xref: /openbmc/linux/net/wireless/nl80211.c (revision 55eb9a6c) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
460 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
461 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
463 				      .len = 20-1 },
464 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
465 
466 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
467 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
469 						NL80211_EDMG_CHANNELS_MIN,
470 						NL80211_EDMG_CHANNELS_MAX),
471 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
472 						NL80211_EDMG_BW_CONFIG_MIN,
473 						NL80211_EDMG_BW_CONFIG_MAX),
474 
475 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
476 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
477 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
478 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
479 
480 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
481 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
482 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
485 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
488 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
489 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
490 
491 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
492 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
493 
494 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
495 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
496 				    .len = WLAN_MAX_KEY_LEN },
497 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
498 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
499 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
501 	[NL80211_ATTR_KEY_TYPE] =
502 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
503 
504 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
505 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
506 	[NL80211_ATTR_BEACON_HEAD] =
507 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
508 				       IEEE80211_MAX_DATA_LEN),
509 	[NL80211_ATTR_BEACON_TAIL] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_STA_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
516 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
517 					       .len = NL80211_MAX_SUPP_RATES },
518 	[NL80211_ATTR_STA_PLINK_ACTION] =
519 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
520 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
521 		NLA_POLICY_RANGE(NLA_U8,
522 				 NL80211_TX_POWER_AUTOMATIC,
523 				 NL80211_TX_POWER_FIXED),
524 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
525 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
526 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
527 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
528 				   .len = IEEE80211_MAX_MESH_ID_LEN },
529 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
530 
531 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
532 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
533 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
534 
535 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
536 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
537 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
538 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
539 					   .len = NL80211_MAX_SUPP_RATES },
540 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
541 
542 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
543 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
544 
545 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
546 
547 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
549 						   validate_ie_attr,
550 						   IEEE80211_MAX_DATA_LEN),
551 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
552 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
553 
554 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
555 				.len = IEEE80211_MAX_SSID_LEN },
556 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
557 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
561 						  NL80211_MFP_NO,
562 						  NL80211_MFP_OPTIONAL),
563 	[NL80211_ATTR_STA_FLAGS2] = {
564 		.len = sizeof(struct nl80211_sta_flag_update),
565 	},
566 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
568 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
572 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
573 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
574 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
576 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
577 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
578 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
579 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
580 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
581 				 .len = IEEE80211_MAX_DATA_LEN },
582 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
583 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
584 						   NL80211_PS_DISABLED,
585 						   NL80211_PS_ENABLED),
586 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
587 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
589 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
590 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
591 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
592 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
593 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
594 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
595 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_STA_PLINK_STATE] =
599 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
600 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
601 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_MESH_PEER_AID] =
603 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
604 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
605 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
606 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_HIDDEN_SSID] =
608 		NLA_POLICY_RANGE(NLA_U32,
609 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
610 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
611 	[NL80211_ATTR_IE_PROBE_RESP] =
612 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
613 				       IEEE80211_MAX_DATA_LEN),
614 	[NL80211_ATTR_IE_ASSOC_RESP] =
615 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
616 				       IEEE80211_MAX_DATA_LEN),
617 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
618 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
619 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
621 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
622 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
623 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
624 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
625 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
627 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
628 				      .len = IEEE80211_MAX_DATA_LEN },
629 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
630 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
632 		.len = NL80211_HT_CAPABILITY_LEN
633 	},
634 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
635 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
636 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
637 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
638 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
639 
640 	/* need to include at least Auth Transaction and Status Code */
641 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
642 
643 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
644 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
645 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
646 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
647 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
648 		NLA_POLICY_RANGE(NLA_U32,
649 				 NL80211_MESH_POWER_UNKNOWN + 1,
650 				 NL80211_MESH_POWER_MAX),
651 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
652 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
654 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
655 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
656 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
657 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
658 		.len = NL80211_VHT_CAPABILITY_LEN,
659 	},
660 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
661 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
662 				  .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
664 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
665 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
666 	[NL80211_ATTR_PEER_AID] =
667 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
668 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
669 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
670 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
671 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
672 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
673 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
674 	/*
675 	 * The value of the Length field of the Supported Operating
676 	 * Classes element is between 2 and 253.
677 	 */
678 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
679 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
680 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
682 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
683 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
684 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
686 						  IEEE80211_QOS_MAP_LEN_MIN,
687 						  IEEE80211_QOS_MAP_LEN_MAX),
688 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
689 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
690 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
691 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
693 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
694 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
695 	[NL80211_ATTR_USER_PRIO] =
696 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
697 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
698 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
699 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
700 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
702 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
704 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
707 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
708 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
709 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
710 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
711 	},
712 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
714 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
715 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
716 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
717 				    .len = FILS_MAX_KEK_LEN },
718 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
719 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
720 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
721 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
722 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
723 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
724 	},
725 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
726 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
727 					     .len = FILS_ERP_MAX_USERNAME_LEN },
728 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
729 					  .len = FILS_ERP_MAX_REALM_LEN },
730 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
731 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
732 					.len = FILS_ERP_MAX_RRK_LEN },
733 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
734 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
735 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
736 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
738 
739 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
740 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
741 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
742 	[NL80211_ATTR_HE_CAPABILITY] =
743 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
744 				       NL80211_HE_MAX_CAPABILITY_LEN),
745 	[NL80211_ATTR_FTM_RESPONDER] =
746 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
747 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
748 	[NL80211_ATTR_PEER_MEASUREMENTS] =
749 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
750 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
751 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
752 					.len = SAE_PASSWORD_MAX_LEN },
753 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
755 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
756 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
757 	[NL80211_ATTR_TID_CONFIG] =
758 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
759 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
761 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
762 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
763 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
764 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
765 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
766 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
767 	[NL80211_ATTR_FILS_DISCOVERY] =
768 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
769 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
770 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
771 	[NL80211_ATTR_S1G_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
773 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
774 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
775 	[NL80211_ATTR_SAE_PWE] =
776 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
777 				 NL80211_SAE_PWE_BOTH),
778 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
779 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
780 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
781 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
782 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
783 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
784 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
785 	[NL80211_ATTR_MBSSID_CONFIG] =
786 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
787 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
789 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
790 	[NL80211_ATTR_EHT_CAPABILITY] =
791 		NLA_POLICY_RANGE(NLA_BINARY,
792 				 NL80211_EHT_MIN_CAPABILITY_LEN,
793 				 NL80211_EHT_MAX_CAPABILITY_LEN),
794 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
795 };
796 
797 /* policy for the key attributes */
798 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
799 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
800 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
801 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
802 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
803 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
804 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
805 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
806 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
807 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
808 };
809 
810 /* policy for the key default flags */
811 static const struct nla_policy
812 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
813 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
814 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
815 };
816 
817 #ifdef CONFIG_PM
818 /* policy for WoWLAN attributes */
819 static const struct nla_policy
820 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
821 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
822 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
823 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
824 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
825 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
826 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
827 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
828 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
829 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
830 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
831 };
832 
833 static const struct nla_policy
834 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
835 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
836 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
837 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
838 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
839 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
840 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
841 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
842 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
843 	},
844 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
845 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
846 	},
847 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
848 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
849 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
850 };
851 #endif /* CONFIG_PM */
852 
853 /* policy for coalesce rule attributes */
854 static const struct nla_policy
855 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
856 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
857 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
858 		NLA_POLICY_RANGE(NLA_U32,
859 				 NL80211_COALESCE_CONDITION_MATCH,
860 				 NL80211_COALESCE_CONDITION_NO_MATCH),
861 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
862 };
863 
864 /* policy for GTK rekey offload attributes */
865 static const struct nla_policy
866 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
867 	[NL80211_REKEY_DATA_KEK] = {
868 		.type = NLA_BINARY,
869 		.len = NL80211_KEK_EXT_LEN
870 	},
871 	[NL80211_REKEY_DATA_KCK] = {
872 		.type = NLA_BINARY,
873 		.len = NL80211_KCK_EXT_LEN
874 	},
875 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
876 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
877 };
878 
879 static const struct nla_policy
880 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
881 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
882 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
883 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
884 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
885 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
886 };
887 
888 static const struct nla_policy
889 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
890 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
891 						 .len = IEEE80211_MAX_SSID_LEN },
892 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
893 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
894 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
895 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
896 };
897 
898 static const struct nla_policy
899 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
900 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
901 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
902 };
903 
904 static const struct nla_policy
905 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
906 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
907 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
908 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
909 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
910 	},
911 };
912 
913 /* policy for NAN function attributes */
914 static const struct nla_policy
915 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
916 	[NL80211_NAN_FUNC_TYPE] =
917 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
918 	[NL80211_NAN_FUNC_SERVICE_ID] = {
919 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
920 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
921 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
922 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
923 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
924 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
925 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
926 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
927 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
928 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
929 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
930 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
931 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
932 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
933 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
934 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
935 };
936 
937 /* policy for Service Response Filter attributes */
938 static const struct nla_policy
939 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
940 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
941 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
942 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
943 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
944 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
945 };
946 
947 /* policy for packet pattern attributes */
948 static const struct nla_policy
949 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
950 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
951 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
952 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
953 };
954 
955 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
956 				     struct cfg80211_registered_device **rdev,
957 				     struct wireless_dev **wdev,
958 				     struct nlattr **attrbuf)
959 {
960 	int err;
961 
962 	if (!cb->args[0]) {
963 		struct nlattr **attrbuf_free = NULL;
964 
965 		if (!attrbuf) {
966 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
967 					  GFP_KERNEL);
968 			if (!attrbuf)
969 				return -ENOMEM;
970 			attrbuf_free = attrbuf;
971 		}
972 
973 		err = nlmsg_parse_deprecated(cb->nlh,
974 					     GENL_HDRLEN + nl80211_fam.hdrsize,
975 					     attrbuf, nl80211_fam.maxattr,
976 					     nl80211_policy, NULL);
977 		if (err) {
978 			kfree(attrbuf_free);
979 			return err;
980 		}
981 
982 		rtnl_lock();
983 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
984 						   attrbuf);
985 		kfree(attrbuf_free);
986 		if (IS_ERR(*wdev)) {
987 			rtnl_unlock();
988 			return PTR_ERR(*wdev);
989 		}
990 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
991 		mutex_lock(&(*rdev)->wiphy.mtx);
992 		rtnl_unlock();
993 		/* 0 is the first index - add 1 to parse only once */
994 		cb->args[0] = (*rdev)->wiphy_idx + 1;
995 		cb->args[1] = (*wdev)->identifier;
996 	} else {
997 		/* subtract the 1 again here */
998 		struct wiphy *wiphy;
999 		struct wireless_dev *tmp;
1000 
1001 		rtnl_lock();
1002 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1003 		if (!wiphy) {
1004 			rtnl_unlock();
1005 			return -ENODEV;
1006 		}
1007 		*rdev = wiphy_to_rdev(wiphy);
1008 		*wdev = NULL;
1009 
1010 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1011 			if (tmp->identifier == cb->args[1]) {
1012 				*wdev = tmp;
1013 				break;
1014 			}
1015 		}
1016 
1017 		if (!*wdev) {
1018 			rtnl_unlock();
1019 			return -ENODEV;
1020 		}
1021 		mutex_lock(&(*rdev)->wiphy.mtx);
1022 		rtnl_unlock();
1023 	}
1024 
1025 	return 0;
1026 }
1027 
1028 /* message building helper */
1029 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1030 		     int flags, u8 cmd)
1031 {
1032 	/* since there is no private header just add the generic one */
1033 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1034 }
1035 
1036 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1037 				     const struct ieee80211_reg_rule *rule)
1038 {
1039 	int j;
1040 	struct nlattr *nl_wmm_rules =
1041 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1042 
1043 	if (!nl_wmm_rules)
1044 		goto nla_put_failure;
1045 
1046 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1047 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1048 
1049 		if (!nl_wmm_rule)
1050 			goto nla_put_failure;
1051 
1052 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1053 				rule->wmm_rule.client[j].cw_min) ||
1054 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1055 				rule->wmm_rule.client[j].cw_max) ||
1056 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1057 			       rule->wmm_rule.client[j].aifsn) ||
1058 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1059 			        rule->wmm_rule.client[j].cot))
1060 			goto nla_put_failure;
1061 
1062 		nla_nest_end(msg, nl_wmm_rule);
1063 	}
1064 	nla_nest_end(msg, nl_wmm_rules);
1065 
1066 	return 0;
1067 
1068 nla_put_failure:
1069 	return -ENOBUFS;
1070 }
1071 
1072 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1073 				   struct ieee80211_channel *chan,
1074 				   bool large)
1075 {
1076 	/* Some channels must be completely excluded from the
1077 	 * list to protect old user-space tools from breaking
1078 	 */
1079 	if (!large && chan->flags &
1080 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1081 		return 0;
1082 	if (!large && chan->freq_offset)
1083 		return 0;
1084 
1085 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1086 			chan->center_freq))
1087 		goto nla_put_failure;
1088 
1089 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1090 		goto nla_put_failure;
1091 
1092 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1093 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1094 		goto nla_put_failure;
1095 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1096 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1097 			goto nla_put_failure;
1098 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1099 			goto nla_put_failure;
1100 	}
1101 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1102 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1103 			goto nla_put_failure;
1104 		if (large) {
1105 			u32 time;
1106 
1107 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1108 
1109 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1110 					chan->dfs_state))
1111 				goto nla_put_failure;
1112 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1113 					time))
1114 				goto nla_put_failure;
1115 			if (nla_put_u32(msg,
1116 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1117 					chan->dfs_cac_ms))
1118 				goto nla_put_failure;
1119 		}
1120 	}
1121 
1122 	if (large) {
1123 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1124 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1125 			goto nla_put_failure;
1126 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1127 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1128 			goto nla_put_failure;
1129 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1130 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1131 			goto nla_put_failure;
1132 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1133 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1134 			goto nla_put_failure;
1135 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1136 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1137 			goto nla_put_failure;
1138 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1139 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1140 			goto nla_put_failure;
1141 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1142 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1143 			goto nla_put_failure;
1144 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1145 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1146 			goto nla_put_failure;
1147 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1148 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1149 			goto nla_put_failure;
1150 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1151 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1152 			goto nla_put_failure;
1153 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1154 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1155 			goto nla_put_failure;
1156 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1157 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1158 			goto nla_put_failure;
1159 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1160 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1161 			goto nla_put_failure;
1162 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1163 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1164 			goto nla_put_failure;
1165 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1166 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1167 			goto nla_put_failure;
1168 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1169 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1170 			goto nla_put_failure;
1171 	}
1172 
1173 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1174 			DBM_TO_MBM(chan->max_power)))
1175 		goto nla_put_failure;
1176 
1177 	if (large) {
1178 		const struct ieee80211_reg_rule *rule =
1179 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1180 
1181 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1182 			if (nl80211_msg_put_wmm_rules(msg, rule))
1183 				goto nla_put_failure;
1184 		}
1185 	}
1186 
1187 	return 0;
1188 
1189  nla_put_failure:
1190 	return -ENOBUFS;
1191 }
1192 
1193 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1194 				  struct cfg80211_txq_stats *txqstats,
1195 				  int attrtype)
1196 {
1197 	struct nlattr *txqattr;
1198 
1199 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1200 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1201 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1202 		return false;						  \
1203 	} while (0)
1204 
1205 	txqattr = nla_nest_start_noflag(msg, attrtype);
1206 	if (!txqattr)
1207 		return false;
1208 
1209 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1210 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1211 	PUT_TXQVAL_U32(FLOWS, flows);
1212 	PUT_TXQVAL_U32(DROPS, drops);
1213 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1214 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1215 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1216 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1217 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1218 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1219 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1220 	nla_nest_end(msg, txqattr);
1221 
1222 #undef PUT_TXQVAL_U32
1223 	return true;
1224 }
1225 
1226 /* netlink command implementations */
1227 
1228 struct key_parse {
1229 	struct key_params p;
1230 	int idx;
1231 	int type;
1232 	bool def, defmgmt, defbeacon;
1233 	bool def_uni, def_multi;
1234 };
1235 
1236 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1237 				 struct key_parse *k)
1238 {
1239 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1240 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1241 					      nl80211_key_policy,
1242 					      info->extack);
1243 	if (err)
1244 		return err;
1245 
1246 	k->def = !!tb[NL80211_KEY_DEFAULT];
1247 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1248 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1249 
1250 	if (k->def) {
1251 		k->def_uni = true;
1252 		k->def_multi = true;
1253 	}
1254 	if (k->defmgmt || k->defbeacon)
1255 		k->def_multi = true;
1256 
1257 	if (tb[NL80211_KEY_IDX])
1258 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1259 
1260 	if (tb[NL80211_KEY_DATA]) {
1261 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1262 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1263 	}
1264 
1265 	if (tb[NL80211_KEY_SEQ]) {
1266 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1267 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1268 	}
1269 
1270 	if (tb[NL80211_KEY_CIPHER])
1271 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1272 
1273 	if (tb[NL80211_KEY_TYPE])
1274 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1275 
1276 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1277 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1278 
1279 		err = nla_parse_nested_deprecated(kdt,
1280 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1281 						  tb[NL80211_KEY_DEFAULT_TYPES],
1282 						  nl80211_key_default_policy,
1283 						  info->extack);
1284 		if (err)
1285 			return err;
1286 
1287 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1288 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1289 	}
1290 
1291 	if (tb[NL80211_KEY_MODE])
1292 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1293 
1294 	return 0;
1295 }
1296 
1297 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1298 {
1299 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1300 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1301 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1302 	}
1303 
1304 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1305 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1306 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1307 	}
1308 
1309 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1310 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1311 
1312 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1313 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1314 
1315 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1316 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1317 
1318 	if (k->def) {
1319 		k->def_uni = true;
1320 		k->def_multi = true;
1321 	}
1322 	if (k->defmgmt)
1323 		k->def_multi = true;
1324 
1325 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1326 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1327 
1328 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1329 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1330 		int err = nla_parse_nested_deprecated(kdt,
1331 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1332 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1333 						      nl80211_key_default_policy,
1334 						      info->extack);
1335 		if (err)
1336 			return err;
1337 
1338 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1339 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1340 	}
1341 
1342 	return 0;
1343 }
1344 
1345 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1346 {
1347 	int err;
1348 
1349 	memset(k, 0, sizeof(*k));
1350 	k->idx = -1;
1351 	k->type = -1;
1352 
1353 	if (info->attrs[NL80211_ATTR_KEY])
1354 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1355 	else
1356 		err = nl80211_parse_key_old(info, k);
1357 
1358 	if (err)
1359 		return err;
1360 
1361 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1362 	    (k->defbeacon ? 1 : 0) > 1) {
1363 		GENL_SET_ERR_MSG(info,
1364 				 "key with multiple default flags is invalid");
1365 		return -EINVAL;
1366 	}
1367 
1368 	if (k->defmgmt || k->defbeacon) {
1369 		if (k->def_uni || !k->def_multi) {
1370 			GENL_SET_ERR_MSG(info,
1371 					 "defmgmt/defbeacon key must be mcast");
1372 			return -EINVAL;
1373 		}
1374 	}
1375 
1376 	if (k->idx != -1) {
1377 		if (k->defmgmt) {
1378 			if (k->idx < 4 || k->idx > 5) {
1379 				GENL_SET_ERR_MSG(info,
1380 						 "defmgmt key idx not 4 or 5");
1381 				return -EINVAL;
1382 			}
1383 		} else if (k->defbeacon) {
1384 			if (k->idx < 6 || k->idx > 7) {
1385 				GENL_SET_ERR_MSG(info,
1386 						 "defbeacon key idx not 6 or 7");
1387 				return -EINVAL;
1388 			}
1389 		} else if (k->def) {
1390 			if (k->idx < 0 || k->idx > 3) {
1391 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1392 				return -EINVAL;
1393 			}
1394 		} else {
1395 			if (k->idx < 0 || k->idx > 7) {
1396 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1397 				return -EINVAL;
1398 			}
1399 		}
1400 	}
1401 
1402 	return 0;
1403 }
1404 
1405 static struct cfg80211_cached_keys *
1406 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1407 		       struct genl_info *info, bool *no_ht)
1408 {
1409 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1410 	struct key_parse parse;
1411 	struct nlattr *key;
1412 	struct cfg80211_cached_keys *result;
1413 	int rem, err, def = 0;
1414 	bool have_key = false;
1415 
1416 	nla_for_each_nested(key, keys, rem) {
1417 		have_key = true;
1418 		break;
1419 	}
1420 
1421 	if (!have_key)
1422 		return NULL;
1423 
1424 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1425 	if (!result)
1426 		return ERR_PTR(-ENOMEM);
1427 
1428 	result->def = -1;
1429 
1430 	nla_for_each_nested(key, keys, rem) {
1431 		memset(&parse, 0, sizeof(parse));
1432 		parse.idx = -1;
1433 
1434 		err = nl80211_parse_key_new(info, key, &parse);
1435 		if (err)
1436 			goto error;
1437 		err = -EINVAL;
1438 		if (!parse.p.key)
1439 			goto error;
1440 		if (parse.idx < 0 || parse.idx > 3) {
1441 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1442 			goto error;
1443 		}
1444 		if (parse.def) {
1445 			if (def) {
1446 				GENL_SET_ERR_MSG(info,
1447 						 "only one key can be default");
1448 				goto error;
1449 			}
1450 			def = 1;
1451 			result->def = parse.idx;
1452 			if (!parse.def_uni || !parse.def_multi)
1453 				goto error;
1454 		} else if (parse.defmgmt)
1455 			goto error;
1456 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1457 						     parse.idx, false, NULL);
1458 		if (err)
1459 			goto error;
1460 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1461 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1462 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1463 			err = -EINVAL;
1464 			goto error;
1465 		}
1466 		result->params[parse.idx].cipher = parse.p.cipher;
1467 		result->params[parse.idx].key_len = parse.p.key_len;
1468 		result->params[parse.idx].key = result->data[parse.idx];
1469 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1470 
1471 		/* must be WEP key if we got here */
1472 		if (no_ht)
1473 			*no_ht = true;
1474 	}
1475 
1476 	if (result->def < 0) {
1477 		err = -EINVAL;
1478 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1479 		goto error;
1480 	}
1481 
1482 	return result;
1483  error:
1484 	kfree(result);
1485 	return ERR_PTR(err);
1486 }
1487 
1488 static int nl80211_key_allowed(struct wireless_dev *wdev)
1489 {
1490 	ASSERT_WDEV_LOCK(wdev);
1491 
1492 	switch (wdev->iftype) {
1493 	case NL80211_IFTYPE_AP:
1494 	case NL80211_IFTYPE_AP_VLAN:
1495 	case NL80211_IFTYPE_P2P_GO:
1496 	case NL80211_IFTYPE_MESH_POINT:
1497 		break;
1498 	case NL80211_IFTYPE_ADHOC:
1499 	case NL80211_IFTYPE_STATION:
1500 	case NL80211_IFTYPE_P2P_CLIENT:
1501 		if (!wdev->current_bss)
1502 			return -ENOLINK;
1503 		break;
1504 	case NL80211_IFTYPE_UNSPECIFIED:
1505 	case NL80211_IFTYPE_OCB:
1506 	case NL80211_IFTYPE_MONITOR:
1507 	case NL80211_IFTYPE_NAN:
1508 	case NL80211_IFTYPE_P2P_DEVICE:
1509 	case NL80211_IFTYPE_WDS:
1510 	case NUM_NL80211_IFTYPES:
1511 		return -EINVAL;
1512 	}
1513 
1514 	return 0;
1515 }
1516 
1517 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1518 							u32 freq)
1519 {
1520 	struct ieee80211_channel *chan;
1521 
1522 	chan = ieee80211_get_channel_khz(wiphy, freq);
1523 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1524 		return NULL;
1525 	return chan;
1526 }
1527 
1528 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1529 {
1530 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1531 	int i;
1532 
1533 	if (!nl_modes)
1534 		goto nla_put_failure;
1535 
1536 	i = 0;
1537 	while (ifmodes) {
1538 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1539 			goto nla_put_failure;
1540 		ifmodes >>= 1;
1541 		i++;
1542 	}
1543 
1544 	nla_nest_end(msg, nl_modes);
1545 	return 0;
1546 
1547 nla_put_failure:
1548 	return -ENOBUFS;
1549 }
1550 
1551 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1552 					  struct sk_buff *msg,
1553 					  bool large)
1554 {
1555 	struct nlattr *nl_combis;
1556 	int i, j;
1557 
1558 	nl_combis = nla_nest_start_noflag(msg,
1559 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1560 	if (!nl_combis)
1561 		goto nla_put_failure;
1562 
1563 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1564 		const struct ieee80211_iface_combination *c;
1565 		struct nlattr *nl_combi, *nl_limits;
1566 
1567 		c = &wiphy->iface_combinations[i];
1568 
1569 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1570 		if (!nl_combi)
1571 			goto nla_put_failure;
1572 
1573 		nl_limits = nla_nest_start_noflag(msg,
1574 						  NL80211_IFACE_COMB_LIMITS);
1575 		if (!nl_limits)
1576 			goto nla_put_failure;
1577 
1578 		for (j = 0; j < c->n_limits; j++) {
1579 			struct nlattr *nl_limit;
1580 
1581 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1582 			if (!nl_limit)
1583 				goto nla_put_failure;
1584 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1585 					c->limits[j].max))
1586 				goto nla_put_failure;
1587 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1588 						c->limits[j].types))
1589 				goto nla_put_failure;
1590 			nla_nest_end(msg, nl_limit);
1591 		}
1592 
1593 		nla_nest_end(msg, nl_limits);
1594 
1595 		if (c->beacon_int_infra_match &&
1596 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1597 			goto nla_put_failure;
1598 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1599 				c->num_different_channels) ||
1600 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1601 				c->max_interfaces))
1602 			goto nla_put_failure;
1603 		if (large &&
1604 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1605 				c->radar_detect_widths) ||
1606 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1607 				c->radar_detect_regions)))
1608 			goto nla_put_failure;
1609 		if (c->beacon_int_min_gcd &&
1610 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1611 				c->beacon_int_min_gcd))
1612 			goto nla_put_failure;
1613 
1614 		nla_nest_end(msg, nl_combi);
1615 	}
1616 
1617 	nla_nest_end(msg, nl_combis);
1618 
1619 	return 0;
1620 nla_put_failure:
1621 	return -ENOBUFS;
1622 }
1623 
1624 #ifdef CONFIG_PM
1625 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1626 					struct sk_buff *msg)
1627 {
1628 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1629 	struct nlattr *nl_tcp;
1630 
1631 	if (!tcp)
1632 		return 0;
1633 
1634 	nl_tcp = nla_nest_start_noflag(msg,
1635 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1636 	if (!nl_tcp)
1637 		return -ENOBUFS;
1638 
1639 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1640 			tcp->data_payload_max))
1641 		return -ENOBUFS;
1642 
1643 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1644 			tcp->data_payload_max))
1645 		return -ENOBUFS;
1646 
1647 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1648 		return -ENOBUFS;
1649 
1650 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1651 				sizeof(*tcp->tok), tcp->tok))
1652 		return -ENOBUFS;
1653 
1654 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1655 			tcp->data_interval_max))
1656 		return -ENOBUFS;
1657 
1658 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1659 			tcp->wake_payload_max))
1660 		return -ENOBUFS;
1661 
1662 	nla_nest_end(msg, nl_tcp);
1663 	return 0;
1664 }
1665 
1666 static int nl80211_send_wowlan(struct sk_buff *msg,
1667 			       struct cfg80211_registered_device *rdev,
1668 			       bool large)
1669 {
1670 	struct nlattr *nl_wowlan;
1671 
1672 	if (!rdev->wiphy.wowlan)
1673 		return 0;
1674 
1675 	nl_wowlan = nla_nest_start_noflag(msg,
1676 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1677 	if (!nl_wowlan)
1678 		return -ENOBUFS;
1679 
1680 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1681 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1682 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1683 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1684 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1685 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1686 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1687 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1688 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1689 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1690 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1691 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1692 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1693 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1694 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1695 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1696 		return -ENOBUFS;
1697 
1698 	if (rdev->wiphy.wowlan->n_patterns) {
1699 		struct nl80211_pattern_support pat = {
1700 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1701 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1702 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1703 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1704 		};
1705 
1706 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1707 			    sizeof(pat), &pat))
1708 			return -ENOBUFS;
1709 	}
1710 
1711 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1712 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1713 			rdev->wiphy.wowlan->max_nd_match_sets))
1714 		return -ENOBUFS;
1715 
1716 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1717 		return -ENOBUFS;
1718 
1719 	nla_nest_end(msg, nl_wowlan);
1720 
1721 	return 0;
1722 }
1723 #endif
1724 
1725 static int nl80211_send_coalesce(struct sk_buff *msg,
1726 				 struct cfg80211_registered_device *rdev)
1727 {
1728 	struct nl80211_coalesce_rule_support rule;
1729 
1730 	if (!rdev->wiphy.coalesce)
1731 		return 0;
1732 
1733 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1734 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1735 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1736 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1737 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1738 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1739 
1740 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1741 		return -ENOBUFS;
1742 
1743 	return 0;
1744 }
1745 
1746 static int
1747 nl80211_send_iftype_data(struct sk_buff *msg,
1748 			 const struct ieee80211_supported_band *sband,
1749 			 const struct ieee80211_sband_iftype_data *iftdata)
1750 {
1751 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1752 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1753 
1754 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1755 				iftdata->types_mask))
1756 		return -ENOBUFS;
1757 
1758 	if (he_cap->has_he) {
1759 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1760 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1761 			    he_cap->he_cap_elem.mac_cap_info) ||
1762 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1763 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1764 			    he_cap->he_cap_elem.phy_cap_info) ||
1765 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1766 			    sizeof(he_cap->he_mcs_nss_supp),
1767 			    &he_cap->he_mcs_nss_supp) ||
1768 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1769 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1770 			return -ENOBUFS;
1771 	}
1772 
1773 	if (eht_cap->has_eht && he_cap->has_he) {
1774 		u8 mcs_nss_size, ppe_thresh_size;
1775 		u16 ppe_thres_hdr;
1776 
1777 		mcs_nss_size =
1778 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1779 						   &eht_cap->eht_cap_elem);
1780 
1781 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1782 		ppe_thresh_size =
1783 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1784 					       eht_cap->eht_cap_elem.phy_cap_info);
1785 
1786 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1787 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1788 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1789 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1790 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1791 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1792 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1793 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1794 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1795 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1796 			return -ENOBUFS;
1797 	}
1798 
1799 	if (sband->band == NL80211_BAND_6GHZ &&
1800 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1801 		    sizeof(iftdata->he_6ghz_capa),
1802 		    &iftdata->he_6ghz_capa))
1803 		return -ENOBUFS;
1804 
1805 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1806 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1807 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1808 		return -ENOBUFS;
1809 
1810 	return 0;
1811 }
1812 
1813 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1814 				      struct ieee80211_supported_band *sband,
1815 				      bool large)
1816 {
1817 	struct nlattr *nl_rates, *nl_rate;
1818 	struct ieee80211_rate *rate;
1819 	int i;
1820 
1821 	/* add HT info */
1822 	if (sband->ht_cap.ht_supported &&
1823 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1824 		     sizeof(sband->ht_cap.mcs),
1825 		     &sband->ht_cap.mcs) ||
1826 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1827 			 sband->ht_cap.cap) ||
1828 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1829 			sband->ht_cap.ampdu_factor) ||
1830 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1831 			sband->ht_cap.ampdu_density)))
1832 		return -ENOBUFS;
1833 
1834 	/* add VHT info */
1835 	if (sband->vht_cap.vht_supported &&
1836 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1837 		     sizeof(sband->vht_cap.vht_mcs),
1838 		     &sband->vht_cap.vht_mcs) ||
1839 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1840 			 sband->vht_cap.cap)))
1841 		return -ENOBUFS;
1842 
1843 	if (large && sband->n_iftype_data) {
1844 		struct nlattr *nl_iftype_data =
1845 			nla_nest_start_noflag(msg,
1846 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1847 		int err;
1848 
1849 		if (!nl_iftype_data)
1850 			return -ENOBUFS;
1851 
1852 		for (i = 0; i < sband->n_iftype_data; i++) {
1853 			struct nlattr *iftdata;
1854 
1855 			iftdata = nla_nest_start_noflag(msg, i + 1);
1856 			if (!iftdata)
1857 				return -ENOBUFS;
1858 
1859 			err = nl80211_send_iftype_data(msg, sband,
1860 						       &sband->iftype_data[i]);
1861 			if (err)
1862 				return err;
1863 
1864 			nla_nest_end(msg, iftdata);
1865 		}
1866 
1867 		nla_nest_end(msg, nl_iftype_data);
1868 	}
1869 
1870 	/* add EDMG info */
1871 	if (large && sband->edmg_cap.channels &&
1872 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1873 		       sband->edmg_cap.channels) ||
1874 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1875 		       sband->edmg_cap.bw_config)))
1876 
1877 		return -ENOBUFS;
1878 
1879 	/* add bitrates */
1880 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1881 	if (!nl_rates)
1882 		return -ENOBUFS;
1883 
1884 	for (i = 0; i < sband->n_bitrates; i++) {
1885 		nl_rate = nla_nest_start_noflag(msg, i);
1886 		if (!nl_rate)
1887 			return -ENOBUFS;
1888 
1889 		rate = &sband->bitrates[i];
1890 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1891 				rate->bitrate))
1892 			return -ENOBUFS;
1893 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1894 		    nla_put_flag(msg,
1895 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1896 			return -ENOBUFS;
1897 
1898 		nla_nest_end(msg, nl_rate);
1899 	}
1900 
1901 	nla_nest_end(msg, nl_rates);
1902 
1903 	return 0;
1904 }
1905 
1906 static int
1907 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1908 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1909 {
1910 	u16 stypes;
1911 	struct nlattr *nl_ftypes, *nl_ifs;
1912 	enum nl80211_iftype ift;
1913 	int i;
1914 
1915 	if (!mgmt_stypes)
1916 		return 0;
1917 
1918 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1919 	if (!nl_ifs)
1920 		return -ENOBUFS;
1921 
1922 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1923 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1924 		if (!nl_ftypes)
1925 			return -ENOBUFS;
1926 		i = 0;
1927 		stypes = mgmt_stypes[ift].tx;
1928 		while (stypes) {
1929 			if ((stypes & 1) &&
1930 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1931 					(i << 4) | IEEE80211_FTYPE_MGMT))
1932 				return -ENOBUFS;
1933 			stypes >>= 1;
1934 			i++;
1935 		}
1936 		nla_nest_end(msg, nl_ftypes);
1937 	}
1938 
1939 	nla_nest_end(msg, nl_ifs);
1940 
1941 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1942 	if (!nl_ifs)
1943 		return -ENOBUFS;
1944 
1945 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1946 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1947 		if (!nl_ftypes)
1948 			return -ENOBUFS;
1949 		i = 0;
1950 		stypes = mgmt_stypes[ift].rx;
1951 		while (stypes) {
1952 			if ((stypes & 1) &&
1953 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1954 					(i << 4) | IEEE80211_FTYPE_MGMT))
1955 				return -ENOBUFS;
1956 			stypes >>= 1;
1957 			i++;
1958 		}
1959 		nla_nest_end(msg, nl_ftypes);
1960 	}
1961 	nla_nest_end(msg, nl_ifs);
1962 
1963 	return 0;
1964 }
1965 
1966 #define CMD(op, n)							\
1967 	 do {								\
1968 		if (rdev->ops->op) {					\
1969 			i++;						\
1970 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1971 				goto nla_put_failure;			\
1972 		}							\
1973 	} while (0)
1974 
1975 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1976 					struct sk_buff *msg)
1977 {
1978 	int i = 0;
1979 
1980 	/*
1981 	 * do *NOT* add anything into this function, new things need to be
1982 	 * advertised only to new versions of userspace that can deal with
1983 	 * the split (and they can't possibly care about new features...
1984 	 */
1985 	CMD(add_virtual_intf, NEW_INTERFACE);
1986 	CMD(change_virtual_intf, SET_INTERFACE);
1987 	CMD(add_key, NEW_KEY);
1988 	CMD(start_ap, START_AP);
1989 	CMD(add_station, NEW_STATION);
1990 	CMD(add_mpath, NEW_MPATH);
1991 	CMD(update_mesh_config, SET_MESH_CONFIG);
1992 	CMD(change_bss, SET_BSS);
1993 	CMD(auth, AUTHENTICATE);
1994 	CMD(assoc, ASSOCIATE);
1995 	CMD(deauth, DEAUTHENTICATE);
1996 	CMD(disassoc, DISASSOCIATE);
1997 	CMD(join_ibss, JOIN_IBSS);
1998 	CMD(join_mesh, JOIN_MESH);
1999 	CMD(set_pmksa, SET_PMKSA);
2000 	CMD(del_pmksa, DEL_PMKSA);
2001 	CMD(flush_pmksa, FLUSH_PMKSA);
2002 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2003 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2004 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2005 	CMD(mgmt_tx, FRAME);
2006 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2007 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2008 		i++;
2009 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2010 			goto nla_put_failure;
2011 	}
2012 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2013 	    rdev->ops->join_mesh) {
2014 		i++;
2015 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2016 			goto nla_put_failure;
2017 	}
2018 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2019 		CMD(tdls_mgmt, TDLS_MGMT);
2020 		CMD(tdls_oper, TDLS_OPER);
2021 	}
2022 	if (rdev->wiphy.max_sched_scan_reqs)
2023 		CMD(sched_scan_start, START_SCHED_SCAN);
2024 	CMD(probe_client, PROBE_CLIENT);
2025 	CMD(set_noack_map, SET_NOACK_MAP);
2026 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2027 		i++;
2028 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2029 			goto nla_put_failure;
2030 	}
2031 	CMD(start_p2p_device, START_P2P_DEVICE);
2032 	CMD(set_mcast_rate, SET_MCAST_RATE);
2033 #ifdef CONFIG_NL80211_TESTMODE
2034 	CMD(testmode_cmd, TESTMODE);
2035 #endif
2036 
2037 	if (rdev->ops->connect || rdev->ops->auth) {
2038 		i++;
2039 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2040 			goto nla_put_failure;
2041 	}
2042 
2043 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2044 		i++;
2045 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2046 			goto nla_put_failure;
2047 	}
2048 
2049 	return i;
2050  nla_put_failure:
2051 	return -ENOBUFS;
2052 }
2053 
2054 static int
2055 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2056 			   struct sk_buff *msg)
2057 {
2058 	struct nlattr *ftm;
2059 
2060 	if (!cap->ftm.supported)
2061 		return 0;
2062 
2063 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2064 	if (!ftm)
2065 		return -ENOBUFS;
2066 
2067 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2068 		return -ENOBUFS;
2069 	if (cap->ftm.non_asap &&
2070 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2071 		return -ENOBUFS;
2072 	if (cap->ftm.request_lci &&
2073 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2074 		return -ENOBUFS;
2075 	if (cap->ftm.request_civicloc &&
2076 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2077 		return -ENOBUFS;
2078 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2079 			cap->ftm.preambles))
2080 		return -ENOBUFS;
2081 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2082 			cap->ftm.bandwidths))
2083 		return -ENOBUFS;
2084 	if (cap->ftm.max_bursts_exponent >= 0 &&
2085 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2086 			cap->ftm.max_bursts_exponent))
2087 		return -ENOBUFS;
2088 	if (cap->ftm.max_ftms_per_burst &&
2089 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2090 			cap->ftm.max_ftms_per_burst))
2091 		return -ENOBUFS;
2092 	if (cap->ftm.trigger_based &&
2093 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2094 		return -ENOBUFS;
2095 	if (cap->ftm.non_trigger_based &&
2096 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2097 		return -ENOBUFS;
2098 
2099 	nla_nest_end(msg, ftm);
2100 	return 0;
2101 }
2102 
2103 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2104 				  struct sk_buff *msg)
2105 {
2106 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2107 	struct nlattr *pmsr, *caps;
2108 
2109 	if (!cap)
2110 		return 0;
2111 
2112 	/*
2113 	 * we don't need to clean up anything here since the caller
2114 	 * will genlmsg_cancel() if we fail
2115 	 */
2116 
2117 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2118 	if (!pmsr)
2119 		return -ENOBUFS;
2120 
2121 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2122 		return -ENOBUFS;
2123 
2124 	if (cap->report_ap_tsf &&
2125 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2126 		return -ENOBUFS;
2127 
2128 	if (cap->randomize_mac_addr &&
2129 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2130 		return -ENOBUFS;
2131 
2132 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2133 	if (!caps)
2134 		return -ENOBUFS;
2135 
2136 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2137 		return -ENOBUFS;
2138 
2139 	nla_nest_end(msg, caps);
2140 	nla_nest_end(msg, pmsr);
2141 
2142 	return 0;
2143 }
2144 
2145 static int
2146 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2147 			      struct sk_buff *msg)
2148 {
2149 	int i;
2150 	struct nlattr *nested, *nested_akms;
2151 	const struct wiphy_iftype_akm_suites *iftype_akms;
2152 
2153 	if (!rdev->wiphy.num_iftype_akm_suites ||
2154 	    !rdev->wiphy.iftype_akm_suites)
2155 		return 0;
2156 
2157 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2158 	if (!nested)
2159 		return -ENOBUFS;
2160 
2161 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2162 		nested_akms = nla_nest_start(msg, i + 1);
2163 		if (!nested_akms)
2164 			return -ENOBUFS;
2165 
2166 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2167 
2168 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2169 					iftype_akms->iftypes_mask))
2170 			return -ENOBUFS;
2171 
2172 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2173 			    sizeof(u32) * iftype_akms->n_akm_suites,
2174 			    iftype_akms->akm_suites)) {
2175 			return -ENOBUFS;
2176 		}
2177 		nla_nest_end(msg, nested_akms);
2178 	}
2179 
2180 	nla_nest_end(msg, nested);
2181 
2182 	return 0;
2183 }
2184 
2185 static int
2186 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2187 			       struct sk_buff *msg)
2188 {
2189 	struct nlattr *supp;
2190 
2191 	if (!rdev->wiphy.tid_config_support.vif &&
2192 	    !rdev->wiphy.tid_config_support.peer)
2193 		return 0;
2194 
2195 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2196 	if (!supp)
2197 		return -ENOSPC;
2198 
2199 	if (rdev->wiphy.tid_config_support.vif &&
2200 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2201 			      rdev->wiphy.tid_config_support.vif,
2202 			      NL80211_TID_CONFIG_ATTR_PAD))
2203 		goto fail;
2204 
2205 	if (rdev->wiphy.tid_config_support.peer &&
2206 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2207 			      rdev->wiphy.tid_config_support.peer,
2208 			      NL80211_TID_CONFIG_ATTR_PAD))
2209 		goto fail;
2210 
2211 	/* for now we just use the same value ... makes more sense */
2212 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2213 		       rdev->wiphy.tid_config_support.max_retry))
2214 		goto fail;
2215 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2216 		       rdev->wiphy.tid_config_support.max_retry))
2217 		goto fail;
2218 
2219 	nla_nest_end(msg, supp);
2220 
2221 	return 0;
2222 fail:
2223 	nla_nest_cancel(msg, supp);
2224 	return -ENOBUFS;
2225 }
2226 
2227 static int
2228 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2229 		      struct sk_buff *msg)
2230 {
2231 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2232 	u8 num_freq_ranges;
2233 	int i;
2234 
2235 	if (!rdev->wiphy.sar_capa)
2236 		return 0;
2237 
2238 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2239 
2240 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2241 	if (!sar_capa)
2242 		return -ENOSPC;
2243 
2244 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2245 		goto fail;
2246 
2247 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2248 	if (!specs)
2249 		goto fail;
2250 
2251 	/* report supported freq_ranges */
2252 	for (i = 0; i < num_freq_ranges; i++) {
2253 		sub_freq_range = nla_nest_start(msg, i + 1);
2254 		if (!sub_freq_range)
2255 			goto fail;
2256 
2257 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2258 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2259 			goto fail;
2260 
2261 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2262 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2263 			goto fail;
2264 
2265 		nla_nest_end(msg, sub_freq_range);
2266 	}
2267 
2268 	nla_nest_end(msg, specs);
2269 	nla_nest_end(msg, sar_capa);
2270 
2271 	return 0;
2272 fail:
2273 	nla_nest_cancel(msg, sar_capa);
2274 	return -ENOBUFS;
2275 }
2276 
2277 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2278 {
2279 	struct nlattr *config;
2280 
2281 	if (!wiphy->mbssid_max_interfaces)
2282 		return 0;
2283 
2284 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2285 	if (!config)
2286 		return -ENOBUFS;
2287 
2288 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2289 		       wiphy->mbssid_max_interfaces))
2290 		goto fail;
2291 
2292 	if (wiphy->ema_max_profile_periodicity &&
2293 	    nla_put_u8(msg,
2294 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2295 		       wiphy->ema_max_profile_periodicity))
2296 		goto fail;
2297 
2298 	nla_nest_end(msg, config);
2299 	return 0;
2300 
2301 fail:
2302 	nla_nest_cancel(msg, config);
2303 	return -ENOBUFS;
2304 }
2305 
2306 struct nl80211_dump_wiphy_state {
2307 	s64 filter_wiphy;
2308 	long start;
2309 	long split_start, band_start, chan_start, capa_start;
2310 	bool split;
2311 };
2312 
2313 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2314 			      enum nl80211_commands cmd,
2315 			      struct sk_buff *msg, u32 portid, u32 seq,
2316 			      int flags, struct nl80211_dump_wiphy_state *state)
2317 {
2318 	void *hdr;
2319 	struct nlattr *nl_bands, *nl_band;
2320 	struct nlattr *nl_freqs, *nl_freq;
2321 	struct nlattr *nl_cmds;
2322 	enum nl80211_band band;
2323 	struct ieee80211_channel *chan;
2324 	int i;
2325 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2326 				rdev->wiphy.mgmt_stypes;
2327 	u32 features;
2328 
2329 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2330 	if (!hdr)
2331 		return -ENOBUFS;
2332 
2333 	if (WARN_ON(!state))
2334 		return -EINVAL;
2335 
2336 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2337 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2338 			   wiphy_name(&rdev->wiphy)) ||
2339 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2340 			cfg80211_rdev_list_generation))
2341 		goto nla_put_failure;
2342 
2343 	if (cmd != NL80211_CMD_NEW_WIPHY)
2344 		goto finish;
2345 
2346 	switch (state->split_start) {
2347 	case 0:
2348 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2349 			       rdev->wiphy.retry_short) ||
2350 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2351 			       rdev->wiphy.retry_long) ||
2352 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2353 				rdev->wiphy.frag_threshold) ||
2354 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2355 				rdev->wiphy.rts_threshold) ||
2356 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2357 			       rdev->wiphy.coverage_class) ||
2358 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2359 			       rdev->wiphy.max_scan_ssids) ||
2360 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2361 			       rdev->wiphy.max_sched_scan_ssids) ||
2362 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2363 				rdev->wiphy.max_scan_ie_len) ||
2364 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2365 				rdev->wiphy.max_sched_scan_ie_len) ||
2366 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2367 			       rdev->wiphy.max_match_sets))
2368 			goto nla_put_failure;
2369 
2370 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2371 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2372 			goto nla_put_failure;
2373 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2374 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2375 			goto nla_put_failure;
2376 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2377 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2378 			goto nla_put_failure;
2379 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2380 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2381 			goto nla_put_failure;
2382 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2383 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2384 			goto nla_put_failure;
2385 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2386 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2387 			goto nla_put_failure;
2388 		state->split_start++;
2389 		if (state->split)
2390 			break;
2391 		fallthrough;
2392 	case 1:
2393 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2394 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2395 			    rdev->wiphy.cipher_suites))
2396 			goto nla_put_failure;
2397 
2398 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2399 			       rdev->wiphy.max_num_pmkids))
2400 			goto nla_put_failure;
2401 
2402 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2403 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2404 			goto nla_put_failure;
2405 
2406 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2407 				rdev->wiphy.available_antennas_tx) ||
2408 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2409 				rdev->wiphy.available_antennas_rx))
2410 			goto nla_put_failure;
2411 
2412 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2413 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2414 				rdev->wiphy.probe_resp_offload))
2415 			goto nla_put_failure;
2416 
2417 		if ((rdev->wiphy.available_antennas_tx ||
2418 		     rdev->wiphy.available_antennas_rx) &&
2419 		    rdev->ops->get_antenna) {
2420 			u32 tx_ant = 0, rx_ant = 0;
2421 			int res;
2422 
2423 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2424 			if (!res) {
2425 				if (nla_put_u32(msg,
2426 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2427 						tx_ant) ||
2428 				    nla_put_u32(msg,
2429 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2430 						rx_ant))
2431 					goto nla_put_failure;
2432 			}
2433 		}
2434 
2435 		state->split_start++;
2436 		if (state->split)
2437 			break;
2438 		fallthrough;
2439 	case 2:
2440 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2441 					rdev->wiphy.interface_modes))
2442 				goto nla_put_failure;
2443 		state->split_start++;
2444 		if (state->split)
2445 			break;
2446 		fallthrough;
2447 	case 3:
2448 		nl_bands = nla_nest_start_noflag(msg,
2449 						 NL80211_ATTR_WIPHY_BANDS);
2450 		if (!nl_bands)
2451 			goto nla_put_failure;
2452 
2453 		for (band = state->band_start;
2454 		     band < (state->split ?
2455 				NUM_NL80211_BANDS :
2456 				NL80211_BAND_60GHZ + 1);
2457 		     band++) {
2458 			struct ieee80211_supported_band *sband;
2459 
2460 			/* omit higher bands for ancient software */
2461 			if (band > NL80211_BAND_5GHZ && !state->split)
2462 				break;
2463 
2464 			sband = rdev->wiphy.bands[band];
2465 
2466 			if (!sband)
2467 				continue;
2468 
2469 			nl_band = nla_nest_start_noflag(msg, band);
2470 			if (!nl_band)
2471 				goto nla_put_failure;
2472 
2473 			switch (state->chan_start) {
2474 			case 0:
2475 				if (nl80211_send_band_rateinfo(msg, sband,
2476 							       state->split))
2477 					goto nla_put_failure;
2478 				state->chan_start++;
2479 				if (state->split)
2480 					break;
2481 				fallthrough;
2482 			default:
2483 				/* add frequencies */
2484 				nl_freqs = nla_nest_start_noflag(msg,
2485 								 NL80211_BAND_ATTR_FREQS);
2486 				if (!nl_freqs)
2487 					goto nla_put_failure;
2488 
2489 				for (i = state->chan_start - 1;
2490 				     i < sband->n_channels;
2491 				     i++) {
2492 					nl_freq = nla_nest_start_noflag(msg,
2493 									i);
2494 					if (!nl_freq)
2495 						goto nla_put_failure;
2496 
2497 					chan = &sband->channels[i];
2498 
2499 					if (nl80211_msg_put_channel(
2500 							msg, &rdev->wiphy, chan,
2501 							state->split))
2502 						goto nla_put_failure;
2503 
2504 					nla_nest_end(msg, nl_freq);
2505 					if (state->split)
2506 						break;
2507 				}
2508 				if (i < sband->n_channels)
2509 					state->chan_start = i + 2;
2510 				else
2511 					state->chan_start = 0;
2512 				nla_nest_end(msg, nl_freqs);
2513 			}
2514 
2515 			nla_nest_end(msg, nl_band);
2516 
2517 			if (state->split) {
2518 				/* start again here */
2519 				if (state->chan_start)
2520 					band--;
2521 				break;
2522 			}
2523 		}
2524 		nla_nest_end(msg, nl_bands);
2525 
2526 		if (band < NUM_NL80211_BANDS)
2527 			state->band_start = band + 1;
2528 		else
2529 			state->band_start = 0;
2530 
2531 		/* if bands & channels are done, continue outside */
2532 		if (state->band_start == 0 && state->chan_start == 0)
2533 			state->split_start++;
2534 		if (state->split)
2535 			break;
2536 		fallthrough;
2537 	case 4:
2538 		nl_cmds = nla_nest_start_noflag(msg,
2539 						NL80211_ATTR_SUPPORTED_COMMANDS);
2540 		if (!nl_cmds)
2541 			goto nla_put_failure;
2542 
2543 		i = nl80211_add_commands_unsplit(rdev, msg);
2544 		if (i < 0)
2545 			goto nla_put_failure;
2546 		if (state->split) {
2547 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2548 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2549 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2550 				CMD(channel_switch, CHANNEL_SWITCH);
2551 			CMD(set_qos_map, SET_QOS_MAP);
2552 			if (rdev->wiphy.features &
2553 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2554 				CMD(add_tx_ts, ADD_TX_TS);
2555 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2556 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2557 			CMD(update_ft_ies, UPDATE_FT_IES);
2558 			if (rdev->wiphy.sar_capa)
2559 				CMD(set_sar_specs, SET_SAR_SPECS);
2560 		}
2561 #undef CMD
2562 
2563 		nla_nest_end(msg, nl_cmds);
2564 		state->split_start++;
2565 		if (state->split)
2566 			break;
2567 		fallthrough;
2568 	case 5:
2569 		if (rdev->ops->remain_on_channel &&
2570 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2571 		    nla_put_u32(msg,
2572 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2573 				rdev->wiphy.max_remain_on_channel_duration))
2574 			goto nla_put_failure;
2575 
2576 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2577 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2578 			goto nla_put_failure;
2579 
2580 		state->split_start++;
2581 		if (state->split)
2582 			break;
2583 		fallthrough;
2584 	case 6:
2585 #ifdef CONFIG_PM
2586 		if (nl80211_send_wowlan(msg, rdev, state->split))
2587 			goto nla_put_failure;
2588 		state->split_start++;
2589 		if (state->split)
2590 			break;
2591 #else
2592 		state->split_start++;
2593 #endif
2594 		fallthrough;
2595 	case 7:
2596 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2597 					rdev->wiphy.software_iftypes))
2598 			goto nla_put_failure;
2599 
2600 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2601 						   state->split))
2602 			goto nla_put_failure;
2603 
2604 		state->split_start++;
2605 		if (state->split)
2606 			break;
2607 		fallthrough;
2608 	case 8:
2609 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2610 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2611 				rdev->wiphy.ap_sme_capa))
2612 			goto nla_put_failure;
2613 
2614 		features = rdev->wiphy.features;
2615 		/*
2616 		 * We can only add the per-channel limit information if the
2617 		 * dump is split, otherwise it makes it too big. Therefore
2618 		 * only advertise it in that case.
2619 		 */
2620 		if (state->split)
2621 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2622 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2623 			goto nla_put_failure;
2624 
2625 		if (rdev->wiphy.ht_capa_mod_mask &&
2626 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2627 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2628 			    rdev->wiphy.ht_capa_mod_mask))
2629 			goto nla_put_failure;
2630 
2631 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2632 		    rdev->wiphy.max_acl_mac_addrs &&
2633 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2634 				rdev->wiphy.max_acl_mac_addrs))
2635 			goto nla_put_failure;
2636 
2637 		/*
2638 		 * Any information below this point is only available to
2639 		 * applications that can deal with it being split. This
2640 		 * helps ensure that newly added capabilities don't break
2641 		 * older tools by overrunning their buffers.
2642 		 *
2643 		 * We still increment split_start so that in the split
2644 		 * case we'll continue with more data in the next round,
2645 		 * but break unconditionally so unsplit data stops here.
