4965 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
4966 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
4967 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
4968 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
4969 
4970 #undef PUT_TIDVAL_U64
4971 			if ((tidstats->filled &
4972 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
4973 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
4974 						   NL80211_TID_STATS_TXQ_STATS))
4975 				goto nla_put_failure;
4976 
4977 			nla_nest_end(msg, tidattr);
4978 		}
4979 
4980 		nla_nest_end(msg, tidsattr);
4981 	}
4982 
4983 	nla_nest_end(msg, sinfoattr);
4984 
4985 	if (sinfo->assoc_req_ies_len &&
4986 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
4987 		    sinfo->assoc_req_ies))
4988 		goto nla_put_failure;
4989 
4990 	cfg80211_sinfo_release_content(sinfo);
4991 	genlmsg_end(msg, hdr);
4992 	return 0;
4993 
4994  nla_put_failure:
4995 	cfg80211_sinfo_release_content(sinfo);
4996 	genlmsg_cancel(msg, hdr);
4997 	return -EMSGSIZE;
4998 }
4999 
5000 static int nl80211_dump_station(struct sk_buff *skb,
5001 				struct netlink_callback *cb)
5002 {
5003 	struct station_info sinfo;
5004 	struct cfg80211_registered_device *rdev;
5005 	struct wireless_dev *wdev;
5006 	u8 mac_addr[ETH_ALEN];
5007 	int sta_idx = cb->args[2];
5008 	int err;
5009 
5010 	rtnl_lock();
5011 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5012 	if (err)
5013 		goto out_err;
5014 
5015 	if (!wdev->netdev) {
5016 		err = -EINVAL;
5017 		goto out_err;
5018 	}
5019 
5020 	if (!rdev->ops->dump_station) {
5021 		err = -EOPNOTSUPP;
5022 		goto out_err;
5023 	}
5024 
5025 	while (1) {
5026 		memset(&sinfo, 0, sizeof(sinfo));
5027 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5028 					mac_addr, &sinfo);
5029 		if (err == -ENOENT)
5030 			break;
5031 		if (err)
5032 			goto out_err;
5033 
5034 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5035 				NETLINK_CB(cb->skb).portid,
5036 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5037 				rdev, wdev->netdev, mac_addr,
5038 				&sinfo) < 0)
5039 			goto out;
5040 
5041 		sta_idx++;
5042 	}
5043 
5044  out:
5045 	cb->args[2] = sta_idx;
5046 	err = skb->len;
5047  out_err:
5048 	rtnl_unlock();
5049 
5050 	return err;
5051 }
5052 
5053 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5054 {
5055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5056 	struct net_device *dev = info->user_ptr[1];
5057 	struct station_info sinfo;
5058 	struct sk_buff *msg;
5059 	u8 *mac_addr = NULL;
5060 	int err;
5061 
5062 	memset(&sinfo, 0, sizeof(sinfo));
5063 
5064 	if (!info->attrs[NL80211_ATTR_MAC])
5065 		return -EINVAL;
5066 
5067 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5068 
5069 	if (!rdev->ops->get_station)
5070 		return -EOPNOTSUPP;
5071 
5072 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5073 	if (err)
5074 		return err;
5075 
5076 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5077 	if (!msg) {
5078 		cfg80211_sinfo_release_content(&sinfo);
5079 		return -ENOMEM;
5080 	}
5081 
5082 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5083 				 info->snd_portid, info->snd_seq, 0,
5084 				 rdev, dev, mac_addr, &sinfo) < 0) {
5085 		nlmsg_free(msg);
5086 		return -ENOBUFS;
5087 	}
5088 
5089 	return genlmsg_reply(msg, info);
5090 }
5091 
5092 int cfg80211_check_station_change(struct wiphy *wiphy,
5093 				  struct station_parameters *params,
5094 				  enum cfg80211_station_type statype)
5095 {
5096 	if (params->listen_interval != -1 &&
5097 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5098 		return -EINVAL;
5099 
5100 	if (params->support_p2p_ps != -1 &&
5101 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5102 		return -EINVAL;
5103 
5104 	if (params->aid &&
5105 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5106 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5107 		return -EINVAL;
5108 
5109 	/* When you run into this, adjust the code below for the new flag */
5110 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5111 
5112 	switch (statype) {
5113 	case CFG80211_STA_MESH_PEER_KERNEL:
5114 	case CFG80211_STA_MESH_PEER_USER:
5115 		/*
5116 		 * No ignoring the TDLS flag here -- the userspace mesh
5117 		 * code doesn't have the bug of including TDLS in the
5118 		 * mask everywhere.
5119 		 */
5120 		if (params->sta_flags_mask &
5121 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5122 				  BIT(NL80211_STA_FLAG_MFP) |
5123 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5124 			return -EINVAL;
5125 		break;
5126 	case CFG80211_STA_TDLS_PEER_SETUP:
5127 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5128 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5129 			return -EINVAL;
5130 		/* ignore since it can't change */
5131 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5132 		break;
5133 	default:
5134 		/* disallow mesh-specific things */
5135 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5136 			return -EINVAL;
5137 		if (params->local_pm)
5138 			return -EINVAL;
5139 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5140 			return -EINVAL;
5141 	}
5142 
5143 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5144 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5145 		/* TDLS can't be set, ... */
5146 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5147 			return -EINVAL;
5148 		/*
5149 		 * ... but don't bother the driver with it. This works around
5150 		 * a hostapd/wpa_supplicant issue -- it always includes the
5151 		 * TLDS_PEER flag in the mask even for AP mode.
5152 		 */
5153 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5154 	}
5155 
5156 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5157 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5158 		/* reject other things that can't change */
5159 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5160 			return -EINVAL;
5161 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5162 			return -EINVAL;
5163 		if (params->supported_rates)
5164 			return -EINVAL;
5165 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5166 		    params->he_capa)
5167 			return -EINVAL;
5168 	}
5169 
5170 	if (statype != CFG80211_STA_AP_CLIENT &&
5171 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5172 		if (params->vlan)
5173 			return -EINVAL;
5174 	}
5175 
5176 	switch (statype) {
5177 	case CFG80211_STA_AP_MLME_CLIENT:
5178 		/* Use this only for authorizing/unauthorizing a station */
5179 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5180 			return -EOPNOTSUPP;
5181 		break;
5182 	case CFG80211_STA_AP_CLIENT:
5183 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5184 		/* accept only the listed bits */
5185 		if (params->sta_flags_mask &
5186 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5187 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5188 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5189 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5190 				  BIT(NL80211_STA_FLAG_WME) |
5191 				  BIT(NL80211_STA_FLAG_MFP)))
5192 			return -EINVAL;
5193 
5194 		/* but authenticated/associated only if driver handles it */
5195 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5196 		    params->sta_flags_mask &
5197 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5198 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5199 			return -EINVAL;
5200 		break;
5201 	case CFG80211_STA_IBSS:
5202 	case CFG80211_STA_AP_STA:
5203 		/* reject any changes other than AUTHORIZED */
5204 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5205 			return -EINVAL;
5206 		break;
5207 	case CFG80211_STA_TDLS_PEER_SETUP:
5208 		/* reject any changes other than AUTHORIZED or WME */
5209 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5210 					       BIT(NL80211_STA_FLAG_WME)))
5211 			return -EINVAL;
5212 		/* force (at least) rates when authorizing */
5213 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5214 		    !params->supported_rates)
5215 			return -EINVAL;
5216 		break;
5217 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5218 		/* reject any changes */
5219 		return -EINVAL;
5220 	case CFG80211_STA_MESH_PEER_KERNEL:
5221 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5222 			return -EINVAL;
5223 		break;
5224 	case CFG80211_STA_MESH_PEER_USER:
5225 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5226 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5227 			return -EINVAL;
5228 		break;
5229 	}
5230 
5231 	/*
5232 	 * Older kernel versions ignored this attribute entirely, so don't
5233 	 * reject attempts to update it but mark it as unused instead so the
5234 	 * driver won't look at the data.
5235 	 */
5236 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5237 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5238 		params->opmode_notif_used = false;
5239 
5240 	return 0;
5241 }
5242 EXPORT_SYMBOL(cfg80211_check_station_change);
5243 
5244 /*
5245  * Get vlan interface making sure it is running and on the right wiphy.
5246  */
5247 static struct net_device *get_vlan(struct genl_info *info,
5248 				   struct cfg80211_registered_device *rdev)
5249 {
5250 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5251 	struct net_device *v;
5252 	int ret;
5253 
5254 	if (!vlanattr)
5255 		return NULL;
5256 
5257 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5258 	if (!v)
5259 		return ERR_PTR(-ENODEV);
5260 
5261 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5262 		ret = -EINVAL;
5263 		goto error;
5264 	}
5265 
5266 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5267 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5268 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5269 		ret = -EINVAL;
5270 		goto error;
5271 	}
5272 
5273 	if (!netif_running(v)) {
5274 		ret = -ENETDOWN;
5275 		goto error;
5276 	}
5277 
5278 	return v;
5279  error:
5280 	dev_put(v);
5281 	return ERR_PTR(ret);
5282 }
5283 
5284 static const struct nla_policy
5285 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5286 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5287 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5288 };
5289 
5290 static int nl80211_parse_sta_wme(struct genl_info *info,
5291 				 struct station_parameters *params)
5292 {
5293 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5294 	struct nlattr *nla;
5295 	int err;
5296 
5297 	/* parse WME attributes if present */
5298 	if (!info->attrs[NL80211_ATTR_STA_WME])
5299 		return 0;
5300 
5301 	nla = info->attrs[NL80211_ATTR_STA_WME];
5302 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
5303 			       nl80211_sta_wme_policy, info->extack);
5304 	if (err)
5305 		return err;
5306 
5307 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5308 		params->uapsd_queues = nla_get_u8(
5309 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5310 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5311 		return -EINVAL;
5312 
5313 	if (tb[NL80211_STA_WME_MAX_SP])
5314 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5315 
5316 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5317 		return -EINVAL;
5318 
5319 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5320 
5321 	return 0;
5322 }
5323 
5324 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5325 				      struct station_parameters *params)
5326 {
5327 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5328 		params->supported_channels =
5329 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5330 		params->supported_channels_len =
5331 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5332 		/*
5333 		 * Need to include at least one (first channel, number of
5334 		 * channels) tuple for each subband, and must have proper
5335 		 * tuples for the rest of the data as well.
5336 		 */
5337 		if (params->supported_channels_len < 2)
5338 			return -EINVAL;
5339 		if (params->supported_channels_len % 2)
5340 			return -EINVAL;
5341 	}
5342 
5343 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5344 		params->supported_oper_classes =
5345 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5346 		params->supported_oper_classes_len =
5347 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5348 		/*
5349 		 * The value of the Length field of the Supported Operating
5350 		 * Classes element is between 2 and 253.
5351 		 */
5352 		if (params->supported_oper_classes_len < 2 ||
5353 		    params->supported_oper_classes_len > 253)
5354 			return -EINVAL;
5355 	}
5356 	return 0;
5357 }
5358 
5359 static int nl80211_set_station_tdls(struct genl_info *info,
5360 				    struct station_parameters *params)
5361 {
5362 	int err;
5363 	/* Dummy STA entry gets updated once the peer capabilities are known */
5364 	if (info->attrs[NL80211_ATTR_PEER_AID])
5365 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5366 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5367 		params->ht_capa =
5368 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5369 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5370 		params->vht_capa =
5371 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5372 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5373 		params->he_capa =
5374 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5375 		params->he_capa_len =
5376 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5377 
5378 		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5379 			return -EINVAL;
5380 	}
5381 
5382 	err = nl80211_parse_sta_channel_info(info, params);
5383 	if (err)
5384 		return err;
5385 
5386 	return nl80211_parse_sta_wme(info, params);
5387 }
5388 
5389 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5390 {
5391 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5392 	struct net_device *dev = info->user_ptr[1];
5393 	struct station_parameters params;
5394 	u8 *mac_addr;
5395 	int err;
5396 
5397 	memset(&params, 0, sizeof(params));
5398 
5399 	if (!rdev->ops->change_station)
5400 		return -EOPNOTSUPP;
5401 
5402 	/*
5403 	 * AID and listen_interval properties can be set only for unassociated
5404 	 * station. Include these parameters here and will check them in
5405 	 * cfg80211_check_station_change().
5406 	 */
5407 	if (info->attrs[NL80211_ATTR_STA_AID])
5408 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5409 
5410 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5411 		params.listen_interval =
5412 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5413 	else
5414 		params.listen_interval = -1;
5415 
5416 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5417 		params.support_p2p_ps =
5418 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5419 	else
5420 		params.support_p2p_ps = -1;
5421 
5422 	if (!info->attrs[NL80211_ATTR_MAC])
5423 		return -EINVAL;
5424 
5425 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5426 
5427 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5428 		params.supported_rates =
5429 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5430 		params.supported_rates_len =
5431 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5432 	}
5433 
5434 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5435 		params.capability =
5436 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5437 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5438 	}
5439 
5440 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5441 		params.ext_capab =
5442 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5443 		params.ext_capab_len =
5444 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5445 	}
5446 
5447 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5448 		return -EINVAL;
5449 
5450 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5451 		params.plink_action =
5452 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5453 
5454 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5455 		params.plink_state =
5456 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5457 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5458 			params.peer_aid = nla_get_u16(
5459 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5460 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5461 	}
5462 
5463 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5464 		params.local_pm = nla_get_u32(
5465 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5466 
5467 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5468 		params.opmode_notif_used = true;
5469 		params.opmode_notif =
5470 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5471 	}
5472 
5473 	/* Include parameters for TDLS peer (will check later) */
5474 	err = nl80211_set_station_tdls(info, &params);
5475 	if (err)
5476 		return err;
5477 
5478 	params.vlan = get_vlan(info, rdev);
5479 	if (IS_ERR(params.vlan))
5480 		return PTR_ERR(params.vlan);
5481 
5482 	switch (dev->ieee80211_ptr->iftype) {
5483 	case NL80211_IFTYPE_AP:
5484 	case NL80211_IFTYPE_AP_VLAN:
5485 	case NL80211_IFTYPE_P2P_GO:
5486 	case NL80211_IFTYPE_P2P_CLIENT:
5487 	case NL80211_IFTYPE_STATION:
5488 	case NL80211_IFTYPE_ADHOC:
5489 	case NL80211_IFTYPE_MESH_POINT:
5490 		break;
5491 	default:
5492 		err = -EOPNOTSUPP;
5493 		goto out_put_vlan;
5494 	}
5495 
5496 	/* driver will call cfg80211_check_station_change() */
5497 	err = rdev_change_station(rdev, dev, mac_addr, &params);
5498 
5499  out_put_vlan:
5500 	if (params.vlan)
5501 		dev_put(params.vlan);
5502 
5503 	return err;
5504 }
5505 
5506 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5507 {
5508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5509 	int err;
5510 	struct net_device *dev = info->user_ptr[1];
5511 	struct station_parameters params;
5512 	u8 *mac_addr = NULL;
5513 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5514 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
5515 
5516 	memset(&params, 0, sizeof(params));
5517 
5518 	if (!rdev->ops->add_station)
5519 		return -EOPNOTSUPP;
5520 
5521 	if (!info->attrs[NL80211_ATTR_MAC])
5522 		return -EINVAL;
5523 
5524 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5525 		return -EINVAL;
5526 
5527 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5528 		return -EINVAL;
5529 
5530 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
5531 	    !info->attrs[NL80211_ATTR_PEER_AID])
5532 		return -EINVAL;
5533 
5534 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5535 	params.supported_rates =
5536 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5537 	params.supported_rates_len =
5538 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5539 	params.listen_interval =
5540 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5541 
5542 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5543 		params.support_p2p_ps =
5544 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5545 	} else {
5546 		/*
5547 		 * if not specified, assume it's supported for P2P GO interface,
5548 		 * and is NOT supported for AP interface
5549 		 */
5550 		params.support_p2p_ps =
5551 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5552 	}
5553 
5554 	if (info->attrs[NL80211_ATTR_PEER_AID])
5555 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5556 	else
5557 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5558 
5559 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5560 		params.capability =
5561 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5562 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5563 	}
5564 
5565 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5566 		params.ext_capab =
5567 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5568 		params.ext_capab_len =
5569 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5570 	}
5571 
5572 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5573 		params.ht_capa =
5574 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5575 
5576 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5577 		params.vht_capa =
5578 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5579 
5580 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5581 		params.he_capa =
5582 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5583 		params.he_capa_len =
5584 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5585 
5586 		/* max len is validated in nla policy */
5587 		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5588 			return -EINVAL;
5589 	}
5590 
5591 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5592 		params.opmode_notif_used = true;
5593 		params.opmode_notif =
5594 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5595 	}
5596 
5597 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5598 		params.plink_action =
5599 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5600 
5601 	err = nl80211_parse_sta_channel_info(info, &params);
5602 	if (err)
5603 		return err;
5604 
5605 	err = nl80211_parse_sta_wme(info, &params);
5606 	if (err)
5607 		return err;
5608 
5609 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5610 		return -EINVAL;
5611 
5612 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5613 	 * as userspace might just pass through the capabilities from the IEs
5614 	 * directly, rather than enforcing this restriction and returning an
5615 	 * error in this case.
5616 	 */
5617 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5618 		params.ht_capa = NULL;
5619 		params.vht_capa = NULL;
5620 
5621 		/* HE requires WME */
5622 		if (params.he_capa_len)
5623 			return -EINVAL;
5624 	}
5625 
5626 	/* When you run into this, adjust the code below for the new flag */
5627 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5628 
5629 	switch (dev->ieee80211_ptr->iftype) {
5630 	case NL80211_IFTYPE_AP:
5631 	case NL80211_IFTYPE_AP_VLAN:
5632 	case NL80211_IFTYPE_P2P_GO:
5633 		/* ignore WME attributes if iface/sta is not capable */
5634 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5635 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5636 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5637 
5638 		/* TDLS peers cannot be added */
5639 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5640 		    info->attrs[NL80211_ATTR_PEER_AID])
5641 			return -EINVAL;
5642 		/* but don't bother the driver with it */
5643 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5644 
5645 		/* allow authenticated/associated only if driver handles it */
5646 		if (!(rdev->wiphy.features &
5647 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5648 		    params.sta_flags_mask & auth_assoc)
5649 			return -EINVAL;
5650 
5651 		/* Older userspace, or userspace wanting to be compatible with
5652 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5653 		 * and assoc flags in the mask, but assumes the station will be
5654 		 * added as associated anyway since this was the required driver
5655 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5656 		 * introduced.
5657 		 * In order to not bother drivers with this quirk in the API
5658 		 * set the flags in both the mask and set for new stations in
5659 		 * this case.
5660 		 */
5661 		if (!(params.sta_flags_mask & auth_assoc)) {
5662 			params.sta_flags_mask |= auth_assoc;
5663 			params.sta_flags_set |= auth_assoc;
5664 		}
5665 
5666 		/* must be last in here for error handling */
5667 		params.vlan = get_vlan(info, rdev);
5668 		if (IS_ERR(params.vlan))
5669 			return PTR_ERR(params.vlan);
5670 		break;
5671 	case NL80211_IFTYPE_MESH_POINT:
5672 		/* ignore uAPSD data */
5673 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5674 
5675 		/* associated is disallowed */
5676 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5677 			return -EINVAL;
5678 		/* TDLS peers cannot be added */
5679 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5680 		    info->attrs[NL80211_ATTR_PEER_AID])
5681 			return -EINVAL;
5682 		break;
5683 	case NL80211_IFTYPE_STATION:
5684 	case NL80211_IFTYPE_P2P_CLIENT:
5685 		/* ignore uAPSD data */
5686 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5687 
5688 		/* these are disallowed */
5689 		if (params.sta_flags_mask &
5690 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
5691 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5692 			return -EINVAL;
5693 		/* Only TDLS peers can be added */
5694 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5695 			return -EINVAL;
5696 		/* Can only add if TDLS ... */
5697 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5698 			return -EOPNOTSUPP;
5699 		/* ... with external setup is supported */
5700 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5701 			return -EOPNOTSUPP;
5702 		/*
5703 		 * Older wpa_supplicant versions always mark the TDLS peer
5704 		 * as authorized, but it shouldn't yet be.
5705 		 */
5706 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
5707 		break;
5708 	default:
5709 		return -EOPNOTSUPP;
5710 	}
5711 
5712 	/* be aware of params.vlan when changing code here */
5713 
5714 	err = rdev_add_station(rdev, dev, mac_addr, &params);
5715 
5716 	if (params.vlan)
5717 		dev_put(params.vlan);
5718 	return err;
5719 }
5720 
5721 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
5722 {
5723 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5724 	struct net_device *dev = info->user_ptr[1];
5725 	struct station_del_parameters params;
5726 
5727 	memset(&params, 0, sizeof(params));
5728 
5729 	if (info->attrs[NL80211_ATTR_MAC])
5730 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
5731 
5732 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5733 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5734 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5735 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5736 		return -EINVAL;
5737 
5738 	if (!rdev->ops->del_station)
5739 		return -EOPNOTSUPP;
5740 
5741 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
5742 		params.subtype =
5743 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
5744 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
5745 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
5746 			return -EINVAL;
5747 	} else {
5748 		/* Default to Deauthentication frame */
5749 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
5750 	}
5751 
5752 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
5753 		params.reason_code =
5754 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5755 		if (params.reason_code == 0)
5756 			return -EINVAL; /* 0 is reserved */
5757 	} else {
5758 		/* Default to reason code 2 */
5759 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
5760 	}
5761 
5762 	return rdev_del_station(rdev, dev, &params);
5763 }
5764 
5765 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
5766 				int flags, struct net_device *dev,
5767 				u8 *dst, u8 *next_hop,
5768 				struct mpath_info *pinfo)
5769 {
5770 	void *hdr;
5771 	struct nlattr *pinfoattr;
5772 
5773 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
5774 	if (!hdr)
5775 		return -1;
5776 
5777 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5778 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
5779 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
5780 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
5781 		goto nla_put_failure;
5782 
5783 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
5784 	if (!pinfoattr)
5785 		goto nla_put_failure;
5786 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
5787 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
5788 			pinfo->frame_qlen))
5789 		goto nla_put_failure;
5790 	if (((pinfo->filled & MPATH_INFO_SN) &&
5791 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
5792 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
5793 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
5794 			 pinfo->metric)) ||
5795 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
5796 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
5797 			 pinfo->exptime)) ||
5798 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
5799 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
5800 			pinfo->flags)) ||
5801 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
5802 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
5803 			 pinfo->discovery_timeout)) ||
5804 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
5805 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
5806 			pinfo->discovery_retries)))
5807 		goto nla_put_failure;
5808 
5809 	nla_nest_end(msg, pinfoattr);
5810 
5811 	genlmsg_end(msg, hdr);
5812 	return 0;
5813 
5814  nla_put_failure:
5815 	genlmsg_cancel(msg, hdr);
5816 	return -EMSGSIZE;
5817 }
5818 
5819 static int nl80211_dump_mpath(struct sk_buff *skb,
5820 			      struct netlink_callback *cb)
5821 {
5822 	struct mpath_info pinfo;
5823 	struct cfg80211_registered_device *rdev;
5824 	struct wireless_dev *wdev;
5825 	u8 dst[ETH_ALEN];
5826 	u8 next_hop[ETH_ALEN];
5827 	int path_idx = cb->args[2];
5828 	int err;
5829 
5830 	rtnl_lock();
5831 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5832 	if (err)
5833 		goto out_err;
5834 
5835 	if (!rdev->ops->dump_mpath) {
5836 		err = -EOPNOTSUPP;
5837 		goto out_err;
5838 	}
5839 
5840 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5841 		err = -EOPNOTSUPP;
5842 		goto out_err;
5843 	}
5844 
5845 	while (1) {
5846 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
5847 				      next_hop, &pinfo);
5848 		if (err == -ENOENT)
5849 			break;
5850 		if (err)
5851 			goto out_err;
5852 
5853 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5854 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
5855 				       wdev->netdev, dst, next_hop,
5856 				       &pinfo) < 0)
5857 			goto out;
5858 
5859 		path_idx++;
5860 	}
5861 
5862  out:
5863 	cb->args[2] = path_idx;
5864 	err = skb->len;
5865  out_err:
5866 	rtnl_unlock();
5867 	return err;
5868 }
5869 
5870 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
5871 {
5872 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5873 	int err;
5874 	struct net_device *dev = info->user_ptr[1];
5875 	struct mpath_info pinfo;
5876 	struct sk_buff *msg;
5877 	u8 *dst = NULL;
5878 	u8 next_hop[ETH_ALEN];
5879 
5880 	memset(&pinfo, 0, sizeof(pinfo));
5881 
5882 	if (!info->attrs[NL80211_ATTR_MAC])
5883 		return -EINVAL;
5884 
5885 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5886 
5887 	if (!rdev->ops->get_mpath)
5888 		return -EOPNOTSUPP;
5889 
5890 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5891 		return -EOPNOTSUPP;
5892 
5893 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
5894 	if (err)
5895 		return err;
5896 
5897 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5898 	if (!msg)
5899 		return -ENOMEM;
5900 
5901 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5902 				 dev, dst, next_hop, &pinfo) < 0) {
5903 		nlmsg_free(msg);
5904 		return -ENOBUFS;
5905 	}
5906 
5907 	return genlmsg_reply(msg, info);
5908 }
5909 
5910 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
5911 {
5912 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5913 	struct net_device *dev = info->user_ptr[1];
5914 	u8 *dst = NULL;
5915 	u8 *next_hop = NULL;
5916 
5917 	if (!info->attrs[NL80211_ATTR_MAC])
5918 		return -EINVAL;
5919 
5920 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5921 		return -EINVAL;
5922 
5923 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5924 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5925 
5926 	if (!rdev->ops->change_mpath)
5927 		return -EOPNOTSUPP;
5928 
5929 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5930 		return -EOPNOTSUPP;
5931 
5932 	return rdev_change_mpath(rdev, dev, dst, next_hop);
5933 }
5934 
5935 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
5936 {
5937 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5938 	struct net_device *dev = info->user_ptr[1];
5939 	u8 *dst = NULL;
5940 	u8 *next_hop = NULL;
5941 
5942 	if (!info->attrs[NL80211_ATTR_MAC])
5943 		return -EINVAL;
5944 
5945 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5946 		return -EINVAL;
5947 
5948 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5949 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5950 
5951 	if (!rdev->ops->add_mpath)
5952 		return -EOPNOTSUPP;
5953 
5954 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5955 		return -EOPNOTSUPP;
5956 
5957 	return rdev_add_mpath(rdev, dev, dst, next_hop);
5958 }
5959 
5960 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
5961 {
5962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5963 	struct net_device *dev = info->user_ptr[1];
5964 	u8 *dst = NULL;
5965 
5966 	if (info->attrs[NL80211_ATTR_MAC])
5967 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5968 
5969 	if (!rdev->ops->del_mpath)
5970 		return -EOPNOTSUPP;
5971 
5972 	return rdev_del_mpath(rdev, dev, dst);
5973 }
5974 
5975 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
5976 {
5977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5978 	int err;
5979 	struct net_device *dev = info->user_ptr[1];
5980 	struct mpath_info pinfo;
5981 	struct sk_buff *msg;
5982 	u8 *dst = NULL;
5983 	u8 mpp[ETH_ALEN];
5984 
5985 	memset(&pinfo, 0, sizeof(pinfo));
5986 
5987 	if (!info->attrs[NL80211_ATTR_MAC])
5988 		return -EINVAL;
5989 
5990 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5991 
5992 	if (!rdev->ops->get_mpp)
5993 		return -EOPNOTSUPP;
5994 
5995 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5996 		return -EOPNOTSUPP;
5997 
5998 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
5999 	if (err)
6000 		return err;
6001 
6002 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6003 	if (!msg)
6004 		return -ENOMEM;
6005 
6006 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6007 			       dev, dst, mpp, &pinfo) < 0) {
6008 		nlmsg_free(msg);
6009 		return -ENOBUFS;
6010 	}
6011 
6012 	return genlmsg_reply(msg, info);
6013 }
6014 
6015 static int nl80211_dump_mpp(struct sk_buff *skb,
6016 			    struct netlink_callback *cb)
6017 {
6018 	struct mpath_info pinfo;
6019 	struct cfg80211_registered_device *rdev;
6020 	struct wireless_dev *wdev;
6021 	u8 dst[ETH_ALEN];
6022 	u8 mpp[ETH_ALEN];
6023 	int path_idx = cb->args[2];
6024 	int err;
6025 
6026 	rtnl_lock();
6027 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6028 	if (err)
6029 		goto out_err;
6030 
6031 	if (!rdev->ops->dump_mpp) {
6032 		err = -EOPNOTSUPP;
6033 		goto out_err;
6034 	}
6035 
6036 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6037 		err = -EOPNOTSUPP;
6038 		goto out_err;
6039 	}
6040 
6041 	while (1) {
6042 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6043 				    mpp, &pinfo);
6044 		if (err == -ENOENT)
6045 			break;
6046 		if (err)
6047 			goto out_err;
6048 
6049 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6050 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6051 				       wdev->netdev, dst, mpp,
6052 				       &pinfo) < 0)
6053 			goto out;
6054 
6055 		path_idx++;
6056 	}
6057 
6058  out:
6059 	cb->args[2] = path_idx;
6060 	err = skb->len;
6061  out_err:
6062 	rtnl_unlock();
6063 	return err;
6064 }
6065 
6066 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6067 {
6068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6069 	struct net_device *dev = info->user_ptr[1];
6070 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6071 	struct bss_parameters params;
6072 	int err;
6073 
6074 	memset(&params, 0, sizeof(params));
6075 	/* default to not changing parameters */
6076 	params.use_cts_prot = -1;
6077 	params.use_short_preamble = -1;
6078 	params.use_short_slot_time = -1;
6079 	params.ap_isolate = -1;
6080 	params.ht_opmode = -1;
6081 	params.p2p_ctwindow = -1;
6082 	params.p2p_opp_ps = -1;
6083 
6084 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6085 		params.use_cts_prot =
6086 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6087 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6088 		params.use_short_preamble =
6089 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6090 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6091 		params.use_short_slot_time =
6092 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6093 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6094 		params.basic_rates =
6095 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6096 		params.basic_rates_len =
6097 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6098 	}
6099 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6100 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6101 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6102 		params.ht_opmode =
6103 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6104 
6105 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6106 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6107 			return -EINVAL;
6108 		params.p2p_ctwindow =
6109 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6110 		if (params.p2p_ctwindow != 0 &&
6111 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6112 			return -EINVAL;
6113 	}
6114 
6115 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6116 		u8 tmp;
6117 
6118 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6119 			return -EINVAL;
6120 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6121 		params.p2p_opp_ps = tmp;
6122 		if (params.p2p_opp_ps &&
6123 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6124 			return -EINVAL;
6125 	}
6126 
6127 	if (!rdev->ops->change_bss)
6128 		return -EOPNOTSUPP;
6129 
6130 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6131 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6132 		return -EOPNOTSUPP;
6133 
6134 	wdev_lock(wdev);
6135 	err = rdev_change_bss(rdev, dev, &params);
6136 	wdev_unlock(wdev);
6137 
6138 	return err;
6139 }
6140 
6141 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6142 {
6143 	char *data = NULL;
6144 	bool is_indoor;
6145 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6146 	u32 owner_nlportid;
6147 
6148 	/*
6149 	 * You should only get this when cfg80211 hasn't yet initialized
6150 	 * completely when built-in to the kernel right between the time
6151 	 * window between nl80211_init() and regulatory_init(), if that is
6152 	 * even possible.
