xref: /openbmc/linux/net/wireless/nl80211.c (revision 47010c04) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
460 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
461 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
463 				      .len = 20-1 },
464 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
465 
466 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
467 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
469 						NL80211_EDMG_CHANNELS_MIN,
470 						NL80211_EDMG_CHANNELS_MAX),
471 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
472 						NL80211_EDMG_BW_CONFIG_MIN,
473 						NL80211_EDMG_BW_CONFIG_MAX),
474 
475 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
476 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
477 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
478 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
479 
480 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
481 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
482 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
485 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
488 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
489 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
490 
491 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
492 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
493 
494 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
495 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
496 				    .len = WLAN_MAX_KEY_LEN },
497 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
498 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
499 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
501 	[NL80211_ATTR_KEY_TYPE] =
502 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
503 
504 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
505 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
506 	[NL80211_ATTR_BEACON_HEAD] =
507 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
508 				       IEEE80211_MAX_DATA_LEN),
509 	[NL80211_ATTR_BEACON_TAIL] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_STA_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
516 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
517 					       .len = NL80211_MAX_SUPP_RATES },
518 	[NL80211_ATTR_STA_PLINK_ACTION] =
519 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
520 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
521 		NLA_POLICY_RANGE(NLA_U8,
522 				 NL80211_TX_POWER_AUTOMATIC,
523 				 NL80211_TX_POWER_FIXED),
524 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
525 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
526 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
527 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
528 				   .len = IEEE80211_MAX_MESH_ID_LEN },
529 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
530 
531 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
532 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
533 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
534 
535 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
536 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
537 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
538 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
539 					   .len = NL80211_MAX_SUPP_RATES },
540 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
541 
542 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
543 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
544 
545 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
546 
547 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
549 						   validate_ie_attr,
550 						   IEEE80211_MAX_DATA_LEN),
551 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
552 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
553 
554 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
555 				.len = IEEE80211_MAX_SSID_LEN },
556 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
557 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
561 						  NL80211_MFP_NO,
562 						  NL80211_MFP_OPTIONAL),
563 	[NL80211_ATTR_STA_FLAGS2] = {
564 		.len = sizeof(struct nl80211_sta_flag_update),
565 	},
566 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
568 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
572 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
573 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
574 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
576 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
577 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
578 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
579 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
580 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
581 				 .len = IEEE80211_MAX_DATA_LEN },
582 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
583 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
584 						   NL80211_PS_DISABLED,
585 						   NL80211_PS_ENABLED),
586 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
587 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
589 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
590 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
591 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
592 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
593 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
594 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
595 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_STA_PLINK_STATE] =
599 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
600 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
601 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_MESH_PEER_AID] =
603 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
604 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
605 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
606 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_HIDDEN_SSID] =
608 		NLA_POLICY_RANGE(NLA_U32,
609 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
610 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
611 	[NL80211_ATTR_IE_PROBE_RESP] =
612 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
613 				       IEEE80211_MAX_DATA_LEN),
614 	[NL80211_ATTR_IE_ASSOC_RESP] =
615 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
616 				       IEEE80211_MAX_DATA_LEN),
617 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
618 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
619 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
621 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
622 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
623 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
624 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
625 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
627 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
628 				      .len = IEEE80211_MAX_DATA_LEN },
629 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
630 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
632 		.len = NL80211_HT_CAPABILITY_LEN
633 	},
634 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
635 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
636 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
637 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
638 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
639 
640 	/* need to include at least Auth Transaction and Status Code */
641 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
642 
643 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
644 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
645 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
646 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
647 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
648 		NLA_POLICY_RANGE(NLA_U32,
649 				 NL80211_MESH_POWER_UNKNOWN + 1,
650 				 NL80211_MESH_POWER_MAX),
651 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
652 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
654 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
655 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
656 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
657 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
658 		.len = NL80211_VHT_CAPABILITY_LEN,
659 	},
660 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
661 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
662 				  .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
664 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
665 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
666 	[NL80211_ATTR_PEER_AID] =
667 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
668 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
669 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
670 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
671 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
672 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
673 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
674 	/*
675 	 * The value of the Length field of the Supported Operating
676 	 * Classes element is between 2 and 253.
677 	 */
678 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
679 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
680 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
682 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
683 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
684 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
686 						  IEEE80211_QOS_MAP_LEN_MIN,
687 						  IEEE80211_QOS_MAP_LEN_MAX),
688 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
689 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
690 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
691 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
693 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
694 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
695 	[NL80211_ATTR_USER_PRIO] =
696 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
697 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
698 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
699 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
700 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
702 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
704 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
707 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
708 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
709 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
710 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
711 	},
712 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
714 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
715 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
716 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
717 				    .len = FILS_MAX_KEK_LEN },
718 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
719 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
720 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
721 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
722 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
723 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
724 	},
725 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
726 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
727 					     .len = FILS_ERP_MAX_USERNAME_LEN },
728 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
729 					  .len = FILS_ERP_MAX_REALM_LEN },
730 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
731 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
732 					.len = FILS_ERP_MAX_RRK_LEN },
733 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
734 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
735 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
736 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
738 
739 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
740 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
741 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
742 	[NL80211_ATTR_HE_CAPABILITY] =
743 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
744 				       NL80211_HE_MAX_CAPABILITY_LEN),
745 	[NL80211_ATTR_FTM_RESPONDER] =
746 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
747 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
748 	[NL80211_ATTR_PEER_MEASUREMENTS] =
749 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
750 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
751 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
752 					.len = SAE_PASSWORD_MAX_LEN },
753 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
755 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
756 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
757 	[NL80211_ATTR_TID_CONFIG] =
758 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
759 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
761 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
762 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
763 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
764 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
765 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
766 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
767 	[NL80211_ATTR_FILS_DISCOVERY] =
768 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
769 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
770 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
771 	[NL80211_ATTR_S1G_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
773 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
774 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
775 	[NL80211_ATTR_SAE_PWE] =
776 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
777 				 NL80211_SAE_PWE_BOTH),
778 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
779 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
780 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
781 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
782 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
783 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
784 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
785 	[NL80211_ATTR_MBSSID_CONFIG] =
786 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
787 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
789 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
790 	[NL80211_ATTR_EHT_CAPABILITY] =
791 		NLA_POLICY_RANGE(NLA_BINARY,
792 				 NL80211_EHT_MIN_CAPABILITY_LEN,
793 				 NL80211_EHT_MAX_CAPABILITY_LEN),
794 };
795 
796 /* policy for the key attributes */
797 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
798 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
799 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
800 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
801 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
802 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
803 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
804 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
805 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
806 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
807 };
808 
809 /* policy for the key default flags */
810 static const struct nla_policy
811 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
812 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
813 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
814 };
815 
816 #ifdef CONFIG_PM
817 /* policy for WoWLAN attributes */
818 static const struct nla_policy
819 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
820 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
821 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
822 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
823 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
824 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
825 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
826 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
827 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
828 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
829 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
830 };
831 
832 static const struct nla_policy
833 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
834 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
835 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
836 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
837 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
838 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
839 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
840 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
841 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
842 	},
843 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
844 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
845 	},
846 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
847 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
848 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
849 };
850 #endif /* CONFIG_PM */
851 
852 /* policy for coalesce rule attributes */
853 static const struct nla_policy
854 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
855 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
856 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
857 		NLA_POLICY_RANGE(NLA_U32,
858 				 NL80211_COALESCE_CONDITION_MATCH,
859 				 NL80211_COALESCE_CONDITION_NO_MATCH),
860 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
861 };
862 
863 /* policy for GTK rekey offload attributes */
864 static const struct nla_policy
865 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
866 	[NL80211_REKEY_DATA_KEK] = {
867 		.type = NLA_BINARY,
868 		.len = NL80211_KEK_EXT_LEN
869 	},
870 	[NL80211_REKEY_DATA_KCK] = {
871 		.type = NLA_BINARY,
872 		.len = NL80211_KCK_EXT_LEN
873 	},
874 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
875 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
876 };
877 
878 static const struct nla_policy
879 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
880 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
881 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
882 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
883 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
884 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
885 };
886 
887 static const struct nla_policy
888 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
889 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
890 						 .len = IEEE80211_MAX_SSID_LEN },
891 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
892 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
893 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
894 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
895 };
896 
897 static const struct nla_policy
898 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
899 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
900 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
901 };
902 
903 static const struct nla_policy
904 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
905 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
906 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
907 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
908 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
909 	},
910 };
911 
912 /* policy for NAN function attributes */
913 static const struct nla_policy
914 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
915 	[NL80211_NAN_FUNC_TYPE] =
916 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
917 	[NL80211_NAN_FUNC_SERVICE_ID] = {
918 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
919 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
920 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
921 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
922 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
923 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
924 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
925 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
926 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
927 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
928 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
929 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
930 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
931 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
932 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
933 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
934 };
935 
936 /* policy for Service Response Filter attributes */
937 static const struct nla_policy
938 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
939 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
940 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
941 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
942 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
943 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
944 };
945 
946 /* policy for packet pattern attributes */
947 static const struct nla_policy
948 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
949 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
950 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
951 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
952 };
953 
954 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
955 				     struct cfg80211_registered_device **rdev,
956 				     struct wireless_dev **wdev,
957 				     struct nlattr **attrbuf)
958 {
959 	int err;
960 
961 	if (!cb->args[0]) {
962 		struct nlattr **attrbuf_free = NULL;
963 
964 		if (!attrbuf) {
965 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
966 					  GFP_KERNEL);
967 			if (!attrbuf)
968 				return -ENOMEM;
969 			attrbuf_free = attrbuf;
970 		}
971 
972 		err = nlmsg_parse_deprecated(cb->nlh,
973 					     GENL_HDRLEN + nl80211_fam.hdrsize,
974 					     attrbuf, nl80211_fam.maxattr,
975 					     nl80211_policy, NULL);
976 		if (err) {
977 			kfree(attrbuf_free);
978 			return err;
979 		}
980 
981 		rtnl_lock();
982 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
983 						   attrbuf);
984 		kfree(attrbuf_free);
985 		if (IS_ERR(*wdev)) {
986 			rtnl_unlock();
987 			return PTR_ERR(*wdev);
988 		}
989 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
990 		mutex_lock(&(*rdev)->wiphy.mtx);
991 		rtnl_unlock();
992 		/* 0 is the first index - add 1 to parse only once */
993 		cb->args[0] = (*rdev)->wiphy_idx + 1;
994 		cb->args[1] = (*wdev)->identifier;
995 	} else {
996 		/* subtract the 1 again here */
997 		struct wiphy *wiphy;
998 		struct wireless_dev *tmp;
999 
1000 		rtnl_lock();
1001 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1002 		if (!wiphy) {
1003 			rtnl_unlock();
1004 			return -ENODEV;
1005 		}
1006 		*rdev = wiphy_to_rdev(wiphy);
1007 		*wdev = NULL;
1008 
1009 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1010 			if (tmp->identifier == cb->args[1]) {
1011 				*wdev = tmp;
1012 				break;
1013 			}
1014 		}
1015 
1016 		if (!*wdev) {
1017 			rtnl_unlock();
1018 			return -ENODEV;
1019 		}
1020 		mutex_lock(&(*rdev)->wiphy.mtx);
1021 		rtnl_unlock();
1022 	}
1023 
1024 	return 0;
1025 }
1026 
1027 /* message building helper */
1028 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1029 		     int flags, u8 cmd)
1030 {
1031 	/* since there is no private header just add the generic one */
1032 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1033 }
1034 
1035 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1036 				     const struct ieee80211_reg_rule *rule)
1037 {
1038 	int j;
1039 	struct nlattr *nl_wmm_rules =
1040 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1041 
1042 	if (!nl_wmm_rules)
1043 		goto nla_put_failure;
1044 
1045 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1046 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1047 
1048 		if (!nl_wmm_rule)
1049 			goto nla_put_failure;
1050 
1051 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1052 				rule->wmm_rule.client[j].cw_min) ||
1053 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1054 				rule->wmm_rule.client[j].cw_max) ||
1055 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1056 			       rule->wmm_rule.client[j].aifsn) ||
1057 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1058 			        rule->wmm_rule.client[j].cot))
1059 			goto nla_put_failure;
1060 
1061 		nla_nest_end(msg, nl_wmm_rule);
1062 	}
1063 	nla_nest_end(msg, nl_wmm_rules);
1064 
1065 	return 0;
1066 
1067 nla_put_failure:
1068 	return -ENOBUFS;
1069 }
1070 
1071 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1072 				   struct ieee80211_channel *chan,
1073 				   bool large)
1074 {
1075 	/* Some channels must be completely excluded from the
1076 	 * list to protect old user-space tools from breaking
1077 	 */
1078 	if (!large && chan->flags &
1079 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1080 		return 0;
1081 	if (!large && chan->freq_offset)
1082 		return 0;
1083 
1084 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1085 			chan->center_freq))
1086 		goto nla_put_failure;
1087 
1088 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1089 		goto nla_put_failure;
1090 
1091 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1092 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1093 		goto nla_put_failure;
1094 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1095 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1096 			goto nla_put_failure;
1097 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1098 			goto nla_put_failure;
1099 	}
1100 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1101 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1102 			goto nla_put_failure;
1103 		if (large) {
1104 			u32 time;
1105 
1106 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1107 
1108 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1109 					chan->dfs_state))
1110 				goto nla_put_failure;
1111 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1112 					time))
1113 				goto nla_put_failure;
1114 			if (nla_put_u32(msg,
1115 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1116 					chan->dfs_cac_ms))
1117 				goto nla_put_failure;
1118 		}
1119 	}
1120 
1121 	if (large) {
1122 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1123 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1124 			goto nla_put_failure;
1125 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1126 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1127 			goto nla_put_failure;
1128 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1129 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1130 			goto nla_put_failure;
1131 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1132 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1133 			goto nla_put_failure;
1134 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1135 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1136 			goto nla_put_failure;
1137 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1138 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1139 			goto nla_put_failure;
1140 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1141 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1142 			goto nla_put_failure;
1143 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1144 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1145 			goto nla_put_failure;
1146 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1147 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1148 			goto nla_put_failure;
1149 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1169 			goto nla_put_failure;
1170 	}
1171 
1172 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1173 			DBM_TO_MBM(chan->max_power)))
1174 		goto nla_put_failure;
1175 
1176 	if (large) {
1177 		const struct ieee80211_reg_rule *rule =
1178 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1179 
1180 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1181 			if (nl80211_msg_put_wmm_rules(msg, rule))
1182 				goto nla_put_failure;
1183 		}
1184 	}
1185 
1186 	return 0;
1187 
1188  nla_put_failure:
1189 	return -ENOBUFS;
1190 }
1191 
1192 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1193 				  struct cfg80211_txq_stats *txqstats,
1194 				  int attrtype)
1195 {
1196 	struct nlattr *txqattr;
1197 
1198 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1199 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1200 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1201 		return false;						  \
1202 	} while (0)
1203 
1204 	txqattr = nla_nest_start_noflag(msg, attrtype);
1205 	if (!txqattr)
1206 		return false;
1207 
1208 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1209 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1210 	PUT_TXQVAL_U32(FLOWS, flows);
1211 	PUT_TXQVAL_U32(DROPS, drops);
1212 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1213 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1214 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1215 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1216 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1217 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1218 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1219 	nla_nest_end(msg, txqattr);
1220 
1221 #undef PUT_TXQVAL_U32
1222 	return true;
1223 }
1224 
1225 /* netlink command implementations */
1226 
1227 struct key_parse {
1228 	struct key_params p;
1229 	int idx;
1230 	int type;
1231 	bool def, defmgmt, defbeacon;
1232 	bool def_uni, def_multi;
1233 };
1234 
1235 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1236 				 struct key_parse *k)
1237 {
1238 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1239 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1240 					      nl80211_key_policy,
1241 					      info->extack);
1242 	if (err)
1243 		return err;
1244 
1245 	k->def = !!tb[NL80211_KEY_DEFAULT];
1246 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1247 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1248 
1249 	if (k->def) {
1250 		k->def_uni = true;
1251 		k->def_multi = true;
1252 	}
1253 	if (k->defmgmt || k->defbeacon)
1254 		k->def_multi = true;
1255 
1256 	if (tb[NL80211_KEY_IDX])
1257 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1258 
1259 	if (tb[NL80211_KEY_DATA]) {
1260 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1261 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1262 	}
1263 
1264 	if (tb[NL80211_KEY_SEQ]) {
1265 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1266 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1267 	}
1268 
1269 	if (tb[NL80211_KEY_CIPHER])
1270 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1271 
1272 	if (tb[NL80211_KEY_TYPE])
1273 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1274 
1275 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1276 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1277 
1278 		err = nla_parse_nested_deprecated(kdt,
1279 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1280 						  tb[NL80211_KEY_DEFAULT_TYPES],
1281 						  nl80211_key_default_policy,
1282 						  info->extack);
1283 		if (err)
1284 			return err;
1285 
1286 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1287 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1288 	}
1289 
1290 	if (tb[NL80211_KEY_MODE])
1291 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1292 
1293 	return 0;
1294 }
1295 
1296 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1297 {
1298 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1299 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1300 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1301 	}
1302 
1303 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1304 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1305 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1306 	}
1307 
1308 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1309 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1310 
1311 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1312 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1313 
1314 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1315 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1316 
1317 	if (k->def) {
1318 		k->def_uni = true;
1319 		k->def_multi = true;
1320 	}
1321 	if (k->defmgmt)
1322 		k->def_multi = true;
1323 
1324 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1325 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1326 
1327 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1328 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1329 		int err = nla_parse_nested_deprecated(kdt,
1330 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1331 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1332 						      nl80211_key_default_policy,
1333 						      info->extack);
1334 		if (err)
1335 			return err;
1336 
1337 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1338 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1339 	}
1340 
1341 	return 0;
1342 }
1343 
1344 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1345 {
1346 	int err;
1347 
1348 	memset(k, 0, sizeof(*k));
1349 	k->idx = -1;
1350 	k->type = -1;
1351 
1352 	if (info->attrs[NL80211_ATTR_KEY])
1353 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1354 	else
1355 		err = nl80211_parse_key_old(info, k);
1356 
1357 	if (err)
1358 		return err;
1359 
1360 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1361 	    (k->defbeacon ? 1 : 0) > 1) {
1362 		GENL_SET_ERR_MSG(info,
1363 				 "key with multiple default flags is invalid");
1364 		return -EINVAL;
1365 	}
1366 
1367 	if (k->defmgmt || k->defbeacon) {
1368 		if (k->def_uni || !k->def_multi) {
1369 			GENL_SET_ERR_MSG(info,
1370 					 "defmgmt/defbeacon key must be mcast");
1371 			return -EINVAL;
1372 		}
1373 	}
1374 
1375 	if (k->idx != -1) {
1376 		if (k->defmgmt) {
1377 			if (k->idx < 4 || k->idx > 5) {
1378 				GENL_SET_ERR_MSG(info,
1379 						 "defmgmt key idx not 4 or 5");
1380 				return -EINVAL;
1381 			}
1382 		} else if (k->defbeacon) {
1383 			if (k->idx < 6 || k->idx > 7) {
1384 				GENL_SET_ERR_MSG(info,
1385 						 "defbeacon key idx not 6 or 7");
1386 				return -EINVAL;
1387 			}
1388 		} else if (k->def) {
1389 			if (k->idx < 0 || k->idx > 3) {
1390 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1391 				return -EINVAL;
1392 			}
1393 		} else {
1394 			if (k->idx < 0 || k->idx > 7) {
1395 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1396 				return -EINVAL;
1397 			}
1398 		}
1399 	}
1400 
1401 	return 0;
1402 }
1403 
1404 static struct cfg80211_cached_keys *
1405 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1406 		       struct genl_info *info, bool *no_ht)
1407 {
1408 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1409 	struct key_parse parse;
1410 	struct nlattr *key;
1411 	struct cfg80211_cached_keys *result;
1412 	int rem, err, def = 0;
1413 	bool have_key = false;
1414 
1415 	nla_for_each_nested(key, keys, rem) {
1416 		have_key = true;
1417 		break;
1418 	}
1419 
1420 	if (!have_key)
1421 		return NULL;
1422 
1423 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1424 	if (!result)
1425 		return ERR_PTR(-ENOMEM);
1426 
1427 	result->def = -1;
1428 
1429 	nla_for_each_nested(key, keys, rem) {
1430 		memset(&parse, 0, sizeof(parse));
1431 		parse.idx = -1;
1432 
1433 		err = nl80211_parse_key_new(info, key, &parse);
1434 		if (err)
1435 			goto error;
1436 		err = -EINVAL;
1437 		if (!parse.p.key)
1438 			goto error;
1439 		if (parse.idx < 0 || parse.idx > 3) {
1440 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1441 			goto error;
1442 		}
1443 		if (parse.def) {
1444 			if (def) {
1445 				GENL_SET_ERR_MSG(info,
1446 						 "only one key can be default");
1447 				goto error;
1448 			}
1449 			def = 1;
1450 			result->def = parse.idx;
1451 			if (!parse.def_uni || !parse.def_multi)
1452 				goto error;
1453 		} else if (parse.defmgmt)
1454 			goto error;
1455 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1456 						     parse.idx, false, NULL);
1457 		if (err)
1458 			goto error;
1459 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1460 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1461 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1462 			err = -EINVAL;
1463 			goto error;
1464 		}
1465 		result->params[parse.idx].cipher = parse.p.cipher;
1466 		result->params[parse.idx].key_len = parse.p.key_len;
1467 		result->params[parse.idx].key = result->data[parse.idx];
1468 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1469 
1470 		/* must be WEP key if we got here */
1471 		if (no_ht)
1472 			*no_ht = true;
1473 	}
1474 
1475 	if (result->def < 0) {
1476 		err = -EINVAL;
1477 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1478 		goto error;
1479 	}
1480 
1481 	return result;
1482  error:
1483 	kfree(result);
1484 	return ERR_PTR(err);
1485 }
1486 
1487 static int nl80211_key_allowed(struct wireless_dev *wdev)
1488 {
1489 	ASSERT_WDEV_LOCK(wdev);
1490 
1491 	switch (wdev->iftype) {
1492 	case NL80211_IFTYPE_AP:
1493 	case NL80211_IFTYPE_AP_VLAN:
1494 	case NL80211_IFTYPE_P2P_GO:
1495 	case NL80211_IFTYPE_MESH_POINT:
1496 		break;
1497 	case NL80211_IFTYPE_ADHOC:
1498 	case NL80211_IFTYPE_STATION:
1499 	case NL80211_IFTYPE_P2P_CLIENT:
1500 		if (!wdev->current_bss)
1501 			return -ENOLINK;
1502 		break;
1503 	case NL80211_IFTYPE_UNSPECIFIED:
1504 	case NL80211_IFTYPE_OCB:
1505 	case NL80211_IFTYPE_MONITOR:
1506 	case NL80211_IFTYPE_NAN:
1507 	case NL80211_IFTYPE_P2P_DEVICE:
1508 	case NL80211_IFTYPE_WDS:
1509 	case NUM_NL80211_IFTYPES:
1510 		return -EINVAL;
1511 	}
1512 
1513 	return 0;
1514 }
1515 
1516 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1517 							u32 freq)
1518 {
1519 	struct ieee80211_channel *chan;
1520 
1521 	chan = ieee80211_get_channel_khz(wiphy, freq);
1522 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1523 		return NULL;
1524 	return chan;
1525 }
1526 
1527 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1528 {
1529 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1530 	int i;
1531 
1532 	if (!nl_modes)
1533 		goto nla_put_failure;
1534 
1535 	i = 0;
1536 	while (ifmodes) {
1537 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1538 			goto nla_put_failure;
1539 		ifmodes >>= 1;
1540 		i++;
1541 	}
1542 
1543 	nla_nest_end(msg, nl_modes);
1544 	return 0;
1545 
1546 nla_put_failure:
1547 	return -ENOBUFS;
1548 }
1549 
1550 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1551 					  struct sk_buff *msg,
1552 					  bool large)
1553 {
1554 	struct nlattr *nl_combis;
1555 	int i, j;
1556 
1557 	nl_combis = nla_nest_start_noflag(msg,
1558 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1559 	if (!nl_combis)
1560 		goto nla_put_failure;
1561 
1562 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1563 		const struct ieee80211_iface_combination *c;
1564 		struct nlattr *nl_combi, *nl_limits;
1565 
1566 		c = &wiphy->iface_combinations[i];
1567 
1568 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1569 		if (!nl_combi)
1570 			goto nla_put_failure;
1571 
1572 		nl_limits = nla_nest_start_noflag(msg,
1573 						  NL80211_IFACE_COMB_LIMITS);
1574 		if (!nl_limits)
1575 			goto nla_put_failure;
1576 
1577 		for (j = 0; j < c->n_limits; j++) {
1578 			struct nlattr *nl_limit;
1579 
1580 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1581 			if (!nl_limit)
1582 				goto nla_put_failure;
1583 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1584 					c->limits[j].max))
1585 				goto nla_put_failure;
1586 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1587 						c->limits[j].types))
1588 				goto nla_put_failure;
1589 			nla_nest_end(msg, nl_limit);
1590 		}
1591 
1592 		nla_nest_end(msg, nl_limits);
1593 
1594 		if (c->beacon_int_infra_match &&
1595 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1596 			goto nla_put_failure;
1597 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1598 				c->num_different_channels) ||
1599 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1600 				c->max_interfaces))
1601 			goto nla_put_failure;
1602 		if (large &&
1603 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1604 				c->radar_detect_widths) ||
1605 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1606 				c->radar_detect_regions)))
1607 			goto nla_put_failure;
1608 		if (c->beacon_int_min_gcd &&
1609 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1610 				c->beacon_int_min_gcd))
1611 			goto nla_put_failure;
1612 
1613 		nla_nest_end(msg, nl_combi);
1614 	}
1615 
1616 	nla_nest_end(msg, nl_combis);
1617 
1618 	return 0;
1619 nla_put_failure:
1620 	return -ENOBUFS;
1621 }
1622 
1623 #ifdef CONFIG_PM
1624 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1625 					struct sk_buff *msg)
1626 {
1627 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1628 	struct nlattr *nl_tcp;
1629 
1630 	if (!tcp)
1631 		return 0;
1632 
1633 	nl_tcp = nla_nest_start_noflag(msg,
1634 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1635 	if (!nl_tcp)
1636 		return -ENOBUFS;
1637 
1638 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1639 			tcp->data_payload_max))
1640 		return -ENOBUFS;
1641 
1642 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1643 			tcp->data_payload_max))
1644 		return -ENOBUFS;
1645 
1646 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1647 		return -ENOBUFS;
1648 
1649 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1650 				sizeof(*tcp->tok), tcp->tok))
1651 		return -ENOBUFS;
1652 
1653 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1654 			tcp->data_interval_max))
1655 		return -ENOBUFS;
1656 
1657 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1658 			tcp->wake_payload_max))
1659 		return -ENOBUFS;
1660 
1661 	nla_nest_end(msg, nl_tcp);
1662 	return 0;
1663 }
1664 
1665 static int nl80211_send_wowlan(struct sk_buff *msg,
1666 			       struct cfg80211_registered_device *rdev,
1667 			       bool large)
1668 {
1669 	struct nlattr *nl_wowlan;
1670 
1671 	if (!rdev->wiphy.wowlan)
1672 		return 0;
1673 
1674 	nl_wowlan = nla_nest_start_noflag(msg,
1675 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1676 	if (!nl_wowlan)
1677 		return -ENOBUFS;
1678 
1679 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1680 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1681 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1682 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1683 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1684 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1685 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1686 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1687 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1688 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1689 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1690 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1691 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1692 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1693 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1694 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1695 		return -ENOBUFS;
1696 
1697 	if (rdev->wiphy.wowlan->n_patterns) {
1698 		struct nl80211_pattern_support pat = {
1699 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1700 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1701 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1702 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1703 		};
1704 
1705 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1706 			    sizeof(pat), &pat))
1707 			return -ENOBUFS;
1708 	}
1709 
1710 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1711 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1712 			rdev->wiphy.wowlan->max_nd_match_sets))
1713 		return -ENOBUFS;
1714 
1715 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1716 		return -ENOBUFS;
1717 
1718 	nla_nest_end(msg, nl_wowlan);
1719 
1720 	return 0;
1721 }
1722 #endif
1723 
1724 static int nl80211_send_coalesce(struct sk_buff *msg,
1725 				 struct cfg80211_registered_device *rdev)
1726 {
1727 	struct nl80211_coalesce_rule_support rule;
1728 
1729 	if (!rdev->wiphy.coalesce)
1730 		return 0;
1731 
1732 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1733 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1734 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1735 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1736 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1737 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1738 
1739 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1740 		return -ENOBUFS;
1741 
1742 	return 0;
1743 }
1744 
1745 static int
1746 nl80211_send_iftype_data(struct sk_buff *msg,
1747 			 const struct ieee80211_supported_band *sband,
1748 			 const struct ieee80211_sband_iftype_data *iftdata)
1749 {
1750 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1751 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1752 
1753 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1754 				iftdata->types_mask))
1755 		return -ENOBUFS;
1756 
1757 	if (he_cap->has_he) {
1758 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1759 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1760 			    he_cap->he_cap_elem.mac_cap_info) ||
1761 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1762 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1763 			    he_cap->he_cap_elem.phy_cap_info) ||
1764 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1765 			    sizeof(he_cap->he_mcs_nss_supp),
1766 			    &he_cap->he_mcs_nss_supp) ||
1767 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1768 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1769 			return -ENOBUFS;
1770 	}
1771 
1772 	if (eht_cap->has_eht && he_cap->has_he) {
1773 		u8 mcs_nss_size, ppe_thresh_size;
1774 		u16 ppe_thres_hdr;
1775 
1776 		mcs_nss_size =
1777 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1778 						   &eht_cap->eht_cap_elem);
1779 
1780 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1781 		ppe_thresh_size =
1782 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1783 					       eht_cap->eht_cap_elem.phy_cap_info);
1784 
1785 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1786 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1787 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1788 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1789 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1790 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1791 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1792 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1793 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1794 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1795 			return -ENOBUFS;
1796 	}
1797 
1798 	if (sband->band == NL80211_BAND_6GHZ &&
1799 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1800 		    sizeof(iftdata->he_6ghz_capa),
1801 		    &iftdata->he_6ghz_capa))
1802 		return -ENOBUFS;
1803 
1804 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1805 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1806 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1807 		return -ENOBUFS;
1808 
1809 	return 0;
1810 }
1811 
1812 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1813 				      struct ieee80211_supported_band *sband,
1814 				      bool large)
1815 {
1816 	struct nlattr *nl_rates, *nl_rate;
1817 	struct ieee80211_rate *rate;
1818 	int i;
1819 
1820 	/* add HT info */
1821 	if (sband->ht_cap.ht_supported &&
1822 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1823 		     sizeof(sband->ht_cap.mcs),
1824 		     &sband->ht_cap.mcs) ||
1825 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1826 			 sband->ht_cap.cap) ||
1827 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1828 			sband->ht_cap.ampdu_factor) ||
1829 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1830 			sband->ht_cap.ampdu_density)))
1831 		return -ENOBUFS;
1832 
1833 	/* add VHT info */
1834 	if (sband->vht_cap.vht_supported &&
1835 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1836 		     sizeof(sband->vht_cap.vht_mcs),
1837 		     &sband->vht_cap.vht_mcs) ||
1838 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1839 			 sband->vht_cap.cap)))
1840 		return -ENOBUFS;
1841 
1842 	if (large && sband->n_iftype_data) {
1843 		struct nlattr *nl_iftype_data =
1844 			nla_nest_start_noflag(msg,
1845 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1846 		int err;
1847 
1848 		if (!nl_iftype_data)
1849 			return -ENOBUFS;
1850 
1851 		for (i = 0; i < sband->n_iftype_data; i++) {
1852 			struct nlattr *iftdata;
1853 
1854 			iftdata = nla_nest_start_noflag(msg, i + 1);
1855 			if (!iftdata)
1856 				return -ENOBUFS;
1857 
1858 			err = nl80211_send_iftype_data(msg, sband,
1859 						       &sband->iftype_data[i]);
1860 			if (err)
1861 				return err;
1862 
1863 			nla_nest_end(msg, iftdata);
1864 		}
1865 
1866 		nla_nest_end(msg, nl_iftype_data);
1867 	}
1868 
1869 	/* add EDMG info */
1870 	if (large && sband->edmg_cap.channels &&
1871 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1872 		       sband->edmg_cap.channels) ||
1873 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1874 		       sband->edmg_cap.bw_config)))
1875 
1876 		return -ENOBUFS;
1877 
1878 	/* add bitrates */
1879 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1880 	if (!nl_rates)
1881 		return -ENOBUFS;
1882 
1883 	for (i = 0; i < sband->n_bitrates; i++) {
1884 		nl_rate = nla_nest_start_noflag(msg, i);
1885 		if (!nl_rate)
1886 			return -ENOBUFS;
1887 
1888 		rate = &sband->bitrates[i];
1889 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1890 				rate->bitrate))
1891 			return -ENOBUFS;
1892 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1893 		    nla_put_flag(msg,
1894 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1895 			return -ENOBUFS;
1896 
1897 		nla_nest_end(msg, nl_rate);
1898 	}
1899 
1900 	nla_nest_end(msg, nl_rates);
1901 
1902 	return 0;
1903 }
1904 
1905 static int
1906 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1907 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1908 {
1909 	u16 stypes;
1910 	struct nlattr *nl_ftypes, *nl_ifs;
1911 	enum nl80211_iftype ift;
1912 	int i;
1913 
1914 	if (!mgmt_stypes)
1915 		return 0;
1916 
1917 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1918 	if (!nl_ifs)
1919 		return -ENOBUFS;
1920 
1921 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1922 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1923 		if (!nl_ftypes)
1924 			return -ENOBUFS;
1925 		i = 0;
1926 		stypes = mgmt_stypes[ift].tx;
1927 		while (stypes) {
1928 			if ((stypes & 1) &&
1929 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1930 					(i << 4) | IEEE80211_FTYPE_MGMT))
1931 				return -ENOBUFS;
1932 			stypes >>= 1;
1933 			i++;
1934 		}
1935 		nla_nest_end(msg, nl_ftypes);
1936 	}
1937 
1938 	nla_nest_end(msg, nl_ifs);
1939 
1940 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1941 	if (!nl_ifs)
1942 		return -ENOBUFS;
1943 
1944 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1945 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1946 		if (!nl_ftypes)
1947 			return -ENOBUFS;
1948 		i = 0;
1949 		stypes = mgmt_stypes[ift].rx;
1950 		while (stypes) {
1951 			if ((stypes & 1) &&
1952 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1953 					(i << 4) | IEEE80211_FTYPE_MGMT))
1954 				return -ENOBUFS;
1955 			stypes >>= 1;
1956 			i++;
1957 		}
1958 		nla_nest_end(msg, nl_ftypes);
1959 	}
1960 	nla_nest_end(msg, nl_ifs);
1961 
1962 	return 0;
1963 }
1964 
1965 #define CMD(op, n)							\
1966 	 do {								\
1967 		if (rdev->ops->op) {					\
1968 			i++;						\
1969 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1970 				goto nla_put_failure;			\
1971 		}							\
1972 	} while (0)
1973 
1974 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1975 					struct sk_buff *msg)
1976 {
1977 	int i = 0;
1978 
1979 	/*
1980 	 * do *NOT* add anything into this function, new things need to be
1981 	 * advertised only to new versions of userspace that can deal with
1982 	 * the split (and they can't possibly care about new features...
1983 	 */
1984 	CMD(add_virtual_intf, NEW_INTERFACE);
1985 	CMD(change_virtual_intf, SET_INTERFACE);
1986 	CMD(add_key, NEW_KEY);
1987 	CMD(start_ap, START_AP);
1988 	CMD(add_station, NEW_STATION);
1989 	CMD(add_mpath, NEW_MPATH);
1990 	CMD(update_mesh_config, SET_MESH_CONFIG);
1991 	CMD(change_bss, SET_BSS);
1992 	CMD(auth, AUTHENTICATE);
1993 	CMD(assoc, ASSOCIATE);
1994 	CMD(deauth, DEAUTHENTICATE);
1995 	CMD(disassoc, DISASSOCIATE);
1996 	CMD(join_ibss, JOIN_IBSS);
1997 	CMD(join_mesh, JOIN_MESH);
1998 	CMD(set_pmksa, SET_PMKSA);
1999 	CMD(del_pmksa, DEL_PMKSA);
2000 	CMD(flush_pmksa, FLUSH_PMKSA);
2001 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2002 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2003 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2004 	CMD(mgmt_tx, FRAME);
2005 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2006 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2007 		i++;
2008 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2009 			goto nla_put_failure;
2010 	}
2011 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2012 	    rdev->ops->join_mesh) {
2013 		i++;
2014 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2015 			goto nla_put_failure;
2016 	}
2017 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2018 		CMD(tdls_mgmt, TDLS_MGMT);
2019 		CMD(tdls_oper, TDLS_OPER);
2020 	}
2021 	if (rdev->wiphy.max_sched_scan_reqs)
2022 		CMD(sched_scan_start, START_SCHED_SCAN);
2023 	CMD(probe_client, PROBE_CLIENT);
2024 	CMD(set_noack_map, SET_NOACK_MAP);
2025 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2026 		i++;
2027 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2028 			goto nla_put_failure;
2029 	}
2030 	CMD(start_p2p_device, START_P2P_DEVICE);
2031 	CMD(set_mcast_rate, SET_MCAST_RATE);
2032 #ifdef CONFIG_NL80211_TESTMODE
2033 	CMD(testmode_cmd, TESTMODE);
2034 #endif
2035 
2036 	if (rdev->ops->connect || rdev->ops->auth) {
2037 		i++;
2038 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2039 			goto nla_put_failure;
2040 	}
2041 
2042 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2043 		i++;
2044 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2045 			goto nla_put_failure;
2046 	}
2047 
2048 	return i;
2049  nla_put_failure:
2050 	return -ENOBUFS;
2051 }
2052 
2053 static int
2054 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2055 			   struct sk_buff *msg)
2056 {
2057 	struct nlattr *ftm;
2058 
2059 	if (!cap->ftm.supported)
2060 		return 0;
2061 
2062 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2063 	if (!ftm)
2064 		return -ENOBUFS;
2065 
2066 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2067 		return -ENOBUFS;
2068 	if (cap->ftm.non_asap &&
2069 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2070 		return -ENOBUFS;
2071 	if (cap->ftm.request_lci &&
2072 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2073 		return -ENOBUFS;
2074 	if (cap->ftm.request_civicloc &&
2075 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2076 		return -ENOBUFS;
2077 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2078 			cap->ftm.preambles))
2079 		return -ENOBUFS;
2080 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2081 			cap->ftm.bandwidths))
2082 		return -ENOBUFS;
2083 	if (cap->ftm.max_bursts_exponent >= 0 &&
2084 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2085 			cap->ftm.max_bursts_exponent))
2086 		return -ENOBUFS;
2087 	if (cap->ftm.max_ftms_per_burst &&
2088 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2089 			cap->ftm.max_ftms_per_burst))
2090 		return -ENOBUFS;
2091 	if (cap->ftm.trigger_based &&
2092 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2093 		return -ENOBUFS;
2094 	if (cap->ftm.non_trigger_based &&
2095 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2096 		return -ENOBUFS;
2097 
2098 	nla_nest_end(msg, ftm);
2099 	return 0;
2100 }
2101 
2102 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2103 				  struct sk_buff *msg)
2104 {
2105 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2106 	struct nlattr *pmsr, *caps;
2107 
2108 	if (!cap)
2109 		return 0;
2110 
2111 	/*
2112 	 * we don't need to clean up anything here since the caller
2113 	 * will genlmsg_cancel() if we fail
2114 	 */
2115 
2116 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2117 	if (!pmsr)
2118 		return -ENOBUFS;
2119 
2120 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2121 		return -ENOBUFS;
2122 
2123 	if (cap->report_ap_tsf &&
2124 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2125 		return -ENOBUFS;
2126 
2127 	if (cap->randomize_mac_addr &&
2128 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2129 		return -ENOBUFS;
2130 
2131 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2132 	if (!caps)
2133 		return -ENOBUFS;
2134 
2135 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2136 		return -ENOBUFS;
2137 
2138 	nla_nest_end(msg, caps);
2139 	nla_nest_end(msg, pmsr);
2140 
2141 	return 0;
2142 }
2143 
2144 static int
2145 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2146 			      struct sk_buff *msg)
2147 {
2148 	int i;
2149 	struct nlattr *nested, *nested_akms;
2150 	const struct wiphy_iftype_akm_suites *iftype_akms;
2151 
2152 	if (!rdev->wiphy.num_iftype_akm_suites ||
2153 	    !rdev->wiphy.iftype_akm_suites)
2154 		return 0;
2155 
2156 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2157 	if (!nested)
2158 		return -ENOBUFS;
2159 
2160 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2161 		nested_akms = nla_nest_start(msg, i + 1);
2162 		if (!nested_akms)
2163 			return -ENOBUFS;
2164 
2165 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2166 
2167 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2168 					iftype_akms->iftypes_mask))
2169 			return -ENOBUFS;
2170 
2171 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2172 			    sizeof(u32) * iftype_akms->n_akm_suites,
2173 			    iftype_akms->akm_suites)) {
2174 			return -ENOBUFS;
2175 		}
2176 		nla_nest_end(msg, nested_akms);
2177 	}
2178 
2179 	nla_nest_end(msg, nested);
2180 
2181 	return 0;
2182 }
2183 
2184 static int
2185 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2186 			       struct sk_buff *msg)
2187 {
2188 	struct nlattr *supp;
2189 
2190 	if (!rdev->wiphy.tid_config_support.vif &&
2191 	    !rdev->wiphy.tid_config_support.peer)
2192 		return 0;
2193 
2194 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2195 	if (!supp)
2196 		return -ENOSPC;
2197 
2198 	if (rdev->wiphy.tid_config_support.vif &&
2199 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2200 			      rdev->wiphy.tid_config_support.vif,
2201 			      NL80211_TID_CONFIG_ATTR_PAD))
2202 		goto fail;
2203 
2204 	if (rdev->wiphy.tid_config_support.peer &&
2205 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2206 			      rdev->wiphy.tid_config_support.peer,
2207 			      NL80211_TID_CONFIG_ATTR_PAD))
2208 		goto fail;
2209 
2210 	/* for now we just use the same value ... makes more sense */
2211 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2212 		       rdev->wiphy.tid_config_support.max_retry))
2213 		goto fail;
2214 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2215 		       rdev->wiphy.tid_config_support.max_retry))
2216 		goto fail;
2217 
2218 	nla_nest_end(msg, supp);
2219 
2220 	return 0;
2221 fail:
2222 	nla_nest_cancel(msg, supp);
2223 	return -ENOBUFS;
2224 }
2225 
2226 static int
2227 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2228 		      struct sk_buff *msg)
2229 {
2230 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2231 	u8 num_freq_ranges;
2232 	int i;
2233 
2234 	if (!rdev->wiphy.sar_capa)
2235 		return 0;
2236 
2237 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2238 
2239 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2240 	if (!sar_capa)
2241 		return -ENOSPC;
2242 
2243 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2244 		goto fail;
2245 
2246 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2247 	if (!specs)
2248 		goto fail;
2249 
2250 	/* report supported freq_ranges */
2251 	for (i = 0; i < num_freq_ranges; i++) {
2252 		sub_freq_range = nla_nest_start(msg, i + 1);
2253 		if (!sub_freq_range)
2254 			goto fail;
2255 
2256 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2257 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2258 			goto fail;
2259 
2260 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2261 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2262 			goto fail;
2263 
2264 		nla_nest_end(msg, sub_freq_range);
2265 	}
2266 
2267 	nla_nest_end(msg, specs);
2268 	nla_nest_end(msg, sar_capa);
2269 
2270 	return 0;
2271 fail:
2272 	nla_nest_cancel(msg, sar_capa);
2273 	return -ENOBUFS;
2274 }
2275 
2276 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2277 {
2278 	struct nlattr *config;
2279 
2280 	if (!wiphy->mbssid_max_interfaces)
2281 		return 0;
2282 
2283 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2284 	if (!config)
2285 		return -ENOBUFS;
2286 
2287 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2288 		       wiphy->mbssid_max_interfaces))
2289 		goto fail;
2290 
2291 	if (wiphy->ema_max_profile_periodicity &&
2292 	    nla_put_u8(msg,
2293 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2294 		       wiphy->ema_max_profile_periodicity))
2295 		goto fail;
2296 
2297 	nla_nest_end(msg, config);
2298 	return 0;
2299 
2300 fail:
2301 	nla_nest_cancel(msg, config);
2302 	return -ENOBUFS;
2303 }
2304 
2305 struct nl80211_dump_wiphy_state {
2306 	s64 filter_wiphy;
2307 	long start;
2308 	long split_start, band_start, chan_start, capa_start;
2309 	bool split;
2310 };
2311 
2312 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2313 			      enum nl80211_commands cmd,
2314 			      struct sk_buff *msg, u32 portid, u32 seq,
2315 			      int flags, struct nl80211_dump_wiphy_state *state)
2316 {
2317 	void *hdr;
2318 	struct nlattr *nl_bands, *nl_band;
2319 	struct nlattr *nl_freqs, *nl_freq;
2320 	struct nlattr *nl_cmds;
2321 	enum nl80211_band band;
2322 	struct ieee80211_channel *chan;
2323 	int i;
2324 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2325 				rdev->wiphy.mgmt_stypes;
2326 	u32 features;
2327 
2328 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2329 	if (!hdr)
2330 		return -ENOBUFS;
2331 
2332 	if (WARN_ON(!state))
2333 		return -EINVAL;
2334 
2335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2336 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2337 			   wiphy_name(&rdev->wiphy)) ||
2338 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2339 			cfg80211_rdev_list_generation))
2340 		goto nla_put_failure;
2341 
2342 	if (cmd != NL80211_CMD_NEW_WIPHY)
2343 		goto finish;
2344 
2345 	switch (state->split_start) {
2346 	case 0:
2347 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2348 			       rdev->wiphy.retry_short) ||
2349 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2350 			       rdev->wiphy.retry_long) ||
2351 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2352 				rdev->wiphy.frag_threshold) ||
2353 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2354 				rdev->wiphy.rts_threshold) ||
2355 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2356 			       rdev->wiphy.coverage_class) ||
2357 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2358 			       rdev->wiphy.max_scan_ssids) ||
2359 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2360 			       rdev->wiphy.max_sched_scan_ssids) ||
2361 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2362 				rdev->wiphy.max_scan_ie_len) ||
2363 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2364 				rdev->wiphy.max_sched_scan_ie_len) ||
2365 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2366 			       rdev->wiphy.max_match_sets))
2367 			goto nla_put_failure;
2368 
2369 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2370 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2371 			goto nla_put_failure;
2372 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2373 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2374 			goto nla_put_failure;
2375 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2376 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2377 			goto nla_put_failure;
2378 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2379 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2380 			goto nla_put_failure;
2381 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2382 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2383 			goto nla_put_failure;
2384 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2385 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2386 			goto nla_put_failure;
2387 		state->split_start++;
2388 		if (state->split)
2389 			break;
2390 		fallthrough;
2391 	case 1:
2392 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2393 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2394 			    rdev->wiphy.cipher_suites))
2395 			goto nla_put_failure;
2396 
2397 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2398 			       rdev->wiphy.max_num_pmkids))
2399 			goto nla_put_failure;
2400 
2401 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2402 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2403 			goto nla_put_failure;
2404 
2405 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2406 				rdev->wiphy.available_antennas_tx) ||
2407 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2408 				rdev->wiphy.available_antennas_rx))
2409 			goto nla_put_failure;
2410 
2411 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2412 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2413 				rdev->wiphy.probe_resp_offload))
2414 			goto nla_put_failure;
2415 
2416 		if ((rdev->wiphy.available_antennas_tx ||
2417 		     rdev->wiphy.available_antennas_rx) &&
2418 		    rdev->ops->get_antenna) {
2419 			u32 tx_ant = 0, rx_ant = 0;
2420 			int res;
2421 
2422 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2423 			if (!res) {
2424 				if (nla_put_u32(msg,
2425 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2426 						tx_ant) ||
2427 				    nla_put_u32(msg,
2428 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2429 						rx_ant))
2430 					goto nla_put_failure;
2431 			}
2432 		}
2433 
2434 		state->split_start++;
2435 		if (state->split)
2436 			break;
2437 		fallthrough;
2438 	case 2:
2439 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2440 					rdev->wiphy.interface_modes))
2441 				goto nla_put_failure;
2442 		state->split_start++;
2443 		if (state->split)
2444 			break;
2445 		fallthrough;
2446 	case 3:
2447 		nl_bands = nla_nest_start_noflag(msg,
2448 						 NL80211_ATTR_WIPHY_BANDS);
2449 		if (!nl_bands)
2450 			goto nla_put_failure;
2451 
2452 		for (band = state->band_start;
2453 		     band < (state->split ?
2454 				NUM_NL80211_BANDS :
2455 				NL80211_BAND_60GHZ + 1);
2456 		     band++) {
2457 			struct ieee80211_supported_band *sband;
2458 
2459 			/* omit higher bands for ancient software */
2460 			if (band > NL80211_BAND_5GHZ && !state->split)
2461 				break;
2462 
2463 			sband = rdev->wiphy.bands[band];
2464 
2465 			if (!sband)
2466 				continue;
2467 
2468 			nl_band = nla_nest_start_noflag(msg, band);
2469 			if (!nl_band)
2470 				goto nla_put_failure;
2471 
2472 			switch (state->chan_start) {
2473 			case 0:
2474 				if (nl80211_send_band_rateinfo(msg, sband,
2475 							       state->split))
2476 					goto nla_put_failure;
2477 				state->chan_start++;
2478 				if (state->split)
2479 					break;
2480 				fallthrough;
2481 			default:
2482 				/* add frequencies */
2483 				nl_freqs = nla_nest_start_noflag(msg,
2484 								 NL80211_BAND_ATTR_FREQS);
2485 				if (!nl_freqs)
2486 					goto nla_put_failure;
2487 
2488 				for (i = state->chan_start - 1;
2489 				     i < sband->n_channels;
2490 				     i++) {
2491 					nl_freq = nla_nest_start_noflag(msg,
2492 									i);
2493 					if (!nl_freq)
2494 						goto nla_put_failure;
2495 
2496 					chan = &sband->channels[i];
2497 
2498 					if (nl80211_msg_put_channel(
2499 							msg, &rdev->wiphy, chan,
2500 							state->split))
2501 						goto nla_put_failure;
2502 
2503 					nla_nest_end(msg, nl_freq);
2504 					if (state->split)
2505 						break;
2506 				}
2507 				if (i < sband->n_channels)
2508 					state->chan_start = i + 2;
2509 				else
2510 					state->chan_start = 0;
2511 				nla_nest_end(msg, nl_freqs);
2512 			}
2513 
2514 			nla_nest_end(msg, nl_band);
2515 
2516 			if (state->split) {
2517 				/* start again here */
2518 				if (state->chan_start)
2519 					band--;
2520 				break;
2521 			}
2522 		}
2523 		nla_nest_end(msg, nl_bands);
2524 
2525 		if (band < NUM_NL80211_BANDS)
2526 			state->band_start = band + 1;
2527 		else
2528 			state->band_start = 0;
2529 
2530 		/* if bands & channels are done, continue outside */
2531 		if (state->band_start == 0 && state->chan_start == 0)
2532 			state->split_start++;
2533 		if (state->split)
2534 			break;
2535 		fallthrough;
2536 	case 4:
2537 		nl_cmds = nla_nest_start_noflag(msg,
2538 						NL80211_ATTR_SUPPORTED_COMMANDS);
2539 		if (!nl_cmds)
2540 			goto nla_put_failure;
2541 
2542 		i = nl80211_add_commands_unsplit(rdev, msg);
2543 		if (i < 0)
2544 			goto nla_put_failure;
2545 		if (state->split) {
2546 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2547 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2548 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2549 				CMD(channel_switch, CHANNEL_SWITCH);
2550 			CMD(set_qos_map, SET_QOS_MAP);
2551 			if (rdev->wiphy.features &
2552 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2553 				CMD(add_tx_ts, ADD_TX_TS);
2554 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2555 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2556 			CMD(update_ft_ies, UPDATE_FT_IES);
2557 			if (rdev->wiphy.sar_capa)
2558 				CMD(set_sar_specs, SET_SAR_SPECS);
2559 		}
2560 #undef CMD
2561 
2562 		nla_nest_end(msg, nl_cmds);
2563 		state->split_start++;
2564 		if (state->split)
2565 			break;
2566 		fallthrough;
2567 	case 5:
2568 		if (rdev->ops->remain_on_channel &&
2569 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2570 		    nla_put_u32(msg,
2571 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2572 				rdev->wiphy.max_remain_on_channel_duration))
2573 			goto nla_put_failure;
2574 
2575 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2576 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2577 			goto nla_put_failure;
2578 
2579 		state->split_start++;
2580 		if (state->split)
2581 			break;
2582 		fallthrough;
2583 	case 6:
2584 #ifdef CONFIG_PM
2585 		if (nl80211_send_wowlan(msg, rdev, state->split))
2586 			goto nla_put_failure;
2587 		state->split_start++;
2588 		if (state->split)
2589 			break;
2590 #else
2591 		state->split_start++;
2592 #endif
2593 		fallthrough;
2594 	case 7:
2595 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2596 					rdev->wiphy.software_iftypes))
2597 			goto nla_put_failure;
2598 
2599 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2600 						   state->split))
2601 			goto nla_put_failure;
2602 
2603 		state->split_start++;
2604 		if (state->split)
2605 			break;
2606 		fallthrough;
2607 	case 8:
2608 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2609 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2610 				rdev->wiphy.ap_sme_capa))
2611 			goto nla_put_failure;
2612 
2613 		features = rdev->wiphy.features;
2614 		/*
2615 		 * We can only add the per-channel limit information if the
2616 		 * dump is split, otherwise it makes it too big. Therefore
2617 		 * only advertise it in that case.
2618 		 */
2619 		if (state->split)
2620 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2621 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2622 			goto nla_put_failure;
2623 
2624 		if (rdev->wiphy.ht_capa_mod_mask &&
2625 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2626 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2627 			    rdev->wiphy.ht_capa_mod_mask))
2628 			goto nla_put_failure;
2629 
2630 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2631 		    rdev->wiphy.max_acl_mac_addrs &&
2632 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2633 				rdev->wiphy.max_acl_mac_addrs))
2634 			goto nla_put_failure;
2635 
2636 		/*
2637 		 * Any information below this point is only available to
2638 		 * applications that can deal with it being split. This
2639 		 * helps ensure that newly added capabilities don't break
2640 		 * older tools by overrunning their buffers.
2641 		 *
2642 		 * We still increment split_start so that in the split
2643 		 * case we'll continue with more data in the next round,
2644 		 * but break unconditionally so unsplit data stops here.