2646 		 */
2647 		if (state->split)
2648 			state->split_start++;
2649 		else
2650 			state->split_start = 0;
2651 		break;
2652 	case 9:
2653 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2654 			goto nla_put_failure;
2655 
2656 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2657 				rdev->wiphy.max_sched_scan_plans) ||
2658 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2659 				rdev->wiphy.max_sched_scan_plan_interval) ||
2660 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2661 				rdev->wiphy.max_sched_scan_plan_iterations))
2662 			goto nla_put_failure;
2663 
2664 		if (rdev->wiphy.extended_capabilities &&
2665 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2666 			     rdev->wiphy.extended_capabilities_len,
2667 			     rdev->wiphy.extended_capabilities) ||
2668 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2669 			     rdev->wiphy.extended_capabilities_len,
2670 			     rdev->wiphy.extended_capabilities_mask)))
2671 			goto nla_put_failure;
2672 
2673 		if (rdev->wiphy.vht_capa_mod_mask &&
2674 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2675 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2676 			    rdev->wiphy.vht_capa_mod_mask))
2677 			goto nla_put_failure;
2678 
2679 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2680 			    rdev->wiphy.perm_addr))
2681 			goto nla_put_failure;
2682 
2683 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2684 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2685 			    rdev->wiphy.addr_mask))
2686 			goto nla_put_failure;
2687 
2688 		if (rdev->wiphy.n_addresses > 1) {
2689 			void *attr;
2690 
2691 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2692 			if (!attr)
2693 				goto nla_put_failure;
2694 
2695 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2696 				if (nla_put(msg, i + 1, ETH_ALEN,
2697 					    rdev->wiphy.addresses[i].addr))
2698 					goto nla_put_failure;
2699 
2700 			nla_nest_end(msg, attr);
2701 		}
2702 
2703 		state->split_start++;
2704 		break;
2705 	case 10:
2706 		if (nl80211_send_coalesce(msg, rdev))
2707 			goto nla_put_failure;
2708 
2709 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2710 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2711 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2712 			goto nla_put_failure;
2713 
2714 		if (rdev->wiphy.max_ap_assoc_sta &&
2715 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2716 				rdev->wiphy.max_ap_assoc_sta))
2717 			goto nla_put_failure;
2718 
2719 		state->split_start++;
2720 		break;
2721 	case 11:
2722 		if (rdev->wiphy.n_vendor_commands) {
2723 			const struct nl80211_vendor_cmd_info *info;
2724 			struct nlattr *nested;
2725 
2726 			nested = nla_nest_start_noflag(msg,
2727 						       NL80211_ATTR_VENDOR_DATA);
2728 			if (!nested)
2729 				goto nla_put_failure;
2730 
2731 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2732 				info = &rdev->wiphy.vendor_commands[i].info;
2733 				if (nla_put(msg, i + 1, sizeof(*info), info))
2734 					goto nla_put_failure;
2735 			}
2736 			nla_nest_end(msg, nested);
2737 		}
2738 
2739 		if (rdev->wiphy.n_vendor_events) {
2740 			const struct nl80211_vendor_cmd_info *info;
2741 			struct nlattr *nested;
2742 
2743 			nested = nla_nest_start_noflag(msg,
2744 						       NL80211_ATTR_VENDOR_EVENTS);
2745 			if (!nested)
2746 				goto nla_put_failure;
2747 
2748 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2749 				info = &rdev->wiphy.vendor_events[i];
2750 				if (nla_put(msg, i + 1, sizeof(*info), info))
2751 					goto nla_put_failure;
2752 			}
2753 			nla_nest_end(msg, nested);
2754 		}
2755 		state->split_start++;
2756 		break;
2757 	case 12:
2758 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2759 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2760 			       rdev->wiphy.max_num_csa_counters))
2761 			goto nla_put_failure;
2762 
2763 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2764 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2765 			goto nla_put_failure;
2766 
2767 		if (rdev->wiphy.max_sched_scan_reqs &&
2768 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2769 				rdev->wiphy.max_sched_scan_reqs))
2770 			goto nla_put_failure;
2771 
2772 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2773 			    sizeof(rdev->wiphy.ext_features),
2774 			    rdev->wiphy.ext_features))
2775 			goto nla_put_failure;
2776 
2777 		if (rdev->wiphy.bss_select_support) {
2778 			struct nlattr *nested;
2779 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2780 
2781 			nested = nla_nest_start_noflag(msg,
2782 						       NL80211_ATTR_BSS_SELECT);
2783 			if (!nested)
2784 				goto nla_put_failure;
2785 
2786 			i = 0;
2787 			while (bss_select_support) {
2788 				if ((bss_select_support & 1) &&
2789 				    nla_put_flag(msg, i))
2790 					goto nla_put_failure;
2791 				i++;
2792 				bss_select_support >>= 1;
2793 			}
2794 			nla_nest_end(msg, nested);
2795 		}
2796 
2797 		state->split_start++;
2798 		break;
2799 	case 13:
2800 		if (rdev->wiphy.num_iftype_ext_capab &&
2801 		    rdev->wiphy.iftype_ext_capab) {
2802 			struct nlattr *nested_ext_capab, *nested;
2803 
2804 			nested = nla_nest_start_noflag(msg,
2805 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2806 			if (!nested)
2807 				goto nla_put_failure;
2808 
2809 			for (i = state->capa_start;
2810 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2811 				const struct wiphy_iftype_ext_capab *capab;
2812 
2813 				capab = &rdev->wiphy.iftype_ext_capab[i];
2814 
2815 				nested_ext_capab = nla_nest_start_noflag(msg,
2816 									 i);
2817 				if (!nested_ext_capab ||
2818 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2819 						capab->iftype) ||
2820 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2821 					    capab->extended_capabilities_len,
2822 					    capab->extended_capabilities) ||
2823 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2824 					    capab->extended_capabilities_len,
2825 					    capab->extended_capabilities_mask))
2826 					goto nla_put_failure;
2827 
2828 				nla_nest_end(msg, nested_ext_capab);
2829 				if (state->split)
2830 					break;
2831 			}
2832 			nla_nest_end(msg, nested);
2833 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2834 				state->capa_start = i + 1;
2835 				break;
2836 			}
2837 		}
2838 
2839 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2840 				rdev->wiphy.nan_supported_bands))
2841 			goto nla_put_failure;
2842 
2843 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2844 					    NL80211_EXT_FEATURE_TXQS)) {
2845 			struct cfg80211_txq_stats txqstats = {};
2846 			int res;
2847 
2848 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2849 			if (!res &&
2850 			    !nl80211_put_txq_stats(msg, &txqstats,
2851 						   NL80211_ATTR_TXQ_STATS))
2852 				goto nla_put_failure;
2853 
2854 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2855 					rdev->wiphy.txq_limit))
2856 				goto nla_put_failure;
2857 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2858 					rdev->wiphy.txq_memory_limit))
2859 				goto nla_put_failure;
2860 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2861 					rdev->wiphy.txq_quantum))
2862 				goto nla_put_failure;
2863 		}
2864 
2865 		state->split_start++;
2866 		break;
2867 	case 14:
2868 		if (nl80211_send_pmsr_capa(rdev, msg))
2869 			goto nla_put_failure;
2870 
2871 		state->split_start++;
2872 		break;
2873 	case 15:
2874 		if (rdev->wiphy.akm_suites &&
2875 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2876 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2877 			    rdev->wiphy.akm_suites))
2878 			goto nla_put_failure;
2879 
2880 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2881 			goto nla_put_failure;
2882 
2883 		if (nl80211_put_tid_config_support(rdev, msg))
2884 			goto nla_put_failure;
2885 		state->split_start++;
2886 		break;
2887 	case 16:
2888 		if (nl80211_put_sar_specs(rdev, msg))
2889 			goto nla_put_failure;
2890 
2891 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2892 			goto nla_put_failure;
2893 
2894 		/* done */
2895 		state->split_start = 0;
2896 		break;
2897 	}
2898  finish:
2899 	genlmsg_end(msg, hdr);
2900 	return 0;
2901 
2902  nla_put_failure:
2903 	genlmsg_cancel(msg, hdr);
2904 	return -EMSGSIZE;
2905 }
2906 
2907 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2908 				    struct netlink_callback *cb,
2909 				    struct nl80211_dump_wiphy_state *state)
2910 {
2911 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2912 	int ret;
2913 
2914 	if (!tb)
2915 		return -ENOMEM;
2916 
2917 	ret = nlmsg_parse_deprecated(cb->nlh,
2918 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2919 				     tb, nl80211_fam.maxattr,
2920 				     nl80211_policy, NULL);
2921 	/* ignore parse errors for backward compatibility */
2922 	if (ret) {
2923 		ret = 0;
2924 		goto out;
2925 	}
2926 
2927 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2928 	if (tb[NL80211_ATTR_WIPHY])
2929 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2930 	if (tb[NL80211_ATTR_WDEV])
2931 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2932 	if (tb[NL80211_ATTR_IFINDEX]) {
2933 		struct net_device *netdev;
2934 		struct cfg80211_registered_device *rdev;
2935 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2936 
2937 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2938 		if (!netdev) {
2939 			ret = -ENODEV;
2940 			goto out;
2941 		}
2942 		if (netdev->ieee80211_ptr) {
2943 			rdev = wiphy_to_rdev(
2944 				netdev->ieee80211_ptr->wiphy);
2945 			state->filter_wiphy = rdev->wiphy_idx;
2946 		}
2947 	}
2948 
2949 	ret = 0;
2950 out:
2951 	kfree(tb);
2952 	return ret;
2953 }
2954 
2955 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2956 {
2957 	int idx = 0, ret;
2958 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2959 	struct cfg80211_registered_device *rdev;
2960 
2961 	rtnl_lock();
2962 	if (!state) {
2963 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2964 		if (!state) {
2965 			rtnl_unlock();
2966 			return -ENOMEM;
2967 		}
2968 		state->filter_wiphy = -1;
2969 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2970 		if (ret) {
2971 			kfree(state);
2972 			rtnl_unlock();
2973 			return ret;
2974 		}
2975 		cb->args[0] = (long)state;
2976 	}
2977 
2978 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2979 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2980 			continue;
2981 		if (++idx <= state->start)
2982 			continue;
2983 		if (state->filter_wiphy != -1 &&
2984 		    state->filter_wiphy != rdev->wiphy_idx)
2985 			continue;
2986 		/* attempt to fit multiple wiphy data chunks into the skb */
2987 		do {
2988 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2989 						 skb,
2990 						 NETLINK_CB(cb->skb).portid,
2991 						 cb->nlh->nlmsg_seq,
2992 						 NLM_F_MULTI, state);
2993 			if (ret < 0) {
2994 				/*
2995 				 * If sending the wiphy data didn't fit (ENOBUFS
2996 				 * or EMSGSIZE returned), this SKB is still
2997 				 * empty (so it's not too big because another
2998 				 * wiphy dataset is already in the skb) and
2999 				 * we've not tried to adjust the dump allocation
3000 				 * yet ... then adjust the alloc size to be
3001 				 * bigger, and return 1 but with the empty skb.
3002 				 * This results in an empty message being RX'ed
3003 				 * in userspace, but that is ignored.
3004 				 *
3005 				 * We can then retry with the larger buffer.
3006 				 */
3007 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3008 				    !skb->len && !state->split &&
3009 				    cb->min_dump_alloc < 4096) {
3010 					cb->min_dump_alloc = 4096;
3011 					state->split_start = 0;
3012 					rtnl_unlock();
3013 					return 1;
3014 				}
3015 				idx--;
3016 				break;
3017 			}
3018 		} while (state->split_start > 0);
3019 		break;
3020 	}
3021 	rtnl_unlock();
3022 
3023 	state->start = idx;
3024 
3025 	return skb->len;
3026 }
3027 
3028 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3029 {
3030 	kfree((void *)cb->args[0]);
3031 	return 0;
3032 }
3033 
3034 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3035 {
3036 	struct sk_buff *msg;
3037 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3038 	struct nl80211_dump_wiphy_state state = {};
3039 
3040 	msg = nlmsg_new(4096, GFP_KERNEL);
3041 	if (!msg)
3042 		return -ENOMEM;
3043 
3044 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3045 			       info->snd_portid, info->snd_seq, 0,
3046 			       &state) < 0) {
3047 		nlmsg_free(msg);
3048 		return -ENOBUFS;
3049 	}
3050 
3051 	return genlmsg_reply(msg, info);
3052 }
3053 
3054 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3055 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3056 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3057 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3058 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3059 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3060 };
3061 
3062 static int parse_txq_params(struct nlattr *tb[],
3063 			    struct ieee80211_txq_params *txq_params)
3064 {
3065 	u8 ac;
3066 
3067 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3068 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3069 	    !tb[NL80211_TXQ_ATTR_AIFS])
3070 		return -EINVAL;
3071 
3072 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3073 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3074 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3075 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3076 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3077 
3078 	if (ac >= NL80211_NUM_ACS)
3079 		return -EINVAL;
3080 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3081 	return 0;
3082 }
3083 
3084 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3085 {
3086 	/*
3087 	 * You can only set the channel explicitly for some interfaces,
3088 	 * most have their channel managed via their respective
3089 	 * "establish a connection" command (connect, join, ...)
3090 	 *
3091 	 * For AP/GO and mesh mode, the channel can be set with the
3092 	 * channel userspace API, but is only stored and passed to the
3093 	 * low-level driver when the AP starts or the mesh is joined.
3094 	 * This is for backward compatibility, userspace can also give
3095 	 * the channel in the start-ap or join-mesh commands instead.
3096 	 *
3097 	 * Monitors are special as they are normally slaved to
3098 	 * whatever else is going on, so they have their own special
3099 	 * operation to set the monitor channel if possible.
3100 	 */
3101 	return !wdev ||
3102 		wdev->iftype == NL80211_IFTYPE_AP ||
3103 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3104 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3105 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3106 }
3107 
3108 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3109 			  struct genl_info *info,
3110 			  struct cfg80211_chan_def *chandef)
3111 {
3112 	struct netlink_ext_ack *extack = info->extack;
3113 	struct nlattr **attrs = info->attrs;
3114 	u32 control_freq;
3115 
3116 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3117 		return -EINVAL;
3118 
3119 	control_freq = MHZ_TO_KHZ(
3120 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3121 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3122 		control_freq +=
3123 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3124 
3125 	memset(chandef, 0, sizeof(*chandef));
3126 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3127 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3128 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3129 	chandef->freq1_offset = control_freq % 1000;
3130 	chandef->center_freq2 = 0;
3131 
3132 	/* Primary channel not allowed */
3133 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3134 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3135 				    "Channel is disabled");
3136 		return -EINVAL;
3137 	}
3138 
3139 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3140 		enum nl80211_channel_type chantype;
3141 
3142 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3143 
3144 		switch (chantype) {
3145 		case NL80211_CHAN_NO_HT:
3146 		case NL80211_CHAN_HT20:
3147 		case NL80211_CHAN_HT40PLUS:
3148 		case NL80211_CHAN_HT40MINUS:
3149 			cfg80211_chandef_create(chandef, chandef->chan,
3150 						chantype);
3151 			/* user input for center_freq is incorrect */
3152 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3153 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3154 				NL_SET_ERR_MSG_ATTR(extack,
3155 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3156 						    "bad center frequency 1");
3157 				return -EINVAL;
3158 			}
3159 			/* center_freq2 must be zero */
3160 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3161 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3162 				NL_SET_ERR_MSG_ATTR(extack,
3163 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3164 						    "center frequency 2 can't be used");
3165 				return -EINVAL;
3166 			}
3167 			break;
3168 		default:
3169 			NL_SET_ERR_MSG_ATTR(extack,
3170 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3171 					    "invalid channel type");
3172 			return -EINVAL;
3173 		}
3174 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3175 		chandef->width =
3176 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3177 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3178 			/* User input error for channel width doesn't match channel  */
3179 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3180 				NL_SET_ERR_MSG_ATTR(extack,
3181 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3182 						    "bad channel width");
3183 				return -EINVAL;
3184 			}
3185 		}
3186 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3187 			chandef->center_freq1 =
3188 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3189 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3190 				chandef->freq1_offset = nla_get_u32(
3191 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3192 			else
3193 				chandef->freq1_offset = 0;
3194 		}
3195 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3196 			chandef->center_freq2 =
3197 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3198 	}
3199 
3200 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3201 		chandef->edmg.channels =
3202 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3203 
3204 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3205 			chandef->edmg.bw_config =
3206 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3207 	} else {
3208 		chandef->edmg.bw_config = 0;
3209 		chandef->edmg.channels = 0;
3210 	}
3211 
3212 	if (!cfg80211_chandef_valid(chandef)) {
3213 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3214 		return -EINVAL;
3215 	}
3216 
3217 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3218 				     IEEE80211_CHAN_DISABLED)) {
3219 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3220 		return -EINVAL;
3221 	}
3222 
3223 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3224 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3225 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3226 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3227 		return -EINVAL;
3228 	}
3229 
3230 	return 0;
3231 }
3232 
3233 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3234 				 struct net_device *dev,
3235 				 struct genl_info *info)
3236 {
3237 	struct cfg80211_chan_def chandef;
3238 	int result;
3239 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3240 	struct wireless_dev *wdev = NULL;
3241 
3242 	if (dev)
3243 		wdev = dev->ieee80211_ptr;
3244 	if (!nl80211_can_set_dev_channel(wdev))
3245 		return -EOPNOTSUPP;
3246 	if (wdev)
3247 		iftype = wdev->iftype;
3248 
3249 	result = nl80211_parse_chandef(rdev, info, &chandef);
3250 	if (result)
3251 		return result;
3252 
3253 	switch (iftype) {
3254 	case NL80211_IFTYPE_AP:
3255 	case NL80211_IFTYPE_P2P_GO:
3256 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3257 						   iftype)) {
3258 			result = -EINVAL;
3259 			break;
3260 		}
3261 		if (wdev->beacon_interval) {
3262 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3263 			    !(rdev->wiphy.features &
3264 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3265 				result = -EBUSY;
3266 				break;
3267 			}
3268 
3269 			/* Only allow dynamic channel width changes */
3270 			if (chandef.chan != wdev->preset_chandef.chan) {
3271 				result = -EBUSY;
3272 				break;
3273 			}
3274 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3275 			if (result)
3276 				break;
3277 		}
3278 		wdev->preset_chandef = chandef;
3279 		result = 0;
3280 		break;
3281 	case NL80211_IFTYPE_MESH_POINT:
3282 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3283 		break;
3284 	case NL80211_IFTYPE_MONITOR:
3285 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3286 		break;
3287 	default:
3288 		result = -EINVAL;
3289 	}
3290 
3291 	return result;
3292 }
3293 
3294 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3295 {
3296 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3297 	struct net_device *netdev = info->user_ptr[1];
3298 
3299 	return __nl80211_set_channel(rdev, netdev, info);
3300 }
3301 
3302 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3303 {
3304 	struct cfg80211_registered_device *rdev = NULL;
3305 	struct net_device *netdev = NULL;
3306 	struct wireless_dev *wdev;
3307 	int result = 0, rem_txq_params = 0;
3308 	struct nlattr *nl_txq_params;
3309 	u32 changed;
3310 	u8 retry_short = 0, retry_long = 0;
3311 	u32 frag_threshold = 0, rts_threshold = 0;
3312 	u8 coverage_class = 0;
3313 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3314 
3315 	rtnl_lock();
3316 	/*
3317 	 * Try to find the wiphy and netdev. Normally this
3318 	 * function shouldn't need the netdev, but this is
3319 	 * done for backward compatibility -- previously
3320 	 * setting the channel was done per wiphy, but now
3321 	 * it is per netdev. Previous userland like hostapd
3322 	 * also passed a netdev to set_wiphy, so that it is
3323 	 * possible to let that go to the right netdev!
3324 	 */
3325 
3326 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3327 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3328 
3329 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3330 		if (netdev && netdev->ieee80211_ptr)
3331 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3332 		else
3333 			netdev = NULL;
3334 	}
3335 
3336 	if (!netdev) {
3337 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3338 						  info->attrs);
3339 		if (IS_ERR(rdev)) {
3340 			rtnl_unlock();
3341 			return PTR_ERR(rdev);
3342 		}
3343 		wdev = NULL;
3344 		netdev = NULL;
3345 		result = 0;
3346 	} else
3347 		wdev = netdev->ieee80211_ptr;
3348 
3349 	wiphy_lock(&rdev->wiphy);
3350 
3351 	/*
3352 	 * end workaround code, by now the rdev is available
3353 	 * and locked, and wdev may or may not be NULL.
3354 	 */
3355 
3356 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3357 		result = cfg80211_dev_rename(
3358 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3359 	rtnl_unlock();
3360 
3361 	if (result)
3362 		goto out;
3363 
3364 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3365 		struct ieee80211_txq_params txq_params;
3366 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3367 
3368 		if (!rdev->ops->set_txq_params) {
3369 			result = -EOPNOTSUPP;
3370 			goto out;
3371 		}
3372 
3373 		if (!netdev) {
3374 			result = -EINVAL;
3375 			goto out;
3376 		}
3377 
3378 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3379 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3380 			result = -EINVAL;
3381 			goto out;
3382 		}
3383 
3384 		if (!netif_running(netdev)) {
3385 			result = -ENETDOWN;
3386 			goto out;
3387 		}
3388 
3389 		nla_for_each_nested(nl_txq_params,
3390 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3391 				    rem_txq_params) {
3392 			result = nla_parse_nested_deprecated(tb,
3393 							     NL80211_TXQ_ATTR_MAX,
3394 							     nl_txq_params,
3395 							     txq_params_policy,
3396 							     info->extack);
3397 			if (result)
3398 				goto out;
3399 			result = parse_txq_params(tb, &txq_params);
3400 			if (result)
3401 				goto out;
3402 
3403 			result = rdev_set_txq_params(rdev, netdev,
3404 						     &txq_params);
3405 			if (result)
3406 				goto out;
3407 		}
3408 	}
3409 
3410 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3411 		result = __nl80211_set_channel(
3412 			rdev,
3413 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3414 			info);
3415 		if (result)
3416 			goto out;
3417 	}
3418 
3419 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3420 		struct wireless_dev *txp_wdev = wdev;
3421 		enum nl80211_tx_power_setting type;
3422 		int idx, mbm = 0;
3423 
3424 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3425 			txp_wdev = NULL;
3426 
3427 		if (!rdev->ops->set_tx_power) {
3428 			result = -EOPNOTSUPP;
3429 			goto out;
3430 		}
3431 
3432 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3433 		type = nla_get_u32(info->attrs[idx]);
3434 
3435 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3436 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3437 			result = -EINVAL;
3438 			goto out;
3439 		}
3440 
3441 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3442 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3443 			mbm = nla_get_u32(info->attrs[idx]);
3444 		}
3445 
3446 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3447 		if (result)
3448 			goto out;
3449 	}
3450 
3451 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3452 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3453 		u32 tx_ant, rx_ant;
3454 
3455 		if ((!rdev->wiphy.available_antennas_tx &&
3456 		     !rdev->wiphy.available_antennas_rx) ||
3457 		    !rdev->ops->set_antenna) {
3458 			result = -EOPNOTSUPP;
3459 			goto out;
3460 		}
3461 
3462 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3463 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3464 
3465 		/* reject antenna configurations which don't match the
3466 		 * available antenna masks, except for the "all" mask */
3467 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3468 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3469 			result = -EINVAL;
3470 			goto out;
3471 		}
3472 
3473 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3474 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3475 
3476 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3477 		if (result)
3478 			goto out;
3479 	}
3480 
3481 	changed = 0;
3482 
3483 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3484 		retry_short = nla_get_u8(
3485 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3486 
3487 		changed |= WIPHY_PARAM_RETRY_SHORT;
3488 	}
3489 
3490 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3491 		retry_long = nla_get_u8(
3492 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3493 
3494 		changed |= WIPHY_PARAM_RETRY_LONG;
3495 	}
3496 
3497 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3498 		frag_threshold = nla_get_u32(
3499 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3500 		if (frag_threshold < 256) {
3501 			result = -EINVAL;
3502 			goto out;
3503 		}
3504 
3505 		if (frag_threshold != (u32) -1) {
3506 			/*
3507 			 * Fragments (apart from the last one) are required to
3508 			 * have even length. Make the fragmentation code
3509 			 * simpler by stripping LSB should someone try to use
3510 			 * odd threshold value.
3511 			 */
3512 			frag_threshold &= ~0x1;
3513 		}
3514 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3515 	}
3516 
3517 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3518 		rts_threshold = nla_get_u32(
3519 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3520 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3521 	}
3522 
3523 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3524 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3525 			result = -EINVAL;
3526 			goto out;
3527 		}
3528 
3529 		coverage_class = nla_get_u8(
3530 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3531 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3532 	}
3533 
3534 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3535 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3536 			result = -EOPNOTSUPP;
3537 			goto out;
3538 		}
3539 
3540 		changed |= WIPHY_PARAM_DYN_ACK;
3541 	}
3542 
3543 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3544 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3545 					     NL80211_EXT_FEATURE_TXQS)) {
3546 			result = -EOPNOTSUPP;
3547 			goto out;
3548 		}
3549 		txq_limit = nla_get_u32(
3550 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3551 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3552 	}
3553 
3554 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3555 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3556 					     NL80211_EXT_FEATURE_TXQS)) {
3557 			result = -EOPNOTSUPP;
3558 			goto out;
3559 		}
3560 		txq_memory_limit = nla_get_u32(
3561 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3562 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3563 	}
3564 
3565 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3566 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3567 					     NL80211_EXT_FEATURE_TXQS)) {
3568 			result = -EOPNOTSUPP;
3569 			goto out;
3570 		}
3571 		txq_quantum = nla_get_u32(
3572 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3573 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3574 	}
3575 
3576 	if (changed) {
3577 		u8 old_retry_short, old_retry_long;
3578 		u32 old_frag_threshold, old_rts_threshold;
3579 		u8 old_coverage_class;
3580 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3581 
3582 		if (!rdev->ops->set_wiphy_params) {
3583 			result = -EOPNOTSUPP;
3584 			goto out;
3585 		}
3586 
3587 		old_retry_short = rdev->wiphy.retry_short;
3588 		old_retry_long = rdev->wiphy.retry_long;
3589 		old_frag_threshold = rdev->wiphy.frag_threshold;
3590 		old_rts_threshold = rdev->wiphy.rts_threshold;
3591 		old_coverage_class = rdev->wiphy.coverage_class;
3592 		old_txq_limit = rdev->wiphy.txq_limit;
3593 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3594 		old_txq_quantum = rdev->wiphy.txq_quantum;
3595 
3596 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3597 			rdev->wiphy.retry_short = retry_short;
3598 		if (changed & WIPHY_PARAM_RETRY_LONG)
3599 			rdev->wiphy.retry_long = retry_long;
3600 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3601 			rdev->wiphy.frag_threshold = frag_threshold;
3602 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3603 			rdev->wiphy.rts_threshold = rts_threshold;
3604 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3605 			rdev->wiphy.coverage_class = coverage_class;
3606 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3607 			rdev->wiphy.txq_limit = txq_limit;
3608 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3609 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3610 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3611 			rdev->wiphy.txq_quantum = txq_quantum;
3612 
3613 		result = rdev_set_wiphy_params(rdev, changed);
3614 		if (result) {
3615 			rdev->wiphy.retry_short = old_retry_short;
3616 			rdev->wiphy.retry_long = old_retry_long;
3617 			rdev->wiphy.frag_threshold = old_frag_threshold;
3618 			rdev->wiphy.rts_threshold = old_rts_threshold;
3619 			rdev->wiphy.coverage_class = old_coverage_class;
3620 			rdev->wiphy.txq_limit = old_txq_limit;
3621 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3622 			rdev->wiphy.txq_quantum = old_txq_quantum;
3623 			goto out;
3624 		}
3625 	}
3626 
3627 	result = 0;
3628 
3629 out:
3630 	wiphy_unlock(&rdev->wiphy);
3631 	return result;
3632 }
3633 
3634 static int nl80211_send_chandef(struct sk_buff *msg,
3635 				const struct cfg80211_chan_def *chandef)
3636 {
3637 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3638 		return -EINVAL;
3639 
3640 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3641 			chandef->chan->center_freq))
3642 		return -ENOBUFS;
3643 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3644 			chandef->chan->freq_offset))
3645 		return -ENOBUFS;
3646 	switch (chandef->width) {
3647 	case NL80211_CHAN_WIDTH_20_NOHT:
3648 	case NL80211_CHAN_WIDTH_20:
3649 	case NL80211_CHAN_WIDTH_40:
3650 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3651 				cfg80211_get_chandef_type(chandef)))
3652 			return -ENOBUFS;
3653 		break;
3654 	default:
3655 		break;
3656 	}
3657 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3658 		return -ENOBUFS;
3659 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3660 		return -ENOBUFS;
3661 	if (chandef->center_freq2 &&
3662 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3663 		return -ENOBUFS;
3664 	return 0;
3665 }
3666 
3667 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3668 			      struct cfg80211_registered_device *rdev,
3669 			      struct wireless_dev *wdev,
3670 			      enum nl80211_commands cmd)
3671 {
3672 	struct net_device *dev = wdev->netdev;
3673 	void *hdr;
3674 
3675 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3676 		cmd != NL80211_CMD_DEL_INTERFACE &&
3677 		cmd != NL80211_CMD_SET_INTERFACE);
3678 
3679 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3680 	if (!hdr)
3681 		return -1;
3682 
3683 	if (dev &&
3684 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3685 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3686 		goto nla_put_failure;
3687 
3688 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3689 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3690 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3691 			      NL80211_ATTR_PAD) ||
3692 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3693 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3694 			rdev->devlist_generation ^
3695 			(cfg80211_rdev_list_generation << 2)) ||
3696 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3697 		goto nla_put_failure;
3698 
3699 	if (rdev->ops->get_channel) {
3700 		int ret;
3701 		struct cfg80211_chan_def chandef = {};
3702 
3703 		ret = rdev_get_channel(rdev, wdev, &chandef);
3704 		if (ret == 0) {
3705 			if (nl80211_send_chandef(msg, &chandef))
3706 				goto nla_put_failure;
3707 		}
3708 	}
3709 
3710 	if (rdev->ops->get_tx_power) {
3711 		int dbm, ret;
3712 
3713 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3714 		if (ret == 0 &&
3715 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3716 				DBM_TO_MBM(dbm)))
3717 			goto nla_put_failure;
3718 	}
3719 
3720 	wdev_lock(wdev);
3721 	switch (wdev->iftype) {
3722 	case NL80211_IFTYPE_AP:
3723 	case NL80211_IFTYPE_P2P_GO:
3724 		if (wdev->ssid_len &&
3725 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3726 			goto nla_put_failure_locked;
3727 		break;
3728 	case NL80211_IFTYPE_STATION:
3729 	case NL80211_IFTYPE_P2P_CLIENT:
3730 	case NL80211_IFTYPE_ADHOC: {
3731 		const struct element *ssid_elem;
3732 
3733 		if (!wdev->current_bss)
3734 			break;
3735 		rcu_read_lock();
3736 		ssid_elem = ieee80211_bss_get_elem(&wdev->current_bss->pub,
3737 						   WLAN_EID_SSID);
3738 		if (ssid_elem &&
3739 		    nla_put(msg, NL80211_ATTR_SSID, ssid_elem->datalen,
3740 			    ssid_elem->data))
3741 			goto nla_put_failure_rcu_locked;
3742 		rcu_read_unlock();
3743 		break;
3744 		}
3745 	default:
3746 		/* nothing */
3747 		break;
3748 	}
3749 	wdev_unlock(wdev);
3750 
3751 	if (rdev->ops->get_txq_stats) {
3752 		struct cfg80211_txq_stats txqstats = {};
3753 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3754 
3755 		if (ret == 0 &&
3756 		    !nl80211_put_txq_stats(msg, &txqstats,
3757 					   NL80211_ATTR_TXQ_STATS))
3758 			goto nla_put_failure;
3759 	}
3760 
3761 	genlmsg_end(msg, hdr);
3762 	return 0;
3763 
3764  nla_put_failure_rcu_locked:
3765 	rcu_read_unlock();
3766  nla_put_failure_locked:
3767 	wdev_unlock(wdev);
3768  nla_put_failure:
3769 	genlmsg_cancel(msg, hdr);
3770 	return -EMSGSIZE;
3771 }
3772 
3773 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3774 {
3775 	int wp_idx = 0;
3776 	int if_idx = 0;
3777 	int wp_start = cb->args[0];
3778 	int if_start = cb->args[1];
3779 	int filter_wiphy = -1;
3780 	struct cfg80211_registered_device *rdev;
3781 	struct wireless_dev *wdev;
3782 	int ret;
3783 
3784 	rtnl_lock();
3785 	if (!cb->args[2]) {
3786 		struct nl80211_dump_wiphy_state state = {
3787 			.filter_wiphy = -1,
3788 		};
3789 
3790 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3791 		if (ret)
3792 			goto out_unlock;
3793 
3794 		filter_wiphy = state.filter_wiphy;
3795 
3796 		/*
3797 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3798 		 * value needed to determine that parsing is necessary.
3799 		 */
3800 		if (filter_wiphy >= 0)
3801 			cb->args[2] = filter_wiphy + 1;
3802 		else
3803 			cb->args[2] = -1;
3804 	} else if (cb->args[2] > 0) {
3805 		filter_wiphy = cb->args[2] - 1;
3806 	}
3807 
3808 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3809 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3810 			continue;
3811 		if (wp_idx < wp_start) {
3812 			wp_idx++;
3813 			continue;
3814 		}
3815 
3816 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3817 			continue;
3818 
3819 		if_idx = 0;
3820 
3821 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3822 			if (if_idx < if_start) {
3823 				if_idx++;
3824 				continue;
3825 			}
3826 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3827 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3828 					       rdev, wdev,
3829 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3830 				goto out;
3831 			}
3832 			if_idx++;
3833 		}
3834 
3835 		wp_idx++;
3836 	}
3837  out:
3838 	cb->args[0] = wp_idx;
3839 	cb->args[1] = if_idx;
3840 
3841 	ret = skb->len;
3842  out_unlock:
3843 	rtnl_unlock();
3844 
3845 	return ret;
3846 }
3847 
3848 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3849 {
3850 	struct sk_buff *msg;
3851 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3852 	struct wireless_dev *wdev = info->user_ptr[1];
3853 
3854 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3855 	if (!msg)
3856 		return -ENOMEM;
3857 
3858 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3859 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3860 		nlmsg_free(msg);
3861 		return -ENOBUFS;
3862 	}
3863 
3864 	return genlmsg_reply(msg, info);
3865 }
3866 
3867 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3868 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3869 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3870 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3871 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3872 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3873 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3874 };
3875 
3876 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3877 {
3878 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3879 	int flag;
3880 
3881 	*mntrflags = 0;
3882 
3883 	if (!nla)
3884 		return -EINVAL;
3885 
3886 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3887 		return -EINVAL;
3888 
3889 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3890 		if (flags[flag])
3891 			*mntrflags |= (1<<flag);
3892 
3893 	*mntrflags |= MONITOR_FLAG_CHANGED;
3894 
3895 	return 0;
3896 }
3897 
3898 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3899 				     enum nl80211_iftype type,
3900 				     struct genl_info *info,
3901 				     struct vif_params *params)
3902 {
3903 	bool change = false;
3904 	int err;
3905 
3906 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3907 		if (type != NL80211_IFTYPE_MONITOR)
3908 			return -EINVAL;
3909 
3910 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3911 					  &params->flags);
3912 		if (err)
3913 			return err;
3914 
3915 		change = true;
3916 	}
3917 
3918 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3919 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3920 		return -EOPNOTSUPP;
3921 
3922 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3923 		const u8 *mumimo_groups;
3924 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3925 
3926 		if (type != NL80211_IFTYPE_MONITOR)
3927 			return -EINVAL;
3928 
3929 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3930 			return -EOPNOTSUPP;
3931 
3932 		mumimo_groups =
3933 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3934 
3935 		/* bits 0 and 63 are reserved and must be zero */
3936 		if ((mumimo_groups[0] & BIT(0)) ||
3937 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3938 			return -EINVAL;
3939 
3940 		params->vht_mumimo_groups = mumimo_groups;
3941 		change = true;
3942 	}
3943 
3944 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3945 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3946 
3947 		if (type != NL80211_IFTYPE_MONITOR)
3948 			return -EINVAL;
3949 
3950 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3951 			return -EOPNOTSUPP;
3952 
3953 		params->vht_mumimo_follow_addr =
3954 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3955 		change = true;
3956 	}
3957 
3958 	return change ? 1 : 0;
3959 }
3960 
3961 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3962 			       struct net_device *netdev, u8 use_4addr,
3963 			       enum nl80211_iftype iftype)
3964 {
3965 	if (!use_4addr) {
3966 		if (netdev && netif_is_bridge_port(netdev))
3967 			return -EBUSY;
3968 		return 0;
3969 	}
3970 
3971 	switch (iftype) {
3972 	case NL80211_IFTYPE_AP_VLAN:
3973 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3974 			return 0;
3975 		break;
3976 	case NL80211_IFTYPE_STATION:
3977 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3978 			return 0;
3979 		break;
3980 	default:
3981 		break;
3982 	}
3983 
3984 	return -EOPNOTSUPP;
3985 }
3986 
3987 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3988 {
3989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3990 	struct vif_params params;
3991 	int err;
3992 	enum nl80211_iftype otype, ntype;
3993 	struct net_device *dev = info->user_ptr[1];
3994 	bool change = false;
3995 
3996 	memset(&params, 0, sizeof(params));
3997 
3998 	otype = ntype = dev->ieee80211_ptr->iftype;
3999 
4000 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4001 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4002 		if (otype != ntype)
4003 			change = true;
4004 	}
4005 
4006 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4007 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4008 
4009 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4010 			return -EINVAL;
4011 		if (netif_running(dev))
4012 			return -EBUSY;
4013 
4014 		wdev_lock(wdev);
4015 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4016 			     IEEE80211_MAX_MESH_ID_LEN);
4017 		wdev->mesh_id_up_len =
4018 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4019 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4020 		       wdev->mesh_id_up_len);
4021 		wdev_unlock(wdev);
4022 	}
4023 
4024 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4025 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4026 		change = true;
4027 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4028 		if (err)
4029 			return err;
4030 	} else {
4031 		params.use_4addr = -1;
4032 	}
4033 
4034 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4035 	if (err < 0)
4036 		return err;
4037 	if (err > 0)
4038 		change = true;
4039 
4040 	if (change)
4041 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4042 	else
4043 		err = 0;
4044 
4045 	if (!err && params.use_4addr != -1)
4046 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4047 
4048 	if (change && !err) {
4049 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4050 
4051 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4052 	}
4053 
4054 	return err;
4055 }
4056 
4057 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4058 {
4059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4060 	struct vif_params params;
4061 	struct wireless_dev *wdev;
4062 	struct sk_buff *msg;
4063 	int err;
4064 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4065 
4066 	memset(&params, 0, sizeof(params));
4067 
4068 	if (!info->attrs[NL80211_ATTR_IFNAME])
4069 		return -EINVAL;
4070 
4071 	if (info->attrs[NL80211_ATTR_IFTYPE])
4072 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4073 
4074 	if (!rdev->ops->add_virtual_intf)
4075 		return -EOPNOTSUPP;
4076 
4077 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4078 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4079 	    info->attrs[NL80211_ATTR_MAC]) {
4080 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4081 			   ETH_ALEN);
4082 		if (!is_valid_ether_addr(params.macaddr))
4083 			return -EADDRNOTAVAIL;
4084 	}
4085 
4086 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4087 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4088 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4089 		if (err)
4090 			return err;
4091 	}
4092 
4093 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4094 		return -EOPNOTSUPP;
4095 
4096 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4097 	if (err < 0)
4098 		return err;
4099 
4100 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4101 	if (!msg)
4102 		return -ENOMEM;
4103 
4104 	wdev = rdev_add_virtual_intf(rdev,
4105 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4106 				NET_NAME_USER, type, &params);
4107 	if (WARN_ON(!wdev)) {
4108 		nlmsg_free(msg);
4109 		return -EPROTO;
4110 	} else if (IS_ERR(wdev)) {
4111 		nlmsg_free(msg);
4112 		return PTR_ERR(wdev);
4113 	}
4114 
4115 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4116 		wdev->owner_nlportid = info->snd_portid;
4117 
4118 	switch (type) {
4119 	case NL80211_IFTYPE_MESH_POINT:
4120 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4121 			break;
4122 		wdev_lock(wdev);
4123 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4124 			     IEEE80211_MAX_MESH_ID_LEN);
4125 		wdev->mesh_id_up_len =
4126 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4127 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4128 		       wdev->mesh_id_up_len);
4129 		wdev_unlock(wdev);
4130 		break;
4131 	case NL80211_IFTYPE_NAN:
4132 	case NL80211_IFTYPE_P2P_DEVICE:
4133 		/*
4134 		 * P2P Device and NAN do not have a netdev, so don't go
4135 		 * through the netdev notifier and must be added here
4136 		 */
4137 		cfg80211_init_wdev(wdev);
4138 		cfg80211_register_wdev(rdev, wdev);
4139 		break;
4140 	default:
4141 		break;
4142 	}
4143 
4144 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4145 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4146 		nlmsg_free(msg);
4147 		return -ENOBUFS;
4148 	}
4149 
4150 	return genlmsg_reply(msg, info);
4151 }
4152 
4153 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4154 {
4155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4156 	int ret;
4157 
4158 	/* to avoid failing a new interface creation due to pending removal */
4159 	cfg80211_destroy_ifaces(rdev);
4160 
4161 	wiphy_lock(&rdev->wiphy);
4162 	ret = _nl80211_new_interface(skb, info);
4163 	wiphy_unlock(&rdev->wiphy);
4164 
4165 	return ret;
4166 }
4167 
4168 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4169 {
4170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4171 	struct wireless_dev *wdev = info->user_ptr[1];
4172 
4173 	if (!rdev->ops->del_virtual_intf)
4174 		return -EOPNOTSUPP;
4175 
4176 	/*
4177 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4178 	 * reach 0, and thus the rdev cannot be deleted.
4179 	 *
4180 	 * We need to do it for the dev_close(), since that will call
4181 	 * the netdev notifiers, and we need to acquire the mutex there
4182 	 * but don't know if we get there from here or from some other
4183 	 * place (e.g. "ip link set ... down").
4184 	 */
4185 	mutex_unlock(&rdev->wiphy.mtx);
4186 
4187 	/*
4188 	 * If we remove a wireless device without a netdev then clear
4189 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4190 	 * to check if it needs to do dev_put(). Otherwise it crashes
4191 	 * since the wdev has been freed, unlike with a netdev where
4192 	 * we need the dev_put() for the netdev to really be freed.
4193 	 */
4194 	if (!wdev->netdev)
4195 		info->user_ptr[1] = NULL;
4196 	else
4197 		dev_close(wdev->netdev);
4198 
4199 	mutex_lock(&rdev->wiphy.mtx);
4200 
4201 	return rdev_del_virtual_intf(rdev, wdev);
4202 }
4203 
4204 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4205 {
4206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4207 	struct net_device *dev = info->user_ptr[1];
4208 	u16 noack_map;
4209 
4210 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4211 		return -EINVAL;
4212 
4213 	if (!rdev->ops->set_noack_map)
4214 		return -EOPNOTSUPP;
4215 
4216 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4217 
4218 	return rdev_set_noack_map(rdev, dev, noack_map);
4219 }
4220 
4221 struct get_key_cookie {
4222 	struct sk_buff *msg;
4223 	int error;
4224 	int idx;
4225 };
4226 
4227 static void get_key_callback(void *c, struct key_params *params)
4228 {
4229 	struct nlattr *key;
4230 	struct get_key_cookie *cookie = c;
4231 
4232 	if ((params->key &&
4233 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4234 		     params->key_len, params->key)) ||
4235 	    (params->seq &&
4236 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4237 		     params->seq_len, params->seq)) ||
4238 	    (params->cipher &&
4239 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4240 			 params->cipher)))
4241 		goto nla_put_failure;
4242 
4243 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4244 	if (!key)
4245 		goto nla_put_failure;
4246 
4247 	if ((params->key &&
4248 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4249 		     params->key_len, params->key)) ||
4250 	    (params->seq &&
4251 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4252 		     params->seq_len, params->seq)) ||
4253 	    (params->cipher &&
4254 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4255 			 params->cipher)))
4256 		goto nla_put_failure;
4257 
4258 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4259 		goto nla_put_failure;
4260 
4261 	nla_nest_end(cookie->msg, key);
4262 
4263 	return;
4264  nla_put_failure:
4265 	cookie->error = 1;
4266 }
4267 
4268 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4269 {
4270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4271 	int err;
4272 	struct net_device *dev = info->user_ptr[1];
4273 	u8 key_idx = 0;
4274 	const u8 *mac_addr = NULL;
4275 	bool pairwise;
4276 	struct get_key_cookie cookie = {
4277 		.error = 0,
4278 	};
4279 	void *hdr;
4280 	struct sk_buff *msg;
4281 	bool bigtk_support = false;
4282 
4283 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4284 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4285 		bigtk_support = true;
4286 
4287 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4288 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4289 	    wiphy_ext_feature_isset(&rdev->wiphy,
4290 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4291 		bigtk_support = true;
4292 
4293 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4294 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4295 
4296 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4297 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4298 			return -EINVAL;
4299 		}
4300 	}
4301 
4302 	if (info->attrs[NL80211_ATTR_MAC])
4303 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4304 
4305 	pairwise = !!mac_addr;
4306 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4307 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4308 
4309 		if (kt != NL80211_KEYTYPE_GROUP &&
4310 		    kt != NL80211_KEYTYPE_PAIRWISE)
4311 			return -EINVAL;
4312 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4313 	}
4314 
4315 	if (!rdev->ops->get_key)
4316 		return -EOPNOTSUPP;
4317 
4318 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4319 		return -ENOENT;
4320 
4321 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4322 	if (!msg)
4323 		return -ENOMEM;
4324 
4325 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4326 			     NL80211_CMD_NEW_KEY);
4327 	if (!hdr)
4328 		goto nla_put_failure;
4329 
4330 	cookie.msg = msg;
4331 	cookie.idx = key_idx;
4332 
4333 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4334 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4335 		goto nla_put_failure;
4336 	if (mac_addr &&
4337 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4338 		goto nla_put_failure;
4339 
4340 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4341 			   get_key_callback);
4342 
4343 	if (err)
4344 		goto free_msg;
4345 
4346 	if (cookie.error)
4347 		goto nla_put_failure;
4348 
4349 	genlmsg_end(msg, hdr);
4350 	return genlmsg_reply(msg, info);
4351 
4352  nla_put_failure:
4353 	err = -ENOBUFS;
4354  free_msg:
4355 	nlmsg_free(msg);
4356 	return err;
4357 }
4358 
4359 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4360 {
4361 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4362 	struct key_parse key;
4363 	int err;
4364 	struct net_device *dev = info->user_ptr[1];
4365 
4366 	err = nl80211_parse_key(info, &key);
4367 	if (err)
4368 		return err;
4369 
4370 	if (key.idx < 0)
4371 		return -EINVAL;
4372 
4373 	/* Only support setting default key and
4374 	 * Extended Key ID action NL80211_KEY_SET_TX.
4375 	 */
4376 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4377 	    !(key.p.mode == NL80211_KEY_SET_TX))
4378 		return -EINVAL;
4379 
4380 	wdev_lock(dev->ieee80211_ptr);
4381 
4382 	if (key.def) {
4383 		if (!rdev->ops->set_default_key) {
4384 			err = -EOPNOTSUPP;
4385 			goto out;
4386 		}
4387 
4388 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4389 		if (err)
4390 			goto out;
4391 
4392 		err = rdev_set_default_key(rdev, dev, key.idx,
4393 						 key.def_uni, key.def_multi);
4394 
4395 		if (err)
4396 			goto out;
4397 
4398 #ifdef CONFIG_CFG80211_WEXT
4399 		dev->ieee80211_ptr->wext.default_key = key.idx;
4400 #endif
4401 	} else if (key.defmgmt) {
4402 		if (key.def_uni || !key.def_multi) {
4403 			err = -EINVAL;
4404 			goto out;
4405 		}
4406 
4407 		if (!rdev->ops->set_default_mgmt_key) {
4408 			err = -EOPNOTSUPP;
4409 			goto out;
4410 		}
4411 
4412 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4413 		if (err)
4414 			goto out;
4415 
4416 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4417 		if (err)
4418 			goto out;
4419 
4420 #ifdef CONFIG_CFG80211_WEXT
4421 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4422 #endif
4423 	} else if (key.defbeacon) {
4424 		if (key.def_uni || !key.def_multi) {
4425 			err = -EINVAL;
4426 			goto out;
4427 		}
4428 
4429 		if (!rdev->ops->set_default_beacon_key) {
4430 			err = -EOPNOTSUPP;
4431 			goto out;
4432 		}
4433 
4434 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4435 		if (err)
4436 			goto out;
4437 
4438 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4439 		if (err)
4440 			goto out;
4441 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4442 		   wiphy_ext_feature_isset(&rdev->wiphy,
4443 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4444 		u8 *mac_addr = NULL;
4445 
4446 		if (info->attrs[NL80211_ATTR_MAC])
4447 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4448 
4449 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4450 			err = -EINVAL;
4451 			goto out;
4452 		}
4453 
4454 		err = rdev_add_key(rdev, dev, key.idx,
4455 				   NL80211_KEYTYPE_PAIRWISE,
4456 				   mac_addr, &key.p);
4457 	} else {
4458 		err = -EINVAL;
4459 	}
4460  out:
4461 	wdev_unlock(dev->ieee80211_ptr);
4462 
4463 	return err;
4464 }
4465 
4466 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4467 {
4468 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4469 	int err;
4470 	struct net_device *dev = info->user_ptr[1];
4471 	struct key_parse key;
4472 	const u8 *mac_addr = NULL;
4473 
4474 	err = nl80211_parse_key(info, &key);
4475 	if (err)
4476 		return err;
4477 
4478 	if (!key.p.key) {
4479 		GENL_SET_ERR_MSG(info, "no key");
4480 		return -EINVAL;
4481 	}
4482 
4483 	if (info->attrs[NL80211_ATTR_MAC])
4484 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4485 
4486 	if (key.type == -1) {
4487 		if (mac_addr)
4488 			key.type = NL80211_KEYTYPE_PAIRWISE;
4489 		else
4490 			key.type = NL80211_KEYTYPE_GROUP;
4491 	}
4492 
4493 	/* for now */
4494 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4495 	    key.type != NL80211_KEYTYPE_GROUP) {
4496 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4497 		return -EINVAL;
4498 	}
4499 
4500 	if (key.type == NL80211_KEYTYPE_GROUP &&
4501 	    info->attrs[NL80211_ATTR_VLAN_ID])
4502 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4503 
4504 	if (!rdev->ops->add_key)
4505 		return -EOPNOTSUPP;
4506 
4507 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4508 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4509 					   mac_addr)) {
4510 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4511 		return -EINVAL;
4512 	}
4513 
4514 	wdev_lock(dev->ieee80211_ptr);
4515 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4516 	if (err)
4517 		GENL_SET_ERR_MSG(info, "key not allowed");
4518 	if (!err) {
4519 		err = rdev_add_key(rdev, dev, key.idx,
4520 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4521 				    mac_addr, &key.p);
4522 		if (err)
4523 			GENL_SET_ERR_MSG(info, "key addition failed");
4524 	}
4525 	wdev_unlock(dev->ieee80211_ptr);
4526 
4527 	return err;
4528 }
4529 
4530 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4531 {
4532 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4533 	int err;
4534 	struct net_device *dev = info->user_ptr[1];
4535 	u8 *mac_addr = NULL;
4536 	struct key_parse key;
4537 
4538 	err = nl80211_parse_key(info, &key);
4539 	if (err)
4540 		return err;
4541 
4542 	if (info->attrs[NL80211_ATTR_MAC])
4543 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4544 
4545 	if (key.type == -1) {
4546 		if (mac_addr)
4547 			key.type = NL80211_KEYTYPE_PAIRWISE;
4548 		else
4549 			key.type = NL80211_KEYTYPE_GROUP;
4550 	}
4551 
4552 	/* for now */
4553 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4554 	    key.type != NL80211_KEYTYPE_GROUP)
4555 		return -EINVAL;
4556 
4557 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4558 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4559 		return -EINVAL;
4560 
4561 	if (!rdev->ops->del_key)
4562 		return -EOPNOTSUPP;
4563 
4564 	wdev_lock(dev->ieee80211_ptr);
4565 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4566 
4567 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4568 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4569 		err = -ENOENT;
4570 
4571 	if (!err)
4572 		err = rdev_del_key(rdev, dev, key.idx,
4573 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4574 				   mac_addr);
4575 
4576 #ifdef CONFIG_CFG80211_WEXT
4577 	if (!err) {
4578 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4579 			dev->ieee80211_ptr->wext.default_key = -1;
4580 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4581 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4582 	}
4583 #endif
4584 	wdev_unlock(dev->ieee80211_ptr);
4585 
4586 	return err;
4587 }
4588 
4589 /* This function returns an error or the number of nested attributes */
4590 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4591 {
4592 	struct nlattr *attr;
4593 	int n_entries = 0, tmp;
4594 
4595 	nla_for_each_nested(attr, nl_attr, tmp) {
4596 		if (nla_len(attr) != ETH_ALEN)
4597 			return -EINVAL;
4598 
4599 		n_entries++;
4600 	}
4601 
4602 	return n_entries;
4603 }
4604 
4605 /*
4606  * This function parses ACL information and allocates memory for ACL data.
4607  * On successful return, the calling function is responsible to free the
4608  * ACL buffer returned by this function.
4609  */
4610 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4611 						struct genl_info *info)
4612 {
4613 	enum nl80211_acl_policy acl_policy;
4614 	struct nlattr *attr;
4615 	struct cfg80211_acl_data *acl;
4616 	int i = 0, n_entries, tmp;
4617 
4618 	if (!wiphy->max_acl_mac_addrs)
4619 		return ERR_PTR(-EOPNOTSUPP);
4620 
4621 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4622 		return ERR_PTR(-EINVAL);
4623 
4624 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4625 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4626 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4627 		return ERR_PTR(-EINVAL);
4628 
4629 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4630 		return ERR_PTR(-EINVAL);
4631 
4632 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4633 	if (n_entries < 0)
4634 		return ERR_PTR(n_entries);
4635 
4636 	if (n_entries > wiphy->max_acl_mac_addrs)
4637 		return ERR_PTR(-ENOTSUPP);
4638 
4639 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4640 	if (!acl)
4641 		return ERR_PTR(-ENOMEM);
4642 
4643 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4644 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4645 		i++;
4646 	}
4647 
4648 	acl->n_acl_entries = n_entries;
4649 	acl->acl_policy = acl_policy;
4650 
4651 	return acl;
4652 }
4653 
4654 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4655 {
4656 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4657 	struct net_device *dev = info->user_ptr[1];
4658 	struct cfg80211_acl_data *acl;
4659 	int err;
4660 
4661 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4662 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4663 		return -EOPNOTSUPP;
4664 
4665 	if (!dev->ieee80211_ptr->beacon_interval)
4666 		return -EINVAL;
4667 
4668 	acl = parse_acl_data(&rdev->wiphy, info);
4669 	if (IS_ERR(acl))
4670 		return PTR_ERR(acl);
4671 
4672 	err = rdev_set_mac_acl(rdev, dev, acl);
4673 
4674 	kfree(acl);
4675 
4676 	return err;
4677 }
4678 
4679 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4680 			   u8 *rates, u8 rates_len)
4681 {
4682 	u8 i;
4683 	u32 mask = 0;
4684 
4685 	for (i = 0; i < rates_len; i++) {
4686 		int rate = (rates[i] & 0x7f) * 5;
4687 		int ridx;
4688 
4689 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4690 			struct ieee80211_rate *srate =
4691 				&sband->bitrates[ridx];
4692 			if (rate == srate->bitrate) {
4693 				mask |= 1 << ridx;
4694 				break;
4695 			}
4696 		}
4697 		if (ridx == sband->n_bitrates)
4698 			return 0; /* rate not found */
4699 	}
4700 
4701 	return mask;
4702 }
4703 
4704 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4705 			       u8 *rates, u8 rates_len,
4706 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4707 {
4708 	u8 i;
4709 
4710 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4711 
4712 	for (i = 0; i < rates_len; i++) {
4713 		int ridx, rbit;
4714 
4715 		ridx = rates[i] / 8;
4716 		rbit = BIT(rates[i] % 8);
4717 
4718 		/* check validity */
4719 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4720 			return false;
4721 
4722 		/* check availability */
4723 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4724 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4725 			mcs[ridx] |= rbit;
4726 		else
4727 			return false;
4728 	}
4729 
4730 	return true;
4731 }
4732 
4733 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4734 {
4735 	u16 mcs_mask = 0;
4736 
4737 	switch (vht_mcs_map) {
4738 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4739 		break;
4740 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4741 		mcs_mask = 0x00FF;
4742 		break;
4743 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4744 		mcs_mask = 0x01FF;
4745 		break;
4746 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4747 		mcs_mask = 0x03FF;
4748 		break;
4749 	default:
4750 		break;
4751 	}
4752 
4753 	return mcs_mask;
4754 }
4755 
4756 static void vht_build_mcs_mask(u16 vht_mcs_map,
4757 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4758 {
4759 	u8 nss;
4760 
4761 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4762 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4763 		vht_mcs_map >>= 2;
4764 	}
4765 }
4766 
4767 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4768 			     struct nl80211_txrate_vht *txrate,
4769 			     u16 mcs[NL80211_VHT_NSS_MAX])
4770 {
4771 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4772 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4773 	u8 i;
4774 
4775 	if (!sband->vht_cap.vht_supported)
4776 		return false;
4777 
4778 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4779 
4780 	/* Build vht_mcs_mask from VHT capabilities */
4781 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4782 
4783 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4784 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4785 			mcs[i] = txrate->mcs[i];
4786 		else
4787 			return false;
4788 	}
4789 
4790 	return true;
4791 }
4792 
4793 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4794 {
4795 	switch (he_mcs_map) {
4796 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4797 		return 0;
4798 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4799 		return 0x00FF;
4800 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4801 		return 0x03FF;
4802 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4803 		return 0xFFF;
4804 	default:
4805 		break;
4806 	}
4807 	return 0;
4808 }
4809 
4810 static void he_build_mcs_mask(u16 he_mcs_map,
4811 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4812 {
4813 	u8 nss;
4814 
4815 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4816 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4817 		he_mcs_map >>= 2;
4818 	}
4819 }
4820 
4821 static u16 he_get_txmcsmap(struct genl_info *info,
4822 			   const struct ieee80211_sta_he_cap *he_cap)
4823 {
4824 	struct net_device *dev = info->user_ptr[1];
4825 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4826 	__le16	tx_mcs;
4827 
4828 	switch (wdev->chandef.width) {
4829 	case NL80211_CHAN_WIDTH_80P80:
4830 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4831 		break;
4832 	case NL80211_CHAN_WIDTH_160:
4833 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4834 		break;
4835 	default:
4836 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4837 		break;
4838 	}
4839 	return le16_to_cpu(tx_mcs);
4840 }
4841 
4842 static bool he_set_mcs_mask(struct genl_info *info,
4843 			    struct wireless_dev *wdev,
4844 			    struct ieee80211_supported_band *sband,
4845 			    struct nl80211_txrate_he *txrate,
4846 			    u16 mcs[NL80211_HE_NSS_MAX])
4847 {
4848 	const struct ieee80211_sta_he_cap *he_cap;
4849 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4850 	u16 tx_mcs_map = 0;
4851 	u8 i;
4852 
4853 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4854 	if (!he_cap)
4855 		return false;
4856 
4857 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4858 
4859 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4860 
4861 	/* Build he_mcs_mask from HE capabilities */
4862 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4863 
4864 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4865 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4866 			mcs[i] = txrate->mcs[i];
4867 		else
4868 			return false;
4869 	}
4870 
4871 	return true;
4872 }
4873 
4874 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4875 					 struct nlattr *attrs[],
4876 					 enum nl80211_attrs attr,
4877 					 struct cfg80211_bitrate_mask *mask,
4878 					 struct net_device *dev,
4879 					 bool default_all_enabled)
4880 {
4881 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4882 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4883 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4884 	int rem, i;
4885 	struct nlattr *tx_rates;
4886 	struct ieee80211_supported_band *sband;
4887 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4888 
4889 	memset(mask, 0, sizeof(*mask));
4890 	/* Default to all rates enabled */
4891 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4892 		const struct ieee80211_sta_he_cap *he_cap;
4893 
4894 		if (!default_all_enabled)
4895 			break;
4896 
4897 		sband = rdev->wiphy.bands[i];
4898 
4899 		if (!sband)
4900 			continue;
4901 
4902 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4903 		memcpy(mask->control[i].ht_mcs,
4904 		       sband->ht_cap.mcs.rx_mask,
4905 		       sizeof(mask->control[i].ht_mcs));
4906 
4907 		if (sband->vht_cap.vht_supported) {
4908 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4909 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4910 		}
4911 
4912 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4913 		if (!he_cap)
4914 			continue;
4915 
4916 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4917 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4918 
4919 		mask->control[i].he_gi = 0xFF;
4920 		mask->control[i].he_ltf = 0xFF;
4921 	}
4922 
4923 	/* if no rates are given set it back to the defaults */
4924 	if (!attrs[attr])
4925 		goto out;
4926 
4927 	/* The nested attribute uses enum nl80211_band as the index. This maps
4928 	 * directly to the enum nl80211_band values used in cfg80211.
4929 	 */
4930 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4931 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4932 		enum nl80211_band band = nla_type(tx_rates);
4933 		int err;
4934 
4935 		if (band < 0 || band >= NUM_NL80211_BANDS)
4936 			return -EINVAL;
4937 		sband = rdev->wiphy.bands[band];
4938 		if (sband == NULL)
4939 			return -EINVAL;
4940 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4941 						  tx_rates,
4942 						  nl80211_txattr_policy,
4943 						  info->extack);
4944 		if (err)
4945 			return err;
4946 		if (tb[NL80211_TXRATE_LEGACY]) {
4947 			mask->control[band].legacy = rateset_to_mask(
4948 				sband,
4949 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4950 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4951 			if ((mask->control[band].legacy == 0) &&
4952 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4953 				return -EINVAL;
4954 		}
4955 		if (tb[NL80211_TXRATE_HT]) {
4956 			if (!ht_rateset_to_mask(
4957 					sband,
4958 					nla_data(tb[NL80211_TXRATE_HT]),
4959 					nla_len(tb[NL80211_TXRATE_HT]),
4960 					mask->control[band].ht_mcs))
4961 				return -EINVAL;
4962 		}
4963 
4964 		if (tb[NL80211_TXRATE_VHT]) {
4965 			if (!vht_set_mcs_mask(
4966 					sband,
4967 					nla_data(tb[NL80211_TXRATE_VHT]),
4968 					mask->control[band].vht_mcs))
4969 				return -EINVAL;
4970 		}
4971 
4972 		if (tb[NL80211_TXRATE_GI]) {
4973 			mask->control[band].gi =
4974 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4975 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4976 				return -EINVAL;
4977 		}
4978 		if (tb[NL80211_TXRATE_HE] &&
4979 		    !he_set_mcs_mask(info, wdev, sband,
4980 				     nla_data(tb[NL80211_TXRATE_HE]),
4981 				     mask->control[band].he_mcs))
4982 			return -EINVAL;
4983 
4984 		if (tb[NL80211_TXRATE_HE_GI])
4985 			mask->control[band].he_gi =
4986 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4987 		if (tb[NL80211_TXRATE_HE_LTF])
4988 			mask->control[band].he_ltf =
4989 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4990 
4991 		if (mask->control[band].legacy == 0) {
4992 			/* don't allow empty legacy rates if HT, VHT or HE
4993 			 * are not even supported.