6153 	 */
6154 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6155 		return -EINPROGRESS;
6156 
6157 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6158 		user_reg_hint_type =
6159 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6160 	else
6161 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6162 
6163 	switch (user_reg_hint_type) {
6164 	case NL80211_USER_REG_HINT_USER:
6165 	case NL80211_USER_REG_HINT_CELL_BASE:
6166 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6167 			return -EINVAL;
6168 
6169 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6170 		return regulatory_hint_user(data, user_reg_hint_type);
6171 	case NL80211_USER_REG_HINT_INDOOR:
6172 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6173 			owner_nlportid = info->snd_portid;
6174 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6175 		} else {
6176 			owner_nlportid = 0;
6177 			is_indoor = true;
6178 		}
6179 
6180 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6181 	default:
6182 		return -EINVAL;
6183 	}
6184 }
6185 
6186 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6187 {
6188 	return reg_reload_regdb();
6189 }
6190 
6191 static int nl80211_get_mesh_config(struct sk_buff *skb,
6192 				   struct genl_info *info)
6193 {
6194 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6195 	struct net_device *dev = info->user_ptr[1];
6196 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6197 	struct mesh_config cur_params;
6198 	int err = 0;
6199 	void *hdr;
6200 	struct nlattr *pinfoattr;
6201 	struct sk_buff *msg;
6202 
6203 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6204 		return -EOPNOTSUPP;
6205 
6206 	if (!rdev->ops->get_mesh_config)
6207 		return -EOPNOTSUPP;
6208 
6209 	wdev_lock(wdev);
6210 	/* If not connected, get default parameters */
6211 	if (!wdev->mesh_id_len)
6212 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6213 	else
6214 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6215 	wdev_unlock(wdev);
6216 
6217 	if (err)
6218 		return err;
6219 
6220 	/* Draw up a netlink message to send back */
6221 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6222 	if (!msg)
6223 		return -ENOMEM;
6224 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6225 			     NL80211_CMD_GET_MESH_CONFIG);
6226 	if (!hdr)
6227 		goto out;
6228 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
6229 	if (!pinfoattr)
6230 		goto nla_put_failure;
6231 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6232 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6233 			cur_params.dot11MeshRetryTimeout) ||
6234 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6235 			cur_params.dot11MeshConfirmTimeout) ||
6236 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6237 			cur_params.dot11MeshHoldingTimeout) ||
6238 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6239 			cur_params.dot11MeshMaxPeerLinks) ||
6240 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6241 		       cur_params.dot11MeshMaxRetries) ||
6242 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6243 		       cur_params.dot11MeshTTL) ||
6244 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6245 		       cur_params.element_ttl) ||
6246 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6247 		       cur_params.auto_open_plinks) ||
6248 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6249 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6250 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6251 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6252 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6253 			cur_params.path_refresh_time) ||
6254 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6255 			cur_params.min_discovery_timeout) ||
6256 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6257 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6258 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6259 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6260 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6261 			cur_params.dot11MeshHWMPperrMinInterval) ||
6262 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6263 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6264 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6265 		       cur_params.dot11MeshHWMPRootMode) ||
6266 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6267 			cur_params.dot11MeshHWMPRannInterval) ||
6268 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6269 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6270 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6271 		       cur_params.dot11MeshForwarding) ||
6272 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6273 			cur_params.rssi_threshold) ||
6274 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6275 			cur_params.ht_opmode) ||
6276 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6277 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6278 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6279 			cur_params.dot11MeshHWMProotInterval) ||
6280 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6281 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6282 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6283 			cur_params.power_mode) ||
6284 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6285 			cur_params.dot11MeshAwakeWindowDuration) ||
6286 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6287 			cur_params.plink_timeout) ||
6288 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
6289 		       cur_params.dot11MeshConnectedToMeshGate))
6290 		goto nla_put_failure;
6291 	nla_nest_end(msg, pinfoattr);
6292 	genlmsg_end(msg, hdr);
6293 	return genlmsg_reply(msg, info);
6294 
6295  nla_put_failure:
6296  out:
6297 	nlmsg_free(msg);
6298 	return -ENOBUFS;
6299 }
6300 
6301 static const struct nla_policy
6302 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6303 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
6304 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6305 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6306 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6307 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
6308 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6309 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
6310 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
6311 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6312 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6313 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6314 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6315 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6316 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
6317 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6318 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6319 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6320 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6321 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6322 		NLA_POLICY_MIN(NLA_U16, 1),
6323 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6324 		NLA_POLICY_MIN(NLA_U16, 1),
6325 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6326 		NLA_POLICY_MIN(NLA_U16, 1),
6327 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6328 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6329 		NLA_POLICY_MIN(NLA_U16, 1),
6330 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6331 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6332 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
6333 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
6334 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6335 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6336 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6337 		NLA_POLICY_MIN(NLA_U16, 1),
6338 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6339 		NLA_POLICY_MIN(NLA_U16, 1),
6340 	[NL80211_MESHCONF_POWER_MODE] =
6341 		NLA_POLICY_RANGE(NLA_U32,
6342 				 NL80211_MESH_POWER_ACTIVE,
6343 				 NL80211_MESH_POWER_MAX),
6344 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6345 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6346 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
6347 };
6348 
6349 static const struct nla_policy
6350 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6351 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6352 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6353 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6354 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6355 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6356 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6357 	[NL80211_MESH_SETUP_IE] =
6358 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6359 				       IEEE80211_MAX_DATA_LEN),
6360 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6361 };
6362 
6363 static int nl80211_parse_mesh_config(struct genl_info *info,
6364 				     struct mesh_config *cfg,
6365 				     u32 *mask_out)
6366 {
6367 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6368 	u32 mask = 0;
6369 	u16 ht_opmode;
6370 
6371 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
6372 do {									\
6373 	if (tb[attr]) {							\
6374 		cfg->param = fn(tb[attr]);				\
6375 		mask |= BIT((attr) - 1);				\
6376 	}								\
6377 } while (0)
6378 
6379 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6380 		return -EINVAL;
6381 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
6382 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
6383 			     nl80211_meshconf_params_policy, info->extack))
6384 		return -EINVAL;
6385 
6386 	/* This makes sure that there aren't more than 32 mesh config
6387 	 * parameters (otherwise our bitfield scheme would not work.) */
6388 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6389 
6390 	/* Fill in the params struct */
6391 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6392 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6393 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6394 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
6395 				  nla_get_u16);
6396 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6397 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
6398 				  nla_get_u16);
6399 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6400 				  NL80211_MESHCONF_MAX_PEER_LINKS,
6401 				  nla_get_u16);
6402 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6403 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6404 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6405 				  NL80211_MESHCONF_TTL, nla_get_u8);
6406 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6407 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6408 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6409 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6410 				  nla_get_u8);
6411 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6412 				  mask,
6413 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6414 				  nla_get_u32);
6415 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6416 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6417 				  nla_get_u8);
6418 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6419 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
6420 				  nla_get_u32);
6421 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6422 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6423 		return -EINVAL;
6424 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6425 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6426 				  nla_get_u16);
6427 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6428 				  mask,
6429 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6430 				  nla_get_u32);
6431 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
6432 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
6433 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
6434 		return -EINVAL;
6435 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
6436 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6437 				  nla_get_u16);
6438 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
6439 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6440 				  nla_get_u16);
6441 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6442 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
6443 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6444 				  nla_get_u16);
6445 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
6446 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
6447 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
6448 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6449 				  nla_get_u16);
6450 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
6451 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6452 				  nla_get_u8);
6453 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
6454 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
6455 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
6456 				  NL80211_MESHCONF_RSSI_THRESHOLD,
6457 				  nla_get_s32);
6458 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
6459 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
6460 				  nla_get_u8);
6461 	/*
6462 	 * Check HT operation mode based on
6463 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6464 	 */
6465 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6466 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6467 
6468 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6469 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6470 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6471 			return -EINVAL;
6472 
6473 		/* NON_HT_STA bit is reserved, but some programs set it */
6474 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6475 
6476 		cfg->ht_opmode = ht_opmode;
6477 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6478 	}
6479 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6480 				  dot11MeshHWMPactivePathToRootTimeout, mask,
6481 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6482 				  nla_get_u32);
6483 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
6484 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
6485 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
6486 		return -EINVAL;
6487 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
6488 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6489 				  nla_get_u16);
6490 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
6491 				  mask,
6492 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6493 				  nla_get_u16);
6494 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
6495 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
6496 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
6497 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
6498 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
6499 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
6500 	if (mask_out)
6501 		*mask_out = mask;
6502 
6503 	return 0;
6504 
6505 #undef FILL_IN_MESH_PARAM_IF_SET
6506 }
6507 
6508 static int nl80211_parse_mesh_setup(struct genl_info *info,
6509 				     struct mesh_setup *setup)
6510 {
6511 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6512 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6513 
6514 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6515 		return -EINVAL;
6516 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
6517 			     info->attrs[NL80211_ATTR_MESH_SETUP],
6518 			     nl80211_mesh_setup_params_policy, info->extack))
6519 		return -EINVAL;
6520 
6521 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6522 		setup->sync_method =
6523 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6524 		 IEEE80211_SYNC_METHOD_VENDOR :
6525 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6526 
6527 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6528 		setup->path_sel_proto =
6529 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6530 		 IEEE80211_PATH_PROTOCOL_VENDOR :
6531 		 IEEE80211_PATH_PROTOCOL_HWMP;
6532 
6533 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6534 		setup->path_metric =
6535 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6536 		 IEEE80211_PATH_METRIC_VENDOR :
6537 		 IEEE80211_PATH_METRIC_AIRTIME;
6538 
6539 	if (tb[NL80211_MESH_SETUP_IE]) {
6540 		struct nlattr *ieattr =
6541 			tb[NL80211_MESH_SETUP_IE];
6542 		setup->ie = nla_data(ieattr);
6543 		setup->ie_len = nla_len(ieattr);
6544 	}
6545 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6546 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6547 		return -EINVAL;
6548 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6549 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6550 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6551 	if (setup->is_secure)
6552 		setup->user_mpm = true;
6553 
6554 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6555 		if (!setup->user_mpm)
6556 			return -EINVAL;
6557 		setup->auth_id =
6558 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6559 	}
6560 
6561 	return 0;
6562 }
6563 
6564 static int nl80211_update_mesh_config(struct sk_buff *skb,
6565 				      struct genl_info *info)
6566 {
6567 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6568 	struct net_device *dev = info->user_ptr[1];
6569 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6570 	struct mesh_config cfg;
6571 	u32 mask;
6572 	int err;
6573 
6574 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6575 		return -EOPNOTSUPP;
6576 
6577 	if (!rdev->ops->update_mesh_config)
6578 		return -EOPNOTSUPP;
6579 
6580 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6581 	if (err)
6582 		return err;
6583 
6584 	wdev_lock(wdev);
6585 	if (!wdev->mesh_id_len)
6586 		err = -ENOLINK;
6587 
6588 	if (!err)
6589 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6590 
6591 	wdev_unlock(wdev);
6592 
6593 	return err;
6594 }
6595 
6596 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6597 			      struct sk_buff *msg)
6598 {
6599 	struct nlattr *nl_reg_rules;
6600 	unsigned int i;
6601 
6602 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6603 	    (regdom->dfs_region &&
6604 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6605 		goto nla_put_failure;
6606 
6607 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
6608 	if (!nl_reg_rules)
6609 		goto nla_put_failure;
6610 
6611 	for (i = 0; i < regdom->n_reg_rules; i++) {
6612 		struct nlattr *nl_reg_rule;
6613 		const struct ieee80211_reg_rule *reg_rule;
6614 		const struct ieee80211_freq_range *freq_range;
6615 		const struct ieee80211_power_rule *power_rule;
6616 		unsigned int max_bandwidth_khz;
6617 
6618 		reg_rule = &regdom->reg_rules[i];
6619 		freq_range = &reg_rule->freq_range;
6620 		power_rule = &reg_rule->power_rule;
6621 
6622 		nl_reg_rule = nla_nest_start(msg, i);
6623 		if (!nl_reg_rule)
6624 			goto nla_put_failure;
6625 
6626 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6627 		if (!max_bandwidth_khz)
6628 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6629 								  reg_rule);
6630 
6631 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6632 				reg_rule->flags) ||
6633 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6634 				freq_range->start_freq_khz) ||
6635 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6636 				freq_range->end_freq_khz) ||
6637 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6638 				max_bandwidth_khz) ||
6639 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6640 				power_rule->max_antenna_gain) ||
6641 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6642 				power_rule->max_eirp) ||
6643 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6644 				reg_rule->dfs_cac_ms))
6645 			goto nla_put_failure;
6646 
6647 		nla_nest_end(msg, nl_reg_rule);
6648 	}
6649 
6650 	nla_nest_end(msg, nl_reg_rules);
6651 	return 0;
6652 
6653 nla_put_failure:
6654 	return -EMSGSIZE;
6655 }
6656 
6657 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6658 {
6659 	const struct ieee80211_regdomain *regdom = NULL;
6660 	struct cfg80211_registered_device *rdev;
6661 	struct wiphy *wiphy = NULL;
6662 	struct sk_buff *msg;
6663 	void *hdr;
6664 
6665 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6666 	if (!msg)
6667 		return -ENOBUFS;
6668 
6669 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6670 			     NL80211_CMD_GET_REG);
6671 	if (!hdr)
6672 		goto put_failure;
6673 
6674 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6675 		bool self_managed;
6676 
6677 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6678 		if (IS_ERR(rdev)) {
6679 			nlmsg_free(msg);
6680 			return PTR_ERR(rdev);
6681 		}
6682 
6683 		wiphy = &rdev->wiphy;
6684 		self_managed = wiphy->regulatory_flags &
6685 			       REGULATORY_WIPHY_SELF_MANAGED;
6686 		regdom = get_wiphy_regdom(wiphy);
6687 
6688 		/* a self-managed-reg device must have a private regdom */
6689 		if (WARN_ON(!regdom && self_managed)) {
6690 			nlmsg_free(msg);
6691 			return -EINVAL;
6692 		}
6693 
6694 		if (regdom &&
6695 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6696 			goto nla_put_failure;
6697 	}
6698 
6699 	if (!wiphy && reg_last_request_cell_base() &&
6700 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6701 			NL80211_USER_REG_HINT_CELL_BASE))
6702 		goto nla_put_failure;
6703 
6704 	rcu_read_lock();
6705 
6706 	if (!regdom)
6707 		regdom = rcu_dereference(cfg80211_regdomain);
6708 
6709 	if (nl80211_put_regdom(regdom, msg))
6710 		goto nla_put_failure_rcu;
6711 
6712 	rcu_read_unlock();
6713 
6714 	genlmsg_end(msg, hdr);
6715 	return genlmsg_reply(msg, info);
6716 
6717 nla_put_failure_rcu:
6718 	rcu_read_unlock();
6719 nla_put_failure:
6720 put_failure:
6721 	nlmsg_free(msg);
6722 	return -EMSGSIZE;
6723 }
6724 
6725 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6726 			       u32 seq, int flags, struct wiphy *wiphy,
6727 			       const struct ieee80211_regdomain *regdom)
6728 {
6729 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6730 				   NL80211_CMD_GET_REG);
6731 
6732 	if (!hdr)
6733 		return -1;
6734 
6735 	genl_dump_check_consistent(cb, hdr);
6736 
6737 	if (nl80211_put_regdom(regdom, msg))
6738 		goto nla_put_failure;
6739 
6740 	if (!wiphy && reg_last_request_cell_base() &&
6741 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6742 			NL80211_USER_REG_HINT_CELL_BASE))
6743 		goto nla_put_failure;
6744 
6745 	if (wiphy &&
6746 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6747 		goto nla_put_failure;
6748 
6749 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6750 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6751 		goto nla_put_failure;
6752 
6753 	genlmsg_end(msg, hdr);
6754 	return 0;
6755 
6756 nla_put_failure:
6757 	genlmsg_cancel(msg, hdr);
6758 	return -EMSGSIZE;
6759 }
6760 
6761 static int nl80211_get_reg_dump(struct sk_buff *skb,
6762 				struct netlink_callback *cb)
6763 {
6764 	const struct ieee80211_regdomain *regdom = NULL;
6765 	struct cfg80211_registered_device *rdev;
6766 	int err, reg_idx, start = cb->args[2];
6767 
6768 	rtnl_lock();
6769 
6770 	if (cfg80211_regdomain && start == 0) {
6771 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6772 					  NLM_F_MULTI, NULL,
6773 					  rtnl_dereference(cfg80211_regdomain));
6774 		if (err < 0)
6775 			goto out_err;
6776 	}
6777 
6778 	/* the global regdom is idx 0 */
6779 	reg_idx = 1;
6780 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6781 		regdom = get_wiphy_regdom(&rdev->wiphy);
6782 		if (!regdom)
6783 			continue;
6784 
6785 		if (++reg_idx <= start)
6786 			continue;
6787 
6788 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6789 					  NLM_F_MULTI, &rdev->wiphy, regdom);
6790 		if (err < 0) {
6791 			reg_idx--;
6792 			break;
6793 		}
6794 	}
6795 
6796 	cb->args[2] = reg_idx;
6797 	err = skb->len;
6798 out_err:
6799 	rtnl_unlock();
6800 	return err;
6801 }
6802 
6803 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
6804 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6805 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
6806 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
6807 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
6808 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
6809 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
6810 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
6811 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
6812 };
6813 
6814 static int parse_reg_rule(struct nlattr *tb[],
6815 	struct ieee80211_reg_rule *reg_rule)
6816 {
6817 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
6818 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
6819 
6820 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
6821 		return -EINVAL;
6822 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
6823 		return -EINVAL;
6824 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
6825 		return -EINVAL;
6826 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
6827 		return -EINVAL;
6828 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
6829 		return -EINVAL;
6830 
6831 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
6832 
6833 	freq_range->start_freq_khz =
6834 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
6835 	freq_range->end_freq_khz =
6836 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
6837 	freq_range->max_bandwidth_khz =
6838 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
6839 
6840 	power_rule->max_eirp =
6841 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
6842 
6843 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
6844 		power_rule->max_antenna_gain =
6845 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
6846 
6847 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
6848 		reg_rule->dfs_cac_ms =
6849 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
6850 
6851 	return 0;
6852 }
6853 
6854 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6855 {
6856 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6857 	struct nlattr *nl_reg_rule;
6858 	char *alpha2;
6859 	int rem_reg_rules, r;
6860 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
6861 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6862 	struct ieee80211_regdomain *rd;
6863 
6864 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6865 		return -EINVAL;
6866 
6867 	if (!info->attrs[NL80211_ATTR_REG_RULES])
6868 		return -EINVAL;
6869 
6870 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6871 
6872 	if (info->attrs[NL80211_ATTR_DFS_REGION])
6873 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6874 
6875 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6876 			    rem_reg_rules) {
6877 		num_rules++;
6878 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6879 			return -EINVAL;
6880 	}
6881 
6882 	if (!reg_is_valid_request(alpha2))
6883 		return -EINVAL;
6884 
6885 	size_of_regd = sizeof(struct ieee80211_regdomain) +
6886 		       num_rules * sizeof(struct ieee80211_reg_rule);
6887 
6888 	rd = kzalloc(size_of_regd, GFP_KERNEL);
6889 	if (!rd)
6890 		return -ENOMEM;
6891 
6892 	rd->n_reg_rules = num_rules;
6893 	rd->alpha2[0] = alpha2[0];
6894 	rd->alpha2[1] = alpha2[1];
6895 
6896 	/*
6897 	 * Disable DFS master mode if the DFS region was
6898 	 * not supported or known on this kernel.
6899 	 */
6900 	if (reg_supported_dfs_region(dfs_region))
6901 		rd->dfs_region = dfs_region;
6902 
6903 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6904 			    rem_reg_rules) {
6905 		r = nla_parse_nested(tb, NL80211_REG_RULE_ATTR_MAX,
6906 				     nl_reg_rule, reg_rule_policy,
6907 				     info->extack);
6908 		if (r)
6909 			goto bad_reg;
6910 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
6911 		if (r)
6912 			goto bad_reg;
6913 
6914 		rule_idx++;
6915 
6916 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
6917 			r = -EINVAL;
6918 			goto bad_reg;
6919 		}
6920 	}
6921 
6922 	/* set_regdom takes ownership of rd */
6923 	return set_regdom(rd, REGD_SOURCE_CRDA);
6924  bad_reg:
6925 	kfree(rd);
6926 	return r;
6927 }
6928 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
6929 
6930 static int validate_scan_freqs(struct nlattr *freqs)
6931 {
6932 	struct nlattr *attr1, *attr2;
6933 	int n_channels = 0, tmp1, tmp2;
6934 
6935 	nla_for_each_nested(attr1, freqs, tmp1)
6936 		if (nla_len(attr1) != sizeof(u32))
6937 			return 0;
6938 
6939 	nla_for_each_nested(attr1, freqs, tmp1) {
6940 		n_channels++;
6941 		/*
6942 		 * Some hardware has a limited channel list for
6943 		 * scanning, and it is pretty much nonsensical
6944 		 * to scan for a channel twice, so disallow that
6945 		 * and don't require drivers to check that the
6946 		 * channel list they get isn't longer than what
6947 		 * they can scan, as long as they can scan all
6948 		 * the channels they registered at once.
6949 		 */
6950 		nla_for_each_nested(attr2, freqs, tmp2)
6951 			if (attr1 != attr2 &&
6952 			    nla_get_u32(attr1) == nla_get_u32(attr2))
6953 				return 0;
6954 	}
6955 
6956 	return n_channels;
6957 }
6958 
6959 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
6960 {
6961 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
6962 }
6963 
6964 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
6965 			    struct cfg80211_bss_selection *bss_select)
6966 {
6967 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
6968 	struct nlattr *nest;
6969 	int err;
6970 	bool found = false;
6971 	int i;
6972 
6973 	/* only process one nested attribute */
6974 	nest = nla_data(nla);
6975 	if (!nla_ok(nest, nla_len(nest)))
6976 		return -EINVAL;
6977 
6978 	err = nla_parse_nested(attr, NL80211_BSS_SELECT_ATTR_MAX, nest,
6979 			       nl80211_bss_select_policy, NULL);
6980 	if (err)
6981 		return err;
6982 
6983 	/* only one attribute may be given */
6984 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
6985 		if (attr[i]) {
6986 			if (found)
6987 				return -EINVAL;
6988 			found = true;
6989 		}
6990 	}
6991 
6992 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
6993 
6994 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
6995 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
6996 
6997 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
6998 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
6999 		bss_select->param.band_pref =
7000 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7001 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7002 			return -EINVAL;
7003 	}
7004 
7005 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7006 		struct nl80211_bss_select_rssi_adjust *adj_param;
7007 
7008 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7009 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7010 		bss_select->param.adjust.band = adj_param->band;
7011 		bss_select->param.adjust.delta = adj_param->delta;
7012 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7013 			return -EINVAL;
7014 	}
7015 
7016 	/* user-space did not provide behaviour attribute */
7017 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7018 		return -EINVAL;
7019 
7020 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7021 		return -EINVAL;
7022 
7023 	return 0;
7024 }
7025 
7026 int nl80211_parse_random_mac(struct nlattr **attrs,
7027 			     u8 *mac_addr, u8 *mac_addr_mask)
7028 {
7029 	int i;
7030 
7031 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7032 		eth_zero_addr(mac_addr);
7033 		eth_zero_addr(mac_addr_mask);
7034 		mac_addr[0] = 0x2;
7035 		mac_addr_mask[0] = 0x3;
7036 
7037 		return 0;
7038 	}
7039 
7040 	/* need both or none */
7041 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7042 		return -EINVAL;
7043 
7044 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7045 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7046 
7047 	/* don't allow or configure an mcast address */
7048 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7049 	    is_multicast_ether_addr(mac_addr))
7050 		return -EINVAL;
7051 
7052 	/*
7053 	 * allow users to pass a MAC address that has bits set outside
7054 	 * of the mask, but don't bother drivers with having to deal
7055 	 * with such bits
7056 	 */
7057 	for (i = 0; i < ETH_ALEN; i++)
7058 		mac_addr[i] &= mac_addr_mask[i];
7059 
7060 	return 0;
7061 }
7062 
7063 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7064 {
7065 	ASSERT_WDEV_LOCK(wdev);
7066 
7067 	if (!cfg80211_beaconing_iface_active(wdev))
7068 		return true;
7069 
7070 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7071 		return true;
7072 
7073 	return regulatory_pre_cac_allowed(wdev->wiphy);
7074 }
7075 
7076 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7077 				    enum nl80211_ext_feature_index feat)
7078 {
7079 	if (!(flags & flag))
7080 		return true;
7081 	if (wiphy_ext_feature_isset(wiphy, feat))
7082 		return true;
7083 	return false;
7084 }
7085 
7086 static int
7087 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7088 			 void *request, struct nlattr **attrs,
7089 			 bool is_sched_scan)
7090 {
7091 	u8 *mac_addr, *mac_addr_mask;
7092 	u32 *flags;
7093 	enum nl80211_feature_flags randomness_flag;
7094 
7095 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7096 		return 0;
7097 
7098 	if (is_sched_scan) {
7099 		struct cfg80211_sched_scan_request *req = request;
7100 
7101 		randomness_flag = wdev ?
7102 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7103 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7104 		flags = &req->flags;
7105 		mac_addr = req->mac_addr;
7106 		mac_addr_mask = req->mac_addr_mask;
7107 	} else {
7108 		struct cfg80211_scan_request *req = request;
7109 
7110 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7111 		flags = &req->flags;
7112 		mac_addr = req->mac_addr;
7113 		mac_addr_mask = req->mac_addr_mask;
7114 	}
7115 
7116 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7117 
7118 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7119 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7120 	    !nl80211_check_scan_feat(wiphy, *flags,
7121 				     NL80211_SCAN_FLAG_LOW_SPAN,
7122 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7123 	    !nl80211_check_scan_feat(wiphy, *flags,
7124 				     NL80211_SCAN_FLAG_LOW_POWER,
7125 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7126 	    !nl80211_check_scan_feat(wiphy, *flags,
7127 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7128 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7129 	    !nl80211_check_scan_feat(wiphy, *flags,
7130 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7131 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7132 	    !nl80211_check_scan_feat(wiphy, *flags,
7133 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7134 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7135 	    !nl80211_check_scan_feat(wiphy, *flags,
7136 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7137 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7138 	    !nl80211_check_scan_feat(wiphy, *flags,
7139 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7140 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7141 	    !nl80211_check_scan_feat(wiphy, *flags,
7142 				     NL80211_SCAN_FLAG_RANDOM_SN,
7143 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7144 	    !nl80211_check_scan_feat(wiphy, *flags,
7145 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7146 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7147 		return -EOPNOTSUPP;
7148 
7149 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7150 		int err;
7151 
7152 		if (!(wiphy->features & randomness_flag) ||
7153 		    (wdev && wdev->current_bss))
7154 			return -EOPNOTSUPP;
7155 
7156 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7157 		if (err)
7158 			return err;
7159 	}
7160 
7161 	return 0;
7162 }
7163 
7164 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7165 {
7166 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7167 	struct wireless_dev *wdev = info->user_ptr[1];
7168 	struct cfg80211_scan_request *request;
7169 	struct nlattr *attr;
7170 	struct wiphy *wiphy;
7171 	int err, tmp, n_ssids = 0, n_channels, i;
7172 	size_t ie_len;
7173 
7174 	wiphy = &rdev->wiphy;
7175 
7176 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7177 		return -EOPNOTSUPP;
7178 
7179 	if (!rdev->ops->scan)
7180 		return -EOPNOTSUPP;
7181 
7182 	if (rdev->scan_req || rdev->scan_msg) {
7183 		err = -EBUSY;
7184 		goto unlock;
7185 	}
7186 
7187 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7188 		n_channels = validate_scan_freqs(
7189 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7190 		if (!n_channels) {
7191 			err = -EINVAL;
7192 			goto unlock;
7193 		}
7194 	} else {
7195 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7196 	}
7197 
7198 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7199 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7200 			n_ssids++;
7201 
7202 	if (n_ssids > wiphy->max_scan_ssids) {
7203 		err = -EINVAL;
7204 		goto unlock;
7205 	}
7206 
7207 	if (info->attrs[NL80211_ATTR_IE])
7208 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7209 	else
7210 		ie_len = 0;
7211 
7212 	if (ie_len > wiphy->max_scan_ie_len) {
7213 		err = -EINVAL;
7214 		goto unlock;
7215 	}
7216 
7217 	request = kzalloc(sizeof(*request)
7218 			+ sizeof(*request->ssids) * n_ssids
7219 			+ sizeof(*request->channels) * n_channels
7220 			+ ie_len, GFP_KERNEL);
7221 	if (!request) {
7222 		err = -ENOMEM;
7223 		goto unlock;
7224 	}
7225 
7226 	if (n_ssids)
7227 		request->ssids = (void *)&request->channels[n_channels];
7228 	request->n_ssids = n_ssids;
7229 	if (ie_len) {
7230 		if (n_ssids)
7231 			request->ie = (void *)(request->ssids + n_ssids);
7232 		else
7233 			request->ie = (void *)(request->channels + n_channels);
7234 	}
7235 
7236 	i = 0;
7237 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7238 		/* user specified, bail out if channel not found */
7239 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7240 			struct ieee80211_channel *chan;
7241 
7242 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7243 
7244 			if (!chan) {
7245 				err = -EINVAL;
7246 				goto out_free;
7247 			}
7248 
7249 			/* ignore disabled channels */
7250 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7251 				continue;
7252 
7253 			request->channels[i] = chan;
7254 			i++;
7255 		}
7256 	} else {
7257 		enum nl80211_band band;
7258 
7259 		/* all channels */
7260 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7261 			int j;
7262 
7263 			if (!wiphy->bands[band])
7264 				continue;
7265 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7266 				struct ieee80211_channel *chan;
7267 
7268 				chan = &wiphy->bands[band]->channels[j];
7269 
7270 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7271 					continue;
7272 
7273 				request->channels[i] = chan;
7274 				i++;
7275 			}
7276 		}
7277 	}
7278 
7279 	if (!i) {
7280 		err = -EINVAL;
7281 		goto out_free;
7282 	}
7283 
7284 	request->n_channels = i;
7285 
7286 	wdev_lock(wdev);
7287 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7288 		struct ieee80211_channel *chan;
7289 
7290 		if (request->n_channels != 1) {
7291 			wdev_unlock(wdev);
7292 			err = -EBUSY;
7293 			goto out_free;
7294 		}
7295 
7296 		chan = request->channels[0];
7297 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7298 			wdev_unlock(wdev);
7299 			err = -EBUSY;
7300 			goto out_free;
7301 		}
7302 	}
7303 	wdev_unlock(wdev);
7304 
7305 	i = 0;
7306 	if (n_ssids) {
7307 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7308 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7309 				err = -EINVAL;
7310 				goto out_free;
7311 			}
7312 			request->ssids[i].ssid_len = nla_len(attr);
7313 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7314 			i++;
7315 		}
7316 	}
7317 
7318 	if (info->attrs[NL80211_ATTR_IE]) {
7319 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7320 		memcpy((void *)request->ie,
7321 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7322 		       request->ie_len);
7323 	}
7324 
7325 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7326 		if (wiphy->bands[i])
7327 			request->rates[i] =
7328 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7329 
7330 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7331 		nla_for_each_nested(attr,
7332 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7333 				    tmp) {
7334 			enum nl80211_band band = nla_type(attr);
7335 
7336 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7337 				err = -EINVAL;
7338 				goto out_free;
7339 			}
7340 
7341 			if (!wiphy->bands[band])
7342 				continue;
7343 
7344 			err = ieee80211_get_ratemask(wiphy->bands[band],
7345 						     nla_data(attr),
7346 						     nla_len(attr),
7347 						     &request->rates[band]);
7348 			if (err)
7349 				goto out_free;
7350 		}
7351 	}
7352 
7353 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7354 		if (!wiphy_ext_feature_isset(wiphy,
7355 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7356 			err = -EOPNOTSUPP;
7357 			goto out_free;
7358 		}
7359 
7360 		request->duration =
7361 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7362 		request->duration_mandatory =
7363 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7364 	}
7365 
7366 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7367 				       false);
7368 	if (err)
7369 		goto out_free;
7370 
7371 	request->no_cck =
7372 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7373 
7374 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7375 	 * BSSID to scan for. This was problematic because that same attribute
7376 	 * was already used for another purpose (local random MAC address). The
7377 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7378 	 * compatibility with older userspace components, also use the
7379 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7380 	 * the specific BSSID use case instead of the random MAC address
7381 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7382 	 */
7383 	if (info->attrs[NL80211_ATTR_BSSID])
7384 		memcpy(request->bssid,
7385 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7386 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7387 		 info->attrs[NL80211_ATTR_MAC])
7388 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7389 		       ETH_ALEN);
7390 	else
7391 		eth_broadcast_addr(request->bssid);
7392 
7393 	request->wdev = wdev;
7394 	request->wiphy = &rdev->wiphy;
7395 	request->scan_start = jiffies;
7396 
7397 	rdev->scan_req = request;
7398 	err = rdev_scan(rdev, request);
7399 
7400 	if (!err) {
7401 		nl80211_send_scan_start(rdev, wdev);
7402 		if (wdev->netdev)
7403 			dev_hold(wdev->netdev);
7404 	} else {
7405  out_free:
7406 		rdev->scan_req = NULL;
7407 		kfree(request);
7408 	}
7409 
7410  unlock:
7411 	return err;
7412 }
7413 
7414 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7415 {
7416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7417 	struct wireless_dev *wdev = info->user_ptr[1];
7418 
7419 	if (!rdev->ops->abort_scan)
7420 		return -EOPNOTSUPP;
7421 
7422 	if (rdev->scan_msg)
7423 		return 0;
7424 
7425 	if (!rdev->scan_req)
7426 		return -ENOENT;
7427 
7428 	rdev_abort_scan(rdev, wdev);
7429 	return 0;
7430 }
7431 
7432 static int
7433 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7434 			       struct cfg80211_sched_scan_request *request,
7435 			       struct nlattr **attrs)
7436 {
7437 	int tmp, err, i = 0;
7438 	struct nlattr *attr;
7439 
7440 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7441 		u32 interval;
7442 
7443 		/*
7444 		 * If scan plans are not specified,
7445 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7446 		 * case one scan plan will be set with the specified scan
7447 		 * interval and infinite number of iterations.
7448 		 */
7449 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7450 		if (!interval)
7451 			return -EINVAL;
7452 
7453 		request->scan_plans[0].interval =
7454 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
7455 		if (!request->scan_plans[0].interval)
7456 			return -EINVAL;
7457 
7458 		if (request->scan_plans[0].interval >
7459 		    wiphy->max_sched_scan_plan_interval)
7460 			request->scan_plans[0].interval =
7461 				wiphy->max_sched_scan_plan_interval;
7462 
7463 		return 0;
7464 	}
7465 
7466 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7467 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7468 
7469 		if (WARN_ON(i >= n_plans))
7470 			return -EINVAL;
7471 
7472 		err = nla_parse_nested(plan, NL80211_SCHED_SCAN_PLAN_MAX,
7473 				       attr, nl80211_plan_policy, NULL);
7474 		if (err)
7475 			return err;
7476 
7477 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7478 			return -EINVAL;
7479 
7480 		request->scan_plans[i].interval =
7481 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7482 		if (!request->scan_plans[i].interval ||
7483 		    request->scan_plans[i].interval >
7484 		    wiphy->max_sched_scan_plan_interval)
7485 			return -EINVAL;
7486 
7487 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7488 			request->scan_plans[i].iterations =
7489 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7490 			if (!request->scan_plans[i].iterations ||
7491 			    (request->scan_plans[i].iterations >
7492 			     wiphy->max_sched_scan_plan_iterations))
7493 				return -EINVAL;
7494 		} else if (i < n_plans - 1) {
7495 			/*
7496 			 * All scan plans but the last one must specify
7497 			 * a finite number of iterations
7498 			 */
7499 			return -EINVAL;
7500 		}
7501 
7502 		i++;
7503 	}
7504 
7505 	/*
7506 	 * The last scan plan must not specify the number of
7507 	 * iterations, it is supposed to run infinitely
7508 	 */
7509 	if (request->scan_plans[n_plans - 1].iterations)
7510 		return  -EINVAL;
7511 
7512 	return 0;
7513 }
7514 
7515 static struct cfg80211_sched_scan_request *
7516 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7517 			 struct nlattr **attrs, int max_match_sets)
7518 {
7519 	struct cfg80211_sched_scan_request *request;
7520 	struct nlattr *attr;
7521 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7522 	enum nl80211_band band;
7523 	size_t ie_len;
7524 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7525 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7526 
7527 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7528 		n_channels = validate_scan_freqs(
7529 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7530 		if (!n_channels)
7531 			return ERR_PTR(-EINVAL);
7532 	} else {
7533 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7534 	}
7535 
7536 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
7537 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7538 				    tmp)
7539 			n_ssids++;
7540 
7541 	if (n_ssids > wiphy->max_sched_scan_ssids)
7542 		return ERR_PTR(-EINVAL);
7543 
7544 	/*
7545 	 * First, count the number of 'real' matchsets. Due to an issue with
7546 	 * the old implementation, matchsets containing only the RSSI attribute
7547 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7548 	 * RSSI for all matchsets, rather than their own matchset for reporting
7549 	 * all APs with a strong RSSI. This is needed to be compatible with
7550 	 * older userspace that treated a matchset with only the RSSI as the
7551 	 * global RSSI for all other matchsets - if there are other matchsets.
7552 	 */
7553 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7554 		nla_for_each_nested(attr,
7555 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7556 				    tmp) {
7557 			struct nlattr *rssi;
7558 
7559 			err = nla_parse_nested(tb,
7560 					       NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7561 					       attr, nl80211_match_policy,
7562 					       NULL);
7563 			if (err)
7564 				return ERR_PTR(err);
7565 
7566 			/* SSID and BSSID are mutually exclusive */
7567 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7568 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7569 				return ERR_PTR(-EINVAL);
7570 
7571 			/* add other standalone attributes here */
7572 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7573 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7574 				n_match_sets++;
7575 				continue;
7576 			}
7577 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7578 			if (rssi)
7579 				default_match_rssi = nla_get_s32(rssi);
7580 		}
7581 	}
7582 
7583 	/* However, if there's no other matchset, add the RSSI one */
7584 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7585 		n_match_sets = 1;
7586 
7587 	if (n_match_sets > max_match_sets)
7588 		return ERR_PTR(-EINVAL);
7589 
7590 	if (attrs[NL80211_ATTR_IE])
7591 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7592 	else
7593 		ie_len = 0;
7594 
7595 	if (ie_len > wiphy->max_sched_scan_ie_len)
7596 		return ERR_PTR(-EINVAL);
7597 
7598 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7599 		/*
7600 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7601 		 * each scan plan already specifies its own interval
7602 		 */
7603 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7604 			return ERR_PTR(-EINVAL);
7605 
7606 		nla_for_each_nested(attr,
7607 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7608 			n_plans++;
7609 	} else {
7610 		/*
7611 		 * The scan interval attribute is kept for backward
7612 		 * compatibility. If no scan plans are specified and sched scan
7613 		 * interval is specified, one scan plan will be set with this
7614 		 * scan interval and infinite number of iterations.
7615 		 */
7616 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7617 			return ERR_PTR(-EINVAL);
7618 
7619 		n_plans = 1;
7620 	}
7621 
7622 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7623 		return ERR_PTR(-EINVAL);
7624 
7625 	if (!wiphy_ext_feature_isset(
7626 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7627 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7628 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7629 		return ERR_PTR(-EINVAL);
7630 
7631 	request = kzalloc(sizeof(*request)
7632 			+ sizeof(*request->ssids) * n_ssids
7633 			+ sizeof(*request->match_sets) * n_match_sets
7634 			+ sizeof(*request->scan_plans) * n_plans
7635 			+ sizeof(*request->channels) * n_channels
7636 			+ ie_len, GFP_KERNEL);
7637 	if (!request)
7638 		return ERR_PTR(-ENOMEM);
7639 
7640 	if (n_ssids)
7641 		request->ssids = (void *)&request->channels[n_channels];
7642 	request->n_ssids = n_ssids;
7643 	if (ie_len) {
7644 		if (n_ssids)
7645 			request->ie = (void *)(request->ssids + n_ssids);
7646 		else
7647 			request->ie = (void *)(request->channels + n_channels);
7648 	}
7649 
7650 	if (n_match_sets) {
7651 		if (request->ie)
7652 			request->match_sets = (void *)(request->ie + ie_len);
7653 		else if (n_ssids)
7654 			request->match_sets =
7655 				(void *)(request->ssids + n_ssids);
7656 		else
7657 			request->match_sets =
7658 				(void *)(request->channels + n_channels);
7659 	}
7660 	request->n_match_sets = n_match_sets;
7661 
7662 	if (n_match_sets)
7663 		request->scan_plans = (void *)(request->match_sets +
7664 					       n_match_sets);
7665 	else if (request->ie)
7666 		request->scan_plans = (void *)(request->ie + ie_len);
7667 	else if (n_ssids)
7668 		request->scan_plans = (void *)(request->ssids + n_ssids);
7669 	else
7670 		request->scan_plans = (void *)(request->channels + n_channels);
7671 
7672 	request->n_scan_plans = n_plans;
7673 
7674 	i = 0;
7675 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7676 		/* user specified, bail out if channel not found */
7677 		nla_for_each_nested(attr,
7678 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
7679 				    tmp) {
7680 			struct ieee80211_channel *chan;
7681 
7682 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7683 
7684 			if (!chan) {
7685 				err = -EINVAL;
7686 				goto out_free;
7687 			}
7688 
7689 			/* ignore disabled channels */
7690 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7691 				continue;
7692 
7693 			request->channels[i] = chan;
7694 			i++;
7695 		}
7696 	} else {
7697 		/* all channels */
7698 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7699 			int j;
7700 
7701 			if (!wiphy->bands[band])
7702 				continue;
7703 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7704 				struct ieee80211_channel *chan;
7705 
7706 				chan = &wiphy->bands[band]->channels[j];
7707 
7708 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7709 					continue;
7710 
7711 				request->channels[i] = chan;
7712 				i++;
7713 			}
7714 		}
7715 	}
7716 
7717 	if (!i) {
7718 		err = -EINVAL;
7719 		goto out_free;
7720 	}
7721 
7722 	request->n_channels = i;
7723 
7724 	i = 0;
7725 	if (n_ssids) {
7726 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7727 				    tmp) {
7728 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7729 				err = -EINVAL;
7730 				goto out_free;
7731 			}
7732 			request->ssids[i].ssid_len = nla_len(attr);
7733 			memcpy(request->ssids[i].ssid, nla_data(attr),
7734 			       nla_len(attr));
7735 			i++;
7736 		}
7737 	}
7738 
7739 	i = 0;
7740 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7741 		nla_for_each_nested(attr,
7742 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7743 				    tmp) {
7744 			struct nlattr *ssid, *bssid, *rssi;
7745 
7746 			err = nla_parse_nested(tb,
7747 					       NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7748 					       attr, nl80211_match_policy,
7749 					       NULL);
7750 			if (err)
7751 				goto out_free;
7752 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
7753 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
7754 			if (ssid || bssid) {
7755 				if (WARN_ON(i >= n_match_sets)) {
7756 					/* this indicates a programming error,
7757 					 * the loop above should have verified
7758 					 * things properly
7759 					 */
7760 					err = -EINVAL;
7761 					goto out_free;
7762 				}
7763 
7764 				if (ssid) {
7765 					if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
7766 						err = -EINVAL;
7767 						goto out_free;
7768 					}
7769 					memcpy(request->match_sets[i].ssid.ssid,
7770 					       nla_data(ssid), nla_len(ssid));
7771 					request->match_sets[i].ssid.ssid_len =
7772 						nla_len(ssid);
7773 				}
7774 				if (bssid) {
7775 					if (nla_len(bssid) != ETH_ALEN) {
7776 						err = -EINVAL;
7777 						goto out_free;
7778 					}
7779 					memcpy(request->match_sets[i].bssid,
7780 					       nla_data(bssid), ETH_ALEN);
7781 				}
7782 
7783 				/* special attribute - old implementation w/a */
7784 				request->match_sets[i].rssi_thold =
7785 					default_match_rssi;
7786 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7787 				if (rssi)
7788 					request->match_sets[i].rssi_thold =
7789 						nla_get_s32(rssi);
7790 			}
7791 			i++;
7792 		}
7793 
7794 		/* there was no other matchset, so the RSSI one is alone */
7795 		if (i == 0 && n_match_sets)
7796 			request->match_sets[0].rssi_thold = default_match_rssi;
7797 
7798 		request->min_rssi_thold = INT_MAX;
7799 		for (i = 0; i < n_match_sets; i++)
7800 			request->min_rssi_thold =
7801 				min(request->match_sets[i].rssi_thold,
7802 				    request->min_rssi_thold);
7803 	} else {
7804 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
7805 	}
7806 
7807 	if (ie_len) {
7808 		request->ie_len = ie_len;
7809 		memcpy((void *)request->ie,
7810 		       nla_data(attrs[NL80211_ATTR_IE]),
7811 		       request->ie_len);
7812 	}
7813 
7814 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
7815 	if (err)
7816 		goto out_free;
7817 
7818 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
7819 		request->delay =
7820 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
7821 
7822 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
7823 		request->relative_rssi = nla_get_s8(
7824 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
7825 		request->relative_rssi_set = true;
7826 	}
7827 
7828 	if (request->relative_rssi_set &&
7829 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
7830 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
7831 
7832 		rssi_adjust = nla_data(
7833 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
7834 		request->rssi_adjust.band = rssi_adjust->band;
7835 		request->rssi_adjust.delta = rssi_adjust->delta;
7836 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
7837 			err = -EINVAL;
7838 			goto out_free;
7839 		}
7840 	}
7841 
7842 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
7843 	if (err)
7844 		goto out_free;
7845 
7846 	request->scan_start = jiffies;
7847 
7848 	return request;
7849 
7850 out_free:
7851 	kfree(request);
7852 	return ERR_PTR(err);
7853 }
7854 
7855 static int nl80211_start_sched_scan(struct sk_buff *skb,
7856 				    struct genl_info *info)
7857 {
7858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7859 	struct net_device *dev = info->user_ptr[1];
7860 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7861 	struct cfg80211_sched_scan_request *sched_scan_req;
7862 	bool want_multi;
7863 	int err;
7864 
7865 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
7866 		return -EOPNOTSUPP;
7867 
7868 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
7869 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
7870 	if (err)
7871 		return err;
7872 
7873 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
7874 						  info->attrs,
7875 						  rdev->wiphy.max_match_sets);
7876 
7877 	err = PTR_ERR_OR_ZERO(sched_scan_req);
7878 	if (err)
7879 		goto out_err;
7880 
7881 	/* leave request id zero for legacy request
7882 	 * or if driver does not support multi-scheduled scan
7883 	 */
7884 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1) {
7885 		while (!sched_scan_req->reqid)
7886 			sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
7887 	}
7888 
7889 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
7890 	if (err)
7891 		goto out_free;
7892 
7893 	sched_scan_req->dev = dev;
7894 	sched_scan_req->wiphy = &rdev->wiphy;
7895 
7896 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7897 		sched_scan_req->owner_nlportid = info->snd_portid;
7898 
7899 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
7900 
7901 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
7902 	return 0;
7903 
7904 out_free:
7905 	kfree(sched_scan_req);
7906 out_err:
7907 	return err;
7908 }
7909 
7910 static int nl80211_stop_sched_scan(struct sk_buff *skb,
7911 				   struct genl_info *info)
7912 {
7913 	struct cfg80211_sched_scan_request *req;
7914 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7915 	u64 cookie;
7916 
7917 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
7918 		return -EOPNOTSUPP;
7919 
7920 	if (info->attrs[NL80211_ATTR_COOKIE]) {
7921 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7922 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
7923 	}
7924 
7925 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
7926 				     struct cfg80211_sched_scan_request,
7927 				     list);
7928 	if (!req || req->reqid ||
7929 	    (req->owner_nlportid &&
7930 	     req->owner_nlportid != info->snd_portid))
7931 		return -ENOENT;
7932 
7933 	return cfg80211_stop_sched_scan_req(rdev, req, false);
7934 }
7935 
7936 static int nl80211_start_radar_detection(struct sk_buff *skb,
7937 					 struct genl_info *info)
7938 {
7939 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7940 	struct net_device *dev = info->user_ptr[1];
7941 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7942 	struct wiphy *wiphy = wdev->wiphy;
7943 	struct cfg80211_chan_def chandef;
7944 	enum nl80211_dfs_regions dfs_region;
7945 	unsigned int cac_time_ms;
7946 	int err;
7947 
7948 	dfs_region = reg_get_dfs_region(wiphy);
7949 	if (dfs_region == NL80211_DFS_UNSET)
7950 		return -EINVAL;
7951 
7952 	err = nl80211_parse_chandef(rdev, info, &chandef);
7953 	if (err)
7954 		return err;
7955 
7956 	if (netif_carrier_ok(dev))
7957 		return -EBUSY;
7958 
7959 	if (wdev->cac_started)
7960 		return -EBUSY;
7961 
7962 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
7963 	if (err < 0)
7964 		return err;
7965 
7966 	if (err == 0)
7967 		return -EINVAL;
7968 
7969 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
7970 		return -EINVAL;
7971 
7972 	/* CAC start is offloaded to HW and can't be started manually */
7973 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
7974 		return -EOPNOTSUPP;
7975 
7976 	if (!rdev->ops->start_radar_detection)
7977 		return -EOPNOTSUPP;
7978 
7979 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
7980 	if (WARN_ON(!cac_time_ms))
7981 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
7982 
7983 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
7984 	if (!err) {
7985 		wdev->chandef = chandef;
7986 		wdev->cac_started = true;
7987 		wdev->cac_start_time = jiffies;
7988 		wdev->cac_time_ms = cac_time_ms;
7989 	}
7990 	return err;
7991 }
7992 
7993 static int nl80211_notify_radar_detection(struct sk_buff *skb,
7994 					  struct genl_info *info)
7995 {
7996 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7997 	struct net_device *dev = info->user_ptr[1];
7998 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7999 	struct wiphy *wiphy = wdev->wiphy;
8000 	struct cfg80211_chan_def chandef;
8001 	enum nl80211_dfs_regions dfs_region;
8002 	int err;
8003 
8004 	dfs_region = reg_get_dfs_region(wiphy);
8005 	if (dfs_region == NL80211_DFS_UNSET) {
8006 		GENL_SET_ERR_MSG(info,
8007 				 "DFS Region is not set. Unexpected Radar indication");
8008 		return -EINVAL;
8009 	}
8010 
8011 	err = nl80211_parse_chandef(rdev, info, &chandef);
8012 	if (err) {
8013 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8014 		return err;
8015 	}
8016 
8017 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8018 	if (err < 0) {
8019 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8020 		return err;
8021 	}
8022 
8023 	if (err == 0) {
8024 		GENL_SET_ERR_MSG(info,
8025 				 "Unexpected Radar indication for chandef/iftype");
8026 		return -EINVAL;
8027 	}
8028 
8029 	/* Do not process this notification if radar is already detected
8030 	 * by kernel on this channel, and return success.