2645 		 */
2646 		if (state->split)
2647 			state->split_start++;
2648 		else
2649 			state->split_start = 0;
2650 		break;
2651 	case 9:
2652 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2653 			goto nla_put_failure;
2654 
2655 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2656 				rdev->wiphy.max_sched_scan_plans) ||
2657 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2658 				rdev->wiphy.max_sched_scan_plan_interval) ||
2659 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2660 				rdev->wiphy.max_sched_scan_plan_iterations))
2661 			goto nla_put_failure;
2662 
2663 		if (rdev->wiphy.extended_capabilities &&
2664 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2665 			     rdev->wiphy.extended_capabilities_len,
2666 			     rdev->wiphy.extended_capabilities) ||
2667 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2668 			     rdev->wiphy.extended_capabilities_len,
2669 			     rdev->wiphy.extended_capabilities_mask)))
2670 			goto nla_put_failure;
2671 
2672 		if (rdev->wiphy.vht_capa_mod_mask &&
2673 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2674 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2675 			    rdev->wiphy.vht_capa_mod_mask))
2676 			goto nla_put_failure;
2677 
2678 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2679 			    rdev->wiphy.perm_addr))
2680 			goto nla_put_failure;
2681 
2682 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2683 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2684 			    rdev->wiphy.addr_mask))
2685 			goto nla_put_failure;
2686 
2687 		if (rdev->wiphy.n_addresses > 1) {
2688 			void *attr;
2689 
2690 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2691 			if (!attr)
2692 				goto nla_put_failure;
2693 
2694 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2695 				if (nla_put(msg, i + 1, ETH_ALEN,
2696 					    rdev->wiphy.addresses[i].addr))
2697 					goto nla_put_failure;
2698 
2699 			nla_nest_end(msg, attr);
2700 		}
2701 
2702 		state->split_start++;
2703 		break;
2704 	case 10:
2705 		if (nl80211_send_coalesce(msg, rdev))
2706 			goto nla_put_failure;
2707 
2708 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2709 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2710 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2711 			goto nla_put_failure;
2712 
2713 		if (rdev->wiphy.max_ap_assoc_sta &&
2714 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2715 				rdev->wiphy.max_ap_assoc_sta))
2716 			goto nla_put_failure;
2717 
2718 		state->split_start++;
2719 		break;
2720 	case 11:
2721 		if (rdev->wiphy.n_vendor_commands) {
2722 			const struct nl80211_vendor_cmd_info *info;
2723 			struct nlattr *nested;
2724 
2725 			nested = nla_nest_start_noflag(msg,
2726 						       NL80211_ATTR_VENDOR_DATA);
2727 			if (!nested)
2728 				goto nla_put_failure;
2729 
2730 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2731 				info = &rdev->wiphy.vendor_commands[i].info;
2732 				if (nla_put(msg, i + 1, sizeof(*info), info))
2733 					goto nla_put_failure;
2734 			}
2735 			nla_nest_end(msg, nested);
2736 		}
2737 
2738 		if (rdev->wiphy.n_vendor_events) {
2739 			const struct nl80211_vendor_cmd_info *info;
2740 			struct nlattr *nested;
2741 
2742 			nested = nla_nest_start_noflag(msg,
2743 						       NL80211_ATTR_VENDOR_EVENTS);
2744 			if (!nested)
2745 				goto nla_put_failure;
2746 
2747 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2748 				info = &rdev->wiphy.vendor_events[i];
2749 				if (nla_put(msg, i + 1, sizeof(*info), info))
2750 					goto nla_put_failure;
2751 			}
2752 			nla_nest_end(msg, nested);
2753 		}
2754 		state->split_start++;
2755 		break;
2756 	case 12:
2757 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2758 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2759 			       rdev->wiphy.max_num_csa_counters))
2760 			goto nla_put_failure;
2761 
2762 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2763 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2764 			goto nla_put_failure;
2765 
2766 		if (rdev->wiphy.max_sched_scan_reqs &&
2767 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2768 				rdev->wiphy.max_sched_scan_reqs))
2769 			goto nla_put_failure;
2770 
2771 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2772 			    sizeof(rdev->wiphy.ext_features),
2773 			    rdev->wiphy.ext_features))
2774 			goto nla_put_failure;
2775 
2776 		if (rdev->wiphy.bss_select_support) {
2777 			struct nlattr *nested;
2778 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2779 
2780 			nested = nla_nest_start_noflag(msg,
2781 						       NL80211_ATTR_BSS_SELECT);
2782 			if (!nested)
2783 				goto nla_put_failure;
2784 
2785 			i = 0;
2786 			while (bss_select_support) {
2787 				if ((bss_select_support & 1) &&
2788 				    nla_put_flag(msg, i))
2789 					goto nla_put_failure;
2790 				i++;
2791 				bss_select_support >>= 1;
2792 			}
2793 			nla_nest_end(msg, nested);
2794 		}
2795 
2796 		state->split_start++;
2797 		break;
2798 	case 13:
2799 		if (rdev->wiphy.num_iftype_ext_capab &&
2800 		    rdev->wiphy.iftype_ext_capab) {
2801 			struct nlattr *nested_ext_capab, *nested;
2802 
2803 			nested = nla_nest_start_noflag(msg,
2804 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2805 			if (!nested)
2806 				goto nla_put_failure;
2807 
2808 			for (i = state->capa_start;
2809 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2810 				const struct wiphy_iftype_ext_capab *capab;
2811 
2812 				capab = &rdev->wiphy.iftype_ext_capab[i];
2813 
2814 				nested_ext_capab = nla_nest_start_noflag(msg,
2815 									 i);
2816 				if (!nested_ext_capab ||
2817 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2818 						capab->iftype) ||
2819 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2820 					    capab->extended_capabilities_len,
2821 					    capab->extended_capabilities) ||
2822 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2823 					    capab->extended_capabilities_len,
2824 					    capab->extended_capabilities_mask))
2825 					goto nla_put_failure;
2826 
2827 				nla_nest_end(msg, nested_ext_capab);
2828 				if (state->split)
2829 					break;
2830 			}
2831 			nla_nest_end(msg, nested);
2832 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2833 				state->capa_start = i + 1;
2834 				break;
2835 			}
2836 		}
2837 
2838 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2839 				rdev->wiphy.nan_supported_bands))
2840 			goto nla_put_failure;
2841 
2842 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2843 					    NL80211_EXT_FEATURE_TXQS)) {
2844 			struct cfg80211_txq_stats txqstats = {};
2845 			int res;
2846 
2847 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2848 			if (!res &&
2849 			    !nl80211_put_txq_stats(msg, &txqstats,
2850 						   NL80211_ATTR_TXQ_STATS))
2851 				goto nla_put_failure;
2852 
2853 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2854 					rdev->wiphy.txq_limit))
2855 				goto nla_put_failure;
2856 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2857 					rdev->wiphy.txq_memory_limit))
2858 				goto nla_put_failure;
2859 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2860 					rdev->wiphy.txq_quantum))
2861 				goto nla_put_failure;
2862 		}
2863 
2864 		state->split_start++;
2865 		break;
2866 	case 14:
2867 		if (nl80211_send_pmsr_capa(rdev, msg))
2868 			goto nla_put_failure;
2869 
2870 		state->split_start++;
2871 		break;
2872 	case 15:
2873 		if (rdev->wiphy.akm_suites &&
2874 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2875 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2876 			    rdev->wiphy.akm_suites))
2877 			goto nla_put_failure;
2878 
2879 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2880 			goto nla_put_failure;
2881 
2882 		if (nl80211_put_tid_config_support(rdev, msg))
2883 			goto nla_put_failure;
2884 		state->split_start++;
2885 		break;
2886 	case 16:
2887 		if (nl80211_put_sar_specs(rdev, msg))
2888 			goto nla_put_failure;
2889 
2890 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2891 			goto nla_put_failure;
2892 
2893 		/* done */
2894 		state->split_start = 0;
2895 		break;
2896 	}
2897  finish:
2898 	genlmsg_end(msg, hdr);
2899 	return 0;
2900 
2901  nla_put_failure:
2902 	genlmsg_cancel(msg, hdr);
2903 	return -EMSGSIZE;
2904 }
2905 
2906 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2907 				    struct netlink_callback *cb,
2908 				    struct nl80211_dump_wiphy_state *state)
2909 {
2910 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2911 	int ret;
2912 
2913 	if (!tb)
2914 		return -ENOMEM;
2915 
2916 	ret = nlmsg_parse_deprecated(cb->nlh,
2917 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2918 				     tb, nl80211_fam.maxattr,
2919 				     nl80211_policy, NULL);
2920 	/* ignore parse errors for backward compatibility */
2921 	if (ret) {
2922 		ret = 0;
2923 		goto out;
2924 	}
2925 
2926 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2927 	if (tb[NL80211_ATTR_WIPHY])
2928 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2929 	if (tb[NL80211_ATTR_WDEV])
2930 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2931 	if (tb[NL80211_ATTR_IFINDEX]) {
2932 		struct net_device *netdev;
2933 		struct cfg80211_registered_device *rdev;
2934 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2935 
2936 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2937 		if (!netdev) {
2938 			ret = -ENODEV;
2939 			goto out;
2940 		}
2941 		if (netdev->ieee80211_ptr) {
2942 			rdev = wiphy_to_rdev(
2943 				netdev->ieee80211_ptr->wiphy);
2944 			state->filter_wiphy = rdev->wiphy_idx;
2945 		}
2946 	}
2947 
2948 	ret = 0;
2949 out:
2950 	kfree(tb);
2951 	return ret;
2952 }
2953 
2954 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2955 {
2956 	int idx = 0, ret;
2957 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2958 	struct cfg80211_registered_device *rdev;
2959 
2960 	rtnl_lock();
2961 	if (!state) {
2962 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2963 		if (!state) {
2964 			rtnl_unlock();
2965 			return -ENOMEM;
2966 		}
2967 		state->filter_wiphy = -1;
2968 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2969 		if (ret) {
2970 			kfree(state);
2971 			rtnl_unlock();
2972 			return ret;
2973 		}
2974 		cb->args[0] = (long)state;
2975 	}
2976 
2977 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2978 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2979 			continue;
2980 		if (++idx <= state->start)
2981 			continue;
2982 		if (state->filter_wiphy != -1 &&
2983 		    state->filter_wiphy != rdev->wiphy_idx)
2984 			continue;
2985 		/* attempt to fit multiple wiphy data chunks into the skb */
2986 		do {
2987 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2988 						 skb,
2989 						 NETLINK_CB(cb->skb).portid,
2990 						 cb->nlh->nlmsg_seq,
2991 						 NLM_F_MULTI, state);
2992 			if (ret < 0) {
2993 				/*
2994 				 * If sending the wiphy data didn't fit (ENOBUFS
2995 				 * or EMSGSIZE returned), this SKB is still
2996 				 * empty (so it's not too big because another
2997 				 * wiphy dataset is already in the skb) and
2998 				 * we've not tried to adjust the dump allocation
2999 				 * yet ... then adjust the alloc size to be
3000 				 * bigger, and return 1 but with the empty skb.
3001 				 * This results in an empty message being RX'ed
3002 				 * in userspace, but that is ignored.
3003 				 *
3004 				 * We can then retry with the larger buffer.
3005 				 */
3006 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3007 				    !skb->len && !state->split &&
3008 				    cb->min_dump_alloc < 4096) {
3009 					cb->min_dump_alloc = 4096;
3010 					state->split_start = 0;
3011 					rtnl_unlock();
3012 					return 1;
3013 				}
3014 				idx--;
3015 				break;
3016 			}
3017 		} while (state->split_start > 0);
3018 		break;
3019 	}
3020 	rtnl_unlock();
3021 
3022 	state->start = idx;
3023 
3024 	return skb->len;
3025 }
3026 
3027 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3028 {
3029 	kfree((void *)cb->args[0]);
3030 	return 0;
3031 }
3032 
3033 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3034 {
3035 	struct sk_buff *msg;
3036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3037 	struct nl80211_dump_wiphy_state state = {};
3038 
3039 	msg = nlmsg_new(4096, GFP_KERNEL);
3040 	if (!msg)
3041 		return -ENOMEM;
3042 
3043 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3044 			       info->snd_portid, info->snd_seq, 0,
3045 			       &state) < 0) {
3046 		nlmsg_free(msg);
3047 		return -ENOBUFS;
3048 	}
3049 
3050 	return genlmsg_reply(msg, info);
3051 }
3052 
3053 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3054 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3055 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3056 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3057 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3058 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3059 };
3060 
3061 static int parse_txq_params(struct nlattr *tb[],
3062 			    struct ieee80211_txq_params *txq_params)
3063 {
3064 	u8 ac;
3065 
3066 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3067 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3068 	    !tb[NL80211_TXQ_ATTR_AIFS])
3069 		return -EINVAL;
3070 
3071 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3072 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3073 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3074 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3075 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3076 
3077 	if (ac >= NL80211_NUM_ACS)
3078 		return -EINVAL;
3079 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3080 	return 0;
3081 }
3082 
3083 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3084 {
3085 	/*
3086 	 * You can only set the channel explicitly for some interfaces,
3087 	 * most have their channel managed via their respective
3088 	 * "establish a connection" command (connect, join, ...)
3089 	 *
3090 	 * For AP/GO and mesh mode, the channel can be set with the
3091 	 * channel userspace API, but is only stored and passed to the
3092 	 * low-level driver when the AP starts or the mesh is joined.
3093 	 * This is for backward compatibility, userspace can also give
3094 	 * the channel in the start-ap or join-mesh commands instead.
3095 	 *
3096 	 * Monitors are special as they are normally slaved to
3097 	 * whatever else is going on, so they have their own special
3098 	 * operation to set the monitor channel if possible.
3099 	 */
3100 	return !wdev ||
3101 		wdev->iftype == NL80211_IFTYPE_AP ||
3102 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3103 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3104 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3105 }
3106 
3107 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3108 			  struct genl_info *info,
3109 			  struct cfg80211_chan_def *chandef)
3110 {
3111 	struct netlink_ext_ack *extack = info->extack;
3112 	struct nlattr **attrs = info->attrs;
3113 	u32 control_freq;
3114 
3115 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3116 		return -EINVAL;
3117 
3118 	control_freq = MHZ_TO_KHZ(
3119 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3120 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3121 		control_freq +=
3122 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3123 
3124 	memset(chandef, 0, sizeof(*chandef));
3125 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3126 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3127 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3128 	chandef->freq1_offset = control_freq % 1000;
3129 	chandef->center_freq2 = 0;
3130 
3131 	/* Primary channel not allowed */
3132 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3133 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3134 				    "Channel is disabled");
3135 		return -EINVAL;
3136 	}
3137 
3138 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3139 		enum nl80211_channel_type chantype;
3140 
3141 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3142 
3143 		switch (chantype) {
3144 		case NL80211_CHAN_NO_HT:
3145 		case NL80211_CHAN_HT20:
3146 		case NL80211_CHAN_HT40PLUS:
3147 		case NL80211_CHAN_HT40MINUS:
3148 			cfg80211_chandef_create(chandef, chandef->chan,
3149 						chantype);
3150 			/* user input for center_freq is incorrect */
3151 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3152 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3153 				NL_SET_ERR_MSG_ATTR(extack,
3154 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3155 						    "bad center frequency 1");
3156 				return -EINVAL;
3157 			}
3158 			/* center_freq2 must be zero */
3159 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3160 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3161 				NL_SET_ERR_MSG_ATTR(extack,
3162 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3163 						    "center frequency 2 can't be used");
3164 				return -EINVAL;
3165 			}
3166 			break;
3167 		default:
3168 			NL_SET_ERR_MSG_ATTR(extack,
3169 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3170 					    "invalid channel type");
3171 			return -EINVAL;
3172 		}
3173 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3174 		chandef->width =
3175 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3176 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3177 			chandef->center_freq1 =
3178 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3179 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3180 				chandef->freq1_offset = nla_get_u32(
3181 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3182 			else
3183 				chandef->freq1_offset = 0;
3184 		}
3185 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3186 			chandef->center_freq2 =
3187 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3188 	}
3189 
3190 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3191 		chandef->edmg.channels =
3192 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3193 
3194 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3195 			chandef->edmg.bw_config =
3196 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3197 	} else {
3198 		chandef->edmg.bw_config = 0;
3199 		chandef->edmg.channels = 0;
3200 	}
3201 
3202 	if (!cfg80211_chandef_valid(chandef)) {
3203 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3204 		return -EINVAL;
3205 	}
3206 
3207 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3208 				     IEEE80211_CHAN_DISABLED)) {
3209 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3210 		return -EINVAL;
3211 	}
3212 
3213 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3214 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3215 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3216 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3217 		return -EINVAL;
3218 	}
3219 
3220 	return 0;
3221 }
3222 
3223 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3224 				 struct net_device *dev,
3225 				 struct genl_info *info)
3226 {
3227 	struct cfg80211_chan_def chandef;
3228 	int result;
3229 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3230 	struct wireless_dev *wdev = NULL;
3231 
3232 	if (dev)
3233 		wdev = dev->ieee80211_ptr;
3234 	if (!nl80211_can_set_dev_channel(wdev))
3235 		return -EOPNOTSUPP;
3236 	if (wdev)
3237 		iftype = wdev->iftype;
3238 
3239 	result = nl80211_parse_chandef(rdev, info, &chandef);
3240 	if (result)
3241 		return result;
3242 
3243 	switch (iftype) {
3244 	case NL80211_IFTYPE_AP:
3245 	case NL80211_IFTYPE_P2P_GO:
3246 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3247 						   iftype)) {
3248 			result = -EINVAL;
3249 			break;
3250 		}
3251 		if (wdev->beacon_interval) {
3252 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3253 			    !(rdev->wiphy.features &
3254 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3255 				result = -EBUSY;
3256 				break;
3257 			}
3258 
3259 			/* Only allow dynamic channel width changes */
3260 			if (chandef.chan != wdev->preset_chandef.chan) {
3261 				result = -EBUSY;
3262 				break;
3263 			}
3264 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3265 			if (result)
3266 				break;
3267 		}
3268 		wdev->preset_chandef = chandef;
3269 		result = 0;
3270 		break;
3271 	case NL80211_IFTYPE_MESH_POINT:
3272 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3273 		break;
3274 	case NL80211_IFTYPE_MONITOR:
3275 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3276 		break;
3277 	default:
3278 		result = -EINVAL;
3279 	}
3280 
3281 	return result;
3282 }
3283 
3284 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3285 {
3286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3287 	struct net_device *netdev = info->user_ptr[1];
3288 
3289 	return __nl80211_set_channel(rdev, netdev, info);
3290 }
3291 
3292 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3293 {
3294 	struct cfg80211_registered_device *rdev = NULL;
3295 	struct net_device *netdev = NULL;
3296 	struct wireless_dev *wdev;
3297 	int result = 0, rem_txq_params = 0;
3298 	struct nlattr *nl_txq_params;
3299 	u32 changed;
3300 	u8 retry_short = 0, retry_long = 0;
3301 	u32 frag_threshold = 0, rts_threshold = 0;
3302 	u8 coverage_class = 0;
3303 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3304 
3305 	rtnl_lock();
3306 	/*
3307 	 * Try to find the wiphy and netdev. Normally this
3308 	 * function shouldn't need the netdev, but this is
3309 	 * done for backward compatibility -- previously
3310 	 * setting the channel was done per wiphy, but now
3311 	 * it is per netdev. Previous userland like hostapd
3312 	 * also passed a netdev to set_wiphy, so that it is
3313 	 * possible to let that go to the right netdev!
3314 	 */
3315 
3316 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3317 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3318 
3319 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3320 		if (netdev && netdev->ieee80211_ptr)
3321 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3322 		else
3323 			netdev = NULL;
3324 	}
3325 
3326 	if (!netdev) {
3327 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3328 						  info->attrs);
3329 		if (IS_ERR(rdev)) {
3330 			rtnl_unlock();
3331 			return PTR_ERR(rdev);
3332 		}
3333 		wdev = NULL;
3334 		netdev = NULL;
3335 		result = 0;
3336 	} else
3337 		wdev = netdev->ieee80211_ptr;
3338 
3339 	wiphy_lock(&rdev->wiphy);
3340 
3341 	/*
3342 	 * end workaround code, by now the rdev is available
3343 	 * and locked, and wdev may or may not be NULL.
3344 	 */
3345 
3346 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3347 		result = cfg80211_dev_rename(
3348 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3349 	rtnl_unlock();
3350 
3351 	if (result)
3352 		goto out;
3353 
3354 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3355 		struct ieee80211_txq_params txq_params;
3356 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3357 
3358 		if (!rdev->ops->set_txq_params) {
3359 			result = -EOPNOTSUPP;
3360 			goto out;
3361 		}
3362 
3363 		if (!netdev) {
3364 			result = -EINVAL;
3365 			goto out;
3366 		}
3367 
3368 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3369 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3370 			result = -EINVAL;
3371 			goto out;
3372 		}
3373 
3374 		if (!netif_running(netdev)) {
3375 			result = -ENETDOWN;
3376 			goto out;
3377 		}
3378 
3379 		nla_for_each_nested(nl_txq_params,
3380 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3381 				    rem_txq_params) {
3382 			result = nla_parse_nested_deprecated(tb,
3383 							     NL80211_TXQ_ATTR_MAX,
3384 							     nl_txq_params,
3385 							     txq_params_policy,
3386 							     info->extack);
3387 			if (result)
3388 				goto out;
3389 			result = parse_txq_params(tb, &txq_params);
3390 			if (result)
3391 				goto out;
3392 
3393 			result = rdev_set_txq_params(rdev, netdev,
3394 						     &txq_params);
3395 			if (result)
3396 				goto out;
3397 		}
3398 	}
3399 
3400 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3401 		result = __nl80211_set_channel(
3402 			rdev,
3403 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3404 			info);
3405 		if (result)
3406 			goto out;
3407 	}
3408 
3409 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3410 		struct wireless_dev *txp_wdev = wdev;
3411 		enum nl80211_tx_power_setting type;
3412 		int idx, mbm = 0;
3413 
3414 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3415 			txp_wdev = NULL;
3416 
3417 		if (!rdev->ops->set_tx_power) {
3418 			result = -EOPNOTSUPP;
3419 			goto out;
3420 		}
3421 
3422 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3423 		type = nla_get_u32(info->attrs[idx]);
3424 
3425 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3426 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3427 			result = -EINVAL;
3428 			goto out;
3429 		}
3430 
3431 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3432 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3433 			mbm = nla_get_u32(info->attrs[idx]);
3434 		}
3435 
3436 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3437 		if (result)
3438 			goto out;
3439 	}
3440 
3441 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3442 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3443 		u32 tx_ant, rx_ant;
3444 
3445 		if ((!rdev->wiphy.available_antennas_tx &&
3446 		     !rdev->wiphy.available_antennas_rx) ||
3447 		    !rdev->ops->set_antenna) {
3448 			result = -EOPNOTSUPP;
3449 			goto out;
3450 		}
3451 
3452 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3453 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3454 
3455 		/* reject antenna configurations which don't match the
3456 		 * available antenna masks, except for the "all" mask */
3457 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3458 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3459 			result = -EINVAL;
3460 			goto out;
3461 		}
3462 
3463 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3464 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3465 
3466 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3467 		if (result)
3468 			goto out;
3469 	}
3470 
3471 	changed = 0;
3472 
3473 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3474 		retry_short = nla_get_u8(
3475 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3476 
3477 		changed |= WIPHY_PARAM_RETRY_SHORT;
3478 	}
3479 
3480 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3481 		retry_long = nla_get_u8(
3482 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3483 
3484 		changed |= WIPHY_PARAM_RETRY_LONG;
3485 	}
3486 
3487 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3488 		frag_threshold = nla_get_u32(
3489 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3490 		if (frag_threshold < 256) {
3491 			result = -EINVAL;
3492 			goto out;
3493 		}
3494 
3495 		if (frag_threshold != (u32) -1) {
3496 			/*
3497 			 * Fragments (apart from the last one) are required to
3498 			 * have even length. Make the fragmentation code
3499 			 * simpler by stripping LSB should someone try to use
3500 			 * odd threshold value.
3501 			 */
3502 			frag_threshold &= ~0x1;
3503 		}
3504 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3505 	}
3506 
3507 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3508 		rts_threshold = nla_get_u32(
3509 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3510 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3511 	}
3512 
3513 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3514 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3515 			result = -EINVAL;
3516 			goto out;
3517 		}
3518 
3519 		coverage_class = nla_get_u8(
3520 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3521 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3522 	}
3523 
3524 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3525 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3526 			result = -EOPNOTSUPP;
3527 			goto out;
3528 		}
3529 
3530 		changed |= WIPHY_PARAM_DYN_ACK;
3531 	}
3532 
3533 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3534 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3535 					     NL80211_EXT_FEATURE_TXQS)) {
3536 			result = -EOPNOTSUPP;
3537 			goto out;
3538 		}
3539 		txq_limit = nla_get_u32(
3540 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3541 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3542 	}
3543 
3544 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3545 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3546 					     NL80211_EXT_FEATURE_TXQS)) {
3547 			result = -EOPNOTSUPP;
3548 			goto out;
3549 		}
3550 		txq_memory_limit = nla_get_u32(
3551 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3552 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3553 	}
3554 
3555 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3556 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3557 					     NL80211_EXT_FEATURE_TXQS)) {
3558 			result = -EOPNOTSUPP;
3559 			goto out;
3560 		}
3561 		txq_quantum = nla_get_u32(
3562 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3563 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3564 	}
3565 
3566 	if (changed) {
3567 		u8 old_retry_short, old_retry_long;
3568 		u32 old_frag_threshold, old_rts_threshold;
3569 		u8 old_coverage_class;
3570 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3571 
3572 		if (!rdev->ops->set_wiphy_params) {
3573 			result = -EOPNOTSUPP;
3574 			goto out;
3575 		}
3576 
3577 		old_retry_short = rdev->wiphy.retry_short;
3578 		old_retry_long = rdev->wiphy.retry_long;
3579 		old_frag_threshold = rdev->wiphy.frag_threshold;
3580 		old_rts_threshold = rdev->wiphy.rts_threshold;
3581 		old_coverage_class = rdev->wiphy.coverage_class;
3582 		old_txq_limit = rdev->wiphy.txq_limit;
3583 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3584 		old_txq_quantum = rdev->wiphy.txq_quantum;
3585 
3586 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3587 			rdev->wiphy.retry_short = retry_short;
3588 		if (changed & WIPHY_PARAM_RETRY_LONG)
3589 			rdev->wiphy.retry_long = retry_long;
3590 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3591 			rdev->wiphy.frag_threshold = frag_threshold;
3592 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3593 			rdev->wiphy.rts_threshold = rts_threshold;
3594 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3595 			rdev->wiphy.coverage_class = coverage_class;
3596 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3597 			rdev->wiphy.txq_limit = txq_limit;
3598 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3599 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3600 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3601 			rdev->wiphy.txq_quantum = txq_quantum;
3602 
3603 		result = rdev_set_wiphy_params(rdev, changed);
3604 		if (result) {
3605 			rdev->wiphy.retry_short = old_retry_short;
3606 			rdev->wiphy.retry_long = old_retry_long;
3607 			rdev->wiphy.frag_threshold = old_frag_threshold;
3608 			rdev->wiphy.rts_threshold = old_rts_threshold;
3609 			rdev->wiphy.coverage_class = old_coverage_class;
3610 			rdev->wiphy.txq_limit = old_txq_limit;
3611 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3612 			rdev->wiphy.txq_quantum = old_txq_quantum;
3613 			goto out;
3614 		}
3615 	}
3616 
3617 	result = 0;
3618 
3619 out:
3620 	wiphy_unlock(&rdev->wiphy);
3621 	return result;
3622 }
3623 
3624 static int nl80211_send_chandef(struct sk_buff *msg,
3625 				const struct cfg80211_chan_def *chandef)
3626 {
3627 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3628 		return -EINVAL;
3629 
3630 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3631 			chandef->chan->center_freq))
3632 		return -ENOBUFS;
3633 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3634 			chandef->chan->freq_offset))
3635 		return -ENOBUFS;
3636 	switch (chandef->width) {
3637 	case NL80211_CHAN_WIDTH_20_NOHT:
3638 	case NL80211_CHAN_WIDTH_20:
3639 	case NL80211_CHAN_WIDTH_40:
3640 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3641 				cfg80211_get_chandef_type(chandef)))
3642 			return -ENOBUFS;
3643 		break;
3644 	default:
3645 		break;
3646 	}
3647 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3648 		return -ENOBUFS;
3649 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3650 		return -ENOBUFS;
3651 	if (chandef->center_freq2 &&
3652 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3653 		return -ENOBUFS;
3654 	return 0;
3655 }
3656 
3657 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3658 			      struct cfg80211_registered_device *rdev,
3659 			      struct wireless_dev *wdev,
3660 			      enum nl80211_commands cmd)
3661 {
3662 	struct net_device *dev = wdev->netdev;
3663 	void *hdr;
3664 
3665 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3666 		cmd != NL80211_CMD_DEL_INTERFACE &&
3667 		cmd != NL80211_CMD_SET_INTERFACE);
3668 
3669 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3670 	if (!hdr)
3671 		return -1;
3672 
3673 	if (dev &&
3674 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3675 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3676 		goto nla_put_failure;
3677 
3678 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3679 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3680 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3681 			      NL80211_ATTR_PAD) ||
3682 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3683 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3684 			rdev->devlist_generation ^
3685 			(cfg80211_rdev_list_generation << 2)) ||
3686 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3687 		goto nla_put_failure;
3688 
3689 	if (rdev->ops->get_channel) {
3690 		int ret;
3691 		struct cfg80211_chan_def chandef = {};
3692 
3693 		ret = rdev_get_channel(rdev, wdev, &chandef);
3694 		if (ret == 0) {
3695 			if (nl80211_send_chandef(msg, &chandef))
3696 				goto nla_put_failure;
3697 		}
3698 	}
3699 
3700 	if (rdev->ops->get_tx_power) {
3701 		int dbm, ret;
3702 
3703 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3704 		if (ret == 0 &&
3705 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3706 				DBM_TO_MBM(dbm)))
3707 			goto nla_put_failure;
3708 	}
3709 
3710 	wdev_lock(wdev);
3711 	switch (wdev->iftype) {
3712 	case NL80211_IFTYPE_AP:
3713 		if (wdev->ssid_len &&
3714 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3715 			goto nla_put_failure_locked;
3716 		break;
3717 	case NL80211_IFTYPE_STATION:
3718 	case NL80211_IFTYPE_P2P_CLIENT:
3719 	case NL80211_IFTYPE_ADHOC: {
3720 		const struct element *ssid_elem;
3721 
3722 		if (!wdev->current_bss)
3723 			break;
3724 		rcu_read_lock();
3725 		ssid_elem = ieee80211_bss_get_elem(&wdev->current_bss->pub,
3726 						   WLAN_EID_SSID);
3727 		if (ssid_elem &&
3728 		    nla_put(msg, NL80211_ATTR_SSID, ssid_elem->datalen,
3729 			    ssid_elem->data))
3730 			goto nla_put_failure_rcu_locked;
3731 		rcu_read_unlock();
3732 		break;
3733 		}
3734 	default:
3735 		/* nothing */
3736 		break;
3737 	}
3738 	wdev_unlock(wdev);
3739 
3740 	if (rdev->ops->get_txq_stats) {
3741 		struct cfg80211_txq_stats txqstats = {};
3742 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3743 
3744 		if (ret == 0 &&
3745 		    !nl80211_put_txq_stats(msg, &txqstats,
3746 					   NL80211_ATTR_TXQ_STATS))
3747 			goto nla_put_failure;
3748 	}
3749 
3750 	genlmsg_end(msg, hdr);
3751 	return 0;
3752 
3753  nla_put_failure_rcu_locked:
3754 	rcu_read_unlock();
3755  nla_put_failure_locked:
3756 	wdev_unlock(wdev);
3757  nla_put_failure:
3758 	genlmsg_cancel(msg, hdr);
3759 	return -EMSGSIZE;
3760 }
3761 
3762 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3763 {
3764 	int wp_idx = 0;
3765 	int if_idx = 0;
3766 	int wp_start = cb->args[0];
3767 	int if_start = cb->args[1];
3768 	int filter_wiphy = -1;
3769 	struct cfg80211_registered_device *rdev;
3770 	struct wireless_dev *wdev;
3771 	int ret;
3772 
3773 	rtnl_lock();
3774 	if (!cb->args[2]) {
3775 		struct nl80211_dump_wiphy_state state = {
3776 			.filter_wiphy = -1,
3777 		};
3778 
3779 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3780 		if (ret)
3781 			goto out_unlock;
3782 
3783 		filter_wiphy = state.filter_wiphy;
3784 
3785 		/*
3786 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3787 		 * value needed to determine that parsing is necessary.
3788 		 */
3789 		if (filter_wiphy >= 0)
3790 			cb->args[2] = filter_wiphy + 1;
3791 		else
3792 			cb->args[2] = -1;
3793 	} else if (cb->args[2] > 0) {
3794 		filter_wiphy = cb->args[2] - 1;
3795 	}
3796 
3797 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3798 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3799 			continue;
3800 		if (wp_idx < wp_start) {
3801 			wp_idx++;
3802 			continue;
3803 		}
3804 
3805 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3806 			continue;
3807 
3808 		if_idx = 0;
3809 
3810 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3811 			if (if_idx < if_start) {
3812 				if_idx++;
3813 				continue;
3814 			}
3815 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3816 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3817 					       rdev, wdev,
3818 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3819 				goto out;
3820 			}
3821 			if_idx++;
3822 		}
3823 
3824 		wp_idx++;
3825 	}
3826  out:
3827 	cb->args[0] = wp_idx;
3828 	cb->args[1] = if_idx;
3829 
3830 	ret = skb->len;
3831  out_unlock:
3832 	rtnl_unlock();
3833 
3834 	return ret;
3835 }
3836 
3837 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3838 {
3839 	struct sk_buff *msg;
3840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3841 	struct wireless_dev *wdev = info->user_ptr[1];
3842 
3843 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3844 	if (!msg)
3845 		return -ENOMEM;
3846 
3847 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3848 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3849 		nlmsg_free(msg);
3850 		return -ENOBUFS;
3851 	}
3852 
3853 	return genlmsg_reply(msg, info);
3854 }
3855 
3856 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3857 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3858 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3859 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3860 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3861 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3862 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3863 };
3864 
3865 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3866 {
3867 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3868 	int flag;
3869 
3870 	*mntrflags = 0;
3871 
3872 	if (!nla)
3873 		return -EINVAL;
3874 
3875 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3876 		return -EINVAL;
3877 
3878 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3879 		if (flags[flag])
3880 			*mntrflags |= (1<<flag);
3881 
3882 	*mntrflags |= MONITOR_FLAG_CHANGED;
3883 
3884 	return 0;
3885 }
3886 
3887 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3888 				     enum nl80211_iftype type,
3889 				     struct genl_info *info,
3890 				     struct vif_params *params)
3891 {
3892 	bool change = false;
3893 	int err;
3894 
3895 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3896 		if (type != NL80211_IFTYPE_MONITOR)
3897 			return -EINVAL;
3898 
3899 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3900 					  &params->flags);
3901 		if (err)
3902 			return err;
3903 
3904 		change = true;
3905 	}
3906 
3907 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3908 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3909 		return -EOPNOTSUPP;
3910 
3911 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3912 		const u8 *mumimo_groups;
3913 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3914 
3915 		if (type != NL80211_IFTYPE_MONITOR)
3916 			return -EINVAL;
3917 
3918 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3919 			return -EOPNOTSUPP;
3920 
3921 		mumimo_groups =
3922 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3923 
3924 		/* bits 0 and 63 are reserved and must be zero */
3925 		if ((mumimo_groups[0] & BIT(0)) ||
3926 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3927 			return -EINVAL;
3928 
3929 		params->vht_mumimo_groups = mumimo_groups;
3930 		change = true;
3931 	}
3932 
3933 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3934 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3935 
3936 		if (type != NL80211_IFTYPE_MONITOR)
3937 			return -EINVAL;
3938 
3939 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3940 			return -EOPNOTSUPP;
3941 
3942 		params->vht_mumimo_follow_addr =
3943 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3944 		change = true;
3945 	}
3946 
3947 	return change ? 1 : 0;
3948 }
3949 
3950 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3951 			       struct net_device *netdev, u8 use_4addr,
3952 			       enum nl80211_iftype iftype)
3953 {
3954 	if (!use_4addr) {
3955 		if (netdev && netif_is_bridge_port(netdev))
3956 			return -EBUSY;
3957 		return 0;
3958 	}
3959 
3960 	switch (iftype) {
3961 	case NL80211_IFTYPE_AP_VLAN:
3962 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3963 			return 0;
3964 		break;
3965 	case NL80211_IFTYPE_STATION:
3966 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3967 			return 0;
3968 		break;
3969 	default:
3970 		break;
3971 	}
3972 
3973 	return -EOPNOTSUPP;
3974 }
3975 
3976 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3977 {
3978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3979 	struct vif_params params;
3980 	int err;
3981 	enum nl80211_iftype otype, ntype;
3982 	struct net_device *dev = info->user_ptr[1];
3983 	bool change = false;
3984 
3985 	memset(&params, 0, sizeof(params));
3986 
3987 	otype = ntype = dev->ieee80211_ptr->iftype;
3988 
3989 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3990 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3991 		if (otype != ntype)
3992 			change = true;
3993 	}
3994 
3995 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3996 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3997 
3998 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3999 			return -EINVAL;
4000 		if (netif_running(dev))
4001 			return -EBUSY;
4002 
4003 		wdev_lock(wdev);
4004 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4005 			     IEEE80211_MAX_MESH_ID_LEN);
4006 		wdev->mesh_id_up_len =
4007 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4008 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4009 		       wdev->mesh_id_up_len);
4010 		wdev_unlock(wdev);
4011 	}
4012 
4013 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4014 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4015 		change = true;
4016 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4017 		if (err)
4018 			return err;
4019 	} else {
4020 		params.use_4addr = -1;
4021 	}
4022 
4023 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4024 	if (err < 0)
4025 		return err;
4026 	if (err > 0)
4027 		change = true;
4028 
4029 	if (change)
4030 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4031 	else
4032 		err = 0;
4033 
4034 	if (!err && params.use_4addr != -1)
4035 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4036 
4037 	if (change && !err) {
4038 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4039 
4040 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4041 	}
4042 
4043 	return err;
4044 }
4045 
4046 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4047 {
4048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4049 	struct vif_params params;
4050 	struct wireless_dev *wdev;
4051 	struct sk_buff *msg;
4052 	int err;
4053 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4054 
4055 	memset(&params, 0, sizeof(params));
4056 
4057 	if (!info->attrs[NL80211_ATTR_IFNAME])
4058 		return -EINVAL;
4059 
4060 	if (info->attrs[NL80211_ATTR_IFTYPE])
4061 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4062 
4063 	if (!rdev->ops->add_virtual_intf)
4064 		return -EOPNOTSUPP;
4065 
4066 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4067 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4068 	    info->attrs[NL80211_ATTR_MAC]) {
4069 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4070 			   ETH_ALEN);
4071 		if (!is_valid_ether_addr(params.macaddr))
4072 			return -EADDRNOTAVAIL;
4073 	}
4074 
4075 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4076 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4077 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4078 		if (err)
4079 			return err;
4080 	}
4081 
4082 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4083 		return -EOPNOTSUPP;
4084 
4085 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4086 	if (err < 0)
4087 		return err;
4088 
4089 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4090 	if (!msg)
4091 		return -ENOMEM;
4092 
4093 	wdev = rdev_add_virtual_intf(rdev,
4094 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4095 				NET_NAME_USER, type, &params);
4096 	if (WARN_ON(!wdev)) {
4097 		nlmsg_free(msg);
4098 		return -EPROTO;
4099 	} else if (IS_ERR(wdev)) {
4100 		nlmsg_free(msg);
4101 		return PTR_ERR(wdev);
4102 	}
4103 
4104 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4105 		wdev->owner_nlportid = info->snd_portid;
4106 
4107 	switch (type) {
4108 	case NL80211_IFTYPE_MESH_POINT:
4109 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4110 			break;
4111 		wdev_lock(wdev);
4112 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4113 			     IEEE80211_MAX_MESH_ID_LEN);
4114 		wdev->mesh_id_up_len =
4115 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4116 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4117 		       wdev->mesh_id_up_len);
4118 		wdev_unlock(wdev);
4119 		break;
4120 	case NL80211_IFTYPE_NAN:
4121 	case NL80211_IFTYPE_P2P_DEVICE:
4122 		/*
4123 		 * P2P Device and NAN do not have a netdev, so don't go
4124 		 * through the netdev notifier and must be added here
4125 		 */
4126 		cfg80211_init_wdev(wdev);
4127 		cfg80211_register_wdev(rdev, wdev);
4128 		break;
4129 	default:
4130 		break;
4131 	}
4132 
4133 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4134 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4135 		nlmsg_free(msg);
4136 		return -ENOBUFS;
4137 	}
4138 
4139 	return genlmsg_reply(msg, info);
4140 }
4141 
4142 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4143 {
4144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4145 	int ret;
4146 
4147 	/* to avoid failing a new interface creation due to pending removal */
4148 	cfg80211_destroy_ifaces(rdev);
4149 
4150 	wiphy_lock(&rdev->wiphy);
4151 	ret = _nl80211_new_interface(skb, info);
4152 	wiphy_unlock(&rdev->wiphy);
4153 
4154 	return ret;
4155 }
4156 
4157 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4158 {
4159 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4160 	struct wireless_dev *wdev = info->user_ptr[1];
4161 
4162 	if (!rdev->ops->del_virtual_intf)
4163 		return -EOPNOTSUPP;
4164 
4165 	/*
4166 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4167 	 * reach 0, and thus the rdev cannot be deleted.
4168 	 *
4169 	 * We need to do it for the dev_close(), since that will call
4170 	 * the netdev notifiers, and we need to acquire the mutex there
4171 	 * but don't know if we get there from here or from some other
4172 	 * place (e.g. "ip link set ... down").
4173 	 */
4174 	mutex_unlock(&rdev->wiphy.mtx);
4175 
4176 	/*
4177 	 * If we remove a wireless device without a netdev then clear
4178 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4179 	 * to check if it needs to do dev_put(). Otherwise it crashes
4180 	 * since the wdev has been freed, unlike with a netdev where
4181 	 * we need the dev_put() for the netdev to really be freed.
4182 	 */
4183 	if (!wdev->netdev)
4184 		info->user_ptr[1] = NULL;
4185 	else
4186 		dev_close(wdev->netdev);
4187 
4188 	mutex_lock(&rdev->wiphy.mtx);
4189 
4190 	return rdev_del_virtual_intf(rdev, wdev);
4191 }
4192 
4193 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4194 {
4195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4196 	struct net_device *dev = info->user_ptr[1];
4197 	u16 noack_map;
4198 
4199 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4200 		return -EINVAL;
4201 
4202 	if (!rdev->ops->set_noack_map)
4203 		return -EOPNOTSUPP;
4204 
4205 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4206 
4207 	return rdev_set_noack_map(rdev, dev, noack_map);
4208 }
4209 
4210 struct get_key_cookie {
4211 	struct sk_buff *msg;
4212 	int error;
4213 	int idx;
4214 };
4215 
4216 static void get_key_callback(void *c, struct key_params *params)
4217 {
4218 	struct nlattr *key;
4219 	struct get_key_cookie *cookie = c;
4220 
4221 	if ((params->key &&
4222 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4223 		     params->key_len, params->key)) ||
4224 	    (params->seq &&
4225 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4226 		     params->seq_len, params->seq)) ||
4227 	    (params->cipher &&
4228 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4229 			 params->cipher)))
4230 		goto nla_put_failure;
4231 
4232 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4233 	if (!key)
4234 		goto nla_put_failure;
4235 
4236 	if ((params->key &&
4237 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4238 		     params->key_len, params->key)) ||
4239 	    (params->seq &&
4240 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4241 		     params->seq_len, params->seq)) ||
4242 	    (params->cipher &&
4243 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4244 			 params->cipher)))
4245 		goto nla_put_failure;
4246 
4247 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4248 		goto nla_put_failure;
4249 
4250 	nla_nest_end(cookie->msg, key);
4251 
4252 	return;
4253  nla_put_failure:
4254 	cookie->error = 1;
4255 }
4256 
4257 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4258 {
4259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4260 	int err;
4261 	struct net_device *dev = info->user_ptr[1];
4262 	u8 key_idx = 0;
4263 	const u8 *mac_addr = NULL;
4264 	bool pairwise;
4265 	struct get_key_cookie cookie = {
4266 		.error = 0,
4267 	};
4268 	void *hdr;
4269 	struct sk_buff *msg;
4270 	bool bigtk_support = false;
4271 
4272 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4273 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4274 		bigtk_support = true;
4275 
4276 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4277 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4278 	    wiphy_ext_feature_isset(&rdev->wiphy,
4279 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4280 		bigtk_support = true;
4281 
4282 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4283 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4284 
4285 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4286 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4287 			return -EINVAL;
4288 		}
4289 	}
4290 
4291 	if (info->attrs[NL80211_ATTR_MAC])
4292 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4293 
4294 	pairwise = !!mac_addr;
4295 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4296 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4297 
4298 		if (kt != NL80211_KEYTYPE_GROUP &&
4299 		    kt != NL80211_KEYTYPE_PAIRWISE)
4300 			return -EINVAL;
4301 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4302 	}
4303 
4304 	if (!rdev->ops->get_key)
4305 		return -EOPNOTSUPP;
4306 
4307 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4308 		return -ENOENT;
4309 
4310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4311 	if (!msg)
4312 		return -ENOMEM;
4313 
4314 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4315 			     NL80211_CMD_NEW_KEY);
4316 	if (!hdr)
4317 		goto nla_put_failure;
4318 
4319 	cookie.msg = msg;
4320 	cookie.idx = key_idx;
4321 
4322 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4323 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4324 		goto nla_put_failure;
4325 	if (mac_addr &&
4326 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4327 		goto nla_put_failure;
4328 
4329 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4330 			   get_key_callback);
4331 
4332 	if (err)
4333 		goto free_msg;
4334 
4335 	if (cookie.error)
4336 		goto nla_put_failure;
4337 
4338 	genlmsg_end(msg, hdr);
4339 	return genlmsg_reply(msg, info);
4340 
4341  nla_put_failure:
4342 	err = -ENOBUFS;
4343  free_msg:
4344 	nlmsg_free(msg);
4345 	return err;
4346 }
4347 
4348 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4349 {
4350 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4351 	struct key_parse key;
4352 	int err;
4353 	struct net_device *dev = info->user_ptr[1];
4354 
4355 	err = nl80211_parse_key(info, &key);
4356 	if (err)
4357 		return err;
4358 
4359 	if (key.idx < 0)
4360 		return -EINVAL;
4361 
4362 	/* Only support setting default key and
4363 	 * Extended Key ID action NL80211_KEY_SET_TX.
4364 	 */
4365 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4366 	    !(key.p.mode == NL80211_KEY_SET_TX))
4367 		return -EINVAL;
4368 
4369 	wdev_lock(dev->ieee80211_ptr);
4370 
4371 	if (key.def) {
4372 		if (!rdev->ops->set_default_key) {
4373 			err = -EOPNOTSUPP;
4374 			goto out;
4375 		}
4376 
4377 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4378 		if (err)
4379 			goto out;
4380 
4381 		err = rdev_set_default_key(rdev, dev, key.idx,
4382 						 key.def_uni, key.def_multi);
4383 
4384 		if (err)
4385 			goto out;
4386 
4387 #ifdef CONFIG_CFG80211_WEXT
4388 		dev->ieee80211_ptr->wext.default_key = key.idx;
4389 #endif
4390 	} else if (key.defmgmt) {
4391 		if (key.def_uni || !key.def_multi) {
4392 			err = -EINVAL;
4393 			goto out;
4394 		}
4395 
4396 		if (!rdev->ops->set_default_mgmt_key) {
4397 			err = -EOPNOTSUPP;
4398 			goto out;
4399 		}
4400 
4401 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4402 		if (err)
4403 			goto out;
4404 
4405 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4406 		if (err)
4407 			goto out;
4408 
4409 #ifdef CONFIG_CFG80211_WEXT
4410 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4411 #endif
4412 	} else if (key.defbeacon) {
4413 		if (key.def_uni || !key.def_multi) {
4414 			err = -EINVAL;
4415 			goto out;
4416 		}
4417 
4418 		if (!rdev->ops->set_default_beacon_key) {
4419 			err = -EOPNOTSUPP;
4420 			goto out;
4421 		}
4422 
4423 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4424 		if (err)
4425 			goto out;
4426 
4427 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4428 		if (err)
4429 			goto out;
4430 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4431 		   wiphy_ext_feature_isset(&rdev->wiphy,
4432 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4433 		u8 *mac_addr = NULL;
4434 
4435 		if (info->attrs[NL80211_ATTR_MAC])
4436 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4437 
4438 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4439 			err = -EINVAL;
4440 			goto out;
4441 		}
4442 
4443 		err = rdev_add_key(rdev, dev, key.idx,
4444 				   NL80211_KEYTYPE_PAIRWISE,
4445 				   mac_addr, &key.p);
4446 	} else {
4447 		err = -EINVAL;
4448 	}
4449  out:
4450 	wdev_unlock(dev->ieee80211_ptr);
4451 
4452 	return err;
4453 }
4454 
4455 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4456 {
4457 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4458 	int err;
4459 	struct net_device *dev = info->user_ptr[1];
4460 	struct key_parse key;
4461 	const u8 *mac_addr = NULL;
4462 
4463 	err = nl80211_parse_key(info, &key);
4464 	if (err)
4465 		return err;
4466 
4467 	if (!key.p.key) {
4468 		GENL_SET_ERR_MSG(info, "no key");
4469 		return -EINVAL;
4470 	}
4471 
4472 	if (info->attrs[NL80211_ATTR_MAC])
4473 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4474 
4475 	if (key.type == -1) {
4476 		if (mac_addr)
4477 			key.type = NL80211_KEYTYPE_PAIRWISE;
4478 		else
4479 			key.type = NL80211_KEYTYPE_GROUP;
4480 	}
4481 
4482 	/* for now */
4483 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4484 	    key.type != NL80211_KEYTYPE_GROUP) {
4485 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4486 		return -EINVAL;
4487 	}
4488 
4489 	if (key.type == NL80211_KEYTYPE_GROUP &&
4490 	    info->attrs[NL80211_ATTR_VLAN_ID])
4491 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4492 
4493 	if (!rdev->ops->add_key)
4494 		return -EOPNOTSUPP;
4495 
4496 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4497 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4498 					   mac_addr)) {
4499 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4500 		return -EINVAL;
4501 	}
4502 
4503 	wdev_lock(dev->ieee80211_ptr);
4504 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4505 	if (err)
4506 		GENL_SET_ERR_MSG(info, "key not allowed");
4507 	if (!err) {
4508 		err = rdev_add_key(rdev, dev, key.idx,
4509 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4510 				    mac_addr, &key.p);
4511 		if (err)
4512 			GENL_SET_ERR_MSG(info, "key addition failed");
4513 	}
4514 	wdev_unlock(dev->ieee80211_ptr);
4515 
4516 	return err;
4517 }
4518 
4519 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4520 {
4521 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4522 	int err;
4523 	struct net_device *dev = info->user_ptr[1];
4524 	u8 *mac_addr = NULL;
4525 	struct key_parse key;
4526 
4527 	err = nl80211_parse_key(info, &key);
4528 	if (err)
4529 		return err;
4530 
4531 	if (info->attrs[NL80211_ATTR_MAC])
4532 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4533 
4534 	if (key.type == -1) {
4535 		if (mac_addr)
4536 			key.type = NL80211_KEYTYPE_PAIRWISE;
4537 		else
4538 			key.type = NL80211_KEYTYPE_GROUP;
4539 	}
4540 
4541 	/* for now */
4542 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4543 	    key.type != NL80211_KEYTYPE_GROUP)
4544 		return -EINVAL;
4545 
4546 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4547 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4548 		return -EINVAL;
4549 
4550 	if (!rdev->ops->del_key)
4551 		return -EOPNOTSUPP;
4552 
4553 	wdev_lock(dev->ieee80211_ptr);
4554 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4555 
4556 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4557 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4558 		err = -ENOENT;
4559 
4560 	if (!err)
4561 		err = rdev_del_key(rdev, dev, key.idx,
4562 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4563 				   mac_addr);
4564 
4565 #ifdef CONFIG_CFG80211_WEXT
4566 	if (!err) {
4567 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4568 			dev->ieee80211_ptr->wext.default_key = -1;
4569 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4570 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4571 	}
4572 #endif
4573 	wdev_unlock(dev->ieee80211_ptr);
4574 
4575 	return err;
4576 }
4577 
4578 /* This function returns an error or the number of nested attributes */
4579 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4580 {
4581 	struct nlattr *attr;
4582 	int n_entries = 0, tmp;
4583 
4584 	nla_for_each_nested(attr, nl_attr, tmp) {
4585 		if (nla_len(attr) != ETH_ALEN)
4586 			return -EINVAL;
4587 
4588 		n_entries++;
4589 	}
4590 
4591 	return n_entries;
4592 }
4593 
4594 /*
4595  * This function parses ACL information and allocates memory for ACL data.
4596  * On successful return, the calling function is responsible to free the
4597  * ACL buffer returned by this function.
4598  */
4599 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4600 						struct genl_info *info)
4601 {
4602 	enum nl80211_acl_policy acl_policy;
4603 	struct nlattr *attr;
4604 	struct cfg80211_acl_data *acl;
4605 	int i = 0, n_entries, tmp;
4606 
4607 	if (!wiphy->max_acl_mac_addrs)
4608 		return ERR_PTR(-EOPNOTSUPP);
4609 
4610 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4611 		return ERR_PTR(-EINVAL);
4612 
4613 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4614 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4615 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4616 		return ERR_PTR(-EINVAL);
4617 
4618 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4619 		return ERR_PTR(-EINVAL);
4620 
4621 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4622 	if (n_entries < 0)
4623 		return ERR_PTR(n_entries);
4624 
4625 	if (n_entries > wiphy->max_acl_mac_addrs)
4626 		return ERR_PTR(-ENOTSUPP);
4627 
4628 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4629 	if (!acl)
4630 		return ERR_PTR(-ENOMEM);
4631 
4632 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4633 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4634 		i++;
4635 	}
4636 
4637 	acl->n_acl_entries = n_entries;
4638 	acl->acl_policy = acl_policy;
4639 
4640 	return acl;
4641 }
4642 
4643 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4644 {
4645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4646 	struct net_device *dev = info->user_ptr[1];
4647 	struct cfg80211_acl_data *acl;
4648 	int err;
4649 
4650 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4651 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4652 		return -EOPNOTSUPP;
4653 
4654 	if (!dev->ieee80211_ptr->beacon_interval)
4655 		return -EINVAL;
4656 
4657 	acl = parse_acl_data(&rdev->wiphy, info);
4658 	if (IS_ERR(acl))
4659 		return PTR_ERR(acl);
4660 
4661 	err = rdev_set_mac_acl(rdev, dev, acl);
4662 
4663 	kfree(acl);
4664 
4665 	return err;
4666 }
4667 
4668 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4669 			   u8 *rates, u8 rates_len)
4670 {
4671 	u8 i;
4672 	u32 mask = 0;
4673 
4674 	for (i = 0; i < rates_len; i++) {
4675 		int rate = (rates[i] & 0x7f) * 5;
4676 		int ridx;
4677 
4678 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4679 			struct ieee80211_rate *srate =
4680 				&sband->bitrates[ridx];
4681 			if (rate == srate->bitrate) {
4682 				mask |= 1 << ridx;
4683 				break;
4684 			}
4685 		}
4686 		if (ridx == sband->n_bitrates)
4687 			return 0; /* rate not found */
4688 	}
4689 
4690 	return mask;
4691 }
4692 
4693 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4694 			       u8 *rates, u8 rates_len,
4695 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4696 {
4697 	u8 i;
4698 
4699 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4700 
4701 	for (i = 0; i < rates_len; i++) {
4702 		int ridx, rbit;
4703 
4704 		ridx = rates[i] / 8;
4705 		rbit = BIT(rates[i] % 8);
4706 
4707 		/* check validity */
4708 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4709 			return false;
4710 
4711 		/* check availability */
4712 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4713 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4714 			mcs[ridx] |= rbit;
4715 		else
4716 			return false;
4717 	}
4718 
4719 	return true;
4720 }
4721 
4722 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4723 {
4724 	u16 mcs_mask = 0;
4725 
4726 	switch (vht_mcs_map) {
4727 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4728 		break;
4729 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4730 		mcs_mask = 0x00FF;
4731 		break;
4732 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4733 		mcs_mask = 0x01FF;
4734 		break;
4735 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4736 		mcs_mask = 0x03FF;
4737 		break;
4738 	default:
4739 		break;
4740 	}
4741 
4742 	return mcs_mask;
4743 }
4744 
4745 static void vht_build_mcs_mask(u16 vht_mcs_map,
4746 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4747 {
4748 	u8 nss;
4749 
4750 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4751 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4752 		vht_mcs_map >>= 2;
4753 	}
4754 }
4755 
4756 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4757 			     struct nl80211_txrate_vht *txrate,
4758 			     u16 mcs[NL80211_VHT_NSS_MAX])
4759 {
4760 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4761 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4762 	u8 i;
4763 
4764 	if (!sband->vht_cap.vht_supported)
4765 		return false;
4766 
4767 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4768 
4769 	/* Build vht_mcs_mask from VHT capabilities */
4770 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4771 
4772 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4773 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4774 			mcs[i] = txrate->mcs[i];
4775 		else
4776 			return false;
4777 	}
4778 
4779 	return true;
4780 }
4781 
4782 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4783 {
4784 	switch (he_mcs_map) {
4785 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4786 		return 0;
4787 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4788 		return 0x00FF;
4789 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4790 		return 0x03FF;
4791 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4792 		return 0xFFF;
4793 	default:
4794 		break;
4795 	}
4796 	return 0;
4797 }
4798 
4799 static void he_build_mcs_mask(u16 he_mcs_map,
4800 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4801 {
4802 	u8 nss;
4803 
4804 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4805 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4806 		he_mcs_map >>= 2;
4807 	}
4808 }
4809 
4810 static u16 he_get_txmcsmap(struct genl_info *info,
4811 			   const struct ieee80211_sta_he_cap *he_cap)
4812 {
4813 	struct net_device *dev = info->user_ptr[1];
4814 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4815 	__le16	tx_mcs;
4816 
4817 	switch (wdev->chandef.width) {
4818 	case NL80211_CHAN_WIDTH_80P80:
4819 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4820 		break;
4821 	case NL80211_CHAN_WIDTH_160:
4822 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4823 		break;
4824 	default:
4825 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4826 		break;
4827 	}
4828 	return le16_to_cpu(tx_mcs);
4829 }
4830 
4831 static bool he_set_mcs_mask(struct genl_info *info,
4832 			    struct wireless_dev *wdev,
4833 			    struct ieee80211_supported_band *sband,
4834 			    struct nl80211_txrate_he *txrate,
4835 			    u16 mcs[NL80211_HE_NSS_MAX])
4836 {
4837 	const struct ieee80211_sta_he_cap *he_cap;
4838 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4839 	u16 tx_mcs_map = 0;
4840 	u8 i;
4841 
4842 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4843 	if (!he_cap)
4844 		return false;
4845 
4846 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4847 
4848 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4849 
4850 	/* Build he_mcs_mask from HE capabilities */
4851 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4852 
4853 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4854 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4855 			mcs[i] = txrate->mcs[i];
4856 		else
4857 			return false;
4858 	}
4859 
4860 	return true;
4861 }
4862 
4863 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4864 					 struct nlattr *attrs[],
4865 					 enum nl80211_attrs attr,
4866 					 struct cfg80211_bitrate_mask *mask,
4867 					 struct net_device *dev,
4868 					 bool default_all_enabled)
4869 {
4870 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4871 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4872 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4873 	int rem, i;
4874 	struct nlattr *tx_rates;
4875 	struct ieee80211_supported_band *sband;
4876 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4877 
4878 	memset(mask, 0, sizeof(*mask));
4879 	/* Default to all rates enabled */
4880 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4881 		const struct ieee80211_sta_he_cap *he_cap;
4882 
4883 		if (!default_all_enabled)
4884 			break;
4885 
4886 		sband = rdev->wiphy.bands[i];
4887 
4888 		if (!sband)
4889 			continue;
4890 
4891 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4892 		memcpy(mask->control[i].ht_mcs,
4893 		       sband->ht_cap.mcs.rx_mask,
4894 		       sizeof(mask->control[i].ht_mcs));
4895 
4896 		if (sband->vht_cap.vht_supported) {
4897 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4898 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4899 		}
4900 
4901 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4902 		if (!he_cap)
4903 			continue;
4904 
4905 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4906 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4907 
4908 		mask->control[i].he_gi = 0xFF;
4909 		mask->control[i].he_ltf = 0xFF;
4910 	}
4911 
4912 	/* if no rates are given set it back to the defaults */
4913 	if (!attrs[attr])
4914 		goto out;
4915 
4916 	/* The nested attribute uses enum nl80211_band as the index. This maps
4917 	 * directly to the enum nl80211_band values used in cfg80211.