4994 			 */
4995 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4996 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4997 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4998 				return -EINVAL;
4999 
5000 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5001 				if (mask->control[band].ht_mcs[i])
5002 					goto out;
5003 
5004 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5005 				if (mask->control[band].vht_mcs[i])
5006 					goto out;
5007 
5008 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5009 				if (mask->control[band].he_mcs[i])
5010 					goto out;
5011 
5012 			/* legacy and mcs rates may not be both empty */
5013 			return -EINVAL;
5014 		}
5015 	}
5016 
5017 out:
5018 	return 0;
5019 }
5020 
5021 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5022 				   enum nl80211_band band,
5023 				   struct cfg80211_bitrate_mask *beacon_rate)
5024 {
5025 	u32 count_ht, count_vht, count_he, i;
5026 	u32 rate = beacon_rate->control[band].legacy;
5027 
5028 	/* Allow only one rate */
5029 	if (hweight32(rate) > 1)
5030 		return -EINVAL;
5031 
5032 	count_ht = 0;
5033 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5034 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5035 			return -EINVAL;
5036 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5037 			count_ht++;
5038 			if (count_ht > 1)
5039 				return -EINVAL;
5040 		}
5041 		if (count_ht && rate)
5042 			return -EINVAL;
5043 	}
5044 
5045 	count_vht = 0;
5046 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5047 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5048 			return -EINVAL;
5049 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5050 			count_vht++;
5051 			if (count_vht > 1)
5052 				return -EINVAL;
5053 		}
5054 		if (count_vht && rate)
5055 			return -EINVAL;
5056 	}
5057 
5058 	count_he = 0;
5059 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5060 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5061 			return -EINVAL;
5062 		} else if (beacon_rate->control[band].he_mcs[i]) {
5063 			count_he++;
5064 			if (count_he > 1)
5065 				return -EINVAL;
5066 		}
5067 		if (count_he && rate)
5068 			return -EINVAL;
5069 	}
5070 
5071 	if ((count_ht && count_vht && count_he) ||
5072 	    (!rate && !count_ht && !count_vht && !count_he))
5073 		return -EINVAL;
5074 
5075 	if (rate &&
5076 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5077 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5078 		return -EINVAL;
5079 	if (count_ht &&
5080 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5081 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5082 		return -EINVAL;
5083 	if (count_vht &&
5084 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5085 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5086 		return -EINVAL;
5087 	if (count_he &&
5088 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5089 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5090 		return -EINVAL;
5091 
5092 	return 0;
5093 }
5094 
5095 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5096 				       struct net_device *dev,
5097 				       struct nlattr *attrs,
5098 				       struct cfg80211_mbssid_config *config,
5099 				       u8 num_elems)
5100 {
5101 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5102 
5103 	if (!wiphy->mbssid_max_interfaces)
5104 		return -EOPNOTSUPP;
5105 
5106 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5107 			     NULL) ||
5108 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5109 		return -EINVAL;
5110 
5111 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5112 	if (config->ema) {
5113 		if (!wiphy->ema_max_profile_periodicity)
5114 			return -EOPNOTSUPP;
5115 
5116 		if (num_elems > wiphy->ema_max_profile_periodicity)
5117 			return -EINVAL;
5118 	}
5119 
5120 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5121 	if (config->index >= wiphy->mbssid_max_interfaces ||
5122 	    (!config->index && !num_elems))
5123 		return -EINVAL;
5124 
5125 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5126 		u32 tx_ifindex =
5127 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5128 
5129 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5130 		    (config->index && tx_ifindex == dev->ifindex))
5131 			return -EINVAL;
5132 
5133 		if (tx_ifindex != dev->ifindex) {
5134 			struct net_device *tx_netdev =
5135 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5136 
5137 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5138 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5139 			    tx_netdev->ieee80211_ptr->iftype !=
5140 							NL80211_IFTYPE_AP) {
5141 				dev_put(tx_netdev);
5142 				return -EINVAL;
5143 			}
5144 
5145 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5146 		} else {
5147 			config->tx_wdev = dev->ieee80211_ptr;
5148 		}
5149 	} else if (!config->index) {
5150 		config->tx_wdev = dev->ieee80211_ptr;
5151 	} else {
5152 		return -EINVAL;
5153 	}
5154 
5155 	return 0;
5156 }
5157 
5158 static struct cfg80211_mbssid_elems *
5159 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5160 {
5161 	struct nlattr *nl_elems;
5162 	struct cfg80211_mbssid_elems *elems;
5163 	int rem_elems;
5164 	u8 i = 0, num_elems = 0;
5165 
5166 	if (!wiphy->mbssid_max_interfaces)
5167 		return ERR_PTR(-EINVAL);
5168 
5169 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5170 		num_elems++;
5171 
5172 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5173 	if (!elems)
5174 		return ERR_PTR(-ENOMEM);
5175 
5176 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5177 		elems->elem[i].data = nla_data(nl_elems);
5178 		elems->elem[i].len = nla_len(nl_elems);
5179 		i++;
5180 	}
5181 	elems->cnt = num_elems;
5182 	return elems;
5183 }
5184 
5185 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5186 				      struct cfg80211_he_bss_color *he_bss_color)
5187 {
5188 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5189 	int err;
5190 
5191 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5192 			       he_bss_color_policy, NULL);
5193 	if (err)
5194 		return err;
5195 
5196 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5197 		return -EINVAL;
5198 
5199 	he_bss_color->color =
5200 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5201 	he_bss_color->enabled =
5202 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5203 	he_bss_color->partial =
5204 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5205 
5206 	return 0;
5207 }
5208 
5209 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5210 				struct nlattr *attrs[],
5211 				struct cfg80211_beacon_data *bcn)
5212 {
5213 	bool haveinfo = false;
5214 	int err;
5215 
5216 	memset(bcn, 0, sizeof(*bcn));
5217 
5218 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5219 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5220 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5221 		if (!bcn->head_len)
5222 			return -EINVAL;
5223 		haveinfo = true;
5224 	}
5225 
5226 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5227 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5228 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5229 		haveinfo = true;
5230 	}
5231 
5232 	if (!haveinfo)
5233 		return -EINVAL;
5234 
5235 	if (attrs[NL80211_ATTR_IE]) {
5236 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5237 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5238 	}
5239 
5240 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5241 		bcn->proberesp_ies =
5242 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5243 		bcn->proberesp_ies_len =
5244 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5245 	}
5246 
5247 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5248 		bcn->assocresp_ies =
5249 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5250 		bcn->assocresp_ies_len =
5251 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5252 	}
5253 
5254 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5255 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5256 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5257 	}
5258 
5259 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5260 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5261 
5262 		err = nla_parse_nested_deprecated(tb,
5263 						  NL80211_FTM_RESP_ATTR_MAX,
5264 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5265 						  NULL, NULL);
5266 		if (err)
5267 			return err;
5268 
5269 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5270 		    wiphy_ext_feature_isset(&rdev->wiphy,
5271 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5272 			bcn->ftm_responder = 1;
5273 		else
5274 			return -EOPNOTSUPP;
5275 
5276 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5277 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5278 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5279 		}
5280 
5281 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5282 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5283 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5284 		}
5285 	} else {
5286 		bcn->ftm_responder = -1;
5287 	}
5288 
5289 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5290 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5291 						 &bcn->he_bss_color);
5292 		if (err)
5293 			return err;
5294 		bcn->he_bss_color_valid = true;
5295 	}
5296 
5297 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5298 		struct cfg80211_mbssid_elems *mbssid =
5299 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5300 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5301 
5302 		if (IS_ERR(mbssid))
5303 			return PTR_ERR(mbssid);
5304 
5305 		bcn->mbssid_ies = mbssid;
5306 	}
5307 
5308 	return 0;
5309 }
5310 
5311 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5312 				    struct ieee80211_he_obss_pd *he_obss_pd)
5313 {
5314 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5315 	int err;
5316 
5317 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5318 			       he_obss_pd_policy, NULL);
5319 	if (err)
5320 		return err;
5321 
5322 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5323 		return -EINVAL;
5324 
5325 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5326 
5327 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5328 		he_obss_pd->min_offset =
5329 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5330 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5331 		he_obss_pd->max_offset =
5332 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5333 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5334 		he_obss_pd->non_srg_max_offset =
5335 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5336 
5337 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5338 		return -EINVAL;
5339 
5340 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5341 		memcpy(he_obss_pd->bss_color_bitmap,
5342 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5343 		       sizeof(he_obss_pd->bss_color_bitmap));
5344 
5345 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5346 		memcpy(he_obss_pd->partial_bssid_bitmap,
5347 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5348 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5349 
5350 	he_obss_pd->enable = true;
5351 
5352 	return 0;
5353 }
5354 
5355 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5356 					struct nlattr *attrs,
5357 					struct cfg80211_ap_settings *params)
5358 {
5359 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5360 	int ret;
5361 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5362 
5363 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5364 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5365 		return -EINVAL;
5366 
5367 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5368 			       NULL, NULL);
5369 	if (ret)
5370 		return ret;
5371 
5372 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5373 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5374 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5375 		return -EINVAL;
5376 
5377 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5378 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5379 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5380 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5381 
5382 	return 0;
5383 }
5384 
5385 static int
5386 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5387 				     struct nlattr *attrs,
5388 				     struct cfg80211_ap_settings *params)
5389 {
5390 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5391 	int ret;
5392 	struct cfg80211_unsol_bcast_probe_resp *presp =
5393 					&params->unsol_bcast_probe_resp;
5394 
5395 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5396 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5397 		return -EINVAL;
5398 
5399 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5400 			       attrs, NULL, NULL);
5401 	if (ret)
5402 		return ret;
5403 
5404 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5405 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5406 		return -EINVAL;
5407 
5408 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5409 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5410 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5411 	return 0;
5412 }
5413 
5414 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5415 					    const struct element *rates)
5416 {
5417 	int i;
5418 
5419 	if (!rates)
5420 		return;
5421 
5422 	for (i = 0; i < rates->datalen; i++) {
5423 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5424 			params->ht_required = true;
5425 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5426 			params->vht_required = true;
5427 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5428 			params->he_required = true;
5429 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5430 			params->sae_h2e_required = true;
5431 	}
5432 }
5433 
5434 /*
5435  * Since the nl80211 API didn't include, from the beginning, attributes about
5436  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5437  * benefit of drivers that rebuild IEs in the firmware.
5438  */
5439 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5440 {
5441 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5442 	size_t ies_len = bcn->tail_len;
5443 	const u8 *ies = bcn->tail;
5444 	const struct element *rates;
5445 	const struct element *cap;
5446 
5447 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5448 	nl80211_check_ap_rate_selectors(params, rates);
5449 
5450 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5451 	nl80211_check_ap_rate_selectors(params, rates);
5452 
5453 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5454 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5455 		params->ht_cap = (void *)cap->data;
5456 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5457 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5458 		params->vht_cap = (void *)cap->data;
5459 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5460 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5461 		params->he_cap = (void *)(cap->data + 1);
5462 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5463 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5464 		params->he_oper = (void *)(cap->data + 1);
5465 }
5466 
5467 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5468 				   struct cfg80211_ap_settings *params)
5469 {
5470 	struct wireless_dev *wdev;
5471 	bool ret = false;
5472 
5473 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5474 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5475 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5476 			continue;
5477 
5478 		if (!wdev->preset_chandef.chan)
5479 			continue;
5480 
5481 		params->chandef = wdev->preset_chandef;
5482 		ret = true;
5483 		break;
5484 	}
5485 
5486 	return ret;
5487 }
5488 
5489 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5490 				    enum nl80211_auth_type auth_type,
5491 				    enum nl80211_commands cmd)
5492 {
5493 	if (auth_type > NL80211_AUTHTYPE_MAX)
5494 		return false;
5495 
5496 	switch (cmd) {
5497 	case NL80211_CMD_AUTHENTICATE:
5498 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5499 		    auth_type == NL80211_AUTHTYPE_SAE)
5500 			return false;
5501 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5502 					     NL80211_EXT_FEATURE_FILS_STA) &&
5503 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5504 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5505 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5506 			return false;
5507 		return true;
5508 	case NL80211_CMD_CONNECT:
5509 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5510 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5511 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5512 		    auth_type == NL80211_AUTHTYPE_SAE)
5513 			return false;
5514 
5515 		/* FILS with SK PFS or PK not supported yet */
5516 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5517 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5518 			return false;
5519 		if (!wiphy_ext_feature_isset(
5520 			    &rdev->wiphy,
5521 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5522 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5523 			return false;
5524 		return true;
5525 	case NL80211_CMD_START_AP:
5526 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5527 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5528 		    auth_type == NL80211_AUTHTYPE_SAE)
5529 			return false;
5530 		/* FILS not supported yet */
5531 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5532 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5533 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5534 			return false;
5535 		return true;
5536 	default:
5537 		return false;
5538 	}
5539 }
5540 
5541 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5542 {
5543 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5544 	struct net_device *dev = info->user_ptr[1];
5545 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5546 	struct cfg80211_ap_settings *params;
5547 	int err;
5548 
5549 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5550 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5551 		return -EOPNOTSUPP;
5552 
5553 	if (!rdev->ops->start_ap)
5554 		return -EOPNOTSUPP;
5555 
5556 	if (wdev->beacon_interval)
5557 		return -EALREADY;
5558 
5559 	/* these are required for START_AP */
5560 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5561 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5562 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5563 		return -EINVAL;
5564 
5565 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5566 	if (!params)
5567 		return -ENOMEM;
5568 
5569 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5570 	if (err)
5571 		goto out;
5572 
5573 	params->beacon_interval =
5574 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5575 	params->dtim_period =
5576 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5577 
5578 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5579 					   params->beacon_interval);
5580 	if (err)
5581 		goto out;
5582 
5583 	/*
5584 	 * In theory, some of these attributes should be required here
5585 	 * but since they were not used when the command was originally
5586 	 * added, keep them optional for old user space programs to let
5587 	 * them continue to work with drivers that do not need the
5588 	 * additional information -- drivers must check!
5589 	 */
5590 	if (info->attrs[NL80211_ATTR_SSID]) {
5591 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5592 		params->ssid_len =
5593 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5594 		if (params->ssid_len == 0) {
5595 			err = -EINVAL;
5596 			goto out;
5597 		}
5598 	}
5599 
5600 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5601 		params->hidden_ssid = nla_get_u32(
5602 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5603 
5604 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5605 
5606 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5607 		params->auth_type = nla_get_u32(
5608 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5609 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5610 					     NL80211_CMD_START_AP)) {
5611 			err = -EINVAL;
5612 			goto out;
5613 		}
5614 	} else
5615 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5616 
5617 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5618 				      NL80211_MAX_NR_CIPHER_SUITES);
5619 	if (err)
5620 		goto out;
5621 
5622 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5623 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5624 			err = -EOPNOTSUPP;
5625 			goto out;
5626 		}
5627 		params->inactivity_timeout = nla_get_u16(
5628 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5629 	}
5630 
5631 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5632 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5633 			err = -EINVAL;
5634 			goto out;
5635 		}
5636 		params->p2p_ctwindow =
5637 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5638 		if (params->p2p_ctwindow != 0 &&
5639 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5640 			err = -EINVAL;
5641 			goto out;
5642 		}
5643 	}
5644 
5645 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5646 		u8 tmp;
5647 
5648 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5649 			err = -EINVAL;
5650 			goto out;
5651 		}
5652 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5653 		params->p2p_opp_ps = tmp;
5654 		if (params->p2p_opp_ps != 0 &&
5655 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5656 			err = -EINVAL;
5657 			goto out;
5658 		}
5659 	}
5660 
5661 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5662 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5663 		if (err)
5664 			goto out;
5665 	} else if (wdev->preset_chandef.chan) {
5666 		params->chandef = wdev->preset_chandef;
5667 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5668 		err = -EINVAL;
5669 		goto out;
5670 	}
5671 
5672 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5673 					   wdev->iftype)) {
5674 		err = -EINVAL;
5675 		goto out;
5676 	}
5677 
5678 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5679 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5680 						    NL80211_ATTR_TX_RATES,
5681 						    &params->beacon_rate,
5682 						    dev, false);
5683 		if (err)
5684 			goto out;
5685 
5686 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5687 					      &params->beacon_rate);
5688 		if (err)
5689 			goto out;
5690 	}
5691 
5692 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5693 		params->smps_mode =
5694 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5695 		switch (params->smps_mode) {
5696 		case NL80211_SMPS_OFF:
5697 			break;
5698 		case NL80211_SMPS_STATIC:
5699 			if (!(rdev->wiphy.features &
5700 			      NL80211_FEATURE_STATIC_SMPS)) {
5701 				err = -EINVAL;
5702 				goto out;
5703 			}
5704 			break;
5705 		case NL80211_SMPS_DYNAMIC:
5706 			if (!(rdev->wiphy.features &
5707 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5708 				err = -EINVAL;
5709 				goto out;
5710 			}
5711 			break;
5712 		default:
5713 			err = -EINVAL;
5714 			goto out;
5715 		}
5716 	} else {
5717 		params->smps_mode = NL80211_SMPS_OFF;
5718 	}
5719 
5720 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5721 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5722 		err = -EOPNOTSUPP;
5723 		goto out;
5724 	}
5725 
5726 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5727 		params->acl = parse_acl_data(&rdev->wiphy, info);
5728 		if (IS_ERR(params->acl)) {
5729 			err = PTR_ERR(params->acl);
5730 			params->acl = NULL;
5731 			goto out;
5732 		}
5733 	}
5734 
5735 	params->twt_responder =
5736 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5737 
5738 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5739 		err = nl80211_parse_he_obss_pd(
5740 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5741 					&params->he_obss_pd);
5742 		if (err)
5743 			goto out;
5744 	}
5745 
5746 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5747 		err = nl80211_parse_fils_discovery(rdev,
5748 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5749 						   params);
5750 		if (err)
5751 			goto out;
5752 	}
5753 
5754 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5755 		err = nl80211_parse_unsol_bcast_probe_resp(
5756 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5757 			params);
5758 		if (err)
5759 			goto out;
5760 	}
5761 
5762 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5763 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5764 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5765 						  &params->mbssid_config,
5766 						  params->beacon.mbssid_ies ?
5767 							params->beacon.mbssid_ies->cnt :
5768 							0);
5769 		if (err)
5770 			goto out;
5771 	}
5772 
5773 	nl80211_calculate_ap_params(params);
5774 
5775 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5776 		params->flags = nla_get_u32(
5777 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5778 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5779 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5780 
5781 	wdev_lock(wdev);
5782 	err = rdev_start_ap(rdev, dev, params);
5783 	if (!err) {
5784 		wdev->preset_chandef = params->chandef;
5785 		wdev->beacon_interval = params->beacon_interval;
5786 		wdev->chandef = params->chandef;
5787 		wdev->ssid_len = params->ssid_len;
5788 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5789 
5790 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5791 			wdev->conn_owner_nlportid = info->snd_portid;
5792 	}
5793 	wdev_unlock(wdev);
5794 
5795 out:
5796 	kfree(params->acl);
5797 	kfree(params->beacon.mbssid_ies);
5798 	if (params->mbssid_config.tx_wdev &&
5799 	    params->mbssid_config.tx_wdev->netdev &&
5800 	    params->mbssid_config.tx_wdev->netdev != dev)
5801 		dev_put(params->mbssid_config.tx_wdev->netdev);
5802 	kfree(params);
5803 
5804 	return err;
5805 }
5806 
5807 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5808 {
5809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5810 	struct net_device *dev = info->user_ptr[1];
5811 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5812 	struct cfg80211_beacon_data params;
5813 	int err;
5814 
5815 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5816 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5817 		return -EOPNOTSUPP;
5818 
5819 	if (!rdev->ops->change_beacon)
5820 		return -EOPNOTSUPP;
5821 
5822 	if (!wdev->beacon_interval)
5823 		return -EINVAL;
5824 
5825 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5826 	if (err)
5827 		goto out;
5828 
5829 	wdev_lock(wdev);
5830 	err = rdev_change_beacon(rdev, dev, &params);
5831 	wdev_unlock(wdev);
5832 
5833 out:
5834 	kfree(params.mbssid_ies);
5835 	return err;
5836 }
5837 
5838 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5839 {
5840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5841 	struct net_device *dev = info->user_ptr[1];
5842 
5843 	return cfg80211_stop_ap(rdev, dev, false);
5844 }
5845 
5846 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5847 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5848 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5849 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5850 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5851 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5852 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5853 };
5854 
5855 static int parse_station_flags(struct genl_info *info,
5856 			       enum nl80211_iftype iftype,
5857 			       struct station_parameters *params)
5858 {
5859 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5860 	struct nlattr *nla;
5861 	int flag;
5862 
5863 	/*
5864 	 * Try parsing the new attribute first so userspace
5865 	 * can specify both for older kernels.
5866 	 */
5867 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5868 	if (nla) {
5869 		struct nl80211_sta_flag_update *sta_flags;
5870 
5871 		sta_flags = nla_data(nla);
5872 		params->sta_flags_mask = sta_flags->mask;
5873 		params->sta_flags_set = sta_flags->set;
5874 		params->sta_flags_set &= params->sta_flags_mask;
5875 		if ((params->sta_flags_mask |
5876 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5877 			return -EINVAL;
5878 		return 0;
5879 	}
5880 
5881 	/* if present, parse the old attribute */
5882 
5883 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5884 	if (!nla)
5885 		return 0;
5886 
5887 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5888 		return -EINVAL;
5889 
5890 	/*
5891 	 * Only allow certain flags for interface types so that
5892 	 * other attributes are silently ignored. Remember that
5893 	 * this is backward compatibility code with old userspace
5894 	 * and shouldn't be hit in other cases anyway.
5895 	 */
5896 	switch (iftype) {
5897 	case NL80211_IFTYPE_AP:
5898 	case NL80211_IFTYPE_AP_VLAN:
5899 	case NL80211_IFTYPE_P2P_GO:
5900 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5901 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5902 					 BIT(NL80211_STA_FLAG_WME) |
5903 					 BIT(NL80211_STA_FLAG_MFP);
5904 		break;
5905 	case NL80211_IFTYPE_P2P_CLIENT:
5906 	case NL80211_IFTYPE_STATION:
5907 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5908 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5909 		break;
5910 	case NL80211_IFTYPE_MESH_POINT:
5911 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5912 					 BIT(NL80211_STA_FLAG_MFP) |
5913 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5914 		break;
5915 	default:
5916 		return -EINVAL;
5917 	}
5918 
5919 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5920 		if (flags[flag]) {
5921 			params->sta_flags_set |= (1<<flag);
5922 
5923 			/* no longer support new API additions in old API */
5924 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5925 				return -EINVAL;
5926 		}
5927 	}
5928 
5929 	return 0;
5930 }
5931 
5932 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5933 {
5934 	struct nlattr *rate;
5935 	u32 bitrate;
5936 	u16 bitrate_compat;
5937 	enum nl80211_rate_info rate_flg;
5938 
5939 	rate = nla_nest_start_noflag(msg, attr);
5940 	if (!rate)
5941 		return false;
5942 
5943 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5944 	bitrate = cfg80211_calculate_bitrate(info);
5945 	/* report 16-bit bitrate only if we can */
5946 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5947 	if (bitrate > 0 &&
5948 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5949 		return false;
5950 	if (bitrate_compat > 0 &&
5951 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5952 		return false;
5953 
5954 	switch (info->bw) {
5955 	case RATE_INFO_BW_5:
5956 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5957 		break;
5958 	case RATE_INFO_BW_10:
5959 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5960 		break;
5961 	default:
5962 		WARN_ON(1);
5963 		fallthrough;
5964 	case RATE_INFO_BW_20:
5965 		rate_flg = 0;
5966 		break;
5967 	case RATE_INFO_BW_40:
5968 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5969 		break;
5970 	case RATE_INFO_BW_80:
5971 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5972 		break;
5973 	case RATE_INFO_BW_160:
5974 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5975 		break;
5976 	case RATE_INFO_BW_HE_RU:
5977 		rate_flg = 0;
5978 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5979 		break;
5980 	case RATE_INFO_BW_320:
5981 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
5982 		break;
5983 	case RATE_INFO_BW_EHT_RU:
5984 		rate_flg = 0;
5985 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
5986 		break;
5987 	}
5988 
5989 	if (rate_flg && nla_put_flag(msg, rate_flg))
5990 		return false;
5991 
5992 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5993 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5994 			return false;
5995 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5996 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5997 			return false;
5998 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5999 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6000 			return false;
6001 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6002 			return false;
6003 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6004 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6005 			return false;
6006 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6007 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6008 			return false;
6009 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6010 			return false;
6011 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6012 			return false;
6013 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6014 			return false;
6015 		if (info->bw == RATE_INFO_BW_HE_RU &&
6016 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6017 			       info->he_ru_alloc))
6018 			return false;
6019 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6020 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6021 			return false;
6022 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6023 			return false;
6024 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6025 			return false;
6026 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6027 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6028 			       info->eht_ru_alloc))
6029 			return false;
6030 	}
6031 
6032 	nla_nest_end(msg, rate);
6033 	return true;
6034 }
6035 
6036 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6037 			       int id)
6038 {
6039 	void *attr;
6040 	int i = 0;
6041 
6042 	if (!mask)
6043 		return true;
6044 
6045 	attr = nla_nest_start_noflag(msg, id);
6046 	if (!attr)
6047 		return false;
6048 
6049 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6050 		if (!(mask & BIT(i)))
6051 			continue;
6052 
6053 		if (nla_put_u8(msg, i, signal[i]))
6054 			return false;
6055 	}
6056 
6057 	nla_nest_end(msg, attr);
6058 
6059 	return true;
6060 }
6061 
6062 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6063 				u32 seq, int flags,
6064 				struct cfg80211_registered_device *rdev,
6065 				struct net_device *dev,
6066 				const u8 *mac_addr, struct station_info *sinfo)
6067 {
6068 	void *hdr;
6069 	struct nlattr *sinfoattr, *bss_param;
6070 
6071 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6072 	if (!hdr) {
6073 		cfg80211_sinfo_release_content(sinfo);
6074 		return -1;
6075 	}
6076 
6077 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6078 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6079 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6080 		goto nla_put_failure;
6081 
6082 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6083 	if (!sinfoattr)
6084 		goto nla_put_failure;
6085 
6086 #define PUT_SINFO(attr, memb, type) do {				\
6087 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6088 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6089 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6090 			     sinfo->memb))				\
6091 		goto nla_put_failure;					\
6092 	} while (0)
6093 #define PUT_SINFO_U64(attr, memb) do {					\
6094 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6095 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6096 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6097 		goto nla_put_failure;					\
6098 	} while (0)
6099 
6100 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6101 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6102 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6103 
6104 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6105 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6106 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6107 			(u32)sinfo->rx_bytes))
6108 		goto nla_put_failure;
6109 
6110 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6111 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6112 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6113 			(u32)sinfo->tx_bytes))
6114 		goto nla_put_failure;
6115 
6116 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6117 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6118 	PUT_SINFO(LLID, llid, u16);
6119 	PUT_SINFO(PLID, plid, u16);
6120 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6121 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6122 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6123 
6124 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6125 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6126 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6127 
6128 	switch (rdev->wiphy.signal_type) {
6129 	case CFG80211_SIGNAL_TYPE_MBM:
6130 		PUT_SINFO(SIGNAL, signal, u8);
6131 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6132 		break;
6133 	default:
6134 		break;
6135 	}
6136 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6137 		if (!nl80211_put_signal(msg, sinfo->chains,
6138 					sinfo->chain_signal,
6139 					NL80211_STA_INFO_CHAIN_SIGNAL))
6140 			goto nla_put_failure;
6141 	}
6142 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6143 		if (!nl80211_put_signal(msg, sinfo->chains,
6144 					sinfo->chain_signal_avg,
6145 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6146 			goto nla_put_failure;
6147 	}
6148 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6149 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6150 					  NL80211_STA_INFO_TX_BITRATE))
6151 			goto nla_put_failure;
6152 	}
6153 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6154 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6155 					  NL80211_STA_INFO_RX_BITRATE))
6156 			goto nla_put_failure;
6157 	}
6158 
6159 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6160 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6161 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6162 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6163 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6164 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6165 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6166 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6167 	PUT_SINFO(PEER_PM, peer_pm, u32);
6168 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6169 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6170 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6171 
6172 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6173 		bss_param = nla_nest_start_noflag(msg,
6174 						  NL80211_STA_INFO_BSS_PARAM);
6175 		if (!bss_param)
6176 			goto nla_put_failure;
6177 
6178 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6179 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6180 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6181 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6182 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6183 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6184 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6185 			       sinfo->bss_param.dtim_period) ||
6186 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6187 				sinfo->bss_param.beacon_interval))
6188 			goto nla_put_failure;
6189 
6190 		nla_nest_end(msg, bss_param);
6191 	}
6192 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6193 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6194 		    sizeof(struct nl80211_sta_flag_update),
6195 		    &sinfo->sta_flags))
6196 		goto nla_put_failure;
6197 
6198 	PUT_SINFO_U64(T_OFFSET, t_offset);
6199 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6200 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6201 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6202 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6203 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6204 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6205 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6206 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6207 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6208 	}
6209 
6210 #undef PUT_SINFO
6211 #undef PUT_SINFO_U64
6212 
6213 	if (sinfo->pertid) {
6214 		struct nlattr *tidsattr;
6215 		int tid;
6216 
6217 		tidsattr = nla_nest_start_noflag(msg,
6218 						 NL80211_STA_INFO_TID_STATS);
6219 		if (!tidsattr)
6220 			goto nla_put_failure;
6221 
6222 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6223 			struct cfg80211_tid_stats *tidstats;
6224 			struct nlattr *tidattr;
6225 
6226 			tidstats = &sinfo->pertid[tid];
6227 
6228 			if (!tidstats->filled)
6229 				continue;
6230 
6231 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6232 			if (!tidattr)
6233 				goto nla_put_failure;
6234 
6235 #define PUT_TIDVAL_U64(attr, memb) do {					\
6236 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6237 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6238 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6239 		goto nla_put_failure;					\
6240 	} while (0)
6241 
6242 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6243 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6244 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6245 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6246 
6247 #undef PUT_TIDVAL_U64
6248 			if ((tidstats->filled &
6249 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6250 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6251 						   NL80211_TID_STATS_TXQ_STATS))
6252 				goto nla_put_failure;
6253 
6254 			nla_nest_end(msg, tidattr);
6255 		}
6256 
6257 		nla_nest_end(msg, tidsattr);
6258 	}
6259 
6260 	nla_nest_end(msg, sinfoattr);
6261 
6262 	if (sinfo->assoc_req_ies_len &&
6263 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6264 		    sinfo->assoc_req_ies))
6265 		goto nla_put_failure;
6266 
6267 	cfg80211_sinfo_release_content(sinfo);
6268 	genlmsg_end(msg, hdr);
6269 	return 0;
6270 
6271  nla_put_failure:
6272 	cfg80211_sinfo_release_content(sinfo);
6273 	genlmsg_cancel(msg, hdr);
6274 	return -EMSGSIZE;
6275 }
6276 
6277 static int nl80211_dump_station(struct sk_buff *skb,
6278 				struct netlink_callback *cb)
6279 {
6280 	struct station_info sinfo;
6281 	struct cfg80211_registered_device *rdev;
6282 	struct wireless_dev *wdev;
6283 	u8 mac_addr[ETH_ALEN];
6284 	int sta_idx = cb->args[2];
6285 	int err;
6286 
6287 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6288 	if (err)
6289 		return err;
6290 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6291 	__acquire(&rdev->wiphy.mtx);
6292 
6293 	if (!wdev->netdev) {
6294 		err = -EINVAL;
6295 		goto out_err;
6296 	}
6297 
6298 	if (!rdev->ops->dump_station) {
6299 		err = -EOPNOTSUPP;
6300 		goto out_err;
6301 	}
6302 
6303 	while (1) {
6304 		memset(&sinfo, 0, sizeof(sinfo));
6305 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6306 					mac_addr, &sinfo);
6307 		if (err == -ENOENT)
6308 			break;
6309 		if (err)
6310 			goto out_err;
6311 
6312 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6313 				NETLINK_CB(cb->skb).portid,
6314 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6315 				rdev, wdev->netdev, mac_addr,
6316 				&sinfo) < 0)
6317 			goto out;
6318 
6319 		sta_idx++;
6320 	}
6321 
6322  out:
6323 	cb->args[2] = sta_idx;
6324 	err = skb->len;
6325  out_err:
6326 	wiphy_unlock(&rdev->wiphy);
6327 
6328 	return err;
6329 }
6330 
6331 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6332 {
6333 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6334 	struct net_device *dev = info->user_ptr[1];
6335 	struct station_info sinfo;
6336 	struct sk_buff *msg;
6337 	u8 *mac_addr = NULL;
6338 	int err;
6339 
6340 	memset(&sinfo, 0, sizeof(sinfo));
6341 
6342 	if (!info->attrs[NL80211_ATTR_MAC])
6343 		return -EINVAL;
6344 
6345 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6346 
6347 	if (!rdev->ops->get_station)
6348 		return -EOPNOTSUPP;
6349 
6350 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6351 	if (err)
6352 		return err;
6353 
6354 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6355 	if (!msg) {
6356 		cfg80211_sinfo_release_content(&sinfo);
6357 		return -ENOMEM;
6358 	}
6359 
6360 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6361 				 info->snd_portid, info->snd_seq, 0,
6362 				 rdev, dev, mac_addr, &sinfo) < 0) {
6363 		nlmsg_free(msg);
6364 		return -ENOBUFS;
6365 	}
6366 
6367 	return genlmsg_reply(msg, info);
6368 }
6369 
6370 int cfg80211_check_station_change(struct wiphy *wiphy,
6371 				  struct station_parameters *params,
6372 				  enum cfg80211_station_type statype)
6373 {
6374 	if (params->listen_interval != -1 &&
6375 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6376 		return -EINVAL;
6377 
6378 	if (params->support_p2p_ps != -1 &&
6379 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6380 		return -EINVAL;
6381 
6382 	if (params->aid &&
6383 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6384 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6385 		return -EINVAL;
6386 
6387 	/* When you run into this, adjust the code below for the new flag */
6388 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6389 
6390 	switch (statype) {
6391 	case CFG80211_STA_MESH_PEER_KERNEL:
6392 	case CFG80211_STA_MESH_PEER_USER:
6393 		/*
6394 		 * No ignoring the TDLS flag here -- the userspace mesh
6395 		 * code doesn't have the bug of including TDLS in the
6396 		 * mask everywhere.
6397 		 */
6398 		if (params->sta_flags_mask &
6399 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6400 				  BIT(NL80211_STA_FLAG_MFP) |
6401 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6402 			return -EINVAL;
6403 		break;
6404 	case CFG80211_STA_TDLS_PEER_SETUP:
6405 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6406 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6407 			return -EINVAL;
6408 		/* ignore since it can't change */
6409 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6410 		break;
6411 	default:
6412 		/* disallow mesh-specific things */
6413 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6414 			return -EINVAL;
6415 		if (params->local_pm)
6416 			return -EINVAL;
6417 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6418 			return -EINVAL;
6419 	}
6420 
6421 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6422 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6423 		/* TDLS can't be set, ... */
6424 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6425 			return -EINVAL;
6426 		/*
6427 		 * ... but don't bother the driver with it. This works around
6428 		 * a hostapd/wpa_supplicant issue -- it always includes the
6429 		 * TLDS_PEER flag in the mask even for AP mode.
6430 		 */
6431 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6432 	}
6433 
6434 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6435 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6436 		/* reject other things that can't change */
6437 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6438 			return -EINVAL;
6439 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6440 			return -EINVAL;
6441 		if (params->supported_rates)
6442 			return -EINVAL;
6443 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6444 		    params->he_capa || params->eht_capa)
6445 			return -EINVAL;
6446 	}
6447 
6448 	if (statype != CFG80211_STA_AP_CLIENT &&
6449 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6450 		if (params->vlan)
6451 			return -EINVAL;
6452 	}
6453 
6454 	switch (statype) {
6455 	case CFG80211_STA_AP_MLME_CLIENT:
6456 		/* Use this only for authorizing/unauthorizing a station */
6457 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6458 			return -EOPNOTSUPP;
6459 		break;
6460 	case CFG80211_STA_AP_CLIENT:
6461 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6462 		/* accept only the listed bits */
6463 		if (params->sta_flags_mask &
6464 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6465 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6466 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6467 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6468 				  BIT(NL80211_STA_FLAG_WME) |
6469 				  BIT(NL80211_STA_FLAG_MFP)))
6470 			return -EINVAL;
6471 
6472 		/* but authenticated/associated only if driver handles it */
6473 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6474 		    params->sta_flags_mask &
6475 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6476 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6477 			return -EINVAL;
6478 		break;
6479 	case CFG80211_STA_IBSS:
6480 	case CFG80211_STA_AP_STA:
6481 		/* reject any changes other than AUTHORIZED */
6482 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6483 			return -EINVAL;
6484 		break;
6485 	case CFG80211_STA_TDLS_PEER_SETUP:
6486 		/* reject any changes other than AUTHORIZED or WME */
6487 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6488 					       BIT(NL80211_STA_FLAG_WME)))
6489 			return -EINVAL;
6490 		/* force (at least) rates when authorizing */
6491 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6492 		    !params->supported_rates)
6493 			return -EINVAL;
6494 		break;
6495 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6496 		/* reject any changes */
6497 		return -EINVAL;
6498 	case CFG80211_STA_MESH_PEER_KERNEL:
6499 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6500 			return -EINVAL;
6501 		break;
6502 	case CFG80211_STA_MESH_PEER_USER:
6503 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6504 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6505 			return -EINVAL;
6506 		break;
6507 	}
6508 
6509 	/*
6510 	 * Older kernel versions ignored this attribute entirely, so don't
6511 	 * reject attempts to update it but mark it as unused instead so the
6512 	 * driver won't look at the data.
6513 	 */
6514 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6515 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6516 		params->opmode_notif_used = false;
6517 
6518 	return 0;
6519 }
6520 EXPORT_SYMBOL(cfg80211_check_station_change);
6521 
6522 /*
6523  * Get vlan interface making sure it is running and on the right wiphy.
6524  */
6525 static struct net_device *get_vlan(struct genl_info *info,
6526 				   struct cfg80211_registered_device *rdev)
6527 {
6528 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6529 	struct net_device *v;
6530 	int ret;
6531 
6532 	if (!vlanattr)
6533 		return NULL;
6534 
6535 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6536 	if (!v)
6537 		return ERR_PTR(-ENODEV);
6538 
6539 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6540 		ret = -EINVAL;
6541 		goto error;
6542 	}
6543 
6544 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6545 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6546 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6547 		ret = -EINVAL;
6548 		goto error;
6549 	}
6550 
6551 	if (!netif_running(v)) {
6552 		ret = -ENETDOWN;
6553 		goto error;
6554 	}
6555 
6556 	return v;
6557  error:
6558 	dev_put(v);
6559 	return ERR_PTR(ret);
6560 }
6561 
6562 static const struct nla_policy
6563 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6564 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6565 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6566 };
6567 
6568 static int nl80211_parse_sta_wme(struct genl_info *info,
6569 				 struct station_parameters *params)
6570 {
6571 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6572 	struct nlattr *nla;
6573 	int err;
6574 
6575 	/* parse WME attributes if present */
6576 	if (!info->attrs[NL80211_ATTR_STA_WME])
6577 		return 0;
6578 
6579 	nla = info->attrs[NL80211_ATTR_STA_WME];
6580 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6581 					  nl80211_sta_wme_policy,
6582 					  info->extack);
6583 	if (err)
6584 		return err;
6585 
6586 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6587 		params->uapsd_queues = nla_get_u8(
6588 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6589 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6590 		return -EINVAL;
6591 
6592 	if (tb[NL80211_STA_WME_MAX_SP])
6593 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6594 
6595 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6596 		return -EINVAL;
6597 
6598 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6599 
6600 	return 0;
6601 }
6602 
6603 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6604 				      struct station_parameters *params)
6605 {
6606 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6607 		params->supported_channels =
6608 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6609 		params->supported_channels_len =
6610 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6611 		/*
6612 		 * Need to include at least one (first channel, number of
6613 		 * channels) tuple for each subband (checked in policy),
6614 		 * and must have proper tuples for the rest of the data as well.
6615 		 */
6616 		if (params->supported_channels_len % 2)
6617 			return -EINVAL;
6618 	}
6619 
6620 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6621 		params->supported_oper_classes =
6622 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6623 		params->supported_oper_classes_len =
6624 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6625 	}
6626 	return 0;
6627 }
6628 
6629 static int nl80211_set_station_tdls(struct genl_info *info,
6630 				    struct station_parameters *params)
6631 {
6632 	int err;
6633 	/* Dummy STA entry gets updated once the peer capabilities are known */
6634 	if (info->attrs[NL80211_ATTR_PEER_AID])
6635 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6636 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6637 		params->ht_capa =
6638 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6639 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6640 		params->vht_capa =
6641 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6642 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6643 		params->he_capa =
6644 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6645 		params->he_capa_len =
6646 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6647 
6648 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6649 			params->eht_capa =
6650 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6651 			params->eht_capa_len =
6652 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6653 
6654 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_capa,
6655 							(const u8 *)params->eht_capa,
6656 							params->eht_capa_len))
6657 				return -EINVAL;
6658 		}
6659 	}
6660 
6661 	err = nl80211_parse_sta_channel_info(info, params);
6662 	if (err)
6663 		return err;
6664 
6665 	return nl80211_parse_sta_wme(info, params);
6666 }
6667 
6668 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6669 					     struct station_parameters *params)
6670 {
6671 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6672 	int idx;
6673 
6674 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6675 		if (!rdev->ops->set_tx_power ||
6676 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6677 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6678 			return -EOPNOTSUPP;
6679 
6680 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6681 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6682 
6683 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6684 			idx = NL80211_ATTR_STA_TX_POWER;
6685 
6686 			if (info->attrs[idx])
6687 				params->txpwr.power =
6688 					nla_get_s16(info->attrs[idx]);
6689 			else
6690 				return -EINVAL;
6691 		}
6692 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6693 	}
6694 
6695 	return 0;
6696 }
6697 
6698 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6699 {
6700 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6701 	struct net_device *dev = info->user_ptr[1];
6702 	struct station_parameters params;
6703 	u8 *mac_addr;
6704 	int err;
6705 
6706 	memset(&params, 0, sizeof(params));
6707 
6708 	if (!rdev->ops->change_station)
6709 		return -EOPNOTSUPP;
6710 
6711 	/*
6712 	 * AID and listen_interval properties can be set only for unassociated
6713 	 * station. Include these parameters here and will check them in
6714 	 * cfg80211_check_station_change().
6715 	 */
6716 	if (info->attrs[NL80211_ATTR_STA_AID])
6717 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6718 
6719 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6720 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6721 
6722 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6723 		params.listen_interval =
6724 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6725 	else
6726 		params.listen_interval = -1;
6727 
6728 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6729 		params.support_p2p_ps =
6730 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6731 	else
6732 		params.support_p2p_ps = -1;
6733 
6734 	if (!info->attrs[NL80211_ATTR_MAC])
6735 		return -EINVAL;
6736 
6737 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6738 
6739 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6740 		params.supported_rates =
6741 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6742 		params.supported_rates_len =
6743 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6744 	}
6745 
6746 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6747 		params.capability =
6748 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6749 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6750 	}
6751 
6752 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6753 		params.ext_capab =
6754 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6755 		params.ext_capab_len =
6756 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6757 	}
6758 
6759 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6760 		return -EINVAL;
6761 
6762 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6763 		params.plink_action =
6764 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6765 
6766 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6767 		params.plink_state =
6768 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6769 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6770 			params.peer_aid = nla_get_u16(
6771 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6772 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6773 	}
6774 
6775 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6776 		params.local_pm = nla_get_u32(
6777 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6778 
6779 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6780 		params.opmode_notif_used = true;
6781 		params.opmode_notif =
6782 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6783 	}
6784 
6785 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6786 		params.he_6ghz_capa =
6787 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6788 
6789 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6790 		params.airtime_weight =
6791 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6792 
6793 	if (params.airtime_weight &&
6794 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6795 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6796 		return -EOPNOTSUPP;
6797 
6798 	err = nl80211_parse_sta_txpower_setting(info, &params);
6799 	if (err)
6800 		return err;
6801 
6802 	/* Include parameters for TDLS peer (will check later) */
6803 	err = nl80211_set_station_tdls(info, &params);
6804 	if (err)
6805 		return err;
6806 
6807 	params.vlan = get_vlan(info, rdev);
6808 	if (IS_ERR(params.vlan))
6809 		return PTR_ERR(params.vlan);
6810 
6811 	switch (dev->ieee80211_ptr->iftype) {
6812 	case NL80211_IFTYPE_AP:
6813 	case NL80211_IFTYPE_AP_VLAN:
6814 	case NL80211_IFTYPE_P2P_GO:
6815 	case NL80211_IFTYPE_P2P_CLIENT:
6816 	case NL80211_IFTYPE_STATION:
6817 	case NL80211_IFTYPE_ADHOC:
6818 	case NL80211_IFTYPE_MESH_POINT:
6819 		break;
6820 	default:
6821 		err = -EOPNOTSUPP;
6822 		goto out_put_vlan;
6823 	}
6824 
6825 	/* driver will call cfg80211_check_station_change() */
6826 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6827 
6828  out_put_vlan:
6829 	dev_put(params.vlan);
6830 
6831 	return err;
6832 }
6833 
6834 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6835 {
6836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6837 	int err;
6838 	struct net_device *dev = info->user_ptr[1];
6839 	struct station_parameters params;
6840 	u8 *mac_addr = NULL;
6841 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6842 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6843 
6844 	memset(&params, 0, sizeof(params));
6845 
6846 	if (!rdev->ops->add_station)
6847 		return -EOPNOTSUPP;
6848 
6849 	if (!info->attrs[NL80211_ATTR_MAC])
6850 		return -EINVAL;
6851 
6852 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6853 		return -EINVAL;
6854 
6855 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6856 		return -EINVAL;
6857 
6858 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6859 	    !info->attrs[NL80211_ATTR_PEER_AID])
6860 		return -EINVAL;
6861 
6862 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6863 	params.supported_rates =
6864 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6865 	params.supported_rates_len =
6866 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6867 	params.listen_interval =
6868 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6869 
6870 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6871 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6872 
6873 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6874 		params.support_p2p_ps =
6875 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6876 	} else {
6877 		/*
6878 		 * if not specified, assume it's supported for P2P GO interface,
6879 		 * and is NOT supported for AP interface
6880 		 */
6881 		params.support_p2p_ps =
6882 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6883 	}
6884 
6885 	if (info->attrs[NL80211_ATTR_PEER_AID])
6886 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6887 	else
6888 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6889 
6890 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6891 		params.capability =
6892 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6893 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6894 	}
6895 
6896 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6897 		params.ext_capab =
6898 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6899 		params.ext_capab_len =
6900 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6901 	}
6902 
6903 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6904 		params.ht_capa =
6905 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6906 
6907 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6908 		params.vht_capa =
6909 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6910 
6911 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6912 		params.he_capa =
6913 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6914 		params.he_capa_len =
6915 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6916 
6917 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6918 			params.eht_capa =
6919 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6920 			params.eht_capa_len =
6921 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6922 
6923 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
6924 							(const u8 *)params.eht_capa,
6925 							params.eht_capa_len))
6926 				return -EINVAL;
6927 		}
6928 	}
6929 
6930 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6931 		params.he_6ghz_capa =
6932 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6933 
6934 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6935 		params.opmode_notif_used = true;
6936 		params.opmode_notif =
6937 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6938 	}
6939 
6940 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6941 		params.plink_action =
6942 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6943 
6944 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6945 		params.airtime_weight =
6946 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6947 
6948 	if (params.airtime_weight &&
6949 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6950 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6951 		return -EOPNOTSUPP;
6952 
6953 	err = nl80211_parse_sta_txpower_setting(info, &params);
6954 	if (err)
6955 		return err;
6956 
6957 	err = nl80211_parse_sta_channel_info(info, &params);
6958 	if (err)
6959 		return err;
6960 
6961 	err = nl80211_parse_sta_wme(info, &params);
6962 	if (err)
6963 		return err;
6964 
6965 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6966 		return -EINVAL;
6967 
6968 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6969 	 * as userspace might just pass through the capabilities from the IEs
6970 	 * directly, rather than enforcing this restriction and returning an
6971 	 * error in this case.
6972 	 */
6973 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6974 		params.ht_capa = NULL;
6975 		params.vht_capa = NULL;
6976 
6977 		/* HE and EHT require WME */
6978 		if (params.he_capa_len || params.he_6ghz_capa ||
6979 		    params.eht_capa_len)
6980 			return -EINVAL;
6981 	}
6982 
6983 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6984 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6985 		return -EINVAL;
6986 
6987 	/* When you run into this, adjust the code below for the new flag */
6988 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6989 
6990 	switch (dev->ieee80211_ptr->iftype) {
6991 	case NL80211_IFTYPE_AP:
6992 	case NL80211_IFTYPE_AP_VLAN:
6993 	case NL80211_IFTYPE_P2P_GO:
6994 		/* ignore WME attributes if iface/sta is not capable */
6995 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6996 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6997 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6998 
6999 		/* TDLS peers cannot be added */
7000 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7001 		    info->attrs[NL80211_ATTR_PEER_AID])
7002 			return -EINVAL;
7003 		/* but don't bother the driver with it */
7004 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7005 
7006 		/* allow authenticated/associated only if driver handles it */
7007 		if (!(rdev->wiphy.features &
7008 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7009 		    params.sta_flags_mask & auth_assoc)
7010 			return -EINVAL;
7011 
7012 		/* Older userspace, or userspace wanting to be compatible with
7013 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7014 		 * and assoc flags in the mask, but assumes the station will be
7015 		 * added as associated anyway since this was the required driver
7016 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7017 		 * introduced.
7018 		 * In order to not bother drivers with this quirk in the API
7019 		 * set the flags in both the mask and set for new stations in
7020 		 * this case.
7021 		 */
7022 		if (!(params.sta_flags_mask & auth_assoc)) {
7023 			params.sta_flags_mask |= auth_assoc;
7024 			params.sta_flags_set |= auth_assoc;
7025 		}
7026 
7027 		/* must be last in here for error handling */
7028 		params.vlan = get_vlan(info, rdev);
7029 		if (IS_ERR(params.vlan))
7030 			return PTR_ERR(params.vlan);
7031 		break;
7032 	case NL80211_IFTYPE_MESH_POINT:
7033 		/* ignore uAPSD data */
7034 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7035 
7036 		/* associated is disallowed */
7037 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7038 			return -EINVAL;
7039 		/* TDLS peers cannot be added */
7040 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7041 		    info->attrs[NL80211_ATTR_PEER_AID])
7042 			return -EINVAL;
7043 		break;
7044 	case NL80211_IFTYPE_STATION:
7045 	case NL80211_IFTYPE_P2P_CLIENT:
7046 		/* ignore uAPSD data */
7047 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7048 
7049 		/* these are disallowed */
7050 		if (params.sta_flags_mask &
7051 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7052 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7053 			return -EINVAL;
7054 		/* Only TDLS peers can be added */
7055 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7056 			return -EINVAL;
7057 		/* Can only add if TDLS ... */
7058 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7059 			return -EOPNOTSUPP;
7060 		/* ... with external setup is supported */
7061 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7062 			return -EOPNOTSUPP;
7063 		/*
7064 		 * Older wpa_supplicant versions always mark the TDLS peer
7065 		 * as authorized, but it shouldn't yet be.
7066 		 */
7067 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7068 		break;
7069 	default:
7070 		return -EOPNOTSUPP;
7071 	}
7072 
7073 	/* be aware of params.vlan when changing code here */
7074 
7075 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7076 
7077 	dev_put(params.vlan);
7078 	return err;
7079 }
7080 
7081 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7082 {
7083 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7084 	struct net_device *dev = info->user_ptr[1];
7085 	struct station_del_parameters params;
7086 
7087 	memset(&params, 0, sizeof(params));
7088 
7089 	if (info->attrs[NL80211_ATTR_MAC])
7090 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7091 
7092 	switch (dev->ieee80211_ptr->iftype) {
7093 	case NL80211_IFTYPE_AP:
7094 	case NL80211_IFTYPE_AP_VLAN:
7095 	case NL80211_IFTYPE_MESH_POINT:
7096 	case NL80211_IFTYPE_P2P_GO:
7097 		/* always accept these */
7098 		break;
7099 	case NL80211_IFTYPE_ADHOC:
7100 		/* conditionally accept */
7101 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7102 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7103 			break;
7104 		return -EINVAL;
7105 	default:
7106 		return -EINVAL;
7107 	}
7108 
7109 	if (!rdev->ops->del_station)
7110 		return -EOPNOTSUPP;
7111 
7112 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7113 		params.subtype =
7114 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7115 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7116 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7117 			return -EINVAL;
7118 	} else {
7119 		/* Default to Deauthentication frame */
7120 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7121 	}
7122 
7123 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7124 		params.reason_code =
7125 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7126 		if (params.reason_code == 0)
7127 			return -EINVAL; /* 0 is reserved */
7128 	} else {
7129 		/* Default to reason code 2 */
7130 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7131 	}
7132 
7133 	return rdev_del_station(rdev, dev, &params);
7134 }
7135 
7136 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7137 				int flags, struct net_device *dev,
7138 				u8 *dst, u8 *next_hop,
7139 				struct mpath_info *pinfo)
7140 {
7141 	void *hdr;
7142 	struct nlattr *pinfoattr;
7143 
7144 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7145 	if (!hdr)
7146 		return -1;
7147 
7148 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7149 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7150 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7151 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7152 		goto nla_put_failure;
7153 
7154 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7155 	if (!pinfoattr)
7156 		goto nla_put_failure;
7157 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7158 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7159 			pinfo->frame_qlen))
7160 		goto nla_put_failure;
7161 	if (((pinfo->filled & MPATH_INFO_SN) &&
7162 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7163 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7164 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7165 			 pinfo->metric)) ||
7166 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7167 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7168 			 pinfo->exptime)) ||
7169 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7170 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7171 			pinfo->flags)) ||
7172 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7173 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7174 			 pinfo->discovery_timeout)) ||
7175 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7176 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7177 			pinfo->discovery_retries)) ||
7178 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7179 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7180 			pinfo->hop_count)) ||
7181 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7182 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7183 			 pinfo->path_change_count)))
7184 		goto nla_put_failure;
7185 
7186 	nla_nest_end(msg, pinfoattr);
7187 
7188 	genlmsg_end(msg, hdr);
7189 	return 0;
7190 
7191  nla_put_failure:
7192 	genlmsg_cancel(msg, hdr);
7193 	return -EMSGSIZE;
7194 }
7195 
7196 static int nl80211_dump_mpath(struct sk_buff *skb,
7197 			      struct netlink_callback *cb)
7198 {
7199 	struct mpath_info pinfo;
7200 	struct cfg80211_registered_device *rdev;
7201 	struct wireless_dev *wdev;
7202 	u8 dst[ETH_ALEN];
7203 	u8 next_hop[ETH_ALEN];
7204 	int path_idx = cb->args[2];
7205 	int err;
7206 
7207 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7208 	if (err)
7209 		return err;
7210 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7211 	__acquire(&rdev->wiphy.mtx);
7212 
7213 	if (!rdev->ops->dump_mpath) {
7214 		err = -EOPNOTSUPP;
7215 		goto out_err;
7216 	}
7217 
7218 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7219 		err = -EOPNOTSUPP;
7220 		goto out_err;
7221 	}
7222 
7223 	while (1) {
7224 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7225 				      next_hop, &pinfo);
7226 		if (err == -ENOENT)
7227 			break;
7228 		if (err)
7229 			goto out_err;
7230 
7231 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7232 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7233 				       wdev->netdev, dst, next_hop,
7234 				       &pinfo) < 0)
7235 			goto out;
7236 
7237 		path_idx++;
7238 	}
7239 
7240  out:
7241 	cb->args[2] = path_idx;
7242 	err = skb->len;
7243  out_err:
7244 	wiphy_unlock(&rdev->wiphy);
7245 	return err;
7246 }
7247 
7248 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7249 {
7250 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7251 	int err;
7252 	struct net_device *dev = info->user_ptr[1];
7253 	struct mpath_info pinfo;
7254 	struct sk_buff *msg;
7255 	u8 *dst = NULL;
7256 	u8 next_hop[ETH_ALEN];
7257 
7258 	memset(&pinfo, 0, sizeof(pinfo));
7259 
7260 	if (!info->attrs[NL80211_ATTR_MAC])
7261 		return -EINVAL;
7262 
7263 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7264 
7265 	if (!rdev->ops->get_mpath)
7266 		return -EOPNOTSUPP;
7267 
7268 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7269 		return -EOPNOTSUPP;
7270 
7271 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7272 	if (err)
7273 		return err;
7274 
7275 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7276 	if (!msg)
7277 		return -ENOMEM;
7278 
7279 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7280 				 dev, dst, next_hop, &pinfo) < 0) {
7281 		nlmsg_free(msg);
7282 		return -ENOBUFS;
7283 	}
7284 
7285 	return genlmsg_reply(msg, info);
7286 }
7287 
7288 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7289 {
7290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7291 	struct net_device *dev = info->user_ptr[1];
7292 	u8 *dst = NULL;
7293 	u8 *next_hop = NULL;
7294 
7295 	if (!info->attrs[NL80211_ATTR_MAC])
7296 		return -EINVAL;
7297 
7298 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7299 		return -EINVAL;
7300 
7301 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7302 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7303 
7304 	if (!rdev->ops->change_mpath)
7305 		return -EOPNOTSUPP;
7306 
7307 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7308 		return -EOPNOTSUPP;
7309 
7310 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7311 }
7312 
7313 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7314 {
7315 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7316 	struct net_device *dev = info->user_ptr[1];
7317 	u8 *dst = NULL;
7318 	u8 *next_hop = NULL;
7319 
7320 	if (!info->attrs[NL80211_ATTR_MAC])
7321 		return -EINVAL;
7322 
7323 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7324 		return -EINVAL;
7325 
7326 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7327 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7328 
7329 	if (!rdev->ops->add_mpath)
7330 		return -EOPNOTSUPP;
7331 
7332 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7333 		return -EOPNOTSUPP;
7334 
7335 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7336 }
7337 
7338 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7339 {
7340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7341 	struct net_device *dev = info->user_ptr[1];
7342 	u8 *dst = NULL;
7343 
7344 	if (info->attrs[NL80211_ATTR_MAC])
7345 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7346 
7347 	if (!rdev->ops->del_mpath)
7348 		return -EOPNOTSUPP;
7349 
7350 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7351 		return -EOPNOTSUPP;
7352 
7353 	return rdev_del_mpath(rdev, dev, dst);
7354 }
7355 
7356 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7357 {
7358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7359 	int err;
7360 	struct net_device *dev = info->user_ptr[1];
7361 	struct mpath_info pinfo;
7362 	struct sk_buff *msg;
7363 	u8 *dst = NULL;
7364 	u8 mpp[ETH_ALEN];
7365 
7366 	memset(&pinfo, 0, sizeof(pinfo));
7367 
7368 	if (!info->attrs[NL80211_ATTR_MAC])
7369 		return -EINVAL;
7370 
7371 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7372 
7373 	if (!rdev->ops->get_mpp)
7374 		return -EOPNOTSUPP;
7375 
7376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7377 		return -EOPNOTSUPP;
7378 
7379 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7380 	if (err)
7381 		return err;
7382 
7383 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7384 	if (!msg)
7385 		return -ENOMEM;
7386 
7387 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7388 			       dev, dst, mpp, &pinfo) < 0) {
7389 		nlmsg_free(msg);
7390 		return -ENOBUFS;
7391 	}
7392 
7393 	return genlmsg_reply(msg, info);
7394 }
7395 
7396 static int nl80211_dump_mpp(struct sk_buff *skb,
7397 			    struct netlink_callback *cb)
7398 {
7399 	struct mpath_info pinfo;
7400 	struct cfg80211_registered_device *rdev;
7401 	struct wireless_dev *wdev;
7402 	u8 dst[ETH_ALEN];
7403 	u8 mpp[ETH_ALEN];
7404 	int path_idx = cb->args[2];
7405 	int err;
7406 
7407 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7408 	if (err)
7409 		return err;
7410 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7411 	__acquire(&rdev->wiphy.mtx);
7412 
7413 	if (!rdev->ops->dump_mpp) {
7414 		err = -EOPNOTSUPP;
7415 		goto out_err;
7416 	}
7417 
7418 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7419 		err = -EOPNOTSUPP;
7420 		goto out_err;
7421 	}
7422 
7423 	while (1) {
7424 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7425 				    mpp, &pinfo);
7426 		if (err == -ENOENT)
7427 			break;
7428 		if (err)
7429 			goto out_err;
7430 
7431 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7432 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7433 				       wdev->netdev, dst, mpp,
7434 				       &pinfo) < 0)
7435 			goto out;
7436 
7437 		path_idx++;
7438 	}
7439 
7440  out:
7441 	cb->args[2] = path_idx;
7442 	err = skb->len;
7443  out_err:
7444 	wiphy_unlock(&rdev->wiphy);
7445 	return err;
7446 }
7447 
7448 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7449 {
7450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7451 	struct net_device *dev = info->user_ptr[1];
7452 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7453 	struct bss_parameters params;
7454 	int err;
7455 
7456 	memset(&params, 0, sizeof(params));
7457 	/* default to not changing parameters */
7458 	params.use_cts_prot = -1;
7459 	params.use_short_preamble = -1;
7460 	params.use_short_slot_time = -1;
7461 	params.ap_isolate = -1;
7462 	params.ht_opmode = -1;
7463 	params.p2p_ctwindow = -1;
7464 	params.p2p_opp_ps = -1;
7465 
7466 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7467 		params.use_cts_prot =
7468 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7469 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7470 		params.use_short_preamble =
7471 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7472 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7473 		params.use_short_slot_time =
7474 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7475 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7476 		params.basic_rates =
7477 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7478 		params.basic_rates_len =
7479 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7480 	}
7481 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7482 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7483 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7484 		params.ht_opmode =
7485 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7486 
7487 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7488 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7489 			return -EINVAL;
7490 		params.p2p_ctwindow =
7491 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7492 		if (params.p2p_ctwindow != 0 &&
7493 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7494 			return -EINVAL;
7495 	}
7496 
7497 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7498 		u8 tmp;
7499 
7500 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7501 			return -EINVAL;
7502 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7503 		params.p2p_opp_ps = tmp;
7504 		if (params.p2p_opp_ps &&
7505 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7506 			return -EINVAL;
7507 	}
7508 
7509 	if (!rdev->ops->change_bss)
7510 		return -EOPNOTSUPP;
7511 
7512 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7513 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7514 		return -EOPNOTSUPP;
7515 
7516 	wdev_lock(wdev);
7517 	err = rdev_change_bss(rdev, dev, &params);
7518 	wdev_unlock(wdev);
7519 
7520 	return err;
7521 }
7522 
7523 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7524 {
7525 	char *data = NULL;
7526 	bool is_indoor;
7527 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7528 	u32 owner_nlportid;
7529 
7530 	/*
7531 	 * You should only get this when cfg80211 hasn't yet initialized
7532 	 * completely when built-in to the kernel right between the time
7533 	 * window between nl80211_init() and regulatory_init(), if that is
7534 	 * even possible.