8031 	 */
8032 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8033 		return 0;
8034 
8035 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8036 
8037 	cfg80211_sched_dfs_chan_update(rdev);
8038 
8039 	memcpy(&rdev->radar_chandef, &chandef, sizeof(chandef));
8040 
8041 	/* Propagate this notification to other radios as well */
8042 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8043 
8044 	return 0;
8045 }
8046 
8047 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8048 {
8049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8050 	struct net_device *dev = info->user_ptr[1];
8051 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8052 	struct cfg80211_csa_settings params;
8053 	/* csa_attrs is defined static to avoid waste of stack size - this
8054 	 * function is called under RTNL lock, so this should not be a problem.
8055 	 */
8056 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8057 	int err;
8058 	bool need_new_beacon = false;
8059 	bool need_handle_dfs_flag = true;
8060 	int len, i;
8061 	u32 cs_count;
8062 
8063 	if (!rdev->ops->channel_switch ||
8064 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8065 		return -EOPNOTSUPP;
8066 
8067 	switch (dev->ieee80211_ptr->iftype) {
8068 	case NL80211_IFTYPE_AP:
8069 	case NL80211_IFTYPE_P2P_GO:
8070 		need_new_beacon = true;
8071 		/* For all modes except AP the handle_dfs flag needs to be
8072 		 * supplied to tell the kernel that userspace will handle radar
8073 		 * events when they happen. Otherwise a switch to a channel
8074 		 * requiring DFS will be rejected.
8075 		 */
8076 		need_handle_dfs_flag = false;
8077 
8078 		/* useless if AP is not running */
8079 		if (!wdev->beacon_interval)
8080 			return -ENOTCONN;
8081 		break;
8082 	case NL80211_IFTYPE_ADHOC:
8083 		if (!wdev->ssid_len)
8084 			return -ENOTCONN;
8085 		break;
8086 	case NL80211_IFTYPE_MESH_POINT:
8087 		if (!wdev->mesh_id_len)
8088 			return -ENOTCONN;
8089 		break;
8090 	default:
8091 		return -EOPNOTSUPP;
8092 	}
8093 
8094 	memset(&params, 0, sizeof(params));
8095 	params.beacon_csa.ftm_responder = -1;
8096 
8097 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8098 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8099 		return -EINVAL;
8100 
8101 	/* only important for AP, IBSS and mesh create IEs internally */
8102 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8103 		return -EINVAL;
8104 
8105 	/* Even though the attribute is u32, the specification says
8106 	 * u8, so let's make sure we don't overflow.
8107 	 */
8108 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8109 	if (cs_count > 255)
8110 		return -EINVAL;
8111 
8112 	params.count = cs_count;
8113 
8114 	if (!need_new_beacon)
8115 		goto skip_beacons;
8116 
8117 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8118 	if (err)
8119 		return err;
8120 
8121 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
8122 			       info->attrs[NL80211_ATTR_CSA_IES],
8123 			       nl80211_policy, info->extack);
8124 	if (err)
8125 		return err;
8126 
8127 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8128 	if (err)
8129 		return err;
8130 
8131 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8132 		return -EINVAL;
8133 
8134 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8135 	if (!len || (len % sizeof(u16)))
8136 		return -EINVAL;
8137 
8138 	params.n_counter_offsets_beacon = len / sizeof(u16);
8139 	if (rdev->wiphy.max_num_csa_counters &&
8140 	    (params.n_counter_offsets_beacon >
8141 	     rdev->wiphy.max_num_csa_counters))
8142 		return -EINVAL;
8143 
8144 	params.counter_offsets_beacon =
8145 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8146 
8147 	/* sanity checks - counters should fit and be the same */
8148 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8149 		u16 offset = params.counter_offsets_beacon[i];
8150 
8151 		if (offset >= params.beacon_csa.tail_len)
8152 			return -EINVAL;
8153 
8154 		if (params.beacon_csa.tail[offset] != params.count)
8155 			return -EINVAL;
8156 	}
8157 
8158 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8159 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8160 		if (!len || (len % sizeof(u16)))
8161 			return -EINVAL;
8162 
8163 		params.n_counter_offsets_presp = len / sizeof(u16);
8164 		if (rdev->wiphy.max_num_csa_counters &&
8165 		    (params.n_counter_offsets_presp >
8166 		     rdev->wiphy.max_num_csa_counters))
8167 			return -EINVAL;
8168 
8169 		params.counter_offsets_presp =
8170 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8171 
8172 		/* sanity checks - counters should fit and be the same */
8173 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8174 			u16 offset = params.counter_offsets_presp[i];
8175 
8176 			if (offset >= params.beacon_csa.probe_resp_len)
8177 				return -EINVAL;
8178 
8179 			if (params.beacon_csa.probe_resp[offset] !=
8180 			    params.count)
8181 				return -EINVAL;
8182 		}
8183 	}
8184 
8185 skip_beacons:
8186 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8187 	if (err)
8188 		return err;
8189 
8190 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8191 					   wdev->iftype))
8192 		return -EINVAL;
8193 
8194 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8195 					    &params.chandef,
8196 					    wdev->iftype);
8197 	if (err < 0)
8198 		return err;
8199 
8200 	if (err > 0) {
8201 		params.radar_required = true;
8202 		if (need_handle_dfs_flag &&
8203 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8204 			return -EINVAL;
8205 		}
8206 	}
8207 
8208 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8209 		params.block_tx = true;
8210 
8211 	wdev_lock(wdev);
8212 	err = rdev_channel_switch(rdev, dev, &params);
8213 	wdev_unlock(wdev);
8214 
8215 	return err;
8216 }
8217 
8218 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8219 			    u32 seq, int flags,
8220 			    struct cfg80211_registered_device *rdev,
8221 			    struct wireless_dev *wdev,
8222 			    struct cfg80211_internal_bss *intbss)
8223 {
8224 	struct cfg80211_bss *res = &intbss->pub;
8225 	const struct cfg80211_bss_ies *ies;
8226 	void *hdr;
8227 	struct nlattr *bss;
8228 
8229 	ASSERT_WDEV_LOCK(wdev);
8230 
8231 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8232 			     NL80211_CMD_NEW_SCAN_RESULTS);
8233 	if (!hdr)
8234 		return -1;
8235 
8236 	genl_dump_check_consistent(cb, hdr);
8237 
8238 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8239 		goto nla_put_failure;
8240 	if (wdev->netdev &&
8241 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8242 		goto nla_put_failure;
8243 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8244 			      NL80211_ATTR_PAD))
8245 		goto nla_put_failure;
8246 
8247 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
8248 	if (!bss)
8249 		goto nla_put_failure;
8250 	if ((!is_zero_ether_addr(res->bssid) &&
8251 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8252 		goto nla_put_failure;
8253 
8254 	rcu_read_lock();
8255 	/* indicate whether we have probe response data or not */
8256 	if (rcu_access_pointer(res->proberesp_ies) &&
8257 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8258 		goto fail_unlock_rcu;
8259 
8260 	/* this pointer prefers to be pointed to probe response data
8261 	 * but is always valid
8262 	 */
8263 	ies = rcu_dereference(res->ies);
8264 	if (ies) {
8265 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8266 				      NL80211_BSS_PAD))
8267 			goto fail_unlock_rcu;
8268 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8269 					ies->len, ies->data))
8270 			goto fail_unlock_rcu;
8271 	}
8272 
8273 	/* and this pointer is always (unless driver didn't know) beacon data */
8274 	ies = rcu_dereference(res->beacon_ies);
8275 	if (ies && ies->from_beacon) {
8276 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8277 				      NL80211_BSS_PAD))
8278 			goto fail_unlock_rcu;
8279 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8280 					ies->len, ies->data))
8281 			goto fail_unlock_rcu;
8282 	}
8283 	rcu_read_unlock();
8284 
8285 	if (res->beacon_interval &&
8286 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8287 		goto nla_put_failure;
8288 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8289 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8290 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8291 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8292 			jiffies_to_msecs(jiffies - intbss->ts)))
8293 		goto nla_put_failure;
8294 
8295 	if (intbss->parent_tsf &&
8296 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8297 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8298 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8299 		     intbss->parent_bssid)))
8300 		goto nla_put_failure;
8301 
8302 	if (intbss->ts_boottime &&
8303 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8304 			      intbss->ts_boottime, NL80211_BSS_PAD))
8305 		goto nla_put_failure;
8306 
8307 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8308 				intbss->pub.chain_signal,
8309 				NL80211_BSS_CHAIN_SIGNAL))
8310 		goto nla_put_failure;
8311 
8312 	switch (rdev->wiphy.signal_type) {
8313 	case CFG80211_SIGNAL_TYPE_MBM:
8314 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8315 			goto nla_put_failure;
8316 		break;
8317 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8318 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8319 			goto nla_put_failure;
8320 		break;
8321 	default:
8322 		break;
8323 	}
8324 
8325 	switch (wdev->iftype) {
8326 	case NL80211_IFTYPE_P2P_CLIENT:
8327 	case NL80211_IFTYPE_STATION:
8328 		if (intbss == wdev->current_bss &&
8329 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8330 				NL80211_BSS_STATUS_ASSOCIATED))
8331 			goto nla_put_failure;
8332 		break;
8333 	case NL80211_IFTYPE_ADHOC:
8334 		if (intbss == wdev->current_bss &&
8335 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8336 				NL80211_BSS_STATUS_IBSS_JOINED))
8337 			goto nla_put_failure;
8338 		break;
8339 	default:
8340 		break;
8341 	}
8342 
8343 	nla_nest_end(msg, bss);
8344 
8345 	genlmsg_end(msg, hdr);
8346 	return 0;
8347 
8348  fail_unlock_rcu:
8349 	rcu_read_unlock();
8350  nla_put_failure:
8351 	genlmsg_cancel(msg, hdr);
8352 	return -EMSGSIZE;
8353 }
8354 
8355 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8356 {
8357 	struct cfg80211_registered_device *rdev;
8358 	struct cfg80211_internal_bss *scan;
8359 	struct wireless_dev *wdev;
8360 	int start = cb->args[2], idx = 0;
8361 	int err;
8362 
8363 	rtnl_lock();
8364 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8365 	if (err) {
8366 		rtnl_unlock();
8367 		return err;
8368 	}
8369 
8370 	wdev_lock(wdev);
8371 	spin_lock_bh(&rdev->bss_lock);
8372 
8373 	/*
8374 	 * dump_scan will be called multiple times to break up the scan results
8375 	 * into multiple messages.  It is unlikely that any more bss-es will be
8376 	 * expired after the first call, so only call only call this on the
8377 	 * first dump_scan invocation.
8378 	 */
8379 	if (start == 0)
8380 		cfg80211_bss_expire(rdev);
8381 
8382 	cb->seq = rdev->bss_generation;
8383 
8384 	list_for_each_entry(scan, &rdev->bss_list, list) {
8385 		if (++idx <= start)
8386 			continue;
8387 		if (nl80211_send_bss(skb, cb,
8388 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8389 				rdev, wdev, scan) < 0) {
8390 			idx--;
8391 			break;
8392 		}
8393 	}
8394 
8395 	spin_unlock_bh(&rdev->bss_lock);
8396 	wdev_unlock(wdev);
8397 
8398 	cb->args[2] = idx;
8399 	rtnl_unlock();
8400 
8401 	return skb->len;
8402 }
8403 
8404 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
8405 			       int flags, struct net_device *dev,
8406 			       bool allow_radio_stats,
8407 			       struct survey_info *survey)
8408 {
8409 	void *hdr;
8410 	struct nlattr *infoattr;
8411 
8412 	/* skip radio stats if userspace didn't request them */
8413 	if (!survey->channel && !allow_radio_stats)
8414 		return 0;
8415 
8416 	hdr = nl80211hdr_put(msg, portid, seq, flags,
8417 			     NL80211_CMD_NEW_SURVEY_RESULTS);
8418 	if (!hdr)
8419 		return -ENOMEM;
8420 
8421 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
8422 		goto nla_put_failure;
8423 
8424 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
8425 	if (!infoattr)
8426 		goto nla_put_failure;
8427 
8428 	if (survey->channel &&
8429 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
8430 			survey->channel->center_freq))
8431 		goto nla_put_failure;
8432 
8433 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
8434 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
8435 		goto nla_put_failure;
8436 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
8437 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
8438 		goto nla_put_failure;
8439 	if ((survey->filled & SURVEY_INFO_TIME) &&
8440 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
8441 			survey->time, NL80211_SURVEY_INFO_PAD))
8442 		goto nla_put_failure;
8443 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
8444 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
8445 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
8446 		goto nla_put_failure;
8447 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
8448 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
8449 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
8450 		goto nla_put_failure;
8451 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
8452 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
8453 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
8454 		goto nla_put_failure;
8455 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
8456 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
8457 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
8458 		goto nla_put_failure;
8459 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
8460 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
8461 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
8462 		goto nla_put_failure;
8463 
8464 	nla_nest_end(msg, infoattr);
8465 
8466 	genlmsg_end(msg, hdr);
8467 	return 0;
8468 
8469  nla_put_failure:
8470 	genlmsg_cancel(msg, hdr);
8471 	return -EMSGSIZE;
8472 }
8473 
8474 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
8475 {
8476 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
8477 	struct survey_info survey;
8478 	struct cfg80211_registered_device *rdev;
8479 	struct wireless_dev *wdev;
8480 	int survey_idx = cb->args[2];
8481 	int res;
8482 	bool radio_stats;
8483 
8484 	rtnl_lock();
8485 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8486 	if (res)
8487 		goto out_err;
8488 
8489 	/* prepare_wdev_dump parsed the attributes */
8490 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
8491 
8492 	if (!wdev->netdev) {
8493 		res = -EINVAL;
8494 		goto out_err;
8495 	}
8496 
8497 	if (!rdev->ops->dump_survey) {
8498 		res = -EOPNOTSUPP;
8499 		goto out_err;
8500 	}
8501 
8502 	while (1) {
8503 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
8504 		if (res == -ENOENT)
8505 			break;
8506 		if (res)
8507 			goto out_err;
8508 
8509 		/* don't send disabled channels, but do send non-channel data */
8510 		if (survey.channel &&
8511 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
8512 			survey_idx++;
8513 			continue;
8514 		}
8515 
8516 		if (nl80211_send_survey(skb,
8517 				NETLINK_CB(cb->skb).portid,
8518 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8519 				wdev->netdev, radio_stats, &survey) < 0)
8520 			goto out;
8521 		survey_idx++;
8522 	}
8523 
8524  out:
8525 	cb->args[2] = survey_idx;
8526 	res = skb->len;
8527  out_err:
8528 	rtnl_unlock();
8529 	return res;
8530 }
8531 
8532 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
8533 {
8534 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
8535 				  NL80211_WPA_VERSION_2));
8536 }
8537 
8538 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
8539 {
8540 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8541 	struct net_device *dev = info->user_ptr[1];
8542 	struct ieee80211_channel *chan;
8543 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
8544 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
8545 	enum nl80211_auth_type auth_type;
8546 	struct key_parse key;
8547 	bool local_state_change;
8548 
8549 	if (!info->attrs[NL80211_ATTR_MAC])
8550 		return -EINVAL;
8551 
8552 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
8553 		return -EINVAL;
8554 
8555 	if (!info->attrs[NL80211_ATTR_SSID])
8556 		return -EINVAL;
8557 
8558 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8559 		return -EINVAL;
8560 
8561 	err = nl80211_parse_key(info, &key);
8562 	if (err)
8563 		return err;
8564 
8565 	if (key.idx >= 0) {
8566 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
8567 			return -EINVAL;
8568 		if (!key.p.key || !key.p.key_len)
8569 			return -EINVAL;
8570 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
8571 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
8572 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
8573 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
8574 			return -EINVAL;
8575 		if (key.idx > 3)
8576 			return -EINVAL;
8577 	} else {
8578 		key.p.key_len = 0;
8579 		key.p.key = NULL;
8580 	}
8581 
8582 	if (key.idx >= 0) {
8583 		int i;
8584 		bool ok = false;
8585 
8586 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
8587 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
8588 				ok = true;
8589 				break;
8590 			}
8591 		}
8592 		if (!ok)
8593 			return -EINVAL;
8594 	}
8595 
8596 	if (!rdev->ops->auth)
8597 		return -EOPNOTSUPP;
8598 
8599 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8600 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8601 		return -EOPNOTSUPP;
8602 
8603 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8604 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8605 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8606 	if (!chan)
8607 		return -EINVAL;
8608 
8609 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8610 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8611 
8612 	if (info->attrs[NL80211_ATTR_IE]) {
8613 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8614 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8615 	}
8616 
8617 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8618 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
8619 		return -EINVAL;
8620 
8621 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
8622 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
8623 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
8624 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
8625 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
8626 		return -EINVAL;
8627 
8628 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
8629 		if (auth_type != NL80211_AUTHTYPE_SAE &&
8630 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
8631 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
8632 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
8633 			return -EINVAL;
8634 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
8635 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
8636 		/* need to include at least Auth Transaction and Status Code */
8637 		if (auth_data_len < 4)
8638 			return -EINVAL;
8639 	}
8640 
8641 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8642 
8643 	/*
8644 	 * Since we no longer track auth state, ignore
8645 	 * requests to only change local state.
8646 	 */
8647 	if (local_state_change)
8648 		return 0;
8649 
8650 	wdev_lock(dev->ieee80211_ptr);
8651 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
8652 				 ssid, ssid_len, ie, ie_len,
8653 				 key.p.key, key.p.key_len, key.idx,
8654 				 auth_data, auth_data_len);
8655 	wdev_unlock(dev->ieee80211_ptr);
8656 	return err;
8657 }
8658 
8659 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
8660 				     struct genl_info *info)
8661 {
8662 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8663 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
8664 		return -EINVAL;
8665 	}
8666 
8667 	if (!rdev->ops->tx_control_port ||
8668 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8669 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
8670 		return -EOPNOTSUPP;
8671 
8672 	return 0;
8673 }
8674 
8675 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
8676 				   struct genl_info *info,
8677 				   struct cfg80211_crypto_settings *settings,
8678 				   int cipher_limit)
8679 {
8680 	memset(settings, 0, sizeof(*settings));
8681 
8682 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
8683 
8684 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
8685 		u16 proto;
8686 
8687 		proto = nla_get_u16(
8688 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
8689 		settings->control_port_ethertype = cpu_to_be16(proto);
8690 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
8691 		    proto != ETH_P_PAE)
8692 			return -EINVAL;
8693 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
8694 			settings->control_port_no_encrypt = true;
8695 	} else
8696 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
8697 
8698 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
8699 		int r = validate_pae_over_nl80211(rdev, info);
8700 
8701 		if (r < 0)
8702 			return r;
8703 
8704 		settings->control_port_over_nl80211 = true;
8705 	}
8706 
8707 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
8708 		void *data;
8709 		int len, i;
8710 
8711 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8712 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8713 		settings->n_ciphers_pairwise = len / sizeof(u32);
8714 
8715 		if (len % sizeof(u32))
8716 			return -EINVAL;
8717 
8718 		if (settings->n_ciphers_pairwise > cipher_limit)
8719 			return -EINVAL;
8720 
8721 		memcpy(settings->ciphers_pairwise, data, len);
8722 
8723 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
8724 			if (!cfg80211_supported_cipher_suite(
8725 					&rdev->wiphy,
8726 					settings->ciphers_pairwise[i]))
8727 				return -EINVAL;
8728 	}
8729 
8730 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
8731 		settings->cipher_group =
8732 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
8733 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
8734 						     settings->cipher_group))
8735 			return -EINVAL;
8736 	}
8737 
8738 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
8739 		settings->wpa_versions =
8740 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
8741 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
8742 			return -EINVAL;
8743 	}
8744 
8745 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
8746 		void *data;
8747 		int len;
8748 
8749 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
8750 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
8751 		settings->n_akm_suites = len / sizeof(u32);
8752 
8753 		if (len % sizeof(u32))
8754 			return -EINVAL;
8755 
8756 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
8757 			return -EINVAL;
8758 
8759 		memcpy(settings->akm_suites, data, len);
8760 	}
8761 
8762 	if (info->attrs[NL80211_ATTR_PMK]) {
8763 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
8764 			return -EINVAL;
8765 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8766 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
8767 			return -EINVAL;
8768 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
8769 	}
8770 
8771 	return 0;
8772 }
8773 
8774 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
8775 {
8776 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8777 	struct net_device *dev = info->user_ptr[1];
8778 	struct ieee80211_channel *chan;
8779 	struct cfg80211_assoc_request req = {};
8780 	const u8 *bssid, *ssid;
8781 	int err, ssid_len = 0;
8782 
8783 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8784 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8785 		return -EPERM;
8786 
8787 	if (!info->attrs[NL80211_ATTR_MAC] ||
8788 	    !info->attrs[NL80211_ATTR_SSID] ||
8789 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
8790 		return -EINVAL;
8791 
8792 	if (!rdev->ops->assoc)
8793 		return -EOPNOTSUPP;
8794 
8795 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8796 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8797 		return -EOPNOTSUPP;
8798 
8799 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8800 
8801 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8802 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8803 	if (!chan)
8804 		return -EINVAL;
8805 
8806 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8807 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8808 
8809 	if (info->attrs[NL80211_ATTR_IE]) {
8810 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8811 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8812 	}
8813 
8814 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8815 		enum nl80211_mfp mfp =
8816 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8817 		if (mfp == NL80211_MFP_REQUIRED)
8818 			req.use_mfp = true;
8819 		else if (mfp != NL80211_MFP_NO)
8820 			return -EINVAL;
8821 	}
8822 
8823 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8824 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8825 
8826 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8827 		req.flags |= ASSOC_REQ_DISABLE_HT;
8828 
8829 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8830 		memcpy(&req.ht_capa_mask,
8831 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8832 		       sizeof(req.ht_capa_mask));
8833 
8834 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8835 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8836 			return -EINVAL;
8837 		memcpy(&req.ht_capa,
8838 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8839 		       sizeof(req.ht_capa));
8840 	}
8841 
8842 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8843 		req.flags |= ASSOC_REQ_DISABLE_VHT;
8844 
8845 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8846 		memcpy(&req.vht_capa_mask,
8847 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8848 		       sizeof(req.vht_capa_mask));
8849 
8850 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8851 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8852 			return -EINVAL;
8853 		memcpy(&req.vht_capa,
8854 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8855 		       sizeof(req.vht_capa));
8856 	}
8857 
8858 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8859 		if (!((rdev->wiphy.features &
8860 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8861 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8862 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8863 					     NL80211_EXT_FEATURE_RRM))
8864 			return -EINVAL;
8865 		req.flags |= ASSOC_REQ_USE_RRM;
8866 	}
8867 
8868 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
8869 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
8870 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
8871 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
8872 			return -EINVAL;
8873 		req.fils_nonces =
8874 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
8875 	}
8876 
8877 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
8878 	if (!err) {
8879 		wdev_lock(dev->ieee80211_ptr);
8880 
8881 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
8882 					  ssid, ssid_len, &req);
8883 
8884 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8885 			dev->ieee80211_ptr->conn_owner_nlportid =
8886 				info->snd_portid;
8887 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
8888 			       bssid, ETH_ALEN);
8889 		}
8890 
8891 		wdev_unlock(dev->ieee80211_ptr);
8892 	}
8893 
8894 	return err;
8895 }
8896 
8897 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
8898 {
8899 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8900 	struct net_device *dev = info->user_ptr[1];
8901 	const u8 *ie = NULL, *bssid;
8902 	int ie_len = 0, err;
8903 	u16 reason_code;
8904 	bool local_state_change;
8905 
8906 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8907 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8908 		return -EPERM;
8909 
8910 	if (!info->attrs[NL80211_ATTR_MAC])
8911 		return -EINVAL;
8912 
8913 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8914 		return -EINVAL;
8915 
8916 	if (!rdev->ops->deauth)
8917 		return -EOPNOTSUPP;
8918 
8919 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8920 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8921 		return -EOPNOTSUPP;
8922 
8923 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8924 
8925 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8926 	if (reason_code == 0) {
8927 		/* Reason Code 0 is reserved */
8928 		return -EINVAL;
8929 	}
8930 
8931 	if (info->attrs[NL80211_ATTR_IE]) {
8932 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8933 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8934 	}
8935 
8936 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8937 
8938 	wdev_lock(dev->ieee80211_ptr);
8939 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
8940 				   local_state_change);
8941 	wdev_unlock(dev->ieee80211_ptr);
8942 	return err;
8943 }
8944 
8945 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
8946 {
8947 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8948 	struct net_device *dev = info->user_ptr[1];
8949 	const u8 *ie = NULL, *bssid;
8950 	int ie_len = 0, err;
8951 	u16 reason_code;
8952 	bool local_state_change;
8953 
8954 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8955 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8956 		return -EPERM;
8957 
8958 	if (!info->attrs[NL80211_ATTR_MAC])
8959 		return -EINVAL;
8960 
8961 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8962 		return -EINVAL;
8963 
8964 	if (!rdev->ops->disassoc)
8965 		return -EOPNOTSUPP;
8966 
8967 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8968 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8969 		return -EOPNOTSUPP;
8970 
8971 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8972 
8973 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8974 	if (reason_code == 0) {
8975 		/* Reason Code 0 is reserved */
8976 		return -EINVAL;
8977 	}
8978 
8979 	if (info->attrs[NL80211_ATTR_IE]) {
8980 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8981 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8982 	}
8983 
8984 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8985 
8986 	wdev_lock(dev->ieee80211_ptr);
8987 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
8988 				     local_state_change);
8989 	wdev_unlock(dev->ieee80211_ptr);
8990 	return err;
8991 }
8992 
8993 static bool
8994 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
8995 			 int mcast_rate[NUM_NL80211_BANDS],
8996 			 int rateval)
8997 {
8998 	struct wiphy *wiphy = &rdev->wiphy;
8999 	bool found = false;
9000 	int band, i;
9001 
9002 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9003 		struct ieee80211_supported_band *sband;
9004 
9005 		sband = wiphy->bands[band];
9006 		if (!sband)
9007 			continue;
9008 
9009 		for (i = 0; i < sband->n_bitrates; i++) {
9010 			if (sband->bitrates[i].bitrate == rateval) {
9011 				mcast_rate[band] = i + 1;
9012 				found = true;
9013 				break;
9014 			}
9015 		}
9016 	}
9017 
9018 	return found;
9019 }
9020 
9021 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9022 {
9023 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9024 	struct net_device *dev = info->user_ptr[1];
9025 	struct cfg80211_ibss_params ibss;
9026 	struct wiphy *wiphy;
9027 	struct cfg80211_cached_keys *connkeys = NULL;
9028 	int err;
9029 
9030 	memset(&ibss, 0, sizeof(ibss));
9031 
9032 	if (!info->attrs[NL80211_ATTR_SSID] ||
9033 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9034 		return -EINVAL;
9035 
9036 	ibss.beacon_interval = 100;
9037 
9038 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9039 		ibss.beacon_interval =
9040 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9041 
9042 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9043 					   ibss.beacon_interval);
9044 	if (err)
9045 		return err;
9046 
9047 	if (!rdev->ops->join_ibss)
9048 		return -EOPNOTSUPP;
9049 
9050 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9051 		return -EOPNOTSUPP;
9052 
9053 	wiphy = &rdev->wiphy;
9054 
9055 	if (info->attrs[NL80211_ATTR_MAC]) {
9056 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9057 
9058 		if (!is_valid_ether_addr(ibss.bssid))
9059 			return -EINVAL;
9060 	}
9061 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9062 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9063 
9064 	if (info->attrs[NL80211_ATTR_IE]) {
9065 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9066 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9067 	}
9068 
9069 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9070 	if (err)
9071 		return err;
9072 
9073 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9074 				     NL80211_IFTYPE_ADHOC))
9075 		return -EINVAL;
9076 
9077 	switch (ibss.chandef.width) {
9078 	case NL80211_CHAN_WIDTH_5:
9079 	case NL80211_CHAN_WIDTH_10:
9080 	case NL80211_CHAN_WIDTH_20_NOHT:
9081 		break;
9082 	case NL80211_CHAN_WIDTH_20:
9083 	case NL80211_CHAN_WIDTH_40:
9084 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9085 			return -EINVAL;
9086 		break;
9087 	case NL80211_CHAN_WIDTH_80:
9088 	case NL80211_CHAN_WIDTH_80P80:
9089 	case NL80211_CHAN_WIDTH_160:
9090 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9091 			return -EINVAL;
9092 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9093 					     NL80211_EXT_FEATURE_VHT_IBSS))
9094 			return -EINVAL;
9095 		break;
9096 	default:
9097 		return -EINVAL;
9098 	}
9099 
9100 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9101 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9102 
9103 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9104 		u8 *rates =
9105 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9106 		int n_rates =
9107 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9108 		struct ieee80211_supported_band *sband =
9109 			wiphy->bands[ibss.chandef.chan->band];
9110 
9111 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9112 					     &ibss.basic_rates);
9113 		if (err)
9114 			return err;
9115 	}
9116 
9117 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9118 		memcpy(&ibss.ht_capa_mask,
9119 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9120 		       sizeof(ibss.ht_capa_mask));
9121 
9122 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9123 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9124 			return -EINVAL;
9125 		memcpy(&ibss.ht_capa,
9126 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9127 		       sizeof(ibss.ht_capa));
9128 	}
9129 
9130 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9131 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9132 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9133 		return -EINVAL;
9134 
9135 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9136 		bool no_ht = false;
9137 
9138 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9139 		if (IS_ERR(connkeys))
9140 			return PTR_ERR(connkeys);
9141 
9142 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9143 		    no_ht) {
9144 			kzfree(connkeys);
9145 			return -EINVAL;
9146 		}
9147 	}
9148 
9149 	ibss.control_port =
9150 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9151 
9152 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9153 		int r = validate_pae_over_nl80211(rdev, info);
9154 
9155 		if (r < 0) {
9156 			kzfree(connkeys);
9157 			return r;
9158 		}
9159 
9160 		ibss.control_port_over_nl80211 = true;
9161 	}
9162 
9163 	ibss.userspace_handles_dfs =
9164 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9165 
9166 	wdev_lock(dev->ieee80211_ptr);
9167 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9168 	if (err)
9169 		kzfree(connkeys);
9170 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9171 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9172 	wdev_unlock(dev->ieee80211_ptr);
9173 
9174 	return err;
9175 }
9176 
9177 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9178 {
9179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9180 	struct net_device *dev = info->user_ptr[1];
9181 
9182 	if (!rdev->ops->leave_ibss)
9183 		return -EOPNOTSUPP;
9184 
9185 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9186 		return -EOPNOTSUPP;
9187 
9188 	return cfg80211_leave_ibss(rdev, dev, false);
9189 }
9190 
9191 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9192 {
9193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9194 	struct net_device *dev = info->user_ptr[1];
9195 	int mcast_rate[NUM_NL80211_BANDS];
9196 	u32 nla_rate;
9197 	int err;
9198 
9199 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9200 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9201 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9202 		return -EOPNOTSUPP;
9203 
9204 	if (!rdev->ops->set_mcast_rate)
9205 		return -EOPNOTSUPP;
9206 
9207 	memset(mcast_rate, 0, sizeof(mcast_rate));
9208 
9209 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9210 		return -EINVAL;
9211 
9212 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9213 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9214 		return -EINVAL;
9215 
9216 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9217 
9218 	return err;
9219 }
9220 
9221 static struct sk_buff *
9222 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9223 			    struct wireless_dev *wdev, int approxlen,
9224 			    u32 portid, u32 seq, enum nl80211_commands cmd,
9225 			    enum nl80211_attrs attr,
9226 			    const struct nl80211_vendor_cmd_info *info,
9227 			    gfp_t gfp)
9228 {
9229 	struct sk_buff *skb;
9230 	void *hdr;
9231 	struct nlattr *data;
9232 
9233 	skb = nlmsg_new(approxlen + 100, gfp);
9234 	if (!skb)
9235 		return NULL;
9236 
9237 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9238 	if (!hdr) {
9239 		kfree_skb(skb);
9240 		return NULL;
9241 	}
9242 
9243 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9244 		goto nla_put_failure;
9245 
9246 	if (info) {
9247 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9248 				info->vendor_id))
9249 			goto nla_put_failure;
9250 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9251 				info->subcmd))
9252 			goto nla_put_failure;
9253 	}
9254 
9255 	if (wdev) {
9256 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9257 				      wdev_id(wdev), NL80211_ATTR_PAD))
9258 			goto nla_put_failure;
9259 		if (wdev->netdev &&
9260 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9261 				wdev->netdev->ifindex))
9262 			goto nla_put_failure;
9263 	}
9264 
9265 	data = nla_nest_start(skb, attr);
9266 	if (!data)
9267 		goto nla_put_failure;
9268 
9269 	((void **)skb->cb)[0] = rdev;
9270 	((void **)skb->cb)[1] = hdr;
9271 	((void **)skb->cb)[2] = data;
9272 
9273 	return skb;
9274 
9275  nla_put_failure:
9276 	kfree_skb(skb);
9277 	return NULL;
9278 }
9279 
9280 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9281 					   struct wireless_dev *wdev,
9282 					   enum nl80211_commands cmd,
9283 					   enum nl80211_attrs attr,
9284 					   int vendor_event_idx,
9285 					   int approxlen, gfp_t gfp)
9286 {
9287 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9288 	const struct nl80211_vendor_cmd_info *info;
9289 
9290 	switch (cmd) {
9291 	case NL80211_CMD_TESTMODE:
9292 		if (WARN_ON(vendor_event_idx != -1))
9293 			return NULL;
9294 		info = NULL;
9295 		break;
9296 	case NL80211_CMD_VENDOR:
9297 		if (WARN_ON(vendor_event_idx < 0 ||
9298 			    vendor_event_idx >= wiphy->n_vendor_events))
9299 			return NULL;
9300 		info = &wiphy->vendor_events[vendor_event_idx];
9301 		break;
9302 	default:
9303 		WARN_ON(1);
9304 		return NULL;
9305 	}
9306 
9307 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
9308 					   cmd, attr, info, gfp);
9309 }
9310 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9311 
9312 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9313 {
9314 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9315 	void *hdr = ((void **)skb->cb)[1];
9316 	struct nlattr *data = ((void **)skb->cb)[2];
9317 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9318 
9319 	/* clear CB data for netlink core to own from now on */
9320 	memset(skb->cb, 0, sizeof(skb->cb));
9321 
9322 	nla_nest_end(skb, data);
9323 	genlmsg_end(skb, hdr);
9324 
9325 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9326 		mcgrp = NL80211_MCGRP_VENDOR;
9327 
9328 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
9329 				mcgrp, gfp);
9330 }
9331 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9332 
9333 #ifdef CONFIG_NL80211_TESTMODE
9334 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9335 {
9336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9337 	struct wireless_dev *wdev =
9338 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9339 	int err;
9340 
9341 	if (!rdev->ops->testmode_cmd)
9342 		return -EOPNOTSUPP;
9343 
9344 	if (IS_ERR(wdev)) {
9345 		err = PTR_ERR(wdev);
9346 		if (err != -EINVAL)
9347 			return err;
9348 		wdev = NULL;
9349 	} else if (wdev->wiphy != &rdev->wiphy) {
9350 		return -EINVAL;
9351 	}
9352 
9353 	if (!info->attrs[NL80211_ATTR_TESTDATA])
9354 		return -EINVAL;
9355 
9356 	rdev->cur_cmd_info = info;
9357 	err = rdev_testmode_cmd(rdev, wdev,
9358 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
9359 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
9360 	rdev->cur_cmd_info = NULL;
9361 
9362 	return err;
9363 }
9364 
9365 static int nl80211_testmode_dump(struct sk_buff *skb,
9366 				 struct netlink_callback *cb)
9367 {
9368 	struct cfg80211_registered_device *rdev;
9369 	int err;
9370 	long phy_idx;
9371 	void *data = NULL;
9372 	int data_len = 0;
9373 
9374 	rtnl_lock();
9375 
9376 	if (cb->args[0]) {
9377 		/*
9378 		 * 0 is a valid index, but not valid for args[0],
9379 		 * so we need to offset by 1.