4918 	 */
4919 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4920 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4921 		enum nl80211_band band = nla_type(tx_rates);
4922 		int err;
4923 
4924 		if (band < 0 || band >= NUM_NL80211_BANDS)
4925 			return -EINVAL;
4926 		sband = rdev->wiphy.bands[band];
4927 		if (sband == NULL)
4928 			return -EINVAL;
4929 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4930 						  tx_rates,
4931 						  nl80211_txattr_policy,
4932 						  info->extack);
4933 		if (err)
4934 			return err;
4935 		if (tb[NL80211_TXRATE_LEGACY]) {
4936 			mask->control[band].legacy = rateset_to_mask(
4937 				sband,
4938 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4939 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4940 			if ((mask->control[band].legacy == 0) &&
4941 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4942 				return -EINVAL;
4943 		}
4944 		if (tb[NL80211_TXRATE_HT]) {
4945 			if (!ht_rateset_to_mask(
4946 					sband,
4947 					nla_data(tb[NL80211_TXRATE_HT]),
4948 					nla_len(tb[NL80211_TXRATE_HT]),
4949 					mask->control[band].ht_mcs))
4950 				return -EINVAL;
4951 		}
4952 
4953 		if (tb[NL80211_TXRATE_VHT]) {
4954 			if (!vht_set_mcs_mask(
4955 					sband,
4956 					nla_data(tb[NL80211_TXRATE_VHT]),
4957 					mask->control[band].vht_mcs))
4958 				return -EINVAL;
4959 		}
4960 
4961 		if (tb[NL80211_TXRATE_GI]) {
4962 			mask->control[band].gi =
4963 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4964 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4965 				return -EINVAL;
4966 		}
4967 		if (tb[NL80211_TXRATE_HE] &&
4968 		    !he_set_mcs_mask(info, wdev, sband,
4969 				     nla_data(tb[NL80211_TXRATE_HE]),
4970 				     mask->control[band].he_mcs))
4971 			return -EINVAL;
4972 
4973 		if (tb[NL80211_TXRATE_HE_GI])
4974 			mask->control[band].he_gi =
4975 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4976 		if (tb[NL80211_TXRATE_HE_LTF])
4977 			mask->control[band].he_ltf =
4978 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4979 
4980 		if (mask->control[band].legacy == 0) {
4981 			/* don't allow empty legacy rates if HT, VHT or HE
4982 			 * are not even supported.
4983 			 */
4984 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4985 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4986 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4987 				return -EINVAL;
4988 
4989 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4990 				if (mask->control[band].ht_mcs[i])
4991 					goto out;
4992 
4993 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4994 				if (mask->control[band].vht_mcs[i])
4995 					goto out;
4996 
4997 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4998 				if (mask->control[band].he_mcs[i])
4999 					goto out;
5000 
5001 			/* legacy and mcs rates may not be both empty */
5002 			return -EINVAL;
5003 		}
5004 	}
5005 
5006 out:
5007 	return 0;
5008 }
5009 
5010 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5011 				   enum nl80211_band band,
5012 				   struct cfg80211_bitrate_mask *beacon_rate)
5013 {
5014 	u32 count_ht, count_vht, count_he, i;
5015 	u32 rate = beacon_rate->control[band].legacy;
5016 
5017 	/* Allow only one rate */
5018 	if (hweight32(rate) > 1)
5019 		return -EINVAL;
5020 
5021 	count_ht = 0;
5022 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5023 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5024 			return -EINVAL;
5025 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5026 			count_ht++;
5027 			if (count_ht > 1)
5028 				return -EINVAL;
5029 		}
5030 		if (count_ht && rate)
5031 			return -EINVAL;
5032 	}
5033 
5034 	count_vht = 0;
5035 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5036 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5037 			return -EINVAL;
5038 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5039 			count_vht++;
5040 			if (count_vht > 1)
5041 				return -EINVAL;
5042 		}
5043 		if (count_vht && rate)
5044 			return -EINVAL;
5045 	}
5046 
5047 	count_he = 0;
5048 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5049 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5050 			return -EINVAL;
5051 		} else if (beacon_rate->control[band].he_mcs[i]) {
5052 			count_he++;
5053 			if (count_he > 1)
5054 				return -EINVAL;
5055 		}
5056 		if (count_he && rate)
5057 			return -EINVAL;
5058 	}
5059 
5060 	if ((count_ht && count_vht && count_he) ||
5061 	    (!rate && !count_ht && !count_vht && !count_he))
5062 		return -EINVAL;
5063 
5064 	if (rate &&
5065 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5066 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5067 		return -EINVAL;
5068 	if (count_ht &&
5069 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5070 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5071 		return -EINVAL;
5072 	if (count_vht &&
5073 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5074 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5075 		return -EINVAL;
5076 	if (count_he &&
5077 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5078 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5079 		return -EINVAL;
5080 
5081 	return 0;
5082 }
5083 
5084 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5085 				       struct net_device *dev,
5086 				       struct nlattr *attrs,
5087 				       struct cfg80211_mbssid_config *config,
5088 				       u8 num_elems)
5089 {
5090 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5091 
5092 	if (!wiphy->mbssid_max_interfaces)
5093 		return -EOPNOTSUPP;
5094 
5095 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5096 			     NULL) ||
5097 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5098 		return -EINVAL;
5099 
5100 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5101 	if (config->ema) {
5102 		if (!wiphy->ema_max_profile_periodicity)
5103 			return -EOPNOTSUPP;
5104 
5105 		if (num_elems > wiphy->ema_max_profile_periodicity)
5106 			return -EINVAL;
5107 	}
5108 
5109 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5110 	if (config->index >= wiphy->mbssid_max_interfaces ||
5111 	    (!config->index && !num_elems))
5112 		return -EINVAL;
5113 
5114 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5115 		u32 tx_ifindex =
5116 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5117 
5118 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5119 		    (config->index && tx_ifindex == dev->ifindex))
5120 			return -EINVAL;
5121 
5122 		if (tx_ifindex != dev->ifindex) {
5123 			struct net_device *tx_netdev =
5124 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5125 
5126 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5127 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5128 			    tx_netdev->ieee80211_ptr->iftype !=
5129 							NL80211_IFTYPE_AP) {
5130 				dev_put(tx_netdev);
5131 				return -EINVAL;
5132 			}
5133 
5134 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5135 		} else {
5136 			config->tx_wdev = dev->ieee80211_ptr;
5137 		}
5138 	} else if (!config->index) {
5139 		config->tx_wdev = dev->ieee80211_ptr;
5140 	} else {
5141 		return -EINVAL;
5142 	}
5143 
5144 	return 0;
5145 }
5146 
5147 static struct cfg80211_mbssid_elems *
5148 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5149 {
5150 	struct nlattr *nl_elems;
5151 	struct cfg80211_mbssid_elems *elems;
5152 	int rem_elems;
5153 	u8 i = 0, num_elems = 0;
5154 
5155 	if (!wiphy->mbssid_max_interfaces)
5156 		return ERR_PTR(-EINVAL);
5157 
5158 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5159 		num_elems++;
5160 
5161 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5162 	if (!elems)
5163 		return ERR_PTR(-ENOMEM);
5164 
5165 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5166 		elems->elem[i].data = nla_data(nl_elems);
5167 		elems->elem[i].len = nla_len(nl_elems);
5168 		i++;
5169 	}
5170 	elems->cnt = num_elems;
5171 	return elems;
5172 }
5173 
5174 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5175 				struct nlattr *attrs[],
5176 				struct cfg80211_beacon_data *bcn)
5177 {
5178 	bool haveinfo = false;
5179 	int err;
5180 
5181 	memset(bcn, 0, sizeof(*bcn));
5182 
5183 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5184 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5185 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5186 		if (!bcn->head_len)
5187 			return -EINVAL;
5188 		haveinfo = true;
5189 	}
5190 
5191 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5192 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5193 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5194 		haveinfo = true;
5195 	}
5196 
5197 	if (!haveinfo)
5198 		return -EINVAL;
5199 
5200 	if (attrs[NL80211_ATTR_IE]) {
5201 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5202 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5203 	}
5204 
5205 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5206 		bcn->proberesp_ies =
5207 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5208 		bcn->proberesp_ies_len =
5209 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5210 	}
5211 
5212 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5213 		bcn->assocresp_ies =
5214 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5215 		bcn->assocresp_ies_len =
5216 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5217 	}
5218 
5219 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5220 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5221 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5222 	}
5223 
5224 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5225 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5226 
5227 		err = nla_parse_nested_deprecated(tb,
5228 						  NL80211_FTM_RESP_ATTR_MAX,
5229 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5230 						  NULL, NULL);
5231 		if (err)
5232 			return err;
5233 
5234 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5235 		    wiphy_ext_feature_isset(&rdev->wiphy,
5236 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5237 			bcn->ftm_responder = 1;
5238 		else
5239 			return -EOPNOTSUPP;
5240 
5241 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5242 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5243 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5244 		}
5245 
5246 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5247 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5248 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5249 		}
5250 	} else {
5251 		bcn->ftm_responder = -1;
5252 	}
5253 
5254 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5255 		struct cfg80211_mbssid_elems *mbssid =
5256 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5257 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5258 
5259 		if (IS_ERR(mbssid))
5260 			return PTR_ERR(mbssid);
5261 
5262 		bcn->mbssid_ies = mbssid;
5263 	}
5264 
5265 	return 0;
5266 }
5267 
5268 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5269 				    struct ieee80211_he_obss_pd *he_obss_pd)
5270 {
5271 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5272 	int err;
5273 
5274 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5275 			       he_obss_pd_policy, NULL);
5276 	if (err)
5277 		return err;
5278 
5279 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5280 		return -EINVAL;
5281 
5282 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5283 
5284 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5285 		he_obss_pd->min_offset =
5286 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5287 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5288 		he_obss_pd->max_offset =
5289 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5290 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5291 		he_obss_pd->non_srg_max_offset =
5292 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5293 
5294 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5295 		return -EINVAL;
5296 
5297 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5298 		memcpy(he_obss_pd->bss_color_bitmap,
5299 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5300 		       sizeof(he_obss_pd->bss_color_bitmap));
5301 
5302 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5303 		memcpy(he_obss_pd->partial_bssid_bitmap,
5304 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5305 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5306 
5307 	he_obss_pd->enable = true;
5308 
5309 	return 0;
5310 }
5311 
5312 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5313 				      struct cfg80211_he_bss_color *he_bss_color)
5314 {
5315 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5316 	int err;
5317 
5318 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5319 			       he_bss_color_policy, NULL);
5320 	if (err)
5321 		return err;
5322 
5323 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5324 		return -EINVAL;
5325 
5326 	he_bss_color->color =
5327 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5328 	he_bss_color->enabled =
5329 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5330 	he_bss_color->partial =
5331 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5332 
5333 	return 0;
5334 }
5335 
5336 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5337 					struct nlattr *attrs,
5338 					struct cfg80211_ap_settings *params)
5339 {
5340 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5341 	int ret;
5342 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5343 
5344 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5345 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5346 		return -EINVAL;
5347 
5348 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5349 			       NULL, NULL);
5350 	if (ret)
5351 		return ret;
5352 
5353 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5354 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5355 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5356 		return -EINVAL;
5357 
5358 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5359 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5360 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5361 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5362 
5363 	return 0;
5364 }
5365 
5366 static int
5367 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5368 				     struct nlattr *attrs,
5369 				     struct cfg80211_ap_settings *params)
5370 {
5371 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5372 	int ret;
5373 	struct cfg80211_unsol_bcast_probe_resp *presp =
5374 					&params->unsol_bcast_probe_resp;
5375 
5376 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5377 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5378 		return -EINVAL;
5379 
5380 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5381 			       attrs, NULL, NULL);
5382 	if (ret)
5383 		return ret;
5384 
5385 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5386 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5387 		return -EINVAL;
5388 
5389 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5390 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5391 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5392 	return 0;
5393 }
5394 
5395 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5396 					    const struct element *rates)
5397 {
5398 	int i;
5399 
5400 	if (!rates)
5401 		return;
5402 
5403 	for (i = 0; i < rates->datalen; i++) {
5404 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5405 			params->ht_required = true;
5406 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5407 			params->vht_required = true;
5408 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5409 			params->he_required = true;
5410 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5411 			params->sae_h2e_required = true;
5412 	}
5413 }
5414 
5415 /*
5416  * Since the nl80211 API didn't include, from the beginning, attributes about
5417  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5418  * benefit of drivers that rebuild IEs in the firmware.
5419  */
5420 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5421 {
5422 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5423 	size_t ies_len = bcn->tail_len;
5424 	const u8 *ies = bcn->tail;
5425 	const struct element *rates;
5426 	const struct element *cap;
5427 
5428 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5429 	nl80211_check_ap_rate_selectors(params, rates);
5430 
5431 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5432 	nl80211_check_ap_rate_selectors(params, rates);
5433 
5434 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5435 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5436 		params->ht_cap = (void *)cap->data;
5437 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5438 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5439 		params->vht_cap = (void *)cap->data;
5440 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5441 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5442 		params->he_cap = (void *)(cap->data + 1);
5443 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5444 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5445 		params->he_oper = (void *)(cap->data + 1);
5446 }
5447 
5448 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5449 				   struct cfg80211_ap_settings *params)
5450 {
5451 	struct wireless_dev *wdev;
5452 	bool ret = false;
5453 
5454 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5455 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5456 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5457 			continue;
5458 
5459 		if (!wdev->preset_chandef.chan)
5460 			continue;
5461 
5462 		params->chandef = wdev->preset_chandef;
5463 		ret = true;
5464 		break;
5465 	}
5466 
5467 	return ret;
5468 }
5469 
5470 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5471 				    enum nl80211_auth_type auth_type,
5472 				    enum nl80211_commands cmd)
5473 {
5474 	if (auth_type > NL80211_AUTHTYPE_MAX)
5475 		return false;
5476 
5477 	switch (cmd) {
5478 	case NL80211_CMD_AUTHENTICATE:
5479 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5480 		    auth_type == NL80211_AUTHTYPE_SAE)
5481 			return false;
5482 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5483 					     NL80211_EXT_FEATURE_FILS_STA) &&
5484 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5485 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5486 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5487 			return false;
5488 		return true;
5489 	case NL80211_CMD_CONNECT:
5490 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5491 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5492 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5493 		    auth_type == NL80211_AUTHTYPE_SAE)
5494 			return false;
5495 
5496 		/* FILS with SK PFS or PK not supported yet */
5497 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5498 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5499 			return false;
5500 		if (!wiphy_ext_feature_isset(
5501 			    &rdev->wiphy,
5502 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5503 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5504 			return false;
5505 		return true;
5506 	case NL80211_CMD_START_AP:
5507 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5508 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5509 		    auth_type == NL80211_AUTHTYPE_SAE)
5510 			return false;
5511 		/* FILS not supported yet */
5512 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5513 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5514 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5515 			return false;
5516 		return true;
5517 	default:
5518 		return false;
5519 	}
5520 }
5521 
5522 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5523 {
5524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5525 	struct net_device *dev = info->user_ptr[1];
5526 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5527 	struct cfg80211_ap_settings *params;
5528 	int err;
5529 
5530 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5531 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5532 		return -EOPNOTSUPP;
5533 
5534 	if (!rdev->ops->start_ap)
5535 		return -EOPNOTSUPP;
5536 
5537 	if (wdev->beacon_interval)
5538 		return -EALREADY;
5539 
5540 	/* these are required for START_AP */
5541 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5542 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5543 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5544 		return -EINVAL;
5545 
5546 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5547 	if (!params)
5548 		return -ENOMEM;
5549 
5550 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5551 	if (err)
5552 		goto out;
5553 
5554 	params->beacon_interval =
5555 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5556 	params->dtim_period =
5557 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5558 
5559 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5560 					   params->beacon_interval);
5561 	if (err)
5562 		goto out;
5563 
5564 	/*
5565 	 * In theory, some of these attributes should be required here
5566 	 * but since they were not used when the command was originally
5567 	 * added, keep them optional for old user space programs to let
5568 	 * them continue to work with drivers that do not need the
5569 	 * additional information -- drivers must check!
5570 	 */
5571 	if (info->attrs[NL80211_ATTR_SSID]) {
5572 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5573 		params->ssid_len =
5574 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5575 		if (params->ssid_len == 0) {
5576 			err = -EINVAL;
5577 			goto out;
5578 		}
5579 	}
5580 
5581 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5582 		params->hidden_ssid = nla_get_u32(
5583 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5584 
5585 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5586 
5587 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5588 		params->auth_type = nla_get_u32(
5589 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5590 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5591 					     NL80211_CMD_START_AP)) {
5592 			err = -EINVAL;
5593 			goto out;
5594 		}
5595 	} else
5596 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5597 
5598 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5599 				      NL80211_MAX_NR_CIPHER_SUITES);
5600 	if (err)
5601 		goto out;
5602 
5603 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5604 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5605 			err = -EOPNOTSUPP;
5606 			goto out;
5607 		}
5608 		params->inactivity_timeout = nla_get_u16(
5609 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5610 	}
5611 
5612 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5613 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5614 			err = -EINVAL;
5615 			goto out;
5616 		}
5617 		params->p2p_ctwindow =
5618 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5619 		if (params->p2p_ctwindow != 0 &&
5620 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5621 			err = -EINVAL;
5622 			goto out;
5623 		}
5624 	}
5625 
5626 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5627 		u8 tmp;
5628 
5629 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5630 			err = -EINVAL;
5631 			goto out;
5632 		}
5633 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5634 		params->p2p_opp_ps = tmp;
5635 		if (params->p2p_opp_ps != 0 &&
5636 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5637 			err = -EINVAL;
5638 			goto out;
5639 		}
5640 	}
5641 
5642 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5643 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5644 		if (err)
5645 			goto out;
5646 	} else if (wdev->preset_chandef.chan) {
5647 		params->chandef = wdev->preset_chandef;
5648 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5649 		err = -EINVAL;
5650 		goto out;
5651 	}
5652 
5653 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5654 					   wdev->iftype)) {
5655 		err = -EINVAL;
5656 		goto out;
5657 	}
5658 
5659 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5660 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5661 						    NL80211_ATTR_TX_RATES,
5662 						    &params->beacon_rate,
5663 						    dev, false);
5664 		if (err)
5665 			goto out;
5666 
5667 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5668 					      &params->beacon_rate);
5669 		if (err)
5670 			goto out;
5671 	}
5672 
5673 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5674 		params->smps_mode =
5675 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5676 		switch (params->smps_mode) {
5677 		case NL80211_SMPS_OFF:
5678 			break;
5679 		case NL80211_SMPS_STATIC:
5680 			if (!(rdev->wiphy.features &
5681 			      NL80211_FEATURE_STATIC_SMPS)) {
5682 				err = -EINVAL;
5683 				goto out;
5684 			}
5685 			break;
5686 		case NL80211_SMPS_DYNAMIC:
5687 			if (!(rdev->wiphy.features &
5688 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5689 				err = -EINVAL;
5690 				goto out;
5691 			}
5692 			break;
5693 		default:
5694 			err = -EINVAL;
5695 			goto out;
5696 		}
5697 	} else {
5698 		params->smps_mode = NL80211_SMPS_OFF;
5699 	}
5700 
5701 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5702 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5703 		err = -EOPNOTSUPP;
5704 		goto out;
5705 	}
5706 
5707 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5708 		params->acl = parse_acl_data(&rdev->wiphy, info);
5709 		if (IS_ERR(params->acl)) {
5710 			err = PTR_ERR(params->acl);
5711 			params->acl = NULL;
5712 			goto out;
5713 		}
5714 	}
5715 
5716 	params->twt_responder =
5717 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5718 
5719 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5720 		err = nl80211_parse_he_obss_pd(
5721 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5722 					&params->he_obss_pd);
5723 		if (err)
5724 			goto out;
5725 	}
5726 
5727 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5728 		err = nl80211_parse_he_bss_color(
5729 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5730 					&params->he_bss_color);
5731 		if (err)
5732 			goto out;
5733 	}
5734 
5735 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5736 		err = nl80211_parse_fils_discovery(rdev,
5737 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5738 						   params);
5739 		if (err)
5740 			goto out;
5741 	}
5742 
5743 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5744 		err = nl80211_parse_unsol_bcast_probe_resp(
5745 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5746 			params);
5747 		if (err)
5748 			goto out;
5749 	}
5750 
5751 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5752 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5753 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5754 						  &params->mbssid_config,
5755 						  params->beacon.mbssid_ies ?
5756 							params->beacon.mbssid_ies->cnt :
5757 							0);
5758 		if (err)
5759 			goto out;
5760 	}
5761 
5762 	nl80211_calculate_ap_params(params);
5763 
5764 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5765 		params->flags = nla_get_u32(
5766 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5767 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5768 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5769 
5770 	wdev_lock(wdev);
5771 	err = rdev_start_ap(rdev, dev, params);
5772 	if (!err) {
5773 		wdev->preset_chandef = params->chandef;
5774 		wdev->beacon_interval = params->beacon_interval;
5775 		wdev->chandef = params->chandef;
5776 		wdev->ssid_len = params->ssid_len;
5777 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5778 
5779 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5780 			wdev->conn_owner_nlportid = info->snd_portid;
5781 	}
5782 	wdev_unlock(wdev);
5783 
5784 out:
5785 	kfree(params->acl);
5786 	kfree(params->beacon.mbssid_ies);
5787 	if (params->mbssid_config.tx_wdev &&
5788 	    params->mbssid_config.tx_wdev->netdev &&
5789 	    params->mbssid_config.tx_wdev->netdev != dev)
5790 		dev_put(params->mbssid_config.tx_wdev->netdev);
5791 	kfree(params);
5792 
5793 	return err;
5794 }
5795 
5796 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5797 {
5798 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5799 	struct net_device *dev = info->user_ptr[1];
5800 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5801 	struct cfg80211_beacon_data params;
5802 	int err;
5803 
5804 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5805 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5806 		return -EOPNOTSUPP;
5807 
5808 	if (!rdev->ops->change_beacon)
5809 		return -EOPNOTSUPP;
5810 
5811 	if (!wdev->beacon_interval)
5812 		return -EINVAL;
5813 
5814 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5815 	if (err)
5816 		goto out;
5817 
5818 	wdev_lock(wdev);
5819 	err = rdev_change_beacon(rdev, dev, &params);
5820 	wdev_unlock(wdev);
5821 
5822 out:
5823 	kfree(params.mbssid_ies);
5824 	return err;
5825 }
5826 
5827 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5828 {
5829 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5830 	struct net_device *dev = info->user_ptr[1];
5831 
5832 	return cfg80211_stop_ap(rdev, dev, false);
5833 }
5834 
5835 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5836 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5837 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5838 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5839 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5840 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5841 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5842 };
5843 
5844 static int parse_station_flags(struct genl_info *info,
5845 			       enum nl80211_iftype iftype,
5846 			       struct station_parameters *params)
5847 {
5848 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5849 	struct nlattr *nla;
5850 	int flag;
5851 
5852 	/*
5853 	 * Try parsing the new attribute first so userspace
5854 	 * can specify both for older kernels.
5855 	 */
5856 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5857 	if (nla) {
5858 		struct nl80211_sta_flag_update *sta_flags;
5859 
5860 		sta_flags = nla_data(nla);
5861 		params->sta_flags_mask = sta_flags->mask;
5862 		params->sta_flags_set = sta_flags->set;
5863 		params->sta_flags_set &= params->sta_flags_mask;
5864 		if ((params->sta_flags_mask |
5865 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5866 			return -EINVAL;
5867 		return 0;
5868 	}
5869 
5870 	/* if present, parse the old attribute */
5871 
5872 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5873 	if (!nla)
5874 		return 0;
5875 
5876 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5877 		return -EINVAL;
5878 
5879 	/*
5880 	 * Only allow certain flags for interface types so that
5881 	 * other attributes are silently ignored. Remember that
5882 	 * this is backward compatibility code with old userspace
5883 	 * and shouldn't be hit in other cases anyway.
5884 	 */
5885 	switch (iftype) {
5886 	case NL80211_IFTYPE_AP:
5887 	case NL80211_IFTYPE_AP_VLAN:
5888 	case NL80211_IFTYPE_P2P_GO:
5889 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5890 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5891 					 BIT(NL80211_STA_FLAG_WME) |
5892 					 BIT(NL80211_STA_FLAG_MFP);
5893 		break;
5894 	case NL80211_IFTYPE_P2P_CLIENT:
5895 	case NL80211_IFTYPE_STATION:
5896 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5897 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5898 		break;
5899 	case NL80211_IFTYPE_MESH_POINT:
5900 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5901 					 BIT(NL80211_STA_FLAG_MFP) |
5902 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5903 		break;
5904 	default:
5905 		return -EINVAL;
5906 	}
5907 
5908 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5909 		if (flags[flag]) {
5910 			params->sta_flags_set |= (1<<flag);
5911 
5912 			/* no longer support new API additions in old API */
5913 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5914 				return -EINVAL;
5915 		}
5916 	}
5917 
5918 	return 0;
5919 }
5920 
5921 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5922 {
5923 	struct nlattr *rate;
5924 	u32 bitrate;
5925 	u16 bitrate_compat;
5926 	enum nl80211_rate_info rate_flg;
5927 
5928 	rate = nla_nest_start_noflag(msg, attr);
5929 	if (!rate)
5930 		return false;
5931 
5932 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5933 	bitrate = cfg80211_calculate_bitrate(info);
5934 	/* report 16-bit bitrate only if we can */
5935 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5936 	if (bitrate > 0 &&
5937 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5938 		return false;
5939 	if (bitrate_compat > 0 &&
5940 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5941 		return false;
5942 
5943 	switch (info->bw) {
5944 	case RATE_INFO_BW_5:
5945 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5946 		break;
5947 	case RATE_INFO_BW_10:
5948 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5949 		break;
5950 	default:
5951 		WARN_ON(1);
5952 		fallthrough;
5953 	case RATE_INFO_BW_20:
5954 		rate_flg = 0;
5955 		break;
5956 	case RATE_INFO_BW_40:
5957 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5958 		break;
5959 	case RATE_INFO_BW_80:
5960 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5961 		break;
5962 	case RATE_INFO_BW_160:
5963 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5964 		break;
5965 	case RATE_INFO_BW_HE_RU:
5966 		rate_flg = 0;
5967 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5968 		break;
5969 	case RATE_INFO_BW_320:
5970 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
5971 		break;
5972 	case RATE_INFO_BW_EHT_RU:
5973 		rate_flg = 0;
5974 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
5975 		break;
5976 	}
5977 
5978 	if (rate_flg && nla_put_flag(msg, rate_flg))
5979 		return false;
5980 
5981 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5982 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5983 			return false;
5984 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5985 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5986 			return false;
5987 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5988 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5989 			return false;
5990 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5991 			return false;
5992 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5993 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5994 			return false;
5995 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5996 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5997 			return false;
5998 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5999 			return false;
6000 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6001 			return false;
6002 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6003 			return false;
6004 		if (info->bw == RATE_INFO_BW_HE_RU &&
6005 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6006 			       info->he_ru_alloc))
6007 			return false;
6008 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6009 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6010 			return false;
6011 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6012 			return false;
6013 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6014 			return false;
6015 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6016 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6017 			       info->eht_ru_alloc))
6018 			return false;
6019 	}
6020 
6021 	nla_nest_end(msg, rate);
6022 	return true;
6023 }
6024 
6025 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6026 			       int id)
6027 {
6028 	void *attr;
6029 	int i = 0;
6030 
6031 	if (!mask)
6032 		return true;
6033 
6034 	attr = nla_nest_start_noflag(msg, id);
6035 	if (!attr)
6036 		return false;
6037 
6038 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6039 		if (!(mask & BIT(i)))
6040 			continue;
6041 
6042 		if (nla_put_u8(msg, i, signal[i]))
6043 			return false;
6044 	}
6045 
6046 	nla_nest_end(msg, attr);
6047 
6048 	return true;
6049 }
6050 
6051 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6052 				u32 seq, int flags,
6053 				struct cfg80211_registered_device *rdev,
6054 				struct net_device *dev,
6055 				const u8 *mac_addr, struct station_info *sinfo)
6056 {
6057 	void *hdr;
6058 	struct nlattr *sinfoattr, *bss_param;
6059 
6060 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6061 	if (!hdr) {
6062 		cfg80211_sinfo_release_content(sinfo);
6063 		return -1;
6064 	}
6065 
6066 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6067 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6068 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6069 		goto nla_put_failure;
6070 
6071 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6072 	if (!sinfoattr)
6073 		goto nla_put_failure;
6074 
6075 #define PUT_SINFO(attr, memb, type) do {				\
6076 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6077 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6078 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6079 			     sinfo->memb))				\
6080 		goto nla_put_failure;					\
6081 	} while (0)
6082 #define PUT_SINFO_U64(attr, memb) do {					\
6083 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6084 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6085 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6086 		goto nla_put_failure;					\
6087 	} while (0)
6088 
6089 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6090 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6091 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6092 
6093 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6094 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6095 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6096 			(u32)sinfo->rx_bytes))
6097 		goto nla_put_failure;
6098 
6099 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6100 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6101 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6102 			(u32)sinfo->tx_bytes))
6103 		goto nla_put_failure;
6104 
6105 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6106 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6107 	PUT_SINFO(LLID, llid, u16);
6108 	PUT_SINFO(PLID, plid, u16);
6109 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6110 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6111 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6112 
6113 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6114 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6115 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6116 
6117 	switch (rdev->wiphy.signal_type) {
6118 	case CFG80211_SIGNAL_TYPE_MBM:
6119 		PUT_SINFO(SIGNAL, signal, u8);
6120 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6121 		break;
6122 	default:
6123 		break;
6124 	}
6125 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6126 		if (!nl80211_put_signal(msg, sinfo->chains,
6127 					sinfo->chain_signal,
6128 					NL80211_STA_INFO_CHAIN_SIGNAL))
6129 			goto nla_put_failure;
6130 	}
6131 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6132 		if (!nl80211_put_signal(msg, sinfo->chains,
6133 					sinfo->chain_signal_avg,
6134 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6135 			goto nla_put_failure;
6136 	}
6137 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6138 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6139 					  NL80211_STA_INFO_TX_BITRATE))
6140 			goto nla_put_failure;
6141 	}
6142 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6143 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6144 					  NL80211_STA_INFO_RX_BITRATE))
6145 			goto nla_put_failure;
6146 	}
6147 
6148 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6149 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6150 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6151 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6152 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6153 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6154 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6155 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6156 	PUT_SINFO(PEER_PM, peer_pm, u32);
6157 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6158 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6159 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6160 
6161 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6162 		bss_param = nla_nest_start_noflag(msg,
6163 						  NL80211_STA_INFO_BSS_PARAM);
6164 		if (!bss_param)
6165 			goto nla_put_failure;
6166 
6167 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6168 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6169 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6170 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6171 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6172 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6173 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6174 			       sinfo->bss_param.dtim_period) ||
6175 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6176 				sinfo->bss_param.beacon_interval))
6177 			goto nla_put_failure;
6178 
6179 		nla_nest_end(msg, bss_param);
6180 	}
6181 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6182 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6183 		    sizeof(struct nl80211_sta_flag_update),
6184 		    &sinfo->sta_flags))
6185 		goto nla_put_failure;
6186 
6187 	PUT_SINFO_U64(T_OFFSET, t_offset);
6188 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6189 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6190 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6191 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6192 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6193 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6194 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6195 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6196 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6197 	}
6198 
6199 #undef PUT_SINFO
6200 #undef PUT_SINFO_U64
6201 
6202 	if (sinfo->pertid) {
6203 		struct nlattr *tidsattr;
6204 		int tid;
6205 
6206 		tidsattr = nla_nest_start_noflag(msg,
6207 						 NL80211_STA_INFO_TID_STATS);
6208 		if (!tidsattr)
6209 			goto nla_put_failure;
6210 
6211 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6212 			struct cfg80211_tid_stats *tidstats;
6213 			struct nlattr *tidattr;
6214 
6215 			tidstats = &sinfo->pertid[tid];
6216 
6217 			if (!tidstats->filled)
6218 				continue;
6219 
6220 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6221 			if (!tidattr)
6222 				goto nla_put_failure;
6223 
6224 #define PUT_TIDVAL_U64(attr, memb) do {					\
6225 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6226 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6227 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6228 		goto nla_put_failure;					\
6229 	} while (0)
6230 
6231 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6232 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6233 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6234 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6235 
6236 #undef PUT_TIDVAL_U64
6237 			if ((tidstats->filled &
6238 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6239 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6240 						   NL80211_TID_STATS_TXQ_STATS))
6241 				goto nla_put_failure;
6242 
6243 			nla_nest_end(msg, tidattr);
6244 		}
6245 
6246 		nla_nest_end(msg, tidsattr);
6247 	}
6248 
6249 	nla_nest_end(msg, sinfoattr);
6250 
6251 	if (sinfo->assoc_req_ies_len &&
6252 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6253 		    sinfo->assoc_req_ies))
6254 		goto nla_put_failure;
6255 
6256 	cfg80211_sinfo_release_content(sinfo);
6257 	genlmsg_end(msg, hdr);
6258 	return 0;
6259 
6260  nla_put_failure:
6261 	cfg80211_sinfo_release_content(sinfo);
6262 	genlmsg_cancel(msg, hdr);
6263 	return -EMSGSIZE;
6264 }
6265 
6266 static int nl80211_dump_station(struct sk_buff *skb,
6267 				struct netlink_callback *cb)
6268 {
6269 	struct station_info sinfo;
6270 	struct cfg80211_registered_device *rdev;
6271 	struct wireless_dev *wdev;
6272 	u8 mac_addr[ETH_ALEN];
6273 	int sta_idx = cb->args[2];
6274 	int err;
6275 
6276 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6277 	if (err)
6278 		return err;
6279 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6280 	__acquire(&rdev->wiphy.mtx);
6281 
6282 	if (!wdev->netdev) {
6283 		err = -EINVAL;
6284 		goto out_err;
6285 	}
6286 
6287 	if (!rdev->ops->dump_station) {
6288 		err = -EOPNOTSUPP;
6289 		goto out_err;
6290 	}
6291 
6292 	while (1) {
6293 		memset(&sinfo, 0, sizeof(sinfo));
6294 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6295 					mac_addr, &sinfo);
6296 		if (err == -ENOENT)
6297 			break;
6298 		if (err)
6299 			goto out_err;
6300 
6301 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6302 				NETLINK_CB(cb->skb).portid,
6303 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6304 				rdev, wdev->netdev, mac_addr,
6305 				&sinfo) < 0)
6306 			goto out;
6307 
6308 		sta_idx++;
6309 	}
6310 
6311  out:
6312 	cb->args[2] = sta_idx;
6313 	err = skb->len;
6314  out_err:
6315 	wiphy_unlock(&rdev->wiphy);
6316 
6317 	return err;
6318 }
6319 
6320 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6321 {
6322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6323 	struct net_device *dev = info->user_ptr[1];
6324 	struct station_info sinfo;
6325 	struct sk_buff *msg;
6326 	u8 *mac_addr = NULL;
6327 	int err;
6328 
6329 	memset(&sinfo, 0, sizeof(sinfo));
6330 
6331 	if (!info->attrs[NL80211_ATTR_MAC])
6332 		return -EINVAL;
6333 
6334 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6335 
6336 	if (!rdev->ops->get_station)
6337 		return -EOPNOTSUPP;
6338 
6339 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6340 	if (err)
6341 		return err;
6342 
6343 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6344 	if (!msg) {
6345 		cfg80211_sinfo_release_content(&sinfo);
6346 		return -ENOMEM;
6347 	}
6348 
6349 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6350 				 info->snd_portid, info->snd_seq, 0,
6351 				 rdev, dev, mac_addr, &sinfo) < 0) {
6352 		nlmsg_free(msg);
6353 		return -ENOBUFS;
6354 	}
6355 
6356 	return genlmsg_reply(msg, info);
6357 }
6358 
6359 int cfg80211_check_station_change(struct wiphy *wiphy,
6360 				  struct station_parameters *params,
6361 				  enum cfg80211_station_type statype)
6362 {
6363 	if (params->listen_interval != -1 &&
6364 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6365 		return -EINVAL;
6366 
6367 	if (params->support_p2p_ps != -1 &&
6368 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6369 		return -EINVAL;
6370 
6371 	if (params->aid &&
6372 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6373 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6374 		return -EINVAL;
6375 
6376 	/* When you run into this, adjust the code below for the new flag */
6377 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6378 
6379 	switch (statype) {
6380 	case CFG80211_STA_MESH_PEER_KERNEL:
6381 	case CFG80211_STA_MESH_PEER_USER:
6382 		/*
6383 		 * No ignoring the TDLS flag here -- the userspace mesh
6384 		 * code doesn't have the bug of including TDLS in the
6385 		 * mask everywhere.
6386 		 */
6387 		if (params->sta_flags_mask &
6388 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6389 				  BIT(NL80211_STA_FLAG_MFP) |
6390 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6391 			return -EINVAL;
6392 		break;
6393 	case CFG80211_STA_TDLS_PEER_SETUP:
6394 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6395 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6396 			return -EINVAL;
6397 		/* ignore since it can't change */
6398 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6399 		break;
6400 	default:
6401 		/* disallow mesh-specific things */
6402 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6403 			return -EINVAL;
6404 		if (params->local_pm)
6405 			return -EINVAL;
6406 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6407 			return -EINVAL;
6408 	}
6409 
6410 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6411 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6412 		/* TDLS can't be set, ... */
6413 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6414 			return -EINVAL;
6415 		/*
6416 		 * ... but don't bother the driver with it. This works around
6417 		 * a hostapd/wpa_supplicant issue -- it always includes the
6418 		 * TLDS_PEER flag in the mask even for AP mode.
6419 		 */
6420 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6421 	}
6422 
6423 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6424 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6425 		/* reject other things that can't change */
6426 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6427 			return -EINVAL;
6428 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6429 			return -EINVAL;
6430 		if (params->supported_rates)
6431 			return -EINVAL;
6432 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6433 		    params->he_capa || params->eht_capa)
6434 			return -EINVAL;
6435 	}
6436 
6437 	if (statype != CFG80211_STA_AP_CLIENT &&
6438 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6439 		if (params->vlan)
6440 			return -EINVAL;
6441 	}
6442 
6443 	switch (statype) {
6444 	case CFG80211_STA_AP_MLME_CLIENT:
6445 		/* Use this only for authorizing/unauthorizing a station */
6446 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6447 			return -EOPNOTSUPP;
6448 		break;
6449 	case CFG80211_STA_AP_CLIENT:
6450 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6451 		/* accept only the listed bits */
6452 		if (params->sta_flags_mask &
6453 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6454 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6455 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6456 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6457 				  BIT(NL80211_STA_FLAG_WME) |
6458 				  BIT(NL80211_STA_FLAG_MFP)))
6459 			return -EINVAL;
6460 
6461 		/* but authenticated/associated only if driver handles it */
6462 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6463 		    params->sta_flags_mask &
6464 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6465 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6466 			return -EINVAL;
6467 		break;
6468 	case CFG80211_STA_IBSS:
6469 	case CFG80211_STA_AP_STA:
6470 		/* reject any changes other than AUTHORIZED */
6471 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6472 			return -EINVAL;
6473 		break;
6474 	case CFG80211_STA_TDLS_PEER_SETUP:
6475 		/* reject any changes other than AUTHORIZED or WME */
6476 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6477 					       BIT(NL80211_STA_FLAG_WME)))
6478 			return -EINVAL;
6479 		/* force (at least) rates when authorizing */
6480 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6481 		    !params->supported_rates)
6482 			return -EINVAL;
6483 		break;
6484 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6485 		/* reject any changes */
6486 		return -EINVAL;
6487 	case CFG80211_STA_MESH_PEER_KERNEL:
6488 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6489 			return -EINVAL;
6490 		break;
6491 	case CFG80211_STA_MESH_PEER_USER:
6492 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6493 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6494 			return -EINVAL;
6495 		break;
6496 	}
6497 
6498 	/*
6499 	 * Older kernel versions ignored this attribute entirely, so don't
6500 	 * reject attempts to update it but mark it as unused instead so the
6501 	 * driver won't look at the data.
6502 	 */
6503 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6504 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6505 		params->opmode_notif_used = false;
6506 
6507 	return 0;
6508 }
6509 EXPORT_SYMBOL(cfg80211_check_station_change);
6510 
6511 /*
6512  * Get vlan interface making sure it is running and on the right wiphy.
6513  */
6514 static struct net_device *get_vlan(struct genl_info *info,
6515 				   struct cfg80211_registered_device *rdev)
6516 {
6517 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6518 	struct net_device *v;
6519 	int ret;
6520 
6521 	if (!vlanattr)
6522 		return NULL;
6523 
6524 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6525 	if (!v)
6526 		return ERR_PTR(-ENODEV);
6527 
6528 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6529 		ret = -EINVAL;
6530 		goto error;
6531 	}
6532 
6533 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6534 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6535 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6536 		ret = -EINVAL;
6537 		goto error;
6538 	}
6539 
6540 	if (!netif_running(v)) {
6541 		ret = -ENETDOWN;
6542 		goto error;
6543 	}
6544 
6545 	return v;
6546  error:
6547 	dev_put(v);
6548 	return ERR_PTR(ret);
6549 }
6550 
6551 static const struct nla_policy
6552 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6553 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6554 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6555 };
6556 
6557 static int nl80211_parse_sta_wme(struct genl_info *info,
6558 				 struct station_parameters *params)
6559 {
6560 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6561 	struct nlattr *nla;
6562 	int err;
6563 
6564 	/* parse WME attributes if present */
6565 	if (!info->attrs[NL80211_ATTR_STA_WME])
6566 		return 0;
6567 
6568 	nla = info->attrs[NL80211_ATTR_STA_WME];
6569 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6570 					  nl80211_sta_wme_policy,
6571 					  info->extack);
6572 	if (err)
6573 		return err;
6574 
6575 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6576 		params->uapsd_queues = nla_get_u8(
6577 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6578 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6579 		return -EINVAL;
6580 
6581 	if (tb[NL80211_STA_WME_MAX_SP])
6582 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6583 
6584 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6585 		return -EINVAL;
6586 
6587 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6588 
6589 	return 0;
6590 }
6591 
6592 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6593 				      struct station_parameters *params)
6594 {
6595 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6596 		params->supported_channels =
6597 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6598 		params->supported_channels_len =
6599 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6600 		/*
6601 		 * Need to include at least one (first channel, number of
6602 		 * channels) tuple for each subband (checked in policy),
6603 		 * and must have proper tuples for the rest of the data as well.
6604 		 */
6605 		if (params->supported_channels_len % 2)
6606 			return -EINVAL;
6607 	}
6608 
6609 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6610 		params->supported_oper_classes =
6611 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6612 		params->supported_oper_classes_len =
6613 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6614 	}
6615 	return 0;
6616 }
6617 
6618 static int nl80211_set_station_tdls(struct genl_info *info,
6619 				    struct station_parameters *params)
6620 {
6621 	int err;
6622 	/* Dummy STA entry gets updated once the peer capabilities are known */
6623 	if (info->attrs[NL80211_ATTR_PEER_AID])
6624 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6625 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6626 		params->ht_capa =
6627 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6628 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6629 		params->vht_capa =
6630 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6631 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6632 		params->he_capa =
6633 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6634 		params->he_capa_len =
6635 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6636 
6637 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6638 			params->eht_capa =
6639 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6640 			params->eht_capa_len =
6641 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6642 
6643 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_capa,
6644 							(const u8 *)params->eht_capa,
6645 							params->eht_capa_len))
6646 				return -EINVAL;
6647 		}
6648 	}
6649 
6650 	err = nl80211_parse_sta_channel_info(info, params);
6651 	if (err)
6652 		return err;
6653 
6654 	return nl80211_parse_sta_wme(info, params);
6655 }
6656 
6657 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6658 					     struct station_parameters *params)
6659 {
6660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6661 	int idx;
6662 
6663 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6664 		if (!rdev->ops->set_tx_power ||
6665 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6666 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6667 			return -EOPNOTSUPP;
6668 
6669 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6670 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6671 
6672 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6673 			idx = NL80211_ATTR_STA_TX_POWER;
6674 
6675 			if (info->attrs[idx])
6676 				params->txpwr.power =
6677 					nla_get_s16(info->attrs[idx]);
6678 			else
6679 				return -EINVAL;
6680 		}
6681 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6682 	}
6683 
6684 	return 0;
6685 }
6686 
6687 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6688 {
6689 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6690 	struct net_device *dev = info->user_ptr[1];
6691 	struct station_parameters params;
6692 	u8 *mac_addr;
6693 	int err;
6694 
6695 	memset(&params, 0, sizeof(params));
6696 
6697 	if (!rdev->ops->change_station)
6698 		return -EOPNOTSUPP;
6699 
6700 	/*
6701 	 * AID and listen_interval properties can be set only for unassociated
6702 	 * station. Include these parameters here and will check them in
6703 	 * cfg80211_check_station_change().
6704 	 */
6705 	if (info->attrs[NL80211_ATTR_STA_AID])
6706 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6707 
6708 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6709 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6710 
6711 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6712 		params.listen_interval =
6713 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6714 	else
6715 		params.listen_interval = -1;
6716 
6717 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6718 		params.support_p2p_ps =
6719 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6720 	else
6721 		params.support_p2p_ps = -1;
6722 
6723 	if (!info->attrs[NL80211_ATTR_MAC])
6724 		return -EINVAL;
6725 
6726 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6727 
6728 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6729 		params.supported_rates =
6730 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6731 		params.supported_rates_len =
6732 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6733 	}
6734 
6735 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6736 		params.capability =
6737 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6738 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6739 	}
6740 
6741 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6742 		params.ext_capab =
6743 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6744 		params.ext_capab_len =
6745 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6746 	}
6747 
6748 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6749 		return -EINVAL;
6750 
6751 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6752 		params.plink_action =
6753 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6754 
6755 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6756 		params.plink_state =
6757 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6758 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6759 			params.peer_aid = nla_get_u16(
6760 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6761 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6762 	}
6763 
6764 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6765 		params.local_pm = nla_get_u32(
6766 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6767 
6768 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6769 		params.opmode_notif_used = true;
6770 		params.opmode_notif =
6771 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6772 	}
6773 
6774 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6775 		params.he_6ghz_capa =
6776 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6777 
6778 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6779 		params.airtime_weight =
6780 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6781 
6782 	if (params.airtime_weight &&
6783 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6784 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6785 		return -EOPNOTSUPP;
6786 
6787 	err = nl80211_parse_sta_txpower_setting(info, &params);
6788 	if (err)
6789 		return err;
6790 
6791 	/* Include parameters for TDLS peer (will check later) */
6792 	err = nl80211_set_station_tdls(info, &params);
6793 	if (err)
6794 		return err;
6795 
6796 	params.vlan = get_vlan(info, rdev);
6797 	if (IS_ERR(params.vlan))
6798 		return PTR_ERR(params.vlan);
6799 
6800 	switch (dev->ieee80211_ptr->iftype) {
6801 	case NL80211_IFTYPE_AP:
6802 	case NL80211_IFTYPE_AP_VLAN:
6803 	case NL80211_IFTYPE_P2P_GO:
6804 	case NL80211_IFTYPE_P2P_CLIENT:
6805 	case NL80211_IFTYPE_STATION:
6806 	case NL80211_IFTYPE_ADHOC:
6807 	case NL80211_IFTYPE_MESH_POINT:
6808 		break;
6809 	default:
6810 		err = -EOPNOTSUPP;
6811 		goto out_put_vlan;
6812 	}
6813 
6814 	/* driver will call cfg80211_check_station_change() */
6815 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6816 
6817  out_put_vlan:
6818 	dev_put(params.vlan);
6819 
6820 	return err;
6821 }
6822 
6823 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6824 {
6825 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6826 	int err;
6827 	struct net_device *dev = info->user_ptr[1];
6828 	struct station_parameters params;
6829 	u8 *mac_addr = NULL;
6830 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6831 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6832 
6833 	memset(&params, 0, sizeof(params));
6834 
6835 	if (!rdev->ops->add_station)
6836 		return -EOPNOTSUPP;
6837 
6838 	if (!info->attrs[NL80211_ATTR_MAC])
6839 		return -EINVAL;
6840 
6841 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6842 		return -EINVAL;
6843 
6844 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6845 		return -EINVAL;
6846 
6847 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6848 	    !info->attrs[NL80211_ATTR_PEER_AID])
6849 		return -EINVAL;
6850 
6851 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6852 	params.supported_rates =
6853 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6854 	params.supported_rates_len =
6855 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6856 	params.listen_interval =
6857 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6858 
6859 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6860 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6861 
6862 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6863 		params.support_p2p_ps =
6864 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6865 	} else {
6866 		/*
6867 		 * if not specified, assume it's supported for P2P GO interface,
6868 		 * and is NOT supported for AP interface
6869 		 */
6870 		params.support_p2p_ps =
6871 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6872 	}
6873 
6874 	if (info->attrs[NL80211_ATTR_PEER_AID])
6875 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6876 	else
6877 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6878 
6879 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6880 		params.capability =
6881 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6882 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6883 	}
6884 
6885 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6886 		params.ext_capab =
6887 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6888 		params.ext_capab_len =
6889 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6890 	}
6891 
6892 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6893 		params.ht_capa =
6894 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6895 
6896 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6897 		params.vht_capa =
6898 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6899 
6900 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6901 		params.he_capa =
6902 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6903 		params.he_capa_len =
6904 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6905 
6906 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6907 			params.eht_capa =
6908 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6909 			params.eht_capa_len =
6910 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6911 
6912 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
6913 							(const u8 *)params.eht_capa,
6914 							params.eht_capa_len))
6915 				return -EINVAL;
6916 		}
6917 	}
6918 
6919 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6920 		params.he_6ghz_capa =
6921 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6922 
6923 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6924 		params.opmode_notif_used = true;
6925 		params.opmode_notif =
6926 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6927 	}
6928 
6929 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6930 		params.plink_action =
6931 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6932 
6933 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6934 		params.airtime_weight =
6935 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6936 
6937 	if (params.airtime_weight &&
6938 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6939 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6940 		return -EOPNOTSUPP;
6941 
6942 	err = nl80211_parse_sta_txpower_setting(info, &params);
6943 	if (err)
6944 		return err;
6945 
6946 	err = nl80211_parse_sta_channel_info(info, &params);
6947 	if (err)
6948 		return err;
6949 
6950 	err = nl80211_parse_sta_wme(info, &params);
6951 	if (err)
6952 		return err;
6953 
6954 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6955 		return -EINVAL;
6956 
6957 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6958 	 * as userspace might just pass through the capabilities from the IEs
6959 	 * directly, rather than enforcing this restriction and returning an
6960 	 * error in this case.
6961 	 */
6962 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6963 		params.ht_capa = NULL;
6964 		params.vht_capa = NULL;
6965 
6966 		/* HE and EHT require WME */
6967 		if (params.he_capa_len || params.he_6ghz_capa ||
6968 		    params.eht_capa_len)
6969 			return -EINVAL;
6970 	}
6971 
6972 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6973 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6974 		return -EINVAL;
6975 
6976 	/* When you run into this, adjust the code below for the new flag */
6977 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6978 
6979 	switch (dev->ieee80211_ptr->iftype) {
6980 	case NL80211_IFTYPE_AP:
6981 	case NL80211_IFTYPE_AP_VLAN:
6982 	case NL80211_IFTYPE_P2P_GO:
6983 		/* ignore WME attributes if iface/sta is not capable */
6984 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6985 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6986 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6987 
6988 		/* TDLS peers cannot be added */
6989 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6990 		    info->attrs[NL80211_ATTR_PEER_AID])
6991 			return -EINVAL;
6992 		/* but don't bother the driver with it */
6993 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6994 
6995 		/* allow authenticated/associated only if driver handles it */
6996 		if (!(rdev->wiphy.features &
6997 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6998 		    params.sta_flags_mask & auth_assoc)
6999 			return -EINVAL;
7000 
7001 		/* Older userspace, or userspace wanting to be compatible with
7002 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7003 		 * and assoc flags in the mask, but assumes the station will be
7004 		 * added as associated anyway since this was the required driver
7005 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7006 		 * introduced.
7007 		 * In order to not bother drivers with this quirk in the API
7008 		 * set the flags in both the mask and set for new stations in
7009 		 * this case.
7010 		 */
7011 		if (!(params.sta_flags_mask & auth_assoc)) {
7012 			params.sta_flags_mask |= auth_assoc;
7013 			params.sta_flags_set |= auth_assoc;
7014 		}
7015 
7016 		/* must be last in here for error handling */
7017 		params.vlan = get_vlan(info, rdev);
7018 		if (IS_ERR(params.vlan))
7019 			return PTR_ERR(params.vlan);
7020 		break;
7021 	case NL80211_IFTYPE_MESH_POINT:
7022 		/* ignore uAPSD data */
7023 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7024 
7025 		/* associated is disallowed */
7026 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7027 			return -EINVAL;
7028 		/* TDLS peers cannot be added */
7029 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7030 		    info->attrs[NL80211_ATTR_PEER_AID])
7031 			return -EINVAL;
7032 		break;
7033 	case NL80211_IFTYPE_STATION:
7034 	case NL80211_IFTYPE_P2P_CLIENT:
7035 		/* ignore uAPSD data */
7036 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7037 
7038 		/* these are disallowed */
7039 		if (params.sta_flags_mask &
7040 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7041 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7042 			return -EINVAL;
7043 		/* Only TDLS peers can be added */
7044 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7045 			return -EINVAL;
7046 		/* Can only add if TDLS ... */
7047 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7048 			return -EOPNOTSUPP;
7049 		/* ... with external setup is supported */
7050 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7051 			return -EOPNOTSUPP;
7052 		/*
7053 		 * Older wpa_supplicant versions always mark the TDLS peer
7054 		 * as authorized, but it shouldn't yet be.
