xref: /openbmc/linux/net/wireless/nl80211.c (revision 56edb6c2) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2021 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 /* policy for the attributes */
289 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
290 
291 static const struct nla_policy
292 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
293 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
294 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
295 					.len = U8_MAX },
296 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
297 					     .len = U8_MAX },
298 };
299 
300 static const struct nla_policy
301 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
302 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
303 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
304 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
305 		NLA_POLICY_MAX(NLA_U8, 15),
306 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
307 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
308 		NLA_POLICY_MAX(NLA_U8, 15),
309 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
310 		NLA_POLICY_MAX(NLA_U8, 31),
311 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
312 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
313 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
314 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
315 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
316 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
317 };
318 
319 static const struct nla_policy
320 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
321 	[NL80211_PMSR_TYPE_FTM] =
322 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
323 };
324 
325 static const struct nla_policy
326 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
327 	[NL80211_PMSR_REQ_ATTR_DATA] =
328 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
329 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
330 };
331 
332 static const struct nla_policy
333 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
334 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
335 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
336 	[NL80211_PMSR_PEER_ATTR_REQ] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
338 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
344 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
345 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
346 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
347 	[NL80211_PMSR_ATTR_PEERS] =
348 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
349 };
350 
351 static const struct nla_policy
352 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
353 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
354 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
355 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
356 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
357 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
358 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
359 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
360 		NLA_POLICY_EXACT_LEN(8),
361 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
362 		NLA_POLICY_EXACT_LEN(8),
363 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
364 };
365 
366 static const struct nla_policy
367 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
368 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
369 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
370 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
371 };
372 
373 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
374 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
375 				    .len = NL80211_MAX_SUPP_RATES },
376 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
377 				.len = NL80211_MAX_SUPP_HT_RATES },
378 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
379 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
380 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
381 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
382 						   NL80211_RATE_INFO_HE_GI_0_8,
383 						   NL80211_RATE_INFO_HE_GI_3_2),
384 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
385 						   NL80211_RATE_INFO_HE_1XLTF,
386 						   NL80211_RATE_INFO_HE_4XLTF),
387 };
388 
389 static const struct nla_policy
390 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
391 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
392 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
393 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
394 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
395 	[NL80211_TID_CONFIG_ATTR_NOACK] =
396 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
397 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
398 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
399 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
400 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
401 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
402 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
403 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
404 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
405 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
406 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
407 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
408 			NLA_POLICY_NESTED(nl80211_txattr_policy),
409 };
410 
411 static const struct nla_policy
412 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
413 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
414 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
415 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
416 			NLA_POLICY_RANGE(NLA_BINARY,
417 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
418 					 IEEE80211_MAX_DATA_LEN),
419 };
420 
421 static const struct nla_policy
422 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
423 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
424 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
425 						       .len = IEEE80211_MAX_DATA_LEN }
426 };
427 
428 static const struct nla_policy
429 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
430 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
431 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
432 };
433 
434 static const struct nla_policy
435 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
436 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
437 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
438 };
439 
440 static const struct nla_policy
441 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
442 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
443 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
444 						NLA_POLICY_MIN(NLA_U8, 1),
445 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
446 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
447 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
448 };
449 
450 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
451 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
452 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
453 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
454 				      .len = 20-1 },
455 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
456 
457 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
458 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
459 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
460 						NL80211_EDMG_CHANNELS_MIN,
461 						NL80211_EDMG_CHANNELS_MAX),
462 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
463 						NL80211_EDMG_BW_CONFIG_MIN,
464 						NL80211_EDMG_BW_CONFIG_MAX),
465 
466 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
467 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
468 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
469 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
470 
471 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
472 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
473 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
475 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
476 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
477 
478 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
479 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
480 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
481 
482 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
483 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
484 
485 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
486 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
487 				    .len = WLAN_MAX_KEY_LEN },
488 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
489 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
490 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
491 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
492 	[NL80211_ATTR_KEY_TYPE] =
493 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
494 
495 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
496 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
497 	[NL80211_ATTR_BEACON_HEAD] =
498 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
499 				       IEEE80211_MAX_DATA_LEN),
500 	[NL80211_ATTR_BEACON_TAIL] =
501 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
502 				       IEEE80211_MAX_DATA_LEN),
503 	[NL80211_ATTR_STA_AID] =
504 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
505 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
506 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
507 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
508 					       .len = NL80211_MAX_SUPP_RATES },
509 	[NL80211_ATTR_STA_PLINK_ACTION] =
510 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
511 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
512 		NLA_POLICY_RANGE(NLA_U8,
513 				 NL80211_TX_POWER_AUTOMATIC,
514 				 NL80211_TX_POWER_FIXED),
515 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
516 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
517 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
518 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
519 				   .len = IEEE80211_MAX_MESH_ID_LEN },
520 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
521 
522 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
523 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
524 
525 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
526 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
527 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
528 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
529 					   .len = NL80211_MAX_SUPP_RATES },
530 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
531 
532 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
533 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
534 
535 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
536 
537 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
538 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
539 						   validate_ie_attr,
540 						   IEEE80211_MAX_DATA_LEN),
541 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
542 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
543 
544 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
545 				.len = IEEE80211_MAX_SSID_LEN },
546 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
547 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
548 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
549 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
550 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
551 						  NL80211_MFP_NO,
552 						  NL80211_MFP_OPTIONAL),
553 	[NL80211_ATTR_STA_FLAGS2] = {
554 		.len = sizeof(struct nl80211_sta_flag_update),
555 	},
556 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
557 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
561 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
562 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
563 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
564 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
565 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
566 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
567 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
568 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
569 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
570 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
571 				 .len = IEEE80211_MAX_DATA_LEN },
572 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
573 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
574 						   NL80211_PS_DISABLED,
575 						   NL80211_PS_ENABLED),
576 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
577 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
578 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
579 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
580 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
581 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
583 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
584 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
585 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
586 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
587 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
588 	[NL80211_ATTR_STA_PLINK_STATE] =
589 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
590 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
591 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
592 	[NL80211_ATTR_MESH_PEER_AID] =
593 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
594 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
595 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
596 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_HIDDEN_SSID] =
598 		NLA_POLICY_RANGE(NLA_U32,
599 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
600 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
601 	[NL80211_ATTR_IE_PROBE_RESP] =
602 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
603 				       IEEE80211_MAX_DATA_LEN),
604 	[NL80211_ATTR_IE_ASSOC_RESP] =
605 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
606 				       IEEE80211_MAX_DATA_LEN),
607 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
608 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
609 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
610 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
611 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
612 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
613 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
615 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
616 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
617 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
618 				      .len = IEEE80211_MAX_DATA_LEN },
619 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
620 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
622 		.len = NL80211_HT_CAPABILITY_LEN
623 	},
624 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
625 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
626 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
627 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
628 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
629 
630 	/* need to include at least Auth Transaction and Status Code */
631 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
632 
633 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
634 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
635 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
636 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
637 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
638 		NLA_POLICY_RANGE(NLA_U32,
639 				 NL80211_MESH_POWER_UNKNOWN + 1,
640 				 NL80211_MESH_POWER_MAX),
641 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
642 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
643 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
644 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
645 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
646 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
647 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
648 		.len = NL80211_VHT_CAPABILITY_LEN,
649 	},
650 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
651 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
652 				  .len = IEEE80211_MAX_DATA_LEN },
653 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
654 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
655 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
656 	[NL80211_ATTR_PEER_AID] =
657 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
658 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
659 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
660 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
661 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
662 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
663 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
664 	/*
665 	 * The value of the Length field of the Supported Operating
666 	 * Classes element is between 2 and 253.
667 	 */
668 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
669 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
670 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
671 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
672 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
673 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
674 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
675 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
676 						  IEEE80211_QOS_MAP_LEN_MIN,
677 						  IEEE80211_QOS_MAP_LEN_MAX),
678 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
679 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
680 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
681 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
683 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
684 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
685 	[NL80211_ATTR_USER_PRIO] =
686 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
687 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
688 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
689 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
690 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
691 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
693 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
694 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
695 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
696 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
697 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
698 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
699 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
700 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
701 	},
702 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
703 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
704 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
705 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
706 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
707 				    .len = FILS_MAX_KEK_LEN },
708 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
709 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
710 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
711 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
712 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
713 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
714 	},
715 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
716 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
717 					     .len = FILS_ERP_MAX_USERNAME_LEN },
718 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
719 					  .len = FILS_ERP_MAX_REALM_LEN },
720 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
721 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
722 					.len = FILS_ERP_MAX_RRK_LEN },
723 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
724 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
725 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
726 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
727 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
728 
729 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
730 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
731 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
732 	[NL80211_ATTR_HE_CAPABILITY] =
733 		NLA_POLICY_RANGE(NLA_BINARY,
734 				 NL80211_HE_MIN_CAPABILITY_LEN,
735 				 NL80211_HE_MAX_CAPABILITY_LEN),
736 	[NL80211_ATTR_FTM_RESPONDER] =
737 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
738 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
739 	[NL80211_ATTR_PEER_MEASUREMENTS] =
740 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
741 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
742 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
743 					.len = SAE_PASSWORD_MAX_LEN },
744 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
745 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
746 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
747 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
748 	[NL80211_ATTR_TID_CONFIG] =
749 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
750 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
751 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
752 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
753 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
755 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
756 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
757 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
758 	[NL80211_ATTR_FILS_DISCOVERY] =
759 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
760 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
761 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
762 	[NL80211_ATTR_S1G_CAPABILITY] =
763 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
764 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
765 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
766 	[NL80211_ATTR_SAE_PWE] =
767 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
768 				 NL80211_SAE_PWE_BOTH),
769 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
770 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
771 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
772 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
773 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
774 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
775 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
776 	[NL80211_ATTR_MBSSID_CONFIG] =
777 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
778 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
779 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
780 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
781 };
782 
783 /* policy for the key attributes */
784 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
785 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
786 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
787 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
788 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
789 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
790 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
791 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
792 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
793 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
794 };
795 
796 /* policy for the key default flags */
797 static const struct nla_policy
798 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
799 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
800 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
801 };
802 
803 #ifdef CONFIG_PM
804 /* policy for WoWLAN attributes */
805 static const struct nla_policy
806 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
807 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
808 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
809 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
810 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
811 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
812 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
813 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
814 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
815 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
816 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
817 };
818 
819 static const struct nla_policy
820 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
821 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
822 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
823 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
824 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
825 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
826 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
827 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
828 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
829 	},
830 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
831 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
832 	},
833 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
834 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
835 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
836 };
837 #endif /* CONFIG_PM */
838 
839 /* policy for coalesce rule attributes */
840 static const struct nla_policy
841 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
842 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
843 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
844 		NLA_POLICY_RANGE(NLA_U32,
845 				 NL80211_COALESCE_CONDITION_MATCH,
846 				 NL80211_COALESCE_CONDITION_NO_MATCH),
847 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
848 };
849 
850 /* policy for GTK rekey offload attributes */
851 static const struct nla_policy
852 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
853 	[NL80211_REKEY_DATA_KEK] = {
854 		.type = NLA_BINARY,
855 		.len = NL80211_KEK_EXT_LEN
856 	},
857 	[NL80211_REKEY_DATA_KCK] = {
858 		.type = NLA_BINARY,
859 		.len = NL80211_KCK_EXT_LEN
860 	},
861 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
862 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
863 };
864 
865 static const struct nla_policy
866 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
867 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
868 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
869 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
870 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
871 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
872 };
873 
874 static const struct nla_policy
875 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
876 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
877 						 .len = IEEE80211_MAX_SSID_LEN },
878 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
879 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
880 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
881 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
882 };
883 
884 static const struct nla_policy
885 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
886 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
887 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
888 };
889 
890 static const struct nla_policy
891 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
892 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
893 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
894 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
895 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
896 	},
897 };
898 
899 /* policy for NAN function attributes */
900 static const struct nla_policy
901 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
902 	[NL80211_NAN_FUNC_TYPE] =
903 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
904 	[NL80211_NAN_FUNC_SERVICE_ID] = {
905 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
906 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
907 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
908 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
909 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
910 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
911 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
912 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
913 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
914 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
915 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
916 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
917 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
918 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
919 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
920 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
921 };
922 
923 /* policy for Service Response Filter attributes */
924 static const struct nla_policy
925 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
926 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
927 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
928 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
929 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
930 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
931 };
932 
933 /* policy for packet pattern attributes */
934 static const struct nla_policy
935 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
936 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
937 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
938 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
939 };
940 
941 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
942 				     struct cfg80211_registered_device **rdev,
943 				     struct wireless_dev **wdev,
944 				     struct nlattr **attrbuf)
945 {
946 	int err;
947 
948 	if (!cb->args[0]) {
949 		struct nlattr **attrbuf_free = NULL;
950 
951 		if (!attrbuf) {
952 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
953 					  GFP_KERNEL);
954 			if (!attrbuf)
955 				return -ENOMEM;
956 			attrbuf_free = attrbuf;
957 		}
958 
959 		err = nlmsg_parse_deprecated(cb->nlh,
960 					     GENL_HDRLEN + nl80211_fam.hdrsize,
961 					     attrbuf, nl80211_fam.maxattr,
962 					     nl80211_policy, NULL);
963 		if (err) {
964 			kfree(attrbuf_free);
965 			return err;
966 		}
967 
968 		rtnl_lock();
969 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
970 						   attrbuf);
971 		kfree(attrbuf_free);
972 		if (IS_ERR(*wdev)) {
973 			rtnl_unlock();
974 			return PTR_ERR(*wdev);
975 		}
976 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
977 		mutex_lock(&(*rdev)->wiphy.mtx);
978 		rtnl_unlock();
979 		/* 0 is the first index - add 1 to parse only once */
980 		cb->args[0] = (*rdev)->wiphy_idx + 1;
981 		cb->args[1] = (*wdev)->identifier;
982 	} else {
983 		/* subtract the 1 again here */
984 		struct wiphy *wiphy;
985 		struct wireless_dev *tmp;
986 
987 		rtnl_lock();
988 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
989 		if (!wiphy) {
990 			rtnl_unlock();
991 			return -ENODEV;
992 		}
993 		*rdev = wiphy_to_rdev(wiphy);
994 		*wdev = NULL;
995 
996 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
997 			if (tmp->identifier == cb->args[1]) {
998 				*wdev = tmp;
999 				break;
1000 			}
1001 		}
1002 
1003 		if (!*wdev) {
1004 			rtnl_unlock();
1005 			return -ENODEV;
1006 		}
1007 		mutex_lock(&(*rdev)->wiphy.mtx);
1008 		rtnl_unlock();
1009 	}
1010 
1011 	return 0;
1012 }
1013 
1014 /* message building helper */
1015 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1016 		     int flags, u8 cmd)
1017 {
1018 	/* since there is no private header just add the generic one */
1019 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1020 }
1021 
1022 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1023 				     const struct ieee80211_reg_rule *rule)
1024 {
1025 	int j;
1026 	struct nlattr *nl_wmm_rules =
1027 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1028 
1029 	if (!nl_wmm_rules)
1030 		goto nla_put_failure;
1031 
1032 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1033 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1034 
1035 		if (!nl_wmm_rule)
1036 			goto nla_put_failure;
1037 
1038 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1039 				rule->wmm_rule.client[j].cw_min) ||
1040 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1041 				rule->wmm_rule.client[j].cw_max) ||
1042 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1043 			       rule->wmm_rule.client[j].aifsn) ||
1044 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1045 			        rule->wmm_rule.client[j].cot))
1046 			goto nla_put_failure;
1047 
1048 		nla_nest_end(msg, nl_wmm_rule);
1049 	}
1050 	nla_nest_end(msg, nl_wmm_rules);
1051 
1052 	return 0;
1053 
1054 nla_put_failure:
1055 	return -ENOBUFS;
1056 }
1057 
1058 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1059 				   struct ieee80211_channel *chan,
1060 				   bool large)
1061 {
1062 	/* Some channels must be completely excluded from the
1063 	 * list to protect old user-space tools from breaking
1064 	 */
1065 	if (!large && chan->flags &
1066 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1067 		return 0;
1068 	if (!large && chan->freq_offset)
1069 		return 0;
1070 
1071 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1072 			chan->center_freq))
1073 		goto nla_put_failure;
1074 
1075 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1076 		goto nla_put_failure;
1077 
1078 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1079 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1080 		goto nla_put_failure;
1081 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1082 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1083 			goto nla_put_failure;
1084 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1085 			goto nla_put_failure;
1086 	}
1087 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1088 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1089 			goto nla_put_failure;
1090 		if (large) {
1091 			u32 time;
1092 
1093 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1094 
1095 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1096 					chan->dfs_state))
1097 				goto nla_put_failure;
1098 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1099 					time))
1100 				goto nla_put_failure;
1101 			if (nla_put_u32(msg,
1102 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1103 					chan->dfs_cac_ms))
1104 				goto nla_put_failure;
1105 		}
1106 	}
1107 
1108 	if (large) {
1109 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1110 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1111 			goto nla_put_failure;
1112 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1113 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1114 			goto nla_put_failure;
1115 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1116 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1117 			goto nla_put_failure;
1118 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1119 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1120 			goto nla_put_failure;
1121 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1122 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1123 			goto nla_put_failure;
1124 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1125 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1126 			goto nla_put_failure;
1127 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1128 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1129 			goto nla_put_failure;
1130 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1131 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1132 			goto nla_put_failure;
1133 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1134 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1135 			goto nla_put_failure;
1136 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1137 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1138 			goto nla_put_failure;
1139 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1140 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1141 			goto nla_put_failure;
1142 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1143 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1144 			goto nla_put_failure;
1145 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1146 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1147 			goto nla_put_failure;
1148 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1149 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1150 			goto nla_put_failure;
1151 	}
1152 
1153 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1154 			DBM_TO_MBM(chan->max_power)))
1155 		goto nla_put_failure;
1156 
1157 	if (large) {
1158 		const struct ieee80211_reg_rule *rule =
1159 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1160 
1161 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1162 			if (nl80211_msg_put_wmm_rules(msg, rule))
1163 				goto nla_put_failure;
1164 		}
1165 	}
1166 
1167 	return 0;
1168 
1169  nla_put_failure:
1170 	return -ENOBUFS;
1171 }
1172 
1173 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1174 				  struct cfg80211_txq_stats *txqstats,
1175 				  int attrtype)
1176 {
1177 	struct nlattr *txqattr;
1178 
1179 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1180 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1181 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1182 		return false;						  \
1183 	} while (0)
1184 
1185 	txqattr = nla_nest_start_noflag(msg, attrtype);
1186 	if (!txqattr)
1187 		return false;
1188 
1189 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1190 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1191 	PUT_TXQVAL_U32(FLOWS, flows);
1192 	PUT_TXQVAL_U32(DROPS, drops);
1193 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1194 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1195 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1196 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1197 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1198 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1199 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1200 	nla_nest_end(msg, txqattr);
1201 
1202 #undef PUT_TXQVAL_U32
1203 	return true;
1204 }
1205 
1206 /* netlink command implementations */
1207 
1208 struct key_parse {
1209 	struct key_params p;
1210 	int idx;
1211 	int type;
1212 	bool def, defmgmt, defbeacon;
1213 	bool def_uni, def_multi;
1214 };
1215 
1216 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1217 				 struct key_parse *k)
1218 {
1219 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1220 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1221 					      nl80211_key_policy,
1222 					      info->extack);
1223 	if (err)
1224 		return err;
1225 
1226 	k->def = !!tb[NL80211_KEY_DEFAULT];
1227 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1228 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1229 
1230 	if (k->def) {
1231 		k->def_uni = true;
1232 		k->def_multi = true;
1233 	}
1234 	if (k->defmgmt || k->defbeacon)
1235 		k->def_multi = true;
1236 
1237 	if (tb[NL80211_KEY_IDX])
1238 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1239 
1240 	if (tb[NL80211_KEY_DATA]) {
1241 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1242 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1243 	}
1244 
1245 	if (tb[NL80211_KEY_SEQ]) {
1246 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1247 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1248 	}
1249 
1250 	if (tb[NL80211_KEY_CIPHER])
1251 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1252 
1253 	if (tb[NL80211_KEY_TYPE])
1254 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1255 
1256 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1257 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1258 
1259 		err = nla_parse_nested_deprecated(kdt,
1260 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1261 						  tb[NL80211_KEY_DEFAULT_TYPES],
1262 						  nl80211_key_default_policy,
1263 						  info->extack);
1264 		if (err)
1265 			return err;
1266 
1267 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1268 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1269 	}
1270 
1271 	if (tb[NL80211_KEY_MODE])
1272 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1273 
1274 	return 0;
1275 }
1276 
1277 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1278 {
1279 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1280 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1281 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1282 	}
1283 
1284 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1285 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1286 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1287 	}
1288 
1289 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1290 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1291 
1292 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1293 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1294 
1295 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1296 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1297 
1298 	if (k->def) {
1299 		k->def_uni = true;
1300 		k->def_multi = true;
1301 	}
1302 	if (k->defmgmt)
1303 		k->def_multi = true;
1304 
1305 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1306 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1307 
1308 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1309 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1310 		int err = nla_parse_nested_deprecated(kdt,
1311 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1312 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1313 						      nl80211_key_default_policy,
1314 						      info->extack);
1315 		if (err)
1316 			return err;
1317 
1318 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1319 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1320 	}
1321 
1322 	return 0;
1323 }
1324 
1325 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1326 {
1327 	int err;
1328 
1329 	memset(k, 0, sizeof(*k));
1330 	k->idx = -1;
1331 	k->type = -1;
1332 
1333 	if (info->attrs[NL80211_ATTR_KEY])
1334 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1335 	else
1336 		err = nl80211_parse_key_old(info, k);
1337 
1338 	if (err)
1339 		return err;
1340 
1341 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1342 	    (k->defbeacon ? 1 : 0) > 1) {
1343 		GENL_SET_ERR_MSG(info,
1344 				 "key with multiple default flags is invalid");
1345 		return -EINVAL;
1346 	}
1347 
1348 	if (k->defmgmt || k->defbeacon) {
1349 		if (k->def_uni || !k->def_multi) {
1350 			GENL_SET_ERR_MSG(info,
1351 					 "defmgmt/defbeacon key must be mcast");
1352 			return -EINVAL;
1353 		}
1354 	}
1355 
1356 	if (k->idx != -1) {
1357 		if (k->defmgmt) {
1358 			if (k->idx < 4 || k->idx > 5) {
1359 				GENL_SET_ERR_MSG(info,
1360 						 "defmgmt key idx not 4 or 5");
1361 				return -EINVAL;
1362 			}
1363 		} else if (k->defbeacon) {
1364 			if (k->idx < 6 || k->idx > 7) {
1365 				GENL_SET_ERR_MSG(info,
1366 						 "defbeacon key idx not 6 or 7");
1367 				return -EINVAL;
1368 			}
1369 		} else if (k->def) {
1370 			if (k->idx < 0 || k->idx > 3) {
1371 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1372 				return -EINVAL;
1373 			}
1374 		} else {
1375 			if (k->idx < 0 || k->idx > 7) {
1376 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1377 				return -EINVAL;
1378 			}
1379 		}
1380 	}
1381 
1382 	return 0;
1383 }
1384 
1385 static struct cfg80211_cached_keys *
1386 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1387 		       struct genl_info *info, bool *no_ht)
1388 {
1389 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1390 	struct key_parse parse;
1391 	struct nlattr *key;
1392 	struct cfg80211_cached_keys *result;
1393 	int rem, err, def = 0;
1394 	bool have_key = false;
1395 
1396 	nla_for_each_nested(key, keys, rem) {
1397 		have_key = true;
1398 		break;
1399 	}
1400 
1401 	if (!have_key)
1402 		return NULL;
1403 
1404 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1405 	if (!result)
1406 		return ERR_PTR(-ENOMEM);
1407 
1408 	result->def = -1;
1409 
1410 	nla_for_each_nested(key, keys, rem) {
1411 		memset(&parse, 0, sizeof(parse));
1412 		parse.idx = -1;
1413 
1414 		err = nl80211_parse_key_new(info, key, &parse);
1415 		if (err)
1416 			goto error;
1417 		err = -EINVAL;
1418 		if (!parse.p.key)
1419 			goto error;
1420 		if (parse.idx < 0 || parse.idx > 3) {
1421 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1422 			goto error;
1423 		}
1424 		if (parse.def) {
1425 			if (def) {
1426 				GENL_SET_ERR_MSG(info,
1427 						 "only one key can be default");
1428 				goto error;
1429 			}
1430 			def = 1;
1431 			result->def = parse.idx;
1432 			if (!parse.def_uni || !parse.def_multi)
1433 				goto error;
1434 		} else if (parse.defmgmt)
1435 			goto error;
1436 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1437 						     parse.idx, false, NULL);
1438 		if (err)
1439 			goto error;
1440 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1441 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1442 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1443 			err = -EINVAL;
1444 			goto error;
1445 		}
1446 		result->params[parse.idx].cipher = parse.p.cipher;
1447 		result->params[parse.idx].key_len = parse.p.key_len;
1448 		result->params[parse.idx].key = result->data[parse.idx];
1449 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1450 
1451 		/* must be WEP key if we got here */
1452 		if (no_ht)
1453 			*no_ht = true;
1454 	}
1455 
1456 	if (result->def < 0) {
1457 		err = -EINVAL;
1458 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1459 		goto error;
1460 	}
1461 
1462 	return result;
1463  error:
1464 	kfree(result);
1465 	return ERR_PTR(err);
1466 }
1467 
1468 static int nl80211_key_allowed(struct wireless_dev *wdev)
1469 {
1470 	ASSERT_WDEV_LOCK(wdev);
1471 
1472 	switch (wdev->iftype) {
1473 	case NL80211_IFTYPE_AP:
1474 	case NL80211_IFTYPE_AP_VLAN:
1475 	case NL80211_IFTYPE_P2P_GO:
1476 	case NL80211_IFTYPE_MESH_POINT:
1477 		break;
1478 	case NL80211_IFTYPE_ADHOC:
1479 	case NL80211_IFTYPE_STATION:
1480 	case NL80211_IFTYPE_P2P_CLIENT:
1481 		if (!wdev->current_bss)
1482 			return -ENOLINK;
1483 		break;
1484 	case NL80211_IFTYPE_UNSPECIFIED:
1485 	case NL80211_IFTYPE_OCB:
1486 	case NL80211_IFTYPE_MONITOR:
1487 	case NL80211_IFTYPE_NAN:
1488 	case NL80211_IFTYPE_P2P_DEVICE:
1489 	case NL80211_IFTYPE_WDS:
1490 	case NUM_NL80211_IFTYPES:
1491 		return -EINVAL;
1492 	}
1493 
1494 	return 0;
1495 }
1496 
1497 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1498 							u32 freq)
1499 {
1500 	struct ieee80211_channel *chan;
1501 
1502 	chan = ieee80211_get_channel_khz(wiphy, freq);
1503 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1504 		return NULL;
1505 	return chan;
1506 }
1507 
1508 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1509 {
1510 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1511 	int i;
1512 
1513 	if (!nl_modes)
1514 		goto nla_put_failure;
1515 
1516 	i = 0;
1517 	while (ifmodes) {
1518 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1519 			goto nla_put_failure;
1520 		ifmodes >>= 1;
1521 		i++;
1522 	}
1523 
1524 	nla_nest_end(msg, nl_modes);
1525 	return 0;
1526 
1527 nla_put_failure:
1528 	return -ENOBUFS;
1529 }
1530 
1531 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1532 					  struct sk_buff *msg,
1533 					  bool large)
1534 {
1535 	struct nlattr *nl_combis;
1536 	int i, j;
1537 
1538 	nl_combis = nla_nest_start_noflag(msg,
1539 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1540 	if (!nl_combis)
1541 		goto nla_put_failure;
1542 
1543 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1544 		const struct ieee80211_iface_combination *c;
1545 		struct nlattr *nl_combi, *nl_limits;
1546 
1547 		c = &wiphy->iface_combinations[i];
1548 
1549 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1550 		if (!nl_combi)
1551 			goto nla_put_failure;
1552 
1553 		nl_limits = nla_nest_start_noflag(msg,
1554 						  NL80211_IFACE_COMB_LIMITS);
1555 		if (!nl_limits)
1556 			goto nla_put_failure;
1557 
1558 		for (j = 0; j < c->n_limits; j++) {
1559 			struct nlattr *nl_limit;
1560 
1561 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1562 			if (!nl_limit)
1563 				goto nla_put_failure;
1564 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1565 					c->limits[j].max))
1566 				goto nla_put_failure;
1567 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1568 						c->limits[j].types))
1569 				goto nla_put_failure;
1570 			nla_nest_end(msg, nl_limit);
1571 		}
1572 
1573 		nla_nest_end(msg, nl_limits);
1574 
1575 		if (c->beacon_int_infra_match &&
1576 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1577 			goto nla_put_failure;
1578 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1579 				c->num_different_channels) ||
1580 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1581 				c->max_interfaces))
1582 			goto nla_put_failure;
1583 		if (large &&
1584 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1585 				c->radar_detect_widths) ||
1586 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1587 				c->radar_detect_regions)))
1588 			goto nla_put_failure;
1589 		if (c->beacon_int_min_gcd &&
1590 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1591 				c->beacon_int_min_gcd))
1592 			goto nla_put_failure;
1593 
1594 		nla_nest_end(msg, nl_combi);
1595 	}
1596 
1597 	nla_nest_end(msg, nl_combis);
1598 
1599 	return 0;
1600 nla_put_failure:
1601 	return -ENOBUFS;
1602 }
1603 
1604 #ifdef CONFIG_PM
1605 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1606 					struct sk_buff *msg)
1607 {
1608 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1609 	struct nlattr *nl_tcp;
1610 
1611 	if (!tcp)
1612 		return 0;
1613 
1614 	nl_tcp = nla_nest_start_noflag(msg,
1615 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1616 	if (!nl_tcp)
1617 		return -ENOBUFS;
1618 
1619 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1620 			tcp->data_payload_max))
1621 		return -ENOBUFS;
1622 
1623 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1624 			tcp->data_payload_max))
1625 		return -ENOBUFS;
1626 
1627 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1628 		return -ENOBUFS;
1629 
1630 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1631 				sizeof(*tcp->tok), tcp->tok))
1632 		return -ENOBUFS;
1633 
1634 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1635 			tcp->data_interval_max))
1636 		return -ENOBUFS;
1637 
1638 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1639 			tcp->wake_payload_max))
1640 		return -ENOBUFS;
1641 
1642 	nla_nest_end(msg, nl_tcp);
1643 	return 0;
1644 }
1645 
1646 static int nl80211_send_wowlan(struct sk_buff *msg,
1647 			       struct cfg80211_registered_device *rdev,
1648 			       bool large)
1649 {
1650 	struct nlattr *nl_wowlan;
1651 
1652 	if (!rdev->wiphy.wowlan)
1653 		return 0;
1654 
1655 	nl_wowlan = nla_nest_start_noflag(msg,
1656 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1657 	if (!nl_wowlan)
1658 		return -ENOBUFS;
1659 
1660 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1661 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1662 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1663 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1664 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1665 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1666 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1667 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1668 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1669 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1670 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1671 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1672 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1673 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1674 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1675 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1676 		return -ENOBUFS;
1677 
1678 	if (rdev->wiphy.wowlan->n_patterns) {
1679 		struct nl80211_pattern_support pat = {
1680 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1681 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1682 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1683 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1684 		};
1685 
1686 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1687 			    sizeof(pat), &pat))
1688 			return -ENOBUFS;
1689 	}
1690 
1691 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1692 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1693 			rdev->wiphy.wowlan->max_nd_match_sets))
1694 		return -ENOBUFS;
1695 
1696 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1697 		return -ENOBUFS;
1698 
1699 	nla_nest_end(msg, nl_wowlan);
1700 
1701 	return 0;
1702 }
1703 #endif
1704 
1705 static int nl80211_send_coalesce(struct sk_buff *msg,
1706 				 struct cfg80211_registered_device *rdev)
1707 {
1708 	struct nl80211_coalesce_rule_support rule;
1709 
1710 	if (!rdev->wiphy.coalesce)
1711 		return 0;
1712 
1713 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1714 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1715 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1716 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1717 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1718 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1719 
1720 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1721 		return -ENOBUFS;
1722 
1723 	return 0;
1724 }
1725 
1726 static int
1727 nl80211_send_iftype_data(struct sk_buff *msg,
1728 			 const struct ieee80211_supported_band *sband,
1729 			 const struct ieee80211_sband_iftype_data *iftdata)
1730 {
1731 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1732 
1733 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1734 				iftdata->types_mask))
1735 		return -ENOBUFS;
1736 
1737 	if (he_cap->has_he) {
1738 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1739 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1740 			    he_cap->he_cap_elem.mac_cap_info) ||
1741 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1742 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1743 			    he_cap->he_cap_elem.phy_cap_info) ||
1744 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1745 			    sizeof(he_cap->he_mcs_nss_supp),
1746 			    &he_cap->he_mcs_nss_supp) ||
1747 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1748 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1749 			return -ENOBUFS;
1750 	}
1751 
1752 	if (sband->band == NL80211_BAND_6GHZ &&
1753 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1754 		    sizeof(iftdata->he_6ghz_capa),
1755 		    &iftdata->he_6ghz_capa))
1756 		return -ENOBUFS;
1757 
1758 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1759 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1760 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1761 		return -ENOBUFS;
1762 
1763 	return 0;
1764 }
1765 
1766 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1767 				      struct ieee80211_supported_band *sband,
1768 				      bool large)
1769 {
1770 	struct nlattr *nl_rates, *nl_rate;
1771 	struct ieee80211_rate *rate;
1772 	int i;
1773 
1774 	/* add HT info */
1775 	if (sband->ht_cap.ht_supported &&
1776 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1777 		     sizeof(sband->ht_cap.mcs),
1778 		     &sband->ht_cap.mcs) ||
1779 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1780 			 sband->ht_cap.cap) ||
1781 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1782 			sband->ht_cap.ampdu_factor) ||
1783 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1784 			sband->ht_cap.ampdu_density)))
1785 		return -ENOBUFS;
1786 
1787 	/* add VHT info */
1788 	if (sband->vht_cap.vht_supported &&
1789 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1790 		     sizeof(sband->vht_cap.vht_mcs),
1791 		     &sband->vht_cap.vht_mcs) ||
1792 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1793 			 sband->vht_cap.cap)))
1794 		return -ENOBUFS;
1795 
1796 	if (large && sband->n_iftype_data) {
1797 		struct nlattr *nl_iftype_data =
1798 			nla_nest_start_noflag(msg,
1799 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1800 		int err;
1801 
1802 		if (!nl_iftype_data)
1803 			return -ENOBUFS;
1804 
1805 		for (i = 0; i < sband->n_iftype_data; i++) {
1806 			struct nlattr *iftdata;
1807 
1808 			iftdata = nla_nest_start_noflag(msg, i + 1);
1809 			if (!iftdata)
1810 				return -ENOBUFS;
1811 
1812 			err = nl80211_send_iftype_data(msg, sband,
1813 						       &sband->iftype_data[i]);
1814 			if (err)
1815 				return err;
1816 
1817 			nla_nest_end(msg, iftdata);
1818 		}
1819 
1820 		nla_nest_end(msg, nl_iftype_data);
1821 	}
1822 
1823 	/* add EDMG info */
1824 	if (large && sband->edmg_cap.channels &&
1825 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1826 		       sband->edmg_cap.channels) ||
1827 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1828 		       sband->edmg_cap.bw_config)))
1829 
1830 		return -ENOBUFS;
1831 
1832 	/* add bitrates */
1833 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1834 	if (!nl_rates)
1835 		return -ENOBUFS;
1836 
1837 	for (i = 0; i < sband->n_bitrates; i++) {
1838 		nl_rate = nla_nest_start_noflag(msg, i);
1839 		if (!nl_rate)
1840 			return -ENOBUFS;
1841 
1842 		rate = &sband->bitrates[i];
1843 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1844 				rate->bitrate))
1845 			return -ENOBUFS;
1846 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1847 		    nla_put_flag(msg,
1848 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1849 			return -ENOBUFS;
1850 
1851 		nla_nest_end(msg, nl_rate);
1852 	}
1853 
1854 	nla_nest_end(msg, nl_rates);
1855 
1856 	return 0;
1857 }
1858 
1859 static int
1860 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1861 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1862 {
1863 	u16 stypes;
1864 	struct nlattr *nl_ftypes, *nl_ifs;
1865 	enum nl80211_iftype ift;
1866 	int i;
1867 
1868 	if (!mgmt_stypes)
1869 		return 0;
1870 
1871 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1872 	if (!nl_ifs)
1873 		return -ENOBUFS;
1874 
1875 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1876 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1877 		if (!nl_ftypes)
1878 			return -ENOBUFS;
1879 		i = 0;
1880 		stypes = mgmt_stypes[ift].tx;
1881 		while (stypes) {
1882 			if ((stypes & 1) &&
1883 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1884 					(i << 4) | IEEE80211_FTYPE_MGMT))
1885 				return -ENOBUFS;
1886 			stypes >>= 1;
1887 			i++;
1888 		}
1889 		nla_nest_end(msg, nl_ftypes);
1890 	}
1891 
1892 	nla_nest_end(msg, nl_ifs);
1893 
1894 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1895 	if (!nl_ifs)
1896 		return -ENOBUFS;
1897 
1898 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1899 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1900 		if (!nl_ftypes)
1901 			return -ENOBUFS;
1902 		i = 0;
1903 		stypes = mgmt_stypes[ift].rx;
1904 		while (stypes) {
1905 			if ((stypes & 1) &&
1906 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1907 					(i << 4) | IEEE80211_FTYPE_MGMT))
1908 				return -ENOBUFS;
1909 			stypes >>= 1;
1910 			i++;
1911 		}
1912 		nla_nest_end(msg, nl_ftypes);
1913 	}
1914 	nla_nest_end(msg, nl_ifs);
1915 
1916 	return 0;
1917 }
1918 
1919 #define CMD(op, n)							\
1920 	 do {								\
1921 		if (rdev->ops->op) {					\
1922 			i++;						\
1923 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1924 				goto nla_put_failure;			\
1925 		}							\
1926 	} while (0)
1927 
1928 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1929 					struct sk_buff *msg)
1930 {
1931 	int i = 0;
1932 
1933 	/*
1934 	 * do *NOT* add anything into this function, new things need to be
1935 	 * advertised only to new versions of userspace that can deal with
1936 	 * the split (and they can't possibly care about new features...