9380 		 */
9381 		phy_idx = cb->args[0] - 1;
9382 
9383 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
9384 		if (!rdev) {
9385 			err = -ENOENT;
9386 			goto out_err;
9387 		}
9388 	} else {
9389 		struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
9390 
9391 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
9392 				  attrbuf, nl80211_fam.maxattr,
9393 				  nl80211_policy, NULL);
9394 		if (err)
9395 			goto out_err;
9396 
9397 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
9398 		if (IS_ERR(rdev)) {
9399 			err = PTR_ERR(rdev);
9400 			goto out_err;
9401 		}
9402 		phy_idx = rdev->wiphy_idx;
9403 
9404 		if (attrbuf[NL80211_ATTR_TESTDATA])
9405 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
9406 	}
9407 
9408 	if (cb->args[1]) {
9409 		data = nla_data((void *)cb->args[1]);
9410 		data_len = nla_len((void *)cb->args[1]);
9411 	}
9412 
9413 	if (!rdev->ops->testmode_dump) {
9414 		err = -EOPNOTSUPP;
9415 		goto out_err;
9416 	}
9417 
9418 	while (1) {
9419 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
9420 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
9421 					   NL80211_CMD_TESTMODE);
9422 		struct nlattr *tmdata;
9423 
9424 		if (!hdr)
9425 			break;
9426 
9427 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
9428 			genlmsg_cancel(skb, hdr);
9429 			break;
9430 		}
9431 
9432 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
9433 		if (!tmdata) {
9434 			genlmsg_cancel(skb, hdr);
9435 			break;
9436 		}
9437 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
9438 		nla_nest_end(skb, tmdata);
9439 
9440 		if (err == -ENOBUFS || err == -ENOENT) {
9441 			genlmsg_cancel(skb, hdr);
9442 			break;
9443 		} else if (err) {
9444 			genlmsg_cancel(skb, hdr);
9445 			goto out_err;
9446 		}
9447 
9448 		genlmsg_end(skb, hdr);
9449 	}
9450 
9451 	err = skb->len;
9452 	/* see above */
9453 	cb->args[0] = phy_idx + 1;
9454  out_err:
9455 	rtnl_unlock();
9456 	return err;
9457 }
9458 #endif
9459 
9460 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9461 {
9462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9463 	struct net_device *dev = info->user_ptr[1];
9464 	struct cfg80211_connect_params connect;
9465 	struct wiphy *wiphy;
9466 	struct cfg80211_cached_keys *connkeys = NULL;
9467 	int err;
9468 
9469 	memset(&connect, 0, sizeof(connect));
9470 
9471 	if (!info->attrs[NL80211_ATTR_SSID] ||
9472 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9473 		return -EINVAL;
9474 
9475 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9476 		connect.auth_type =
9477 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9478 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9479 					     NL80211_CMD_CONNECT))
9480 			return -EINVAL;
9481 	} else
9482 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9483 
9484 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9485 
9486 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9487 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9488 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9489 		return -EINVAL;
9490 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9491 
9492 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9493 				      NL80211_MAX_NR_CIPHER_SUITES);
9494 	if (err)
9495 		return err;
9496 
9497 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9498 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9499 		return -EOPNOTSUPP;
9500 
9501 	wiphy = &rdev->wiphy;
9502 
9503 	connect.bg_scan_period = -1;
9504 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9505 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9506 		connect.bg_scan_period =
9507 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9508 	}
9509 
9510 	if (info->attrs[NL80211_ATTR_MAC])
9511 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9512 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
9513 		connect.bssid_hint =
9514 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9515 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9516 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9517 
9518 	if (info->attrs[NL80211_ATTR_IE]) {
9519 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9520 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9521 	}
9522 
9523 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9524 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9525 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
9526 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9527 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
9528 			return -EOPNOTSUPP;
9529 	} else {
9530 		connect.mfp = NL80211_MFP_NO;
9531 	}
9532 
9533 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9534 		connect.prev_bssid =
9535 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9536 
9537 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9538 		connect.channel = nl80211_get_valid_chan(
9539 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9540 		if (!connect.channel)
9541 			return -EINVAL;
9542 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9543 		connect.channel_hint = nl80211_get_valid_chan(
9544 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9545 		if (!connect.channel_hint)
9546 			return -EINVAL;
9547 	}
9548 
9549 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9550 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9551 		if (IS_ERR(connkeys))
9552 			return PTR_ERR(connkeys);
9553 	}
9554 
9555 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9556 		connect.flags |= ASSOC_REQ_DISABLE_HT;
9557 
9558 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9559 		memcpy(&connect.ht_capa_mask,
9560 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9561 		       sizeof(connect.ht_capa_mask));
9562 
9563 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9564 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9565 			kzfree(connkeys);
9566 			return -EINVAL;
9567 		}
9568 		memcpy(&connect.ht_capa,
9569 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9570 		       sizeof(connect.ht_capa));
9571 	}
9572 
9573 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9574 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
9575 
9576 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9577 		memcpy(&connect.vht_capa_mask,
9578 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9579 		       sizeof(connect.vht_capa_mask));
9580 
9581 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9582 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9583 			kzfree(connkeys);
9584 			return -EINVAL;
9585 		}
9586 		memcpy(&connect.vht_capa,
9587 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9588 		       sizeof(connect.vht_capa));
9589 	}
9590 
9591 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9592 		if (!((rdev->wiphy.features &
9593 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9594 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9595 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9596 					     NL80211_EXT_FEATURE_RRM)) {
9597 			kzfree(connkeys);
9598 			return -EINVAL;
9599 		}
9600 		connect.flags |= ASSOC_REQ_USE_RRM;
9601 	}
9602 
9603 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9604 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9605 		kzfree(connkeys);
9606 		return -EOPNOTSUPP;
9607 	}
9608 
9609 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
9610 		/* bss selection makes no sense if bssid is set */
9611 		if (connect.bssid) {
9612 			kzfree(connkeys);
9613 			return -EINVAL;
9614 		}
9615 
9616 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
9617 				       wiphy, &connect.bss_select);
9618 		if (err) {
9619 			kzfree(connkeys);
9620 			return err;
9621 		}
9622 	}
9623 
9624 	if (wiphy_ext_feature_isset(&rdev->wiphy,
9625 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
9626 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9627 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9628 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9629 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9630 		connect.fils_erp_username =
9631 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9632 		connect.fils_erp_username_len =
9633 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9634 		connect.fils_erp_realm =
9635 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9636 		connect.fils_erp_realm_len =
9637 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9638 		connect.fils_erp_next_seq_num =
9639 			nla_get_u16(
9640 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9641 		connect.fils_erp_rrk =
9642 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9643 		connect.fils_erp_rrk_len =
9644 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9645 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9646 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9647 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9648 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9649 		kzfree(connkeys);
9650 		return -EINVAL;
9651 	}
9652 
9653 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
9654 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9655 			kzfree(connkeys);
9656 			GENL_SET_ERR_MSG(info,
9657 					 "external auth requires connection ownership");
9658 			return -EINVAL;
9659 		}
9660 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
9661 	}
9662 
9663 	wdev_lock(dev->ieee80211_ptr);
9664 
9665 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
9666 			       connect.prev_bssid);
9667 	if (err)
9668 		kzfree(connkeys);
9669 
9670 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9671 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9672 		if (connect.bssid)
9673 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9674 			       connect.bssid, ETH_ALEN);
9675 		else
9676 			memset(dev->ieee80211_ptr->disconnect_bssid,
9677 			       0, ETH_ALEN);
9678 	}
9679 
9680 	wdev_unlock(dev->ieee80211_ptr);
9681 
9682 	return err;
9683 }
9684 
9685 static int nl80211_update_connect_params(struct sk_buff *skb,
9686 					 struct genl_info *info)
9687 {
9688 	struct cfg80211_connect_params connect = {};
9689 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9690 	struct net_device *dev = info->user_ptr[1];
9691 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9692 	bool fils_sk_offload;
9693 	u32 auth_type;
9694 	u32 changed = 0;
9695 	int ret;
9696 
9697 	if (!rdev->ops->update_connect_params)
9698 		return -EOPNOTSUPP;
9699 
9700 	if (info->attrs[NL80211_ATTR_IE]) {
9701 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9702 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9703 		changed |= UPDATE_ASSOC_IES;
9704 	}
9705 
9706 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
9707 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
9708 
9709 	/*
9710 	 * when driver supports fils-sk offload all attributes must be
9711 	 * provided. So the else covers "fils-sk-not-all" and
9712 	 * "no-fils-sk-any".
9713 	 */
9714 	if (fils_sk_offload &&
9715 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9716 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9717 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9718 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9719 		connect.fils_erp_username =
9720 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9721 		connect.fils_erp_username_len =
9722 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9723 		connect.fils_erp_realm =
9724 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9725 		connect.fils_erp_realm_len =
9726 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9727 		connect.fils_erp_next_seq_num =
9728 			nla_get_u16(
9729 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9730 		connect.fils_erp_rrk =
9731 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9732 		connect.fils_erp_rrk_len =
9733 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9734 		changed |= UPDATE_FILS_ERP_INFO;
9735 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9736 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9737 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9738 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9739 		return -EINVAL;
9740 	}
9741 
9742 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9743 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9744 		if (!nl80211_valid_auth_type(rdev, auth_type,
9745 					     NL80211_CMD_CONNECT))
9746 			return -EINVAL;
9747 
9748 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
9749 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
9750 			return -EINVAL;
9751 
9752 		connect.auth_type = auth_type;
9753 		changed |= UPDATE_AUTH_TYPE;
9754 	}
9755 
9756 	wdev_lock(dev->ieee80211_ptr);
9757 	if (!wdev->current_bss)
9758 		ret = -ENOLINK;
9759 	else
9760 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
9761 	wdev_unlock(dev->ieee80211_ptr);
9762 
9763 	return ret;
9764 }
9765 
9766 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
9767 {
9768 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9769 	struct net_device *dev = info->user_ptr[1];
9770 	u16 reason;
9771 	int ret;
9772 
9773 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9774 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9775 		return -EPERM;
9776 
9777 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9778 		reason = WLAN_REASON_DEAUTH_LEAVING;
9779 	else
9780 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9781 
9782 	if (reason == 0)
9783 		return -EINVAL;
9784 
9785 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9786 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9787 		return -EOPNOTSUPP;
9788 
9789 	wdev_lock(dev->ieee80211_ptr);
9790 	ret = cfg80211_disconnect(rdev, dev, reason, true);
9791 	wdev_unlock(dev->ieee80211_ptr);
9792 	return ret;
9793 }
9794 
9795 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
9796 {
9797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9798 	struct net *net;
9799 	int err;
9800 
9801 	if (info->attrs[NL80211_ATTR_PID]) {
9802 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
9803 
9804 		net = get_net_ns_by_pid(pid);
9805 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
9806 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
9807 
9808 		net = get_net_ns_by_fd(fd);
9809 	} else {
9810 		return -EINVAL;
9811 	}
9812 
9813 	if (IS_ERR(net))
9814 		return PTR_ERR(net);
9815 
9816 	err = 0;
9817 
9818 	/* check if anything to do */
9819 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
9820 		err = cfg80211_switch_netns(rdev, net);
9821 
9822 	put_net(net);
9823 	return err;
9824 }
9825 
9826 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
9827 {
9828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9829 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
9830 			struct cfg80211_pmksa *pmksa) = NULL;
9831 	struct net_device *dev = info->user_ptr[1];
9832 	struct cfg80211_pmksa pmksa;
9833 
9834 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
9835 
9836 	if (!info->attrs[NL80211_ATTR_PMKID])
9837 		return -EINVAL;
9838 
9839 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
9840 
9841 	if (info->attrs[NL80211_ATTR_MAC]) {
9842 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9843 	} else if (info->attrs[NL80211_ATTR_SSID] &&
9844 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
9845 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
9846 		    info->attrs[NL80211_ATTR_PMK])) {
9847 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9848 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9849 		pmksa.cache_id =
9850 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
9851 	} else {
9852 		return -EINVAL;
9853 	}
9854 	if (info->attrs[NL80211_ATTR_PMK]) {
9855 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9856 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
9857 	}
9858 
9859 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9860 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9861 		return -EOPNOTSUPP;
9862 
9863 	switch (info->genlhdr->cmd) {
9864 	case NL80211_CMD_SET_PMKSA:
9865 		rdev_ops = rdev->ops->set_pmksa;
9866 		break;
9867 	case NL80211_CMD_DEL_PMKSA:
9868 		rdev_ops = rdev->ops->del_pmksa;
9869 		break;
9870 	default:
9871 		WARN_ON(1);
9872 		break;
9873 	}
9874 
9875 	if (!rdev_ops)
9876 		return -EOPNOTSUPP;
9877 
9878 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
9879 }
9880 
9881 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
9882 {
9883 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9884 	struct net_device *dev = info->user_ptr[1];
9885 
9886 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9887 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9888 		return -EOPNOTSUPP;
9889 
9890 	if (!rdev->ops->flush_pmksa)
9891 		return -EOPNOTSUPP;
9892 
9893 	return rdev_flush_pmksa(rdev, dev);
9894 }
9895 
9896 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
9897 {
9898 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9899 	struct net_device *dev = info->user_ptr[1];
9900 	u8 action_code, dialog_token;
9901 	u32 peer_capability = 0;
9902 	u16 status_code;
9903 	u8 *peer;
9904 	bool initiator;
9905 
9906 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
9907 	    !rdev->ops->tdls_mgmt)
9908 		return -EOPNOTSUPP;
9909 
9910 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
9911 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
9912 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
9913 	    !info->attrs[NL80211_ATTR_IE] ||
9914 	    !info->attrs[NL80211_ATTR_MAC])
9915 		return -EINVAL;
9916 
9917 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9918 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
9919 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
9920 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
9921 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
9922 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
9923 		peer_capability =
9924 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
9925 
9926 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
9927 			      dialog_token, status_code, peer_capability,
9928 			      initiator,
9929 			      nla_data(info->attrs[NL80211_ATTR_IE]),
9930 			      nla_len(info->attrs[NL80211_ATTR_IE]));
9931 }
9932 
9933 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
9934 {
9935 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9936 	struct net_device *dev = info->user_ptr[1];
9937 	enum nl80211_tdls_operation operation;
9938 	u8 *peer;
9939 
9940 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
9941 	    !rdev->ops->tdls_oper)
9942 		return -EOPNOTSUPP;
9943 
9944 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
9945 	    !info->attrs[NL80211_ATTR_MAC])
9946 		return -EINVAL;
9947 
9948 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
9949 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9950 
9951 	return rdev_tdls_oper(rdev, dev, peer, operation);
9952 }
9953 
9954 static int nl80211_remain_on_channel(struct sk_buff *skb,
9955 				     struct genl_info *info)
9956 {
9957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9958 	struct wireless_dev *wdev = info->user_ptr[1];
9959 	struct cfg80211_chan_def chandef;
9960 	const struct cfg80211_chan_def *compat_chandef;
9961 	struct sk_buff *msg;
9962 	void *hdr;
9963 	u64 cookie;
9964 	u32 duration;
9965 	int err;
9966 
9967 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9968 	    !info->attrs[NL80211_ATTR_DURATION])
9969 		return -EINVAL;
9970 
9971 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
9972 
9973 	if (!rdev->ops->remain_on_channel ||
9974 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
9975 		return -EOPNOTSUPP;
9976 
9977 	/*
9978 	 * We should be on that channel for at least a minimum amount of
9979 	 * time (10ms) but no longer than the driver supports.
9980 	 */
9981 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
9982 	    duration > rdev->wiphy.max_remain_on_channel_duration)
9983 		return -EINVAL;
9984 
9985 	err = nl80211_parse_chandef(rdev, info, &chandef);
9986 	if (err)
9987 		return err;
9988 
9989 	wdev_lock(wdev);
9990 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
9991 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
9992 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
9993 							     &chandef);
9994 		if (compat_chandef != &chandef) {
9995 			wdev_unlock(wdev);
9996 			return -EBUSY;
9997 		}
9998 	}
9999 	wdev_unlock(wdev);
10000 
10001 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10002 	if (!msg)
10003 		return -ENOMEM;
10004 
10005 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10006 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10007 	if (!hdr) {
10008 		err = -ENOBUFS;
10009 		goto free_msg;
10010 	}
10011 
10012 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10013 				     duration, &cookie);
10014 
10015 	if (err)
10016 		goto free_msg;
10017 
10018 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10019 			      NL80211_ATTR_PAD))
10020 		goto nla_put_failure;
10021 
10022 	genlmsg_end(msg, hdr);
10023 
10024 	return genlmsg_reply(msg, info);
10025 
10026  nla_put_failure:
10027 	err = -ENOBUFS;
10028  free_msg:
10029 	nlmsg_free(msg);
10030 	return err;
10031 }
10032 
10033 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10034 					    struct genl_info *info)
10035 {
10036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10037 	struct wireless_dev *wdev = info->user_ptr[1];
10038 	u64 cookie;
10039 
10040 	if (!info->attrs[NL80211_ATTR_COOKIE])
10041 		return -EINVAL;
10042 
10043 	if (!rdev->ops->cancel_remain_on_channel)
10044 		return -EOPNOTSUPP;
10045 
10046 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10047 
10048 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10049 }
10050 
10051 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10052 				       struct genl_info *info)
10053 {
10054 	struct cfg80211_bitrate_mask mask;
10055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10056 	struct net_device *dev = info->user_ptr[1];
10057 	int err;
10058 
10059 	if (!rdev->ops->set_bitrate_mask)
10060 		return -EOPNOTSUPP;
10061 
10062 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
10063 	if (err)
10064 		return err;
10065 
10066 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10067 }
10068 
10069 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10070 {
10071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10072 	struct wireless_dev *wdev = info->user_ptr[1];
10073 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10074 
10075 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10076 		return -EINVAL;
10077 
10078 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10079 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10080 
10081 	switch (wdev->iftype) {
10082 	case NL80211_IFTYPE_STATION:
10083 	case NL80211_IFTYPE_ADHOC:
10084 	case NL80211_IFTYPE_P2P_CLIENT:
10085 	case NL80211_IFTYPE_AP:
10086 	case NL80211_IFTYPE_AP_VLAN:
10087 	case NL80211_IFTYPE_MESH_POINT:
10088 	case NL80211_IFTYPE_P2P_GO:
10089 	case NL80211_IFTYPE_P2P_DEVICE:
10090 		break;
10091 	case NL80211_IFTYPE_NAN:
10092 	default:
10093 		return -EOPNOTSUPP;
10094 	}
10095 
10096 	/* not much point in registering if we can't reply */
10097 	if (!rdev->ops->mgmt_tx)
10098 		return -EOPNOTSUPP;
10099 
10100 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10101 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10102 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
10103 }
10104 
10105 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10106 {
10107 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10108 	struct wireless_dev *wdev = info->user_ptr[1];
10109 	struct cfg80211_chan_def chandef;
10110 	int err;
10111 	void *hdr = NULL;
10112 	u64 cookie;
10113 	struct sk_buff *msg = NULL;
10114 	struct cfg80211_mgmt_tx_params params = {
10115 		.dont_wait_for_ack =
10116 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10117 	};
10118 
10119 	if (!info->attrs[NL80211_ATTR_FRAME])
10120 		return -EINVAL;
10121 
10122 	if (!rdev->ops->mgmt_tx)
10123 		return -EOPNOTSUPP;
10124 
10125 	switch (wdev->iftype) {
10126 	case NL80211_IFTYPE_P2P_DEVICE:
10127 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10128 			return -EINVAL;
10129 	case NL80211_IFTYPE_STATION:
10130 	case NL80211_IFTYPE_ADHOC:
10131 	case NL80211_IFTYPE_P2P_CLIENT:
10132 	case NL80211_IFTYPE_AP:
10133 	case NL80211_IFTYPE_AP_VLAN:
10134 	case NL80211_IFTYPE_MESH_POINT:
10135 	case NL80211_IFTYPE_P2P_GO:
10136 		break;
10137 	case NL80211_IFTYPE_NAN:
10138 	default:
10139 		return -EOPNOTSUPP;
10140 	}
10141 
10142 	if (info->attrs[NL80211_ATTR_DURATION]) {
10143 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10144 			return -EINVAL;
10145 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10146 
10147 		/*
10148 		 * We should wait on the channel for at least a minimum amount
10149 		 * of time (10ms) but no longer than the driver supports.
10150 		 */
10151 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10152 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
10153 			return -EINVAL;
10154 	}
10155 
10156 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10157 
10158 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10159 		return -EINVAL;
10160 
10161 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10162 
10163 	/* get the channel if any has been specified, otherwise pass NULL to
10164 	 * the driver. The latter will use the current one
10165 	 */
10166 	chandef.chan = NULL;
10167 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10168 		err = nl80211_parse_chandef(rdev, info, &chandef);
10169 		if (err)
10170 			return err;
10171 	}
10172 
10173 	if (!chandef.chan && params.offchan)
10174 		return -EINVAL;
10175 
10176 	wdev_lock(wdev);
10177 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10178 		wdev_unlock(wdev);
10179 		return -EBUSY;
10180 	}
10181 	wdev_unlock(wdev);
10182 
10183 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10184 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10185 
10186 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10187 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10188 		int i;
10189 
10190 		if (len % sizeof(u16))
10191 			return -EINVAL;
10192 
10193 		params.n_csa_offsets = len / sizeof(u16);
10194 		params.csa_offsets =
10195 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10196 
10197 		/* check that all the offsets fit the frame */
10198 		for (i = 0; i < params.n_csa_offsets; i++) {
10199 			if (params.csa_offsets[i] >= params.len)
10200 				return -EINVAL;
10201 		}
10202 	}
10203 
10204 	if (!params.dont_wait_for_ack) {
10205 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10206 		if (!msg)
10207 			return -ENOMEM;
10208 
10209 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10210 				     NL80211_CMD_FRAME);
10211 		if (!hdr) {
10212 			err = -ENOBUFS;
10213 			goto free_msg;
10214 		}
10215 	}
10216 
10217 	params.chan = chandef.chan;
10218 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10219 	if (err)
10220 		goto free_msg;
10221 
10222 	if (msg) {
10223 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10224 				      NL80211_ATTR_PAD))
10225 			goto nla_put_failure;
10226 
10227 		genlmsg_end(msg, hdr);
10228 		return genlmsg_reply(msg, info);
10229 	}
10230 
10231 	return 0;
10232 
10233  nla_put_failure:
10234 	err = -ENOBUFS;
10235  free_msg:
10236 	nlmsg_free(msg);
10237 	return err;
10238 }
10239 
10240 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10241 {
10242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10243 	struct wireless_dev *wdev = info->user_ptr[1];
10244 	u64 cookie;
10245 
10246 	if (!info->attrs[NL80211_ATTR_COOKIE])
10247 		return -EINVAL;
10248 
10249 	if (!rdev->ops->mgmt_tx_cancel_wait)
10250 		return -EOPNOTSUPP;
10251 
10252 	switch (wdev->iftype) {
10253 	case NL80211_IFTYPE_STATION:
10254 	case NL80211_IFTYPE_ADHOC:
10255 	case NL80211_IFTYPE_P2P_CLIENT:
10256 	case NL80211_IFTYPE_AP:
10257 	case NL80211_IFTYPE_AP_VLAN:
10258 	case NL80211_IFTYPE_P2P_GO:
10259 	case NL80211_IFTYPE_P2P_DEVICE:
10260 		break;
10261 	case NL80211_IFTYPE_NAN:
10262 	default:
10263 		return -EOPNOTSUPP;
10264 	}
10265 
10266 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10267 
10268 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10269 }
10270 
10271 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10272 {
10273 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10274 	struct wireless_dev *wdev;
10275 	struct net_device *dev = info->user_ptr[1];
10276 	u8 ps_state;
10277 	bool state;
10278 	int err;
10279 
10280 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10281 		return -EINVAL;
10282 
10283 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10284 
10285 	wdev = dev->ieee80211_ptr;
10286 
10287 	if (!rdev->ops->set_power_mgmt)
10288 		return -EOPNOTSUPP;
10289 
10290 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10291 
10292 	if (state == wdev->ps)
10293 		return 0;
10294 
10295 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10296 	if (!err)
10297 		wdev->ps = state;
10298 	return err;
10299 }
10300 
10301 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10302 {
10303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10304 	enum nl80211_ps_state ps_state;
10305 	struct wireless_dev *wdev;
10306 	struct net_device *dev = info->user_ptr[1];
10307 	struct sk_buff *msg;
10308 	void *hdr;
10309 	int err;
10310 
10311 	wdev = dev->ieee80211_ptr;
10312 
10313 	if (!rdev->ops->set_power_mgmt)
10314 		return -EOPNOTSUPP;
10315 
10316 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10317 	if (!msg)
10318 		return -ENOMEM;
10319 
10320 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10321 			     NL80211_CMD_GET_POWER_SAVE);
10322 	if (!hdr) {
10323 		err = -ENOBUFS;
10324 		goto free_msg;
10325 	}
10326 
10327 	if (wdev->ps)
10328 		ps_state = NL80211_PS_ENABLED;
10329 	else
10330 		ps_state = NL80211_PS_DISABLED;
10331 
10332 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
10333 		goto nla_put_failure;
10334 
10335 	genlmsg_end(msg, hdr);
10336 	return genlmsg_reply(msg, info);
10337 
10338  nla_put_failure:
10339 	err = -ENOBUFS;
10340  free_msg:
10341 	nlmsg_free(msg);
10342 	return err;
10343 }
10344 
10345 static const struct nla_policy
10346 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
10347 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
10348 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
10349 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
10350 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
10351 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
10352 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
10353 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
10354 };
10355 
10356 static int nl80211_set_cqm_txe(struct genl_info *info,
10357 			       u32 rate, u32 pkts, u32 intvl)
10358 {
10359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10360 	struct net_device *dev = info->user_ptr[1];
10361 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10362 
10363 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
10364 		return -EINVAL;
10365 
10366 	if (!rdev->ops->set_cqm_txe_config)
10367 		return -EOPNOTSUPP;
10368 
10369 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10370 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10371 		return -EOPNOTSUPP;
10372 
10373 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
10374 }
10375 
10376 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
10377 				    struct net_device *dev)
10378 {
10379 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10380 	s32 last, low, high;
10381 	u32 hyst;
10382 	int i, n, low_index;
10383 	int err;
10384 
10385 	/* RSSI reporting disabled? */
10386 	if (!wdev->cqm_config)
10387 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
10388 
10389 	/*
10390 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
10391 	 * event has been received yet, we should receive an event after a
10392 	 * connection is established and enough beacons received to calculate
10393 	 * the average.