7055 		 */
7056 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7057 		break;
7058 	default:
7059 		return -EOPNOTSUPP;
7060 	}
7061 
7062 	/* be aware of params.vlan when changing code here */
7063 
7064 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7065 
7066 	dev_put(params.vlan);
7067 	return err;
7068 }
7069 
7070 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7071 {
7072 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7073 	struct net_device *dev = info->user_ptr[1];
7074 	struct station_del_parameters params;
7075 
7076 	memset(&params, 0, sizeof(params));
7077 
7078 	if (info->attrs[NL80211_ATTR_MAC])
7079 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7080 
7081 	switch (dev->ieee80211_ptr->iftype) {
7082 	case NL80211_IFTYPE_AP:
7083 	case NL80211_IFTYPE_AP_VLAN:
7084 	case NL80211_IFTYPE_MESH_POINT:
7085 	case NL80211_IFTYPE_P2P_GO:
7086 		/* always accept these */
7087 		break;
7088 	case NL80211_IFTYPE_ADHOC:
7089 		/* conditionally accept */
7090 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7091 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7092 			break;
7093 		return -EINVAL;
7094 	default:
7095 		return -EINVAL;
7096 	}
7097 
7098 	if (!rdev->ops->del_station)
7099 		return -EOPNOTSUPP;
7100 
7101 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7102 		params.subtype =
7103 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7104 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7105 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7106 			return -EINVAL;
7107 	} else {
7108 		/* Default to Deauthentication frame */
7109 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7110 	}
7111 
7112 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7113 		params.reason_code =
7114 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7115 		if (params.reason_code == 0)
7116 			return -EINVAL; /* 0 is reserved */
7117 	} else {
7118 		/* Default to reason code 2 */
7119 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7120 	}
7121 
7122 	return rdev_del_station(rdev, dev, &params);
7123 }
7124 
7125 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7126 				int flags, struct net_device *dev,
7127 				u8 *dst, u8 *next_hop,
7128 				struct mpath_info *pinfo)
7129 {
7130 	void *hdr;
7131 	struct nlattr *pinfoattr;
7132 
7133 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7134 	if (!hdr)
7135 		return -1;
7136 
7137 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7138 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7139 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7140 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7141 		goto nla_put_failure;
7142 
7143 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7144 	if (!pinfoattr)
7145 		goto nla_put_failure;
7146 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7147 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7148 			pinfo->frame_qlen))
7149 		goto nla_put_failure;
7150 	if (((pinfo->filled & MPATH_INFO_SN) &&
7151 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7152 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7153 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7154 			 pinfo->metric)) ||
7155 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7156 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7157 			 pinfo->exptime)) ||
7158 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7159 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7160 			pinfo->flags)) ||
7161 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7162 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7163 			 pinfo->discovery_timeout)) ||
7164 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7165 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7166 			pinfo->discovery_retries)) ||
7167 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7168 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7169 			pinfo->hop_count)) ||
7170 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7171 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7172 			 pinfo->path_change_count)))
7173 		goto nla_put_failure;
7174 
7175 	nla_nest_end(msg, pinfoattr);
7176 
7177 	genlmsg_end(msg, hdr);
7178 	return 0;
7179 
7180  nla_put_failure:
7181 	genlmsg_cancel(msg, hdr);
7182 	return -EMSGSIZE;
7183 }
7184 
7185 static int nl80211_dump_mpath(struct sk_buff *skb,
7186 			      struct netlink_callback *cb)
7187 {
7188 	struct mpath_info pinfo;
7189 	struct cfg80211_registered_device *rdev;
7190 	struct wireless_dev *wdev;
7191 	u8 dst[ETH_ALEN];
7192 	u8 next_hop[ETH_ALEN];
7193 	int path_idx = cb->args[2];
7194 	int err;
7195 
7196 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7197 	if (err)
7198 		return err;
7199 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7200 	__acquire(&rdev->wiphy.mtx);
7201 
7202 	if (!rdev->ops->dump_mpath) {
7203 		err = -EOPNOTSUPP;
7204 		goto out_err;
7205 	}
7206 
7207 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7208 		err = -EOPNOTSUPP;
7209 		goto out_err;
7210 	}
7211 
7212 	while (1) {
7213 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7214 				      next_hop, &pinfo);
7215 		if (err == -ENOENT)
7216 			break;
7217 		if (err)
7218 			goto out_err;
7219 
7220 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7221 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7222 				       wdev->netdev, dst, next_hop,
7223 				       &pinfo) < 0)
7224 			goto out;
7225 
7226 		path_idx++;
7227 	}
7228 
7229  out:
7230 	cb->args[2] = path_idx;
7231 	err = skb->len;
7232  out_err:
7233 	wiphy_unlock(&rdev->wiphy);
7234 	return err;
7235 }
7236 
7237 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7238 {
7239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7240 	int err;
7241 	struct net_device *dev = info->user_ptr[1];
7242 	struct mpath_info pinfo;
7243 	struct sk_buff *msg;
7244 	u8 *dst = NULL;
7245 	u8 next_hop[ETH_ALEN];
7246 
7247 	memset(&pinfo, 0, sizeof(pinfo));
7248 
7249 	if (!info->attrs[NL80211_ATTR_MAC])
7250 		return -EINVAL;
7251 
7252 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7253 
7254 	if (!rdev->ops->get_mpath)
7255 		return -EOPNOTSUPP;
7256 
7257 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7258 		return -EOPNOTSUPP;
7259 
7260 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7261 	if (err)
7262 		return err;
7263 
7264 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7265 	if (!msg)
7266 		return -ENOMEM;
7267 
7268 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7269 				 dev, dst, next_hop, &pinfo) < 0) {
7270 		nlmsg_free(msg);
7271 		return -ENOBUFS;
7272 	}
7273 
7274 	return genlmsg_reply(msg, info);
7275 }
7276 
7277 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7278 {
7279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7280 	struct net_device *dev = info->user_ptr[1];
7281 	u8 *dst = NULL;
7282 	u8 *next_hop = NULL;
7283 
7284 	if (!info->attrs[NL80211_ATTR_MAC])
7285 		return -EINVAL;
7286 
7287 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7288 		return -EINVAL;
7289 
7290 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7291 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7292 
7293 	if (!rdev->ops->change_mpath)
7294 		return -EOPNOTSUPP;
7295 
7296 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7297 		return -EOPNOTSUPP;
7298 
7299 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7300 }
7301 
7302 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7303 {
7304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7305 	struct net_device *dev = info->user_ptr[1];
7306 	u8 *dst = NULL;
7307 	u8 *next_hop = NULL;
7308 
7309 	if (!info->attrs[NL80211_ATTR_MAC])
7310 		return -EINVAL;
7311 
7312 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7313 		return -EINVAL;
7314 
7315 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7316 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7317 
7318 	if (!rdev->ops->add_mpath)
7319 		return -EOPNOTSUPP;
7320 
7321 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7322 		return -EOPNOTSUPP;
7323 
7324 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7325 }
7326 
7327 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7328 {
7329 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7330 	struct net_device *dev = info->user_ptr[1];
7331 	u8 *dst = NULL;
7332 
7333 	if (info->attrs[NL80211_ATTR_MAC])
7334 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7335 
7336 	if (!rdev->ops->del_mpath)
7337 		return -EOPNOTSUPP;
7338 
7339 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7340 		return -EOPNOTSUPP;
7341 
7342 	return rdev_del_mpath(rdev, dev, dst);
7343 }
7344 
7345 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7346 {
7347 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7348 	int err;
7349 	struct net_device *dev = info->user_ptr[1];
7350 	struct mpath_info pinfo;
7351 	struct sk_buff *msg;
7352 	u8 *dst = NULL;
7353 	u8 mpp[ETH_ALEN];
7354 
7355 	memset(&pinfo, 0, sizeof(pinfo));
7356 
7357 	if (!info->attrs[NL80211_ATTR_MAC])
7358 		return -EINVAL;
7359 
7360 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7361 
7362 	if (!rdev->ops->get_mpp)
7363 		return -EOPNOTSUPP;
7364 
7365 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7366 		return -EOPNOTSUPP;
7367 
7368 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7369 	if (err)
7370 		return err;
7371 
7372 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7373 	if (!msg)
7374 		return -ENOMEM;
7375 
7376 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7377 			       dev, dst, mpp, &pinfo) < 0) {
7378 		nlmsg_free(msg);
7379 		return -ENOBUFS;
7380 	}
7381 
7382 	return genlmsg_reply(msg, info);
7383 }
7384 
7385 static int nl80211_dump_mpp(struct sk_buff *skb,
7386 			    struct netlink_callback *cb)
7387 {
7388 	struct mpath_info pinfo;
7389 	struct cfg80211_registered_device *rdev;
7390 	struct wireless_dev *wdev;
7391 	u8 dst[ETH_ALEN];
7392 	u8 mpp[ETH_ALEN];
7393 	int path_idx = cb->args[2];
7394 	int err;
7395 
7396 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7397 	if (err)
7398 		return err;
7399 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7400 	__acquire(&rdev->wiphy.mtx);
7401 
7402 	if (!rdev->ops->dump_mpp) {
7403 		err = -EOPNOTSUPP;
7404 		goto out_err;
7405 	}
7406 
7407 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7408 		err = -EOPNOTSUPP;
7409 		goto out_err;
7410 	}
7411 
7412 	while (1) {
7413 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7414 				    mpp, &pinfo);
7415 		if (err == -ENOENT)
7416 			break;
7417 		if (err)
7418 			goto out_err;
7419 
7420 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7421 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7422 				       wdev->netdev, dst, mpp,
7423 				       &pinfo) < 0)
7424 			goto out;
7425 
7426 		path_idx++;
7427 	}
7428 
7429  out:
7430 	cb->args[2] = path_idx;
7431 	err = skb->len;
7432  out_err:
7433 	wiphy_unlock(&rdev->wiphy);
7434 	return err;
7435 }
7436 
7437 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7438 {
7439 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7440 	struct net_device *dev = info->user_ptr[1];
7441 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7442 	struct bss_parameters params;
7443 	int err;
7444 
7445 	memset(&params, 0, sizeof(params));
7446 	/* default to not changing parameters */
7447 	params.use_cts_prot = -1;
7448 	params.use_short_preamble = -1;
7449 	params.use_short_slot_time = -1;
7450 	params.ap_isolate = -1;
7451 	params.ht_opmode = -1;
7452 	params.p2p_ctwindow = -1;
7453 	params.p2p_opp_ps = -1;
7454 
7455 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7456 		params.use_cts_prot =
7457 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7458 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7459 		params.use_short_preamble =
7460 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7461 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7462 		params.use_short_slot_time =
7463 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7464 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7465 		params.basic_rates =
7466 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7467 		params.basic_rates_len =
7468 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7469 	}
7470 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7471 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7472 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7473 		params.ht_opmode =
7474 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7475 
7476 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7477 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7478 			return -EINVAL;
7479 		params.p2p_ctwindow =
7480 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7481 		if (params.p2p_ctwindow != 0 &&
7482 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7483 			return -EINVAL;
7484 	}
7485 
7486 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7487 		u8 tmp;
7488 
7489 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7490 			return -EINVAL;
7491 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7492 		params.p2p_opp_ps = tmp;
7493 		if (params.p2p_opp_ps &&
7494 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7495 			return -EINVAL;
7496 	}
7497 
7498 	if (!rdev->ops->change_bss)
7499 		return -EOPNOTSUPP;
7500 
7501 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7502 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7503 		return -EOPNOTSUPP;
7504 
7505 	wdev_lock(wdev);
7506 	err = rdev_change_bss(rdev, dev, &params);
7507 	wdev_unlock(wdev);
7508 
7509 	return err;
7510 }
7511 
7512 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7513 {
7514 	char *data = NULL;
7515 	bool is_indoor;
7516 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7517 	u32 owner_nlportid;
7518 
7519 	/*
7520 	 * You should only get this when cfg80211 hasn't yet initialized
7521 	 * completely when built-in to the kernel right between the time
7522 	 * window between nl80211_init() and regulatory_init(), if that is
7523 	 * even possible.
7524 	 */
7525 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7526 		return -EINPROGRESS;
7527 
7528 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7529 		user_reg_hint_type =
7530 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7531 	else
7532 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7533 
7534 	switch (user_reg_hint_type) {
7535 	case NL80211_USER_REG_HINT_USER:
7536 	case NL80211_USER_REG_HINT_CELL_BASE:
7537 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7538 			return -EINVAL;
7539 
7540 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7541 		return regulatory_hint_user(data, user_reg_hint_type);
7542 	case NL80211_USER_REG_HINT_INDOOR:
7543 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7544 			owner_nlportid = info->snd_portid;
7545 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7546 		} else {
7547 			owner_nlportid = 0;
7548 			is_indoor = true;
7549 		}
7550 
7551 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7552 	default:
7553 		return -EINVAL;
7554 	}
7555 }
7556 
7557 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7558 {
7559 	return reg_reload_regdb();
7560 }
7561 
7562 static int nl80211_get_mesh_config(struct sk_buff *skb,
7563 				   struct genl_info *info)
7564 {
7565 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7566 	struct net_device *dev = info->user_ptr[1];
7567 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7568 	struct mesh_config cur_params;
7569 	int err = 0;
7570 	void *hdr;
7571 	struct nlattr *pinfoattr;
7572 	struct sk_buff *msg;
7573 
7574 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7575 		return -EOPNOTSUPP;
7576 
7577 	if (!rdev->ops->get_mesh_config)
7578 		return -EOPNOTSUPP;
7579 
7580 	wdev_lock(wdev);
7581 	/* If not connected, get default parameters */
7582 	if (!wdev->mesh_id_len)
7583 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7584 	else
7585 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7586 	wdev_unlock(wdev);
7587 
7588 	if (err)
7589 		return err;
7590 
7591 	/* Draw up a netlink message to send back */
7592 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7593 	if (!msg)
7594 		return -ENOMEM;
7595 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7596 			     NL80211_CMD_GET_MESH_CONFIG);
7597 	if (!hdr)
7598 		goto out;
7599 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7600 	if (!pinfoattr)
7601 		goto nla_put_failure;
7602 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7603 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7604 			cur_params.dot11MeshRetryTimeout) ||
7605 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7606 			cur_params.dot11MeshConfirmTimeout) ||
7607 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7608 			cur_params.dot11MeshHoldingTimeout) ||
7609 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7610 			cur_params.dot11MeshMaxPeerLinks) ||
7611 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7612 		       cur_params.dot11MeshMaxRetries) ||
7613 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7614 		       cur_params.dot11MeshTTL) ||
7615 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7616 		       cur_params.element_ttl) ||
7617 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7618 		       cur_params.auto_open_plinks) ||
7619 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7620 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7621 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7622 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7623 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7624 			cur_params.path_refresh_time) ||
7625 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7626 			cur_params.min_discovery_timeout) ||
7627 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7628 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7629 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7630 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7631 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7632 			cur_params.dot11MeshHWMPperrMinInterval) ||
7633 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7634 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7635 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7636 		       cur_params.dot11MeshHWMPRootMode) ||
7637 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7638 			cur_params.dot11MeshHWMPRannInterval) ||
7639 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7640 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7641 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7642 		       cur_params.dot11MeshForwarding) ||
7643 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7644 			cur_params.rssi_threshold) ||
7645 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7646 			cur_params.ht_opmode) ||
7647 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7648 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7649 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7650 			cur_params.dot11MeshHWMProotInterval) ||
7651 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7652 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7653 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7654 			cur_params.power_mode) ||
7655 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7656 			cur_params.dot11MeshAwakeWindowDuration) ||
7657 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7658 			cur_params.plink_timeout) ||
7659 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7660 		       cur_params.dot11MeshConnectedToMeshGate) ||
7661 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7662 		       cur_params.dot11MeshNolearn) ||
7663 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7664 		       cur_params.dot11MeshConnectedToAuthServer))
7665 		goto nla_put_failure;
7666 	nla_nest_end(msg, pinfoattr);
7667 	genlmsg_end(msg, hdr);
7668 	return genlmsg_reply(msg, info);
7669 
7670  nla_put_failure:
7671  out:
7672 	nlmsg_free(msg);
7673 	return -ENOBUFS;
7674 }
7675 
7676 static const struct nla_policy
7677 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7678 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7679 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7680 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7681 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7682 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7683 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7684 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7685 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7686 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7687 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7688 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7689 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7690 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7691 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7692 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7693 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7694 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7695 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7696 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7697 		NLA_POLICY_MIN(NLA_U16, 1),
7698 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7699 		NLA_POLICY_MIN(NLA_U16, 1),
7700 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7701 		NLA_POLICY_MIN(NLA_U16, 1),
7702 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7703 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7704 		NLA_POLICY_MIN(NLA_U16, 1),
7705 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7706 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7707 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7708 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7709 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7710 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7711 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7712 		NLA_POLICY_MIN(NLA_U16, 1),
7713 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7714 		NLA_POLICY_MIN(NLA_U16, 1),
7715 	[NL80211_MESHCONF_POWER_MODE] =
7716 		NLA_POLICY_RANGE(NLA_U32,
7717 				 NL80211_MESH_POWER_ACTIVE,
7718 				 NL80211_MESH_POWER_MAX),
7719 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7720 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7721 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7722 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7723 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7724 };
7725 
7726 static const struct nla_policy
7727 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7728 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7729 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7730 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7731 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7732 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7733 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7734 	[NL80211_MESH_SETUP_IE] =
7735 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7736 				       IEEE80211_MAX_DATA_LEN),
7737 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7738 };
7739 
7740 static int nl80211_parse_mesh_config(struct genl_info *info,
7741 				     struct mesh_config *cfg,
7742 				     u32 *mask_out)
7743 {
7744 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7745 	u32 mask = 0;
7746 	u16 ht_opmode;
7747 
7748 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7749 do {									\
7750 	if (tb[attr]) {							\
7751 		cfg->param = fn(tb[attr]);				\
7752 		mask |= BIT((attr) - 1);				\
7753 	}								\
7754 } while (0)
7755 
7756 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7757 		return -EINVAL;
7758 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7759 		return -EINVAL;
7760 
7761 	/* This makes sure that there aren't more than 32 mesh config
7762 	 * parameters (otherwise our bitfield scheme would not work.) */
7763 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7764 
7765 	/* Fill in the params struct */
7766 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7767 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7768 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7769 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7770 				  nla_get_u16);
7771 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7772 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7773 				  nla_get_u16);
7774 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7775 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7776 				  nla_get_u16);
7777 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7778 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7779 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7780 				  NL80211_MESHCONF_TTL, nla_get_u8);
7781 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7782 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7783 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7784 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7785 				  nla_get_u8);
7786 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7787 				  mask,
7788 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7789 				  nla_get_u32);
7790 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7791 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7792 				  nla_get_u8);
7793 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7794 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7795 				  nla_get_u32);
7796 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7797 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7798 		return -EINVAL;
7799 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7800 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7801 				  nla_get_u16);
7802 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7803 				  mask,
7804 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7805 				  nla_get_u32);
7806 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7807 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7808 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7809 		return -EINVAL;
7810 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7811 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7812 				  nla_get_u16);
7813 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7814 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7815 				  nla_get_u16);
7816 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7817 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7818 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7819 				  nla_get_u16);
7820 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7821 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7822 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7823 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7824 				  nla_get_u16);
7825 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7826 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7827 				  nla_get_u8);
7828 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7829 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7830 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7831 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7832 				  nla_get_s32);
7833 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7834 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7835 				  nla_get_u8);
7836 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7837 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7838 				  nla_get_u8);
7839 	/*
7840 	 * Check HT operation mode based on
7841 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7842 	 */
7843 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7844 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7845 
7846 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7847 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7848 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7849 			return -EINVAL;
7850 
7851 		/* NON_HT_STA bit is reserved, but some programs set it */
7852 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7853 
7854 		cfg->ht_opmode = ht_opmode;
7855 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7856 	}
7857 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7858 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7859 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7860 				  nla_get_u32);
7861 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7862 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7863 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7864 		return -EINVAL;
7865 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7866 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7867 				  nla_get_u16);
7868 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7869 				  mask,
7870 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7871 				  nla_get_u16);
7872 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7873 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7874 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7875 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7876 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7877 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7878 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7879 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7880 	if (mask_out)
7881 		*mask_out = mask;
7882 
7883 	return 0;
7884 
7885 #undef FILL_IN_MESH_PARAM_IF_SET
7886 }
7887 
7888 static int nl80211_parse_mesh_setup(struct genl_info *info,
7889 				     struct mesh_setup *setup)
7890 {
7891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7892 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7893 
7894 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7895 		return -EINVAL;
7896 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7897 		return -EINVAL;
7898 
7899 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7900 		setup->sync_method =
7901 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7902 		 IEEE80211_SYNC_METHOD_VENDOR :
7903 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7904 
7905 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7906 		setup->path_sel_proto =
7907 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7908 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7909 		 IEEE80211_PATH_PROTOCOL_HWMP;
7910 
7911 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7912 		setup->path_metric =
7913 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7914 		 IEEE80211_PATH_METRIC_VENDOR :
7915 		 IEEE80211_PATH_METRIC_AIRTIME;
7916 
7917 	if (tb[NL80211_MESH_SETUP_IE]) {
7918 		struct nlattr *ieattr =
7919 			tb[NL80211_MESH_SETUP_IE];
7920 		setup->ie = nla_data(ieattr);
7921 		setup->ie_len = nla_len(ieattr);
7922 	}
7923 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7924 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7925 		return -EINVAL;
7926 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7927 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7928 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7929 	if (setup->is_secure)
7930 		setup->user_mpm = true;
7931 
7932 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7933 		if (!setup->user_mpm)
7934 			return -EINVAL;
7935 		setup->auth_id =
7936 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7937 	}
7938 
7939 	return 0;
7940 }
7941 
7942 static int nl80211_update_mesh_config(struct sk_buff *skb,
7943 				      struct genl_info *info)
7944 {
7945 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7946 	struct net_device *dev = info->user_ptr[1];
7947 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7948 	struct mesh_config cfg;
7949 	u32 mask;
7950 	int err;
7951 
7952 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7953 		return -EOPNOTSUPP;
7954 
7955 	if (!rdev->ops->update_mesh_config)
7956 		return -EOPNOTSUPP;
7957 
7958 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7959 	if (err)
7960 		return err;
7961 
7962 	wdev_lock(wdev);
7963 	if (!wdev->mesh_id_len)
7964 		err = -ENOLINK;
7965 
7966 	if (!err)
7967 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7968 
7969 	wdev_unlock(wdev);
7970 
7971 	return err;
7972 }
7973 
7974 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7975 			      struct sk_buff *msg)
7976 {
7977 	struct nlattr *nl_reg_rules;
7978 	unsigned int i;
7979 
7980 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7981 	    (regdom->dfs_region &&
7982 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7983 		goto nla_put_failure;
7984 
7985 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7986 	if (!nl_reg_rules)
7987 		goto nla_put_failure;
7988 
7989 	for (i = 0; i < regdom->n_reg_rules; i++) {
7990 		struct nlattr *nl_reg_rule;
7991 		const struct ieee80211_reg_rule *reg_rule;
7992 		const struct ieee80211_freq_range *freq_range;
7993 		const struct ieee80211_power_rule *power_rule;
7994 		unsigned int max_bandwidth_khz;
7995 
7996 		reg_rule = &regdom->reg_rules[i];
7997 		freq_range = &reg_rule->freq_range;
7998 		power_rule = &reg_rule->power_rule;
7999 
8000 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8001 		if (!nl_reg_rule)
8002 			goto nla_put_failure;
8003 
8004 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8005 		if (!max_bandwidth_khz)
8006 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8007 								  reg_rule);
8008 
8009 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8010 				reg_rule->flags) ||
8011 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8012 				freq_range->start_freq_khz) ||
8013 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8014 				freq_range->end_freq_khz) ||
8015 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8016 				max_bandwidth_khz) ||
8017 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8018 				power_rule->max_antenna_gain) ||
8019 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8020 				power_rule->max_eirp) ||
8021 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8022 				reg_rule->dfs_cac_ms))
8023 			goto nla_put_failure;
8024 
8025 		nla_nest_end(msg, nl_reg_rule);
8026 	}
8027 
8028 	nla_nest_end(msg, nl_reg_rules);
8029 	return 0;
8030 
8031 nla_put_failure:
8032 	return -EMSGSIZE;
8033 }
8034 
8035 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8036 {
8037 	const struct ieee80211_regdomain *regdom = NULL;
8038 	struct cfg80211_registered_device *rdev;
8039 	struct wiphy *wiphy = NULL;
8040 	struct sk_buff *msg;
8041 	int err = -EMSGSIZE;
8042 	void *hdr;
8043 
8044 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8045 	if (!msg)
8046 		return -ENOBUFS;
8047 
8048 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8049 			     NL80211_CMD_GET_REG);
8050 	if (!hdr)
8051 		goto put_failure;
8052 
8053 	rtnl_lock();
8054 
8055 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8056 		bool self_managed;
8057 
8058 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8059 		if (IS_ERR(rdev)) {
8060 			err = PTR_ERR(rdev);
8061 			goto nla_put_failure;
8062 		}
8063 
8064 		wiphy = &rdev->wiphy;
8065 		self_managed = wiphy->regulatory_flags &
8066 			       REGULATORY_WIPHY_SELF_MANAGED;
8067 
8068 		rcu_read_lock();
8069 
8070 		regdom = get_wiphy_regdom(wiphy);
8071 
8072 		/* a self-managed-reg device must have a private regdom */
8073 		if (WARN_ON(!regdom && self_managed)) {
8074 			err = -EINVAL;
8075 			goto nla_put_failure_rcu;
8076 		}
8077 
8078 		if (regdom &&
8079 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8080 			goto nla_put_failure_rcu;
8081 	} else {
8082 		rcu_read_lock();
8083 	}
8084 
8085 	if (!wiphy && reg_last_request_cell_base() &&
8086 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8087 			NL80211_USER_REG_HINT_CELL_BASE))
8088 		goto nla_put_failure_rcu;
8089 
8090 	if (!regdom)
8091 		regdom = rcu_dereference(cfg80211_regdomain);
8092 
8093 	if (nl80211_put_regdom(regdom, msg))
8094 		goto nla_put_failure_rcu;
8095 
8096 	rcu_read_unlock();
8097 
8098 	genlmsg_end(msg, hdr);
8099 	rtnl_unlock();
8100 	return genlmsg_reply(msg, info);
8101 
8102 nla_put_failure_rcu:
8103 	rcu_read_unlock();
8104 nla_put_failure:
8105 	rtnl_unlock();
8106 put_failure:
8107 	nlmsg_free(msg);
8108 	return err;
8109 }
8110 
8111 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8112 			       u32 seq, int flags, struct wiphy *wiphy,
8113 			       const struct ieee80211_regdomain *regdom)
8114 {
8115 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8116 				   NL80211_CMD_GET_REG);
8117 
8118 	if (!hdr)
8119 		return -1;
8120 
8121 	genl_dump_check_consistent(cb, hdr);
8122 
8123 	if (nl80211_put_regdom(regdom, msg))
8124 		goto nla_put_failure;
8125 
8126 	if (!wiphy && reg_last_request_cell_base() &&
8127 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8128 			NL80211_USER_REG_HINT_CELL_BASE))
8129 		goto nla_put_failure;
8130 
8131 	if (wiphy &&
8132 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8133 		goto nla_put_failure;
8134 
8135 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8136 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8137 		goto nla_put_failure;
8138 
8139 	genlmsg_end(msg, hdr);
8140 	return 0;
8141 
8142 nla_put_failure:
8143 	genlmsg_cancel(msg, hdr);
8144 	return -EMSGSIZE;
8145 }
8146 
8147 static int nl80211_get_reg_dump(struct sk_buff *skb,
8148 				struct netlink_callback *cb)
8149 {
8150 	const struct ieee80211_regdomain *regdom = NULL;
8151 	struct cfg80211_registered_device *rdev;
8152 	int err, reg_idx, start = cb->args[2];
8153 
8154 	rcu_read_lock();
8155 
8156 	if (cfg80211_regdomain && start == 0) {
8157 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8158 					  NLM_F_MULTI, NULL,
8159 					  rcu_dereference(cfg80211_regdomain));
8160 		if (err < 0)
8161 			goto out_err;
8162 	}
8163 
8164 	/* the global regdom is idx 0 */
8165 	reg_idx = 1;
8166 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8167 		regdom = get_wiphy_regdom(&rdev->wiphy);
8168 		if (!regdom)
8169 			continue;
8170 
8171 		if (++reg_idx <= start)
8172 			continue;
8173 
8174 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8175 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8176 		if (err < 0) {
8177 			reg_idx--;
8178 			break;
8179 		}
8180 	}
8181 
8182 	cb->args[2] = reg_idx;
8183 	err = skb->len;
8184 out_err:
8185 	rcu_read_unlock();
8186 	return err;
8187 }
8188 
8189 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8190 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8191 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8192 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8193 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8194 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8195 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8196 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8197 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8198 };
8199 
8200 static int parse_reg_rule(struct nlattr *tb[],
8201 	struct ieee80211_reg_rule *reg_rule)
8202 {
8203 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8204 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8205 
8206 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8207 		return -EINVAL;
8208 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8209 		return -EINVAL;
8210 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8211 		return -EINVAL;
8212 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8213 		return -EINVAL;
8214 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8215 		return -EINVAL;
8216 
8217 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8218 
8219 	freq_range->start_freq_khz =
8220 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8221 	freq_range->end_freq_khz =
8222 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8223 	freq_range->max_bandwidth_khz =
8224 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8225 
8226 	power_rule->max_eirp =
8227 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8228 
8229 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8230 		power_rule->max_antenna_gain =
8231 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8232 
8233 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8234 		reg_rule->dfs_cac_ms =
8235 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8236 
8237 	return 0;
8238 }
8239 
8240 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8241 {
8242 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8243 	struct nlattr *nl_reg_rule;
8244 	char *alpha2;
8245 	int rem_reg_rules, r;
8246 	u32 num_rules = 0, rule_idx = 0;
8247 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8248 	struct ieee80211_regdomain *rd;
8249 
8250 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8251 		return -EINVAL;
8252 
8253 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8254 		return -EINVAL;
8255 
8256 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8257 
8258 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8259 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8260 
8261 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8262 			    rem_reg_rules) {
8263 		num_rules++;
8264 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8265 			return -EINVAL;
8266 	}
8267 
8268 	rtnl_lock();
8269 	if (!reg_is_valid_request(alpha2)) {
8270 		r = -EINVAL;
8271 		goto out;
8272 	}
8273 
8274 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8275 	if (!rd) {
8276 		r = -ENOMEM;
8277 		goto out;
8278 	}
8279 
8280 	rd->n_reg_rules = num_rules;
8281 	rd->alpha2[0] = alpha2[0];
8282 	rd->alpha2[1] = alpha2[1];
8283 
8284 	/*
8285 	 * Disable DFS master mode if the DFS region was
8286 	 * not supported or known on this kernel.
8287 	 */
8288 	if (reg_supported_dfs_region(dfs_region))
8289 		rd->dfs_region = dfs_region;
8290 
8291 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8292 			    rem_reg_rules) {
8293 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8294 						nl_reg_rule, reg_rule_policy,
8295 						info->extack);
8296 		if (r)
8297 			goto bad_reg;
8298 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8299 		if (r)
8300 			goto bad_reg;
8301 
8302 		rule_idx++;
8303 
8304 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8305 			r = -EINVAL;
8306 			goto bad_reg;
8307 		}
8308 	}
8309 
8310 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8311 	/* set_regdom takes ownership of rd */
8312 	rd = NULL;
8313  bad_reg:
8314 	kfree(rd);
8315  out:
8316 	rtnl_unlock();
8317 	return r;
8318 }
8319 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8320 
8321 static int validate_scan_freqs(struct nlattr *freqs)
8322 {
8323 	struct nlattr *attr1, *attr2;
8324 	int n_channels = 0, tmp1, tmp2;
8325 
8326 	nla_for_each_nested(attr1, freqs, tmp1)
8327 		if (nla_len(attr1) != sizeof(u32))
8328 			return 0;
8329 
8330 	nla_for_each_nested(attr1, freqs, tmp1) {
8331 		n_channels++;
8332 		/*
8333 		 * Some hardware has a limited channel list for
8334 		 * scanning, and it is pretty much nonsensical
8335 		 * to scan for a channel twice, so disallow that
8336 		 * and don't require drivers to check that the
8337 		 * channel list they get isn't longer than what
8338 		 * they can scan, as long as they can scan all
8339 		 * the channels they registered at once.
8340 		 */
8341 		nla_for_each_nested(attr2, freqs, tmp2)
8342 			if (attr1 != attr2 &&
8343 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8344 				return 0;
8345 	}
8346 
8347 	return n_channels;
8348 }
8349 
8350 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8351 {
8352 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8353 }
8354 
8355 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8356 			    struct cfg80211_bss_selection *bss_select)
8357 {
8358 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8359 	struct nlattr *nest;
8360 	int err;
8361 	bool found = false;
8362 	int i;
8363 
8364 	/* only process one nested attribute */
8365 	nest = nla_data(nla);
8366 	if (!nla_ok(nest, nla_len(nest)))
8367 		return -EINVAL;
8368 
8369 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8370 					  nest, nl80211_bss_select_policy,
8371 					  NULL);
8372 	if (err)
8373 		return err;
8374 
8375 	/* only one attribute may be given */
8376 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8377 		if (attr[i]) {
8378 			if (found)
8379 				return -EINVAL;
8380 			found = true;
8381 		}
8382 	}
8383 
8384 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8385 
8386 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8387 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8388 
8389 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8390 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8391 		bss_select->param.band_pref =
8392 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8393 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8394 			return -EINVAL;
8395 	}
8396 
8397 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8398 		struct nl80211_bss_select_rssi_adjust *adj_param;
8399 
8400 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8401 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8402 		bss_select->param.adjust.band = adj_param->band;
8403 		bss_select->param.adjust.delta = adj_param->delta;
8404 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8405 			return -EINVAL;
8406 	}
8407 
8408 	/* user-space did not provide behaviour attribute */
8409 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8410 		return -EINVAL;
8411 
8412 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8413 		return -EINVAL;
8414 
8415 	return 0;
8416 }
8417 
8418 int nl80211_parse_random_mac(struct nlattr **attrs,
8419 			     u8 *mac_addr, u8 *mac_addr_mask)
8420 {
8421 	int i;
8422 
8423 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8424 		eth_zero_addr(mac_addr);
8425 		eth_zero_addr(mac_addr_mask);
8426 		mac_addr[0] = 0x2;
8427 		mac_addr_mask[0] = 0x3;
8428 
8429 		return 0;
8430 	}
8431 
8432 	/* need both or none */
8433 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8434 		return -EINVAL;
8435 
8436 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8437 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8438 
8439 	/* don't allow or configure an mcast address */
8440 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8441 	    is_multicast_ether_addr(mac_addr))
8442 		return -EINVAL;
8443 
8444 	/*
8445 	 * allow users to pass a MAC address that has bits set outside
8446 	 * of the mask, but don't bother drivers with having to deal
8447 	 * with such bits
8448 	 */
8449 	for (i = 0; i < ETH_ALEN; i++)
8450 		mac_addr[i] &= mac_addr_mask[i];
8451 
8452 	return 0;
8453 }
8454 
8455 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8456 {
8457 	ASSERT_WDEV_LOCK(wdev);
8458 
8459 	if (!cfg80211_beaconing_iface_active(wdev))
8460 		return true;
8461 
8462 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8463 		return true;
8464 
8465 	return regulatory_pre_cac_allowed(wdev->wiphy);
8466 }
8467 
8468 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8469 				    enum nl80211_ext_feature_index feat)
8470 {
8471 	if (!(flags & flag))
8472 		return true;
8473 	if (wiphy_ext_feature_isset(wiphy, feat))
8474 		return true;
8475 	return false;
8476 }
8477 
8478 static int
8479 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8480 			 void *request, struct nlattr **attrs,
8481 			 bool is_sched_scan)
8482 {
8483 	u8 *mac_addr, *mac_addr_mask;
8484 	u32 *flags;
8485 	enum nl80211_feature_flags randomness_flag;
8486 
8487 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8488 		return 0;
8489 
8490 	if (is_sched_scan) {
8491 		struct cfg80211_sched_scan_request *req = request;
8492 
8493 		randomness_flag = wdev ?
8494 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8495 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8496 		flags = &req->flags;
8497 		mac_addr = req->mac_addr;
8498 		mac_addr_mask = req->mac_addr_mask;
8499 	} else {
8500 		struct cfg80211_scan_request *req = request;
8501 
8502 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8503 		flags = &req->flags;
8504 		mac_addr = req->mac_addr;
8505 		mac_addr_mask = req->mac_addr_mask;
8506 	}
8507 
8508 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8509 
8510 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8511 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8512 	    !nl80211_check_scan_feat(wiphy, *flags,
8513 				     NL80211_SCAN_FLAG_LOW_SPAN,
8514 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8515 	    !nl80211_check_scan_feat(wiphy, *flags,
8516 				     NL80211_SCAN_FLAG_LOW_POWER,
8517 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8518 	    !nl80211_check_scan_feat(wiphy, *flags,
8519 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8520 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8521 	    !nl80211_check_scan_feat(wiphy, *flags,
8522 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8523 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8524 	    !nl80211_check_scan_feat(wiphy, *flags,
8525 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8526 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8527 	    !nl80211_check_scan_feat(wiphy, *flags,
8528 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8529 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8530 	    !nl80211_check_scan_feat(wiphy, *flags,
8531 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8532 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8533 	    !nl80211_check_scan_feat(wiphy, *flags,
8534 				     NL80211_SCAN_FLAG_RANDOM_SN,
8535 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8536 	    !nl80211_check_scan_feat(wiphy, *flags,
8537 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8538 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8539 		return -EOPNOTSUPP;
8540 
8541 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8542 		int err;
8543 
8544 		if (!(wiphy->features & randomness_flag) ||
8545 		    (wdev && wdev->current_bss))
8546 			return -EOPNOTSUPP;
8547 
8548 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8549 		if (err)
8550 			return err;
8551 	}
8552 
8553 	return 0;
8554 }
8555 
8556 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8557 {
8558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8559 	struct wireless_dev *wdev = info->user_ptr[1];
8560 	struct cfg80211_scan_request *request;
8561 	struct nlattr *scan_freqs = NULL;
8562 	bool scan_freqs_khz = false;
8563 	struct nlattr *attr;
8564 	struct wiphy *wiphy;
8565 	int err, tmp, n_ssids = 0, n_channels, i;
8566 	size_t ie_len;
8567 
8568 	wiphy = &rdev->wiphy;
8569 
8570 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8571 		return -EOPNOTSUPP;
8572 
8573 	if (!rdev->ops->scan)
8574 		return -EOPNOTSUPP;
8575 
8576 	if (rdev->scan_req || rdev->scan_msg)
8577 		return -EBUSY;
8578 
8579 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8580 		if (!wiphy_ext_feature_isset(wiphy,
8581 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8582 			return -EOPNOTSUPP;
8583 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8584 		scan_freqs_khz = true;
8585 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8586 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8587 
8588 	if (scan_freqs) {
8589 		n_channels = validate_scan_freqs(scan_freqs);
8590 		if (!n_channels)
8591 			return -EINVAL;
8592 	} else {
8593 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8594 	}
8595 
8596 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8597 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8598 			n_ssids++;
8599 
8600 	if (n_ssids > wiphy->max_scan_ssids)
8601 		return -EINVAL;
8602 
8603 	if (info->attrs[NL80211_ATTR_IE])
8604 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8605 	else
8606 		ie_len = 0;
8607 
8608 	if (ie_len > wiphy->max_scan_ie_len)
8609 		return -EINVAL;
8610 
8611 	request = kzalloc(sizeof(*request)
8612 			+ sizeof(*request->ssids) * n_ssids
8613 			+ sizeof(*request->channels) * n_channels
8614 			+ ie_len, GFP_KERNEL);
8615 	if (!request)
8616 		return -ENOMEM;
8617 
8618 	if (n_ssids)
8619 		request->ssids = (void *)&request->channels[n_channels];
8620 	request->n_ssids = n_ssids;
8621 	if (ie_len) {
8622 		if (n_ssids)
8623 			request->ie = (void *)(request->ssids + n_ssids);
8624 		else
8625 			request->ie = (void *)(request->channels + n_channels);
8626 	}
8627 
8628 	i = 0;
8629 	if (scan_freqs) {
8630 		/* user specified, bail out if channel not found */
8631 		nla_for_each_nested(attr, scan_freqs, tmp) {
8632 			struct ieee80211_channel *chan;
8633 			int freq = nla_get_u32(attr);
8634 
8635 			if (!scan_freqs_khz)
8636 				freq = MHZ_TO_KHZ(freq);
8637 
8638 			chan = ieee80211_get_channel_khz(wiphy, freq);
8639 			if (!chan) {
8640 				err = -EINVAL;
8641 				goto out_free;
8642 			}
8643 
8644 			/* ignore disabled channels */
8645 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8646 				continue;
8647 
8648 			request->channels[i] = chan;
8649 			i++;
8650 		}
8651 	} else {
8652 		enum nl80211_band band;
8653 
8654 		/* all channels */
8655 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8656 			int j;
8657 
8658 			if (!wiphy->bands[band])
8659 				continue;
8660 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8661 				struct ieee80211_channel *chan;
8662 
8663 				chan = &wiphy->bands[band]->channels[j];
8664 
8665 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8666 					continue;
8667 
8668 				request->channels[i] = chan;
8669 				i++;
8670 			}
8671 		}
8672 	}
8673 
8674 	if (!i) {
8675 		err = -EINVAL;
8676 		goto out_free;
8677 	}
8678 
8679 	request->n_channels = i;
8680 
8681 	wdev_lock(wdev);
8682 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8683 		struct ieee80211_channel *chan;
8684 
8685 		if (request->n_channels != 1) {
8686 			wdev_unlock(wdev);
8687 			err = -EBUSY;
8688 			goto out_free;
8689 		}
8690 
8691 		chan = request->channels[0];
8692 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8693 			wdev_unlock(wdev);
8694 			err = -EBUSY;
8695 			goto out_free;
8696 		}
8697 	}
8698 	wdev_unlock(wdev);
8699 
8700 	i = 0;
8701 	if (n_ssids) {
8702 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8703 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8704 				err = -EINVAL;
8705 				goto out_free;
8706 			}
8707 			request->ssids[i].ssid_len = nla_len(attr);
8708 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8709 			i++;
8710 		}
8711 	}
8712 
8713 	if (info->attrs[NL80211_ATTR_IE]) {
8714 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8715 		memcpy((void *)request->ie,
8716 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8717 		       request->ie_len);
8718 	}
8719 
8720 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8721 		if (wiphy->bands[i])
8722 			request->rates[i] =
8723 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8724 
8725 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8726 		nla_for_each_nested(attr,
8727 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8728 				    tmp) {
8729 			enum nl80211_band band = nla_type(attr);
8730 
8731 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8732 				err = -EINVAL;
8733 				goto out_free;
8734 			}
8735 
8736 			if (!wiphy->bands[band])
8737 				continue;
8738 
8739 			err = ieee80211_get_ratemask(wiphy->bands[band],
8740 						     nla_data(attr),
8741 						     nla_len(attr),
8742 						     &request->rates[band]);
8743 			if (err)
8744 				goto out_free;
8745 		}
8746 	}
8747 
8748 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8749 		request->duration =
8750 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8751 		request->duration_mandatory =
8752 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8753 	}
8754 
8755 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8756 				       false);
8757 	if (err)
8758 		goto out_free;
8759 
8760 	request->no_cck =
8761 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8762 
8763 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8764 	 * BSSID to scan for. This was problematic because that same attribute
8765 	 * was already used for another purpose (local random MAC address). The
8766 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8767 	 * compatibility with older userspace components, also use the
8768 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8769 	 * the specific BSSID use case instead of the random MAC address
8770 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8771 	 */
8772 	if (info->attrs[NL80211_ATTR_BSSID])
8773 		memcpy(request->bssid,
8774 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8775 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8776 		 info->attrs[NL80211_ATTR_MAC])
8777 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8778 		       ETH_ALEN);
8779 	else
8780 		eth_broadcast_addr(request->bssid);
8781 
8782 	request->wdev = wdev;
8783 	request->wiphy = &rdev->wiphy;
8784 	request->scan_start = jiffies;
8785 
8786 	rdev->scan_req = request;
8787 	err = cfg80211_scan(rdev);
8788 
8789 	if (err)
8790 		goto out_free;
8791 
8792 	nl80211_send_scan_start(rdev, wdev);
8793 	dev_hold(wdev->netdev);
8794 
8795 	return 0;
8796 
8797  out_free:
8798 	rdev->scan_req = NULL;
8799 	kfree(request);
8800 
8801 	return err;
8802 }
8803 
8804 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8805 {
8806 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8807 	struct wireless_dev *wdev = info->user_ptr[1];
8808 
8809 	if (!rdev->ops->abort_scan)
8810 		return -EOPNOTSUPP;
8811 
8812 	if (rdev->scan_msg)
8813 		return 0;
8814 
8815 	if (!rdev->scan_req)
8816 		return -ENOENT;
8817 
8818 	rdev_abort_scan(rdev, wdev);
8819 	return 0;
8820 }
8821 
8822 static int
8823 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8824 			       struct cfg80211_sched_scan_request *request,
8825 			       struct nlattr **attrs)
8826 {
8827 	int tmp, err, i = 0;
8828 	struct nlattr *attr;
8829 
8830 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8831 		u32 interval;
8832 
8833 		/*
8834 		 * If scan plans are not specified,
8835 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8836 		 * case one scan plan will be set with the specified scan
8837 		 * interval and infinite number of iterations.
8838 		 */
8839 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8840 		if (!interval)
8841 			return -EINVAL;
8842 
8843 		request->scan_plans[0].interval =
8844 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8845 		if (!request->scan_plans[0].interval)
8846 			return -EINVAL;
8847 
8848 		if (request->scan_plans[0].interval >
8849 		    wiphy->max_sched_scan_plan_interval)
8850 			request->scan_plans[0].interval =
8851 				wiphy->max_sched_scan_plan_interval;
8852 
8853 		return 0;
8854 	}
8855 
8856 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8857 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8858 
8859 		if (WARN_ON(i >= n_plans))
8860 			return -EINVAL;
8861 
8862 		err = nla_parse_nested_deprecated(plan,
8863 						  NL80211_SCHED_SCAN_PLAN_MAX,
8864 						  attr, nl80211_plan_policy,
8865 						  NULL);
8866 		if (err)
8867 			return err;
8868 
8869 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8870 			return -EINVAL;
8871 
8872 		request->scan_plans[i].interval =
8873 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8874 		if (!request->scan_plans[i].interval ||
8875 		    request->scan_plans[i].interval >
8876 		    wiphy->max_sched_scan_plan_interval)
8877 			return -EINVAL;
8878 
8879 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8880 			request->scan_plans[i].iterations =
8881 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8882 			if (!request->scan_plans[i].iterations ||
8883 			    (request->scan_plans[i].iterations >
8884 			     wiphy->max_sched_scan_plan_iterations))
8885 				return -EINVAL;
8886 		} else if (i < n_plans - 1) {
8887 			/*
8888 			 * All scan plans but the last one must specify
8889 			 * a finite number of iterations
8890 			 */
8891 			return -EINVAL;
8892 		}
8893 
8894 		i++;
8895 	}
8896 
8897 	/*
8898 	 * The last scan plan must not specify the number of
8899 	 * iterations, it is supposed to run infinitely
8900 	 */
8901 	if (request->scan_plans[n_plans - 1].iterations)
8902 		return  -EINVAL;
8903 
8904 	return 0;
8905 }
8906 
8907 static int
8908 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8909 				       struct cfg80211_match_set *match_sets,
8910 				       struct nlattr *tb_band_rssi,
8911 				       s32 rssi_thold)
8912 {
8913 	struct nlattr *attr;
8914 	int i, tmp, ret = 0;
8915 
8916 	if (!wiphy_ext_feature_isset(wiphy,
8917 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8918 		if (tb_band_rssi)
8919 			ret = -EOPNOTSUPP;
8920 		else
8921 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8922 				match_sets->per_band_rssi_thold[i] =
8923 					NL80211_SCAN_RSSI_THOLD_OFF;
8924 		return ret;
8925 	}
8926 
8927 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8928 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8929 
8930 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8931 		enum nl80211_band band = nla_type(attr);
8932 
8933 		if (band < 0 || band >= NUM_NL80211_BANDS)
8934 			return -EINVAL;
8935 
8936 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8937 	}
8938 
8939 	return 0;
8940 }
8941 
8942 static struct cfg80211_sched_scan_request *
8943 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8944 			 struct nlattr **attrs, int max_match_sets)
8945 {
8946 	struct cfg80211_sched_scan_request *request;
8947 	struct nlattr *attr;
8948 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8949 	enum nl80211_band band;
8950 	size_t ie_len;
8951 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8952 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8953 
8954 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8955 		n_channels = validate_scan_freqs(
8956 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8957 		if (!n_channels)
8958 			return ERR_PTR(-EINVAL);
8959 	} else {
8960 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8961 	}
8962 
8963 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8964 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8965 				    tmp)
8966 			n_ssids++;
8967 
8968 	if (n_ssids > wiphy->max_sched_scan_ssids)
8969 		return ERR_PTR(-EINVAL);
8970 
8971 	/*
8972 	 * First, count the number of 'real' matchsets. Due to an issue with
8973 	 * the old implementation, matchsets containing only the RSSI attribute
8974 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8975 	 * RSSI for all matchsets, rather than their own matchset for reporting
8976 	 * all APs with a strong RSSI. This is needed to be compatible with
8977 	 * older userspace that treated a matchset with only the RSSI as the
8978 	 * global RSSI for all other matchsets - if there are other matchsets.
8979 	 */
8980 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8981 		nla_for_each_nested(attr,
8982 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8983 				    tmp) {
8984 			struct nlattr *rssi;
8985 
8986 			err = nla_parse_nested_deprecated(tb,
8987 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8988 							  attr,
8989 							  nl80211_match_policy,
8990 							  NULL);
8991 			if (err)
8992 				return ERR_PTR(err);
8993 
8994 			/* SSID and BSSID are mutually exclusive */
8995 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8996 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8997 				return ERR_PTR(-EINVAL);
8998 
8999 			/* add other standalone attributes here */
9000 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9001 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9002 				n_match_sets++;
9003 				continue;
9004 			}
9005 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9006 			if (rssi)
9007 				default_match_rssi = nla_get_s32(rssi);
9008 		}
9009 	}
9010 
9011 	/* However, if there's no other matchset, add the RSSI one */
9012 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9013 		n_match_sets = 1;
9014 
9015 	if (n_match_sets > max_match_sets)
9016 		return ERR_PTR(-EINVAL);
9017 
9018 	if (attrs[NL80211_ATTR_IE])
9019 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9020 	else
9021 		ie_len = 0;
9022 
9023 	if (ie_len > wiphy->max_sched_scan_ie_len)
9024 		return ERR_PTR(-EINVAL);
9025 
9026 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9027 		/*
9028 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9029 		 * each scan plan already specifies its own interval
9030 		 */
9031 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9032 			return ERR_PTR(-EINVAL);
9033 
9034 		nla_for_each_nested(attr,
9035 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9036 			n_plans++;
9037 	} else {
9038 		/*
9039 		 * The scan interval attribute is kept for backward
9040 		 * compatibility. If no scan plans are specified and sched scan
9041 		 * interval is specified, one scan plan will be set with this
9042 		 * scan interval and infinite number of iterations.
9043 		 */
9044 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9045 			return ERR_PTR(-EINVAL);
9046 
9047 		n_plans = 1;
9048 	}
9049 
9050 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9051 		return ERR_PTR(-EINVAL);
9052 
9053 	if (!wiphy_ext_feature_isset(
9054 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9055 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9056 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9057 		return ERR_PTR(-EINVAL);
9058 
9059 	request = kzalloc(sizeof(*request)
9060 			+ sizeof(*request->ssids) * n_ssids
9061 			+ sizeof(*request->match_sets) * n_match_sets
9062 			+ sizeof(*request->scan_plans) * n_plans
9063 			+ sizeof(*request->channels) * n_channels
9064 			+ ie_len, GFP_KERNEL);
9065 	if (!request)
9066 		return ERR_PTR(-ENOMEM);
9067 
9068 	if (n_ssids)
9069 		request->ssids = (void *)&request->channels[n_channels];
9070 	request->n_ssids = n_ssids;
9071 	if (ie_len) {
9072 		if (n_ssids)
9073 			request->ie = (void *)(request->ssids + n_ssids);
9074 		else
9075 			request->ie = (void *)(request->channels + n_channels);
9076 	}
9077 
9078 	if (n_match_sets) {
9079 		if (request->ie)
9080 			request->match_sets = (void *)(request->ie + ie_len);
9081 		else if (n_ssids)
9082 			request->match_sets =
9083 				(void *)(request->ssids + n_ssids);
9084 		else
9085 			request->match_sets =
9086 				(void *)(request->channels + n_channels);
9087 	}
9088 	request->n_match_sets = n_match_sets;
9089 
9090 	if (n_match_sets)
9091 		request->scan_plans = (void *)(request->match_sets +
9092 					       n_match_sets);
9093 	else if (request->ie)
9094 		request->scan_plans = (void *)(request->ie + ie_len);
9095 	else if (n_ssids)
9096 		request->scan_plans = (void *)(request->ssids + n_ssids);
9097 	else
9098 		request->scan_plans = (void *)(request->channels + n_channels);
9099 
9100 	request->n_scan_plans = n_plans;
9101 
9102 	i = 0;
9103 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9104 		/* user specified, bail out if channel not found */
9105 		nla_for_each_nested(attr,
9106 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9107 				    tmp) {
9108 			struct ieee80211_channel *chan;
9109 
9110 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9111 
9112 			if (!chan) {
9113 				err = -EINVAL;
9114 				goto out_free;
9115 			}
9116 
9117 			/* ignore disabled channels */
9118 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9119 				continue;
9120 
9121 			request->channels[i] = chan;
9122 			i++;
9123 		}
9124 	} else {
9125 		/* all channels */
9126 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9127 			int j;
9128 
9129 			if (!wiphy->bands[band])
9130 				continue;
9131 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9132 				struct ieee80211_channel *chan;
9133 
9134 				chan = &wiphy->bands[band]->channels[j];
9135 
9136 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9137 					continue;
9138 
9139 				request->channels[i] = chan;
9140 				i++;
9141 			}
9142 		}
9143 	}
9144 
9145 	if (!i) {
9146 		err = -EINVAL;
9147 		goto out_free;
9148 	}
9149 
9150 	request->n_channels = i;
9151 
9152 	i = 0;
9153 	if (n_ssids) {
9154 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9155 				    tmp) {
9156 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9157 				err = -EINVAL;
9158 				goto out_free;
9159 			}
9160 			request->ssids[i].ssid_len = nla_len(attr);
9161 			memcpy(request->ssids[i].ssid, nla_data(attr),
9162 			       nla_len(attr));
9163 			i++;
9164 		}
9165 	}
9166 
9167 	i = 0;
9168 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9169 		nla_for_each_nested(attr,
9170 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9171 				    tmp) {
9172 			struct nlattr *ssid, *bssid, *rssi;
9173 
9174 			err = nla_parse_nested_deprecated(tb,
9175 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9176 							  attr,
9177 							  nl80211_match_policy,
9178 							  NULL);
9179 			if (err)
9180 				goto out_free;
9181 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9182 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9183 
9184 			if (!ssid && !bssid) {
9185 				i++;
9186 				continue;
9187 			}
9188 
9189 			if (WARN_ON(i >= n_match_sets)) {
9190 				/* this indicates a programming error,
9191 				 * the loop above should have verified
9192 				 * things properly
9193 				 */
9194 				err = -EINVAL;
9195 				goto out_free;
9196 			}
9197 
9198 			if (ssid) {
9199 				memcpy(request->match_sets[i].ssid.ssid,
9200 				       nla_data(ssid), nla_len(ssid));
9201 				request->match_sets[i].ssid.ssid_len =
9202 					nla_len(ssid);
9203 			}
9204 			if (bssid)
9205 				memcpy(request->match_sets[i].bssid,
9206 				       nla_data(bssid), ETH_ALEN);
9207 
9208 			/* special attribute - old implementation w/a */
9209 			request->match_sets[i].rssi_thold = default_match_rssi;
9210 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9211 			if (rssi)
9212 				request->match_sets[i].rssi_thold =
9213 					nla_get_s32(rssi);
9214 
9215 			/* Parse per band RSSI attribute */
9216 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9217 				&request->match_sets[i],
9218 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9219 				request->match_sets[i].rssi_thold);
9220 			if (err)
9221 				goto out_free;
9222 
9223 			i++;
9224 		}
9225 
9226 		/* there was no other matchset, so the RSSI one is alone */
9227 		if (i == 0 && n_match_sets)
9228 			request->match_sets[0].rssi_thold = default_match_rssi;
9229 
9230 		request->min_rssi_thold = INT_MAX;
9231 		for (i = 0; i < n_match_sets; i++)
9232 			request->min_rssi_thold =
9233 				min(request->match_sets[i].rssi_thold,
9234 				    request->min_rssi_thold);
9235 	} else {
9236 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9237 	}
9238 
9239 	if (ie_len) {
9240 		request->ie_len = ie_len;
9241 		memcpy((void *)request->ie,
9242 		       nla_data(attrs[NL80211_ATTR_IE]),
9243 		       request->ie_len);
9244 	}
9245 
9246 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9247 	if (err)
9248 		goto out_free;
9249 
9250 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9251 		request->delay =
9252 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9253 
9254 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9255 		request->relative_rssi = nla_get_s8(
9256 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9257 		request->relative_rssi_set = true;
9258 	}
9259 
9260 	if (request->relative_rssi_set &&
9261 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9262 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9263 
9264 		rssi_adjust = nla_data(
9265 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9266 		request->rssi_adjust.band = rssi_adjust->band;
9267 		request->rssi_adjust.delta = rssi_adjust->delta;
9268 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9269 			err = -EINVAL;
9270 			goto out_free;
9271 		}
9272 	}
9273 
9274 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9275 	if (err)
9276 		goto out_free;
9277 
9278 	request->scan_start = jiffies;
9279 
9280 	return request;
9281 
9282 out_free:
9283 	kfree(request);
9284 	return ERR_PTR(err);
9285 }
9286 
9287 static int nl80211_start_sched_scan(struct sk_buff *skb,
9288 				    struct genl_info *info)
9289 {
9290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9291 	struct net_device *dev = info->user_ptr[1];
9292 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9293 	struct cfg80211_sched_scan_request *sched_scan_req;
9294 	bool want_multi;
9295 	int err;
9296 
9297 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9298 		return -EOPNOTSUPP;
9299 
9300 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9301 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9302 	if (err)
9303 		return err;
9304 
9305 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9306 						  info->attrs,
9307 						  rdev->wiphy.max_match_sets);
9308 
9309 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9310 	if (err)
9311 		goto out_err;
9312 
9313 	/* leave request id zero for legacy request
9314 	 * or if driver does not support multi-scheduled scan
9315 	 */
9316 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9317 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9318 
9319 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9320 	if (err)
9321 		goto out_free;
9322 
9323 	sched_scan_req->dev = dev;
9324 	sched_scan_req->wiphy = &rdev->wiphy;
9325 
9326 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9327 		sched_scan_req->owner_nlportid = info->snd_portid;
9328 
9329 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9330 
9331 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9332 	return 0;
9333 
9334 out_free:
9335 	kfree(sched_scan_req);
9336 out_err:
9337 	return err;
9338 }
9339 
9340 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9341 				   struct genl_info *info)
9342 {
9343 	struct cfg80211_sched_scan_request *req;
9344 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9345 	u64 cookie;
9346 
9347 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9348 		return -EOPNOTSUPP;
9349 
9350 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9351 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9352 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9353 	}
9354 
9355 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9356 				     struct cfg80211_sched_scan_request,
9357 				     list);
9358 	if (!req || req->reqid ||
9359 	    (req->owner_nlportid &&
9360 	     req->owner_nlportid != info->snd_portid))
9361 		return -ENOENT;
9362 
9363 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9364 }
9365 
9366 static int nl80211_start_radar_detection(struct sk_buff *skb,
9367 					 struct genl_info *info)
9368 {
9369 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9370 	struct net_device *dev = info->user_ptr[1];
9371 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9372 	struct wiphy *wiphy = wdev->wiphy;
9373 	struct cfg80211_chan_def chandef;
9374 	enum nl80211_dfs_regions dfs_region;
9375 	unsigned int cac_time_ms;
9376 	int err = -EINVAL;
9377 
9378 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9379 
9380 	wiphy_lock(wiphy);
9381 
9382 	dfs_region = reg_get_dfs_region(wiphy);
9383 	if (dfs_region == NL80211_DFS_UNSET)
9384 		goto unlock;
9385 
9386 	err = nl80211_parse_chandef(rdev, info, &chandef);
9387 	if (err)
9388 		goto unlock;
9389 
9390 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9391 	if (err < 0)
9392 		goto unlock;
9393 
9394 	if (err == 0) {
9395 		err = -EINVAL;
9396 		goto unlock;
9397 	}
9398 
9399 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9400 		err = -EINVAL;
9401 		goto unlock;
9402 	}
9403 
9404 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9405 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9406 								&chandef);
9407 		goto unlock;
9408 	}
9409 
9410 	if (netif_carrier_ok(dev)) {
9411 		err = -EBUSY;
9412 		goto unlock;
9413 	}
9414 
9415 	if (wdev->cac_started) {
9416 		err = -EBUSY;
9417 		goto unlock;
9418 	}
9419 
9420 	/* CAC start is offloaded to HW and can't be started manually */
9421 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9422 		err = -EOPNOTSUPP;
9423 		goto unlock;
9424 	}
9425 
9426 	if (!rdev->ops->start_radar_detection) {
9427 		err = -EOPNOTSUPP;
9428 		goto unlock;
9429 	}
9430 
9431 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9432 	if (WARN_ON(!cac_time_ms))
9433 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9434 
9435 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9436 	if (!err) {
9437 		wdev->chandef = chandef;
9438 		wdev->cac_started = true;
9439 		wdev->cac_start_time = jiffies;
9440 		wdev->cac_time_ms = cac_time_ms;
9441 	}
9442 unlock:
9443 	wiphy_unlock(wiphy);
9444 
9445 	return err;
9446 }
9447 
9448 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9449 					  struct genl_info *info)
9450 {
9451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9452 	struct net_device *dev = info->user_ptr[1];
9453 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9454 	struct wiphy *wiphy = wdev->wiphy;
9455 	struct cfg80211_chan_def chandef;
9456 	enum nl80211_dfs_regions dfs_region;
9457 	int err;
9458 
9459 	dfs_region = reg_get_dfs_region(wiphy);
9460 	if (dfs_region == NL80211_DFS_UNSET) {
9461 		GENL_SET_ERR_MSG(info,
9462 				 "DFS Region is not set. Unexpected Radar indication");
9463 		return -EINVAL;
9464 	}
9465 
9466 	err = nl80211_parse_chandef(rdev, info, &chandef);
9467 	if (err) {
9468 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9469 		return err;
9470 	}
9471 
9472 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9473 	if (err < 0) {
9474 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9475 		return err;
9476 	}
9477 
9478 	if (err == 0) {
9479 		GENL_SET_ERR_MSG(info,
9480 				 "Unexpected Radar indication for chandef/iftype");
9481 		return -EINVAL;
9482 	}
9483 
9484 	/* Do not process this notification if radar is already detected
9485 	 * by kernel on this channel, and return success.