7535 	 */
7536 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7537 		return -EINPROGRESS;
7538 
7539 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7540 		user_reg_hint_type =
7541 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7542 	else
7543 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7544 
7545 	switch (user_reg_hint_type) {
7546 	case NL80211_USER_REG_HINT_USER:
7547 	case NL80211_USER_REG_HINT_CELL_BASE:
7548 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7549 			return -EINVAL;
7550 
7551 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7552 		return regulatory_hint_user(data, user_reg_hint_type);
7553 	case NL80211_USER_REG_HINT_INDOOR:
7554 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7555 			owner_nlportid = info->snd_portid;
7556 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7557 		} else {
7558 			owner_nlportid = 0;
7559 			is_indoor = true;
7560 		}
7561 
7562 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7563 	default:
7564 		return -EINVAL;
7565 	}
7566 }
7567 
7568 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7569 {
7570 	return reg_reload_regdb();
7571 }
7572 
7573 static int nl80211_get_mesh_config(struct sk_buff *skb,
7574 				   struct genl_info *info)
7575 {
7576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7577 	struct net_device *dev = info->user_ptr[1];
7578 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7579 	struct mesh_config cur_params;
7580 	int err = 0;
7581 	void *hdr;
7582 	struct nlattr *pinfoattr;
7583 	struct sk_buff *msg;
7584 
7585 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7586 		return -EOPNOTSUPP;
7587 
7588 	if (!rdev->ops->get_mesh_config)
7589 		return -EOPNOTSUPP;
7590 
7591 	wdev_lock(wdev);
7592 	/* If not connected, get default parameters */
7593 	if (!wdev->mesh_id_len)
7594 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7595 	else
7596 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7597 	wdev_unlock(wdev);
7598 
7599 	if (err)
7600 		return err;
7601 
7602 	/* Draw up a netlink message to send back */
7603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7604 	if (!msg)
7605 		return -ENOMEM;
7606 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7607 			     NL80211_CMD_GET_MESH_CONFIG);
7608 	if (!hdr)
7609 		goto out;
7610 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7611 	if (!pinfoattr)
7612 		goto nla_put_failure;
7613 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7614 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7615 			cur_params.dot11MeshRetryTimeout) ||
7616 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7617 			cur_params.dot11MeshConfirmTimeout) ||
7618 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7619 			cur_params.dot11MeshHoldingTimeout) ||
7620 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7621 			cur_params.dot11MeshMaxPeerLinks) ||
7622 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7623 		       cur_params.dot11MeshMaxRetries) ||
7624 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7625 		       cur_params.dot11MeshTTL) ||
7626 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7627 		       cur_params.element_ttl) ||
7628 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7629 		       cur_params.auto_open_plinks) ||
7630 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7631 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7632 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7633 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7634 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7635 			cur_params.path_refresh_time) ||
7636 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7637 			cur_params.min_discovery_timeout) ||
7638 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7639 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7640 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7641 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7642 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7643 			cur_params.dot11MeshHWMPperrMinInterval) ||
7644 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7645 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7646 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7647 		       cur_params.dot11MeshHWMPRootMode) ||
7648 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7649 			cur_params.dot11MeshHWMPRannInterval) ||
7650 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7651 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7652 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7653 		       cur_params.dot11MeshForwarding) ||
7654 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7655 			cur_params.rssi_threshold) ||
7656 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7657 			cur_params.ht_opmode) ||
7658 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7659 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7660 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7661 			cur_params.dot11MeshHWMProotInterval) ||
7662 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7663 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7664 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7665 			cur_params.power_mode) ||
7666 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7667 			cur_params.dot11MeshAwakeWindowDuration) ||
7668 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7669 			cur_params.plink_timeout) ||
7670 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7671 		       cur_params.dot11MeshConnectedToMeshGate) ||
7672 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7673 		       cur_params.dot11MeshNolearn) ||
7674 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7675 		       cur_params.dot11MeshConnectedToAuthServer))
7676 		goto nla_put_failure;
7677 	nla_nest_end(msg, pinfoattr);
7678 	genlmsg_end(msg, hdr);
7679 	return genlmsg_reply(msg, info);
7680 
7681  nla_put_failure:
7682  out:
7683 	nlmsg_free(msg);
7684 	return -ENOBUFS;
7685 }
7686 
7687 static const struct nla_policy
7688 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7689 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7690 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7691 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7692 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7693 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7694 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7695 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7696 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7697 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7698 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7699 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7700 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7701 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7702 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7703 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7704 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7705 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7706 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7707 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7708 		NLA_POLICY_MIN(NLA_U16, 1),
7709 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7710 		NLA_POLICY_MIN(NLA_U16, 1),
7711 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7712 		NLA_POLICY_MIN(NLA_U16, 1),
7713 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7714 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7715 		NLA_POLICY_MIN(NLA_U16, 1),
7716 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7717 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7718 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7719 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7720 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7721 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7722 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7723 		NLA_POLICY_MIN(NLA_U16, 1),
7724 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7725 		NLA_POLICY_MIN(NLA_U16, 1),
7726 	[NL80211_MESHCONF_POWER_MODE] =
7727 		NLA_POLICY_RANGE(NLA_U32,
7728 				 NL80211_MESH_POWER_ACTIVE,
7729 				 NL80211_MESH_POWER_MAX),
7730 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7731 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7732 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7733 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7734 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7735 };
7736 
7737 static const struct nla_policy
7738 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7739 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7740 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7741 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7742 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7743 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7744 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7745 	[NL80211_MESH_SETUP_IE] =
7746 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7747 				       IEEE80211_MAX_DATA_LEN),
7748 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7749 };
7750 
7751 static int nl80211_parse_mesh_config(struct genl_info *info,
7752 				     struct mesh_config *cfg,
7753 				     u32 *mask_out)
7754 {
7755 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7756 	u32 mask = 0;
7757 	u16 ht_opmode;
7758 
7759 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7760 do {									\
7761 	if (tb[attr]) {							\
7762 		cfg->param = fn(tb[attr]);				\
7763 		mask |= BIT((attr) - 1);				\
7764 	}								\
7765 } while (0)
7766 
7767 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7768 		return -EINVAL;
7769 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7770 		return -EINVAL;
7771 
7772 	/* This makes sure that there aren't more than 32 mesh config
7773 	 * parameters (otherwise our bitfield scheme would not work.) */
7774 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7775 
7776 	/* Fill in the params struct */
7777 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7778 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7779 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7780 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7781 				  nla_get_u16);
7782 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7783 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7784 				  nla_get_u16);
7785 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7786 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7787 				  nla_get_u16);
7788 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7789 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7790 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7791 				  NL80211_MESHCONF_TTL, nla_get_u8);
7792 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7793 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7794 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7795 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7796 				  nla_get_u8);
7797 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7798 				  mask,
7799 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7800 				  nla_get_u32);
7801 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7802 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7803 				  nla_get_u8);
7804 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7805 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7806 				  nla_get_u32);
7807 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7808 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7809 		return -EINVAL;
7810 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7811 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7812 				  nla_get_u16);
7813 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7814 				  mask,
7815 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7816 				  nla_get_u32);
7817 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7818 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7819 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7820 		return -EINVAL;
7821 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7822 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7823 				  nla_get_u16);
7824 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7825 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7826 				  nla_get_u16);
7827 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7828 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7829 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7830 				  nla_get_u16);
7831 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7832 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7833 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7834 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7835 				  nla_get_u16);
7836 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7837 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7838 				  nla_get_u8);
7839 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7840 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7841 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7842 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7843 				  nla_get_s32);
7844 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7845 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7846 				  nla_get_u8);
7847 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7848 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7849 				  nla_get_u8);
7850 	/*
7851 	 * Check HT operation mode based on
7852 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7853 	 */
7854 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7855 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7856 
7857 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7858 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7859 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7860 			return -EINVAL;
7861 
7862 		/* NON_HT_STA bit is reserved, but some programs set it */
7863 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7864 
7865 		cfg->ht_opmode = ht_opmode;
7866 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7867 	}
7868 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7869 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7870 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7871 				  nla_get_u32);
7872 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7873 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7874 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7875 		return -EINVAL;
7876 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7877 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7878 				  nla_get_u16);
7879 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7880 				  mask,
7881 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7882 				  nla_get_u16);
7883 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7884 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7885 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7886 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7887 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7888 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7889 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7890 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7891 	if (mask_out)
7892 		*mask_out = mask;
7893 
7894 	return 0;
7895 
7896 #undef FILL_IN_MESH_PARAM_IF_SET
7897 }
7898 
7899 static int nl80211_parse_mesh_setup(struct genl_info *info,
7900 				     struct mesh_setup *setup)
7901 {
7902 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7903 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7904 
7905 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7906 		return -EINVAL;
7907 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7908 		return -EINVAL;
7909 
7910 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7911 		setup->sync_method =
7912 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7913 		 IEEE80211_SYNC_METHOD_VENDOR :
7914 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7915 
7916 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7917 		setup->path_sel_proto =
7918 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7919 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7920 		 IEEE80211_PATH_PROTOCOL_HWMP;
7921 
7922 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7923 		setup->path_metric =
7924 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7925 		 IEEE80211_PATH_METRIC_VENDOR :
7926 		 IEEE80211_PATH_METRIC_AIRTIME;
7927 
7928 	if (tb[NL80211_MESH_SETUP_IE]) {
7929 		struct nlattr *ieattr =
7930 			tb[NL80211_MESH_SETUP_IE];
7931 		setup->ie = nla_data(ieattr);
7932 		setup->ie_len = nla_len(ieattr);
7933 	}
7934 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7935 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7936 		return -EINVAL;
7937 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7938 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7939 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7940 	if (setup->is_secure)
7941 		setup->user_mpm = true;
7942 
7943 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7944 		if (!setup->user_mpm)
7945 			return -EINVAL;
7946 		setup->auth_id =
7947 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7948 	}
7949 
7950 	return 0;
7951 }
7952 
7953 static int nl80211_update_mesh_config(struct sk_buff *skb,
7954 				      struct genl_info *info)
7955 {
7956 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7957 	struct net_device *dev = info->user_ptr[1];
7958 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7959 	struct mesh_config cfg;
7960 	u32 mask;
7961 	int err;
7962 
7963 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7964 		return -EOPNOTSUPP;
7965 
7966 	if (!rdev->ops->update_mesh_config)
7967 		return -EOPNOTSUPP;
7968 
7969 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7970 	if (err)
7971 		return err;
7972 
7973 	wdev_lock(wdev);
7974 	if (!wdev->mesh_id_len)
7975 		err = -ENOLINK;
7976 
7977 	if (!err)
7978 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7979 
7980 	wdev_unlock(wdev);
7981 
7982 	return err;
7983 }
7984 
7985 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7986 			      struct sk_buff *msg)
7987 {
7988 	struct nlattr *nl_reg_rules;
7989 	unsigned int i;
7990 
7991 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7992 	    (regdom->dfs_region &&
7993 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7994 		goto nla_put_failure;
7995 
7996 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7997 	if (!nl_reg_rules)
7998 		goto nla_put_failure;
7999 
8000 	for (i = 0; i < regdom->n_reg_rules; i++) {
8001 		struct nlattr *nl_reg_rule;
8002 		const struct ieee80211_reg_rule *reg_rule;
8003 		const struct ieee80211_freq_range *freq_range;
8004 		const struct ieee80211_power_rule *power_rule;
8005 		unsigned int max_bandwidth_khz;
8006 
8007 		reg_rule = &regdom->reg_rules[i];
8008 		freq_range = &reg_rule->freq_range;
8009 		power_rule = &reg_rule->power_rule;
8010 
8011 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8012 		if (!nl_reg_rule)
8013 			goto nla_put_failure;
8014 
8015 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8016 		if (!max_bandwidth_khz)
8017 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8018 								  reg_rule);
8019 
8020 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8021 				reg_rule->flags) ||
8022 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8023 				freq_range->start_freq_khz) ||
8024 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8025 				freq_range->end_freq_khz) ||
8026 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8027 				max_bandwidth_khz) ||
8028 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8029 				power_rule->max_antenna_gain) ||
8030 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8031 				power_rule->max_eirp) ||
8032 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8033 				reg_rule->dfs_cac_ms))
8034 			goto nla_put_failure;
8035 
8036 		nla_nest_end(msg, nl_reg_rule);
8037 	}
8038 
8039 	nla_nest_end(msg, nl_reg_rules);
8040 	return 0;
8041 
8042 nla_put_failure:
8043 	return -EMSGSIZE;
8044 }
8045 
8046 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8047 {
8048 	const struct ieee80211_regdomain *regdom = NULL;
8049 	struct cfg80211_registered_device *rdev;
8050 	struct wiphy *wiphy = NULL;
8051 	struct sk_buff *msg;
8052 	int err = -EMSGSIZE;
8053 	void *hdr;
8054 
8055 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8056 	if (!msg)
8057 		return -ENOBUFS;
8058 
8059 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8060 			     NL80211_CMD_GET_REG);
8061 	if (!hdr)
8062 		goto put_failure;
8063 
8064 	rtnl_lock();
8065 
8066 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8067 		bool self_managed;
8068 
8069 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8070 		if (IS_ERR(rdev)) {
8071 			err = PTR_ERR(rdev);
8072 			goto nla_put_failure;
8073 		}
8074 
8075 		wiphy = &rdev->wiphy;
8076 		self_managed = wiphy->regulatory_flags &
8077 			       REGULATORY_WIPHY_SELF_MANAGED;
8078 
8079 		rcu_read_lock();
8080 
8081 		regdom = get_wiphy_regdom(wiphy);
8082 
8083 		/* a self-managed-reg device must have a private regdom */
8084 		if (WARN_ON(!regdom && self_managed)) {
8085 			err = -EINVAL;
8086 			goto nla_put_failure_rcu;
8087 		}
8088 
8089 		if (regdom &&
8090 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8091 			goto nla_put_failure_rcu;
8092 	} else {
8093 		rcu_read_lock();
8094 	}
8095 
8096 	if (!wiphy && reg_last_request_cell_base() &&
8097 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8098 			NL80211_USER_REG_HINT_CELL_BASE))
8099 		goto nla_put_failure_rcu;
8100 
8101 	if (!regdom)
8102 		regdom = rcu_dereference(cfg80211_regdomain);
8103 
8104 	if (nl80211_put_regdom(regdom, msg))
8105 		goto nla_put_failure_rcu;
8106 
8107 	rcu_read_unlock();
8108 
8109 	genlmsg_end(msg, hdr);
8110 	rtnl_unlock();
8111 	return genlmsg_reply(msg, info);
8112 
8113 nla_put_failure_rcu:
8114 	rcu_read_unlock();
8115 nla_put_failure:
8116 	rtnl_unlock();
8117 put_failure:
8118 	nlmsg_free(msg);
8119 	return err;
8120 }
8121 
8122 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8123 			       u32 seq, int flags, struct wiphy *wiphy,
8124 			       const struct ieee80211_regdomain *regdom)
8125 {
8126 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8127 				   NL80211_CMD_GET_REG);
8128 
8129 	if (!hdr)
8130 		return -1;
8131 
8132 	genl_dump_check_consistent(cb, hdr);
8133 
8134 	if (nl80211_put_regdom(regdom, msg))
8135 		goto nla_put_failure;
8136 
8137 	if (!wiphy && reg_last_request_cell_base() &&
8138 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8139 			NL80211_USER_REG_HINT_CELL_BASE))
8140 		goto nla_put_failure;
8141 
8142 	if (wiphy &&
8143 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8144 		goto nla_put_failure;
8145 
8146 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8147 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8148 		goto nla_put_failure;
8149 
8150 	genlmsg_end(msg, hdr);
8151 	return 0;
8152 
8153 nla_put_failure:
8154 	genlmsg_cancel(msg, hdr);
8155 	return -EMSGSIZE;
8156 }
8157 
8158 static int nl80211_get_reg_dump(struct sk_buff *skb,
8159 				struct netlink_callback *cb)
8160 {
8161 	const struct ieee80211_regdomain *regdom = NULL;
8162 	struct cfg80211_registered_device *rdev;
8163 	int err, reg_idx, start = cb->args[2];
8164 
8165 	rcu_read_lock();
8166 
8167 	if (cfg80211_regdomain && start == 0) {
8168 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8169 					  NLM_F_MULTI, NULL,
8170 					  rcu_dereference(cfg80211_regdomain));
8171 		if (err < 0)
8172 			goto out_err;
8173 	}
8174 
8175 	/* the global regdom is idx 0 */
8176 	reg_idx = 1;
8177 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8178 		regdom = get_wiphy_regdom(&rdev->wiphy);
8179 		if (!regdom)
8180 			continue;
8181 
8182 		if (++reg_idx <= start)
8183 			continue;
8184 
8185 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8186 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8187 		if (err < 0) {
8188 			reg_idx--;
8189 			break;
8190 		}
8191 	}
8192 
8193 	cb->args[2] = reg_idx;
8194 	err = skb->len;
8195 out_err:
8196 	rcu_read_unlock();
8197 	return err;
8198 }
8199 
8200 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8201 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8202 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8203 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8204 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8205 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8206 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8207 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8208 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8209 };
8210 
8211 static int parse_reg_rule(struct nlattr *tb[],
8212 	struct ieee80211_reg_rule *reg_rule)
8213 {
8214 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8215 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8216 
8217 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8218 		return -EINVAL;
8219 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8220 		return -EINVAL;
8221 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8222 		return -EINVAL;
8223 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8224 		return -EINVAL;
8225 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8226 		return -EINVAL;
8227 
8228 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8229 
8230 	freq_range->start_freq_khz =
8231 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8232 	freq_range->end_freq_khz =
8233 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8234 	freq_range->max_bandwidth_khz =
8235 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8236 
8237 	power_rule->max_eirp =
8238 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8239 
8240 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8241 		power_rule->max_antenna_gain =
8242 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8243 
8244 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8245 		reg_rule->dfs_cac_ms =
8246 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8247 
8248 	return 0;
8249 }
8250 
8251 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8252 {
8253 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8254 	struct nlattr *nl_reg_rule;
8255 	char *alpha2;
8256 	int rem_reg_rules, r;
8257 	u32 num_rules = 0, rule_idx = 0;
8258 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8259 	struct ieee80211_regdomain *rd;
8260 
8261 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8262 		return -EINVAL;
8263 
8264 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8265 		return -EINVAL;
8266 
8267 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8268 
8269 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8270 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8271 
8272 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8273 			    rem_reg_rules) {
8274 		num_rules++;
8275 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8276 			return -EINVAL;
8277 	}
8278 
8279 	rtnl_lock();
8280 	if (!reg_is_valid_request(alpha2)) {
8281 		r = -EINVAL;
8282 		goto out;
8283 	}
8284 
8285 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8286 	if (!rd) {
8287 		r = -ENOMEM;
8288 		goto out;
8289 	}
8290 
8291 	rd->n_reg_rules = num_rules;
8292 	rd->alpha2[0] = alpha2[0];
8293 	rd->alpha2[1] = alpha2[1];
8294 
8295 	/*
8296 	 * Disable DFS master mode if the DFS region was
8297 	 * not supported or known on this kernel.
8298 	 */
8299 	if (reg_supported_dfs_region(dfs_region))
8300 		rd->dfs_region = dfs_region;
8301 
8302 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8303 			    rem_reg_rules) {
8304 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8305 						nl_reg_rule, reg_rule_policy,
8306 						info->extack);
8307 		if (r)
8308 			goto bad_reg;
8309 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8310 		if (r)
8311 			goto bad_reg;
8312 
8313 		rule_idx++;
8314 
8315 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8316 			r = -EINVAL;
8317 			goto bad_reg;
8318 		}
8319 	}
8320 
8321 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8322 	/* set_regdom takes ownership of rd */
8323 	rd = NULL;
8324  bad_reg:
8325 	kfree(rd);
8326  out:
8327 	rtnl_unlock();
8328 	return r;
8329 }
8330 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8331 
8332 static int validate_scan_freqs(struct nlattr *freqs)
8333 {
8334 	struct nlattr *attr1, *attr2;
8335 	int n_channels = 0, tmp1, tmp2;
8336 
8337 	nla_for_each_nested(attr1, freqs, tmp1)
8338 		if (nla_len(attr1) != sizeof(u32))
8339 			return 0;
8340 
8341 	nla_for_each_nested(attr1, freqs, tmp1) {
8342 		n_channels++;
8343 		/*
8344 		 * Some hardware has a limited channel list for
8345 		 * scanning, and it is pretty much nonsensical
8346 		 * to scan for a channel twice, so disallow that
8347 		 * and don't require drivers to check that the
8348 		 * channel list they get isn't longer than what
8349 		 * they can scan, as long as they can scan all
8350 		 * the channels they registered at once.
8351 		 */
8352 		nla_for_each_nested(attr2, freqs, tmp2)
8353 			if (attr1 != attr2 &&
8354 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8355 				return 0;
8356 	}
8357 
8358 	return n_channels;
8359 }
8360 
8361 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8362 {
8363 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8364 }
8365 
8366 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8367 			    struct cfg80211_bss_selection *bss_select)
8368 {
8369 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8370 	struct nlattr *nest;
8371 	int err;
8372 	bool found = false;
8373 	int i;
8374 
8375 	/* only process one nested attribute */
8376 	nest = nla_data(nla);
8377 	if (!nla_ok(nest, nla_len(nest)))
8378 		return -EINVAL;
8379 
8380 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8381 					  nest, nl80211_bss_select_policy,
8382 					  NULL);
8383 	if (err)
8384 		return err;
8385 
8386 	/* only one attribute may be given */
8387 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8388 		if (attr[i]) {
8389 			if (found)
8390 				return -EINVAL;
8391 			found = true;
8392 		}
8393 	}
8394 
8395 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8396 
8397 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8398 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8399 
8400 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8401 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8402 		bss_select->param.band_pref =
8403 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8404 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8405 			return -EINVAL;
8406 	}
8407 
8408 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8409 		struct nl80211_bss_select_rssi_adjust *adj_param;
8410 
8411 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8412 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8413 		bss_select->param.adjust.band = adj_param->band;
8414 		bss_select->param.adjust.delta = adj_param->delta;
8415 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8416 			return -EINVAL;
8417 	}
8418 
8419 	/* user-space did not provide behaviour attribute */
8420 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8421 		return -EINVAL;
8422 
8423 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8424 		return -EINVAL;
8425 
8426 	return 0;
8427 }
8428 
8429 int nl80211_parse_random_mac(struct nlattr **attrs,
8430 			     u8 *mac_addr, u8 *mac_addr_mask)
8431 {
8432 	int i;
8433 
8434 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8435 		eth_zero_addr(mac_addr);
8436 		eth_zero_addr(mac_addr_mask);
8437 		mac_addr[0] = 0x2;
8438 		mac_addr_mask[0] = 0x3;
8439 
8440 		return 0;
8441 	}
8442 
8443 	/* need both or none */
8444 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8445 		return -EINVAL;
8446 
8447 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8448 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8449 
8450 	/* don't allow or configure an mcast address */
8451 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8452 	    is_multicast_ether_addr(mac_addr))
8453 		return -EINVAL;
8454 
8455 	/*
8456 	 * allow users to pass a MAC address that has bits set outside
8457 	 * of the mask, but don't bother drivers with having to deal
8458 	 * with such bits
8459 	 */
8460 	for (i = 0; i < ETH_ALEN; i++)
8461 		mac_addr[i] &= mac_addr_mask[i];
8462 
8463 	return 0;
8464 }
8465 
8466 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8467 {
8468 	ASSERT_WDEV_LOCK(wdev);
8469 
8470 	if (!cfg80211_beaconing_iface_active(wdev))
8471 		return true;
8472 
8473 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8474 		return true;
8475 
8476 	return regulatory_pre_cac_allowed(wdev->wiphy);
8477 }
8478 
8479 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8480 				    enum nl80211_ext_feature_index feat)
8481 {
8482 	if (!(flags & flag))
8483 		return true;
8484 	if (wiphy_ext_feature_isset(wiphy, feat))
8485 		return true;
8486 	return false;
8487 }
8488 
8489 static int
8490 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8491 			 void *request, struct nlattr **attrs,
8492 			 bool is_sched_scan)
8493 {
8494 	u8 *mac_addr, *mac_addr_mask;
8495 	u32 *flags;
8496 	enum nl80211_feature_flags randomness_flag;
8497 
8498 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8499 		return 0;
8500 
8501 	if (is_sched_scan) {
8502 		struct cfg80211_sched_scan_request *req = request;
8503 
8504 		randomness_flag = wdev ?
8505 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8506 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8507 		flags = &req->flags;
8508 		mac_addr = req->mac_addr;
8509 		mac_addr_mask = req->mac_addr_mask;
8510 	} else {
8511 		struct cfg80211_scan_request *req = request;
8512 
8513 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8514 		flags = &req->flags;
8515 		mac_addr = req->mac_addr;
8516 		mac_addr_mask = req->mac_addr_mask;
8517 	}
8518 
8519 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8520 
8521 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8522 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8523 	    !nl80211_check_scan_feat(wiphy, *flags,
8524 				     NL80211_SCAN_FLAG_LOW_SPAN,
8525 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8526 	    !nl80211_check_scan_feat(wiphy, *flags,
8527 				     NL80211_SCAN_FLAG_LOW_POWER,
8528 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8529 	    !nl80211_check_scan_feat(wiphy, *flags,
8530 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8531 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8532 	    !nl80211_check_scan_feat(wiphy, *flags,
8533 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8534 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8535 	    !nl80211_check_scan_feat(wiphy, *flags,
8536 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8537 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8538 	    !nl80211_check_scan_feat(wiphy, *flags,
8539 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8540 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8541 	    !nl80211_check_scan_feat(wiphy, *flags,
8542 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8543 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8544 	    !nl80211_check_scan_feat(wiphy, *flags,
8545 				     NL80211_SCAN_FLAG_RANDOM_SN,
8546 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8547 	    !nl80211_check_scan_feat(wiphy, *flags,
8548 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8549 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8550 		return -EOPNOTSUPP;
8551 
8552 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8553 		int err;
8554 
8555 		if (!(wiphy->features & randomness_flag) ||
8556 		    (wdev && wdev->current_bss))
8557 			return -EOPNOTSUPP;
8558 
8559 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8560 		if (err)
8561 			return err;
8562 	}
8563 
8564 	return 0;
8565 }
8566 
8567 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8568 {
8569 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8570 	struct wireless_dev *wdev = info->user_ptr[1];
8571 	struct cfg80211_scan_request *request;
8572 	struct nlattr *scan_freqs = NULL;
8573 	bool scan_freqs_khz = false;
8574 	struct nlattr *attr;
8575 	struct wiphy *wiphy;
8576 	int err, tmp, n_ssids = 0, n_channels, i;
8577 	size_t ie_len;
8578 
8579 	wiphy = &rdev->wiphy;
8580 
8581 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8582 		return -EOPNOTSUPP;
8583 
8584 	if (!rdev->ops->scan)
8585 		return -EOPNOTSUPP;
8586 
8587 	if (rdev->scan_req || rdev->scan_msg)
8588 		return -EBUSY;
8589 
8590 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8591 		if (!wiphy_ext_feature_isset(wiphy,
8592 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8593 			return -EOPNOTSUPP;
8594 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8595 		scan_freqs_khz = true;
8596 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8597 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8598 
8599 	if (scan_freqs) {
8600 		n_channels = validate_scan_freqs(scan_freqs);
8601 		if (!n_channels)
8602 			return -EINVAL;
8603 	} else {
8604 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8605 	}
8606 
8607 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8608 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8609 			n_ssids++;
8610 
8611 	if (n_ssids > wiphy->max_scan_ssids)
8612 		return -EINVAL;
8613 
8614 	if (info->attrs[NL80211_ATTR_IE])
8615 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8616 	else
8617 		ie_len = 0;
8618 
8619 	if (ie_len > wiphy->max_scan_ie_len)
8620 		return -EINVAL;
8621 
8622 	request = kzalloc(sizeof(*request)
8623 			+ sizeof(*request->ssids) * n_ssids
8624 			+ sizeof(*request->channels) * n_channels
8625 			+ ie_len, GFP_KERNEL);
8626 	if (!request)
8627 		return -ENOMEM;
8628 
8629 	if (n_ssids)
8630 		request->ssids = (void *)&request->channels[n_channels];
8631 	request->n_ssids = n_ssids;
8632 	if (ie_len) {
8633 		if (n_ssids)
8634 			request->ie = (void *)(request->ssids + n_ssids);
8635 		else
8636 			request->ie = (void *)(request->channels + n_channels);
8637 	}
8638 
8639 	i = 0;
8640 	if (scan_freqs) {
8641 		/* user specified, bail out if channel not found */
8642 		nla_for_each_nested(attr, scan_freqs, tmp) {
8643 			struct ieee80211_channel *chan;
8644 			int freq = nla_get_u32(attr);
8645 
8646 			if (!scan_freqs_khz)
8647 				freq = MHZ_TO_KHZ(freq);
8648 
8649 			chan = ieee80211_get_channel_khz(wiphy, freq);
8650 			if (!chan) {
8651 				err = -EINVAL;
8652 				goto out_free;
8653 			}
8654 
8655 			/* ignore disabled channels */
8656 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8657 				continue;
8658 
8659 			request->channels[i] = chan;
8660 			i++;
8661 		}
8662 	} else {
8663 		enum nl80211_band band;
8664 
8665 		/* all channels */
8666 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8667 			int j;
8668 
8669 			if (!wiphy->bands[band])
8670 				continue;
8671 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8672 				struct ieee80211_channel *chan;
8673 
8674 				chan = &wiphy->bands[band]->channels[j];
8675 
8676 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8677 					continue;
8678 
8679 				request->channels[i] = chan;
8680 				i++;
8681 			}
8682 		}
8683 	}
8684 
8685 	if (!i) {
8686 		err = -EINVAL;
8687 		goto out_free;
8688 	}
8689 
8690 	request->n_channels = i;
8691 
8692 	wdev_lock(wdev);
8693 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8694 		struct ieee80211_channel *chan;
8695 
8696 		if (request->n_channels != 1) {
8697 			wdev_unlock(wdev);
8698 			err = -EBUSY;
8699 			goto out_free;
8700 		}
8701 
8702 		chan = request->channels[0];
8703 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8704 			wdev_unlock(wdev);
8705 			err = -EBUSY;
8706 			goto out_free;
8707 		}
8708 	}
8709 	wdev_unlock(wdev);
8710 
8711 	i = 0;
8712 	if (n_ssids) {
8713 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8714 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8715 				err = -EINVAL;
8716 				goto out_free;
8717 			}
8718 			request->ssids[i].ssid_len = nla_len(attr);
8719 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8720 			i++;
8721 		}
8722 	}
8723 
8724 	if (info->attrs[NL80211_ATTR_IE]) {
8725 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8726 		memcpy((void *)request->ie,
8727 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8728 		       request->ie_len);
8729 	}
8730 
8731 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8732 		if (wiphy->bands[i])
8733 			request->rates[i] =
8734 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8735 
8736 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8737 		nla_for_each_nested(attr,
8738 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8739 				    tmp) {
8740 			enum nl80211_band band = nla_type(attr);
8741 
8742 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8743 				err = -EINVAL;
8744 				goto out_free;
8745 			}
8746 
8747 			if (!wiphy->bands[band])
8748 				continue;
8749 
8750 			err = ieee80211_get_ratemask(wiphy->bands[band],
8751 						     nla_data(attr),
8752 						     nla_len(attr),
8753 						     &request->rates[band]);
8754 			if (err)
8755 				goto out_free;
8756 		}
8757 	}
8758 
8759 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8760 		request->duration =
8761 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8762 		request->duration_mandatory =
8763 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8764 	}
8765 
8766 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8767 				       false);
8768 	if (err)
8769 		goto out_free;
8770 
8771 	request->no_cck =
8772 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8773 
8774 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8775 	 * BSSID to scan for. This was problematic because that same attribute
8776 	 * was already used for another purpose (local random MAC address). The
8777 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8778 	 * compatibility with older userspace components, also use the
8779 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8780 	 * the specific BSSID use case instead of the random MAC address
8781 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8782 	 */
8783 	if (info->attrs[NL80211_ATTR_BSSID])
8784 		memcpy(request->bssid,
8785 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8786 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8787 		 info->attrs[NL80211_ATTR_MAC])
8788 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8789 		       ETH_ALEN);
8790 	else
8791 		eth_broadcast_addr(request->bssid);
8792 
8793 	request->wdev = wdev;
8794 	request->wiphy = &rdev->wiphy;
8795 	request->scan_start = jiffies;
8796 
8797 	rdev->scan_req = request;
8798 	err = cfg80211_scan(rdev);
8799 
8800 	if (err)
8801 		goto out_free;
8802 
8803 	nl80211_send_scan_start(rdev, wdev);
8804 	dev_hold(wdev->netdev);
8805 
8806 	return 0;
8807 
8808  out_free:
8809 	rdev->scan_req = NULL;
8810 	kfree(request);
8811 
8812 	return err;
8813 }
8814 
8815 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8816 {
8817 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8818 	struct wireless_dev *wdev = info->user_ptr[1];
8819 
8820 	if (!rdev->ops->abort_scan)
8821 		return -EOPNOTSUPP;
8822 
8823 	if (rdev->scan_msg)
8824 		return 0;
8825 
8826 	if (!rdev->scan_req)
8827 		return -ENOENT;
8828 
8829 	rdev_abort_scan(rdev, wdev);
8830 	return 0;
8831 }
8832 
8833 static int
8834 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8835 			       struct cfg80211_sched_scan_request *request,
8836 			       struct nlattr **attrs)
8837 {
8838 	int tmp, err, i = 0;
8839 	struct nlattr *attr;
8840 
8841 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8842 		u32 interval;
8843 
8844 		/*
8845 		 * If scan plans are not specified,
8846 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8847 		 * case one scan plan will be set with the specified scan
8848 		 * interval and infinite number of iterations.
8849 		 */
8850 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8851 		if (!interval)
8852 			return -EINVAL;
8853 
8854 		request->scan_plans[0].interval =
8855 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8856 		if (!request->scan_plans[0].interval)
8857 			return -EINVAL;
8858 
8859 		if (request->scan_plans[0].interval >
8860 		    wiphy->max_sched_scan_plan_interval)
8861 			request->scan_plans[0].interval =
8862 				wiphy->max_sched_scan_plan_interval;
8863 
8864 		return 0;
8865 	}
8866 
8867 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8868 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8869 
8870 		if (WARN_ON(i >= n_plans))
8871 			return -EINVAL;
8872 
8873 		err = nla_parse_nested_deprecated(plan,
8874 						  NL80211_SCHED_SCAN_PLAN_MAX,
8875 						  attr, nl80211_plan_policy,
8876 						  NULL);
8877 		if (err)
8878 			return err;
8879 
8880 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8881 			return -EINVAL;
8882 
8883 		request->scan_plans[i].interval =
8884 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8885 		if (!request->scan_plans[i].interval ||
8886 		    request->scan_plans[i].interval >
8887 		    wiphy->max_sched_scan_plan_interval)
8888 			return -EINVAL;
8889 
8890 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8891 			request->scan_plans[i].iterations =
8892 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8893 			if (!request->scan_plans[i].iterations ||
8894 			    (request->scan_plans[i].iterations >
8895 			     wiphy->max_sched_scan_plan_iterations))
8896 				return -EINVAL;
8897 		} else if (i < n_plans - 1) {
8898 			/*
8899 			 * All scan plans but the last one must specify
8900 			 * a finite number of iterations
8901 			 */
8902 			return -EINVAL;
8903 		}
8904 
8905 		i++;
8906 	}
8907 
8908 	/*
8909 	 * The last scan plan must not specify the number of
8910 	 * iterations, it is supposed to run infinitely
8911 	 */
8912 	if (request->scan_plans[n_plans - 1].iterations)
8913 		return  -EINVAL;
8914 
8915 	return 0;
8916 }
8917 
8918 static int
8919 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8920 				       struct cfg80211_match_set *match_sets,
8921 				       struct nlattr *tb_band_rssi,
8922 				       s32 rssi_thold)
8923 {
8924 	struct nlattr *attr;
8925 	int i, tmp, ret = 0;
8926 
8927 	if (!wiphy_ext_feature_isset(wiphy,
8928 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8929 		if (tb_band_rssi)
8930 			ret = -EOPNOTSUPP;
8931 		else
8932 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8933 				match_sets->per_band_rssi_thold[i] =
8934 					NL80211_SCAN_RSSI_THOLD_OFF;
8935 		return ret;
8936 	}
8937 
8938 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8939 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8940 
8941 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8942 		enum nl80211_band band = nla_type(attr);
8943 
8944 		if (band < 0 || band >= NUM_NL80211_BANDS)
8945 			return -EINVAL;
8946 
8947 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8948 	}
8949 
8950 	return 0;
8951 }
8952 
8953 static struct cfg80211_sched_scan_request *
8954 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8955 			 struct nlattr **attrs, int max_match_sets)
8956 {
8957 	struct cfg80211_sched_scan_request *request;
8958 	struct nlattr *attr;
8959 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8960 	enum nl80211_band band;
8961 	size_t ie_len;
8962 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8963 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8964 
8965 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8966 		n_channels = validate_scan_freqs(
8967 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8968 		if (!n_channels)
8969 			return ERR_PTR(-EINVAL);
8970 	} else {
8971 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8972 	}
8973 
8974 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8975 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8976 				    tmp)
8977 			n_ssids++;
8978 
8979 	if (n_ssids > wiphy->max_sched_scan_ssids)
8980 		return ERR_PTR(-EINVAL);
8981 
8982 	/*
8983 	 * First, count the number of 'real' matchsets. Due to an issue with
8984 	 * the old implementation, matchsets containing only the RSSI attribute
8985 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8986 	 * RSSI for all matchsets, rather than their own matchset for reporting
8987 	 * all APs with a strong RSSI. This is needed to be compatible with
8988 	 * older userspace that treated a matchset with only the RSSI as the
8989 	 * global RSSI for all other matchsets - if there are other matchsets.
8990 	 */
8991 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8992 		nla_for_each_nested(attr,
8993 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8994 				    tmp) {
8995 			struct nlattr *rssi;
8996 
8997 			err = nla_parse_nested_deprecated(tb,
8998 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8999 							  attr,
9000 							  nl80211_match_policy,
9001 							  NULL);
9002 			if (err)
9003 				return ERR_PTR(err);
9004 
9005 			/* SSID and BSSID are mutually exclusive */
9006 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9007 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9008 				return ERR_PTR(-EINVAL);
9009 
9010 			/* add other standalone attributes here */
9011 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9012 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9013 				n_match_sets++;
9014 				continue;
9015 			}
9016 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9017 			if (rssi)
9018 				default_match_rssi = nla_get_s32(rssi);
9019 		}
9020 	}
9021 
9022 	/* However, if there's no other matchset, add the RSSI one */
9023 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9024 		n_match_sets = 1;
9025 
9026 	if (n_match_sets > max_match_sets)
9027 		return ERR_PTR(-EINVAL);
9028 
9029 	if (attrs[NL80211_ATTR_IE])
9030 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9031 	else
9032 		ie_len = 0;
9033 
9034 	if (ie_len > wiphy->max_sched_scan_ie_len)
9035 		return ERR_PTR(-EINVAL);
9036 
9037 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9038 		/*
9039 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9040 		 * each scan plan already specifies its own interval
9041 		 */
9042 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9043 			return ERR_PTR(-EINVAL);
9044 
9045 		nla_for_each_nested(attr,
9046 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9047 			n_plans++;
9048 	} else {
9049 		/*
9050 		 * The scan interval attribute is kept for backward
9051 		 * compatibility. If no scan plans are specified and sched scan
9052 		 * interval is specified, one scan plan will be set with this
9053 		 * scan interval and infinite number of iterations.
9054 		 */
9055 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9056 			return ERR_PTR(-EINVAL);
9057 
9058 		n_plans = 1;
9059 	}
9060 
9061 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9062 		return ERR_PTR(-EINVAL);
9063 
9064 	if (!wiphy_ext_feature_isset(
9065 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9066 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9067 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9068 		return ERR_PTR(-EINVAL);
9069 
9070 	request = kzalloc(sizeof(*request)
9071 			+ sizeof(*request->ssids) * n_ssids
9072 			+ sizeof(*request->match_sets) * n_match_sets
9073 			+ sizeof(*request->scan_plans) * n_plans
9074 			+ sizeof(*request->channels) * n_channels
9075 			+ ie_len, GFP_KERNEL);
9076 	if (!request)
9077 		return ERR_PTR(-ENOMEM);
9078 
9079 	if (n_ssids)
9080 		request->ssids = (void *)&request->channels[n_channels];
9081 	request->n_ssids = n_ssids;
9082 	if (ie_len) {
9083 		if (n_ssids)
9084 			request->ie = (void *)(request->ssids + n_ssids);
9085 		else
9086 			request->ie = (void *)(request->channels + n_channels);
9087 	}
9088 
9089 	if (n_match_sets) {
9090 		if (request->ie)
9091 			request->match_sets = (void *)(request->ie + ie_len);
9092 		else if (n_ssids)
9093 			request->match_sets =
9094 				(void *)(request->ssids + n_ssids);
9095 		else
9096 			request->match_sets =
9097 				(void *)(request->channels + n_channels);
9098 	}
9099 	request->n_match_sets = n_match_sets;
9100 
9101 	if (n_match_sets)
9102 		request->scan_plans = (void *)(request->match_sets +
9103 					       n_match_sets);
9104 	else if (request->ie)
9105 		request->scan_plans = (void *)(request->ie + ie_len);
9106 	else if (n_ssids)
9107 		request->scan_plans = (void *)(request->ssids + n_ssids);
9108 	else
9109 		request->scan_plans = (void *)(request->channels + n_channels);
9110 
9111 	request->n_scan_plans = n_plans;
9112 
9113 	i = 0;
9114 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9115 		/* user specified, bail out if channel not found */
9116 		nla_for_each_nested(attr,
9117 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9118 				    tmp) {
9119 			struct ieee80211_channel *chan;
9120 
9121 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9122 
9123 			if (!chan) {
9124 				err = -EINVAL;
9125 				goto out_free;
9126 			}
9127 
9128 			/* ignore disabled channels */
9129 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9130 				continue;
9131 
9132 			request->channels[i] = chan;
9133 			i++;
9134 		}
9135 	} else {
9136 		/* all channels */
9137 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9138 			int j;
9139 
9140 			if (!wiphy->bands[band])
9141 				continue;
9142 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9143 				struct ieee80211_channel *chan;
9144 
9145 				chan = &wiphy->bands[band]->channels[j];
9146 
9147 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9148 					continue;
9149 
9150 				request->channels[i] = chan;
9151 				i++;
9152 			}
9153 		}
9154 	}
9155 
9156 	if (!i) {
9157 		err = -EINVAL;
9158 		goto out_free;
9159 	}
9160 
9161 	request->n_channels = i;
9162 
9163 	i = 0;
9164 	if (n_ssids) {
9165 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9166 				    tmp) {
9167 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9168 				err = -EINVAL;
9169 				goto out_free;
9170 			}
9171 			request->ssids[i].ssid_len = nla_len(attr);
9172 			memcpy(request->ssids[i].ssid, nla_data(attr),
9173 			       nla_len(attr));
9174 			i++;
9175 		}
9176 	}
9177 
9178 	i = 0;
9179 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9180 		nla_for_each_nested(attr,
9181 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9182 				    tmp) {
9183 			struct nlattr *ssid, *bssid, *rssi;
9184 
9185 			err = nla_parse_nested_deprecated(tb,
9186 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9187 							  attr,
9188 							  nl80211_match_policy,
9189 							  NULL);
9190 			if (err)
9191 				goto out_free;
9192 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9193 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9194 
9195 			if (!ssid && !bssid) {
9196 				i++;
9197 				continue;
9198 			}
9199 
9200 			if (WARN_ON(i >= n_match_sets)) {
9201 				/* this indicates a programming error,
9202 				 * the loop above should have verified
9203 				 * things properly
9204 				 */
9205 				err = -EINVAL;
9206 				goto out_free;
9207 			}
9208 
9209 			if (ssid) {
9210 				memcpy(request->match_sets[i].ssid.ssid,
9211 				       nla_data(ssid), nla_len(ssid));
9212 				request->match_sets[i].ssid.ssid_len =
9213 					nla_len(ssid);
9214 			}
9215 			if (bssid)
9216 				memcpy(request->match_sets[i].bssid,
9217 				       nla_data(bssid), ETH_ALEN);
9218 
9219 			/* special attribute - old implementation w/a */
9220 			request->match_sets[i].rssi_thold = default_match_rssi;
9221 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9222 			if (rssi)
9223 				request->match_sets[i].rssi_thold =
9224 					nla_get_s32(rssi);
9225 
9226 			/* Parse per band RSSI attribute */
9227 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9228 				&request->match_sets[i],
9229 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9230 				request->match_sets[i].rssi_thold);
9231 			if (err)
9232 				goto out_free;
9233 
9234 			i++;
9235 		}
9236 
9237 		/* there was no other matchset, so the RSSI one is alone */
9238 		if (i == 0 && n_match_sets)
9239 			request->match_sets[0].rssi_thold = default_match_rssi;
9240 
9241 		request->min_rssi_thold = INT_MAX;
9242 		for (i = 0; i < n_match_sets; i++)
9243 			request->min_rssi_thold =
9244 				min(request->match_sets[i].rssi_thold,
9245 				    request->min_rssi_thold);
9246 	} else {
9247 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9248 	}
9249 
9250 	if (ie_len) {
9251 		request->ie_len = ie_len;
9252 		memcpy((void *)request->ie,
9253 		       nla_data(attrs[NL80211_ATTR_IE]),
9254 		       request->ie_len);
9255 	}
9256 
9257 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9258 	if (err)
9259 		goto out_free;
9260 
9261 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9262 		request->delay =
9263 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9264 
9265 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9266 		request->relative_rssi = nla_get_s8(
9267 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9268 		request->relative_rssi_set = true;
9269 	}
9270 
9271 	if (request->relative_rssi_set &&
9272 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9273 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9274 
9275 		rssi_adjust = nla_data(
9276 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9277 		request->rssi_adjust.band = rssi_adjust->band;
9278 		request->rssi_adjust.delta = rssi_adjust->delta;
9279 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9280 			err = -EINVAL;
9281 			goto out_free;
9282 		}
9283 	}
9284 
9285 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9286 	if (err)
9287 		goto out_free;
9288 
9289 	request->scan_start = jiffies;
9290 
9291 	return request;
9292 
9293 out_free:
9294 	kfree(request);
9295 	return ERR_PTR(err);
9296 }
9297 
9298 static int nl80211_start_sched_scan(struct sk_buff *skb,
9299 				    struct genl_info *info)
9300 {
9301 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9302 	struct net_device *dev = info->user_ptr[1];
9303 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9304 	struct cfg80211_sched_scan_request *sched_scan_req;
9305 	bool want_multi;
9306 	int err;
9307 
9308 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9309 		return -EOPNOTSUPP;
9310 
9311 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9312 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9313 	if (err)
9314 		return err;
9315 
9316 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9317 						  info->attrs,
9318 						  rdev->wiphy.max_match_sets);
9319 
9320 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9321 	if (err)
9322 		goto out_err;
9323 
9324 	/* leave request id zero for legacy request
9325 	 * or if driver does not support multi-scheduled scan
9326 	 */
9327 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9328 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9329 
9330 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9331 	if (err)
9332 		goto out_free;
9333 
9334 	sched_scan_req->dev = dev;
9335 	sched_scan_req->wiphy = &rdev->wiphy;
9336 
9337 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9338 		sched_scan_req->owner_nlportid = info->snd_portid;
9339 
9340 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9341 
9342 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9343 	return 0;
9344 
9345 out_free:
9346 	kfree(sched_scan_req);
9347 out_err:
9348 	return err;
9349 }
9350 
9351 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9352 				   struct genl_info *info)
9353 {
9354 	struct cfg80211_sched_scan_request *req;
9355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9356 	u64 cookie;
9357 
9358 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9359 		return -EOPNOTSUPP;
9360 
9361 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9362 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9363 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9364 	}
9365 
9366 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9367 				     struct cfg80211_sched_scan_request,
9368 				     list);
9369 	if (!req || req->reqid ||
9370 	    (req->owner_nlportid &&
9371 	     req->owner_nlportid != info->snd_portid))
9372 		return -ENOENT;
9373 
9374 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9375 }
9376 
9377 static int nl80211_start_radar_detection(struct sk_buff *skb,
9378 					 struct genl_info *info)
9379 {
9380 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9381 	struct net_device *dev = info->user_ptr[1];
9382 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9383 	struct wiphy *wiphy = wdev->wiphy;
9384 	struct cfg80211_chan_def chandef;
9385 	enum nl80211_dfs_regions dfs_region;
9386 	unsigned int cac_time_ms;
9387 	int err = -EINVAL;
9388 
9389 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9390 
9391 	wiphy_lock(wiphy);
9392 
9393 	dfs_region = reg_get_dfs_region(wiphy);
9394 	if (dfs_region == NL80211_DFS_UNSET)
9395 		goto unlock;
9396 
9397 	err = nl80211_parse_chandef(rdev, info, &chandef);
9398 	if (err)
9399 		goto unlock;
9400 
9401 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9402 	if (err < 0)
9403 		goto unlock;
9404 
9405 	if (err == 0) {
9406 		err = -EINVAL;
9407 		goto unlock;
9408 	}
9409 
9410 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9411 		err = -EINVAL;
9412 		goto unlock;
9413 	}
9414 
9415 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9416 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9417 								&chandef);
9418 		goto unlock;
9419 	}
9420 
9421 	if (netif_carrier_ok(dev)) {
9422 		err = -EBUSY;
9423 		goto unlock;
9424 	}
9425 
9426 	if (wdev->cac_started) {
9427 		err = -EBUSY;
9428 		goto unlock;
9429 	}
9430 
9431 	/* CAC start is offloaded to HW and can't be started manually */
9432 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9433 		err = -EOPNOTSUPP;
9434 		goto unlock;
9435 	}
9436 
9437 	if (!rdev->ops->start_radar_detection) {
9438 		err = -EOPNOTSUPP;
9439 		goto unlock;
9440 	}
9441 
9442 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9443 	if (WARN_ON(!cac_time_ms))
9444 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9445 
9446 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9447 	if (!err) {
9448 		wdev->chandef = chandef;
9449 		wdev->cac_started = true;
9450 		wdev->cac_start_time = jiffies;
9451 		wdev->cac_time_ms = cac_time_ms;
9452 	}
9453 unlock:
9454 	wiphy_unlock(wiphy);
9455 
9456 	return err;
9457 }
9458 
9459 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9460 					  struct genl_info *info)
9461 {
9462 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9463 	struct net_device *dev = info->user_ptr[1];
9464 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9465 	struct wiphy *wiphy = wdev->wiphy;
9466 	struct cfg80211_chan_def chandef;
9467 	enum nl80211_dfs_regions dfs_region;
9468 	int err;
9469 
9470 	dfs_region = reg_get_dfs_region(wiphy);
9471 	if (dfs_region == NL80211_DFS_UNSET) {
9472 		GENL_SET_ERR_MSG(info,
9473 				 "DFS Region is not set. Unexpected Radar indication");
9474 		return -EINVAL;
9475 	}
9476 
9477 	err = nl80211_parse_chandef(rdev, info, &chandef);
9478 	if (err) {
9479 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9480 		return err;
9481 	}
9482 
9483 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9484 	if (err < 0) {
9485 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9486 		return err;
9487 	}
9488 
9489 	if (err == 0) {
9490 		GENL_SET_ERR_MSG(info,
9491 				 "Unexpected Radar indication for chandef/iftype");
9492 		return -EINVAL;
9493 	}
9494 
9495 	/* Do not process this notification if radar is already detected
9496 	 * by kernel on this channel, and return success.
9497 	 */
9498 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9499 		return 0;
9500 
9501 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9502 
9503 	cfg80211_sched_dfs_chan_update(rdev);
9504 
9505 	rdev->radar_chandef = chandef;
9506 
9507 	/* Propagate this notification to other radios as well */
9508 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9509 
9510 	return 0;
9511 }
9512 
9513 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9514 {
9515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9516 	struct net_device *dev = info->user_ptr[1];
9517 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9518 	struct cfg80211_csa_settings params;
9519 	struct nlattr **csa_attrs = NULL;
9520 	int err;
9521 	bool need_new_beacon = false;
9522 	bool need_handle_dfs_flag = true;
9523 	int len, i;
9524 	u32 cs_count;
9525 
9526 	if (!rdev->ops->channel_switch ||
9527 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9528 		return -EOPNOTSUPP;
9529 
9530 	switch (dev->ieee80211_ptr->iftype) {
9531 	case NL80211_IFTYPE_AP:
9532 	case NL80211_IFTYPE_P2P_GO:
9533 		need_new_beacon = true;
9534 		/* For all modes except AP the handle_dfs flag needs to be
9535 		 * supplied to tell the kernel that userspace will handle radar
9536 		 * events when they happen. Otherwise a switch to a channel
9537 		 * requiring DFS will be rejected.
9538 		 */
9539 		need_handle_dfs_flag = false;
9540 
9541 		/* useless if AP is not running */
9542 		if (!wdev->beacon_interval)
9543 			return -ENOTCONN;
9544 		break;
9545 	case NL80211_IFTYPE_ADHOC:
9546 		if (!wdev->ssid_len)
9547 			return -ENOTCONN;
9548 		break;
9549 	case NL80211_IFTYPE_MESH_POINT:
9550 		if (!wdev->mesh_id_len)
9551 			return -ENOTCONN;
9552 		break;
9553 	default:
9554 		return -EOPNOTSUPP;
9555 	}
9556 
9557 	memset(&params, 0, sizeof(params));
9558 	params.beacon_csa.ftm_responder = -1;
9559 
9560 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9561 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9562 		return -EINVAL;
9563 
9564 	/* only important for AP, IBSS and mesh create IEs internally */
9565 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9566 		return -EINVAL;
9567 
9568 	/* Even though the attribute is u32, the specification says
9569 	 * u8, so let's make sure we don't overflow.