10394 	 */
10395 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
10396 	    rdev->ops->get_station) {
10397 		struct station_info sinfo = {};
10398 		u8 *mac_addr;
10399 
10400 		mac_addr = wdev->current_bss->pub.bssid;
10401 
10402 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
10403 		if (err)
10404 			return err;
10405 
10406 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
10407 			wdev->cqm_config->last_rssi_event_value =
10408 				(s8) sinfo.rx_beacon_signal_avg;
10409 	}
10410 
10411 	last = wdev->cqm_config->last_rssi_event_value;
10412 	hyst = wdev->cqm_config->rssi_hyst;
10413 	n = wdev->cqm_config->n_rssi_thresholds;
10414 
10415 	for (i = 0; i < n; i++)
10416 		if (last < wdev->cqm_config->rssi_thresholds[i])
10417 			break;
10418 
10419 	low_index = i - 1;
10420 	if (low_index >= 0) {
10421 		low_index = array_index_nospec(low_index, n);
10422 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
10423 	} else {
10424 		low = S32_MIN;
10425 	}
10426 	if (i < n) {
10427 		i = array_index_nospec(i, n);
10428 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
10429 	} else {
10430 		high = S32_MAX;
10431 	}
10432 
10433 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
10434 }
10435 
10436 static int nl80211_set_cqm_rssi(struct genl_info *info,
10437 				const s32 *thresholds, int n_thresholds,
10438 				u32 hysteresis)
10439 {
10440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10441 	struct net_device *dev = info->user_ptr[1];
10442 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10443 	int i, err;
10444 	s32 prev = S32_MIN;
10445 
10446 	/* Check all values negative and sorted */
10447 	for (i = 0; i < n_thresholds; i++) {
10448 		if (thresholds[i] > 0 || thresholds[i] <= prev)
10449 			return -EINVAL;
10450 
10451 		prev = thresholds[i];
10452 	}
10453 
10454 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10455 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10456 		return -EOPNOTSUPP;
10457 
10458 	wdev_lock(wdev);
10459 	cfg80211_cqm_config_free(wdev);
10460 	wdev_unlock(wdev);
10461 
10462 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
10463 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
10464 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
10465 
10466 		return rdev_set_cqm_rssi_config(rdev, dev,
10467 						thresholds[0], hysteresis);
10468 	}
10469 
10470 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
10471 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
10472 		return -EOPNOTSUPP;
10473 
10474 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
10475 		n_thresholds = 0;
10476 
10477 	wdev_lock(wdev);
10478 	if (n_thresholds) {
10479 		struct cfg80211_cqm_config *cqm_config;
10480 
10481 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
10482 				     n_thresholds * sizeof(s32), GFP_KERNEL);
10483 		if (!cqm_config) {
10484 			err = -ENOMEM;
10485 			goto unlock;
10486 		}
10487 
10488 		cqm_config->rssi_hyst = hysteresis;
10489 		cqm_config->n_rssi_thresholds = n_thresholds;
10490 		memcpy(cqm_config->rssi_thresholds, thresholds,
10491 		       n_thresholds * sizeof(s32));
10492 
10493 		wdev->cqm_config = cqm_config;
10494 	}
10495 
10496 	err = cfg80211_cqm_rssi_update(rdev, dev);
10497 
10498 unlock:
10499 	wdev_unlock(wdev);
10500 
10501 	return err;
10502 }
10503 
10504 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
10505 {
10506 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
10507 	struct nlattr *cqm;
10508 	int err;
10509 
10510 	cqm = info->attrs[NL80211_ATTR_CQM];
10511 	if (!cqm)
10512 		return -EINVAL;
10513 
10514 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
10515 			       nl80211_attr_cqm_policy, info->extack);
10516 	if (err)
10517 		return err;
10518 
10519 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
10520 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
10521 		const s32 *thresholds =
10522 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10523 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10524 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
10525 
10526 		if (len % 4)
10527 			return -EINVAL;
10528 
10529 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
10530 					    hysteresis);
10531 	}
10532 
10533 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
10534 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
10535 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
10536 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
10537 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
10538 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
10539 
10540 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
10541 	}
10542 
10543 	return -EINVAL;
10544 }
10545 
10546 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
10547 {
10548 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10549 	struct net_device *dev = info->user_ptr[1];
10550 	struct ocb_setup setup = {};
10551 	int err;
10552 
10553 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10554 	if (err)
10555 		return err;
10556 
10557 	return cfg80211_join_ocb(rdev, dev, &setup);
10558 }
10559 
10560 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
10561 {
10562 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10563 	struct net_device *dev = info->user_ptr[1];
10564 
10565 	return cfg80211_leave_ocb(rdev, dev);
10566 }
10567 
10568 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
10569 {
10570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10571 	struct net_device *dev = info->user_ptr[1];
10572 	struct mesh_config cfg;
10573 	struct mesh_setup setup;
10574 	int err;
10575 
10576 	/* start with default */
10577 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
10578 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
10579 
10580 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
10581 		/* and parse parameters if given */
10582 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
10583 		if (err)
10584 			return err;
10585 	}
10586 
10587 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
10588 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
10589 		return -EINVAL;
10590 
10591 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
10592 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
10593 
10594 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10595 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
10596 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10597 			return -EINVAL;
10598 
10599 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
10600 		setup.beacon_interval =
10601 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10602 
10603 		err = cfg80211_validate_beacon_int(rdev,
10604 						   NL80211_IFTYPE_MESH_POINT,
10605 						   setup.beacon_interval);
10606 		if (err)
10607 			return err;
10608 	}
10609 
10610 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
10611 		setup.dtim_period =
10612 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
10613 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
10614 			return -EINVAL;
10615 	}
10616 
10617 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
10618 		/* parse additional setup parameters if given */
10619 		err = nl80211_parse_mesh_setup(info, &setup);
10620 		if (err)
10621 			return err;
10622 	}
10623 
10624 	if (setup.user_mpm)
10625 		cfg.auto_open_plinks = false;
10626 
10627 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10628 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10629 		if (err)
10630 			return err;
10631 	} else {
10632 		/* __cfg80211_join_mesh() will sort it out */
10633 		setup.chandef.chan = NULL;
10634 	}
10635 
10636 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10637 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10638 		int n_rates =
10639 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10640 		struct ieee80211_supported_band *sband;
10641 
10642 		if (!setup.chandef.chan)
10643 			return -EINVAL;
10644 
10645 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
10646 
10647 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10648 					     &setup.basic_rates);
10649 		if (err)
10650 			return err;
10651 	}
10652 
10653 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
10654 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
10655 		if (err)
10656 			return err;
10657 
10658 		if (!setup.chandef.chan)
10659 			return -EINVAL;
10660 
10661 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
10662 					      &setup.beacon_rate);
10663 		if (err)
10664 			return err;
10665 	}
10666 
10667 	setup.userspace_handles_dfs =
10668 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10669 
10670 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10671 		int r = validate_pae_over_nl80211(rdev, info);
10672 
10673 		if (r < 0)
10674 			return r;
10675 
10676 		setup.control_port_over_nl80211 = true;
10677 	}
10678 
10679 	wdev_lock(dev->ieee80211_ptr);
10680 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
10681 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
10682 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10683 	wdev_unlock(dev->ieee80211_ptr);
10684 
10685 	return err;
10686 }
10687 
10688 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
10689 {
10690 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10691 	struct net_device *dev = info->user_ptr[1];
10692 
10693 	return cfg80211_leave_mesh(rdev, dev);
10694 }
10695 
10696 #ifdef CONFIG_PM
10697 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
10698 					struct cfg80211_registered_device *rdev)
10699 {
10700 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
10701 	struct nlattr *nl_pats, *nl_pat;
10702 	int i, pat_len;
10703 
10704 	if (!wowlan->n_patterns)
10705 		return 0;
10706 
10707 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
10708 	if (!nl_pats)
10709 		return -ENOBUFS;
10710 
10711 	for (i = 0; i < wowlan->n_patterns; i++) {
10712 		nl_pat = nla_nest_start(msg, i + 1);
10713 		if (!nl_pat)
10714 			return -ENOBUFS;
10715 		pat_len = wowlan->patterns[i].pattern_len;
10716 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
10717 			    wowlan->patterns[i].mask) ||
10718 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
10719 			    wowlan->patterns[i].pattern) ||
10720 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
10721 				wowlan->patterns[i].pkt_offset))
10722 			return -ENOBUFS;
10723 		nla_nest_end(msg, nl_pat);
10724 	}
10725 	nla_nest_end(msg, nl_pats);
10726 
10727 	return 0;
10728 }
10729 
10730 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
10731 				   struct cfg80211_wowlan_tcp *tcp)
10732 {
10733 	struct nlattr *nl_tcp;
10734 
10735 	if (!tcp)
10736 		return 0;
10737 
10738 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
10739 	if (!nl_tcp)
10740 		return -ENOBUFS;
10741 
10742 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
10743 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
10744 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
10745 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
10746 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
10747 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
10748 		    tcp->payload_len, tcp->payload) ||
10749 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
10750 			tcp->data_interval) ||
10751 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
10752 		    tcp->wake_len, tcp->wake_data) ||
10753 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
10754 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
10755 		return -ENOBUFS;
10756 
10757 	if (tcp->payload_seq.len &&
10758 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
10759 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
10760 		return -ENOBUFS;
10761 
10762 	if (tcp->payload_tok.len &&
10763 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
10764 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
10765 		    &tcp->payload_tok))
10766 		return -ENOBUFS;
10767 
10768 	nla_nest_end(msg, nl_tcp);
10769 
10770 	return 0;
10771 }
10772 
10773 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
10774 				  struct cfg80211_sched_scan_request *req)
10775 {
10776 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
10777 	int i;
10778 
10779 	if (!req)
10780 		return 0;
10781 
10782 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
10783 	if (!nd)
10784 		return -ENOBUFS;
10785 
10786 	if (req->n_scan_plans == 1 &&
10787 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
10788 			req->scan_plans[0].interval * 1000))
10789 		return -ENOBUFS;
10790 
10791 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
10792 		return -ENOBUFS;
10793 
10794 	if (req->relative_rssi_set) {
10795 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
10796 
10797 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
10798 			       req->relative_rssi))
10799 			return -ENOBUFS;
10800 
10801 		rssi_adjust.band = req->rssi_adjust.band;
10802 		rssi_adjust.delta = req->rssi_adjust.delta;
10803 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
10804 			    sizeof(rssi_adjust), &rssi_adjust))
10805 			return -ENOBUFS;
10806 	}
10807 
10808 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10809 	if (!freqs)
10810 		return -ENOBUFS;
10811 
10812 	for (i = 0; i < req->n_channels; i++) {
10813 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10814 			return -ENOBUFS;
10815 	}
10816 
10817 	nla_nest_end(msg, freqs);
10818 
10819 	if (req->n_match_sets) {
10820 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
10821 		if (!matches)
10822 			return -ENOBUFS;
10823 
10824 		for (i = 0; i < req->n_match_sets; i++) {
10825 			match = nla_nest_start(msg, i);
10826 			if (!match)
10827 				return -ENOBUFS;
10828 
10829 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
10830 				    req->match_sets[i].ssid.ssid_len,
10831 				    req->match_sets[i].ssid.ssid))
10832 				return -ENOBUFS;
10833 			nla_nest_end(msg, match);
10834 		}
10835 		nla_nest_end(msg, matches);
10836 	}
10837 
10838 	scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
10839 	if (!scan_plans)
10840 		return -ENOBUFS;
10841 
10842 	for (i = 0; i < req->n_scan_plans; i++) {
10843 		scan_plan = nla_nest_start(msg, i + 1);
10844 		if (!scan_plan)
10845 			return -ENOBUFS;
10846 
10847 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
10848 				req->scan_plans[i].interval) ||
10849 		    (req->scan_plans[i].iterations &&
10850 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
10851 				 req->scan_plans[i].iterations)))
10852 			return -ENOBUFS;
10853 		nla_nest_end(msg, scan_plan);
10854 	}
10855 	nla_nest_end(msg, scan_plans);
10856 
10857 	nla_nest_end(msg, nd);
10858 
10859 	return 0;
10860 }
10861 
10862 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
10863 {
10864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10865 	struct sk_buff *msg;
10866 	void *hdr;
10867 	u32 size = NLMSG_DEFAULT_SIZE;
10868 
10869 	if (!rdev->wiphy.wowlan)
10870 		return -EOPNOTSUPP;
10871 
10872 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
10873 		/* adjust size to have room for all the data */
10874 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
10875 			rdev->wiphy.wowlan_config->tcp->payload_len +
10876 			rdev->wiphy.wowlan_config->tcp->wake_len +
10877 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
10878 	}
10879 
10880 	msg = nlmsg_new(size, GFP_KERNEL);
10881 	if (!msg)
10882 		return -ENOMEM;
10883 
10884 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10885 			     NL80211_CMD_GET_WOWLAN);
10886 	if (!hdr)
10887 		goto nla_put_failure;
10888 
10889 	if (rdev->wiphy.wowlan_config) {
10890 		struct nlattr *nl_wowlan;
10891 
10892 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
10893 		if (!nl_wowlan)
10894 			goto nla_put_failure;
10895 
10896 		if ((rdev->wiphy.wowlan_config->any &&
10897 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
10898 		    (rdev->wiphy.wowlan_config->disconnect &&
10899 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
10900 		    (rdev->wiphy.wowlan_config->magic_pkt &&
10901 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
10902 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
10903 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
10904 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
10905 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
10906 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
10907 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
10908 		    (rdev->wiphy.wowlan_config->rfkill_release &&
10909 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
10910 			goto nla_put_failure;
10911 
10912 		if (nl80211_send_wowlan_patterns(msg, rdev))
10913 			goto nla_put_failure;
10914 
10915 		if (nl80211_send_wowlan_tcp(msg,
10916 					    rdev->wiphy.wowlan_config->tcp))
10917 			goto nla_put_failure;
10918 
10919 		if (nl80211_send_wowlan_nd(
10920 			    msg,
10921 			    rdev->wiphy.wowlan_config->nd_config))
10922 			goto nla_put_failure;
10923 
10924 		nla_nest_end(msg, nl_wowlan);
10925 	}
10926 
10927 	genlmsg_end(msg, hdr);
10928 	return genlmsg_reply(msg, info);
10929 
10930 nla_put_failure:
10931 	nlmsg_free(msg);
10932 	return -ENOBUFS;
10933 }
10934 
10935 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
10936 				    struct nlattr *attr,
10937 				    struct cfg80211_wowlan *trig)
10938 {
10939 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
10940 	struct cfg80211_wowlan_tcp *cfg;
10941 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
10942 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
10943 	u32 size;
10944 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
10945 	int err, port;
10946 
10947 	if (!rdev->wiphy.wowlan->tcp)
10948 		return -EINVAL;
10949 
10950 	err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TCP, attr,
10951 			       nl80211_wowlan_tcp_policy, NULL);
10952 	if (err)
10953 		return err;
10954 
10955 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
10956 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
10957 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
10958 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
10959 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
10960 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
10961 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
10962 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
10963 		return -EINVAL;
10964 
10965 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
10966 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
10967 		return -EINVAL;
10968 
10969 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
10970 			rdev->wiphy.wowlan->tcp->data_interval_max ||
10971 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
10972 		return -EINVAL;
10973 
10974 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
10975 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
10976 		return -EINVAL;
10977 
10978 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
10979 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
10980 		return -EINVAL;
10981 
10982 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
10983 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
10984 
10985 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
10986 		tokens_size = tokln - sizeof(*tok);
10987 
10988 		if (!tok->len || tokens_size % tok->len)
10989 			return -EINVAL;
10990 		if (!rdev->wiphy.wowlan->tcp->tok)
10991 			return -EINVAL;
10992 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
10993 			return -EINVAL;
10994 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
10995 			return -EINVAL;
10996 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
10997 			return -EINVAL;
10998 		if (tok->offset + tok->len > data_size)
10999 			return -EINVAL;
11000 	}
11001 
11002 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11003 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11004 		if (!rdev->wiphy.wowlan->tcp->seq)
11005 			return -EINVAL;
11006 		if (seq->len == 0 || seq->len > 4)
11007 			return -EINVAL;
11008 		if (seq->len + seq->offset > data_size)
11009 			return -EINVAL;
11010 	}
11011 
11012 	size = sizeof(*cfg);
11013 	size += data_size;
11014 	size += wake_size + wake_mask_size;
11015 	size += tokens_size;
11016 
11017 	cfg = kzalloc(size, GFP_KERNEL);
11018 	if (!cfg)
11019 		return -ENOMEM;
11020 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11021 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11022 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11023 	       ETH_ALEN);
11024 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11025 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11026 	else
11027 		port = 0;
11028 #ifdef CONFIG_INET
11029 	/* allocate a socket and port for it and use it */
11030 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11031 			    IPPROTO_TCP, &cfg->sock, 1);
11032 	if (err) {
11033 		kfree(cfg);
11034 		return err;
11035 	}
11036 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11037 		sock_release(cfg->sock);
11038 		kfree(cfg);
11039 		return -EADDRINUSE;
11040 	}
11041 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11042 #else
11043 	if (!port) {
11044 		kfree(cfg);
11045 		return -EINVAL;
11046 	}
11047 	cfg->src_port = port;
11048 #endif
11049 
11050 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11051 	cfg->payload_len = data_size;
11052 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11053 	memcpy((void *)cfg->payload,
11054 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11055 	       data_size);
11056 	if (seq)
11057 		cfg->payload_seq = *seq;
11058 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11059 	cfg->wake_len = wake_size;
11060 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11061 	memcpy((void *)cfg->wake_data,
11062 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11063 	       wake_size);
11064 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11065 			 data_size + wake_size;
11066 	memcpy((void *)cfg->wake_mask,
11067 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11068 	       wake_mask_size);
11069 	if (tok) {
11070 		cfg->tokens_size = tokens_size;
11071 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11072 	}
11073 
11074 	trig->tcp = cfg;
11075 
11076 	return 0;
11077 }
11078 
11079 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11080 				   const struct wiphy_wowlan_support *wowlan,
11081 				   struct nlattr *attr,
11082 				   struct cfg80211_wowlan *trig)
11083 {
11084 	struct nlattr **tb;
11085 	int err;
11086 
11087 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11088 	if (!tb)
11089 		return -ENOMEM;
11090 
11091 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11092 		err = -EOPNOTSUPP;
11093 		goto out;
11094 	}
11095 
11096 	err = nla_parse_nested(tb, NL80211_ATTR_MAX, attr, nl80211_policy,
11097 			       NULL);
11098 	if (err)
11099 		goto out;
11100 
11101 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11102 						   wowlan->max_nd_match_sets);
11103 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11104 	if (err)
11105 		trig->nd_config = NULL;
11106 
11107 out:
11108 	kfree(tb);
11109 	return err;
11110 }
11111 
11112 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11113 {
11114 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11115 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11116 	struct cfg80211_wowlan new_triggers = {};
11117 	struct cfg80211_wowlan *ntrig;
11118 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11119 	int err, i;
11120 	bool prev_enabled = rdev->wiphy.wowlan_config;
11121 	bool regular = false;
11122 
11123 	if (!wowlan)
11124 		return -EOPNOTSUPP;
11125 
11126 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11127 		cfg80211_rdev_free_wowlan(rdev);
11128 		rdev->wiphy.wowlan_config = NULL;
11129 		goto set_wakeup;
11130 	}
11131 
11132 	err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TRIG,
11133 			       info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11134 			       nl80211_wowlan_policy, info->extack);
11135 	if (err)
11136 		return err;
11137 
11138 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11139 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11140 			return -EINVAL;
11141 		new_triggers.any = true;
11142 	}
11143 
11144 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11145 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11146 			return -EINVAL;
11147 		new_triggers.disconnect = true;
11148 		regular = true;
11149 	}
11150 
11151 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11152 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11153 			return -EINVAL;
11154 		new_triggers.magic_pkt = true;
11155 		regular = true;
11156 	}
11157 
11158 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11159 		return -EINVAL;
11160 
11161 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11162 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11163 			return -EINVAL;
11164 		new_triggers.gtk_rekey_failure = true;
11165 		regular = true;
11166 	}
11167 
11168 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11169 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11170 			return -EINVAL;
11171 		new_triggers.eap_identity_req = true;
11172 		regular = true;
11173 	}
11174 
11175 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11176 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11177 			return -EINVAL;
11178 		new_triggers.four_way_handshake = true;
11179 		regular = true;
11180 	}
11181 
11182 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11183 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11184 			return -EINVAL;
11185 		new_triggers.rfkill_release = true;
11186 		regular = true;
11187 	}
11188 
11189 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11190 		struct nlattr *pat;
11191 		int n_patterns = 0;
11192 		int rem, pat_len, mask_len, pkt_offset;
11193 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11194 
11195 		regular = true;
11196 
11197 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11198 				    rem)
11199 			n_patterns++;
11200 		if (n_patterns > wowlan->n_patterns)
11201 			return -EINVAL;
11202 
11203 		new_triggers.patterns = kcalloc(n_patterns,
11204 						sizeof(new_triggers.patterns[0]),
11205 						GFP_KERNEL);
11206 		if (!new_triggers.patterns)
11207 			return -ENOMEM;
11208 
11209 		new_triggers.n_patterns = n_patterns;
11210 		i = 0;
11211 
11212 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11213 				    rem) {
11214 			u8 *mask_pat;
11215 
11216 			err = nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
11217 					       nl80211_packet_pattern_policy,
11218 					       info->extack);
11219 			if (err)
11220 				goto error;
11221 
11222 			err = -EINVAL;
11223 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
11224 			    !pat_tb[NL80211_PKTPAT_PATTERN])
11225 				goto error;
11226 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11227 			mask_len = DIV_ROUND_UP(pat_len, 8);
11228 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11229 				goto error;
11230 			if (pat_len > wowlan->pattern_max_len ||
11231 			    pat_len < wowlan->pattern_min_len)
11232 				goto error;
11233 
11234 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
11235 				pkt_offset = 0;
11236 			else
11237 				pkt_offset = nla_get_u32(
11238 					pat_tb[NL80211_PKTPAT_OFFSET]);
11239 			if (pkt_offset > wowlan->max_pkt_offset)
11240 				goto error;
11241 			new_triggers.patterns[i].pkt_offset = pkt_offset;
11242 
11243 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11244 			if (!mask_pat) {
11245 				err = -ENOMEM;
11246 				goto error;
11247 			}
11248 			new_triggers.patterns[i].mask = mask_pat;
11249 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11250 			       mask_len);
11251 			mask_pat += mask_len;
11252 			new_triggers.patterns[i].pattern = mask_pat;
11253 			new_triggers.patterns[i].pattern_len = pat_len;
11254 			memcpy(mask_pat,
11255 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11256 			       pat_len);
11257 			i++;
11258 		}
11259 	}
11260 
11261 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11262 		regular = true;
11263 		err = nl80211_parse_wowlan_tcp(
11264 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11265 			&new_triggers);
11266 		if (err)
11267 			goto error;
11268 	}
11269 
11270 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11271 		regular = true;
11272 		err = nl80211_parse_wowlan_nd(
11273 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11274 			&new_triggers);
11275 		if (err)
11276 			goto error;
11277 	}
11278 
11279 	/* The 'any' trigger means the device continues operating more or less
11280 	 * as in its normal operation mode and wakes up the host on most of the
11281 	 * normal interrupts (like packet RX, ...)
11282 	 * It therefore makes little sense to combine with the more constrained
11283 	 * wakeup trigger modes.
11284 	 */
11285 	if (new_triggers.any && regular) {
11286 		err = -EINVAL;
11287 		goto error;
11288 	}
11289 
11290 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11291 	if (!ntrig) {
11292 		err = -ENOMEM;
11293 		goto error;
11294 	}
11295 	cfg80211_rdev_free_wowlan(rdev);
11296 	rdev->wiphy.wowlan_config = ntrig;
11297 
11298  set_wakeup:
11299 	if (rdev->ops->set_wakeup &&
11300 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11301 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11302 
11303 	return 0;
11304  error:
11305 	for (i = 0; i < new_triggers.n_patterns; i++)
11306 		kfree(new_triggers.patterns[i].mask);
11307 	kfree(new_triggers.patterns);
11308 	if (new_triggers.tcp && new_triggers.tcp->sock)
11309 		sock_release(new_triggers.tcp->sock);
11310 	kfree(new_triggers.tcp);
11311 	kfree(new_triggers.nd_config);
11312 	return err;
11313 }
11314 #endif
11315 
11316 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
11317 				       struct cfg80211_registered_device *rdev)
11318 {
11319 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
11320 	int i, j, pat_len;
11321 	struct cfg80211_coalesce_rules *rule;
11322 
11323 	if (!rdev->coalesce->n_rules)
11324 		return 0;
11325 
11326 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
11327 	if (!nl_rules)
11328 		return -ENOBUFS;
11329 
11330 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
11331 		nl_rule = nla_nest_start(msg, i + 1);
11332 		if (!nl_rule)
11333 			return -ENOBUFS;
11334 
11335 		rule = &rdev->coalesce->rules[i];
11336 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
11337 				rule->delay))
11338 			return -ENOBUFS;
11339 
11340 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
11341 				rule->condition))
11342 			return -ENOBUFS;
11343 
11344 		nl_pats = nla_nest_start(msg,
11345 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
11346 		if (!nl_pats)
11347 			return -ENOBUFS;
11348 
11349 		for (j = 0; j < rule->n_patterns; j++) {
11350 			nl_pat = nla_nest_start(msg, j + 1);
11351 			if (!nl_pat)
11352 				return -ENOBUFS;
11353 			pat_len = rule->patterns[j].pattern_len;
11354 			if (nla_put(msg, NL80211_PKTPAT_MASK,
11355 				    DIV_ROUND_UP(pat_len, 8),
11356 				    rule->patterns[j].mask) ||
11357 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11358 				    rule->patterns[j].pattern) ||
11359 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11360 					rule->patterns[j].pkt_offset))
11361 				return -ENOBUFS;
11362 			nla_nest_end(msg, nl_pat);
11363 		}
11364 		nla_nest_end(msg, nl_pats);
11365 		nla_nest_end(msg, nl_rule);
11366 	}
11367 	nla_nest_end(msg, nl_rules);
11368 
11369 	return 0;
11370 }
11371 
11372 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
11373 {
11374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11375 	struct sk_buff *msg;
11376 	void *hdr;
11377 
11378 	if (!rdev->wiphy.coalesce)
11379 		return -EOPNOTSUPP;
11380 
11381 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11382 	if (!msg)
11383 		return -ENOMEM;
11384 
11385 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11386 			     NL80211_CMD_GET_COALESCE);
11387 	if (!hdr)
11388 		goto nla_put_failure;
11389 
11390 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
11391 		goto nla_put_failure;
11392 
11393 	genlmsg_end(msg, hdr);
11394 	return genlmsg_reply(msg, info);
11395 
11396 nla_put_failure:
11397 	nlmsg_free(msg);
11398 	return -ENOBUFS;
11399 }
11400 
11401 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
11402 {
11403 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
11404 	int i, j;
11405 	struct cfg80211_coalesce_rules *rule;
11406 
11407 	if (!coalesce)
11408 		return;
11409 
11410 	for (i = 0; i < coalesce->n_rules; i++) {
11411 		rule = &coalesce->rules[i];
11412 		for (j = 0; j < rule->n_patterns; j++)
11413 			kfree(rule->patterns[j].mask);
11414 		kfree(rule->patterns);
11415 	}
11416 	kfree(coalesce->rules);
11417 	kfree(coalesce);
11418 	rdev->coalesce = NULL;
11419 }
11420 
11421 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
11422 				       struct nlattr *rule,
11423 				       struct cfg80211_coalesce_rules *new_rule)
11424 {
11425 	int err, i;
11426 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11427 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
11428 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
11429 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11430 
11431 	err = nla_parse_nested(tb, NL80211_ATTR_COALESCE_RULE_MAX, rule,
11432 			       nl80211_coalesce_policy, NULL);
11433 	if (err)
11434 		return err;
11435 
11436 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
11437 		new_rule->delay =
11438 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
11439 	if (new_rule->delay > coalesce->max_delay)
11440 		return -EINVAL;
11441 
11442 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
11443 		new_rule->condition =
11444 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
11445 
11446 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
11447 		return -EINVAL;
11448 
11449 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11450 			    rem)
11451 		n_patterns++;
11452 	if (n_patterns > coalesce->n_patterns)
11453 		return -EINVAL;
11454 
11455 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
11456 				     GFP_KERNEL);
11457 	if (!new_rule->patterns)
11458 		return -ENOMEM;
11459 
11460 	new_rule->n_patterns = n_patterns;
11461 	i = 0;
11462 
11463 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11464 			    rem) {
11465 		u8 *mask_pat;
11466 
11467 		err = nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
11468 				       nl80211_packet_pattern_policy, NULL);
11469 		if (err)
11470 			return err;
11471 
11472 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
11473 		    !pat_tb[NL80211_PKTPAT_PATTERN])
11474 			return -EINVAL;
11475 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11476 		mask_len = DIV_ROUND_UP(pat_len, 8);
11477 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11478 			return -EINVAL;
11479 		if (pat_len > coalesce->pattern_max_len ||
11480 		    pat_len < coalesce->pattern_min_len)
11481 			return -EINVAL;
11482 
11483 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
11484 			pkt_offset = 0;
11485 		else
11486 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
11487 		if (pkt_offset > coalesce->max_pkt_offset)
11488 			return -EINVAL;
11489 		new_rule->patterns[i].pkt_offset = pkt_offset;
11490 
11491 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11492 		if (!mask_pat)
11493 			return -ENOMEM;
11494 
11495 		new_rule->patterns[i].mask = mask_pat;
11496 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11497 		       mask_len);
11498 
11499 		mask_pat += mask_len;
11500 		new_rule->patterns[i].pattern = mask_pat;
11501 		new_rule->patterns[i].pattern_len = pat_len;
11502 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11503 		       pat_len);
11504 		i++;
11505 	}
11506 
11507 	return 0;
11508 }
11509 
11510 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
11511 {
11512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11513 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11514 	struct cfg80211_coalesce new_coalesce = {};
11515 	struct cfg80211_coalesce *n_coalesce;
11516 	int err, rem_rule, n_rules = 0, i, j;
11517 	struct nlattr *rule;
11518 	struct cfg80211_coalesce_rules *tmp_rule;
11519 
11520 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
11521 		return -EOPNOTSUPP;
11522 
11523 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
11524 		cfg80211_rdev_free_coalesce(rdev);
11525 		rdev_set_coalesce(rdev, NULL);
11526 		return 0;
11527 	}
11528 
11529 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11530 			    rem_rule)
11531 		n_rules++;
11532 	if (n_rules > coalesce->n_rules)
11533 		return -EINVAL;
11534 
11535 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
11536 				     GFP_KERNEL);
11537 	if (!new_coalesce.rules)
11538 		return -ENOMEM;
11539 
11540 	new_coalesce.n_rules = n_rules;
11541 	i = 0;
11542 
11543 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11544 			    rem_rule) {
11545 		err = nl80211_parse_coalesce_rule(rdev, rule,
11546 						  &new_coalesce.rules[i]);
11547 		if (err)
11548 			goto error;
11549 
11550 		i++;
11551 	}
11552 
11553 	err = rdev_set_coalesce(rdev, &new_coalesce);
11554 	if (err)
11555 		goto error;
11556 
11557 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
11558 	if (!n_coalesce) {
11559 		err = -ENOMEM;
11560 		goto error;
11561 	}
11562 	cfg80211_rdev_free_coalesce(rdev);
11563 	rdev->coalesce = n_coalesce;
11564 
11565 	return 0;
11566 error:
11567 	for (i = 0; i < new_coalesce.n_rules; i++) {
11568 		tmp_rule = &new_coalesce.rules[i];
11569 		for (j = 0; j < tmp_rule->n_patterns; j++)
11570 			kfree(tmp_rule->patterns[j].mask);
11571 		kfree(tmp_rule->patterns);
11572 	}
11573 	kfree(new_coalesce.rules);
11574 
11575 	return err;
11576 }
11577 
11578 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
11579 {
11580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11581 	struct net_device *dev = info->user_ptr[1];
11582 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11583 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
11584 	struct cfg80211_gtk_rekey_data rekey_data;
11585 	int err;
11586 
11587 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
11588 		return -EINVAL;
11589 
11590 	err = nla_parse_nested(tb, MAX_NL80211_REKEY_DATA,
11591 			       info->attrs[NL80211_ATTR_REKEY_DATA],
11592 			       nl80211_rekey_policy, info->extack);
11593 	if (err)
11594 		return err;
11595 
11596 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
11597 	    !tb[NL80211_REKEY_DATA_KCK])
11598 		return -EINVAL;
11599 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
11600 		return -ERANGE;
11601 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
11602 		return -ERANGE;
11603 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
11604 		return -ERANGE;
11605 
11606 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
11607 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
11608 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
11609 
11610 	wdev_lock(wdev);
11611 	if (!wdev->current_bss) {
11612 		err = -ENOTCONN;
11613 		goto out;
11614 	}
11615 
11616 	if (!rdev->ops->set_rekey_data) {
11617 		err = -EOPNOTSUPP;
11618 		goto out;
11619 	}
11620 
11621 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
11622  out:
11623 	wdev_unlock(wdev);
11624 	return err;
11625 }
11626 
11627 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
11628 					     struct genl_info *info)
11629 {
11630 	struct net_device *dev = info->user_ptr[1];
11631 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11632 
11633 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11634 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11635 		return -EINVAL;
11636 
11637 	if (wdev->ap_unexpected_nlportid)
11638 		return -EBUSY;
11639 
11640 	wdev->ap_unexpected_nlportid = info->snd_portid;
11641 	return 0;
11642 }
11643 
11644 static int nl80211_probe_client(struct sk_buff *skb,
11645 				struct genl_info *info)
11646 {
11647 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11648 	struct net_device *dev = info->user_ptr[1];
11649 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11650 	struct sk_buff *msg;
11651 	void *hdr;
11652 	const u8 *addr;
11653 	u64 cookie;
11654 	int err;
11655 
11656 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11657 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11658 		return -EOPNOTSUPP;
11659 
11660 	if (!info->attrs[NL80211_ATTR_MAC])
11661 		return -EINVAL;
11662 
11663 	if (!rdev->ops->probe_client)
11664 		return -EOPNOTSUPP;
11665 
11666 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11667 	if (!msg)
11668 		return -ENOMEM;
11669 
11670 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11671 			     NL80211_CMD_PROBE_CLIENT);
11672 	if (!hdr) {
11673 		err = -ENOBUFS;
11674 		goto free_msg;
11675 	}
11676 
11677 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
11678 
11679 	err = rdev_probe_client(rdev, dev, addr, &cookie);
11680 	if (err)
11681 		goto free_msg;
11682 
11683 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11684 			      NL80211_ATTR_PAD))
11685 		goto nla_put_failure;
11686 
11687 	genlmsg_end(msg, hdr);
11688 
11689 	return genlmsg_reply(msg, info);
11690 
11691  nla_put_failure:
11692 	err = -ENOBUFS;
11693  free_msg:
11694 	nlmsg_free(msg);
11695 	return err;
11696 }
11697 
11698 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
11699 {
11700 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11701 	struct cfg80211_beacon_registration *reg, *nreg;
11702 	int rv;
11703 
11704 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
11705 		return -EOPNOTSUPP;
11706 
11707 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
11708 	if (!nreg)
11709 		return -ENOMEM;
11710 
11711 	/* First, check if already registered. */
11712 	spin_lock_bh(&rdev->beacon_registrations_lock);
11713 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11714 		if (reg->nlportid == info->snd_portid) {
11715 			rv = -EALREADY;
11716 			goto out_err;
11717 		}
11718 	}
11719 	/* Add it to the list */
11720 	nreg->nlportid = info->snd_portid;
11721 	list_add(&nreg->list, &rdev->beacon_registrations);
11722 
11723 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11724 
11725 	return 0;
11726 out_err:
11727 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11728 	kfree(nreg);
11729 	return rv;
11730 }
11731 
11732 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
11733 {
11734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11735 	struct wireless_dev *wdev = info->user_ptr[1];
11736 	int err;
11737 
11738 	if (!rdev->ops->start_p2p_device)
11739 		return -EOPNOTSUPP;
11740 
11741 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11742 		return -EOPNOTSUPP;
11743 
11744 	if (wdev_running(wdev))
11745 		return 0;
11746 
11747 	if (rfkill_blocked(rdev->rfkill))
11748 		return -ERFKILL;
11749 
11750 	err = rdev_start_p2p_device(rdev, wdev);
11751 	if (err)
11752 		return err;
11753 
11754 	wdev->is_running = true;
11755 	rdev->opencount++;
11756 
11757 	return 0;
11758 }
11759 
11760 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
11761 {
11762 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11763 	struct wireless_dev *wdev = info->user_ptr[1];
11764 
11765 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11766 		return -EOPNOTSUPP;
11767 
11768 	if (!rdev->ops->stop_p2p_device)
11769 		return -EOPNOTSUPP;
11770 
11771 	cfg80211_stop_p2p_device(rdev, wdev);
11772 
11773 	return 0;
11774 }
11775 
11776 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
11777 {
11778 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11779 	struct wireless_dev *wdev = info->user_ptr[1];
11780 	struct cfg80211_nan_conf conf = {};
11781 	int err;
11782 
11783 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11784 		return -EOPNOTSUPP;
11785 
11786 	if (wdev_running(wdev))
11787 		return -EEXIST;
11788 
11789 	if (rfkill_blocked(rdev->rfkill))
11790 		return -ERFKILL;
11791 
11792 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
11793 		return -EINVAL;
11794 
11795 	conf.master_pref =
11796 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
11797 
11798 	if (info->attrs[NL80211_ATTR_BANDS]) {
11799 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
11800 
11801 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
11802 			return -EOPNOTSUPP;
11803 
11804 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
11805 			return -EINVAL;
11806 
11807 		conf.bands = bands;
11808 	}
11809 
11810 	err = rdev_start_nan(rdev, wdev, &conf);
11811 	if (err)
11812 		return err;
11813 
11814 	wdev->is_running = true;
11815 	rdev->opencount++;
11816 
11817 	return 0;
11818 }
11819 
11820 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
11821 {
11822 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11823 	struct wireless_dev *wdev = info->user_ptr[1];