9486 	 */
9487 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9488 		return 0;
9489 
9490 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9491 
9492 	cfg80211_sched_dfs_chan_update(rdev);
9493 
9494 	rdev->radar_chandef = chandef;
9495 
9496 	/* Propagate this notification to other radios as well */
9497 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9498 
9499 	return 0;
9500 }
9501 
9502 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9503 {
9504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9505 	struct net_device *dev = info->user_ptr[1];
9506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9507 	struct cfg80211_csa_settings params;
9508 	struct nlattr **csa_attrs = NULL;
9509 	int err;
9510 	bool need_new_beacon = false;
9511 	bool need_handle_dfs_flag = true;
9512 	int len, i;
9513 	u32 cs_count;
9514 
9515 	if (!rdev->ops->channel_switch ||
9516 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9517 		return -EOPNOTSUPP;
9518 
9519 	switch (dev->ieee80211_ptr->iftype) {
9520 	case NL80211_IFTYPE_AP:
9521 	case NL80211_IFTYPE_P2P_GO:
9522 		need_new_beacon = true;
9523 		/* For all modes except AP the handle_dfs flag needs to be
9524 		 * supplied to tell the kernel that userspace will handle radar
9525 		 * events when they happen. Otherwise a switch to a channel
9526 		 * requiring DFS will be rejected.
9527 		 */
9528 		need_handle_dfs_flag = false;
9529 
9530 		/* useless if AP is not running */
9531 		if (!wdev->beacon_interval)
9532 			return -ENOTCONN;
9533 		break;
9534 	case NL80211_IFTYPE_ADHOC:
9535 		if (!wdev->ssid_len)
9536 			return -ENOTCONN;
9537 		break;
9538 	case NL80211_IFTYPE_MESH_POINT:
9539 		if (!wdev->mesh_id_len)
9540 			return -ENOTCONN;
9541 		break;
9542 	default:
9543 		return -EOPNOTSUPP;
9544 	}
9545 
9546 	memset(&params, 0, sizeof(params));
9547 	params.beacon_csa.ftm_responder = -1;
9548 
9549 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9550 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9551 		return -EINVAL;
9552 
9553 	/* only important for AP, IBSS and mesh create IEs internally */
9554 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9555 		return -EINVAL;
9556 
9557 	/* Even though the attribute is u32, the specification says
9558 	 * u8, so let's make sure we don't overflow.
9559 	 */
9560 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9561 	if (cs_count > 255)
9562 		return -EINVAL;
9563 
9564 	params.count = cs_count;
9565 
9566 	if (!need_new_beacon)
9567 		goto skip_beacons;
9568 
9569 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9570 	if (err)
9571 		goto free;
9572 
9573 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9574 			    GFP_KERNEL);
9575 	if (!csa_attrs) {
9576 		err = -ENOMEM;
9577 		goto free;
9578 	}
9579 
9580 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9581 					  info->attrs[NL80211_ATTR_CSA_IES],
9582 					  nl80211_policy, info->extack);
9583 	if (err)
9584 		goto free;
9585 
9586 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9587 	if (err)
9588 		goto free;
9589 
9590 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9591 		err = -EINVAL;
9592 		goto free;
9593 	}
9594 
9595 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9596 	if (!len || (len % sizeof(u16))) {
9597 		err = -EINVAL;
9598 		goto free;
9599 	}
9600 
9601 	params.n_counter_offsets_beacon = len / sizeof(u16);
9602 	if (rdev->wiphy.max_num_csa_counters &&
9603 	    (params.n_counter_offsets_beacon >
9604 	     rdev->wiphy.max_num_csa_counters)) {
9605 		err = -EINVAL;
9606 		goto free;
9607 	}
9608 
9609 	params.counter_offsets_beacon =
9610 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9611 
9612 	/* sanity checks - counters should fit and be the same */
9613 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9614 		u16 offset = params.counter_offsets_beacon[i];
9615 
9616 		if (offset >= params.beacon_csa.tail_len) {
9617 			err = -EINVAL;
9618 			goto free;
9619 		}
9620 
9621 		if (params.beacon_csa.tail[offset] != params.count) {
9622 			err = -EINVAL;
9623 			goto free;
9624 		}
9625 	}
9626 
9627 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9628 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9629 		if (!len || (len % sizeof(u16))) {
9630 			err = -EINVAL;
9631 			goto free;
9632 		}
9633 
9634 		params.n_counter_offsets_presp = len / sizeof(u16);
9635 		if (rdev->wiphy.max_num_csa_counters &&
9636 		    (params.n_counter_offsets_presp >
9637 		     rdev->wiphy.max_num_csa_counters)) {
9638 			err = -EINVAL;
9639 			goto free;
9640 		}
9641 
9642 		params.counter_offsets_presp =
9643 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9644 
9645 		/* sanity checks - counters should fit and be the same */
9646 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9647 			u16 offset = params.counter_offsets_presp[i];
9648 
9649 			if (offset >= params.beacon_csa.probe_resp_len) {
9650 				err = -EINVAL;
9651 				goto free;
9652 			}
9653 
9654 			if (params.beacon_csa.probe_resp[offset] !=
9655 			    params.count) {
9656 				err = -EINVAL;
9657 				goto free;
9658 			}
9659 		}
9660 	}
9661 
9662 skip_beacons:
9663 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9664 	if (err)
9665 		goto free;
9666 
9667 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9668 					   wdev->iftype)) {
9669 		err = -EINVAL;
9670 		goto free;
9671 	}
9672 
9673 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9674 					    &params.chandef,
9675 					    wdev->iftype);
9676 	if (err < 0)
9677 		goto free;
9678 
9679 	if (err > 0) {
9680 		params.radar_required = true;
9681 		if (need_handle_dfs_flag &&
9682 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9683 			err = -EINVAL;
9684 			goto free;
9685 		}
9686 	}
9687 
9688 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9689 		params.block_tx = true;
9690 
9691 	wdev_lock(wdev);
9692 	err = rdev_channel_switch(rdev, dev, &params);
9693 	wdev_unlock(wdev);
9694 
9695 free:
9696 	kfree(params.beacon_after.mbssid_ies);
9697 	kfree(params.beacon_csa.mbssid_ies);
9698 	kfree(csa_attrs);
9699 	return err;
9700 }
9701 
9702 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9703 			    u32 seq, int flags,
9704 			    struct cfg80211_registered_device *rdev,
9705 			    struct wireless_dev *wdev,
9706 			    struct cfg80211_internal_bss *intbss)
9707 {
9708 	struct cfg80211_bss *res = &intbss->pub;
9709 	const struct cfg80211_bss_ies *ies;
9710 	void *hdr;
9711 	struct nlattr *bss;
9712 
9713 	ASSERT_WDEV_LOCK(wdev);
9714 
9715 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9716 			     NL80211_CMD_NEW_SCAN_RESULTS);
9717 	if (!hdr)
9718 		return -1;
9719 
9720 	genl_dump_check_consistent(cb, hdr);
9721 
9722 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9723 		goto nla_put_failure;
9724 	if (wdev->netdev &&
9725 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9726 		goto nla_put_failure;
9727 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9728 			      NL80211_ATTR_PAD))
9729 		goto nla_put_failure;
9730 
9731 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9732 	if (!bss)
9733 		goto nla_put_failure;
9734 	if ((!is_zero_ether_addr(res->bssid) &&
9735 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9736 		goto nla_put_failure;
9737 
9738 	rcu_read_lock();
9739 	/* indicate whether we have probe response data or not */
9740 	if (rcu_access_pointer(res->proberesp_ies) &&
9741 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9742 		goto fail_unlock_rcu;
9743 
9744 	/* this pointer prefers to be pointed to probe response data
9745 	 * but is always valid
9746 	 */
9747 	ies = rcu_dereference(res->ies);
9748 	if (ies) {
9749 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9750 				      NL80211_BSS_PAD))
9751 			goto fail_unlock_rcu;
9752 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9753 					ies->len, ies->data))
9754 			goto fail_unlock_rcu;
9755 	}
9756 
9757 	/* and this pointer is always (unless driver didn't know) beacon data */
9758 	ies = rcu_dereference(res->beacon_ies);
9759 	if (ies && ies->from_beacon) {
9760 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9761 				      NL80211_BSS_PAD))
9762 			goto fail_unlock_rcu;
9763 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9764 					ies->len, ies->data))
9765 			goto fail_unlock_rcu;
9766 	}
9767 	rcu_read_unlock();
9768 
9769 	if (res->beacon_interval &&
9770 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9771 		goto nla_put_failure;
9772 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9773 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9774 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9775 			res->channel->freq_offset) ||
9776 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9777 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9778 			jiffies_to_msecs(jiffies - intbss->ts)))
9779 		goto nla_put_failure;
9780 
9781 	if (intbss->parent_tsf &&
9782 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9783 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9784 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9785 		     intbss->parent_bssid)))
9786 		goto nla_put_failure;
9787 
9788 	if (intbss->ts_boottime &&
9789 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9790 			      intbss->ts_boottime, NL80211_BSS_PAD))
9791 		goto nla_put_failure;
9792 
9793 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9794 				intbss->pub.chain_signal,
9795 				NL80211_BSS_CHAIN_SIGNAL))
9796 		goto nla_put_failure;
9797 
9798 	switch (rdev->wiphy.signal_type) {
9799 	case CFG80211_SIGNAL_TYPE_MBM:
9800 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9801 			goto nla_put_failure;
9802 		break;
9803 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9804 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9805 			goto nla_put_failure;
9806 		break;
9807 	default:
9808 		break;
9809 	}
9810 
9811 	switch (wdev->iftype) {
9812 	case NL80211_IFTYPE_P2P_CLIENT:
9813 	case NL80211_IFTYPE_STATION:
9814 		if (intbss == wdev->current_bss &&
9815 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9816 				NL80211_BSS_STATUS_ASSOCIATED))
9817 			goto nla_put_failure;
9818 		break;
9819 	case NL80211_IFTYPE_ADHOC:
9820 		if (intbss == wdev->current_bss &&
9821 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9822 				NL80211_BSS_STATUS_IBSS_JOINED))
9823 			goto nla_put_failure;
9824 		break;
9825 	default:
9826 		break;
9827 	}
9828 
9829 	nla_nest_end(msg, bss);
9830 
9831 	genlmsg_end(msg, hdr);
9832 	return 0;
9833 
9834  fail_unlock_rcu:
9835 	rcu_read_unlock();
9836  nla_put_failure:
9837 	genlmsg_cancel(msg, hdr);
9838 	return -EMSGSIZE;
9839 }
9840 
9841 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9842 {
9843 	struct cfg80211_registered_device *rdev;
9844 	struct cfg80211_internal_bss *scan;
9845 	struct wireless_dev *wdev;
9846 	int start = cb->args[2], idx = 0;
9847 	int err;
9848 
9849 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9850 	if (err)
9851 		return err;
9852 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9853 	__acquire(&rdev->wiphy.mtx);
9854 
9855 	wdev_lock(wdev);
9856 	spin_lock_bh(&rdev->bss_lock);
9857 
9858 	/*
9859 	 * dump_scan will be called multiple times to break up the scan results
9860 	 * into multiple messages.  It is unlikely that any more bss-es will be
9861 	 * expired after the first call, so only call only call this on the
9862 	 * first dump_scan invocation.
9863 	 */
9864 	if (start == 0)
9865 		cfg80211_bss_expire(rdev);
9866 
9867 	cb->seq = rdev->bss_generation;
9868 
9869 	list_for_each_entry(scan, &rdev->bss_list, list) {
9870 		if (++idx <= start)
9871 			continue;
9872 		if (nl80211_send_bss(skb, cb,
9873 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9874 				rdev, wdev, scan) < 0) {
9875 			idx--;
9876 			break;
9877 		}
9878 	}
9879 
9880 	spin_unlock_bh(&rdev->bss_lock);
9881 	wdev_unlock(wdev);
9882 
9883 	cb->args[2] = idx;
9884 	wiphy_unlock(&rdev->wiphy);
9885 
9886 	return skb->len;
9887 }
9888 
9889 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9890 			       int flags, struct net_device *dev,
9891 			       bool allow_radio_stats,
9892 			       struct survey_info *survey)
9893 {
9894 	void *hdr;
9895 	struct nlattr *infoattr;
9896 
9897 	/* skip radio stats if userspace didn't request them */
9898 	if (!survey->channel && !allow_radio_stats)
9899 		return 0;
9900 
9901 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9902 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9903 	if (!hdr)
9904 		return -ENOMEM;
9905 
9906 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9907 		goto nla_put_failure;
9908 
9909 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9910 	if (!infoattr)
9911 		goto nla_put_failure;
9912 
9913 	if (survey->channel &&
9914 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9915 			survey->channel->center_freq))
9916 		goto nla_put_failure;
9917 
9918 	if (survey->channel && survey->channel->freq_offset &&
9919 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9920 			survey->channel->freq_offset))
9921 		goto nla_put_failure;
9922 
9923 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9924 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9925 		goto nla_put_failure;
9926 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9927 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9928 		goto nla_put_failure;
9929 	if ((survey->filled & SURVEY_INFO_TIME) &&
9930 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9931 			survey->time, NL80211_SURVEY_INFO_PAD))
9932 		goto nla_put_failure;
9933 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9934 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9935 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9936 		goto nla_put_failure;
9937 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9938 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9939 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9940 		goto nla_put_failure;
9941 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9942 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9943 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9944 		goto nla_put_failure;
9945 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9946 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9947 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9948 		goto nla_put_failure;
9949 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9950 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9951 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9952 		goto nla_put_failure;
9953 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9954 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9955 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9956 		goto nla_put_failure;
9957 
9958 	nla_nest_end(msg, infoattr);
9959 
9960 	genlmsg_end(msg, hdr);
9961 	return 0;
9962 
9963  nla_put_failure:
9964 	genlmsg_cancel(msg, hdr);
9965 	return -EMSGSIZE;
9966 }
9967 
9968 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9969 {
9970 	struct nlattr **attrbuf;
9971 	struct survey_info survey;
9972 	struct cfg80211_registered_device *rdev;
9973 	struct wireless_dev *wdev;
9974 	int survey_idx = cb->args[2];
9975 	int res;
9976 	bool radio_stats;
9977 
9978 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9979 	if (!attrbuf)
9980 		return -ENOMEM;
9981 
9982 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9983 	if (res) {
9984 		kfree(attrbuf);
9985 		return res;
9986 	}
9987 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9988 	__acquire(&rdev->wiphy.mtx);
9989 
9990 	/* prepare_wdev_dump parsed the attributes */
9991 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9992 
9993 	if (!wdev->netdev) {
9994 		res = -EINVAL;
9995 		goto out_err;
9996 	}
9997 
9998 	if (!rdev->ops->dump_survey) {
9999 		res = -EOPNOTSUPP;
10000 		goto out_err;
10001 	}
10002 
10003 	while (1) {
10004 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10005 		if (res == -ENOENT)
10006 			break;
10007 		if (res)
10008 			goto out_err;
10009 
10010 		/* don't send disabled channels, but do send non-channel data */
10011 		if (survey.channel &&
10012 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10013 			survey_idx++;
10014 			continue;
10015 		}
10016 
10017 		if (nl80211_send_survey(skb,
10018 				NETLINK_CB(cb->skb).portid,
10019 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10020 				wdev->netdev, radio_stats, &survey) < 0)
10021 			goto out;
10022 		survey_idx++;
10023 	}
10024 
10025  out:
10026 	cb->args[2] = survey_idx;
10027 	res = skb->len;
10028  out_err:
10029 	kfree(attrbuf);
10030 	wiphy_unlock(&rdev->wiphy);
10031 	return res;
10032 }
10033 
10034 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10035 {
10036 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10037 				  NL80211_WPA_VERSION_2 |
10038 				  NL80211_WPA_VERSION_3));
10039 }
10040 
10041 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10042 {
10043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10044 	struct net_device *dev = info->user_ptr[1];
10045 	struct ieee80211_channel *chan;
10046 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
10047 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
10048 	enum nl80211_auth_type auth_type;
10049 	struct key_parse key;
10050 	bool local_state_change;
10051 	u32 freq;
10052 
10053 	if (!info->attrs[NL80211_ATTR_MAC])
10054 		return -EINVAL;
10055 
10056 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10057 		return -EINVAL;
10058 
10059 	if (!info->attrs[NL80211_ATTR_SSID])
10060 		return -EINVAL;
10061 
10062 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10063 		return -EINVAL;
10064 
10065 	err = nl80211_parse_key(info, &key);
10066 	if (err)
10067 		return err;
10068 
10069 	if (key.idx >= 0) {
10070 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10071 			return -EINVAL;
10072 		if (!key.p.key || !key.p.key_len)
10073 			return -EINVAL;
10074 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10075 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10076 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10077 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10078 			return -EINVAL;
10079 		if (key.idx > 3)
10080 			return -EINVAL;
10081 	} else {
10082 		key.p.key_len = 0;
10083 		key.p.key = NULL;
10084 	}
10085 
10086 	if (key.idx >= 0) {
10087 		int i;
10088 		bool ok = false;
10089 
10090 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10091 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10092 				ok = true;
10093 				break;
10094 			}
10095 		}
10096 		if (!ok)
10097 			return -EINVAL;
10098 	}
10099 
10100 	if (!rdev->ops->auth)
10101 		return -EOPNOTSUPP;
10102 
10103 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10104 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10105 		return -EOPNOTSUPP;
10106 
10107 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10108 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10109 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10110 		freq +=
10111 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10112 
10113 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10114 	if (!chan)
10115 		return -EINVAL;
10116 
10117 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10118 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10119 
10120 	if (info->attrs[NL80211_ATTR_IE]) {
10121 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10122 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10123 	}
10124 
10125 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10126 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10127 		return -EINVAL;
10128 
10129 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10130 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10131 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10132 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10133 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10134 		return -EINVAL;
10135 
10136 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10137 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10138 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10139 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10140 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10141 			return -EINVAL;
10142 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10143 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10144 	}
10145 
10146 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10147 
10148 	/*
10149 	 * Since we no longer track auth state, ignore
10150 	 * requests to only change local state.
10151 	 */
10152 	if (local_state_change)
10153 		return 0;
10154 
10155 	wdev_lock(dev->ieee80211_ptr);
10156 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10157 				 ssid, ssid_len, ie, ie_len,
10158 				 key.p.key, key.p.key_len, key.idx,
10159 				 auth_data, auth_data_len);
10160 	wdev_unlock(dev->ieee80211_ptr);
10161 	return err;
10162 }
10163 
10164 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10165 				     struct genl_info *info)
10166 {
10167 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10168 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10169 		return -EINVAL;
10170 	}
10171 
10172 	if (!rdev->ops->tx_control_port ||
10173 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10174 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10175 		return -EOPNOTSUPP;
10176 
10177 	return 0;
10178 }
10179 
10180 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10181 				   struct genl_info *info,
10182 				   struct cfg80211_crypto_settings *settings,
10183 				   int cipher_limit)
10184 {
10185 	memset(settings, 0, sizeof(*settings));
10186 
10187 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10188 
10189 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10190 		u16 proto;
10191 
10192 		proto = nla_get_u16(
10193 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10194 		settings->control_port_ethertype = cpu_to_be16(proto);
10195 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10196 		    proto != ETH_P_PAE)
10197 			return -EINVAL;
10198 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10199 			settings->control_port_no_encrypt = true;
10200 	} else
10201 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10202 
10203 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10204 		int r = validate_pae_over_nl80211(rdev, info);
10205 
10206 		if (r < 0)
10207 			return r;
10208 
10209 		settings->control_port_over_nl80211 = true;
10210 
10211 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10212 			settings->control_port_no_preauth = true;
10213 	}
10214 
10215 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10216 		void *data;
10217 		int len, i;
10218 
10219 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10220 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10221 		settings->n_ciphers_pairwise = len / sizeof(u32);
10222 
10223 		if (len % sizeof(u32))
10224 			return -EINVAL;
10225 
10226 		if (settings->n_ciphers_pairwise > cipher_limit)
10227 			return -EINVAL;
10228 
10229 		memcpy(settings->ciphers_pairwise, data, len);
10230 
10231 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10232 			if (!cfg80211_supported_cipher_suite(
10233 					&rdev->wiphy,
10234 					settings->ciphers_pairwise[i]))
10235 				return -EINVAL;
10236 	}
10237 
10238 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10239 		settings->cipher_group =
10240 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10241 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10242 						     settings->cipher_group))
10243 			return -EINVAL;
10244 	}
10245 
10246 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10247 		settings->wpa_versions =
10248 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10249 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10250 			return -EINVAL;
10251 	}
10252 
10253 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10254 		void *data;
10255 		int len;
10256 
10257 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10258 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10259 		settings->n_akm_suites = len / sizeof(u32);
10260 
10261 		if (len % sizeof(u32))
10262 			return -EINVAL;
10263 
10264 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10265 			return -EINVAL;
10266 
10267 		memcpy(settings->akm_suites, data, len);
10268 	}
10269 
10270 	if (info->attrs[NL80211_ATTR_PMK]) {
10271 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10272 			return -EINVAL;
10273 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10274 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10275 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10276 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10277 			return -EINVAL;
10278 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10279 	}
10280 
10281 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10282 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10283 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10284 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10285 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10286 			return -EINVAL;
10287 		settings->sae_pwd =
10288 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10289 		settings->sae_pwd_len =
10290 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10291 	}
10292 
10293 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10294 		settings->sae_pwe =
10295 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10296 	else
10297 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10298 
10299 	return 0;
10300 }
10301 
10302 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10303 {
10304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10305 	struct net_device *dev = info->user_ptr[1];
10306 	struct ieee80211_channel *chan;
10307 	struct cfg80211_assoc_request req = {};
10308 	const u8 *bssid, *ssid;
10309 	int err, ssid_len = 0;
10310 	u32 freq;
10311 
10312 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10313 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10314 		return -EPERM;
10315 
10316 	if (!info->attrs[NL80211_ATTR_MAC] ||
10317 	    !info->attrs[NL80211_ATTR_SSID] ||
10318 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10319 		return -EINVAL;
10320 
10321 	if (!rdev->ops->assoc)
10322 		return -EOPNOTSUPP;
10323 
10324 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10325 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10326 		return -EOPNOTSUPP;
10327 
10328 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10329 
10330 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10331 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10332 		freq +=
10333 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10334 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10335 	if (!chan)
10336 		return -EINVAL;
10337 
10338 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10339 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10340 
10341 	if (info->attrs[NL80211_ATTR_IE]) {
10342 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10343 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10344 	}
10345 
10346 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10347 		enum nl80211_mfp mfp =
10348 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10349 		if (mfp == NL80211_MFP_REQUIRED)
10350 			req.use_mfp = true;
10351 		else if (mfp != NL80211_MFP_NO)
10352 			return -EINVAL;
10353 	}
10354 
10355 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10356 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10357 
10358 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10359 		req.flags |= ASSOC_REQ_DISABLE_HT;
10360 
10361 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10362 		memcpy(&req.ht_capa_mask,
10363 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10364 		       sizeof(req.ht_capa_mask));
10365 
10366 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10367 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10368 			return -EINVAL;
10369 		memcpy(&req.ht_capa,
10370 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10371 		       sizeof(req.ht_capa));
10372 	}
10373 
10374 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10375 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10376 
10377 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10378 		req.flags |= ASSOC_REQ_DISABLE_HE;
10379 
10380 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10381 		memcpy(&req.vht_capa_mask,
10382 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10383 		       sizeof(req.vht_capa_mask));
10384 
10385 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10386 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10387 			return -EINVAL;
10388 		memcpy(&req.vht_capa,
10389 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10390 		       sizeof(req.vht_capa));
10391 	}
10392 
10393 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10394 		if (!((rdev->wiphy.features &
10395 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10396 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10397 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10398 					     NL80211_EXT_FEATURE_RRM))
10399 			return -EINVAL;
10400 		req.flags |= ASSOC_REQ_USE_RRM;
10401 	}
10402 
10403 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10404 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10405 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10406 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10407 			return -EINVAL;
10408 		req.fils_nonces =
10409 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10410 	}
10411 
10412 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10413 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10414 			return -EINVAL;
10415 		memcpy(&req.s1g_capa_mask,
10416 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10417 		       sizeof(req.s1g_capa_mask));
10418 	}
10419 
10420 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10421 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10422 			return -EINVAL;
10423 		memcpy(&req.s1g_capa,
10424 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10425 		       sizeof(req.s1g_capa));
10426 	}
10427 
10428 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10429 	if (!err) {
10430 		wdev_lock(dev->ieee80211_ptr);
10431 
10432 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10433 					  ssid, ssid_len, &req);
10434 
10435 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10436 			dev->ieee80211_ptr->conn_owner_nlportid =
10437 				info->snd_portid;
10438 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10439 			       bssid, ETH_ALEN);
10440 		}
10441 
10442 		wdev_unlock(dev->ieee80211_ptr);
10443 	}
10444 
10445 	return err;
10446 }
10447 
10448 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10449 {
10450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10451 	struct net_device *dev = info->user_ptr[1];
10452 	const u8 *ie = NULL, *bssid;
10453 	int ie_len = 0, err;
10454 	u16 reason_code;
10455 	bool local_state_change;
10456 
10457 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10458 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10459 		return -EPERM;
10460 
10461 	if (!info->attrs[NL80211_ATTR_MAC])
10462 		return -EINVAL;
10463 
10464 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10465 		return -EINVAL;
10466 
10467 	if (!rdev->ops->deauth)
10468 		return -EOPNOTSUPP;
10469 
10470 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10471 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10472 		return -EOPNOTSUPP;
10473 
10474 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10475 
10476 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10477 	if (reason_code == 0) {
10478 		/* Reason Code 0 is reserved */
10479 		return -EINVAL;
10480 	}
10481 
10482 	if (info->attrs[NL80211_ATTR_IE]) {
10483 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10484 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10485 	}
10486 
10487 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10488 
10489 	wdev_lock(dev->ieee80211_ptr);
10490 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10491 				   local_state_change);
10492 	wdev_unlock(dev->ieee80211_ptr);
10493 	return err;
10494 }
10495 
10496 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10497 {
10498 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10499 	struct net_device *dev = info->user_ptr[1];
10500 	const u8 *ie = NULL, *bssid;
10501 	int ie_len = 0, err;
10502 	u16 reason_code;
10503 	bool local_state_change;
10504 
10505 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10506 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10507 		return -EPERM;
10508 
10509 	if (!info->attrs[NL80211_ATTR_MAC])
10510 		return -EINVAL;
10511 
10512 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10513 		return -EINVAL;
10514 
10515 	if (!rdev->ops->disassoc)
10516 		return -EOPNOTSUPP;
10517 
10518 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10519 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10520 		return -EOPNOTSUPP;
10521 
10522 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10523 
10524 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10525 	if (reason_code == 0) {
10526 		/* Reason Code 0 is reserved */
10527 		return -EINVAL;
10528 	}
10529 
10530 	if (info->attrs[NL80211_ATTR_IE]) {
10531 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10532 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10533 	}
10534 
10535 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10536 
10537 	wdev_lock(dev->ieee80211_ptr);
10538 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10539 				     local_state_change);
10540 	wdev_unlock(dev->ieee80211_ptr);
10541 	return err;
10542 }
10543 
10544 static bool
10545 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10546 			 int mcast_rate[NUM_NL80211_BANDS],
10547 			 int rateval)
10548 {
10549 	struct wiphy *wiphy = &rdev->wiphy;
10550 	bool found = false;
10551 	int band, i;
10552 
10553 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10554 		struct ieee80211_supported_band *sband;
10555 
10556 		sband = wiphy->bands[band];
10557 		if (!sband)
10558 			continue;
10559 
10560 		for (i = 0; i < sband->n_bitrates; i++) {
10561 			if (sband->bitrates[i].bitrate == rateval) {
10562 				mcast_rate[band] = i + 1;
10563 				found = true;
10564 				break;
10565 			}
10566 		}
10567 	}
10568 
10569 	return found;
10570 }
10571 
10572 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10573 {
10574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10575 	struct net_device *dev = info->user_ptr[1];
10576 	struct cfg80211_ibss_params ibss;
10577 	struct wiphy *wiphy;
10578 	struct cfg80211_cached_keys *connkeys = NULL;
10579 	int err;
10580 
10581 	memset(&ibss, 0, sizeof(ibss));
10582 
10583 	if (!info->attrs[NL80211_ATTR_SSID] ||
10584 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10585 		return -EINVAL;
10586 
10587 	ibss.beacon_interval = 100;
10588 
10589 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10590 		ibss.beacon_interval =
10591 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10592 
10593 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10594 					   ibss.beacon_interval);
10595 	if (err)
10596 		return err;
10597 
10598 	if (!rdev->ops->join_ibss)
10599 		return -EOPNOTSUPP;
10600 
10601 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10602 		return -EOPNOTSUPP;
10603 
10604 	wiphy = &rdev->wiphy;
10605 
10606 	if (info->attrs[NL80211_ATTR_MAC]) {
10607 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10608 
10609 		if (!is_valid_ether_addr(ibss.bssid))
10610 			return -EINVAL;
10611 	}
10612 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10613 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10614 
10615 	if (info->attrs[NL80211_ATTR_IE]) {
10616 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10617 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10618 	}
10619 
10620 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10621 	if (err)
10622 		return err;
10623 
10624 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10625 				     NL80211_IFTYPE_ADHOC))
10626 		return -EINVAL;
10627 
10628 	switch (ibss.chandef.width) {
10629 	case NL80211_CHAN_WIDTH_5:
10630 	case NL80211_CHAN_WIDTH_10:
10631 	case NL80211_CHAN_WIDTH_20_NOHT:
10632 		break;
10633 	case NL80211_CHAN_WIDTH_20:
10634 	case NL80211_CHAN_WIDTH_40:
10635 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10636 			return -EINVAL;
10637 		break;
10638 	case NL80211_CHAN_WIDTH_80:
10639 	case NL80211_CHAN_WIDTH_80P80:
10640 	case NL80211_CHAN_WIDTH_160:
10641 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10642 			return -EINVAL;
10643 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10644 					     NL80211_EXT_FEATURE_VHT_IBSS))
10645 			return -EINVAL;
10646 		break;
10647 	case NL80211_CHAN_WIDTH_320:
10648 		return -EINVAL;
10649 	default:
10650 		return -EINVAL;
10651 	}
10652 
10653 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10654 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10655 
10656 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10657 		u8 *rates =
10658 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10659 		int n_rates =
10660 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10661 		struct ieee80211_supported_band *sband =
10662 			wiphy->bands[ibss.chandef.chan->band];
10663 
10664 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10665 					     &ibss.basic_rates);
10666 		if (err)
10667 			return err;
10668 	}
10669 
10670 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10671 		memcpy(&ibss.ht_capa_mask,
10672 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10673 		       sizeof(ibss.ht_capa_mask));
10674 
10675 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10676 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10677 			return -EINVAL;
10678 		memcpy(&ibss.ht_capa,
10679 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10680 		       sizeof(ibss.ht_capa));
10681 	}
10682 
10683 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10684 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10685 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10686 		return -EINVAL;
10687 
10688 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10689 		bool no_ht = false;
10690 
10691 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10692 		if (IS_ERR(connkeys))
10693 			return PTR_ERR(connkeys);
10694 
10695 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10696 		    no_ht) {
10697 			kfree_sensitive(connkeys);
10698 			return -EINVAL;
10699 		}
10700 	}
10701 
10702 	ibss.control_port =
10703 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10704 
10705 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10706 		int r = validate_pae_over_nl80211(rdev, info);
10707 
10708 		if (r < 0) {
10709 			kfree_sensitive(connkeys);
10710 			return r;
10711 		}
10712 
10713 		ibss.control_port_over_nl80211 = true;
10714 	}
10715 
10716 	ibss.userspace_handles_dfs =
10717 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10718 
10719 	wdev_lock(dev->ieee80211_ptr);
10720 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10721 	if (err)
10722 		kfree_sensitive(connkeys);
10723 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10724 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10725 	wdev_unlock(dev->ieee80211_ptr);
10726 
10727 	return err;
10728 }
10729 
10730 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10731 {
10732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10733 	struct net_device *dev = info->user_ptr[1];
10734 
10735 	if (!rdev->ops->leave_ibss)
10736 		return -EOPNOTSUPP;
10737 
10738 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10739 		return -EOPNOTSUPP;
10740 
10741 	return cfg80211_leave_ibss(rdev, dev, false);
10742 }
10743 
10744 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10745 {
10746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10747 	struct net_device *dev = info->user_ptr[1];
10748 	int mcast_rate[NUM_NL80211_BANDS];
10749 	u32 nla_rate;
10750 	int err;
10751 
10752 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10753 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10754 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10755 		return -EOPNOTSUPP;
10756 
10757 	if (!rdev->ops->set_mcast_rate)
10758 		return -EOPNOTSUPP;
10759 
10760 	memset(mcast_rate, 0, sizeof(mcast_rate));
10761 
10762 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10763 		return -EINVAL;
10764 
10765 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10766 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10767 		return -EINVAL;
10768 
10769 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10770 
10771 	return err;
10772 }
10773 
10774 static struct sk_buff *
10775 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10776 			    struct wireless_dev *wdev, int approxlen,
10777 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10778 			    enum nl80211_attrs attr,
10779 			    const struct nl80211_vendor_cmd_info *info,
10780 			    gfp_t gfp)
10781 {
10782 	struct sk_buff *skb;
10783 	void *hdr;
10784 	struct nlattr *data;
10785 
10786 	skb = nlmsg_new(approxlen + 100, gfp);
10787 	if (!skb)
10788 		return NULL;
10789 
10790 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10791 	if (!hdr) {
10792 		kfree_skb(skb);
10793 		return NULL;
10794 	}
10795 
10796 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10797 		goto nla_put_failure;
10798 
10799 	if (info) {
10800 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10801 				info->vendor_id))
10802 			goto nla_put_failure;
10803 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10804 				info->subcmd))
10805 			goto nla_put_failure;
10806 	}
10807 
10808 	if (wdev) {
10809 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10810 				      wdev_id(wdev), NL80211_ATTR_PAD))
10811 			goto nla_put_failure;
10812 		if (wdev->netdev &&
10813 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10814 				wdev->netdev->ifindex))
10815 			goto nla_put_failure;
10816 	}
10817 
10818 	data = nla_nest_start_noflag(skb, attr);
10819 	if (!data)
10820 		goto nla_put_failure;
10821 
10822 	((void **)skb->cb)[0] = rdev;
10823 	((void **)skb->cb)[1] = hdr;
10824 	((void **)skb->cb)[2] = data;
10825 
10826 	return skb;
10827 
10828  nla_put_failure:
10829 	kfree_skb(skb);
10830 	return NULL;
10831 }
10832 
10833 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10834 					   struct wireless_dev *wdev,
10835 					   enum nl80211_commands cmd,
10836 					   enum nl80211_attrs attr,
10837 					   unsigned int portid,
10838 					   int vendor_event_idx,
10839 					   int approxlen, gfp_t gfp)
10840 {
10841 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10842 	const struct nl80211_vendor_cmd_info *info;
10843 
10844 	switch (cmd) {
10845 	case NL80211_CMD_TESTMODE:
10846 		if (WARN_ON(vendor_event_idx != -1))
10847 			return NULL;
10848 		info = NULL;
10849 		break;
10850 	case NL80211_CMD_VENDOR:
10851 		if (WARN_ON(vendor_event_idx < 0 ||
10852 			    vendor_event_idx >= wiphy->n_vendor_events))
10853 			return NULL;
10854 		info = &wiphy->vendor_events[vendor_event_idx];
10855 		break;
10856 	default:
10857 		WARN_ON(1);
10858 		return NULL;
10859 	}
10860 
10861 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10862 					   cmd, attr, info, gfp);
10863 }
10864 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10865 
10866 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10867 {
10868 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10869 	void *hdr = ((void **)skb->cb)[1];
10870 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10871 	struct nlattr *data = ((void **)skb->cb)[2];
10872 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10873 
10874 	/* clear CB data for netlink core to own from now on */
10875 	memset(skb->cb, 0, sizeof(skb->cb));
10876 
10877 	nla_nest_end(skb, data);
10878 	genlmsg_end(skb, hdr);
10879 
10880 	if (nlhdr->nlmsg_pid) {
10881 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10882 				nlhdr->nlmsg_pid);
10883 	} else {
10884 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10885 			mcgrp = NL80211_MCGRP_VENDOR;
10886 
10887 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10888 					skb, 0, mcgrp, gfp);
10889 	}
10890 }
10891 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10892 
10893 #ifdef CONFIG_NL80211_TESTMODE
10894 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10895 {
10896 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10897 	struct wireless_dev *wdev;
10898 	int err;
10899 
10900 	lockdep_assert_held(&rdev->wiphy.mtx);
10901 
10902 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10903 					  info->attrs);
10904 
10905 	if (!rdev->ops->testmode_cmd)
10906 		return -EOPNOTSUPP;
10907 
10908 	if (IS_ERR(wdev)) {
10909 		err = PTR_ERR(wdev);
10910 		if (err != -EINVAL)
10911 			return err;
10912 		wdev = NULL;
10913 	} else if (wdev->wiphy != &rdev->wiphy) {
10914 		return -EINVAL;
10915 	}
10916 
10917 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10918 		return -EINVAL;
10919 
10920 	rdev->cur_cmd_info = info;
10921 	err = rdev_testmode_cmd(rdev, wdev,
10922 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10923 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10924 	rdev->cur_cmd_info = NULL;
10925 
10926 	return err;
10927 }
10928 
10929 static int nl80211_testmode_dump(struct sk_buff *skb,
10930 				 struct netlink_callback *cb)
10931 {
10932 	struct cfg80211_registered_device *rdev;
10933 	struct nlattr **attrbuf = NULL;
10934 	int err;
10935 	long phy_idx;
10936 	void *data = NULL;
10937 	int data_len = 0;
10938 
10939 	rtnl_lock();
10940 
10941 	if (cb->args[0]) {
10942 		/*
10943 		 * 0 is a valid index, but not valid for args[0],
10944 		 * so we need to offset by 1.
10945 		 */
10946 		phy_idx = cb->args[0] - 1;
10947 
10948 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10949 		if (!rdev) {
10950 			err = -ENOENT;
10951 			goto out_err;
10952 		}
10953 	} else {
10954 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10955 				  GFP_KERNEL);
10956 		if (!attrbuf) {
10957 			err = -ENOMEM;
10958 			goto out_err;
10959 		}
10960 
10961 		err = nlmsg_parse_deprecated(cb->nlh,
10962 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10963 					     attrbuf, nl80211_fam.maxattr,
10964 					     nl80211_policy, NULL);
10965 		if (err)
10966 			goto out_err;
10967 
10968 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10969 		if (IS_ERR(rdev)) {
10970 			err = PTR_ERR(rdev);
10971 			goto out_err;
10972 		}
10973 		phy_idx = rdev->wiphy_idx;
10974 
10975 		if (attrbuf[NL80211_ATTR_TESTDATA])
10976 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10977 	}
10978 
10979 	if (cb->args[1]) {
10980 		data = nla_data((void *)cb->args[1]);
10981 		data_len = nla_len((void *)cb->args[1]);
10982 	}
10983 
10984 	if (!rdev->ops->testmode_dump) {
10985 		err = -EOPNOTSUPP;
10986 		goto out_err;
10987 	}
10988 
10989 	while (1) {
10990 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10991 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10992 					   NL80211_CMD_TESTMODE);
10993 		struct nlattr *tmdata;
10994 
10995 		if (!hdr)
10996 			break;
10997 
10998 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10999 			genlmsg_cancel(skb, hdr);
11000 			break;
11001 		}
11002 
11003 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11004 		if (!tmdata) {
11005 			genlmsg_cancel(skb, hdr);
11006 			break;
11007 		}
11008 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11009 		nla_nest_end(skb, tmdata);
11010 
11011 		if (err == -ENOBUFS || err == -ENOENT) {
11012 			genlmsg_cancel(skb, hdr);
11013 			break;
11014 		} else if (err) {
11015 			genlmsg_cancel(skb, hdr);
11016 			goto out_err;
11017 		}
11018 
11019 		genlmsg_end(skb, hdr);
11020 	}
11021 
11022 	err = skb->len;
11023 	/* see above */
11024 	cb->args[0] = phy_idx + 1;
11025  out_err:
11026 	kfree(attrbuf);
11027 	rtnl_unlock();
11028 	return err;
11029 }
11030 #endif
11031 
11032 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11033 {
11034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11035 	struct net_device *dev = info->user_ptr[1];
11036 	struct cfg80211_connect_params connect;
11037 	struct wiphy *wiphy;
11038 	struct cfg80211_cached_keys *connkeys = NULL;
11039 	u32 freq = 0;
11040 	int err;
11041 
11042 	memset(&connect, 0, sizeof(connect));
11043 
11044 	if (!info->attrs[NL80211_ATTR_SSID] ||
11045 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11046 		return -EINVAL;
11047 
11048 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11049 		connect.auth_type =
11050 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11051 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11052 					     NL80211_CMD_CONNECT))
11053 			return -EINVAL;
11054 	} else
11055 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11056 
11057 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11058 
11059 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11060 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11061 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11062 		return -EINVAL;
11063 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11064 
11065 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11066 				      NL80211_MAX_NR_CIPHER_SUITES);
11067 	if (err)
11068 		return err;
11069 
11070 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11071 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11072 		return -EOPNOTSUPP;
11073 
11074 	wiphy = &rdev->wiphy;
11075 
11076 	connect.bg_scan_period = -1;
11077 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11078 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11079 		connect.bg_scan_period =
11080 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11081 	}
11082 
11083 	if (info->attrs[NL80211_ATTR_MAC])
11084 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11085 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11086 		connect.bssid_hint =
11087 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11088 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11089 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11090 
11091 	if (info->attrs[NL80211_ATTR_IE]) {
11092 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11093 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11094 	}
11095 
11096 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11097 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11098 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11099 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11100 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11101 			return -EOPNOTSUPP;
11102 	} else {
11103 		connect.mfp = NL80211_MFP_NO;
11104 	}
11105 
11106 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11107 		connect.prev_bssid =
11108 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11109 
11110 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11111 		freq = MHZ_TO_KHZ(nla_get_u32(
11112 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11113 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11114 		freq +=
11115 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11116 
11117 	if (freq) {
11118 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11119 		if (!connect.channel)
11120 			return -EINVAL;
11121 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11122 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11123 		freq = MHZ_TO_KHZ(freq);
11124 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11125 		if (!connect.channel_hint)
11126 			return -EINVAL;
11127 	}
11128 
11129 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11130 		connect.edmg.channels =
11131 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11132 
11133 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11134 			connect.edmg.bw_config =
11135 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11136 	}
11137 
11138 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11139 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11140 		if (IS_ERR(connkeys))
11141 			return PTR_ERR(connkeys);
11142 	}
11143 
11144 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11145 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11146 
11147 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11148 		memcpy(&connect.ht_capa_mask,
11149 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11150 		       sizeof(connect.ht_capa_mask));
11151 
11152 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11153 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11154 			kfree_sensitive(connkeys);
11155 			return -EINVAL;
11156 		}
11157 		memcpy(&connect.ht_capa,
11158 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11159 		       sizeof(connect.ht_capa));
11160 	}
11161 
11162 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11163 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11164 
11165 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11166 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11167 
11168 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11169 		memcpy(&connect.vht_capa_mask,
11170 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11171 		       sizeof(connect.vht_capa_mask));
11172 
11173 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11174 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11175 			kfree_sensitive(connkeys);
11176 			return -EINVAL;
11177 		}
11178 		memcpy(&connect.vht_capa,
11179 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11180 		       sizeof(connect.vht_capa));
11181 	}
11182 
11183 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11184 		if (!((rdev->wiphy.features &
11185 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11186 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11187 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11188 					     NL80211_EXT_FEATURE_RRM)) {
11189 			kfree_sensitive(connkeys);
11190 			return -EINVAL;
11191 		}
11192 		connect.flags |= ASSOC_REQ_USE_RRM;
11193 	}
11194 
11195 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11196 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11197 		kfree_sensitive(connkeys);
11198 		return -EOPNOTSUPP;
11199 	}
11200 
11201 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11202 		/* bss selection makes no sense if bssid is set */
11203 		if (connect.bssid) {
11204 			kfree_sensitive(connkeys);
11205 			return -EINVAL;
11206 		}
11207 
11208 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11209 				       wiphy, &connect.bss_select);
11210 		if (err) {
11211 			kfree_sensitive(connkeys);
11212 			return err;
11213 		}
11214 	}
11215 
11216 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11217 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11218 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11219 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11220 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11221 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11222 		connect.fils_erp_username =
11223 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11224 		connect.fils_erp_username_len =
11225 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11226 		connect.fils_erp_realm =
11227 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11228 		connect.fils_erp_realm_len =
11229 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11230 		connect.fils_erp_next_seq_num =
11231 			nla_get_u16(
11232 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11233 		connect.fils_erp_rrk =
11234 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11235 		connect.fils_erp_rrk_len =
11236 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11237 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11238 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11239 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11240 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11241 		kfree_sensitive(connkeys);
11242 		return -EINVAL;
11243 	}
11244 
11245 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11246 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11247 			kfree_sensitive(connkeys);
11248 			GENL_SET_ERR_MSG(info,
11249 					 "external auth requires connection ownership");
11250 			return -EINVAL;
11251 		}
11252 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11253 	}
11254 
11255 	wdev_lock(dev->ieee80211_ptr);
11256 
11257 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11258 			       connect.prev_bssid);
11259 	if (err)
11260 		kfree_sensitive(connkeys);
11261 
11262 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11263 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11264 		if (connect.bssid)
11265 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11266 			       connect.bssid, ETH_ALEN);
11267 		else
11268 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11269 	}
11270 
11271 	wdev_unlock(dev->ieee80211_ptr);
11272 
11273 	return err;
11274 }
11275 
11276 static int nl80211_update_connect_params(struct sk_buff *skb,
11277 					 struct genl_info *info)
11278 {
11279 	struct cfg80211_connect_params connect = {};
11280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11281 	struct net_device *dev = info->user_ptr[1];
11282 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11283 	bool fils_sk_offload;
11284 	u32 auth_type;
11285 	u32 changed = 0;
11286 	int ret;
11287 
11288 	if (!rdev->ops->update_connect_params)
11289 		return -EOPNOTSUPP;
11290 
11291 	if (info->attrs[NL80211_ATTR_IE]) {
11292 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11293 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11294 		changed |= UPDATE_ASSOC_IES;
11295 	}
11296 
11297 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11298 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11299 
11300 	/*
11301 	 * when driver supports fils-sk offload all attributes must be
11302 	 * provided. So the else covers "fils-sk-not-all" and
11303 	 * "no-fils-sk-any".
11304 	 */
11305 	if (fils_sk_offload &&
11306 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11307 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11308 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11309 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11310 		connect.fils_erp_username =
11311 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11312 		connect.fils_erp_username_len =
11313 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11314 		connect.fils_erp_realm =
11315 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11316 		connect.fils_erp_realm_len =
11317 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11318 		connect.fils_erp_next_seq_num =
11319 			nla_get_u16(
11320 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11321 		connect.fils_erp_rrk =
11322 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11323 		connect.fils_erp_rrk_len =
11324 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11325 		changed |= UPDATE_FILS_ERP_INFO;
11326 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11327 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11328 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11329 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11330 		return -EINVAL;
11331 	}
11332 
11333 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11334 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11335 		if (!nl80211_valid_auth_type(rdev, auth_type,
11336 					     NL80211_CMD_CONNECT))
11337 			return -EINVAL;
11338 
11339 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11340 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11341 			return -EINVAL;
11342 
11343 		connect.auth_type = auth_type;
11344 		changed |= UPDATE_AUTH_TYPE;
11345 	}
11346 
11347 	wdev_lock(dev->ieee80211_ptr);
11348 	if (!wdev->current_bss)
11349 		ret = -ENOLINK;
11350 	else
11351 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11352 	wdev_unlock(dev->ieee80211_ptr);
11353 
11354 	return ret;
11355 }
11356 
11357 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11358 {
11359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11360 	struct net_device *dev = info->user_ptr[1];
11361 	u16 reason;
11362 	int ret;
11363 
11364 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11365 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11366 		return -EPERM;
11367 
11368 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11369 		reason = WLAN_REASON_DEAUTH_LEAVING;
11370 	else
11371 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11372 
11373 	if (reason == 0)
11374 		return -EINVAL;
11375 
11376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11377 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11378 		return -EOPNOTSUPP;
11379 
11380 	wdev_lock(dev->ieee80211_ptr);
11381 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11382 	wdev_unlock(dev->ieee80211_ptr);
11383 	return ret;
11384 }
11385 
11386 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11387 {
11388 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11389 	struct net *net;
11390 	int err;
11391 
11392 	if (info->attrs[NL80211_ATTR_PID]) {
11393 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11394 
11395 		net = get_net_ns_by_pid(pid);
11396 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11397 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11398 
11399 		net = get_net_ns_by_fd(fd);
11400 	} else {
11401 		return -EINVAL;
11402 	}
11403 
11404 	if (IS_ERR(net))
11405 		return PTR_ERR(net);
11406 
11407 	err = 0;
11408 
11409 	/* check if anything to do */
11410 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11411 		err = cfg80211_switch_netns(rdev, net);
11412 
11413 	put_net(net);
11414 	return err;
11415 }
11416 
11417 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11418 {
11419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11420 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11421 			struct cfg80211_pmksa *pmksa) = NULL;
11422 	struct net_device *dev = info->user_ptr[1];
11423 	struct cfg80211_pmksa pmksa;
11424 
11425 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11426 
11427 	if (!info->attrs[NL80211_ATTR_PMKID])
11428 		return -EINVAL;
11429 
11430 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11431 
11432 	if (info->attrs[NL80211_ATTR_MAC]) {
11433 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11434 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11435 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11436 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11437 		    info->attrs[NL80211_ATTR_PMK])) {
11438 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11439 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11440 		pmksa.cache_id =
11441 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11442 	} else {
11443 		return -EINVAL;
11444 	}
11445 	if (info->attrs[NL80211_ATTR_PMK]) {
11446 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11447 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11448 	}
11449 
11450 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11451 		pmksa.pmk_lifetime =
11452 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11453 
11454 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11455 		pmksa.pmk_reauth_threshold =
11456 			nla_get_u8(
11457 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11458 
11459 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11460 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11461 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11462 	      wiphy_ext_feature_isset(&rdev->wiphy,
11463 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11464 		return -EOPNOTSUPP;
11465 
11466 	switch (info->genlhdr->cmd) {
11467 	case NL80211_CMD_SET_PMKSA:
11468 		rdev_ops = rdev->ops->set_pmksa;
11469 		break;
11470 	case NL80211_CMD_DEL_PMKSA:
11471 		rdev_ops = rdev->ops->del_pmksa;
11472 		break;
11473 	default:
11474 		WARN_ON(1);
11475 		break;
11476 	}
11477 
11478 	if (!rdev_ops)
11479 		return -EOPNOTSUPP;
11480 
11481 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11482 }
11483 
11484 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11485 {
11486 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11487 	struct net_device *dev = info->user_ptr[1];
11488 
11489 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11490 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11491 		return -EOPNOTSUPP;
11492 
11493 	if (!rdev->ops->flush_pmksa)
11494 		return -EOPNOTSUPP;
11495 
11496 	return rdev_flush_pmksa(rdev, dev);
11497 }
11498 
11499 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11500 {
11501 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11502 	struct net_device *dev = info->user_ptr[1];
11503 	u8 action_code, dialog_token;
11504 	u32 peer_capability = 0;
11505 	u16 status_code;
11506 	u8 *peer;
11507 	bool initiator;
11508 
11509 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11510 	    !rdev->ops->tdls_mgmt)
11511 		return -EOPNOTSUPP;
11512 
11513 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11514 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11515 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11516 	    !info->attrs[NL80211_ATTR_IE] ||
11517 	    !info->attrs[NL80211_ATTR_MAC])
11518 		return -EINVAL;
11519 
11520 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11521 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11522 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11523 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11524 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11525 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11526 		peer_capability =
11527 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11528 
11529 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11530 			      dialog_token, status_code, peer_capability,
11531 			      initiator,
11532 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11533 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11534 }
11535 
11536 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11537 {
11538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11539 	struct net_device *dev = info->user_ptr[1];
11540 	enum nl80211_tdls_operation operation;
11541 	u8 *peer;
11542 
11543 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11544 	    !rdev->ops->tdls_oper)
11545 		return -EOPNOTSUPP;
11546 
11547 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11548 	    !info->attrs[NL80211_ATTR_MAC])
11549 		return -EINVAL;
11550 
11551 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11552 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11553 
11554 	return rdev_tdls_oper(rdev, dev, peer, operation);
11555 }
11556 
11557 static int nl80211_remain_on_channel(struct sk_buff *skb,
11558 				     struct genl_info *info)
11559 {
11560 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11561 	struct wireless_dev *wdev = info->user_ptr[1];
11562 	struct cfg80211_chan_def chandef;
11563 	const struct cfg80211_chan_def *compat_chandef;
11564 	struct sk_buff *msg;
11565 	void *hdr;
11566 	u64 cookie;
11567 	u32 duration;
11568 	int err;
11569 
11570 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11571 	    !info->attrs[NL80211_ATTR_DURATION])
11572 		return -EINVAL;
11573 
11574 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11575 
11576 	if (!rdev->ops->remain_on_channel ||
11577 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11578 		return -EOPNOTSUPP;
11579 
11580 	/*
11581 	 * We should be on that channel for at least a minimum amount of
11582 	 * time (10ms) but no longer than the driver supports.
11583 	 */
11584 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11585 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11586 		return -EINVAL;
11587 
11588 	err = nl80211_parse_chandef(rdev, info, &chandef);
11589 	if (err)
11590 		return err;
11591 
11592 	wdev_lock(wdev);
11593 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11594 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11595 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11596 							     &chandef);
11597 		if (compat_chandef != &chandef) {
11598 			wdev_unlock(wdev);
11599 			return -EBUSY;
11600 		}
11601 	}
11602 	wdev_unlock(wdev);
11603 
11604 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11605 	if (!msg)
11606 		return -ENOMEM;
11607 
11608 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11609 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11610 	if (!hdr) {
11611 		err = -ENOBUFS;
11612 		goto free_msg;
11613 	}
11614 
11615 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11616 				     duration, &cookie);
11617 
11618 	if (err)
11619 		goto free_msg;
11620 
11621 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11622 			      NL80211_ATTR_PAD))
11623 		goto nla_put_failure;
11624 
11625 	genlmsg_end(msg, hdr);
11626 
11627 	return genlmsg_reply(msg, info);
11628 
11629  nla_put_failure:
11630 	err = -ENOBUFS;
11631  free_msg:
11632 	nlmsg_free(msg);
11633 	return err;
11634 }
11635 
11636 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11637 					    struct genl_info *info)
11638 {
11639 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11640 	struct wireless_dev *wdev = info->user_ptr[1];
11641 	u64 cookie;
11642 
11643 	if (!info->attrs[NL80211_ATTR_COOKIE])
11644 		return -EINVAL;
11645 
11646 	if (!rdev->ops->cancel_remain_on_channel)
11647 		return -EOPNOTSUPP;
11648 
11649 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11650 
11651 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11652 }
11653 
11654 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11655 				       struct genl_info *info)
11656 {
11657 	struct cfg80211_bitrate_mask mask;
11658 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11659 	struct net_device *dev = info->user_ptr[1];
11660 	int err;
11661 
11662 	if (!rdev->ops->set_bitrate_mask)
11663 		return -EOPNOTSUPP;
11664 
11665 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11666 					    NL80211_ATTR_TX_RATES, &mask,
11667 					    dev, true);
11668 	if (err)
11669 		return err;
11670 
11671 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11672 }
11673 
11674 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11675 {
11676 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11677 	struct wireless_dev *wdev = info->user_ptr[1];
11678 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11679 
11680 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11681 		return -EINVAL;
11682 
11683 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11684 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11685 
11686 	switch (wdev->iftype) {
11687 	case NL80211_IFTYPE_STATION:
11688 	case NL80211_IFTYPE_ADHOC:
11689 	case NL80211_IFTYPE_P2P_CLIENT:
11690 	case NL80211_IFTYPE_AP:
11691 	case NL80211_IFTYPE_AP_VLAN:
11692 	case NL80211_IFTYPE_MESH_POINT:
11693 	case NL80211_IFTYPE_P2P_GO:
11694 	case NL80211_IFTYPE_P2P_DEVICE:
11695 		break;
11696 	case NL80211_IFTYPE_NAN:
11697 	default:
11698 		return -EOPNOTSUPP;
11699 	}
11700 
11701 	/* not much point in registering if we can't reply */
11702 	if (!rdev->ops->mgmt_tx)
11703 		return -EOPNOTSUPP;
11704 
11705 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11706 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11707 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11708 		GENL_SET_ERR_MSG(info,
11709 				 "multicast RX registrations are not supported");
11710 		return -EOPNOTSUPP;
11711 	}
11712 
11713 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11714 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11715 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11716 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11717 					   info->extack);
11718 }
11719 
11720 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11721 {
11722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11723 	struct wireless_dev *wdev = info->user_ptr[1];
11724 	struct cfg80211_chan_def chandef;
11725 	int err;
11726 	void *hdr = NULL;
11727 	u64 cookie;
11728 	struct sk_buff *msg = NULL;
11729 	struct cfg80211_mgmt_tx_params params = {
11730 		.dont_wait_for_ack =
11731 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11732 	};
11733 
11734 	if (!info->attrs[NL80211_ATTR_FRAME])
11735 		return -EINVAL;
11736 
11737 	if (!rdev->ops->mgmt_tx)
11738 		return -EOPNOTSUPP;
11739 
11740 	switch (wdev->iftype) {
11741 	case NL80211_IFTYPE_P2P_DEVICE:
11742 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11743 			return -EINVAL;
11744 		break;
11745 	case NL80211_IFTYPE_STATION:
11746 	case NL80211_IFTYPE_ADHOC:
11747 	case NL80211_IFTYPE_P2P_CLIENT:
11748 	case NL80211_IFTYPE_AP:
11749 	case NL80211_IFTYPE_AP_VLAN:
11750 	case NL80211_IFTYPE_MESH_POINT:
11751 	case NL80211_IFTYPE_P2P_GO:
11752 		break;
11753 	case NL80211_IFTYPE_NAN:
11754 	default:
11755 		return -EOPNOTSUPP;
11756 	}
11757 
11758 	if (info->attrs[NL80211_ATTR_DURATION]) {
11759 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11760 			return -EINVAL;
11761 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11762 
11763 		/*
11764 		 * We should wait on the channel for at least a minimum amount
11765 		 * of time (10ms) but no longer than the driver supports.