1937 	 */
1938 	CMD(add_virtual_intf, NEW_INTERFACE);
1939 	CMD(change_virtual_intf, SET_INTERFACE);
1940 	CMD(add_key, NEW_KEY);
1941 	CMD(start_ap, START_AP);
1942 	CMD(add_station, NEW_STATION);
1943 	CMD(add_mpath, NEW_MPATH);
1944 	CMD(update_mesh_config, SET_MESH_CONFIG);
1945 	CMD(change_bss, SET_BSS);
1946 	CMD(auth, AUTHENTICATE);
1947 	CMD(assoc, ASSOCIATE);
1948 	CMD(deauth, DEAUTHENTICATE);
1949 	CMD(disassoc, DISASSOCIATE);
1950 	CMD(join_ibss, JOIN_IBSS);
1951 	CMD(join_mesh, JOIN_MESH);
1952 	CMD(set_pmksa, SET_PMKSA);
1953 	CMD(del_pmksa, DEL_PMKSA);
1954 	CMD(flush_pmksa, FLUSH_PMKSA);
1955 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1956 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1957 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1958 	CMD(mgmt_tx, FRAME);
1959 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1960 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1961 		i++;
1962 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1963 			goto nla_put_failure;
1964 	}
1965 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1966 	    rdev->ops->join_mesh) {
1967 		i++;
1968 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1969 			goto nla_put_failure;
1970 	}
1971 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1972 		CMD(tdls_mgmt, TDLS_MGMT);
1973 		CMD(tdls_oper, TDLS_OPER);
1974 	}
1975 	if (rdev->wiphy.max_sched_scan_reqs)
1976 		CMD(sched_scan_start, START_SCHED_SCAN);
1977 	CMD(probe_client, PROBE_CLIENT);
1978 	CMD(set_noack_map, SET_NOACK_MAP);
1979 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1980 		i++;
1981 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1982 			goto nla_put_failure;
1983 	}
1984 	CMD(start_p2p_device, START_P2P_DEVICE);
1985 	CMD(set_mcast_rate, SET_MCAST_RATE);
1986 #ifdef CONFIG_NL80211_TESTMODE
1987 	CMD(testmode_cmd, TESTMODE);
1988 #endif
1989 
1990 	if (rdev->ops->connect || rdev->ops->auth) {
1991 		i++;
1992 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1993 			goto nla_put_failure;
1994 	}
1995 
1996 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1997 		i++;
1998 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1999 			goto nla_put_failure;
2000 	}
2001 
2002 	return i;
2003  nla_put_failure:
2004 	return -ENOBUFS;
2005 }
2006 
2007 static int
2008 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2009 			   struct sk_buff *msg)
2010 {
2011 	struct nlattr *ftm;
2012 
2013 	if (!cap->ftm.supported)
2014 		return 0;
2015 
2016 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2017 	if (!ftm)
2018 		return -ENOBUFS;
2019 
2020 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2021 		return -ENOBUFS;
2022 	if (cap->ftm.non_asap &&
2023 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2024 		return -ENOBUFS;
2025 	if (cap->ftm.request_lci &&
2026 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2027 		return -ENOBUFS;
2028 	if (cap->ftm.request_civicloc &&
2029 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2030 		return -ENOBUFS;
2031 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2032 			cap->ftm.preambles))
2033 		return -ENOBUFS;
2034 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2035 			cap->ftm.bandwidths))
2036 		return -ENOBUFS;
2037 	if (cap->ftm.max_bursts_exponent >= 0 &&
2038 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2039 			cap->ftm.max_bursts_exponent))
2040 		return -ENOBUFS;
2041 	if (cap->ftm.max_ftms_per_burst &&
2042 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2043 			cap->ftm.max_ftms_per_burst))
2044 		return -ENOBUFS;
2045 	if (cap->ftm.trigger_based &&
2046 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2047 		return -ENOBUFS;
2048 	if (cap->ftm.non_trigger_based &&
2049 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2050 		return -ENOBUFS;
2051 
2052 	nla_nest_end(msg, ftm);
2053 	return 0;
2054 }
2055 
2056 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2057 				  struct sk_buff *msg)
2058 {
2059 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2060 	struct nlattr *pmsr, *caps;
2061 
2062 	if (!cap)
2063 		return 0;
2064 
2065 	/*
2066 	 * we don't need to clean up anything here since the caller
2067 	 * will genlmsg_cancel() if we fail
2068 	 */
2069 
2070 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2071 	if (!pmsr)
2072 		return -ENOBUFS;
2073 
2074 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2075 		return -ENOBUFS;
2076 
2077 	if (cap->report_ap_tsf &&
2078 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2079 		return -ENOBUFS;
2080 
2081 	if (cap->randomize_mac_addr &&
2082 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2083 		return -ENOBUFS;
2084 
2085 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2086 	if (!caps)
2087 		return -ENOBUFS;
2088 
2089 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2090 		return -ENOBUFS;
2091 
2092 	nla_nest_end(msg, caps);
2093 	nla_nest_end(msg, pmsr);
2094 
2095 	return 0;
2096 }
2097 
2098 static int
2099 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2100 			      struct sk_buff *msg)
2101 {
2102 	int i;
2103 	struct nlattr *nested, *nested_akms;
2104 	const struct wiphy_iftype_akm_suites *iftype_akms;
2105 
2106 	if (!rdev->wiphy.num_iftype_akm_suites ||
2107 	    !rdev->wiphy.iftype_akm_suites)
2108 		return 0;
2109 
2110 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2111 	if (!nested)
2112 		return -ENOBUFS;
2113 
2114 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2115 		nested_akms = nla_nest_start(msg, i + 1);
2116 		if (!nested_akms)
2117 			return -ENOBUFS;
2118 
2119 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2120 
2121 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2122 					iftype_akms->iftypes_mask))
2123 			return -ENOBUFS;
2124 
2125 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2126 			    sizeof(u32) * iftype_akms->n_akm_suites,
2127 			    iftype_akms->akm_suites)) {
2128 			return -ENOBUFS;
2129 		}
2130 		nla_nest_end(msg, nested_akms);
2131 	}
2132 
2133 	nla_nest_end(msg, nested);
2134 
2135 	return 0;
2136 }
2137 
2138 static int
2139 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2140 			       struct sk_buff *msg)
2141 {
2142 	struct nlattr *supp;
2143 
2144 	if (!rdev->wiphy.tid_config_support.vif &&
2145 	    !rdev->wiphy.tid_config_support.peer)
2146 		return 0;
2147 
2148 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2149 	if (!supp)
2150 		return -ENOSPC;
2151 
2152 	if (rdev->wiphy.tid_config_support.vif &&
2153 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2154 			      rdev->wiphy.tid_config_support.vif,
2155 			      NL80211_TID_CONFIG_ATTR_PAD))
2156 		goto fail;
2157 
2158 	if (rdev->wiphy.tid_config_support.peer &&
2159 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2160 			      rdev->wiphy.tid_config_support.peer,
2161 			      NL80211_TID_CONFIG_ATTR_PAD))
2162 		goto fail;
2163 
2164 	/* for now we just use the same value ... makes more sense */
2165 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2166 		       rdev->wiphy.tid_config_support.max_retry))
2167 		goto fail;
2168 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2169 		       rdev->wiphy.tid_config_support.max_retry))
2170 		goto fail;
2171 
2172 	nla_nest_end(msg, supp);
2173 
2174 	return 0;
2175 fail:
2176 	nla_nest_cancel(msg, supp);
2177 	return -ENOBUFS;
2178 }
2179 
2180 static int
2181 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2182 		      struct sk_buff *msg)
2183 {
2184 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2185 	u8 num_freq_ranges;
2186 	int i;
2187 
2188 	if (!rdev->wiphy.sar_capa)
2189 		return 0;
2190 
2191 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2192 
2193 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2194 	if (!sar_capa)
2195 		return -ENOSPC;
2196 
2197 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2198 		goto fail;
2199 
2200 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2201 	if (!specs)
2202 		goto fail;
2203 
2204 	/* report supported freq_ranges */
2205 	for (i = 0; i < num_freq_ranges; i++) {
2206 		sub_freq_range = nla_nest_start(msg, i + 1);
2207 		if (!sub_freq_range)
2208 			goto fail;
2209 
2210 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2211 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2212 			goto fail;
2213 
2214 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2215 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2216 			goto fail;
2217 
2218 		nla_nest_end(msg, sub_freq_range);
2219 	}
2220 
2221 	nla_nest_end(msg, specs);
2222 	nla_nest_end(msg, sar_capa);
2223 
2224 	return 0;
2225 fail:
2226 	nla_nest_cancel(msg, sar_capa);
2227 	return -ENOBUFS;
2228 }
2229 
2230 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2231 {
2232 	struct nlattr *config;
2233 
2234 	if (!wiphy->mbssid_max_interfaces)
2235 		return 0;
2236 
2237 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2238 	if (!config)
2239 		return -ENOBUFS;
2240 
2241 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2242 		       wiphy->mbssid_max_interfaces))
2243 		goto fail;
2244 
2245 	if (wiphy->ema_max_profile_periodicity &&
2246 	    nla_put_u8(msg,
2247 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2248 		       wiphy->ema_max_profile_periodicity))
2249 		goto fail;
2250 
2251 	nla_nest_end(msg, config);
2252 	return 0;
2253 
2254 fail:
2255 	nla_nest_cancel(msg, config);
2256 	return -ENOBUFS;
2257 }
2258 
2259 struct nl80211_dump_wiphy_state {
2260 	s64 filter_wiphy;
2261 	long start;
2262 	long split_start, band_start, chan_start, capa_start;
2263 	bool split;
2264 };
2265 
2266 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2267 			      enum nl80211_commands cmd,
2268 			      struct sk_buff *msg, u32 portid, u32 seq,
2269 			      int flags, struct nl80211_dump_wiphy_state *state)
2270 {
2271 	void *hdr;
2272 	struct nlattr *nl_bands, *nl_band;
2273 	struct nlattr *nl_freqs, *nl_freq;
2274 	struct nlattr *nl_cmds;
2275 	enum nl80211_band band;
2276 	struct ieee80211_channel *chan;
2277 	int i;
2278 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2279 				rdev->wiphy.mgmt_stypes;
2280 	u32 features;
2281 
2282 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2283 	if (!hdr)
2284 		return -ENOBUFS;
2285 
2286 	if (WARN_ON(!state))
2287 		return -EINVAL;
2288 
2289 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2290 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2291 			   wiphy_name(&rdev->wiphy)) ||
2292 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2293 			cfg80211_rdev_list_generation))
2294 		goto nla_put_failure;
2295 
2296 	if (cmd != NL80211_CMD_NEW_WIPHY)
2297 		goto finish;
2298 
2299 	switch (state->split_start) {
2300 	case 0:
2301 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2302 			       rdev->wiphy.retry_short) ||
2303 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2304 			       rdev->wiphy.retry_long) ||
2305 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2306 				rdev->wiphy.frag_threshold) ||
2307 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2308 				rdev->wiphy.rts_threshold) ||
2309 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2310 			       rdev->wiphy.coverage_class) ||
2311 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2312 			       rdev->wiphy.max_scan_ssids) ||
2313 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2314 			       rdev->wiphy.max_sched_scan_ssids) ||
2315 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2316 				rdev->wiphy.max_scan_ie_len) ||
2317 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2318 				rdev->wiphy.max_sched_scan_ie_len) ||
2319 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2320 			       rdev->wiphy.max_match_sets))
2321 			goto nla_put_failure;
2322 
2323 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2324 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2325 			goto nla_put_failure;
2326 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2327 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2328 			goto nla_put_failure;
2329 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2330 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2331 			goto nla_put_failure;
2332 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2333 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2334 			goto nla_put_failure;
2335 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2336 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2337 			goto nla_put_failure;
2338 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2339 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2340 			goto nla_put_failure;
2341 		state->split_start++;
2342 		if (state->split)
2343 			break;
2344 		fallthrough;
2345 	case 1:
2346 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2347 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2348 			    rdev->wiphy.cipher_suites))
2349 			goto nla_put_failure;
2350 
2351 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2352 			       rdev->wiphy.max_num_pmkids))
2353 			goto nla_put_failure;
2354 
2355 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2356 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2357 			goto nla_put_failure;
2358 
2359 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2360 				rdev->wiphy.available_antennas_tx) ||
2361 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2362 				rdev->wiphy.available_antennas_rx))
2363 			goto nla_put_failure;
2364 
2365 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2366 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2367 				rdev->wiphy.probe_resp_offload))
2368 			goto nla_put_failure;
2369 
2370 		if ((rdev->wiphy.available_antennas_tx ||
2371 		     rdev->wiphy.available_antennas_rx) &&
2372 		    rdev->ops->get_antenna) {
2373 			u32 tx_ant = 0, rx_ant = 0;
2374 			int res;
2375 
2376 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2377 			if (!res) {
2378 				if (nla_put_u32(msg,
2379 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2380 						tx_ant) ||
2381 				    nla_put_u32(msg,
2382 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2383 						rx_ant))
2384 					goto nla_put_failure;
2385 			}
2386 		}
2387 
2388 		state->split_start++;
2389 		if (state->split)
2390 			break;
2391 		fallthrough;
2392 	case 2:
2393 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2394 					rdev->wiphy.interface_modes))
2395 				goto nla_put_failure;
2396 		state->split_start++;
2397 		if (state->split)
2398 			break;
2399 		fallthrough;
2400 	case 3:
2401 		nl_bands = nla_nest_start_noflag(msg,
2402 						 NL80211_ATTR_WIPHY_BANDS);
2403 		if (!nl_bands)
2404 			goto nla_put_failure;
2405 
2406 		for (band = state->band_start;
2407 		     band < (state->split ?
2408 				NUM_NL80211_BANDS :
2409 				NL80211_BAND_60GHZ + 1);
2410 		     band++) {
2411 			struct ieee80211_supported_band *sband;
2412 
2413 			/* omit higher bands for ancient software */
2414 			if (band > NL80211_BAND_5GHZ && !state->split)
2415 				break;
2416 
2417 			sband = rdev->wiphy.bands[band];
2418 
2419 			if (!sband)
2420 				continue;
2421 
2422 			nl_band = nla_nest_start_noflag(msg, band);
2423 			if (!nl_band)
2424 				goto nla_put_failure;
2425 
2426 			switch (state->chan_start) {
2427 			case 0:
2428 				if (nl80211_send_band_rateinfo(msg, sband,
2429 							       state->split))
2430 					goto nla_put_failure;
2431 				state->chan_start++;
2432 				if (state->split)
2433 					break;
2434 				fallthrough;
2435 			default:
2436 				/* add frequencies */
2437 				nl_freqs = nla_nest_start_noflag(msg,
2438 								 NL80211_BAND_ATTR_FREQS);
2439 				if (!nl_freqs)
2440 					goto nla_put_failure;
2441 
2442 				for (i = state->chan_start - 1;
2443 				     i < sband->n_channels;
2444 				     i++) {
2445 					nl_freq = nla_nest_start_noflag(msg,
2446 									i);
2447 					if (!nl_freq)
2448 						goto nla_put_failure;
2449 
2450 					chan = &sband->channels[i];
2451 
2452 					if (nl80211_msg_put_channel(
2453 							msg, &rdev->wiphy, chan,
2454 							state->split))
2455 						goto nla_put_failure;
2456 
2457 					nla_nest_end(msg, nl_freq);
2458 					if (state->split)
2459 						break;
2460 				}
2461 				if (i < sband->n_channels)
2462 					state->chan_start = i + 2;
2463 				else
2464 					state->chan_start = 0;
2465 				nla_nest_end(msg, nl_freqs);
2466 			}
2467 
2468 			nla_nest_end(msg, nl_band);
2469 
2470 			if (state->split) {
2471 				/* start again here */
2472 				if (state->chan_start)
2473 					band--;
2474 				break;
2475 			}
2476 		}
2477 		nla_nest_end(msg, nl_bands);
2478 
2479 		if (band < NUM_NL80211_BANDS)
2480 			state->band_start = band + 1;
2481 		else
2482 			state->band_start = 0;
2483 
2484 		/* if bands & channels are done, continue outside */
2485 		if (state->band_start == 0 && state->chan_start == 0)
2486 			state->split_start++;
2487 		if (state->split)
2488 			break;
2489 		fallthrough;
2490 	case 4:
2491 		nl_cmds = nla_nest_start_noflag(msg,
2492 						NL80211_ATTR_SUPPORTED_COMMANDS);
2493 		if (!nl_cmds)
2494 			goto nla_put_failure;
2495 
2496 		i = nl80211_add_commands_unsplit(rdev, msg);
2497 		if (i < 0)
2498 			goto nla_put_failure;
2499 		if (state->split) {
2500 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2501 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2502 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2503 				CMD(channel_switch, CHANNEL_SWITCH);
2504 			CMD(set_qos_map, SET_QOS_MAP);
2505 			if (rdev->wiphy.features &
2506 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2507 				CMD(add_tx_ts, ADD_TX_TS);
2508 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2509 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2510 			CMD(update_ft_ies, UPDATE_FT_IES);
2511 			if (rdev->wiphy.sar_capa)
2512 				CMD(set_sar_specs, SET_SAR_SPECS);
2513 		}
2514 #undef CMD
2515 
2516 		nla_nest_end(msg, nl_cmds);
2517 		state->split_start++;
2518 		if (state->split)
2519 			break;
2520 		fallthrough;
2521 	case 5:
2522 		if (rdev->ops->remain_on_channel &&
2523 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2524 		    nla_put_u32(msg,
2525 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2526 				rdev->wiphy.max_remain_on_channel_duration))
2527 			goto nla_put_failure;
2528 
2529 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2530 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2531 			goto nla_put_failure;
2532 
2533 		state->split_start++;
2534 		if (state->split)
2535 			break;
2536 		fallthrough;
2537 	case 6:
2538 #ifdef CONFIG_PM
2539 		if (nl80211_send_wowlan(msg, rdev, state->split))
2540 			goto nla_put_failure;
2541 		state->split_start++;
2542 		if (state->split)
2543 			break;
2544 #else
2545 		state->split_start++;
2546 #endif
2547 		fallthrough;
2548 	case 7:
2549 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2550 					rdev->wiphy.software_iftypes))
2551 			goto nla_put_failure;
2552 
2553 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2554 						   state->split))
2555 			goto nla_put_failure;
2556 
2557 		state->split_start++;
2558 		if (state->split)
2559 			break;
2560 		fallthrough;
2561 	case 8:
2562 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2563 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2564 				rdev->wiphy.ap_sme_capa))
2565 			goto nla_put_failure;
2566 
2567 		features = rdev->wiphy.features;
2568 		/*
2569 		 * We can only add the per-channel limit information if the
2570 		 * dump is split, otherwise it makes it too big. Therefore
2571 		 * only advertise it in that case.
2572 		 */
2573 		if (state->split)
2574 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2575 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2576 			goto nla_put_failure;
2577 
2578 		if (rdev->wiphy.ht_capa_mod_mask &&
2579 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2580 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2581 			    rdev->wiphy.ht_capa_mod_mask))
2582 			goto nla_put_failure;
2583 
2584 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2585 		    rdev->wiphy.max_acl_mac_addrs &&
2586 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2587 				rdev->wiphy.max_acl_mac_addrs))
2588 			goto nla_put_failure;
2589 
2590 		/*
2591 		 * Any information below this point is only available to
2592 		 * applications that can deal with it being split. This
2593 		 * helps ensure that newly added capabilities don't break
2594 		 * older tools by overrunning their buffers.
2595 		 *
2596 		 * We still increment split_start so that in the split
2597 		 * case we'll continue with more data in the next round,
2598 		 * but break unconditionally so unsplit data stops here.
2599 		 */
2600 		if (state->split)
2601 			state->split_start++;
2602 		else
2603 			state->split_start = 0;
2604 		break;
2605 	case 9:
2606 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2607 			goto nla_put_failure;
2608 
2609 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2610 				rdev->wiphy.max_sched_scan_plans) ||
2611 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2612 				rdev->wiphy.max_sched_scan_plan_interval) ||
2613 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2614 				rdev->wiphy.max_sched_scan_plan_iterations))
2615 			goto nla_put_failure;
2616 
2617 		if (rdev->wiphy.extended_capabilities &&
2618 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2619 			     rdev->wiphy.extended_capabilities_len,
2620 			     rdev->wiphy.extended_capabilities) ||
2621 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2622 			     rdev->wiphy.extended_capabilities_len,
2623 			     rdev->wiphy.extended_capabilities_mask)))
2624 			goto nla_put_failure;
2625 
2626 		if (rdev->wiphy.vht_capa_mod_mask &&
2627 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2628 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2629 			    rdev->wiphy.vht_capa_mod_mask))
2630 			goto nla_put_failure;
2631 
2632 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2633 			    rdev->wiphy.perm_addr))
2634 			goto nla_put_failure;
2635 
2636 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2637 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2638 			    rdev->wiphy.addr_mask))
2639 			goto nla_put_failure;
2640 
2641 		if (rdev->wiphy.n_addresses > 1) {
2642 			void *attr;
2643 
2644 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2645 			if (!attr)
2646 				goto nla_put_failure;
2647 
2648 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2649 				if (nla_put(msg, i + 1, ETH_ALEN,
2650 					    rdev->wiphy.addresses[i].addr))
2651 					goto nla_put_failure;
2652 
2653 			nla_nest_end(msg, attr);
2654 		}
2655 
2656 		state->split_start++;
2657 		break;
2658 	case 10:
2659 		if (nl80211_send_coalesce(msg, rdev))
2660 			goto nla_put_failure;
2661 
2662 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2663 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2664 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2665 			goto nla_put_failure;
2666 
2667 		if (rdev->wiphy.max_ap_assoc_sta &&
2668 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2669 				rdev->wiphy.max_ap_assoc_sta))
2670 			goto nla_put_failure;
2671 
2672 		state->split_start++;
2673 		break;
2674 	case 11:
2675 		if (rdev->wiphy.n_vendor_commands) {
2676 			const struct nl80211_vendor_cmd_info *info;
2677 			struct nlattr *nested;
2678 
2679 			nested = nla_nest_start_noflag(msg,
2680 						       NL80211_ATTR_VENDOR_DATA);
2681 			if (!nested)
2682 				goto nla_put_failure;
2683 
2684 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2685 				info = &rdev->wiphy.vendor_commands[i].info;
2686 				if (nla_put(msg, i + 1, sizeof(*info), info))
2687 					goto nla_put_failure;
2688 			}
2689 			nla_nest_end(msg, nested);
2690 		}
2691 
2692 		if (rdev->wiphy.n_vendor_events) {
2693 			const struct nl80211_vendor_cmd_info *info;
2694 			struct nlattr *nested;
2695 
2696 			nested = nla_nest_start_noflag(msg,
2697 						       NL80211_ATTR_VENDOR_EVENTS);
2698 			if (!nested)
2699 				goto nla_put_failure;
2700 
2701 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2702 				info = &rdev->wiphy.vendor_events[i];
2703 				if (nla_put(msg, i + 1, sizeof(*info), info))
2704 					goto nla_put_failure;
2705 			}
2706 			nla_nest_end(msg, nested);
2707 		}
2708 		state->split_start++;
2709 		break;
2710 	case 12:
2711 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2712 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2713 			       rdev->wiphy.max_num_csa_counters))
2714 			goto nla_put_failure;
2715 
2716 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2717 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2718 			goto nla_put_failure;
2719 
2720 		if (rdev->wiphy.max_sched_scan_reqs &&
2721 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2722 				rdev->wiphy.max_sched_scan_reqs))
2723 			goto nla_put_failure;
2724 
2725 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2726 			    sizeof(rdev->wiphy.ext_features),
2727 			    rdev->wiphy.ext_features))
2728 			goto nla_put_failure;
2729 
2730 		if (rdev->wiphy.bss_select_support) {
2731 			struct nlattr *nested;
2732 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2733 
2734 			nested = nla_nest_start_noflag(msg,
2735 						       NL80211_ATTR_BSS_SELECT);
2736 			if (!nested)
2737 				goto nla_put_failure;
2738 
2739 			i = 0;
2740 			while (bss_select_support) {
2741 				if ((bss_select_support & 1) &&
2742 				    nla_put_flag(msg, i))
2743 					goto nla_put_failure;
2744 				i++;
2745 				bss_select_support >>= 1;
2746 			}
2747 			nla_nest_end(msg, nested);
2748 		}
2749 
2750 		state->split_start++;
2751 		break;
2752 	case 13:
2753 		if (rdev->wiphy.num_iftype_ext_capab &&
2754 		    rdev->wiphy.iftype_ext_capab) {
2755 			struct nlattr *nested_ext_capab, *nested;
2756 
2757 			nested = nla_nest_start_noflag(msg,
2758 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2759 			if (!nested)
2760 				goto nla_put_failure;
2761 
2762 			for (i = state->capa_start;
2763 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2764 				const struct wiphy_iftype_ext_capab *capab;
2765 
2766 				capab = &rdev->wiphy.iftype_ext_capab[i];
2767 
2768 				nested_ext_capab = nla_nest_start_noflag(msg,
2769 									 i);
2770 				if (!nested_ext_capab ||
2771 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2772 						capab->iftype) ||
2773 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2774 					    capab->extended_capabilities_len,
2775 					    capab->extended_capabilities) ||
2776 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2777 					    capab->extended_capabilities_len,
2778 					    capab->extended_capabilities_mask))
2779 					goto nla_put_failure;
2780 
2781 				nla_nest_end(msg, nested_ext_capab);
2782 				if (state->split)
2783 					break;
2784 			}
2785 			nla_nest_end(msg, nested);
2786 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2787 				state->capa_start = i + 1;
2788 				break;
2789 			}
2790 		}
2791 
2792 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2793 				rdev->wiphy.nan_supported_bands))
2794 			goto nla_put_failure;
2795 
2796 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2797 					    NL80211_EXT_FEATURE_TXQS)) {
2798 			struct cfg80211_txq_stats txqstats = {};
2799 			int res;
2800 
2801 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2802 			if (!res &&
2803 			    !nl80211_put_txq_stats(msg, &txqstats,
2804 						   NL80211_ATTR_TXQ_STATS))
2805 				goto nla_put_failure;
2806 
2807 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2808 					rdev->wiphy.txq_limit))
2809 				goto nla_put_failure;
2810 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2811 					rdev->wiphy.txq_memory_limit))
2812 				goto nla_put_failure;
2813 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2814 					rdev->wiphy.txq_quantum))
2815 				goto nla_put_failure;
2816 		}
2817 
2818 		state->split_start++;
2819 		break;
2820 	case 14:
2821 		if (nl80211_send_pmsr_capa(rdev, msg))
2822 			goto nla_put_failure;
2823 
2824 		state->split_start++;
2825 		break;
2826 	case 15:
2827 		if (rdev->wiphy.akm_suites &&
2828 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2829 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2830 			    rdev->wiphy.akm_suites))
2831 			goto nla_put_failure;
2832 
2833 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2834 			goto nla_put_failure;
2835 
2836 		if (nl80211_put_tid_config_support(rdev, msg))
2837 			goto nla_put_failure;
2838 		state->split_start++;
2839 		break;
2840 	case 16:
2841 		if (nl80211_put_sar_specs(rdev, msg))
2842 			goto nla_put_failure;
2843 
2844 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2845 			goto nla_put_failure;
2846 
2847 		/* done */
2848 		state->split_start = 0;
2849 		break;
2850 	}
2851  finish:
2852 	genlmsg_end(msg, hdr);
2853 	return 0;
2854 
2855  nla_put_failure:
2856 	genlmsg_cancel(msg, hdr);
2857 	return -EMSGSIZE;
2858 }
2859 
2860 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2861 				    struct netlink_callback *cb,
2862 				    struct nl80211_dump_wiphy_state *state)
2863 {
2864 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2865 	int ret;
2866 
2867 	if (!tb)
2868 		return -ENOMEM;
2869 
2870 	ret = nlmsg_parse_deprecated(cb->nlh,
2871 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2872 				     tb, nl80211_fam.maxattr,
2873 				     nl80211_policy, NULL);
2874 	/* ignore parse errors for backward compatibility */
2875 	if (ret) {
2876 		ret = 0;
2877 		goto out;
2878 	}
2879 
2880 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2881 	if (tb[NL80211_ATTR_WIPHY])
2882 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2883 	if (tb[NL80211_ATTR_WDEV])
2884 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2885 	if (tb[NL80211_ATTR_IFINDEX]) {
2886 		struct net_device *netdev;
2887 		struct cfg80211_registered_device *rdev;
2888 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2889 
2890 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2891 		if (!netdev) {
2892 			ret = -ENODEV;
2893 			goto out;
2894 		}
2895 		if (netdev->ieee80211_ptr) {
2896 			rdev = wiphy_to_rdev(
2897 				netdev->ieee80211_ptr->wiphy);
2898 			state->filter_wiphy = rdev->wiphy_idx;
2899 		}
2900 	}
2901 
2902 	ret = 0;
2903 out:
2904 	kfree(tb);
2905 	return ret;
2906 }
2907 
2908 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2909 {
2910 	int idx = 0, ret;
2911 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2912 	struct cfg80211_registered_device *rdev;
2913 
2914 	rtnl_lock();
2915 	if (!state) {
2916 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2917 		if (!state) {
2918 			rtnl_unlock();
2919 			return -ENOMEM;
2920 		}
2921 		state->filter_wiphy = -1;
2922 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2923 		if (ret) {
2924 			kfree(state);
2925 			rtnl_unlock();
2926 			return ret;
2927 		}
2928 		cb->args[0] = (long)state;
2929 	}
2930 
2931 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2932 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2933 			continue;
2934 		if (++idx <= state->start)
2935 			continue;
2936 		if (state->filter_wiphy != -1 &&
2937 		    state->filter_wiphy != rdev->wiphy_idx)
2938 			continue;
2939 		/* attempt to fit multiple wiphy data chunks into the skb */
2940 		do {
2941 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2942 						 skb,
2943 						 NETLINK_CB(cb->skb).portid,
2944 						 cb->nlh->nlmsg_seq,
2945 						 NLM_F_MULTI, state);
2946 			if (ret < 0) {
2947 				/*
2948 				 * If sending the wiphy data didn't fit (ENOBUFS
2949 				 * or EMSGSIZE returned), this SKB is still
2950 				 * empty (so it's not too big because another
2951 				 * wiphy dataset is already in the skb) and
2952 				 * we've not tried to adjust the dump allocation
2953 				 * yet ... then adjust the alloc size to be
2954 				 * bigger, and return 1 but with the empty skb.
2955 				 * This results in an empty message being RX'ed
2956 				 * in userspace, but that is ignored.
2957 				 *
2958 				 * We can then retry with the larger buffer.
2959 				 */
2960 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2961 				    !skb->len && !state->split &&
2962 				    cb->min_dump_alloc < 4096) {
2963 					cb->min_dump_alloc = 4096;
2964 					state->split_start = 0;
2965 					rtnl_unlock();
2966 					return 1;
2967 				}
2968 				idx--;
2969 				break;
2970 			}
2971 		} while (state->split_start > 0);
2972 		break;
2973 	}
2974 	rtnl_unlock();
2975 
2976 	state->start = idx;
2977 
2978 	return skb->len;
2979 }
2980 
2981 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2982 {
2983 	kfree((void *)cb->args[0]);
2984 	return 0;
2985 }
2986 
2987 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2988 {
2989 	struct sk_buff *msg;
2990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2991 	struct nl80211_dump_wiphy_state state = {};
2992 
2993 	msg = nlmsg_new(4096, GFP_KERNEL);
2994 	if (!msg)
2995 		return -ENOMEM;
2996 
2997 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2998 			       info->snd_portid, info->snd_seq, 0,
2999 			       &state) < 0) {
3000 		nlmsg_free(msg);
3001 		return -ENOBUFS;
3002 	}
3003 
3004 	return genlmsg_reply(msg, info);
3005 }
3006 
3007 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3008 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3009 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3010 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3011 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3012 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3013 };
3014 
3015 static int parse_txq_params(struct nlattr *tb[],
3016 			    struct ieee80211_txq_params *txq_params)
3017 {
3018 	u8 ac;
3019 
3020 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3021 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3022 	    !tb[NL80211_TXQ_ATTR_AIFS])
3023 		return -EINVAL;
3024 
3025 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3026 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3027 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3028 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3029 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3030 
3031 	if (ac >= NL80211_NUM_ACS)
3032 		return -EINVAL;
3033 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3034 	return 0;
3035 }
3036 
3037 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3038 {
3039 	/*
3040 	 * You can only set the channel explicitly for some interfaces,
3041 	 * most have their channel managed via their respective
3042 	 * "establish a connection" command (connect, join, ...)
3043 	 *
3044 	 * For AP/GO and mesh mode, the channel can be set with the
3045 	 * channel userspace API, but is only stored and passed to the
3046 	 * low-level driver when the AP starts or the mesh is joined.
3047 	 * This is for backward compatibility, userspace can also give
3048 	 * the channel in the start-ap or join-mesh commands instead.
3049 	 *
3050 	 * Monitors are special as they are normally slaved to
3051 	 * whatever else is going on, so they have their own special
3052 	 * operation to set the monitor channel if possible.
3053 	 */
3054 	return !wdev ||
3055 		wdev->iftype == NL80211_IFTYPE_AP ||
3056 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3057 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3058 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3059 }
3060 
3061 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3062 			  struct genl_info *info,
3063 			  struct cfg80211_chan_def *chandef)
3064 {
3065 	struct netlink_ext_ack *extack = info->extack;
3066 	struct nlattr **attrs = info->attrs;
3067 	u32 control_freq;
3068 
3069 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3070 		return -EINVAL;
3071 
3072 	control_freq = MHZ_TO_KHZ(
3073 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3074 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3075 		control_freq +=
3076 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3077 
3078 	memset(chandef, 0, sizeof(*chandef));
3079 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3080 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3081 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3082 	chandef->freq1_offset = control_freq % 1000;
3083 	chandef->center_freq2 = 0;
3084 
3085 	/* Primary channel not allowed */
3086 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3087 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3088 				    "Channel is disabled");
3089 		return -EINVAL;
3090 	}
3091 
3092 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3093 		enum nl80211_channel_type chantype;
3094 
3095 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3096 
3097 		switch (chantype) {
3098 		case NL80211_CHAN_NO_HT:
3099 		case NL80211_CHAN_HT20:
3100 		case NL80211_CHAN_HT40PLUS:
3101 		case NL80211_CHAN_HT40MINUS:
3102 			cfg80211_chandef_create(chandef, chandef->chan,
3103 						chantype);
3104 			/* user input for center_freq is incorrect */
3105 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3106 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3107 				NL_SET_ERR_MSG_ATTR(extack,
3108 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3109 						    "bad center frequency 1");
3110 				return -EINVAL;
3111 			}
3112 			/* center_freq2 must be zero */
3113 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3114 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3115 				NL_SET_ERR_MSG_ATTR(extack,
3116 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3117 						    "center frequency 2 can't be used");
3118 				return -EINVAL;
3119 			}
3120 			break;
3121 		default:
3122 			NL_SET_ERR_MSG_ATTR(extack,
3123 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3124 					    "invalid channel type");
3125 			return -EINVAL;
3126 		}
3127 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3128 		chandef->width =
3129 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3130 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3131 			chandef->center_freq1 =
3132 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3133 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3134 				chandef->freq1_offset = nla_get_u32(
3135 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3136 			else
3137 				chandef->freq1_offset = 0;
3138 		}
3139 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3140 			chandef->center_freq2 =
3141 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3142 	}
3143 
3144 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3145 		chandef->edmg.channels =
3146 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3147 
3148 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3149 			chandef->edmg.bw_config =
3150 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3151 	} else {
3152 		chandef->edmg.bw_config = 0;
3153 		chandef->edmg.channels = 0;
3154 	}
3155 
3156 	if (!cfg80211_chandef_valid(chandef)) {
3157 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3158 		return -EINVAL;
3159 	}
3160 
3161 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3162 				     IEEE80211_CHAN_DISABLED)) {
3163 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3164 		return -EINVAL;
3165 	}
3166 
3167 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3168 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3169 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3170 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3171 		return -EINVAL;
3172 	}
3173 
3174 	return 0;
3175 }
3176 
3177 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3178 				 struct net_device *dev,
3179 				 struct genl_info *info)
3180 {
3181 	struct cfg80211_chan_def chandef;
3182 	int result;
3183 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3184 	struct wireless_dev *wdev = NULL;
3185 
3186 	if (dev)
3187 		wdev = dev->ieee80211_ptr;
3188 	if (!nl80211_can_set_dev_channel(wdev))
3189 		return -EOPNOTSUPP;
3190 	if (wdev)
3191 		iftype = wdev->iftype;
3192 
3193 	result = nl80211_parse_chandef(rdev, info, &chandef);
3194 	if (result)
3195 		return result;
3196 
3197 	switch (iftype) {
3198 	case NL80211_IFTYPE_AP:
3199 	case NL80211_IFTYPE_P2P_GO:
3200 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3201 						   iftype)) {
3202 			result = -EINVAL;
3203 			break;
3204 		}
3205 		if (wdev->beacon_interval) {
3206 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3207 			    !(rdev->wiphy.features &
3208 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3209 				result = -EBUSY;
3210 				break;
3211 			}
3212 
3213 			/* Only allow dynamic channel width changes */
3214 			if (chandef.chan != wdev->preset_chandef.chan) {
3215 				result = -EBUSY;
3216 				break;
3217 			}
3218 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3219 			if (result)
3220 				break;
3221 		}
3222 		wdev->preset_chandef = chandef;
3223 		result = 0;
3224 		break;
3225 	case NL80211_IFTYPE_MESH_POINT:
3226 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3227 		break;
3228 	case NL80211_IFTYPE_MONITOR:
3229 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3230 		break;
3231 	default:
3232 		result = -EINVAL;
3233 	}
3234 
3235 	return result;
3236 }
3237 
3238 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3239 {
3240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3241 	struct net_device *netdev = info->user_ptr[1];
3242 
3243 	return __nl80211_set_channel(rdev, netdev, info);
3244 }
3245 
3246 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3247 {
3248 	struct cfg80211_registered_device *rdev = NULL;
3249 	struct net_device *netdev = NULL;
3250 	struct wireless_dev *wdev;
3251 	int result = 0, rem_txq_params = 0;
3252 	struct nlattr *nl_txq_params;
3253 	u32 changed;
3254 	u8 retry_short = 0, retry_long = 0;
3255 	u32 frag_threshold = 0, rts_threshold = 0;
3256 	u8 coverage_class = 0;
3257 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3258 
3259 	rtnl_lock();
3260 	/*
3261 	 * Try to find the wiphy and netdev. Normally this
3262 	 * function shouldn't need the netdev, but this is
3263 	 * done for backward compatibility -- previously
3264 	 * setting the channel was done per wiphy, but now
3265 	 * it is per netdev. Previous userland like hostapd
3266 	 * also passed a netdev to set_wiphy, so that it is
3267 	 * possible to let that go to the right netdev!
3268 	 */
3269 
3270 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3271 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3272 
3273 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3274 		if (netdev && netdev->ieee80211_ptr)
3275 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3276 		else
3277 			netdev = NULL;
3278 	}
3279 
3280 	if (!netdev) {
3281 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3282 						  info->attrs);
3283 		if (IS_ERR(rdev)) {
3284 			rtnl_unlock();
3285 			return PTR_ERR(rdev);
3286 		}
3287 		wdev = NULL;
3288 		netdev = NULL;
3289 		result = 0;
3290 	} else
3291 		wdev = netdev->ieee80211_ptr;
3292 
3293 	wiphy_lock(&rdev->wiphy);
3294 
3295 	/*
3296 	 * end workaround code, by now the rdev is available
3297 	 * and locked, and wdev may or may not be NULL.
3298 	 */
3299 
3300 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3301 		result = cfg80211_dev_rename(
3302 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3303 	rtnl_unlock();
3304 
3305 	if (result)
3306 		goto out;
3307 
3308 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3309 		struct ieee80211_txq_params txq_params;
3310 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3311 
3312 		if (!rdev->ops->set_txq_params) {
3313 			result = -EOPNOTSUPP;
3314 			goto out;
3315 		}
3316 
3317 		if (!netdev) {
3318 			result = -EINVAL;
3319 			goto out;
3320 		}
3321 
3322 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3323 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3324 			result = -EINVAL;
3325 			goto out;
3326 		}
3327 
3328 		if (!netif_running(netdev)) {
3329 			result = -ENETDOWN;
3330 			goto out;
3331 		}
3332 
3333 		nla_for_each_nested(nl_txq_params,
3334 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3335 				    rem_txq_params) {
3336 			result = nla_parse_nested_deprecated(tb,
3337 							     NL80211_TXQ_ATTR_MAX,
3338 							     nl_txq_params,
3339 							     txq_params_policy,
3340 							     info->extack);
3341 			if (result)
3342 				goto out;
3343 			result = parse_txq_params(tb, &txq_params);
3344 			if (result)
3345 				goto out;
3346 
3347 			result = rdev_set_txq_params(rdev, netdev,
3348 						     &txq_params);
3349 			if (result)
3350 				goto out;
3351 		}
3352 	}
3353 
3354 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3355 		result = __nl80211_set_channel(
3356 			rdev,
3357 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3358 			info);
3359 		if (result)
3360 			goto out;
3361 	}
3362 
3363 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3364 		struct wireless_dev *txp_wdev = wdev;
3365 		enum nl80211_tx_power_setting type;
3366 		int idx, mbm = 0;
3367 
3368 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3369 			txp_wdev = NULL;
3370 
3371 		if (!rdev->ops->set_tx_power) {
3372 			result = -EOPNOTSUPP;
3373 			goto out;
3374 		}
3375 
3376 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3377 		type = nla_get_u32(info->attrs[idx]);
3378 
3379 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3380 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3381 			result = -EINVAL;
3382 			goto out;
3383 		}
3384 
3385 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3386 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3387 			mbm = nla_get_u32(info->attrs[idx]);
3388 		}
3389 
3390 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3391 		if (result)
3392 			goto out;
3393 	}
3394 
3395 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3396 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3397 		u32 tx_ant, rx_ant;
3398 
3399 		if ((!rdev->wiphy.available_antennas_tx &&
3400 		     !rdev->wiphy.available_antennas_rx) ||
3401 		    !rdev->ops->set_antenna) {
3402 			result = -EOPNOTSUPP;
3403 			goto out;
3404 		}
3405 
3406 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3407 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3408 
3409 		/* reject antenna configurations which don't match the
3410 		 * available antenna masks, except for the "all" mask */
3411 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3412 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3413 			result = -EINVAL;
3414 			goto out;
3415 		}
3416 
3417 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3418 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3419 
3420 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3421 		if (result)
3422 			goto out;
3423 	}
3424 
3425 	changed = 0;
3426 
3427 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3428 		retry_short = nla_get_u8(
3429 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3430 
3431 		changed |= WIPHY_PARAM_RETRY_SHORT;
3432 	}
3433 
3434 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3435 		retry_long = nla_get_u8(
3436 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3437 
3438 		changed |= WIPHY_PARAM_RETRY_LONG;
3439 	}
3440 
3441 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3442 		frag_threshold = nla_get_u32(
3443 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3444 		if (frag_threshold < 256) {
3445 			result = -EINVAL;
3446 			goto out;
3447 		}
3448 
3449 		if (frag_threshold != (u32) -1) {
3450 			/*
3451 			 * Fragments (apart from the last one) are required to
3452 			 * have even length. Make the fragmentation code
3453 			 * simpler by stripping LSB should someone try to use
3454 			 * odd threshold value.
3455 			 */
3456 			frag_threshold &= ~0x1;
3457 		}
3458 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3459 	}
3460 
3461 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3462 		rts_threshold = nla_get_u32(
3463 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3464 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3465 	}
3466 
3467 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3468 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3469 			result = -EINVAL;
3470 			goto out;
3471 		}
3472 
3473 		coverage_class = nla_get_u8(
3474 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3475 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3476 	}
3477 
3478 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3479 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3480 			result = -EOPNOTSUPP;
3481 			goto out;
3482 		}
3483 
3484 		changed |= WIPHY_PARAM_DYN_ACK;
3485 	}
3486 
3487 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3488 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3489 					     NL80211_EXT_FEATURE_TXQS)) {
3490 			result = -EOPNOTSUPP;
3491 			goto out;
3492 		}
3493 		txq_limit = nla_get_u32(
3494 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3495 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3496 	}
3497 
3498 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3499 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3500 					     NL80211_EXT_FEATURE_TXQS)) {
3501 			result = -EOPNOTSUPP;
3502 			goto out;
3503 		}
3504 		txq_memory_limit = nla_get_u32(
3505 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3506 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3507 	}
3508 
3509 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3510 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3511 					     NL80211_EXT_FEATURE_TXQS)) {
3512 			result = -EOPNOTSUPP;
3513 			goto out;
3514 		}
3515 		txq_quantum = nla_get_u32(
3516 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3517 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3518 	}
3519 
3520 	if (changed) {
3521 		u8 old_retry_short, old_retry_long;
3522 		u32 old_frag_threshold, old_rts_threshold;
3523 		u8 old_coverage_class;
3524 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3525 
3526 		if (!rdev->ops->set_wiphy_params) {
3527 			result = -EOPNOTSUPP;
3528 			goto out;
3529 		}
3530 
3531 		old_retry_short = rdev->wiphy.retry_short;
3532 		old_retry_long = rdev->wiphy.retry_long;
3533 		old_frag_threshold = rdev->wiphy.frag_threshold;
3534 		old_rts_threshold = rdev->wiphy.rts_threshold;
3535 		old_coverage_class = rdev->wiphy.coverage_class;
3536 		old_txq_limit = rdev->wiphy.txq_limit;
3537 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3538 		old_txq_quantum = rdev->wiphy.txq_quantum;
3539 
3540 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3541 			rdev->wiphy.retry_short = retry_short;
3542 		if (changed & WIPHY_PARAM_RETRY_LONG)
3543 			rdev->wiphy.retry_long = retry_long;
3544 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3545 			rdev->wiphy.frag_threshold = frag_threshold;
3546 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3547 			rdev->wiphy.rts_threshold = rts_threshold;
3548 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3549 			rdev->wiphy.coverage_class = coverage_class;
3550 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3551 			rdev->wiphy.txq_limit = txq_limit;
3552 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3553 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3554 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3555 			rdev->wiphy.txq_quantum = txq_quantum;
3556 
3557 		result = rdev_set_wiphy_params(rdev, changed);
3558 		if (result) {
3559 			rdev->wiphy.retry_short = old_retry_short;
3560 			rdev->wiphy.retry_long = old_retry_long;
3561 			rdev->wiphy.frag_threshold = old_frag_threshold;
3562 			rdev->wiphy.rts_threshold = old_rts_threshold;
3563 			rdev->wiphy.coverage_class = old_coverage_class;
3564 			rdev->wiphy.txq_limit = old_txq_limit;
3565 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3566 			rdev->wiphy.txq_quantum = old_txq_quantum;
3567 			goto out;
3568 		}
3569 	}
3570 
3571 	result = 0;
3572 
3573 out:
3574 	wiphy_unlock(&rdev->wiphy);
3575 	return result;
3576 }
3577 
3578 static int nl80211_send_chandef(struct sk_buff *msg,
3579 				const struct cfg80211_chan_def *chandef)
3580 {
3581 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3582 		return -EINVAL;
3583 
3584 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3585 			chandef->chan->center_freq))
3586 		return -ENOBUFS;
3587 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3588 			chandef->chan->freq_offset))
3589 		return -ENOBUFS;
3590 	switch (chandef->width) {
3591 	case NL80211_CHAN_WIDTH_20_NOHT:
3592 	case NL80211_CHAN_WIDTH_20:
3593 	case NL80211_CHAN_WIDTH_40:
3594 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3595 				cfg80211_get_chandef_type(chandef)))
3596 			return -ENOBUFS;
3597 		break;
3598 	default:
3599 		break;
3600 	}
3601 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3602 		return -ENOBUFS;
3603 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3604 		return -ENOBUFS;
3605 	if (chandef->center_freq2 &&
3606 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3607 		return -ENOBUFS;
3608 	return 0;
3609 }
3610 
3611 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3612 			      struct cfg80211_registered_device *rdev,
3613 			      struct wireless_dev *wdev,
3614 			      enum nl80211_commands cmd)
3615 {
3616 	struct net_device *dev = wdev->netdev;
3617 	void *hdr;
3618 
3619 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3620 		cmd != NL80211_CMD_DEL_INTERFACE &&
3621 		cmd != NL80211_CMD_SET_INTERFACE);
3622 
3623 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3624 	if (!hdr)
3625 		return -1;
3626 
3627 	if (dev &&
3628 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3629 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3630 		goto nla_put_failure;
3631 
3632 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3633 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3634 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3635 			      NL80211_ATTR_PAD) ||
3636 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3637 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3638 			rdev->devlist_generation ^
3639 			(cfg80211_rdev_list_generation << 2)) ||
3640 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3641 		goto nla_put_failure;
3642 
3643 	if (rdev->ops->get_channel) {
3644 		int ret;
3645 		struct cfg80211_chan_def chandef = {};
3646 
3647 		ret = rdev_get_channel(rdev, wdev, &chandef);
3648 		if (ret == 0) {
3649 			if (nl80211_send_chandef(msg, &chandef))
3650 				goto nla_put_failure;
3651 		}
3652 	}
3653 
3654 	if (rdev->ops->get_tx_power) {
3655 		int dbm, ret;
3656 
3657 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3658 		if (ret == 0 &&
3659 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3660 				DBM_TO_MBM(dbm)))
3661 			goto nla_put_failure;
3662 	}
3663 
3664 	wdev_lock(wdev);
3665 	switch (wdev->iftype) {
3666 	case NL80211_IFTYPE_AP:
3667 		if (wdev->ssid_len &&
3668 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3669 			goto nla_put_failure_locked;
3670 		break;
3671 	case NL80211_IFTYPE_STATION:
3672 	case NL80211_IFTYPE_P2P_CLIENT:
3673 	case NL80211_IFTYPE_ADHOC: {
3674 		const struct element *ssid_elem;
3675 
3676 		if (!wdev->current_bss)
3677 			break;
3678 		rcu_read_lock();
3679 		ssid_elem = ieee80211_bss_get_elem(&wdev->current_bss->pub,
3680 						   WLAN_EID_SSID);
3681 		if (ssid_elem &&
3682 		    nla_put(msg, NL80211_ATTR_SSID, ssid_elem->datalen,
3683 			    ssid_elem->data))
3684 			goto nla_put_failure_rcu_locked;
3685 		rcu_read_unlock();
3686 		break;
3687 		}
3688 	default:
3689 		/* nothing */
3690 		break;
3691 	}
3692 	wdev_unlock(wdev);
3693 
3694 	if (rdev->ops->get_txq_stats) {
3695 		struct cfg80211_txq_stats txqstats = {};
3696 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3697 
3698 		if (ret == 0 &&
3699 		    !nl80211_put_txq_stats(msg, &txqstats,
3700 					   NL80211_ATTR_TXQ_STATS))
3701 			goto nla_put_failure;
3702 	}
3703 
3704 	genlmsg_end(msg, hdr);
3705 	return 0;
3706 
3707  nla_put_failure_rcu_locked:
3708 	rcu_read_unlock();
3709  nla_put_failure_locked:
3710 	wdev_unlock(wdev);
3711  nla_put_failure:
3712 	genlmsg_cancel(msg, hdr);
3713 	return -EMSGSIZE;
3714 }
3715 
3716 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3717 {
3718 	int wp_idx = 0;
3719 	int if_idx = 0;
3720 	int wp_start = cb->args[0];
3721 	int if_start = cb->args[1];
3722 	int filter_wiphy = -1;
3723 	struct cfg80211_registered_device *rdev;
3724 	struct wireless_dev *wdev;
3725 	int ret;
3726 
3727 	rtnl_lock();
3728 	if (!cb->args[2]) {
3729 		struct nl80211_dump_wiphy_state state = {
3730 			.filter_wiphy = -1,
3731 		};
3732 
3733 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3734 		if (ret)
3735 			goto out_unlock;
3736 
3737 		filter_wiphy = state.filter_wiphy;
3738 
3739 		/*
3740 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3741 		 * value needed to determine that parsing is necessary.