11824 
11825 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11826 		return -EOPNOTSUPP;
11827 
11828 	cfg80211_stop_nan(rdev, wdev);
11829 
11830 	return 0;
11831 }
11832 
11833 static int validate_nan_filter(struct nlattr *filter_attr)
11834 {
11835 	struct nlattr *attr;
11836 	int len = 0, n_entries = 0, rem;
11837 
11838 	nla_for_each_nested(attr, filter_attr, rem) {
11839 		len += nla_len(attr);
11840 		n_entries++;
11841 	}
11842 
11843 	if (len >= U8_MAX)
11844 		return -EINVAL;
11845 
11846 	return n_entries;
11847 }
11848 
11849 static int handle_nan_filter(struct nlattr *attr_filter,
11850 			     struct cfg80211_nan_func *func,
11851 			     bool tx)
11852 {
11853 	struct nlattr *attr;
11854 	int n_entries, rem, i;
11855 	struct cfg80211_nan_func_filter *filter;
11856 
11857 	n_entries = validate_nan_filter(attr_filter);
11858 	if (n_entries < 0)
11859 		return n_entries;
11860 
11861 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
11862 
11863 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
11864 	if (!filter)
11865 		return -ENOMEM;
11866 
11867 	i = 0;
11868 	nla_for_each_nested(attr, attr_filter, rem) {
11869 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
11870 		filter[i].len = nla_len(attr);
11871 		i++;
11872 	}
11873 	if (tx) {
11874 		func->num_tx_filters = n_entries;
11875 		func->tx_filters = filter;
11876 	} else {
11877 		func->num_rx_filters = n_entries;
11878 		func->rx_filters = filter;
11879 	}
11880 
11881 	return 0;
11882 }
11883 
11884 static int nl80211_nan_add_func(struct sk_buff *skb,
11885 				struct genl_info *info)
11886 {
11887 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11888 	struct wireless_dev *wdev = info->user_ptr[1];
11889 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
11890 	struct cfg80211_nan_func *func;
11891 	struct sk_buff *msg = NULL;
11892 	void *hdr = NULL;
11893 	int err = 0;
11894 
11895 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11896 		return -EOPNOTSUPP;
11897 
11898 	if (!wdev_running(wdev))
11899 		return -ENOTCONN;
11900 
11901 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
11902 		return -EINVAL;
11903 
11904 	err = nla_parse_nested(tb, NL80211_NAN_FUNC_ATTR_MAX,
11905 			       info->attrs[NL80211_ATTR_NAN_FUNC],
11906 			       nl80211_nan_func_policy, info->extack);
11907 	if (err)
11908 		return err;
11909 
11910 	func = kzalloc(sizeof(*func), GFP_KERNEL);
11911 	if (!func)
11912 		return -ENOMEM;
11913 
11914 	func->cookie = cfg80211_assign_cookie(rdev);
11915 
11916 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
11917 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
11918 		err = -EINVAL;
11919 		goto out;
11920 	}
11921 
11922 
11923 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
11924 
11925 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
11926 		err = -EINVAL;
11927 		goto out;
11928 	}
11929 
11930 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
11931 	       sizeof(func->service_id));
11932 
11933 	func->close_range =
11934 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
11935 
11936 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
11937 		func->serv_spec_info_len =
11938 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
11939 		func->serv_spec_info =
11940 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
11941 				func->serv_spec_info_len,
11942 				GFP_KERNEL);
11943 		if (!func->serv_spec_info) {
11944 			err = -ENOMEM;
11945 			goto out;
11946 		}
11947 	}
11948 
11949 	if (tb[NL80211_NAN_FUNC_TTL])
11950 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
11951 
11952 	switch (func->type) {
11953 	case NL80211_NAN_FUNC_PUBLISH:
11954 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
11955 			err = -EINVAL;
11956 			goto out;
11957 		}
11958 
11959 		func->publish_type =
11960 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
11961 		func->publish_bcast =
11962 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
11963 
11964 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
11965 			func->publish_bcast) {
11966 			err = -EINVAL;
11967 			goto out;
11968 		}
11969 		break;
11970 	case NL80211_NAN_FUNC_SUBSCRIBE:
11971 		func->subscribe_active =
11972 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
11973 		break;
11974 	case NL80211_NAN_FUNC_FOLLOW_UP:
11975 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
11976 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
11977 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
11978 			err = -EINVAL;
11979 			goto out;
11980 		}
11981 
11982 		func->followup_id =
11983 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
11984 		func->followup_reqid =
11985 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
11986 		memcpy(func->followup_dest.addr,
11987 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
11988 		       sizeof(func->followup_dest.addr));
11989 		if (func->ttl) {
11990 			err = -EINVAL;
11991 			goto out;
11992 		}
11993 		break;
11994 	default:
11995 		err = -EINVAL;
11996 		goto out;
11997 	}
11998 
11999 	if (tb[NL80211_NAN_FUNC_SRF]) {
12000 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12001 
12002 		err = nla_parse_nested(srf_tb, NL80211_NAN_SRF_ATTR_MAX,
12003 				       tb[NL80211_NAN_FUNC_SRF],
12004 				       nl80211_nan_srf_policy, info->extack);
12005 		if (err)
12006 			goto out;
12007 
12008 		func->srf_include =
12009 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12010 
12011 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12012 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12013 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12014 				err = -EINVAL;
12015 				goto out;
12016 			}
12017 
12018 			func->srf_bf_len =
12019 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12020 			func->srf_bf =
12021 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12022 					func->srf_bf_len, GFP_KERNEL);
12023 			if (!func->srf_bf) {
12024 				err = -ENOMEM;
12025 				goto out;
12026 			}
12027 
12028 			func->srf_bf_idx =
12029 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12030 		} else {
12031 			struct nlattr *attr, *mac_attr =
12032 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12033 			int n_entries, rem, i = 0;
12034 
12035 			if (!mac_attr) {
12036 				err = -EINVAL;
12037 				goto out;
12038 			}
12039 
12040 			n_entries = validate_acl_mac_addrs(mac_attr);
12041 			if (n_entries <= 0) {
12042 				err = -EINVAL;
12043 				goto out;
12044 			}
12045 
12046 			func->srf_num_macs = n_entries;
12047 			func->srf_macs =
12048 				kcalloc(n_entries, sizeof(*func->srf_macs),
12049 					GFP_KERNEL);
12050 			if (!func->srf_macs) {
12051 				err = -ENOMEM;
12052 				goto out;
12053 			}
12054 
12055 			nla_for_each_nested(attr, mac_attr, rem)
12056 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12057 				       sizeof(*func->srf_macs));
12058 		}
12059 	}
12060 
12061 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12062 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12063 					func, true);
12064 		if (err)
12065 			goto out;
12066 	}
12067 
12068 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12069 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12070 					func, false);
12071 		if (err)
12072 			goto out;
12073 	}
12074 
12075 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12076 	if (!msg) {
12077 		err = -ENOMEM;
12078 		goto out;
12079 	}
12080 
12081 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12082 			     NL80211_CMD_ADD_NAN_FUNCTION);
12083 	/* This can't really happen - we just allocated 4KB */
12084 	if (WARN_ON(!hdr)) {
12085 		err = -ENOMEM;
12086 		goto out;
12087 	}
12088 
12089 	err = rdev_add_nan_func(rdev, wdev, func);
12090 out:
12091 	if (err < 0) {
12092 		cfg80211_free_nan_func(func);
12093 		nlmsg_free(msg);
12094 		return err;
12095 	}
12096 
12097 	/* propagate the instance id and cookie to userspace  */
12098 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12099 			      NL80211_ATTR_PAD))
12100 		goto nla_put_failure;
12101 
12102 	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
12103 	if (!func_attr)
12104 		goto nla_put_failure;
12105 
12106 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12107 		       func->instance_id))
12108 		goto nla_put_failure;
12109 
12110 	nla_nest_end(msg, func_attr);
12111 
12112 	genlmsg_end(msg, hdr);
12113 	return genlmsg_reply(msg, info);
12114 
12115 nla_put_failure:
12116 	nlmsg_free(msg);
12117 	return -ENOBUFS;
12118 }
12119 
12120 static int nl80211_nan_del_func(struct sk_buff *skb,
12121 			       struct genl_info *info)
12122 {
12123 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12124 	struct wireless_dev *wdev = info->user_ptr[1];
12125 	u64 cookie;
12126 
12127 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12128 		return -EOPNOTSUPP;
12129 
12130 	if (!wdev_running(wdev))
12131 		return -ENOTCONN;
12132 
12133 	if (!info->attrs[NL80211_ATTR_COOKIE])
12134 		return -EINVAL;
12135 
12136 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12137 
12138 	rdev_del_nan_func(rdev, wdev, cookie);
12139 
12140 	return 0;
12141 }
12142 
12143 static int nl80211_nan_change_config(struct sk_buff *skb,
12144 				     struct genl_info *info)
12145 {
12146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12147 	struct wireless_dev *wdev = info->user_ptr[1];
12148 	struct cfg80211_nan_conf conf = {};
12149 	u32 changed = 0;
12150 
12151 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12152 		return -EOPNOTSUPP;
12153 
12154 	if (!wdev_running(wdev))
12155 		return -ENOTCONN;
12156 
12157 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12158 		conf.master_pref =
12159 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12160 		if (conf.master_pref <= 1 || conf.master_pref == 255)
12161 			return -EINVAL;
12162 
12163 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12164 	}
12165 
12166 	if (info->attrs[NL80211_ATTR_BANDS]) {
12167 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12168 
12169 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12170 			return -EOPNOTSUPP;
12171 
12172 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12173 			return -EINVAL;
12174 
12175 		conf.bands = bands;
12176 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12177 	}
12178 
12179 	if (!changed)
12180 		return -EINVAL;
12181 
12182 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12183 }
12184 
12185 void cfg80211_nan_match(struct wireless_dev *wdev,
12186 			struct cfg80211_nan_match_params *match, gfp_t gfp)
12187 {
12188 	struct wiphy *wiphy = wdev->wiphy;
12189 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12190 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12191 	struct sk_buff *msg;
12192 	void *hdr;
12193 
12194 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12195 		return;
12196 
12197 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12198 	if (!msg)
12199 		return;
12200 
12201 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12202 	if (!hdr) {
12203 		nlmsg_free(msg);
12204 		return;
12205 	}
12206 
12207 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12208 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12209 					 wdev->netdev->ifindex)) ||
12210 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12211 			      NL80211_ATTR_PAD))
12212 		goto nla_put_failure;
12213 
12214 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12215 			      NL80211_ATTR_PAD) ||
12216 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12217 		goto nla_put_failure;
12218 
12219 	match_attr = nla_nest_start(msg, NL80211_ATTR_NAN_MATCH);
12220 	if (!match_attr)
12221 		goto nla_put_failure;
12222 
12223 	local_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_LOCAL);
12224 	if (!local_func_attr)
12225 		goto nla_put_failure;
12226 
12227 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12228 		goto nla_put_failure;
12229 
12230 	nla_nest_end(msg, local_func_attr);
12231 
12232 	peer_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_PEER);
12233 	if (!peer_func_attr)
12234 		goto nla_put_failure;
12235 
12236 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12237 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12238 		goto nla_put_failure;
12239 
12240 	if (match->info && match->info_len &&
12241 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12242 		    match->info))
12243 		goto nla_put_failure;
12244 
12245 	nla_nest_end(msg, peer_func_attr);
12246 	nla_nest_end(msg, match_attr);
12247 	genlmsg_end(msg, hdr);
12248 
12249 	if (!wdev->owner_nlportid)
12250 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12251 					msg, 0, NL80211_MCGRP_NAN, gfp);
12252 	else
12253 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12254 				wdev->owner_nlportid);
12255 
12256 	return;
12257 
12258 nla_put_failure:
12259 	nlmsg_free(msg);
12260 }
12261 EXPORT_SYMBOL(cfg80211_nan_match);
12262 
12263 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12264 				  u8 inst_id,
12265 				  enum nl80211_nan_func_term_reason reason,
12266 				  u64 cookie, gfp_t gfp)
12267 {
12268 	struct wiphy *wiphy = wdev->wiphy;
12269 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12270 	struct sk_buff *msg;
12271 	struct nlattr *func_attr;
12272 	void *hdr;
12273 
12274 	if (WARN_ON(!inst_id))
12275 		return;
12276 
12277 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12278 	if (!msg)
12279 		return;
12280 
12281 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12282 	if (!hdr) {
12283 		nlmsg_free(msg);
12284 		return;
12285 	}
12286 
12287 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12288 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12289 					 wdev->netdev->ifindex)) ||
12290 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12291 			      NL80211_ATTR_PAD))
12292 		goto nla_put_failure;
12293 
12294 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12295 			      NL80211_ATTR_PAD))
12296 		goto nla_put_failure;
12297 
12298 	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
12299 	if (!func_attr)
12300 		goto nla_put_failure;
12301 
12302 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12303 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12304 		goto nla_put_failure;
12305 
12306 	nla_nest_end(msg, func_attr);
12307 	genlmsg_end(msg, hdr);
12308 
12309 	if (!wdev->owner_nlportid)
12310 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12311 					msg, 0, NL80211_MCGRP_NAN, gfp);
12312 	else
12313 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12314 				wdev->owner_nlportid);
12315 
12316 	return;
12317 
12318 nla_put_failure:
12319 	nlmsg_free(msg);
12320 }
12321 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12322 
12323 static int nl80211_get_protocol_features(struct sk_buff *skb,
12324 					 struct genl_info *info)
12325 {
12326 	void *hdr;
12327 	struct sk_buff *msg;
12328 
12329 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12330 	if (!msg)
12331 		return -ENOMEM;
12332 
12333 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12334 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
12335 	if (!hdr)
12336 		goto nla_put_failure;
12337 
12338 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
12339 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
12340 		goto nla_put_failure;
12341 
12342 	genlmsg_end(msg, hdr);
12343 	return genlmsg_reply(msg, info);
12344 
12345  nla_put_failure:
12346 	kfree_skb(msg);
12347 	return -ENOBUFS;
12348 }
12349 
12350 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
12351 {
12352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12353 	struct cfg80211_update_ft_ies_params ft_params;
12354 	struct net_device *dev = info->user_ptr[1];
12355 
12356 	if (!rdev->ops->update_ft_ies)
12357 		return -EOPNOTSUPP;
12358 
12359 	if (!info->attrs[NL80211_ATTR_MDID] ||
12360 	    !info->attrs[NL80211_ATTR_IE])
12361 		return -EINVAL;
12362 
12363 	memset(&ft_params, 0, sizeof(ft_params));
12364 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
12365 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12366 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12367 
12368 	return rdev_update_ft_ies(rdev, dev, &ft_params);
12369 }
12370 
12371 static int nl80211_crit_protocol_start(struct sk_buff *skb,
12372 				       struct genl_info *info)
12373 {
12374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12375 	struct wireless_dev *wdev = info->user_ptr[1];
12376 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
12377 	u16 duration;
12378 	int ret;
12379 
12380 	if (!rdev->ops->crit_proto_start)
12381 		return -EOPNOTSUPP;
12382 
12383 	if (WARN_ON(!rdev->ops->crit_proto_stop))
12384 		return -EINVAL;
12385 
12386 	if (rdev->crit_proto_nlportid)
12387 		return -EBUSY;
12388 
12389 	/* determine protocol if provided */
12390 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
12391 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
12392 
12393 	if (proto >= NUM_NL80211_CRIT_PROTO)
12394 		return -EINVAL;
12395 
12396 	/* timeout must be provided */
12397 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
12398 		return -EINVAL;
12399 
12400 	duration =
12401 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
12402 
12403 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
12404 		return -ERANGE;
12405 
12406 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
12407 	if (!ret)
12408 		rdev->crit_proto_nlportid = info->snd_portid;
12409 
12410 	return ret;
12411 }
12412 
12413 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
12414 				      struct genl_info *info)
12415 {
12416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12417 	struct wireless_dev *wdev = info->user_ptr[1];
12418 
12419 	if (!rdev->ops->crit_proto_stop)
12420 		return -EOPNOTSUPP;
12421 
12422 	if (rdev->crit_proto_nlportid) {
12423 		rdev->crit_proto_nlportid = 0;
12424 		rdev_crit_proto_stop(rdev, wdev);
12425 	}
12426 	return 0;
12427 }
12428 
12429 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
12430 {
12431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12432 	struct wireless_dev *wdev =
12433 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
12434 	int i, err;
12435 	u32 vid, subcmd;
12436 
12437 	if (!rdev->wiphy.vendor_commands)
12438 		return -EOPNOTSUPP;
12439 
12440 	if (IS_ERR(wdev)) {
12441 		err = PTR_ERR(wdev);
12442 		if (err != -EINVAL)
12443 			return err;
12444 		wdev = NULL;
12445 	} else if (wdev->wiphy != &rdev->wiphy) {
12446 		return -EINVAL;
12447 	}
12448 
12449 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
12450 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
12451 		return -EINVAL;
12452 
12453 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
12454 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
12455 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
12456 		const struct wiphy_vendor_command *vcmd;
12457 		void *data = NULL;
12458 		int len = 0;
12459 
12460 		vcmd = &rdev->wiphy.vendor_commands[i];
12461 
12462 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12463 			continue;
12464 
12465 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12466 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12467 			if (!wdev)
12468 				return -EINVAL;
12469 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12470 			    !wdev->netdev)
12471 				return -EINVAL;
12472 
12473 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12474 				if (!wdev_running(wdev))
12475 					return -ENETDOWN;
12476 			}
12477 
12478 			if (!vcmd->doit)
12479 				return -EOPNOTSUPP;
12480 		} else {
12481 			wdev = NULL;
12482 		}
12483 
12484 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
12485 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12486 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12487 		}
12488 
12489 		rdev->cur_cmd_info = info;
12490 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
12491 							  data, len);
12492 		rdev->cur_cmd_info = NULL;
12493 		return err;
12494 	}
12495 
12496 	return -EOPNOTSUPP;
12497 }
12498 
12499 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
12500 				       struct netlink_callback *cb,
12501 				       struct cfg80211_registered_device **rdev,
12502 				       struct wireless_dev **wdev)
12503 {
12504 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
12505 	u32 vid, subcmd;
12506 	unsigned int i;
12507 	int vcmd_idx = -1;
12508 	int err;
12509 	void *data = NULL;
12510 	unsigned int data_len = 0;
12511 
12512 	if (cb->args[0]) {
12513 		/* subtract the 1 again here */
12514 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
12515 		struct wireless_dev *tmp;
12516 
12517 		if (!wiphy)
12518 			return -ENODEV;
12519 		*rdev = wiphy_to_rdev(wiphy);
12520 		*wdev = NULL;
12521 
12522 		if (cb->args[1]) {
12523 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
12524 				if (tmp->identifier == cb->args[1] - 1) {
12525 					*wdev = tmp;
12526 					break;
12527 				}
12528 			}
12529 		}
12530 
12531 		/* keep rtnl locked in successful case */
12532 		return 0;
12533 	}
12534 
12535 	err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, attrbuf,
12536 			  nl80211_fam.maxattr, nl80211_policy, NULL);
12537 	if (err)
12538 		return err;
12539 
12540 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
12541 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
12542 		return -EINVAL;
12543 
12544 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
12545 	if (IS_ERR(*wdev))
12546 		*wdev = NULL;
12547 
12548 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12549 	if (IS_ERR(*rdev))
12550 		return PTR_ERR(*rdev);
12551 
12552 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
12553 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
12554 
12555 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
12556 		const struct wiphy_vendor_command *vcmd;
12557 
12558 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
12559 
12560 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12561 			continue;
12562 
12563 		if (!vcmd->dumpit)
12564 			return -EOPNOTSUPP;
12565 
12566 		vcmd_idx = i;
12567 		break;
12568 	}
12569 
12570 	if (vcmd_idx < 0)
12571 		return -EOPNOTSUPP;
12572 
12573 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
12574 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12575 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12576 	}
12577 
12578 	/* 0 is the first index - add 1 to parse only once */
12579 	cb->args[0] = (*rdev)->wiphy_idx + 1;
12580 	/* add 1 to know if it was NULL */
12581 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
12582 	cb->args[2] = vcmd_idx;
12583 	cb->args[3] = (unsigned long)data;
12584 	cb->args[4] = data_len;
12585 
12586 	/* keep rtnl locked in successful case */
12587 	return 0;
12588 }
12589 
12590 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
12591 				   struct netlink_callback *cb)
12592 {
12593 	struct cfg80211_registered_device *rdev;
12594 	struct wireless_dev *wdev;
12595 	unsigned int vcmd_idx;
12596 	const struct wiphy_vendor_command *vcmd;
12597 	void *data;
12598 	int data_len;
12599 	int err;
12600 	struct nlattr *vendor_data;
12601 
12602 	rtnl_lock();
12603 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
12604 	if (err)
12605 		goto out;
12606 
12607 	vcmd_idx = cb->args[2];
12608 	data = (void *)cb->args[3];
12609 	data_len = cb->args[4];
12610 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
12611 
12612 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12613 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12614 		if (!wdev) {
12615 			err = -EINVAL;
12616 			goto out;
12617 		}
12618 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12619 		    !wdev->netdev) {
12620 			err = -EINVAL;
12621 			goto out;
12622 		}
12623 
12624 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12625 			if (!wdev_running(wdev)) {
12626 				err = -ENETDOWN;
12627 				goto out;
12628 			}
12629 		}
12630 	}
12631 
12632 	while (1) {
12633 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
12634 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
12635 					   NL80211_CMD_VENDOR);
12636 		if (!hdr)
12637 			break;
12638 
12639 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12640 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12641 					       wdev_id(wdev),
12642 					       NL80211_ATTR_PAD))) {
12643 			genlmsg_cancel(skb, hdr);
12644 			break;
12645 		}
12646 
12647 		vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
12648 		if (!vendor_data) {
12649 			genlmsg_cancel(skb, hdr);
12650 			break;
12651 		}
12652 
12653 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
12654 				   (unsigned long *)&cb->args[5]);
12655 		nla_nest_end(skb, vendor_data);
12656 
12657 		if (err == -ENOBUFS || err == -ENOENT) {
12658 			genlmsg_cancel(skb, hdr);
12659 			break;
12660 		} else if (err) {
12661 			genlmsg_cancel(skb, hdr);
12662 			goto out;
12663 		}
12664 
12665 		genlmsg_end(skb, hdr);
12666 	}
12667 
12668 	err = skb->len;
12669  out:
12670 	rtnl_unlock();
12671 	return err;
12672 }
12673 
12674 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
12675 					   enum nl80211_commands cmd,
12676 					   enum nl80211_attrs attr,
12677 					   int approxlen)
12678 {
12679 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12680 
12681 	if (WARN_ON(!rdev->cur_cmd_info))
12682 		return NULL;
12683 
12684 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
12685 					   rdev->cur_cmd_info->snd_portid,
12686 					   rdev->cur_cmd_info->snd_seq,
12687 					   cmd, attr, NULL, GFP_KERNEL);
12688 }
12689 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
12690 
12691 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
12692 {
12693 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12694 	void *hdr = ((void **)skb->cb)[1];
12695 	struct nlattr *data = ((void **)skb->cb)[2];
12696 
12697 	/* clear CB data for netlink core to own from now on */
12698 	memset(skb->cb, 0, sizeof(skb->cb));
12699 
12700 	if (WARN_ON(!rdev->cur_cmd_info)) {
12701 		kfree_skb(skb);
12702 		return -EINVAL;
12703 	}
12704 
12705 	nla_nest_end(skb, data);
12706 	genlmsg_end(skb, hdr);
12707 	return genlmsg_reply(skb, rdev->cur_cmd_info);
12708 }
12709 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
12710 
12711 static int nl80211_set_qos_map(struct sk_buff *skb,
12712 			       struct genl_info *info)
12713 {
12714 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12715 	struct cfg80211_qos_map *qos_map = NULL;
12716 	struct net_device *dev = info->user_ptr[1];
12717 	u8 *pos, len, num_des, des_len, des;
12718 	int ret;
12719 
12720 	if (!rdev->ops->set_qos_map)
12721 		return -EOPNOTSUPP;
12722 
12723 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
12724 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
12725 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
12726 
12727 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
12728 		    len > IEEE80211_QOS_MAP_LEN_MAX)
12729 			return -EINVAL;
12730 
12731 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
12732 		if (!qos_map)
12733 			return -ENOMEM;
12734 
12735 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
12736 		if (num_des) {
12737 			des_len = num_des *
12738 				sizeof(struct cfg80211_dscp_exception);
12739 			memcpy(qos_map->dscp_exception, pos, des_len);
12740 			qos_map->num_des = num_des;
12741 			for (des = 0; des < num_des; des++) {
12742 				if (qos_map->dscp_exception[des].up > 7) {
12743 					kfree(qos_map);
12744 					return -EINVAL;
12745 				}
12746 			}
12747 			pos += des_len;
12748 		}
12749 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
12750 	}
12751 
12752 	wdev_lock(dev->ieee80211_ptr);
12753 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
12754 	if (!ret)
12755 		ret = rdev_set_qos_map(rdev, dev, qos_map);
12756 	wdev_unlock(dev->ieee80211_ptr);
12757 
12758 	kfree(qos_map);
12759 	return ret;
12760 }
12761 
12762 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
12763 {
12764 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12765 	struct net_device *dev = info->user_ptr[1];
12766 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12767 	const u8 *peer;
12768 	u8 tsid, up;
12769 	u16 admitted_time = 0;
12770 	int err;
12771 
12772 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
12773 		return -EOPNOTSUPP;
12774 
12775 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
12776 	    !info->attrs[NL80211_ATTR_USER_PRIO])
12777 		return -EINVAL;
12778 
12779 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12780 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
12781 
12782 	/* WMM uses TIDs 0-7 even for TSPEC */
12783 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
12784 		/* TODO: handle 802.11 TSPEC/admission control
12785 		 * need more attributes for that (e.g. BA session requirement);
12786 		 * change the WMM adminssion test above to allow both then
12787 		 */
12788 		return -EINVAL;
12789 	}
12790 
12791 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12792 
12793 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
12794 		admitted_time =
12795 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
12796 		if (!admitted_time)
12797 			return -EINVAL;
12798 	}
12799 
12800 	wdev_lock(wdev);
12801 	switch (wdev->iftype) {
12802 	case NL80211_IFTYPE_STATION:
12803 	case NL80211_IFTYPE_P2P_CLIENT:
12804 		if (wdev->current_bss)
12805 			break;
12806 		err = -ENOTCONN;
12807 		goto out;
12808 	default:
12809 		err = -EOPNOTSUPP;
12810 		goto out;
12811 	}
12812 
12813 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
12814 
12815  out:
12816 	wdev_unlock(wdev);
12817 	return err;
12818 }
12819 
12820 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
12821 {
12822 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12823 	struct net_device *dev = info->user_ptr[1];
12824 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12825 	const u8 *peer;
12826 	u8 tsid;
12827 	int err;
12828 
12829 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
12830 		return -EINVAL;
12831 
12832 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12833 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12834 
12835 	wdev_lock(wdev);
12836 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
12837 	wdev_unlock(wdev);
12838 
12839 	return err;
12840 }
12841 
12842 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
12843 				       struct genl_info *info)
12844 {
12845 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12846 	struct net_device *dev = info->user_ptr[1];
12847 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12848 	struct cfg80211_chan_def chandef = {};
12849 	const u8 *addr;
12850 	u8 oper_class;
12851 	int err;
12852 
12853 	if (!rdev->ops->tdls_channel_switch ||
12854 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
12855 		return -EOPNOTSUPP;
12856 
12857 	switch (dev->ieee80211_ptr->iftype) {
12858 	case NL80211_IFTYPE_STATION:
12859 	case NL80211_IFTYPE_P2P_CLIENT:
12860 		break;
12861 	default:
12862 		return -EOPNOTSUPP;
12863 	}
12864 
12865 	if (!info->attrs[NL80211_ATTR_MAC] ||
12866 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
12867 		return -EINVAL;
12868 
12869 	err = nl80211_parse_chandef(rdev, info, &chandef);
12870 	if (err)
12871 		return err;
12872 
12873 	/*
12874 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
12875 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
12876 	 * specification is not defined for them.
12877 	 */
12878 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
12879 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
12880 	    chandef.width != NL80211_CHAN_WIDTH_20)
12881 		return -EINVAL;
12882 
12883 	/* we will be active on the TDLS link */
12884 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
12885 					   wdev->iftype))
12886 		return -EINVAL;
12887 
12888 	/* don't allow switching to DFS channels */
12889 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
12890 		return -EINVAL;
12891 
12892 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12893 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
12894 
12895 	wdev_lock(wdev);
12896 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
12897 	wdev_unlock(wdev);
12898 
12899 	return err;
12900 }
12901 
12902 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
12903 					      struct genl_info *info)
12904 {
12905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12906 	struct net_device *dev = info->user_ptr[1];
12907 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12908 	const u8 *addr;
12909 
12910 	if (!rdev->ops->tdls_channel_switch ||
12911 	    !rdev->ops->tdls_cancel_channel_switch ||
12912 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
12913 		return -EOPNOTSUPP;
12914 
12915 	switch (dev->ieee80211_ptr->iftype) {
12916 	case NL80211_IFTYPE_STATION:
12917 	case NL80211_IFTYPE_P2P_CLIENT:
12918 		break;
12919 	default:
12920 		return -EOPNOTSUPP;
12921 	}
12922 
12923 	if (!info->attrs[NL80211_ATTR_MAC])
12924 		return -EINVAL;
12925 
12926 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12927 
12928 	wdev_lock(wdev);
12929 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
12930 	wdev_unlock(wdev);
12931 
12932 	return 0;
12933 }
12934 
12935 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
12936 					    struct genl_info *info)
12937 {
12938 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12939 	struct net_device *dev = info->user_ptr[1];
12940 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12941 	const struct nlattr *nla;
12942 	bool enabled;
12943 
12944 	if (!rdev->ops->set_multicast_to_unicast)
12945 		return -EOPNOTSUPP;
12946 
12947 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12948 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12949 		return -EOPNOTSUPP;
12950 
12951 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
12952 	enabled = nla_get_flag(nla);
12953 
12954 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
12955 }
12956 
12957 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
12958 {
12959 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12960 	struct net_device *dev = info->user_ptr[1];
12961 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12962 	struct cfg80211_pmk_conf pmk_conf = {};
12963 	int ret;
12964 
12965 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12966 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12967 		return -EOPNOTSUPP;
12968 
12969 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12970 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12971 		return -EOPNOTSUPP;
12972 
12973 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
12974 		return -EINVAL;
12975 
12976 	wdev_lock(wdev);
12977 	if (!wdev->current_bss) {
12978 		ret = -ENOTCONN;
12979 		goto out;
12980 	}
12981 
12982 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
12983 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
12984 		ret = -EINVAL;
12985 		goto out;
12986 	}
12987 
12988 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12989 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12990 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
12991 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
12992 		ret = -EINVAL;
12993 		goto out;
12994 	}
12995 
12996 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
12997 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
12998 
12999 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
13000 			ret = -EINVAL;
13001 			goto out;
13002 		}
13003 
13004 		pmk_conf.pmk_r0_name =
13005 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13006 	}
13007 
13008 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13009 out:
13010 	wdev_unlock(wdev);
13011 	return ret;
13012 }
13013 
13014 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13015 {
13016 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13017 	struct net_device *dev = info->user_ptr[1];
13018 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13019 	const u8 *aa;
13020 	int ret;
13021 
13022 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13023 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13024 		return -EOPNOTSUPP;
13025 
13026 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13027 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13028 		return -EOPNOTSUPP;
13029 
13030 	if (!info->attrs[NL80211_ATTR_MAC])
13031 		return -EINVAL;
13032 
13033 	wdev_lock(wdev);
13034 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13035 	ret = rdev_del_pmk(rdev, dev, aa);
13036 	wdev_unlock(wdev);
13037 
13038 	return ret;
13039 }
13040 
13041 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13042 {
13043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13044 	struct net_device *dev = info->user_ptr[1];
13045 	struct cfg80211_external_auth_params params;
13046 
13047 	if (!rdev->ops->external_auth)
13048 		return -EOPNOTSUPP;
13049 
13050 	if (!info->attrs[NL80211_ATTR_SSID])
13051 		return -EINVAL;
13052 
13053 	if (!info->attrs[NL80211_ATTR_BSSID])
13054 		return -EINVAL;
13055 
13056 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13057 		return -EINVAL;
13058 
13059 	memset(&params, 0, sizeof(params));
13060 
13061 	params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13062 	if (params.ssid.ssid_len == 0 ||
13063 	    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13064 		return -EINVAL;
13065 	memcpy(params.ssid.ssid, nla_data(info->attrs[NL80211_ATTR_SSID]),
13066 	       params.ssid.ssid_len);
13067 
13068 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13069 	       ETH_ALEN);
13070 
13071 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13072 
13073 	return rdev_external_auth(rdev, dev, &params);
13074 }
13075 
13076 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13077 {
13078 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13079 	struct net_device *dev = info->user_ptr[1];
13080 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13081 	const u8 *buf;
13082 	size_t len;
13083 	u8 *dest;
13084 	u16 proto;
13085 	bool noencrypt;
13086 	int err;
13087 
13088 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13089 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13090 		return -EOPNOTSUPP;
13091 
13092 	if (!rdev->ops->tx_control_port)
13093 		return -EOPNOTSUPP;
13094 
13095 	if (!info->attrs[NL80211_ATTR_FRAME] ||
13096 	    !info->attrs[NL80211_ATTR_MAC] ||
13097 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13098 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13099 		return -EINVAL;
13100 	}
13101 
13102 	wdev_lock(wdev);
13103 
13104 	switch (wdev->iftype) {
13105 	case NL80211_IFTYPE_AP:
13106 	case NL80211_IFTYPE_P2P_GO:
13107 	case NL80211_IFTYPE_MESH_POINT:
13108 		break;
13109 	case NL80211_IFTYPE_ADHOC:
13110 	case NL80211_IFTYPE_STATION:
13111 	case NL80211_IFTYPE_P2P_CLIENT:
13112 		if (wdev->current_bss)
13113 			break;
13114 		err = -ENOTCONN;
13115 		goto out;
13116 	default:
13117 		err = -EOPNOTSUPP;
13118 		goto out;
13119 	}
13120 
13121 	wdev_unlock(wdev);
13122 
13123 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13124 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13125 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13126 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13127 	noencrypt =
13128 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13129 
13130 	return rdev_tx_control_port(rdev, dev, buf, len,
13131 				    dest, cpu_to_be16(proto), noencrypt);
13132 
13133  out:
13134 	wdev_unlock(wdev);
13135 	return err;
13136 }
13137 
13138 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
13139 					   struct genl_info *info)
13140 {
13141 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13142 	struct net_device *dev = info->user_ptr[1];
13143 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13144 	struct cfg80211_ftm_responder_stats ftm_stats = {};
13145 	struct sk_buff *msg;
13146 	void *hdr;
13147 	struct nlattr *ftm_stats_attr;
13148 	int err;
13149 
13150 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
13151 		return -EOPNOTSUPP;
13152 
13153 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
13154 	if (err)
13155 		return err;
13156 
13157 	if (!ftm_stats.filled)
13158 		return -ENODATA;
13159 
13160 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13161 	if (!msg)
13162 		return -ENOMEM;
13163 
13164 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13165 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
13166 	if (!hdr)
13167 		return -ENOBUFS;
13168 
13169 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13170 		goto nla_put_failure;
13171 
13172 	ftm_stats_attr = nla_nest_start(msg, NL80211_ATTR_FTM_RESPONDER_STATS);
13173 	if (!ftm_stats_attr)
13174 		goto nla_put_failure;
13175 
13176 #define SET_FTM(field, name, type)					 \
13177 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13178 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
13179 			     ftm_stats.field))				 \
13180 		goto nla_put_failure; } while (0)
13181 #define SET_FTM_U64(field, name)					 \
13182 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13183 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
13184 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
13185 		goto nla_put_failure; } while (0)
13186 
13187 	SET_FTM(success_num, SUCCESS_NUM, u32);
13188 	SET_FTM(partial_num, PARTIAL_NUM, u32);
13189 	SET_FTM(failed_num, FAILED_NUM, u32);
13190 	SET_FTM(asap_num, ASAP_NUM, u32);
13191 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
13192 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
13193 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
13194 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
13195 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
13196 #undef SET_FTM
13197 
13198 	nla_nest_end(msg, ftm_stats_attr);
13199 
13200 	genlmsg_end(msg, hdr);
13201 	return genlmsg_reply(msg, info);
13202 
13203 nla_put_failure:
13204 	nlmsg_free(msg);
13205 	return -ENOBUFS;
13206 }
13207 
13208 #define NL80211_FLAG_NEED_WIPHY		0x01
13209 #define NL80211_FLAG_NEED_NETDEV	0x02
13210 #define NL80211_FLAG_NEED_RTNL		0x04
13211 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
13212 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
13213 					 NL80211_FLAG_CHECK_NETDEV_UP)
13214 #define NL80211_FLAG_NEED_WDEV		0x10
13215 /* If a netdev is associated, it must be UP, P2P must be started */
13216 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
13217 					 NL80211_FLAG_CHECK_NETDEV_UP)
13218 #define NL80211_FLAG_CLEAR_SKB		0x20
13219 
13220 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
13221 			    struct genl_info *info)
13222 {
13223 	struct cfg80211_registered_device *rdev;
13224 	struct wireless_dev *wdev;
13225 	struct net_device *dev;
13226 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
13227 
13228 	if (rtnl)
13229 		rtnl_lock();
13230 
13231 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
13232 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
13233 		if (IS_ERR(rdev)) {
13234 			if (rtnl)
13235 				rtnl_unlock();
13236 			return PTR_ERR(rdev);
13237 		}
13238 		info->user_ptr[0] = rdev;
13239 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
13240 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13241 		ASSERT_RTNL();
13242 
13243 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
13244 						  info->attrs);
13245 		if (IS_ERR(wdev)) {
13246 			if (rtnl)
13247 				rtnl_unlock();
13248 			return PTR_ERR(wdev);
13249 		}
13250 
13251 		dev = wdev->netdev;
13252 		rdev = wiphy_to_rdev(wdev->wiphy);
13253 
13254 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
13255 			if (!dev) {
13256 				if (rtnl)
13257 					rtnl_unlock();
13258 				return -EINVAL;
13259 			}
13260 
13261 			info->user_ptr[1] = dev;
13262 		} else {
13263 			info->user_ptr[1] = wdev;
13264 		}
13265 
13266 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
13267 		    !wdev_running(wdev)) {
13268 			if (rtnl)
13269 				rtnl_unlock();
13270 			return -ENETDOWN;
13271 		}
13272 
13273 		if (dev)
13274 			dev_hold(dev);
13275 
13276 		info->user_ptr[0] = rdev;
13277 	}
13278 
13279 	return 0;
13280 }
13281 
13282 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
13283 			      struct genl_info *info)
13284 {
13285 	if (info->user_ptr[1]) {
13286 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13287 			struct wireless_dev *wdev = info->user_ptr[1];
13288 
13289 			if (wdev->netdev)
13290 				dev_put(wdev->netdev);
13291 		} else {
13292 			dev_put(info->user_ptr[1]);
13293 		}
13294 	}
13295 
13296 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
13297 		rtnl_unlock();
13298 
13299 	/* If needed, clear the netlink message payload from the SKB
13300 	 * as it might contain key data that shouldn't stick around on
13301 	 * the heap after the SKB is freed. The netlink message header
13302 	 * is still needed for further processing, so leave it intact.