11766 		 */
11767 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11768 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11769 			return -EINVAL;
11770 	}
11771 
11772 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11773 
11774 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11775 		return -EINVAL;
11776 
11777 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11778 
11779 	/* get the channel if any has been specified, otherwise pass NULL to
11780 	 * the driver. The latter will use the current one
11781 	 */
11782 	chandef.chan = NULL;
11783 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11784 		err = nl80211_parse_chandef(rdev, info, &chandef);
11785 		if (err)
11786 			return err;
11787 	}
11788 
11789 	if (!chandef.chan && params.offchan)
11790 		return -EINVAL;
11791 
11792 	wdev_lock(wdev);
11793 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11794 		wdev_unlock(wdev);
11795 		return -EBUSY;
11796 	}
11797 	wdev_unlock(wdev);
11798 
11799 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11800 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11801 
11802 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11803 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11804 		int i;
11805 
11806 		if (len % sizeof(u16))
11807 			return -EINVAL;
11808 
11809 		params.n_csa_offsets = len / sizeof(u16);
11810 		params.csa_offsets =
11811 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11812 
11813 		/* check that all the offsets fit the frame */
11814 		for (i = 0; i < params.n_csa_offsets; i++) {
11815 			if (params.csa_offsets[i] >= params.len)
11816 				return -EINVAL;
11817 		}
11818 	}
11819 
11820 	if (!params.dont_wait_for_ack) {
11821 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11822 		if (!msg)
11823 			return -ENOMEM;
11824 
11825 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11826 				     NL80211_CMD_FRAME);
11827 		if (!hdr) {
11828 			err = -ENOBUFS;
11829 			goto free_msg;
11830 		}
11831 	}
11832 
11833 	params.chan = chandef.chan;
11834 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11835 	if (err)
11836 		goto free_msg;
11837 
11838 	if (msg) {
11839 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11840 				      NL80211_ATTR_PAD))
11841 			goto nla_put_failure;
11842 
11843 		genlmsg_end(msg, hdr);
11844 		return genlmsg_reply(msg, info);
11845 	}
11846 
11847 	return 0;
11848 
11849  nla_put_failure:
11850 	err = -ENOBUFS;
11851  free_msg:
11852 	nlmsg_free(msg);
11853 	return err;
11854 }
11855 
11856 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11857 {
11858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11859 	struct wireless_dev *wdev = info->user_ptr[1];
11860 	u64 cookie;
11861 
11862 	if (!info->attrs[NL80211_ATTR_COOKIE])
11863 		return -EINVAL;
11864 
11865 	if (!rdev->ops->mgmt_tx_cancel_wait)
11866 		return -EOPNOTSUPP;
11867 
11868 	switch (wdev->iftype) {
11869 	case NL80211_IFTYPE_STATION:
11870 	case NL80211_IFTYPE_ADHOC:
11871 	case NL80211_IFTYPE_P2P_CLIENT:
11872 	case NL80211_IFTYPE_AP:
11873 	case NL80211_IFTYPE_AP_VLAN:
11874 	case NL80211_IFTYPE_P2P_GO:
11875 	case NL80211_IFTYPE_P2P_DEVICE:
11876 		break;
11877 	case NL80211_IFTYPE_NAN:
11878 	default:
11879 		return -EOPNOTSUPP;
11880 	}
11881 
11882 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11883 
11884 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11885 }
11886 
11887 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11888 {
11889 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11890 	struct wireless_dev *wdev;
11891 	struct net_device *dev = info->user_ptr[1];
11892 	u8 ps_state;
11893 	bool state;
11894 	int err;
11895 
11896 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11897 		return -EINVAL;
11898 
11899 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11900 
11901 	wdev = dev->ieee80211_ptr;
11902 
11903 	if (!rdev->ops->set_power_mgmt)
11904 		return -EOPNOTSUPP;
11905 
11906 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11907 
11908 	if (state == wdev->ps)
11909 		return 0;
11910 
11911 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11912 	if (!err)
11913 		wdev->ps = state;
11914 	return err;
11915 }
11916 
11917 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11918 {
11919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11920 	enum nl80211_ps_state ps_state;
11921 	struct wireless_dev *wdev;
11922 	struct net_device *dev = info->user_ptr[1];
11923 	struct sk_buff *msg;
11924 	void *hdr;
11925 	int err;
11926 
11927 	wdev = dev->ieee80211_ptr;
11928 
11929 	if (!rdev->ops->set_power_mgmt)
11930 		return -EOPNOTSUPP;
11931 
11932 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11933 	if (!msg)
11934 		return -ENOMEM;
11935 
11936 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11937 			     NL80211_CMD_GET_POWER_SAVE);
11938 	if (!hdr) {
11939 		err = -ENOBUFS;
11940 		goto free_msg;
11941 	}
11942 
11943 	if (wdev->ps)
11944 		ps_state = NL80211_PS_ENABLED;
11945 	else
11946 		ps_state = NL80211_PS_DISABLED;
11947 
11948 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11949 		goto nla_put_failure;
11950 
11951 	genlmsg_end(msg, hdr);
11952 	return genlmsg_reply(msg, info);
11953 
11954  nla_put_failure:
11955 	err = -ENOBUFS;
11956  free_msg:
11957 	nlmsg_free(msg);
11958 	return err;
11959 }
11960 
11961 static const struct nla_policy
11962 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11963 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11964 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11965 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11966 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11967 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11968 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11969 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11970 };
11971 
11972 static int nl80211_set_cqm_txe(struct genl_info *info,
11973 			       u32 rate, u32 pkts, u32 intvl)
11974 {
11975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11976 	struct net_device *dev = info->user_ptr[1];
11977 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11978 
11979 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11980 		return -EINVAL;
11981 
11982 	if (!rdev->ops->set_cqm_txe_config)
11983 		return -EOPNOTSUPP;
11984 
11985 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11986 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11987 		return -EOPNOTSUPP;
11988 
11989 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11990 }
11991 
11992 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11993 				    struct net_device *dev)
11994 {
11995 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11996 	s32 last, low, high;
11997 	u32 hyst;
11998 	int i, n, low_index;
11999 	int err;
12000 
12001 	/* RSSI reporting disabled? */
12002 	if (!wdev->cqm_config)
12003 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12004 
12005 	/*
12006 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12007 	 * event has been received yet, we should receive an event after a
12008 	 * connection is established and enough beacons received to calculate
12009 	 * the average.
12010 	 */
12011 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
12012 	    rdev->ops->get_station) {
12013 		struct station_info sinfo = {};
12014 		u8 *mac_addr;
12015 
12016 		mac_addr = wdev->current_bss->pub.bssid;
12017 
12018 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12019 		if (err)
12020 			return err;
12021 
12022 		cfg80211_sinfo_release_content(&sinfo);
12023 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12024 			wdev->cqm_config->last_rssi_event_value =
12025 				(s8) sinfo.rx_beacon_signal_avg;
12026 	}
12027 
12028 	last = wdev->cqm_config->last_rssi_event_value;
12029 	hyst = wdev->cqm_config->rssi_hyst;
12030 	n = wdev->cqm_config->n_rssi_thresholds;
12031 
12032 	for (i = 0; i < n; i++) {
12033 		i = array_index_nospec(i, n);
12034 		if (last < wdev->cqm_config->rssi_thresholds[i])
12035 			break;
12036 	}
12037 
12038 	low_index = i - 1;
12039 	if (low_index >= 0) {
12040 		low_index = array_index_nospec(low_index, n);
12041 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12042 	} else {
12043 		low = S32_MIN;
12044 	}
12045 	if (i < n) {
12046 		i = array_index_nospec(i, n);
12047 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12048 	} else {
12049 		high = S32_MAX;
12050 	}
12051 
12052 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12053 }
12054 
12055 static int nl80211_set_cqm_rssi(struct genl_info *info,
12056 				const s32 *thresholds, int n_thresholds,
12057 				u32 hysteresis)
12058 {
12059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12060 	struct net_device *dev = info->user_ptr[1];
12061 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12062 	int i, err;
12063 	s32 prev = S32_MIN;
12064 
12065 	/* Check all values negative and sorted */
12066 	for (i = 0; i < n_thresholds; i++) {
12067 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12068 			return -EINVAL;
12069 
12070 		prev = thresholds[i];
12071 	}
12072 
12073 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12074 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12075 		return -EOPNOTSUPP;
12076 
12077 	wdev_lock(wdev);
12078 	cfg80211_cqm_config_free(wdev);
12079 	wdev_unlock(wdev);
12080 
12081 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12082 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12083 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12084 
12085 		return rdev_set_cqm_rssi_config(rdev, dev,
12086 						thresholds[0], hysteresis);
12087 	}
12088 
12089 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12090 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12091 		return -EOPNOTSUPP;
12092 
12093 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12094 		n_thresholds = 0;
12095 
12096 	wdev_lock(wdev);
12097 	if (n_thresholds) {
12098 		struct cfg80211_cqm_config *cqm_config;
12099 
12100 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12101 						 n_thresholds),
12102 				     GFP_KERNEL);
12103 		if (!cqm_config) {
12104 			err = -ENOMEM;
12105 			goto unlock;
12106 		}
12107 
12108 		cqm_config->rssi_hyst = hysteresis;
12109 		cqm_config->n_rssi_thresholds = n_thresholds;
12110 		memcpy(cqm_config->rssi_thresholds, thresholds,
12111 		       flex_array_size(cqm_config, rssi_thresholds,
12112 				       n_thresholds));
12113 
12114 		wdev->cqm_config = cqm_config;
12115 	}
12116 
12117 	err = cfg80211_cqm_rssi_update(rdev, dev);
12118 
12119 unlock:
12120 	wdev_unlock(wdev);
12121 
12122 	return err;
12123 }
12124 
12125 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12126 {
12127 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12128 	struct nlattr *cqm;
12129 	int err;
12130 
12131 	cqm = info->attrs[NL80211_ATTR_CQM];
12132 	if (!cqm)
12133 		return -EINVAL;
12134 
12135 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12136 					  nl80211_attr_cqm_policy,
12137 					  info->extack);
12138 	if (err)
12139 		return err;
12140 
12141 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12142 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12143 		const s32 *thresholds =
12144 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12145 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12146 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12147 
12148 		if (len % 4)
12149 			return -EINVAL;
12150 
12151 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12152 					    hysteresis);
12153 	}
12154 
12155 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12156 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12157 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12158 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12159 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12160 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12161 
12162 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12163 	}
12164 
12165 	return -EINVAL;
12166 }
12167 
12168 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12169 {
12170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12171 	struct net_device *dev = info->user_ptr[1];
12172 	struct ocb_setup setup = {};
12173 	int err;
12174 
12175 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12176 	if (err)
12177 		return err;
12178 
12179 	return cfg80211_join_ocb(rdev, dev, &setup);
12180 }
12181 
12182 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12183 {
12184 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12185 	struct net_device *dev = info->user_ptr[1];
12186 
12187 	return cfg80211_leave_ocb(rdev, dev);
12188 }
12189 
12190 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12191 {
12192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12193 	struct net_device *dev = info->user_ptr[1];
12194 	struct mesh_config cfg;
12195 	struct mesh_setup setup;
12196 	int err;
12197 
12198 	/* start with default */
12199 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12200 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12201 
12202 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12203 		/* and parse parameters if given */
12204 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12205 		if (err)
12206 			return err;
12207 	}
12208 
12209 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12210 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12211 		return -EINVAL;
12212 
12213 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12214 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12215 
12216 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12217 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12218 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12219 			return -EINVAL;
12220 
12221 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12222 		setup.beacon_interval =
12223 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12224 
12225 		err = cfg80211_validate_beacon_int(rdev,
12226 						   NL80211_IFTYPE_MESH_POINT,
12227 						   setup.beacon_interval);
12228 		if (err)
12229 			return err;
12230 	}
12231 
12232 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12233 		setup.dtim_period =
12234 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12235 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12236 			return -EINVAL;
12237 	}
12238 
12239 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12240 		/* parse additional setup parameters if given */
12241 		err = nl80211_parse_mesh_setup(info, &setup);
12242 		if (err)
12243 			return err;
12244 	}
12245 
12246 	if (setup.user_mpm)
12247 		cfg.auto_open_plinks = false;
12248 
12249 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12250 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12251 		if (err)
12252 			return err;
12253 	} else {
12254 		/* __cfg80211_join_mesh() will sort it out */
12255 		setup.chandef.chan = NULL;
12256 	}
12257 
12258 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12259 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12260 		int n_rates =
12261 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12262 		struct ieee80211_supported_band *sband;
12263 
12264 		if (!setup.chandef.chan)
12265 			return -EINVAL;
12266 
12267 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12268 
12269 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12270 					     &setup.basic_rates);
12271 		if (err)
12272 			return err;
12273 	}
12274 
12275 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12276 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12277 						    NL80211_ATTR_TX_RATES,
12278 						    &setup.beacon_rate,
12279 						    dev, false);
12280 		if (err)
12281 			return err;
12282 
12283 		if (!setup.chandef.chan)
12284 			return -EINVAL;
12285 
12286 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12287 					      &setup.beacon_rate);
12288 		if (err)
12289 			return err;
12290 	}
12291 
12292 	setup.userspace_handles_dfs =
12293 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12294 
12295 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12296 		int r = validate_pae_over_nl80211(rdev, info);
12297 
12298 		if (r < 0)
12299 			return r;
12300 
12301 		setup.control_port_over_nl80211 = true;
12302 	}
12303 
12304 	wdev_lock(dev->ieee80211_ptr);
12305 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12306 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12307 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12308 	wdev_unlock(dev->ieee80211_ptr);
12309 
12310 	return err;
12311 }
12312 
12313 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12314 {
12315 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12316 	struct net_device *dev = info->user_ptr[1];
12317 
12318 	return cfg80211_leave_mesh(rdev, dev);
12319 }
12320 
12321 #ifdef CONFIG_PM
12322 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12323 					struct cfg80211_registered_device *rdev)
12324 {
12325 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12326 	struct nlattr *nl_pats, *nl_pat;
12327 	int i, pat_len;
12328 
12329 	if (!wowlan->n_patterns)
12330 		return 0;
12331 
12332 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12333 	if (!nl_pats)
12334 		return -ENOBUFS;
12335 
12336 	for (i = 0; i < wowlan->n_patterns; i++) {
12337 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12338 		if (!nl_pat)
12339 			return -ENOBUFS;
12340 		pat_len = wowlan->patterns[i].pattern_len;
12341 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12342 			    wowlan->patterns[i].mask) ||
12343 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12344 			    wowlan->patterns[i].pattern) ||
12345 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12346 				wowlan->patterns[i].pkt_offset))
12347 			return -ENOBUFS;
12348 		nla_nest_end(msg, nl_pat);
12349 	}
12350 	nla_nest_end(msg, nl_pats);
12351 
12352 	return 0;
12353 }
12354 
12355 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12356 				   struct cfg80211_wowlan_tcp *tcp)
12357 {
12358 	struct nlattr *nl_tcp;
12359 
12360 	if (!tcp)
12361 		return 0;
12362 
12363 	nl_tcp = nla_nest_start_noflag(msg,
12364 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12365 	if (!nl_tcp)
12366 		return -ENOBUFS;
12367 
12368 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12369 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12370 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12371 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12372 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12373 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12374 		    tcp->payload_len, tcp->payload) ||
12375 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12376 			tcp->data_interval) ||
12377 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12378 		    tcp->wake_len, tcp->wake_data) ||
12379 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12380 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12381 		return -ENOBUFS;
12382 
12383 	if (tcp->payload_seq.len &&
12384 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12385 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12386 		return -ENOBUFS;
12387 
12388 	if (tcp->payload_tok.len &&
12389 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12390 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12391 		    &tcp->payload_tok))
12392 		return -ENOBUFS;
12393 
12394 	nla_nest_end(msg, nl_tcp);
12395 
12396 	return 0;
12397 }
12398 
12399 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12400 				  struct cfg80211_sched_scan_request *req)
12401 {
12402 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12403 	int i;
12404 
12405 	if (!req)
12406 		return 0;
12407 
12408 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12409 	if (!nd)
12410 		return -ENOBUFS;
12411 
12412 	if (req->n_scan_plans == 1 &&
12413 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12414 			req->scan_plans[0].interval * 1000))
12415 		return -ENOBUFS;
12416 
12417 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12418 		return -ENOBUFS;
12419 
12420 	if (req->relative_rssi_set) {
12421 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12422 
12423 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12424 			       req->relative_rssi))
12425 			return -ENOBUFS;
12426 
12427 		rssi_adjust.band = req->rssi_adjust.band;
12428 		rssi_adjust.delta = req->rssi_adjust.delta;
12429 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12430 			    sizeof(rssi_adjust), &rssi_adjust))
12431 			return -ENOBUFS;
12432 	}
12433 
12434 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12435 	if (!freqs)
12436 		return -ENOBUFS;
12437 
12438 	for (i = 0; i < req->n_channels; i++) {
12439 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12440 			return -ENOBUFS;
12441 	}
12442 
12443 	nla_nest_end(msg, freqs);
12444 
12445 	if (req->n_match_sets) {
12446 		matches = nla_nest_start_noflag(msg,
12447 						NL80211_ATTR_SCHED_SCAN_MATCH);
12448 		if (!matches)
12449 			return -ENOBUFS;
12450 
12451 		for (i = 0; i < req->n_match_sets; i++) {
12452 			match = nla_nest_start_noflag(msg, i);
12453 			if (!match)
12454 				return -ENOBUFS;
12455 
12456 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12457 				    req->match_sets[i].ssid.ssid_len,
12458 				    req->match_sets[i].ssid.ssid))
12459 				return -ENOBUFS;
12460 			nla_nest_end(msg, match);
12461 		}
12462 		nla_nest_end(msg, matches);
12463 	}
12464 
12465 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12466 	if (!scan_plans)
12467 		return -ENOBUFS;
12468 
12469 	for (i = 0; i < req->n_scan_plans; i++) {
12470 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12471 		if (!scan_plan)
12472 			return -ENOBUFS;
12473 
12474 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12475 				req->scan_plans[i].interval) ||
12476 		    (req->scan_plans[i].iterations &&
12477 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12478 				 req->scan_plans[i].iterations)))
12479 			return -ENOBUFS;
12480 		nla_nest_end(msg, scan_plan);
12481 	}
12482 	nla_nest_end(msg, scan_plans);
12483 
12484 	nla_nest_end(msg, nd);
12485 
12486 	return 0;
12487 }
12488 
12489 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12490 {
12491 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12492 	struct sk_buff *msg;
12493 	void *hdr;
12494 	u32 size = NLMSG_DEFAULT_SIZE;
12495 
12496 	if (!rdev->wiphy.wowlan)
12497 		return -EOPNOTSUPP;
12498 
12499 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12500 		/* adjust size to have room for all the data */
12501 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12502 			rdev->wiphy.wowlan_config->tcp->payload_len +
12503 			rdev->wiphy.wowlan_config->tcp->wake_len +
12504 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12505 	}
12506 
12507 	msg = nlmsg_new(size, GFP_KERNEL);
12508 	if (!msg)
12509 		return -ENOMEM;
12510 
12511 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12512 			     NL80211_CMD_GET_WOWLAN);
12513 	if (!hdr)
12514 		goto nla_put_failure;
12515 
12516 	if (rdev->wiphy.wowlan_config) {
12517 		struct nlattr *nl_wowlan;
12518 
12519 		nl_wowlan = nla_nest_start_noflag(msg,
12520 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12521 		if (!nl_wowlan)
12522 			goto nla_put_failure;
12523 
12524 		if ((rdev->wiphy.wowlan_config->any &&
12525 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12526 		    (rdev->wiphy.wowlan_config->disconnect &&
12527 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12528 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12529 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12530 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12531 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12532 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12533 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12534 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12535 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12536 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12537 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12538 			goto nla_put_failure;
12539 
12540 		if (nl80211_send_wowlan_patterns(msg, rdev))
12541 			goto nla_put_failure;
12542 
12543 		if (nl80211_send_wowlan_tcp(msg,
12544 					    rdev->wiphy.wowlan_config->tcp))
12545 			goto nla_put_failure;
12546 
12547 		if (nl80211_send_wowlan_nd(
12548 			    msg,
12549 			    rdev->wiphy.wowlan_config->nd_config))
12550 			goto nla_put_failure;
12551 
12552 		nla_nest_end(msg, nl_wowlan);
12553 	}
12554 
12555 	genlmsg_end(msg, hdr);
12556 	return genlmsg_reply(msg, info);
12557 
12558 nla_put_failure:
12559 	nlmsg_free(msg);
12560 	return -ENOBUFS;
12561 }
12562 
12563 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12564 				    struct nlattr *attr,
12565 				    struct cfg80211_wowlan *trig)
12566 {
12567 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12568 	struct cfg80211_wowlan_tcp *cfg;
12569 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12570 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12571 	u32 size;
12572 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12573 	int err, port;
12574 
12575 	if (!rdev->wiphy.wowlan->tcp)
12576 		return -EINVAL;
12577 
12578 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12579 					  nl80211_wowlan_tcp_policy, NULL);
12580 	if (err)
12581 		return err;
12582 
12583 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12584 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12585 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12586 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12587 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12588 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12589 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12590 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12591 		return -EINVAL;
12592 
12593 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12594 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12595 		return -EINVAL;
12596 
12597 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12598 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12599 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12600 		return -EINVAL;
12601 
12602 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12603 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12604 		return -EINVAL;
12605 
12606 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12607 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12608 		return -EINVAL;
12609 
12610 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12611 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12612 
12613 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12614 		tokens_size = tokln - sizeof(*tok);
12615 
12616 		if (!tok->len || tokens_size % tok->len)
12617 			return -EINVAL;
12618 		if (!rdev->wiphy.wowlan->tcp->tok)
12619 			return -EINVAL;
12620 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12621 			return -EINVAL;
12622 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12623 			return -EINVAL;
12624 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12625 			return -EINVAL;
12626 		if (tok->offset + tok->len > data_size)
12627 			return -EINVAL;
12628 	}
12629 
12630 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12631 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12632 		if (!rdev->wiphy.wowlan->tcp->seq)
12633 			return -EINVAL;
12634 		if (seq->len == 0 || seq->len > 4)
12635 			return -EINVAL;
12636 		if (seq->len + seq->offset > data_size)
12637 			return -EINVAL;
12638 	}
12639 
12640 	size = sizeof(*cfg);
12641 	size += data_size;
12642 	size += wake_size + wake_mask_size;
12643 	size += tokens_size;
12644 
12645 	cfg = kzalloc(size, GFP_KERNEL);
12646 	if (!cfg)
12647 		return -ENOMEM;
12648 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12649 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12650 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12651 	       ETH_ALEN);
12652 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12653 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12654 	else
12655 		port = 0;
12656 #ifdef CONFIG_INET
12657 	/* allocate a socket and port for it and use it */
12658 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12659 			    IPPROTO_TCP, &cfg->sock, 1);
12660 	if (err) {
12661 		kfree(cfg);
12662 		return err;
12663 	}
12664 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12665 		sock_release(cfg->sock);
12666 		kfree(cfg);
12667 		return -EADDRINUSE;
12668 	}
12669 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12670 #else
12671 	if (!port) {
12672 		kfree(cfg);
12673 		return -EINVAL;
12674 	}
12675 	cfg->src_port = port;
12676 #endif
12677 
12678 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12679 	cfg->payload_len = data_size;
12680 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12681 	memcpy((void *)cfg->payload,
12682 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12683 	       data_size);
12684 	if (seq)
12685 		cfg->payload_seq = *seq;
12686 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12687 	cfg->wake_len = wake_size;
12688 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12689 	memcpy((void *)cfg->wake_data,
12690 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12691 	       wake_size);
12692 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12693 			 data_size + wake_size;
12694 	memcpy((void *)cfg->wake_mask,
12695 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12696 	       wake_mask_size);
12697 	if (tok) {
12698 		cfg->tokens_size = tokens_size;
12699 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12700 	}
12701 
12702 	trig->tcp = cfg;
12703 
12704 	return 0;
12705 }
12706 
12707 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12708 				   const struct wiphy_wowlan_support *wowlan,
12709 				   struct nlattr *attr,
12710 				   struct cfg80211_wowlan *trig)
12711 {
12712 	struct nlattr **tb;
12713 	int err;
12714 
12715 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12716 	if (!tb)
12717 		return -ENOMEM;
12718 
12719 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12720 		err = -EOPNOTSUPP;
12721 		goto out;
12722 	}
12723 
12724 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12725 					  nl80211_policy, NULL);
12726 	if (err)
12727 		goto out;
12728 
12729 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12730 						   wowlan->max_nd_match_sets);
12731 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12732 	if (err)
12733 		trig->nd_config = NULL;
12734 
12735 out:
12736 	kfree(tb);
12737 	return err;
12738 }
12739 
12740 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12741 {
12742 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12743 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12744 	struct cfg80211_wowlan new_triggers = {};
12745 	struct cfg80211_wowlan *ntrig;
12746 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12747 	int err, i;
12748 	bool prev_enabled = rdev->wiphy.wowlan_config;
12749 	bool regular = false;
12750 
12751 	if (!wowlan)
12752 		return -EOPNOTSUPP;
12753 
12754 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12755 		cfg80211_rdev_free_wowlan(rdev);
12756 		rdev->wiphy.wowlan_config = NULL;
12757 		goto set_wakeup;
12758 	}
12759 
12760 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12761 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12762 					  nl80211_wowlan_policy, info->extack);
12763 	if (err)
12764 		return err;
12765 
12766 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12767 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12768 			return -EINVAL;
12769 		new_triggers.any = true;
12770 	}
12771 
12772 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12773 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12774 			return -EINVAL;
12775 		new_triggers.disconnect = true;
12776 		regular = true;
12777 	}
12778 
12779 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12780 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12781 			return -EINVAL;
12782 		new_triggers.magic_pkt = true;
12783 		regular = true;
12784 	}
12785 
12786 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12787 		return -EINVAL;
12788 
12789 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12790 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12791 			return -EINVAL;
12792 		new_triggers.gtk_rekey_failure = true;
12793 		regular = true;
12794 	}
12795 
12796 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12797 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12798 			return -EINVAL;
12799 		new_triggers.eap_identity_req = true;
12800 		regular = true;
12801 	}
12802 
12803 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12804 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12805 			return -EINVAL;
12806 		new_triggers.four_way_handshake = true;
12807 		regular = true;
12808 	}
12809 
12810 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12811 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12812 			return -EINVAL;
12813 		new_triggers.rfkill_release = true;
12814 		regular = true;
12815 	}
12816 
12817 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12818 		struct nlattr *pat;
12819 		int n_patterns = 0;
12820 		int rem, pat_len, mask_len, pkt_offset;
12821 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12822 
12823 		regular = true;
12824 
12825 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12826 				    rem)
12827 			n_patterns++;
12828 		if (n_patterns > wowlan->n_patterns)
12829 			return -EINVAL;
12830 
12831 		new_triggers.patterns = kcalloc(n_patterns,
12832 						sizeof(new_triggers.patterns[0]),
12833 						GFP_KERNEL);
12834 		if (!new_triggers.patterns)
12835 			return -ENOMEM;
12836 
12837 		new_triggers.n_patterns = n_patterns;
12838 		i = 0;
12839 
12840 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12841 				    rem) {
12842 			u8 *mask_pat;
12843 
12844 			err = nla_parse_nested_deprecated(pat_tb,
12845 							  MAX_NL80211_PKTPAT,
12846 							  pat,
12847 							  nl80211_packet_pattern_policy,
12848 							  info->extack);
12849 			if (err)
12850 				goto error;
12851 
12852 			err = -EINVAL;
12853 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12854 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12855 				goto error;
12856 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12857 			mask_len = DIV_ROUND_UP(pat_len, 8);
12858 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12859 				goto error;
12860 			if (pat_len > wowlan->pattern_max_len ||
12861 			    pat_len < wowlan->pattern_min_len)
12862 				goto error;
12863 
12864 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12865 				pkt_offset = 0;
12866 			else
12867 				pkt_offset = nla_get_u32(
12868 					pat_tb[NL80211_PKTPAT_OFFSET]);
12869 			if (pkt_offset > wowlan->max_pkt_offset)
12870 				goto error;
12871 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12872 
12873 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12874 			if (!mask_pat) {
12875 				err = -ENOMEM;
12876 				goto error;
12877 			}
12878 			new_triggers.patterns[i].mask = mask_pat;
12879 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12880 			       mask_len);
12881 			mask_pat += mask_len;
12882 			new_triggers.patterns[i].pattern = mask_pat;
12883 			new_triggers.patterns[i].pattern_len = pat_len;
12884 			memcpy(mask_pat,
12885 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12886 			       pat_len);
12887 			i++;
12888 		}
12889 	}
12890 
12891 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12892 		regular = true;
12893 		err = nl80211_parse_wowlan_tcp(
12894 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12895 			&new_triggers);
12896 		if (err)
12897 			goto error;
12898 	}
12899 
12900 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12901 		regular = true;
12902 		err = nl80211_parse_wowlan_nd(
12903 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12904 			&new_triggers);
12905 		if (err)
12906 			goto error;
12907 	}
12908 
12909 	/* The 'any' trigger means the device continues operating more or less
12910 	 * as in its normal operation mode and wakes up the host on most of the
12911 	 * normal interrupts (like packet RX, ...)
12912 	 * It therefore makes little sense to combine with the more constrained
12913 	 * wakeup trigger modes.
12914 	 */
12915 	if (new_triggers.any && regular) {
12916 		err = -EINVAL;
12917 		goto error;
12918 	}
12919 
12920 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12921 	if (!ntrig) {
12922 		err = -ENOMEM;
12923 		goto error;
12924 	}
12925 	cfg80211_rdev_free_wowlan(rdev);
12926 	rdev->wiphy.wowlan_config = ntrig;
12927 
12928  set_wakeup:
12929 	if (rdev->ops->set_wakeup &&
12930 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12931 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12932 
12933 	return 0;
12934  error:
12935 	for (i = 0; i < new_triggers.n_patterns; i++)
12936 		kfree(new_triggers.patterns[i].mask);
12937 	kfree(new_triggers.patterns);
12938 	if (new_triggers.tcp && new_triggers.tcp->sock)
12939 		sock_release(new_triggers.tcp->sock);
12940 	kfree(new_triggers.tcp);
12941 	kfree(new_triggers.nd_config);
12942 	return err;
12943 }
12944 #endif
12945 
12946 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12947 				       struct cfg80211_registered_device *rdev)
12948 {
12949 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12950 	int i, j, pat_len;
12951 	struct cfg80211_coalesce_rules *rule;
12952 
12953 	if (!rdev->coalesce->n_rules)
12954 		return 0;
12955 
12956 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12957 	if (!nl_rules)
12958 		return -ENOBUFS;
12959 
12960 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12961 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12962 		if (!nl_rule)
12963 			return -ENOBUFS;
12964 
12965 		rule = &rdev->coalesce->rules[i];
12966 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12967 				rule->delay))
12968 			return -ENOBUFS;
12969 
12970 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12971 				rule->condition))
12972 			return -ENOBUFS;
12973 
12974 		nl_pats = nla_nest_start_noflag(msg,
12975 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12976 		if (!nl_pats)
12977 			return -ENOBUFS;
12978 
12979 		for (j = 0; j < rule->n_patterns; j++) {
12980 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12981 			if (!nl_pat)
12982 				return -ENOBUFS;
12983 			pat_len = rule->patterns[j].pattern_len;
12984 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12985 				    DIV_ROUND_UP(pat_len, 8),
12986 				    rule->patterns[j].mask) ||
12987 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12988 				    rule->patterns[j].pattern) ||
12989 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12990 					rule->patterns[j].pkt_offset))
12991 				return -ENOBUFS;
12992 			nla_nest_end(msg, nl_pat);
12993 		}
12994 		nla_nest_end(msg, nl_pats);
12995 		nla_nest_end(msg, nl_rule);
12996 	}
12997 	nla_nest_end(msg, nl_rules);
12998 
12999 	return 0;
13000 }
13001 
13002 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13003 {
13004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13005 	struct sk_buff *msg;
13006 	void *hdr;
13007 
13008 	if (!rdev->wiphy.coalesce)
13009 		return -EOPNOTSUPP;
13010 
13011 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13012 	if (!msg)
13013 		return -ENOMEM;
13014 
13015 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13016 			     NL80211_CMD_GET_COALESCE);
13017 	if (!hdr)
13018 		goto nla_put_failure;
13019 
13020 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13021 		goto nla_put_failure;
13022 
13023 	genlmsg_end(msg, hdr);
13024 	return genlmsg_reply(msg, info);
13025 
13026 nla_put_failure:
13027 	nlmsg_free(msg);
13028 	return -ENOBUFS;
13029 }
13030 
13031 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13032 {
13033 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13034 	int i, j;
13035 	struct cfg80211_coalesce_rules *rule;
13036 
13037 	if (!coalesce)
13038 		return;
13039 
13040 	for (i = 0; i < coalesce->n_rules; i++) {
13041 		rule = &coalesce->rules[i];
13042 		for (j = 0; j < rule->n_patterns; j++)
13043 			kfree(rule->patterns[j].mask);
13044 		kfree(rule->patterns);
13045 	}
13046 	kfree(coalesce->rules);
13047 	kfree(coalesce);
13048 	rdev->coalesce = NULL;
13049 }
13050 
13051 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13052 				       struct nlattr *rule,
13053 				       struct cfg80211_coalesce_rules *new_rule)
13054 {
13055 	int err, i;
13056 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13057 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13058 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13059 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13060 
13061 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13062 					  rule, nl80211_coalesce_policy, NULL);
13063 	if (err)
13064 		return err;
13065 
13066 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13067 		new_rule->delay =
13068 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13069 	if (new_rule->delay > coalesce->max_delay)
13070 		return -EINVAL;
13071 
13072 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13073 		new_rule->condition =
13074 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13075 
13076 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13077 		return -EINVAL;
13078 
13079 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13080 			    rem)
13081 		n_patterns++;
13082 	if (n_patterns > coalesce->n_patterns)
13083 		return -EINVAL;
13084 
13085 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13086 				     GFP_KERNEL);
13087 	if (!new_rule->patterns)
13088 		return -ENOMEM;
13089 
13090 	new_rule->n_patterns = n_patterns;
13091 	i = 0;
13092 
13093 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13094 			    rem) {
13095 		u8 *mask_pat;
13096 
13097 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13098 						  pat,
13099 						  nl80211_packet_pattern_policy,
13100 						  NULL);
13101 		if (err)
13102 			return err;
13103 
13104 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13105 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13106 			return -EINVAL;
13107 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13108 		mask_len = DIV_ROUND_UP(pat_len, 8);
13109 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13110 			return -EINVAL;
13111 		if (pat_len > coalesce->pattern_max_len ||
13112 		    pat_len < coalesce->pattern_min_len)
13113 			return -EINVAL;
13114 
13115 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13116 			pkt_offset = 0;
13117 		else
13118 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13119 		if (pkt_offset > coalesce->max_pkt_offset)
13120 			return -EINVAL;
13121 		new_rule->patterns[i].pkt_offset = pkt_offset;
13122 
13123 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13124 		if (!mask_pat)
13125 			return -ENOMEM;
13126 
13127 		new_rule->patterns[i].mask = mask_pat;
13128 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13129 		       mask_len);
13130 
13131 		mask_pat += mask_len;
13132 		new_rule->patterns[i].pattern = mask_pat;
13133 		new_rule->patterns[i].pattern_len = pat_len;
13134 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13135 		       pat_len);
13136 		i++;
13137 	}
13138 
13139 	return 0;
13140 }
13141 
13142 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13143 {
13144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13145 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13146 	struct cfg80211_coalesce new_coalesce = {};
13147 	struct cfg80211_coalesce *n_coalesce;
13148 	int err, rem_rule, n_rules = 0, i, j;
13149 	struct nlattr *rule;
13150 	struct cfg80211_coalesce_rules *tmp_rule;
13151 
13152 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13153 		return -EOPNOTSUPP;
13154 
13155 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13156 		cfg80211_rdev_free_coalesce(rdev);
13157 		rdev_set_coalesce(rdev, NULL);
13158 		return 0;
13159 	}
13160 
13161 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13162 			    rem_rule)
13163 		n_rules++;
13164 	if (n_rules > coalesce->n_rules)
13165 		return -EINVAL;
13166 
13167 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13168 				     GFP_KERNEL);
13169 	if (!new_coalesce.rules)
13170 		return -ENOMEM;
13171 
13172 	new_coalesce.n_rules = n_rules;
13173 	i = 0;
13174 
13175 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13176 			    rem_rule) {
13177 		err = nl80211_parse_coalesce_rule(rdev, rule,
13178 						  &new_coalesce.rules[i]);
13179 		if (err)
13180 			goto error;
13181 
13182 		i++;
13183 	}
13184 
13185 	err = rdev_set_coalesce(rdev, &new_coalesce);
13186 	if (err)
13187 		goto error;
13188 
13189 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13190 	if (!n_coalesce) {
13191 		err = -ENOMEM;
13192 		goto error;
13193 	}
13194 	cfg80211_rdev_free_coalesce(rdev);
13195 	rdev->coalesce = n_coalesce;
13196 
13197 	return 0;
13198 error:
13199 	for (i = 0; i < new_coalesce.n_rules; i++) {
13200 		tmp_rule = &new_coalesce.rules[i];
13201 		for (j = 0; j < tmp_rule->n_patterns; j++)
13202 			kfree(tmp_rule->patterns[j].mask);
13203 		kfree(tmp_rule->patterns);
13204 	}
13205 	kfree(new_coalesce.rules);
13206 
13207 	return err;
13208 }
13209 
13210 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13211 {
13212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13213 	struct net_device *dev = info->user_ptr[1];
13214 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13215 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13216 	struct cfg80211_gtk_rekey_data rekey_data = {};
13217 	int err;
13218 
13219 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13220 		return -EINVAL;
13221 
13222 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13223 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13224 					  nl80211_rekey_policy, info->extack);
13225 	if (err)
13226 		return err;
13227 
13228 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13229 	    !tb[NL80211_REKEY_DATA_KCK])
13230 		return -EINVAL;
13231 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13232 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13233 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13234 		return -ERANGE;
13235 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13236 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13237 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13238 		return -ERANGE;
13239 
13240 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13241 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13242 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13243 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13244 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13245 	if (tb[NL80211_REKEY_DATA_AKM])
13246 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13247 
13248 	wdev_lock(wdev);
13249 	if (!wdev->current_bss) {
13250 		err = -ENOTCONN;
13251 		goto out;
13252 	}
13253 
13254 	if (!rdev->ops->set_rekey_data) {
13255 		err = -EOPNOTSUPP;
13256 		goto out;
13257 	}
13258 
13259 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13260  out:
13261 	wdev_unlock(wdev);
13262 	return err;
13263 }
13264 
13265 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13266 					     struct genl_info *info)
13267 {
13268 	struct net_device *dev = info->user_ptr[1];
13269 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13270 
13271 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13272 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13273 		return -EINVAL;
13274 
13275 	if (wdev->ap_unexpected_nlportid)
13276 		return -EBUSY;
13277 
13278 	wdev->ap_unexpected_nlportid = info->snd_portid;
13279 	return 0;
13280 }
13281 
13282 static int nl80211_probe_client(struct sk_buff *skb,
13283 				struct genl_info *info)
13284 {
13285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13286 	struct net_device *dev = info->user_ptr[1];
13287 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13288 	struct sk_buff *msg;
13289 	void *hdr;
13290 	const u8 *addr;
13291 	u64 cookie;
13292 	int err;
13293 
13294 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13295 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13296 		return -EOPNOTSUPP;
13297 
13298 	if (!info->attrs[NL80211_ATTR_MAC])
13299 		return -EINVAL;
13300 
13301 	if (!rdev->ops->probe_client)
13302 		return -EOPNOTSUPP;
13303 
13304 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13305 	if (!msg)
13306 		return -ENOMEM;
13307 
13308 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13309 			     NL80211_CMD_PROBE_CLIENT);
13310 	if (!hdr) {
13311 		err = -ENOBUFS;
13312 		goto free_msg;
13313 	}
13314 
13315 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13316 
13317 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13318 	if (err)
13319 		goto free_msg;
13320 
13321 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13322 			      NL80211_ATTR_PAD))
13323 		goto nla_put_failure;
13324 
13325 	genlmsg_end(msg, hdr);
13326 
13327 	return genlmsg_reply(msg, info);
13328 
13329  nla_put_failure:
13330 	err = -ENOBUFS;
13331  free_msg:
13332 	nlmsg_free(msg);
13333 	return err;
13334 }
13335 
13336 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13337 {
13338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13339 	struct cfg80211_beacon_registration *reg, *nreg;
13340 	int rv;
13341 
13342 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13343 		return -EOPNOTSUPP;
13344 
13345 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13346 	if (!nreg)
13347 		return -ENOMEM;
13348 
13349 	/* First, check if already registered. */
13350 	spin_lock_bh(&rdev->beacon_registrations_lock);
13351 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13352 		if (reg->nlportid == info->snd_portid) {
13353 			rv = -EALREADY;
13354 			goto out_err;
13355 		}
13356 	}
13357 	/* Add it to the list */
13358 	nreg->nlportid = info->snd_portid;
13359 	list_add(&nreg->list, &rdev->beacon_registrations);
13360 
13361 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13362 
13363 	return 0;
13364 out_err:
13365 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13366 	kfree(nreg);
13367 	return rv;
13368 }
13369 
13370 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13371 {
13372 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13373 	struct wireless_dev *wdev = info->user_ptr[1];
13374 	int err;
13375 
13376 	if (!rdev->ops->start_p2p_device)
13377 		return -EOPNOTSUPP;
13378 
13379 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13380 		return -EOPNOTSUPP;
13381 
13382 	if (wdev_running(wdev))
13383 		return 0;
13384 
13385 	if (rfkill_blocked(rdev->wiphy.rfkill))
13386 		return -ERFKILL;
13387 
13388 	err = rdev_start_p2p_device(rdev, wdev);
13389 	if (err)
13390 		return err;
13391 
13392 	wdev->is_running = true;
13393 	rdev->opencount++;
13394 
13395 	return 0;
13396 }
13397 
13398 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13399 {
13400 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13401 	struct wireless_dev *wdev = info->user_ptr[1];
13402 
13403 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13404 		return -EOPNOTSUPP;
13405 
13406 	if (!rdev->ops->stop_p2p_device)
13407 		return -EOPNOTSUPP;
13408 
13409 	cfg80211_stop_p2p_device(rdev, wdev);
13410 
13411 	return 0;
13412 }
13413 
13414 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13415 {
13416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13417 	struct wireless_dev *wdev = info->user_ptr[1];
13418 	struct cfg80211_nan_conf conf = {};
13419 	int err;
13420 
13421 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13422 		return -EOPNOTSUPP;
13423 
13424 	if (wdev_running(wdev))
13425 		return -EEXIST;
13426 
13427 	if (rfkill_blocked(rdev->wiphy.rfkill))
13428 		return -ERFKILL;
13429 
13430 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13431 		return -EINVAL;
13432 
13433 	conf.master_pref =
13434 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13435 
13436 	if (info->attrs[NL80211_ATTR_BANDS]) {
13437 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13438 
13439 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13440 			return -EOPNOTSUPP;
13441 
13442 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13443 			return -EINVAL;
13444 
13445 		conf.bands = bands;
13446 	}
13447 
13448 	err = rdev_start_nan(rdev, wdev, &conf);
13449 	if (err)
13450 		return err;
13451 
13452 	wdev->is_running = true;
13453 	rdev->opencount++;
13454 
13455 	return 0;
13456 }
13457 
13458 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13459 {
13460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13461 	struct wireless_dev *wdev = info->user_ptr[1];
13462 
13463 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13464 		return -EOPNOTSUPP;
13465 
13466 	cfg80211_stop_nan(rdev, wdev);
13467 
13468 	return 0;
13469 }
13470 
13471 static int validate_nan_filter(struct nlattr *filter_attr)
13472 {
13473 	struct nlattr *attr;
13474 	int len = 0, n_entries = 0, rem;
13475 
13476 	nla_for_each_nested(attr, filter_attr, rem) {
13477 		len += nla_len(attr);
13478 		n_entries++;
13479 	}
13480 
13481 	if (len >= U8_MAX)
13482 		return -EINVAL;
13483 
13484 	return n_entries;
13485 }
13486 
13487 static int handle_nan_filter(struct nlattr *attr_filter,
13488 			     struct cfg80211_nan_func *func,
13489 			     bool tx)
13490 {
13491 	struct nlattr *attr;
13492 	int n_entries, rem, i;
13493 	struct cfg80211_nan_func_filter *filter;
13494 
13495 	n_entries = validate_nan_filter(attr_filter);
13496 	if (n_entries < 0)
13497 		return n_entries;
13498 
13499 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13500 
13501 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13502 	if (!filter)
13503 		return -ENOMEM;
13504 
13505 	i = 0;
13506 	nla_for_each_nested(attr, attr_filter, rem) {
13507 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13508 		if (!filter[i].filter)
13509 			goto err;
13510 
13511 		filter[i].len = nla_len(attr);
13512 		i++;
13513 	}
13514 	if (tx) {
13515 		func->num_tx_filters = n_entries;
13516 		func->tx_filters = filter;
13517 	} else {
13518 		func->num_rx_filters = n_entries;
13519 		func->rx_filters = filter;
13520 	}
13521 
13522 	return 0;
13523 
13524 err:
13525 	i = 0;
13526 	nla_for_each_nested(attr, attr_filter, rem) {
13527 		kfree(filter[i].filter);
13528 		i++;
13529 	}
13530 	kfree(filter);
13531 	return -ENOMEM;
13532 }
13533 
13534 static int nl80211_nan_add_func(struct sk_buff *skb,
13535 				struct genl_info *info)
13536 {
13537 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13538 	struct wireless_dev *wdev = info->user_ptr[1];
13539 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13540 	struct cfg80211_nan_func *func;
13541 	struct sk_buff *msg = NULL;
13542 	void *hdr = NULL;
13543 	int err = 0;
13544 
13545 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13546 		return -EOPNOTSUPP;
13547 
13548 	if (!wdev_running(wdev))
13549 		return -ENOTCONN;
13550 
13551 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13552 		return -EINVAL;
13553 
13554 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13555 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13556 					  nl80211_nan_func_policy,
13557 					  info->extack);
13558 	if (err)
13559 		return err;
13560 
13561 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13562 	if (!func)
13563 		return -ENOMEM;
13564 
13565 	func->cookie = cfg80211_assign_cookie(rdev);
13566 
13567 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13568 		err = -EINVAL;
13569 		goto out;
13570 	}
13571 
13572 
13573 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13574 
13575 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13576 		err = -EINVAL;
13577 		goto out;
13578 	}
13579 
13580 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13581 	       sizeof(func->service_id));
13582 
13583 	func->close_range =
13584 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13585 
13586 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13587 		func->serv_spec_info_len =
13588 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13589 		func->serv_spec_info =
13590 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13591 				func->serv_spec_info_len,
13592 				GFP_KERNEL);
13593 		if (!func->serv_spec_info) {
13594 			err = -ENOMEM;
13595 			goto out;
13596 		}
13597 	}
13598 
13599 	if (tb[NL80211_NAN_FUNC_TTL])
13600 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13601 
13602 	switch (func->type) {
13603 	case NL80211_NAN_FUNC_PUBLISH:
13604 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13605 			err = -EINVAL;
13606 			goto out;
13607 		}
13608 
13609 		func->publish_type =
13610 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13611 		func->publish_bcast =
13612 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13613 
13614 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13615 			func->publish_bcast) {
13616 			err = -EINVAL;
13617 			goto out;
13618 		}
13619 		break;
13620 	case NL80211_NAN_FUNC_SUBSCRIBE:
13621 		func->subscribe_active =
13622 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13623 		break;
13624 	case NL80211_NAN_FUNC_FOLLOW_UP:
13625 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13626 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13627 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13628 			err = -EINVAL;
13629 			goto out;
13630 		}
13631 
13632 		func->followup_id =
13633 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13634 		func->followup_reqid =
13635 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13636 		memcpy(func->followup_dest.addr,
13637 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13638 		       sizeof(func->followup_dest.addr));
13639 		if (func->ttl) {
13640 			err = -EINVAL;
13641 			goto out;
13642 		}
13643 		break;
13644 	default:
13645 		err = -EINVAL;
13646 		goto out;
13647 	}
13648 
13649 	if (tb[NL80211_NAN_FUNC_SRF]) {
13650 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13651 
13652 		err = nla_parse_nested_deprecated(srf_tb,
13653 						  NL80211_NAN_SRF_ATTR_MAX,
13654 						  tb[NL80211_NAN_FUNC_SRF],
13655 						  nl80211_nan_srf_policy,
13656 						  info->extack);
13657 		if (err)
13658 			goto out;
13659 
13660 		func->srf_include =
13661 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13662 
13663 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13664 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13665 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13666 				err = -EINVAL;
13667 				goto out;
13668 			}
13669 
13670 			func->srf_bf_len =
13671 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13672 			func->srf_bf =
13673 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13674 					func->srf_bf_len, GFP_KERNEL);
13675 			if (!func->srf_bf) {
13676 				err = -ENOMEM;
13677 				goto out;
13678 			}
13679 
13680 			func->srf_bf_idx =
13681 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13682 		} else {
13683 			struct nlattr *attr, *mac_attr =
13684 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13685 			int n_entries, rem, i = 0;
13686 
13687 			if (!mac_attr) {
13688 				err = -EINVAL;
13689 				goto out;
13690 			}
13691 
13692 			n_entries = validate_acl_mac_addrs(mac_attr);
13693 			if (n_entries <= 0) {
13694 				err = -EINVAL;
13695 				goto out;
13696 			}
13697 
13698 			func->srf_num_macs = n_entries;
13699 			func->srf_macs =
13700 				kcalloc(n_entries, sizeof(*func->srf_macs),
13701 					GFP_KERNEL);
13702 			if (!func->srf_macs) {
13703 				err = -ENOMEM;
13704 				goto out;
13705 			}
13706 
13707 			nla_for_each_nested(attr, mac_attr, rem)
13708 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13709 				       sizeof(*func->srf_macs));
13710 		}
13711 	}
13712 
13713 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13714 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13715 					func, true);
13716 		if (err)
13717 			goto out;
13718 	}
13719 
13720 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13721 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13722 					func, false);
13723 		if (err)
13724 			goto out;
13725 	}
13726 
13727 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13728 	if (!msg) {
13729 		err = -ENOMEM;
13730 		goto out;
13731 	}
13732 
13733 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13734 			     NL80211_CMD_ADD_NAN_FUNCTION);
13735 	/* This can't really happen - we just allocated 4KB */
13736 	if (WARN_ON(!hdr)) {
13737 		err = -ENOMEM;
13738 		goto out;
13739 	}
13740 
13741 	err = rdev_add_nan_func(rdev, wdev, func);
13742 out:
13743 	if (err < 0) {
13744 		cfg80211_free_nan_func(func);
13745 		nlmsg_free(msg);
13746 		return err;
13747 	}
13748 
13749 	/* propagate the instance id and cookie to userspace  */
13750 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13751 			      NL80211_ATTR_PAD))
13752 		goto nla_put_failure;
13753 
13754 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13755 	if (!func_attr)
13756 		goto nla_put_failure;
13757 
13758 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13759 		       func->instance_id))
13760 		goto nla_put_failure;
13761 
13762 	nla_nest_end(msg, func_attr);
13763 
13764 	genlmsg_end(msg, hdr);
13765 	return genlmsg_reply(msg, info);
13766 
13767 nla_put_failure:
13768 	nlmsg_free(msg);
13769 	return -ENOBUFS;
13770 }
13771 
13772 static int nl80211_nan_del_func(struct sk_buff *skb,
13773 			       struct genl_info *info)
13774 {
13775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13776 	struct wireless_dev *wdev = info->user_ptr[1];
13777 	u64 cookie;
13778 
13779 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13780 		return -EOPNOTSUPP;
13781 
13782 	if (!wdev_running(wdev))
13783 		return -ENOTCONN;
13784 
13785 	if (!info->attrs[NL80211_ATTR_COOKIE])
13786 		return -EINVAL;
13787 
13788 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13789 
13790 	rdev_del_nan_func(rdev, wdev, cookie);
13791 
13792 	return 0;
13793 }
13794 
13795 static int nl80211_nan_change_config(struct sk_buff *skb,
13796 				     struct genl_info *info)
13797 {
13798 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13799 	struct wireless_dev *wdev = info->user_ptr[1];
13800 	struct cfg80211_nan_conf conf = {};
13801 	u32 changed = 0;
13802 
13803 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13804 		return -EOPNOTSUPP;
13805 
13806 	if (!wdev_running(wdev))
13807 		return -ENOTCONN;
13808 
13809 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13810 		conf.master_pref =
13811 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13812 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13813 			return -EINVAL;
13814 
13815 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13816 	}
13817 
13818 	if (info->attrs[NL80211_ATTR_BANDS]) {
13819 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13820 
13821 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13822 			return -EOPNOTSUPP;
13823 
13824 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13825 			return -EINVAL;
13826 
13827 		conf.bands = bands;
13828 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13829 	}
13830 
13831 	if (!changed)
13832 		return -EINVAL;
13833 
13834 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13835 }
13836 
13837 void cfg80211_nan_match(struct wireless_dev *wdev,
13838 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13839 {
13840 	struct wiphy *wiphy = wdev->wiphy;
13841 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13842 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13843 	struct sk_buff *msg;
13844 	void *hdr;
13845 
13846 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13847 		return;
13848 
13849 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13850 	if (!msg)
13851 		return;
13852 
13853 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13854 	if (!hdr) {
13855 		nlmsg_free(msg);
13856 		return;
13857 	}
13858 
13859 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13860 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13861 					 wdev->netdev->ifindex)) ||
13862 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13863 			      NL80211_ATTR_PAD))
13864 		goto nla_put_failure;
13865 
13866 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13867 			      NL80211_ATTR_PAD) ||
13868 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13869 		goto nla_put_failure;
13870 
13871 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13872 	if (!match_attr)
13873 		goto nla_put_failure;
13874 
13875 	local_func_attr = nla_nest_start_noflag(msg,
13876 						NL80211_NAN_MATCH_FUNC_LOCAL);
13877 	if (!local_func_attr)
13878 		goto nla_put_failure;
13879 
13880 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13881 		goto nla_put_failure;
13882 
13883 	nla_nest_end(msg, local_func_attr);
13884 
13885 	peer_func_attr = nla_nest_start_noflag(msg,
13886 					       NL80211_NAN_MATCH_FUNC_PEER);
13887 	if (!peer_func_attr)
13888 		goto nla_put_failure;
13889 
13890 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13891 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13892 		goto nla_put_failure;
13893 
13894 	if (match->info && match->info_len &&
13895 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13896 		    match->info))
13897 		goto nla_put_failure;
13898 
13899 	nla_nest_end(msg, peer_func_attr);
13900 	nla_nest_end(msg, match_attr);
13901 	genlmsg_end(msg, hdr);
13902 
13903 	if (!wdev->owner_nlportid)
13904 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13905 					msg, 0, NL80211_MCGRP_NAN, gfp);
13906 	else
13907 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13908 				wdev->owner_nlportid);
13909 
13910 	return;
13911 
13912 nla_put_failure:
13913 	nlmsg_free(msg);
13914 }
13915 EXPORT_SYMBOL(cfg80211_nan_match);
13916 
13917 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13918 				  u8 inst_id,
13919 				  enum nl80211_nan_func_term_reason reason,
13920 				  u64 cookie, gfp_t gfp)
13921 {
13922 	struct wiphy *wiphy = wdev->wiphy;
13923 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13924 	struct sk_buff *msg;
13925 	struct nlattr *func_attr;
13926 	void *hdr;
13927 
13928 	if (WARN_ON(!inst_id))
13929 		return;
13930 
13931 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13932 	if (!msg)
13933 		return;
13934 
13935 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13936 	if (!hdr) {
13937 		nlmsg_free(msg);
13938 		return;
13939 	}
13940 
13941 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13942 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13943 					 wdev->netdev->ifindex)) ||
13944 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13945 			      NL80211_ATTR_PAD))
13946 		goto nla_put_failure;
13947 
13948 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13949 			      NL80211_ATTR_PAD))
13950 		goto nla_put_failure;
13951 
13952 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13953 	if (!func_attr)
13954 		goto nla_put_failure;
13955 
13956 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13957 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13958 		goto nla_put_failure;
13959 
13960 	nla_nest_end(msg, func_attr);
13961 	genlmsg_end(msg, hdr);
13962 
13963 	if (!wdev->owner_nlportid)
13964 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13965 					msg, 0, NL80211_MCGRP_NAN, gfp);
13966 	else
13967 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13968 				wdev->owner_nlportid);
13969 
13970 	return;
13971 
13972 nla_put_failure:
13973 	nlmsg_free(msg);
13974 }
13975 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13976 
13977 static int nl80211_get_protocol_features(struct sk_buff *skb,
13978 					 struct genl_info *info)
13979 {
13980 	void *hdr;
13981 	struct sk_buff *msg;
13982 
13983 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13984 	if (!msg)
13985 		return -ENOMEM;
13986 
13987 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13988 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13989 	if (!hdr)
13990 		goto nla_put_failure;
13991 
13992 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13993 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13994 		goto nla_put_failure;
13995 
13996 	genlmsg_end(msg, hdr);
13997 	return genlmsg_reply(msg, info);
13998 
13999  nla_put_failure:
14000 	kfree_skb(msg);
14001 	return -ENOBUFS;
14002 }
14003 
14004 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14005 {
14006 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14007 	struct cfg80211_update_ft_ies_params ft_params;
14008 	struct net_device *dev = info->user_ptr[1];
14009 
14010 	if (!rdev->ops->update_ft_ies)
14011 		return -EOPNOTSUPP;
14012 
14013 	if (!info->attrs[NL80211_ATTR_MDID] ||
14014 	    !info->attrs[NL80211_ATTR_IE])
14015 		return -EINVAL;
14016 
14017 	memset(&ft_params, 0, sizeof(ft_params));
14018 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14019 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14020 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14021 
14022 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14023 }
14024 
14025 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14026 				       struct genl_info *info)
14027 {
14028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14029 	struct wireless_dev *wdev = info->user_ptr[1];
14030 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14031 	u16 duration;
14032 	int ret;
14033 
14034 	if (!rdev->ops->crit_proto_start)
14035 		return -EOPNOTSUPP;
14036 
14037 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14038 		return -EINVAL;
14039 
14040 	if (rdev->crit_proto_nlportid)
14041 		return -EBUSY;
14042 
14043 	/* determine protocol if provided */
14044 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14045 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14046 
14047 	if (proto >= NUM_NL80211_CRIT_PROTO)
14048 		return -EINVAL;
14049 
14050 	/* timeout must be provided */
14051 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14052 		return -EINVAL;
14053 
14054 	duration =
14055 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14056 
14057 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14058 	if (!ret)
14059 		rdev->crit_proto_nlportid = info->snd_portid;
14060 
14061 	return ret;
14062 }
14063 
14064 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14065 				      struct genl_info *info)
14066 {
14067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14068 	struct wireless_dev *wdev = info->user_ptr[1];
14069 
14070 	if (!rdev->ops->crit_proto_stop)
14071 		return -EOPNOTSUPP;
14072 
14073 	if (rdev->crit_proto_nlportid) {
14074 		rdev->crit_proto_nlportid = 0;
14075 		rdev_crit_proto_stop(rdev, wdev);
14076 	}
14077 	return 0;
14078 }
14079 
14080 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14081 				       struct nlattr *attr,
14082 				       struct netlink_ext_ack *extack)
14083 {
14084 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14085 		if (attr->nla_type & NLA_F_NESTED) {
14086 			NL_SET_ERR_MSG_ATTR(extack, attr,
14087 					    "unexpected nested data");
14088 			return -EINVAL;
14089 		}
14090 
14091 		return 0;
14092 	}
14093 
14094 	if (!(attr->nla_type & NLA_F_NESTED)) {
14095 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14096 		return -EINVAL;
14097 	}
14098 
14099 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14100 }
14101 
14102 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14103 {
14104 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14105 	struct wireless_dev *wdev =
14106 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14107 					   info->attrs);
14108 	int i, err;
14109 	u32 vid, subcmd;
14110 
14111 	if (!rdev->wiphy.vendor_commands)
14112 		return -EOPNOTSUPP;
14113 
14114 	if (IS_ERR(wdev)) {
14115 		err = PTR_ERR(wdev);
14116 		if (err != -EINVAL)
14117 			return err;
14118 		wdev = NULL;
14119 	} else if (wdev->wiphy != &rdev->wiphy) {
14120 		return -EINVAL;
14121 	}
14122 
14123 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14124 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14125 		return -EINVAL;
14126 
14127 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14128 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14129 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14130 		const struct wiphy_vendor_command *vcmd;
14131 		void *data = NULL;
14132 		int len = 0;
14133 
14134 		vcmd = &rdev->wiphy.vendor_commands[i];
14135 
14136 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14137 			continue;
14138 
14139 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14140 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14141 			if (!wdev)
14142 				return -EINVAL;
14143 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14144 			    !wdev->netdev)
14145 				return -EINVAL;
14146 
14147 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14148 				if (!wdev_running(wdev))
14149 					return -ENETDOWN;
14150 			}
14151 		} else {
14152 			wdev = NULL;
14153 		}
14154 
14155 		if (!vcmd->doit)
14156 			return -EOPNOTSUPP;
14157 
14158 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14159 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14160 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14161 
14162 			err = nl80211_vendor_check_policy(vcmd,
14163 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14164 					info->extack);
14165 			if (err)
14166 				return err;
14167 		}
14168 
14169 		rdev->cur_cmd_info = info;
14170 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14171 		rdev->cur_cmd_info = NULL;
14172 		return err;
14173 	}
14174 
14175 	return -EOPNOTSUPP;
14176 }
14177 
14178 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14179 				       struct netlink_callback *cb,
14180 				       struct cfg80211_registered_device **rdev,
14181 				       struct wireless_dev **wdev)
14182 {
14183 	struct nlattr **attrbuf;
14184 	u32 vid, subcmd;
14185 	unsigned int i;
14186 	int vcmd_idx = -1;
14187 	int err;
14188 	void *data = NULL;
14189 	unsigned int data_len = 0;
14190 
14191 	if (cb->args[0]) {
14192 		/* subtract the 1 again here */
14193 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14194 		struct wireless_dev *tmp;
14195 
14196 		if (!wiphy)
14197 			return -ENODEV;
14198 		*rdev = wiphy_to_rdev(wiphy);
14199 		*wdev = NULL;
14200 
14201 		if (cb->args[1]) {
14202 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14203 				if (tmp->identifier == cb->args[1] - 1) {
14204 					*wdev = tmp;
14205 					break;
14206 				}
14207 			}
14208 		}
14209 
14210 		/* keep rtnl locked in successful case */
14211 		return 0;
14212 	}
14213 
14214 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14215 	if (!attrbuf)
14216 		return -ENOMEM;
14217 
14218 	err = nlmsg_parse_deprecated(cb->nlh,
14219 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14220 				     attrbuf, nl80211_fam.maxattr,
14221 				     nl80211_policy, NULL);
14222 	if (err)
14223 		goto out;
14224 
14225 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14226 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14227 		err = -EINVAL;
14228 		goto out;
14229 	}
14230 
14231 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14232 	if (IS_ERR(*wdev))
14233 		*wdev = NULL;
14234 
14235 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14236 	if (IS_ERR(*rdev)) {
14237 		err = PTR_ERR(*rdev);
14238 		goto out;
14239 	}
14240 
14241 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14242 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14243 
14244 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14245 		const struct wiphy_vendor_command *vcmd;
14246 
14247 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14248 
14249 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14250 			continue;
14251 
14252 		if (!vcmd->dumpit) {
14253 			err = -EOPNOTSUPP;
14254 			goto out;
14255 		}
14256 
14257 		vcmd_idx = i;
14258 		break;
14259 	}
14260 
14261 	if (vcmd_idx < 0) {
14262 		err = -EOPNOTSUPP;
14263 		goto out;
14264 	}
14265 
14266 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14267 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14268 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14269 
14270 		err = nl80211_vendor_check_policy(
14271 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14272 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14273 				cb->extack);
14274 		if (err)
14275 			goto out;
14276 	}
14277 
14278 	/* 0 is the first index - add 1 to parse only once */
14279 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14280 	/* add 1 to know if it was NULL */
14281 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14282 	cb->args[2] = vcmd_idx;
14283 	cb->args[3] = (unsigned long)data;
14284 	cb->args[4] = data_len;
14285 
14286 	/* keep rtnl locked in successful case */
14287 	err = 0;
14288 out:
14289 	kfree(attrbuf);
14290 	return err;
14291 }
14292 
14293 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14294 				   struct netlink_callback *cb)
14295 {
14296 	struct cfg80211_registered_device *rdev;
14297 	struct wireless_dev *wdev;
14298 	unsigned int vcmd_idx;
14299 	const struct wiphy_vendor_command *vcmd;
14300 	void *data;
14301 	int data_len;
14302 	int err;
14303 	struct nlattr *vendor_data;
14304 
14305 	rtnl_lock();
14306 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14307 	if (err)
14308 		goto out;
14309 
14310 	vcmd_idx = cb->args[2];
14311 	data = (void *)cb->args[3];
14312 	data_len = cb->args[4];
14313 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14314 
14315 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14316 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14317 		if (!wdev) {
14318 			err = -EINVAL;
14319 			goto out;
14320 		}
14321 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14322 		    !wdev->netdev) {
14323 			err = -EINVAL;
14324 			goto out;
14325 		}
14326 
14327 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14328 			if (!wdev_running(wdev)) {
14329 				err = -ENETDOWN;
14330 				goto out;
14331 			}
14332 		}
14333 	}
14334 
14335 	while (1) {
14336 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14337 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14338 					   NL80211_CMD_VENDOR);
14339 		if (!hdr)
14340 			break;
14341 
14342 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14343 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14344 					       wdev_id(wdev),
14345 					       NL80211_ATTR_PAD))) {
14346 			genlmsg_cancel(skb, hdr);
14347 			break;
14348 		}
14349 
14350 		vendor_data = nla_nest_start_noflag(skb,
14351 						    NL80211_ATTR_VENDOR_DATA);
14352 		if (!vendor_data) {
14353 			genlmsg_cancel(skb, hdr);
14354 			break;
14355 		}
14356 
14357 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14358 				   (unsigned long *)&cb->args[5]);
14359 		nla_nest_end(skb, vendor_data);
14360 
14361 		if (err == -ENOBUFS || err == -ENOENT) {
14362 			genlmsg_cancel(skb, hdr);
14363 			break;
14364 		} else if (err <= 0) {
14365 			genlmsg_cancel(skb, hdr);
14366 			goto out;
14367 		}
14368 
14369 		genlmsg_end(skb, hdr);
14370 	}
14371 
14372 	err = skb->len;
14373  out:
14374 	rtnl_unlock();
14375 	return err;
14376 }
14377 
14378 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14379 					   enum nl80211_commands cmd,
14380 					   enum nl80211_attrs attr,
14381 					   int approxlen)
14382 {
14383 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14384 
14385 	if (WARN_ON(!rdev->cur_cmd_info))
14386 		return NULL;
14387 
14388 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14389 					   rdev->cur_cmd_info->snd_portid,
14390 					   rdev->cur_cmd_info->snd_seq,
14391 					   cmd, attr, NULL, GFP_KERNEL);
14392 }
14393 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14394 
14395 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14396 {
14397 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14398 	void *hdr = ((void **)skb->cb)[1];
14399 	struct nlattr *data = ((void **)skb->cb)[2];
14400 
14401 	/* clear CB data for netlink core to own from now on */
14402 	memset(skb->cb, 0, sizeof(skb->cb));
14403 
14404 	if (WARN_ON(!rdev->cur_cmd_info)) {
14405 		kfree_skb(skb);
14406 		return -EINVAL;
14407 	}
14408 
14409 	nla_nest_end(skb, data);
14410 	genlmsg_end(skb, hdr);
14411 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14412 }
14413 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14414 
14415 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14416 {
14417 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14418 
14419 	if (WARN_ON(!rdev->cur_cmd_info))
14420 		return 0;
14421 
14422 	return rdev->cur_cmd_info->snd_portid;
14423 }
14424 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14425 
14426 static int nl80211_set_qos_map(struct sk_buff *skb,
14427 			       struct genl_info *info)
14428 {
14429 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14430 	struct cfg80211_qos_map *qos_map = NULL;
14431 	struct net_device *dev = info->user_ptr[1];
14432 	u8 *pos, len, num_des, des_len, des;
14433 	int ret;
14434 
14435 	if (!rdev->ops->set_qos_map)
14436 		return -EOPNOTSUPP;
14437 
14438 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14439 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14440 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14441 
14442 		if (len % 2)
14443 			return -EINVAL;
14444 
14445 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14446 		if (!qos_map)
14447 			return -ENOMEM;
14448 
14449 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14450 		if (num_des) {
14451 			des_len = num_des *
14452 				sizeof(struct cfg80211_dscp_exception);
14453 			memcpy(qos_map->dscp_exception, pos, des_len);
14454 			qos_map->num_des = num_des;
14455 			for (des = 0; des < num_des; des++) {
14456 				if (qos_map->dscp_exception[des].up > 7) {
14457 					kfree(qos_map);
14458 					return -EINVAL;
14459 				}
14460 			}
14461 			pos += des_len;
14462 		}
14463 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14464 	}
14465 
14466 	wdev_lock(dev->ieee80211_ptr);
14467 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14468 	if (!ret)
14469 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14470 	wdev_unlock(dev->ieee80211_ptr);
14471 
14472 	kfree(qos_map);
14473 	return ret;
14474 }
14475 
14476 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14477 {
14478 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14479 	struct net_device *dev = info->user_ptr[1];
14480 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14481 	const u8 *peer;
14482 	u8 tsid, up;
14483 	u16 admitted_time = 0;
14484 	int err;
14485 
14486 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14487 		return -EOPNOTSUPP;
14488 
14489 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14490 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14491 		return -EINVAL;
14492 
14493 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14494 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14495 
14496 	/* WMM uses TIDs 0-7 even for TSPEC */
14497 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14498 		/* TODO: handle 802.11 TSPEC/admission control
14499 		 * need more attributes for that (e.g. BA session requirement);
14500 		 * change the WMM adminssion test above to allow both then
14501 		 */
14502 		return -EINVAL;
14503 	}
14504 
14505 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14506 
14507 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14508 		admitted_time =
14509 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14510 		if (!admitted_time)
14511 			return -EINVAL;
14512 	}
14513 
14514 	wdev_lock(wdev);
14515 	switch (wdev->iftype) {
14516 	case NL80211_IFTYPE_STATION:
14517 	case NL80211_IFTYPE_P2P_CLIENT:
14518 		if (wdev->current_bss)
14519 			break;
14520 		err = -ENOTCONN;
14521 		goto out;
14522 	default:
14523 		err = -EOPNOTSUPP;
14524 		goto out;
14525 	}
14526 
14527 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14528 
14529  out:
14530 	wdev_unlock(wdev);
14531 	return err;
14532 }
14533 
14534 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14535 {
14536 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14537 	struct net_device *dev = info->user_ptr[1];
14538 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14539 	const u8 *peer;
14540 	u8 tsid;
14541 	int err;
14542 
14543 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14544 		return -EINVAL;
14545 
14546 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14547 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14548 
14549 	wdev_lock(wdev);
14550 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14551 	wdev_unlock(wdev);
14552 
14553 	return err;
14554 }
14555 
14556 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14557 				       struct genl_info *info)
14558 {
14559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14560 	struct net_device *dev = info->user_ptr[1];
14561 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14562 	struct cfg80211_chan_def chandef = {};
14563 	const u8 *addr;
14564 	u8 oper_class;
14565 	int err;
14566 
14567 	if (!rdev->ops->tdls_channel_switch ||
14568 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14569 		return -EOPNOTSUPP;
14570 
14571 	switch (dev->ieee80211_ptr->iftype) {
14572 	case NL80211_IFTYPE_STATION:
14573 	case NL80211_IFTYPE_P2P_CLIENT:
14574 		break;
14575 	default:
14576 		return -EOPNOTSUPP;
14577 	}
14578 
14579 	if (!info->attrs[NL80211_ATTR_MAC] ||
14580 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14581 		return -EINVAL;
14582 
14583 	err = nl80211_parse_chandef(rdev, info, &chandef);
14584 	if (err)
14585 		return err;
14586 
14587 	/*
14588 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14589 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14590 	 * specification is not defined for them.