3742 		 */
3743 		if (filter_wiphy >= 0)
3744 			cb->args[2] = filter_wiphy + 1;
3745 		else
3746 			cb->args[2] = -1;
3747 	} else if (cb->args[2] > 0) {
3748 		filter_wiphy = cb->args[2] - 1;
3749 	}
3750 
3751 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3752 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3753 			continue;
3754 		if (wp_idx < wp_start) {
3755 			wp_idx++;
3756 			continue;
3757 		}
3758 
3759 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3760 			continue;
3761 
3762 		if_idx = 0;
3763 
3764 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3765 			if (if_idx < if_start) {
3766 				if_idx++;
3767 				continue;
3768 			}
3769 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3770 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3771 					       rdev, wdev,
3772 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3773 				goto out;
3774 			}
3775 			if_idx++;
3776 		}
3777 
3778 		wp_idx++;
3779 	}
3780  out:
3781 	cb->args[0] = wp_idx;
3782 	cb->args[1] = if_idx;
3783 
3784 	ret = skb->len;
3785  out_unlock:
3786 	rtnl_unlock();
3787 
3788 	return ret;
3789 }
3790 
3791 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3792 {
3793 	struct sk_buff *msg;
3794 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3795 	struct wireless_dev *wdev = info->user_ptr[1];
3796 
3797 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3798 	if (!msg)
3799 		return -ENOMEM;
3800 
3801 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3802 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3803 		nlmsg_free(msg);
3804 		return -ENOBUFS;
3805 	}
3806 
3807 	return genlmsg_reply(msg, info);
3808 }
3809 
3810 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3811 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3812 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3813 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3814 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3815 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3816 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3817 };
3818 
3819 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3820 {
3821 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3822 	int flag;
3823 
3824 	*mntrflags = 0;
3825 
3826 	if (!nla)
3827 		return -EINVAL;
3828 
3829 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3830 		return -EINVAL;
3831 
3832 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3833 		if (flags[flag])
3834 			*mntrflags |= (1<<flag);
3835 
3836 	*mntrflags |= MONITOR_FLAG_CHANGED;
3837 
3838 	return 0;
3839 }
3840 
3841 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3842 				     enum nl80211_iftype type,
3843 				     struct genl_info *info,
3844 				     struct vif_params *params)
3845 {
3846 	bool change = false;
3847 	int err;
3848 
3849 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3850 		if (type != NL80211_IFTYPE_MONITOR)
3851 			return -EINVAL;
3852 
3853 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3854 					  &params->flags);
3855 		if (err)
3856 			return err;
3857 
3858 		change = true;
3859 	}
3860 
3861 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3862 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3863 		return -EOPNOTSUPP;
3864 
3865 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3866 		const u8 *mumimo_groups;
3867 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3868 
3869 		if (type != NL80211_IFTYPE_MONITOR)
3870 			return -EINVAL;
3871 
3872 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3873 			return -EOPNOTSUPP;
3874 
3875 		mumimo_groups =
3876 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3877 
3878 		/* bits 0 and 63 are reserved and must be zero */
3879 		if ((mumimo_groups[0] & BIT(0)) ||
3880 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3881 			return -EINVAL;
3882 
3883 		params->vht_mumimo_groups = mumimo_groups;
3884 		change = true;
3885 	}
3886 
3887 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3888 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3889 
3890 		if (type != NL80211_IFTYPE_MONITOR)
3891 			return -EINVAL;
3892 
3893 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3894 			return -EOPNOTSUPP;
3895 
3896 		params->vht_mumimo_follow_addr =
3897 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3898 		change = true;
3899 	}
3900 
3901 	return change ? 1 : 0;
3902 }
3903 
3904 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3905 			       struct net_device *netdev, u8 use_4addr,
3906 			       enum nl80211_iftype iftype)
3907 {
3908 	if (!use_4addr) {
3909 		if (netdev && netif_is_bridge_port(netdev))
3910 			return -EBUSY;
3911 		return 0;
3912 	}
3913 
3914 	switch (iftype) {
3915 	case NL80211_IFTYPE_AP_VLAN:
3916 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3917 			return 0;
3918 		break;
3919 	case NL80211_IFTYPE_STATION:
3920 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3921 			return 0;
3922 		break;
3923 	default:
3924 		break;
3925 	}
3926 
3927 	return -EOPNOTSUPP;
3928 }
3929 
3930 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3931 {
3932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3933 	struct vif_params params;
3934 	int err;
3935 	enum nl80211_iftype otype, ntype;
3936 	struct net_device *dev = info->user_ptr[1];
3937 	bool change = false;
3938 
3939 	memset(&params, 0, sizeof(params));
3940 
3941 	otype = ntype = dev->ieee80211_ptr->iftype;
3942 
3943 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3944 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3945 		if (otype != ntype)
3946 			change = true;
3947 	}
3948 
3949 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3950 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3951 
3952 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3953 			return -EINVAL;
3954 		if (netif_running(dev))
3955 			return -EBUSY;
3956 
3957 		wdev_lock(wdev);
3958 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3959 			     IEEE80211_MAX_MESH_ID_LEN);
3960 		wdev->mesh_id_up_len =
3961 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3962 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3963 		       wdev->mesh_id_up_len);
3964 		wdev_unlock(wdev);
3965 	}
3966 
3967 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3968 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3969 		change = true;
3970 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3971 		if (err)
3972 			return err;
3973 	} else {
3974 		params.use_4addr = -1;
3975 	}
3976 
3977 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3978 	if (err < 0)
3979 		return err;
3980 	if (err > 0)
3981 		change = true;
3982 
3983 	if (change)
3984 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3985 	else
3986 		err = 0;
3987 
3988 	if (!err && params.use_4addr != -1)
3989 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3990 
3991 	if (change && !err) {
3992 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3993 
3994 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3995 	}
3996 
3997 	return err;
3998 }
3999 
4000 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4001 {
4002 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4003 	struct vif_params params;
4004 	struct wireless_dev *wdev;
4005 	struct sk_buff *msg;
4006 	int err;
4007 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4008 
4009 	memset(&params, 0, sizeof(params));
4010 
4011 	if (!info->attrs[NL80211_ATTR_IFNAME])
4012 		return -EINVAL;
4013 
4014 	if (info->attrs[NL80211_ATTR_IFTYPE])
4015 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4016 
4017 	if (!rdev->ops->add_virtual_intf)
4018 		return -EOPNOTSUPP;
4019 
4020 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4021 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4022 	    info->attrs[NL80211_ATTR_MAC]) {
4023 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4024 			   ETH_ALEN);
4025 		if (!is_valid_ether_addr(params.macaddr))
4026 			return -EADDRNOTAVAIL;
4027 	}
4028 
4029 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4030 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4031 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4032 		if (err)
4033 			return err;
4034 	}
4035 
4036 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4037 		return -EOPNOTSUPP;
4038 
4039 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4040 	if (err < 0)
4041 		return err;
4042 
4043 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4044 	if (!msg)
4045 		return -ENOMEM;
4046 
4047 	wdev = rdev_add_virtual_intf(rdev,
4048 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4049 				NET_NAME_USER, type, &params);
4050 	if (WARN_ON(!wdev)) {
4051 		nlmsg_free(msg);
4052 		return -EPROTO;
4053 	} else if (IS_ERR(wdev)) {
4054 		nlmsg_free(msg);
4055 		return PTR_ERR(wdev);
4056 	}
4057 
4058 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4059 		wdev->owner_nlportid = info->snd_portid;
4060 
4061 	switch (type) {
4062 	case NL80211_IFTYPE_MESH_POINT:
4063 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4064 			break;
4065 		wdev_lock(wdev);
4066 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4067 			     IEEE80211_MAX_MESH_ID_LEN);
4068 		wdev->mesh_id_up_len =
4069 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4070 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4071 		       wdev->mesh_id_up_len);
4072 		wdev_unlock(wdev);
4073 		break;
4074 	case NL80211_IFTYPE_NAN:
4075 	case NL80211_IFTYPE_P2P_DEVICE:
4076 		/*
4077 		 * P2P Device and NAN do not have a netdev, so don't go
4078 		 * through the netdev notifier and must be added here
4079 		 */
4080 		cfg80211_init_wdev(wdev);
4081 		cfg80211_register_wdev(rdev, wdev);
4082 		break;
4083 	default:
4084 		break;
4085 	}
4086 
4087 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4088 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4089 		nlmsg_free(msg);
4090 		return -ENOBUFS;
4091 	}
4092 
4093 	return genlmsg_reply(msg, info);
4094 }
4095 
4096 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4097 {
4098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4099 	int ret;
4100 
4101 	/* to avoid failing a new interface creation due to pending removal */
4102 	cfg80211_destroy_ifaces(rdev);
4103 
4104 	wiphy_lock(&rdev->wiphy);
4105 	ret = _nl80211_new_interface(skb, info);
4106 	wiphy_unlock(&rdev->wiphy);
4107 
4108 	return ret;
4109 }
4110 
4111 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4112 {
4113 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4114 	struct wireless_dev *wdev = info->user_ptr[1];
4115 
4116 	if (!rdev->ops->del_virtual_intf)
4117 		return -EOPNOTSUPP;
4118 
4119 	/*
4120 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4121 	 * reach 0, and thus the rdev cannot be deleted.
4122 	 *
4123 	 * We need to do it for the dev_close(), since that will call
4124 	 * the netdev notifiers, and we need to acquire the mutex there
4125 	 * but don't know if we get there from here or from some other
4126 	 * place (e.g. "ip link set ... down").
4127 	 */
4128 	mutex_unlock(&rdev->wiphy.mtx);
4129 
4130 	/*
4131 	 * If we remove a wireless device without a netdev then clear
4132 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4133 	 * to check if it needs to do dev_put(). Otherwise it crashes
4134 	 * since the wdev has been freed, unlike with a netdev where
4135 	 * we need the dev_put() for the netdev to really be freed.
4136 	 */
4137 	if (!wdev->netdev)
4138 		info->user_ptr[1] = NULL;
4139 	else
4140 		dev_close(wdev->netdev);
4141 
4142 	mutex_lock(&rdev->wiphy.mtx);
4143 
4144 	return rdev_del_virtual_intf(rdev, wdev);
4145 }
4146 
4147 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4148 {
4149 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4150 	struct net_device *dev = info->user_ptr[1];
4151 	u16 noack_map;
4152 
4153 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4154 		return -EINVAL;
4155 
4156 	if (!rdev->ops->set_noack_map)
4157 		return -EOPNOTSUPP;
4158 
4159 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4160 
4161 	return rdev_set_noack_map(rdev, dev, noack_map);
4162 }
4163 
4164 struct get_key_cookie {
4165 	struct sk_buff *msg;
4166 	int error;
4167 	int idx;
4168 };
4169 
4170 static void get_key_callback(void *c, struct key_params *params)
4171 {
4172 	struct nlattr *key;
4173 	struct get_key_cookie *cookie = c;
4174 
4175 	if ((params->key &&
4176 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4177 		     params->key_len, params->key)) ||
4178 	    (params->seq &&
4179 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4180 		     params->seq_len, params->seq)) ||
4181 	    (params->cipher &&
4182 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4183 			 params->cipher)))
4184 		goto nla_put_failure;
4185 
4186 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4187 	if (!key)
4188 		goto nla_put_failure;
4189 
4190 	if ((params->key &&
4191 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4192 		     params->key_len, params->key)) ||
4193 	    (params->seq &&
4194 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4195 		     params->seq_len, params->seq)) ||
4196 	    (params->cipher &&
4197 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4198 			 params->cipher)))
4199 		goto nla_put_failure;
4200 
4201 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4202 		goto nla_put_failure;
4203 
4204 	nla_nest_end(cookie->msg, key);
4205 
4206 	return;
4207  nla_put_failure:
4208 	cookie->error = 1;
4209 }
4210 
4211 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4212 {
4213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4214 	int err;
4215 	struct net_device *dev = info->user_ptr[1];
4216 	u8 key_idx = 0;
4217 	const u8 *mac_addr = NULL;
4218 	bool pairwise;
4219 	struct get_key_cookie cookie = {
4220 		.error = 0,
4221 	};
4222 	void *hdr;
4223 	struct sk_buff *msg;
4224 	bool bigtk_support = false;
4225 
4226 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4227 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4228 		bigtk_support = true;
4229 
4230 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4231 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4232 	    wiphy_ext_feature_isset(&rdev->wiphy,
4233 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4234 		bigtk_support = true;
4235 
4236 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4237 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4238 
4239 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4240 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4241 			return -EINVAL;
4242 		}
4243 	}
4244 
4245 	if (info->attrs[NL80211_ATTR_MAC])
4246 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4247 
4248 	pairwise = !!mac_addr;
4249 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4250 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4251 
4252 		if (kt != NL80211_KEYTYPE_GROUP &&
4253 		    kt != NL80211_KEYTYPE_PAIRWISE)
4254 			return -EINVAL;
4255 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4256 	}
4257 
4258 	if (!rdev->ops->get_key)
4259 		return -EOPNOTSUPP;
4260 
4261 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4262 		return -ENOENT;
4263 
4264 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4265 	if (!msg)
4266 		return -ENOMEM;
4267 
4268 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4269 			     NL80211_CMD_NEW_KEY);
4270 	if (!hdr)
4271 		goto nla_put_failure;
4272 
4273 	cookie.msg = msg;
4274 	cookie.idx = key_idx;
4275 
4276 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4277 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4278 		goto nla_put_failure;
4279 	if (mac_addr &&
4280 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4281 		goto nla_put_failure;
4282 
4283 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4284 			   get_key_callback);
4285 
4286 	if (err)
4287 		goto free_msg;
4288 
4289 	if (cookie.error)
4290 		goto nla_put_failure;
4291 
4292 	genlmsg_end(msg, hdr);
4293 	return genlmsg_reply(msg, info);
4294 
4295  nla_put_failure:
4296 	err = -ENOBUFS;
4297  free_msg:
4298 	nlmsg_free(msg);
4299 	return err;
4300 }
4301 
4302 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4303 {
4304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4305 	struct key_parse key;
4306 	int err;
4307 	struct net_device *dev = info->user_ptr[1];
4308 
4309 	err = nl80211_parse_key(info, &key);
4310 	if (err)
4311 		return err;
4312 
4313 	if (key.idx < 0)
4314 		return -EINVAL;
4315 
4316 	/* Only support setting default key and
4317 	 * Extended Key ID action NL80211_KEY_SET_TX.
4318 	 */
4319 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4320 	    !(key.p.mode == NL80211_KEY_SET_TX))
4321 		return -EINVAL;
4322 
4323 	wdev_lock(dev->ieee80211_ptr);
4324 
4325 	if (key.def) {
4326 		if (!rdev->ops->set_default_key) {
4327 			err = -EOPNOTSUPP;
4328 			goto out;
4329 		}
4330 
4331 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4332 		if (err)
4333 			goto out;
4334 
4335 		err = rdev_set_default_key(rdev, dev, key.idx,
4336 						 key.def_uni, key.def_multi);
4337 
4338 		if (err)
4339 			goto out;
4340 
4341 #ifdef CONFIG_CFG80211_WEXT
4342 		dev->ieee80211_ptr->wext.default_key = key.idx;
4343 #endif
4344 	} else if (key.defmgmt) {
4345 		if (key.def_uni || !key.def_multi) {
4346 			err = -EINVAL;
4347 			goto out;
4348 		}
4349 
4350 		if (!rdev->ops->set_default_mgmt_key) {
4351 			err = -EOPNOTSUPP;
4352 			goto out;
4353 		}
4354 
4355 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4356 		if (err)
4357 			goto out;
4358 
4359 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4360 		if (err)
4361 			goto out;
4362 
4363 #ifdef CONFIG_CFG80211_WEXT
4364 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4365 #endif
4366 	} else if (key.defbeacon) {
4367 		if (key.def_uni || !key.def_multi) {
4368 			err = -EINVAL;
4369 			goto out;
4370 		}
4371 
4372 		if (!rdev->ops->set_default_beacon_key) {
4373 			err = -EOPNOTSUPP;
4374 			goto out;
4375 		}
4376 
4377 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4378 		if (err)
4379 			goto out;
4380 
4381 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4382 		if (err)
4383 			goto out;
4384 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4385 		   wiphy_ext_feature_isset(&rdev->wiphy,
4386 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4387 		u8 *mac_addr = NULL;
4388 
4389 		if (info->attrs[NL80211_ATTR_MAC])
4390 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4391 
4392 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4393 			err = -EINVAL;
4394 			goto out;
4395 		}
4396 
4397 		err = rdev_add_key(rdev, dev, key.idx,
4398 				   NL80211_KEYTYPE_PAIRWISE,
4399 				   mac_addr, &key.p);
4400 	} else {
4401 		err = -EINVAL;
4402 	}
4403  out:
4404 	wdev_unlock(dev->ieee80211_ptr);
4405 
4406 	return err;
4407 }
4408 
4409 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4410 {
4411 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4412 	int err;
4413 	struct net_device *dev = info->user_ptr[1];
4414 	struct key_parse key;
4415 	const u8 *mac_addr = NULL;
4416 
4417 	err = nl80211_parse_key(info, &key);
4418 	if (err)
4419 		return err;
4420 
4421 	if (!key.p.key) {
4422 		GENL_SET_ERR_MSG(info, "no key");
4423 		return -EINVAL;
4424 	}
4425 
4426 	if (info->attrs[NL80211_ATTR_MAC])
4427 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4428 
4429 	if (key.type == -1) {
4430 		if (mac_addr)
4431 			key.type = NL80211_KEYTYPE_PAIRWISE;
4432 		else
4433 			key.type = NL80211_KEYTYPE_GROUP;
4434 	}
4435 
4436 	/* for now */
4437 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4438 	    key.type != NL80211_KEYTYPE_GROUP) {
4439 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4440 		return -EINVAL;
4441 	}
4442 
4443 	if (key.type == NL80211_KEYTYPE_GROUP &&
4444 	    info->attrs[NL80211_ATTR_VLAN_ID])
4445 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4446 
4447 	if (!rdev->ops->add_key)
4448 		return -EOPNOTSUPP;
4449 
4450 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4451 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4452 					   mac_addr)) {
4453 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4454 		return -EINVAL;
4455 	}
4456 
4457 	wdev_lock(dev->ieee80211_ptr);
4458 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4459 	if (err)
4460 		GENL_SET_ERR_MSG(info, "key not allowed");
4461 	if (!err) {
4462 		err = rdev_add_key(rdev, dev, key.idx,
4463 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4464 				    mac_addr, &key.p);
4465 		if (err)
4466 			GENL_SET_ERR_MSG(info, "key addition failed");
4467 	}
4468 	wdev_unlock(dev->ieee80211_ptr);
4469 
4470 	return err;
4471 }
4472 
4473 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4474 {
4475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4476 	int err;
4477 	struct net_device *dev = info->user_ptr[1];
4478 	u8 *mac_addr = NULL;
4479 	struct key_parse key;
4480 
4481 	err = nl80211_parse_key(info, &key);
4482 	if (err)
4483 		return err;
4484 
4485 	if (info->attrs[NL80211_ATTR_MAC])
4486 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4487 
4488 	if (key.type == -1) {
4489 		if (mac_addr)
4490 			key.type = NL80211_KEYTYPE_PAIRWISE;
4491 		else
4492 			key.type = NL80211_KEYTYPE_GROUP;
4493 	}
4494 
4495 	/* for now */
4496 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4497 	    key.type != NL80211_KEYTYPE_GROUP)
4498 		return -EINVAL;
4499 
4500 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4501 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4502 		return -EINVAL;
4503 
4504 	if (!rdev->ops->del_key)
4505 		return -EOPNOTSUPP;
4506 
4507 	wdev_lock(dev->ieee80211_ptr);
4508 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4509 
4510 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4511 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4512 		err = -ENOENT;
4513 
4514 	if (!err)
4515 		err = rdev_del_key(rdev, dev, key.idx,
4516 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4517 				   mac_addr);
4518 
4519 #ifdef CONFIG_CFG80211_WEXT
4520 	if (!err) {
4521 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4522 			dev->ieee80211_ptr->wext.default_key = -1;
4523 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4524 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4525 	}
4526 #endif
4527 	wdev_unlock(dev->ieee80211_ptr);
4528 
4529 	return err;
4530 }
4531 
4532 /* This function returns an error or the number of nested attributes */
4533 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4534 {
4535 	struct nlattr *attr;
4536 	int n_entries = 0, tmp;
4537 
4538 	nla_for_each_nested(attr, nl_attr, tmp) {
4539 		if (nla_len(attr) != ETH_ALEN)
4540 			return -EINVAL;
4541 
4542 		n_entries++;
4543 	}
4544 
4545 	return n_entries;
4546 }
4547 
4548 /*
4549  * This function parses ACL information and allocates memory for ACL data.
4550  * On successful return, the calling function is responsible to free the
4551  * ACL buffer returned by this function.
4552  */
4553 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4554 						struct genl_info *info)
4555 {
4556 	enum nl80211_acl_policy acl_policy;
4557 	struct nlattr *attr;
4558 	struct cfg80211_acl_data *acl;
4559 	int i = 0, n_entries, tmp;
4560 
4561 	if (!wiphy->max_acl_mac_addrs)
4562 		return ERR_PTR(-EOPNOTSUPP);
4563 
4564 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4565 		return ERR_PTR(-EINVAL);
4566 
4567 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4568 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4569 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4570 		return ERR_PTR(-EINVAL);
4571 
4572 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4573 		return ERR_PTR(-EINVAL);
4574 
4575 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4576 	if (n_entries < 0)
4577 		return ERR_PTR(n_entries);
4578 
4579 	if (n_entries > wiphy->max_acl_mac_addrs)
4580 		return ERR_PTR(-ENOTSUPP);
4581 
4582 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4583 	if (!acl)
4584 		return ERR_PTR(-ENOMEM);
4585 
4586 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4587 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4588 		i++;
4589 	}
4590 
4591 	acl->n_acl_entries = n_entries;
4592 	acl->acl_policy = acl_policy;
4593 
4594 	return acl;
4595 }
4596 
4597 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4598 {
4599 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4600 	struct net_device *dev = info->user_ptr[1];
4601 	struct cfg80211_acl_data *acl;
4602 	int err;
4603 
4604 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4605 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4606 		return -EOPNOTSUPP;
4607 
4608 	if (!dev->ieee80211_ptr->beacon_interval)
4609 		return -EINVAL;
4610 
4611 	acl = parse_acl_data(&rdev->wiphy, info);
4612 	if (IS_ERR(acl))
4613 		return PTR_ERR(acl);
4614 
4615 	err = rdev_set_mac_acl(rdev, dev, acl);
4616 
4617 	kfree(acl);
4618 
4619 	return err;
4620 }
4621 
4622 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4623 			   u8 *rates, u8 rates_len)
4624 {
4625 	u8 i;
4626 	u32 mask = 0;
4627 
4628 	for (i = 0; i < rates_len; i++) {
4629 		int rate = (rates[i] & 0x7f) * 5;
4630 		int ridx;
4631 
4632 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4633 			struct ieee80211_rate *srate =
4634 				&sband->bitrates[ridx];
4635 			if (rate == srate->bitrate) {
4636 				mask |= 1 << ridx;
4637 				break;
4638 			}
4639 		}
4640 		if (ridx == sband->n_bitrates)
4641 			return 0; /* rate not found */
4642 	}
4643 
4644 	return mask;
4645 }
4646 
4647 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4648 			       u8 *rates, u8 rates_len,
4649 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4650 {
4651 	u8 i;
4652 
4653 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4654 
4655 	for (i = 0; i < rates_len; i++) {
4656 		int ridx, rbit;
4657 
4658 		ridx = rates[i] / 8;
4659 		rbit = BIT(rates[i] % 8);
4660 
4661 		/* check validity */
4662 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4663 			return false;
4664 
4665 		/* check availability */
4666 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4667 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4668 			mcs[ridx] |= rbit;
4669 		else
4670 			return false;
4671 	}
4672 
4673 	return true;
4674 }
4675 
4676 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4677 {
4678 	u16 mcs_mask = 0;
4679 
4680 	switch (vht_mcs_map) {
4681 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4682 		break;
4683 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4684 		mcs_mask = 0x00FF;
4685 		break;
4686 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4687 		mcs_mask = 0x01FF;
4688 		break;
4689 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4690 		mcs_mask = 0x03FF;
4691 		break;
4692 	default:
4693 		break;
4694 	}
4695 
4696 	return mcs_mask;
4697 }
4698 
4699 static void vht_build_mcs_mask(u16 vht_mcs_map,
4700 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4701 {
4702 	u8 nss;
4703 
4704 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4705 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4706 		vht_mcs_map >>= 2;
4707 	}
4708 }
4709 
4710 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4711 			     struct nl80211_txrate_vht *txrate,
4712 			     u16 mcs[NL80211_VHT_NSS_MAX])
4713 {
4714 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4715 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4716 	u8 i;
4717 
4718 	if (!sband->vht_cap.vht_supported)
4719 		return false;
4720 
4721 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4722 
4723 	/* Build vht_mcs_mask from VHT capabilities */
4724 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4725 
4726 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4727 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4728 			mcs[i] = txrate->mcs[i];
4729 		else
4730 			return false;
4731 	}
4732 
4733 	return true;
4734 }
4735 
4736 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4737 {
4738 	switch (he_mcs_map) {
4739 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4740 		return 0;
4741 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4742 		return 0x00FF;
4743 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4744 		return 0x03FF;
4745 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4746 		return 0xFFF;
4747 	default:
4748 		break;
4749 	}
4750 	return 0;
4751 }
4752 
4753 static void he_build_mcs_mask(u16 he_mcs_map,
4754 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4755 {
4756 	u8 nss;
4757 
4758 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4759 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4760 		he_mcs_map >>= 2;
4761 	}
4762 }
4763 
4764 static u16 he_get_txmcsmap(struct genl_info *info,
4765 			   const struct ieee80211_sta_he_cap *he_cap)
4766 {
4767 	struct net_device *dev = info->user_ptr[1];
4768 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4769 	__le16	tx_mcs;
4770 
4771 	switch (wdev->chandef.width) {
4772 	case NL80211_CHAN_WIDTH_80P80:
4773 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4774 		break;
4775 	case NL80211_CHAN_WIDTH_160:
4776 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4777 		break;
4778 	default:
4779 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4780 		break;
4781 	}
4782 	return le16_to_cpu(tx_mcs);
4783 }
4784 
4785 static bool he_set_mcs_mask(struct genl_info *info,
4786 			    struct wireless_dev *wdev,
4787 			    struct ieee80211_supported_band *sband,
4788 			    struct nl80211_txrate_he *txrate,
4789 			    u16 mcs[NL80211_HE_NSS_MAX])
4790 {
4791 	const struct ieee80211_sta_he_cap *he_cap;
4792 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4793 	u16 tx_mcs_map = 0;
4794 	u8 i;
4795 
4796 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4797 	if (!he_cap)
4798 		return false;
4799 
4800 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4801 
4802 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4803 
4804 	/* Build he_mcs_mask from HE capabilities */
4805 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4806 
4807 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4808 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4809 			mcs[i] = txrate->mcs[i];
4810 		else
4811 			return false;
4812 	}
4813 
4814 	return true;
4815 }
4816 
4817 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4818 					 struct nlattr *attrs[],
4819 					 enum nl80211_attrs attr,
4820 					 struct cfg80211_bitrate_mask *mask,
4821 					 struct net_device *dev,
4822 					 bool default_all_enabled)
4823 {
4824 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4825 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4826 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4827 	int rem, i;
4828 	struct nlattr *tx_rates;
4829 	struct ieee80211_supported_band *sband;
4830 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4831 
4832 	memset(mask, 0, sizeof(*mask));
4833 	/* Default to all rates enabled */
4834 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4835 		const struct ieee80211_sta_he_cap *he_cap;
4836 
4837 		if (!default_all_enabled)
4838 			break;
4839 
4840 		sband = rdev->wiphy.bands[i];
4841 
4842 		if (!sband)
4843 			continue;
4844 
4845 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4846 		memcpy(mask->control[i].ht_mcs,
4847 		       sband->ht_cap.mcs.rx_mask,
4848 		       sizeof(mask->control[i].ht_mcs));
4849 
4850 		if (sband->vht_cap.vht_supported) {
4851 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4852 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4853 		}
4854 
4855 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4856 		if (!he_cap)
4857 			continue;
4858 
4859 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4860 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4861 
4862 		mask->control[i].he_gi = 0xFF;
4863 		mask->control[i].he_ltf = 0xFF;
4864 	}
4865 
4866 	/* if no rates are given set it back to the defaults */
4867 	if (!attrs[attr])
4868 		goto out;
4869 
4870 	/* The nested attribute uses enum nl80211_band as the index. This maps
4871 	 * directly to the enum nl80211_band values used in cfg80211.
4872 	 */
4873 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4874 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4875 		enum nl80211_band band = nla_type(tx_rates);
4876 		int err;
4877 
4878 		if (band < 0 || band >= NUM_NL80211_BANDS)
4879 			return -EINVAL;
4880 		sband = rdev->wiphy.bands[band];
4881 		if (sband == NULL)
4882 			return -EINVAL;
4883 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4884 						  tx_rates,
4885 						  nl80211_txattr_policy,
4886 						  info->extack);
4887 		if (err)
4888 			return err;
4889 		if (tb[NL80211_TXRATE_LEGACY]) {
4890 			mask->control[band].legacy = rateset_to_mask(
4891 				sband,
4892 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4893 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4894 			if ((mask->control[band].legacy == 0) &&
4895 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4896 				return -EINVAL;
4897 		}
4898 		if (tb[NL80211_TXRATE_HT]) {
4899 			if (!ht_rateset_to_mask(
4900 					sband,
4901 					nla_data(tb[NL80211_TXRATE_HT]),
4902 					nla_len(tb[NL80211_TXRATE_HT]),
4903 					mask->control[band].ht_mcs))
4904 				return -EINVAL;
4905 		}
4906 
4907 		if (tb[NL80211_TXRATE_VHT]) {
4908 			if (!vht_set_mcs_mask(
4909 					sband,
4910 					nla_data(tb[NL80211_TXRATE_VHT]),
4911 					mask->control[band].vht_mcs))
4912 				return -EINVAL;
4913 		}
4914 
4915 		if (tb[NL80211_TXRATE_GI]) {
4916 			mask->control[band].gi =
4917 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4918 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4919 				return -EINVAL;
4920 		}
4921 		if (tb[NL80211_TXRATE_HE] &&
4922 		    !he_set_mcs_mask(info, wdev, sband,
4923 				     nla_data(tb[NL80211_TXRATE_HE]),
4924 				     mask->control[band].he_mcs))
4925 			return -EINVAL;
4926 
4927 		if (tb[NL80211_TXRATE_HE_GI])
4928 			mask->control[band].he_gi =
4929 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4930 		if (tb[NL80211_TXRATE_HE_LTF])
4931 			mask->control[band].he_ltf =
4932 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4933 
4934 		if (mask->control[band].legacy == 0) {
4935 			/* don't allow empty legacy rates if HT, VHT or HE
4936 			 * are not even supported.
4937 			 */
4938 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4939 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4940 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4941 				return -EINVAL;
4942 
4943 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4944 				if (mask->control[band].ht_mcs[i])
4945 					goto out;
4946 
4947 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4948 				if (mask->control[band].vht_mcs[i])
4949 					goto out;
4950 
4951 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4952 				if (mask->control[band].he_mcs[i])
4953 					goto out;
4954 
4955 			/* legacy and mcs rates may not be both empty */
4956 			return -EINVAL;
4957 		}
4958 	}
4959 
4960 out:
4961 	return 0;
4962 }
4963 
4964 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4965 				   enum nl80211_band band,
4966 				   struct cfg80211_bitrate_mask *beacon_rate)
4967 {
4968 	u32 count_ht, count_vht, count_he, i;
4969 	u32 rate = beacon_rate->control[band].legacy;
4970 
4971 	/* Allow only one rate */
4972 	if (hweight32(rate) > 1)
4973 		return -EINVAL;
4974 
4975 	count_ht = 0;
4976 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4977 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4978 			return -EINVAL;
4979 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4980 			count_ht++;
4981 			if (count_ht > 1)
4982 				return -EINVAL;
4983 		}
4984 		if (count_ht && rate)
4985 			return -EINVAL;
4986 	}
4987 
4988 	count_vht = 0;
4989 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4990 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4991 			return -EINVAL;
4992 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4993 			count_vht++;
4994 			if (count_vht > 1)
4995 				return -EINVAL;
4996 		}
4997 		if (count_vht && rate)
4998 			return -EINVAL;
4999 	}
5000 
5001 	count_he = 0;
5002 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5003 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5004 			return -EINVAL;
5005 		} else if (beacon_rate->control[band].he_mcs[i]) {
5006 			count_he++;
5007 			if (count_he > 1)
5008 				return -EINVAL;
5009 		}
5010 		if (count_he && rate)
5011 			return -EINVAL;
5012 	}
5013 
5014 	if ((count_ht && count_vht && count_he) ||
5015 	    (!rate && !count_ht && !count_vht && !count_he))
5016 		return -EINVAL;
5017 
5018 	if (rate &&
5019 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5020 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5021 		return -EINVAL;
5022 	if (count_ht &&
5023 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5024 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5025 		return -EINVAL;
5026 	if (count_vht &&
5027 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5028 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5029 		return -EINVAL;
5030 	if (count_he &&
5031 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5032 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5033 		return -EINVAL;
5034 
5035 	return 0;
5036 }
5037 
5038 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5039 				       struct net_device *dev,
5040 				       struct nlattr *attrs,
5041 				       struct cfg80211_mbssid_config *config,
5042 				       u8 num_elems)
5043 {
5044 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5045 
5046 	if (!wiphy->mbssid_max_interfaces)
5047 		return -EOPNOTSUPP;
5048 
5049 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5050 			     NULL) ||
5051 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5052 		return -EINVAL;
5053 
5054 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5055 	if (config->ema) {
5056 		if (!wiphy->ema_max_profile_periodicity)
5057 			return -EOPNOTSUPP;
5058 
5059 		if (num_elems > wiphy->ema_max_profile_periodicity)
5060 			return -EINVAL;
5061 	}
5062 
5063 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5064 	if (config->index >= wiphy->mbssid_max_interfaces ||
5065 	    (!config->index && !num_elems))
5066 		return -EINVAL;
5067 
5068 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5069 		u32 tx_ifindex =
5070 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5071 
5072 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5073 		    (config->index && tx_ifindex == dev->ifindex))
5074 			return -EINVAL;
5075 
5076 		if (tx_ifindex != dev->ifindex) {
5077 			struct net_device *tx_netdev =
5078 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5079 
5080 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5081 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5082 			    tx_netdev->ieee80211_ptr->iftype !=
5083 							NL80211_IFTYPE_AP) {
5084 				dev_put(tx_netdev);
5085 				return -EINVAL;
5086 			}
5087 
5088 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5089 		} else {
5090 			config->tx_wdev = dev->ieee80211_ptr;
5091 		}
5092 	} else if (!config->index) {
5093 		config->tx_wdev = dev->ieee80211_ptr;
5094 	} else {
5095 		return -EINVAL;
5096 	}
5097 
5098 	return 0;
5099 }
5100 
5101 static struct cfg80211_mbssid_elems *
5102 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5103 {
5104 	struct nlattr *nl_elems;
5105 	struct cfg80211_mbssid_elems *elems;
5106 	int rem_elems;
5107 	u8 i = 0, num_elems = 0;
5108 
5109 	if (!wiphy->mbssid_max_interfaces)
5110 		return ERR_PTR(-EINVAL);
5111 
5112 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5113 		num_elems++;
5114 
5115 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5116 	if (!elems)
5117 		return ERR_PTR(-ENOMEM);
5118 
5119 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5120 		elems->elem[i].data = nla_data(nl_elems);
5121 		elems->elem[i].len = nla_len(nl_elems);
5122 		i++;
5123 	}
5124 	elems->cnt = num_elems;
5125 	return elems;
5126 }
5127 
5128 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5129 				struct nlattr *attrs[],
5130 				struct cfg80211_beacon_data *bcn)
5131 {
5132 	bool haveinfo = false;
5133 	int err;
5134 
5135 	memset(bcn, 0, sizeof(*bcn));
5136 
5137 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5138 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5139 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5140 		if (!bcn->head_len)
5141 			return -EINVAL;
5142 		haveinfo = true;
5143 	}
5144 
5145 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5146 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5147 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5148 		haveinfo = true;
5149 	}
5150 
5151 	if (!haveinfo)
5152 		return -EINVAL;
5153 
5154 	if (attrs[NL80211_ATTR_IE]) {
5155 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5156 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5157 	}
5158 
5159 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5160 		bcn->proberesp_ies =
5161 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5162 		bcn->proberesp_ies_len =
5163 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5164 	}
5165 
5166 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5167 		bcn->assocresp_ies =
5168 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5169 		bcn->assocresp_ies_len =
5170 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5171 	}
5172 
5173 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5174 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5175 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5176 	}
5177 
5178 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5179 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5180 
5181 		err = nla_parse_nested_deprecated(tb,
5182 						  NL80211_FTM_RESP_ATTR_MAX,
5183 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5184 						  NULL, NULL);
5185 		if (err)
5186 			return err;
5187 
5188 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5189 		    wiphy_ext_feature_isset(&rdev->wiphy,
5190 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5191 			bcn->ftm_responder = 1;
5192 		else
5193 			return -EOPNOTSUPP;
5194 
5195 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5196 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5197 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5198 		}
5199 
5200 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5201 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5202 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5203 		}
5204 	} else {
5205 		bcn->ftm_responder = -1;
5206 	}
5207 
5208 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5209 		struct cfg80211_mbssid_elems *mbssid =
5210 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5211 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5212 
5213 		if (IS_ERR(mbssid))
5214 			return PTR_ERR(mbssid);
5215 
5216 		bcn->mbssid_ies = mbssid;
5217 	}
5218 
5219 	return 0;
5220 }
5221 
5222 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5223 				    struct ieee80211_he_obss_pd *he_obss_pd)
5224 {
5225 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5226 	int err;
5227 
5228 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5229 			       he_obss_pd_policy, NULL);
5230 	if (err)
5231 		return err;
5232 
5233 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5234 		return -EINVAL;
5235 
5236 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5237 
5238 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5239 		he_obss_pd->min_offset =
5240 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5241 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5242 		he_obss_pd->max_offset =
5243 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5244 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5245 		he_obss_pd->non_srg_max_offset =
5246 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5247 
5248 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5249 		return -EINVAL;
5250 
5251 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5252 		memcpy(he_obss_pd->bss_color_bitmap,
5253 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5254 		       sizeof(he_obss_pd->bss_color_bitmap));
5255 
5256 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5257 		memcpy(he_obss_pd->partial_bssid_bitmap,
5258 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5259 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5260 
5261 	he_obss_pd->enable = true;
5262 
5263 	return 0;
5264 }
5265 
5266 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5267 				      struct cfg80211_he_bss_color *he_bss_color)
5268 {
5269 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5270 	int err;
5271 
5272 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5273 			       he_bss_color_policy, NULL);
5274 	if (err)
5275 		return err;
5276 
5277 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5278 		return -EINVAL;
5279 
5280 	he_bss_color->color =
5281 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5282 	he_bss_color->enabled =
5283 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5284 	he_bss_color->partial =
5285 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5286 
5287 	return 0;
5288 }
5289 
5290 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5291 					struct nlattr *attrs,
5292 					struct cfg80211_ap_settings *params)
5293 {
5294 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5295 	int ret;
5296 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5297 
5298 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5299 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5300 		return -EINVAL;
5301 
5302 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5303 			       NULL, NULL);
5304 	if (ret)
5305 		return ret;
5306 
5307 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5308 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5309 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5310 		return -EINVAL;
5311 
5312 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5313 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5314 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5315 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5316 
5317 	return 0;
5318 }
5319 
5320 static int
5321 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5322 				     struct nlattr *attrs,
5323 				     struct cfg80211_ap_settings *params)
5324 {
5325 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5326 	int ret;
5327 	struct cfg80211_unsol_bcast_probe_resp *presp =
5328 					&params->unsol_bcast_probe_resp;
5329 
5330 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5331 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5332 		return -EINVAL;
5333 
5334 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5335 			       attrs, NULL, NULL);
5336 	if (ret)
5337 		return ret;
5338 
5339 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5340 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5341 		return -EINVAL;
5342 
5343 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5344 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5345 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5346 	return 0;
5347 }
5348 
5349 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5350 					    const struct element *rates)
5351 {
5352 	int i;
5353 
5354 	if (!rates)
5355 		return;
5356 
5357 	for (i = 0; i < rates->datalen; i++) {
5358 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5359 			params->ht_required = true;
5360 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5361 			params->vht_required = true;
5362 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5363 			params->he_required = true;
5364 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5365 			params->sae_h2e_required = true;
5366 	}
5367 }
5368 
5369 /*
5370  * Since the nl80211 API didn't include, from the beginning, attributes about
5371  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5372  * benefit of drivers that rebuild IEs in the firmware.
5373  */
5374 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5375 {
5376 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5377 	size_t ies_len = bcn->tail_len;
5378 	const u8 *ies = bcn->tail;
5379 	const struct element *rates;
5380 	const struct element *cap;
5381 
5382 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5383 	nl80211_check_ap_rate_selectors(params, rates);
5384 
5385 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5386 	nl80211_check_ap_rate_selectors(params, rates);
5387 
5388 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5389 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5390 		params->ht_cap = (void *)cap->data;
5391 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5392 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5393 		params->vht_cap = (void *)cap->data;
5394 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5395 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5396 		params->he_cap = (void *)(cap->data + 1);
5397 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5398 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5399 		params->he_oper = (void *)(cap->data + 1);
5400 }
5401 
5402 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5403 				   struct cfg80211_ap_settings *params)
5404 {
5405 	struct wireless_dev *wdev;
5406 	bool ret = false;
5407 
5408 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5409 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5410 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5411 			continue;
5412 
5413 		if (!wdev->preset_chandef.chan)
5414 			continue;
5415 
5416 		params->chandef = wdev->preset_chandef;
5417 		ret = true;
5418 		break;
5419 	}
5420 
5421 	return ret;
5422 }
5423 
5424 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5425 				    enum nl80211_auth_type auth_type,
5426 				    enum nl80211_commands cmd)
5427 {
5428 	if (auth_type > NL80211_AUTHTYPE_MAX)
5429 		return false;
5430 
5431 	switch (cmd) {
5432 	case NL80211_CMD_AUTHENTICATE:
5433 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5434 		    auth_type == NL80211_AUTHTYPE_SAE)
5435 			return false;
5436 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5437 					     NL80211_EXT_FEATURE_FILS_STA) &&
5438 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5439 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5440 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5441 			return false;
5442 		return true;
5443 	case NL80211_CMD_CONNECT:
5444 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5445 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5446 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5447 		    auth_type == NL80211_AUTHTYPE_SAE)
5448 			return false;
5449 
5450 		/* FILS with SK PFS or PK not supported yet */
5451 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5452 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5453 			return false;
5454 		if (!wiphy_ext_feature_isset(
5455 			    &rdev->wiphy,
5456 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5457 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5458 			return false;
5459 		return true;
5460 	case NL80211_CMD_START_AP:
5461 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5462 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5463 		    auth_type == NL80211_AUTHTYPE_SAE)
5464 			return false;
5465 		/* FILS not supported yet */
5466 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5467 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5468 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5469 			return false;
5470 		return true;
5471 	default:
5472 		return false;
5473 	}
5474 }
5475 
5476 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5477 {
5478 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5479 	struct net_device *dev = info->user_ptr[1];
5480 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5481 	struct cfg80211_ap_settings *params;
5482 	int err;
5483 
5484 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5485 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5486 		return -EOPNOTSUPP;
5487 
5488 	if (!rdev->ops->start_ap)
5489 		return -EOPNOTSUPP;
5490 
5491 	if (wdev->beacon_interval)
5492 		return -EALREADY;
5493 
5494 	/* these are required for START_AP */
5495 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5496 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5497 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5498 		return -EINVAL;
5499 
5500 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5501 	if (!params)
5502 		return -ENOMEM;
5503 
5504 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5505 	if (err)
5506 		goto out;
5507 
5508 	params->beacon_interval =
5509 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5510 	params->dtim_period =
5511 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5512 
5513 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5514 					   params->beacon_interval);
5515 	if (err)
5516 		goto out;
5517 
5518 	/*
5519 	 * In theory, some of these attributes should be required here
5520 	 * but since they were not used when the command was originally
5521 	 * added, keep them optional for old user space programs to let
5522 	 * them continue to work with drivers that do not need the
5523 	 * additional information -- drivers must check!