9570 	 */
9571 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9572 	if (cs_count > 255)
9573 		return -EINVAL;
9574 
9575 	params.count = cs_count;
9576 
9577 	if (!need_new_beacon)
9578 		goto skip_beacons;
9579 
9580 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9581 	if (err)
9582 		goto free;
9583 
9584 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9585 			    GFP_KERNEL);
9586 	if (!csa_attrs) {
9587 		err = -ENOMEM;
9588 		goto free;
9589 	}
9590 
9591 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9592 					  info->attrs[NL80211_ATTR_CSA_IES],
9593 					  nl80211_policy, info->extack);
9594 	if (err)
9595 		goto free;
9596 
9597 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9598 	if (err)
9599 		goto free;
9600 
9601 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9602 		err = -EINVAL;
9603 		goto free;
9604 	}
9605 
9606 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9607 	if (!len || (len % sizeof(u16))) {
9608 		err = -EINVAL;
9609 		goto free;
9610 	}
9611 
9612 	params.n_counter_offsets_beacon = len / sizeof(u16);
9613 	if (rdev->wiphy.max_num_csa_counters &&
9614 	    (params.n_counter_offsets_beacon >
9615 	     rdev->wiphy.max_num_csa_counters)) {
9616 		err = -EINVAL;
9617 		goto free;
9618 	}
9619 
9620 	params.counter_offsets_beacon =
9621 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9622 
9623 	/* sanity checks - counters should fit and be the same */
9624 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9625 		u16 offset = params.counter_offsets_beacon[i];
9626 
9627 		if (offset >= params.beacon_csa.tail_len) {
9628 			err = -EINVAL;
9629 			goto free;
9630 		}
9631 
9632 		if (params.beacon_csa.tail[offset] != params.count) {
9633 			err = -EINVAL;
9634 			goto free;
9635 		}
9636 	}
9637 
9638 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9639 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9640 		if (!len || (len % sizeof(u16))) {
9641 			err = -EINVAL;
9642 			goto free;
9643 		}
9644 
9645 		params.n_counter_offsets_presp = len / sizeof(u16);
9646 		if (rdev->wiphy.max_num_csa_counters &&
9647 		    (params.n_counter_offsets_presp >
9648 		     rdev->wiphy.max_num_csa_counters)) {
9649 			err = -EINVAL;
9650 			goto free;
9651 		}
9652 
9653 		params.counter_offsets_presp =
9654 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9655 
9656 		/* sanity checks - counters should fit and be the same */
9657 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9658 			u16 offset = params.counter_offsets_presp[i];
9659 
9660 			if (offset >= params.beacon_csa.probe_resp_len) {
9661 				err = -EINVAL;
9662 				goto free;
9663 			}
9664 
9665 			if (params.beacon_csa.probe_resp[offset] !=
9666 			    params.count) {
9667 				err = -EINVAL;
9668 				goto free;
9669 			}
9670 		}
9671 	}
9672 
9673 skip_beacons:
9674 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9675 	if (err)
9676 		goto free;
9677 
9678 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9679 					   wdev->iftype)) {
9680 		err = -EINVAL;
9681 		goto free;
9682 	}
9683 
9684 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9685 					    &params.chandef,
9686 					    wdev->iftype);
9687 	if (err < 0)
9688 		goto free;
9689 
9690 	if (err > 0) {
9691 		params.radar_required = true;
9692 		if (need_handle_dfs_flag &&
9693 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9694 			err = -EINVAL;
9695 			goto free;
9696 		}
9697 	}
9698 
9699 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9700 		params.block_tx = true;
9701 
9702 	wdev_lock(wdev);
9703 	err = rdev_channel_switch(rdev, dev, &params);
9704 	wdev_unlock(wdev);
9705 
9706 free:
9707 	kfree(params.beacon_after.mbssid_ies);
9708 	kfree(params.beacon_csa.mbssid_ies);
9709 	kfree(csa_attrs);
9710 	return err;
9711 }
9712 
9713 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9714 			    u32 seq, int flags,
9715 			    struct cfg80211_registered_device *rdev,
9716 			    struct wireless_dev *wdev,
9717 			    struct cfg80211_internal_bss *intbss)
9718 {
9719 	struct cfg80211_bss *res = &intbss->pub;
9720 	const struct cfg80211_bss_ies *ies;
9721 	void *hdr;
9722 	struct nlattr *bss;
9723 
9724 	ASSERT_WDEV_LOCK(wdev);
9725 
9726 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9727 			     NL80211_CMD_NEW_SCAN_RESULTS);
9728 	if (!hdr)
9729 		return -1;
9730 
9731 	genl_dump_check_consistent(cb, hdr);
9732 
9733 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9734 		goto nla_put_failure;
9735 	if (wdev->netdev &&
9736 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9737 		goto nla_put_failure;
9738 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9739 			      NL80211_ATTR_PAD))
9740 		goto nla_put_failure;
9741 
9742 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9743 	if (!bss)
9744 		goto nla_put_failure;
9745 	if ((!is_zero_ether_addr(res->bssid) &&
9746 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9747 		goto nla_put_failure;
9748 
9749 	rcu_read_lock();
9750 	/* indicate whether we have probe response data or not */
9751 	if (rcu_access_pointer(res->proberesp_ies) &&
9752 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9753 		goto fail_unlock_rcu;
9754 
9755 	/* this pointer prefers to be pointed to probe response data
9756 	 * but is always valid
9757 	 */
9758 	ies = rcu_dereference(res->ies);
9759 	if (ies) {
9760 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9761 				      NL80211_BSS_PAD))
9762 			goto fail_unlock_rcu;
9763 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9764 					ies->len, ies->data))
9765 			goto fail_unlock_rcu;
9766 	}
9767 
9768 	/* and this pointer is always (unless driver didn't know) beacon data */
9769 	ies = rcu_dereference(res->beacon_ies);
9770 	if (ies && ies->from_beacon) {
9771 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9772 				      NL80211_BSS_PAD))
9773 			goto fail_unlock_rcu;
9774 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9775 					ies->len, ies->data))
9776 			goto fail_unlock_rcu;
9777 	}
9778 	rcu_read_unlock();
9779 
9780 	if (res->beacon_interval &&
9781 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9782 		goto nla_put_failure;
9783 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9784 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9785 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9786 			res->channel->freq_offset) ||
9787 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9788 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9789 			jiffies_to_msecs(jiffies - intbss->ts)))
9790 		goto nla_put_failure;
9791 
9792 	if (intbss->parent_tsf &&
9793 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9794 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9795 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9796 		     intbss->parent_bssid)))
9797 		goto nla_put_failure;
9798 
9799 	if (intbss->ts_boottime &&
9800 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9801 			      intbss->ts_boottime, NL80211_BSS_PAD))
9802 		goto nla_put_failure;
9803 
9804 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9805 				intbss->pub.chain_signal,
9806 				NL80211_BSS_CHAIN_SIGNAL))
9807 		goto nla_put_failure;
9808 
9809 	switch (rdev->wiphy.signal_type) {
9810 	case CFG80211_SIGNAL_TYPE_MBM:
9811 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9812 			goto nla_put_failure;
9813 		break;
9814 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9815 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9816 			goto nla_put_failure;
9817 		break;
9818 	default:
9819 		break;
9820 	}
9821 
9822 	switch (wdev->iftype) {
9823 	case NL80211_IFTYPE_P2P_CLIENT:
9824 	case NL80211_IFTYPE_STATION:
9825 		if (intbss == wdev->current_bss &&
9826 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9827 				NL80211_BSS_STATUS_ASSOCIATED))
9828 			goto nla_put_failure;
9829 		break;
9830 	case NL80211_IFTYPE_ADHOC:
9831 		if (intbss == wdev->current_bss &&
9832 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9833 				NL80211_BSS_STATUS_IBSS_JOINED))
9834 			goto nla_put_failure;
9835 		break;
9836 	default:
9837 		break;
9838 	}
9839 
9840 	nla_nest_end(msg, bss);
9841 
9842 	genlmsg_end(msg, hdr);
9843 	return 0;
9844 
9845  fail_unlock_rcu:
9846 	rcu_read_unlock();
9847  nla_put_failure:
9848 	genlmsg_cancel(msg, hdr);
9849 	return -EMSGSIZE;
9850 }
9851 
9852 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9853 {
9854 	struct cfg80211_registered_device *rdev;
9855 	struct cfg80211_internal_bss *scan;
9856 	struct wireless_dev *wdev;
9857 	int start = cb->args[2], idx = 0;
9858 	int err;
9859 
9860 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9861 	if (err)
9862 		return err;
9863 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9864 	__acquire(&rdev->wiphy.mtx);
9865 
9866 	wdev_lock(wdev);
9867 	spin_lock_bh(&rdev->bss_lock);
9868 
9869 	/*
9870 	 * dump_scan will be called multiple times to break up the scan results
9871 	 * into multiple messages.  It is unlikely that any more bss-es will be
9872 	 * expired after the first call, so only call only call this on the
9873 	 * first dump_scan invocation.
9874 	 */
9875 	if (start == 0)
9876 		cfg80211_bss_expire(rdev);
9877 
9878 	cb->seq = rdev->bss_generation;
9879 
9880 	list_for_each_entry(scan, &rdev->bss_list, list) {
9881 		if (++idx <= start)
9882 			continue;
9883 		if (nl80211_send_bss(skb, cb,
9884 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9885 				rdev, wdev, scan) < 0) {
9886 			idx--;
9887 			break;
9888 		}
9889 	}
9890 
9891 	spin_unlock_bh(&rdev->bss_lock);
9892 	wdev_unlock(wdev);
9893 
9894 	cb->args[2] = idx;
9895 	wiphy_unlock(&rdev->wiphy);
9896 
9897 	return skb->len;
9898 }
9899 
9900 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9901 			       int flags, struct net_device *dev,
9902 			       bool allow_radio_stats,
9903 			       struct survey_info *survey)
9904 {
9905 	void *hdr;
9906 	struct nlattr *infoattr;
9907 
9908 	/* skip radio stats if userspace didn't request them */
9909 	if (!survey->channel && !allow_radio_stats)
9910 		return 0;
9911 
9912 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9913 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9914 	if (!hdr)
9915 		return -ENOMEM;
9916 
9917 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9918 		goto nla_put_failure;
9919 
9920 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9921 	if (!infoattr)
9922 		goto nla_put_failure;
9923 
9924 	if (survey->channel &&
9925 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9926 			survey->channel->center_freq))
9927 		goto nla_put_failure;
9928 
9929 	if (survey->channel && survey->channel->freq_offset &&
9930 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9931 			survey->channel->freq_offset))
9932 		goto nla_put_failure;
9933 
9934 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9935 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9936 		goto nla_put_failure;
9937 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9938 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9939 		goto nla_put_failure;
9940 	if ((survey->filled & SURVEY_INFO_TIME) &&
9941 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9942 			survey->time, NL80211_SURVEY_INFO_PAD))
9943 		goto nla_put_failure;
9944 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9945 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9946 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9947 		goto nla_put_failure;
9948 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9949 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9950 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9951 		goto nla_put_failure;
9952 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9953 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9954 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9955 		goto nla_put_failure;
9956 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9957 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9958 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9959 		goto nla_put_failure;
9960 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9961 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9962 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9963 		goto nla_put_failure;
9964 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9965 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9966 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9967 		goto nla_put_failure;
9968 
9969 	nla_nest_end(msg, infoattr);
9970 
9971 	genlmsg_end(msg, hdr);
9972 	return 0;
9973 
9974  nla_put_failure:
9975 	genlmsg_cancel(msg, hdr);
9976 	return -EMSGSIZE;
9977 }
9978 
9979 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9980 {
9981 	struct nlattr **attrbuf;
9982 	struct survey_info survey;
9983 	struct cfg80211_registered_device *rdev;
9984 	struct wireless_dev *wdev;
9985 	int survey_idx = cb->args[2];
9986 	int res;
9987 	bool radio_stats;
9988 
9989 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9990 	if (!attrbuf)
9991 		return -ENOMEM;
9992 
9993 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9994 	if (res) {
9995 		kfree(attrbuf);
9996 		return res;
9997 	}
9998 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9999 	__acquire(&rdev->wiphy.mtx);
10000 
10001 	/* prepare_wdev_dump parsed the attributes */
10002 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10003 
10004 	if (!wdev->netdev) {
10005 		res = -EINVAL;
10006 		goto out_err;
10007 	}
10008 
10009 	if (!rdev->ops->dump_survey) {
10010 		res = -EOPNOTSUPP;
10011 		goto out_err;
10012 	}
10013 
10014 	while (1) {
10015 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10016 		if (res == -ENOENT)
10017 			break;
10018 		if (res)
10019 			goto out_err;
10020 
10021 		/* don't send disabled channels, but do send non-channel data */
10022 		if (survey.channel &&
10023 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10024 			survey_idx++;
10025 			continue;
10026 		}
10027 
10028 		if (nl80211_send_survey(skb,
10029 				NETLINK_CB(cb->skb).portid,
10030 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10031 				wdev->netdev, radio_stats, &survey) < 0)
10032 			goto out;
10033 		survey_idx++;
10034 	}
10035 
10036  out:
10037 	cb->args[2] = survey_idx;
10038 	res = skb->len;
10039  out_err:
10040 	kfree(attrbuf);
10041 	wiphy_unlock(&rdev->wiphy);
10042 	return res;
10043 }
10044 
10045 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10046 {
10047 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10048 				  NL80211_WPA_VERSION_2 |
10049 				  NL80211_WPA_VERSION_3));
10050 }
10051 
10052 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10053 {
10054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10055 	struct net_device *dev = info->user_ptr[1];
10056 	struct ieee80211_channel *chan;
10057 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
10058 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
10059 	enum nl80211_auth_type auth_type;
10060 	struct key_parse key;
10061 	bool local_state_change;
10062 	u32 freq;
10063 
10064 	if (!info->attrs[NL80211_ATTR_MAC])
10065 		return -EINVAL;
10066 
10067 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10068 		return -EINVAL;
10069 
10070 	if (!info->attrs[NL80211_ATTR_SSID])
10071 		return -EINVAL;
10072 
10073 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10074 		return -EINVAL;
10075 
10076 	err = nl80211_parse_key(info, &key);
10077 	if (err)
10078 		return err;
10079 
10080 	if (key.idx >= 0) {
10081 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10082 			return -EINVAL;
10083 		if (!key.p.key || !key.p.key_len)
10084 			return -EINVAL;
10085 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10086 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10087 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10088 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10089 			return -EINVAL;
10090 		if (key.idx > 3)
10091 			return -EINVAL;
10092 	} else {
10093 		key.p.key_len = 0;
10094 		key.p.key = NULL;
10095 	}
10096 
10097 	if (key.idx >= 0) {
10098 		int i;
10099 		bool ok = false;
10100 
10101 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10102 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10103 				ok = true;
10104 				break;
10105 			}
10106 		}
10107 		if (!ok)
10108 			return -EINVAL;
10109 	}
10110 
10111 	if (!rdev->ops->auth)
10112 		return -EOPNOTSUPP;
10113 
10114 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10115 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10116 		return -EOPNOTSUPP;
10117 
10118 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10119 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10120 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10121 		freq +=
10122 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10123 
10124 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10125 	if (!chan)
10126 		return -EINVAL;
10127 
10128 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10129 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10130 
10131 	if (info->attrs[NL80211_ATTR_IE]) {
10132 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10133 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10134 	}
10135 
10136 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10137 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10138 		return -EINVAL;
10139 
10140 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10141 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10142 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10143 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10144 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10145 		return -EINVAL;
10146 
10147 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10148 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10149 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10150 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10151 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10152 			return -EINVAL;
10153 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10154 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10155 	}
10156 
10157 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10158 
10159 	/*
10160 	 * Since we no longer track auth state, ignore
10161 	 * requests to only change local state.
10162 	 */
10163 	if (local_state_change)
10164 		return 0;
10165 
10166 	wdev_lock(dev->ieee80211_ptr);
10167 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10168 				 ssid, ssid_len, ie, ie_len,
10169 				 key.p.key, key.p.key_len, key.idx,
10170 				 auth_data, auth_data_len);
10171 	wdev_unlock(dev->ieee80211_ptr);
10172 	return err;
10173 }
10174 
10175 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10176 				     struct genl_info *info)
10177 {
10178 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10179 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10180 		return -EINVAL;
10181 	}
10182 
10183 	if (!rdev->ops->tx_control_port ||
10184 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10185 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10186 		return -EOPNOTSUPP;
10187 
10188 	return 0;
10189 }
10190 
10191 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10192 				   struct genl_info *info,
10193 				   struct cfg80211_crypto_settings *settings,
10194 				   int cipher_limit)
10195 {
10196 	memset(settings, 0, sizeof(*settings));
10197 
10198 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10199 
10200 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10201 		u16 proto;
10202 
10203 		proto = nla_get_u16(
10204 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10205 		settings->control_port_ethertype = cpu_to_be16(proto);
10206 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10207 		    proto != ETH_P_PAE)
10208 			return -EINVAL;
10209 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10210 			settings->control_port_no_encrypt = true;
10211 	} else
10212 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10213 
10214 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10215 		int r = validate_pae_over_nl80211(rdev, info);
10216 
10217 		if (r < 0)
10218 			return r;
10219 
10220 		settings->control_port_over_nl80211 = true;
10221 
10222 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10223 			settings->control_port_no_preauth = true;
10224 	}
10225 
10226 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10227 		void *data;
10228 		int len, i;
10229 
10230 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10231 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10232 		settings->n_ciphers_pairwise = len / sizeof(u32);
10233 
10234 		if (len % sizeof(u32))
10235 			return -EINVAL;
10236 
10237 		if (settings->n_ciphers_pairwise > cipher_limit)
10238 			return -EINVAL;
10239 
10240 		memcpy(settings->ciphers_pairwise, data, len);
10241 
10242 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10243 			if (!cfg80211_supported_cipher_suite(
10244 					&rdev->wiphy,
10245 					settings->ciphers_pairwise[i]))
10246 				return -EINVAL;
10247 	}
10248 
10249 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10250 		settings->cipher_group =
10251 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10252 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10253 						     settings->cipher_group))
10254 			return -EINVAL;
10255 	}
10256 
10257 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10258 		settings->wpa_versions =
10259 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10260 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10261 			return -EINVAL;
10262 	}
10263 
10264 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10265 		void *data;
10266 		int len;
10267 
10268 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10269 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10270 		settings->n_akm_suites = len / sizeof(u32);
10271 
10272 		if (len % sizeof(u32))
10273 			return -EINVAL;
10274 
10275 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10276 			return -EINVAL;
10277 
10278 		memcpy(settings->akm_suites, data, len);
10279 	}
10280 
10281 	if (info->attrs[NL80211_ATTR_PMK]) {
10282 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10283 			return -EINVAL;
10284 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10285 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10286 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10287 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10288 			return -EINVAL;
10289 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10290 	}
10291 
10292 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10293 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10294 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10295 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10296 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10297 			return -EINVAL;
10298 		settings->sae_pwd =
10299 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10300 		settings->sae_pwd_len =
10301 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10302 	}
10303 
10304 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10305 		settings->sae_pwe =
10306 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10307 	else
10308 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10309 
10310 	return 0;
10311 }
10312 
10313 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10314 {
10315 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10316 	struct net_device *dev = info->user_ptr[1];
10317 	struct ieee80211_channel *chan;
10318 	struct cfg80211_assoc_request req = {};
10319 	const u8 *bssid, *ssid;
10320 	int err, ssid_len = 0;
10321 	u32 freq;
10322 
10323 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10324 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10325 		return -EPERM;
10326 
10327 	if (!info->attrs[NL80211_ATTR_MAC] ||
10328 	    !info->attrs[NL80211_ATTR_SSID] ||
10329 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10330 		return -EINVAL;
10331 
10332 	if (!rdev->ops->assoc)
10333 		return -EOPNOTSUPP;
10334 
10335 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10336 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10337 		return -EOPNOTSUPP;
10338 
10339 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10340 
10341 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10342 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10343 		freq +=
10344 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10345 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10346 	if (!chan)
10347 		return -EINVAL;
10348 
10349 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10350 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10351 
10352 	if (info->attrs[NL80211_ATTR_IE]) {
10353 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10354 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10355 	}
10356 
10357 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10358 		enum nl80211_mfp mfp =
10359 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10360 		if (mfp == NL80211_MFP_REQUIRED)
10361 			req.use_mfp = true;
10362 		else if (mfp != NL80211_MFP_NO)
10363 			return -EINVAL;
10364 	}
10365 
10366 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10367 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10368 
10369 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10370 		req.flags |= ASSOC_REQ_DISABLE_HT;
10371 
10372 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10373 		memcpy(&req.ht_capa_mask,
10374 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10375 		       sizeof(req.ht_capa_mask));
10376 
10377 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10378 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10379 			return -EINVAL;
10380 		memcpy(&req.ht_capa,
10381 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10382 		       sizeof(req.ht_capa));
10383 	}
10384 
10385 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10386 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10387 
10388 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10389 		req.flags |= ASSOC_REQ_DISABLE_HE;
10390 
10391 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
10392 		req.flags |= ASSOC_REQ_DISABLE_EHT;
10393 
10394 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10395 		memcpy(&req.vht_capa_mask,
10396 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10397 		       sizeof(req.vht_capa_mask));
10398 
10399 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10400 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10401 			return -EINVAL;
10402 		memcpy(&req.vht_capa,
10403 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10404 		       sizeof(req.vht_capa));
10405 	}
10406 
10407 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10408 		if (!((rdev->wiphy.features &
10409 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10410 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10411 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10412 					     NL80211_EXT_FEATURE_RRM))
10413 			return -EINVAL;
10414 		req.flags |= ASSOC_REQ_USE_RRM;
10415 	}
10416 
10417 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10418 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10419 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10420 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10421 			return -EINVAL;
10422 		req.fils_nonces =
10423 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10424 	}
10425 
10426 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10427 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10428 			return -EINVAL;
10429 		memcpy(&req.s1g_capa_mask,
10430 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10431 		       sizeof(req.s1g_capa_mask));
10432 	}
10433 
10434 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10435 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10436 			return -EINVAL;
10437 		memcpy(&req.s1g_capa,
10438 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10439 		       sizeof(req.s1g_capa));
10440 	}
10441 
10442 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10443 	if (!err) {
10444 		wdev_lock(dev->ieee80211_ptr);
10445 
10446 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10447 					  ssid, ssid_len, &req);
10448 
10449 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10450 			dev->ieee80211_ptr->conn_owner_nlportid =
10451 				info->snd_portid;
10452 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10453 			       bssid, ETH_ALEN);
10454 		}
10455 
10456 		wdev_unlock(dev->ieee80211_ptr);
10457 	}
10458 
10459 	return err;
10460 }
10461 
10462 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10463 {
10464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10465 	struct net_device *dev = info->user_ptr[1];
10466 	const u8 *ie = NULL, *bssid;
10467 	int ie_len = 0, err;
10468 	u16 reason_code;
10469 	bool local_state_change;
10470 
10471 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10472 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10473 		return -EPERM;
10474 
10475 	if (!info->attrs[NL80211_ATTR_MAC])
10476 		return -EINVAL;
10477 
10478 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10479 		return -EINVAL;
10480 
10481 	if (!rdev->ops->deauth)
10482 		return -EOPNOTSUPP;
10483 
10484 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10485 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10486 		return -EOPNOTSUPP;
10487 
10488 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10489 
10490 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10491 	if (reason_code == 0) {
10492 		/* Reason Code 0 is reserved */
10493 		return -EINVAL;
10494 	}
10495 
10496 	if (info->attrs[NL80211_ATTR_IE]) {
10497 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10498 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10499 	}
10500 
10501 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10502 
10503 	wdev_lock(dev->ieee80211_ptr);
10504 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10505 				   local_state_change);
10506 	wdev_unlock(dev->ieee80211_ptr);
10507 	return err;
10508 }
10509 
10510 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10511 {
10512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10513 	struct net_device *dev = info->user_ptr[1];
10514 	const u8 *ie = NULL, *bssid;
10515 	int ie_len = 0, err;
10516 	u16 reason_code;
10517 	bool local_state_change;
10518 
10519 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10520 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10521 		return -EPERM;
10522 
10523 	if (!info->attrs[NL80211_ATTR_MAC])
10524 		return -EINVAL;
10525 
10526 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10527 		return -EINVAL;
10528 
10529 	if (!rdev->ops->disassoc)
10530 		return -EOPNOTSUPP;
10531 
10532 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10533 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10534 		return -EOPNOTSUPP;
10535 
10536 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10537 
10538 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10539 	if (reason_code == 0) {
10540 		/* Reason Code 0 is reserved */
10541 		return -EINVAL;
10542 	}
10543 
10544 	if (info->attrs[NL80211_ATTR_IE]) {
10545 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10546 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10547 	}
10548 
10549 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10550 
10551 	wdev_lock(dev->ieee80211_ptr);
10552 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10553 				     local_state_change);
10554 	wdev_unlock(dev->ieee80211_ptr);
10555 	return err;
10556 }
10557 
10558 static bool
10559 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10560 			 int mcast_rate[NUM_NL80211_BANDS],
10561 			 int rateval)
10562 {
10563 	struct wiphy *wiphy = &rdev->wiphy;
10564 	bool found = false;
10565 	int band, i;
10566 
10567 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10568 		struct ieee80211_supported_band *sband;
10569 
10570 		sband = wiphy->bands[band];
10571 		if (!sband)
10572 			continue;
10573 
10574 		for (i = 0; i < sband->n_bitrates; i++) {
10575 			if (sband->bitrates[i].bitrate == rateval) {
10576 				mcast_rate[band] = i + 1;
10577 				found = true;
10578 				break;
10579 			}
10580 		}
10581 	}
10582 
10583 	return found;
10584 }
10585 
10586 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10587 {
10588 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10589 	struct net_device *dev = info->user_ptr[1];
10590 	struct cfg80211_ibss_params ibss;
10591 	struct wiphy *wiphy;
10592 	struct cfg80211_cached_keys *connkeys = NULL;
10593 	int err;
10594 
10595 	memset(&ibss, 0, sizeof(ibss));
10596 
10597 	if (!info->attrs[NL80211_ATTR_SSID] ||
10598 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10599 		return -EINVAL;
10600 
10601 	ibss.beacon_interval = 100;
10602 
10603 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10604 		ibss.beacon_interval =
10605 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10606 
10607 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10608 					   ibss.beacon_interval);
10609 	if (err)
10610 		return err;
10611 
10612 	if (!rdev->ops->join_ibss)
10613 		return -EOPNOTSUPP;
10614 
10615 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10616 		return -EOPNOTSUPP;
10617 
10618 	wiphy = &rdev->wiphy;
10619 
10620 	if (info->attrs[NL80211_ATTR_MAC]) {
10621 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10622 
10623 		if (!is_valid_ether_addr(ibss.bssid))
10624 			return -EINVAL;
10625 	}
10626 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10627 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10628 
10629 	if (info->attrs[NL80211_ATTR_IE]) {
10630 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10631 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10632 	}
10633 
10634 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10635 	if (err)
10636 		return err;
10637 
10638 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10639 				     NL80211_IFTYPE_ADHOC))
10640 		return -EINVAL;
10641 
10642 	switch (ibss.chandef.width) {
10643 	case NL80211_CHAN_WIDTH_5:
10644 	case NL80211_CHAN_WIDTH_10:
10645 	case NL80211_CHAN_WIDTH_20_NOHT:
10646 		break;
10647 	case NL80211_CHAN_WIDTH_20:
10648 	case NL80211_CHAN_WIDTH_40:
10649 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10650 			return -EINVAL;
10651 		break;
10652 	case NL80211_CHAN_WIDTH_80:
10653 	case NL80211_CHAN_WIDTH_80P80:
10654 	case NL80211_CHAN_WIDTH_160:
10655 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10656 			return -EINVAL;
10657 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10658 					     NL80211_EXT_FEATURE_VHT_IBSS))
10659 			return -EINVAL;
10660 		break;
10661 	case NL80211_CHAN_WIDTH_320:
10662 		return -EINVAL;
10663 	default:
10664 		return -EINVAL;
10665 	}
10666 
10667 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10668 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10669 
10670 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10671 		u8 *rates =
10672 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10673 		int n_rates =
10674 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10675 		struct ieee80211_supported_band *sband =
10676 			wiphy->bands[ibss.chandef.chan->band];
10677 
10678 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10679 					     &ibss.basic_rates);
10680 		if (err)
10681 			return err;
10682 	}
10683 
10684 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10685 		memcpy(&ibss.ht_capa_mask,
10686 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10687 		       sizeof(ibss.ht_capa_mask));
10688 
10689 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10690 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10691 			return -EINVAL;
10692 		memcpy(&ibss.ht_capa,
10693 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10694 		       sizeof(ibss.ht_capa));
10695 	}
10696 
10697 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10698 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10699 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10700 		return -EINVAL;
10701 
10702 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10703 		bool no_ht = false;
10704 
10705 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10706 		if (IS_ERR(connkeys))
10707 			return PTR_ERR(connkeys);
10708 
10709 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10710 		    no_ht) {
10711 			kfree_sensitive(connkeys);
10712 			return -EINVAL;
10713 		}
10714 	}
10715 
10716 	ibss.control_port =
10717 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10718 
10719 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10720 		int r = validate_pae_over_nl80211(rdev, info);
10721 
10722 		if (r < 0) {
10723 			kfree_sensitive(connkeys);
10724 			return r;
10725 		}
10726 
10727 		ibss.control_port_over_nl80211 = true;
10728 	}
10729 
10730 	ibss.userspace_handles_dfs =
10731 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10732 
10733 	wdev_lock(dev->ieee80211_ptr);
10734 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10735 	if (err)
10736 		kfree_sensitive(connkeys);
10737 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10738 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10739 	wdev_unlock(dev->ieee80211_ptr);
10740 
10741 	return err;
10742 }
10743 
10744 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10745 {
10746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10747 	struct net_device *dev = info->user_ptr[1];
10748 
10749 	if (!rdev->ops->leave_ibss)
10750 		return -EOPNOTSUPP;
10751 
10752 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10753 		return -EOPNOTSUPP;
10754 
10755 	return cfg80211_leave_ibss(rdev, dev, false);
10756 }
10757 
10758 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10759 {
10760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10761 	struct net_device *dev = info->user_ptr[1];
10762 	int mcast_rate[NUM_NL80211_BANDS];
10763 	u32 nla_rate;
10764 	int err;
10765 
10766 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10767 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10768 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10769 		return -EOPNOTSUPP;
10770 
10771 	if (!rdev->ops->set_mcast_rate)
10772 		return -EOPNOTSUPP;
10773 
10774 	memset(mcast_rate, 0, sizeof(mcast_rate));
10775 
10776 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10777 		return -EINVAL;
10778 
10779 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10780 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10781 		return -EINVAL;
10782 
10783 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10784 
10785 	return err;
10786 }
10787 
10788 static struct sk_buff *
10789 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10790 			    struct wireless_dev *wdev, int approxlen,
10791 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10792 			    enum nl80211_attrs attr,
10793 			    const struct nl80211_vendor_cmd_info *info,
10794 			    gfp_t gfp)
10795 {
10796 	struct sk_buff *skb;
10797 	void *hdr;
10798 	struct nlattr *data;
10799 
10800 	skb = nlmsg_new(approxlen + 100, gfp);
10801 	if (!skb)
10802 		return NULL;
10803 
10804 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10805 	if (!hdr) {
10806 		kfree_skb(skb);
10807 		return NULL;
10808 	}
10809 
10810 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10811 		goto nla_put_failure;
10812 
10813 	if (info) {
10814 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10815 				info->vendor_id))
10816 			goto nla_put_failure;
10817 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10818 				info->subcmd))
10819 			goto nla_put_failure;
10820 	}
10821 
10822 	if (wdev) {
10823 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10824 				      wdev_id(wdev), NL80211_ATTR_PAD))
10825 			goto nla_put_failure;
10826 		if (wdev->netdev &&
10827 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10828 				wdev->netdev->ifindex))
10829 			goto nla_put_failure;
10830 	}
10831 
10832 	data = nla_nest_start_noflag(skb, attr);
10833 	if (!data)
10834 		goto nla_put_failure;
10835 
10836 	((void **)skb->cb)[0] = rdev;
10837 	((void **)skb->cb)[1] = hdr;
10838 	((void **)skb->cb)[2] = data;
10839 
10840 	return skb;
10841 
10842  nla_put_failure:
10843 	kfree_skb(skb);
10844 	return NULL;
10845 }
10846 
10847 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10848 					   struct wireless_dev *wdev,
10849 					   enum nl80211_commands cmd,
10850 					   enum nl80211_attrs attr,
10851 					   unsigned int portid,
10852 					   int vendor_event_idx,
10853 					   int approxlen, gfp_t gfp)
10854 {
10855 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10856 	const struct nl80211_vendor_cmd_info *info;
10857 
10858 	switch (cmd) {
10859 	case NL80211_CMD_TESTMODE:
10860 		if (WARN_ON(vendor_event_idx != -1))
10861 			return NULL;
10862 		info = NULL;
10863 		break;
10864 	case NL80211_CMD_VENDOR:
10865 		if (WARN_ON(vendor_event_idx < 0 ||
10866 			    vendor_event_idx >= wiphy->n_vendor_events))
10867 			return NULL;
10868 		info = &wiphy->vendor_events[vendor_event_idx];
10869 		break;
10870 	default:
10871 		WARN_ON(1);
10872 		return NULL;
10873 	}
10874 
10875 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10876 					   cmd, attr, info, gfp);
10877 }
10878 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10879 
10880 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10881 {
10882 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10883 	void *hdr = ((void **)skb->cb)[1];
10884 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10885 	struct nlattr *data = ((void **)skb->cb)[2];
10886 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10887 
10888 	/* clear CB data for netlink core to own from now on */
10889 	memset(skb->cb, 0, sizeof(skb->cb));
10890 
10891 	nla_nest_end(skb, data);
10892 	genlmsg_end(skb, hdr);
10893 
10894 	if (nlhdr->nlmsg_pid) {
10895 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10896 				nlhdr->nlmsg_pid);
10897 	} else {
10898 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10899 			mcgrp = NL80211_MCGRP_VENDOR;
10900 
10901 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10902 					skb, 0, mcgrp, gfp);
10903 	}
10904 }
10905 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10906 
10907 #ifdef CONFIG_NL80211_TESTMODE
10908 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10909 {
10910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10911 	struct wireless_dev *wdev;
10912 	int err;
10913 
10914 	lockdep_assert_held(&rdev->wiphy.mtx);
10915 
10916 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10917 					  info->attrs);
10918 
10919 	if (!rdev->ops->testmode_cmd)
10920 		return -EOPNOTSUPP;
10921 
10922 	if (IS_ERR(wdev)) {
10923 		err = PTR_ERR(wdev);
10924 		if (err != -EINVAL)
10925 			return err;
10926 		wdev = NULL;
10927 	} else if (wdev->wiphy != &rdev->wiphy) {
10928 		return -EINVAL;
10929 	}
10930 
10931 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10932 		return -EINVAL;
10933 
10934 	rdev->cur_cmd_info = info;
10935 	err = rdev_testmode_cmd(rdev, wdev,
10936 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10937 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10938 	rdev->cur_cmd_info = NULL;
10939 
10940 	return err;
10941 }
10942 
10943 static int nl80211_testmode_dump(struct sk_buff *skb,
10944 				 struct netlink_callback *cb)
10945 {
10946 	struct cfg80211_registered_device *rdev;
10947 	struct nlattr **attrbuf = NULL;
10948 	int err;
10949 	long phy_idx;
10950 	void *data = NULL;
10951 	int data_len = 0;
10952 
10953 	rtnl_lock();
10954 
10955 	if (cb->args[0]) {
10956 		/*
10957 		 * 0 is a valid index, but not valid for args[0],
10958 		 * so we need to offset by 1.
10959 		 */
10960 		phy_idx = cb->args[0] - 1;
10961 
10962 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10963 		if (!rdev) {
10964 			err = -ENOENT;
10965 			goto out_err;
10966 		}
10967 	} else {
10968 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10969 				  GFP_KERNEL);
10970 		if (!attrbuf) {
10971 			err = -ENOMEM;
10972 			goto out_err;
10973 		}
10974 
10975 		err = nlmsg_parse_deprecated(cb->nlh,
10976 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10977 					     attrbuf, nl80211_fam.maxattr,
10978 					     nl80211_policy, NULL);
10979 		if (err)
10980 			goto out_err;
10981 
10982 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10983 		if (IS_ERR(rdev)) {
10984 			err = PTR_ERR(rdev);
10985 			goto out_err;
10986 		}
10987 		phy_idx = rdev->wiphy_idx;
10988 
10989 		if (attrbuf[NL80211_ATTR_TESTDATA])
10990 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10991 	}
10992 
10993 	if (cb->args[1]) {
10994 		data = nla_data((void *)cb->args[1]);
10995 		data_len = nla_len((void *)cb->args[1]);
10996 	}
10997 
10998 	if (!rdev->ops->testmode_dump) {
10999 		err = -EOPNOTSUPP;
11000 		goto out_err;
11001 	}
11002 
11003 	while (1) {
11004 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11005 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11006 					   NL80211_CMD_TESTMODE);
11007 		struct nlattr *tmdata;
11008 
11009 		if (!hdr)
11010 			break;
11011 
11012 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11013 			genlmsg_cancel(skb, hdr);
11014 			break;
11015 		}
11016 
11017 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11018 		if (!tmdata) {
11019 			genlmsg_cancel(skb, hdr);
11020 			break;
11021 		}
11022 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11023 		nla_nest_end(skb, tmdata);
11024 
11025 		if (err == -ENOBUFS || err == -ENOENT) {
11026 			genlmsg_cancel(skb, hdr);
11027 			break;
11028 		} else if (err) {
11029 			genlmsg_cancel(skb, hdr);
11030 			goto out_err;
11031 		}
11032 
11033 		genlmsg_end(skb, hdr);
11034 	}
11035 
11036 	err = skb->len;
11037 	/* see above */
11038 	cb->args[0] = phy_idx + 1;
11039  out_err:
11040 	kfree(attrbuf);
11041 	rtnl_unlock();
11042 	return err;
11043 }
11044 #endif
11045 
11046 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11047 {
11048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11049 	struct net_device *dev = info->user_ptr[1];
11050 	struct cfg80211_connect_params connect;
11051 	struct wiphy *wiphy;
11052 	struct cfg80211_cached_keys *connkeys = NULL;
11053 	u32 freq = 0;
11054 	int err;
11055 
11056 	memset(&connect, 0, sizeof(connect));
11057 
11058 	if (!info->attrs[NL80211_ATTR_SSID] ||
11059 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11060 		return -EINVAL;
11061 
11062 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11063 		connect.auth_type =
11064 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11065 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11066 					     NL80211_CMD_CONNECT))
11067 			return -EINVAL;
11068 	} else
11069 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11070 
11071 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11072 
11073 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11074 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11075 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11076 		return -EINVAL;
11077 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11078 
11079 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11080 				      NL80211_MAX_NR_CIPHER_SUITES);
11081 	if (err)
11082 		return err;
11083 
11084 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11085 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11086 		return -EOPNOTSUPP;
11087 
11088 	wiphy = &rdev->wiphy;
11089 
11090 	connect.bg_scan_period = -1;
11091 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11092 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11093 		connect.bg_scan_period =
11094 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11095 	}
11096 
11097 	if (info->attrs[NL80211_ATTR_MAC])
11098 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11099 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11100 		connect.bssid_hint =
11101 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11102 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11103 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11104 
11105 	if (info->attrs[NL80211_ATTR_IE]) {
11106 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11107 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11108 	}
11109 
11110 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11111 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11112 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11113 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11114 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11115 			return -EOPNOTSUPP;
11116 	} else {
11117 		connect.mfp = NL80211_MFP_NO;
11118 	}
11119 
11120 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11121 		connect.prev_bssid =
11122 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11123 
11124 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11125 		freq = MHZ_TO_KHZ(nla_get_u32(
11126 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11127 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11128 		freq +=
11129 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11130 
11131 	if (freq) {
11132 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11133 		if (!connect.channel)
11134 			return -EINVAL;
11135 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11136 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11137 		freq = MHZ_TO_KHZ(freq);
11138 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11139 		if (!connect.channel_hint)
11140 			return -EINVAL;
11141 	}
11142 
11143 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11144 		connect.edmg.channels =
11145 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11146 
11147 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11148 			connect.edmg.bw_config =
11149 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11150 	}
11151 
11152 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11153 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11154 		if (IS_ERR(connkeys))
11155 			return PTR_ERR(connkeys);
11156 	}
11157 
11158 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11159 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11160 
11161 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11162 		memcpy(&connect.ht_capa_mask,
11163 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11164 		       sizeof(connect.ht_capa_mask));
11165 
11166 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11167 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11168 			kfree_sensitive(connkeys);
11169 			return -EINVAL;
11170 		}
11171 		memcpy(&connect.ht_capa,
11172 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11173 		       sizeof(connect.ht_capa));
11174 	}
11175 
11176 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11177 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11178 
11179 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11180 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11181 
11182 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11183 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11184 
11185 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11186 		memcpy(&connect.vht_capa_mask,
11187 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11188 		       sizeof(connect.vht_capa_mask));
11189 
11190 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11191 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11192 			kfree_sensitive(connkeys);
11193 			return -EINVAL;
11194 		}
11195 		memcpy(&connect.vht_capa,
11196 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11197 		       sizeof(connect.vht_capa));
11198 	}
11199 
11200 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11201 		if (!((rdev->wiphy.features &
11202 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11203 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11204 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11205 					     NL80211_EXT_FEATURE_RRM)) {
11206 			kfree_sensitive(connkeys);
11207 			return -EINVAL;
11208 		}
11209 		connect.flags |= ASSOC_REQ_USE_RRM;
11210 	}
11211 
11212 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11213 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11214 		kfree_sensitive(connkeys);
11215 		return -EOPNOTSUPP;
11216 	}
11217 
11218 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11219 		/* bss selection makes no sense if bssid is set */
11220 		if (connect.bssid) {
11221 			kfree_sensitive(connkeys);
11222 			return -EINVAL;
11223 		}
11224 
11225 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11226 				       wiphy, &connect.bss_select);
11227 		if (err) {
11228 			kfree_sensitive(connkeys);
11229 			return err;
11230 		}
11231 	}
11232 
11233 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11234 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11235 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11236 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11237 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11238 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11239 		connect.fils_erp_username =
11240 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11241 		connect.fils_erp_username_len =
11242 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11243 		connect.fils_erp_realm =
11244 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11245 		connect.fils_erp_realm_len =
11246 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11247 		connect.fils_erp_next_seq_num =
11248 			nla_get_u16(
11249 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11250 		connect.fils_erp_rrk =
11251 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11252 		connect.fils_erp_rrk_len =
11253 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11254 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11255 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11256 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11257 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11258 		kfree_sensitive(connkeys);
11259 		return -EINVAL;
11260 	}
11261 
11262 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11263 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11264 			kfree_sensitive(connkeys);
11265 			GENL_SET_ERR_MSG(info,
11266 					 "external auth requires connection ownership");
11267 			return -EINVAL;
11268 		}
11269 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11270 	}
11271 
11272 	wdev_lock(dev->ieee80211_ptr);
11273 
11274 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11275 			       connect.prev_bssid);
11276 	if (err)
11277 		kfree_sensitive(connkeys);
11278 
11279 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11280 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11281 		if (connect.bssid)
11282 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11283 			       connect.bssid, ETH_ALEN);
11284 		else
11285 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11286 	}
11287 
11288 	wdev_unlock(dev->ieee80211_ptr);
11289 
11290 	return err;
11291 }
11292 
11293 static int nl80211_update_connect_params(struct sk_buff *skb,
11294 					 struct genl_info *info)
11295 {
11296 	struct cfg80211_connect_params connect = {};
11297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11298 	struct net_device *dev = info->user_ptr[1];
11299 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11300 	bool fils_sk_offload;
11301 	u32 auth_type;
11302 	u32 changed = 0;
11303 	int ret;
11304 
11305 	if (!rdev->ops->update_connect_params)
11306 		return -EOPNOTSUPP;
11307 
11308 	if (info->attrs[NL80211_ATTR_IE]) {
11309 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11310 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11311 		changed |= UPDATE_ASSOC_IES;
11312 	}
11313 
11314 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11315 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11316 
11317 	/*
11318 	 * when driver supports fils-sk offload all attributes must be
11319 	 * provided. So the else covers "fils-sk-not-all" and
11320 	 * "no-fils-sk-any".
11321 	 */
11322 	if (fils_sk_offload &&
11323 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11324 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11325 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11326 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11327 		connect.fils_erp_username =
11328 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11329 		connect.fils_erp_username_len =
11330 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11331 		connect.fils_erp_realm =
11332 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11333 		connect.fils_erp_realm_len =
11334 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11335 		connect.fils_erp_next_seq_num =
11336 			nla_get_u16(
11337 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11338 		connect.fils_erp_rrk =
11339 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11340 		connect.fils_erp_rrk_len =
11341 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11342 		changed |= UPDATE_FILS_ERP_INFO;
11343 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11344 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11345 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11346 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11347 		return -EINVAL;
11348 	}
11349 
11350 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11351 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11352 		if (!nl80211_valid_auth_type(rdev, auth_type,
11353 					     NL80211_CMD_CONNECT))
11354 			return -EINVAL;
11355 
11356 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11357 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11358 			return -EINVAL;
11359 
11360 		connect.auth_type = auth_type;
11361 		changed |= UPDATE_AUTH_TYPE;
11362 	}
11363 
11364 	wdev_lock(dev->ieee80211_ptr);
11365 	if (!wdev->current_bss)
11366 		ret = -ENOLINK;
11367 	else
11368 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11369 	wdev_unlock(dev->ieee80211_ptr);
11370 
11371 	return ret;
11372 }
11373 
11374 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11375 {
11376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11377 	struct net_device *dev = info->user_ptr[1];
11378 	u16 reason;
11379 	int ret;
11380 
11381 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11382 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11383 		return -EPERM;
11384 
11385 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11386 		reason = WLAN_REASON_DEAUTH_LEAVING;
11387 	else
11388 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11389 
11390 	if (reason == 0)
11391 		return -EINVAL;
11392 
11393 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11394 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11395 		return -EOPNOTSUPP;
11396 
11397 	wdev_lock(dev->ieee80211_ptr);
11398 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11399 	wdev_unlock(dev->ieee80211_ptr);
11400 	return ret;
11401 }
11402 
11403 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11404 {
11405 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11406 	struct net *net;
11407 	int err;
11408 
11409 	if (info->attrs[NL80211_ATTR_PID]) {
11410 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11411 
11412 		net = get_net_ns_by_pid(pid);
11413 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11414 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11415 
11416 		net = get_net_ns_by_fd(fd);
11417 	} else {
11418 		return -EINVAL;
11419 	}
11420 
11421 	if (IS_ERR(net))
11422 		return PTR_ERR(net);
11423 
11424 	err = 0;
11425 
11426 	/* check if anything to do */
11427 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11428 		err = cfg80211_switch_netns(rdev, net);
11429 
11430 	put_net(net);
11431 	return err;
11432 }
11433 
11434 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11435 {
11436 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11437 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11438 			struct cfg80211_pmksa *pmksa) = NULL;
11439 	struct net_device *dev = info->user_ptr[1];
11440 	struct cfg80211_pmksa pmksa;
11441 
11442 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11443 
11444 	if (!info->attrs[NL80211_ATTR_PMKID])
11445 		return -EINVAL;
11446 
11447 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11448 
11449 	if (info->attrs[NL80211_ATTR_MAC]) {
11450 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11451 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11452 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11453 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11454 		    info->attrs[NL80211_ATTR_PMK])) {
11455 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11456 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11457 		pmksa.cache_id =
11458 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11459 	} else {
11460 		return -EINVAL;
11461 	}
11462 	if (info->attrs[NL80211_ATTR_PMK]) {
11463 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11464 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11465 	}
11466 
11467 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11468 		pmksa.pmk_lifetime =
11469 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11470 
11471 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11472 		pmksa.pmk_reauth_threshold =
11473 			nla_get_u8(
11474 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11475 
11476 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11477 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11478 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11479 	      wiphy_ext_feature_isset(&rdev->wiphy,
11480 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11481 		return -EOPNOTSUPP;
11482 
11483 	switch (info->genlhdr->cmd) {
11484 	case NL80211_CMD_SET_PMKSA:
11485 		rdev_ops = rdev->ops->set_pmksa;
11486 		break;
11487 	case NL80211_CMD_DEL_PMKSA:
11488 		rdev_ops = rdev->ops->del_pmksa;
11489 		break;
11490 	default:
11491 		WARN_ON(1);
11492 		break;
11493 	}
11494 
11495 	if (!rdev_ops)
11496 		return -EOPNOTSUPP;
11497 
11498 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11499 }
11500 
11501 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11502 {
11503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11504 	struct net_device *dev = info->user_ptr[1];
11505 
11506 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11507 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11508 		return -EOPNOTSUPP;
11509 
11510 	if (!rdev->ops->flush_pmksa)
11511 		return -EOPNOTSUPP;
11512 
11513 	return rdev_flush_pmksa(rdev, dev);
11514 }
11515 
11516 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11517 {
11518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11519 	struct net_device *dev = info->user_ptr[1];
11520 	u8 action_code, dialog_token;
11521 	u32 peer_capability = 0;
11522 	u16 status_code;
11523 	u8 *peer;
11524 	bool initiator;
11525 
11526 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11527 	    !rdev->ops->tdls_mgmt)
11528 		return -EOPNOTSUPP;
11529 
11530 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11531 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11532 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11533 	    !info->attrs[NL80211_ATTR_IE] ||
11534 	    !info->attrs[NL80211_ATTR_MAC])
11535 		return -EINVAL;
11536 
11537 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11538 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11539 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11540 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11541 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11542 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11543 		peer_capability =
11544 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11545 
11546 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11547 			      dialog_token, status_code, peer_capability,
11548 			      initiator,
11549 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11550 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11551 }
11552 
11553 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11554 {
11555 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11556 	struct net_device *dev = info->user_ptr[1];
11557 	enum nl80211_tdls_operation operation;
11558 	u8 *peer;
11559 
11560 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11561 	    !rdev->ops->tdls_oper)
11562 		return -EOPNOTSUPP;
11563 
11564 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11565 	    !info->attrs[NL80211_ATTR_MAC])
11566 		return -EINVAL;
11567 
11568 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11569 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11570 
11571 	return rdev_tdls_oper(rdev, dev, peer, operation);
11572 }
11573 
11574 static int nl80211_remain_on_channel(struct sk_buff *skb,
11575 				     struct genl_info *info)
11576 {
11577 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11578 	struct wireless_dev *wdev = info->user_ptr[1];
11579 	struct cfg80211_chan_def chandef;
11580 	const struct cfg80211_chan_def *compat_chandef;
11581 	struct sk_buff *msg;
11582 	void *hdr;
11583 	u64 cookie;
11584 	u32 duration;
11585 	int err;
11586 
11587 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11588 	    !info->attrs[NL80211_ATTR_DURATION])
11589 		return -EINVAL;
11590 
11591 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11592 
11593 	if (!rdev->ops->remain_on_channel ||
11594 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11595 		return -EOPNOTSUPP;
11596 
11597 	/*
11598 	 * We should be on that channel for at least a minimum amount of
11599 	 * time (10ms) but no longer than the driver supports.
11600 	 */
11601 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11602 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11603 		return -EINVAL;
11604 
11605 	err = nl80211_parse_chandef(rdev, info, &chandef);
11606 	if (err)
11607 		return err;
11608 
11609 	wdev_lock(wdev);
11610 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11611 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11612 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11613 							     &chandef);
11614 		if (compat_chandef != &chandef) {
11615 			wdev_unlock(wdev);
11616 			return -EBUSY;
11617 		}
11618 	}
11619 	wdev_unlock(wdev);
11620 
11621 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11622 	if (!msg)
11623 		return -ENOMEM;
11624 
11625 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11626 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11627 	if (!hdr) {
11628 		err = -ENOBUFS;
11629 		goto free_msg;
11630 	}
11631 
11632 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11633 				     duration, &cookie);
11634 
11635 	if (err)
11636 		goto free_msg;
11637 
11638 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11639 			      NL80211_ATTR_PAD))
11640 		goto nla_put_failure;
11641 
11642 	genlmsg_end(msg, hdr);
11643 
11644 	return genlmsg_reply(msg, info);
11645 
11646  nla_put_failure:
11647 	err = -ENOBUFS;
11648  free_msg:
11649 	nlmsg_free(msg);
11650 	return err;
11651 }
11652 
11653 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11654 					    struct genl_info *info)
11655 {
11656 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11657 	struct wireless_dev *wdev = info->user_ptr[1];
11658 	u64 cookie;
11659 
11660 	if (!info->attrs[NL80211_ATTR_COOKIE])
11661 		return -EINVAL;
11662 
11663 	if (!rdev->ops->cancel_remain_on_channel)
11664 		return -EOPNOTSUPP;
11665 
11666 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11667 
11668 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11669 }
11670 
11671 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11672 				       struct genl_info *info)
11673 {
11674 	struct cfg80211_bitrate_mask mask;
11675 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11676 	struct net_device *dev = info->user_ptr[1];
11677 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11678 	int err;
11679 
11680 	if (!rdev->ops->set_bitrate_mask)
11681 		return -EOPNOTSUPP;
11682 
11683 	wdev_lock(wdev);
11684 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11685 					    NL80211_ATTR_TX_RATES, &mask,
11686 					    dev, true);
11687 	if (err)
11688 		goto out;
11689 
11690 	err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11691 out:
11692 	wdev_unlock(wdev);
11693 	return err;
11694 }
11695 
11696 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11697 {
11698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11699 	struct wireless_dev *wdev = info->user_ptr[1];
11700 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11701 
11702 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11703 		return -EINVAL;
11704 
11705 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11706 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11707 
11708 	switch (wdev->iftype) {
11709 	case NL80211_IFTYPE_STATION:
11710 	case NL80211_IFTYPE_ADHOC:
11711 	case NL80211_IFTYPE_P2P_CLIENT:
11712 	case NL80211_IFTYPE_AP:
11713 	case NL80211_IFTYPE_AP_VLAN:
11714 	case NL80211_IFTYPE_MESH_POINT:
11715 	case NL80211_IFTYPE_P2P_GO:
11716 	case NL80211_IFTYPE_P2P_DEVICE:
11717 		break;
11718 	case NL80211_IFTYPE_NAN:
11719 	default:
11720 		return -EOPNOTSUPP;
11721 	}
11722 
11723 	/* not much point in registering if we can't reply */
11724 	if (!rdev->ops->mgmt_tx)
11725 		return -EOPNOTSUPP;
11726 
11727 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11728 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11729 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11730 		GENL_SET_ERR_MSG(info,
11731 				 "multicast RX registrations are not supported");
11732 		return -EOPNOTSUPP;
11733 	}
11734 
11735 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11736 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11737 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11738 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11739 					   info->extack);
11740 }
11741 
11742 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11743 {
11744 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11745 	struct wireless_dev *wdev = info->user_ptr[1];
11746 	struct cfg80211_chan_def chandef;
11747 	int err;
11748 	void *hdr = NULL;
11749 	u64 cookie;
11750 	struct sk_buff *msg = NULL;
11751 	struct cfg80211_mgmt_tx_params params = {
11752 		.dont_wait_for_ack =
11753 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11754 	};
11755 
11756 	if (!info->attrs[NL80211_ATTR_FRAME])
11757 		return -EINVAL;
11758 
11759 	if (!rdev->ops->mgmt_tx)
11760 		return -EOPNOTSUPP;
11761 
11762 	switch (wdev->iftype) {
11763 	case NL80211_IFTYPE_P2P_DEVICE:
11764 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11765 			return -EINVAL;
11766 		break;
11767 	case NL80211_IFTYPE_STATION:
11768 	case NL80211_IFTYPE_ADHOC:
11769 	case NL80211_IFTYPE_P2P_CLIENT:
11770 	case NL80211_IFTYPE_AP:
11771 	case NL80211_IFTYPE_AP_VLAN:
11772 	case NL80211_IFTYPE_MESH_POINT:
11773 	case NL80211_IFTYPE_P2P_GO:
11774 		break;
11775 	case NL80211_IFTYPE_NAN:
11776 	default:
11777 		return -EOPNOTSUPP;
11778 	}
11779 
11780 	if (info->attrs[NL80211_ATTR_DURATION]) {
11781 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11782 			return -EINVAL;
11783 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11784 
11785 		/*
11786 		 * We should wait on the channel for at least a minimum amount
11787 		 * of time (10ms) but no longer than the driver supports.