14591 	 */
14592 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14593 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14594 	    chandef.width != NL80211_CHAN_WIDTH_20)
14595 		return -EINVAL;
14596 
14597 	/* we will be active on the TDLS link */
14598 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14599 					   wdev->iftype))
14600 		return -EINVAL;
14601 
14602 	/* don't allow switching to DFS channels */
14603 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14604 		return -EINVAL;
14605 
14606 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14607 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14608 
14609 	wdev_lock(wdev);
14610 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14611 	wdev_unlock(wdev);
14612 
14613 	return err;
14614 }
14615 
14616 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14617 					      struct genl_info *info)
14618 {
14619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14620 	struct net_device *dev = info->user_ptr[1];
14621 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14622 	const u8 *addr;
14623 
14624 	if (!rdev->ops->tdls_channel_switch ||
14625 	    !rdev->ops->tdls_cancel_channel_switch ||
14626 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14627 		return -EOPNOTSUPP;
14628 
14629 	switch (dev->ieee80211_ptr->iftype) {
14630 	case NL80211_IFTYPE_STATION:
14631 	case NL80211_IFTYPE_P2P_CLIENT:
14632 		break;
14633 	default:
14634 		return -EOPNOTSUPP;
14635 	}
14636 
14637 	if (!info->attrs[NL80211_ATTR_MAC])
14638 		return -EINVAL;
14639 
14640 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14641 
14642 	wdev_lock(wdev);
14643 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14644 	wdev_unlock(wdev);
14645 
14646 	return 0;
14647 }
14648 
14649 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14650 					    struct genl_info *info)
14651 {
14652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14653 	struct net_device *dev = info->user_ptr[1];
14654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14655 	const struct nlattr *nla;
14656 	bool enabled;
14657 
14658 	if (!rdev->ops->set_multicast_to_unicast)
14659 		return -EOPNOTSUPP;
14660 
14661 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14662 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14663 		return -EOPNOTSUPP;
14664 
14665 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14666 	enabled = nla_get_flag(nla);
14667 
14668 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14669 }
14670 
14671 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14672 {
14673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14674 	struct net_device *dev = info->user_ptr[1];
14675 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14676 	struct cfg80211_pmk_conf pmk_conf = {};
14677 	int ret;
14678 
14679 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14680 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14681 		return -EOPNOTSUPP;
14682 
14683 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14684 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14685 		return -EOPNOTSUPP;
14686 
14687 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14688 		return -EINVAL;
14689 
14690 	wdev_lock(wdev);
14691 	if (!wdev->current_bss) {
14692 		ret = -ENOTCONN;
14693 		goto out;
14694 	}
14695 
14696 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14697 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14698 		ret = -EINVAL;
14699 		goto out;
14700 	}
14701 
14702 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14703 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14704 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14705 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14706 		ret = -EINVAL;
14707 		goto out;
14708 	}
14709 
14710 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14711 		pmk_conf.pmk_r0_name =
14712 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14713 
14714 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14715 out:
14716 	wdev_unlock(wdev);
14717 	return ret;
14718 }
14719 
14720 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14721 {
14722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14723 	struct net_device *dev = info->user_ptr[1];
14724 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14725 	const u8 *aa;
14726 	int ret;
14727 
14728 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14729 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14730 		return -EOPNOTSUPP;
14731 
14732 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14733 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14734 		return -EOPNOTSUPP;
14735 
14736 	if (!info->attrs[NL80211_ATTR_MAC])
14737 		return -EINVAL;
14738 
14739 	wdev_lock(wdev);
14740 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14741 	ret = rdev_del_pmk(rdev, dev, aa);
14742 	wdev_unlock(wdev);
14743 
14744 	return ret;
14745 }
14746 
14747 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14748 {
14749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14750 	struct net_device *dev = info->user_ptr[1];
14751 	struct cfg80211_external_auth_params params;
14752 
14753 	if (!rdev->ops->external_auth)
14754 		return -EOPNOTSUPP;
14755 
14756 	if (!info->attrs[NL80211_ATTR_SSID] &&
14757 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14758 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14759 		return -EINVAL;
14760 
14761 	if (!info->attrs[NL80211_ATTR_BSSID])
14762 		return -EINVAL;
14763 
14764 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14765 		return -EINVAL;
14766 
14767 	memset(&params, 0, sizeof(params));
14768 
14769 	if (info->attrs[NL80211_ATTR_SSID]) {
14770 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14771 		if (params.ssid.ssid_len == 0)
14772 			return -EINVAL;
14773 		memcpy(params.ssid.ssid,
14774 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14775 		       params.ssid.ssid_len);
14776 	}
14777 
14778 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14779 	       ETH_ALEN);
14780 
14781 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14782 
14783 	if (info->attrs[NL80211_ATTR_PMKID])
14784 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14785 
14786 	return rdev_external_auth(rdev, dev, &params);
14787 }
14788 
14789 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14790 {
14791 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14792 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14793 	struct net_device *dev = info->user_ptr[1];
14794 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14795 	const u8 *buf;
14796 	size_t len;
14797 	u8 *dest;
14798 	u16 proto;
14799 	bool noencrypt;
14800 	u64 cookie = 0;
14801 	int err;
14802 
14803 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14804 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14805 		return -EOPNOTSUPP;
14806 
14807 	if (!rdev->ops->tx_control_port)
14808 		return -EOPNOTSUPP;
14809 
14810 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14811 	    !info->attrs[NL80211_ATTR_MAC] ||
14812 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14813 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14814 		return -EINVAL;
14815 	}
14816 
14817 	wdev_lock(wdev);
14818 
14819 	switch (wdev->iftype) {
14820 	case NL80211_IFTYPE_AP:
14821 	case NL80211_IFTYPE_P2P_GO:
14822 	case NL80211_IFTYPE_MESH_POINT:
14823 		break;
14824 	case NL80211_IFTYPE_ADHOC:
14825 	case NL80211_IFTYPE_STATION:
14826 	case NL80211_IFTYPE_P2P_CLIENT:
14827 		if (wdev->current_bss)
14828 			break;
14829 		err = -ENOTCONN;
14830 		goto out;
14831 	default:
14832 		err = -EOPNOTSUPP;
14833 		goto out;
14834 	}
14835 
14836 	wdev_unlock(wdev);
14837 
14838 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14839 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14840 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14841 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14842 	noencrypt =
14843 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14844 
14845 	err = rdev_tx_control_port(rdev, dev, buf, len,
14846 				   dest, cpu_to_be16(proto), noencrypt,
14847 				   dont_wait_for_ack ? NULL : &cookie);
14848 	if (!err && !dont_wait_for_ack)
14849 		nl_set_extack_cookie_u64(info->extack, cookie);
14850 	return err;
14851  out:
14852 	wdev_unlock(wdev);
14853 	return err;
14854 }
14855 
14856 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14857 					   struct genl_info *info)
14858 {
14859 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14860 	struct net_device *dev = info->user_ptr[1];
14861 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14862 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14863 	struct sk_buff *msg;
14864 	void *hdr;
14865 	struct nlattr *ftm_stats_attr;
14866 	int err;
14867 
14868 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14869 		return -EOPNOTSUPP;
14870 
14871 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14872 	if (err)
14873 		return err;
14874 
14875 	if (!ftm_stats.filled)
14876 		return -ENODATA;
14877 
14878 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14879 	if (!msg)
14880 		return -ENOMEM;
14881 
14882 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14883 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14884 	if (!hdr)
14885 		goto nla_put_failure;
14886 
14887 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14888 		goto nla_put_failure;
14889 
14890 	ftm_stats_attr = nla_nest_start_noflag(msg,
14891 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14892 	if (!ftm_stats_attr)
14893 		goto nla_put_failure;
14894 
14895 #define SET_FTM(field, name, type)					 \
14896 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14897 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14898 			     ftm_stats.field))				 \
14899 		goto nla_put_failure; } while (0)
14900 #define SET_FTM_U64(field, name)					 \
14901 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14902 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14903 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14904 		goto nla_put_failure; } while (0)
14905 
14906 	SET_FTM(success_num, SUCCESS_NUM, u32);
14907 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14908 	SET_FTM(failed_num, FAILED_NUM, u32);
14909 	SET_FTM(asap_num, ASAP_NUM, u32);
14910 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14911 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14912 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14913 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14914 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14915 #undef SET_FTM
14916 
14917 	nla_nest_end(msg, ftm_stats_attr);
14918 
14919 	genlmsg_end(msg, hdr);
14920 	return genlmsg_reply(msg, info);
14921 
14922 nla_put_failure:
14923 	nlmsg_free(msg);
14924 	return -ENOBUFS;
14925 }
14926 
14927 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14928 {
14929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14930 	struct cfg80211_update_owe_info owe_info;
14931 	struct net_device *dev = info->user_ptr[1];
14932 
14933 	if (!rdev->ops->update_owe_info)
14934 		return -EOPNOTSUPP;
14935 
14936 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14937 	    !info->attrs[NL80211_ATTR_MAC])
14938 		return -EINVAL;
14939 
14940 	memset(&owe_info, 0, sizeof(owe_info));
14941 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14942 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14943 
14944 	if (info->attrs[NL80211_ATTR_IE]) {
14945 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14946 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14947 	}
14948 
14949 	return rdev_update_owe_info(rdev, dev, &owe_info);
14950 }
14951 
14952 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14953 {
14954 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14955 	struct net_device *dev = info->user_ptr[1];
14956 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14957 	struct station_info sinfo = {};
14958 	const u8 *buf;
14959 	size_t len;
14960 	u8 *dest;
14961 	int err;
14962 
14963 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14964 		return -EOPNOTSUPP;
14965 
14966 	if (!info->attrs[NL80211_ATTR_MAC] ||
14967 	    !info->attrs[NL80211_ATTR_FRAME]) {
14968 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14969 		return -EINVAL;
14970 	}
14971 
14972 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14973 		return -EOPNOTSUPP;
14974 
14975 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14976 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14977 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14978 
14979 	if (len < sizeof(struct ethhdr))
14980 		return -EINVAL;
14981 
14982 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14983 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14984 		return -EINVAL;
14985 
14986 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14987 	if (err)
14988 		return err;
14989 
14990 	cfg80211_sinfo_release_content(&sinfo);
14991 
14992 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14993 }
14994 
14995 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14996 			  struct nlattr *attrs[], struct net_device *dev,
14997 			  struct cfg80211_tid_cfg *tid_conf,
14998 			  struct genl_info *info, const u8 *peer)
14999 {
15000 	struct netlink_ext_ack *extack = info->extack;
15001 	u64 mask;
15002 	int err;
15003 
15004 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15005 		return -EINVAL;
15006 
15007 	tid_conf->config_override =
15008 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15009 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15010 
15011 	if (tid_conf->config_override) {
15012 		if (rdev->ops->reset_tid_config) {
15013 			err = rdev_reset_tid_config(rdev, dev, peer,
15014 						    tid_conf->tids);
15015 			if (err)
15016 				return err;
15017 		} else {
15018 			return -EINVAL;
15019 		}
15020 	}
15021 
15022 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15023 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15024 		tid_conf->noack =
15025 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15026 	}
15027 
15028 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15029 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15030 		tid_conf->retry_short =
15031 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15032 
15033 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15034 			return -EINVAL;
15035 	}
15036 
15037 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15038 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15039 		tid_conf->retry_long =
15040 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15041 
15042 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15043 			return -EINVAL;
15044 	}
15045 
15046 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15047 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15048 		tid_conf->ampdu =
15049 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15050 	}
15051 
15052 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15053 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15054 		tid_conf->rtscts =
15055 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15056 	}
15057 
15058 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15059 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15060 		tid_conf->amsdu =
15061 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15062 	}
15063 
15064 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15065 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15066 
15067 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15068 
15069 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15070 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15071 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15072 						    &tid_conf->txrate_mask, dev,
15073 						    true);
15074 			if (err)
15075 				return err;
15076 
15077 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15078 		}
15079 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15080 	}
15081 
15082 	if (peer)
15083 		mask = rdev->wiphy.tid_config_support.peer;
15084 	else
15085 		mask = rdev->wiphy.tid_config_support.vif;
15086 
15087 	if (tid_conf->mask & ~mask) {
15088 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15089 		return -ENOTSUPP;
15090 	}
15091 
15092 	return 0;
15093 }
15094 
15095 static int nl80211_set_tid_config(struct sk_buff *skb,
15096 				  struct genl_info *info)
15097 {
15098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15099 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15100 	struct net_device *dev = info->user_ptr[1];
15101 	struct cfg80211_tid_config *tid_config;
15102 	struct nlattr *tid;
15103 	int conf_idx = 0, rem_conf;
15104 	int ret = -EINVAL;
15105 	u32 num_conf = 0;
15106 
15107 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15108 		return -EINVAL;
15109 
15110 	if (!rdev->ops->set_tid_config)
15111 		return -EOPNOTSUPP;
15112 
15113 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15114 			    rem_conf)
15115 		num_conf++;
15116 
15117 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15118 			     GFP_KERNEL);
15119 	if (!tid_config)
15120 		return -ENOMEM;
15121 
15122 	tid_config->n_tid_conf = num_conf;
15123 
15124 	if (info->attrs[NL80211_ATTR_MAC])
15125 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15126 
15127 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15128 			    rem_conf) {
15129 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15130 				       tid, NULL, NULL);
15131 
15132 		if (ret)
15133 			goto bad_tid_conf;
15134 
15135 		ret = parse_tid_conf(rdev, attrs, dev,
15136 				     &tid_config->tid_conf[conf_idx],
15137 				     info, tid_config->peer);
15138 		if (ret)
15139 			goto bad_tid_conf;
15140 
15141 		conf_idx++;
15142 	}
15143 
15144 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15145 
15146 bad_tid_conf:
15147 	kfree(tid_config);
15148 	return ret;
15149 }
15150 
15151 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15152 {
15153 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15154 	struct cfg80211_color_change_settings params = {};
15155 	struct net_device *dev = info->user_ptr[1];
15156 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15157 	struct nlattr **tb;
15158 	u16 offset;
15159 	int err;
15160 
15161 	if (!rdev->ops->color_change)
15162 		return -EOPNOTSUPP;
15163 
15164 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15165 				     NL80211_EXT_FEATURE_BSS_COLOR))
15166 		return -EOPNOTSUPP;
15167 
15168 	if (wdev->iftype != NL80211_IFTYPE_AP)
15169 		return -EOPNOTSUPP;
15170 
15171 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15172 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15173 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15174 		return -EINVAL;
15175 
15176 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15177 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15178 
15179 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15180 	if (err)
15181 		return err;
15182 
15183 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15184 	if (!tb)
15185 		return -ENOMEM;
15186 
15187 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15188 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15189 			       nl80211_policy, info->extack);
15190 	if (err)
15191 		goto out;
15192 
15193 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15194 	if (err)
15195 		goto out;
15196 
15197 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15198 		err = -EINVAL;
15199 		goto out;
15200 	}
15201 
15202 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15203 		err = -EINVAL;
15204 		goto out;
15205 	}
15206 
15207 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15208 	if (offset >= params.beacon_color_change.tail_len) {
15209 		err = -EINVAL;
15210 		goto out;
15211 	}
15212 
15213 	if (params.beacon_color_change.tail[offset] != params.count) {
15214 		err = -EINVAL;
15215 		goto out;
15216 	}
15217 
15218 	params.counter_offset_beacon = offset;
15219 
15220 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15221 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15222 		    sizeof(u16)) {
15223 			err = -EINVAL;
15224 			goto out;
15225 		}
15226 
15227 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15228 		if (offset >= params.beacon_color_change.probe_resp_len) {
15229 			err = -EINVAL;
15230 			goto out;
15231 		}
15232 
15233 		if (params.beacon_color_change.probe_resp[offset] !=
15234 		    params.count) {
15235 			err = -EINVAL;
15236 			goto out;
15237 		}
15238 
15239 		params.counter_offset_presp = offset;
15240 	}
15241 
15242 	wdev_lock(wdev);
15243 	err = rdev_color_change(rdev, dev, &params);
15244 	wdev_unlock(wdev);
15245 
15246 out:
15247 	kfree(params.beacon_next.mbssid_ies);
15248 	kfree(params.beacon_color_change.mbssid_ies);
15249 	kfree(tb);
15250 	return err;
15251 }
15252 
15253 static int nl80211_set_fils_aad(struct sk_buff *skb,
15254 				struct genl_info *info)
15255 {
15256 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15257 	struct net_device *dev = info->user_ptr[1];
15258 	struct cfg80211_fils_aad fils_aad = {};
15259 	u8 *nonces;
15260 
15261 	if (!info->attrs[NL80211_ATTR_MAC] ||
15262 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15263 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15264 		return -EINVAL;
15265 
15266 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15267 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15268 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15269 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15270 	fils_aad.snonce = nonces;
15271 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15272 
15273 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15274 }
15275 
15276 #define NL80211_FLAG_NEED_WIPHY		0x01
15277 #define NL80211_FLAG_NEED_NETDEV	0x02
15278 #define NL80211_FLAG_NEED_RTNL		0x04
15279 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15280 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15281 					 NL80211_FLAG_CHECK_NETDEV_UP)
15282 #define NL80211_FLAG_NEED_WDEV		0x10
15283 /* If a netdev is associated, it must be UP, P2P must be started */
15284 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15285 					 NL80211_FLAG_CHECK_NETDEV_UP)
15286 #define NL80211_FLAG_CLEAR_SKB		0x20
15287 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15288 
15289 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15290 			    struct genl_info *info)
15291 {
15292 	struct cfg80211_registered_device *rdev = NULL;
15293 	struct wireless_dev *wdev;
15294 	struct net_device *dev;
15295 
15296 	rtnl_lock();
15297 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15298 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15299 		if (IS_ERR(rdev)) {
15300 			rtnl_unlock();
15301 			return PTR_ERR(rdev);
15302 		}
15303 		info->user_ptr[0] = rdev;
15304 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15305 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15306 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15307 						  info->attrs);
15308 		if (IS_ERR(wdev)) {
15309 			rtnl_unlock();
15310 			return PTR_ERR(wdev);
15311 		}
15312 
15313 		dev = wdev->netdev;
15314 		rdev = wiphy_to_rdev(wdev->wiphy);
15315 
15316 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15317 			if (!dev) {
15318 				rtnl_unlock();
15319 				return -EINVAL;
15320 			}
15321 
15322 			info->user_ptr[1] = dev;
15323 		} else {
15324 			info->user_ptr[1] = wdev;
15325 		}
15326 
15327 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15328 		    !wdev_running(wdev)) {
15329 			rtnl_unlock();
15330 			return -ENETDOWN;
15331 		}
15332 
15333 		dev_hold(dev);
15334 		info->user_ptr[0] = rdev;
15335 	}
15336 
15337 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15338 		wiphy_lock(&rdev->wiphy);
15339 		/* we keep the mutex locked until post_doit */
15340 		__release(&rdev->wiphy.mtx);
15341 	}
15342 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15343 		rtnl_unlock();
15344 
15345 	return 0;
15346 }
15347 
15348 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15349 			      struct genl_info *info)
15350 {
15351 	if (info->user_ptr[1]) {
15352 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15353 			struct wireless_dev *wdev = info->user_ptr[1];
15354 
15355 			dev_put(wdev->netdev);
15356 		} else {
15357 			dev_put(info->user_ptr[1]);
15358 		}
15359 	}
15360 
15361 	if (info->user_ptr[0] &&
15362 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15363 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15364 
15365 		/* we kept the mutex locked since pre_doit */
15366 		__acquire(&rdev->wiphy.mtx);
15367 		wiphy_unlock(&rdev->wiphy);
15368 	}
15369 
15370 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15371 		rtnl_unlock();
15372 
15373 	/* If needed, clear the netlink message payload from the SKB
15374 	 * as it might contain key data that shouldn't stick around on
15375 	 * the heap after the SKB is freed. The netlink message header
15376 	 * is still needed for further processing, so leave it intact.
15377 	 */
15378 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15379 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15380 
15381 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15382 	}
15383 }
15384 
15385 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15386 				     struct cfg80211_sar_specs *sar_specs,
15387 				     struct nlattr *spec[], int index)
15388 {
15389 	u32 range_index, i;
15390 
15391 	if (!sar_specs || !spec)
15392 		return -EINVAL;
15393 
15394 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15395 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15396 		return -EINVAL;
15397 
15398 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15399 
15400 	/* check if range_index exceeds num_freq_ranges */
15401 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15402 		return -EINVAL;
15403 
15404 	/* check if range_index duplicates */
15405 	for (i = 0; i < index; i++) {
15406 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15407 			return -EINVAL;
15408 	}
15409 
15410 	sar_specs->sub_specs[index].power =
15411 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15412 
15413 	sar_specs->sub_specs[index].freq_range_index = range_index;
15414 
15415 	return 0;
15416 }
15417 
15418 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15419 {
15420 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15421 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15422 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15423 	struct cfg80211_sar_specs *sar_spec;
15424 	enum nl80211_sar_type type;
15425 	struct nlattr *spec_list;
15426 	u32 specs;
15427 	int rem, err;
15428 
15429 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15430 		return -EOPNOTSUPP;
15431 
15432 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15433 		return -EINVAL;
15434 
15435 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15436 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15437 			 NULL, NULL);
15438 
15439 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15440 		return -EINVAL;
15441 
15442 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15443 	if (type != rdev->wiphy.sar_capa->type)
15444 		return -EINVAL;
15445 
15446 	specs = 0;
15447 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15448 		specs++;
15449 
15450 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15451 		return -EINVAL;
15452 
15453 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15454 	if (!sar_spec)
15455 		return -ENOMEM;
15456 
15457 	sar_spec->type = type;
15458 	specs = 0;
15459 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15460 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15461 				 spec_list, NULL, NULL);
15462 
15463 		switch (type) {
15464 		case NL80211_SAR_TYPE_POWER:
15465 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15466 						      spec, specs)) {
15467 				err = -EINVAL;
15468 				goto error;
15469 			}
15470 			break;
15471 		default:
15472 			err = -EINVAL;
15473 			goto error;
15474 		}
15475 		specs++;
15476 	}
15477 
15478 	sar_spec->num_sub_specs = specs;
15479 
15480 	rdev->cur_cmd_info = info;
15481 	err = rdev_set_sar_specs(rdev, sar_spec);
15482 	rdev->cur_cmd_info = NULL;
15483 error:
15484 	kfree(sar_spec);
15485 	return err;
15486 }
15487 
15488 static const struct genl_ops nl80211_ops[] = {
15489 	{
15490 		.cmd = NL80211_CMD_GET_WIPHY,
15491 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15492 		.doit = nl80211_get_wiphy,
15493 		.dumpit = nl80211_dump_wiphy,
15494 		.done = nl80211_dump_wiphy_done,
15495 		/* can be retrieved by unprivileged users */
15496 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15497 	},
15498 };
15499 
15500 static const struct genl_small_ops nl80211_small_ops[] = {
15501 	{
15502 		.cmd = NL80211_CMD_SET_WIPHY,
15503 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15504 		.doit = nl80211_set_wiphy,
15505 		.flags = GENL_UNS_ADMIN_PERM,
15506 	},
15507 	{
15508 		.cmd = NL80211_CMD_GET_INTERFACE,
15509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15510 		.doit = nl80211_get_interface,
15511 		.dumpit = nl80211_dump_interface,
15512 		/* can be retrieved by unprivileged users */
15513 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15514 	},
15515 	{
15516 		.cmd = NL80211_CMD_SET_INTERFACE,
15517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15518 		.doit = nl80211_set_interface,
15519 		.flags = GENL_UNS_ADMIN_PERM,
15520 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15521 				  NL80211_FLAG_NEED_RTNL,
15522 	},
15523 	{
15524 		.cmd = NL80211_CMD_NEW_INTERFACE,
15525 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15526 		.doit = nl80211_new_interface,
15527 		.flags = GENL_UNS_ADMIN_PERM,
15528 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15529 				  NL80211_FLAG_NEED_RTNL |
15530 				  /* we take the wiphy mutex later ourselves */
15531 				  NL80211_FLAG_NO_WIPHY_MTX,
15532 	},
15533 	{
15534 		.cmd = NL80211_CMD_DEL_INTERFACE,
15535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15536 		.doit = nl80211_del_interface,
15537 		.flags = GENL_UNS_ADMIN_PERM,
15538 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15539 				  NL80211_FLAG_NEED_RTNL,
15540 	},
15541 	{
15542 		.cmd = NL80211_CMD_GET_KEY,
15543 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15544 		.doit = nl80211_get_key,
15545 		.flags = GENL_UNS_ADMIN_PERM,
15546 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15547 	},
15548 	{
15549 		.cmd = NL80211_CMD_SET_KEY,
15550 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15551 		.doit = nl80211_set_key,
15552 		.flags = GENL_UNS_ADMIN_PERM,
15553 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15554 				  NL80211_FLAG_CLEAR_SKB,
15555 	},
15556 	{
15557 		.cmd = NL80211_CMD_NEW_KEY,
15558 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15559 		.doit = nl80211_new_key,
15560 		.flags = GENL_UNS_ADMIN_PERM,
15561 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15562 				  NL80211_FLAG_CLEAR_SKB,
15563 	},
15564 	{
15565 		.cmd = NL80211_CMD_DEL_KEY,
15566 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15567 		.doit = nl80211_del_key,
15568 		.flags = GENL_UNS_ADMIN_PERM,
15569 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15570 	},
15571 	{
15572 		.cmd = NL80211_CMD_SET_BEACON,
15573 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15574 		.flags = GENL_UNS_ADMIN_PERM,
15575 		.doit = nl80211_set_beacon,
15576 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15577 	},
15578 	{
15579 		.cmd = NL80211_CMD_START_AP,
15580 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15581 		.flags = GENL_UNS_ADMIN_PERM,
15582 		.doit = nl80211_start_ap,
15583 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15584 	},
15585 	{
15586 		.cmd = NL80211_CMD_STOP_AP,
15587 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15588 		.flags = GENL_UNS_ADMIN_PERM,
15589 		.doit = nl80211_stop_ap,
15590 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15591 	},
15592 	{
15593 		.cmd = NL80211_CMD_GET_STATION,
15594 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15595 		.doit = nl80211_get_station,
15596 		.dumpit = nl80211_dump_station,
15597 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15598 	},
15599 	{
15600 		.cmd = NL80211_CMD_SET_STATION,
15601 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15602 		.doit = nl80211_set_station,
15603 		.flags = GENL_UNS_ADMIN_PERM,
15604 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15605 	},
15606 	{
15607 		.cmd = NL80211_CMD_NEW_STATION,
15608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15609 		.doit = nl80211_new_station,
15610 		.flags = GENL_UNS_ADMIN_PERM,
15611 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15612 	},
15613 	{
15614 		.cmd = NL80211_CMD_DEL_STATION,
15615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15616 		.doit = nl80211_del_station,
15617 		.flags = GENL_UNS_ADMIN_PERM,
15618 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15619 	},
15620 	{
15621 		.cmd = NL80211_CMD_GET_MPATH,
15622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15623 		.doit = nl80211_get_mpath,
15624 		.dumpit = nl80211_dump_mpath,
15625 		.flags = GENL_UNS_ADMIN_PERM,
15626 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15627 	},
15628 	{
15629 		.cmd = NL80211_CMD_GET_MPP,
15630 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15631 		.doit = nl80211_get_mpp,
15632 		.dumpit = nl80211_dump_mpp,
15633 		.flags = GENL_UNS_ADMIN_PERM,
15634 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15635 	},
15636 	{
15637 		.cmd = NL80211_CMD_SET_MPATH,
15638 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15639 		.doit = nl80211_set_mpath,
15640 		.flags = GENL_UNS_ADMIN_PERM,
15641 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15642 	},
15643 	{
15644 		.cmd = NL80211_CMD_NEW_MPATH,
15645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15646 		.doit = nl80211_new_mpath,
15647 		.flags = GENL_UNS_ADMIN_PERM,
15648 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15649 	},
15650 	{
15651 		.cmd = NL80211_CMD_DEL_MPATH,
15652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15653 		.doit = nl80211_del_mpath,
15654 		.flags = GENL_UNS_ADMIN_PERM,
15655 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15656 	},
15657 	{
15658 		.cmd = NL80211_CMD_SET_BSS,
15659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15660 		.doit = nl80211_set_bss,
15661 		.flags = GENL_UNS_ADMIN_PERM,
15662 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15663 	},
15664 	{
15665 		.cmd = NL80211_CMD_GET_REG,
15666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15667 		.doit = nl80211_get_reg_do,
15668 		.dumpit = nl80211_get_reg_dump,
15669 		.internal_flags = 0,
15670 		/* can be retrieved by unprivileged users */
15671 	},
15672 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15673 	{
15674 		.cmd = NL80211_CMD_SET_REG,
15675 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15676 		.doit = nl80211_set_reg,
15677 		.flags = GENL_ADMIN_PERM,
15678 		.internal_flags = 0,
15679 	},
15680 #endif
15681 	{
15682 		.cmd = NL80211_CMD_REQ_SET_REG,
15683 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15684 		.doit = nl80211_req_set_reg,
15685 		.flags = GENL_ADMIN_PERM,
15686 	},
15687 	{
15688 		.cmd = NL80211_CMD_RELOAD_REGDB,
15689 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15690 		.doit = nl80211_reload_regdb,
15691 		.flags = GENL_ADMIN_PERM,
15692 	},
15693 	{
15694 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15696 		.doit = nl80211_get_mesh_config,
15697 		/* can be retrieved by unprivileged users */
15698 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15699 	},
15700 	{
15701 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15702 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15703 		.doit = nl80211_update_mesh_config,
15704 		.flags = GENL_UNS_ADMIN_PERM,
15705 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15706 	},
15707 	{
15708 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15709 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15710 		.doit = nl80211_trigger_scan,
15711 		.flags = GENL_UNS_ADMIN_PERM,
15712 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15713 	},
15714 	{
15715 		.cmd = NL80211_CMD_ABORT_SCAN,
15716 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15717 		.doit = nl80211_abort_scan,
15718 		.flags = GENL_UNS_ADMIN_PERM,
15719 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15720 	},
15721 	{
15722 		.cmd = NL80211_CMD_GET_SCAN,
15723 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15724 		.dumpit = nl80211_dump_scan,
15725 	},
15726 	{
15727 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15728 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15729 		.doit = nl80211_start_sched_scan,
15730 		.flags = GENL_UNS_ADMIN_PERM,
15731 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15732 	},
15733 	{
15734 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15736 		.doit = nl80211_stop_sched_scan,
15737 		.flags = GENL_UNS_ADMIN_PERM,
15738 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15739 	},
15740 	{
15741 		.cmd = NL80211_CMD_AUTHENTICATE,
15742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15743 		.doit = nl80211_authenticate,
15744 		.flags = GENL_UNS_ADMIN_PERM,
15745 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15746 				  0 |
15747 				  NL80211_FLAG_CLEAR_SKB,
15748 	},
15749 	{
15750 		.cmd = NL80211_CMD_ASSOCIATE,
15751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15752 		.doit = nl80211_associate,
15753 		.flags = GENL_UNS_ADMIN_PERM,
15754 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15755 				  0 |
15756 				  NL80211_FLAG_CLEAR_SKB,
15757 	},
15758 	{
15759 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15761 		.doit = nl80211_deauthenticate,
15762 		.flags = GENL_UNS_ADMIN_PERM,
15763 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15764 	},
15765 	{
15766 		.cmd = NL80211_CMD_DISASSOCIATE,
15767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15768 		.doit = nl80211_disassociate,
15769 		.flags = GENL_UNS_ADMIN_PERM,
15770 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15771 	},
15772 	{
15773 		.cmd = NL80211_CMD_JOIN_IBSS,
15774 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15775 		.doit = nl80211_join_ibss,
15776 		.flags = GENL_UNS_ADMIN_PERM,
15777 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15778 	},
15779 	{
15780 		.cmd = NL80211_CMD_LEAVE_IBSS,
15781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15782 		.doit = nl80211_leave_ibss,
15783 		.flags = GENL_UNS_ADMIN_PERM,
15784 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15785 	},
15786 #ifdef CONFIG_NL80211_TESTMODE
15787 	{
15788 		.cmd = NL80211_CMD_TESTMODE,
15789 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15790 		.doit = nl80211_testmode_do,
15791 		.dumpit = nl80211_testmode_dump,
15792 		.flags = GENL_UNS_ADMIN_PERM,
15793 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15794 	},
15795 #endif
15796 	{
15797 		.cmd = NL80211_CMD_CONNECT,
15798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15799 		.doit = nl80211_connect,
15800 		.flags = GENL_UNS_ADMIN_PERM,
15801 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15802 				  0 |
15803 				  NL80211_FLAG_CLEAR_SKB,
15804 	},
15805 	{
15806 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15808 		.doit = nl80211_update_connect_params,
15809 		.flags = GENL_ADMIN_PERM,
15810 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15811 				  0 |
15812 				  NL80211_FLAG_CLEAR_SKB,
15813 	},
15814 	{
15815 		.cmd = NL80211_CMD_DISCONNECT,
15816 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15817 		.doit = nl80211_disconnect,
15818 		.flags = GENL_UNS_ADMIN_PERM,
15819 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15820 	},
15821 	{
15822 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15823 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15824 		.doit = nl80211_wiphy_netns,
15825 		.flags = GENL_UNS_ADMIN_PERM,
15826 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15827 				  NL80211_FLAG_NEED_RTNL |
15828 				  NL80211_FLAG_NO_WIPHY_MTX,
15829 	},
15830 	{
15831 		.cmd = NL80211_CMD_GET_SURVEY,
15832 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15833 		.dumpit = nl80211_dump_survey,
15834 	},
15835 	{
15836 		.cmd = NL80211_CMD_SET_PMKSA,
15837 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15838 		.doit = nl80211_setdel_pmksa,
15839 		.flags = GENL_UNS_ADMIN_PERM,
15840 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15841 				  0 |
15842 				  NL80211_FLAG_CLEAR_SKB,
15843 	},
15844 	{
15845 		.cmd = NL80211_CMD_DEL_PMKSA,
15846 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15847 		.doit = nl80211_setdel_pmksa,
15848 		.flags = GENL_UNS_ADMIN_PERM,
15849 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15850 	},
15851 	{
15852 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15853 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15854 		.doit = nl80211_flush_pmksa,
15855 		.flags = GENL_UNS_ADMIN_PERM,
15856 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15857 	},
15858 	{
15859 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15861 		.doit = nl80211_remain_on_channel,
15862 		.flags = GENL_UNS_ADMIN_PERM,
15863 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15864 	},
15865 	{
15866 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15867 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15868 		.doit = nl80211_cancel_remain_on_channel,
15869 		.flags = GENL_UNS_ADMIN_PERM,
15870 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15871 	},
15872 	{
15873 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15875 		.doit = nl80211_set_tx_bitrate_mask,
15876 		.flags = GENL_UNS_ADMIN_PERM,
15877 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15878 	},
15879 	{
15880 		.cmd = NL80211_CMD_REGISTER_FRAME,
15881 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15882 		.doit = nl80211_register_mgmt,
15883 		.flags = GENL_UNS_ADMIN_PERM,
15884 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15885 	},
15886 	{
15887 		.cmd = NL80211_CMD_FRAME,
15888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15889 		.doit = nl80211_tx_mgmt,
15890 		.flags = GENL_UNS_ADMIN_PERM,
15891 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15892 	},
15893 	{
15894 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15896 		.doit = nl80211_tx_mgmt_cancel_wait,
15897 		.flags = GENL_UNS_ADMIN_PERM,
15898 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15899 	},
15900 	{
15901 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15902 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15903 		.doit = nl80211_set_power_save,
15904 		.flags = GENL_UNS_ADMIN_PERM,
15905 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15906 	},
15907 	{
15908 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15910 		.doit = nl80211_get_power_save,
15911 		/* can be retrieved by unprivileged users */
15912 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15913 	},
15914 	{
15915 		.cmd = NL80211_CMD_SET_CQM,
15916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15917 		.doit = nl80211_set_cqm,
15918 		.flags = GENL_UNS_ADMIN_PERM,
15919 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15920 	},
15921 	{
15922 		.cmd = NL80211_CMD_SET_CHANNEL,
15923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15924 		.doit = nl80211_set_channel,
15925 		.flags = GENL_UNS_ADMIN_PERM,
15926 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15927 	},
15928 	{
15929 		.cmd = NL80211_CMD_JOIN_MESH,
15930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15931 		.doit = nl80211_join_mesh,
15932 		.flags = GENL_UNS_ADMIN_PERM,
15933 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15934 	},
15935 	{
15936 		.cmd = NL80211_CMD_LEAVE_MESH,
15937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15938 		.doit = nl80211_leave_mesh,
15939 		.flags = GENL_UNS_ADMIN_PERM,
15940 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15941 	},
15942 	{
15943 		.cmd = NL80211_CMD_JOIN_OCB,
15944 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15945 		.doit = nl80211_join_ocb,
15946 		.flags = GENL_UNS_ADMIN_PERM,
15947 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15948 	},
15949 	{
15950 		.cmd = NL80211_CMD_LEAVE_OCB,
15951 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15952 		.doit = nl80211_leave_ocb,
15953 		.flags = GENL_UNS_ADMIN_PERM,
15954 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15955 	},
15956 #ifdef CONFIG_PM
15957 	{
15958 		.cmd = NL80211_CMD_GET_WOWLAN,
15959 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15960 		.doit = nl80211_get_wowlan,
15961 		/* can be retrieved by unprivileged users */
15962 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15963 	},
15964 	{
15965 		.cmd = NL80211_CMD_SET_WOWLAN,
15966 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15967 		.doit = nl80211_set_wowlan,
15968 		.flags = GENL_UNS_ADMIN_PERM,
15969 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15970 	},
15971 #endif
15972 	{
15973 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15974 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15975 		.doit = nl80211_set_rekey_data,
15976 		.flags = GENL_UNS_ADMIN_PERM,
15977 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15978 				  0 |
15979 				  NL80211_FLAG_CLEAR_SKB,
15980 	},
15981 	{
15982 		.cmd = NL80211_CMD_TDLS_MGMT,
15983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15984 		.doit = nl80211_tdls_mgmt,
15985 		.flags = GENL_UNS_ADMIN_PERM,
15986 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15987 	},
15988 	{
15989 		.cmd = NL80211_CMD_TDLS_OPER,
15990 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15991 		.doit = nl80211_tdls_oper,
15992 		.flags = GENL_UNS_ADMIN_PERM,
15993 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15994 	},
15995 	{
15996 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15997 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15998 		.doit = nl80211_register_unexpected_frame,
15999 		.flags = GENL_UNS_ADMIN_PERM,
16000 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16001 	},
16002 	{
16003 		.cmd = NL80211_CMD_PROBE_CLIENT,
16004 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16005 		.doit = nl80211_probe_client,
16006 		.flags = GENL_UNS_ADMIN_PERM,
16007 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16008 	},
16009 	{
16010 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16011 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16012 		.doit = nl80211_register_beacons,
16013 		.flags = GENL_UNS_ADMIN_PERM,
16014 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16015 	},
16016 	{
16017 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16018 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16019 		.doit = nl80211_set_noack_map,
16020 		.flags = GENL_UNS_ADMIN_PERM,
16021 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16022 	},
16023 	{
16024 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16026 		.doit = nl80211_start_p2p_device,
16027 		.flags = GENL_UNS_ADMIN_PERM,
16028 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16029 				  NL80211_FLAG_NEED_RTNL,
16030 	},
16031 	{
16032 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16034 		.doit = nl80211_stop_p2p_device,
16035 		.flags = GENL_UNS_ADMIN_PERM,
16036 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16037 				  NL80211_FLAG_NEED_RTNL,
16038 	},
16039 	{
16040 		.cmd = NL80211_CMD_START_NAN,
16041 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16042 		.doit = nl80211_start_nan,
16043 		.flags = GENL_ADMIN_PERM,
16044 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16045 				  NL80211_FLAG_NEED_RTNL,
16046 	},
16047 	{
16048 		.cmd = NL80211_CMD_STOP_NAN,
16049 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16050 		.doit = nl80211_stop_nan,
16051 		.flags = GENL_ADMIN_PERM,
16052 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16053 				  NL80211_FLAG_NEED_RTNL,
16054 	},
16055 	{
16056 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16057 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16058 		.doit = nl80211_nan_add_func,
16059 		.flags = GENL_ADMIN_PERM,
16060 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16061 	},
16062 	{
16063 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16064 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16065 		.doit = nl80211_nan_del_func,
16066 		.flags = GENL_ADMIN_PERM,
16067 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16068 	},
16069 	{
16070 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16072 		.doit = nl80211_nan_change_config,
16073 		.flags = GENL_ADMIN_PERM,
16074 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16075 	},
16076 	{
16077 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16078 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16079 		.doit = nl80211_set_mcast_rate,
16080 		.flags = GENL_UNS_ADMIN_PERM,
16081 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16082 	},
16083 	{
16084 		.cmd = NL80211_CMD_SET_MAC_ACL,
16085 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16086 		.doit = nl80211_set_mac_acl,
16087 		.flags = GENL_UNS_ADMIN_PERM,
16088 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16089 	},
16090 	{
16091 		.cmd = NL80211_CMD_RADAR_DETECT,
16092 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16093 		.doit = nl80211_start_radar_detection,
16094 		.flags = GENL_UNS_ADMIN_PERM,
16095 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16096 				  NL80211_FLAG_NO_WIPHY_MTX,
16097 	},
16098 	{
16099 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16101 		.doit = nl80211_get_protocol_features,
16102 	},
16103 	{
16104 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16105 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16106 		.doit = nl80211_update_ft_ies,
16107 		.flags = GENL_UNS_ADMIN_PERM,
16108 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16109 	},
16110 	{
16111 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16113 		.doit = nl80211_crit_protocol_start,
16114 		.flags = GENL_UNS_ADMIN_PERM,
16115 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16116 	},
16117 	{
16118 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16120 		.doit = nl80211_crit_protocol_stop,
16121 		.flags = GENL_UNS_ADMIN_PERM,
16122 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16123 	},
16124 	{
16125 		.cmd = NL80211_CMD_GET_COALESCE,
16126 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16127 		.doit = nl80211_get_coalesce,
16128 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16129 	},
16130 	{
16131 		.cmd = NL80211_CMD_SET_COALESCE,
16132 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16133 		.doit = nl80211_set_coalesce,
16134 		.flags = GENL_UNS_ADMIN_PERM,
16135 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16136 	},
16137 	{
16138 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16139 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16140 		.doit = nl80211_channel_switch,
16141 		.flags = GENL_UNS_ADMIN_PERM,
16142 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16143 	},
16144 	{
16145 		.cmd = NL80211_CMD_VENDOR,
16146 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16147 		.doit = nl80211_vendor_cmd,
16148 		.dumpit = nl80211_vendor_cmd_dump,
16149 		.flags = GENL_UNS_ADMIN_PERM,
16150 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16151 				  0 |
16152 				  NL80211_FLAG_CLEAR_SKB,
16153 	},
16154 	{
16155 		.cmd = NL80211_CMD_SET_QOS_MAP,
16156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16157 		.doit = nl80211_set_qos_map,
16158 		.flags = GENL_UNS_ADMIN_PERM,
16159 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16160 	},
16161 	{
16162 		.cmd = NL80211_CMD_ADD_TX_TS,
16163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16164 		.doit = nl80211_add_tx_ts,
16165 		.flags = GENL_UNS_ADMIN_PERM,
16166 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16167 	},
16168 	{
16169 		.cmd = NL80211_CMD_DEL_TX_TS,
16170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16171 		.doit = nl80211_del_tx_ts,
16172 		.flags = GENL_UNS_ADMIN_PERM,
16173 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16174 	},
16175 	{
16176 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16177 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16178 		.doit = nl80211_tdls_channel_switch,
16179 		.flags = GENL_UNS_ADMIN_PERM,
16180 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16181 	},
16182 	{
16183 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16184 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16185 		.doit = nl80211_tdls_cancel_channel_switch,
16186 		.flags = GENL_UNS_ADMIN_PERM,
16187 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16188 	},
16189 	{
16190 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16191 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16192 		.doit = nl80211_set_multicast_to_unicast,
16193 		.flags = GENL_UNS_ADMIN_PERM,
16194 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16195 	},
16196 	{
16197 		.cmd = NL80211_CMD_SET_PMK,
16198 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16199 		.doit = nl80211_set_pmk,
16200 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16201 				  0 |
16202 				  NL80211_FLAG_CLEAR_SKB,
16203 	},
16204 	{
16205 		.cmd = NL80211_CMD_DEL_PMK,
16206 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16207 		.doit = nl80211_del_pmk,
16208 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16209 	},
16210 	{
16211 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16212 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16213 		.doit = nl80211_external_auth,
16214 		.flags = GENL_ADMIN_PERM,
16215 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16216 	},
16217 	{
16218 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16219 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16220 		.doit = nl80211_tx_control_port,
16221 		.flags = GENL_UNS_ADMIN_PERM,
16222 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16223 	},
16224 	{
16225 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16227 		.doit = nl80211_get_ftm_responder_stats,
16228 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16229 	},
16230 	{
16231 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16232 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16233 		.doit = nl80211_pmsr_start,
16234 		.flags = GENL_UNS_ADMIN_PERM,
16235 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16236 	},
16237 	{
16238 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16239 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16240 		.doit = nl80211_notify_radar_detection,
16241 		.flags = GENL_UNS_ADMIN_PERM,
16242 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16243 	},
16244 	{
16245 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16246 		.doit = nl80211_update_owe_info,
16247 		.flags = GENL_ADMIN_PERM,
16248 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16249 	},
16250 	{
16251 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16252 		.doit = nl80211_probe_mesh_link,
16253 		.flags = GENL_UNS_ADMIN_PERM,
16254 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16255 	},
16256 	{
16257 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16258 		.doit = nl80211_set_tid_config,
16259 		.flags = GENL_UNS_ADMIN_PERM,
16260 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16261 	},
16262 	{
16263 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16264 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16265 		.doit = nl80211_set_sar_specs,
16266 		.flags = GENL_UNS_ADMIN_PERM,
16267 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16268 				  NL80211_FLAG_NEED_RTNL,
16269 	},
16270 	{
16271 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16272 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16273 		.doit = nl80211_color_change,
16274 		.flags = GENL_UNS_ADMIN_PERM,
16275 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16276 				  NL80211_FLAG_NEED_RTNL,
16277 	},
16278 	{
16279 		.cmd = NL80211_CMD_SET_FILS_AAD,
16280 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16281 		.doit = nl80211_set_fils_aad,
16282 		.flags = GENL_UNS_ADMIN_PERM,
16283 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16284 	},
16285 };
16286 
16287 static struct genl_family nl80211_fam __ro_after_init = {
16288 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16289 	.hdrsize = 0,			/* no private header */
16290 	.version = 1,			/* no particular meaning now */
16291 	.maxattr = NL80211_ATTR_MAX,
16292 	.policy = nl80211_policy,
16293 	.netnsok = true,
16294 	.pre_doit = nl80211_pre_doit,
16295 	.post_doit = nl80211_post_doit,
16296 	.module = THIS_MODULE,
16297 	.ops = nl80211_ops,
16298 	.n_ops = ARRAY_SIZE(nl80211_ops),
16299 	.small_ops = nl80211_small_ops,
16300 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16301 	.mcgrps = nl80211_mcgrps,
16302 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16303 	.parallel_ops = true,
16304 };
16305 
16306 /* notification functions */
16307 
16308 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16309 			  enum nl80211_commands cmd)
16310 {
16311 	struct sk_buff *msg;
16312 	struct nl80211_dump_wiphy_state state = {};
16313 
16314 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16315 		cmd != NL80211_CMD_DEL_WIPHY);
16316 
16317 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16318 	if (!msg)
16319 		return;
16320 
16321 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16322 		nlmsg_free(msg);
16323 		return;
16324 	}
16325 
16326 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16327 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16328 }
16329 
16330 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16331 				struct wireless_dev *wdev,
16332 				enum nl80211_commands cmd)
16333 {
16334 	struct sk_buff *msg;
16335 
16336 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16337 	if (!msg)
16338 		return;
16339 
16340 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16341 		nlmsg_free(msg);
16342 		return;
16343 	}
16344 
16345 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16346 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16347 }
16348 
16349 static int nl80211_add_scan_req(struct sk_buff *msg,
16350 				struct cfg80211_registered_device *rdev)
16351 {
16352 	struct cfg80211_scan_request *req = rdev->scan_req;
16353 	struct nlattr *nest;
16354 	int i;
16355 	struct cfg80211_scan_info *info;
16356 
16357 	if (WARN_ON(!req))
16358 		return 0;
16359 
16360 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16361 	if (!nest)
16362 		goto nla_put_failure;
16363 	for (i = 0; i < req->n_ssids; i++) {
16364 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16365 			goto nla_put_failure;
16366 	}
16367 	nla_nest_end(msg, nest);
16368 
16369 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16370 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16371 		if (!nest)
16372 			goto nla_put_failure;
16373 		for (i = 0; i < req->n_channels; i++) {
16374 			if (nla_put_u32(msg, i,
16375 				   ieee80211_channel_to_khz(req->channels[i])))
16376 				goto nla_put_failure;
16377 		}
16378 		nla_nest_end(msg, nest);
16379 	} else {
16380 		nest = nla_nest_start_noflag(msg,
16381 					     NL80211_ATTR_SCAN_FREQUENCIES);
16382 		if (!nest)
16383 			goto nla_put_failure;
16384 		for (i = 0; i < req->n_channels; i++) {
16385 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16386 				goto nla_put_failure;
16387 		}
16388 		nla_nest_end(msg, nest);
16389 	}
16390 
16391 	if (req->ie &&
16392 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16393 		goto nla_put_failure;
16394 
16395 	if (req->flags &&
16396 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16397 		goto nla_put_failure;
16398 
16399 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16400 		&rdev->scan_req->info;
16401 	if (info->scan_start_tsf &&
16402 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16403 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16404 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16405 		     info->tsf_bssid)))
16406 		goto nla_put_failure;
16407 
16408 	return 0;
16409  nla_put_failure:
16410 	return -ENOBUFS;
16411 }
16412 
16413 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16414 				 struct cfg80211_registered_device *rdev,
16415 				 struct wireless_dev *wdev,
16416 				 u32 portid, u32 seq, int flags,
16417 				 u32 cmd)
16418 {
16419 	void *hdr;
16420 
16421 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16422 	if (!hdr)
16423 		return -1;
16424 
16425 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16426 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16427 					 wdev->netdev->ifindex)) ||
16428 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16429 			      NL80211_ATTR_PAD))
16430 		goto nla_put_failure;
16431 
16432 	/* ignore errors and send incomplete event anyway */
16433 	nl80211_add_scan_req(msg, rdev);
16434 
16435 	genlmsg_end(msg, hdr);
16436 	return 0;
16437 
16438  nla_put_failure:
16439 	genlmsg_cancel(msg, hdr);
16440 	return -EMSGSIZE;
16441 }
16442 
16443 static int
16444 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16445 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16446 {
16447 	void *hdr;
16448 
16449 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16450 	if (!hdr)
16451 		return -1;
16452 
16453 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16454 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16455 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16456 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16457 			      NL80211_ATTR_PAD))
16458 		goto nla_put_failure;
16459 
16460 	genlmsg_end(msg, hdr);
16461 	return 0;
16462 
16463  nla_put_failure:
16464 	genlmsg_cancel(msg, hdr);
16465 	return -EMSGSIZE;
16466 }
16467 
16468 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16469 			     struct wireless_dev *wdev)
16470 {
16471 	struct sk_buff *msg;
16472 
16473 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16474 	if (!msg)
16475 		return;
16476 
16477 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16478 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16479 		nlmsg_free(msg);
16480 		return;
16481 	}
16482 
16483 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16484 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16485 }
16486 
16487 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16488 				       struct wireless_dev *wdev, bool aborted)
16489 {
16490 	struct sk_buff *msg;
16491 
16492 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16493 	if (!msg)
16494 		return NULL;
16495 
16496 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16497 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16498 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16499 		nlmsg_free(msg);
16500 		return NULL;
16501 	}
16502 
16503 	return msg;
16504 }
16505 
16506 /* send message created by nl80211_build_scan_msg() */
16507 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16508 			   struct sk_buff *msg)
16509 {
16510 	if (!msg)
16511 		return;
16512 
16513 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16514 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16515 }
16516 
16517 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16518 {
16519 	struct sk_buff *msg;
16520 
16521 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16522 	if (!msg)
16523 		return;
16524 
16525 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16526 		nlmsg_free(msg);
16527 		return;
16528 	}
16529 
16530 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16531 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16532 }
16533 
16534 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16535 					  struct regulatory_request *request)
16536 {
16537 	/* Userspace can always count this one always being set */
16538 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16539 		goto nla_put_failure;
16540 
16541 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16542 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16543 			       NL80211_REGDOM_TYPE_WORLD))
16544 			goto nla_put_failure;
16545 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16546 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16547 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16548 			goto nla_put_failure;
16549 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16550 		   request->intersect) {
16551 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16552 			       NL80211_REGDOM_TYPE_INTERSECTION))
16553 			goto nla_put_failure;
16554 	} else {
16555 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16556 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16557 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16558 				   request->alpha2))
16559 			goto nla_put_failure;
16560 	}
16561 
16562 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16563 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16564 
16565 		if (wiphy &&
16566 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16567 			goto nla_put_failure;
16568 
16569 		if (wiphy &&
16570 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16571 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16572 			goto nla_put_failure;
16573 	}
16574 
16575 	return true;
16576 
16577 nla_put_failure:
16578 	return false;
16579 }
16580 
16581 /*
16582  * This can happen on global regulatory changes or device specific settings
16583  * based on custom regulatory domains.