5524 	 */
5525 	if (info->attrs[NL80211_ATTR_SSID]) {
5526 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5527 		params->ssid_len =
5528 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5529 		if (params->ssid_len == 0) {
5530 			err = -EINVAL;
5531 			goto out;
5532 		}
5533 	}
5534 
5535 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5536 		params->hidden_ssid = nla_get_u32(
5537 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5538 
5539 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5540 
5541 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5542 		params->auth_type = nla_get_u32(
5543 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5544 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5545 					     NL80211_CMD_START_AP)) {
5546 			err = -EINVAL;
5547 			goto out;
5548 		}
5549 	} else
5550 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5551 
5552 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5553 				      NL80211_MAX_NR_CIPHER_SUITES);
5554 	if (err)
5555 		goto out;
5556 
5557 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5558 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5559 			err = -EOPNOTSUPP;
5560 			goto out;
5561 		}
5562 		params->inactivity_timeout = nla_get_u16(
5563 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5564 	}
5565 
5566 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5567 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5568 			err = -EINVAL;
5569 			goto out;
5570 		}
5571 		params->p2p_ctwindow =
5572 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5573 		if (params->p2p_ctwindow != 0 &&
5574 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5575 			err = -EINVAL;
5576 			goto out;
5577 		}
5578 	}
5579 
5580 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5581 		u8 tmp;
5582 
5583 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5584 			err = -EINVAL;
5585 			goto out;
5586 		}
5587 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5588 		params->p2p_opp_ps = tmp;
5589 		if (params->p2p_opp_ps != 0 &&
5590 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5591 			err = -EINVAL;
5592 			goto out;
5593 		}
5594 	}
5595 
5596 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5597 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5598 		if (err)
5599 			goto out;
5600 	} else if (wdev->preset_chandef.chan) {
5601 		params->chandef = wdev->preset_chandef;
5602 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5603 		err = -EINVAL;
5604 		goto out;
5605 	}
5606 
5607 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5608 					   wdev->iftype)) {
5609 		err = -EINVAL;
5610 		goto out;
5611 	}
5612 
5613 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5614 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5615 						    NL80211_ATTR_TX_RATES,
5616 						    &params->beacon_rate,
5617 						    dev, false);
5618 		if (err)
5619 			goto out;
5620 
5621 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5622 					      &params->beacon_rate);
5623 		if (err)
5624 			goto out;
5625 	}
5626 
5627 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5628 		params->smps_mode =
5629 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5630 		switch (params->smps_mode) {
5631 		case NL80211_SMPS_OFF:
5632 			break;
5633 		case NL80211_SMPS_STATIC:
5634 			if (!(rdev->wiphy.features &
5635 			      NL80211_FEATURE_STATIC_SMPS)) {
5636 				err = -EINVAL;
5637 				goto out;
5638 			}
5639 			break;
5640 		case NL80211_SMPS_DYNAMIC:
5641 			if (!(rdev->wiphy.features &
5642 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5643 				err = -EINVAL;
5644 				goto out;
5645 			}
5646 			break;
5647 		default:
5648 			err = -EINVAL;
5649 			goto out;
5650 		}
5651 	} else {
5652 		params->smps_mode = NL80211_SMPS_OFF;
5653 	}
5654 
5655 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5656 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5657 		err = -EOPNOTSUPP;
5658 		goto out;
5659 	}
5660 
5661 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5662 		params->acl = parse_acl_data(&rdev->wiphy, info);
5663 		if (IS_ERR(params->acl)) {
5664 			err = PTR_ERR(params->acl);
5665 			params->acl = NULL;
5666 			goto out;
5667 		}
5668 	}
5669 
5670 	params->twt_responder =
5671 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5672 
5673 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5674 		err = nl80211_parse_he_obss_pd(
5675 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5676 					&params->he_obss_pd);
5677 		if (err)
5678 			goto out;
5679 	}
5680 
5681 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5682 		err = nl80211_parse_he_bss_color(
5683 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5684 					&params->he_bss_color);
5685 		if (err)
5686 			goto out;
5687 	}
5688 
5689 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5690 		err = nl80211_parse_fils_discovery(rdev,
5691 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5692 						   params);
5693 		if (err)
5694 			goto out;
5695 	}
5696 
5697 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5698 		err = nl80211_parse_unsol_bcast_probe_resp(
5699 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5700 			params);
5701 		if (err)
5702 			goto out;
5703 	}
5704 
5705 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5706 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5707 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5708 						  &params->mbssid_config,
5709 						  params->beacon.mbssid_ies ?
5710 							params->beacon.mbssid_ies->cnt :
5711 							0);
5712 		if (err)
5713 			goto out;
5714 	}
5715 
5716 	nl80211_calculate_ap_params(params);
5717 
5718 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5719 		params->flags = nla_get_u32(
5720 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5721 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5722 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5723 
5724 	wdev_lock(wdev);
5725 	err = rdev_start_ap(rdev, dev, params);
5726 	if (!err) {
5727 		wdev->preset_chandef = params->chandef;
5728 		wdev->beacon_interval = params->beacon_interval;
5729 		wdev->chandef = params->chandef;
5730 		wdev->ssid_len = params->ssid_len;
5731 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5732 
5733 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5734 			wdev->conn_owner_nlportid = info->snd_portid;
5735 	}
5736 	wdev_unlock(wdev);
5737 
5738 out:
5739 	kfree(params->acl);
5740 	kfree(params->beacon.mbssid_ies);
5741 	if (params->mbssid_config.tx_wdev &&
5742 	    params->mbssid_config.tx_wdev->netdev &&
5743 	    params->mbssid_config.tx_wdev->netdev != dev)
5744 		dev_put(params->mbssid_config.tx_wdev->netdev);
5745 	kfree(params);
5746 
5747 	return err;
5748 }
5749 
5750 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5751 {
5752 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5753 	struct net_device *dev = info->user_ptr[1];
5754 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5755 	struct cfg80211_beacon_data params;
5756 	int err;
5757 
5758 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5759 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5760 		return -EOPNOTSUPP;
5761 
5762 	if (!rdev->ops->change_beacon)
5763 		return -EOPNOTSUPP;
5764 
5765 	if (!wdev->beacon_interval)
5766 		return -EINVAL;
5767 
5768 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5769 	if (err)
5770 		goto out;
5771 
5772 	wdev_lock(wdev);
5773 	err = rdev_change_beacon(rdev, dev, &params);
5774 	wdev_unlock(wdev);
5775 
5776 out:
5777 	kfree(params.mbssid_ies);
5778 	return err;
5779 }
5780 
5781 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5782 {
5783 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5784 	struct net_device *dev = info->user_ptr[1];
5785 
5786 	return cfg80211_stop_ap(rdev, dev, false);
5787 }
5788 
5789 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5790 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5791 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5792 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5793 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5794 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5795 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5796 };
5797 
5798 static int parse_station_flags(struct genl_info *info,
5799 			       enum nl80211_iftype iftype,
5800 			       struct station_parameters *params)
5801 {
5802 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5803 	struct nlattr *nla;
5804 	int flag;
5805 
5806 	/*
5807 	 * Try parsing the new attribute first so userspace
5808 	 * can specify both for older kernels.
5809 	 */
5810 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5811 	if (nla) {
5812 		struct nl80211_sta_flag_update *sta_flags;
5813 
5814 		sta_flags = nla_data(nla);
5815 		params->sta_flags_mask = sta_flags->mask;
5816 		params->sta_flags_set = sta_flags->set;
5817 		params->sta_flags_set &= params->sta_flags_mask;
5818 		if ((params->sta_flags_mask |
5819 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5820 			return -EINVAL;
5821 		return 0;
5822 	}
5823 
5824 	/* if present, parse the old attribute */
5825 
5826 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5827 	if (!nla)
5828 		return 0;
5829 
5830 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5831 		return -EINVAL;
5832 
5833 	/*
5834 	 * Only allow certain flags for interface types so that
5835 	 * other attributes are silently ignored. Remember that
5836 	 * this is backward compatibility code with old userspace
5837 	 * and shouldn't be hit in other cases anyway.
5838 	 */
5839 	switch (iftype) {
5840 	case NL80211_IFTYPE_AP:
5841 	case NL80211_IFTYPE_AP_VLAN:
5842 	case NL80211_IFTYPE_P2P_GO:
5843 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5844 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5845 					 BIT(NL80211_STA_FLAG_WME) |
5846 					 BIT(NL80211_STA_FLAG_MFP);
5847 		break;
5848 	case NL80211_IFTYPE_P2P_CLIENT:
5849 	case NL80211_IFTYPE_STATION:
5850 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5851 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5852 		break;
5853 	case NL80211_IFTYPE_MESH_POINT:
5854 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5855 					 BIT(NL80211_STA_FLAG_MFP) |
5856 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5857 		break;
5858 	default:
5859 		return -EINVAL;
5860 	}
5861 
5862 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5863 		if (flags[flag]) {
5864 			params->sta_flags_set |= (1<<flag);
5865 
5866 			/* no longer support new API additions in old API */
5867 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5868 				return -EINVAL;
5869 		}
5870 	}
5871 
5872 	return 0;
5873 }
5874 
5875 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5876 {
5877 	struct nlattr *rate;
5878 	u32 bitrate;
5879 	u16 bitrate_compat;
5880 	enum nl80211_rate_info rate_flg;
5881 
5882 	rate = nla_nest_start_noflag(msg, attr);
5883 	if (!rate)
5884 		return false;
5885 
5886 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5887 	bitrate = cfg80211_calculate_bitrate(info);
5888 	/* report 16-bit bitrate only if we can */
5889 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5890 	if (bitrate > 0 &&
5891 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5892 		return false;
5893 	if (bitrate_compat > 0 &&
5894 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5895 		return false;
5896 
5897 	switch (info->bw) {
5898 	case RATE_INFO_BW_5:
5899 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5900 		break;
5901 	case RATE_INFO_BW_10:
5902 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5903 		break;
5904 	default:
5905 		WARN_ON(1);
5906 		fallthrough;
5907 	case RATE_INFO_BW_20:
5908 		rate_flg = 0;
5909 		break;
5910 	case RATE_INFO_BW_40:
5911 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5912 		break;
5913 	case RATE_INFO_BW_80:
5914 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5915 		break;
5916 	case RATE_INFO_BW_160:
5917 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5918 		break;
5919 	case RATE_INFO_BW_HE_RU:
5920 		rate_flg = 0;
5921 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5922 	}
5923 
5924 	if (rate_flg && nla_put_flag(msg, rate_flg))
5925 		return false;
5926 
5927 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5928 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5929 			return false;
5930 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5931 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5932 			return false;
5933 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5934 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5935 			return false;
5936 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5937 			return false;
5938 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5939 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5940 			return false;
5941 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5942 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5943 			return false;
5944 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5945 			return false;
5946 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5947 			return false;
5948 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5949 			return false;
5950 		if (info->bw == RATE_INFO_BW_HE_RU &&
5951 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5952 			       info->he_ru_alloc))
5953 			return false;
5954 	}
5955 
5956 	nla_nest_end(msg, rate);
5957 	return true;
5958 }
5959 
5960 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5961 			       int id)
5962 {
5963 	void *attr;
5964 	int i = 0;
5965 
5966 	if (!mask)
5967 		return true;
5968 
5969 	attr = nla_nest_start_noflag(msg, id);
5970 	if (!attr)
5971 		return false;
5972 
5973 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5974 		if (!(mask & BIT(i)))
5975 			continue;
5976 
5977 		if (nla_put_u8(msg, i, signal[i]))
5978 			return false;
5979 	}
5980 
5981 	nla_nest_end(msg, attr);
5982 
5983 	return true;
5984 }
5985 
5986 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5987 				u32 seq, int flags,
5988 				struct cfg80211_registered_device *rdev,
5989 				struct net_device *dev,
5990 				const u8 *mac_addr, struct station_info *sinfo)
5991 {
5992 	void *hdr;
5993 	struct nlattr *sinfoattr, *bss_param;
5994 
5995 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5996 	if (!hdr) {
5997 		cfg80211_sinfo_release_content(sinfo);
5998 		return -1;
5999 	}
6000 
6001 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6002 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6003 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6004 		goto nla_put_failure;
6005 
6006 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6007 	if (!sinfoattr)
6008 		goto nla_put_failure;
6009 
6010 #define PUT_SINFO(attr, memb, type) do {				\
6011 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6012 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6013 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6014 			     sinfo->memb))				\
6015 		goto nla_put_failure;					\
6016 	} while (0)
6017 #define PUT_SINFO_U64(attr, memb) do {					\
6018 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6019 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6020 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6021 		goto nla_put_failure;					\
6022 	} while (0)
6023 
6024 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6025 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6026 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6027 
6028 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6029 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6030 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6031 			(u32)sinfo->rx_bytes))
6032 		goto nla_put_failure;
6033 
6034 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6035 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6036 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6037 			(u32)sinfo->tx_bytes))
6038 		goto nla_put_failure;
6039 
6040 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6041 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6042 	PUT_SINFO(LLID, llid, u16);
6043 	PUT_SINFO(PLID, plid, u16);
6044 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6045 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6046 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6047 
6048 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6049 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6050 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6051 
6052 	switch (rdev->wiphy.signal_type) {
6053 	case CFG80211_SIGNAL_TYPE_MBM:
6054 		PUT_SINFO(SIGNAL, signal, u8);
6055 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6056 		break;
6057 	default:
6058 		break;
6059 	}
6060 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6061 		if (!nl80211_put_signal(msg, sinfo->chains,
6062 					sinfo->chain_signal,
6063 					NL80211_STA_INFO_CHAIN_SIGNAL))
6064 			goto nla_put_failure;
6065 	}
6066 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6067 		if (!nl80211_put_signal(msg, sinfo->chains,
6068 					sinfo->chain_signal_avg,
6069 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6070 			goto nla_put_failure;
6071 	}
6072 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6073 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6074 					  NL80211_STA_INFO_TX_BITRATE))
6075 			goto nla_put_failure;
6076 	}
6077 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6078 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6079 					  NL80211_STA_INFO_RX_BITRATE))
6080 			goto nla_put_failure;
6081 	}
6082 
6083 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6084 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6085 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6086 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6087 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6088 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6089 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6090 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6091 	PUT_SINFO(PEER_PM, peer_pm, u32);
6092 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6093 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6094 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6095 
6096 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6097 		bss_param = nla_nest_start_noflag(msg,
6098 						  NL80211_STA_INFO_BSS_PARAM);
6099 		if (!bss_param)
6100 			goto nla_put_failure;
6101 
6102 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6103 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6104 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6105 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6106 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6107 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6108 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6109 			       sinfo->bss_param.dtim_period) ||
6110 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6111 				sinfo->bss_param.beacon_interval))
6112 			goto nla_put_failure;
6113 
6114 		nla_nest_end(msg, bss_param);
6115 	}
6116 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6117 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6118 		    sizeof(struct nl80211_sta_flag_update),
6119 		    &sinfo->sta_flags))
6120 		goto nla_put_failure;
6121 
6122 	PUT_SINFO_U64(T_OFFSET, t_offset);
6123 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6124 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6125 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6126 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6127 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6128 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6129 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6130 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6131 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6132 	}
6133 
6134 #undef PUT_SINFO
6135 #undef PUT_SINFO_U64
6136 
6137 	if (sinfo->pertid) {
6138 		struct nlattr *tidsattr;
6139 		int tid;
6140 
6141 		tidsattr = nla_nest_start_noflag(msg,
6142 						 NL80211_STA_INFO_TID_STATS);
6143 		if (!tidsattr)
6144 			goto nla_put_failure;
6145 
6146 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6147 			struct cfg80211_tid_stats *tidstats;
6148 			struct nlattr *tidattr;
6149 
6150 			tidstats = &sinfo->pertid[tid];
6151 
6152 			if (!tidstats->filled)
6153 				continue;
6154 
6155 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6156 			if (!tidattr)
6157 				goto nla_put_failure;
6158 
6159 #define PUT_TIDVAL_U64(attr, memb) do {					\
6160 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6161 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6162 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6163 		goto nla_put_failure;					\
6164 	} while (0)
6165 
6166 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6167 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6168 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6169 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6170 
6171 #undef PUT_TIDVAL_U64
6172 			if ((tidstats->filled &
6173 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6174 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6175 						   NL80211_TID_STATS_TXQ_STATS))
6176 				goto nla_put_failure;
6177 
6178 			nla_nest_end(msg, tidattr);
6179 		}
6180 
6181 		nla_nest_end(msg, tidsattr);
6182 	}
6183 
6184 	nla_nest_end(msg, sinfoattr);
6185 
6186 	if (sinfo->assoc_req_ies_len &&
6187 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6188 		    sinfo->assoc_req_ies))
6189 		goto nla_put_failure;
6190 
6191 	cfg80211_sinfo_release_content(sinfo);
6192 	genlmsg_end(msg, hdr);
6193 	return 0;
6194 
6195  nla_put_failure:
6196 	cfg80211_sinfo_release_content(sinfo);
6197 	genlmsg_cancel(msg, hdr);
6198 	return -EMSGSIZE;
6199 }
6200 
6201 static int nl80211_dump_station(struct sk_buff *skb,
6202 				struct netlink_callback *cb)
6203 {
6204 	struct station_info sinfo;
6205 	struct cfg80211_registered_device *rdev;
6206 	struct wireless_dev *wdev;
6207 	u8 mac_addr[ETH_ALEN];
6208 	int sta_idx = cb->args[2];
6209 	int err;
6210 
6211 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6212 	if (err)
6213 		return err;
6214 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6215 	__acquire(&rdev->wiphy.mtx);
6216 
6217 	if (!wdev->netdev) {
6218 		err = -EINVAL;
6219 		goto out_err;
6220 	}
6221 
6222 	if (!rdev->ops->dump_station) {
6223 		err = -EOPNOTSUPP;
6224 		goto out_err;
6225 	}
6226 
6227 	while (1) {
6228 		memset(&sinfo, 0, sizeof(sinfo));
6229 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6230 					mac_addr, &sinfo);
6231 		if (err == -ENOENT)
6232 			break;
6233 		if (err)
6234 			goto out_err;
6235 
6236 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6237 				NETLINK_CB(cb->skb).portid,
6238 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6239 				rdev, wdev->netdev, mac_addr,
6240 				&sinfo) < 0)
6241 			goto out;
6242 
6243 		sta_idx++;
6244 	}
6245 
6246  out:
6247 	cb->args[2] = sta_idx;
6248 	err = skb->len;
6249  out_err:
6250 	wiphy_unlock(&rdev->wiphy);
6251 
6252 	return err;
6253 }
6254 
6255 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6256 {
6257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6258 	struct net_device *dev = info->user_ptr[1];
6259 	struct station_info sinfo;
6260 	struct sk_buff *msg;
6261 	u8 *mac_addr = NULL;
6262 	int err;
6263 
6264 	memset(&sinfo, 0, sizeof(sinfo));
6265 
6266 	if (!info->attrs[NL80211_ATTR_MAC])
6267 		return -EINVAL;
6268 
6269 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6270 
6271 	if (!rdev->ops->get_station)
6272 		return -EOPNOTSUPP;
6273 
6274 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6275 	if (err)
6276 		return err;
6277 
6278 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6279 	if (!msg) {
6280 		cfg80211_sinfo_release_content(&sinfo);
6281 		return -ENOMEM;
6282 	}
6283 
6284 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6285 				 info->snd_portid, info->snd_seq, 0,
6286 				 rdev, dev, mac_addr, &sinfo) < 0) {
6287 		nlmsg_free(msg);
6288 		return -ENOBUFS;
6289 	}
6290 
6291 	return genlmsg_reply(msg, info);
6292 }
6293 
6294 int cfg80211_check_station_change(struct wiphy *wiphy,
6295 				  struct station_parameters *params,
6296 				  enum cfg80211_station_type statype)
6297 {
6298 	if (params->listen_interval != -1 &&
6299 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6300 		return -EINVAL;
6301 
6302 	if (params->support_p2p_ps != -1 &&
6303 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6304 		return -EINVAL;
6305 
6306 	if (params->aid &&
6307 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6308 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6309 		return -EINVAL;
6310 
6311 	/* When you run into this, adjust the code below for the new flag */
6312 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6313 
6314 	switch (statype) {
6315 	case CFG80211_STA_MESH_PEER_KERNEL:
6316 	case CFG80211_STA_MESH_PEER_USER:
6317 		/*
6318 		 * No ignoring the TDLS flag here -- the userspace mesh
6319 		 * code doesn't have the bug of including TDLS in the
6320 		 * mask everywhere.
6321 		 */
6322 		if (params->sta_flags_mask &
6323 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6324 				  BIT(NL80211_STA_FLAG_MFP) |
6325 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6326 			return -EINVAL;
6327 		break;
6328 	case CFG80211_STA_TDLS_PEER_SETUP:
6329 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6330 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6331 			return -EINVAL;
6332 		/* ignore since it can't change */
6333 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6334 		break;
6335 	default:
6336 		/* disallow mesh-specific things */
6337 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6338 			return -EINVAL;
6339 		if (params->local_pm)
6340 			return -EINVAL;
6341 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6342 			return -EINVAL;
6343 	}
6344 
6345 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6346 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6347 		/* TDLS can't be set, ... */
6348 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6349 			return -EINVAL;
6350 		/*
6351 		 * ... but don't bother the driver with it. This works around
6352 		 * a hostapd/wpa_supplicant issue -- it always includes the
6353 		 * TLDS_PEER flag in the mask even for AP mode.
6354 		 */
6355 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6356 	}
6357 
6358 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6359 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6360 		/* reject other things that can't change */
6361 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6362 			return -EINVAL;
6363 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6364 			return -EINVAL;
6365 		if (params->supported_rates)
6366 			return -EINVAL;
6367 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6368 		    params->he_capa)
6369 			return -EINVAL;
6370 	}
6371 
6372 	if (statype != CFG80211_STA_AP_CLIENT &&
6373 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6374 		if (params->vlan)
6375 			return -EINVAL;
6376 	}
6377 
6378 	switch (statype) {
6379 	case CFG80211_STA_AP_MLME_CLIENT:
6380 		/* Use this only for authorizing/unauthorizing a station */
6381 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6382 			return -EOPNOTSUPP;
6383 		break;
6384 	case CFG80211_STA_AP_CLIENT:
6385 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6386 		/* accept only the listed bits */
6387 		if (params->sta_flags_mask &
6388 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6389 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6390 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6391 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6392 				  BIT(NL80211_STA_FLAG_WME) |
6393 				  BIT(NL80211_STA_FLAG_MFP)))
6394 			return -EINVAL;
6395 
6396 		/* but authenticated/associated only if driver handles it */
6397 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6398 		    params->sta_flags_mask &
6399 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6400 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6401 			return -EINVAL;
6402 		break;
6403 	case CFG80211_STA_IBSS:
6404 	case CFG80211_STA_AP_STA:
6405 		/* reject any changes other than AUTHORIZED */
6406 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6407 			return -EINVAL;
6408 		break;
6409 	case CFG80211_STA_TDLS_PEER_SETUP:
6410 		/* reject any changes other than AUTHORIZED or WME */
6411 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6412 					       BIT(NL80211_STA_FLAG_WME)))
6413 			return -EINVAL;
6414 		/* force (at least) rates when authorizing */
6415 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6416 		    !params->supported_rates)
6417 			return -EINVAL;
6418 		break;
6419 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6420 		/* reject any changes */
6421 		return -EINVAL;
6422 	case CFG80211_STA_MESH_PEER_KERNEL:
6423 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6424 			return -EINVAL;
6425 		break;
6426 	case CFG80211_STA_MESH_PEER_USER:
6427 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6428 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6429 			return -EINVAL;
6430 		break;
6431 	}
6432 
6433 	/*
6434 	 * Older kernel versions ignored this attribute entirely, so don't
6435 	 * reject attempts to update it but mark it as unused instead so the
6436 	 * driver won't look at the data.
6437 	 */
6438 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6439 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6440 		params->opmode_notif_used = false;
6441 
6442 	return 0;
6443 }
6444 EXPORT_SYMBOL(cfg80211_check_station_change);
6445 
6446 /*
6447  * Get vlan interface making sure it is running and on the right wiphy.
6448  */
6449 static struct net_device *get_vlan(struct genl_info *info,
6450 				   struct cfg80211_registered_device *rdev)
6451 {
6452 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6453 	struct net_device *v;
6454 	int ret;
6455 
6456 	if (!vlanattr)
6457 		return NULL;
6458 
6459 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6460 	if (!v)
6461 		return ERR_PTR(-ENODEV);
6462 
6463 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6464 		ret = -EINVAL;
6465 		goto error;
6466 	}
6467 
6468 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6469 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6470 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6471 		ret = -EINVAL;
6472 		goto error;
6473 	}
6474 
6475 	if (!netif_running(v)) {
6476 		ret = -ENETDOWN;
6477 		goto error;
6478 	}
6479 
6480 	return v;
6481  error:
6482 	dev_put(v);
6483 	return ERR_PTR(ret);
6484 }
6485 
6486 static const struct nla_policy
6487 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6488 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6489 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6490 };
6491 
6492 static int nl80211_parse_sta_wme(struct genl_info *info,
6493 				 struct station_parameters *params)
6494 {
6495 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6496 	struct nlattr *nla;
6497 	int err;
6498 
6499 	/* parse WME attributes if present */
6500 	if (!info->attrs[NL80211_ATTR_STA_WME])
6501 		return 0;
6502 
6503 	nla = info->attrs[NL80211_ATTR_STA_WME];
6504 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6505 					  nl80211_sta_wme_policy,
6506 					  info->extack);
6507 	if (err)
6508 		return err;
6509 
6510 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6511 		params->uapsd_queues = nla_get_u8(
6512 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6513 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6514 		return -EINVAL;
6515 
6516 	if (tb[NL80211_STA_WME_MAX_SP])
6517 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6518 
6519 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6520 		return -EINVAL;
6521 
6522 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6523 
6524 	return 0;
6525 }
6526 
6527 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6528 				      struct station_parameters *params)
6529 {
6530 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6531 		params->supported_channels =
6532 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6533 		params->supported_channels_len =
6534 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6535 		/*
6536 		 * Need to include at least one (first channel, number of
6537 		 * channels) tuple for each subband (checked in policy),
6538 		 * and must have proper tuples for the rest of the data as well.
6539 		 */
6540 		if (params->supported_channels_len % 2)
6541 			return -EINVAL;
6542 	}
6543 
6544 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6545 		params->supported_oper_classes =
6546 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6547 		params->supported_oper_classes_len =
6548 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6549 	}
6550 	return 0;
6551 }
6552 
6553 static int nl80211_set_station_tdls(struct genl_info *info,
6554 				    struct station_parameters *params)
6555 {
6556 	int err;
6557 	/* Dummy STA entry gets updated once the peer capabilities are known */
6558 	if (info->attrs[NL80211_ATTR_PEER_AID])
6559 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6560 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6561 		params->ht_capa =
6562 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6563 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6564 		params->vht_capa =
6565 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6566 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6567 		params->he_capa =
6568 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6569 		params->he_capa_len =
6570 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6571 	}
6572 
6573 	err = nl80211_parse_sta_channel_info(info, params);
6574 	if (err)
6575 		return err;
6576 
6577 	return nl80211_parse_sta_wme(info, params);
6578 }
6579 
6580 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6581 					     struct station_parameters *params)
6582 {
6583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6584 	int idx;
6585 
6586 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6587 		if (!rdev->ops->set_tx_power ||
6588 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6589 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6590 			return -EOPNOTSUPP;
6591 
6592 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6593 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6594 
6595 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6596 			idx = NL80211_ATTR_STA_TX_POWER;
6597 
6598 			if (info->attrs[idx])
6599 				params->txpwr.power =
6600 					nla_get_s16(info->attrs[idx]);
6601 			else
6602 				return -EINVAL;
6603 		}
6604 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6605 	}
6606 
6607 	return 0;
6608 }
6609 
6610 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6611 {
6612 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6613 	struct net_device *dev = info->user_ptr[1];
6614 	struct station_parameters params;
6615 	u8 *mac_addr;
6616 	int err;
6617 
6618 	memset(&params, 0, sizeof(params));
6619 
6620 	if (!rdev->ops->change_station)
6621 		return -EOPNOTSUPP;
6622 
6623 	/*
6624 	 * AID and listen_interval properties can be set only for unassociated
6625 	 * station. Include these parameters here and will check them in
6626 	 * cfg80211_check_station_change().
6627 	 */
6628 	if (info->attrs[NL80211_ATTR_STA_AID])
6629 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6630 
6631 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6632 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6633 
6634 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6635 		params.listen_interval =
6636 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6637 	else
6638 		params.listen_interval = -1;
6639 
6640 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6641 		params.support_p2p_ps =
6642 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6643 	else
6644 		params.support_p2p_ps = -1;
6645 
6646 	if (!info->attrs[NL80211_ATTR_MAC])
6647 		return -EINVAL;
6648 
6649 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6650 
6651 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6652 		params.supported_rates =
6653 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6654 		params.supported_rates_len =
6655 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6656 	}
6657 
6658 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6659 		params.capability =
6660 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6661 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6662 	}
6663 
6664 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6665 		params.ext_capab =
6666 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6667 		params.ext_capab_len =
6668 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6669 	}
6670 
6671 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6672 		return -EINVAL;
6673 
6674 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6675 		params.plink_action =
6676 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6677 
6678 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6679 		params.plink_state =
6680 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6681 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6682 			params.peer_aid = nla_get_u16(
6683 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6684 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6685 	}
6686 
6687 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6688 		params.local_pm = nla_get_u32(
6689 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6690 
6691 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6692 		params.opmode_notif_used = true;
6693 		params.opmode_notif =
6694 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6695 	}
6696 
6697 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6698 		params.he_6ghz_capa =
6699 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6700 
6701 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6702 		params.airtime_weight =
6703 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6704 
6705 	if (params.airtime_weight &&
6706 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6707 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6708 		return -EOPNOTSUPP;
6709 
6710 	err = nl80211_parse_sta_txpower_setting(info, &params);
6711 	if (err)
6712 		return err;
6713 
6714 	/* Include parameters for TDLS peer (will check later) */
6715 	err = nl80211_set_station_tdls(info, &params);
6716 	if (err)
6717 		return err;
6718 
6719 	params.vlan = get_vlan(info, rdev);
6720 	if (IS_ERR(params.vlan))
6721 		return PTR_ERR(params.vlan);
6722 
6723 	switch (dev->ieee80211_ptr->iftype) {
6724 	case NL80211_IFTYPE_AP:
6725 	case NL80211_IFTYPE_AP_VLAN:
6726 	case NL80211_IFTYPE_P2P_GO:
6727 	case NL80211_IFTYPE_P2P_CLIENT:
6728 	case NL80211_IFTYPE_STATION:
6729 	case NL80211_IFTYPE_ADHOC:
6730 	case NL80211_IFTYPE_MESH_POINT:
6731 		break;
6732 	default:
6733 		err = -EOPNOTSUPP;
6734 		goto out_put_vlan;
6735 	}
6736 
6737 	/* driver will call cfg80211_check_station_change() */
6738 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6739 
6740  out_put_vlan:
6741 	dev_put(params.vlan);
6742 
6743 	return err;
6744 }
6745 
6746 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6747 {
6748 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6749 	int err;
6750 	struct net_device *dev = info->user_ptr[1];
6751 	struct station_parameters params;
6752 	u8 *mac_addr = NULL;
6753 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6754 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6755 
6756 	memset(&params, 0, sizeof(params));
6757 
6758 	if (!rdev->ops->add_station)
6759 		return -EOPNOTSUPP;
6760 
6761 	if (!info->attrs[NL80211_ATTR_MAC])
6762 		return -EINVAL;
6763 
6764 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6765 		return -EINVAL;
6766 
6767 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6768 		return -EINVAL;
6769 
6770 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6771 	    !info->attrs[NL80211_ATTR_PEER_AID])
6772 		return -EINVAL;
6773 
6774 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6775 	params.supported_rates =
6776 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6777 	params.supported_rates_len =
6778 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6779 	params.listen_interval =
6780 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6781 
6782 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6783 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6784 
6785 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6786 		params.support_p2p_ps =
6787 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6788 	} else {
6789 		/*
6790 		 * if not specified, assume it's supported for P2P GO interface,
6791 		 * and is NOT supported for AP interface
6792 		 */
6793 		params.support_p2p_ps =
6794 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6795 	}
6796 
6797 	if (info->attrs[NL80211_ATTR_PEER_AID])
6798 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6799 	else
6800 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6801 
6802 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6803 		params.capability =
6804 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6805 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6806 	}
6807 
6808 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6809 		params.ext_capab =
6810 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6811 		params.ext_capab_len =
6812 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6813 	}
6814 
6815 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6816 		params.ht_capa =
6817 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6818 
6819 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6820 		params.vht_capa =
6821 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6822 
6823 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6824 		params.he_capa =
6825 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6826 		params.he_capa_len =
6827 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6828 	}
6829 
6830 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6831 		params.he_6ghz_capa =
6832 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6833 
6834 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6835 		params.opmode_notif_used = true;
6836 		params.opmode_notif =
6837 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6838 	}
6839 
6840 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6841 		params.plink_action =
6842 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6843 
6844 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6845 		params.airtime_weight =
6846 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6847 
6848 	if (params.airtime_weight &&
6849 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6850 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6851 		return -EOPNOTSUPP;
6852 
6853 	err = nl80211_parse_sta_txpower_setting(info, &params);
6854 	if (err)
6855 		return err;
6856 
6857 	err = nl80211_parse_sta_channel_info(info, &params);
6858 	if (err)
6859 		return err;
6860 
6861 	err = nl80211_parse_sta_wme(info, &params);
6862 	if (err)
6863 		return err;
6864 
6865 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6866 		return -EINVAL;
6867 
6868 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6869 	 * as userspace might just pass through the capabilities from the IEs
6870 	 * directly, rather than enforcing this restriction and returning an
6871 	 * error in this case.
6872 	 */
6873 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6874 		params.ht_capa = NULL;
6875 		params.vht_capa = NULL;
6876 
6877 		/* HE requires WME */
6878 		if (params.he_capa_len || params.he_6ghz_capa)
6879 			return -EINVAL;
6880 	}
6881 
6882 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6883 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6884 		return -EINVAL;
6885 
6886 	/* When you run into this, adjust the code below for the new flag */
6887 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6888 
6889 	switch (dev->ieee80211_ptr->iftype) {
6890 	case NL80211_IFTYPE_AP:
6891 	case NL80211_IFTYPE_AP_VLAN:
6892 	case NL80211_IFTYPE_P2P_GO:
6893 		/* ignore WME attributes if iface/sta is not capable */
6894 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6895 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6896 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6897 
6898 		/* TDLS peers cannot be added */
6899 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6900 		    info->attrs[NL80211_ATTR_PEER_AID])
6901 			return -EINVAL;
6902 		/* but don't bother the driver with it */
6903 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6904 
6905 		/* allow authenticated/associated only if driver handles it */
6906 		if (!(rdev->wiphy.features &
6907 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6908 		    params.sta_flags_mask & auth_assoc)
6909 			return -EINVAL;
6910 
6911 		/* Older userspace, or userspace wanting to be compatible with
6912 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6913 		 * and assoc flags in the mask, but assumes the station will be
6914 		 * added as associated anyway since this was the required driver
6915 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6916 		 * introduced.
6917 		 * In order to not bother drivers with this quirk in the API
6918 		 * set the flags in both the mask and set for new stations in
6919 		 * this case.
6920 		 */
6921 		if (!(params.sta_flags_mask & auth_assoc)) {
6922 			params.sta_flags_mask |= auth_assoc;
6923 			params.sta_flags_set |= auth_assoc;
6924 		}
6925 
6926 		/* must be last in here for error handling */
6927 		params.vlan = get_vlan(info, rdev);
6928 		if (IS_ERR(params.vlan))
6929 			return PTR_ERR(params.vlan);
6930 		break;
6931 	case NL80211_IFTYPE_MESH_POINT:
6932 		/* ignore uAPSD data */
6933 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6934 
6935 		/* associated is disallowed */
6936 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6937 			return -EINVAL;
6938 		/* TDLS peers cannot be added */
6939 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6940 		    info->attrs[NL80211_ATTR_PEER_AID])
6941 			return -EINVAL;
6942 		break;
6943 	case NL80211_IFTYPE_STATION:
6944 	case NL80211_IFTYPE_P2P_CLIENT:
6945 		/* ignore uAPSD data */
6946 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6947 
6948 		/* these are disallowed */
6949 		if (params.sta_flags_mask &
6950 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6951 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6952 			return -EINVAL;
6953 		/* Only TDLS peers can be added */
6954 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6955 			return -EINVAL;
6956 		/* Can only add if TDLS ... */
6957 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6958 			return -EOPNOTSUPP;
6959 		/* ... with external setup is supported */
6960 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6961 			return -EOPNOTSUPP;
6962 		/*
6963 		 * Older wpa_supplicant versions always mark the TDLS peer
6964 		 * as authorized, but it shouldn't yet be.
6965 		 */
6966 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6967 		break;
6968 	default:
6969 		return -EOPNOTSUPP;
6970 	}
6971 
6972 	/* be aware of params.vlan when changing code here */
6973 
6974 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6975 
6976 	dev_put(params.vlan);
6977 	return err;
6978 }
6979 
6980 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6981 {
6982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6983 	struct net_device *dev = info->user_ptr[1];
6984 	struct station_del_parameters params;
6985 
6986 	memset(&params, 0, sizeof(params));
6987 
6988 	if (info->attrs[NL80211_ATTR_MAC])
6989 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6990 
6991 	switch (dev->ieee80211_ptr->iftype) {
6992 	case NL80211_IFTYPE_AP:
6993 	case NL80211_IFTYPE_AP_VLAN:
6994 	case NL80211_IFTYPE_MESH_POINT:
6995 	case NL80211_IFTYPE_P2P_GO:
6996 		/* always accept these */
6997 		break;
6998 	case NL80211_IFTYPE_ADHOC:
6999 		/* conditionally accept */
7000 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7001 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7002 			break;
7003 		return -EINVAL;
7004 	default:
7005 		return -EINVAL;
7006 	}
7007 
7008 	if (!rdev->ops->del_station)
7009 		return -EOPNOTSUPP;
7010 
7011 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7012 		params.subtype =
7013 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7014 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7015 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7016 			return -EINVAL;
7017 	} else {
7018 		/* Default to Deauthentication frame */
7019 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7020 	}
7021 
7022 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7023 		params.reason_code =
7024 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7025 		if (params.reason_code == 0)
7026 			return -EINVAL; /* 0 is reserved */
7027 	} else {
7028 		/* Default to reason code 2 */
7029 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7030 	}
7031 
7032 	return rdev_del_station(rdev, dev, &params);
7033 }
7034 
7035 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7036 				int flags, struct net_device *dev,
7037 				u8 *dst, u8 *next_hop,
7038 				struct mpath_info *pinfo)
7039 {
7040 	void *hdr;
7041 	struct nlattr *pinfoattr;
7042 
7043 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7044 	if (!hdr)
7045 		return -1;
7046 
7047 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7048 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7049 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7050 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7051 		goto nla_put_failure;
7052 
7053 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7054 	if (!pinfoattr)
7055 		goto nla_put_failure;
7056 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7057 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7058 			pinfo->frame_qlen))
7059 		goto nla_put_failure;
7060 	if (((pinfo->filled & MPATH_INFO_SN) &&
7061 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7062 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7063 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7064 			 pinfo->metric)) ||
7065 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7066 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7067 			 pinfo->exptime)) ||
7068 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7069 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7070 			pinfo->flags)) ||
7071 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7072 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7073 			 pinfo->discovery_timeout)) ||
7074 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7075 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7076 			pinfo->discovery_retries)) ||
7077 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7078 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7079 			pinfo->hop_count)) ||
7080 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7081 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7082 			 pinfo->path_change_count)))
7083 		goto nla_put_failure;
7084 
7085 	nla_nest_end(msg, pinfoattr);
7086 
7087 	genlmsg_end(msg, hdr);
7088 	return 0;
7089 
7090  nla_put_failure:
7091 	genlmsg_cancel(msg, hdr);
7092 	return -EMSGSIZE;
7093 }
7094 
7095 static int nl80211_dump_mpath(struct sk_buff *skb,
7096 			      struct netlink_callback *cb)
7097 {
7098 	struct mpath_info pinfo;
7099 	struct cfg80211_registered_device *rdev;
7100 	struct wireless_dev *wdev;
7101 	u8 dst[ETH_ALEN];
7102 	u8 next_hop[ETH_ALEN];
7103 	int path_idx = cb->args[2];
7104 	int err;
7105 
7106 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7107 	if (err)
7108 		return err;
7109 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7110 	__acquire(&rdev->wiphy.mtx);
7111 
7112 	if (!rdev->ops->dump_mpath) {
7113 		err = -EOPNOTSUPP;
7114 		goto out_err;
7115 	}
7116 
7117 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7118 		err = -EOPNOTSUPP;
7119 		goto out_err;
7120 	}
7121 
7122 	while (1) {
7123 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7124 				      next_hop, &pinfo);
7125 		if (err == -ENOENT)
7126 			break;
7127 		if (err)
7128 			goto out_err;
7129 
7130 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7131 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7132 				       wdev->netdev, dst, next_hop,
7133 				       &pinfo) < 0)
7134 			goto out;
7135 
7136 		path_idx++;
7137 	}
7138 
7139  out:
7140 	cb->args[2] = path_idx;
7141 	err = skb->len;
7142  out_err:
7143 	wiphy_unlock(&rdev->wiphy);
7144 	return err;
7145 }
7146 
7147 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7148 {
7149 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7150 	int err;
7151 	struct net_device *dev = info->user_ptr[1];
7152 	struct mpath_info pinfo;
7153 	struct sk_buff *msg;
7154 	u8 *dst = NULL;
7155 	u8 next_hop[ETH_ALEN];
7156 
7157 	memset(&pinfo, 0, sizeof(pinfo));
7158 
7159 	if (!info->attrs[NL80211_ATTR_MAC])
7160 		return -EINVAL;
7161 
7162 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7163 
7164 	if (!rdev->ops->get_mpath)
7165 		return -EOPNOTSUPP;
7166 
7167 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7168 		return -EOPNOTSUPP;
7169 
7170 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7171 	if (err)
7172 		return err;
7173 
7174 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7175 	if (!msg)
7176 		return -ENOMEM;
7177 
7178 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7179 				 dev, dst, next_hop, &pinfo) < 0) {
7180 		nlmsg_free(msg);
7181 		return -ENOBUFS;
7182 	}
7183 
7184 	return genlmsg_reply(msg, info);
7185 }
7186 
7187 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7188 {
7189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7190 	struct net_device *dev = info->user_ptr[1];
7191 	u8 *dst = NULL;
7192 	u8 *next_hop = NULL;
7193 
7194 	if (!info->attrs[NL80211_ATTR_MAC])
7195 		return -EINVAL;
7196 
7197 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7198 		return -EINVAL;
7199 
7200 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7201 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7202 
7203 	if (!rdev->ops->change_mpath)
7204 		return -EOPNOTSUPP;
7205 
7206 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7207 		return -EOPNOTSUPP;
7208 
7209 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7210 }
7211 
7212 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7213 {
7214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7215 	struct net_device *dev = info->user_ptr[1];
7216 	u8 *dst = NULL;
7217 	u8 *next_hop = NULL;
7218 
7219 	if (!info->attrs[NL80211_ATTR_MAC])
7220 		return -EINVAL;
7221 
7222 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7223 		return -EINVAL;
7224 
7225 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7226 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7227 
7228 	if (!rdev->ops->add_mpath)
7229 		return -EOPNOTSUPP;
7230 
7231 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7232 		return -EOPNOTSUPP;
7233 
7234 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7235 }
7236 
7237 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7238 {
7239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7240 	struct net_device *dev = info->user_ptr[1];
7241 	u8 *dst = NULL;
7242 
7243 	if (info->attrs[NL80211_ATTR_MAC])
7244 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7245 
7246 	if (!rdev->ops->del_mpath)
7247 		return -EOPNOTSUPP;
7248 
7249 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7250 		return -EOPNOTSUPP;
7251 
7252 	return rdev_del_mpath(rdev, dev, dst);
7253 }
7254 
7255 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7256 {
7257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7258 	int err;
7259 	struct net_device *dev = info->user_ptr[1];
7260 	struct mpath_info pinfo;
7261 	struct sk_buff *msg;
7262 	u8 *dst = NULL;
7263 	u8 mpp[ETH_ALEN];
7264 
7265 	memset(&pinfo, 0, sizeof(pinfo));
7266 
7267 	if (!info->attrs[NL80211_ATTR_MAC])
7268 		return -EINVAL;
7269 
7270 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7271 
7272 	if (!rdev->ops->get_mpp)
7273 		return -EOPNOTSUPP;
7274 
7275 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7276 		return -EOPNOTSUPP;
7277 
7278 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7279 	if (err)
7280 		return err;
7281 
7282 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7283 	if (!msg)
7284 		return -ENOMEM;
7285 
7286 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7287 			       dev, dst, mpp, &pinfo) < 0) {
7288 		nlmsg_free(msg);
7289 		return -ENOBUFS;
7290 	}
7291 
7292 	return genlmsg_reply(msg, info);
7293 }
7294 
7295 static int nl80211_dump_mpp(struct sk_buff *skb,
7296 			    struct netlink_callback *cb)
7297 {
7298 	struct mpath_info pinfo;
7299 	struct cfg80211_registered_device *rdev;
7300 	struct wireless_dev *wdev;
7301 	u8 dst[ETH_ALEN];
7302 	u8 mpp[ETH_ALEN];
7303 	int path_idx = cb->args[2];
7304 	int err;
7305 
7306 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7307 	if (err)
7308 		return err;
7309 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7310 	__acquire(&rdev->wiphy.mtx);
7311 
7312 	if (!rdev->ops->dump_mpp) {
7313 		err = -EOPNOTSUPP;
7314 		goto out_err;
7315 	}
7316 
7317 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7318 		err = -EOPNOTSUPP;
7319 		goto out_err;
7320 	}
7321 
7322 	while (1) {
7323 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7324 				    mpp, &pinfo);
7325 		if (err == -ENOENT)
7326 			break;
7327 		if (err)
7328 			goto out_err;
7329 
7330 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7331 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7332 				       wdev->netdev, dst, mpp,
7333 				       &pinfo) < 0)
7334 			goto out;
7335 
7336 		path_idx++;
7337 	}
7338 
7339  out:
7340 	cb->args[2] = path_idx;
7341 	err = skb->len;
7342  out_err:
7343 	wiphy_unlock(&rdev->wiphy);
7344 	return err;
7345 }
7346 
7347 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7348 {
7349 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7350 	struct net_device *dev = info->user_ptr[1];
7351 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7352 	struct bss_parameters params;
7353 	int err;
7354 
7355 	memset(&params, 0, sizeof(params));
7356 	/* default to not changing parameters */
7357 	params.use_cts_prot = -1;
7358 	params.use_short_preamble = -1;
7359 	params.use_short_slot_time = -1;
7360 	params.ap_isolate = -1;
7361 	params.ht_opmode = -1;
7362 	params.p2p_ctwindow = -1;
7363 	params.p2p_opp_ps = -1;
7364 
7365 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7366 		params.use_cts_prot =
7367 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7368 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7369 		params.use_short_preamble =
7370 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7371 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7372 		params.use_short_slot_time =
7373 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7374 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7375 		params.basic_rates =
7376 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7377 		params.basic_rates_len =
7378 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7379 	}
7380 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7381 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7382 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7383 		params.ht_opmode =
7384 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7385 
7386 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7387 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7388 			return -EINVAL;
7389 		params.p2p_ctwindow =
7390 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7391 		if (params.p2p_ctwindow != 0 &&
7392 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7393 			return -EINVAL;
7394 	}
7395 
7396 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7397 		u8 tmp;
7398 
7399 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7400 			return -EINVAL;
7401 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7402 		params.p2p_opp_ps = tmp;
7403 		if (params.p2p_opp_ps &&
7404 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7405 			return -EINVAL;
7406 	}
7407 
7408 	if (!rdev->ops->change_bss)
7409 		return -EOPNOTSUPP;
7410 
7411 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7412 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7413 		return -EOPNOTSUPP;
7414 
7415 	wdev_lock(wdev);
7416 	err = rdev_change_bss(rdev, dev, &params);
7417 	wdev_unlock(wdev);
7418 
7419 	return err;
7420 }
7421 
7422 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7423 {
7424 	char *data = NULL;
7425 	bool is_indoor;
7426 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7427 	u32 owner_nlportid;
7428 
7429 	/*
7430 	 * You should only get this when cfg80211 hasn't yet initialized
7431 	 * completely when built-in to the kernel right between the time
7432 	 * window between nl80211_init() and regulatory_init(), if that is
7433 	 * even possible.