13303 	 */
13304 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
13305 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
13306 
13307 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
13308 	}
13309 }
13310 
13311 static const struct genl_ops nl80211_ops[] = {
13312 	{
13313 		.cmd = NL80211_CMD_GET_WIPHY,
13314 		.doit = nl80211_get_wiphy,
13315 		.dumpit = nl80211_dump_wiphy,
13316 		.done = nl80211_dump_wiphy_done,
13317 		.policy = nl80211_policy,
13318 		/* can be retrieved by unprivileged users */
13319 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13320 				  NL80211_FLAG_NEED_RTNL,
13321 	},
13322 	{
13323 		.cmd = NL80211_CMD_SET_WIPHY,
13324 		.doit = nl80211_set_wiphy,
13325 		.policy = nl80211_policy,
13326 		.flags = GENL_UNS_ADMIN_PERM,
13327 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13328 	},
13329 	{
13330 		.cmd = NL80211_CMD_GET_INTERFACE,
13331 		.doit = nl80211_get_interface,
13332 		.dumpit = nl80211_dump_interface,
13333 		.policy = nl80211_policy,
13334 		/* can be retrieved by unprivileged users */
13335 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13336 				  NL80211_FLAG_NEED_RTNL,
13337 	},
13338 	{
13339 		.cmd = NL80211_CMD_SET_INTERFACE,
13340 		.doit = nl80211_set_interface,
13341 		.policy = nl80211_policy,
13342 		.flags = GENL_UNS_ADMIN_PERM,
13343 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13344 				  NL80211_FLAG_NEED_RTNL,
13345 	},
13346 	{
13347 		.cmd = NL80211_CMD_NEW_INTERFACE,
13348 		.doit = nl80211_new_interface,
13349 		.policy = nl80211_policy,
13350 		.flags = GENL_UNS_ADMIN_PERM,
13351 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13352 				  NL80211_FLAG_NEED_RTNL,
13353 	},
13354 	{
13355 		.cmd = NL80211_CMD_DEL_INTERFACE,
13356 		.doit = nl80211_del_interface,
13357 		.policy = nl80211_policy,
13358 		.flags = GENL_UNS_ADMIN_PERM,
13359 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13360 				  NL80211_FLAG_NEED_RTNL,
13361 	},
13362 	{
13363 		.cmd = NL80211_CMD_GET_KEY,
13364 		.doit = nl80211_get_key,
13365 		.policy = nl80211_policy,
13366 		.flags = GENL_UNS_ADMIN_PERM,
13367 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13368 				  NL80211_FLAG_NEED_RTNL,
13369 	},
13370 	{
13371 		.cmd = NL80211_CMD_SET_KEY,
13372 		.doit = nl80211_set_key,
13373 		.policy = nl80211_policy,
13374 		.flags = GENL_UNS_ADMIN_PERM,
13375 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13376 				  NL80211_FLAG_NEED_RTNL |
13377 				  NL80211_FLAG_CLEAR_SKB,
13378 	},
13379 	{
13380 		.cmd = NL80211_CMD_NEW_KEY,
13381 		.doit = nl80211_new_key,
13382 		.policy = nl80211_policy,
13383 		.flags = GENL_UNS_ADMIN_PERM,
13384 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13385 				  NL80211_FLAG_NEED_RTNL |
13386 				  NL80211_FLAG_CLEAR_SKB,
13387 	},
13388 	{
13389 		.cmd = NL80211_CMD_DEL_KEY,
13390 		.doit = nl80211_del_key,
13391 		.policy = nl80211_policy,
13392 		.flags = GENL_UNS_ADMIN_PERM,
13393 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13394 				  NL80211_FLAG_NEED_RTNL,
13395 	},
13396 	{
13397 		.cmd = NL80211_CMD_SET_BEACON,
13398 		.policy = nl80211_policy,
13399 		.flags = GENL_UNS_ADMIN_PERM,
13400 		.doit = nl80211_set_beacon,
13401 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13402 				  NL80211_FLAG_NEED_RTNL,
13403 	},
13404 	{
13405 		.cmd = NL80211_CMD_START_AP,
13406 		.policy = nl80211_policy,
13407 		.flags = GENL_UNS_ADMIN_PERM,
13408 		.doit = nl80211_start_ap,
13409 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13410 				  NL80211_FLAG_NEED_RTNL,
13411 	},
13412 	{
13413 		.cmd = NL80211_CMD_STOP_AP,
13414 		.policy = nl80211_policy,
13415 		.flags = GENL_UNS_ADMIN_PERM,
13416 		.doit = nl80211_stop_ap,
13417 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13418 				  NL80211_FLAG_NEED_RTNL,
13419 	},
13420 	{
13421 		.cmd = NL80211_CMD_GET_STATION,
13422 		.doit = nl80211_get_station,
13423 		.dumpit = nl80211_dump_station,
13424 		.policy = nl80211_policy,
13425 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13426 				  NL80211_FLAG_NEED_RTNL,
13427 	},
13428 	{
13429 		.cmd = NL80211_CMD_SET_STATION,
13430 		.doit = nl80211_set_station,
13431 		.policy = nl80211_policy,
13432 		.flags = GENL_UNS_ADMIN_PERM,
13433 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13434 				  NL80211_FLAG_NEED_RTNL,
13435 	},
13436 	{
13437 		.cmd = NL80211_CMD_NEW_STATION,
13438 		.doit = nl80211_new_station,
13439 		.policy = nl80211_policy,
13440 		.flags = GENL_UNS_ADMIN_PERM,
13441 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13442 				  NL80211_FLAG_NEED_RTNL,
13443 	},
13444 	{
13445 		.cmd = NL80211_CMD_DEL_STATION,
13446 		.doit = nl80211_del_station,
13447 		.policy = nl80211_policy,
13448 		.flags = GENL_UNS_ADMIN_PERM,
13449 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13450 				  NL80211_FLAG_NEED_RTNL,
13451 	},
13452 	{
13453 		.cmd = NL80211_CMD_GET_MPATH,
13454 		.doit = nl80211_get_mpath,
13455 		.dumpit = nl80211_dump_mpath,
13456 		.policy = nl80211_policy,
13457 		.flags = GENL_UNS_ADMIN_PERM,
13458 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13459 				  NL80211_FLAG_NEED_RTNL,
13460 	},
13461 	{
13462 		.cmd = NL80211_CMD_GET_MPP,
13463 		.doit = nl80211_get_mpp,
13464 		.dumpit = nl80211_dump_mpp,
13465 		.policy = nl80211_policy,
13466 		.flags = GENL_UNS_ADMIN_PERM,
13467 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13468 				  NL80211_FLAG_NEED_RTNL,
13469 	},
13470 	{
13471 		.cmd = NL80211_CMD_SET_MPATH,
13472 		.doit = nl80211_set_mpath,
13473 		.policy = nl80211_policy,
13474 		.flags = GENL_UNS_ADMIN_PERM,
13475 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13476 				  NL80211_FLAG_NEED_RTNL,
13477 	},
13478 	{
13479 		.cmd = NL80211_CMD_NEW_MPATH,
13480 		.doit = nl80211_new_mpath,
13481 		.policy = nl80211_policy,
13482 		.flags = GENL_UNS_ADMIN_PERM,
13483 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13484 				  NL80211_FLAG_NEED_RTNL,
13485 	},
13486 	{
13487 		.cmd = NL80211_CMD_DEL_MPATH,
13488 		.doit = nl80211_del_mpath,
13489 		.policy = nl80211_policy,
13490 		.flags = GENL_UNS_ADMIN_PERM,
13491 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13492 				  NL80211_FLAG_NEED_RTNL,
13493 	},
13494 	{
13495 		.cmd = NL80211_CMD_SET_BSS,
13496 		.doit = nl80211_set_bss,
13497 		.policy = nl80211_policy,
13498 		.flags = GENL_UNS_ADMIN_PERM,
13499 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13500 				  NL80211_FLAG_NEED_RTNL,
13501 	},
13502 	{
13503 		.cmd = NL80211_CMD_GET_REG,
13504 		.doit = nl80211_get_reg_do,
13505 		.dumpit = nl80211_get_reg_dump,
13506 		.policy = nl80211_policy,
13507 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13508 		/* can be retrieved by unprivileged users */
13509 	},
13510 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
13511 	{
13512 		.cmd = NL80211_CMD_SET_REG,
13513 		.doit = nl80211_set_reg,
13514 		.policy = nl80211_policy,
13515 		.flags = GENL_ADMIN_PERM,
13516 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13517 	},
13518 #endif
13519 	{
13520 		.cmd = NL80211_CMD_REQ_SET_REG,
13521 		.doit = nl80211_req_set_reg,
13522 		.policy = nl80211_policy,
13523 		.flags = GENL_ADMIN_PERM,
13524 	},
13525 	{
13526 		.cmd = NL80211_CMD_RELOAD_REGDB,
13527 		.doit = nl80211_reload_regdb,
13528 		.policy = nl80211_policy,
13529 		.flags = GENL_ADMIN_PERM,
13530 	},
13531 	{
13532 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
13533 		.doit = nl80211_get_mesh_config,
13534 		.policy = nl80211_policy,
13535 		/* can be retrieved by unprivileged users */
13536 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13537 				  NL80211_FLAG_NEED_RTNL,
13538 	},
13539 	{
13540 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
13541 		.doit = nl80211_update_mesh_config,
13542 		.policy = nl80211_policy,
13543 		.flags = GENL_UNS_ADMIN_PERM,
13544 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13545 				  NL80211_FLAG_NEED_RTNL,
13546 	},
13547 	{
13548 		.cmd = NL80211_CMD_TRIGGER_SCAN,
13549 		.doit = nl80211_trigger_scan,
13550 		.policy = nl80211_policy,
13551 		.flags = GENL_UNS_ADMIN_PERM,
13552 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13553 				  NL80211_FLAG_NEED_RTNL,
13554 	},
13555 	{
13556 		.cmd = NL80211_CMD_ABORT_SCAN,
13557 		.doit = nl80211_abort_scan,
13558 		.policy = nl80211_policy,
13559 		.flags = GENL_UNS_ADMIN_PERM,
13560 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13561 				  NL80211_FLAG_NEED_RTNL,
13562 	},
13563 	{
13564 		.cmd = NL80211_CMD_GET_SCAN,
13565 		.policy = nl80211_policy,
13566 		.dumpit = nl80211_dump_scan,
13567 	},
13568 	{
13569 		.cmd = NL80211_CMD_START_SCHED_SCAN,
13570 		.doit = nl80211_start_sched_scan,
13571 		.policy = nl80211_policy,
13572 		.flags = GENL_UNS_ADMIN_PERM,
13573 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13574 				  NL80211_FLAG_NEED_RTNL,
13575 	},
13576 	{
13577 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
13578 		.doit = nl80211_stop_sched_scan,
13579 		.policy = nl80211_policy,
13580 		.flags = GENL_UNS_ADMIN_PERM,
13581 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13582 				  NL80211_FLAG_NEED_RTNL,
13583 	},
13584 	{
13585 		.cmd = NL80211_CMD_AUTHENTICATE,
13586 		.doit = nl80211_authenticate,
13587 		.policy = nl80211_policy,
13588 		.flags = GENL_UNS_ADMIN_PERM,
13589 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13590 				  NL80211_FLAG_NEED_RTNL |
13591 				  NL80211_FLAG_CLEAR_SKB,
13592 	},
13593 	{
13594 		.cmd = NL80211_CMD_ASSOCIATE,
13595 		.doit = nl80211_associate,
13596 		.policy = nl80211_policy,
13597 		.flags = GENL_UNS_ADMIN_PERM,
13598 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13599 				  NL80211_FLAG_NEED_RTNL,
13600 	},
13601 	{
13602 		.cmd = NL80211_CMD_DEAUTHENTICATE,
13603 		.doit = nl80211_deauthenticate,
13604 		.policy = nl80211_policy,
13605 		.flags = GENL_UNS_ADMIN_PERM,
13606 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13607 				  NL80211_FLAG_NEED_RTNL,
13608 	},
13609 	{
13610 		.cmd = NL80211_CMD_DISASSOCIATE,
13611 		.doit = nl80211_disassociate,
13612 		.policy = nl80211_policy,
13613 		.flags = GENL_UNS_ADMIN_PERM,
13614 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13615 				  NL80211_FLAG_NEED_RTNL,
13616 	},
13617 	{
13618 		.cmd = NL80211_CMD_JOIN_IBSS,
13619 		.doit = nl80211_join_ibss,
13620 		.policy = nl80211_policy,
13621 		.flags = GENL_UNS_ADMIN_PERM,
13622 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13623 				  NL80211_FLAG_NEED_RTNL,
13624 	},
13625 	{
13626 		.cmd = NL80211_CMD_LEAVE_IBSS,
13627 		.doit = nl80211_leave_ibss,
13628 		.policy = nl80211_policy,
13629 		.flags = GENL_UNS_ADMIN_PERM,
13630 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13631 				  NL80211_FLAG_NEED_RTNL,
13632 	},
13633 #ifdef CONFIG_NL80211_TESTMODE
13634 	{
13635 		.cmd = NL80211_CMD_TESTMODE,
13636 		.doit = nl80211_testmode_do,
13637 		.dumpit = nl80211_testmode_dump,
13638 		.policy = nl80211_policy,
13639 		.flags = GENL_UNS_ADMIN_PERM,
13640 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13641 				  NL80211_FLAG_NEED_RTNL,
13642 	},
13643 #endif
13644 	{
13645 		.cmd = NL80211_CMD_CONNECT,
13646 		.doit = nl80211_connect,
13647 		.policy = nl80211_policy,
13648 		.flags = GENL_UNS_ADMIN_PERM,
13649 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13650 				  NL80211_FLAG_NEED_RTNL,
13651 	},
13652 	{
13653 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
13654 		.doit = nl80211_update_connect_params,
13655 		.policy = nl80211_policy,
13656 		.flags = GENL_ADMIN_PERM,
13657 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13658 				  NL80211_FLAG_NEED_RTNL,
13659 	},
13660 	{
13661 		.cmd = NL80211_CMD_DISCONNECT,
13662 		.doit = nl80211_disconnect,
13663 		.policy = nl80211_policy,
13664 		.flags = GENL_UNS_ADMIN_PERM,
13665 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13666 				  NL80211_FLAG_NEED_RTNL,
13667 	},
13668 	{
13669 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
13670 		.doit = nl80211_wiphy_netns,
13671 		.policy = nl80211_policy,
13672 		.flags = GENL_UNS_ADMIN_PERM,
13673 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13674 				  NL80211_FLAG_NEED_RTNL,
13675 	},
13676 	{
13677 		.cmd = NL80211_CMD_GET_SURVEY,
13678 		.policy = nl80211_policy,
13679 		.dumpit = nl80211_dump_survey,
13680 	},
13681 	{
13682 		.cmd = NL80211_CMD_SET_PMKSA,
13683 		.doit = nl80211_setdel_pmksa,
13684 		.policy = nl80211_policy,
13685 		.flags = GENL_UNS_ADMIN_PERM,
13686 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13687 				  NL80211_FLAG_NEED_RTNL,
13688 	},
13689 	{
13690 		.cmd = NL80211_CMD_DEL_PMKSA,
13691 		.doit = nl80211_setdel_pmksa,
13692 		.policy = nl80211_policy,
13693 		.flags = GENL_UNS_ADMIN_PERM,
13694 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13695 				  NL80211_FLAG_NEED_RTNL,
13696 	},
13697 	{
13698 		.cmd = NL80211_CMD_FLUSH_PMKSA,
13699 		.doit = nl80211_flush_pmksa,
13700 		.policy = nl80211_policy,
13701 		.flags = GENL_UNS_ADMIN_PERM,
13702 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13703 				  NL80211_FLAG_NEED_RTNL,
13704 	},
13705 	{
13706 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
13707 		.doit = nl80211_remain_on_channel,
13708 		.policy = nl80211_policy,
13709 		.flags = GENL_UNS_ADMIN_PERM,
13710 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13711 				  NL80211_FLAG_NEED_RTNL,
13712 	},
13713 	{
13714 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
13715 		.doit = nl80211_cancel_remain_on_channel,
13716 		.policy = nl80211_policy,
13717 		.flags = GENL_UNS_ADMIN_PERM,
13718 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13719 				  NL80211_FLAG_NEED_RTNL,
13720 	},
13721 	{
13722 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
13723 		.doit = nl80211_set_tx_bitrate_mask,
13724 		.policy = nl80211_policy,
13725 		.flags = GENL_UNS_ADMIN_PERM,
13726 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13727 				  NL80211_FLAG_NEED_RTNL,
13728 	},
13729 	{
13730 		.cmd = NL80211_CMD_REGISTER_FRAME,
13731 		.doit = nl80211_register_mgmt,
13732 		.policy = nl80211_policy,
13733 		.flags = GENL_UNS_ADMIN_PERM,
13734 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13735 				  NL80211_FLAG_NEED_RTNL,
13736 	},
13737 	{
13738 		.cmd = NL80211_CMD_FRAME,
13739 		.doit = nl80211_tx_mgmt,
13740 		.policy = nl80211_policy,
13741 		.flags = GENL_UNS_ADMIN_PERM,
13742 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13743 				  NL80211_FLAG_NEED_RTNL,
13744 	},
13745 	{
13746 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
13747 		.doit = nl80211_tx_mgmt_cancel_wait,
13748 		.policy = nl80211_policy,
13749 		.flags = GENL_UNS_ADMIN_PERM,
13750 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13751 				  NL80211_FLAG_NEED_RTNL,
13752 	},
13753 	{
13754 		.cmd = NL80211_CMD_SET_POWER_SAVE,
13755 		.doit = nl80211_set_power_save,
13756 		.policy = nl80211_policy,
13757 		.flags = GENL_UNS_ADMIN_PERM,
13758 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13759 				  NL80211_FLAG_NEED_RTNL,
13760 	},
13761 	{
13762 		.cmd = NL80211_CMD_GET_POWER_SAVE,
13763 		.doit = nl80211_get_power_save,
13764 		.policy = nl80211_policy,
13765 		/* can be retrieved by unprivileged users */
13766 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13767 				  NL80211_FLAG_NEED_RTNL,
13768 	},
13769 	{
13770 		.cmd = NL80211_CMD_SET_CQM,
13771 		.doit = nl80211_set_cqm,
13772 		.policy = nl80211_policy,
13773 		.flags = GENL_UNS_ADMIN_PERM,
13774 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13775 				  NL80211_FLAG_NEED_RTNL,
13776 	},
13777 	{
13778 		.cmd = NL80211_CMD_SET_CHANNEL,
13779 		.doit = nl80211_set_channel,
13780 		.policy = nl80211_policy,
13781 		.flags = GENL_UNS_ADMIN_PERM,
13782 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13783 				  NL80211_FLAG_NEED_RTNL,
13784 	},
13785 	{
13786 		.cmd = NL80211_CMD_SET_WDS_PEER,
13787 		.doit = nl80211_set_wds_peer,
13788 		.policy = nl80211_policy,
13789 		.flags = GENL_UNS_ADMIN_PERM,
13790 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13791 				  NL80211_FLAG_NEED_RTNL,
13792 	},
13793 	{
13794 		.cmd = NL80211_CMD_JOIN_MESH,
13795 		.doit = nl80211_join_mesh,
13796 		.policy = nl80211_policy,
13797 		.flags = GENL_UNS_ADMIN_PERM,
13798 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13799 				  NL80211_FLAG_NEED_RTNL,
13800 	},
13801 	{
13802 		.cmd = NL80211_CMD_LEAVE_MESH,
13803 		.doit = nl80211_leave_mesh,
13804 		.policy = nl80211_policy,
13805 		.flags = GENL_UNS_ADMIN_PERM,
13806 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13807 				  NL80211_FLAG_NEED_RTNL,
13808 	},
13809 	{
13810 		.cmd = NL80211_CMD_JOIN_OCB,
13811 		.doit = nl80211_join_ocb,
13812 		.policy = nl80211_policy,
13813 		.flags = GENL_UNS_ADMIN_PERM,
13814 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13815 				  NL80211_FLAG_NEED_RTNL,
13816 	},
13817 	{
13818 		.cmd = NL80211_CMD_LEAVE_OCB,
13819 		.doit = nl80211_leave_ocb,
13820 		.policy = nl80211_policy,
13821 		.flags = GENL_UNS_ADMIN_PERM,
13822 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13823 				  NL80211_FLAG_NEED_RTNL,
13824 	},
13825 #ifdef CONFIG_PM
13826 	{
13827 		.cmd = NL80211_CMD_GET_WOWLAN,
13828 		.doit = nl80211_get_wowlan,
13829 		.policy = nl80211_policy,
13830 		/* can be retrieved by unprivileged users */
13831 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13832 				  NL80211_FLAG_NEED_RTNL,
13833 	},
13834 	{
13835 		.cmd = NL80211_CMD_SET_WOWLAN,
13836 		.doit = nl80211_set_wowlan,
13837 		.policy = nl80211_policy,
13838 		.flags = GENL_UNS_ADMIN_PERM,
13839 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13840 				  NL80211_FLAG_NEED_RTNL,
13841 	},
13842 #endif
13843 	{
13844 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
13845 		.doit = nl80211_set_rekey_data,
13846 		.policy = nl80211_policy,
13847 		.flags = GENL_UNS_ADMIN_PERM,
13848 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13849 				  NL80211_FLAG_NEED_RTNL |
13850 				  NL80211_FLAG_CLEAR_SKB,
13851 	},
13852 	{
13853 		.cmd = NL80211_CMD_TDLS_MGMT,
13854 		.doit = nl80211_tdls_mgmt,
13855 		.policy = nl80211_policy,
13856 		.flags = GENL_UNS_ADMIN_PERM,
13857 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13858 				  NL80211_FLAG_NEED_RTNL,
13859 	},
13860 	{
13861 		.cmd = NL80211_CMD_TDLS_OPER,
13862 		.doit = nl80211_tdls_oper,
13863 		.policy = nl80211_policy,
13864 		.flags = GENL_UNS_ADMIN_PERM,
13865 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13866 				  NL80211_FLAG_NEED_RTNL,
13867 	},
13868 	{
13869 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
13870 		.doit = nl80211_register_unexpected_frame,
13871 		.policy = nl80211_policy,
13872 		.flags = GENL_UNS_ADMIN_PERM,
13873 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13874 				  NL80211_FLAG_NEED_RTNL,
13875 	},
13876 	{
13877 		.cmd = NL80211_CMD_PROBE_CLIENT,
13878 		.doit = nl80211_probe_client,
13879 		.policy = nl80211_policy,
13880 		.flags = GENL_UNS_ADMIN_PERM,
13881 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13882 				  NL80211_FLAG_NEED_RTNL,
13883 	},
13884 	{
13885 		.cmd = NL80211_CMD_REGISTER_BEACONS,
13886 		.doit = nl80211_register_beacons,
13887 		.policy = nl80211_policy,
13888 		.flags = GENL_UNS_ADMIN_PERM,
13889 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13890 				  NL80211_FLAG_NEED_RTNL,
13891 	},
13892 	{
13893 		.cmd = NL80211_CMD_SET_NOACK_MAP,
13894 		.doit = nl80211_set_noack_map,
13895 		.policy = nl80211_policy,
13896 		.flags = GENL_UNS_ADMIN_PERM,
13897 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13898 				  NL80211_FLAG_NEED_RTNL,
13899 	},
13900 	{
13901 		.cmd = NL80211_CMD_START_P2P_DEVICE,
13902 		.doit = nl80211_start_p2p_device,
13903 		.policy = nl80211_policy,
13904 		.flags = GENL_UNS_ADMIN_PERM,
13905 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13906 				  NL80211_FLAG_NEED_RTNL,
13907 	},
13908 	{
13909 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
13910 		.doit = nl80211_stop_p2p_device,
13911 		.policy = nl80211_policy,
13912 		.flags = GENL_UNS_ADMIN_PERM,
13913 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13914 				  NL80211_FLAG_NEED_RTNL,
13915 	},
13916 	{
13917 		.cmd = NL80211_CMD_START_NAN,
13918 		.doit = nl80211_start_nan,
13919 		.policy = nl80211_policy,
13920 		.flags = GENL_ADMIN_PERM,
13921 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13922 				  NL80211_FLAG_NEED_RTNL,
13923 	},
13924 	{
13925 		.cmd = NL80211_CMD_STOP_NAN,
13926 		.doit = nl80211_stop_nan,
13927 		.policy = nl80211_policy,
13928 		.flags = GENL_ADMIN_PERM,
13929 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13930 				  NL80211_FLAG_NEED_RTNL,
13931 	},
13932 	{
13933 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
13934 		.doit = nl80211_nan_add_func,
13935 		.policy = nl80211_policy,
13936 		.flags = GENL_ADMIN_PERM,
13937 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13938 				  NL80211_FLAG_NEED_RTNL,
13939 	},
13940 	{
13941 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
13942 		.doit = nl80211_nan_del_func,
13943 		.policy = nl80211_policy,
13944 		.flags = GENL_ADMIN_PERM,
13945 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13946 				  NL80211_FLAG_NEED_RTNL,
13947 	},
13948 	{
13949 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
13950 		.doit = nl80211_nan_change_config,
13951 		.policy = nl80211_policy,
13952 		.flags = GENL_ADMIN_PERM,
13953 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13954 				  NL80211_FLAG_NEED_RTNL,
13955 	},
13956 	{
13957 		.cmd = NL80211_CMD_SET_MCAST_RATE,
13958 		.doit = nl80211_set_mcast_rate,
13959 		.policy = nl80211_policy,
13960 		.flags = GENL_UNS_ADMIN_PERM,
13961 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13962 				  NL80211_FLAG_NEED_RTNL,
13963 	},
13964 	{
13965 		.cmd = NL80211_CMD_SET_MAC_ACL,
13966 		.doit = nl80211_set_mac_acl,
13967 		.policy = nl80211_policy,
13968 		.flags = GENL_UNS_ADMIN_PERM,
13969 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13970 				  NL80211_FLAG_NEED_RTNL,
13971 	},
13972 	{
13973 		.cmd = NL80211_CMD_RADAR_DETECT,
13974 		.doit = nl80211_start_radar_detection,
13975 		.policy = nl80211_policy,
13976 		.flags = GENL_UNS_ADMIN_PERM,
13977 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13978 				  NL80211_FLAG_NEED_RTNL,
13979 	},
13980 	{
13981 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
13982 		.doit = nl80211_get_protocol_features,
13983 		.policy = nl80211_policy,
13984 	},
13985 	{
13986 		.cmd = NL80211_CMD_UPDATE_FT_IES,
13987 		.doit = nl80211_update_ft_ies,
13988 		.policy = nl80211_policy,
13989 		.flags = GENL_UNS_ADMIN_PERM,
13990 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13991 				  NL80211_FLAG_NEED_RTNL,
13992 	},
13993 	{
13994 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
13995 		.doit = nl80211_crit_protocol_start,
13996 		.policy = nl80211_policy,
13997 		.flags = GENL_UNS_ADMIN_PERM,
13998 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13999 				  NL80211_FLAG_NEED_RTNL,
14000 	},
14001 	{
14002 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14003 		.doit = nl80211_crit_protocol_stop,
14004 		.policy = nl80211_policy,
14005 		.flags = GENL_UNS_ADMIN_PERM,
14006 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14007 				  NL80211_FLAG_NEED_RTNL,
14008 	},
14009 	{
14010 		.cmd = NL80211_CMD_GET_COALESCE,
14011 		.doit = nl80211_get_coalesce,
14012 		.policy = nl80211_policy,
14013 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14014 				  NL80211_FLAG_NEED_RTNL,
14015 	},
14016 	{
14017 		.cmd = NL80211_CMD_SET_COALESCE,
14018 		.doit = nl80211_set_coalesce,
14019 		.policy = nl80211_policy,
14020 		.flags = GENL_UNS_ADMIN_PERM,
14021 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14022 				  NL80211_FLAG_NEED_RTNL,
14023 	},
14024 	{
14025 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
14026 		.doit = nl80211_channel_switch,
14027 		.policy = nl80211_policy,
14028 		.flags = GENL_UNS_ADMIN_PERM,
14029 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14030 				  NL80211_FLAG_NEED_RTNL,
14031 	},
14032 	{
14033 		.cmd = NL80211_CMD_VENDOR,
14034 		.doit = nl80211_vendor_cmd,
14035 		.dumpit = nl80211_vendor_cmd_dump,
14036 		.policy = nl80211_policy,
14037 		.flags = GENL_UNS_ADMIN_PERM,
14038 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14039 				  NL80211_FLAG_NEED_RTNL,
14040 	},
14041 	{
14042 		.cmd = NL80211_CMD_SET_QOS_MAP,
14043 		.doit = nl80211_set_qos_map,
14044 		.policy = nl80211_policy,
14045 		.flags = GENL_UNS_ADMIN_PERM,
14046 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14047 				  NL80211_FLAG_NEED_RTNL,
14048 	},
14049 	{
14050 		.cmd = NL80211_CMD_ADD_TX_TS,
14051 		.doit = nl80211_add_tx_ts,
14052 		.policy = nl80211_policy,
14053 		.flags = GENL_UNS_ADMIN_PERM,
14054 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14055 				  NL80211_FLAG_NEED_RTNL,
14056 	},
14057 	{
14058 		.cmd = NL80211_CMD_DEL_TX_TS,
14059 		.doit = nl80211_del_tx_ts,
14060 		.policy = nl80211_policy,
14061 		.flags = GENL_UNS_ADMIN_PERM,
14062 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14063 				  NL80211_FLAG_NEED_RTNL,
14064 	},
14065 	{
14066 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
14067 		.doit = nl80211_tdls_channel_switch,
14068 		.policy = nl80211_policy,
14069 		.flags = GENL_UNS_ADMIN_PERM,
14070 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14071 				  NL80211_FLAG_NEED_RTNL,
14072 	},
14073 	{
14074 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
14075 		.doit = nl80211_tdls_cancel_channel_switch,
14076 		.policy = nl80211_policy,
14077 		.flags = GENL_UNS_ADMIN_PERM,
14078 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14079 				  NL80211_FLAG_NEED_RTNL,
14080 	},
14081 	{
14082 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
14083 		.doit = nl80211_set_multicast_to_unicast,
14084 		.policy = nl80211_policy,
14085 		.flags = GENL_UNS_ADMIN_PERM,
14086 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14087 				  NL80211_FLAG_NEED_RTNL,
14088 	},
14089 	{
14090 		.cmd = NL80211_CMD_SET_PMK,
14091 		.doit = nl80211_set_pmk,
14092 		.policy = nl80211_policy,
14093 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14094 				  NL80211_FLAG_NEED_RTNL,
14095 	},
14096 	{
14097 		.cmd = NL80211_CMD_DEL_PMK,
14098 		.doit = nl80211_del_pmk,
14099 		.policy = nl80211_policy,
14100 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14101 				  NL80211_FLAG_NEED_RTNL,
14102 	},
14103 	{
14104 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
14105 		.doit = nl80211_external_auth,
14106 		.policy = nl80211_policy,
14107 		.flags = GENL_ADMIN_PERM,
14108 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14109 				  NL80211_FLAG_NEED_RTNL,
14110 	},
14111 	{
14112 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
14113 		.doit = nl80211_tx_control_port,
14114 		.policy = nl80211_policy,
14115 		.flags = GENL_UNS_ADMIN_PERM,
14116 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14117 				  NL80211_FLAG_NEED_RTNL,
14118 	},
14119 	{
14120 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
14121 		.doit = nl80211_get_ftm_responder_stats,
14122 		.policy = nl80211_policy,
14123 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14124 				  NL80211_FLAG_NEED_RTNL,
14125 	},
14126 	{
14127 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
14128 		.doit = nl80211_pmsr_start,
14129 		.policy = nl80211_policy,
14130 		.flags = GENL_UNS_ADMIN_PERM,
14131 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14132 				  NL80211_FLAG_NEED_RTNL,
14133 	},
14134 	{
14135 		.cmd = NL80211_CMD_NOTIFY_RADAR,
14136 		.doit = nl80211_notify_radar_detection,
14137 		.policy = nl80211_policy,
14138 		.flags = GENL_UNS_ADMIN_PERM,
14139 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14140 				  NL80211_FLAG_NEED_RTNL,
14141 	},
14142 };
14143 
14144 static struct genl_family nl80211_fam __ro_after_init = {
14145 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
14146 	.hdrsize = 0,			/* no private header */
14147 	.version = 1,			/* no particular meaning now */
14148 	.maxattr = NL80211_ATTR_MAX,
14149 	.netnsok = true,
14150 	.pre_doit = nl80211_pre_doit,
14151 	.post_doit = nl80211_post_doit,
14152 	.module = THIS_MODULE,
14153 	.ops = nl80211_ops,
14154 	.n_ops = ARRAY_SIZE(nl80211_ops),
14155 	.mcgrps = nl80211_mcgrps,
14156 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
14157 };
14158 
14159 /* notification functions */
14160 
14161 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
14162 			  enum nl80211_commands cmd)
14163 {
14164 	struct sk_buff *msg;
14165 	struct nl80211_dump_wiphy_state state = {};
14166 
14167 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
14168 		cmd != NL80211_CMD_DEL_WIPHY);
14169 
14170 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14171 	if (!msg)
14172 		return;
14173 
14174 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
14175 		nlmsg_free(msg);
14176 		return;
14177 	}
14178 
14179 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14180 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14181 }
14182 
14183 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
14184 				struct wireless_dev *wdev,
14185 				enum nl80211_commands cmd)
14186 {
14187 	struct sk_buff *msg;
14188 
14189 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14190 	if (!msg)
14191 		return;
14192 
14193 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
14194 		nlmsg_free(msg);
14195 		return;
14196 	}
14197 
14198 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14199 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14200 }
14201 
14202 static int nl80211_add_scan_req(struct sk_buff *msg,
14203 				struct cfg80211_registered_device *rdev)
14204 {
14205 	struct cfg80211_scan_request *req = rdev->scan_req;
14206 	struct nlattr *nest;
14207 	int i;
14208 
14209 	if (WARN_ON(!req))
14210 		return 0;
14211 
14212 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
14213 	if (!nest)
14214 		goto nla_put_failure;
14215 	for (i = 0; i < req->n_ssids; i++) {
14216 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
14217 			goto nla_put_failure;
14218 	}
14219 	nla_nest_end(msg, nest);
14220 
14221 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14222 	if (!nest)
14223 		goto nla_put_failure;
14224 	for (i = 0; i < req->n_channels; i++) {
14225 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14226 			goto nla_put_failure;
14227 	}
14228 	nla_nest_end(msg, nest);
14229 
14230 	if (req->ie &&
14231 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
14232 		goto nla_put_failure;
14233 
14234 	if (req->flags &&
14235 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
14236 		goto nla_put_failure;
14237 
14238 	if (req->info.scan_start_tsf &&
14239 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
14240 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
14241 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
14242 		     req->info.tsf_bssid)))
14243 		goto nla_put_failure;
14244 
14245 	return 0;
14246  nla_put_failure:
14247 	return -ENOBUFS;
14248 }
14249 
14250 static int nl80211_prep_scan_msg(struct sk_buff *msg,
14251 				 struct cfg80211_registered_device *rdev,
14252 				 struct wireless_dev *wdev,
14253 				 u32 portid, u32 seq, int flags,
14254 				 u32 cmd)
14255 {
14256 	void *hdr;
14257 
14258 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
14259 	if (!hdr)
14260 		return -1;
14261 
14262 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14263 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14264 					 wdev->netdev->ifindex)) ||
14265 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14266 			      NL80211_ATTR_PAD))
14267 		goto nla_put_failure;
14268 
14269 	/* ignore errors and send incomplete event anyway */
14270 	nl80211_add_scan_req(msg, rdev);
14271 
14272 	genlmsg_end(msg, hdr);
14273 	return 0;
14274 
14275  nla_put_failure:
14276 	genlmsg_cancel(msg, hdr);
14277 	return -EMSGSIZE;
14278 }
14279 
14280 static int
14281 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
14282 			    struct cfg80211_sched_scan_request *req, u32 cmd)
14283 {
14284 	void *hdr;
14285 
14286 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14287 	if (!hdr)
14288 		return -1;
14289 
14290 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
14291 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
14292 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
14293 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
14294 			      NL80211_ATTR_PAD))
14295 		goto nla_put_failure;
14296 
14297 	genlmsg_end(msg, hdr);
14298 	return 0;
14299 
14300  nla_put_failure:
14301 	genlmsg_cancel(msg, hdr);
14302 	return -EMSGSIZE;
14303 }
14304 
14305 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
14306 			     struct wireless_dev *wdev)
14307 {
14308 	struct sk_buff *msg;
14309 
14310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14311 	if (!msg)
14312 		return;
14313 
14314 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14315 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
14316 		nlmsg_free(msg);
14317 		return;
14318 	}
14319 
14320 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14321 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14322 }
14323 
14324 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
14325 				       struct wireless_dev *wdev, bool aborted)
14326 {
14327 	struct sk_buff *msg;
14328 
14329 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14330 	if (!msg)
14331 		return NULL;
14332 
14333 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14334 				  aborted ? NL80211_CMD_SCAN_ABORTED :
14335 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
14336 		nlmsg_free(msg);
14337 		return NULL;
14338 	}
14339 
14340 	return msg;
14341 }
14342 
14343 /* send message created by nl80211_build_scan_msg() */
14344 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
14345 			   struct sk_buff *msg)
14346 {
14347 	if (!msg)
14348 		return;
14349 
14350 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14351 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14352 }
14353 
14354 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
14355 {
14356 	struct sk_buff *msg;
14357 
14358 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14359 	if (!msg)
14360 		return;
14361 
14362 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
14363 		nlmsg_free(msg);
14364 		return;
14365 	}
14366 
14367 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
14368 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14369 }
14370 
14371 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
14372 					  struct regulatory_request *request)
14373 {
14374 	/* Userspace can always count this one always being set */
14375 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
14376 		goto nla_put_failure;
14377 
14378 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
14379 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14380 			       NL80211_REGDOM_TYPE_WORLD))
14381 			goto nla_put_failure;
14382 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
14383 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14384 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
14385 			goto nla_put_failure;
14386 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
14387 		   request->intersect) {
14388 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14389 			       NL80211_REGDOM_TYPE_INTERSECTION))
14390 			goto nla_put_failure;
14391 	} else {
14392 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14393 			       NL80211_REGDOM_TYPE_COUNTRY) ||
14394 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
14395 				   request->alpha2))
14396 			goto nla_put_failure;
14397 	}
14398 
14399 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
14400 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
14401 
14402 		if (wiphy &&
14403 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
14404 			goto nla_put_failure;
14405 
14406 		if (wiphy &&
14407 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
14408 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
14409 			goto nla_put_failure;
14410 	}
14411 
14412 	return true;
14413 
14414 nla_put_failure:
14415 	return false;
14416 }
14417 
14418 /*
14419  * This can happen on global regulatory changes or device specific settings
14420  * based on custom regulatory domains.