11788 		 */
11789 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11790 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11791 			return -EINVAL;
11792 	}
11793 
11794 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11795 
11796 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11797 		return -EINVAL;
11798 
11799 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11800 
11801 	/* get the channel if any has been specified, otherwise pass NULL to
11802 	 * the driver. The latter will use the current one
11803 	 */
11804 	chandef.chan = NULL;
11805 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11806 		err = nl80211_parse_chandef(rdev, info, &chandef);
11807 		if (err)
11808 			return err;
11809 	}
11810 
11811 	if (!chandef.chan && params.offchan)
11812 		return -EINVAL;
11813 
11814 	wdev_lock(wdev);
11815 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11816 		wdev_unlock(wdev);
11817 		return -EBUSY;
11818 	}
11819 	wdev_unlock(wdev);
11820 
11821 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11822 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11823 
11824 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11825 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11826 		int i;
11827 
11828 		if (len % sizeof(u16))
11829 			return -EINVAL;
11830 
11831 		params.n_csa_offsets = len / sizeof(u16);
11832 		params.csa_offsets =
11833 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11834 
11835 		/* check that all the offsets fit the frame */
11836 		for (i = 0; i < params.n_csa_offsets; i++) {
11837 			if (params.csa_offsets[i] >= params.len)
11838 				return -EINVAL;
11839 		}
11840 	}
11841 
11842 	if (!params.dont_wait_for_ack) {
11843 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11844 		if (!msg)
11845 			return -ENOMEM;
11846 
11847 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11848 				     NL80211_CMD_FRAME);
11849 		if (!hdr) {
11850 			err = -ENOBUFS;
11851 			goto free_msg;
11852 		}
11853 	}
11854 
11855 	params.chan = chandef.chan;
11856 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11857 	if (err)
11858 		goto free_msg;
11859 
11860 	if (msg) {
11861 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11862 				      NL80211_ATTR_PAD))
11863 			goto nla_put_failure;
11864 
11865 		genlmsg_end(msg, hdr);
11866 		return genlmsg_reply(msg, info);
11867 	}
11868 
11869 	return 0;
11870 
11871  nla_put_failure:
11872 	err = -ENOBUFS;
11873  free_msg:
11874 	nlmsg_free(msg);
11875 	return err;
11876 }
11877 
11878 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11879 {
11880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11881 	struct wireless_dev *wdev = info->user_ptr[1];
11882 	u64 cookie;
11883 
11884 	if (!info->attrs[NL80211_ATTR_COOKIE])
11885 		return -EINVAL;
11886 
11887 	if (!rdev->ops->mgmt_tx_cancel_wait)
11888 		return -EOPNOTSUPP;
11889 
11890 	switch (wdev->iftype) {
11891 	case NL80211_IFTYPE_STATION:
11892 	case NL80211_IFTYPE_ADHOC:
11893 	case NL80211_IFTYPE_P2P_CLIENT:
11894 	case NL80211_IFTYPE_AP:
11895 	case NL80211_IFTYPE_AP_VLAN:
11896 	case NL80211_IFTYPE_P2P_GO:
11897 	case NL80211_IFTYPE_P2P_DEVICE:
11898 		break;
11899 	case NL80211_IFTYPE_NAN:
11900 	default:
11901 		return -EOPNOTSUPP;
11902 	}
11903 
11904 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11905 
11906 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11907 }
11908 
11909 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11910 {
11911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11912 	struct wireless_dev *wdev;
11913 	struct net_device *dev = info->user_ptr[1];
11914 	u8 ps_state;
11915 	bool state;
11916 	int err;
11917 
11918 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11919 		return -EINVAL;
11920 
11921 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11922 
11923 	wdev = dev->ieee80211_ptr;
11924 
11925 	if (!rdev->ops->set_power_mgmt)
11926 		return -EOPNOTSUPP;
11927 
11928 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11929 
11930 	if (state == wdev->ps)
11931 		return 0;
11932 
11933 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11934 	if (!err)
11935 		wdev->ps = state;
11936 	return err;
11937 }
11938 
11939 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11940 {
11941 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11942 	enum nl80211_ps_state ps_state;
11943 	struct wireless_dev *wdev;
11944 	struct net_device *dev = info->user_ptr[1];
11945 	struct sk_buff *msg;
11946 	void *hdr;
11947 	int err;
11948 
11949 	wdev = dev->ieee80211_ptr;
11950 
11951 	if (!rdev->ops->set_power_mgmt)
11952 		return -EOPNOTSUPP;
11953 
11954 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11955 	if (!msg)
11956 		return -ENOMEM;
11957 
11958 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11959 			     NL80211_CMD_GET_POWER_SAVE);
11960 	if (!hdr) {
11961 		err = -ENOBUFS;
11962 		goto free_msg;
11963 	}
11964 
11965 	if (wdev->ps)
11966 		ps_state = NL80211_PS_ENABLED;
11967 	else
11968 		ps_state = NL80211_PS_DISABLED;
11969 
11970 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11971 		goto nla_put_failure;
11972 
11973 	genlmsg_end(msg, hdr);
11974 	return genlmsg_reply(msg, info);
11975 
11976  nla_put_failure:
11977 	err = -ENOBUFS;
11978  free_msg:
11979 	nlmsg_free(msg);
11980 	return err;
11981 }
11982 
11983 static const struct nla_policy
11984 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11985 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11986 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11987 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11988 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11989 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11990 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11991 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11992 };
11993 
11994 static int nl80211_set_cqm_txe(struct genl_info *info,
11995 			       u32 rate, u32 pkts, u32 intvl)
11996 {
11997 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11998 	struct net_device *dev = info->user_ptr[1];
11999 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12000 
12001 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12002 		return -EINVAL;
12003 
12004 	if (!rdev->ops->set_cqm_txe_config)
12005 		return -EOPNOTSUPP;
12006 
12007 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12008 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12009 		return -EOPNOTSUPP;
12010 
12011 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12012 }
12013 
12014 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12015 				    struct net_device *dev)
12016 {
12017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12018 	s32 last, low, high;
12019 	u32 hyst;
12020 	int i, n, low_index;
12021 	int err;
12022 
12023 	/* RSSI reporting disabled? */
12024 	if (!wdev->cqm_config)
12025 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12026 
12027 	/*
12028 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12029 	 * event has been received yet, we should receive an event after a
12030 	 * connection is established and enough beacons received to calculate
12031 	 * the average.
12032 	 */
12033 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
12034 	    rdev->ops->get_station) {
12035 		struct station_info sinfo = {};
12036 		u8 *mac_addr;
12037 
12038 		mac_addr = wdev->current_bss->pub.bssid;
12039 
12040 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12041 		if (err)
12042 			return err;
12043 
12044 		cfg80211_sinfo_release_content(&sinfo);
12045 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12046 			wdev->cqm_config->last_rssi_event_value =
12047 				(s8) sinfo.rx_beacon_signal_avg;
12048 	}
12049 
12050 	last = wdev->cqm_config->last_rssi_event_value;
12051 	hyst = wdev->cqm_config->rssi_hyst;
12052 	n = wdev->cqm_config->n_rssi_thresholds;
12053 
12054 	for (i = 0; i < n; i++) {
12055 		i = array_index_nospec(i, n);
12056 		if (last < wdev->cqm_config->rssi_thresholds[i])
12057 			break;
12058 	}
12059 
12060 	low_index = i - 1;
12061 	if (low_index >= 0) {
12062 		low_index = array_index_nospec(low_index, n);
12063 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12064 	} else {
12065 		low = S32_MIN;
12066 	}
12067 	if (i < n) {
12068 		i = array_index_nospec(i, n);
12069 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12070 	} else {
12071 		high = S32_MAX;
12072 	}
12073 
12074 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12075 }
12076 
12077 static int nl80211_set_cqm_rssi(struct genl_info *info,
12078 				const s32 *thresholds, int n_thresholds,
12079 				u32 hysteresis)
12080 {
12081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12082 	struct net_device *dev = info->user_ptr[1];
12083 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12084 	int i, err;
12085 	s32 prev = S32_MIN;
12086 
12087 	/* Check all values negative and sorted */
12088 	for (i = 0; i < n_thresholds; i++) {
12089 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12090 			return -EINVAL;
12091 
12092 		prev = thresholds[i];
12093 	}
12094 
12095 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12096 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12097 		return -EOPNOTSUPP;
12098 
12099 	wdev_lock(wdev);
12100 	cfg80211_cqm_config_free(wdev);
12101 	wdev_unlock(wdev);
12102 
12103 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12104 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12105 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12106 
12107 		return rdev_set_cqm_rssi_config(rdev, dev,
12108 						thresholds[0], hysteresis);
12109 	}
12110 
12111 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12112 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12113 		return -EOPNOTSUPP;
12114 
12115 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12116 		n_thresholds = 0;
12117 
12118 	wdev_lock(wdev);
12119 	if (n_thresholds) {
12120 		struct cfg80211_cqm_config *cqm_config;
12121 
12122 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12123 						 n_thresholds),
12124 				     GFP_KERNEL);
12125 		if (!cqm_config) {
12126 			err = -ENOMEM;
12127 			goto unlock;
12128 		}
12129 
12130 		cqm_config->rssi_hyst = hysteresis;
12131 		cqm_config->n_rssi_thresholds = n_thresholds;
12132 		memcpy(cqm_config->rssi_thresholds, thresholds,
12133 		       flex_array_size(cqm_config, rssi_thresholds,
12134 				       n_thresholds));
12135 
12136 		wdev->cqm_config = cqm_config;
12137 	}
12138 
12139 	err = cfg80211_cqm_rssi_update(rdev, dev);
12140 
12141 unlock:
12142 	wdev_unlock(wdev);
12143 
12144 	return err;
12145 }
12146 
12147 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12148 {
12149 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12150 	struct nlattr *cqm;
12151 	int err;
12152 
12153 	cqm = info->attrs[NL80211_ATTR_CQM];
12154 	if (!cqm)
12155 		return -EINVAL;
12156 
12157 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12158 					  nl80211_attr_cqm_policy,
12159 					  info->extack);
12160 	if (err)
12161 		return err;
12162 
12163 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12164 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12165 		const s32 *thresholds =
12166 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12167 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12168 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12169 
12170 		if (len % 4)
12171 			return -EINVAL;
12172 
12173 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12174 					    hysteresis);
12175 	}
12176 
12177 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12178 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12179 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12180 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12181 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12182 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12183 
12184 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12185 	}
12186 
12187 	return -EINVAL;
12188 }
12189 
12190 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12191 {
12192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12193 	struct net_device *dev = info->user_ptr[1];
12194 	struct ocb_setup setup = {};
12195 	int err;
12196 
12197 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12198 	if (err)
12199 		return err;
12200 
12201 	return cfg80211_join_ocb(rdev, dev, &setup);
12202 }
12203 
12204 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12205 {
12206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12207 	struct net_device *dev = info->user_ptr[1];
12208 
12209 	return cfg80211_leave_ocb(rdev, dev);
12210 }
12211 
12212 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12213 {
12214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12215 	struct net_device *dev = info->user_ptr[1];
12216 	struct mesh_config cfg;
12217 	struct mesh_setup setup;
12218 	int err;
12219 
12220 	/* start with default */
12221 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12222 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12223 
12224 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12225 		/* and parse parameters if given */
12226 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12227 		if (err)
12228 			return err;
12229 	}
12230 
12231 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12232 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12233 		return -EINVAL;
12234 
12235 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12236 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12237 
12238 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12239 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12240 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12241 			return -EINVAL;
12242 
12243 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12244 		setup.beacon_interval =
12245 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12246 
12247 		err = cfg80211_validate_beacon_int(rdev,
12248 						   NL80211_IFTYPE_MESH_POINT,
12249 						   setup.beacon_interval);
12250 		if (err)
12251 			return err;
12252 	}
12253 
12254 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12255 		setup.dtim_period =
12256 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12257 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12258 			return -EINVAL;
12259 	}
12260 
12261 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12262 		/* parse additional setup parameters if given */
12263 		err = nl80211_parse_mesh_setup(info, &setup);
12264 		if (err)
12265 			return err;
12266 	}
12267 
12268 	if (setup.user_mpm)
12269 		cfg.auto_open_plinks = false;
12270 
12271 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12272 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12273 		if (err)
12274 			return err;
12275 	} else {
12276 		/* __cfg80211_join_mesh() will sort it out */
12277 		setup.chandef.chan = NULL;
12278 	}
12279 
12280 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12281 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12282 		int n_rates =
12283 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12284 		struct ieee80211_supported_band *sband;
12285 
12286 		if (!setup.chandef.chan)
12287 			return -EINVAL;
12288 
12289 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12290 
12291 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12292 					     &setup.basic_rates);
12293 		if (err)
12294 			return err;
12295 	}
12296 
12297 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12298 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12299 						    NL80211_ATTR_TX_RATES,
12300 						    &setup.beacon_rate,
12301 						    dev, false);
12302 		if (err)
12303 			return err;
12304 
12305 		if (!setup.chandef.chan)
12306 			return -EINVAL;
12307 
12308 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12309 					      &setup.beacon_rate);
12310 		if (err)
12311 			return err;
12312 	}
12313 
12314 	setup.userspace_handles_dfs =
12315 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12316 
12317 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12318 		int r = validate_pae_over_nl80211(rdev, info);
12319 
12320 		if (r < 0)
12321 			return r;
12322 
12323 		setup.control_port_over_nl80211 = true;
12324 	}
12325 
12326 	wdev_lock(dev->ieee80211_ptr);
12327 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12328 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12329 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12330 	wdev_unlock(dev->ieee80211_ptr);
12331 
12332 	return err;
12333 }
12334 
12335 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12336 {
12337 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12338 	struct net_device *dev = info->user_ptr[1];
12339 
12340 	return cfg80211_leave_mesh(rdev, dev);
12341 }
12342 
12343 #ifdef CONFIG_PM
12344 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12345 					struct cfg80211_registered_device *rdev)
12346 {
12347 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12348 	struct nlattr *nl_pats, *nl_pat;
12349 	int i, pat_len;
12350 
12351 	if (!wowlan->n_patterns)
12352 		return 0;
12353 
12354 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12355 	if (!nl_pats)
12356 		return -ENOBUFS;
12357 
12358 	for (i = 0; i < wowlan->n_patterns; i++) {
12359 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12360 		if (!nl_pat)
12361 			return -ENOBUFS;
12362 		pat_len = wowlan->patterns[i].pattern_len;
12363 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12364 			    wowlan->patterns[i].mask) ||
12365 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12366 			    wowlan->patterns[i].pattern) ||
12367 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12368 				wowlan->patterns[i].pkt_offset))
12369 			return -ENOBUFS;
12370 		nla_nest_end(msg, nl_pat);
12371 	}
12372 	nla_nest_end(msg, nl_pats);
12373 
12374 	return 0;
12375 }
12376 
12377 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12378 				   struct cfg80211_wowlan_tcp *tcp)
12379 {
12380 	struct nlattr *nl_tcp;
12381 
12382 	if (!tcp)
12383 		return 0;
12384 
12385 	nl_tcp = nla_nest_start_noflag(msg,
12386 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12387 	if (!nl_tcp)
12388 		return -ENOBUFS;
12389 
12390 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12391 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12392 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12393 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12394 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12395 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12396 		    tcp->payload_len, tcp->payload) ||
12397 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12398 			tcp->data_interval) ||
12399 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12400 		    tcp->wake_len, tcp->wake_data) ||
12401 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12402 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12403 		return -ENOBUFS;
12404 
12405 	if (tcp->payload_seq.len &&
12406 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12407 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12408 		return -ENOBUFS;
12409 
12410 	if (tcp->payload_tok.len &&
12411 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12412 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12413 		    &tcp->payload_tok))
12414 		return -ENOBUFS;
12415 
12416 	nla_nest_end(msg, nl_tcp);
12417 
12418 	return 0;
12419 }
12420 
12421 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12422 				  struct cfg80211_sched_scan_request *req)
12423 {
12424 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12425 	int i;
12426 
12427 	if (!req)
12428 		return 0;
12429 
12430 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12431 	if (!nd)
12432 		return -ENOBUFS;
12433 
12434 	if (req->n_scan_plans == 1 &&
12435 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12436 			req->scan_plans[0].interval * 1000))
12437 		return -ENOBUFS;
12438 
12439 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12440 		return -ENOBUFS;
12441 
12442 	if (req->relative_rssi_set) {
12443 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12444 
12445 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12446 			       req->relative_rssi))
12447 			return -ENOBUFS;
12448 
12449 		rssi_adjust.band = req->rssi_adjust.band;
12450 		rssi_adjust.delta = req->rssi_adjust.delta;
12451 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12452 			    sizeof(rssi_adjust), &rssi_adjust))
12453 			return -ENOBUFS;
12454 	}
12455 
12456 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12457 	if (!freqs)
12458 		return -ENOBUFS;
12459 
12460 	for (i = 0; i < req->n_channels; i++) {
12461 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12462 			return -ENOBUFS;
12463 	}
12464 
12465 	nla_nest_end(msg, freqs);
12466 
12467 	if (req->n_match_sets) {
12468 		matches = nla_nest_start_noflag(msg,
12469 						NL80211_ATTR_SCHED_SCAN_MATCH);
12470 		if (!matches)
12471 			return -ENOBUFS;
12472 
12473 		for (i = 0; i < req->n_match_sets; i++) {
12474 			match = nla_nest_start_noflag(msg, i);
12475 			if (!match)
12476 				return -ENOBUFS;
12477 
12478 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12479 				    req->match_sets[i].ssid.ssid_len,
12480 				    req->match_sets[i].ssid.ssid))
12481 				return -ENOBUFS;
12482 			nla_nest_end(msg, match);
12483 		}
12484 		nla_nest_end(msg, matches);
12485 	}
12486 
12487 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12488 	if (!scan_plans)
12489 		return -ENOBUFS;
12490 
12491 	for (i = 0; i < req->n_scan_plans; i++) {
12492 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12493 		if (!scan_plan)
12494 			return -ENOBUFS;
12495 
12496 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12497 				req->scan_plans[i].interval) ||
12498 		    (req->scan_plans[i].iterations &&
12499 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12500 				 req->scan_plans[i].iterations)))
12501 			return -ENOBUFS;
12502 		nla_nest_end(msg, scan_plan);
12503 	}
12504 	nla_nest_end(msg, scan_plans);
12505 
12506 	nla_nest_end(msg, nd);
12507 
12508 	return 0;
12509 }
12510 
12511 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12512 {
12513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12514 	struct sk_buff *msg;
12515 	void *hdr;
12516 	u32 size = NLMSG_DEFAULT_SIZE;
12517 
12518 	if (!rdev->wiphy.wowlan)
12519 		return -EOPNOTSUPP;
12520 
12521 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12522 		/* adjust size to have room for all the data */
12523 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12524 			rdev->wiphy.wowlan_config->tcp->payload_len +
12525 			rdev->wiphy.wowlan_config->tcp->wake_len +
12526 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12527 	}
12528 
12529 	msg = nlmsg_new(size, GFP_KERNEL);
12530 	if (!msg)
12531 		return -ENOMEM;
12532 
12533 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12534 			     NL80211_CMD_GET_WOWLAN);
12535 	if (!hdr)
12536 		goto nla_put_failure;
12537 
12538 	if (rdev->wiphy.wowlan_config) {
12539 		struct nlattr *nl_wowlan;
12540 
12541 		nl_wowlan = nla_nest_start_noflag(msg,
12542 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12543 		if (!nl_wowlan)
12544 			goto nla_put_failure;
12545 
12546 		if ((rdev->wiphy.wowlan_config->any &&
12547 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12548 		    (rdev->wiphy.wowlan_config->disconnect &&
12549 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12550 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12551 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12552 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12553 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12554 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12555 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12556 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12557 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12558 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12559 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12560 			goto nla_put_failure;
12561 
12562 		if (nl80211_send_wowlan_patterns(msg, rdev))
12563 			goto nla_put_failure;
12564 
12565 		if (nl80211_send_wowlan_tcp(msg,
12566 					    rdev->wiphy.wowlan_config->tcp))
12567 			goto nla_put_failure;
12568 
12569 		if (nl80211_send_wowlan_nd(
12570 			    msg,
12571 			    rdev->wiphy.wowlan_config->nd_config))
12572 			goto nla_put_failure;
12573 
12574 		nla_nest_end(msg, nl_wowlan);
12575 	}
12576 
12577 	genlmsg_end(msg, hdr);
12578 	return genlmsg_reply(msg, info);
12579 
12580 nla_put_failure:
12581 	nlmsg_free(msg);
12582 	return -ENOBUFS;
12583 }
12584 
12585 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12586 				    struct nlattr *attr,
12587 				    struct cfg80211_wowlan *trig)
12588 {
12589 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12590 	struct cfg80211_wowlan_tcp *cfg;
12591 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12592 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12593 	u32 size;
12594 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12595 	int err, port;
12596 
12597 	if (!rdev->wiphy.wowlan->tcp)
12598 		return -EINVAL;
12599 
12600 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12601 					  nl80211_wowlan_tcp_policy, NULL);
12602 	if (err)
12603 		return err;
12604 
12605 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12606 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12607 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12608 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12609 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12610 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12611 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12612 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12613 		return -EINVAL;
12614 
12615 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12616 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12617 		return -EINVAL;
12618 
12619 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12620 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12621 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12622 		return -EINVAL;
12623 
12624 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12625 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12626 		return -EINVAL;
12627 
12628 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12629 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12630 		return -EINVAL;
12631 
12632 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12633 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12634 
12635 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12636 		tokens_size = tokln - sizeof(*tok);
12637 
12638 		if (!tok->len || tokens_size % tok->len)
12639 			return -EINVAL;
12640 		if (!rdev->wiphy.wowlan->tcp->tok)
12641 			return -EINVAL;
12642 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12643 			return -EINVAL;
12644 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12645 			return -EINVAL;
12646 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12647 			return -EINVAL;
12648 		if (tok->offset + tok->len > data_size)
12649 			return -EINVAL;
12650 	}
12651 
12652 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12653 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12654 		if (!rdev->wiphy.wowlan->tcp->seq)
12655 			return -EINVAL;
12656 		if (seq->len == 0 || seq->len > 4)
12657 			return -EINVAL;
12658 		if (seq->len + seq->offset > data_size)
12659 			return -EINVAL;
12660 	}
12661 
12662 	size = sizeof(*cfg);
12663 	size += data_size;
12664 	size += wake_size + wake_mask_size;
12665 	size += tokens_size;
12666 
12667 	cfg = kzalloc(size, GFP_KERNEL);
12668 	if (!cfg)
12669 		return -ENOMEM;
12670 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12671 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12672 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12673 	       ETH_ALEN);
12674 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12675 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12676 	else
12677 		port = 0;
12678 #ifdef CONFIG_INET
12679 	/* allocate a socket and port for it and use it */
12680 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12681 			    IPPROTO_TCP, &cfg->sock, 1);
12682 	if (err) {
12683 		kfree(cfg);
12684 		return err;
12685 	}
12686 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12687 		sock_release(cfg->sock);
12688 		kfree(cfg);
12689 		return -EADDRINUSE;
12690 	}
12691 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12692 #else
12693 	if (!port) {
12694 		kfree(cfg);
12695 		return -EINVAL;
12696 	}
12697 	cfg->src_port = port;
12698 #endif
12699 
12700 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12701 	cfg->payload_len = data_size;
12702 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12703 	memcpy((void *)cfg->payload,
12704 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12705 	       data_size);
12706 	if (seq)
12707 		cfg->payload_seq = *seq;
12708 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12709 	cfg->wake_len = wake_size;
12710 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12711 	memcpy((void *)cfg->wake_data,
12712 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12713 	       wake_size);
12714 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12715 			 data_size + wake_size;
12716 	memcpy((void *)cfg->wake_mask,
12717 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12718 	       wake_mask_size);
12719 	if (tok) {
12720 		cfg->tokens_size = tokens_size;
12721 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12722 	}
12723 
12724 	trig->tcp = cfg;
12725 
12726 	return 0;
12727 }
12728 
12729 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12730 				   const struct wiphy_wowlan_support *wowlan,
12731 				   struct nlattr *attr,
12732 				   struct cfg80211_wowlan *trig)
12733 {
12734 	struct nlattr **tb;
12735 	int err;
12736 
12737 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12738 	if (!tb)
12739 		return -ENOMEM;
12740 
12741 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12742 		err = -EOPNOTSUPP;
12743 		goto out;
12744 	}
12745 
12746 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12747 					  nl80211_policy, NULL);
12748 	if (err)
12749 		goto out;
12750 
12751 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12752 						   wowlan->max_nd_match_sets);
12753 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12754 	if (err)
12755 		trig->nd_config = NULL;
12756 
12757 out:
12758 	kfree(tb);
12759 	return err;
12760 }
12761 
12762 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12763 {
12764 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12765 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12766 	struct cfg80211_wowlan new_triggers = {};
12767 	struct cfg80211_wowlan *ntrig;
12768 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12769 	int err, i;
12770 	bool prev_enabled = rdev->wiphy.wowlan_config;
12771 	bool regular = false;
12772 
12773 	if (!wowlan)
12774 		return -EOPNOTSUPP;
12775 
12776 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12777 		cfg80211_rdev_free_wowlan(rdev);
12778 		rdev->wiphy.wowlan_config = NULL;
12779 		goto set_wakeup;
12780 	}
12781 
12782 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12783 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12784 					  nl80211_wowlan_policy, info->extack);
12785 	if (err)
12786 		return err;
12787 
12788 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12789 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12790 			return -EINVAL;
12791 		new_triggers.any = true;
12792 	}
12793 
12794 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12795 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12796 			return -EINVAL;
12797 		new_triggers.disconnect = true;
12798 		regular = true;
12799 	}
12800 
12801 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12802 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12803 			return -EINVAL;
12804 		new_triggers.magic_pkt = true;
12805 		regular = true;
12806 	}
12807 
12808 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12809 		return -EINVAL;
12810 
12811 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12812 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12813 			return -EINVAL;
12814 		new_triggers.gtk_rekey_failure = true;
12815 		regular = true;
12816 	}
12817 
12818 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12819 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12820 			return -EINVAL;
12821 		new_triggers.eap_identity_req = true;
12822 		regular = true;
12823 	}
12824 
12825 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12826 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12827 			return -EINVAL;
12828 		new_triggers.four_way_handshake = true;
12829 		regular = true;
12830 	}
12831 
12832 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12833 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12834 			return -EINVAL;
12835 		new_triggers.rfkill_release = true;
12836 		regular = true;
12837 	}
12838 
12839 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12840 		struct nlattr *pat;
12841 		int n_patterns = 0;
12842 		int rem, pat_len, mask_len, pkt_offset;
12843 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12844 
12845 		regular = true;
12846 
12847 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12848 				    rem)
12849 			n_patterns++;
12850 		if (n_patterns > wowlan->n_patterns)
12851 			return -EINVAL;
12852 
12853 		new_triggers.patterns = kcalloc(n_patterns,
12854 						sizeof(new_triggers.patterns[0]),
12855 						GFP_KERNEL);
12856 		if (!new_triggers.patterns)
12857 			return -ENOMEM;
12858 
12859 		new_triggers.n_patterns = n_patterns;
12860 		i = 0;
12861 
12862 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12863 				    rem) {
12864 			u8 *mask_pat;
12865 
12866 			err = nla_parse_nested_deprecated(pat_tb,
12867 							  MAX_NL80211_PKTPAT,
12868 							  pat,
12869 							  nl80211_packet_pattern_policy,
12870 							  info->extack);
12871 			if (err)
12872 				goto error;
12873 
12874 			err = -EINVAL;
12875 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12876 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12877 				goto error;
12878 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12879 			mask_len = DIV_ROUND_UP(pat_len, 8);
12880 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12881 				goto error;
12882 			if (pat_len > wowlan->pattern_max_len ||
12883 			    pat_len < wowlan->pattern_min_len)
12884 				goto error;
12885 
12886 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12887 				pkt_offset = 0;
12888 			else
12889 				pkt_offset = nla_get_u32(
12890 					pat_tb[NL80211_PKTPAT_OFFSET]);
12891 			if (pkt_offset > wowlan->max_pkt_offset)
12892 				goto error;
12893 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12894 
12895 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12896 			if (!mask_pat) {
12897 				err = -ENOMEM;
12898 				goto error;
12899 			}
12900 			new_triggers.patterns[i].mask = mask_pat;
12901 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12902 			       mask_len);
12903 			mask_pat += mask_len;
12904 			new_triggers.patterns[i].pattern = mask_pat;
12905 			new_triggers.patterns[i].pattern_len = pat_len;
12906 			memcpy(mask_pat,
12907 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12908 			       pat_len);
12909 			i++;
12910 		}
12911 	}
12912 
12913 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12914 		regular = true;
12915 		err = nl80211_parse_wowlan_tcp(
12916 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12917 			&new_triggers);
12918 		if (err)
12919 			goto error;
12920 	}
12921 
12922 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12923 		regular = true;
12924 		err = nl80211_parse_wowlan_nd(
12925 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12926 			&new_triggers);
12927 		if (err)
12928 			goto error;
12929 	}
12930 
12931 	/* The 'any' trigger means the device continues operating more or less
12932 	 * as in its normal operation mode and wakes up the host on most of the
12933 	 * normal interrupts (like packet RX, ...)
12934 	 * It therefore makes little sense to combine with the more constrained
12935 	 * wakeup trigger modes.
12936 	 */
12937 	if (new_triggers.any && regular) {
12938 		err = -EINVAL;
12939 		goto error;
12940 	}
12941 
12942 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12943 	if (!ntrig) {
12944 		err = -ENOMEM;
12945 		goto error;
12946 	}
12947 	cfg80211_rdev_free_wowlan(rdev);
12948 	rdev->wiphy.wowlan_config = ntrig;
12949 
12950  set_wakeup:
12951 	if (rdev->ops->set_wakeup &&
12952 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12953 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12954 
12955 	return 0;
12956  error:
12957 	for (i = 0; i < new_triggers.n_patterns; i++)
12958 		kfree(new_triggers.patterns[i].mask);
12959 	kfree(new_triggers.patterns);
12960 	if (new_triggers.tcp && new_triggers.tcp->sock)
12961 		sock_release(new_triggers.tcp->sock);
12962 	kfree(new_triggers.tcp);
12963 	kfree(new_triggers.nd_config);
12964 	return err;
12965 }
12966 #endif
12967 
12968 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12969 				       struct cfg80211_registered_device *rdev)
12970 {
12971 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12972 	int i, j, pat_len;
12973 	struct cfg80211_coalesce_rules *rule;
12974 
12975 	if (!rdev->coalesce->n_rules)
12976 		return 0;
12977 
12978 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12979 	if (!nl_rules)
12980 		return -ENOBUFS;
12981 
12982 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12983 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12984 		if (!nl_rule)
12985 			return -ENOBUFS;
12986 
12987 		rule = &rdev->coalesce->rules[i];
12988 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12989 				rule->delay))
12990 			return -ENOBUFS;
12991 
12992 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12993 				rule->condition))
12994 			return -ENOBUFS;
12995 
12996 		nl_pats = nla_nest_start_noflag(msg,
12997 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12998 		if (!nl_pats)
12999 			return -ENOBUFS;
13000 
13001 		for (j = 0; j < rule->n_patterns; j++) {
13002 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13003 			if (!nl_pat)
13004 				return -ENOBUFS;
13005 			pat_len = rule->patterns[j].pattern_len;
13006 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13007 				    DIV_ROUND_UP(pat_len, 8),
13008 				    rule->patterns[j].mask) ||
13009 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13010 				    rule->patterns[j].pattern) ||
13011 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13012 					rule->patterns[j].pkt_offset))
13013 				return -ENOBUFS;
13014 			nla_nest_end(msg, nl_pat);
13015 		}
13016 		nla_nest_end(msg, nl_pats);
13017 		nla_nest_end(msg, nl_rule);
13018 	}
13019 	nla_nest_end(msg, nl_rules);
13020 
13021 	return 0;
13022 }
13023 
13024 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13025 {
13026 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13027 	struct sk_buff *msg;
13028 	void *hdr;
13029 
13030 	if (!rdev->wiphy.coalesce)
13031 		return -EOPNOTSUPP;
13032 
13033 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13034 	if (!msg)
13035 		return -ENOMEM;
13036 
13037 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13038 			     NL80211_CMD_GET_COALESCE);
13039 	if (!hdr)
13040 		goto nla_put_failure;
13041 
13042 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13043 		goto nla_put_failure;
13044 
13045 	genlmsg_end(msg, hdr);
13046 	return genlmsg_reply(msg, info);
13047 
13048 nla_put_failure:
13049 	nlmsg_free(msg);
13050 	return -ENOBUFS;
13051 }
13052 
13053 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13054 {
13055 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13056 	int i, j;
13057 	struct cfg80211_coalesce_rules *rule;
13058 
13059 	if (!coalesce)
13060 		return;
13061 
13062 	for (i = 0; i < coalesce->n_rules; i++) {
13063 		rule = &coalesce->rules[i];
13064 		for (j = 0; j < rule->n_patterns; j++)
13065 			kfree(rule->patterns[j].mask);
13066 		kfree(rule->patterns);
13067 	}
13068 	kfree(coalesce->rules);
13069 	kfree(coalesce);
13070 	rdev->coalesce = NULL;
13071 }
13072 
13073 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13074 				       struct nlattr *rule,
13075 				       struct cfg80211_coalesce_rules *new_rule)
13076 {
13077 	int err, i;
13078 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13079 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13080 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13081 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13082 
13083 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13084 					  rule, nl80211_coalesce_policy, NULL);
13085 	if (err)
13086 		return err;
13087 
13088 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13089 		new_rule->delay =
13090 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13091 	if (new_rule->delay > coalesce->max_delay)
13092 		return -EINVAL;
13093 
13094 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13095 		new_rule->condition =
13096 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13097 
13098 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13099 		return -EINVAL;
13100 
13101 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13102 			    rem)
13103 		n_patterns++;
13104 	if (n_patterns > coalesce->n_patterns)
13105 		return -EINVAL;
13106 
13107 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13108 				     GFP_KERNEL);
13109 	if (!new_rule->patterns)
13110 		return -ENOMEM;
13111 
13112 	new_rule->n_patterns = n_patterns;
13113 	i = 0;
13114 
13115 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13116 			    rem) {
13117 		u8 *mask_pat;
13118 
13119 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13120 						  pat,
13121 						  nl80211_packet_pattern_policy,
13122 						  NULL);
13123 		if (err)
13124 			return err;
13125 
13126 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13127 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13128 			return -EINVAL;
13129 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13130 		mask_len = DIV_ROUND_UP(pat_len, 8);
13131 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13132 			return -EINVAL;
13133 		if (pat_len > coalesce->pattern_max_len ||
13134 		    pat_len < coalesce->pattern_min_len)
13135 			return -EINVAL;
13136 
13137 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13138 			pkt_offset = 0;
13139 		else
13140 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13141 		if (pkt_offset > coalesce->max_pkt_offset)
13142 			return -EINVAL;
13143 		new_rule->patterns[i].pkt_offset = pkt_offset;
13144 
13145 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13146 		if (!mask_pat)
13147 			return -ENOMEM;
13148 
13149 		new_rule->patterns[i].mask = mask_pat;
13150 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13151 		       mask_len);
13152 
13153 		mask_pat += mask_len;
13154 		new_rule->patterns[i].pattern = mask_pat;
13155 		new_rule->patterns[i].pattern_len = pat_len;
13156 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13157 		       pat_len);
13158 		i++;
13159 	}
13160 
13161 	return 0;
13162 }
13163 
13164 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13165 {
13166 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13167 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13168 	struct cfg80211_coalesce new_coalesce = {};
13169 	struct cfg80211_coalesce *n_coalesce;
13170 	int err, rem_rule, n_rules = 0, i, j;
13171 	struct nlattr *rule;
13172 	struct cfg80211_coalesce_rules *tmp_rule;
13173 
13174 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13175 		return -EOPNOTSUPP;
13176 
13177 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13178 		cfg80211_rdev_free_coalesce(rdev);
13179 		rdev_set_coalesce(rdev, NULL);
13180 		return 0;
13181 	}
13182 
13183 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13184 			    rem_rule)
13185 		n_rules++;
13186 	if (n_rules > coalesce->n_rules)
13187 		return -EINVAL;
13188 
13189 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13190 				     GFP_KERNEL);
13191 	if (!new_coalesce.rules)
13192 		return -ENOMEM;
13193 
13194 	new_coalesce.n_rules = n_rules;
13195 	i = 0;
13196 
13197 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13198 			    rem_rule) {
13199 		err = nl80211_parse_coalesce_rule(rdev, rule,
13200 						  &new_coalesce.rules[i]);
13201 		if (err)
13202 			goto error;
13203 
13204 		i++;
13205 	}
13206 
13207 	err = rdev_set_coalesce(rdev, &new_coalesce);
13208 	if (err)
13209 		goto error;
13210 
13211 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13212 	if (!n_coalesce) {
13213 		err = -ENOMEM;
13214 		goto error;
13215 	}
13216 	cfg80211_rdev_free_coalesce(rdev);
13217 	rdev->coalesce = n_coalesce;
13218 
13219 	return 0;
13220 error:
13221 	for (i = 0; i < new_coalesce.n_rules; i++) {
13222 		tmp_rule = &new_coalesce.rules[i];
13223 		for (j = 0; j < tmp_rule->n_patterns; j++)
13224 			kfree(tmp_rule->patterns[j].mask);
13225 		kfree(tmp_rule->patterns);
13226 	}
13227 	kfree(new_coalesce.rules);
13228 
13229 	return err;
13230 }
13231 
13232 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13233 {
13234 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13235 	struct net_device *dev = info->user_ptr[1];
13236 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13237 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13238 	struct cfg80211_gtk_rekey_data rekey_data = {};
13239 	int err;
13240 
13241 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13242 		return -EINVAL;
13243 
13244 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13245 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13246 					  nl80211_rekey_policy, info->extack);
13247 	if (err)
13248 		return err;
13249 
13250 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13251 	    !tb[NL80211_REKEY_DATA_KCK])
13252 		return -EINVAL;
13253 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13254 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13255 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13256 		return -ERANGE;
13257 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13258 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13259 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13260 		return -ERANGE;
13261 
13262 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13263 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13264 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13265 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13266 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13267 	if (tb[NL80211_REKEY_DATA_AKM])
13268 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13269 
13270 	wdev_lock(wdev);
13271 	if (!wdev->current_bss) {
13272 		err = -ENOTCONN;
13273 		goto out;
13274 	}
13275 
13276 	if (!rdev->ops->set_rekey_data) {
13277 		err = -EOPNOTSUPP;
13278 		goto out;
13279 	}
13280 
13281 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13282  out:
13283 	wdev_unlock(wdev);
13284 	return err;
13285 }
13286 
13287 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13288 					     struct genl_info *info)
13289 {
13290 	struct net_device *dev = info->user_ptr[1];
13291 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13292 
13293 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13294 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13295 		return -EINVAL;
13296 
13297 	if (wdev->ap_unexpected_nlportid)
13298 		return -EBUSY;
13299 
13300 	wdev->ap_unexpected_nlportid = info->snd_portid;
13301 	return 0;
13302 }
13303 
13304 static int nl80211_probe_client(struct sk_buff *skb,
13305 				struct genl_info *info)
13306 {
13307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13308 	struct net_device *dev = info->user_ptr[1];
13309 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13310 	struct sk_buff *msg;
13311 	void *hdr;
13312 	const u8 *addr;
13313 	u64 cookie;
13314 	int err;
13315 
13316 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13317 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13318 		return -EOPNOTSUPP;
13319 
13320 	if (!info->attrs[NL80211_ATTR_MAC])
13321 		return -EINVAL;
13322 
13323 	if (!rdev->ops->probe_client)
13324 		return -EOPNOTSUPP;
13325 
13326 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13327 	if (!msg)
13328 		return -ENOMEM;
13329 
13330 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13331 			     NL80211_CMD_PROBE_CLIENT);
13332 	if (!hdr) {
13333 		err = -ENOBUFS;
13334 		goto free_msg;
13335 	}
13336 
13337 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13338 
13339 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13340 	if (err)
13341 		goto free_msg;
13342 
13343 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13344 			      NL80211_ATTR_PAD))
13345 		goto nla_put_failure;
13346 
13347 	genlmsg_end(msg, hdr);
13348 
13349 	return genlmsg_reply(msg, info);
13350 
13351  nla_put_failure:
13352 	err = -ENOBUFS;
13353  free_msg:
13354 	nlmsg_free(msg);
13355 	return err;
13356 }
13357 
13358 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13359 {
13360 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13361 	struct cfg80211_beacon_registration *reg, *nreg;
13362 	int rv;
13363 
13364 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13365 		return -EOPNOTSUPP;
13366 
13367 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13368 	if (!nreg)
13369 		return -ENOMEM;
13370 
13371 	/* First, check if already registered. */
13372 	spin_lock_bh(&rdev->beacon_registrations_lock);
13373 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13374 		if (reg->nlportid == info->snd_portid) {
13375 			rv = -EALREADY;
13376 			goto out_err;
13377 		}
13378 	}
13379 	/* Add it to the list */
13380 	nreg->nlportid = info->snd_portid;
13381 	list_add(&nreg->list, &rdev->beacon_registrations);
13382 
13383 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13384 
13385 	return 0;
13386 out_err:
13387 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13388 	kfree(nreg);
13389 	return rv;
13390 }
13391 
13392 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13393 {
13394 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13395 	struct wireless_dev *wdev = info->user_ptr[1];
13396 	int err;
13397 
13398 	if (!rdev->ops->start_p2p_device)
13399 		return -EOPNOTSUPP;
13400 
13401 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13402 		return -EOPNOTSUPP;
13403 
13404 	if (wdev_running(wdev))
13405 		return 0;
13406 
13407 	if (rfkill_blocked(rdev->wiphy.rfkill))
13408 		return -ERFKILL;
13409 
13410 	err = rdev_start_p2p_device(rdev, wdev);
13411 	if (err)
13412 		return err;
13413 
13414 	wdev->is_running = true;
13415 	rdev->opencount++;
13416 
13417 	return 0;
13418 }
13419 
13420 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13421 {
13422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13423 	struct wireless_dev *wdev = info->user_ptr[1];
13424 
13425 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13426 		return -EOPNOTSUPP;
13427 
13428 	if (!rdev->ops->stop_p2p_device)
13429 		return -EOPNOTSUPP;
13430 
13431 	cfg80211_stop_p2p_device(rdev, wdev);
13432 
13433 	return 0;
13434 }
13435 
13436 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13437 {
13438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13439 	struct wireless_dev *wdev = info->user_ptr[1];
13440 	struct cfg80211_nan_conf conf = {};
13441 	int err;
13442 
13443 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13444 		return -EOPNOTSUPP;
13445 
13446 	if (wdev_running(wdev))
13447 		return -EEXIST;
13448 
13449 	if (rfkill_blocked(rdev->wiphy.rfkill))
13450 		return -ERFKILL;
13451 
13452 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13453 		return -EINVAL;
13454 
13455 	conf.master_pref =
13456 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13457 
13458 	if (info->attrs[NL80211_ATTR_BANDS]) {
13459 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13460 
13461 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13462 			return -EOPNOTSUPP;
13463 
13464 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13465 			return -EINVAL;
13466 
13467 		conf.bands = bands;
13468 	}
13469 
13470 	err = rdev_start_nan(rdev, wdev, &conf);
13471 	if (err)
13472 		return err;
13473 
13474 	wdev->is_running = true;
13475 	rdev->opencount++;
13476 
13477 	return 0;
13478 }
13479 
13480 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13481 {
13482 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13483 	struct wireless_dev *wdev = info->user_ptr[1];
13484 
13485 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13486 		return -EOPNOTSUPP;
13487 
13488 	cfg80211_stop_nan(rdev, wdev);
13489 
13490 	return 0;
13491 }
13492 
13493 static int validate_nan_filter(struct nlattr *filter_attr)
13494 {
13495 	struct nlattr *attr;
13496 	int len = 0, n_entries = 0, rem;
13497 
13498 	nla_for_each_nested(attr, filter_attr, rem) {
13499 		len += nla_len(attr);
13500 		n_entries++;
13501 	}
13502 
13503 	if (len >= U8_MAX)
13504 		return -EINVAL;
13505 
13506 	return n_entries;
13507 }
13508 
13509 static int handle_nan_filter(struct nlattr *attr_filter,
13510 			     struct cfg80211_nan_func *func,
13511 			     bool tx)
13512 {
13513 	struct nlattr *attr;
13514 	int n_entries, rem, i;
13515 	struct cfg80211_nan_func_filter *filter;
13516 
13517 	n_entries = validate_nan_filter(attr_filter);
13518 	if (n_entries < 0)
13519 		return n_entries;
13520 
13521 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13522 
13523 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13524 	if (!filter)
13525 		return -ENOMEM;
13526 
13527 	i = 0;
13528 	nla_for_each_nested(attr, attr_filter, rem) {
13529 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13530 		if (!filter[i].filter)
13531 			goto err;
13532 
13533 		filter[i].len = nla_len(attr);
13534 		i++;
13535 	}
13536 	if (tx) {
13537 		func->num_tx_filters = n_entries;
13538 		func->tx_filters = filter;
13539 	} else {
13540 		func->num_rx_filters = n_entries;
13541 		func->rx_filters = filter;
13542 	}
13543 
13544 	return 0;
13545 
13546 err:
13547 	i = 0;
13548 	nla_for_each_nested(attr, attr_filter, rem) {
13549 		kfree(filter[i].filter);
13550 		i++;
13551 	}
13552 	kfree(filter);
13553 	return -ENOMEM;
13554 }
13555 
13556 static int nl80211_nan_add_func(struct sk_buff *skb,
13557 				struct genl_info *info)
13558 {
13559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13560 	struct wireless_dev *wdev = info->user_ptr[1];
13561 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13562 	struct cfg80211_nan_func *func;
13563 	struct sk_buff *msg = NULL;
13564 	void *hdr = NULL;
13565 	int err = 0;
13566 
13567 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13568 		return -EOPNOTSUPP;
13569 
13570 	if (!wdev_running(wdev))
13571 		return -ENOTCONN;
13572 
13573 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13574 		return -EINVAL;
13575 
13576 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13577 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13578 					  nl80211_nan_func_policy,
13579 					  info->extack);
13580 	if (err)
13581 		return err;
13582 
13583 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13584 	if (!func)
13585 		return -ENOMEM;
13586 
13587 	func->cookie = cfg80211_assign_cookie(rdev);
13588 
13589 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13590 		err = -EINVAL;
13591 		goto out;
13592 	}
13593 
13594 
13595 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13596 
13597 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13598 		err = -EINVAL;
13599 		goto out;
13600 	}
13601 
13602 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13603 	       sizeof(func->service_id));
13604 
13605 	func->close_range =
13606 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13607 
13608 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13609 		func->serv_spec_info_len =
13610 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13611 		func->serv_spec_info =
13612 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13613 				func->serv_spec_info_len,
13614 				GFP_KERNEL);
13615 		if (!func->serv_spec_info) {
13616 			err = -ENOMEM;
13617 			goto out;
13618 		}
13619 	}
13620 
13621 	if (tb[NL80211_NAN_FUNC_TTL])
13622 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13623 
13624 	switch (func->type) {
13625 	case NL80211_NAN_FUNC_PUBLISH:
13626 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13627 			err = -EINVAL;
13628 			goto out;
13629 		}
13630 
13631 		func->publish_type =
13632 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13633 		func->publish_bcast =
13634 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13635 
13636 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13637 			func->publish_bcast) {
13638 			err = -EINVAL;
13639 			goto out;
13640 		}
13641 		break;
13642 	case NL80211_NAN_FUNC_SUBSCRIBE:
13643 		func->subscribe_active =
13644 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13645 		break;
13646 	case NL80211_NAN_FUNC_FOLLOW_UP:
13647 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13648 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13649 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13650 			err = -EINVAL;
13651 			goto out;
13652 		}
13653 
13654 		func->followup_id =
13655 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13656 		func->followup_reqid =
13657 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13658 		memcpy(func->followup_dest.addr,
13659 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13660 		       sizeof(func->followup_dest.addr));
13661 		if (func->ttl) {
13662 			err = -EINVAL;
13663 			goto out;
13664 		}
13665 		break;
13666 	default:
13667 		err = -EINVAL;
13668 		goto out;
13669 	}
13670 
13671 	if (tb[NL80211_NAN_FUNC_SRF]) {
13672 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13673 
13674 		err = nla_parse_nested_deprecated(srf_tb,
13675 						  NL80211_NAN_SRF_ATTR_MAX,
13676 						  tb[NL80211_NAN_FUNC_SRF],
13677 						  nl80211_nan_srf_policy,
13678 						  info->extack);
13679 		if (err)
13680 			goto out;
13681 
13682 		func->srf_include =
13683 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13684 
13685 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13686 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13687 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13688 				err = -EINVAL;
13689 				goto out;
13690 			}
13691 
13692 			func->srf_bf_len =
13693 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13694 			func->srf_bf =
13695 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13696 					func->srf_bf_len, GFP_KERNEL);
13697 			if (!func->srf_bf) {
13698 				err = -ENOMEM;
13699 				goto out;
13700 			}
13701 
13702 			func->srf_bf_idx =
13703 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13704 		} else {
13705 			struct nlattr *attr, *mac_attr =
13706 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13707 			int n_entries, rem, i = 0;
13708 
13709 			if (!mac_attr) {
13710 				err = -EINVAL;
13711 				goto out;
13712 			}
13713 
13714 			n_entries = validate_acl_mac_addrs(mac_attr);
13715 			if (n_entries <= 0) {
13716 				err = -EINVAL;
13717 				goto out;
13718 			}
13719 
13720 			func->srf_num_macs = n_entries;
13721 			func->srf_macs =
13722 				kcalloc(n_entries, sizeof(*func->srf_macs),
13723 					GFP_KERNEL);
13724 			if (!func->srf_macs) {
13725 				err = -ENOMEM;
13726 				goto out;
13727 			}
13728 
13729 			nla_for_each_nested(attr, mac_attr, rem)
13730 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13731 				       sizeof(*func->srf_macs));
13732 		}
13733 	}
13734 
13735 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13736 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13737 					func, true);
13738 		if (err)
13739 			goto out;
13740 	}
13741 
13742 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13743 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13744 					func, false);
13745 		if (err)
13746 			goto out;
13747 	}
13748 
13749 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13750 	if (!msg) {
13751 		err = -ENOMEM;
13752 		goto out;
13753 	}
13754 
13755 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13756 			     NL80211_CMD_ADD_NAN_FUNCTION);
13757 	/* This can't really happen - we just allocated 4KB */
13758 	if (WARN_ON(!hdr)) {
13759 		err = -ENOMEM;
13760 		goto out;
13761 	}
13762 
13763 	err = rdev_add_nan_func(rdev, wdev, func);
13764 out:
13765 	if (err < 0) {
13766 		cfg80211_free_nan_func(func);
13767 		nlmsg_free(msg);
13768 		return err;
13769 	}
13770 
13771 	/* propagate the instance id and cookie to userspace  */
13772 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13773 			      NL80211_ATTR_PAD))
13774 		goto nla_put_failure;
13775 
13776 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13777 	if (!func_attr)
13778 		goto nla_put_failure;
13779 
13780 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13781 		       func->instance_id))
13782 		goto nla_put_failure;
13783 
13784 	nla_nest_end(msg, func_attr);
13785 
13786 	genlmsg_end(msg, hdr);
13787 	return genlmsg_reply(msg, info);
13788 
13789 nla_put_failure:
13790 	nlmsg_free(msg);
13791 	return -ENOBUFS;
13792 }
13793 
13794 static int nl80211_nan_del_func(struct sk_buff *skb,
13795 			       struct genl_info *info)
13796 {
13797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13798 	struct wireless_dev *wdev = info->user_ptr[1];
13799 	u64 cookie;
13800 
13801 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13802 		return -EOPNOTSUPP;
13803 
13804 	if (!wdev_running(wdev))
13805 		return -ENOTCONN;
13806 
13807 	if (!info->attrs[NL80211_ATTR_COOKIE])
13808 		return -EINVAL;
13809 
13810 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13811 
13812 	rdev_del_nan_func(rdev, wdev, cookie);
13813 
13814 	return 0;
13815 }
13816 
13817 static int nl80211_nan_change_config(struct sk_buff *skb,
13818 				     struct genl_info *info)
13819 {
13820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13821 	struct wireless_dev *wdev = info->user_ptr[1];
13822 	struct cfg80211_nan_conf conf = {};
13823 	u32 changed = 0;
13824 
13825 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13826 		return -EOPNOTSUPP;
13827 
13828 	if (!wdev_running(wdev))
13829 		return -ENOTCONN;
13830 
13831 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13832 		conf.master_pref =
13833 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13834 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13835 			return -EINVAL;
13836 
13837 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13838 	}
13839 
13840 	if (info->attrs[NL80211_ATTR_BANDS]) {
13841 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13842 
13843 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13844 			return -EOPNOTSUPP;
13845 
13846 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13847 			return -EINVAL;
13848 
13849 		conf.bands = bands;
13850 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13851 	}
13852 
13853 	if (!changed)
13854 		return -EINVAL;
13855 
13856 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13857 }
13858 
13859 void cfg80211_nan_match(struct wireless_dev *wdev,
13860 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13861 {
13862 	struct wiphy *wiphy = wdev->wiphy;
13863 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13864 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13865 	struct sk_buff *msg;
13866 	void *hdr;
13867 
13868 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13869 		return;
13870 
13871 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13872 	if (!msg)
13873 		return;
13874 
13875 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13876 	if (!hdr) {
13877 		nlmsg_free(msg);
13878 		return;
13879 	}
13880 
13881 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13882 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13883 					 wdev->netdev->ifindex)) ||
13884 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13885 			      NL80211_ATTR_PAD))
13886 		goto nla_put_failure;
13887 
13888 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13889 			      NL80211_ATTR_PAD) ||
13890 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13891 		goto nla_put_failure;
13892 
13893 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13894 	if (!match_attr)
13895 		goto nla_put_failure;
13896 
13897 	local_func_attr = nla_nest_start_noflag(msg,
13898 						NL80211_NAN_MATCH_FUNC_LOCAL);
13899 	if (!local_func_attr)
13900 		goto nla_put_failure;
13901 
13902 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13903 		goto nla_put_failure;
13904 
13905 	nla_nest_end(msg, local_func_attr);
13906 
13907 	peer_func_attr = nla_nest_start_noflag(msg,
13908 					       NL80211_NAN_MATCH_FUNC_PEER);
13909 	if (!peer_func_attr)
13910 		goto nla_put_failure;
13911 
13912 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13913 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13914 		goto nla_put_failure;
13915 
13916 	if (match->info && match->info_len &&
13917 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13918 		    match->info))
13919 		goto nla_put_failure;
13920 
13921 	nla_nest_end(msg, peer_func_attr);
13922 	nla_nest_end(msg, match_attr);
13923 	genlmsg_end(msg, hdr);
13924 
13925 	if (!wdev->owner_nlportid)
13926 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13927 					msg, 0, NL80211_MCGRP_NAN, gfp);
13928 	else
13929 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13930 				wdev->owner_nlportid);
13931 
13932 	return;
13933 
13934 nla_put_failure:
13935 	nlmsg_free(msg);
13936 }
13937 EXPORT_SYMBOL(cfg80211_nan_match);
13938 
13939 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13940 				  u8 inst_id,
13941 				  enum nl80211_nan_func_term_reason reason,
13942 				  u64 cookie, gfp_t gfp)
13943 {
13944 	struct wiphy *wiphy = wdev->wiphy;
13945 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13946 	struct sk_buff *msg;
13947 	struct nlattr *func_attr;
13948 	void *hdr;
13949 
13950 	if (WARN_ON(!inst_id))
13951 		return;
13952 
13953 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13954 	if (!msg)
13955 		return;
13956 
13957 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13958 	if (!hdr) {
13959 		nlmsg_free(msg);
13960 		return;
13961 	}
13962 
13963 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13964 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13965 					 wdev->netdev->ifindex)) ||
13966 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13967 			      NL80211_ATTR_PAD))
13968 		goto nla_put_failure;
13969 
13970 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13971 			      NL80211_ATTR_PAD))
13972 		goto nla_put_failure;
13973 
13974 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13975 	if (!func_attr)
13976 		goto nla_put_failure;
13977 
13978 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13979 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13980 		goto nla_put_failure;
13981 
13982 	nla_nest_end(msg, func_attr);
13983 	genlmsg_end(msg, hdr);
13984 
13985 	if (!wdev->owner_nlportid)
13986 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13987 					msg, 0, NL80211_MCGRP_NAN, gfp);
13988 	else
13989 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13990 				wdev->owner_nlportid);
13991 
13992 	return;
13993 
13994 nla_put_failure:
13995 	nlmsg_free(msg);
13996 }
13997 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13998 
13999 static int nl80211_get_protocol_features(struct sk_buff *skb,
14000 					 struct genl_info *info)
14001 {
14002 	void *hdr;
14003 	struct sk_buff *msg;
14004 
14005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14006 	if (!msg)
14007 		return -ENOMEM;
14008 
14009 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14010 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14011 	if (!hdr)
14012 		goto nla_put_failure;
14013 
14014 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14015 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14016 		goto nla_put_failure;
14017 
14018 	genlmsg_end(msg, hdr);
14019 	return genlmsg_reply(msg, info);
14020 
14021  nla_put_failure:
14022 	kfree_skb(msg);
14023 	return -ENOBUFS;
14024 }
14025 
14026 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14027 {
14028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14029 	struct cfg80211_update_ft_ies_params ft_params;
14030 	struct net_device *dev = info->user_ptr[1];
14031 
14032 	if (!rdev->ops->update_ft_ies)
14033 		return -EOPNOTSUPP;
14034 
14035 	if (!info->attrs[NL80211_ATTR_MDID] ||
14036 	    !info->attrs[NL80211_ATTR_IE])
14037 		return -EINVAL;
14038 
14039 	memset(&ft_params, 0, sizeof(ft_params));
14040 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14041 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14042 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14043 
14044 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14045 }
14046 
14047 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14048 				       struct genl_info *info)
14049 {
14050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14051 	struct wireless_dev *wdev = info->user_ptr[1];
14052 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14053 	u16 duration;
14054 	int ret;
14055 
14056 	if (!rdev->ops->crit_proto_start)
14057 		return -EOPNOTSUPP;
14058 
14059 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14060 		return -EINVAL;
14061 
14062 	if (rdev->crit_proto_nlportid)
14063 		return -EBUSY;
14064 
14065 	/* determine protocol if provided */
14066 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14067 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14068 
14069 	if (proto >= NUM_NL80211_CRIT_PROTO)
14070 		return -EINVAL;
14071 
14072 	/* timeout must be provided */
14073 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14074 		return -EINVAL;
14075 
14076 	duration =
14077 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14078 
14079 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14080 	if (!ret)
14081 		rdev->crit_proto_nlportid = info->snd_portid;
14082 
14083 	return ret;
14084 }
14085 
14086 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14087 				      struct genl_info *info)
14088 {
14089 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14090 	struct wireless_dev *wdev = info->user_ptr[1];
14091 
14092 	if (!rdev->ops->crit_proto_stop)
14093 		return -EOPNOTSUPP;
14094 
14095 	if (rdev->crit_proto_nlportid) {
14096 		rdev->crit_proto_nlportid = 0;
14097 		rdev_crit_proto_stop(rdev, wdev);
14098 	}
14099 	return 0;
14100 }
14101 
14102 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14103 				       struct nlattr *attr,
14104 				       struct netlink_ext_ack *extack)
14105 {
14106 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14107 		if (attr->nla_type & NLA_F_NESTED) {
14108 			NL_SET_ERR_MSG_ATTR(extack, attr,
14109 					    "unexpected nested data");
14110 			return -EINVAL;
14111 		}
14112 
14113 		return 0;
14114 	}
14115 
14116 	if (!(attr->nla_type & NLA_F_NESTED)) {
14117 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14118 		return -EINVAL;
14119 	}
14120 
14121 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14122 }
14123 
14124 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14125 {
14126 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14127 	struct wireless_dev *wdev =
14128 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14129 					   info->attrs);
14130 	int i, err;
14131 	u32 vid, subcmd;
14132 
14133 	if (!rdev->wiphy.vendor_commands)
14134 		return -EOPNOTSUPP;
14135 
14136 	if (IS_ERR(wdev)) {
14137 		err = PTR_ERR(wdev);
14138 		if (err != -EINVAL)
14139 			return err;
14140 		wdev = NULL;
14141 	} else if (wdev->wiphy != &rdev->wiphy) {
14142 		return -EINVAL;
14143 	}
14144 
14145 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14146 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14147 		return -EINVAL;
14148 
14149 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14150 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14151 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14152 		const struct wiphy_vendor_command *vcmd;
14153 		void *data = NULL;
14154 		int len = 0;
14155 
14156 		vcmd = &rdev->wiphy.vendor_commands[i];
14157 
14158 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14159 			continue;
14160 
14161 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14162 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14163 			if (!wdev)
14164 				return -EINVAL;
14165 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14166 			    !wdev->netdev)
14167 				return -EINVAL;
14168 
14169 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14170 				if (!wdev_running(wdev))
14171 					return -ENETDOWN;
14172 			}
14173 		} else {
14174 			wdev = NULL;
14175 		}
14176 
14177 		if (!vcmd->doit)
14178 			return -EOPNOTSUPP;
14179 
14180 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14181 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14182 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14183 
14184 			err = nl80211_vendor_check_policy(vcmd,
14185 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14186 					info->extack);
14187 			if (err)
14188 				return err;
14189 		}
14190 
14191 		rdev->cur_cmd_info = info;
14192 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14193 		rdev->cur_cmd_info = NULL;
14194 		return err;
14195 	}
14196 
14197 	return -EOPNOTSUPP;
14198 }
14199 
14200 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14201 				       struct netlink_callback *cb,
14202 				       struct cfg80211_registered_device **rdev,
14203 				       struct wireless_dev **wdev)
14204 {
14205 	struct nlattr **attrbuf;
14206 	u32 vid, subcmd;
14207 	unsigned int i;
14208 	int vcmd_idx = -1;
14209 	int err;
14210 	void *data = NULL;
14211 	unsigned int data_len = 0;
14212 
14213 	if (cb->args[0]) {
14214 		/* subtract the 1 again here */
14215 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14216 		struct wireless_dev *tmp;
14217 
14218 		if (!wiphy)
14219 			return -ENODEV;
14220 		*rdev = wiphy_to_rdev(wiphy);
14221 		*wdev = NULL;
14222 
14223 		if (cb->args[1]) {
14224 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14225 				if (tmp->identifier == cb->args[1] - 1) {
14226 					*wdev = tmp;
14227 					break;
14228 				}
14229 			}
14230 		}
14231 
14232 		/* keep rtnl locked in successful case */
14233 		return 0;
14234 	}
14235 
14236 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14237 	if (!attrbuf)
14238 		return -ENOMEM;
14239 
14240 	err = nlmsg_parse_deprecated(cb->nlh,
14241 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14242 				     attrbuf, nl80211_fam.maxattr,
14243 				     nl80211_policy, NULL);
14244 	if (err)
14245 		goto out;
14246 
14247 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14248 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14249 		err = -EINVAL;
14250 		goto out;
14251 	}
14252 
14253 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14254 	if (IS_ERR(*wdev))
14255 		*wdev = NULL;
14256 
14257 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14258 	if (IS_ERR(*rdev)) {
14259 		err = PTR_ERR(*rdev);
14260 		goto out;
14261 	}
14262 
14263 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14264 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14265 
14266 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14267 		const struct wiphy_vendor_command *vcmd;
14268 
14269 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14270 
14271 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14272 			continue;
14273 
14274 		if (!vcmd->dumpit) {
14275 			err = -EOPNOTSUPP;
14276 			goto out;
14277 		}
14278 
14279 		vcmd_idx = i;
14280 		break;
14281 	}
14282 
14283 	if (vcmd_idx < 0) {
14284 		err = -EOPNOTSUPP;
14285 		goto out;
14286 	}
14287 
14288 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14289 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14290 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14291 
14292 		err = nl80211_vendor_check_policy(
14293 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14294 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14295 				cb->extack);
14296 		if (err)
14297 			goto out;
14298 	}
14299 
14300 	/* 0 is the first index - add 1 to parse only once */
14301 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14302 	/* add 1 to know if it was NULL */
14303 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14304 	cb->args[2] = vcmd_idx;
14305 	cb->args[3] = (unsigned long)data;
14306 	cb->args[4] = data_len;
14307 
14308 	/* keep rtnl locked in successful case */
14309 	err = 0;
14310 out:
14311 	kfree(attrbuf);
14312 	return err;
14313 }
14314 
14315 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14316 				   struct netlink_callback *cb)
14317 {
14318 	struct cfg80211_registered_device *rdev;
14319 	struct wireless_dev *wdev;
14320 	unsigned int vcmd_idx;
14321 	const struct wiphy_vendor_command *vcmd;
14322 	void *data;
14323 	int data_len;
14324 	int err;
14325 	struct nlattr *vendor_data;
14326 
14327 	rtnl_lock();
14328 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14329 	if (err)
14330 		goto out;
14331 
14332 	vcmd_idx = cb->args[2];
14333 	data = (void *)cb->args[3];
14334 	data_len = cb->args[4];
14335 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14336 
14337 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14338 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14339 		if (!wdev) {
14340 			err = -EINVAL;
14341 			goto out;
14342 		}
14343 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14344 		    !wdev->netdev) {
14345 			err = -EINVAL;
14346 			goto out;
14347 		}
14348 
14349 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14350 			if (!wdev_running(wdev)) {
14351 				err = -ENETDOWN;
14352 				goto out;
14353 			}
14354 		}
14355 	}
14356 
14357 	while (1) {
14358 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14359 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14360 					   NL80211_CMD_VENDOR);
14361 		if (!hdr)
14362 			break;
14363 
14364 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14365 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14366 					       wdev_id(wdev),
14367 					       NL80211_ATTR_PAD))) {
14368 			genlmsg_cancel(skb, hdr);
14369 			break;
14370 		}
14371 
14372 		vendor_data = nla_nest_start_noflag(skb,
14373 						    NL80211_ATTR_VENDOR_DATA);
14374 		if (!vendor_data) {
14375 			genlmsg_cancel(skb, hdr);
14376 			break;
14377 		}
14378 
14379 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14380 				   (unsigned long *)&cb->args[5]);
14381 		nla_nest_end(skb, vendor_data);
14382 
14383 		if (err == -ENOBUFS || err == -ENOENT) {
14384 			genlmsg_cancel(skb, hdr);
14385 			break;
14386 		} else if (err <= 0) {
14387 			genlmsg_cancel(skb, hdr);
14388 			goto out;
14389 		}
14390 
14391 		genlmsg_end(skb, hdr);
14392 	}
14393 
14394 	err = skb->len;
14395  out:
14396 	rtnl_unlock();
14397 	return err;
14398 }
14399 
14400 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14401 					   enum nl80211_commands cmd,
14402 					   enum nl80211_attrs attr,
14403 					   int approxlen)
14404 {
14405 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14406 
14407 	if (WARN_ON(!rdev->cur_cmd_info))
14408 		return NULL;
14409 
14410 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14411 					   rdev->cur_cmd_info->snd_portid,
14412 					   rdev->cur_cmd_info->snd_seq,
14413 					   cmd, attr, NULL, GFP_KERNEL);
14414 }
14415 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14416 
14417 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14418 {
14419 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14420 	void *hdr = ((void **)skb->cb)[1];
14421 	struct nlattr *data = ((void **)skb->cb)[2];
14422 
14423 	/* clear CB data for netlink core to own from now on */
14424 	memset(skb->cb, 0, sizeof(skb->cb));
14425 
14426 	if (WARN_ON(!rdev->cur_cmd_info)) {
14427 		kfree_skb(skb);
14428 		return -EINVAL;
14429 	}
14430 
14431 	nla_nest_end(skb, data);
14432 	genlmsg_end(skb, hdr);
14433 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14434 }
14435 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14436 
14437 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14438 {
14439 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14440 
14441 	if (WARN_ON(!rdev->cur_cmd_info))
14442 		return 0;
14443 
14444 	return rdev->cur_cmd_info->snd_portid;
14445 }
14446 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14447 
14448 static int nl80211_set_qos_map(struct sk_buff *skb,
14449 			       struct genl_info *info)
14450 {
14451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14452 	struct cfg80211_qos_map *qos_map = NULL;
14453 	struct net_device *dev = info->user_ptr[1];
14454 	u8 *pos, len, num_des, des_len, des;
14455 	int ret;
14456 
14457 	if (!rdev->ops->set_qos_map)
14458 		return -EOPNOTSUPP;
14459 
14460 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14461 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14462 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14463 
14464 		if (len % 2)
14465 			return -EINVAL;
14466 
14467 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14468 		if (!qos_map)
14469 			return -ENOMEM;
14470 
14471 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14472 		if (num_des) {
14473 			des_len = num_des *
14474 				sizeof(struct cfg80211_dscp_exception);
14475 			memcpy(qos_map->dscp_exception, pos, des_len);
14476 			qos_map->num_des = num_des;
14477 			for (des = 0; des < num_des; des++) {
14478 				if (qos_map->dscp_exception[des].up > 7) {
14479 					kfree(qos_map);
14480 					return -EINVAL;
14481 				}
14482 			}
14483 			pos += des_len;
14484 		}
14485 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14486 	}
14487 
14488 	wdev_lock(dev->ieee80211_ptr);
14489 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14490 	if (!ret)
14491 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14492 	wdev_unlock(dev->ieee80211_ptr);
14493 
14494 	kfree(qos_map);
14495 	return ret;
14496 }
14497 
14498 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14499 {
14500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14501 	struct net_device *dev = info->user_ptr[1];
14502 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14503 	const u8 *peer;
14504 	u8 tsid, up;
14505 	u16 admitted_time = 0;
14506 	int err;
14507 
14508 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14509 		return -EOPNOTSUPP;
14510 
14511 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14512 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14513 		return -EINVAL;
14514 
14515 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14516 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14517 
14518 	/* WMM uses TIDs 0-7 even for TSPEC */
14519 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14520 		/* TODO: handle 802.11 TSPEC/admission control
14521 		 * need more attributes for that (e.g. BA session requirement);
14522 		 * change the WMM adminssion test above to allow both then
14523 		 */
14524 		return -EINVAL;
14525 	}
14526 
14527 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14528 
14529 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14530 		admitted_time =
14531 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14532 		if (!admitted_time)
14533 			return -EINVAL;
14534 	}
14535 
14536 	wdev_lock(wdev);
14537 	switch (wdev->iftype) {
14538 	case NL80211_IFTYPE_STATION:
14539 	case NL80211_IFTYPE_P2P_CLIENT:
14540 		if (wdev->current_bss)
14541 			break;
14542 		err = -ENOTCONN;
14543 		goto out;
14544 	default:
14545 		err = -EOPNOTSUPP;
14546 		goto out;
14547 	}
14548 
14549 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14550 
14551  out:
14552 	wdev_unlock(wdev);
14553 	return err;
14554 }
14555 
14556 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14557 {
14558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14559 	struct net_device *dev = info->user_ptr[1];
14560 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14561 	const u8 *peer;
14562 	u8 tsid;
14563 	int err;
14564 
14565 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14566 		return -EINVAL;
14567 
14568 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14569 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14570 
14571 	wdev_lock(wdev);
14572 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14573 	wdev_unlock(wdev);
14574 
14575 	return err;
14576 }
14577 
14578 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14579 				       struct genl_info *info)
14580 {
14581 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14582 	struct net_device *dev = info->user_ptr[1];
14583 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14584 	struct cfg80211_chan_def chandef = {};
14585 	const u8 *addr;
14586 	u8 oper_class;
14587 	int err;
14588 
14589 	if (!rdev->ops->tdls_channel_switch ||
14590 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14591 		return -EOPNOTSUPP;
14592 
14593 	switch (dev->ieee80211_ptr->iftype) {
14594 	case NL80211_IFTYPE_STATION:
14595 	case NL80211_IFTYPE_P2P_CLIENT:
14596 		break;
14597 	default:
14598 		return -EOPNOTSUPP;
14599 	}
14600 
14601 	if (!info->attrs[NL80211_ATTR_MAC] ||
14602 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14603 		return -EINVAL;
14604 
14605 	err = nl80211_parse_chandef(rdev, info, &chandef);
14606 	if (err)
14607 		return err;
14608 
14609 	/*
14610 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14611 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14612 	 * specification is not defined for them.