16584  */
16585 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16586 				     struct regulatory_request *request)
16587 {
16588 	struct sk_buff *msg;
16589 	void *hdr;
16590 
16591 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16592 	if (!msg)
16593 		return;
16594 
16595 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16596 	if (!hdr)
16597 		goto nla_put_failure;
16598 
16599 	if (!nl80211_reg_change_event_fill(msg, request))
16600 		goto nla_put_failure;
16601 
16602 	genlmsg_end(msg, hdr);
16603 
16604 	rcu_read_lock();
16605 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16606 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16607 	rcu_read_unlock();
16608 
16609 	return;
16610 
16611 nla_put_failure:
16612 	nlmsg_free(msg);
16613 }
16614 
16615 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16616 				    struct net_device *netdev,
16617 				    const u8 *buf, size_t len,
16618 				    enum nl80211_commands cmd, gfp_t gfp,
16619 				    int uapsd_queues, const u8 *req_ies,
16620 				    size_t req_ies_len, bool reconnect)
16621 {
16622 	struct sk_buff *msg;
16623 	void *hdr;
16624 
16625 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16626 	if (!msg)
16627 		return;
16628 
16629 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16630 	if (!hdr) {
16631 		nlmsg_free(msg);
16632 		return;
16633 	}
16634 
16635 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16636 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16637 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16638 	    (req_ies &&
16639 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16640 		goto nla_put_failure;
16641 
16642 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16643 		goto nla_put_failure;
16644 
16645 	if (uapsd_queues >= 0) {
16646 		struct nlattr *nla_wmm =
16647 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16648 		if (!nla_wmm)
16649 			goto nla_put_failure;
16650 
16651 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16652 			       uapsd_queues))
16653 			goto nla_put_failure;
16654 
16655 		nla_nest_end(msg, nla_wmm);
16656 	}
16657 
16658 	genlmsg_end(msg, hdr);
16659 
16660 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16661 				NL80211_MCGRP_MLME, gfp);
16662 	return;
16663 
16664  nla_put_failure:
16665 	nlmsg_free(msg);
16666 }
16667 
16668 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16669 			  struct net_device *netdev, const u8 *buf,
16670 			  size_t len, gfp_t gfp)
16671 {
16672 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16673 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16674 				false);
16675 }
16676 
16677 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16678 			   struct net_device *netdev, const u8 *buf,
16679 			   size_t len, gfp_t gfp, int uapsd_queues,
16680 			   const u8 *req_ies, size_t req_ies_len)
16681 {
16682 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16683 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16684 				req_ies, req_ies_len, false);
16685 }
16686 
16687 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16688 			 struct net_device *netdev, const u8 *buf,
16689 			 size_t len, bool reconnect, gfp_t gfp)
16690 {
16691 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16692 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16693 				reconnect);
16694 }
16695 
16696 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16697 			   struct net_device *netdev, const u8 *buf,
16698 			   size_t len, bool reconnect, gfp_t gfp)
16699 {
16700 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16701 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16702 				reconnect);
16703 }
16704 
16705 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16706 				  size_t len)
16707 {
16708 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16709 	struct wiphy *wiphy = wdev->wiphy;
16710 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16711 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16712 	u32 cmd;
16713 
16714 	if (WARN_ON(len < 2))
16715 		return;
16716 
16717 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16718 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16719 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16720 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16721 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16722 		if (wdev->unprot_beacon_reported &&
16723 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16724 			return;
16725 		cmd = NL80211_CMD_UNPROT_BEACON;
16726 		wdev->unprot_beacon_reported = jiffies;
16727 	} else {
16728 		return;
16729 	}
16730 
16731 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16732 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16733 				NULL, 0, false);
16734 }
16735 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16736 
16737 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16738 				      struct net_device *netdev, int cmd,
16739 				      const u8 *addr, gfp_t gfp)
16740 {
16741 	struct sk_buff *msg;
16742 	void *hdr;
16743 
16744 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16745 	if (!msg)
16746 		return;
16747 
16748 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16749 	if (!hdr) {
16750 		nlmsg_free(msg);
16751 		return;
16752 	}
16753 
16754 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16755 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16756 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16757 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16758 		goto nla_put_failure;
16759 
16760 	genlmsg_end(msg, hdr);
16761 
16762 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16763 				NL80211_MCGRP_MLME, gfp);
16764 	return;
16765 
16766  nla_put_failure:
16767 	nlmsg_free(msg);
16768 }
16769 
16770 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16771 			       struct net_device *netdev, const u8 *addr,
16772 			       gfp_t gfp)
16773 {
16774 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16775 				  addr, gfp);
16776 }
16777 
16778 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16779 				struct net_device *netdev, const u8 *addr,
16780 				gfp_t gfp)
16781 {
16782 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16783 				  addr, gfp);
16784 }
16785 
16786 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16787 				 struct net_device *netdev,
16788 				 struct cfg80211_connect_resp_params *cr,
16789 				 gfp_t gfp)
16790 {
16791 	struct sk_buff *msg;
16792 	void *hdr;
16793 
16794 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16795 			cr->fils.kek_len + cr->fils.pmk_len +
16796 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16797 	if (!msg)
16798 		return;
16799 
16800 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16801 	if (!hdr) {
16802 		nlmsg_free(msg);
16803 		return;
16804 	}
16805 
16806 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16807 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16808 	    (cr->bssid &&
16809 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16810 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16811 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16812 			cr->status) ||
16813 	    (cr->status < 0 &&
16814 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16815 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16816 			  cr->timeout_reason))) ||
16817 	    (cr->req_ie &&
16818 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16819 	    (cr->resp_ie &&
16820 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16821 		     cr->resp_ie)) ||
16822 	    (cr->fils.update_erp_next_seq_num &&
16823 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16824 			 cr->fils.erp_next_seq_num)) ||
16825 	    (cr->status == WLAN_STATUS_SUCCESS &&
16826 	     ((cr->fils.kek &&
16827 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16828 		       cr->fils.kek)) ||
16829 	      (cr->fils.pmk &&
16830 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16831 	      (cr->fils.pmkid &&
16832 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16833 		goto nla_put_failure;
16834 
16835 	genlmsg_end(msg, hdr);
16836 
16837 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16838 				NL80211_MCGRP_MLME, gfp);
16839 	return;
16840 
16841  nla_put_failure:
16842 	nlmsg_free(msg);
16843 }
16844 
16845 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16846 			 struct net_device *netdev,
16847 			 struct cfg80211_roam_info *info, gfp_t gfp)
16848 {
16849 	struct sk_buff *msg;
16850 	void *hdr;
16851 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16852 
16853 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16854 			info->fils.kek_len + info->fils.pmk_len +
16855 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16856 	if (!msg)
16857 		return;
16858 
16859 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16860 	if (!hdr) {
16861 		nlmsg_free(msg);
16862 		return;
16863 	}
16864 
16865 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16866 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16867 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16868 	    (info->req_ie &&
16869 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16870 		     info->req_ie)) ||
16871 	    (info->resp_ie &&
16872 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16873 		     info->resp_ie)) ||
16874 	    (info->fils.update_erp_next_seq_num &&
16875 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16876 			 info->fils.erp_next_seq_num)) ||
16877 	    (info->fils.kek &&
16878 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16879 		     info->fils.kek)) ||
16880 	    (info->fils.pmk &&
16881 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16882 	    (info->fils.pmkid &&
16883 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16884 		goto nla_put_failure;
16885 
16886 	genlmsg_end(msg, hdr);
16887 
16888 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16889 				NL80211_MCGRP_MLME, gfp);
16890 	return;
16891 
16892  nla_put_failure:
16893 	nlmsg_free(msg);
16894 }
16895 
16896 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16897 				  struct net_device *netdev, const u8 *bssid)
16898 {
16899 	struct sk_buff *msg;
16900 	void *hdr;
16901 
16902 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16903 	if (!msg)
16904 		return;
16905 
16906 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16907 	if (!hdr) {
16908 		nlmsg_free(msg);
16909 		return;
16910 	}
16911 
16912 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16913 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16914 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16915 		goto nla_put_failure;
16916 
16917 	genlmsg_end(msg, hdr);
16918 
16919 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16920 				NL80211_MCGRP_MLME, GFP_KERNEL);
16921 	return;
16922 
16923  nla_put_failure:
16924 	nlmsg_free(msg);
16925 }
16926 
16927 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16928 			       struct net_device *netdev, u16 reason,
16929 			       const u8 *ie, size_t ie_len, bool from_ap)
16930 {
16931 	struct sk_buff *msg;
16932 	void *hdr;
16933 
16934 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16935 	if (!msg)
16936 		return;
16937 
16938 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16939 	if (!hdr) {
16940 		nlmsg_free(msg);
16941 		return;
16942 	}
16943 
16944 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16945 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16946 	    (reason &&
16947 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16948 	    (from_ap &&
16949 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16950 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16951 		goto nla_put_failure;
16952 
16953 	genlmsg_end(msg, hdr);
16954 
16955 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16956 				NL80211_MCGRP_MLME, GFP_KERNEL);
16957 	return;
16958 
16959  nla_put_failure:
16960 	nlmsg_free(msg);
16961 }
16962 
16963 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16964 			     struct net_device *netdev, const u8 *bssid,
16965 			     gfp_t gfp)
16966 {
16967 	struct sk_buff *msg;
16968 	void *hdr;
16969 
16970 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16971 	if (!msg)
16972 		return;
16973 
16974 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16975 	if (!hdr) {
16976 		nlmsg_free(msg);
16977 		return;
16978 	}
16979 
16980 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16981 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16982 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16983 		goto nla_put_failure;
16984 
16985 	genlmsg_end(msg, hdr);
16986 
16987 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16988 				NL80211_MCGRP_MLME, gfp);
16989 	return;
16990 
16991  nla_put_failure:
16992 	nlmsg_free(msg);
16993 }
16994 
16995 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16996 					const u8 *ie, u8 ie_len,
16997 					int sig_dbm, gfp_t gfp)
16998 {
16999 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17000 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17001 	struct sk_buff *msg;
17002 	void *hdr;
17003 
17004 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17005 		return;
17006 
17007 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17008 
17009 	msg = nlmsg_new(100 + ie_len, gfp);
17010 	if (!msg)
17011 		return;
17012 
17013 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17014 	if (!hdr) {
17015 		nlmsg_free(msg);
17016 		return;
17017 	}
17018 
17019 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17020 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17021 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17022 	    (ie_len && ie &&
17023 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17024 	    (sig_dbm &&
17025 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17026 		goto nla_put_failure;
17027 
17028 	genlmsg_end(msg, hdr);
17029 
17030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17031 				NL80211_MCGRP_MLME, gfp);
17032 	return;
17033 
17034  nla_put_failure:
17035 	nlmsg_free(msg);
17036 }
17037 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17038 
17039 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17040 				 struct net_device *netdev, const u8 *addr,
17041 				 enum nl80211_key_type key_type, int key_id,
17042 				 const u8 *tsc, gfp_t gfp)
17043 {
17044 	struct sk_buff *msg;
17045 	void *hdr;
17046 
17047 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17048 	if (!msg)
17049 		return;
17050 
17051 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17052 	if (!hdr) {
17053 		nlmsg_free(msg);
17054 		return;
17055 	}
17056 
17057 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17058 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17059 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
17060 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
17061 	    (key_id != -1 &&
17062 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
17063 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
17064 		goto nla_put_failure;
17065 
17066 	genlmsg_end(msg, hdr);
17067 
17068 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17069 				NL80211_MCGRP_MLME, gfp);
17070 	return;
17071 
17072  nla_put_failure:
17073 	nlmsg_free(msg);
17074 }
17075 
17076 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
17077 				    struct ieee80211_channel *channel_before,
17078 				    struct ieee80211_channel *channel_after)
17079 {
17080 	struct sk_buff *msg;
17081 	void *hdr;
17082 	struct nlattr *nl_freq;
17083 
17084 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
17085 	if (!msg)
17086 		return;
17087 
17088 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
17089 	if (!hdr) {
17090 		nlmsg_free(msg);
17091 		return;
17092 	}
17093 
17094 	/*
17095 	 * Since we are applying the beacon hint to a wiphy we know its
17096 	 * wiphy_idx is valid
17097 	 */
17098 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17099 		goto nla_put_failure;
17100 
17101 	/* Before */
17102 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17103 	if (!nl_freq)
17104 		goto nla_put_failure;
17105 
17106 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17107 		goto nla_put_failure;
17108 	nla_nest_end(msg, nl_freq);
17109 
17110 	/* After */
17111 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17112 	if (!nl_freq)
17113 		goto nla_put_failure;
17114 
17115 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17116 		goto nla_put_failure;
17117 	nla_nest_end(msg, nl_freq);
17118 
17119 	genlmsg_end(msg, hdr);
17120 
17121 	rcu_read_lock();
17122 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17123 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17124 	rcu_read_unlock();
17125 
17126 	return;
17127 
17128 nla_put_failure:
17129 	nlmsg_free(msg);
17130 }
17131 
17132 static void nl80211_send_remain_on_chan_event(
17133 	int cmd, struct cfg80211_registered_device *rdev,
17134 	struct wireless_dev *wdev, u64 cookie,
17135 	struct ieee80211_channel *chan,
17136 	unsigned int duration, gfp_t gfp)
17137 {
17138 	struct sk_buff *msg;
17139 	void *hdr;
17140 
17141 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17142 	if (!msg)
17143 		return;
17144 
17145 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17146 	if (!hdr) {
17147 		nlmsg_free(msg);
17148 		return;
17149 	}
17150 
17151 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17152 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17153 					 wdev->netdev->ifindex)) ||
17154 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17155 			      NL80211_ATTR_PAD) ||
17156 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17157 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17158 			NL80211_CHAN_NO_HT) ||
17159 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17160 			      NL80211_ATTR_PAD))
17161 		goto nla_put_failure;
17162 
17163 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17164 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17165 		goto nla_put_failure;
17166 
17167 	genlmsg_end(msg, hdr);
17168 
17169 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17170 				NL80211_MCGRP_MLME, gfp);
17171 	return;
17172 
17173  nla_put_failure:
17174 	nlmsg_free(msg);
17175 }
17176 
17177 void cfg80211_assoc_comeback(struct net_device *netdev,
17178 			     struct cfg80211_bss *bss, u32 timeout)
17179 {
17180 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17181 	struct wiphy *wiphy = wdev->wiphy;
17182 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17183 	struct sk_buff *msg;
17184 	void *hdr;
17185 
17186 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17187 
17188 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17189 	if (!msg)
17190 		return;
17191 
17192 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17193 	if (!hdr) {
17194 		nlmsg_free(msg);
17195 		return;
17196 	}
17197 
17198 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17199 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17200 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17201 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17202 		goto nla_put_failure;
17203 
17204 	genlmsg_end(msg, hdr);
17205 
17206 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17207 				NL80211_MCGRP_MLME, GFP_KERNEL);
17208 	return;
17209 
17210  nla_put_failure:
17211 	nlmsg_free(msg);
17212 }
17213 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17214 
17215 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17216 			       struct ieee80211_channel *chan,
17217 			       unsigned int duration, gfp_t gfp)
17218 {
17219 	struct wiphy *wiphy = wdev->wiphy;
17220 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17221 
17222 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17223 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17224 					  rdev, wdev, cookie, chan,
17225 					  duration, gfp);
17226 }
17227 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17228 
17229 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17230 					struct ieee80211_channel *chan,
17231 					gfp_t gfp)
17232 {
17233 	struct wiphy *wiphy = wdev->wiphy;
17234 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17235 
17236 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17237 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17238 					  rdev, wdev, cookie, chan, 0, gfp);
17239 }
17240 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17241 
17242 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17243 					struct ieee80211_channel *chan,
17244 					gfp_t gfp)
17245 {
17246 	struct wiphy *wiphy = wdev->wiphy;
17247 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17248 
17249 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17250 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17251 					  rdev, wdev, cookie, chan, 0, gfp);
17252 }
17253 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17254 
17255 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17256 		      struct station_info *sinfo, gfp_t gfp)
17257 {
17258 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17259 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17260 	struct sk_buff *msg;
17261 
17262 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17263 
17264 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17265 	if (!msg)
17266 		return;
17267 
17268 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17269 				 rdev, dev, mac_addr, sinfo) < 0) {
17270 		nlmsg_free(msg);
17271 		return;
17272 	}
17273 
17274 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17275 				NL80211_MCGRP_MLME, gfp);
17276 }
17277 EXPORT_SYMBOL(cfg80211_new_sta);
17278 
17279 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17280 			    struct station_info *sinfo, gfp_t gfp)
17281 {
17282 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17283 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17284 	struct sk_buff *msg;
17285 	struct station_info empty_sinfo = {};
17286 
17287 	if (!sinfo)
17288 		sinfo = &empty_sinfo;
17289 
17290 	trace_cfg80211_del_sta(dev, mac_addr);
17291 
17292 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17293 	if (!msg) {
17294 		cfg80211_sinfo_release_content(sinfo);
17295 		return;
17296 	}
17297 
17298 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17299 				 rdev, dev, mac_addr, sinfo) < 0) {
17300 		nlmsg_free(msg);
17301 		return;
17302 	}
17303 
17304 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17305 				NL80211_MCGRP_MLME, gfp);
17306 }
17307 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17308 
17309 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17310 			  enum nl80211_connect_failed_reason reason,
17311 			  gfp_t gfp)
17312 {
17313 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17314 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17315 	struct sk_buff *msg;
17316 	void *hdr;
17317 
17318 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17319 	if (!msg)
17320 		return;
17321 
17322 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17323 	if (!hdr) {
17324 		nlmsg_free(msg);
17325 		return;
17326 	}
17327 
17328 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17329 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17330 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17331 		goto nla_put_failure;
17332 
17333 	genlmsg_end(msg, hdr);
17334 
17335 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17336 				NL80211_MCGRP_MLME, gfp);
17337 	return;
17338 
17339  nla_put_failure:
17340 	nlmsg_free(msg);
17341 }
17342 EXPORT_SYMBOL(cfg80211_conn_failed);
17343 
17344 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17345 				       const u8 *addr, gfp_t gfp)
17346 {
17347 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17348 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17349 	struct sk_buff *msg;
17350 	void *hdr;
17351 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17352 
17353 	if (!nlportid)
17354 		return false;
17355 
17356 	msg = nlmsg_new(100, gfp);
17357 	if (!msg)
17358 		return true;
17359 
17360 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17361 	if (!hdr) {
17362 		nlmsg_free(msg);
17363 		return true;
17364 	}
17365 
17366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17367 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17368 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17369 		goto nla_put_failure;
17370 
17371 	genlmsg_end(msg, hdr);
17372 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17373 	return true;
17374 
17375  nla_put_failure:
17376 	nlmsg_free(msg);
17377 	return true;
17378 }
17379 
17380 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17381 				const u8 *addr, gfp_t gfp)
17382 {
17383 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17384 	bool ret;
17385 
17386 	trace_cfg80211_rx_spurious_frame(dev, addr);
17387 
17388 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17389 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17390 		trace_cfg80211_return_bool(false);
17391 		return false;
17392 	}
17393 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17394 					 addr, gfp);
17395 	trace_cfg80211_return_bool(ret);
17396 	return ret;
17397 }
17398 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17399 
17400 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17401 					const u8 *addr, gfp_t gfp)
17402 {
17403 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17404 	bool ret;
17405 
17406 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17407 
17408 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17409 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17410 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17411 		trace_cfg80211_return_bool(false);
17412 		return false;
17413 	}
17414 	ret = __nl80211_unexpected_frame(dev,
17415 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17416 					 addr, gfp);
17417 	trace_cfg80211_return_bool(ret);
17418 	return ret;
17419 }
17420 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17421 
17422 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17423 		      struct wireless_dev *wdev, u32 nlportid,
17424 		      int freq, int sig_dbm,
17425 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17426 {
17427 	struct net_device *netdev = wdev->netdev;
17428 	struct sk_buff *msg;
17429 	void *hdr;
17430 
17431 	msg = nlmsg_new(100 + len, gfp);
17432 	if (!msg)
17433 		return -ENOMEM;
17434 
17435 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17436 	if (!hdr) {
17437 		nlmsg_free(msg);
17438 		return -ENOMEM;
17439 	}
17440 
17441 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17442 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17443 					netdev->ifindex)) ||
17444 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17445 			      NL80211_ATTR_PAD) ||
17446 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17447 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17448 	    (sig_dbm &&
17449 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17450 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17451 	    (flags &&
17452 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17453 		goto nla_put_failure;
17454 
17455 	genlmsg_end(msg, hdr);
17456 
17457 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17458 
17459  nla_put_failure:
17460 	nlmsg_free(msg);
17461 	return -ENOBUFS;
17462 }
17463 
17464 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17465 				    const u8 *buf, size_t len, bool ack,
17466 				    gfp_t gfp, enum nl80211_commands command)
17467 {
17468 	struct wiphy *wiphy = wdev->wiphy;
17469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17470 	struct net_device *netdev = wdev->netdev;
17471 	struct sk_buff *msg;
17472 	void *hdr;
17473 
17474 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17475 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17476 	else
17477 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17478 
17479 	msg = nlmsg_new(100 + len, gfp);
17480 	if (!msg)
17481 		return;
17482 
17483 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17484 	if (!hdr) {
17485 		nlmsg_free(msg);
17486 		return;
17487 	}
17488 
17489 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17490 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17491 				   netdev->ifindex)) ||
17492 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17493 			      NL80211_ATTR_PAD) ||
17494 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17495 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17496 			      NL80211_ATTR_PAD) ||
17497 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17498 		goto nla_put_failure;
17499 
17500 	genlmsg_end(msg, hdr);
17501 
17502 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17503 				NL80211_MCGRP_MLME, gfp);
17504 	return;
17505 
17506 nla_put_failure:
17507 	nlmsg_free(msg);
17508 }
17509 
17510 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17511 				     const u8 *buf, size_t len, bool ack,
17512 				     gfp_t gfp)
17513 {
17514 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17515 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17516 }
17517 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17518 
17519 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17520 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17521 {
17522 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17523 				NL80211_CMD_FRAME_TX_STATUS);
17524 }
17525 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17526 
17527 static int __nl80211_rx_control_port(struct net_device *dev,
17528 				     struct sk_buff *skb,
17529 				     bool unencrypted, gfp_t gfp)
17530 {
17531 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17532 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17533 	struct ethhdr *ehdr = eth_hdr(skb);
17534 	const u8 *addr = ehdr->h_source;
17535 	u16 proto = be16_to_cpu(skb->protocol);
17536 	struct sk_buff *msg;
17537 	void *hdr;
17538 	struct nlattr *frame;
17539 
17540 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17541 
17542 	if (!nlportid)
17543 		return -ENOENT;
17544 
17545 	msg = nlmsg_new(100 + skb->len, gfp);
17546 	if (!msg)
17547 		return -ENOMEM;
17548 
17549 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17550 	if (!hdr) {
17551 		nlmsg_free(msg);
17552 		return -ENOBUFS;
17553 	}
17554 
17555 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17556 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17557 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17558 			      NL80211_ATTR_PAD) ||
17559 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17560 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17561 	    (unencrypted && nla_put_flag(msg,
17562 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17563 		goto nla_put_failure;
17564 
17565 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17566 	if (!frame)
17567 		goto nla_put_failure;
17568 
17569 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17570 	genlmsg_end(msg, hdr);
17571 
17572 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17573 
17574  nla_put_failure:
17575 	nlmsg_free(msg);
17576 	return -ENOBUFS;
17577 }
17578 
17579 bool cfg80211_rx_control_port(struct net_device *dev,
17580 			      struct sk_buff *skb, bool unencrypted)
17581 {
17582 	int ret;
17583 
17584 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17585 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17586 	trace_cfg80211_return_bool(ret == 0);
17587 	return ret == 0;
17588 }
17589 EXPORT_SYMBOL(cfg80211_rx_control_port);
17590 
17591 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17592 					    const char *mac, gfp_t gfp)
17593 {
17594 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17596 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17597 	void **cb;
17598 
17599 	if (!msg)
17600 		return NULL;
17601 
17602 	cb = (void **)msg->cb;
17603 
17604 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17605 	if (!cb[0]) {
17606 		nlmsg_free(msg);
17607 		return NULL;
17608 	}
17609 
17610 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17611 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17612 		goto nla_put_failure;
17613 
17614 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17615 		goto nla_put_failure;
17616 
17617 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17618 	if (!cb[1])
17619 		goto nla_put_failure;
17620 
17621 	cb[2] = rdev;
17622 
17623 	return msg;
17624  nla_put_failure:
17625 	nlmsg_free(msg);
17626 	return NULL;
17627 }
17628 
17629 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17630 {
17631 	void **cb = (void **)msg->cb;
17632 	struct cfg80211_registered_device *rdev = cb[2];
17633 
17634 	nla_nest_end(msg, cb[1]);
17635 	genlmsg_end(msg, cb[0]);
17636 
17637 	memset(msg->cb, 0, sizeof(msg->cb));
17638 
17639 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17640 				NL80211_MCGRP_MLME, gfp);
17641 }
17642 
17643 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17644 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17645 			      s32 rssi_level, gfp_t gfp)
17646 {
17647 	struct sk_buff *msg;
17648 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17649 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17650 
17651 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17652 
17653 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17654 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17655 		return;
17656 
17657 	if (wdev->cqm_config) {
17658 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17659 
17660 		cfg80211_cqm_rssi_update(rdev, dev);
17661 
17662 		if (rssi_level == 0)
17663 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17664 	}
17665 
17666 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17667 	if (!msg)
17668 		return;
17669 
17670 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17671 			rssi_event))
17672 		goto nla_put_failure;
17673 
17674 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17675 				      rssi_level))
17676 		goto nla_put_failure;
17677 
17678 	cfg80211_send_cqm(msg, gfp);
17679 
17680 	return;
17681 
17682  nla_put_failure:
17683 	nlmsg_free(msg);
17684 }
17685 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17686 
17687 void cfg80211_cqm_txe_notify(struct net_device *dev,
17688 			     const u8 *peer, u32 num_packets,
17689 			     u32 rate, u32 intvl, gfp_t gfp)
17690 {
17691 	struct sk_buff *msg;
17692 
17693 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17694 	if (!msg)
17695 		return;
17696 
17697 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17698 		goto nla_put_failure;
17699 
17700 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17701 		goto nla_put_failure;
17702 
17703 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17704 		goto nla_put_failure;
17705 
17706 	cfg80211_send_cqm(msg, gfp);
17707 	return;
17708 
17709  nla_put_failure:
17710 	nlmsg_free(msg);
17711 }
17712 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17713 
17714 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17715 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17716 {
17717 	struct sk_buff *msg;
17718 
17719 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17720 
17721 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17722 	if (!msg)
17723 		return;
17724 
17725 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17726 		goto nla_put_failure;
17727 
17728 	cfg80211_send_cqm(msg, gfp);
17729 	return;
17730 
17731  nla_put_failure:
17732 	nlmsg_free(msg);
17733 }
17734 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17735 
17736 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17737 {
17738 	struct sk_buff *msg;
17739 
17740 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17741 	if (!msg)
17742 		return;
17743 
17744 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17745 		goto nla_put_failure;
17746 
17747 	cfg80211_send_cqm(msg, gfp);
17748 	return;
17749 
17750  nla_put_failure:
17751 	nlmsg_free(msg);
17752 }
17753 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17754 
17755 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17756 				     struct net_device *netdev, const u8 *bssid,
17757 				     const u8 *replay_ctr, gfp_t gfp)
17758 {
17759 	struct sk_buff *msg;
17760 	struct nlattr *rekey_attr;
17761 	void *hdr;
17762 
17763 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17764 	if (!msg)
17765 		return;
17766 
17767 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17768 	if (!hdr) {
17769 		nlmsg_free(msg);
17770 		return;
17771 	}
17772 
17773 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17774 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17775 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17776 		goto nla_put_failure;
17777 
17778 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17779 	if (!rekey_attr)
17780 		goto nla_put_failure;
17781 
17782 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17783 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17784 		goto nla_put_failure;
17785 
17786 	nla_nest_end(msg, rekey_attr);
17787 
17788 	genlmsg_end(msg, hdr);
17789 
17790 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17791 				NL80211_MCGRP_MLME, gfp);
17792 	return;
17793 
17794  nla_put_failure:
17795 	nlmsg_free(msg);
17796 }
17797 
17798 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17799 			       const u8 *replay_ctr, gfp_t gfp)
17800 {
17801 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17802 	struct wiphy *wiphy = wdev->wiphy;
17803 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17804 
17805 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17806 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17807 }
17808 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17809 
17810 static void
17811 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17812 			       struct net_device *netdev, int index,
17813 			       const u8 *bssid, bool preauth, gfp_t gfp)
17814 {
17815 	struct sk_buff *msg;
17816 	struct nlattr *attr;
17817 	void *hdr;
17818 
17819 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17820 	if (!msg)
17821 		return;
17822 
17823 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17824 	if (!hdr) {
17825 		nlmsg_free(msg);
17826 		return;
17827 	}
17828 
17829 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17830 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17831 		goto nla_put_failure;
17832 
17833 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17834 	if (!attr)
17835 		goto nla_put_failure;
17836 
17837 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17838 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17839 	    (preauth &&
17840 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17841 		goto nla_put_failure;
17842 
17843 	nla_nest_end(msg, attr);
17844 
17845 	genlmsg_end(msg, hdr);
17846 
17847 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17848 				NL80211_MCGRP_MLME, gfp);
17849 	return;
17850 
17851  nla_put_failure:
17852 	nlmsg_free(msg);
17853 }
17854 
17855 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17856 				     const u8 *bssid, bool preauth, gfp_t gfp)
17857 {
17858 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17859 	struct wiphy *wiphy = wdev->wiphy;
17860 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17861 
17862 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17863 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17864 }
17865 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17866 
17867 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17868 				     struct net_device *netdev,
17869 				     struct cfg80211_chan_def *chandef,
17870 				     gfp_t gfp,
17871 				     enum nl80211_commands notif,
17872 				     u8 count, bool quiet)
17873 {
17874 	struct sk_buff *msg;
17875 	void *hdr;
17876 
17877 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17878 	if (!msg)
17879 		return;
17880 
17881 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17882 	if (!hdr) {
17883 		nlmsg_free(msg);
17884 		return;
17885 	}
17886 
17887 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17888 		goto nla_put_failure;
17889 
17890 	if (nl80211_send_chandef(msg, chandef))
17891 		goto nla_put_failure;
17892 
17893 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17894 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17895 			goto nla_put_failure;
17896 		if (quiet &&
17897 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17898 			goto nla_put_failure;
17899 	}
17900 
17901 	genlmsg_end(msg, hdr);
17902 
17903 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17904 				NL80211_MCGRP_MLME, gfp);
17905 	return;
17906 
17907  nla_put_failure:
17908 	nlmsg_free(msg);
17909 }
17910 
17911 void cfg80211_ch_switch_notify(struct net_device *dev,
17912 			       struct cfg80211_chan_def *chandef)
17913 {
17914 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17915 	struct wiphy *wiphy = wdev->wiphy;
17916 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17917 
17918 	ASSERT_WDEV_LOCK(wdev);
17919 
17920 	trace_cfg80211_ch_switch_notify(dev, chandef);
17921 
17922 	wdev->chandef = *chandef;
17923 	wdev->preset_chandef = *chandef;
17924 
17925 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
17926 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
17927 	    !WARN_ON(!wdev->current_bss))
17928 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17929 
17930 	cfg80211_sched_dfs_chan_update(rdev);
17931 
17932 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17933 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17934 }
17935 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17936 
17937 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17938 				       struct cfg80211_chan_def *chandef,
17939 				       u8 count, bool quiet)
17940 {
17941 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17942 	struct wiphy *wiphy = wdev->wiphy;
17943 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17944 
17945 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17946 
17947 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17948 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17949 				 count, quiet);
17950 }
17951 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17952 
17953 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17954 			      enum nl80211_commands cmd, u8 count,
17955 			      u64 color_bitmap)
17956 {
17957 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17958 	struct wiphy *wiphy = wdev->wiphy;
17959 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17960 	struct sk_buff *msg;
17961 	void *hdr;
17962 
17963 	ASSERT_WDEV_LOCK(wdev);
17964 
17965 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17966 
17967 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17968 	if (!msg)
17969 		return -ENOMEM;
17970 
17971 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17972 	if (!hdr)
17973 		goto nla_put_failure;
17974 
17975 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17976 		goto nla_put_failure;
17977 
17978 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17979 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17980 		goto nla_put_failure;
17981 
17982 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17983 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17984 			      color_bitmap, NL80211_ATTR_PAD))
17985 		goto nla_put_failure;
17986 
17987 	genlmsg_end(msg, hdr);
17988 
17989 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17990 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17991 
17992 nla_put_failure:
17993 	nlmsg_free(msg);
17994 	return -EINVAL;
17995 }
17996 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17997 
17998 void
17999 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
18000 		     const struct cfg80211_chan_def *chandef,
18001 		     enum nl80211_radar_event event,
18002 		     struct net_device *netdev, gfp_t gfp)
18003 {
18004 	struct sk_buff *msg;
18005 	void *hdr;
18006 
18007 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18008 	if (!msg)
18009 		return;
18010 
18011 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18012 	if (!hdr) {
18013 		nlmsg_free(msg);
18014 		return;
18015 	}
18016 
18017 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18018 		goto nla_put_failure;
18019 
18020 	/* NOP and radar events don't need a netdev parameter */
18021 	if (netdev) {
18022 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
18023 
18024 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18025 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18026 				      NL80211_ATTR_PAD))
18027 			goto nla_put_failure;
18028 	}
18029 
18030 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
18031 		goto nla_put_failure;
18032 
18033 	if (nl80211_send_chandef(msg, chandef))
18034 		goto nla_put_failure;
18035 
18036 	genlmsg_end(msg, hdr);
18037 
18038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18039 				NL80211_MCGRP_MLME, gfp);
18040 	return;
18041 
18042  nla_put_failure:
18043 	nlmsg_free(msg);
18044 }
18045 
18046 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
18047 				       struct sta_opmode_info *sta_opmode,
18048 				       gfp_t gfp)
18049 {
18050 	struct sk_buff *msg;
18051 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18052 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18053 	void *hdr;
18054 
18055 	if (WARN_ON(!mac))
18056 		return;
18057 
18058 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18059 	if (!msg)
18060 		return;
18061 
18062 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
18063 	if (!hdr) {
18064 		nlmsg_free(msg);
18065 		return;
18066 	}
18067 
18068 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18069 		goto nla_put_failure;
18070 
18071 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18072 		goto nla_put_failure;
18073 
18074 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18075 		goto nla_put_failure;
18076 
18077 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
18078 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
18079 		goto nla_put_failure;
18080 
18081 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
18082 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
18083 		goto nla_put_failure;
18084 
18085 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
18086 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
18087 		goto nla_put_failure;
18088 
18089 	genlmsg_end(msg, hdr);
18090 
18091 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18092 				NL80211_MCGRP_MLME, gfp);
18093 
18094 	return;
18095 
18096 nla_put_failure:
18097 	nlmsg_free(msg);
18098 }
18099 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18100 
18101 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18102 			   u64 cookie, bool acked, s32 ack_signal,
18103 			   bool is_valid_ack_signal, gfp_t gfp)
18104 {
18105 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18106 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18107 	struct sk_buff *msg;
18108 	void *hdr;
18109 
18110 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18111 
18112 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18113 
18114 	if (!msg)
18115 		return;
18116 
18117 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18118 	if (!hdr) {
18119 		nlmsg_free(msg);
18120 		return;
18121 	}
18122 
18123 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18124 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18125 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18126 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18127 			      NL80211_ATTR_PAD) ||
18128 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18129 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18130 						ack_signal)))
18131 		goto nla_put_failure;
18132 
18133 	genlmsg_end(msg, hdr);
18134 
18135 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18136 				NL80211_MCGRP_MLME, gfp);
18137 	return;
18138 
18139  nla_put_failure:
18140 	nlmsg_free(msg);
18141 }
18142 EXPORT_SYMBOL(cfg80211_probe_status);
18143 
18144 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18145 				     size_t len, int freq, int sig_dbm)
18146 {
18147 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18148 	struct sk_buff *msg;
18149 	void *hdr;
18150 	struct cfg80211_beacon_registration *reg;
18151 
18152 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18153 
18154 	spin_lock_bh(&rdev->beacon_registrations_lock);
18155 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18156 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18157 		if (!msg) {
18158 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18159 			return;
18160 		}
18161 
18162 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18163 		if (!hdr)
18164 			goto nla_put_failure;
18165 
18166 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18167 		    (freq &&
18168 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18169 				  KHZ_TO_MHZ(freq)) ||
18170 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18171 				  freq % 1000))) ||
18172 		    (sig_dbm &&
18173 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18174 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18175 			goto nla_put_failure;
18176 
18177 		genlmsg_end(msg, hdr);
18178 
18179 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18180 	}
18181 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18182 	return;
18183 
18184  nla_put_failure:
18185 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18186 	nlmsg_free(msg);
18187 }
18188 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18189 
18190 #ifdef CONFIG_PM
18191 static int cfg80211_net_detect_results(struct sk_buff *msg,
18192 				       struct cfg80211_wowlan_wakeup *wakeup)
18193 {
18194 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18195 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18196 	int i, j;
18197 
18198 	nl_results = nla_nest_start_noflag(msg,
18199 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18200 	if (!nl_results)
18201 		return -EMSGSIZE;
18202 
18203 	for (i = 0; i < nd->n_matches; i++) {
18204 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18205 
18206 		nl_match = nla_nest_start_noflag(msg, i);
18207 		if (!nl_match)
18208 			break;
18209 
18210 		/* The SSID attribute is optional in nl80211, but for
18211 		 * simplicity reasons it's always present in the
18212 		 * cfg80211 structure.  If a driver can't pass the
18213 		 * SSID, that needs to be changed.  A zero length SSID
18214 		 * is still a valid SSID (wildcard), so it cannot be
18215 		 * used for this purpose.
18216 		 */
18217 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18218 			    match->ssid.ssid)) {
18219 			nla_nest_cancel(msg, nl_match);
18220 			goto out;
18221 		}
18222 
18223 		if (match->n_channels) {
18224 			nl_freqs = nla_nest_start_noflag(msg,
18225 							 NL80211_ATTR_SCAN_FREQUENCIES);
18226 			if (!nl_freqs) {
18227 				nla_nest_cancel(msg, nl_match);
18228 				goto out;
18229 			}
18230 
18231 			for (j = 0; j < match->n_channels; j++) {
18232 				if (nla_put_u32(msg, j, match->channels[j])) {
18233 					nla_nest_cancel(msg, nl_freqs);
18234 					nla_nest_cancel(msg, nl_match);
18235 					goto out;
18236 				}
18237 			}
18238 
18239 			nla_nest_end(msg, nl_freqs);
18240 		}
18241 
18242 		nla_nest_end(msg, nl_match);
18243 	}
18244 
18245 out:
18246 	nla_nest_end(msg, nl_results);
18247 	return 0;
18248 }
18249 
18250 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18251 				   struct cfg80211_wowlan_wakeup *wakeup,
18252 				   gfp_t gfp)
18253 {
18254 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18255 	struct sk_buff *msg;
18256 	void *hdr;
18257 	int size = 200;
18258 
18259 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18260 
18261 	if (wakeup)
18262 		size += wakeup->packet_present_len;
18263 
18264 	msg = nlmsg_new(size, gfp);
18265 	if (!msg)
18266 		return;
18267 
18268 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18269 	if (!hdr)
18270 		goto free_msg;
18271 
18272 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18273 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18274 			      NL80211_ATTR_PAD))
18275 		goto free_msg;
18276 
18277 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18278 					wdev->netdev->ifindex))
18279 		goto free_msg;
18280 
18281 	if (wakeup) {
18282 		struct nlattr *reasons;
18283 
18284 		reasons = nla_nest_start_noflag(msg,
18285 						NL80211_ATTR_WOWLAN_TRIGGERS);
18286 		if (!reasons)
18287 			goto free_msg;
18288 
18289 		if (wakeup->disconnect &&
18290 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18291 			goto free_msg;
18292 		if (wakeup->magic_pkt &&
18293 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18294 			goto free_msg;
18295 		if (wakeup->gtk_rekey_failure &&
18296 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18297 			goto free_msg;
18298 		if (wakeup->eap_identity_req &&
18299 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18300 			goto free_msg;
18301 		if (wakeup->four_way_handshake &&
18302 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18303 			goto free_msg;
18304 		if (wakeup->rfkill_release &&
18305 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18306 			goto free_msg;
18307 
18308 		if (wakeup->pattern_idx >= 0 &&
18309 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18310 				wakeup->pattern_idx))
18311 			goto free_msg;
18312 
18313 		if (wakeup->tcp_match &&
18314 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18315 			goto free_msg;
18316 
18317 		if (wakeup->tcp_connlost &&
18318 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18319 			goto free_msg;
18320 
18321 		if (wakeup->tcp_nomoretokens &&
18322 		    nla_put_flag(msg,
18323 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18324 			goto free_msg;
18325 
18326 		if (wakeup->packet) {
18327 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18328 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18329 
18330 			if (!wakeup->packet_80211) {
18331 				pkt_attr =
18332 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18333 				len_attr =
18334 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18335 			}
18336 
18337 			if (wakeup->packet_len &&
18338 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18339 				goto free_msg;
18340 
18341 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18342 				    wakeup->packet))
18343 				goto free_msg;
18344 		}
18345 
18346 		if (wakeup->net_detect &&
18347 		    cfg80211_net_detect_results(msg, wakeup))
18348 				goto free_msg;
18349 
18350 		nla_nest_end(msg, reasons);
18351 	}
18352 
18353 	genlmsg_end(msg, hdr);
18354 
18355 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18356 				NL80211_MCGRP_MLME, gfp);
18357 	return;
18358 
18359  free_msg:
18360 	nlmsg_free(msg);
18361 }
18362 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18363 #endif
18364 
18365 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18366 				enum nl80211_tdls_operation oper,
18367 				u16 reason_code, gfp_t gfp)
18368 {
18369 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18370 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18371 	struct sk_buff *msg;
18372 	void *hdr;
18373 
18374 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18375 					 reason_code);
18376 
18377 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18378 	if (!msg)
18379 		return;
18380 
18381 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18382 	if (!hdr) {
18383 		nlmsg_free(msg);
18384 		return;
18385 	}
18386 
18387 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18388 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18389 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18390 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18391 	    (reason_code > 0 &&
18392 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18393 		goto nla_put_failure;
18394 
18395 	genlmsg_end(msg, hdr);
18396 
18397 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18398 				NL80211_MCGRP_MLME, gfp);
18399 	return;
18400 
18401  nla_put_failure:
18402 	nlmsg_free(msg);
18403 }
18404 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18405 
18406 static int nl80211_netlink_notify(struct notifier_block * nb,
18407 				  unsigned long state,
18408 				  void *_notify)
18409 {
18410 	struct netlink_notify *notify = _notify;
18411 	struct cfg80211_registered_device *rdev;
18412 	struct wireless_dev *wdev;
18413 	struct cfg80211_beacon_registration *reg, *tmp;
18414 
18415 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18416 		return NOTIFY_DONE;
18417 
18418 	rcu_read_lock();
18419 
18420 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18421 		struct cfg80211_sched_scan_request *sched_scan_req;
18422 
18423 		list_for_each_entry_rcu(sched_scan_req,
18424 					&rdev->sched_scan_req_list,
18425 					list) {
18426 			if (sched_scan_req->owner_nlportid == notify->portid) {
18427 				sched_scan_req->nl_owner_dead = true;
18428 				schedule_work(&rdev->sched_scan_stop_wk);
18429 			}
18430 		}
18431 
18432 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18433 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18434 
18435 			if (wdev->owner_nlportid == notify->portid) {
18436 				wdev->nl_owner_dead = true;
18437 				schedule_work(&rdev->destroy_work);
18438 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18439 				schedule_work(&wdev->disconnect_wk);
18440 			}
18441 
18442 			cfg80211_release_pmsr(wdev, notify->portid);
18443 		}
18444 
18445 		spin_lock_bh(&rdev->beacon_registrations_lock);
18446 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18447 					 list) {
18448 			if (reg->nlportid == notify->portid) {
18449 				list_del(&reg->list);
18450 				kfree(reg);
18451 				break;
18452 			}
18453 		}
18454 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18455 	}
18456 
18457 	rcu_read_unlock();
18458 
18459 	/*
18460 	 * It is possible that the user space process that is controlling the
18461 	 * indoor setting disappeared, so notify the regulatory core.
18462 	 */
18463 	regulatory_netlink_notify(notify->portid);
18464 	return NOTIFY_OK;
18465 }
18466 
18467 static struct notifier_block nl80211_netlink_notifier = {
18468 	.notifier_call = nl80211_netlink_notify,
18469 };
18470 
18471 void cfg80211_ft_event(struct net_device *netdev,
18472 		       struct cfg80211_ft_event_params *ft_event)
18473 {
18474 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18475 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18476 	struct sk_buff *msg;
18477 	void *hdr;
18478 
18479 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18480 
18481 	if (!ft_event->target_ap)
18482 		return;
18483 
18484 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18485 			GFP_KERNEL);
18486 	if (!msg)
18487 		return;
18488 
18489 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18490 	if (!hdr)
18491 		goto out;
18492 
18493 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18494 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18495 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18496 		goto out;
18497 
18498 	if (ft_event->ies &&
18499 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18500 		goto out;
18501 	if (ft_event->ric_ies &&
18502 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18503 		    ft_event->ric_ies))
18504 		goto out;
18505 
18506 	genlmsg_end(msg, hdr);
18507 
18508 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18509 				NL80211_MCGRP_MLME, GFP_KERNEL);
18510 	return;
18511  out:
18512 	nlmsg_free(msg);
18513 }
18514 EXPORT_SYMBOL(cfg80211_ft_event);
18515 
18516 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18517 {
18518 	struct cfg80211_registered_device *rdev;
18519 	struct sk_buff *msg;
18520 	void *hdr;
18521 	u32 nlportid;
18522 
18523 	rdev = wiphy_to_rdev(wdev->wiphy);
18524 	if (!rdev->crit_proto_nlportid)
18525 		return;
18526 
18527 	nlportid = rdev->crit_proto_nlportid;
18528 	rdev->crit_proto_nlportid = 0;
18529 
18530 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18531 	if (!msg)
18532 		return;
18533 
18534 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18535 	if (!hdr)
18536 		goto nla_put_failure;
18537 
18538 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18539 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18540 			      NL80211_ATTR_PAD))
18541 		goto nla_put_failure;
18542 
18543 	genlmsg_end(msg, hdr);
18544 
18545 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18546 	return;
18547 
18548  nla_put_failure:
18549 	nlmsg_free(msg);
18550 }
18551 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18552 
18553 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18554 {
18555 	struct wiphy *wiphy = wdev->wiphy;
18556 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18557 	struct sk_buff *msg;
18558 	void *hdr;
18559 
18560 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18561 	if (!msg)
18562 		return;
18563 
18564 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18565 	if (!hdr)
18566 		goto out;
18567 
18568 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18569 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18570 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18571 			      NL80211_ATTR_PAD))
18572 		goto out;
18573 
18574 	genlmsg_end(msg, hdr);
18575 
18576 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18577 				NL80211_MCGRP_MLME, GFP_KERNEL);
18578 	return;
18579  out:
18580 	nlmsg_free(msg);
18581 }
18582 
18583 int cfg80211_external_auth_request(struct net_device *dev,
18584 				   struct cfg80211_external_auth_params *params,
18585 				   gfp_t gfp)
18586 {
18587 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18588 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18589 	struct sk_buff *msg;
18590 	void *hdr;
18591 
18592 	if (!wdev->conn_owner_nlportid)
18593 		return -EINVAL;
18594 
18595 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18596 	if (!msg)
18597 		return -ENOMEM;
18598 
18599 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18600 	if (!hdr)
18601 		goto nla_put_failure;
18602 
18603 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18604 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18605 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18606 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18607 			params->action) ||
18608 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18609 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18610 		    params->ssid.ssid))
18611 		goto nla_put_failure;
18612 
18613 	genlmsg_end(msg, hdr);
18614 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18615 			wdev->conn_owner_nlportid);
18616 	return 0;
18617 
18618  nla_put_failure:
18619 	nlmsg_free(msg);
18620 	return -ENOBUFS;
18621 }
18622 EXPORT_SYMBOL(cfg80211_external_auth_request);
18623 
18624 void cfg80211_update_owe_info_event(struct net_device *netdev,
18625 				    struct cfg80211_update_owe_info *owe_info,
18626 				    gfp_t gfp)
18627 {
18628 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18629 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18630 	struct sk_buff *msg;
18631 	void *hdr;
18632 
18633 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18634 
18635 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18636 	if (!msg)
18637 		return;
18638 
18639 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18640 	if (!hdr)
18641 		goto nla_put_failure;
18642 
18643 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18644 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18645 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18646 		goto nla_put_failure;
18647 
18648 	if (!owe_info->ie_len ||
18649 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18650 		goto nla_put_failure;
18651 
18652 	genlmsg_end(msg, hdr);
18653 
18654 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18655 				NL80211_MCGRP_MLME, gfp);
18656 	return;
18657 
18658 nla_put_failure:
18659 	genlmsg_cancel(msg, hdr);
18660 	nlmsg_free(msg);
18661 }
18662 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18663 
18664 /* initialisation/exit functions */
18665 
18666 int __init nl80211_init(void)
18667 {
18668 	int err;
18669 
18670 	err = genl_register_family(&nl80211_fam);
18671 	if (err)
18672 		return err;
18673 
18674 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18675 	if (err)
18676 		goto err_out;
18677 
18678 	return 0;
18679  err_out:
18680 	genl_unregister_family(&nl80211_fam);
18681 	return err;
18682 }
18683 
18684 void nl80211_exit(void)
18685 {
18686 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18687 	genl_unregister_family(&nl80211_fam);
18688 }
18689