14421  */
14422 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14423 				     struct regulatory_request *request)
14424 {
14425 	struct sk_buff *msg;
14426 	void *hdr;
14427 
14428 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14429 	if (!msg)
14430 		return;
14431 
14432 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
14433 	if (!hdr) {
14434 		nlmsg_free(msg);
14435 		return;
14436 	}
14437 
14438 	if (nl80211_reg_change_event_fill(msg, request) == false)
14439 		goto nla_put_failure;
14440 
14441 	genlmsg_end(msg, hdr);
14442 
14443 	rcu_read_lock();
14444 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14445 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14446 	rcu_read_unlock();
14447 
14448 	return;
14449 
14450 nla_put_failure:
14451 	nlmsg_free(msg);
14452 }
14453 
14454 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
14455 				    struct net_device *netdev,
14456 				    const u8 *buf, size_t len,
14457 				    enum nl80211_commands cmd, gfp_t gfp,
14458 				    int uapsd_queues)
14459 {
14460 	struct sk_buff *msg;
14461 	void *hdr;
14462 
14463 	msg = nlmsg_new(100 + len, gfp);
14464 	if (!msg)
14465 		return;
14466 
14467 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14468 	if (!hdr) {
14469 		nlmsg_free(msg);
14470 		return;
14471 	}
14472 
14473 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14474 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14475 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
14476 		goto nla_put_failure;
14477 
14478 	if (uapsd_queues >= 0) {
14479 		struct nlattr *nla_wmm =
14480 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
14481 		if (!nla_wmm)
14482 			goto nla_put_failure;
14483 
14484 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
14485 			       uapsd_queues))
14486 			goto nla_put_failure;
14487 
14488 		nla_nest_end(msg, nla_wmm);
14489 	}
14490 
14491 	genlmsg_end(msg, hdr);
14492 
14493 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14494 				NL80211_MCGRP_MLME, gfp);
14495 	return;
14496 
14497  nla_put_failure:
14498 	nlmsg_free(msg);
14499 }
14500 
14501 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
14502 			  struct net_device *netdev, const u8 *buf,
14503 			  size_t len, gfp_t gfp)
14504 {
14505 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14506 				NL80211_CMD_AUTHENTICATE, gfp, -1);
14507 }
14508 
14509 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
14510 			   struct net_device *netdev, const u8 *buf,
14511 			   size_t len, gfp_t gfp, int uapsd_queues)
14512 {
14513 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14514 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
14515 }
14516 
14517 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
14518 			 struct net_device *netdev, const u8 *buf,
14519 			 size_t len, gfp_t gfp)
14520 {
14521 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14522 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
14523 }
14524 
14525 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
14526 			   struct net_device *netdev, const u8 *buf,
14527 			   size_t len, gfp_t gfp)
14528 {
14529 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14530 				NL80211_CMD_DISASSOCIATE, gfp, -1);
14531 }
14532 
14533 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
14534 				  size_t len)
14535 {
14536 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14537 	struct wiphy *wiphy = wdev->wiphy;
14538 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14539 	const struct ieee80211_mgmt *mgmt = (void *)buf;
14540 	u32 cmd;
14541 
14542 	if (WARN_ON(len < 2))
14543 		return;
14544 
14545 	if (ieee80211_is_deauth(mgmt->frame_control))
14546 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
14547 	else
14548 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
14549 
14550 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
14551 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
14552 }
14553 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
14554 
14555 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
14556 				      struct net_device *netdev, int cmd,
14557 				      const u8 *addr, gfp_t gfp)
14558 {
14559 	struct sk_buff *msg;
14560 	void *hdr;
14561 
14562 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14563 	if (!msg)
14564 		return;
14565 
14566 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14567 	if (!hdr) {
14568 		nlmsg_free(msg);
14569 		return;
14570 	}
14571 
14572 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14573 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14574 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14575 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
14576 		goto nla_put_failure;
14577 
14578 	genlmsg_end(msg, hdr);
14579 
14580 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14581 				NL80211_MCGRP_MLME, gfp);
14582 	return;
14583 
14584  nla_put_failure:
14585 	nlmsg_free(msg);
14586 }
14587 
14588 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
14589 			       struct net_device *netdev, const u8 *addr,
14590 			       gfp_t gfp)
14591 {
14592 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
14593 				  addr, gfp);
14594 }
14595 
14596 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
14597 				struct net_device *netdev, const u8 *addr,
14598 				gfp_t gfp)
14599 {
14600 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
14601 				  addr, gfp);
14602 }
14603 
14604 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
14605 				 struct net_device *netdev,
14606 				 struct cfg80211_connect_resp_params *cr,
14607 				 gfp_t gfp)
14608 {
14609 	struct sk_buff *msg;
14610 	void *hdr;
14611 
14612 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
14613 			cr->fils.kek_len + cr->fils.pmk_len +
14614 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14615 	if (!msg)
14616 		return;
14617 
14618 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
14619 	if (!hdr) {
14620 		nlmsg_free(msg);
14621 		return;
14622 	}
14623 
14624 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14625 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14626 	    (cr->bssid &&
14627 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
14628 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
14629 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
14630 			cr->status) ||
14631 	    (cr->status < 0 &&
14632 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14633 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
14634 			  cr->timeout_reason))) ||
14635 	    (cr->req_ie &&
14636 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
14637 	    (cr->resp_ie &&
14638 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
14639 		     cr->resp_ie)) ||
14640 	    (cr->fils.update_erp_next_seq_num &&
14641 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14642 			 cr->fils.erp_next_seq_num)) ||
14643 	    (cr->status == WLAN_STATUS_SUCCESS &&
14644 	     ((cr->fils.kek &&
14645 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
14646 		       cr->fils.kek)) ||
14647 	      (cr->fils.pmk &&
14648 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
14649 	      (cr->fils.pmkid &&
14650 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
14651 		goto nla_put_failure;
14652 
14653 	genlmsg_end(msg, hdr);
14654 
14655 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14656 				NL80211_MCGRP_MLME, gfp);
14657 	return;
14658 
14659  nla_put_failure:
14660 	nlmsg_free(msg);
14661 }
14662 
14663 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
14664 			 struct net_device *netdev,
14665 			 struct cfg80211_roam_info *info, gfp_t gfp)
14666 {
14667 	struct sk_buff *msg;
14668 	void *hdr;
14669 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
14670 
14671 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
14672 			info->fils.kek_len + info->fils.pmk_len +
14673 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14674 	if (!msg)
14675 		return;
14676 
14677 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
14678 	if (!hdr) {
14679 		nlmsg_free(msg);
14680 		return;
14681 	}
14682 
14683 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14684 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14685 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
14686 	    (info->req_ie &&
14687 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
14688 		     info->req_ie)) ||
14689 	    (info->resp_ie &&
14690 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
14691 		     info->resp_ie)) ||
14692 	    (info->fils.update_erp_next_seq_num &&
14693 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14694 			 info->fils.erp_next_seq_num)) ||
14695 	    (info->fils.kek &&
14696 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
14697 		     info->fils.kek)) ||
14698 	    (info->fils.pmk &&
14699 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
14700 	    (info->fils.pmkid &&
14701 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
14702 		goto nla_put_failure;
14703 
14704 	genlmsg_end(msg, hdr);
14705 
14706 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14707 				NL80211_MCGRP_MLME, gfp);
14708 	return;
14709 
14710  nla_put_failure:
14711 	nlmsg_free(msg);
14712 }
14713 
14714 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
14715 				  struct net_device *netdev, const u8 *bssid)
14716 {
14717 	struct sk_buff *msg;
14718 	void *hdr;
14719 
14720 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14721 	if (!msg)
14722 		return;
14723 
14724 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
14725 	if (!hdr) {
14726 		nlmsg_free(msg);
14727 		return;
14728 	}
14729 
14730 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
14731 		goto nla_put_failure;
14732 
14733 	genlmsg_end(msg, hdr);
14734 
14735 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14736 				NL80211_MCGRP_MLME, GFP_KERNEL);
14737 	return;
14738 
14739  nla_put_failure:
14740 	nlmsg_free(msg);
14741 }
14742 
14743 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
14744 			       struct net_device *netdev, u16 reason,
14745 			       const u8 *ie, size_t ie_len, bool from_ap)
14746 {
14747 	struct sk_buff *msg;
14748 	void *hdr;
14749 
14750 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
14751 	if (!msg)
14752 		return;
14753 
14754 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
14755 	if (!hdr) {
14756 		nlmsg_free(msg);
14757 		return;
14758 	}
14759 
14760 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14761 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14762 	    (reason &&
14763 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
14764 	    (from_ap &&
14765 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
14766 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
14767 		goto nla_put_failure;
14768 
14769 	genlmsg_end(msg, hdr);
14770 
14771 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14772 				NL80211_MCGRP_MLME, GFP_KERNEL);
14773 	return;
14774 
14775  nla_put_failure:
14776 	nlmsg_free(msg);
14777 }
14778 
14779 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
14780 			     struct net_device *netdev, const u8 *bssid,
14781 			     gfp_t gfp)
14782 {
14783 	struct sk_buff *msg;
14784 	void *hdr;
14785 
14786 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14787 	if (!msg)
14788 		return;
14789 
14790 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
14791 	if (!hdr) {
14792 		nlmsg_free(msg);
14793 		return;
14794 	}
14795 
14796 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14797 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14798 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
14799 		goto nla_put_failure;
14800 
14801 	genlmsg_end(msg, hdr);
14802 
14803 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14804 				NL80211_MCGRP_MLME, gfp);
14805 	return;
14806 
14807  nla_put_failure:
14808 	nlmsg_free(msg);
14809 }
14810 
14811 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
14812 					const u8 *ie, u8 ie_len,
14813 					int sig_dbm, gfp_t gfp)
14814 {
14815 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14816 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14817 	struct sk_buff *msg;
14818 	void *hdr;
14819 
14820 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
14821 		return;
14822 
14823 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
14824 
14825 	msg = nlmsg_new(100 + ie_len, gfp);
14826 	if (!msg)
14827 		return;
14828 
14829 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
14830 	if (!hdr) {
14831 		nlmsg_free(msg);
14832 		return;
14833 	}
14834 
14835 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14836 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14837 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
14838 	    (ie_len && ie &&
14839 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
14840 	    (sig_dbm &&
14841 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
14842 		goto nla_put_failure;
14843 
14844 	genlmsg_end(msg, hdr);
14845 
14846 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14847 				NL80211_MCGRP_MLME, gfp);
14848 	return;
14849 
14850  nla_put_failure:
14851 	nlmsg_free(msg);
14852 }
14853 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
14854 
14855 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
14856 				 struct net_device *netdev, const u8 *addr,
14857 				 enum nl80211_key_type key_type, int key_id,
14858 				 const u8 *tsc, gfp_t gfp)
14859 {
14860 	struct sk_buff *msg;
14861 	void *hdr;
14862 
14863 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14864 	if (!msg)
14865 		return;
14866 
14867 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
14868 	if (!hdr) {
14869 		nlmsg_free(msg);
14870 		return;
14871 	}
14872 
14873 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14874 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14875 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
14876 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
14877 	    (key_id != -1 &&
14878 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
14879 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
14880 		goto nla_put_failure;
14881 
14882 	genlmsg_end(msg, hdr);
14883 
14884 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14885 				NL80211_MCGRP_MLME, gfp);
14886 	return;
14887 
14888  nla_put_failure:
14889 	nlmsg_free(msg);
14890 }
14891 
14892 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
14893 				    struct ieee80211_channel *channel_before,
14894 				    struct ieee80211_channel *channel_after)
14895 {
14896 	struct sk_buff *msg;
14897 	void *hdr;
14898 	struct nlattr *nl_freq;
14899 
14900 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
14901 	if (!msg)
14902 		return;
14903 
14904 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
14905 	if (!hdr) {
14906 		nlmsg_free(msg);
14907 		return;
14908 	}
14909 
14910 	/*
14911 	 * Since we are applying the beacon hint to a wiphy we know its
14912 	 * wiphy_idx is valid
14913 	 */
14914 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
14915 		goto nla_put_failure;
14916 
14917 	/* Before */
14918 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
14919 	if (!nl_freq)
14920 		goto nla_put_failure;
14921 
14922 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
14923 		goto nla_put_failure;
14924 	nla_nest_end(msg, nl_freq);
14925 
14926 	/* After */
14927 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
14928 	if (!nl_freq)
14929 		goto nla_put_failure;
14930 
14931 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
14932 		goto nla_put_failure;
14933 	nla_nest_end(msg, nl_freq);
14934 
14935 	genlmsg_end(msg, hdr);
14936 
14937 	rcu_read_lock();
14938 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14939 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14940 	rcu_read_unlock();
14941 
14942 	return;
14943 
14944 nla_put_failure:
14945 	nlmsg_free(msg);
14946 }
14947 
14948 static void nl80211_send_remain_on_chan_event(
14949 	int cmd, struct cfg80211_registered_device *rdev,
14950 	struct wireless_dev *wdev, u64 cookie,
14951 	struct ieee80211_channel *chan,
14952 	unsigned int duration, gfp_t gfp)
14953 {
14954 	struct sk_buff *msg;
14955 	void *hdr;
14956 
14957 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14958 	if (!msg)
14959 		return;
14960 
14961 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14962 	if (!hdr) {
14963 		nlmsg_free(msg);
14964 		return;
14965 	}
14966 
14967 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14968 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14969 					 wdev->netdev->ifindex)) ||
14970 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14971 			      NL80211_ATTR_PAD) ||
14972 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
14973 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
14974 			NL80211_CHAN_NO_HT) ||
14975 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14976 			      NL80211_ATTR_PAD))
14977 		goto nla_put_failure;
14978 
14979 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
14980 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
14981 		goto nla_put_failure;
14982 
14983 	genlmsg_end(msg, hdr);
14984 
14985 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14986 				NL80211_MCGRP_MLME, gfp);
14987 	return;
14988 
14989  nla_put_failure:
14990 	nlmsg_free(msg);
14991 }
14992 
14993 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
14994 			       struct ieee80211_channel *chan,
14995 			       unsigned int duration, gfp_t gfp)
14996 {
14997 	struct wiphy *wiphy = wdev->wiphy;
14998 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14999 
15000 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
15001 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
15002 					  rdev, wdev, cookie, chan,
15003 					  duration, gfp);
15004 }
15005 EXPORT_SYMBOL(cfg80211_ready_on_channel);
15006 
15007 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
15008 					struct ieee80211_channel *chan,
15009 					gfp_t gfp)
15010 {
15011 	struct wiphy *wiphy = wdev->wiphy;
15012 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15013 
15014 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
15015 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15016 					  rdev, wdev, cookie, chan, 0, gfp);
15017 }
15018 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
15019 
15020 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
15021 		      struct station_info *sinfo, gfp_t gfp)
15022 {
15023 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15024 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15025 	struct sk_buff *msg;
15026 
15027 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
15028 
15029 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15030 	if (!msg)
15031 		return;
15032 
15033 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
15034 				 rdev, dev, mac_addr, sinfo) < 0) {
15035 		nlmsg_free(msg);
15036 		return;
15037 	}
15038 
15039 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15040 				NL80211_MCGRP_MLME, gfp);
15041 }
15042 EXPORT_SYMBOL(cfg80211_new_sta);
15043 
15044 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
15045 			    struct station_info *sinfo, gfp_t gfp)
15046 {
15047 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15048 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15049 	struct sk_buff *msg;
15050 	struct station_info empty_sinfo = {};
15051 
15052 	if (!sinfo)
15053 		sinfo = &empty_sinfo;
15054 
15055 	trace_cfg80211_del_sta(dev, mac_addr);
15056 
15057 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15058 	if (!msg) {
15059 		cfg80211_sinfo_release_content(sinfo);
15060 		return;
15061 	}
15062 
15063 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
15064 				 rdev, dev, mac_addr, sinfo) < 0) {
15065 		nlmsg_free(msg);
15066 		return;
15067 	}
15068 
15069 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15070 				NL80211_MCGRP_MLME, gfp);
15071 }
15072 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
15073 
15074 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
15075 			  enum nl80211_connect_failed_reason reason,
15076 			  gfp_t gfp)
15077 {
15078 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15079 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15080 	struct sk_buff *msg;
15081 	void *hdr;
15082 
15083 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
15084 	if (!msg)
15085 		return;
15086 
15087 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
15088 	if (!hdr) {
15089 		nlmsg_free(msg);
15090 		return;
15091 	}
15092 
15093 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15094 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
15095 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
15096 		goto nla_put_failure;
15097 
15098 	genlmsg_end(msg, hdr);
15099 
15100 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15101 				NL80211_MCGRP_MLME, gfp);
15102 	return;
15103 
15104  nla_put_failure:
15105 	nlmsg_free(msg);
15106 }
15107 EXPORT_SYMBOL(cfg80211_conn_failed);
15108 
15109 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
15110 				       const u8 *addr, gfp_t gfp)
15111 {
15112 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15113 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15114 	struct sk_buff *msg;
15115 	void *hdr;
15116 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
15117 
15118 	if (!nlportid)
15119 		return false;
15120 
15121 	msg = nlmsg_new(100, gfp);
15122 	if (!msg)
15123 		return true;
15124 
15125 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15126 	if (!hdr) {
15127 		nlmsg_free(msg);
15128 		return true;
15129 	}
15130 
15131 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15132 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15133 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15134 		goto nla_put_failure;
15135 
15136 	genlmsg_end(msg, hdr);
15137 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15138 	return true;
15139 
15140  nla_put_failure:
15141 	nlmsg_free(msg);
15142 	return true;
15143 }
15144 
15145 bool cfg80211_rx_spurious_frame(struct net_device *dev,
15146 				const u8 *addr, gfp_t gfp)
15147 {
15148 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15149 	bool ret;
15150 
15151 	trace_cfg80211_rx_spurious_frame(dev, addr);
15152 
15153 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15154 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
15155 		trace_cfg80211_return_bool(false);
15156 		return false;
15157 	}
15158 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
15159 					 addr, gfp);
15160 	trace_cfg80211_return_bool(ret);
15161 	return ret;
15162 }
15163 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
15164 
15165 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
15166 					const u8 *addr, gfp_t gfp)
15167 {
15168 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15169 	bool ret;
15170 
15171 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
15172 
15173 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15174 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15175 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
15176 		trace_cfg80211_return_bool(false);
15177 		return false;
15178 	}
15179 	ret = __nl80211_unexpected_frame(dev,
15180 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
15181 					 addr, gfp);
15182 	trace_cfg80211_return_bool(ret);
15183 	return ret;
15184 }
15185 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
15186 
15187 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
15188 		      struct wireless_dev *wdev, u32 nlportid,
15189 		      int freq, int sig_dbm,
15190 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
15191 {
15192 	struct net_device *netdev = wdev->netdev;
15193 	struct sk_buff *msg;
15194 	void *hdr;
15195 
15196 	msg = nlmsg_new(100 + len, gfp);
15197 	if (!msg)
15198 		return -ENOMEM;
15199 
15200 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15201 	if (!hdr) {
15202 		nlmsg_free(msg);
15203 		return -ENOMEM;
15204 	}
15205 
15206 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15207 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15208 					netdev->ifindex)) ||
15209 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15210 			      NL80211_ATTR_PAD) ||
15211 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
15212 	    (sig_dbm &&
15213 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15214 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15215 	    (flags &&
15216 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
15217 		goto nla_put_failure;
15218 
15219 	genlmsg_end(msg, hdr);
15220 
15221 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15222 
15223  nla_put_failure:
15224 	nlmsg_free(msg);
15225 	return -ENOBUFS;
15226 }
15227 
15228 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
15229 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
15230 {
15231 	struct wiphy *wiphy = wdev->wiphy;
15232 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15233 	struct net_device *netdev = wdev->netdev;
15234 	struct sk_buff *msg;
15235 	void *hdr;
15236 
15237 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
15238 
15239 	msg = nlmsg_new(100 + len, gfp);
15240 	if (!msg)
15241 		return;
15242 
15243 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
15244 	if (!hdr) {
15245 		nlmsg_free(msg);
15246 		return;
15247 	}
15248 
15249 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15250 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15251 				   netdev->ifindex)) ||
15252 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15253 			      NL80211_ATTR_PAD) ||
15254 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15255 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15256 			      NL80211_ATTR_PAD) ||
15257 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
15258 		goto nla_put_failure;
15259 
15260 	genlmsg_end(msg, hdr);
15261 
15262 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15263 				NL80211_MCGRP_MLME, gfp);
15264 	return;
15265 
15266  nla_put_failure:
15267 	nlmsg_free(msg);
15268 }
15269 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
15270 
15271 static int __nl80211_rx_control_port(struct net_device *dev,
15272 				     struct sk_buff *skb,
15273 				     bool unencrypted, gfp_t gfp)
15274 {
15275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15276 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15277 	struct ethhdr *ehdr = eth_hdr(skb);
15278 	const u8 *addr = ehdr->h_source;
15279 	u16 proto = be16_to_cpu(skb->protocol);
15280 	struct sk_buff *msg;
15281 	void *hdr;
15282 	struct nlattr *frame;
15283 
15284 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
15285 
15286 	if (!nlportid)
15287 		return -ENOENT;
15288 
15289 	msg = nlmsg_new(100 + skb->len, gfp);
15290 	if (!msg)
15291 		return -ENOMEM;
15292 
15293 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
15294 	if (!hdr) {
15295 		nlmsg_free(msg);
15296 		return -ENOBUFS;
15297 	}
15298 
15299 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15300 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15301 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15302 			      NL80211_ATTR_PAD) ||
15303 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15304 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
15305 	    (unencrypted && nla_put_flag(msg,
15306 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
15307 		goto nla_put_failure;
15308 
15309 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
15310 	if (!frame)
15311 		goto nla_put_failure;
15312 
15313 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
15314 	genlmsg_end(msg, hdr);
15315 
15316 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15317 
15318  nla_put_failure:
15319 	nlmsg_free(msg);
15320 	return -ENOBUFS;
15321 }
15322 
15323 bool cfg80211_rx_control_port(struct net_device *dev,
15324 			      struct sk_buff *skb, bool unencrypted)
15325 {
15326 	int ret;
15327 
15328 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
15329 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
15330 	trace_cfg80211_return_bool(ret == 0);
15331 	return ret == 0;
15332 }
15333 EXPORT_SYMBOL(cfg80211_rx_control_port);
15334 
15335 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
15336 					    const char *mac, gfp_t gfp)
15337 {
15338 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15339 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15340 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15341 	void **cb;
15342 
15343 	if (!msg)
15344 		return NULL;
15345 
15346 	cb = (void **)msg->cb;
15347 
15348 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
15349 	if (!cb[0]) {
15350 		nlmsg_free(msg);
15351 		return NULL;
15352 	}
15353 
15354 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15355 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15356 		goto nla_put_failure;
15357 
15358 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15359 		goto nla_put_failure;
15360 
15361 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
15362 	if (!cb[1])
15363 		goto nla_put_failure;
15364 
15365 	cb[2] = rdev;
15366 
15367 	return msg;
15368  nla_put_failure:
15369 	nlmsg_free(msg);
15370 	return NULL;
15371 }
15372 
15373 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
15374 {
15375 	void **cb = (void **)msg->cb;
15376 	struct cfg80211_registered_device *rdev = cb[2];
15377 
15378 	nla_nest_end(msg, cb[1]);
15379 	genlmsg_end(msg, cb[0]);
15380 
15381 	memset(msg->cb, 0, sizeof(msg->cb));
15382 
15383 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15384 				NL80211_MCGRP_MLME, gfp);
15385 }
15386 
15387 void cfg80211_cqm_rssi_notify(struct net_device *dev,
15388 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
15389 			      s32 rssi_level, gfp_t gfp)
15390 {
15391 	struct sk_buff *msg;
15392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15393 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15394 
15395 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
15396 
15397 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
15398 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
15399 		return;
15400 
15401 	if (wdev->cqm_config) {
15402 		wdev->cqm_config->last_rssi_event_value = rssi_level;
15403 
15404 		cfg80211_cqm_rssi_update(rdev, dev);
15405 
15406 		if (rssi_level == 0)
15407 			rssi_level = wdev->cqm_config->last_rssi_event_value;
15408 	}
15409 
15410 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15411 	if (!msg)
15412 		return;
15413 
15414 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
15415 			rssi_event))
15416 		goto nla_put_failure;
15417 
15418 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
15419 				      rssi_level))
15420 		goto nla_put_failure;
15421 
15422 	cfg80211_send_cqm(msg, gfp);
15423 
15424 	return;
15425 
15426  nla_put_failure:
15427 	nlmsg_free(msg);
15428 }
15429 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
15430 
15431 void cfg80211_cqm_txe_notify(struct net_device *dev,
15432 			     const u8 *peer, u32 num_packets,
15433 			     u32 rate, u32 intvl, gfp_t gfp)
15434 {
15435 	struct sk_buff *msg;
15436 
15437 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
15438 	if (!msg)
15439 		return;
15440 
15441 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
15442 		goto nla_put_failure;
15443 
15444 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
15445 		goto nla_put_failure;
15446 
15447 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
15448 		goto nla_put_failure;
15449 
15450 	cfg80211_send_cqm(msg, gfp);
15451 	return;
15452 
15453  nla_put_failure:
15454 	nlmsg_free(msg);
15455 }
15456 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
15457 
15458 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
15459 				 const u8 *peer, u32 num_packets, gfp_t gfp)
15460 {
15461 	struct sk_buff *msg;
15462 
15463 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
15464 
15465 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
15466 	if (!msg)
15467 		return;
15468 
15469 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
15470 		goto nla_put_failure;
15471 
15472 	cfg80211_send_cqm(msg, gfp);
15473 	return;
15474 
15475  nla_put_failure:
15476 	nlmsg_free(msg);
15477 }
15478 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
15479 
15480 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
15481 {
15482 	struct sk_buff *msg;
15483 
15484 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15485 	if (!msg)
15486 		return;
15487 
15488 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
15489 		goto nla_put_failure;
15490 
15491 	cfg80211_send_cqm(msg, gfp);
15492 	return;
15493 
15494  nla_put_failure:
15495 	nlmsg_free(msg);
15496 }
15497 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
15498 
15499 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
15500 				     struct net_device *netdev, const u8 *bssid,
15501 				     const u8 *replay_ctr, gfp_t gfp)
15502 {
15503 	struct sk_buff *msg;
15504 	struct nlattr *rekey_attr;
15505 	void *hdr;
15506 
15507 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15508 	if (!msg)
15509 		return;
15510 
15511 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
15512 	if (!hdr) {
15513 		nlmsg_free(msg);
15514 		return;
15515 	}
15516 
15517 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15518 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15519 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15520 		goto nla_put_failure;
15521 
15522 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
15523 	if (!rekey_attr)
15524 		goto nla_put_failure;
15525 
15526 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
15527 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
15528 		goto nla_put_failure;
15529 
15530 	nla_nest_end(msg, rekey_attr);
15531 
15532 	genlmsg_end(msg, hdr);
15533 
15534 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15535 				NL80211_MCGRP_MLME, gfp);
15536 	return;
15537 
15538  nla_put_failure:
15539 	nlmsg_free(msg);
15540 }
15541 
15542 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
15543 			       const u8 *replay_ctr, gfp_t gfp)
15544 {
15545 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15546 	struct wiphy *wiphy = wdev->wiphy;
15547 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15548 
15549 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
15550 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
15551 }
15552 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
15553 
15554 static void
15555 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
15556 			       struct net_device *netdev, int index,
15557 			       const u8 *bssid, bool preauth, gfp_t gfp)
15558 {
15559 	struct sk_buff *msg;
15560 	struct nlattr *attr;
15561 	void *hdr;
15562 
15563 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15564 	if (!msg)
15565 		return;
15566 
15567 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
15568 	if (!hdr) {
15569 		nlmsg_free(msg);
15570 		return;
15571 	}
15572 
15573 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15574 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15575 		goto nla_put_failure;
15576 
15577 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
15578 	if (!attr)
15579 		goto nla_put_failure;
15580 
15581 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
15582 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
15583 	    (preauth &&
15584 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
15585 		goto nla_put_failure;
15586 
15587 	nla_nest_end(msg, attr);
15588 
15589 	genlmsg_end(msg, hdr);
15590 
15591 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15592 				NL80211_MCGRP_MLME, gfp);
15593 	return;
15594 
15595  nla_put_failure:
15596 	nlmsg_free(msg);
15597 }
15598 
15599 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
15600 				     const u8 *bssid, bool preauth, gfp_t gfp)
15601 {
15602 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15603 	struct wiphy *wiphy = wdev->wiphy;
15604 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15605 
15606 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
15607 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
15608 }
15609 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
15610 
15611 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
15612 				     struct net_device *netdev,
15613 				     struct cfg80211_chan_def *chandef,
15614 				     gfp_t gfp,
15615 				     enum nl80211_commands notif,
15616 				     u8 count)
15617 {
15618 	struct sk_buff *msg;
15619 	void *hdr;
15620 
15621 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15622 	if (!msg)
15623 		return;
15624 
15625 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
15626 	if (!hdr) {
15627 		nlmsg_free(msg);
15628 		return;
15629 	}
15630 
15631 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15632 		goto nla_put_failure;
15633 
15634 	if (nl80211_send_chandef(msg, chandef))
15635 		goto nla_put_failure;
15636 
15637 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
15638 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
15639 			goto nla_put_failure;
15640 
15641 	genlmsg_end(msg, hdr);
15642 
15643 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15644 				NL80211_MCGRP_MLME, gfp);
15645 	return;
15646 
15647  nla_put_failure:
15648 	nlmsg_free(msg);
15649 }
15650 
15651 void cfg80211_ch_switch_notify(struct net_device *dev,
15652 			       struct cfg80211_chan_def *chandef)
15653 {
15654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15655 	struct wiphy *wiphy = wdev->wiphy;
15656 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15657 
15658 	ASSERT_WDEV_LOCK(wdev);
15659 
15660 	trace_cfg80211_ch_switch_notify(dev, chandef);
15661 
15662 	wdev->chandef = *chandef;
15663 	wdev->preset_chandef = *chandef;
15664 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15665 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
15666 }
15667 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
15668 
15669 void cfg80211_ch_switch_started_notify(struct net_device *dev,
15670 				       struct cfg80211_chan_def *chandef,
15671 				       u8 count)
15672 {
15673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15674 	struct wiphy *wiphy = wdev->wiphy;
15675 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15676 
15677 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
15678 
15679 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15680 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
15681 }
15682 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
15683 
15684 void
15685 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
15686 		     const struct cfg80211_chan_def *chandef,
15687 		     enum nl80211_radar_event event,
15688 		     struct net_device *netdev, gfp_t gfp)
15689 {
15690 	struct sk_buff *msg;
15691 	void *hdr;
15692 
15693 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15694 	if (!msg)
15695 		return;
15696 
15697 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
15698 	if (!hdr) {
15699 		nlmsg_free(msg);
15700 		return;
15701 	}
15702 
15703 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
15704 		goto nla_put_failure;
15705 
15706 	/* NOP and radar events don't need a netdev parameter */
15707 	if (netdev) {
15708 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
15709 
15710 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15711 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15712 				      NL80211_ATTR_PAD))
15713 			goto nla_put_failure;
15714 	}
15715 
15716 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
15717 		goto nla_put_failure;
15718 
15719 	if (nl80211_send_chandef(msg, chandef))
15720 		goto nla_put_failure;
15721 
15722 	genlmsg_end(msg, hdr);
15723 
15724 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15725 				NL80211_MCGRP_MLME, gfp);
15726 	return;
15727 
15728  nla_put_failure:
15729 	nlmsg_free(msg);
15730 }
15731 
15732 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
15733 				       struct sta_opmode_info *sta_opmode,
15734 				       gfp_t gfp)
15735 {
15736 	struct sk_buff *msg;
15737 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15738 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15739 	void *hdr;
15740 
15741 	if (WARN_ON(!mac))
15742 		return;
15743 
15744 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15745 	if (!msg)
15746 		return;
15747 
15748 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
15749 	if (!hdr) {
15750 		nlmsg_free(msg);
15751 		return;
15752 	}
15753 
15754 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
15755 		goto nla_put_failure;
15756 
15757 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15758 		goto nla_put_failure;
15759 
15760 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15761 		goto nla_put_failure;
15762 
15763 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
15764 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
15765 		goto nla_put_failure;
15766 
15767 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
15768 	    nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
15769 		goto nla_put_failure;
15770 
15771 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
15772 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
15773 		goto nla_put_failure;
15774 
15775 	genlmsg_end(msg, hdr);
15776 
15777 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15778 				NL80211_MCGRP_MLME, gfp);
15779 
15780 	return;
15781 
15782 nla_put_failure:
15783 	nlmsg_free(msg);
15784 }
15785 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
15786 
15787 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
15788 			   u64 cookie, bool acked, s32 ack_signal,
15789 			   bool is_valid_ack_signal, gfp_t gfp)
15790 {
15791 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15792 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15793 	struct sk_buff *msg;
15794 	void *hdr;
15795 
15796 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
15797 
15798 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15799 
15800 	if (!msg)
15801 		return;
15802 
15803 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
15804 	if (!hdr) {
15805 		nlmsg_free(msg);
15806 		return;
15807 	}
15808 
15809 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15810 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15811 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15812 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15813 			      NL80211_ATTR_PAD) ||
15814 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
15815 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
15816 						ack_signal)))
15817 		goto nla_put_failure;
15818 
15819 	genlmsg_end(msg, hdr);
15820 
15821 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15822 				NL80211_MCGRP_MLME, gfp);
15823 	return;
15824 
15825  nla_put_failure:
15826 	nlmsg_free(msg);
15827 }
15828 EXPORT_SYMBOL(cfg80211_probe_status);
15829 
15830 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
15831 				 const u8 *frame, size_t len,
15832 				 int freq, int sig_dbm)
15833 {
15834 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15835 	struct sk_buff *msg;
15836 	void *hdr;
15837 	struct cfg80211_beacon_registration *reg;
15838 
15839 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
15840 
15841 	spin_lock_bh(&rdev->beacon_registrations_lock);
15842 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15843 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
15844 		if (!msg) {
15845 			spin_unlock_bh(&rdev->beacon_registrations_lock);
15846 			return;
15847 		}
15848 
15849 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15850 		if (!hdr)
15851 			goto nla_put_failure;
15852 
15853 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15854 		    (freq &&
15855 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
15856 		    (sig_dbm &&
15857 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15858 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
15859 			goto nla_put_failure;
15860 
15861 		genlmsg_end(msg, hdr);
15862 
15863 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
15864 	}
15865 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15866 	return;
15867 
15868  nla_put_failure:
15869 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15870 	nlmsg_free(msg);
15871 }
15872 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
15873 
15874 #ifdef CONFIG_PM
15875 static int cfg80211_net_detect_results(struct sk_buff *msg,
15876 				       struct cfg80211_wowlan_wakeup *wakeup)
15877 {
15878 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
15879 	struct nlattr *nl_results, *nl_match, *nl_freqs;
15880 	int i, j;
15881 
15882 	nl_results = nla_nest_start(
15883 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
15884 	if (!nl_results)
15885 		return -EMSGSIZE;
15886 
15887 	for (i = 0; i < nd->n_matches; i++) {
15888 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
15889 
15890 		nl_match = nla_nest_start(msg, i);
15891 		if (!nl_match)
15892 			break;
15893 
15894 		/* The SSID attribute is optional in nl80211, but for
15895 		 * simplicity reasons it's always present in the
15896 		 * cfg80211 structure.  If a driver can't pass the
15897 		 * SSID, that needs to be changed.  A zero length SSID
15898 		 * is still a valid SSID (wildcard), so it cannot be
15899 		 * used for this purpose.
15900 		 */
15901 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
15902 			    match->ssid.ssid)) {
15903 			nla_nest_cancel(msg, nl_match);
15904 			goto out;
15905 		}
15906 
15907 		if (match->n_channels) {
15908 			nl_freqs = nla_nest_start(
15909 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
15910 			if (!nl_freqs) {
15911 				nla_nest_cancel(msg, nl_match);
15912 				goto out;
15913 			}
15914 
15915 			for (j = 0; j < match->n_channels; j++) {
15916 				if (nla_put_u32(msg, j, match->channels[j])) {
15917 					nla_nest_cancel(msg, nl_freqs);
15918 					nla_nest_cancel(msg, nl_match);
15919 					goto out;
15920 				}
15921 			}
15922 
15923 			nla_nest_end(msg, nl_freqs);
15924 		}
15925 
15926 		nla_nest_end(msg, nl_match);
15927 	}
15928 
15929 out:
15930 	nla_nest_end(msg, nl_results);
15931 	return 0;
15932 }
15933 
15934 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
15935 				   struct cfg80211_wowlan_wakeup *wakeup,
15936 				   gfp_t gfp)
15937 {
15938 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15939 	struct sk_buff *msg;
15940 	void *hdr;
15941 	int size = 200;
15942 
15943 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
15944 
15945 	if (wakeup)
15946 		size += wakeup->packet_present_len;
15947 
15948 	msg = nlmsg_new(size, gfp);
15949 	if (!msg)
15950 		return;
15951 
15952 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
15953 	if (!hdr)
15954 		goto free_msg;
15955 
15956 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15957 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15958 			      NL80211_ATTR_PAD))
15959 		goto free_msg;
15960 
15961 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15962 					wdev->netdev->ifindex))
15963 		goto free_msg;
15964 
15965 	if (wakeup) {
15966 		struct nlattr *reasons;
15967 
15968 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
15969 		if (!reasons)
15970 			goto free_msg;
15971 
15972 		if (wakeup->disconnect &&
15973 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
15974 			goto free_msg;
15975 		if (wakeup->magic_pkt &&
15976 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
15977 			goto free_msg;
15978 		if (wakeup->gtk_rekey_failure &&
15979 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
15980 			goto free_msg;
15981 		if (wakeup->eap_identity_req &&
15982 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
15983 			goto free_msg;
15984 		if (wakeup->four_way_handshake &&
15985 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
15986 			goto free_msg;
15987 		if (wakeup->rfkill_release &&
15988 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
15989 			goto free_msg;
15990 
15991 		if (wakeup->pattern_idx >= 0 &&
15992 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
15993 				wakeup->pattern_idx))
15994 			goto free_msg;
15995 
15996 		if (wakeup->tcp_match &&
15997 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
15998 			goto free_msg;
15999 
16000 		if (wakeup->tcp_connlost &&
16001 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
16002 			goto free_msg;
16003 
16004 		if (wakeup->tcp_nomoretokens &&
16005 		    nla_put_flag(msg,
16006 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
16007 			goto free_msg;
16008 
16009 		if (wakeup->packet) {
16010 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
16011 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
16012 
16013 			if (!wakeup->packet_80211) {
16014 				pkt_attr =
16015 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
16016 				len_attr =
16017 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
16018 			}
16019 
16020 			if (wakeup->packet_len &&
16021 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
16022 				goto free_msg;
16023 
16024 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
16025 				    wakeup->packet))
16026 				goto free_msg;
16027 		}
16028 
16029 		if (wakeup->net_detect &&
16030 		    cfg80211_net_detect_results(msg, wakeup))
16031 				goto free_msg;
16032 
16033 		nla_nest_end(msg, reasons);
16034 	}
16035 
16036 	genlmsg_end(msg, hdr);
16037 
16038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16039 				NL80211_MCGRP_MLME, gfp);
16040 	return;
16041 
16042  free_msg:
16043 	nlmsg_free(msg);
16044 }
16045 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
16046 #endif
16047 
16048 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
16049 				enum nl80211_tdls_operation oper,
16050 				u16 reason_code, gfp_t gfp)
16051 {
16052 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16053 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16054 	struct sk_buff *msg;
16055 	void *hdr;
16056 
16057 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
16058 					 reason_code);
16059 
16060 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16061 	if (!msg)
16062 		return;
16063 
16064 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
16065 	if (!hdr) {
16066 		nlmsg_free(msg);
16067 		return;
16068 	}
16069 
16070 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16071 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16072 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
16073 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
16074 	    (reason_code > 0 &&
16075 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
16076 		goto nla_put_failure;
16077 
16078 	genlmsg_end(msg, hdr);
16079 
16080 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16081 				NL80211_MCGRP_MLME, gfp);
16082 	return;
16083 
16084  nla_put_failure:
16085 	nlmsg_free(msg);
16086 }
16087 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
16088 
16089 static int nl80211_netlink_notify(struct notifier_block * nb,
16090 				  unsigned long state,
16091 				  void *_notify)
16092 {
16093 	struct netlink_notify *notify = _notify;
16094 	struct cfg80211_registered_device *rdev;
16095 	struct wireless_dev *wdev;
16096 	struct cfg80211_beacon_registration *reg, *tmp;
16097 
16098 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
16099 		return NOTIFY_DONE;
16100 
16101 	rcu_read_lock();
16102 
16103 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
16104 		struct cfg80211_sched_scan_request *sched_scan_req;
16105 
16106 		list_for_each_entry_rcu(sched_scan_req,
16107 					&rdev->sched_scan_req_list,
16108 					list) {
16109 			if (sched_scan_req->owner_nlportid == notify->portid) {
16110 				sched_scan_req->nl_owner_dead = true;
16111 				schedule_work(&rdev->sched_scan_stop_wk);
16112 			}
16113 		}
16114 
16115 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
16116 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
16117 
16118 			if (wdev->owner_nlportid == notify->portid) {
16119 				wdev->nl_owner_dead = true;
16120 				schedule_work(&rdev->destroy_work);
16121 			} else if (wdev->conn_owner_nlportid == notify->portid) {
16122 				schedule_work(&wdev->disconnect_wk);
16123 			}
16124 
16125 			cfg80211_release_pmsr(wdev, notify->portid);
16126 		}
16127 
16128 		spin_lock_bh(&rdev->beacon_registrations_lock);
16129 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
16130 					 list) {
16131 			if (reg->nlportid == notify->portid) {
16132 				list_del(&reg->list);
16133 				kfree(reg);
16134 				break;
16135 			}
16136 		}
16137 		spin_unlock_bh(&rdev->beacon_registrations_lock);
16138 	}
16139 
16140 	rcu_read_unlock();
16141 
16142 	/*
16143 	 * It is possible that the user space process that is controlling the
16144 	 * indoor setting disappeared, so notify the regulatory core.
16145 	 */
16146 	regulatory_netlink_notify(notify->portid);
16147 	return NOTIFY_OK;
16148 }
16149 
16150 static struct notifier_block nl80211_netlink_notifier = {
16151 	.notifier_call = nl80211_netlink_notify,
16152 };
16153 
16154 void cfg80211_ft_event(struct net_device *netdev,
16155 		       struct cfg80211_ft_event_params *ft_event)
16156 {
16157 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16158 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16159 	struct sk_buff *msg;
16160 	void *hdr;
16161 
16162 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
16163 
16164 	if (!ft_event->target_ap)
16165 		return;
16166 
16167 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
16168 			GFP_KERNEL);
16169 	if (!msg)
16170 		return;
16171 
16172 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
16173 	if (!hdr)
16174 		goto out;
16175 
16176 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16177 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16178 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
16179 		goto out;
16180 
16181 	if (ft_event->ies &&
16182 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
16183 		goto out;
16184 	if (ft_event->ric_ies &&
16185 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
16186 		    ft_event->ric_ies))
16187 		goto out;
16188 
16189 	genlmsg_end(msg, hdr);
16190 
16191 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16192 				NL80211_MCGRP_MLME, GFP_KERNEL);
16193 	return;
16194  out:
16195 	nlmsg_free(msg);
16196 }
16197 EXPORT_SYMBOL(cfg80211_ft_event);
16198 
16199 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
16200 {
16201 	struct cfg80211_registered_device *rdev;
16202 	struct sk_buff *msg;
16203 	void *hdr;
16204 	u32 nlportid;
16205 
16206 	rdev = wiphy_to_rdev(wdev->wiphy);
16207 	if (!rdev->crit_proto_nlportid)
16208 		return;
16209 
16210 	nlportid = rdev->crit_proto_nlportid;
16211 	rdev->crit_proto_nlportid = 0;
16212 
16213 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16214 	if (!msg)
16215 		return;
16216 
16217 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
16218 	if (!hdr)
16219 		goto nla_put_failure;
16220 
16221 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16222 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16223 			      NL80211_ATTR_PAD))
16224 		goto nla_put_failure;
16225 
16226 	genlmsg_end(msg, hdr);
16227 
16228 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16229 	return;
16230 
16231  nla_put_failure:
16232 	nlmsg_free(msg);
16233 }
16234 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
16235 
16236 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
16237 {
16238 	struct wiphy *wiphy = wdev->wiphy;
16239 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16240 	struct sk_buff *msg;
16241 	void *hdr;
16242 
16243 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16244 	if (!msg)
16245 		return;
16246 
16247 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
16248 	if (!hdr)
16249 		goto out;
16250 
16251 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16252 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
16253 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16254 			      NL80211_ATTR_PAD))
16255 		goto out;
16256 
16257 	genlmsg_end(msg, hdr);
16258 
16259 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
16260 				NL80211_MCGRP_MLME, GFP_KERNEL);
16261 	return;
16262  out:
16263 	nlmsg_free(msg);
16264 }
16265 
16266 int cfg80211_external_auth_request(struct net_device *dev,
16267 				   struct cfg80211_external_auth_params *params,
16268 				   gfp_t gfp)
16269 {
16270 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16271 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16272 	struct sk_buff *msg;
16273 	void *hdr;
16274 
16275 	if (!wdev->conn_owner_nlportid)
16276 		return -EINVAL;
16277 
16278 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16279 	if (!msg)
16280 		return -ENOMEM;
16281 
16282 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
16283 	if (!hdr)
16284 		goto nla_put_failure;
16285 
16286 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16287 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16288 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
16289 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
16290 			params->action) ||
16291 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
16292 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
16293 		    params->ssid.ssid))
16294 		goto nla_put_failure;
16295 
16296 	genlmsg_end(msg, hdr);
16297 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16298 			wdev->conn_owner_nlportid);
16299 	return 0;
16300 
16301  nla_put_failure:
16302 	nlmsg_free(msg);
16303 	return -ENOBUFS;
16304 }
16305 EXPORT_SYMBOL(cfg80211_external_auth_request);
16306 
16307 /* initialisation/exit functions */
16308 
16309 int __init nl80211_init(void)
16310 {
16311 	int err;
16312 
16313 	err = genl_register_family(&nl80211_fam);
16314 	if (err)
16315 		return err;
16316 
16317 	err = netlink_register_notifier(&nl80211_netlink_notifier);
16318 	if (err)
16319 		goto err_out;
16320 
16321 	return 0;
16322  err_out:
16323 	genl_unregister_family(&nl80211_fam);
16324 	return err;
16325 }
16326 
16327 void nl80211_exit(void)
16328 {
16329 	netlink_unregister_notifier(&nl80211_netlink_notifier);
16330 	genl_unregister_family(&nl80211_fam);
16331 }
16332