14613 	 */
14614 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14615 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14616 	    chandef.width != NL80211_CHAN_WIDTH_20)
14617 		return -EINVAL;
14618 
14619 	/* we will be active on the TDLS link */
14620 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14621 					   wdev->iftype))
14622 		return -EINVAL;
14623 
14624 	/* don't allow switching to DFS channels */
14625 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14626 		return -EINVAL;
14627 
14628 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14629 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14630 
14631 	wdev_lock(wdev);
14632 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14633 	wdev_unlock(wdev);
14634 
14635 	return err;
14636 }
14637 
14638 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14639 					      struct genl_info *info)
14640 {
14641 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14642 	struct net_device *dev = info->user_ptr[1];
14643 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14644 	const u8 *addr;
14645 
14646 	if (!rdev->ops->tdls_channel_switch ||
14647 	    !rdev->ops->tdls_cancel_channel_switch ||
14648 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14649 		return -EOPNOTSUPP;
14650 
14651 	switch (dev->ieee80211_ptr->iftype) {
14652 	case NL80211_IFTYPE_STATION:
14653 	case NL80211_IFTYPE_P2P_CLIENT:
14654 		break;
14655 	default:
14656 		return -EOPNOTSUPP;
14657 	}
14658 
14659 	if (!info->attrs[NL80211_ATTR_MAC])
14660 		return -EINVAL;
14661 
14662 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14663 
14664 	wdev_lock(wdev);
14665 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14666 	wdev_unlock(wdev);
14667 
14668 	return 0;
14669 }
14670 
14671 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14672 					    struct genl_info *info)
14673 {
14674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14675 	struct net_device *dev = info->user_ptr[1];
14676 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14677 	const struct nlattr *nla;
14678 	bool enabled;
14679 
14680 	if (!rdev->ops->set_multicast_to_unicast)
14681 		return -EOPNOTSUPP;
14682 
14683 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14684 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14685 		return -EOPNOTSUPP;
14686 
14687 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14688 	enabled = nla_get_flag(nla);
14689 
14690 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14691 }
14692 
14693 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14694 {
14695 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14696 	struct net_device *dev = info->user_ptr[1];
14697 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14698 	struct cfg80211_pmk_conf pmk_conf = {};
14699 	int ret;
14700 
14701 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14702 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14703 		return -EOPNOTSUPP;
14704 
14705 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14706 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14707 		return -EOPNOTSUPP;
14708 
14709 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14710 		return -EINVAL;
14711 
14712 	wdev_lock(wdev);
14713 	if (!wdev->current_bss) {
14714 		ret = -ENOTCONN;
14715 		goto out;
14716 	}
14717 
14718 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14719 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14720 		ret = -EINVAL;
14721 		goto out;
14722 	}
14723 
14724 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14725 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14726 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14727 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14728 		ret = -EINVAL;
14729 		goto out;
14730 	}
14731 
14732 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14733 		pmk_conf.pmk_r0_name =
14734 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14735 
14736 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14737 out:
14738 	wdev_unlock(wdev);
14739 	return ret;
14740 }
14741 
14742 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14743 {
14744 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14745 	struct net_device *dev = info->user_ptr[1];
14746 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14747 	const u8 *aa;
14748 	int ret;
14749 
14750 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14751 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14752 		return -EOPNOTSUPP;
14753 
14754 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14755 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14756 		return -EOPNOTSUPP;
14757 
14758 	if (!info->attrs[NL80211_ATTR_MAC])
14759 		return -EINVAL;
14760 
14761 	wdev_lock(wdev);
14762 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14763 	ret = rdev_del_pmk(rdev, dev, aa);
14764 	wdev_unlock(wdev);
14765 
14766 	return ret;
14767 }
14768 
14769 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14770 {
14771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14772 	struct net_device *dev = info->user_ptr[1];
14773 	struct cfg80211_external_auth_params params;
14774 
14775 	if (!rdev->ops->external_auth)
14776 		return -EOPNOTSUPP;
14777 
14778 	if (!info->attrs[NL80211_ATTR_SSID] &&
14779 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14780 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14781 		return -EINVAL;
14782 
14783 	if (!info->attrs[NL80211_ATTR_BSSID])
14784 		return -EINVAL;
14785 
14786 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14787 		return -EINVAL;
14788 
14789 	memset(&params, 0, sizeof(params));
14790 
14791 	if (info->attrs[NL80211_ATTR_SSID]) {
14792 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14793 		if (params.ssid.ssid_len == 0)
14794 			return -EINVAL;
14795 		memcpy(params.ssid.ssid,
14796 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14797 		       params.ssid.ssid_len);
14798 	}
14799 
14800 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14801 	       ETH_ALEN);
14802 
14803 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14804 
14805 	if (info->attrs[NL80211_ATTR_PMKID])
14806 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14807 
14808 	return rdev_external_auth(rdev, dev, &params);
14809 }
14810 
14811 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14812 {
14813 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14815 	struct net_device *dev = info->user_ptr[1];
14816 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14817 	const u8 *buf;
14818 	size_t len;
14819 	u8 *dest;
14820 	u16 proto;
14821 	bool noencrypt;
14822 	u64 cookie = 0;
14823 	int err;
14824 
14825 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14826 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14827 		return -EOPNOTSUPP;
14828 
14829 	if (!rdev->ops->tx_control_port)
14830 		return -EOPNOTSUPP;
14831 
14832 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14833 	    !info->attrs[NL80211_ATTR_MAC] ||
14834 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14835 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14836 		return -EINVAL;
14837 	}
14838 
14839 	wdev_lock(wdev);
14840 
14841 	switch (wdev->iftype) {
14842 	case NL80211_IFTYPE_AP:
14843 	case NL80211_IFTYPE_P2P_GO:
14844 	case NL80211_IFTYPE_MESH_POINT:
14845 		break;
14846 	case NL80211_IFTYPE_ADHOC:
14847 	case NL80211_IFTYPE_STATION:
14848 	case NL80211_IFTYPE_P2P_CLIENT:
14849 		if (wdev->current_bss)
14850 			break;
14851 		err = -ENOTCONN;
14852 		goto out;
14853 	default:
14854 		err = -EOPNOTSUPP;
14855 		goto out;
14856 	}
14857 
14858 	wdev_unlock(wdev);
14859 
14860 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14861 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14862 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14863 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14864 	noencrypt =
14865 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14866 
14867 	err = rdev_tx_control_port(rdev, dev, buf, len,
14868 				   dest, cpu_to_be16(proto), noencrypt,
14869 				   dont_wait_for_ack ? NULL : &cookie);
14870 	if (!err && !dont_wait_for_ack)
14871 		nl_set_extack_cookie_u64(info->extack, cookie);
14872 	return err;
14873  out:
14874 	wdev_unlock(wdev);
14875 	return err;
14876 }
14877 
14878 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14879 					   struct genl_info *info)
14880 {
14881 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14882 	struct net_device *dev = info->user_ptr[1];
14883 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14884 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14885 	struct sk_buff *msg;
14886 	void *hdr;
14887 	struct nlattr *ftm_stats_attr;
14888 	int err;
14889 
14890 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14891 		return -EOPNOTSUPP;
14892 
14893 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14894 	if (err)
14895 		return err;
14896 
14897 	if (!ftm_stats.filled)
14898 		return -ENODATA;
14899 
14900 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14901 	if (!msg)
14902 		return -ENOMEM;
14903 
14904 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14905 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14906 	if (!hdr)
14907 		goto nla_put_failure;
14908 
14909 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14910 		goto nla_put_failure;
14911 
14912 	ftm_stats_attr = nla_nest_start_noflag(msg,
14913 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14914 	if (!ftm_stats_attr)
14915 		goto nla_put_failure;
14916 
14917 #define SET_FTM(field, name, type)					 \
14918 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14919 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14920 			     ftm_stats.field))				 \
14921 		goto nla_put_failure; } while (0)
14922 #define SET_FTM_U64(field, name)					 \
14923 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14924 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14925 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14926 		goto nla_put_failure; } while (0)
14927 
14928 	SET_FTM(success_num, SUCCESS_NUM, u32);
14929 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14930 	SET_FTM(failed_num, FAILED_NUM, u32);
14931 	SET_FTM(asap_num, ASAP_NUM, u32);
14932 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14933 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14934 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14935 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14936 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14937 #undef SET_FTM
14938 
14939 	nla_nest_end(msg, ftm_stats_attr);
14940 
14941 	genlmsg_end(msg, hdr);
14942 	return genlmsg_reply(msg, info);
14943 
14944 nla_put_failure:
14945 	nlmsg_free(msg);
14946 	return -ENOBUFS;
14947 }
14948 
14949 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14950 {
14951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14952 	struct cfg80211_update_owe_info owe_info;
14953 	struct net_device *dev = info->user_ptr[1];
14954 
14955 	if (!rdev->ops->update_owe_info)
14956 		return -EOPNOTSUPP;
14957 
14958 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14959 	    !info->attrs[NL80211_ATTR_MAC])
14960 		return -EINVAL;
14961 
14962 	memset(&owe_info, 0, sizeof(owe_info));
14963 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14964 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14965 
14966 	if (info->attrs[NL80211_ATTR_IE]) {
14967 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14968 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14969 	}
14970 
14971 	return rdev_update_owe_info(rdev, dev, &owe_info);
14972 }
14973 
14974 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14975 {
14976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14977 	struct net_device *dev = info->user_ptr[1];
14978 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14979 	struct station_info sinfo = {};
14980 	const u8 *buf;
14981 	size_t len;
14982 	u8 *dest;
14983 	int err;
14984 
14985 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14986 		return -EOPNOTSUPP;
14987 
14988 	if (!info->attrs[NL80211_ATTR_MAC] ||
14989 	    !info->attrs[NL80211_ATTR_FRAME]) {
14990 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14991 		return -EINVAL;
14992 	}
14993 
14994 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14995 		return -EOPNOTSUPP;
14996 
14997 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14998 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14999 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15000 
15001 	if (len < sizeof(struct ethhdr))
15002 		return -EINVAL;
15003 
15004 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15005 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15006 		return -EINVAL;
15007 
15008 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15009 	if (err)
15010 		return err;
15011 
15012 	cfg80211_sinfo_release_content(&sinfo);
15013 
15014 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15015 }
15016 
15017 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15018 			  struct nlattr *attrs[], struct net_device *dev,
15019 			  struct cfg80211_tid_cfg *tid_conf,
15020 			  struct genl_info *info, const u8 *peer)
15021 {
15022 	struct netlink_ext_ack *extack = info->extack;
15023 	u64 mask;
15024 	int err;
15025 
15026 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15027 		return -EINVAL;
15028 
15029 	tid_conf->config_override =
15030 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15031 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15032 
15033 	if (tid_conf->config_override) {
15034 		if (rdev->ops->reset_tid_config) {
15035 			err = rdev_reset_tid_config(rdev, dev, peer,
15036 						    tid_conf->tids);
15037 			if (err)
15038 				return err;
15039 		} else {
15040 			return -EINVAL;
15041 		}
15042 	}
15043 
15044 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15045 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15046 		tid_conf->noack =
15047 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15048 	}
15049 
15050 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15051 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15052 		tid_conf->retry_short =
15053 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15054 
15055 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15056 			return -EINVAL;
15057 	}
15058 
15059 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15060 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15061 		tid_conf->retry_long =
15062 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15063 
15064 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15065 			return -EINVAL;
15066 	}
15067 
15068 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15069 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15070 		tid_conf->ampdu =
15071 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15072 	}
15073 
15074 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15075 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15076 		tid_conf->rtscts =
15077 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15078 	}
15079 
15080 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15081 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15082 		tid_conf->amsdu =
15083 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15084 	}
15085 
15086 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15087 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15088 
15089 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15090 
15091 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15092 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15093 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15094 						    &tid_conf->txrate_mask, dev,
15095 						    true);
15096 			if (err)
15097 				return err;
15098 
15099 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15100 		}
15101 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15102 	}
15103 
15104 	if (peer)
15105 		mask = rdev->wiphy.tid_config_support.peer;
15106 	else
15107 		mask = rdev->wiphy.tid_config_support.vif;
15108 
15109 	if (tid_conf->mask & ~mask) {
15110 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15111 		return -ENOTSUPP;
15112 	}
15113 
15114 	return 0;
15115 }
15116 
15117 static int nl80211_set_tid_config(struct sk_buff *skb,
15118 				  struct genl_info *info)
15119 {
15120 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15121 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15122 	struct net_device *dev = info->user_ptr[1];
15123 	struct cfg80211_tid_config *tid_config;
15124 	struct nlattr *tid;
15125 	int conf_idx = 0, rem_conf;
15126 	int ret = -EINVAL;
15127 	u32 num_conf = 0;
15128 
15129 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15130 		return -EINVAL;
15131 
15132 	if (!rdev->ops->set_tid_config)
15133 		return -EOPNOTSUPP;
15134 
15135 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15136 			    rem_conf)
15137 		num_conf++;
15138 
15139 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15140 			     GFP_KERNEL);
15141 	if (!tid_config)
15142 		return -ENOMEM;
15143 
15144 	tid_config->n_tid_conf = num_conf;
15145 
15146 	if (info->attrs[NL80211_ATTR_MAC])
15147 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15148 
15149 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15150 			    rem_conf) {
15151 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15152 				       tid, NULL, NULL);
15153 
15154 		if (ret)
15155 			goto bad_tid_conf;
15156 
15157 		ret = parse_tid_conf(rdev, attrs, dev,
15158 				     &tid_config->tid_conf[conf_idx],
15159 				     info, tid_config->peer);
15160 		if (ret)
15161 			goto bad_tid_conf;
15162 
15163 		conf_idx++;
15164 	}
15165 
15166 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15167 
15168 bad_tid_conf:
15169 	kfree(tid_config);
15170 	return ret;
15171 }
15172 
15173 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15174 {
15175 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15176 	struct cfg80211_color_change_settings params = {};
15177 	struct net_device *dev = info->user_ptr[1];
15178 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15179 	struct nlattr **tb;
15180 	u16 offset;
15181 	int err;
15182 
15183 	if (!rdev->ops->color_change)
15184 		return -EOPNOTSUPP;
15185 
15186 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15187 				     NL80211_EXT_FEATURE_BSS_COLOR))
15188 		return -EOPNOTSUPP;
15189 
15190 	if (wdev->iftype != NL80211_IFTYPE_AP)
15191 		return -EOPNOTSUPP;
15192 
15193 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15194 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15195 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15196 		return -EINVAL;
15197 
15198 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15199 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15200 
15201 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15202 	if (err)
15203 		return err;
15204 
15205 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15206 	if (!tb)
15207 		return -ENOMEM;
15208 
15209 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15210 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15211 			       nl80211_policy, info->extack);
15212 	if (err)
15213 		goto out;
15214 
15215 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15216 	if (err)
15217 		goto out;
15218 
15219 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15220 		err = -EINVAL;
15221 		goto out;
15222 	}
15223 
15224 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15225 		err = -EINVAL;
15226 		goto out;
15227 	}
15228 
15229 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15230 	if (offset >= params.beacon_color_change.tail_len) {
15231 		err = -EINVAL;
15232 		goto out;
15233 	}
15234 
15235 	if (params.beacon_color_change.tail[offset] != params.count) {
15236 		err = -EINVAL;
15237 		goto out;
15238 	}
15239 
15240 	params.counter_offset_beacon = offset;
15241 
15242 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15243 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15244 		    sizeof(u16)) {
15245 			err = -EINVAL;
15246 			goto out;
15247 		}
15248 
15249 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15250 		if (offset >= params.beacon_color_change.probe_resp_len) {
15251 			err = -EINVAL;
15252 			goto out;
15253 		}
15254 
15255 		if (params.beacon_color_change.probe_resp[offset] !=
15256 		    params.count) {
15257 			err = -EINVAL;
15258 			goto out;
15259 		}
15260 
15261 		params.counter_offset_presp = offset;
15262 	}
15263 
15264 	wdev_lock(wdev);
15265 	err = rdev_color_change(rdev, dev, &params);
15266 	wdev_unlock(wdev);
15267 
15268 out:
15269 	kfree(params.beacon_next.mbssid_ies);
15270 	kfree(params.beacon_color_change.mbssid_ies);
15271 	kfree(tb);
15272 	return err;
15273 }
15274 
15275 static int nl80211_set_fils_aad(struct sk_buff *skb,
15276 				struct genl_info *info)
15277 {
15278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15279 	struct net_device *dev = info->user_ptr[1];
15280 	struct cfg80211_fils_aad fils_aad = {};
15281 	u8 *nonces;
15282 
15283 	if (!info->attrs[NL80211_ATTR_MAC] ||
15284 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15285 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15286 		return -EINVAL;
15287 
15288 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15289 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15290 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15291 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15292 	fils_aad.snonce = nonces;
15293 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15294 
15295 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15296 }
15297 
15298 #define NL80211_FLAG_NEED_WIPHY		0x01
15299 #define NL80211_FLAG_NEED_NETDEV	0x02
15300 #define NL80211_FLAG_NEED_RTNL		0x04
15301 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15302 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15303 					 NL80211_FLAG_CHECK_NETDEV_UP)
15304 #define NL80211_FLAG_NEED_WDEV		0x10
15305 /* If a netdev is associated, it must be UP, P2P must be started */
15306 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15307 					 NL80211_FLAG_CHECK_NETDEV_UP)
15308 #define NL80211_FLAG_CLEAR_SKB		0x20
15309 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15310 
15311 #define INTERNAL_FLAG_SELECTORS(__sel)			\
15312 	SELECTOR(__sel, NONE, 0) /* must be first */	\
15313 	SELECTOR(__sel, WIPHY,				\
15314 		 NL80211_FLAG_NEED_WIPHY)		\
15315 	SELECTOR(__sel, WDEV,				\
15316 		 NL80211_FLAG_NEED_WDEV)		\
15317 	SELECTOR(__sel, NETDEV,				\
15318 		 NL80211_FLAG_NEED_NETDEV)		\
15319 	SELECTOR(__sel, WIPHY_RTNL,			\
15320 		 NL80211_FLAG_NEED_WIPHY |		\
15321 		 NL80211_FLAG_NEED_RTNL)		\
15322 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
15323 		 NL80211_FLAG_NEED_WIPHY |		\
15324 		 NL80211_FLAG_NEED_RTNL |		\
15325 		 NL80211_FLAG_NO_WIPHY_MTX)		\
15326 	SELECTOR(__sel, WDEV_RTNL,			\
15327 		 NL80211_FLAG_NEED_WDEV |		\
15328 		 NL80211_FLAG_NEED_RTNL)		\
15329 	SELECTOR(__sel, NETDEV_RTNL,			\
15330 		 NL80211_FLAG_NEED_NETDEV |		\
15331 		 NL80211_FLAG_NEED_RTNL)		\
15332 	SELECTOR(__sel, NETDEV_UP,			\
15333 		 NL80211_FLAG_NEED_NETDEV_UP)		\
15334 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
15335 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15336 		 NL80211_FLAG_NO_WIPHY_MTX)		\
15337 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
15338 		 NL80211_FLAG_NEED_NETDEV_UP |		\
15339 		 NL80211_FLAG_CLEAR_SKB)		\
15340 	SELECTOR(__sel, WDEV_UP,			\
15341 		 NL80211_FLAG_NEED_WDEV_UP)		\
15342 	SELECTOR(__sel, WDEV_UP_RTNL,			\
15343 		 NL80211_FLAG_NEED_WDEV_UP |		\
15344 		 NL80211_FLAG_NEED_RTNL)		\
15345 	SELECTOR(__sel, WIPHY_CLEAR,			\
15346 		 NL80211_FLAG_NEED_WIPHY |		\
15347 		 NL80211_FLAG_CLEAR_SKB)
15348 
15349 enum nl80211_internal_flags_selector {
15350 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
15351 	INTERNAL_FLAG_SELECTORS(_)
15352 #undef SELECTOR
15353 };
15354 
15355 static u32 nl80211_internal_flags[] = {
15356 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
15357 	INTERNAL_FLAG_SELECTORS(_)
15358 #undef SELECTOR
15359 };
15360 
15361 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15362 			    struct genl_info *info)
15363 {
15364 	struct cfg80211_registered_device *rdev = NULL;
15365 	struct wireless_dev *wdev;
15366 	struct net_device *dev;
15367 	u32 internal_flags;
15368 
15369 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
15370 		return -EINVAL;
15371 
15372 	internal_flags = nl80211_internal_flags[ops->internal_flags];
15373 
15374 	rtnl_lock();
15375 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
15376 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15377 		if (IS_ERR(rdev)) {
15378 			rtnl_unlock();
15379 			return PTR_ERR(rdev);
15380 		}
15381 		info->user_ptr[0] = rdev;
15382 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
15383 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
15384 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15385 						  info->attrs);
15386 		if (IS_ERR(wdev)) {
15387 			rtnl_unlock();
15388 			return PTR_ERR(wdev);
15389 		}
15390 
15391 		dev = wdev->netdev;
15392 		rdev = wiphy_to_rdev(wdev->wiphy);
15393 
15394 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
15395 			if (!dev) {
15396 				rtnl_unlock();
15397 				return -EINVAL;
15398 			}
15399 
15400 			info->user_ptr[1] = dev;
15401 		} else {
15402 			info->user_ptr[1] = wdev;
15403 		}
15404 
15405 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15406 		    !wdev_running(wdev)) {
15407 			rtnl_unlock();
15408 			return -ENETDOWN;
15409 		}
15410 
15411 		dev_hold(dev);
15412 		info->user_ptr[0] = rdev;
15413 	}
15414 
15415 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15416 		wiphy_lock(&rdev->wiphy);
15417 		/* we keep the mutex locked until post_doit */
15418 		__release(&rdev->wiphy.mtx);
15419 	}
15420 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
15421 		rtnl_unlock();
15422 
15423 	return 0;
15424 }
15425 
15426 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15427 			      struct genl_info *info)
15428 {
15429 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
15430 
15431 	if (info->user_ptr[1]) {
15432 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
15433 			struct wireless_dev *wdev = info->user_ptr[1];
15434 
15435 			dev_put(wdev->netdev);
15436 		} else {
15437 			dev_put(info->user_ptr[1]);
15438 		}
15439 	}
15440 
15441 	if (info->user_ptr[0] &&
15442 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15443 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15444 
15445 		/* we kept the mutex locked since pre_doit */
15446 		__acquire(&rdev->wiphy.mtx);
15447 		wiphy_unlock(&rdev->wiphy);
15448 	}
15449 
15450 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
15451 		rtnl_unlock();
15452 
15453 	/* If needed, clear the netlink message payload from the SKB
15454 	 * as it might contain key data that shouldn't stick around on
15455 	 * the heap after the SKB is freed. The netlink message header
15456 	 * is still needed for further processing, so leave it intact.
15457 	 */
15458 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
15459 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15460 
15461 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15462 	}
15463 }
15464 
15465 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15466 				     struct cfg80211_sar_specs *sar_specs,
15467 				     struct nlattr *spec[], int index)
15468 {
15469 	u32 range_index, i;
15470 
15471 	if (!sar_specs || !spec)
15472 		return -EINVAL;
15473 
15474 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15475 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15476 		return -EINVAL;
15477 
15478 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15479 
15480 	/* check if range_index exceeds num_freq_ranges */
15481 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15482 		return -EINVAL;
15483 
15484 	/* check if range_index duplicates */
15485 	for (i = 0; i < index; i++) {
15486 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15487 			return -EINVAL;
15488 	}
15489 
15490 	sar_specs->sub_specs[index].power =
15491 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15492 
15493 	sar_specs->sub_specs[index].freq_range_index = range_index;
15494 
15495 	return 0;
15496 }
15497 
15498 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15499 {
15500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15501 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15502 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15503 	struct cfg80211_sar_specs *sar_spec;
15504 	enum nl80211_sar_type type;
15505 	struct nlattr *spec_list;
15506 	u32 specs;
15507 	int rem, err;
15508 
15509 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15510 		return -EOPNOTSUPP;
15511 
15512 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15513 		return -EINVAL;
15514 
15515 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15516 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15517 			 NULL, NULL);
15518 
15519 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15520 		return -EINVAL;
15521 
15522 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15523 	if (type != rdev->wiphy.sar_capa->type)
15524 		return -EINVAL;
15525 
15526 	specs = 0;
15527 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15528 		specs++;
15529 
15530 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15531 		return -EINVAL;
15532 
15533 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15534 	if (!sar_spec)
15535 		return -ENOMEM;
15536 
15537 	sar_spec->type = type;
15538 	specs = 0;
15539 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15540 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15541 				 spec_list, NULL, NULL);
15542 
15543 		switch (type) {
15544 		case NL80211_SAR_TYPE_POWER:
15545 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15546 						      spec, specs)) {
15547 				err = -EINVAL;
15548 				goto error;
15549 			}
15550 			break;
15551 		default:
15552 			err = -EINVAL;
15553 			goto error;
15554 		}
15555 		specs++;
15556 	}
15557 
15558 	sar_spec->num_sub_specs = specs;
15559 
15560 	rdev->cur_cmd_info = info;
15561 	err = rdev_set_sar_specs(rdev, sar_spec);
15562 	rdev->cur_cmd_info = NULL;
15563 error:
15564 	kfree(sar_spec);
15565 	return err;
15566 }
15567 
15568 #define SELECTOR(__sel, name, value) \
15569 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
15570 int __missing_selector(void);
15571 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
15572 
15573 static const struct genl_ops nl80211_ops[] = {
15574 	{
15575 		.cmd = NL80211_CMD_GET_WIPHY,
15576 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15577 		.doit = nl80211_get_wiphy,
15578 		.dumpit = nl80211_dump_wiphy,
15579 		.done = nl80211_dump_wiphy_done,
15580 		/* can be retrieved by unprivileged users */
15581 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
15582 	},
15583 };
15584 
15585 static const struct genl_small_ops nl80211_small_ops[] = {
15586 	{
15587 		.cmd = NL80211_CMD_SET_WIPHY,
15588 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15589 		.doit = nl80211_set_wiphy,
15590 		.flags = GENL_UNS_ADMIN_PERM,
15591 	},
15592 	{
15593 		.cmd = NL80211_CMD_GET_INTERFACE,
15594 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15595 		.doit = nl80211_get_interface,
15596 		.dumpit = nl80211_dump_interface,
15597 		/* can be retrieved by unprivileged users */
15598 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
15599 	},
15600 	{
15601 		.cmd = NL80211_CMD_SET_INTERFACE,
15602 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15603 		.doit = nl80211_set_interface,
15604 		.flags = GENL_UNS_ADMIN_PERM,
15605 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
15606 					 NL80211_FLAG_NEED_RTNL),
15607 	},
15608 	{
15609 		.cmd = NL80211_CMD_NEW_INTERFACE,
15610 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15611 		.doit = nl80211_new_interface,
15612 		.flags = GENL_UNS_ADMIN_PERM,
15613 		.internal_flags =
15614 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
15615 			       NL80211_FLAG_NEED_RTNL |
15616 			       /* we take the wiphy mutex later ourselves */
15617 			       NL80211_FLAG_NO_WIPHY_MTX),
15618 	},
15619 	{
15620 		.cmd = NL80211_CMD_DEL_INTERFACE,
15621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15622 		.doit = nl80211_del_interface,
15623 		.flags = GENL_UNS_ADMIN_PERM,
15624 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
15625 					 NL80211_FLAG_NEED_RTNL),
15626 	},
15627 	{
15628 		.cmd = NL80211_CMD_GET_KEY,
15629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15630 		.doit = nl80211_get_key,
15631 		.flags = GENL_UNS_ADMIN_PERM,
15632 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15633 	},
15634 	{
15635 		.cmd = NL80211_CMD_SET_KEY,
15636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15637 		.doit = nl80211_set_key,
15638 		.flags = GENL_UNS_ADMIN_PERM,
15639 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15640 					 NL80211_FLAG_CLEAR_SKB),
15641 	},
15642 	{
15643 		.cmd = NL80211_CMD_NEW_KEY,
15644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15645 		.doit = nl80211_new_key,
15646 		.flags = GENL_UNS_ADMIN_PERM,
15647 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15648 					 NL80211_FLAG_CLEAR_SKB),
15649 	},
15650 	{
15651 		.cmd = NL80211_CMD_DEL_KEY,
15652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15653 		.doit = nl80211_del_key,
15654 		.flags = GENL_UNS_ADMIN_PERM,
15655 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15656 	},
15657 	{
15658 		.cmd = NL80211_CMD_SET_BEACON,
15659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15660 		.flags = GENL_UNS_ADMIN_PERM,
15661 		.doit = nl80211_set_beacon,
15662 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15663 	},
15664 	{
15665 		.cmd = NL80211_CMD_START_AP,
15666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15667 		.flags = GENL_UNS_ADMIN_PERM,
15668 		.doit = nl80211_start_ap,
15669 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15670 	},
15671 	{
15672 		.cmd = NL80211_CMD_STOP_AP,
15673 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15674 		.flags = GENL_UNS_ADMIN_PERM,
15675 		.doit = nl80211_stop_ap,
15676 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15677 	},
15678 	{
15679 		.cmd = NL80211_CMD_GET_STATION,
15680 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15681 		.doit = nl80211_get_station,
15682 		.dumpit = nl80211_dump_station,
15683 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
15684 	},
15685 	{
15686 		.cmd = NL80211_CMD_SET_STATION,
15687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15688 		.doit = nl80211_set_station,
15689 		.flags = GENL_UNS_ADMIN_PERM,
15690 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15691 	},
15692 	{
15693 		.cmd = NL80211_CMD_NEW_STATION,
15694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15695 		.doit = nl80211_new_station,
15696 		.flags = GENL_UNS_ADMIN_PERM,
15697 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15698 	},
15699 	{
15700 		.cmd = NL80211_CMD_DEL_STATION,
15701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15702 		.doit = nl80211_del_station,
15703 		.flags = GENL_UNS_ADMIN_PERM,
15704 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15705 	},
15706 	{
15707 		.cmd = NL80211_CMD_GET_MPATH,
15708 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15709 		.doit = nl80211_get_mpath,
15710 		.dumpit = nl80211_dump_mpath,
15711 		.flags = GENL_UNS_ADMIN_PERM,
15712 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15713 	},
15714 	{
15715 		.cmd = NL80211_CMD_GET_MPP,
15716 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15717 		.doit = nl80211_get_mpp,
15718 		.dumpit = nl80211_dump_mpp,
15719 		.flags = GENL_UNS_ADMIN_PERM,
15720 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15721 	},
15722 	{
15723 		.cmd = NL80211_CMD_SET_MPATH,
15724 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15725 		.doit = nl80211_set_mpath,
15726 		.flags = GENL_UNS_ADMIN_PERM,
15727 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15728 	},
15729 	{
15730 		.cmd = NL80211_CMD_NEW_MPATH,
15731 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15732 		.doit = nl80211_new_mpath,
15733 		.flags = GENL_UNS_ADMIN_PERM,
15734 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15735 	},
15736 	{
15737 		.cmd = NL80211_CMD_DEL_MPATH,
15738 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15739 		.doit = nl80211_del_mpath,
15740 		.flags = GENL_UNS_ADMIN_PERM,
15741 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15742 	},
15743 	{
15744 		.cmd = NL80211_CMD_SET_BSS,
15745 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15746 		.doit = nl80211_set_bss,
15747 		.flags = GENL_UNS_ADMIN_PERM,
15748 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15749 	},
15750 	{
15751 		.cmd = NL80211_CMD_GET_REG,
15752 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15753 		.doit = nl80211_get_reg_do,
15754 		.dumpit = nl80211_get_reg_dump,
15755 		/* can be retrieved by unprivileged users */
15756 	},
15757 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15758 	{
15759 		.cmd = NL80211_CMD_SET_REG,
15760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15761 		.doit = nl80211_set_reg,
15762 		.flags = GENL_ADMIN_PERM,
15763 	},
15764 #endif
15765 	{
15766 		.cmd = NL80211_CMD_REQ_SET_REG,
15767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15768 		.doit = nl80211_req_set_reg,
15769 		.flags = GENL_ADMIN_PERM,
15770 	},
15771 	{
15772 		.cmd = NL80211_CMD_RELOAD_REGDB,
15773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15774 		.doit = nl80211_reload_regdb,
15775 		.flags = GENL_ADMIN_PERM,
15776 	},
15777 	{
15778 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15779 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15780 		.doit = nl80211_get_mesh_config,
15781 		/* can be retrieved by unprivileged users */
15782 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15783 	},
15784 	{
15785 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15786 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15787 		.doit = nl80211_update_mesh_config,
15788 		.flags = GENL_UNS_ADMIN_PERM,
15789 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15790 	},
15791 	{
15792 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15794 		.doit = nl80211_trigger_scan,
15795 		.flags = GENL_UNS_ADMIN_PERM,
15796 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
15797 	},
15798 	{
15799 		.cmd = NL80211_CMD_ABORT_SCAN,
15800 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15801 		.doit = nl80211_abort_scan,
15802 		.flags = GENL_UNS_ADMIN_PERM,
15803 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
15804 	},
15805 	{
15806 		.cmd = NL80211_CMD_GET_SCAN,
15807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15808 		.dumpit = nl80211_dump_scan,
15809 	},
15810 	{
15811 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15812 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15813 		.doit = nl80211_start_sched_scan,
15814 		.flags = GENL_UNS_ADMIN_PERM,
15815 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15816 	},
15817 	{
15818 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15819 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15820 		.doit = nl80211_stop_sched_scan,
15821 		.flags = GENL_UNS_ADMIN_PERM,
15822 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15823 	},
15824 	{
15825 		.cmd = NL80211_CMD_AUTHENTICATE,
15826 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15827 		.doit = nl80211_authenticate,
15828 		.flags = GENL_UNS_ADMIN_PERM,
15829 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15830 					 NL80211_FLAG_CLEAR_SKB),
15831 	},
15832 	{
15833 		.cmd = NL80211_CMD_ASSOCIATE,
15834 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15835 		.doit = nl80211_associate,
15836 		.flags = GENL_UNS_ADMIN_PERM,
15837 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15838 					 NL80211_FLAG_CLEAR_SKB),
15839 	},
15840 	{
15841 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15843 		.doit = nl80211_deauthenticate,
15844 		.flags = GENL_UNS_ADMIN_PERM,
15845 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15846 	},
15847 	{
15848 		.cmd = NL80211_CMD_DISASSOCIATE,
15849 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15850 		.doit = nl80211_disassociate,
15851 		.flags = GENL_UNS_ADMIN_PERM,
15852 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15853 	},
15854 	{
15855 		.cmd = NL80211_CMD_JOIN_IBSS,
15856 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15857 		.doit = nl80211_join_ibss,
15858 		.flags = GENL_UNS_ADMIN_PERM,
15859 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15860 	},
15861 	{
15862 		.cmd = NL80211_CMD_LEAVE_IBSS,
15863 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15864 		.doit = nl80211_leave_ibss,
15865 		.flags = GENL_UNS_ADMIN_PERM,
15866 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15867 	},
15868 #ifdef CONFIG_NL80211_TESTMODE
15869 	{
15870 		.cmd = NL80211_CMD_TESTMODE,
15871 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15872 		.doit = nl80211_testmode_do,
15873 		.dumpit = nl80211_testmode_dump,
15874 		.flags = GENL_UNS_ADMIN_PERM,
15875 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
15876 	},
15877 #endif
15878 	{
15879 		.cmd = NL80211_CMD_CONNECT,
15880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15881 		.doit = nl80211_connect,
15882 		.flags = GENL_UNS_ADMIN_PERM,
15883 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15884 					 NL80211_FLAG_CLEAR_SKB),
15885 	},
15886 	{
15887 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15889 		.doit = nl80211_update_connect_params,
15890 		.flags = GENL_ADMIN_PERM,
15891 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15892 					 NL80211_FLAG_CLEAR_SKB),
15893 	},
15894 	{
15895 		.cmd = NL80211_CMD_DISCONNECT,
15896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15897 		.doit = nl80211_disconnect,
15898 		.flags = GENL_UNS_ADMIN_PERM,
15899 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15900 	},
15901 	{
15902 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15904 		.doit = nl80211_wiphy_netns,
15905 		.flags = GENL_UNS_ADMIN_PERM,
15906 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
15907 					 NL80211_FLAG_NEED_RTNL |
15908 					 NL80211_FLAG_NO_WIPHY_MTX),
15909 	},
15910 	{
15911 		.cmd = NL80211_CMD_GET_SURVEY,
15912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15913 		.dumpit = nl80211_dump_survey,
15914 	},
15915 	{
15916 		.cmd = NL80211_CMD_SET_PMKSA,
15917 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15918 		.doit = nl80211_setdel_pmksa,
15919 		.flags = GENL_UNS_ADMIN_PERM,
15920 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
15921 					 NL80211_FLAG_CLEAR_SKB),
15922 	},
15923 	{
15924 		.cmd = NL80211_CMD_DEL_PMKSA,
15925 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15926 		.doit = nl80211_setdel_pmksa,
15927 		.flags = GENL_UNS_ADMIN_PERM,
15928 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15929 	},
15930 	{
15931 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15932 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15933 		.doit = nl80211_flush_pmksa,
15934 		.flags = GENL_UNS_ADMIN_PERM,
15935 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
15936 	},
15937 	{
15938 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15939 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15940 		.doit = nl80211_remain_on_channel,
15941 		.flags = GENL_UNS_ADMIN_PERM,
15942 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
15943 	},
15944 	{
15945 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15947 		.doit = nl80211_cancel_remain_on_channel,
15948 		.flags = GENL_UNS_ADMIN_PERM,
15949 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
15950 	},
15951 	{
15952 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15953 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15954 		.doit = nl80211_set_tx_bitrate_mask,
15955 		.flags = GENL_UNS_ADMIN_PERM,
15956 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
15957 	},
15958 	{
15959 		.cmd = NL80211_CMD_REGISTER_FRAME,
15960 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15961 		.doit = nl80211_register_mgmt,
15962 		.flags = GENL_UNS_ADMIN_PERM,
15963 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
15964 	},
15965 	{
15966 		.cmd = NL80211_CMD_FRAME,
15967 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15968 		.doit = nl80211_tx_mgmt,
15969 		.flags = GENL_UNS_ADMIN_PERM,
15970 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
15971 	},
15972 	{
15973 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15974 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15975 		.doit = nl80211_tx_mgmt_cancel_wait,
15976 		.flags = GENL_UNS_ADMIN_PERM,
15977 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
15978 	},
15979 	{
15980 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15981 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15982 		.doit = nl80211_set_power_save,
15983 		.flags = GENL_UNS_ADMIN_PERM,
15984 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
15985 	},
15986 	{
15987 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15988 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15989 		.doit = nl80211_get_power_save,
15990 		/* can be retrieved by unprivileged users */
15991 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
15992 	},
15993 	{
15994 		.cmd = NL80211_CMD_SET_CQM,
15995 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15996 		.doit = nl80211_set_cqm,
15997 		.flags = GENL_UNS_ADMIN_PERM,
15998 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
15999 	},
16000 	{
16001 		.cmd = NL80211_CMD_SET_CHANNEL,
16002 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16003 		.doit = nl80211_set_channel,
16004 		.flags = GENL_UNS_ADMIN_PERM,
16005 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16006 	},
16007 	{
16008 		.cmd = NL80211_CMD_JOIN_MESH,
16009 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16010 		.doit = nl80211_join_mesh,
16011 		.flags = GENL_UNS_ADMIN_PERM,
16012 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16013 	},
16014 	{
16015 		.cmd = NL80211_CMD_LEAVE_MESH,
16016 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16017 		.doit = nl80211_leave_mesh,
16018 		.flags = GENL_UNS_ADMIN_PERM,
16019 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16020 	},
16021 	{
16022 		.cmd = NL80211_CMD_JOIN_OCB,
16023 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16024 		.doit = nl80211_join_ocb,
16025 		.flags = GENL_UNS_ADMIN_PERM,
16026 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16027 	},
16028 	{
16029 		.cmd = NL80211_CMD_LEAVE_OCB,
16030 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16031 		.doit = nl80211_leave_ocb,
16032 		.flags = GENL_UNS_ADMIN_PERM,
16033 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16034 	},
16035 #ifdef CONFIG_PM
16036 	{
16037 		.cmd = NL80211_CMD_GET_WOWLAN,
16038 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16039 		.doit = nl80211_get_wowlan,
16040 		/* can be retrieved by unprivileged users */
16041 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16042 	},
16043 	{
16044 		.cmd = NL80211_CMD_SET_WOWLAN,
16045 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16046 		.doit = nl80211_set_wowlan,
16047 		.flags = GENL_UNS_ADMIN_PERM,
16048 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16049 	},
16050 #endif
16051 	{
16052 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
16053 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16054 		.doit = nl80211_set_rekey_data,
16055 		.flags = GENL_UNS_ADMIN_PERM,
16056 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16057 					 NL80211_FLAG_CLEAR_SKB),
16058 	},
16059 	{
16060 		.cmd = NL80211_CMD_TDLS_MGMT,
16061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16062 		.doit = nl80211_tdls_mgmt,
16063 		.flags = GENL_UNS_ADMIN_PERM,
16064 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16065 	},
16066 	{
16067 		.cmd = NL80211_CMD_TDLS_OPER,
16068 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16069 		.doit = nl80211_tdls_oper,
16070 		.flags = GENL_UNS_ADMIN_PERM,
16071 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16072 	},
16073 	{
16074 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
16075 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16076 		.doit = nl80211_register_unexpected_frame,
16077 		.flags = GENL_UNS_ADMIN_PERM,
16078 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16079 	},
16080 	{
16081 		.cmd = NL80211_CMD_PROBE_CLIENT,
16082 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16083 		.doit = nl80211_probe_client,
16084 		.flags = GENL_UNS_ADMIN_PERM,
16085 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16086 	},
16087 	{
16088 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16090 		.doit = nl80211_register_beacons,
16091 		.flags = GENL_UNS_ADMIN_PERM,
16092 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16093 	},
16094 	{
16095 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16096 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16097 		.doit = nl80211_set_noack_map,
16098 		.flags = GENL_UNS_ADMIN_PERM,
16099 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16100 	},
16101 	{
16102 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16103 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16104 		.doit = nl80211_start_p2p_device,
16105 		.flags = GENL_UNS_ADMIN_PERM,
16106 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16107 					 NL80211_FLAG_NEED_RTNL),
16108 	},
16109 	{
16110 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16112 		.doit = nl80211_stop_p2p_device,
16113 		.flags = GENL_UNS_ADMIN_PERM,
16114 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16115 					 NL80211_FLAG_NEED_RTNL),
16116 	},
16117 	{
16118 		.cmd = NL80211_CMD_START_NAN,
16119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16120 		.doit = nl80211_start_nan,
16121 		.flags = GENL_ADMIN_PERM,
16122 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16123 					 NL80211_FLAG_NEED_RTNL),
16124 	},
16125 	{
16126 		.cmd = NL80211_CMD_STOP_NAN,
16127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16128 		.doit = nl80211_stop_nan,
16129 		.flags = GENL_ADMIN_PERM,
16130 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16131 					 NL80211_FLAG_NEED_RTNL),
16132 	},
16133 	{
16134 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16135 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16136 		.doit = nl80211_nan_add_func,
16137 		.flags = GENL_ADMIN_PERM,
16138 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16139 	},
16140 	{
16141 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16142 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16143 		.doit = nl80211_nan_del_func,
16144 		.flags = GENL_ADMIN_PERM,
16145 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16146 	},
16147 	{
16148 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16149 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16150 		.doit = nl80211_nan_change_config,
16151 		.flags = GENL_ADMIN_PERM,
16152 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16153 	},
16154 	{
16155 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16157 		.doit = nl80211_set_mcast_rate,
16158 		.flags = GENL_UNS_ADMIN_PERM,
16159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16160 	},
16161 	{
16162 		.cmd = NL80211_CMD_SET_MAC_ACL,
16163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16164 		.doit = nl80211_set_mac_acl,
16165 		.flags = GENL_UNS_ADMIN_PERM,
16166 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16167 	},
16168 	{
16169 		.cmd = NL80211_CMD_RADAR_DETECT,
16170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16171 		.doit = nl80211_start_radar_detection,
16172 		.flags = GENL_UNS_ADMIN_PERM,
16173 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16174 					 NL80211_FLAG_NO_WIPHY_MTX),
16175 	},
16176 	{
16177 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16179 		.doit = nl80211_get_protocol_features,
16180 	},
16181 	{
16182 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16183 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16184 		.doit = nl80211_update_ft_ies,
16185 		.flags = GENL_UNS_ADMIN_PERM,
16186 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16187 	},
16188 	{
16189 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16190 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16191 		.doit = nl80211_crit_protocol_start,
16192 		.flags = GENL_UNS_ADMIN_PERM,
16193 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16194 	},
16195 	{
16196 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16197 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16198 		.doit = nl80211_crit_protocol_stop,
16199 		.flags = GENL_UNS_ADMIN_PERM,
16200 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16201 	},
16202 	{
16203 		.cmd = NL80211_CMD_GET_COALESCE,
16204 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16205 		.doit = nl80211_get_coalesce,
16206 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16207 	},
16208 	{
16209 		.cmd = NL80211_CMD_SET_COALESCE,
16210 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16211 		.doit = nl80211_set_coalesce,
16212 		.flags = GENL_UNS_ADMIN_PERM,
16213 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16214 	},
16215 	{
16216 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16217 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16218 		.doit = nl80211_channel_switch,
16219 		.flags = GENL_UNS_ADMIN_PERM,
16220 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16221 	},
16222 	{
16223 		.cmd = NL80211_CMD_VENDOR,
16224 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16225 		.doit = nl80211_vendor_cmd,
16226 		.dumpit = nl80211_vendor_cmd_dump,
16227 		.flags = GENL_UNS_ADMIN_PERM,
16228 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16229 					 NL80211_FLAG_CLEAR_SKB),
16230 	},
16231 	{
16232 		.cmd = NL80211_CMD_SET_QOS_MAP,
16233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16234 		.doit = nl80211_set_qos_map,
16235 		.flags = GENL_UNS_ADMIN_PERM,
16236 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16237 	},
16238 	{
16239 		.cmd = NL80211_CMD_ADD_TX_TS,
16240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16241 		.doit = nl80211_add_tx_ts,
16242 		.flags = GENL_UNS_ADMIN_PERM,
16243 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16244 	},
16245 	{
16246 		.cmd = NL80211_CMD_DEL_TX_TS,
16247 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16248 		.doit = nl80211_del_tx_ts,
16249 		.flags = GENL_UNS_ADMIN_PERM,
16250 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16251 	},
16252 	{
16253 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16254 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16255 		.doit = nl80211_tdls_channel_switch,
16256 		.flags = GENL_UNS_ADMIN_PERM,
16257 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16258 	},
16259 	{
16260 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16261 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16262 		.doit = nl80211_tdls_cancel_channel_switch,
16263 		.flags = GENL_UNS_ADMIN_PERM,
16264 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16265 	},
16266 	{
16267 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16268 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16269 		.doit = nl80211_set_multicast_to_unicast,
16270 		.flags = GENL_UNS_ADMIN_PERM,
16271 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16272 	},
16273 	{
16274 		.cmd = NL80211_CMD_SET_PMK,
16275 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16276 		.doit = nl80211_set_pmk,
16277 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16278 					 NL80211_FLAG_CLEAR_SKB),
16279 	},
16280 	{
16281 		.cmd = NL80211_CMD_DEL_PMK,
16282 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16283 		.doit = nl80211_del_pmk,
16284 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16285 	},
16286 	{
16287 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16289 		.doit = nl80211_external_auth,
16290 		.flags = GENL_ADMIN_PERM,
16291 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16292 	},
16293 	{
16294 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16295 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16296 		.doit = nl80211_tx_control_port,
16297 		.flags = GENL_UNS_ADMIN_PERM,
16298 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16299 	},
16300 	{
16301 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16302 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16303 		.doit = nl80211_get_ftm_responder_stats,
16304 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16305 	},
16306 	{
16307 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16309 		.doit = nl80211_pmsr_start,
16310 		.flags = GENL_UNS_ADMIN_PERM,
16311 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16312 	},
16313 	{
16314 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16316 		.doit = nl80211_notify_radar_detection,
16317 		.flags = GENL_UNS_ADMIN_PERM,
16318 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16319 	},
16320 	{
16321 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16322 		.doit = nl80211_update_owe_info,
16323 		.flags = GENL_ADMIN_PERM,
16324 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16325 	},
16326 	{
16327 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16328 		.doit = nl80211_probe_mesh_link,
16329 		.flags = GENL_UNS_ADMIN_PERM,
16330 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16331 	},
16332 	{
16333 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16334 		.doit = nl80211_set_tid_config,
16335 		.flags = GENL_UNS_ADMIN_PERM,
16336 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16337 	},
16338 	{
16339 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16340 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16341 		.doit = nl80211_set_sar_specs,
16342 		.flags = GENL_UNS_ADMIN_PERM,
16343 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16344 					 NL80211_FLAG_NEED_RTNL),
16345 	},
16346 	{
16347 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16348 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16349 		.doit = nl80211_color_change,
16350 		.flags = GENL_UNS_ADMIN_PERM,
16351 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16352 	},
16353 	{
16354 		.cmd = NL80211_CMD_SET_FILS_AAD,
16355 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16356 		.doit = nl80211_set_fils_aad,
16357 		.flags = GENL_UNS_ADMIN_PERM,
16358 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16359 	},
16360 };
16361 
16362 static struct genl_family nl80211_fam __ro_after_init = {
16363 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16364 	.hdrsize = 0,			/* no private header */
16365 	.version = 1,			/* no particular meaning now */
16366 	.maxattr = NL80211_ATTR_MAX,
16367 	.policy = nl80211_policy,
16368 	.netnsok = true,
16369 	.pre_doit = nl80211_pre_doit,
16370 	.post_doit = nl80211_post_doit,
16371 	.module = THIS_MODULE,
16372 	.ops = nl80211_ops,
16373 	.n_ops = ARRAY_SIZE(nl80211_ops),
16374 	.small_ops = nl80211_small_ops,
16375 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16376 	.mcgrps = nl80211_mcgrps,
16377 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16378 	.parallel_ops = true,
16379 };
16380 
16381 /* notification functions */
16382 
16383 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16384 			  enum nl80211_commands cmd)
16385 {
16386 	struct sk_buff *msg;
16387 	struct nl80211_dump_wiphy_state state = {};
16388 
16389 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16390 		cmd != NL80211_CMD_DEL_WIPHY);
16391 
16392 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16393 	if (!msg)
16394 		return;
16395 
16396 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16397 		nlmsg_free(msg);
16398 		return;
16399 	}
16400 
16401 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16402 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16403 }
16404 
16405 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16406 				struct wireless_dev *wdev,
16407 				enum nl80211_commands cmd)
16408 {
16409 	struct sk_buff *msg;
16410 
16411 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16412 	if (!msg)
16413 		return;
16414 
16415 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16416 		nlmsg_free(msg);
16417 		return;
16418 	}
16419 
16420 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16421 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16422 }
16423 
16424 static int nl80211_add_scan_req(struct sk_buff *msg,
16425 				struct cfg80211_registered_device *rdev)
16426 {
16427 	struct cfg80211_scan_request *req = rdev->scan_req;
16428 	struct nlattr *nest;
16429 	int i;
16430 	struct cfg80211_scan_info *info;
16431 
16432 	if (WARN_ON(!req))
16433 		return 0;
16434 
16435 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16436 	if (!nest)
16437 		goto nla_put_failure;
16438 	for (i = 0; i < req->n_ssids; i++) {
16439 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16440 			goto nla_put_failure;
16441 	}
16442 	nla_nest_end(msg, nest);
16443 
16444 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16445 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16446 		if (!nest)
16447 			goto nla_put_failure;
16448 		for (i = 0; i < req->n_channels; i++) {
16449 			if (nla_put_u32(msg, i,
16450 				   ieee80211_channel_to_khz(req->channels[i])))
16451 				goto nla_put_failure;
16452 		}
16453 		nla_nest_end(msg, nest);
16454 	} else {
16455 		nest = nla_nest_start_noflag(msg,
16456 					     NL80211_ATTR_SCAN_FREQUENCIES);
16457 		if (!nest)
16458 			goto nla_put_failure;
16459 		for (i = 0; i < req->n_channels; i++) {
16460 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16461 				goto nla_put_failure;
16462 		}
16463 		nla_nest_end(msg, nest);
16464 	}
16465 
16466 	if (req->ie &&
16467 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16468 		goto nla_put_failure;
16469 
16470 	if (req->flags &&
16471 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16472 		goto nla_put_failure;
16473 
16474 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16475 		&rdev->scan_req->info;
16476 	if (info->scan_start_tsf &&
16477 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16478 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16479 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16480 		     info->tsf_bssid)))
16481 		goto nla_put_failure;
16482 
16483 	return 0;
16484  nla_put_failure:
16485 	return -ENOBUFS;
16486 }
16487 
16488 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16489 				 struct cfg80211_registered_device *rdev,
16490 				 struct wireless_dev *wdev,
16491 				 u32 portid, u32 seq, int flags,
16492 				 u32 cmd)
16493 {
16494 	void *hdr;
16495 
16496 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16497 	if (!hdr)
16498 		return -1;
16499 
16500 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16501 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16502 					 wdev->netdev->ifindex)) ||
16503 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16504 			      NL80211_ATTR_PAD))
16505 		goto nla_put_failure;
16506 
16507 	/* ignore errors and send incomplete event anyway */
16508 	nl80211_add_scan_req(msg, rdev);
16509 
16510 	genlmsg_end(msg, hdr);
16511 	return 0;
16512 
16513  nla_put_failure:
16514 	genlmsg_cancel(msg, hdr);
16515 	return -EMSGSIZE;
16516 }
16517 
16518 static int
16519 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16520 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16521 {
16522 	void *hdr;
16523 
16524 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16525 	if (!hdr)
16526 		return -1;
16527 
16528 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16529 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16530 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16531 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16532 			      NL80211_ATTR_PAD))
16533 		goto nla_put_failure;
16534 
16535 	genlmsg_end(msg, hdr);
16536 	return 0;
16537 
16538  nla_put_failure:
16539 	genlmsg_cancel(msg, hdr);
16540 	return -EMSGSIZE;
16541 }
16542 
16543 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16544 			     struct wireless_dev *wdev)
16545 {
16546 	struct sk_buff *msg;
16547 
16548 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16549 	if (!msg)
16550 		return;
16551 
16552 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16553 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16554 		nlmsg_free(msg);
16555 		return;
16556 	}
16557 
16558 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16559 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16560 }
16561 
16562 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16563 				       struct wireless_dev *wdev, bool aborted)
16564 {
16565 	struct sk_buff *msg;
16566 
16567 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16568 	if (!msg)
16569 		return NULL;
16570 
16571 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16572 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16573 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16574 		nlmsg_free(msg);
16575 		return NULL;
16576 	}
16577 
16578 	return msg;
16579 }
16580 
16581 /* send message created by nl80211_build_scan_msg() */
16582 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16583 			   struct sk_buff *msg)
16584 {
16585 	if (!msg)
16586 		return;
16587 
16588 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16589 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16590 }
16591 
16592 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16593 {
16594 	struct sk_buff *msg;
16595 
16596 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16597 	if (!msg)
16598 		return;
16599 
16600 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16601 		nlmsg_free(msg);
16602 		return;
16603 	}
16604 
16605 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16606 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16607 }
16608 
16609 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16610 					  struct regulatory_request *request)
16611 {
16612 	/* Userspace can always count this one always being set */
16613 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16614 		goto nla_put_failure;
16615 
16616 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16617 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16618 			       NL80211_REGDOM_TYPE_WORLD))
16619 			goto nla_put_failure;
16620 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16621 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16622 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16623 			goto nla_put_failure;
16624 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16625 		   request->intersect) {
16626 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16627 			       NL80211_REGDOM_TYPE_INTERSECTION))
16628 			goto nla_put_failure;
16629 	} else {
16630 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16631 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16632 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16633 				   request->alpha2))
16634 			goto nla_put_failure;
16635 	}
16636 
16637 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16638 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16639 
16640 		if (wiphy &&
16641 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16642 			goto nla_put_failure;
16643 
16644 		if (wiphy &&
16645 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16646 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16647 			goto nla_put_failure;
16648 	}
16649 
16650 	return true;
16651 
16652 nla_put_failure:
16653 	return false;
16654 }
16655 
16656 /*
16657  * This can happen on global regulatory changes or device specific settings
16658  * based on custom regulatory domains.