7434 	 */
7435 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7436 		return -EINPROGRESS;
7437 
7438 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7439 		user_reg_hint_type =
7440 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7441 	else
7442 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7443 
7444 	switch (user_reg_hint_type) {
7445 	case NL80211_USER_REG_HINT_USER:
7446 	case NL80211_USER_REG_HINT_CELL_BASE:
7447 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7448 			return -EINVAL;
7449 
7450 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7451 		return regulatory_hint_user(data, user_reg_hint_type);
7452 	case NL80211_USER_REG_HINT_INDOOR:
7453 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7454 			owner_nlportid = info->snd_portid;
7455 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7456 		} else {
7457 			owner_nlportid = 0;
7458 			is_indoor = true;
7459 		}
7460 
7461 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7462 	default:
7463 		return -EINVAL;
7464 	}
7465 }
7466 
7467 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7468 {
7469 	return reg_reload_regdb();
7470 }
7471 
7472 static int nl80211_get_mesh_config(struct sk_buff *skb,
7473 				   struct genl_info *info)
7474 {
7475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7476 	struct net_device *dev = info->user_ptr[1];
7477 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7478 	struct mesh_config cur_params;
7479 	int err = 0;
7480 	void *hdr;
7481 	struct nlattr *pinfoattr;
7482 	struct sk_buff *msg;
7483 
7484 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7485 		return -EOPNOTSUPP;
7486 
7487 	if (!rdev->ops->get_mesh_config)
7488 		return -EOPNOTSUPP;
7489 
7490 	wdev_lock(wdev);
7491 	/* If not connected, get default parameters */
7492 	if (!wdev->mesh_id_len)
7493 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7494 	else
7495 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7496 	wdev_unlock(wdev);
7497 
7498 	if (err)
7499 		return err;
7500 
7501 	/* Draw up a netlink message to send back */
7502 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7503 	if (!msg)
7504 		return -ENOMEM;
7505 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7506 			     NL80211_CMD_GET_MESH_CONFIG);
7507 	if (!hdr)
7508 		goto out;
7509 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7510 	if (!pinfoattr)
7511 		goto nla_put_failure;
7512 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7513 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7514 			cur_params.dot11MeshRetryTimeout) ||
7515 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7516 			cur_params.dot11MeshConfirmTimeout) ||
7517 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7518 			cur_params.dot11MeshHoldingTimeout) ||
7519 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7520 			cur_params.dot11MeshMaxPeerLinks) ||
7521 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7522 		       cur_params.dot11MeshMaxRetries) ||
7523 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7524 		       cur_params.dot11MeshTTL) ||
7525 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7526 		       cur_params.element_ttl) ||
7527 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7528 		       cur_params.auto_open_plinks) ||
7529 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7530 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7531 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7532 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7533 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7534 			cur_params.path_refresh_time) ||
7535 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7536 			cur_params.min_discovery_timeout) ||
7537 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7538 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7539 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7540 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7541 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7542 			cur_params.dot11MeshHWMPperrMinInterval) ||
7543 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7544 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7545 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7546 		       cur_params.dot11MeshHWMPRootMode) ||
7547 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7548 			cur_params.dot11MeshHWMPRannInterval) ||
7549 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7550 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7551 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7552 		       cur_params.dot11MeshForwarding) ||
7553 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7554 			cur_params.rssi_threshold) ||
7555 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7556 			cur_params.ht_opmode) ||
7557 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7558 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7559 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7560 			cur_params.dot11MeshHWMProotInterval) ||
7561 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7562 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7563 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7564 			cur_params.power_mode) ||
7565 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7566 			cur_params.dot11MeshAwakeWindowDuration) ||
7567 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7568 			cur_params.plink_timeout) ||
7569 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7570 		       cur_params.dot11MeshConnectedToMeshGate) ||
7571 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7572 		       cur_params.dot11MeshNolearn) ||
7573 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7574 		       cur_params.dot11MeshConnectedToAuthServer))
7575 		goto nla_put_failure;
7576 	nla_nest_end(msg, pinfoattr);
7577 	genlmsg_end(msg, hdr);
7578 	return genlmsg_reply(msg, info);
7579 
7580  nla_put_failure:
7581  out:
7582 	nlmsg_free(msg);
7583 	return -ENOBUFS;
7584 }
7585 
7586 static const struct nla_policy
7587 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7588 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7589 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7590 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7591 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7592 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7593 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7594 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7595 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7596 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7597 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7598 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7599 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7600 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7601 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7602 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7603 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7604 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7605 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7606 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7607 		NLA_POLICY_MIN(NLA_U16, 1),
7608 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7609 		NLA_POLICY_MIN(NLA_U16, 1),
7610 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7611 		NLA_POLICY_MIN(NLA_U16, 1),
7612 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7613 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7614 		NLA_POLICY_MIN(NLA_U16, 1),
7615 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7616 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7617 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7618 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7619 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7620 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7621 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7622 		NLA_POLICY_MIN(NLA_U16, 1),
7623 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7624 		NLA_POLICY_MIN(NLA_U16, 1),
7625 	[NL80211_MESHCONF_POWER_MODE] =
7626 		NLA_POLICY_RANGE(NLA_U32,
7627 				 NL80211_MESH_POWER_ACTIVE,
7628 				 NL80211_MESH_POWER_MAX),
7629 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7630 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7631 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7632 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7633 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7634 };
7635 
7636 static const struct nla_policy
7637 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7638 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7639 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7640 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7641 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7642 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7643 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7644 	[NL80211_MESH_SETUP_IE] =
7645 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7646 				       IEEE80211_MAX_DATA_LEN),
7647 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7648 };
7649 
7650 static int nl80211_parse_mesh_config(struct genl_info *info,
7651 				     struct mesh_config *cfg,
7652 				     u32 *mask_out)
7653 {
7654 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7655 	u32 mask = 0;
7656 	u16 ht_opmode;
7657 
7658 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7659 do {									\
7660 	if (tb[attr]) {							\
7661 		cfg->param = fn(tb[attr]);				\
7662 		mask |= BIT((attr) - 1);				\
7663 	}								\
7664 } while (0)
7665 
7666 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7667 		return -EINVAL;
7668 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7669 		return -EINVAL;
7670 
7671 	/* This makes sure that there aren't more than 32 mesh config
7672 	 * parameters (otherwise our bitfield scheme would not work.) */
7673 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7674 
7675 	/* Fill in the params struct */
7676 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7677 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7678 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7679 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7680 				  nla_get_u16);
7681 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7682 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7683 				  nla_get_u16);
7684 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7685 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7686 				  nla_get_u16);
7687 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7688 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7689 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7690 				  NL80211_MESHCONF_TTL, nla_get_u8);
7691 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7692 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7693 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7694 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7695 				  nla_get_u8);
7696 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7697 				  mask,
7698 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7699 				  nla_get_u32);
7700 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7701 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7702 				  nla_get_u8);
7703 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7704 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7705 				  nla_get_u32);
7706 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7707 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7708 		return -EINVAL;
7709 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7710 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7711 				  nla_get_u16);
7712 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7713 				  mask,
7714 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7715 				  nla_get_u32);
7716 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7717 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7718 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7719 		return -EINVAL;
7720 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7721 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7722 				  nla_get_u16);
7723 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7724 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7725 				  nla_get_u16);
7726 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7727 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7728 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7729 				  nla_get_u16);
7730 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7731 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7732 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7733 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7734 				  nla_get_u16);
7735 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7736 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7737 				  nla_get_u8);
7738 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7739 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7740 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7741 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7742 				  nla_get_s32);
7743 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7744 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7745 				  nla_get_u8);
7746 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7747 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7748 				  nla_get_u8);
7749 	/*
7750 	 * Check HT operation mode based on
7751 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7752 	 */
7753 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7754 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7755 
7756 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7757 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7758 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7759 			return -EINVAL;
7760 
7761 		/* NON_HT_STA bit is reserved, but some programs set it */
7762 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7763 
7764 		cfg->ht_opmode = ht_opmode;
7765 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7766 	}
7767 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7768 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7769 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7770 				  nla_get_u32);
7771 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7772 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7773 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7774 		return -EINVAL;
7775 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7776 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7777 				  nla_get_u16);
7778 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7779 				  mask,
7780 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7781 				  nla_get_u16);
7782 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7783 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7784 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7785 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7786 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7787 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7788 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7789 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7790 	if (mask_out)
7791 		*mask_out = mask;
7792 
7793 	return 0;
7794 
7795 #undef FILL_IN_MESH_PARAM_IF_SET
7796 }
7797 
7798 static int nl80211_parse_mesh_setup(struct genl_info *info,
7799 				     struct mesh_setup *setup)
7800 {
7801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7802 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7803 
7804 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7805 		return -EINVAL;
7806 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7807 		return -EINVAL;
7808 
7809 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7810 		setup->sync_method =
7811 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7812 		 IEEE80211_SYNC_METHOD_VENDOR :
7813 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7814 
7815 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7816 		setup->path_sel_proto =
7817 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7818 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7819 		 IEEE80211_PATH_PROTOCOL_HWMP;
7820 
7821 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7822 		setup->path_metric =
7823 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7824 		 IEEE80211_PATH_METRIC_VENDOR :
7825 		 IEEE80211_PATH_METRIC_AIRTIME;
7826 
7827 	if (tb[NL80211_MESH_SETUP_IE]) {
7828 		struct nlattr *ieattr =
7829 			tb[NL80211_MESH_SETUP_IE];
7830 		setup->ie = nla_data(ieattr);
7831 		setup->ie_len = nla_len(ieattr);
7832 	}
7833 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7834 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7835 		return -EINVAL;
7836 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7837 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7838 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7839 	if (setup->is_secure)
7840 		setup->user_mpm = true;
7841 
7842 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7843 		if (!setup->user_mpm)
7844 			return -EINVAL;
7845 		setup->auth_id =
7846 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7847 	}
7848 
7849 	return 0;
7850 }
7851 
7852 static int nl80211_update_mesh_config(struct sk_buff *skb,
7853 				      struct genl_info *info)
7854 {
7855 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7856 	struct net_device *dev = info->user_ptr[1];
7857 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7858 	struct mesh_config cfg;
7859 	u32 mask;
7860 	int err;
7861 
7862 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7863 		return -EOPNOTSUPP;
7864 
7865 	if (!rdev->ops->update_mesh_config)
7866 		return -EOPNOTSUPP;
7867 
7868 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7869 	if (err)
7870 		return err;
7871 
7872 	wdev_lock(wdev);
7873 	if (!wdev->mesh_id_len)
7874 		err = -ENOLINK;
7875 
7876 	if (!err)
7877 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7878 
7879 	wdev_unlock(wdev);
7880 
7881 	return err;
7882 }
7883 
7884 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7885 			      struct sk_buff *msg)
7886 {
7887 	struct nlattr *nl_reg_rules;
7888 	unsigned int i;
7889 
7890 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7891 	    (regdom->dfs_region &&
7892 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7893 		goto nla_put_failure;
7894 
7895 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7896 	if (!nl_reg_rules)
7897 		goto nla_put_failure;
7898 
7899 	for (i = 0; i < regdom->n_reg_rules; i++) {
7900 		struct nlattr *nl_reg_rule;
7901 		const struct ieee80211_reg_rule *reg_rule;
7902 		const struct ieee80211_freq_range *freq_range;
7903 		const struct ieee80211_power_rule *power_rule;
7904 		unsigned int max_bandwidth_khz;
7905 
7906 		reg_rule = &regdom->reg_rules[i];
7907 		freq_range = &reg_rule->freq_range;
7908 		power_rule = &reg_rule->power_rule;
7909 
7910 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7911 		if (!nl_reg_rule)
7912 			goto nla_put_failure;
7913 
7914 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7915 		if (!max_bandwidth_khz)
7916 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7917 								  reg_rule);
7918 
7919 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7920 				reg_rule->flags) ||
7921 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7922 				freq_range->start_freq_khz) ||
7923 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7924 				freq_range->end_freq_khz) ||
7925 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7926 				max_bandwidth_khz) ||
7927 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7928 				power_rule->max_antenna_gain) ||
7929 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7930 				power_rule->max_eirp) ||
7931 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7932 				reg_rule->dfs_cac_ms))
7933 			goto nla_put_failure;
7934 
7935 		nla_nest_end(msg, nl_reg_rule);
7936 	}
7937 
7938 	nla_nest_end(msg, nl_reg_rules);
7939 	return 0;
7940 
7941 nla_put_failure:
7942 	return -EMSGSIZE;
7943 }
7944 
7945 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7946 {
7947 	const struct ieee80211_regdomain *regdom = NULL;
7948 	struct cfg80211_registered_device *rdev;
7949 	struct wiphy *wiphy = NULL;
7950 	struct sk_buff *msg;
7951 	void *hdr;
7952 
7953 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7954 	if (!msg)
7955 		return -ENOBUFS;
7956 
7957 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7958 			     NL80211_CMD_GET_REG);
7959 	if (!hdr)
7960 		goto put_failure;
7961 
7962 	rtnl_lock();
7963 
7964 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7965 		bool self_managed;
7966 
7967 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7968 		if (IS_ERR(rdev)) {
7969 			nlmsg_free(msg);
7970 			rtnl_unlock();
7971 			return PTR_ERR(rdev);
7972 		}
7973 
7974 		wiphy = &rdev->wiphy;
7975 		self_managed = wiphy->regulatory_flags &
7976 			       REGULATORY_WIPHY_SELF_MANAGED;
7977 		regdom = get_wiphy_regdom(wiphy);
7978 
7979 		/* a self-managed-reg device must have a private regdom */
7980 		if (WARN_ON(!regdom && self_managed)) {
7981 			nlmsg_free(msg);
7982 			rtnl_unlock();
7983 			return -EINVAL;
7984 		}
7985 
7986 		if (regdom &&
7987 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7988 			goto nla_put_failure;
7989 	}
7990 
7991 	if (!wiphy && reg_last_request_cell_base() &&
7992 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7993 			NL80211_USER_REG_HINT_CELL_BASE))
7994 		goto nla_put_failure;
7995 
7996 	rcu_read_lock();
7997 
7998 	if (!regdom)
7999 		regdom = rcu_dereference(cfg80211_regdomain);
8000 
8001 	if (nl80211_put_regdom(regdom, msg))
8002 		goto nla_put_failure_rcu;
8003 
8004 	rcu_read_unlock();
8005 
8006 	genlmsg_end(msg, hdr);
8007 	rtnl_unlock();
8008 	return genlmsg_reply(msg, info);
8009 
8010 nla_put_failure_rcu:
8011 	rcu_read_unlock();
8012 nla_put_failure:
8013 	rtnl_unlock();
8014 put_failure:
8015 	nlmsg_free(msg);
8016 	return -EMSGSIZE;
8017 }
8018 
8019 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8020 			       u32 seq, int flags, struct wiphy *wiphy,
8021 			       const struct ieee80211_regdomain *regdom)
8022 {
8023 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8024 				   NL80211_CMD_GET_REG);
8025 
8026 	if (!hdr)
8027 		return -1;
8028 
8029 	genl_dump_check_consistent(cb, hdr);
8030 
8031 	if (nl80211_put_regdom(regdom, msg))
8032 		goto nla_put_failure;
8033 
8034 	if (!wiphy && reg_last_request_cell_base() &&
8035 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8036 			NL80211_USER_REG_HINT_CELL_BASE))
8037 		goto nla_put_failure;
8038 
8039 	if (wiphy &&
8040 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8041 		goto nla_put_failure;
8042 
8043 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8044 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8045 		goto nla_put_failure;
8046 
8047 	genlmsg_end(msg, hdr);
8048 	return 0;
8049 
8050 nla_put_failure:
8051 	genlmsg_cancel(msg, hdr);
8052 	return -EMSGSIZE;
8053 }
8054 
8055 static int nl80211_get_reg_dump(struct sk_buff *skb,
8056 				struct netlink_callback *cb)
8057 {
8058 	const struct ieee80211_regdomain *regdom = NULL;
8059 	struct cfg80211_registered_device *rdev;
8060 	int err, reg_idx, start = cb->args[2];
8061 
8062 	rtnl_lock();
8063 
8064 	if (cfg80211_regdomain && start == 0) {
8065 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8066 					  NLM_F_MULTI, NULL,
8067 					  rtnl_dereference(cfg80211_regdomain));
8068 		if (err < 0)
8069 			goto out_err;
8070 	}
8071 
8072 	/* the global regdom is idx 0 */
8073 	reg_idx = 1;
8074 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
8075 		regdom = get_wiphy_regdom(&rdev->wiphy);
8076 		if (!regdom)
8077 			continue;
8078 
8079 		if (++reg_idx <= start)
8080 			continue;
8081 
8082 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8083 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8084 		if (err < 0) {
8085 			reg_idx--;
8086 			break;
8087 		}
8088 	}
8089 
8090 	cb->args[2] = reg_idx;
8091 	err = skb->len;
8092 out_err:
8093 	rtnl_unlock();
8094 	return err;
8095 }
8096 
8097 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8098 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8099 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8100 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8101 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8102 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8103 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8104 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8105 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8106 };
8107 
8108 static int parse_reg_rule(struct nlattr *tb[],
8109 	struct ieee80211_reg_rule *reg_rule)
8110 {
8111 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8112 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8113 
8114 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8115 		return -EINVAL;
8116 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8117 		return -EINVAL;
8118 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8119 		return -EINVAL;
8120 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8121 		return -EINVAL;
8122 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8123 		return -EINVAL;
8124 
8125 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8126 
8127 	freq_range->start_freq_khz =
8128 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8129 	freq_range->end_freq_khz =
8130 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8131 	freq_range->max_bandwidth_khz =
8132 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8133 
8134 	power_rule->max_eirp =
8135 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8136 
8137 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8138 		power_rule->max_antenna_gain =
8139 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8140 
8141 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8142 		reg_rule->dfs_cac_ms =
8143 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8144 
8145 	return 0;
8146 }
8147 
8148 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8149 {
8150 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8151 	struct nlattr *nl_reg_rule;
8152 	char *alpha2;
8153 	int rem_reg_rules, r;
8154 	u32 num_rules = 0, rule_idx = 0;
8155 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8156 	struct ieee80211_regdomain *rd;
8157 
8158 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8159 		return -EINVAL;
8160 
8161 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8162 		return -EINVAL;
8163 
8164 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8165 
8166 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8167 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8168 
8169 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8170 			    rem_reg_rules) {
8171 		num_rules++;
8172 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8173 			return -EINVAL;
8174 	}
8175 
8176 	rtnl_lock();
8177 	if (!reg_is_valid_request(alpha2)) {
8178 		r = -EINVAL;
8179 		goto out;
8180 	}
8181 
8182 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8183 	if (!rd) {
8184 		r = -ENOMEM;
8185 		goto out;
8186 	}
8187 
8188 	rd->n_reg_rules = num_rules;
8189 	rd->alpha2[0] = alpha2[0];
8190 	rd->alpha2[1] = alpha2[1];
8191 
8192 	/*
8193 	 * Disable DFS master mode if the DFS region was
8194 	 * not supported or known on this kernel.
8195 	 */
8196 	if (reg_supported_dfs_region(dfs_region))
8197 		rd->dfs_region = dfs_region;
8198 
8199 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8200 			    rem_reg_rules) {
8201 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8202 						nl_reg_rule, reg_rule_policy,
8203 						info->extack);
8204 		if (r)
8205 			goto bad_reg;
8206 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8207 		if (r)
8208 			goto bad_reg;
8209 
8210 		rule_idx++;
8211 
8212 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8213 			r = -EINVAL;
8214 			goto bad_reg;
8215 		}
8216 	}
8217 
8218 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8219 	/* set_regdom takes ownership of rd */
8220 	rd = NULL;
8221  bad_reg:
8222 	kfree(rd);
8223  out:
8224 	rtnl_unlock();
8225 	return r;
8226 }
8227 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8228 
8229 static int validate_scan_freqs(struct nlattr *freqs)
8230 {
8231 	struct nlattr *attr1, *attr2;
8232 	int n_channels = 0, tmp1, tmp2;
8233 
8234 	nla_for_each_nested(attr1, freqs, tmp1)
8235 		if (nla_len(attr1) != sizeof(u32))
8236 			return 0;
8237 
8238 	nla_for_each_nested(attr1, freqs, tmp1) {
8239 		n_channels++;
8240 		/*
8241 		 * Some hardware has a limited channel list for
8242 		 * scanning, and it is pretty much nonsensical
8243 		 * to scan for a channel twice, so disallow that
8244 		 * and don't require drivers to check that the
8245 		 * channel list they get isn't longer than what
8246 		 * they can scan, as long as they can scan all
8247 		 * the channels they registered at once.
8248 		 */
8249 		nla_for_each_nested(attr2, freqs, tmp2)
8250 			if (attr1 != attr2 &&
8251 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8252 				return 0;
8253 	}
8254 
8255 	return n_channels;
8256 }
8257 
8258 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8259 {
8260 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8261 }
8262 
8263 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8264 			    struct cfg80211_bss_selection *bss_select)
8265 {
8266 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8267 	struct nlattr *nest;
8268 	int err;
8269 	bool found = false;
8270 	int i;
8271 
8272 	/* only process one nested attribute */
8273 	nest = nla_data(nla);
8274 	if (!nla_ok(nest, nla_len(nest)))
8275 		return -EINVAL;
8276 
8277 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8278 					  nest, nl80211_bss_select_policy,
8279 					  NULL);
8280 	if (err)
8281 		return err;
8282 
8283 	/* only one attribute may be given */
8284 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8285 		if (attr[i]) {
8286 			if (found)
8287 				return -EINVAL;
8288 			found = true;
8289 		}
8290 	}
8291 
8292 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8293 
8294 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8295 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8296 
8297 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8298 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8299 		bss_select->param.band_pref =
8300 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8301 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8302 			return -EINVAL;
8303 	}
8304 
8305 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8306 		struct nl80211_bss_select_rssi_adjust *adj_param;
8307 
8308 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8309 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8310 		bss_select->param.adjust.band = adj_param->band;
8311 		bss_select->param.adjust.delta = adj_param->delta;
8312 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8313 			return -EINVAL;
8314 	}
8315 
8316 	/* user-space did not provide behaviour attribute */
8317 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8318 		return -EINVAL;
8319 
8320 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8321 		return -EINVAL;
8322 
8323 	return 0;
8324 }
8325 
8326 int nl80211_parse_random_mac(struct nlattr **attrs,
8327 			     u8 *mac_addr, u8 *mac_addr_mask)
8328 {
8329 	int i;
8330 
8331 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8332 		eth_zero_addr(mac_addr);
8333 		eth_zero_addr(mac_addr_mask);
8334 		mac_addr[0] = 0x2;
8335 		mac_addr_mask[0] = 0x3;
8336 
8337 		return 0;
8338 	}
8339 
8340 	/* need both or none */
8341 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8342 		return -EINVAL;
8343 
8344 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8345 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8346 
8347 	/* don't allow or configure an mcast address */
8348 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8349 	    is_multicast_ether_addr(mac_addr))
8350 		return -EINVAL;
8351 
8352 	/*
8353 	 * allow users to pass a MAC address that has bits set outside
8354 	 * of the mask, but don't bother drivers with having to deal
8355 	 * with such bits
8356 	 */
8357 	for (i = 0; i < ETH_ALEN; i++)
8358 		mac_addr[i] &= mac_addr_mask[i];
8359 
8360 	return 0;
8361 }
8362 
8363 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8364 {
8365 	ASSERT_WDEV_LOCK(wdev);
8366 
8367 	if (!cfg80211_beaconing_iface_active(wdev))
8368 		return true;
8369 
8370 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8371 		return true;
8372 
8373 	return regulatory_pre_cac_allowed(wdev->wiphy);
8374 }
8375 
8376 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8377 				    enum nl80211_ext_feature_index feat)
8378 {
8379 	if (!(flags & flag))
8380 		return true;
8381 	if (wiphy_ext_feature_isset(wiphy, feat))
8382 		return true;
8383 	return false;
8384 }
8385 
8386 static int
8387 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8388 			 void *request, struct nlattr **attrs,
8389 			 bool is_sched_scan)
8390 {
8391 	u8 *mac_addr, *mac_addr_mask;
8392 	u32 *flags;
8393 	enum nl80211_feature_flags randomness_flag;
8394 
8395 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8396 		return 0;
8397 
8398 	if (is_sched_scan) {
8399 		struct cfg80211_sched_scan_request *req = request;
8400 
8401 		randomness_flag = wdev ?
8402 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8403 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8404 		flags = &req->flags;
8405 		mac_addr = req->mac_addr;
8406 		mac_addr_mask = req->mac_addr_mask;
8407 	} else {
8408 		struct cfg80211_scan_request *req = request;
8409 
8410 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8411 		flags = &req->flags;
8412 		mac_addr = req->mac_addr;
8413 		mac_addr_mask = req->mac_addr_mask;
8414 	}
8415 
8416 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8417 
8418 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8419 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8420 	    !nl80211_check_scan_feat(wiphy, *flags,
8421 				     NL80211_SCAN_FLAG_LOW_SPAN,
8422 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8423 	    !nl80211_check_scan_feat(wiphy, *flags,
8424 				     NL80211_SCAN_FLAG_LOW_POWER,
8425 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8426 	    !nl80211_check_scan_feat(wiphy, *flags,
8427 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8428 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8429 	    !nl80211_check_scan_feat(wiphy, *flags,
8430 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8431 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8432 	    !nl80211_check_scan_feat(wiphy, *flags,
8433 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8434 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8435 	    !nl80211_check_scan_feat(wiphy, *flags,
8436 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8437 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8438 	    !nl80211_check_scan_feat(wiphy, *flags,
8439 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8440 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8441 	    !nl80211_check_scan_feat(wiphy, *flags,
8442 				     NL80211_SCAN_FLAG_RANDOM_SN,
8443 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8444 	    !nl80211_check_scan_feat(wiphy, *flags,
8445 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8446 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8447 		return -EOPNOTSUPP;
8448 
8449 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8450 		int err;
8451 
8452 		if (!(wiphy->features & randomness_flag) ||
8453 		    (wdev && wdev->current_bss))
8454 			return -EOPNOTSUPP;
8455 
8456 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8457 		if (err)
8458 			return err;
8459 	}
8460 
8461 	return 0;
8462 }
8463 
8464 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8465 {
8466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8467 	struct wireless_dev *wdev = info->user_ptr[1];
8468 	struct cfg80211_scan_request *request;
8469 	struct nlattr *scan_freqs = NULL;
8470 	bool scan_freqs_khz = false;
8471 	struct nlattr *attr;
8472 	struct wiphy *wiphy;
8473 	int err, tmp, n_ssids = 0, n_channels, i;
8474 	size_t ie_len;
8475 
8476 	wiphy = &rdev->wiphy;
8477 
8478 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8479 		return -EOPNOTSUPP;
8480 
8481 	if (!rdev->ops->scan)
8482 		return -EOPNOTSUPP;
8483 
8484 	if (rdev->scan_req || rdev->scan_msg)
8485 		return -EBUSY;
8486 
8487 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8488 		if (!wiphy_ext_feature_isset(wiphy,
8489 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8490 			return -EOPNOTSUPP;
8491 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8492 		scan_freqs_khz = true;
8493 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8494 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8495 
8496 	if (scan_freqs) {
8497 		n_channels = validate_scan_freqs(scan_freqs);
8498 		if (!n_channels)
8499 			return -EINVAL;
8500 	} else {
8501 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8502 	}
8503 
8504 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8505 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8506 			n_ssids++;
8507 
8508 	if (n_ssids > wiphy->max_scan_ssids)
8509 		return -EINVAL;
8510 
8511 	if (info->attrs[NL80211_ATTR_IE])
8512 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8513 	else
8514 		ie_len = 0;
8515 
8516 	if (ie_len > wiphy->max_scan_ie_len)
8517 		return -EINVAL;
8518 
8519 	request = kzalloc(sizeof(*request)
8520 			+ sizeof(*request->ssids) * n_ssids
8521 			+ sizeof(*request->channels) * n_channels
8522 			+ ie_len, GFP_KERNEL);
8523 	if (!request)
8524 		return -ENOMEM;
8525 
8526 	if (n_ssids)
8527 		request->ssids = (void *)&request->channels[n_channels];
8528 	request->n_ssids = n_ssids;
8529 	if (ie_len) {
8530 		if (n_ssids)
8531 			request->ie = (void *)(request->ssids + n_ssids);
8532 		else
8533 			request->ie = (void *)(request->channels + n_channels);
8534 	}
8535 
8536 	i = 0;
8537 	if (scan_freqs) {
8538 		/* user specified, bail out if channel not found */
8539 		nla_for_each_nested(attr, scan_freqs, tmp) {
8540 			struct ieee80211_channel *chan;
8541 			int freq = nla_get_u32(attr);
8542 
8543 			if (!scan_freqs_khz)
8544 				freq = MHZ_TO_KHZ(freq);
8545 
8546 			chan = ieee80211_get_channel_khz(wiphy, freq);
8547 			if (!chan) {
8548 				err = -EINVAL;
8549 				goto out_free;
8550 			}
8551 
8552 			/* ignore disabled channels */
8553 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8554 				continue;
8555 
8556 			request->channels[i] = chan;
8557 			i++;
8558 		}
8559 	} else {
8560 		enum nl80211_band band;
8561 
8562 		/* all channels */
8563 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8564 			int j;
8565 
8566 			if (!wiphy->bands[band])
8567 				continue;
8568 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8569 				struct ieee80211_channel *chan;
8570 
8571 				chan = &wiphy->bands[band]->channels[j];
8572 
8573 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8574 					continue;
8575 
8576 				request->channels[i] = chan;
8577 				i++;
8578 			}
8579 		}
8580 	}
8581 
8582 	if (!i) {
8583 		err = -EINVAL;
8584 		goto out_free;
8585 	}
8586 
8587 	request->n_channels = i;
8588 
8589 	wdev_lock(wdev);
8590 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8591 		struct ieee80211_channel *chan;
8592 
8593 		if (request->n_channels != 1) {
8594 			wdev_unlock(wdev);
8595 			err = -EBUSY;
8596 			goto out_free;
8597 		}
8598 
8599 		chan = request->channels[0];
8600 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8601 			wdev_unlock(wdev);
8602 			err = -EBUSY;
8603 			goto out_free;
8604 		}
8605 	}
8606 	wdev_unlock(wdev);
8607 
8608 	i = 0;
8609 	if (n_ssids) {
8610 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8611 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8612 				err = -EINVAL;
8613 				goto out_free;
8614 			}
8615 			request->ssids[i].ssid_len = nla_len(attr);
8616 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8617 			i++;
8618 		}
8619 	}
8620 
8621 	if (info->attrs[NL80211_ATTR_IE]) {
8622 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8623 		memcpy((void *)request->ie,
8624 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8625 		       request->ie_len);
8626 	}
8627 
8628 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8629 		if (wiphy->bands[i])
8630 			request->rates[i] =
8631 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8632 
8633 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8634 		nla_for_each_nested(attr,
8635 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8636 				    tmp) {
8637 			enum nl80211_band band = nla_type(attr);
8638 
8639 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8640 				err = -EINVAL;
8641 				goto out_free;
8642 			}
8643 
8644 			if (!wiphy->bands[band])
8645 				continue;
8646 
8647 			err = ieee80211_get_ratemask(wiphy->bands[band],
8648 						     nla_data(attr),
8649 						     nla_len(attr),
8650 						     &request->rates[band]);
8651 			if (err)
8652 				goto out_free;
8653 		}
8654 	}
8655 
8656 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8657 		request->duration =
8658 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8659 		request->duration_mandatory =
8660 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8661 	}
8662 
8663 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8664 				       false);
8665 	if (err)
8666 		goto out_free;
8667 
8668 	request->no_cck =
8669 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8670 
8671 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8672 	 * BSSID to scan for. This was problematic because that same attribute
8673 	 * was already used for another purpose (local random MAC address). The
8674 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8675 	 * compatibility with older userspace components, also use the
8676 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8677 	 * the specific BSSID use case instead of the random MAC address
8678 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8679 	 */
8680 	if (info->attrs[NL80211_ATTR_BSSID])
8681 		memcpy(request->bssid,
8682 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8683 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8684 		 info->attrs[NL80211_ATTR_MAC])
8685 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8686 		       ETH_ALEN);
8687 	else
8688 		eth_broadcast_addr(request->bssid);
8689 
8690 	request->wdev = wdev;
8691 	request->wiphy = &rdev->wiphy;
8692 	request->scan_start = jiffies;
8693 
8694 	rdev->scan_req = request;
8695 	err = cfg80211_scan(rdev);
8696 
8697 	if (err)
8698 		goto out_free;
8699 
8700 	nl80211_send_scan_start(rdev, wdev);
8701 	dev_hold(wdev->netdev);
8702 
8703 	return 0;
8704 
8705  out_free:
8706 	rdev->scan_req = NULL;
8707 	kfree(request);
8708 
8709 	return err;
8710 }
8711 
8712 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8713 {
8714 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8715 	struct wireless_dev *wdev = info->user_ptr[1];
8716 
8717 	if (!rdev->ops->abort_scan)
8718 		return -EOPNOTSUPP;
8719 
8720 	if (rdev->scan_msg)
8721 		return 0;
8722 
8723 	if (!rdev->scan_req)
8724 		return -ENOENT;
8725 
8726 	rdev_abort_scan(rdev, wdev);
8727 	return 0;
8728 }
8729 
8730 static int
8731 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8732 			       struct cfg80211_sched_scan_request *request,
8733 			       struct nlattr **attrs)
8734 {
8735 	int tmp, err, i = 0;
8736 	struct nlattr *attr;
8737 
8738 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8739 		u32 interval;
8740 
8741 		/*
8742 		 * If scan plans are not specified,
8743 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8744 		 * case one scan plan will be set with the specified scan
8745 		 * interval and infinite number of iterations.
8746 		 */
8747 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8748 		if (!interval)
8749 			return -EINVAL;
8750 
8751 		request->scan_plans[0].interval =
8752 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8753 		if (!request->scan_plans[0].interval)
8754 			return -EINVAL;
8755 
8756 		if (request->scan_plans[0].interval >
8757 		    wiphy->max_sched_scan_plan_interval)
8758 			request->scan_plans[0].interval =
8759 				wiphy->max_sched_scan_plan_interval;
8760 
8761 		return 0;
8762 	}
8763 
8764 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8765 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8766 
8767 		if (WARN_ON(i >= n_plans))
8768 			return -EINVAL;
8769 
8770 		err = nla_parse_nested_deprecated(plan,
8771 						  NL80211_SCHED_SCAN_PLAN_MAX,
8772 						  attr, nl80211_plan_policy,
8773 						  NULL);
8774 		if (err)
8775 			return err;
8776 
8777 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8778 			return -EINVAL;
8779 
8780 		request->scan_plans[i].interval =
8781 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8782 		if (!request->scan_plans[i].interval ||
8783 		    request->scan_plans[i].interval >
8784 		    wiphy->max_sched_scan_plan_interval)
8785 			return -EINVAL;
8786 
8787 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8788 			request->scan_plans[i].iterations =
8789 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8790 			if (!request->scan_plans[i].iterations ||
8791 			    (request->scan_plans[i].iterations >
8792 			     wiphy->max_sched_scan_plan_iterations))
8793 				return -EINVAL;
8794 		} else if (i < n_plans - 1) {
8795 			/*
8796 			 * All scan plans but the last one must specify
8797 			 * a finite number of iterations
8798 			 */
8799 			return -EINVAL;
8800 		}
8801 
8802 		i++;
8803 	}
8804 
8805 	/*
8806 	 * The last scan plan must not specify the number of
8807 	 * iterations, it is supposed to run infinitely
8808 	 */
8809 	if (request->scan_plans[n_plans - 1].iterations)
8810 		return  -EINVAL;
8811 
8812 	return 0;
8813 }
8814 
8815 static int
8816 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8817 				       struct cfg80211_match_set *match_sets,
8818 				       struct nlattr *tb_band_rssi,
8819 				       s32 rssi_thold)
8820 {
8821 	struct nlattr *attr;
8822 	int i, tmp, ret = 0;
8823 
8824 	if (!wiphy_ext_feature_isset(wiphy,
8825 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8826 		if (tb_band_rssi)
8827 			ret = -EOPNOTSUPP;
8828 		else
8829 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8830 				match_sets->per_band_rssi_thold[i] =
8831 					NL80211_SCAN_RSSI_THOLD_OFF;
8832 		return ret;
8833 	}
8834 
8835 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8836 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8837 
8838 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8839 		enum nl80211_band band = nla_type(attr);
8840 
8841 		if (band < 0 || band >= NUM_NL80211_BANDS)
8842 			return -EINVAL;
8843 
8844 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8845 	}
8846 
8847 	return 0;
8848 }
8849 
8850 static struct cfg80211_sched_scan_request *
8851 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8852 			 struct nlattr **attrs, int max_match_sets)
8853 {
8854 	struct cfg80211_sched_scan_request *request;
8855 	struct nlattr *attr;
8856 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8857 	enum nl80211_band band;
8858 	size_t ie_len;
8859 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8860 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8861 
8862 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8863 		n_channels = validate_scan_freqs(
8864 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8865 		if (!n_channels)
8866 			return ERR_PTR(-EINVAL);
8867 	} else {
8868 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8869 	}
8870 
8871 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8872 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8873 				    tmp)
8874 			n_ssids++;
8875 
8876 	if (n_ssids > wiphy->max_sched_scan_ssids)
8877 		return ERR_PTR(-EINVAL);
8878 
8879 	/*
8880 	 * First, count the number of 'real' matchsets. Due to an issue with
8881 	 * the old implementation, matchsets containing only the RSSI attribute
8882 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8883 	 * RSSI for all matchsets, rather than their own matchset for reporting
8884 	 * all APs with a strong RSSI. This is needed to be compatible with
8885 	 * older userspace that treated a matchset with only the RSSI as the
8886 	 * global RSSI for all other matchsets - if there are other matchsets.
8887 	 */
8888 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8889 		nla_for_each_nested(attr,
8890 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8891 				    tmp) {
8892 			struct nlattr *rssi;
8893 
8894 			err = nla_parse_nested_deprecated(tb,
8895 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8896 							  attr,
8897 							  nl80211_match_policy,
8898 							  NULL);
8899 			if (err)
8900 				return ERR_PTR(err);
8901 
8902 			/* SSID and BSSID are mutually exclusive */
8903 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8904 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8905 				return ERR_PTR(-EINVAL);
8906 
8907 			/* add other standalone attributes here */
8908 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8909 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8910 				n_match_sets++;
8911 				continue;
8912 			}
8913 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8914 			if (rssi)
8915 				default_match_rssi = nla_get_s32(rssi);
8916 		}
8917 	}
8918 
8919 	/* However, if there's no other matchset, add the RSSI one */
8920 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8921 		n_match_sets = 1;
8922 
8923 	if (n_match_sets > max_match_sets)
8924 		return ERR_PTR(-EINVAL);
8925 
8926 	if (attrs[NL80211_ATTR_IE])
8927 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8928 	else
8929 		ie_len = 0;
8930 
8931 	if (ie_len > wiphy->max_sched_scan_ie_len)
8932 		return ERR_PTR(-EINVAL);
8933 
8934 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8935 		/*
8936 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8937 		 * each scan plan already specifies its own interval
8938 		 */
8939 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8940 			return ERR_PTR(-EINVAL);
8941 
8942 		nla_for_each_nested(attr,
8943 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8944 			n_plans++;
8945 	} else {
8946 		/*
8947 		 * The scan interval attribute is kept for backward
8948 		 * compatibility. If no scan plans are specified and sched scan
8949 		 * interval is specified, one scan plan will be set with this
8950 		 * scan interval and infinite number of iterations.
8951 		 */
8952 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8953 			return ERR_PTR(-EINVAL);
8954 
8955 		n_plans = 1;
8956 	}
8957 
8958 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8959 		return ERR_PTR(-EINVAL);
8960 
8961 	if (!wiphy_ext_feature_isset(
8962 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8963 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8964 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8965 		return ERR_PTR(-EINVAL);
8966 
8967 	request = kzalloc(sizeof(*request)
8968 			+ sizeof(*request->ssids) * n_ssids
8969 			+ sizeof(*request->match_sets) * n_match_sets
8970 			+ sizeof(*request->scan_plans) * n_plans
8971 			+ sizeof(*request->channels) * n_channels
8972 			+ ie_len, GFP_KERNEL);
8973 	if (!request)
8974 		return ERR_PTR(-ENOMEM);
8975 
8976 	if (n_ssids)
8977 		request->ssids = (void *)&request->channels[n_channels];
8978 	request->n_ssids = n_ssids;
8979 	if (ie_len) {
8980 		if (n_ssids)
8981 			request->ie = (void *)(request->ssids + n_ssids);
8982 		else
8983 			request->ie = (void *)(request->channels + n_channels);
8984 	}
8985 
8986 	if (n_match_sets) {
8987 		if (request->ie)
8988 			request->match_sets = (void *)(request->ie + ie_len);
8989 		else if (n_ssids)
8990 			request->match_sets =
8991 				(void *)(request->ssids + n_ssids);
8992 		else
8993 			request->match_sets =
8994 				(void *)(request->channels + n_channels);
8995 	}
8996 	request->n_match_sets = n_match_sets;
8997 
8998 	if (n_match_sets)
8999 		request->scan_plans = (void *)(request->match_sets +
9000 					       n_match_sets);
9001 	else if (request->ie)
9002 		request->scan_plans = (void *)(request->ie + ie_len);
9003 	else if (n_ssids)
9004 		request->scan_plans = (void *)(request->ssids + n_ssids);
9005 	else
9006 		request->scan_plans = (void *)(request->channels + n_channels);
9007 
9008 	request->n_scan_plans = n_plans;
9009 
9010 	i = 0;
9011 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9012 		/* user specified, bail out if channel not found */
9013 		nla_for_each_nested(attr,
9014 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9015 				    tmp) {
9016 			struct ieee80211_channel *chan;
9017 
9018 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9019 
9020 			if (!chan) {
9021 				err = -EINVAL;
9022 				goto out_free;
9023 			}
9024 
9025 			/* ignore disabled channels */
9026 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9027 				continue;
9028 
9029 			request->channels[i] = chan;
9030 			i++;
9031 		}
9032 	} else {
9033 		/* all channels */
9034 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9035 			int j;
9036 
9037 			if (!wiphy->bands[band])
9038 				continue;
9039 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9040 				struct ieee80211_channel *chan;
9041 
9042 				chan = &wiphy->bands[band]->channels[j];
9043 
9044 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9045 					continue;
9046 
9047 				request->channels[i] = chan;
9048 				i++;
9049 			}
9050 		}
9051 	}
9052 
9053 	if (!i) {
9054 		err = -EINVAL;
9055 		goto out_free;
9056 	}
9057 
9058 	request->n_channels = i;
9059 
9060 	i = 0;
9061 	if (n_ssids) {
9062 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9063 				    tmp) {
9064 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9065 				err = -EINVAL;
9066 				goto out_free;
9067 			}
9068 			request->ssids[i].ssid_len = nla_len(attr);
9069 			memcpy(request->ssids[i].ssid, nla_data(attr),
9070 			       nla_len(attr));
9071 			i++;
9072 		}
9073 	}
9074 
9075 	i = 0;
9076 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9077 		nla_for_each_nested(attr,
9078 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9079 				    tmp) {
9080 			struct nlattr *ssid, *bssid, *rssi;
9081 
9082 			err = nla_parse_nested_deprecated(tb,
9083 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9084 							  attr,
9085 							  nl80211_match_policy,
9086 							  NULL);
9087 			if (err)
9088 				goto out_free;
9089 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9090 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9091 
9092 			if (!ssid && !bssid) {
9093 				i++;
9094 				continue;
9095 			}
9096 
9097 			if (WARN_ON(i >= n_match_sets)) {
9098 				/* this indicates a programming error,
9099 				 * the loop above should have verified
9100 				 * things properly
9101 				 */
9102 				err = -EINVAL;
9103 				goto out_free;
9104 			}
9105 
9106 			if (ssid) {
9107 				memcpy(request->match_sets[i].ssid.ssid,
9108 				       nla_data(ssid), nla_len(ssid));
9109 				request->match_sets[i].ssid.ssid_len =
9110 					nla_len(ssid);
9111 			}
9112 			if (bssid)
9113 				memcpy(request->match_sets[i].bssid,
9114 				       nla_data(bssid), ETH_ALEN);
9115 
9116 			/* special attribute - old implementation w/a */
9117 			request->match_sets[i].rssi_thold = default_match_rssi;
9118 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9119 			if (rssi)
9120 				request->match_sets[i].rssi_thold =
9121 					nla_get_s32(rssi);
9122 
9123 			/* Parse per band RSSI attribute */
9124 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9125 				&request->match_sets[i],
9126 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9127 				request->match_sets[i].rssi_thold);
9128 			if (err)
9129 				goto out_free;
9130 
9131 			i++;
9132 		}
9133 
9134 		/* there was no other matchset, so the RSSI one is alone */
9135 		if (i == 0 && n_match_sets)
9136 			request->match_sets[0].rssi_thold = default_match_rssi;
9137 
9138 		request->min_rssi_thold = INT_MAX;
9139 		for (i = 0; i < n_match_sets; i++)
9140 			request->min_rssi_thold =
9141 				min(request->match_sets[i].rssi_thold,
9142 				    request->min_rssi_thold);
9143 	} else {
9144 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9145 	}
9146 
9147 	if (ie_len) {
9148 		request->ie_len = ie_len;
9149 		memcpy((void *)request->ie,
9150 		       nla_data(attrs[NL80211_ATTR_IE]),
9151 		       request->ie_len);
9152 	}
9153 
9154 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9155 	if (err)
9156 		goto out_free;
9157 
9158 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9159 		request->delay =
9160 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9161 
9162 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9163 		request->relative_rssi = nla_get_s8(
9164 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9165 		request->relative_rssi_set = true;
9166 	}
9167 
9168 	if (request->relative_rssi_set &&
9169 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9170 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9171 
9172 		rssi_adjust = nla_data(
9173 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9174 		request->rssi_adjust.band = rssi_adjust->band;
9175 		request->rssi_adjust.delta = rssi_adjust->delta;
9176 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9177 			err = -EINVAL;
9178 			goto out_free;
9179 		}
9180 	}
9181 
9182 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9183 	if (err)
9184 		goto out_free;
9185 
9186 	request->scan_start = jiffies;
9187 
9188 	return request;
9189 
9190 out_free:
9191 	kfree(request);
9192 	return ERR_PTR(err);
9193 }
9194 
9195 static int nl80211_start_sched_scan(struct sk_buff *skb,
9196 				    struct genl_info *info)
9197 {
9198 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9199 	struct net_device *dev = info->user_ptr[1];
9200 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9201 	struct cfg80211_sched_scan_request *sched_scan_req;
9202 	bool want_multi;
9203 	int err;
9204 
9205 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9206 		return -EOPNOTSUPP;
9207 
9208 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9209 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9210 	if (err)
9211 		return err;
9212 
9213 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9214 						  info->attrs,
9215 						  rdev->wiphy.max_match_sets);
9216 
9217 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9218 	if (err)
9219 		goto out_err;
9220 
9221 	/* leave request id zero for legacy request
9222 	 * or if driver does not support multi-scheduled scan
9223 	 */
9224 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9225 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9226 
9227 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9228 	if (err)
9229 		goto out_free;
9230 
9231 	sched_scan_req->dev = dev;
9232 	sched_scan_req->wiphy = &rdev->wiphy;
9233 
9234 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9235 		sched_scan_req->owner_nlportid = info->snd_portid;
9236 
9237 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9238 
9239 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9240 	return 0;
9241 
9242 out_free:
9243 	kfree(sched_scan_req);
9244 out_err:
9245 	return err;
9246 }
9247 
9248 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9249 				   struct genl_info *info)
9250 {
9251 	struct cfg80211_sched_scan_request *req;
9252 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9253 	u64 cookie;
9254 
9255 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9256 		return -EOPNOTSUPP;
9257 
9258 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9259 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9260 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9261 	}
9262 
9263 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9264 				     struct cfg80211_sched_scan_request,
9265 				     list);
9266 	if (!req || req->reqid ||
9267 	    (req->owner_nlportid &&
9268 	     req->owner_nlportid != info->snd_portid))
9269 		return -ENOENT;
9270 
9271 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9272 }
9273 
9274 static int nl80211_start_radar_detection(struct sk_buff *skb,
9275 					 struct genl_info *info)
9276 {
9277 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9278 	struct net_device *dev = info->user_ptr[1];
9279 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9280 	struct wiphy *wiphy = wdev->wiphy;
9281 	struct cfg80211_chan_def chandef;
9282 	enum nl80211_dfs_regions dfs_region;
9283 	unsigned int cac_time_ms;
9284 	int err = -EINVAL;
9285 
9286 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9287 
9288 	wiphy_lock(wiphy);
9289 
9290 	dfs_region = reg_get_dfs_region(wiphy);
9291 	if (dfs_region == NL80211_DFS_UNSET)
9292 		goto unlock;
9293 
9294 	err = nl80211_parse_chandef(rdev, info, &chandef);
9295 	if (err)
9296 		goto unlock;
9297 
9298 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9299 	if (err < 0)
9300 		goto unlock;
9301 
9302 	if (err == 0) {
9303 		err = -EINVAL;
9304 		goto unlock;
9305 	}
9306 
9307 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9308 		err = -EINVAL;
9309 		goto unlock;
9310 	}
9311 
9312 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9313 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9314 								&chandef);
9315 		goto unlock;
9316 	}
9317 
9318 	if (netif_carrier_ok(dev)) {
9319 		err = -EBUSY;
9320 		goto unlock;
9321 	}
9322 
9323 	if (wdev->cac_started) {
9324 		err = -EBUSY;
9325 		goto unlock;
9326 	}
9327 
9328 	/* CAC start is offloaded to HW and can't be started manually */
9329 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9330 		err = -EOPNOTSUPP;
9331 		goto unlock;
9332 	}
9333 
9334 	if (!rdev->ops->start_radar_detection) {
9335 		err = -EOPNOTSUPP;
9336 		goto unlock;
9337 	}
9338 
9339 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9340 	if (WARN_ON(!cac_time_ms))
9341 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9342 
9343 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9344 	if (!err) {
9345 		wdev->chandef = chandef;
9346 		wdev->cac_started = true;
9347 		wdev->cac_start_time = jiffies;
9348 		wdev->cac_time_ms = cac_time_ms;
9349 	}
9350 unlock:
9351 	wiphy_unlock(wiphy);
9352 
9353 	return err;
9354 }
9355 
9356 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9357 					  struct genl_info *info)
9358 {
9359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9360 	struct net_device *dev = info->user_ptr[1];
9361 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9362 	struct wiphy *wiphy = wdev->wiphy;
9363 	struct cfg80211_chan_def chandef;
9364 	enum nl80211_dfs_regions dfs_region;
9365 	int err;
9366 
9367 	dfs_region = reg_get_dfs_region(wiphy);
9368 	if (dfs_region == NL80211_DFS_UNSET) {
9369 		GENL_SET_ERR_MSG(info,
9370 				 "DFS Region is not set. Unexpected Radar indication");
9371 		return -EINVAL;
9372 	}
9373 
9374 	err = nl80211_parse_chandef(rdev, info, &chandef);
9375 	if (err) {
9376 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9377 		return err;
9378 	}
9379 
9380 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9381 	if (err < 0) {
9382 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9383 		return err;
9384 	}
9385 
9386 	if (err == 0) {
9387 		GENL_SET_ERR_MSG(info,
9388 				 "Unexpected Radar indication for chandef/iftype");
9389 		return -EINVAL;
9390 	}
9391 
9392 	/* Do not process this notification if radar is already detected
9393 	 * by kernel on this channel, and return success.
9394 	 */
9395 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9396 		return 0;
9397 
9398 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9399 
9400 	cfg80211_sched_dfs_chan_update(rdev);
9401 
9402 	rdev->radar_chandef = chandef;
9403 
9404 	/* Propagate this notification to other radios as well */
9405 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9406 
9407 	return 0;
9408 }
9409 
9410 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9411 {
9412 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9413 	struct net_device *dev = info->user_ptr[1];
9414 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9415 	struct cfg80211_csa_settings params;
9416 	struct nlattr **csa_attrs = NULL;
9417 	int err;
9418 	bool need_new_beacon = false;
9419 	bool need_handle_dfs_flag = true;
9420 	int len, i;
9421 	u32 cs_count;
9422 
9423 	if (!rdev->ops->channel_switch ||
9424 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9425 		return -EOPNOTSUPP;
9426 
9427 	switch (dev->ieee80211_ptr->iftype) {
9428 	case NL80211_IFTYPE_AP:
9429 	case NL80211_IFTYPE_P2P_GO:
9430 		need_new_beacon = true;
9431 		/* For all modes except AP the handle_dfs flag needs to be
9432 		 * supplied to tell the kernel that userspace will handle radar
9433 		 * events when they happen. Otherwise a switch to a channel
9434 		 * requiring DFS will be rejected.
9435 		 */
9436 		need_handle_dfs_flag = false;
9437 
9438 		/* useless if AP is not running */
9439 		if (!wdev->beacon_interval)
9440 			return -ENOTCONN;
9441 		break;
9442 	case NL80211_IFTYPE_ADHOC:
9443 		if (!wdev->ssid_len)
9444 			return -ENOTCONN;
9445 		break;
9446 	case NL80211_IFTYPE_MESH_POINT:
9447 		if (!wdev->mesh_id_len)
9448 			return -ENOTCONN;
9449 		break;
9450 	default:
9451 		return -EOPNOTSUPP;
9452 	}
9453 
9454 	memset(&params, 0, sizeof(params));
9455 	params.beacon_csa.ftm_responder = -1;
9456 
9457 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9458 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9459 		return -EINVAL;
9460 
9461 	/* only important for AP, IBSS and mesh create IEs internally */
9462 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9463 		return -EINVAL;
9464 
9465 	/* Even though the attribute is u32, the specification says
9466 	 * u8, so let's make sure we don't overflow.
9467 	 */
9468 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9469 	if (cs_count > 255)
9470 		return -EINVAL;
9471 
9472 	params.count = cs_count;
9473 
9474 	if (!need_new_beacon)
9475 		goto skip_beacons;
9476 
9477 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9478 	if (err)
9479 		goto free;
9480 
9481 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9482 			    GFP_KERNEL);
9483 	if (!csa_attrs) {
9484 		err = -ENOMEM;
9485 		goto free;
9486 	}
9487 
9488 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9489 					  info->attrs[NL80211_ATTR_CSA_IES],
9490 					  nl80211_policy, info->extack);
9491 	if (err)
9492 		goto free;
9493 
9494 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9495 	if (err)
9496 		goto free;
9497 
9498 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9499 		err = -EINVAL;
9500 		goto free;
9501 	}
9502 
9503 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9504 	if (!len || (len % sizeof(u16))) {
9505 		err = -EINVAL;
9506 		goto free;
9507 	}
9508 
9509 	params.n_counter_offsets_beacon = len / sizeof(u16);
9510 	if (rdev->wiphy.max_num_csa_counters &&
9511 	    (params.n_counter_offsets_beacon >
9512 	     rdev->wiphy.max_num_csa_counters)) {
9513 		err = -EINVAL;
9514 		goto free;
9515 	}
9516 
9517 	params.counter_offsets_beacon =
9518 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9519 
9520 	/* sanity checks - counters should fit and be the same */
9521 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9522 		u16 offset = params.counter_offsets_beacon[i];
9523 
9524 		if (offset >= params.beacon_csa.tail_len) {
9525 			err = -EINVAL;
9526 			goto free;
9527 		}
9528 
9529 		if (params.beacon_csa.tail[offset] != params.count) {
9530 			err = -EINVAL;
9531 			goto free;
9532 		}
9533 	}
9534 
9535 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9536 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9537 		if (!len || (len % sizeof(u16))) {
9538 			err = -EINVAL;
9539 			goto free;
9540 		}
9541 
9542 		params.n_counter_offsets_presp = len / sizeof(u16);
9543 		if (rdev->wiphy.max_num_csa_counters &&
9544 		    (params.n_counter_offsets_presp >
9545 		     rdev->wiphy.max_num_csa_counters)) {
9546 			err = -EINVAL;
9547 			goto free;
9548 		}
9549 
9550 		params.counter_offsets_presp =
9551 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9552 
9553 		/* sanity checks - counters should fit and be the same */
9554 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9555 			u16 offset = params.counter_offsets_presp[i];
9556 
9557 			if (offset >= params.beacon_csa.probe_resp_len) {
9558 				err = -EINVAL;
9559 				goto free;
9560 			}
9561 
9562 			if (params.beacon_csa.probe_resp[offset] !=
9563 			    params.count) {
9564 				err = -EINVAL;
9565 				goto free;
9566 			}
9567 		}
9568 	}
9569 
9570 skip_beacons:
9571 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9572 	if (err)
9573 		goto free;
9574 
9575 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9576 					   wdev->iftype)) {
9577 		err = -EINVAL;
9578 		goto free;
9579 	}
9580 
9581 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9582 					    &params.chandef,
9583 					    wdev->iftype);
9584 	if (err < 0)
9585 		goto free;
9586 
9587 	if (err > 0) {
9588 		params.radar_required = true;
9589 		if (need_handle_dfs_flag &&
9590 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9591 			err = -EINVAL;
9592 			goto free;
9593 		}
9594 	}
9595 
9596 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9597 		params.block_tx = true;
9598 
9599 	wdev_lock(wdev);
9600 	err = rdev_channel_switch(rdev, dev, &params);
9601 	wdev_unlock(wdev);
9602 
9603 free:
9604 	kfree(params.beacon_after.mbssid_ies);
9605 	kfree(params.beacon_csa.mbssid_ies);
9606 	kfree(csa_attrs);
9607 	return err;
9608 }
9609 
9610 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9611 			    u32 seq, int flags,
9612 			    struct cfg80211_registered_device *rdev,
9613 			    struct wireless_dev *wdev,
9614 			    struct cfg80211_internal_bss *intbss)
9615 {
9616 	struct cfg80211_bss *res = &intbss->pub;
9617 	const struct cfg80211_bss_ies *ies;
9618 	void *hdr;
9619 	struct nlattr *bss;
9620 
9621 	ASSERT_WDEV_LOCK(wdev);
9622 
9623 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9624 			     NL80211_CMD_NEW_SCAN_RESULTS);
9625 	if (!hdr)
9626 		return -1;
9627 
9628 	genl_dump_check_consistent(cb, hdr);
9629 
9630 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9631 		goto nla_put_failure;
9632 	if (wdev->netdev &&
9633 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9634 		goto nla_put_failure;
9635 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9636 			      NL80211_ATTR_PAD))
9637 		goto nla_put_failure;
9638 
9639 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9640 	if (!bss)
9641 		goto nla_put_failure;
9642 	if ((!is_zero_ether_addr(res->bssid) &&
9643 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9644 		goto nla_put_failure;
9645 
9646 	rcu_read_lock();
9647 	/* indicate whether we have probe response data or not */
9648 	if (rcu_access_pointer(res->proberesp_ies) &&
9649 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9650 		goto fail_unlock_rcu;
9651 
9652 	/* this pointer prefers to be pointed to probe response data
9653 	 * but is always valid
9654 	 */
9655 	ies = rcu_dereference(res->ies);
9656 	if (ies) {
9657 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9658 				      NL80211_BSS_PAD))
9659 			goto fail_unlock_rcu;
9660 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9661 					ies->len, ies->data))
9662 			goto fail_unlock_rcu;
9663 	}
9664 
9665 	/* and this pointer is always (unless driver didn't know) beacon data */
9666 	ies = rcu_dereference(res->beacon_ies);
9667 	if (ies && ies->from_beacon) {
9668 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9669 				      NL80211_BSS_PAD))
9670 			goto fail_unlock_rcu;
9671 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9672 					ies->len, ies->data))
9673 			goto fail_unlock_rcu;
9674 	}
9675 	rcu_read_unlock();
9676 
9677 	if (res->beacon_interval &&
9678 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9679 		goto nla_put_failure;
9680 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9681 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9682 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9683 			res->channel->freq_offset) ||
9684 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9685 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9686 			jiffies_to_msecs(jiffies - intbss->ts)))
9687 		goto nla_put_failure;
9688 
9689 	if (intbss->parent_tsf &&
9690 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9691 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9692 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9693 		     intbss->parent_bssid)))
9694 		goto nla_put_failure;
9695 
9696 	if (intbss->ts_boottime &&
9697 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9698 			      intbss->ts_boottime, NL80211_BSS_PAD))
9699 		goto nla_put_failure;
9700 
9701 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9702 				intbss->pub.chain_signal,
9703 				NL80211_BSS_CHAIN_SIGNAL))
9704 		goto nla_put_failure;
9705 
9706 	switch (rdev->wiphy.signal_type) {
9707 	case CFG80211_SIGNAL_TYPE_MBM:
9708 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9709 			goto nla_put_failure;
9710 		break;
9711 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9712 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9713 			goto nla_put_failure;
9714 		break;
9715 	default:
9716 		break;
9717 	}
9718 
9719 	switch (wdev->iftype) {
9720 	case NL80211_IFTYPE_P2P_CLIENT:
9721 	case NL80211_IFTYPE_STATION:
9722 		if (intbss == wdev->current_bss &&
9723 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9724 				NL80211_BSS_STATUS_ASSOCIATED))
9725 			goto nla_put_failure;
9726 		break;
9727 	case NL80211_IFTYPE_ADHOC:
9728 		if (intbss == wdev->current_bss &&
9729 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9730 				NL80211_BSS_STATUS_IBSS_JOINED))
9731 			goto nla_put_failure;
9732 		break;
9733 	default:
9734 		break;
9735 	}
9736 
9737 	nla_nest_end(msg, bss);
9738 
9739 	genlmsg_end(msg, hdr);
9740 	return 0;
9741 
9742  fail_unlock_rcu:
9743 	rcu_read_unlock();
9744  nla_put_failure:
9745 	genlmsg_cancel(msg, hdr);
9746 	return -EMSGSIZE;
9747 }
9748 
9749 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9750 {
9751 	struct cfg80211_registered_device *rdev;
9752 	struct cfg80211_internal_bss *scan;
9753 	struct wireless_dev *wdev;
9754 	int start = cb->args[2], idx = 0;
9755 	int err;
9756 
9757 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9758 	if (err)
9759 		return err;
9760 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9761 	__acquire(&rdev->wiphy.mtx);
9762 
9763 	wdev_lock(wdev);
9764 	spin_lock_bh(&rdev->bss_lock);
9765 
9766 	/*
9767 	 * dump_scan will be called multiple times to break up the scan results
9768 	 * into multiple messages.  It is unlikely that any more bss-es will be
9769 	 * expired after the first call, so only call only call this on the
9770 	 * first dump_scan invocation.
9771 	 */
9772 	if (start == 0)
9773 		cfg80211_bss_expire(rdev);
9774 
9775 	cb->seq = rdev->bss_generation;
9776 
9777 	list_for_each_entry(scan, &rdev->bss_list, list) {
9778 		if (++idx <= start)
9779 			continue;
9780 		if (nl80211_send_bss(skb, cb,
9781 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9782 				rdev, wdev, scan) < 0) {
9783 			idx--;
9784 			break;
9785 		}
9786 	}
9787 
9788 	spin_unlock_bh(&rdev->bss_lock);
9789 	wdev_unlock(wdev);
9790 
9791 	cb->args[2] = idx;
9792 	wiphy_unlock(&rdev->wiphy);
9793 
9794 	return skb->len;
9795 }
9796 
9797 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9798 			       int flags, struct net_device *dev,
9799 			       bool allow_radio_stats,
9800 			       struct survey_info *survey)
9801 {
9802 	void *hdr;
9803 	struct nlattr *infoattr;
9804 
9805 	/* skip radio stats if userspace didn't request them */
9806 	if (!survey->channel && !allow_radio_stats)
9807 		return 0;
9808 
9809 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9810 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9811 	if (!hdr)
9812 		return -ENOMEM;
9813 
9814 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9815 		goto nla_put_failure;
9816 
9817 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9818 	if (!infoattr)
9819 		goto nla_put_failure;
9820 
9821 	if (survey->channel &&
9822 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9823 			survey->channel->center_freq))
9824 		goto nla_put_failure;
9825 
9826 	if (survey->channel && survey->channel->freq_offset &&
9827 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9828 			survey->channel->freq_offset))
9829 		goto nla_put_failure;
9830 
9831 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9832 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9833 		goto nla_put_failure;
9834 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9835 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9836 		goto nla_put_failure;
9837 	if ((survey->filled & SURVEY_INFO_TIME) &&
9838 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9839 			survey->time, NL80211_SURVEY_INFO_PAD))
9840 		goto nla_put_failure;
9841 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9842 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9843 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9844 		goto nla_put_failure;
9845 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9846 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9847 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9848 		goto nla_put_failure;
9849 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9850 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9851 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9852 		goto nla_put_failure;
9853 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9854 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9855 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9856 		goto nla_put_failure;
9857 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9858 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9859 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9860 		goto nla_put_failure;
9861 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9862 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9863 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9864 		goto nla_put_failure;
9865 
9866 	nla_nest_end(msg, infoattr);
9867 
9868 	genlmsg_end(msg, hdr);
9869 	return 0;
9870 
9871  nla_put_failure:
9872 	genlmsg_cancel(msg, hdr);
9873 	return -EMSGSIZE;
9874 }
9875 
9876 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9877 {
9878 	struct nlattr **attrbuf;
9879 	struct survey_info survey;
9880 	struct cfg80211_registered_device *rdev;
9881 	struct wireless_dev *wdev;
9882 	int survey_idx = cb->args[2];
9883 	int res;
9884 	bool radio_stats;
9885 
9886 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9887 	if (!attrbuf)
9888 		return -ENOMEM;
9889 
9890 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9891 	if (res) {
9892 		kfree(attrbuf);
9893 		return res;
9894 	}
9895 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9896 	__acquire(&rdev->wiphy.mtx);
9897 
9898 	/* prepare_wdev_dump parsed the attributes */
9899 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9900 
9901 	if (!wdev->netdev) {
9902 		res = -EINVAL;
9903 		goto out_err;
9904 	}
9905 
9906 	if (!rdev->ops->dump_survey) {
9907 		res = -EOPNOTSUPP;
9908 		goto out_err;
9909 	}
9910 
9911 	while (1) {
9912 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9913 		if (res == -ENOENT)
9914 			break;
9915 		if (res)
9916 			goto out_err;
9917 
9918 		/* don't send disabled channels, but do send non-channel data */
9919 		if (survey.channel &&
9920 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9921 			survey_idx++;
9922 			continue;
9923 		}
9924 
9925 		if (nl80211_send_survey(skb,
9926 				NETLINK_CB(cb->skb).portid,
9927 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9928 				wdev->netdev, radio_stats, &survey) < 0)
9929 			goto out;
9930 		survey_idx++;
9931 	}
9932 
9933  out:
9934 	cb->args[2] = survey_idx;
9935 	res = skb->len;
9936  out_err:
9937 	kfree(attrbuf);
9938 	wiphy_unlock(&rdev->wiphy);
9939 	return res;
9940 }
9941 
9942 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9943 {
9944 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9945 				  NL80211_WPA_VERSION_2 |
9946 				  NL80211_WPA_VERSION_3));
9947 }
9948 
9949 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9950 {
9951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9952 	struct net_device *dev = info->user_ptr[1];
9953 	struct ieee80211_channel *chan;
9954 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9955 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9956 	enum nl80211_auth_type auth_type;
9957 	struct key_parse key;
9958 	bool local_state_change;
9959 	u32 freq;
9960 
9961 	if (!info->attrs[NL80211_ATTR_MAC])
9962 		return -EINVAL;
9963 
9964 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9965 		return -EINVAL;
9966 
9967 	if (!info->attrs[NL80211_ATTR_SSID])
9968 		return -EINVAL;
9969 
9970 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9971 		return -EINVAL;
9972 
9973 	err = nl80211_parse_key(info, &key);
9974 	if (err)
9975 		return err;
9976 
9977 	if (key.idx >= 0) {
9978 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9979 			return -EINVAL;
9980 		if (!key.p.key || !key.p.key_len)
9981 			return -EINVAL;
9982 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9983 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9984 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9985 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9986 			return -EINVAL;
9987 		if (key.idx > 3)
9988 			return -EINVAL;
9989 	} else {
9990 		key.p.key_len = 0;
9991 		key.p.key = NULL;
9992 	}
9993 
9994 	if (key.idx >= 0) {
9995 		int i;
9996 		bool ok = false;
9997 
9998 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9999 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10000 				ok = true;
10001 				break;
10002 			}
10003 		}
10004 		if (!ok)
10005 			return -EINVAL;
10006 	}
10007 
10008 	if (!rdev->ops->auth)
10009 		return -EOPNOTSUPP;
10010 
10011 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10012 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10013 		return -EOPNOTSUPP;
10014 
10015 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10016 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10017 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10018 		freq +=
10019 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10020 
10021 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10022 	if (!chan)
10023 		return -EINVAL;
10024 
10025 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10026 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10027 
10028 	if (info->attrs[NL80211_ATTR_IE]) {
10029 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10030 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10031 	}
10032 
10033 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10034 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10035 		return -EINVAL;
10036 
10037 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10038 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10039 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10040 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10041 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10042 		return -EINVAL;
10043 
10044 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10045 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10046 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10047 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10048 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10049 			return -EINVAL;
10050 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10051 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10052 	}
10053 
10054 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10055 
10056 	/*
10057 	 * Since we no longer track auth state, ignore
10058 	 * requests to only change local state.
10059 	 */
10060 	if (local_state_change)
10061 		return 0;
10062 
10063 	wdev_lock(dev->ieee80211_ptr);
10064 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10065 				 ssid, ssid_len, ie, ie_len,
10066 				 key.p.key, key.p.key_len, key.idx,
10067 				 auth_data, auth_data_len);
10068 	wdev_unlock(dev->ieee80211_ptr);
10069 	return err;
10070 }
10071 
10072 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10073 				     struct genl_info *info)
10074 {
10075 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10076 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10077 		return -EINVAL;
10078 	}
10079 
10080 	if (!rdev->ops->tx_control_port ||
10081 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10082 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10083 		return -EOPNOTSUPP;
10084 
10085 	return 0;
10086 }
10087 
10088 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10089 				   struct genl_info *info,
10090 				   struct cfg80211_crypto_settings *settings,
10091 				   int cipher_limit)
10092 {
10093 	memset(settings, 0, sizeof(*settings));
10094 
10095 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10096 
10097 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10098 		u16 proto;
10099 
10100 		proto = nla_get_u16(
10101 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10102 		settings->control_port_ethertype = cpu_to_be16(proto);
10103 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10104 		    proto != ETH_P_PAE)
10105 			return -EINVAL;
10106 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10107 			settings->control_port_no_encrypt = true;
10108 	} else
10109 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10110 
10111 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10112 		int r = validate_pae_over_nl80211(rdev, info);
10113 
10114 		if (r < 0)
10115 			return r;
10116 
10117 		settings->control_port_over_nl80211 = true;
10118 
10119 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10120 			settings->control_port_no_preauth = true;
10121 	}
10122 
10123 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10124 		void *data;
10125 		int len, i;
10126 
10127 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10128 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10129 		settings->n_ciphers_pairwise = len / sizeof(u32);
10130 
10131 		if (len % sizeof(u32))
10132 			return -EINVAL;
10133 
10134 		if (settings->n_ciphers_pairwise > cipher_limit)
10135 			return -EINVAL;
10136 
10137 		memcpy(settings->ciphers_pairwise, data, len);
10138 
10139 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10140 			if (!cfg80211_supported_cipher_suite(
10141 					&rdev->wiphy,
10142 					settings->ciphers_pairwise[i]))
10143 				return -EINVAL;
10144 	}
10145 
10146 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10147 		settings->cipher_group =
10148 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10149 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10150 						     settings->cipher_group))
10151 			return -EINVAL;
10152 	}
10153 
10154 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10155 		settings->wpa_versions =
10156 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10157 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10158 			return -EINVAL;
10159 	}
10160 
10161 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10162 		void *data;
10163 		int len;
10164 
10165 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10166 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10167 		settings->n_akm_suites = len / sizeof(u32);
10168 
10169 		if (len % sizeof(u32))
10170 			return -EINVAL;
10171 
10172 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10173 			return -EINVAL;
10174 
10175 		memcpy(settings->akm_suites, data, len);
10176 	}
10177 
10178 	if (info->attrs[NL80211_ATTR_PMK]) {
10179 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10180 			return -EINVAL;
10181 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10182 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10183 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10184 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10185 			return -EINVAL;
10186 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10187 	}
10188 
10189 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10190 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10191 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10192 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10193 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10194 			return -EINVAL;
10195 		settings->sae_pwd =
10196 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10197 		settings->sae_pwd_len =
10198 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10199 	}
10200 
10201 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10202 		settings->sae_pwe =
10203 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10204 	else
10205 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10206 
10207 	return 0;
10208 }
10209 
10210 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10211 {
10212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10213 	struct net_device *dev = info->user_ptr[1];
10214 	struct ieee80211_channel *chan;
10215 	struct cfg80211_assoc_request req = {};
10216 	const u8 *bssid, *ssid;
10217 	int err, ssid_len = 0;
10218 	u32 freq;
10219 
10220 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10221 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10222 		return -EPERM;
10223 
10224 	if (!info->attrs[NL80211_ATTR_MAC] ||
10225 	    !info->attrs[NL80211_ATTR_SSID] ||
10226 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10227 		return -EINVAL;
10228 
10229 	if (!rdev->ops->assoc)
10230 		return -EOPNOTSUPP;
10231 
10232 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10233 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10234 		return -EOPNOTSUPP;
10235 
10236 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10237 
10238 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10239 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10240 		freq +=
10241 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10242 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10243 	if (!chan)
10244 		return -EINVAL;
10245 
10246 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10247 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10248 
10249 	if (info->attrs[NL80211_ATTR_IE]) {
10250 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10251 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10252 	}
10253 
10254 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10255 		enum nl80211_mfp mfp =
10256 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10257 		if (mfp == NL80211_MFP_REQUIRED)
10258 			req.use_mfp = true;
10259 		else if (mfp != NL80211_MFP_NO)
10260 			return -EINVAL;
10261 	}
10262 
10263 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10264 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10265 
10266 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10267 		req.flags |= ASSOC_REQ_DISABLE_HT;
10268 
10269 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10270 		memcpy(&req.ht_capa_mask,
10271 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10272 		       sizeof(req.ht_capa_mask));
10273 
10274 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10275 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10276 			return -EINVAL;
10277 		memcpy(&req.ht_capa,
10278 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10279 		       sizeof(req.ht_capa));
10280 	}
10281 
10282 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10283 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10284 
10285 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10286 		req.flags |= ASSOC_REQ_DISABLE_HE;
10287 
10288 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10289 		memcpy(&req.vht_capa_mask,
10290 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10291 		       sizeof(req.vht_capa_mask));
10292 
10293 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10294 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10295 			return -EINVAL;
10296 		memcpy(&req.vht_capa,
10297 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10298 		       sizeof(req.vht_capa));
10299 	}
10300 
10301 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10302 		if (!((rdev->wiphy.features &
10303 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10304 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10305 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10306 					     NL80211_EXT_FEATURE_RRM))
10307 			return -EINVAL;
10308 		req.flags |= ASSOC_REQ_USE_RRM;
10309 	}
10310 
10311 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10312 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10313 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10314 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10315 			return -EINVAL;
10316 		req.fils_nonces =
10317 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10318 	}
10319 
10320 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10321 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10322 			return -EINVAL;
10323 		memcpy(&req.s1g_capa_mask,
10324 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10325 		       sizeof(req.s1g_capa_mask));
10326 	}
10327 
10328 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10329 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10330 			return -EINVAL;
10331 		memcpy(&req.s1g_capa,
10332 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10333 		       sizeof(req.s1g_capa));
10334 	}
10335 
10336 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10337 	if (!err) {
10338 		wdev_lock(dev->ieee80211_ptr);
10339 
10340 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10341 					  ssid, ssid_len, &req);
10342 
10343 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10344 			dev->ieee80211_ptr->conn_owner_nlportid =
10345 				info->snd_portid;
10346 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10347 			       bssid, ETH_ALEN);
10348 		}
10349 
10350 		wdev_unlock(dev->ieee80211_ptr);
10351 	}
10352 
10353 	return err;
10354 }
10355 
10356 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10357 {
10358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10359 	struct net_device *dev = info->user_ptr[1];
10360 	const u8 *ie = NULL, *bssid;
10361 	int ie_len = 0, err;
10362 	u16 reason_code;
10363 	bool local_state_change;
10364 
10365 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10366 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10367 		return -EPERM;
10368 
10369 	if (!info->attrs[NL80211_ATTR_MAC])
10370 		return -EINVAL;
10371 
10372 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10373 		return -EINVAL;
10374 
10375 	if (!rdev->ops->deauth)
10376 		return -EOPNOTSUPP;
10377 
10378 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10379 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10380 		return -EOPNOTSUPP;
10381 
10382 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10383 
10384 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10385 	if (reason_code == 0) {
10386 		/* Reason Code 0 is reserved */
10387 		return -EINVAL;
10388 	}
10389 
10390 	if (info->attrs[NL80211_ATTR_IE]) {
10391 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10392 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10393 	}
10394 
10395 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10396 
10397 	wdev_lock(dev->ieee80211_ptr);
10398 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10399 				   local_state_change);
10400 	wdev_unlock(dev->ieee80211_ptr);
10401 	return err;
10402 }
10403 
10404 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10405 {
10406 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10407 	struct net_device *dev = info->user_ptr[1];
10408 	const u8 *ie = NULL, *bssid;
10409 	int ie_len = 0, err;
10410 	u16 reason_code;
10411 	bool local_state_change;
10412 
10413 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10414 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10415 		return -EPERM;
10416 
10417 	if (!info->attrs[NL80211_ATTR_MAC])
10418 		return -EINVAL;
10419 
10420 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10421 		return -EINVAL;
10422 
10423 	if (!rdev->ops->disassoc)
10424 		return -EOPNOTSUPP;
10425 
10426 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10427 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10428 		return -EOPNOTSUPP;
10429 
10430 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10431 
10432 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10433 	if (reason_code == 0) {
10434 		/* Reason Code 0 is reserved */
10435 		return -EINVAL;
10436 	}
10437 
10438 	if (info->attrs[NL80211_ATTR_IE]) {
10439 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10440 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10441 	}
10442 
10443 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10444 
10445 	wdev_lock(dev->ieee80211_ptr);
10446 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10447 				     local_state_change);
10448 	wdev_unlock(dev->ieee80211_ptr);
10449 	return err;
10450 }
10451 
10452 static bool
10453 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10454 			 int mcast_rate[NUM_NL80211_BANDS],
10455 			 int rateval)
10456 {
10457 	struct wiphy *wiphy = &rdev->wiphy;
10458 	bool found = false;
10459 	int band, i;
10460 
10461 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10462 		struct ieee80211_supported_band *sband;
10463 
10464 		sband = wiphy->bands[band];
10465 		if (!sband)
10466 			continue;
10467 
10468 		for (i = 0; i < sband->n_bitrates; i++) {
10469 			if (sband->bitrates[i].bitrate == rateval) {
10470 				mcast_rate[band] = i + 1;
10471 				found = true;
10472 				break;
10473 			}
10474 		}
10475 	}
10476 
10477 	return found;
10478 }
10479 
10480 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10481 {
10482 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10483 	struct net_device *dev = info->user_ptr[1];
10484 	struct cfg80211_ibss_params ibss;
10485 	struct wiphy *wiphy;
10486 	struct cfg80211_cached_keys *connkeys = NULL;
10487 	int err;
10488 
10489 	memset(&ibss, 0, sizeof(ibss));
10490 
10491 	if (!info->attrs[NL80211_ATTR_SSID] ||
10492 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10493 		return -EINVAL;
10494 
10495 	ibss.beacon_interval = 100;
10496 
10497 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10498 		ibss.beacon_interval =
10499 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10500 
10501 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10502 					   ibss.beacon_interval);
10503 	if (err)
10504 		return err;
10505 
10506 	if (!rdev->ops->join_ibss)
10507 		return -EOPNOTSUPP;
10508 
10509 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10510 		return -EOPNOTSUPP;
10511 
10512 	wiphy = &rdev->wiphy;
10513 
10514 	if (info->attrs[NL80211_ATTR_MAC]) {
10515 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10516 
10517 		if (!is_valid_ether_addr(ibss.bssid))
10518 			return -EINVAL;
10519 	}
10520 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10521 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10522 
10523 	if (info->attrs[NL80211_ATTR_IE]) {
10524 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10525 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10526 	}
10527 
10528 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10529 	if (err)
10530 		return err;
10531 
10532 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10533 				     NL80211_IFTYPE_ADHOC))
10534 		return -EINVAL;
10535 
10536 	switch (ibss.chandef.width) {
10537 	case NL80211_CHAN_WIDTH_5:
10538 	case NL80211_CHAN_WIDTH_10:
10539 	case NL80211_CHAN_WIDTH_20_NOHT:
10540 		break;
10541 	case NL80211_CHAN_WIDTH_20:
10542 	case NL80211_CHAN_WIDTH_40:
10543 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10544 			return -EINVAL;
10545 		break;
10546 	case NL80211_CHAN_WIDTH_80:
10547 	case NL80211_CHAN_WIDTH_80P80:
10548 	case NL80211_CHAN_WIDTH_160:
10549 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10550 			return -EINVAL;
10551 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10552 					     NL80211_EXT_FEATURE_VHT_IBSS))
10553 			return -EINVAL;
10554 		break;
10555 	default:
10556 		return -EINVAL;
10557 	}
10558 
10559 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10560 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10561 
10562 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10563 		u8 *rates =
10564 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10565 		int n_rates =
10566 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10567 		struct ieee80211_supported_band *sband =
10568 			wiphy->bands[ibss.chandef.chan->band];
10569 
10570 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10571 					     &ibss.basic_rates);
10572 		if (err)
10573 			return err;
10574 	}
10575 
10576 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10577 		memcpy(&ibss.ht_capa_mask,
10578 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10579 		       sizeof(ibss.ht_capa_mask));
10580 
10581 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10582 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10583 			return -EINVAL;
10584 		memcpy(&ibss.ht_capa,
10585 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10586 		       sizeof(ibss.ht_capa));
10587 	}
10588 
10589 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10590 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10591 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10592 		return -EINVAL;
10593 
10594 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10595 		bool no_ht = false;
10596 
10597 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10598 		if (IS_ERR(connkeys))
10599 			return PTR_ERR(connkeys);
10600 
10601 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10602 		    no_ht) {
10603 			kfree_sensitive(connkeys);
10604 			return -EINVAL;
10605 		}
10606 	}
10607 
10608 	ibss.control_port =
10609 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10610 
10611 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10612 		int r = validate_pae_over_nl80211(rdev, info);
10613 
10614 		if (r < 0) {
10615 			kfree_sensitive(connkeys);
10616 			return r;
10617 		}
10618 
10619 		ibss.control_port_over_nl80211 = true;
10620 	}
10621 
10622 	ibss.userspace_handles_dfs =
10623 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10624 
10625 	wdev_lock(dev->ieee80211_ptr);
10626 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10627 	if (err)
10628 		kfree_sensitive(connkeys);
10629 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10630 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10631 	wdev_unlock(dev->ieee80211_ptr);
10632 
10633 	return err;
10634 }
10635 
10636 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10637 {
10638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10639 	struct net_device *dev = info->user_ptr[1];
10640 
10641 	if (!rdev->ops->leave_ibss)
10642 		return -EOPNOTSUPP;
10643 
10644 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10645 		return -EOPNOTSUPP;
10646 
10647 	return cfg80211_leave_ibss(rdev, dev, false);
10648 }
10649 
10650 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10651 {
10652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10653 	struct net_device *dev = info->user_ptr[1];
10654 	int mcast_rate[NUM_NL80211_BANDS];
10655 	u32 nla_rate;
10656 	int err;
10657 
10658 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10659 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10660 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10661 		return -EOPNOTSUPP;
10662 
10663 	if (!rdev->ops->set_mcast_rate)
10664 		return -EOPNOTSUPP;
10665 
10666 	memset(mcast_rate, 0, sizeof(mcast_rate));
10667 
10668 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10669 		return -EINVAL;
10670 
10671 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10672 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10673 		return -EINVAL;
10674 
10675 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10676 
10677 	return err;
10678 }
10679 
10680 static struct sk_buff *
10681 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10682 			    struct wireless_dev *wdev, int approxlen,
10683 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10684 			    enum nl80211_attrs attr,
10685 			    const struct nl80211_vendor_cmd_info *info,
10686 			    gfp_t gfp)
10687 {
10688 	struct sk_buff *skb;
10689 	void *hdr;
10690 	struct nlattr *data;
10691 
10692 	skb = nlmsg_new(approxlen + 100, gfp);
10693 	if (!skb)
10694 		return NULL;
10695 
10696 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10697 	if (!hdr) {
10698 		kfree_skb(skb);
10699 		return NULL;
10700 	}
10701 
10702 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10703 		goto nla_put_failure;
10704 
10705 	if (info) {
10706 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10707 				info->vendor_id))
10708 			goto nla_put_failure;
10709 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10710 				info->subcmd))
10711 			goto nla_put_failure;
10712 	}
10713 
10714 	if (wdev) {
10715 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10716 				      wdev_id(wdev), NL80211_ATTR_PAD))
10717 			goto nla_put_failure;
10718 		if (wdev->netdev &&
10719 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10720 				wdev->netdev->ifindex))
10721 			goto nla_put_failure;
10722 	}
10723 
10724 	data = nla_nest_start_noflag(skb, attr);
10725 	if (!data)
10726 		goto nla_put_failure;
10727 
10728 	((void **)skb->cb)[0] = rdev;
10729 	((void **)skb->cb)[1] = hdr;
10730 	((void **)skb->cb)[2] = data;
10731 
10732 	return skb;
10733 
10734  nla_put_failure:
10735 	kfree_skb(skb);
10736 	return NULL;
10737 }
10738 
10739 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10740 					   struct wireless_dev *wdev,
10741 					   enum nl80211_commands cmd,
10742 					   enum nl80211_attrs attr,
10743 					   unsigned int portid,
10744 					   int vendor_event_idx,
10745 					   int approxlen, gfp_t gfp)
10746 {
10747 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10748 	const struct nl80211_vendor_cmd_info *info;
10749 
10750 	switch (cmd) {
10751 	case NL80211_CMD_TESTMODE:
10752 		if (WARN_ON(vendor_event_idx != -1))
10753 			return NULL;
10754 		info = NULL;
10755 		break;
10756 	case NL80211_CMD_VENDOR:
10757 		if (WARN_ON(vendor_event_idx < 0 ||
10758 			    vendor_event_idx >= wiphy->n_vendor_events))
10759 			return NULL;
10760 		info = &wiphy->vendor_events[vendor_event_idx];
10761 		break;
10762 	default:
10763 		WARN_ON(1);
10764 		return NULL;
10765 	}
10766 
10767 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10768 					   cmd, attr, info, gfp);
10769 }
10770 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10771 
10772 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10773 {
10774 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10775 	void *hdr = ((void **)skb->cb)[1];
10776 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10777 	struct nlattr *data = ((void **)skb->cb)[2];
10778 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10779 
10780 	/* clear CB data for netlink core to own from now on */
10781 	memset(skb->cb, 0, sizeof(skb->cb));
10782 
10783 	nla_nest_end(skb, data);
10784 	genlmsg_end(skb, hdr);
10785 
10786 	if (nlhdr->nlmsg_pid) {
10787 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10788 				nlhdr->nlmsg_pid);
10789 	} else {
10790 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10791 			mcgrp = NL80211_MCGRP_VENDOR;
10792 
10793 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10794 					skb, 0, mcgrp, gfp);
10795 	}
10796 }
10797 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10798 
10799 #ifdef CONFIG_NL80211_TESTMODE
10800 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10801 {
10802 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10803 	struct wireless_dev *wdev;
10804 	int err;
10805 
10806 	lockdep_assert_held(&rdev->wiphy.mtx);
10807 
10808 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10809 					  info->attrs);
10810 
10811 	if (!rdev->ops->testmode_cmd)
10812 		return -EOPNOTSUPP;
10813 
10814 	if (IS_ERR(wdev)) {
10815 		err = PTR_ERR(wdev);
10816 		if (err != -EINVAL)
10817 			return err;
10818 		wdev = NULL;
10819 	} else if (wdev->wiphy != &rdev->wiphy) {
10820 		return -EINVAL;
10821 	}
10822 
10823 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10824 		return -EINVAL;
10825 
10826 	rdev->cur_cmd_info = info;
10827 	err = rdev_testmode_cmd(rdev, wdev,
10828 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10829 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10830 	rdev->cur_cmd_info = NULL;
10831 
10832 	return err;
10833 }
10834 
10835 static int nl80211_testmode_dump(struct sk_buff *skb,
10836 				 struct netlink_callback *cb)
10837 {
10838 	struct cfg80211_registered_device *rdev;
10839 	struct nlattr **attrbuf = NULL;
10840 	int err;
10841 	long phy_idx;
10842 	void *data = NULL;
10843 	int data_len = 0;
10844 
10845 	rtnl_lock();
10846 
10847 	if (cb->args[0]) {
10848 		/*
10849 		 * 0 is a valid index, but not valid for args[0],
10850 		 * so we need to offset by 1.