16659  */
16660 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16661 				     struct regulatory_request *request)
16662 {
16663 	struct sk_buff *msg;
16664 	void *hdr;
16665 
16666 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16667 	if (!msg)
16668 		return;
16669 
16670 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16671 	if (!hdr)
16672 		goto nla_put_failure;
16673 
16674 	if (!nl80211_reg_change_event_fill(msg, request))
16675 		goto nla_put_failure;
16676 
16677 	genlmsg_end(msg, hdr);
16678 
16679 	rcu_read_lock();
16680 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16681 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16682 	rcu_read_unlock();
16683 
16684 	return;
16685 
16686 nla_put_failure:
16687 	nlmsg_free(msg);
16688 }
16689 
16690 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16691 				    struct net_device *netdev,
16692 				    const u8 *buf, size_t len,
16693 				    enum nl80211_commands cmd, gfp_t gfp,
16694 				    int uapsd_queues, const u8 *req_ies,
16695 				    size_t req_ies_len, bool reconnect)
16696 {
16697 	struct sk_buff *msg;
16698 	void *hdr;
16699 
16700 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16701 	if (!msg)
16702 		return;
16703 
16704 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16705 	if (!hdr) {
16706 		nlmsg_free(msg);
16707 		return;
16708 	}
16709 
16710 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16711 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16712 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16713 	    (req_ies &&
16714 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16715 		goto nla_put_failure;
16716 
16717 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16718 		goto nla_put_failure;
16719 
16720 	if (uapsd_queues >= 0) {
16721 		struct nlattr *nla_wmm =
16722 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16723 		if (!nla_wmm)
16724 			goto nla_put_failure;
16725 
16726 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16727 			       uapsd_queues))
16728 			goto nla_put_failure;
16729 
16730 		nla_nest_end(msg, nla_wmm);
16731 	}
16732 
16733 	genlmsg_end(msg, hdr);
16734 
16735 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16736 				NL80211_MCGRP_MLME, gfp);
16737 	return;
16738 
16739  nla_put_failure:
16740 	nlmsg_free(msg);
16741 }
16742 
16743 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16744 			  struct net_device *netdev, const u8 *buf,
16745 			  size_t len, gfp_t gfp)
16746 {
16747 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16748 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16749 				false);
16750 }
16751 
16752 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16753 			   struct net_device *netdev, const u8 *buf,
16754 			   size_t len, gfp_t gfp, int uapsd_queues,
16755 			   const u8 *req_ies, size_t req_ies_len)
16756 {
16757 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16758 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16759 				req_ies, req_ies_len, false);
16760 }
16761 
16762 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16763 			 struct net_device *netdev, const u8 *buf,
16764 			 size_t len, bool reconnect, gfp_t gfp)
16765 {
16766 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16767 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16768 				reconnect);
16769 }
16770 
16771 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16772 			   struct net_device *netdev, const u8 *buf,
16773 			   size_t len, bool reconnect, gfp_t gfp)
16774 {
16775 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16776 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16777 				reconnect);
16778 }
16779 
16780 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16781 				  size_t len)
16782 {
16783 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16784 	struct wiphy *wiphy = wdev->wiphy;
16785 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16786 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16787 	u32 cmd;
16788 
16789 	if (WARN_ON(len < 2))
16790 		return;
16791 
16792 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16793 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16794 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16795 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16796 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16797 		if (wdev->unprot_beacon_reported &&
16798 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16799 			return;
16800 		cmd = NL80211_CMD_UNPROT_BEACON;
16801 		wdev->unprot_beacon_reported = jiffies;
16802 	} else {
16803 		return;
16804 	}
16805 
16806 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16807 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16808 				NULL, 0, false);
16809 }
16810 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16811 
16812 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16813 				      struct net_device *netdev, int cmd,
16814 				      const u8 *addr, gfp_t gfp)
16815 {
16816 	struct sk_buff *msg;
16817 	void *hdr;
16818 
16819 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16820 	if (!msg)
16821 		return;
16822 
16823 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16824 	if (!hdr) {
16825 		nlmsg_free(msg);
16826 		return;
16827 	}
16828 
16829 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16830 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16831 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16832 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16833 		goto nla_put_failure;
16834 
16835 	genlmsg_end(msg, hdr);
16836 
16837 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16838 				NL80211_MCGRP_MLME, gfp);
16839 	return;
16840 
16841  nla_put_failure:
16842 	nlmsg_free(msg);
16843 }
16844 
16845 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16846 			       struct net_device *netdev, const u8 *addr,
16847 			       gfp_t gfp)
16848 {
16849 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16850 				  addr, gfp);
16851 }
16852 
16853 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16854 				struct net_device *netdev, const u8 *addr,
16855 				gfp_t gfp)
16856 {
16857 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16858 				  addr, gfp);
16859 }
16860 
16861 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16862 				 struct net_device *netdev,
16863 				 struct cfg80211_connect_resp_params *cr,
16864 				 gfp_t gfp)
16865 {
16866 	struct sk_buff *msg;
16867 	void *hdr;
16868 
16869 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16870 			cr->fils.kek_len + cr->fils.pmk_len +
16871 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16872 	if (!msg)
16873 		return;
16874 
16875 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16876 	if (!hdr) {
16877 		nlmsg_free(msg);
16878 		return;
16879 	}
16880 
16881 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16882 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16883 	    (cr->bssid &&
16884 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16885 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16886 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16887 			cr->status) ||
16888 	    (cr->status < 0 &&
16889 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16890 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16891 			  cr->timeout_reason))) ||
16892 	    (cr->req_ie &&
16893 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16894 	    (cr->resp_ie &&
16895 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16896 		     cr->resp_ie)) ||
16897 	    (cr->fils.update_erp_next_seq_num &&
16898 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16899 			 cr->fils.erp_next_seq_num)) ||
16900 	    (cr->status == WLAN_STATUS_SUCCESS &&
16901 	     ((cr->fils.kek &&
16902 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16903 		       cr->fils.kek)) ||
16904 	      (cr->fils.pmk &&
16905 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16906 	      (cr->fils.pmkid &&
16907 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16908 		goto nla_put_failure;
16909 
16910 	genlmsg_end(msg, hdr);
16911 
16912 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16913 				NL80211_MCGRP_MLME, gfp);
16914 	return;
16915 
16916  nla_put_failure:
16917 	nlmsg_free(msg);
16918 }
16919 
16920 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16921 			 struct net_device *netdev,
16922 			 struct cfg80211_roam_info *info, gfp_t gfp)
16923 {
16924 	struct sk_buff *msg;
16925 	void *hdr;
16926 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16927 
16928 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16929 			info->fils.kek_len + info->fils.pmk_len +
16930 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16931 	if (!msg)
16932 		return;
16933 
16934 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16935 	if (!hdr) {
16936 		nlmsg_free(msg);
16937 		return;
16938 	}
16939 
16940 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16941 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16942 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16943 	    (info->req_ie &&
16944 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16945 		     info->req_ie)) ||
16946 	    (info->resp_ie &&
16947 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16948 		     info->resp_ie)) ||
16949 	    (info->fils.update_erp_next_seq_num &&
16950 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16951 			 info->fils.erp_next_seq_num)) ||
16952 	    (info->fils.kek &&
16953 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16954 		     info->fils.kek)) ||
16955 	    (info->fils.pmk &&
16956 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16957 	    (info->fils.pmkid &&
16958 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16959 		goto nla_put_failure;
16960 
16961 	genlmsg_end(msg, hdr);
16962 
16963 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16964 				NL80211_MCGRP_MLME, gfp);
16965 	return;
16966 
16967  nla_put_failure:
16968 	nlmsg_free(msg);
16969 }
16970 
16971 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16972 				  struct net_device *netdev, const u8 *bssid)
16973 {
16974 	struct sk_buff *msg;
16975 	void *hdr;
16976 
16977 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16978 	if (!msg)
16979 		return;
16980 
16981 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16982 	if (!hdr) {
16983 		nlmsg_free(msg);
16984 		return;
16985 	}
16986 
16987 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16988 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16989 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16990 		goto nla_put_failure;
16991 
16992 	genlmsg_end(msg, hdr);
16993 
16994 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16995 				NL80211_MCGRP_MLME, GFP_KERNEL);
16996 	return;
16997 
16998  nla_put_failure:
16999 	nlmsg_free(msg);
17000 }
17001 
17002 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
17003 			       struct net_device *netdev, u16 reason,
17004 			       const u8 *ie, size_t ie_len, bool from_ap)
17005 {
17006 	struct sk_buff *msg;
17007 	void *hdr;
17008 
17009 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
17010 	if (!msg)
17011 		return;
17012 
17013 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
17014 	if (!hdr) {
17015 		nlmsg_free(msg);
17016 		return;
17017 	}
17018 
17019 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17020 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17021 	    (reason &&
17022 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
17023 	    (from_ap &&
17024 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
17025 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
17026 		goto nla_put_failure;
17027 
17028 	genlmsg_end(msg, hdr);
17029 
17030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17031 				NL80211_MCGRP_MLME, GFP_KERNEL);
17032 	return;
17033 
17034  nla_put_failure:
17035 	nlmsg_free(msg);
17036 }
17037 
17038 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
17039 			     struct net_device *netdev, const u8 *bssid,
17040 			     gfp_t gfp)
17041 {
17042 	struct sk_buff *msg;
17043 	void *hdr;
17044 
17045 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17046 	if (!msg)
17047 		return;
17048 
17049 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
17050 	if (!hdr) {
17051 		nlmsg_free(msg);
17052 		return;
17053 	}
17054 
17055 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17056 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17057 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17058 		goto nla_put_failure;
17059 
17060 	genlmsg_end(msg, hdr);
17061 
17062 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17063 				NL80211_MCGRP_MLME, gfp);
17064 	return;
17065 
17066  nla_put_failure:
17067 	nlmsg_free(msg);
17068 }
17069 
17070 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
17071 					const u8 *ie, u8 ie_len,
17072 					int sig_dbm, gfp_t gfp)
17073 {
17074 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17075 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17076 	struct sk_buff *msg;
17077 	void *hdr;
17078 
17079 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17080 		return;
17081 
17082 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17083 
17084 	msg = nlmsg_new(100 + ie_len, gfp);
17085 	if (!msg)
17086 		return;
17087 
17088 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17089 	if (!hdr) {
17090 		nlmsg_free(msg);
17091 		return;
17092 	}
17093 
17094 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17095 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17096 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17097 	    (ie_len && ie &&
17098 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17099 	    (sig_dbm &&
17100 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17101 		goto nla_put_failure;
17102 
17103 	genlmsg_end(msg, hdr);
17104 
17105 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17106 				NL80211_MCGRP_MLME, gfp);
17107 	return;
17108 
17109  nla_put_failure:
17110 	nlmsg_free(msg);
17111 }
17112 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17113 
17114 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17115 				 struct net_device *netdev, const u8 *addr,
17116 				 enum nl80211_key_type key_type, int key_id,
17117 				 const u8 *tsc, gfp_t gfp)
17118 {
17119 	struct sk_buff *msg;
17120 	void *hdr;
17121 
17122 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17123 	if (!msg)
17124 		return;
17125 
17126 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17127 	if (!hdr) {
17128 		nlmsg_free(msg);
17129 		return;
17130 	}
17131 
17132 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17133 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17134 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
17135 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
17136 	    (key_id != -1 &&
17137 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
17138 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
17139 		goto nla_put_failure;
17140 
17141 	genlmsg_end(msg, hdr);
17142 
17143 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17144 				NL80211_MCGRP_MLME, gfp);
17145 	return;
17146 
17147  nla_put_failure:
17148 	nlmsg_free(msg);
17149 }
17150 
17151 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
17152 				    struct ieee80211_channel *channel_before,
17153 				    struct ieee80211_channel *channel_after)
17154 {
17155 	struct sk_buff *msg;
17156 	void *hdr;
17157 	struct nlattr *nl_freq;
17158 
17159 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
17160 	if (!msg)
17161 		return;
17162 
17163 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
17164 	if (!hdr) {
17165 		nlmsg_free(msg);
17166 		return;
17167 	}
17168 
17169 	/*
17170 	 * Since we are applying the beacon hint to a wiphy we know its
17171 	 * wiphy_idx is valid
17172 	 */
17173 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17174 		goto nla_put_failure;
17175 
17176 	/* Before */
17177 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17178 	if (!nl_freq)
17179 		goto nla_put_failure;
17180 
17181 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17182 		goto nla_put_failure;
17183 	nla_nest_end(msg, nl_freq);
17184 
17185 	/* After */
17186 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17187 	if (!nl_freq)
17188 		goto nla_put_failure;
17189 
17190 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17191 		goto nla_put_failure;
17192 	nla_nest_end(msg, nl_freq);
17193 
17194 	genlmsg_end(msg, hdr);
17195 
17196 	rcu_read_lock();
17197 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17198 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17199 	rcu_read_unlock();
17200 
17201 	return;
17202 
17203 nla_put_failure:
17204 	nlmsg_free(msg);
17205 }
17206 
17207 static void nl80211_send_remain_on_chan_event(
17208 	int cmd, struct cfg80211_registered_device *rdev,
17209 	struct wireless_dev *wdev, u64 cookie,
17210 	struct ieee80211_channel *chan,
17211 	unsigned int duration, gfp_t gfp)
17212 {
17213 	struct sk_buff *msg;
17214 	void *hdr;
17215 
17216 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17217 	if (!msg)
17218 		return;
17219 
17220 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17221 	if (!hdr) {
17222 		nlmsg_free(msg);
17223 		return;
17224 	}
17225 
17226 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17227 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17228 					 wdev->netdev->ifindex)) ||
17229 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17230 			      NL80211_ATTR_PAD) ||
17231 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17232 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17233 			NL80211_CHAN_NO_HT) ||
17234 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17235 			      NL80211_ATTR_PAD))
17236 		goto nla_put_failure;
17237 
17238 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17239 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17240 		goto nla_put_failure;
17241 
17242 	genlmsg_end(msg, hdr);
17243 
17244 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17245 				NL80211_MCGRP_MLME, gfp);
17246 	return;
17247 
17248  nla_put_failure:
17249 	nlmsg_free(msg);
17250 }
17251 
17252 void cfg80211_assoc_comeback(struct net_device *netdev,
17253 			     struct cfg80211_bss *bss, u32 timeout)
17254 {
17255 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17256 	struct wiphy *wiphy = wdev->wiphy;
17257 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17258 	struct sk_buff *msg;
17259 	void *hdr;
17260 
17261 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17262 
17263 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17264 	if (!msg)
17265 		return;
17266 
17267 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17268 	if (!hdr) {
17269 		nlmsg_free(msg);
17270 		return;
17271 	}
17272 
17273 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17274 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17275 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17276 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17277 		goto nla_put_failure;
17278 
17279 	genlmsg_end(msg, hdr);
17280 
17281 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17282 				NL80211_MCGRP_MLME, GFP_KERNEL);
17283 	return;
17284 
17285  nla_put_failure:
17286 	nlmsg_free(msg);
17287 }
17288 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17289 
17290 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17291 			       struct ieee80211_channel *chan,
17292 			       unsigned int duration, gfp_t gfp)
17293 {
17294 	struct wiphy *wiphy = wdev->wiphy;
17295 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17296 
17297 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17298 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17299 					  rdev, wdev, cookie, chan,
17300 					  duration, gfp);
17301 }
17302 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17303 
17304 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17305 					struct ieee80211_channel *chan,
17306 					gfp_t gfp)
17307 {
17308 	struct wiphy *wiphy = wdev->wiphy;
17309 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17310 
17311 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17312 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17313 					  rdev, wdev, cookie, chan, 0, gfp);
17314 }
17315 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17316 
17317 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17318 					struct ieee80211_channel *chan,
17319 					gfp_t gfp)
17320 {
17321 	struct wiphy *wiphy = wdev->wiphy;
17322 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17323 
17324 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17325 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17326 					  rdev, wdev, cookie, chan, 0, gfp);
17327 }
17328 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17329 
17330 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17331 		      struct station_info *sinfo, gfp_t gfp)
17332 {
17333 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17334 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17335 	struct sk_buff *msg;
17336 
17337 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17338 
17339 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17340 	if (!msg)
17341 		return;
17342 
17343 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17344 				 rdev, dev, mac_addr, sinfo) < 0) {
17345 		nlmsg_free(msg);
17346 		return;
17347 	}
17348 
17349 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17350 				NL80211_MCGRP_MLME, gfp);
17351 }
17352 EXPORT_SYMBOL(cfg80211_new_sta);
17353 
17354 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17355 			    struct station_info *sinfo, gfp_t gfp)
17356 {
17357 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17358 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17359 	struct sk_buff *msg;
17360 	struct station_info empty_sinfo = {};
17361 
17362 	if (!sinfo)
17363 		sinfo = &empty_sinfo;
17364 
17365 	trace_cfg80211_del_sta(dev, mac_addr);
17366 
17367 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17368 	if (!msg) {
17369 		cfg80211_sinfo_release_content(sinfo);
17370 		return;
17371 	}
17372 
17373 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17374 				 rdev, dev, mac_addr, sinfo) < 0) {
17375 		nlmsg_free(msg);
17376 		return;
17377 	}
17378 
17379 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17380 				NL80211_MCGRP_MLME, gfp);
17381 }
17382 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17383 
17384 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17385 			  enum nl80211_connect_failed_reason reason,
17386 			  gfp_t gfp)
17387 {
17388 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17389 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17390 	struct sk_buff *msg;
17391 	void *hdr;
17392 
17393 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17394 	if (!msg)
17395 		return;
17396 
17397 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17398 	if (!hdr) {
17399 		nlmsg_free(msg);
17400 		return;
17401 	}
17402 
17403 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17404 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17405 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17406 		goto nla_put_failure;
17407 
17408 	genlmsg_end(msg, hdr);
17409 
17410 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17411 				NL80211_MCGRP_MLME, gfp);
17412 	return;
17413 
17414  nla_put_failure:
17415 	nlmsg_free(msg);
17416 }
17417 EXPORT_SYMBOL(cfg80211_conn_failed);
17418 
17419 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17420 				       const u8 *addr, gfp_t gfp)
17421 {
17422 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17423 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17424 	struct sk_buff *msg;
17425 	void *hdr;
17426 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17427 
17428 	if (!nlportid)
17429 		return false;
17430 
17431 	msg = nlmsg_new(100, gfp);
17432 	if (!msg)
17433 		return true;
17434 
17435 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17436 	if (!hdr) {
17437 		nlmsg_free(msg);
17438 		return true;
17439 	}
17440 
17441 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17442 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17443 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17444 		goto nla_put_failure;
17445 
17446 	genlmsg_end(msg, hdr);
17447 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17448 	return true;
17449 
17450  nla_put_failure:
17451 	nlmsg_free(msg);
17452 	return true;
17453 }
17454 
17455 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17456 				const u8 *addr, gfp_t gfp)
17457 {
17458 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17459 	bool ret;
17460 
17461 	trace_cfg80211_rx_spurious_frame(dev, addr);
17462 
17463 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17464 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17465 		trace_cfg80211_return_bool(false);
17466 		return false;
17467 	}
17468 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17469 					 addr, gfp);
17470 	trace_cfg80211_return_bool(ret);
17471 	return ret;
17472 }
17473 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17474 
17475 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17476 					const u8 *addr, gfp_t gfp)
17477 {
17478 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17479 	bool ret;
17480 
17481 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17482 
17483 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17484 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17485 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17486 		trace_cfg80211_return_bool(false);
17487 		return false;
17488 	}
17489 	ret = __nl80211_unexpected_frame(dev,
17490 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17491 					 addr, gfp);
17492 	trace_cfg80211_return_bool(ret);
17493 	return ret;
17494 }
17495 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17496 
17497 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17498 		      struct wireless_dev *wdev, u32 nlportid,
17499 		      int freq, int sig_dbm,
17500 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17501 {
17502 	struct net_device *netdev = wdev->netdev;
17503 	struct sk_buff *msg;
17504 	void *hdr;
17505 
17506 	msg = nlmsg_new(100 + len, gfp);
17507 	if (!msg)
17508 		return -ENOMEM;
17509 
17510 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17511 	if (!hdr) {
17512 		nlmsg_free(msg);
17513 		return -ENOMEM;
17514 	}
17515 
17516 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17517 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17518 					netdev->ifindex)) ||
17519 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17520 			      NL80211_ATTR_PAD) ||
17521 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17522 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17523 	    (sig_dbm &&
17524 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17525 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17526 	    (flags &&
17527 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17528 		goto nla_put_failure;
17529 
17530 	genlmsg_end(msg, hdr);
17531 
17532 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17533 
17534  nla_put_failure:
17535 	nlmsg_free(msg);
17536 	return -ENOBUFS;
17537 }
17538 
17539 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17540 				    const u8 *buf, size_t len, bool ack,
17541 				    gfp_t gfp, enum nl80211_commands command)
17542 {
17543 	struct wiphy *wiphy = wdev->wiphy;
17544 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17545 	struct net_device *netdev = wdev->netdev;
17546 	struct sk_buff *msg;
17547 	void *hdr;
17548 
17549 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17550 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17551 	else
17552 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17553 
17554 	msg = nlmsg_new(100 + len, gfp);
17555 	if (!msg)
17556 		return;
17557 
17558 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17559 	if (!hdr) {
17560 		nlmsg_free(msg);
17561 		return;
17562 	}
17563 
17564 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17565 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17566 				   netdev->ifindex)) ||
17567 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17568 			      NL80211_ATTR_PAD) ||
17569 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17570 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17571 			      NL80211_ATTR_PAD) ||
17572 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17573 		goto nla_put_failure;
17574 
17575 	genlmsg_end(msg, hdr);
17576 
17577 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17578 				NL80211_MCGRP_MLME, gfp);
17579 	return;
17580 
17581 nla_put_failure:
17582 	nlmsg_free(msg);
17583 }
17584 
17585 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17586 				     const u8 *buf, size_t len, bool ack,
17587 				     gfp_t gfp)
17588 {
17589 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17590 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17591 }
17592 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17593 
17594 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17595 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17596 {
17597 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17598 				NL80211_CMD_FRAME_TX_STATUS);
17599 }
17600 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17601 
17602 static int __nl80211_rx_control_port(struct net_device *dev,
17603 				     struct sk_buff *skb,
17604 				     bool unencrypted, gfp_t gfp)
17605 {
17606 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17607 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17608 	struct ethhdr *ehdr = eth_hdr(skb);
17609 	const u8 *addr = ehdr->h_source;
17610 	u16 proto = be16_to_cpu(skb->protocol);
17611 	struct sk_buff *msg;
17612 	void *hdr;
17613 	struct nlattr *frame;
17614 
17615 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17616 
17617 	if (!nlportid)
17618 		return -ENOENT;
17619 
17620 	msg = nlmsg_new(100 + skb->len, gfp);
17621 	if (!msg)
17622 		return -ENOMEM;
17623 
17624 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17625 	if (!hdr) {
17626 		nlmsg_free(msg);
17627 		return -ENOBUFS;
17628 	}
17629 
17630 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17631 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17632 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17633 			      NL80211_ATTR_PAD) ||
17634 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17635 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17636 	    (unencrypted && nla_put_flag(msg,
17637 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17638 		goto nla_put_failure;
17639 
17640 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17641 	if (!frame)
17642 		goto nla_put_failure;
17643 
17644 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17645 	genlmsg_end(msg, hdr);
17646 
17647 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17648 
17649  nla_put_failure:
17650 	nlmsg_free(msg);
17651 	return -ENOBUFS;
17652 }
17653 
17654 bool cfg80211_rx_control_port(struct net_device *dev,
17655 			      struct sk_buff *skb, bool unencrypted)
17656 {
17657 	int ret;
17658 
17659 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17660 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17661 	trace_cfg80211_return_bool(ret == 0);
17662 	return ret == 0;
17663 }
17664 EXPORT_SYMBOL(cfg80211_rx_control_port);
17665 
17666 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17667 					    const char *mac, gfp_t gfp)
17668 {
17669 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17670 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17671 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17672 	void **cb;
17673 
17674 	if (!msg)
17675 		return NULL;
17676 
17677 	cb = (void **)msg->cb;
17678 
17679 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17680 	if (!cb[0]) {
17681 		nlmsg_free(msg);
17682 		return NULL;
17683 	}
17684 
17685 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17686 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17687 		goto nla_put_failure;
17688 
17689 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17690 		goto nla_put_failure;
17691 
17692 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17693 	if (!cb[1])
17694 		goto nla_put_failure;
17695 
17696 	cb[2] = rdev;
17697 
17698 	return msg;
17699  nla_put_failure:
17700 	nlmsg_free(msg);
17701 	return NULL;
17702 }
17703 
17704 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17705 {
17706 	void **cb = (void **)msg->cb;
17707 	struct cfg80211_registered_device *rdev = cb[2];
17708 
17709 	nla_nest_end(msg, cb[1]);
17710 	genlmsg_end(msg, cb[0]);
17711 
17712 	memset(msg->cb, 0, sizeof(msg->cb));
17713 
17714 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17715 				NL80211_MCGRP_MLME, gfp);
17716 }
17717 
17718 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17719 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17720 			      s32 rssi_level, gfp_t gfp)
17721 {
17722 	struct sk_buff *msg;
17723 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17724 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17725 
17726 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17727 
17728 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17729 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17730 		return;
17731 
17732 	if (wdev->cqm_config) {
17733 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17734 
17735 		cfg80211_cqm_rssi_update(rdev, dev);
17736 
17737 		if (rssi_level == 0)
17738 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17739 	}
17740 
17741 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17742 	if (!msg)
17743 		return;
17744 
17745 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17746 			rssi_event))
17747 		goto nla_put_failure;
17748 
17749 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17750 				      rssi_level))
17751 		goto nla_put_failure;
17752 
17753 	cfg80211_send_cqm(msg, gfp);
17754 
17755 	return;
17756 
17757  nla_put_failure:
17758 	nlmsg_free(msg);
17759 }
17760 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17761 
17762 void cfg80211_cqm_txe_notify(struct net_device *dev,
17763 			     const u8 *peer, u32 num_packets,
17764 			     u32 rate, u32 intvl, gfp_t gfp)
17765 {
17766 	struct sk_buff *msg;
17767 
17768 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17769 	if (!msg)
17770 		return;
17771 
17772 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17773 		goto nla_put_failure;
17774 
17775 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17776 		goto nla_put_failure;
17777 
17778 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17779 		goto nla_put_failure;
17780 
17781 	cfg80211_send_cqm(msg, gfp);
17782 	return;
17783 
17784  nla_put_failure:
17785 	nlmsg_free(msg);
17786 }
17787 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17788 
17789 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17790 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17791 {
17792 	struct sk_buff *msg;
17793 
17794 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17795 
17796 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17797 	if (!msg)
17798 		return;
17799 
17800 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17801 		goto nla_put_failure;
17802 
17803 	cfg80211_send_cqm(msg, gfp);
17804 	return;
17805 
17806  nla_put_failure:
17807 	nlmsg_free(msg);
17808 }
17809 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17810 
17811 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17812 {
17813 	struct sk_buff *msg;
17814 
17815 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17816 	if (!msg)
17817 		return;
17818 
17819 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17820 		goto nla_put_failure;
17821 
17822 	cfg80211_send_cqm(msg, gfp);
17823 	return;
17824 
17825  nla_put_failure:
17826 	nlmsg_free(msg);
17827 }
17828 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17829 
17830 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17831 				     struct net_device *netdev, const u8 *bssid,
17832 				     const u8 *replay_ctr, gfp_t gfp)
17833 {
17834 	struct sk_buff *msg;
17835 	struct nlattr *rekey_attr;
17836 	void *hdr;
17837 
17838 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17839 	if (!msg)
17840 		return;
17841 
17842 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17843 	if (!hdr) {
17844 		nlmsg_free(msg);
17845 		return;
17846 	}
17847 
17848 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17849 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17850 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17851 		goto nla_put_failure;
17852 
17853 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17854 	if (!rekey_attr)
17855 		goto nla_put_failure;
17856 
17857 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17858 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17859 		goto nla_put_failure;
17860 
17861 	nla_nest_end(msg, rekey_attr);
17862 
17863 	genlmsg_end(msg, hdr);
17864 
17865 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17866 				NL80211_MCGRP_MLME, gfp);
17867 	return;
17868 
17869  nla_put_failure:
17870 	nlmsg_free(msg);
17871 }
17872 
17873 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17874 			       const u8 *replay_ctr, gfp_t gfp)
17875 {
17876 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17877 	struct wiphy *wiphy = wdev->wiphy;
17878 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17879 
17880 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17881 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17882 }
17883 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17884 
17885 static void
17886 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17887 			       struct net_device *netdev, int index,
17888 			       const u8 *bssid, bool preauth, gfp_t gfp)
17889 {
17890 	struct sk_buff *msg;
17891 	struct nlattr *attr;
17892 	void *hdr;
17893 
17894 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17895 	if (!msg)
17896 		return;
17897 
17898 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17899 	if (!hdr) {
17900 		nlmsg_free(msg);
17901 		return;
17902 	}
17903 
17904 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17905 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17906 		goto nla_put_failure;
17907 
17908 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17909 	if (!attr)
17910 		goto nla_put_failure;
17911 
17912 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17913 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17914 	    (preauth &&
17915 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17916 		goto nla_put_failure;
17917 
17918 	nla_nest_end(msg, attr);
17919 
17920 	genlmsg_end(msg, hdr);
17921 
17922 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17923 				NL80211_MCGRP_MLME, gfp);
17924 	return;
17925 
17926  nla_put_failure:
17927 	nlmsg_free(msg);
17928 }
17929 
17930 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17931 				     const u8 *bssid, bool preauth, gfp_t gfp)
17932 {
17933 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17934 	struct wiphy *wiphy = wdev->wiphy;
17935 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17936 
17937 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17938 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17939 }
17940 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17941 
17942 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17943 				     struct net_device *netdev,
17944 				     struct cfg80211_chan_def *chandef,
17945 				     gfp_t gfp,
17946 				     enum nl80211_commands notif,
17947 				     u8 count, bool quiet)
17948 {
17949 	struct sk_buff *msg;
17950 	void *hdr;
17951 
17952 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17953 	if (!msg)
17954 		return;
17955 
17956 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17957 	if (!hdr) {
17958 		nlmsg_free(msg);
17959 		return;
17960 	}
17961 
17962 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17963 		goto nla_put_failure;
17964 
17965 	if (nl80211_send_chandef(msg, chandef))
17966 		goto nla_put_failure;
17967 
17968 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17969 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17970 			goto nla_put_failure;
17971 		if (quiet &&
17972 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17973 			goto nla_put_failure;
17974 	}
17975 
17976 	genlmsg_end(msg, hdr);
17977 
17978 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17979 				NL80211_MCGRP_MLME, gfp);
17980 	return;
17981 
17982  nla_put_failure:
17983 	nlmsg_free(msg);
17984 }
17985 
17986 void cfg80211_ch_switch_notify(struct net_device *dev,
17987 			       struct cfg80211_chan_def *chandef)
17988 {
17989 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17990 	struct wiphy *wiphy = wdev->wiphy;
17991 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17992 
17993 	ASSERT_WDEV_LOCK(wdev);
17994 
17995 	trace_cfg80211_ch_switch_notify(dev, chandef);
17996 
17997 	wdev->chandef = *chandef;
17998 	wdev->preset_chandef = *chandef;
17999 
18000 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
18001 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
18002 	    !WARN_ON(!wdev->current_bss))
18003 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
18004 
18005 	cfg80211_sched_dfs_chan_update(rdev);
18006 
18007 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
18008 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
18009 }
18010 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
18011 
18012 void cfg80211_ch_switch_started_notify(struct net_device *dev,
18013 				       struct cfg80211_chan_def *chandef,
18014 				       u8 count, bool quiet)
18015 {
18016 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18017 	struct wiphy *wiphy = wdev->wiphy;
18018 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18019 
18020 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
18021 
18022 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
18023 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
18024 				 count, quiet);
18025 }
18026 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
18027 
18028 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
18029 			      enum nl80211_commands cmd, u8 count,
18030 			      u64 color_bitmap)
18031 {
18032 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18033 	struct wiphy *wiphy = wdev->wiphy;
18034 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18035 	struct sk_buff *msg;
18036 	void *hdr;
18037 
18038 	ASSERT_WDEV_LOCK(wdev);
18039 
18040 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
18041 
18042 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18043 	if (!msg)
18044 		return -ENOMEM;
18045 
18046 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18047 	if (!hdr)
18048 		goto nla_put_failure;
18049 
18050 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18051 		goto nla_put_failure;
18052 
18053 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
18054 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
18055 		goto nla_put_failure;
18056 
18057 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
18058 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
18059 			      color_bitmap, NL80211_ATTR_PAD))
18060 		goto nla_put_failure;
18061 
18062 	genlmsg_end(msg, hdr);
18063 
18064 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
18065 				       msg, 0, NL80211_MCGRP_MLME, gfp);
18066 
18067 nla_put_failure:
18068 	nlmsg_free(msg);
18069 	return -EINVAL;
18070 }
18071 EXPORT_SYMBOL(cfg80211_bss_color_notify);
18072 
18073 void
18074 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
18075 		     const struct cfg80211_chan_def *chandef,
18076 		     enum nl80211_radar_event event,
18077 		     struct net_device *netdev, gfp_t gfp)
18078 {
18079 	struct sk_buff *msg;
18080 	void *hdr;
18081 
18082 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18083 	if (!msg)
18084 		return;
18085 
18086 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18087 	if (!hdr) {
18088 		nlmsg_free(msg);
18089 		return;
18090 	}
18091 
18092 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18093 		goto nla_put_failure;
18094 
18095 	/* NOP and radar events don't need a netdev parameter */
18096 	if (netdev) {
18097 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
18098 
18099 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18100 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18101 				      NL80211_ATTR_PAD))
18102 			goto nla_put_failure;
18103 	}
18104 
18105 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
18106 		goto nla_put_failure;
18107 
18108 	if (nl80211_send_chandef(msg, chandef))
18109 		goto nla_put_failure;
18110 
18111 	genlmsg_end(msg, hdr);
18112 
18113 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18114 				NL80211_MCGRP_MLME, gfp);
18115 	return;
18116 
18117  nla_put_failure:
18118 	nlmsg_free(msg);
18119 }
18120 
18121 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
18122 				       struct sta_opmode_info *sta_opmode,
18123 				       gfp_t gfp)
18124 {
18125 	struct sk_buff *msg;
18126 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18127 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18128 	void *hdr;
18129 
18130 	if (WARN_ON(!mac))
18131 		return;
18132 
18133 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18134 	if (!msg)
18135 		return;
18136 
18137 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
18138 	if (!hdr) {
18139 		nlmsg_free(msg);
18140 		return;
18141 	}
18142 
18143 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18144 		goto nla_put_failure;
18145 
18146 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18147 		goto nla_put_failure;
18148 
18149 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18150 		goto nla_put_failure;
18151 
18152 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
18153 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
18154 		goto nla_put_failure;
18155 
18156 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
18157 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
18158 		goto nla_put_failure;
18159 
18160 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
18161 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
18162 		goto nla_put_failure;
18163 
18164 	genlmsg_end(msg, hdr);
18165 
18166 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18167 				NL80211_MCGRP_MLME, gfp);
18168 
18169 	return;
18170 
18171 nla_put_failure:
18172 	nlmsg_free(msg);
18173 }
18174 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18175 
18176 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18177 			   u64 cookie, bool acked, s32 ack_signal,
18178 			   bool is_valid_ack_signal, gfp_t gfp)
18179 {
18180 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18181 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18182 	struct sk_buff *msg;
18183 	void *hdr;
18184 
18185 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18186 
18187 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18188 
18189 	if (!msg)
18190 		return;
18191 
18192 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18193 	if (!hdr) {
18194 		nlmsg_free(msg);
18195 		return;
18196 	}
18197 
18198 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18199 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18200 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18201 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18202 			      NL80211_ATTR_PAD) ||
18203 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18204 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18205 						ack_signal)))
18206 		goto nla_put_failure;
18207 
18208 	genlmsg_end(msg, hdr);
18209 
18210 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18211 				NL80211_MCGRP_MLME, gfp);
18212 	return;
18213 
18214  nla_put_failure:
18215 	nlmsg_free(msg);
18216 }
18217 EXPORT_SYMBOL(cfg80211_probe_status);
18218 
18219 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18220 				     size_t len, int freq, int sig_dbm)
18221 {
18222 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18223 	struct sk_buff *msg;
18224 	void *hdr;
18225 	struct cfg80211_beacon_registration *reg;
18226 
18227 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18228 
18229 	spin_lock_bh(&rdev->beacon_registrations_lock);
18230 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18231 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18232 		if (!msg) {
18233 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18234 			return;
18235 		}
18236 
18237 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18238 		if (!hdr)
18239 			goto nla_put_failure;
18240 
18241 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18242 		    (freq &&
18243 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18244 				  KHZ_TO_MHZ(freq)) ||
18245 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18246 				  freq % 1000))) ||
18247 		    (sig_dbm &&
18248 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18249 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18250 			goto nla_put_failure;
18251 
18252 		genlmsg_end(msg, hdr);
18253 
18254 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18255 	}
18256 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18257 	return;
18258 
18259  nla_put_failure:
18260 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18261 	nlmsg_free(msg);
18262 }
18263 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18264 
18265 #ifdef CONFIG_PM
18266 static int cfg80211_net_detect_results(struct sk_buff *msg,
18267 				       struct cfg80211_wowlan_wakeup *wakeup)
18268 {
18269 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18270 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18271 	int i, j;
18272 
18273 	nl_results = nla_nest_start_noflag(msg,
18274 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18275 	if (!nl_results)
18276 		return -EMSGSIZE;
18277 
18278 	for (i = 0; i < nd->n_matches; i++) {
18279 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18280 
18281 		nl_match = nla_nest_start_noflag(msg, i);
18282 		if (!nl_match)
18283 			break;
18284 
18285 		/* The SSID attribute is optional in nl80211, but for
18286 		 * simplicity reasons it's always present in the
18287 		 * cfg80211 structure.  If a driver can't pass the
18288 		 * SSID, that needs to be changed.  A zero length SSID
18289 		 * is still a valid SSID (wildcard), so it cannot be
18290 		 * used for this purpose.
18291 		 */
18292 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18293 			    match->ssid.ssid)) {
18294 			nla_nest_cancel(msg, nl_match);
18295 			goto out;
18296 		}
18297 
18298 		if (match->n_channels) {
18299 			nl_freqs = nla_nest_start_noflag(msg,
18300 							 NL80211_ATTR_SCAN_FREQUENCIES);
18301 			if (!nl_freqs) {
18302 				nla_nest_cancel(msg, nl_match);
18303 				goto out;
18304 			}
18305 
18306 			for (j = 0; j < match->n_channels; j++) {
18307 				if (nla_put_u32(msg, j, match->channels[j])) {
18308 					nla_nest_cancel(msg, nl_freqs);
18309 					nla_nest_cancel(msg, nl_match);
18310 					goto out;
18311 				}
18312 			}
18313 
18314 			nla_nest_end(msg, nl_freqs);
18315 		}
18316 
18317 		nla_nest_end(msg, nl_match);
18318 	}
18319 
18320 out:
18321 	nla_nest_end(msg, nl_results);
18322 	return 0;
18323 }
18324 
18325 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18326 				   struct cfg80211_wowlan_wakeup *wakeup,
18327 				   gfp_t gfp)
18328 {
18329 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18330 	struct sk_buff *msg;
18331 	void *hdr;
18332 	int size = 200;
18333 
18334 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18335 
18336 	if (wakeup)
18337 		size += wakeup->packet_present_len;
18338 
18339 	msg = nlmsg_new(size, gfp);
18340 	if (!msg)
18341 		return;
18342 
18343 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18344 	if (!hdr)
18345 		goto free_msg;
18346 
18347 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18348 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18349 			      NL80211_ATTR_PAD))
18350 		goto free_msg;
18351 
18352 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18353 					wdev->netdev->ifindex))
18354 		goto free_msg;
18355 
18356 	if (wakeup) {
18357 		struct nlattr *reasons;
18358 
18359 		reasons = nla_nest_start_noflag(msg,
18360 						NL80211_ATTR_WOWLAN_TRIGGERS);
18361 		if (!reasons)
18362 			goto free_msg;
18363 
18364 		if (wakeup->disconnect &&
18365 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18366 			goto free_msg;
18367 		if (wakeup->magic_pkt &&
18368 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18369 			goto free_msg;
18370 		if (wakeup->gtk_rekey_failure &&
18371 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18372 			goto free_msg;
18373 		if (wakeup->eap_identity_req &&
18374 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18375 			goto free_msg;
18376 		if (wakeup->four_way_handshake &&
18377 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18378 			goto free_msg;
18379 		if (wakeup->rfkill_release &&
18380 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18381 			goto free_msg;
18382 
18383 		if (wakeup->pattern_idx >= 0 &&
18384 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18385 				wakeup->pattern_idx))
18386 			goto free_msg;
18387 
18388 		if (wakeup->tcp_match &&
18389 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18390 			goto free_msg;
18391 
18392 		if (wakeup->tcp_connlost &&
18393 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18394 			goto free_msg;
18395 
18396 		if (wakeup->tcp_nomoretokens &&
18397 		    nla_put_flag(msg,
18398 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18399 			goto free_msg;
18400 
18401 		if (wakeup->packet) {
18402 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18403 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18404 
18405 			if (!wakeup->packet_80211) {
18406 				pkt_attr =
18407 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18408 				len_attr =
18409 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18410 			}
18411 
18412 			if (wakeup->packet_len &&
18413 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18414 				goto free_msg;
18415 
18416 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18417 				    wakeup->packet))
18418 				goto free_msg;
18419 		}
18420 
18421 		if (wakeup->net_detect &&
18422 		    cfg80211_net_detect_results(msg, wakeup))
18423 				goto free_msg;
18424 
18425 		nla_nest_end(msg, reasons);
18426 	}
18427 
18428 	genlmsg_end(msg, hdr);
18429 
18430 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18431 				NL80211_MCGRP_MLME, gfp);
18432 	return;
18433 
18434  free_msg:
18435 	nlmsg_free(msg);
18436 }
18437 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18438 #endif
18439 
18440 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18441 				enum nl80211_tdls_operation oper,
18442 				u16 reason_code, gfp_t gfp)
18443 {
18444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18445 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18446 	struct sk_buff *msg;
18447 	void *hdr;
18448 
18449 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18450 					 reason_code);
18451 
18452 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18453 	if (!msg)
18454 		return;
18455 
18456 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18457 	if (!hdr) {
18458 		nlmsg_free(msg);
18459 		return;
18460 	}
18461 
18462 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18463 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18464 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18465 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18466 	    (reason_code > 0 &&
18467 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18468 		goto nla_put_failure;
18469 
18470 	genlmsg_end(msg, hdr);
18471 
18472 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18473 				NL80211_MCGRP_MLME, gfp);
18474 	return;
18475 
18476  nla_put_failure:
18477 	nlmsg_free(msg);
18478 }
18479 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18480 
18481 static int nl80211_netlink_notify(struct notifier_block * nb,
18482 				  unsigned long state,
18483 				  void *_notify)
18484 {
18485 	struct netlink_notify *notify = _notify;
18486 	struct cfg80211_registered_device *rdev;
18487 	struct wireless_dev *wdev;
18488 	struct cfg80211_beacon_registration *reg, *tmp;
18489 
18490 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18491 		return NOTIFY_DONE;
18492 
18493 	rcu_read_lock();
18494 
18495 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18496 		struct cfg80211_sched_scan_request *sched_scan_req;
18497 
18498 		list_for_each_entry_rcu(sched_scan_req,
18499 					&rdev->sched_scan_req_list,
18500 					list) {
18501 			if (sched_scan_req->owner_nlportid == notify->portid) {
18502 				sched_scan_req->nl_owner_dead = true;
18503 				schedule_work(&rdev->sched_scan_stop_wk);
18504 			}
18505 		}
18506 
18507 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18508 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18509 
18510 			if (wdev->owner_nlportid == notify->portid) {
18511 				wdev->nl_owner_dead = true;
18512 				schedule_work(&rdev->destroy_work);
18513 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18514 				schedule_work(&wdev->disconnect_wk);
18515 			}
18516 
18517 			cfg80211_release_pmsr(wdev, notify->portid);
18518 		}
18519 
18520 		spin_lock_bh(&rdev->beacon_registrations_lock);
18521 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18522 					 list) {
18523 			if (reg->nlportid == notify->portid) {
18524 				list_del(&reg->list);
18525 				kfree(reg);
18526 				break;
18527 			}
18528 		}
18529 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18530 	}
18531 
18532 	rcu_read_unlock();
18533 
18534 	/*
18535 	 * It is possible that the user space process that is controlling the
18536 	 * indoor setting disappeared, so notify the regulatory core.
18537 	 */
18538 	regulatory_netlink_notify(notify->portid);
18539 	return NOTIFY_OK;
18540 }
18541 
18542 static struct notifier_block nl80211_netlink_notifier = {
18543 	.notifier_call = nl80211_netlink_notify,
18544 };
18545 
18546 void cfg80211_ft_event(struct net_device *netdev,
18547 		       struct cfg80211_ft_event_params *ft_event)
18548 {
18549 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18550 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18551 	struct sk_buff *msg;
18552 	void *hdr;
18553 
18554 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18555 
18556 	if (!ft_event->target_ap)
18557 		return;
18558 
18559 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18560 			GFP_KERNEL);
18561 	if (!msg)
18562 		return;
18563 
18564 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18565 	if (!hdr)
18566 		goto out;
18567 
18568 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18569 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18570 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18571 		goto out;
18572 
18573 	if (ft_event->ies &&
18574 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18575 		goto out;
18576 	if (ft_event->ric_ies &&
18577 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18578 		    ft_event->ric_ies))
18579 		goto out;
18580 
18581 	genlmsg_end(msg, hdr);
18582 
18583 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18584 				NL80211_MCGRP_MLME, GFP_KERNEL);
18585 	return;
18586  out:
18587 	nlmsg_free(msg);
18588 }
18589 EXPORT_SYMBOL(cfg80211_ft_event);
18590 
18591 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18592 {
18593 	struct cfg80211_registered_device *rdev;
18594 	struct sk_buff *msg;
18595 	void *hdr;
18596 	u32 nlportid;
18597 
18598 	rdev = wiphy_to_rdev(wdev->wiphy);
18599 	if (!rdev->crit_proto_nlportid)
18600 		return;
18601 
18602 	nlportid = rdev->crit_proto_nlportid;
18603 	rdev->crit_proto_nlportid = 0;
18604 
18605 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18606 	if (!msg)
18607 		return;
18608 
18609 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18610 	if (!hdr)
18611 		goto nla_put_failure;
18612 
18613 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18614 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18615 			      NL80211_ATTR_PAD))
18616 		goto nla_put_failure;
18617 
18618 	genlmsg_end(msg, hdr);
18619 
18620 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18621 	return;
18622 
18623  nla_put_failure:
18624 	nlmsg_free(msg);
18625 }
18626 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18627 
18628 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18629 {
18630 	struct wiphy *wiphy = wdev->wiphy;
18631 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18632 	struct sk_buff *msg;
18633 	void *hdr;
18634 
18635 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18636 	if (!msg)
18637 		return;
18638 
18639 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18640 	if (!hdr)
18641 		goto out;
18642 
18643 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18644 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18645 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18646 			      NL80211_ATTR_PAD))
18647 		goto out;
18648 
18649 	genlmsg_end(msg, hdr);
18650 
18651 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18652 				NL80211_MCGRP_MLME, GFP_KERNEL);
18653 	return;
18654  out:
18655 	nlmsg_free(msg);
18656 }
18657 
18658 int cfg80211_external_auth_request(struct net_device *dev,
18659 				   struct cfg80211_external_auth_params *params,
18660 				   gfp_t gfp)
18661 {
18662 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18663 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18664 	struct sk_buff *msg;
18665 	void *hdr;
18666 
18667 	if (!wdev->conn_owner_nlportid)
18668 		return -EINVAL;
18669 
18670 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18671 	if (!msg)
18672 		return -ENOMEM;
18673 
18674 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18675 	if (!hdr)
18676 		goto nla_put_failure;
18677 
18678 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18679 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18680 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18681 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18682 			params->action) ||
18683 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18684 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18685 		    params->ssid.ssid))
18686 		goto nla_put_failure;
18687 
18688 	genlmsg_end(msg, hdr);
18689 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18690 			wdev->conn_owner_nlportid);
18691 	return 0;
18692 
18693  nla_put_failure:
18694 	nlmsg_free(msg);
18695 	return -ENOBUFS;
18696 }
18697 EXPORT_SYMBOL(cfg80211_external_auth_request);
18698 
18699 void cfg80211_update_owe_info_event(struct net_device *netdev,
18700 				    struct cfg80211_update_owe_info *owe_info,
18701 				    gfp_t gfp)
18702 {
18703 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18704 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18705 	struct sk_buff *msg;
18706 	void *hdr;
18707 
18708 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18709 
18710 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18711 	if (!msg)
18712 		return;
18713 
18714 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18715 	if (!hdr)
18716 		goto nla_put_failure;
18717 
18718 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18719 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18720 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18721 		goto nla_put_failure;
18722 
18723 	if (!owe_info->ie_len ||
18724 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18725 		goto nla_put_failure;
18726 
18727 	genlmsg_end(msg, hdr);
18728 
18729 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18730 				NL80211_MCGRP_MLME, gfp);
18731 	return;
18732 
18733 nla_put_failure:
18734 	genlmsg_cancel(msg, hdr);
18735 	nlmsg_free(msg);
18736 }
18737 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18738 
18739 /* initialisation/exit functions */
18740 
18741 int __init nl80211_init(void)
18742 {
18743 	int err;
18744 
18745 	err = genl_register_family(&nl80211_fam);
18746 	if (err)
18747 		return err;
18748 
18749 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18750 	if (err)
18751 		goto err_out;
18752 
18753 	return 0;
18754  err_out:
18755 	genl_unregister_family(&nl80211_fam);
18756 	return err;
18757 }
18758 
18759 void nl80211_exit(void)
18760 {
18761 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18762 	genl_unregister_family(&nl80211_fam);
18763 }
18764