10851 		 */
10852 		phy_idx = cb->args[0] - 1;
10853 
10854 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10855 		if (!rdev) {
10856 			err = -ENOENT;
10857 			goto out_err;
10858 		}
10859 	} else {
10860 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10861 				  GFP_KERNEL);
10862 		if (!attrbuf) {
10863 			err = -ENOMEM;
10864 			goto out_err;
10865 		}
10866 
10867 		err = nlmsg_parse_deprecated(cb->nlh,
10868 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10869 					     attrbuf, nl80211_fam.maxattr,
10870 					     nl80211_policy, NULL);
10871 		if (err)
10872 			goto out_err;
10873 
10874 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10875 		if (IS_ERR(rdev)) {
10876 			err = PTR_ERR(rdev);
10877 			goto out_err;
10878 		}
10879 		phy_idx = rdev->wiphy_idx;
10880 
10881 		if (attrbuf[NL80211_ATTR_TESTDATA])
10882 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10883 	}
10884 
10885 	if (cb->args[1]) {
10886 		data = nla_data((void *)cb->args[1]);
10887 		data_len = nla_len((void *)cb->args[1]);
10888 	}
10889 
10890 	if (!rdev->ops->testmode_dump) {
10891 		err = -EOPNOTSUPP;
10892 		goto out_err;
10893 	}
10894 
10895 	while (1) {
10896 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10897 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10898 					   NL80211_CMD_TESTMODE);
10899 		struct nlattr *tmdata;
10900 
10901 		if (!hdr)
10902 			break;
10903 
10904 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10905 			genlmsg_cancel(skb, hdr);
10906 			break;
10907 		}
10908 
10909 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10910 		if (!tmdata) {
10911 			genlmsg_cancel(skb, hdr);
10912 			break;
10913 		}
10914 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10915 		nla_nest_end(skb, tmdata);
10916 
10917 		if (err == -ENOBUFS || err == -ENOENT) {
10918 			genlmsg_cancel(skb, hdr);
10919 			break;
10920 		} else if (err) {
10921 			genlmsg_cancel(skb, hdr);
10922 			goto out_err;
10923 		}
10924 
10925 		genlmsg_end(skb, hdr);
10926 	}
10927 
10928 	err = skb->len;
10929 	/* see above */
10930 	cb->args[0] = phy_idx + 1;
10931  out_err:
10932 	kfree(attrbuf);
10933 	rtnl_unlock();
10934 	return err;
10935 }
10936 #endif
10937 
10938 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10939 {
10940 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10941 	struct net_device *dev = info->user_ptr[1];
10942 	struct cfg80211_connect_params connect;
10943 	struct wiphy *wiphy;
10944 	struct cfg80211_cached_keys *connkeys = NULL;
10945 	u32 freq = 0;
10946 	int err;
10947 
10948 	memset(&connect, 0, sizeof(connect));
10949 
10950 	if (!info->attrs[NL80211_ATTR_SSID] ||
10951 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10952 		return -EINVAL;
10953 
10954 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10955 		connect.auth_type =
10956 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10957 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10958 					     NL80211_CMD_CONNECT))
10959 			return -EINVAL;
10960 	} else
10961 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10962 
10963 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10964 
10965 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10966 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10967 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10968 		return -EINVAL;
10969 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10970 
10971 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10972 				      NL80211_MAX_NR_CIPHER_SUITES);
10973 	if (err)
10974 		return err;
10975 
10976 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10977 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10978 		return -EOPNOTSUPP;
10979 
10980 	wiphy = &rdev->wiphy;
10981 
10982 	connect.bg_scan_period = -1;
10983 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10984 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10985 		connect.bg_scan_period =
10986 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10987 	}
10988 
10989 	if (info->attrs[NL80211_ATTR_MAC])
10990 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10991 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10992 		connect.bssid_hint =
10993 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10994 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10995 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10996 
10997 	if (info->attrs[NL80211_ATTR_IE]) {
10998 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10999 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11000 	}
11001 
11002 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11003 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11004 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11005 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11006 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11007 			return -EOPNOTSUPP;
11008 	} else {
11009 		connect.mfp = NL80211_MFP_NO;
11010 	}
11011 
11012 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11013 		connect.prev_bssid =
11014 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11015 
11016 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11017 		freq = MHZ_TO_KHZ(nla_get_u32(
11018 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11019 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11020 		freq +=
11021 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11022 
11023 	if (freq) {
11024 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11025 		if (!connect.channel)
11026 			return -EINVAL;
11027 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11028 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11029 		freq = MHZ_TO_KHZ(freq);
11030 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11031 		if (!connect.channel_hint)
11032 			return -EINVAL;
11033 	}
11034 
11035 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11036 		connect.edmg.channels =
11037 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11038 
11039 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11040 			connect.edmg.bw_config =
11041 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11042 	}
11043 
11044 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11045 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11046 		if (IS_ERR(connkeys))
11047 			return PTR_ERR(connkeys);
11048 	}
11049 
11050 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11051 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11052 
11053 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11054 		memcpy(&connect.ht_capa_mask,
11055 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11056 		       sizeof(connect.ht_capa_mask));
11057 
11058 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11059 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11060 			kfree_sensitive(connkeys);
11061 			return -EINVAL;
11062 		}
11063 		memcpy(&connect.ht_capa,
11064 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11065 		       sizeof(connect.ht_capa));
11066 	}
11067 
11068 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11069 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11070 
11071 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11072 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11073 
11074 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11075 		memcpy(&connect.vht_capa_mask,
11076 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11077 		       sizeof(connect.vht_capa_mask));
11078 
11079 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11080 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11081 			kfree_sensitive(connkeys);
11082 			return -EINVAL;
11083 		}
11084 		memcpy(&connect.vht_capa,
11085 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11086 		       sizeof(connect.vht_capa));
11087 	}
11088 
11089 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11090 		if (!((rdev->wiphy.features &
11091 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11092 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11093 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11094 					     NL80211_EXT_FEATURE_RRM)) {
11095 			kfree_sensitive(connkeys);
11096 			return -EINVAL;
11097 		}
11098 		connect.flags |= ASSOC_REQ_USE_RRM;
11099 	}
11100 
11101 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11102 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11103 		kfree_sensitive(connkeys);
11104 		return -EOPNOTSUPP;
11105 	}
11106 
11107 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11108 		/* bss selection makes no sense if bssid is set */
11109 		if (connect.bssid) {
11110 			kfree_sensitive(connkeys);
11111 			return -EINVAL;
11112 		}
11113 
11114 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11115 				       wiphy, &connect.bss_select);
11116 		if (err) {
11117 			kfree_sensitive(connkeys);
11118 			return err;
11119 		}
11120 	}
11121 
11122 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11123 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11124 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11125 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11126 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11127 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11128 		connect.fils_erp_username =
11129 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11130 		connect.fils_erp_username_len =
11131 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11132 		connect.fils_erp_realm =
11133 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11134 		connect.fils_erp_realm_len =
11135 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11136 		connect.fils_erp_next_seq_num =
11137 			nla_get_u16(
11138 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11139 		connect.fils_erp_rrk =
11140 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11141 		connect.fils_erp_rrk_len =
11142 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11143 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11144 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11145 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11146 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11147 		kfree_sensitive(connkeys);
11148 		return -EINVAL;
11149 	}
11150 
11151 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11152 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11153 			kfree_sensitive(connkeys);
11154 			GENL_SET_ERR_MSG(info,
11155 					 "external auth requires connection ownership");
11156 			return -EINVAL;
11157 		}
11158 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11159 	}
11160 
11161 	wdev_lock(dev->ieee80211_ptr);
11162 
11163 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11164 			       connect.prev_bssid);
11165 	if (err)
11166 		kfree_sensitive(connkeys);
11167 
11168 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11169 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11170 		if (connect.bssid)
11171 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11172 			       connect.bssid, ETH_ALEN);
11173 		else
11174 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11175 	}
11176 
11177 	wdev_unlock(dev->ieee80211_ptr);
11178 
11179 	return err;
11180 }
11181 
11182 static int nl80211_update_connect_params(struct sk_buff *skb,
11183 					 struct genl_info *info)
11184 {
11185 	struct cfg80211_connect_params connect = {};
11186 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11187 	struct net_device *dev = info->user_ptr[1];
11188 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11189 	bool fils_sk_offload;
11190 	u32 auth_type;
11191 	u32 changed = 0;
11192 	int ret;
11193 
11194 	if (!rdev->ops->update_connect_params)
11195 		return -EOPNOTSUPP;
11196 
11197 	if (info->attrs[NL80211_ATTR_IE]) {
11198 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11199 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11200 		changed |= UPDATE_ASSOC_IES;
11201 	}
11202 
11203 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11204 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11205 
11206 	/*
11207 	 * when driver supports fils-sk offload all attributes must be
11208 	 * provided. So the else covers "fils-sk-not-all" and
11209 	 * "no-fils-sk-any".
11210 	 */
11211 	if (fils_sk_offload &&
11212 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11213 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11214 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11215 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11216 		connect.fils_erp_username =
11217 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11218 		connect.fils_erp_username_len =
11219 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11220 		connect.fils_erp_realm =
11221 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11222 		connect.fils_erp_realm_len =
11223 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11224 		connect.fils_erp_next_seq_num =
11225 			nla_get_u16(
11226 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11227 		connect.fils_erp_rrk =
11228 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11229 		connect.fils_erp_rrk_len =
11230 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11231 		changed |= UPDATE_FILS_ERP_INFO;
11232 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11233 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11234 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11235 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11236 		return -EINVAL;
11237 	}
11238 
11239 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11240 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11241 		if (!nl80211_valid_auth_type(rdev, auth_type,
11242 					     NL80211_CMD_CONNECT))
11243 			return -EINVAL;
11244 
11245 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11246 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11247 			return -EINVAL;
11248 
11249 		connect.auth_type = auth_type;
11250 		changed |= UPDATE_AUTH_TYPE;
11251 	}
11252 
11253 	wdev_lock(dev->ieee80211_ptr);
11254 	if (!wdev->current_bss)
11255 		ret = -ENOLINK;
11256 	else
11257 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11258 	wdev_unlock(dev->ieee80211_ptr);
11259 
11260 	return ret;
11261 }
11262 
11263 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11264 {
11265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11266 	struct net_device *dev = info->user_ptr[1];
11267 	u16 reason;
11268 	int ret;
11269 
11270 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11271 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11272 		return -EPERM;
11273 
11274 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11275 		reason = WLAN_REASON_DEAUTH_LEAVING;
11276 	else
11277 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11278 
11279 	if (reason == 0)
11280 		return -EINVAL;
11281 
11282 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11283 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11284 		return -EOPNOTSUPP;
11285 
11286 	wdev_lock(dev->ieee80211_ptr);
11287 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11288 	wdev_unlock(dev->ieee80211_ptr);
11289 	return ret;
11290 }
11291 
11292 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11293 {
11294 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11295 	struct net *net;
11296 	int err;
11297 
11298 	if (info->attrs[NL80211_ATTR_PID]) {
11299 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11300 
11301 		net = get_net_ns_by_pid(pid);
11302 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11303 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11304 
11305 		net = get_net_ns_by_fd(fd);
11306 	} else {
11307 		return -EINVAL;
11308 	}
11309 
11310 	if (IS_ERR(net))
11311 		return PTR_ERR(net);
11312 
11313 	err = 0;
11314 
11315 	/* check if anything to do */
11316 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11317 		err = cfg80211_switch_netns(rdev, net);
11318 
11319 	put_net(net);
11320 	return err;
11321 }
11322 
11323 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11324 {
11325 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11326 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11327 			struct cfg80211_pmksa *pmksa) = NULL;
11328 	struct net_device *dev = info->user_ptr[1];
11329 	struct cfg80211_pmksa pmksa;
11330 
11331 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11332 
11333 	if (!info->attrs[NL80211_ATTR_PMKID])
11334 		return -EINVAL;
11335 
11336 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11337 
11338 	if (info->attrs[NL80211_ATTR_MAC]) {
11339 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11340 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11341 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11342 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11343 		    info->attrs[NL80211_ATTR_PMK])) {
11344 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11345 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11346 		pmksa.cache_id =
11347 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11348 	} else {
11349 		return -EINVAL;
11350 	}
11351 	if (info->attrs[NL80211_ATTR_PMK]) {
11352 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11353 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11354 	}
11355 
11356 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11357 		pmksa.pmk_lifetime =
11358 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11359 
11360 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11361 		pmksa.pmk_reauth_threshold =
11362 			nla_get_u8(
11363 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11364 
11365 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11366 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11367 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11368 	      wiphy_ext_feature_isset(&rdev->wiphy,
11369 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11370 		return -EOPNOTSUPP;
11371 
11372 	switch (info->genlhdr->cmd) {
11373 	case NL80211_CMD_SET_PMKSA:
11374 		rdev_ops = rdev->ops->set_pmksa;
11375 		break;
11376 	case NL80211_CMD_DEL_PMKSA:
11377 		rdev_ops = rdev->ops->del_pmksa;
11378 		break;
11379 	default:
11380 		WARN_ON(1);
11381 		break;
11382 	}
11383 
11384 	if (!rdev_ops)
11385 		return -EOPNOTSUPP;
11386 
11387 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11388 }
11389 
11390 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11391 {
11392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11393 	struct net_device *dev = info->user_ptr[1];
11394 
11395 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11396 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11397 		return -EOPNOTSUPP;
11398 
11399 	if (!rdev->ops->flush_pmksa)
11400 		return -EOPNOTSUPP;
11401 
11402 	return rdev_flush_pmksa(rdev, dev);
11403 }
11404 
11405 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11406 {
11407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11408 	struct net_device *dev = info->user_ptr[1];
11409 	u8 action_code, dialog_token;
11410 	u32 peer_capability = 0;
11411 	u16 status_code;
11412 	u8 *peer;
11413 	bool initiator;
11414 
11415 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11416 	    !rdev->ops->tdls_mgmt)
11417 		return -EOPNOTSUPP;
11418 
11419 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11420 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11421 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11422 	    !info->attrs[NL80211_ATTR_IE] ||
11423 	    !info->attrs[NL80211_ATTR_MAC])
11424 		return -EINVAL;
11425 
11426 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11427 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11428 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11429 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11430 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11431 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11432 		peer_capability =
11433 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11434 
11435 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11436 			      dialog_token, status_code, peer_capability,
11437 			      initiator,
11438 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11439 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11440 }
11441 
11442 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11443 {
11444 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11445 	struct net_device *dev = info->user_ptr[1];
11446 	enum nl80211_tdls_operation operation;
11447 	u8 *peer;
11448 
11449 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11450 	    !rdev->ops->tdls_oper)
11451 		return -EOPNOTSUPP;
11452 
11453 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11454 	    !info->attrs[NL80211_ATTR_MAC])
11455 		return -EINVAL;
11456 
11457 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11458 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11459 
11460 	return rdev_tdls_oper(rdev, dev, peer, operation);
11461 }
11462 
11463 static int nl80211_remain_on_channel(struct sk_buff *skb,
11464 				     struct genl_info *info)
11465 {
11466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11467 	struct wireless_dev *wdev = info->user_ptr[1];
11468 	struct cfg80211_chan_def chandef;
11469 	const struct cfg80211_chan_def *compat_chandef;
11470 	struct sk_buff *msg;
11471 	void *hdr;
11472 	u64 cookie;
11473 	u32 duration;
11474 	int err;
11475 
11476 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11477 	    !info->attrs[NL80211_ATTR_DURATION])
11478 		return -EINVAL;
11479 
11480 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11481 
11482 	if (!rdev->ops->remain_on_channel ||
11483 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11484 		return -EOPNOTSUPP;
11485 
11486 	/*
11487 	 * We should be on that channel for at least a minimum amount of
11488 	 * time (10ms) but no longer than the driver supports.
11489 	 */
11490 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11491 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11492 		return -EINVAL;
11493 
11494 	err = nl80211_parse_chandef(rdev, info, &chandef);
11495 	if (err)
11496 		return err;
11497 
11498 	wdev_lock(wdev);
11499 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11500 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11501 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11502 							     &chandef);
11503 		if (compat_chandef != &chandef) {
11504 			wdev_unlock(wdev);
11505 			return -EBUSY;
11506 		}
11507 	}
11508 	wdev_unlock(wdev);
11509 
11510 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11511 	if (!msg)
11512 		return -ENOMEM;
11513 
11514 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11515 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11516 	if (!hdr) {
11517 		err = -ENOBUFS;
11518 		goto free_msg;
11519 	}
11520 
11521 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11522 				     duration, &cookie);
11523 
11524 	if (err)
11525 		goto free_msg;
11526 
11527 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11528 			      NL80211_ATTR_PAD))
11529 		goto nla_put_failure;
11530 
11531 	genlmsg_end(msg, hdr);
11532 
11533 	return genlmsg_reply(msg, info);
11534 
11535  nla_put_failure:
11536 	err = -ENOBUFS;
11537  free_msg:
11538 	nlmsg_free(msg);
11539 	return err;
11540 }
11541 
11542 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11543 					    struct genl_info *info)
11544 {
11545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11546 	struct wireless_dev *wdev = info->user_ptr[1];
11547 	u64 cookie;
11548 
11549 	if (!info->attrs[NL80211_ATTR_COOKIE])
11550 		return -EINVAL;
11551 
11552 	if (!rdev->ops->cancel_remain_on_channel)
11553 		return -EOPNOTSUPP;
11554 
11555 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11556 
11557 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11558 }
11559 
11560 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11561 				       struct genl_info *info)
11562 {
11563 	struct cfg80211_bitrate_mask mask;
11564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11565 	struct net_device *dev = info->user_ptr[1];
11566 	int err;
11567 
11568 	if (!rdev->ops->set_bitrate_mask)
11569 		return -EOPNOTSUPP;
11570 
11571 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11572 					    NL80211_ATTR_TX_RATES, &mask,
11573 					    dev, true);
11574 	if (err)
11575 		return err;
11576 
11577 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11578 }
11579 
11580 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11581 {
11582 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11583 	struct wireless_dev *wdev = info->user_ptr[1];
11584 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11585 
11586 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11587 		return -EINVAL;
11588 
11589 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11590 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11591 
11592 	switch (wdev->iftype) {
11593 	case NL80211_IFTYPE_STATION:
11594 	case NL80211_IFTYPE_ADHOC:
11595 	case NL80211_IFTYPE_P2P_CLIENT:
11596 	case NL80211_IFTYPE_AP:
11597 	case NL80211_IFTYPE_AP_VLAN:
11598 	case NL80211_IFTYPE_MESH_POINT:
11599 	case NL80211_IFTYPE_P2P_GO:
11600 	case NL80211_IFTYPE_P2P_DEVICE:
11601 		break;
11602 	case NL80211_IFTYPE_NAN:
11603 	default:
11604 		return -EOPNOTSUPP;
11605 	}
11606 
11607 	/* not much point in registering if we can't reply */
11608 	if (!rdev->ops->mgmt_tx)
11609 		return -EOPNOTSUPP;
11610 
11611 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11612 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11613 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11614 		GENL_SET_ERR_MSG(info,
11615 				 "multicast RX registrations are not supported");
11616 		return -EOPNOTSUPP;
11617 	}
11618 
11619 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11620 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11621 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11622 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11623 					   info->extack);
11624 }
11625 
11626 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11627 {
11628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11629 	struct wireless_dev *wdev = info->user_ptr[1];
11630 	struct cfg80211_chan_def chandef;
11631 	int err;
11632 	void *hdr = NULL;
11633 	u64 cookie;
11634 	struct sk_buff *msg = NULL;
11635 	struct cfg80211_mgmt_tx_params params = {
11636 		.dont_wait_for_ack =
11637 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11638 	};
11639 
11640 	if (!info->attrs[NL80211_ATTR_FRAME])
11641 		return -EINVAL;
11642 
11643 	if (!rdev->ops->mgmt_tx)
11644 		return -EOPNOTSUPP;
11645 
11646 	switch (wdev->iftype) {
11647 	case NL80211_IFTYPE_P2P_DEVICE:
11648 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11649 			return -EINVAL;
11650 		break;
11651 	case NL80211_IFTYPE_STATION:
11652 	case NL80211_IFTYPE_ADHOC:
11653 	case NL80211_IFTYPE_P2P_CLIENT:
11654 	case NL80211_IFTYPE_AP:
11655 	case NL80211_IFTYPE_AP_VLAN:
11656 	case NL80211_IFTYPE_MESH_POINT:
11657 	case NL80211_IFTYPE_P2P_GO:
11658 		break;
11659 	case NL80211_IFTYPE_NAN:
11660 	default:
11661 		return -EOPNOTSUPP;
11662 	}
11663 
11664 	if (info->attrs[NL80211_ATTR_DURATION]) {
11665 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11666 			return -EINVAL;
11667 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11668 
11669 		/*
11670 		 * We should wait on the channel for at least a minimum amount
11671 		 * of time (10ms) but no longer than the driver supports.
11672 		 */
11673 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11674 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11675 			return -EINVAL;
11676 	}
11677 
11678 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11679 
11680 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11681 		return -EINVAL;
11682 
11683 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11684 
11685 	/* get the channel if any has been specified, otherwise pass NULL to
11686 	 * the driver. The latter will use the current one
11687 	 */
11688 	chandef.chan = NULL;
11689 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11690 		err = nl80211_parse_chandef(rdev, info, &chandef);
11691 		if (err)
11692 			return err;
11693 	}
11694 
11695 	if (!chandef.chan && params.offchan)
11696 		return -EINVAL;
11697 
11698 	wdev_lock(wdev);
11699 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11700 		wdev_unlock(wdev);
11701 		return -EBUSY;
11702 	}
11703 	wdev_unlock(wdev);
11704 
11705 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11706 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11707 
11708 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11709 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11710 		int i;
11711 
11712 		if (len % sizeof(u16))
11713 			return -EINVAL;
11714 
11715 		params.n_csa_offsets = len / sizeof(u16);
11716 		params.csa_offsets =
11717 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11718 
11719 		/* check that all the offsets fit the frame */
11720 		for (i = 0; i < params.n_csa_offsets; i++) {
11721 			if (params.csa_offsets[i] >= params.len)
11722 				return -EINVAL;
11723 		}
11724 	}
11725 
11726 	if (!params.dont_wait_for_ack) {
11727 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11728 		if (!msg)
11729 			return -ENOMEM;
11730 
11731 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11732 				     NL80211_CMD_FRAME);
11733 		if (!hdr) {
11734 			err = -ENOBUFS;
11735 			goto free_msg;
11736 		}
11737 	}
11738 
11739 	params.chan = chandef.chan;
11740 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11741 	if (err)
11742 		goto free_msg;
11743 
11744 	if (msg) {
11745 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11746 				      NL80211_ATTR_PAD))
11747 			goto nla_put_failure;
11748 
11749 		genlmsg_end(msg, hdr);
11750 		return genlmsg_reply(msg, info);
11751 	}
11752 
11753 	return 0;
11754 
11755  nla_put_failure:
11756 	err = -ENOBUFS;
11757  free_msg:
11758 	nlmsg_free(msg);
11759 	return err;
11760 }
11761 
11762 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11763 {
11764 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11765 	struct wireless_dev *wdev = info->user_ptr[1];
11766 	u64 cookie;
11767 
11768 	if (!info->attrs[NL80211_ATTR_COOKIE])
11769 		return -EINVAL;
11770 
11771 	if (!rdev->ops->mgmt_tx_cancel_wait)
11772 		return -EOPNOTSUPP;
11773 
11774 	switch (wdev->iftype) {
11775 	case NL80211_IFTYPE_STATION:
11776 	case NL80211_IFTYPE_ADHOC:
11777 	case NL80211_IFTYPE_P2P_CLIENT:
11778 	case NL80211_IFTYPE_AP:
11779 	case NL80211_IFTYPE_AP_VLAN:
11780 	case NL80211_IFTYPE_P2P_GO:
11781 	case NL80211_IFTYPE_P2P_DEVICE:
11782 		break;
11783 	case NL80211_IFTYPE_NAN:
11784 	default:
11785 		return -EOPNOTSUPP;
11786 	}
11787 
11788 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11789 
11790 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11791 }
11792 
11793 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11794 {
11795 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11796 	struct wireless_dev *wdev;
11797 	struct net_device *dev = info->user_ptr[1];
11798 	u8 ps_state;
11799 	bool state;
11800 	int err;
11801 
11802 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11803 		return -EINVAL;
11804 
11805 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11806 
11807 	wdev = dev->ieee80211_ptr;
11808 
11809 	if (!rdev->ops->set_power_mgmt)
11810 		return -EOPNOTSUPP;
11811 
11812 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11813 
11814 	if (state == wdev->ps)
11815 		return 0;
11816 
11817 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11818 	if (!err)
11819 		wdev->ps = state;
11820 	return err;
11821 }
11822 
11823 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11824 {
11825 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11826 	enum nl80211_ps_state ps_state;
11827 	struct wireless_dev *wdev;
11828 	struct net_device *dev = info->user_ptr[1];
11829 	struct sk_buff *msg;
11830 	void *hdr;
11831 	int err;
11832 
11833 	wdev = dev->ieee80211_ptr;
11834 
11835 	if (!rdev->ops->set_power_mgmt)
11836 		return -EOPNOTSUPP;
11837 
11838 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11839 	if (!msg)
11840 		return -ENOMEM;
11841 
11842 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11843 			     NL80211_CMD_GET_POWER_SAVE);
11844 	if (!hdr) {
11845 		err = -ENOBUFS;
11846 		goto free_msg;
11847 	}
11848 
11849 	if (wdev->ps)
11850 		ps_state = NL80211_PS_ENABLED;
11851 	else
11852 		ps_state = NL80211_PS_DISABLED;
11853 
11854 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11855 		goto nla_put_failure;
11856 
11857 	genlmsg_end(msg, hdr);
11858 	return genlmsg_reply(msg, info);
11859 
11860  nla_put_failure:
11861 	err = -ENOBUFS;
11862  free_msg:
11863 	nlmsg_free(msg);
11864 	return err;
11865 }
11866 
11867 static const struct nla_policy
11868 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11869 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11870 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11871 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11872 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11873 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11874 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11875 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11876 };
11877 
11878 static int nl80211_set_cqm_txe(struct genl_info *info,
11879 			       u32 rate, u32 pkts, u32 intvl)
11880 {
11881 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11882 	struct net_device *dev = info->user_ptr[1];
11883 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11884 
11885 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11886 		return -EINVAL;
11887 
11888 	if (!rdev->ops->set_cqm_txe_config)
11889 		return -EOPNOTSUPP;
11890 
11891 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11892 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11893 		return -EOPNOTSUPP;
11894 
11895 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11896 }
11897 
11898 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11899 				    struct net_device *dev)
11900 {
11901 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11902 	s32 last, low, high;
11903 	u32 hyst;
11904 	int i, n, low_index;
11905 	int err;
11906 
11907 	/* RSSI reporting disabled? */
11908 	if (!wdev->cqm_config)
11909 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11910 
11911 	/*
11912 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11913 	 * event has been received yet, we should receive an event after a
11914 	 * connection is established and enough beacons received to calculate
11915 	 * the average.
11916 	 */
11917 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11918 	    rdev->ops->get_station) {
11919 		struct station_info sinfo = {};
11920 		u8 *mac_addr;
11921 
11922 		mac_addr = wdev->current_bss->pub.bssid;
11923 
11924 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11925 		if (err)
11926 			return err;
11927 
11928 		cfg80211_sinfo_release_content(&sinfo);
11929 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11930 			wdev->cqm_config->last_rssi_event_value =
11931 				(s8) sinfo.rx_beacon_signal_avg;
11932 	}
11933 
11934 	last = wdev->cqm_config->last_rssi_event_value;
11935 	hyst = wdev->cqm_config->rssi_hyst;
11936 	n = wdev->cqm_config->n_rssi_thresholds;
11937 
11938 	for (i = 0; i < n; i++) {
11939 		i = array_index_nospec(i, n);
11940 		if (last < wdev->cqm_config->rssi_thresholds[i])
11941 			break;
11942 	}
11943 
11944 	low_index = i - 1;
11945 	if (low_index >= 0) {
11946 		low_index = array_index_nospec(low_index, n);
11947 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11948 	} else {
11949 		low = S32_MIN;
11950 	}
11951 	if (i < n) {
11952 		i = array_index_nospec(i, n);
11953 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11954 	} else {
11955 		high = S32_MAX;
11956 	}
11957 
11958 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11959 }
11960 
11961 static int nl80211_set_cqm_rssi(struct genl_info *info,
11962 				const s32 *thresholds, int n_thresholds,
11963 				u32 hysteresis)
11964 {
11965 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11966 	struct net_device *dev = info->user_ptr[1];
11967 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11968 	int i, err;
11969 	s32 prev = S32_MIN;
11970 
11971 	/* Check all values negative and sorted */
11972 	for (i = 0; i < n_thresholds; i++) {
11973 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11974 			return -EINVAL;
11975 
11976 		prev = thresholds[i];
11977 	}
11978 
11979 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11980 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11981 		return -EOPNOTSUPP;
11982 
11983 	wdev_lock(wdev);
11984 	cfg80211_cqm_config_free(wdev);
11985 	wdev_unlock(wdev);
11986 
11987 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11988 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11989 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11990 
11991 		return rdev_set_cqm_rssi_config(rdev, dev,
11992 						thresholds[0], hysteresis);
11993 	}
11994 
11995 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11996 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11997 		return -EOPNOTSUPP;
11998 
11999 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12000 		n_thresholds = 0;
12001 
12002 	wdev_lock(wdev);
12003 	if (n_thresholds) {
12004 		struct cfg80211_cqm_config *cqm_config;
12005 
12006 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12007 						 n_thresholds),
12008 				     GFP_KERNEL);
12009 		if (!cqm_config) {
12010 			err = -ENOMEM;
12011 			goto unlock;
12012 		}
12013 
12014 		cqm_config->rssi_hyst = hysteresis;
12015 		cqm_config->n_rssi_thresholds = n_thresholds;
12016 		memcpy(cqm_config->rssi_thresholds, thresholds,
12017 		       flex_array_size(cqm_config, rssi_thresholds,
12018 				       n_thresholds));
12019 
12020 		wdev->cqm_config = cqm_config;
12021 	}
12022 
12023 	err = cfg80211_cqm_rssi_update(rdev, dev);
12024 
12025 unlock:
12026 	wdev_unlock(wdev);
12027 
12028 	return err;
12029 }
12030 
12031 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12032 {
12033 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12034 	struct nlattr *cqm;
12035 	int err;
12036 
12037 	cqm = info->attrs[NL80211_ATTR_CQM];
12038 	if (!cqm)
12039 		return -EINVAL;
12040 
12041 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12042 					  nl80211_attr_cqm_policy,
12043 					  info->extack);
12044 	if (err)
12045 		return err;
12046 
12047 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12048 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12049 		const s32 *thresholds =
12050 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12051 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12052 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12053 
12054 		if (len % 4)
12055 			return -EINVAL;
12056 
12057 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12058 					    hysteresis);
12059 	}
12060 
12061 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12062 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12063 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12064 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12065 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12066 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12067 
12068 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12069 	}
12070 
12071 	return -EINVAL;
12072 }
12073 
12074 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12075 {
12076 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12077 	struct net_device *dev = info->user_ptr[1];
12078 	struct ocb_setup setup = {};
12079 	int err;
12080 
12081 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12082 	if (err)
12083 		return err;
12084 
12085 	return cfg80211_join_ocb(rdev, dev, &setup);
12086 }
12087 
12088 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12089 {
12090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12091 	struct net_device *dev = info->user_ptr[1];
12092 
12093 	return cfg80211_leave_ocb(rdev, dev);
12094 }
12095 
12096 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12097 {
12098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12099 	struct net_device *dev = info->user_ptr[1];
12100 	struct mesh_config cfg;
12101 	struct mesh_setup setup;
12102 	int err;
12103 
12104 	/* start with default */
12105 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12106 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12107 
12108 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12109 		/* and parse parameters if given */
12110 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12111 		if (err)
12112 			return err;
12113 	}
12114 
12115 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12116 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12117 		return -EINVAL;
12118 
12119 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12120 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12121 
12122 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12123 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12124 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12125 			return -EINVAL;
12126 
12127 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12128 		setup.beacon_interval =
12129 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12130 
12131 		err = cfg80211_validate_beacon_int(rdev,
12132 						   NL80211_IFTYPE_MESH_POINT,
12133 						   setup.beacon_interval);
12134 		if (err)
12135 			return err;
12136 	}
12137 
12138 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12139 		setup.dtim_period =
12140 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12141 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12142 			return -EINVAL;
12143 	}
12144 
12145 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12146 		/* parse additional setup parameters if given */
12147 		err = nl80211_parse_mesh_setup(info, &setup);
12148 		if (err)
12149 			return err;
12150 	}
12151 
12152 	if (setup.user_mpm)
12153 		cfg.auto_open_plinks = false;
12154 
12155 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12156 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12157 		if (err)
12158 			return err;
12159 	} else {
12160 		/* __cfg80211_join_mesh() will sort it out */
12161 		setup.chandef.chan = NULL;
12162 	}
12163 
12164 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12165 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12166 		int n_rates =
12167 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12168 		struct ieee80211_supported_band *sband;
12169 
12170 		if (!setup.chandef.chan)
12171 			return -EINVAL;
12172 
12173 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12174 
12175 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12176 					     &setup.basic_rates);
12177 		if (err)
12178 			return err;
12179 	}
12180 
12181 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12182 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12183 						    NL80211_ATTR_TX_RATES,
12184 						    &setup.beacon_rate,
12185 						    dev, false);
12186 		if (err)
12187 			return err;
12188 
12189 		if (!setup.chandef.chan)
12190 			return -EINVAL;
12191 
12192 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12193 					      &setup.beacon_rate);
12194 		if (err)
12195 			return err;
12196 	}
12197 
12198 	setup.userspace_handles_dfs =
12199 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12200 
12201 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12202 		int r = validate_pae_over_nl80211(rdev, info);
12203 
12204 		if (r < 0)
12205 			return r;
12206 
12207 		setup.control_port_over_nl80211 = true;
12208 	}
12209 
12210 	wdev_lock(dev->ieee80211_ptr);
12211 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12212 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12213 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12214 	wdev_unlock(dev->ieee80211_ptr);
12215 
12216 	return err;
12217 }
12218 
12219 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12220 {
12221 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12222 	struct net_device *dev = info->user_ptr[1];
12223 
12224 	return cfg80211_leave_mesh(rdev, dev);
12225 }
12226 
12227 #ifdef CONFIG_PM
12228 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12229 					struct cfg80211_registered_device *rdev)
12230 {
12231 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12232 	struct nlattr *nl_pats, *nl_pat;
12233 	int i, pat_len;
12234 
12235 	if (!wowlan->n_patterns)
12236 		return 0;
12237 
12238 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12239 	if (!nl_pats)
12240 		return -ENOBUFS;
12241 
12242 	for (i = 0; i < wowlan->n_patterns; i++) {
12243 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12244 		if (!nl_pat)
12245 			return -ENOBUFS;
12246 		pat_len = wowlan->patterns[i].pattern_len;
12247 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12248 			    wowlan->patterns[i].mask) ||
12249 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12250 			    wowlan->patterns[i].pattern) ||
12251 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12252 				wowlan->patterns[i].pkt_offset))
12253 			return -ENOBUFS;
12254 		nla_nest_end(msg, nl_pat);
12255 	}
12256 	nla_nest_end(msg, nl_pats);
12257 
12258 	return 0;
12259 }
12260 
12261 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12262 				   struct cfg80211_wowlan_tcp *tcp)
12263 {
12264 	struct nlattr *nl_tcp;
12265 
12266 	if (!tcp)
12267 		return 0;
12268 
12269 	nl_tcp = nla_nest_start_noflag(msg,
12270 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12271 	if (!nl_tcp)
12272 		return -ENOBUFS;
12273 
12274 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12275 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12276 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12277 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12278 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12279 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12280 		    tcp->payload_len, tcp->payload) ||
12281 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12282 			tcp->data_interval) ||
12283 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12284 		    tcp->wake_len, tcp->wake_data) ||
12285 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12286 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12287 		return -ENOBUFS;
12288 
12289 	if (tcp->payload_seq.len &&
12290 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12291 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12292 		return -ENOBUFS;
12293 
12294 	if (tcp->payload_tok.len &&
12295 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12296 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12297 		    &tcp->payload_tok))
12298 		return -ENOBUFS;
12299 
12300 	nla_nest_end(msg, nl_tcp);
12301 
12302 	return 0;
12303 }
12304 
12305 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12306 				  struct cfg80211_sched_scan_request *req)
12307 {
12308 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12309 	int i;
12310 
12311 	if (!req)
12312 		return 0;
12313 
12314 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12315 	if (!nd)
12316 		return -ENOBUFS;
12317 
12318 	if (req->n_scan_plans == 1 &&
12319 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12320 			req->scan_plans[0].interval * 1000))
12321 		return -ENOBUFS;
12322 
12323 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12324 		return -ENOBUFS;
12325 
12326 	if (req->relative_rssi_set) {
12327 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12328 
12329 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12330 			       req->relative_rssi))
12331 			return -ENOBUFS;
12332 
12333 		rssi_adjust.band = req->rssi_adjust.band;
12334 		rssi_adjust.delta = req->rssi_adjust.delta;
12335 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12336 			    sizeof(rssi_adjust), &rssi_adjust))
12337 			return -ENOBUFS;
12338 	}
12339 
12340 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12341 	if (!freqs)
12342 		return -ENOBUFS;
12343 
12344 	for (i = 0; i < req->n_channels; i++) {
12345 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12346 			return -ENOBUFS;
12347 	}
12348 
12349 	nla_nest_end(msg, freqs);
12350 
12351 	if (req->n_match_sets) {
12352 		matches = nla_nest_start_noflag(msg,
12353 						NL80211_ATTR_SCHED_SCAN_MATCH);
12354 		if (!matches)
12355 			return -ENOBUFS;
12356 
12357 		for (i = 0; i < req->n_match_sets; i++) {
12358 			match = nla_nest_start_noflag(msg, i);
12359 			if (!match)
12360 				return -ENOBUFS;
12361 
12362 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12363 				    req->match_sets[i].ssid.ssid_len,
12364 				    req->match_sets[i].ssid.ssid))
12365 				return -ENOBUFS;
12366 			nla_nest_end(msg, match);
12367 		}
12368 		nla_nest_end(msg, matches);
12369 	}
12370 
12371 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12372 	if (!scan_plans)
12373 		return -ENOBUFS;
12374 
12375 	for (i = 0; i < req->n_scan_plans; i++) {
12376 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12377 		if (!scan_plan)
12378 			return -ENOBUFS;
12379 
12380 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12381 				req->scan_plans[i].interval) ||
12382 		    (req->scan_plans[i].iterations &&
12383 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12384 				 req->scan_plans[i].iterations)))
12385 			return -ENOBUFS;
12386 		nla_nest_end(msg, scan_plan);
12387 	}
12388 	nla_nest_end(msg, scan_plans);
12389 
12390 	nla_nest_end(msg, nd);
12391 
12392 	return 0;
12393 }
12394 
12395 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12396 {
12397 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12398 	struct sk_buff *msg;
12399 	void *hdr;
12400 	u32 size = NLMSG_DEFAULT_SIZE;
12401 
12402 	if (!rdev->wiphy.wowlan)
12403 		return -EOPNOTSUPP;
12404 
12405 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12406 		/* adjust size to have room for all the data */
12407 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12408 			rdev->wiphy.wowlan_config->tcp->payload_len +
12409 			rdev->wiphy.wowlan_config->tcp->wake_len +
12410 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12411 	}
12412 
12413 	msg = nlmsg_new(size, GFP_KERNEL);
12414 	if (!msg)
12415 		return -ENOMEM;
12416 
12417 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12418 			     NL80211_CMD_GET_WOWLAN);
12419 	if (!hdr)
12420 		goto nla_put_failure;
12421 
12422 	if (rdev->wiphy.wowlan_config) {
12423 		struct nlattr *nl_wowlan;
12424 
12425 		nl_wowlan = nla_nest_start_noflag(msg,
12426 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12427 		if (!nl_wowlan)
12428 			goto nla_put_failure;
12429 
12430 		if ((rdev->wiphy.wowlan_config->any &&
12431 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12432 		    (rdev->wiphy.wowlan_config->disconnect &&
12433 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12434 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12435 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12436 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12437 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12438 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12439 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12440 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12441 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12442 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12443 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12444 			goto nla_put_failure;
12445 
12446 		if (nl80211_send_wowlan_patterns(msg, rdev))
12447 			goto nla_put_failure;
12448 
12449 		if (nl80211_send_wowlan_tcp(msg,
12450 					    rdev->wiphy.wowlan_config->tcp))
12451 			goto nla_put_failure;
12452 
12453 		if (nl80211_send_wowlan_nd(
12454 			    msg,
12455 			    rdev->wiphy.wowlan_config->nd_config))
12456 			goto nla_put_failure;
12457 
12458 		nla_nest_end(msg, nl_wowlan);
12459 	}
12460 
12461 	genlmsg_end(msg, hdr);
12462 	return genlmsg_reply(msg, info);
12463 
12464 nla_put_failure:
12465 	nlmsg_free(msg);
12466 	return -ENOBUFS;
12467 }
12468 
12469 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12470 				    struct nlattr *attr,
12471 				    struct cfg80211_wowlan *trig)
12472 {
12473 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12474 	struct cfg80211_wowlan_tcp *cfg;
12475 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12476 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12477 	u32 size;
12478 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12479 	int err, port;
12480 
12481 	if (!rdev->wiphy.wowlan->tcp)
12482 		return -EINVAL;
12483 
12484 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12485 					  nl80211_wowlan_tcp_policy, NULL);
12486 	if (err)
12487 		return err;
12488 
12489 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12490 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12491 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12492 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12493 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12494 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12495 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12496 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12497 		return -EINVAL;
12498 
12499 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12500 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12501 		return -EINVAL;
12502 
12503 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12504 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12505 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12506 		return -EINVAL;
12507 
12508 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12509 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12510 		return -EINVAL;
12511 
12512 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12513 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12514 		return -EINVAL;
12515 
12516 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12517 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12518 
12519 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12520 		tokens_size = tokln - sizeof(*tok);
12521 
12522 		if (!tok->len || tokens_size % tok->len)
12523 			return -EINVAL;
12524 		if (!rdev->wiphy.wowlan->tcp->tok)
12525 			return -EINVAL;
12526 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12527 			return -EINVAL;
12528 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12529 			return -EINVAL;
12530 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12531 			return -EINVAL;
12532 		if (tok->offset + tok->len > data_size)
12533 			return -EINVAL;
12534 	}
12535 
12536 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12537 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12538 		if (!rdev->wiphy.wowlan->tcp->seq)
12539 			return -EINVAL;
12540 		if (seq->len == 0 || seq->len > 4)
12541 			return -EINVAL;
12542 		if (seq->len + seq->offset > data_size)
12543 			return -EINVAL;
12544 	}
12545 
12546 	size = sizeof(*cfg);
12547 	size += data_size;
12548 	size += wake_size + wake_mask_size;
12549 	size += tokens_size;
12550 
12551 	cfg = kzalloc(size, GFP_KERNEL);
12552 	if (!cfg)
12553 		return -ENOMEM;
12554 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12555 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12556 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12557 	       ETH_ALEN);
12558 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12559 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12560 	else
12561 		port = 0;
12562 #ifdef CONFIG_INET
12563 	/* allocate a socket and port for it and use it */
12564 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12565 			    IPPROTO_TCP, &cfg->sock, 1);
12566 	if (err) {
12567 		kfree(cfg);
12568 		return err;
12569 	}
12570 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12571 		sock_release(cfg->sock);
12572 		kfree(cfg);
12573 		return -EADDRINUSE;
12574 	}
12575 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12576 #else
12577 	if (!port) {
12578 		kfree(cfg);
12579 		return -EINVAL;
12580 	}
12581 	cfg->src_port = port;
12582 #endif
12583 
12584 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12585 	cfg->payload_len = data_size;
12586 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12587 	memcpy((void *)cfg->payload,
12588 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12589 	       data_size);
12590 	if (seq)
12591 		cfg->payload_seq = *seq;
12592 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12593 	cfg->wake_len = wake_size;
12594 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12595 	memcpy((void *)cfg->wake_data,
12596 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12597 	       wake_size);
12598 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12599 			 data_size + wake_size;
12600 	memcpy((void *)cfg->wake_mask,
12601 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12602 	       wake_mask_size);
12603 	if (tok) {
12604 		cfg->tokens_size = tokens_size;
12605 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12606 	}
12607 
12608 	trig->tcp = cfg;
12609 
12610 	return 0;
12611 }
12612 
12613 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12614 				   const struct wiphy_wowlan_support *wowlan,
12615 				   struct nlattr *attr,
12616 				   struct cfg80211_wowlan *trig)
12617 {
12618 	struct nlattr **tb;
12619 	int err;
12620 
12621 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12622 	if (!tb)
12623 		return -ENOMEM;
12624 
12625 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12626 		err = -EOPNOTSUPP;
12627 		goto out;
12628 	}
12629 
12630 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12631 					  nl80211_policy, NULL);
12632 	if (err)
12633 		goto out;
12634 
12635 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12636 						   wowlan->max_nd_match_sets);
12637 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12638 	if (err)
12639 		trig->nd_config = NULL;
12640 
12641 out:
12642 	kfree(tb);
12643 	return err;
12644 }
12645 
12646 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12647 {
12648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12649 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12650 	struct cfg80211_wowlan new_triggers = {};
12651 	struct cfg80211_wowlan *ntrig;
12652 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12653 	int err, i;
12654 	bool prev_enabled = rdev->wiphy.wowlan_config;
12655 	bool regular = false;
12656 
12657 	if (!wowlan)
12658 		return -EOPNOTSUPP;
12659 
12660 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12661 		cfg80211_rdev_free_wowlan(rdev);
12662 		rdev->wiphy.wowlan_config = NULL;
12663 		goto set_wakeup;
12664 	}
12665 
12666 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12667 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12668 					  nl80211_wowlan_policy, info->extack);
12669 	if (err)
12670 		return err;
12671 
12672 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12673 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12674 			return -EINVAL;
12675 		new_triggers.any = true;
12676 	}
12677 
12678 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12679 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12680 			return -EINVAL;
12681 		new_triggers.disconnect = true;
12682 		regular = true;
12683 	}
12684 
12685 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12686 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12687 			return -EINVAL;
12688 		new_triggers.magic_pkt = true;
12689 		regular = true;
12690 	}
12691 
12692 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12693 		return -EINVAL;
12694 
12695 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12696 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12697 			return -EINVAL;
12698 		new_triggers.gtk_rekey_failure = true;
12699 		regular = true;
12700 	}
12701 
12702 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12703 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12704 			return -EINVAL;
12705 		new_triggers.eap_identity_req = true;
12706 		regular = true;
12707 	}
12708 
12709 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12710 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12711 			return -EINVAL;
12712 		new_triggers.four_way_handshake = true;
12713 		regular = true;
12714 	}
12715 
12716 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12717 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12718 			return -EINVAL;
12719 		new_triggers.rfkill_release = true;
12720 		regular = true;
12721 	}
12722 
12723 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12724 		struct nlattr *pat;
12725 		int n_patterns = 0;
12726 		int rem, pat_len, mask_len, pkt_offset;
12727 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12728 
12729 		regular = true;
12730 
12731 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12732 				    rem)
12733 			n_patterns++;
12734 		if (n_patterns > wowlan->n_patterns)
12735 			return -EINVAL;
12736 
12737 		new_triggers.patterns = kcalloc(n_patterns,
12738 						sizeof(new_triggers.patterns[0]),
12739 						GFP_KERNEL);
12740 		if (!new_triggers.patterns)
12741 			return -ENOMEM;
12742 
12743 		new_triggers.n_patterns = n_patterns;
12744 		i = 0;
12745 
12746 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12747 				    rem) {
12748 			u8 *mask_pat;
12749 
12750 			err = nla_parse_nested_deprecated(pat_tb,
12751 							  MAX_NL80211_PKTPAT,
12752 							  pat,
12753 							  nl80211_packet_pattern_policy,
12754 							  info->extack);
12755 			if (err)
12756 				goto error;
12757 
12758 			err = -EINVAL;
12759 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12760 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12761 				goto error;
12762 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12763 			mask_len = DIV_ROUND_UP(pat_len, 8);
12764 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12765 				goto error;
12766 			if (pat_len > wowlan->pattern_max_len ||
12767 			    pat_len < wowlan->pattern_min_len)
12768 				goto error;
12769 
12770 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12771 				pkt_offset = 0;
12772 			else
12773 				pkt_offset = nla_get_u32(
12774 					pat_tb[NL80211_PKTPAT_OFFSET]);
12775 			if (pkt_offset > wowlan->max_pkt_offset)
12776 				goto error;
12777 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12778 
12779 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12780 			if (!mask_pat) {
12781 				err = -ENOMEM;
12782 				goto error;
12783 			}
12784 			new_triggers.patterns[i].mask = mask_pat;
12785 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12786 			       mask_len);
12787 			mask_pat += mask_len;
12788 			new_triggers.patterns[i].pattern = mask_pat;
12789 			new_triggers.patterns[i].pattern_len = pat_len;
12790 			memcpy(mask_pat,
12791 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12792 			       pat_len);
12793 			i++;
12794 		}
12795 	}
12796 
12797 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12798 		regular = true;
12799 		err = nl80211_parse_wowlan_tcp(
12800 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12801 			&new_triggers);
12802 		if (err)
12803 			goto error;
12804 	}
12805 
12806 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12807 		regular = true;
12808 		err = nl80211_parse_wowlan_nd(
12809 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12810 			&new_triggers);
12811 		if (err)
12812 			goto error;
12813 	}
12814 
12815 	/* The 'any' trigger means the device continues operating more or less
12816 	 * as in its normal operation mode and wakes up the host on most of the
12817 	 * normal interrupts (like packet RX, ...)
12818 	 * It therefore makes little sense to combine with the more constrained
12819 	 * wakeup trigger modes.
12820 	 */
12821 	if (new_triggers.any && regular) {
12822 		err = -EINVAL;
12823 		goto error;
12824 	}
12825 
12826 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12827 	if (!ntrig) {
12828 		err = -ENOMEM;
12829 		goto error;
12830 	}
12831 	cfg80211_rdev_free_wowlan(rdev);
12832 	rdev->wiphy.wowlan_config = ntrig;
12833 
12834  set_wakeup:
12835 	if (rdev->ops->set_wakeup &&
12836 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12837 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12838 
12839 	return 0;
12840  error:
12841 	for (i = 0; i < new_triggers.n_patterns; i++)
12842 		kfree(new_triggers.patterns[i].mask);
12843 	kfree(new_triggers.patterns);
12844 	if (new_triggers.tcp && new_triggers.tcp->sock)
12845 		sock_release(new_triggers.tcp->sock);
12846 	kfree(new_triggers.tcp);
12847 	kfree(new_triggers.nd_config);
12848 	return err;
12849 }
12850 #endif
12851 
12852 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12853 				       struct cfg80211_registered_device *rdev)
12854 {
12855 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12856 	int i, j, pat_len;
12857 	struct cfg80211_coalesce_rules *rule;
12858 
12859 	if (!rdev->coalesce->n_rules)
12860 		return 0;
12861 
12862 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12863 	if (!nl_rules)
12864 		return -ENOBUFS;
12865 
12866 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12867 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12868 		if (!nl_rule)
12869 			return -ENOBUFS;
12870 
12871 		rule = &rdev->coalesce->rules[i];
12872 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12873 				rule->delay))
12874 			return -ENOBUFS;
12875 
12876 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12877 				rule->condition))
12878 			return -ENOBUFS;
12879 
12880 		nl_pats = nla_nest_start_noflag(msg,
12881 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12882 		if (!nl_pats)
12883 			return -ENOBUFS;
12884 
12885 		for (j = 0; j < rule->n_patterns; j++) {
12886 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12887 			if (!nl_pat)
12888 				return -ENOBUFS;
12889 			pat_len = rule->patterns[j].pattern_len;
12890 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12891 				    DIV_ROUND_UP(pat_len, 8),
12892 				    rule->patterns[j].mask) ||
12893 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12894 				    rule->patterns[j].pattern) ||
12895 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12896 					rule->patterns[j].pkt_offset))
12897 				return -ENOBUFS;
12898 			nla_nest_end(msg, nl_pat);
12899 		}
12900 		nla_nest_end(msg, nl_pats);
12901 		nla_nest_end(msg, nl_rule);
12902 	}
12903 	nla_nest_end(msg, nl_rules);
12904 
12905 	return 0;
12906 }
12907 
12908 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12909 {
12910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12911 	struct sk_buff *msg;
12912 	void *hdr;
12913 
12914 	if (!rdev->wiphy.coalesce)
12915 		return -EOPNOTSUPP;
12916 
12917 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12918 	if (!msg)
12919 		return -ENOMEM;
12920 
12921 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12922 			     NL80211_CMD_GET_COALESCE);
12923 	if (!hdr)
12924 		goto nla_put_failure;
12925 
12926 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12927 		goto nla_put_failure;
12928 
12929 	genlmsg_end(msg, hdr);
12930 	return genlmsg_reply(msg, info);
12931 
12932 nla_put_failure:
12933 	nlmsg_free(msg);
12934 	return -ENOBUFS;
12935 }
12936 
12937 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12938 {
12939 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12940 	int i, j;
12941 	struct cfg80211_coalesce_rules *rule;
12942 
12943 	if (!coalesce)
12944 		return;
12945 
12946 	for (i = 0; i < coalesce->n_rules; i++) {
12947 		rule = &coalesce->rules[i];
12948 		for (j = 0; j < rule->n_patterns; j++)
12949 			kfree(rule->patterns[j].mask);
12950 		kfree(rule->patterns);
12951 	}
12952 	kfree(coalesce->rules);
12953 	kfree(coalesce);
12954 	rdev->coalesce = NULL;
12955 }
12956 
12957 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12958 				       struct nlattr *rule,
12959 				       struct cfg80211_coalesce_rules *new_rule)
12960 {
12961 	int err, i;
12962 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12963 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12964 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12965 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12966 
12967 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12968 					  rule, nl80211_coalesce_policy, NULL);
12969 	if (err)
12970 		return err;
12971 
12972 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12973 		new_rule->delay =
12974 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12975 	if (new_rule->delay > coalesce->max_delay)
12976 		return -EINVAL;
12977 
12978 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12979 		new_rule->condition =
12980 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12981 
12982 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12983 		return -EINVAL;
12984 
12985 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12986 			    rem)
12987 		n_patterns++;
12988 	if (n_patterns > coalesce->n_patterns)
12989 		return -EINVAL;
12990 
12991 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12992 				     GFP_KERNEL);
12993 	if (!new_rule->patterns)
12994 		return -ENOMEM;
12995 
12996 	new_rule->n_patterns = n_patterns;
12997 	i = 0;
12998 
12999 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13000 			    rem) {
13001 		u8 *mask_pat;
13002 
13003 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13004 						  pat,
13005 						  nl80211_packet_pattern_policy,
13006 						  NULL);
13007 		if (err)
13008 			return err;
13009 
13010 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13011 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13012 			return -EINVAL;
13013 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13014 		mask_len = DIV_ROUND_UP(pat_len, 8);
13015 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13016 			return -EINVAL;
13017 		if (pat_len > coalesce->pattern_max_len ||
13018 		    pat_len < coalesce->pattern_min_len)
13019 			return -EINVAL;
13020 
13021 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13022 			pkt_offset = 0;
13023 		else
13024 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13025 		if (pkt_offset > coalesce->max_pkt_offset)
13026 			return -EINVAL;
13027 		new_rule->patterns[i].pkt_offset = pkt_offset;
13028 
13029 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13030 		if (!mask_pat)
13031 			return -ENOMEM;
13032 
13033 		new_rule->patterns[i].mask = mask_pat;
13034 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13035 		       mask_len);
13036 
13037 		mask_pat += mask_len;
13038 		new_rule->patterns[i].pattern = mask_pat;
13039 		new_rule->patterns[i].pattern_len = pat_len;
13040 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13041 		       pat_len);
13042 		i++;
13043 	}
13044 
13045 	return 0;
13046 }
13047 
13048 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13049 {
13050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13051 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13052 	struct cfg80211_coalesce new_coalesce = {};
13053 	struct cfg80211_coalesce *n_coalesce;
13054 	int err, rem_rule, n_rules = 0, i, j;
13055 	struct nlattr *rule;
13056 	struct cfg80211_coalesce_rules *tmp_rule;
13057 
13058 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13059 		return -EOPNOTSUPP;
13060 
13061 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13062 		cfg80211_rdev_free_coalesce(rdev);
13063 		rdev_set_coalesce(rdev, NULL);
13064 		return 0;
13065 	}
13066 
13067 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13068 			    rem_rule)
13069 		n_rules++;
13070 	if (n_rules > coalesce->n_rules)
13071 		return -EINVAL;
13072 
13073 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13074 				     GFP_KERNEL);
13075 	if (!new_coalesce.rules)
13076 		return -ENOMEM;
13077 
13078 	new_coalesce.n_rules = n_rules;
13079 	i = 0;
13080 
13081 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13082 			    rem_rule) {
13083 		err = nl80211_parse_coalesce_rule(rdev, rule,
13084 						  &new_coalesce.rules[i]);
13085 		if (err)
13086 			goto error;
13087 
13088 		i++;
13089 	}
13090 
13091 	err = rdev_set_coalesce(rdev, &new_coalesce);
13092 	if (err)
13093 		goto error;
13094 
13095 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13096 	if (!n_coalesce) {
13097 		err = -ENOMEM;
13098 		goto error;
13099 	}
13100 	cfg80211_rdev_free_coalesce(rdev);
13101 	rdev->coalesce = n_coalesce;
13102 
13103 	return 0;
13104 error:
13105 	for (i = 0; i < new_coalesce.n_rules; i++) {
13106 		tmp_rule = &new_coalesce.rules[i];
13107 		for (j = 0; j < tmp_rule->n_patterns; j++)
13108 			kfree(tmp_rule->patterns[j].mask);
13109 		kfree(tmp_rule->patterns);
13110 	}
13111 	kfree(new_coalesce.rules);
13112 
13113 	return err;
13114 }
13115 
13116 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13117 {
13118 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13119 	struct net_device *dev = info->user_ptr[1];
13120 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13121 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13122 	struct cfg80211_gtk_rekey_data rekey_data = {};
13123 	int err;
13124 
13125 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13126 		return -EINVAL;
13127 
13128 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13129 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13130 					  nl80211_rekey_policy, info->extack);
13131 	if (err)
13132 		return err;
13133 
13134 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13135 	    !tb[NL80211_REKEY_DATA_KCK])
13136 		return -EINVAL;
13137 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13138 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13139 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13140 		return -ERANGE;
13141 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13142 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13143 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13144 		return -ERANGE;
13145 
13146 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13147 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13148 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13149 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13150 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13151 	if (tb[NL80211_REKEY_DATA_AKM])
13152 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13153 
13154 	wdev_lock(wdev);
13155 	if (!wdev->current_bss) {
13156 		err = -ENOTCONN;
13157 		goto out;
13158 	}
13159 
13160 	if (!rdev->ops->set_rekey_data) {
13161 		err = -EOPNOTSUPP;
13162 		goto out;
13163 	}
13164 
13165 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13166  out:
13167 	wdev_unlock(wdev);
13168 	return err;
13169 }
13170 
13171 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13172 					     struct genl_info *info)
13173 {
13174 	struct net_device *dev = info->user_ptr[1];
13175 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13176 
13177 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13178 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13179 		return -EINVAL;
13180 
13181 	if (wdev->ap_unexpected_nlportid)
13182 		return -EBUSY;
13183 
13184 	wdev->ap_unexpected_nlportid = info->snd_portid;
13185 	return 0;
13186 }
13187 
13188 static int nl80211_probe_client(struct sk_buff *skb,
13189 				struct genl_info *info)
13190 {
13191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13192 	struct net_device *dev = info->user_ptr[1];
13193 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13194 	struct sk_buff *msg;
13195 	void *hdr;
13196 	const u8 *addr;
13197 	u64 cookie;
13198 	int err;
13199 
13200 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13201 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13202 		return -EOPNOTSUPP;
13203 
13204 	if (!info->attrs[NL80211_ATTR_MAC])
13205 		return -EINVAL;
13206 
13207 	if (!rdev->ops->probe_client)
13208 		return -EOPNOTSUPP;
13209 
13210 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13211 	if (!msg)
13212 		return -ENOMEM;
13213 
13214 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13215 			     NL80211_CMD_PROBE_CLIENT);
13216 	if (!hdr) {
13217 		err = -ENOBUFS;
13218 		goto free_msg;
13219 	}
13220 
13221 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13222 
13223 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13224 	if (err)
13225 		goto free_msg;
13226 
13227 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13228 			      NL80211_ATTR_PAD))
13229 		goto nla_put_failure;
13230 
13231 	genlmsg_end(msg, hdr);
13232 
13233 	return genlmsg_reply(msg, info);
13234 
13235  nla_put_failure:
13236 	err = -ENOBUFS;
13237  free_msg:
13238 	nlmsg_free(msg);
13239 	return err;
13240 }
13241 
13242 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13243 {
13244 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13245 	struct cfg80211_beacon_registration *reg, *nreg;
13246 	int rv;
13247 
13248 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13249 		return -EOPNOTSUPP;
13250 
13251 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13252 	if (!nreg)
13253 		return -ENOMEM;
13254 
13255 	/* First, check if already registered. */
13256 	spin_lock_bh(&rdev->beacon_registrations_lock);
13257 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13258 		if (reg->nlportid == info->snd_portid) {
13259 			rv = -EALREADY;
13260 			goto out_err;
13261 		}
13262 	}
13263 	/* Add it to the list */
13264 	nreg->nlportid = info->snd_portid;
13265 	list_add(&nreg->list, &rdev->beacon_registrations);
13266 
13267 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13268 
13269 	return 0;
13270 out_err:
13271 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13272 	kfree(nreg);
13273 	return rv;
13274 }
13275 
13276 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13277 {
13278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13279 	struct wireless_dev *wdev = info->user_ptr[1];
13280 	int err;
13281 
13282 	if (!rdev->ops->start_p2p_device)
13283 		return -EOPNOTSUPP;
13284 
13285 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13286 		return -EOPNOTSUPP;
13287 
13288 	if (wdev_running(wdev))
13289 		return 0;
13290 
13291 	if (rfkill_blocked(rdev->wiphy.rfkill))
13292 		return -ERFKILL;
13293 
13294 	err = rdev_start_p2p_device(rdev, wdev);
13295 	if (err)
13296 		return err;
13297 
13298 	wdev->is_running = true;
13299 	rdev->opencount++;
13300 
13301 	return 0;
13302 }
13303 
13304 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13305 {
13306 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13307 	struct wireless_dev *wdev = info->user_ptr[1];
13308 
13309 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13310 		return -EOPNOTSUPP;
13311 
13312 	if (!rdev->ops->stop_p2p_device)
13313 		return -EOPNOTSUPP;
13314 
13315 	cfg80211_stop_p2p_device(rdev, wdev);
13316 
13317 	return 0;
13318 }
13319 
13320 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13321 {
13322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13323 	struct wireless_dev *wdev = info->user_ptr[1];
13324 	struct cfg80211_nan_conf conf = {};
13325 	int err;
13326 
13327 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13328 		return -EOPNOTSUPP;
13329 
13330 	if (wdev_running(wdev))
13331 		return -EEXIST;
13332 
13333 	if (rfkill_blocked(rdev->wiphy.rfkill))
13334 		return -ERFKILL;
13335 
13336 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13337 		return -EINVAL;
13338 
13339 	conf.master_pref =
13340 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13341 
13342 	if (info->attrs[NL80211_ATTR_BANDS]) {
13343 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13344 
13345 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13346 			return -EOPNOTSUPP;
13347 
13348 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13349 			return -EINVAL;
13350 
13351 		conf.bands = bands;
13352 	}
13353 
13354 	err = rdev_start_nan(rdev, wdev, &conf);
13355 	if (err)
13356 		return err;
13357 
13358 	wdev->is_running = true;
13359 	rdev->opencount++;
13360 
13361 	return 0;
13362 }
13363 
13364 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13365 {
13366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13367 	struct wireless_dev *wdev = info->user_ptr[1];
13368 
13369 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13370 		return -EOPNOTSUPP;
13371 
13372 	cfg80211_stop_nan(rdev, wdev);
13373 
13374 	return 0;
13375 }
13376 
13377 static int validate_nan_filter(struct nlattr *filter_attr)
13378 {
13379 	struct nlattr *attr;
13380 	int len = 0, n_entries = 0, rem;
13381 
13382 	nla_for_each_nested(attr, filter_attr, rem) {
13383 		len += nla_len(attr);
13384 		n_entries++;
13385 	}
13386 
13387 	if (len >= U8_MAX)
13388 		return -EINVAL;
13389 
13390 	return n_entries;
13391 }
13392 
13393 static int handle_nan_filter(struct nlattr *attr_filter,
13394 			     struct cfg80211_nan_func *func,
13395 			     bool tx)
13396 {
13397 	struct nlattr *attr;
13398 	int n_entries, rem, i;
13399 	struct cfg80211_nan_func_filter *filter;
13400 
13401 	n_entries = validate_nan_filter(attr_filter);
13402 	if (n_entries < 0)
13403 		return n_entries;
13404 
13405 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13406 
13407 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13408 	if (!filter)
13409 		return -ENOMEM;
13410 
13411 	i = 0;
13412 	nla_for_each_nested(attr, attr_filter, rem) {
13413 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13414 		if (!filter[i].filter)
13415 			goto err;
13416 
13417 		filter[i].len = nla_len(attr);
13418 		i++;
13419 	}
13420 	if (tx) {
13421 		func->num_tx_filters = n_entries;
13422 		func->tx_filters = filter;
13423 	} else {
13424 		func->num_rx_filters = n_entries;
13425 		func->rx_filters = filter;
13426 	}
13427 
13428 	return 0;
13429 
13430 err:
13431 	i = 0;
13432 	nla_for_each_nested(attr, attr_filter, rem) {
13433 		kfree(filter[i].filter);
13434 		i++;
13435 	}
13436 	kfree(filter);
13437 	return -ENOMEM;
13438 }
13439 
13440 static int nl80211_nan_add_func(struct sk_buff *skb,
13441 				struct genl_info *info)
13442 {
13443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13444 	struct wireless_dev *wdev = info->user_ptr[1];
13445 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13446 	struct cfg80211_nan_func *func;
13447 	struct sk_buff *msg = NULL;
13448 	void *hdr = NULL;
13449 	int err = 0;
13450 
13451 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13452 		return -EOPNOTSUPP;
13453 
13454 	if (!wdev_running(wdev))
13455 		return -ENOTCONN;
13456 
13457 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13458 		return -EINVAL;
13459 
13460 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13461 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13462 					  nl80211_nan_func_policy,
13463 					  info->extack);
13464 	if (err)
13465 		return err;
13466 
13467 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13468 	if (!func)
13469 		return -ENOMEM;
13470 
13471 	func->cookie = cfg80211_assign_cookie(rdev);
13472 
13473 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13474 		err = -EINVAL;
13475 		goto out;
13476 	}
13477 
13478 
13479 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13480 
13481 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13482 		err = -EINVAL;
13483 		goto out;
13484 	}
13485 
13486 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13487 	       sizeof(func->service_id));
13488 
13489 	func->close_range =
13490 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13491 
13492 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13493 		func->serv_spec_info_len =
13494 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13495 		func->serv_spec_info =
13496 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13497 				func->serv_spec_info_len,
13498 				GFP_KERNEL);
13499 		if (!func->serv_spec_info) {
13500 			err = -ENOMEM;
13501 			goto out;
13502 		}
13503 	}
13504 
13505 	if (tb[NL80211_NAN_FUNC_TTL])
13506 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13507 
13508 	switch (func->type) {
13509 	case NL80211_NAN_FUNC_PUBLISH:
13510 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13511 			err = -EINVAL;
13512 			goto out;
13513 		}
13514 
13515 		func->publish_type =
13516 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13517 		func->publish_bcast =
13518 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13519 
13520 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13521 			func->publish_bcast) {
13522 			err = -EINVAL;
13523 			goto out;
13524 		}
13525 		break;
13526 	case NL80211_NAN_FUNC_SUBSCRIBE:
13527 		func->subscribe_active =
13528 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13529 		break;
13530 	case NL80211_NAN_FUNC_FOLLOW_UP:
13531 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13532 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13533 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13534 			err = -EINVAL;
13535 			goto out;
13536 		}
13537 
13538 		func->followup_id =
13539 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13540 		func->followup_reqid =
13541 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13542 		memcpy(func->followup_dest.addr,
13543 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13544 		       sizeof(func->followup_dest.addr));
13545 		if (func->ttl) {
13546 			err = -EINVAL;
13547 			goto out;
13548 		}
13549 		break;
13550 	default:
13551 		err = -EINVAL;
13552 		goto out;
13553 	}
13554 
13555 	if (tb[NL80211_NAN_FUNC_SRF]) {
13556 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13557 
13558 		err = nla_parse_nested_deprecated(srf_tb,
13559 						  NL80211_NAN_SRF_ATTR_MAX,
13560 						  tb[NL80211_NAN_FUNC_SRF],
13561 						  nl80211_nan_srf_policy,
13562 						  info->extack);
13563 		if (err)
13564 			goto out;
13565 
13566 		func->srf_include =
13567 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13568 
13569 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13570 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13571 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13572 				err = -EINVAL;
13573 				goto out;
13574 			}
13575 
13576 			func->srf_bf_len =
13577 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13578 			func->srf_bf =
13579 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13580 					func->srf_bf_len, GFP_KERNEL);
13581 			if (!func->srf_bf) {
13582 				err = -ENOMEM;
13583 				goto out;
13584 			}
13585 
13586 			func->srf_bf_idx =
13587 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13588 		} else {
13589 			struct nlattr *attr, *mac_attr =
13590 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13591 			int n_entries, rem, i = 0;
13592 
13593 			if (!mac_attr) {
13594 				err = -EINVAL;
13595 				goto out;
13596 			}
13597 
13598 			n_entries = validate_acl_mac_addrs(mac_attr);
13599 			if (n_entries <= 0) {
13600 				err = -EINVAL;
13601 				goto out;
13602 			}
13603 
13604 			func->srf_num_macs = n_entries;
13605 			func->srf_macs =
13606 				kcalloc(n_entries, sizeof(*func->srf_macs),
13607 					GFP_KERNEL);
13608 			if (!func->srf_macs) {
13609 				err = -ENOMEM;
13610 				goto out;
13611 			}
13612 
13613 			nla_for_each_nested(attr, mac_attr, rem)
13614 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13615 				       sizeof(*func->srf_macs));
13616 		}
13617 	}
13618 
13619 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13620 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13621 					func, true);
13622 		if (err)
13623 			goto out;
13624 	}
13625 
13626 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13627 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13628 					func, false);
13629 		if (err)
13630 			goto out;
13631 	}
13632 
13633 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13634 	if (!msg) {
13635 		err = -ENOMEM;
13636 		goto out;
13637 	}
13638 
13639 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13640 			     NL80211_CMD_ADD_NAN_FUNCTION);
13641 	/* This can't really happen - we just allocated 4KB */
13642 	if (WARN_ON(!hdr)) {
13643 		err = -ENOMEM;
13644 		goto out;
13645 	}
13646 
13647 	err = rdev_add_nan_func(rdev, wdev, func);
13648 out:
13649 	if (err < 0) {
13650 		cfg80211_free_nan_func(func);
13651 		nlmsg_free(msg);
13652 		return err;
13653 	}
13654 
13655 	/* propagate the instance id and cookie to userspace  */
13656 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13657 			      NL80211_ATTR_PAD))
13658 		goto nla_put_failure;
13659 
13660 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13661 	if (!func_attr)
13662 		goto nla_put_failure;
13663 
13664 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13665 		       func->instance_id))
13666 		goto nla_put_failure;
13667 
13668 	nla_nest_end(msg, func_attr);
13669 
13670 	genlmsg_end(msg, hdr);
13671 	return genlmsg_reply(msg, info);
13672 
13673 nla_put_failure:
13674 	nlmsg_free(msg);
13675 	return -ENOBUFS;
13676 }
13677 
13678 static int nl80211_nan_del_func(struct sk_buff *skb,
13679 			       struct genl_info *info)
13680 {
13681 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13682 	struct wireless_dev *wdev = info->user_ptr[1];
13683 	u64 cookie;
13684 
13685 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13686 		return -EOPNOTSUPP;
13687 
13688 	if (!wdev_running(wdev))
13689 		return -ENOTCONN;
13690 
13691 	if (!info->attrs[NL80211_ATTR_COOKIE])
13692 		return -EINVAL;
13693 
13694 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13695 
13696 	rdev_del_nan_func(rdev, wdev, cookie);
13697 
13698 	return 0;
13699 }
13700 
13701 static int nl80211_nan_change_config(struct sk_buff *skb,
13702 				     struct genl_info *info)
13703 {
13704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13705 	struct wireless_dev *wdev = info->user_ptr[1];
13706 	struct cfg80211_nan_conf conf = {};
13707 	u32 changed = 0;
13708 
13709 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13710 		return -EOPNOTSUPP;
13711 
13712 	if (!wdev_running(wdev))
13713 		return -ENOTCONN;
13714 
13715 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13716 		conf.master_pref =
13717 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13718 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13719 			return -EINVAL;
13720 
13721 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13722 	}
13723 
13724 	if (info->attrs[NL80211_ATTR_BANDS]) {
13725 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13726 
13727 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13728 			return -EOPNOTSUPP;
13729 
13730 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13731 			return -EINVAL;
13732 
13733 		conf.bands = bands;
13734 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13735 	}
13736 
13737 	if (!changed)
13738 		return -EINVAL;
13739 
13740 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13741 }
13742 
13743 void cfg80211_nan_match(struct wireless_dev *wdev,
13744 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13745 {
13746 	struct wiphy *wiphy = wdev->wiphy;
13747 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13748 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13749 	struct sk_buff *msg;
13750 	void *hdr;
13751 
13752 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13753 		return;
13754 
13755 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13756 	if (!msg)
13757 		return;
13758 
13759 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13760 	if (!hdr) {
13761 		nlmsg_free(msg);
13762 		return;
13763 	}
13764 
13765 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13766 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13767 					 wdev->netdev->ifindex)) ||
13768 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13769 			      NL80211_ATTR_PAD))
13770 		goto nla_put_failure;
13771 
13772 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13773 			      NL80211_ATTR_PAD) ||
13774 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13775 		goto nla_put_failure;
13776 
13777 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13778 	if (!match_attr)
13779 		goto nla_put_failure;
13780 
13781 	local_func_attr = nla_nest_start_noflag(msg,
13782 						NL80211_NAN_MATCH_FUNC_LOCAL);
13783 	if (!local_func_attr)
13784 		goto nla_put_failure;
13785 
13786 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13787 		goto nla_put_failure;
13788 
13789 	nla_nest_end(msg, local_func_attr);
13790 
13791 	peer_func_attr = nla_nest_start_noflag(msg,
13792 					       NL80211_NAN_MATCH_FUNC_PEER);
13793 	if (!peer_func_attr)
13794 		goto nla_put_failure;
13795 
13796 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13797 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13798 		goto nla_put_failure;
13799 
13800 	if (match->info && match->info_len &&
13801 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13802 		    match->info))
13803 		goto nla_put_failure;
13804 
13805 	nla_nest_end(msg, peer_func_attr);
13806 	nla_nest_end(msg, match_attr);
13807 	genlmsg_end(msg, hdr);
13808 
13809 	if (!wdev->owner_nlportid)
13810 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13811 					msg, 0, NL80211_MCGRP_NAN, gfp);
13812 	else
13813 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13814 				wdev->owner_nlportid);
13815 
13816 	return;
13817 
13818 nla_put_failure:
13819 	nlmsg_free(msg);
13820 }
13821 EXPORT_SYMBOL(cfg80211_nan_match);
13822 
13823 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13824 				  u8 inst_id,
13825 				  enum nl80211_nan_func_term_reason reason,
13826 				  u64 cookie, gfp_t gfp)
13827 {
13828 	struct wiphy *wiphy = wdev->wiphy;
13829 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13830 	struct sk_buff *msg;
13831 	struct nlattr *func_attr;
13832 	void *hdr;
13833 
13834 	if (WARN_ON(!inst_id))
13835 		return;
13836 
13837 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13838 	if (!msg)
13839 		return;
13840 
13841 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13842 	if (!hdr) {
13843 		nlmsg_free(msg);
13844 		return;
13845 	}
13846 
13847 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13848 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13849 					 wdev->netdev->ifindex)) ||
13850 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13851 			      NL80211_ATTR_PAD))
13852 		goto nla_put_failure;
13853 
13854 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13855 			      NL80211_ATTR_PAD))
13856 		goto nla_put_failure;
13857 
13858 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13859 	if (!func_attr)
13860 		goto nla_put_failure;
13861 
13862 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13863 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13864 		goto nla_put_failure;
13865 
13866 	nla_nest_end(msg, func_attr);
13867 	genlmsg_end(msg, hdr);
13868 
13869 	if (!wdev->owner_nlportid)
13870 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13871 					msg, 0, NL80211_MCGRP_NAN, gfp);
13872 	else
13873 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13874 				wdev->owner_nlportid);
13875 
13876 	return;
13877 
13878 nla_put_failure:
13879 	nlmsg_free(msg);
13880 }
13881 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13882 
13883 static int nl80211_get_protocol_features(struct sk_buff *skb,
13884 					 struct genl_info *info)
13885 {
13886 	void *hdr;
13887 	struct sk_buff *msg;
13888 
13889 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13890 	if (!msg)
13891 		return -ENOMEM;
13892 
13893 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13894 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13895 	if (!hdr)
13896 		goto nla_put_failure;
13897 
13898 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13899 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13900 		goto nla_put_failure;
13901 
13902 	genlmsg_end(msg, hdr);
13903 	return genlmsg_reply(msg, info);
13904 
13905  nla_put_failure:
13906 	kfree_skb(msg);
13907 	return -ENOBUFS;
13908 }
13909 
13910 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13911 {
13912 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13913 	struct cfg80211_update_ft_ies_params ft_params;
13914 	struct net_device *dev = info->user_ptr[1];
13915 
13916 	if (!rdev->ops->update_ft_ies)
13917 		return -EOPNOTSUPP;
13918 
13919 	if (!info->attrs[NL80211_ATTR_MDID] ||
13920 	    !info->attrs[NL80211_ATTR_IE])
13921 		return -EINVAL;
13922 
13923 	memset(&ft_params, 0, sizeof(ft_params));
13924 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13925 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13926 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13927 
13928 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13929 }
13930 
13931 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13932 				       struct genl_info *info)
13933 {
13934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13935 	struct wireless_dev *wdev = info->user_ptr[1];
13936 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13937 	u16 duration;
13938 	int ret;
13939 
13940 	if (!rdev->ops->crit_proto_start)
13941 		return -EOPNOTSUPP;
13942 
13943 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13944 		return -EINVAL;
13945 
13946 	if (rdev->crit_proto_nlportid)
13947 		return -EBUSY;
13948 
13949 	/* determine protocol if provided */
13950 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13951 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13952 
13953 	if (proto >= NUM_NL80211_CRIT_PROTO)
13954 		return -EINVAL;
13955 
13956 	/* timeout must be provided */
13957 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13958 		return -EINVAL;
13959 
13960 	duration =
13961 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13962 
13963 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13964 	if (!ret)
13965 		rdev->crit_proto_nlportid = info->snd_portid;
13966 
13967 	return ret;
13968 }
13969 
13970 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13971 				      struct genl_info *info)
13972 {
13973 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13974 	struct wireless_dev *wdev = info->user_ptr[1];
13975 
13976 	if (!rdev->ops->crit_proto_stop)
13977 		return -EOPNOTSUPP;
13978 
13979 	if (rdev->crit_proto_nlportid) {
13980 		rdev->crit_proto_nlportid = 0;
13981 		rdev_crit_proto_stop(rdev, wdev);
13982 	}
13983 	return 0;
13984 }
13985 
13986 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13987 				       struct nlattr *attr,
13988 				       struct netlink_ext_ack *extack)
13989 {
13990 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13991 		if (attr->nla_type & NLA_F_NESTED) {
13992 			NL_SET_ERR_MSG_ATTR(extack, attr,
13993 					    "unexpected nested data");
13994 			return -EINVAL;
13995 		}
13996 
13997 		return 0;
13998 	}
13999 
14000 	if (!(attr->nla_type & NLA_F_NESTED)) {
14001 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14002 		return -EINVAL;
14003 	}
14004 
14005 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14006 }
14007 
14008 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14009 {
14010 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14011 	struct wireless_dev *wdev =
14012 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14013 					   info->attrs);
14014 	int i, err;
14015 	u32 vid, subcmd;
14016 
14017 	if (!rdev->wiphy.vendor_commands)
14018 		return -EOPNOTSUPP;
14019 
14020 	if (IS_ERR(wdev)) {
14021 		err = PTR_ERR(wdev);
14022 		if (err != -EINVAL)
14023 			return err;
14024 		wdev = NULL;
14025 	} else if (wdev->wiphy != &rdev->wiphy) {
14026 		return -EINVAL;
14027 	}
14028 
14029 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14030 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14031 		return -EINVAL;
14032 
14033 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14034 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14035 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14036 		const struct wiphy_vendor_command *vcmd;
14037 		void *data = NULL;
14038 		int len = 0;
14039 
14040 		vcmd = &rdev->wiphy.vendor_commands[i];
14041 
14042 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14043 			continue;
14044 
14045 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14046 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14047 			if (!wdev)
14048 				return -EINVAL;
14049 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14050 			    !wdev->netdev)
14051 				return -EINVAL;
14052 
14053 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14054 				if (!wdev_running(wdev))
14055 					return -ENETDOWN;
14056 			}
14057 		} else {
14058 			wdev = NULL;
14059 		}
14060 
14061 		if (!vcmd->doit)
14062 			return -EOPNOTSUPP;
14063 
14064 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14065 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14066 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14067 
14068 			err = nl80211_vendor_check_policy(vcmd,
14069 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14070 					info->extack);
14071 			if (err)
14072 				return err;
14073 		}
14074 
14075 		rdev->cur_cmd_info = info;
14076 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14077 		rdev->cur_cmd_info = NULL;
14078 		return err;
14079 	}
14080 
14081 	return -EOPNOTSUPP;
14082 }
14083 
14084 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14085 				       struct netlink_callback *cb,
14086 				       struct cfg80211_registered_device **rdev,
14087 				       struct wireless_dev **wdev)
14088 {
14089 	struct nlattr **attrbuf;
14090 	u32 vid, subcmd;
14091 	unsigned int i;
14092 	int vcmd_idx = -1;
14093 	int err;
14094 	void *data = NULL;
14095 	unsigned int data_len = 0;
14096 
14097 	if (cb->args[0]) {
14098 		/* subtract the 1 again here */
14099 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14100 		struct wireless_dev *tmp;
14101 
14102 		if (!wiphy)
14103 			return -ENODEV;
14104 		*rdev = wiphy_to_rdev(wiphy);
14105 		*wdev = NULL;
14106 
14107 		if (cb->args[1]) {
14108 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14109 				if (tmp->identifier == cb->args[1] - 1) {
14110 					*wdev = tmp;
14111 					break;
14112 				}
14113 			}
14114 		}
14115 
14116 		/* keep rtnl locked in successful case */
14117 		return 0;
14118 	}
14119 
14120 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14121 	if (!attrbuf)
14122 		return -ENOMEM;
14123 
14124 	err = nlmsg_parse_deprecated(cb->nlh,
14125 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14126 				     attrbuf, nl80211_fam.maxattr,
14127 				     nl80211_policy, NULL);
14128 	if (err)
14129 		goto out;
14130 
14131 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14132 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14133 		err = -EINVAL;
14134 		goto out;
14135 	}
14136 
14137 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14138 	if (IS_ERR(*wdev))
14139 		*wdev = NULL;
14140 
14141 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14142 	if (IS_ERR(*rdev)) {
14143 		err = PTR_ERR(*rdev);
14144 		goto out;
14145 	}
14146 
14147 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14148 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14149 
14150 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14151 		const struct wiphy_vendor_command *vcmd;
14152 
14153 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14154 
14155 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14156 			continue;
14157 
14158 		if (!vcmd->dumpit) {
14159 			err = -EOPNOTSUPP;
14160 			goto out;
14161 		}
14162 
14163 		vcmd_idx = i;
14164 		break;
14165 	}
14166 
14167 	if (vcmd_idx < 0) {
14168 		err = -EOPNOTSUPP;
14169 		goto out;
14170 	}
14171 
14172 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14173 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14174 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14175 
14176 		err = nl80211_vendor_check_policy(
14177 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14178 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14179 				cb->extack);
14180 		if (err)
14181 			goto out;
14182 	}
14183 
14184 	/* 0 is the first index - add 1 to parse only once */
14185 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14186 	/* add 1 to know if it was NULL */
14187 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14188 	cb->args[2] = vcmd_idx;
14189 	cb->args[3] = (unsigned long)data;
14190 	cb->args[4] = data_len;
14191 
14192 	/* keep rtnl locked in successful case */
14193 	err = 0;
14194 out:
14195 	kfree(attrbuf);
14196 	return err;
14197 }
14198 
14199 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14200 				   struct netlink_callback *cb)
14201 {
14202 	struct cfg80211_registered_device *rdev;
14203 	struct wireless_dev *wdev;
14204 	unsigned int vcmd_idx;
14205 	const struct wiphy_vendor_command *vcmd;
14206 	void *data;
14207 	int data_len;
14208 	int err;
14209 	struct nlattr *vendor_data;
14210 
14211 	rtnl_lock();
14212 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14213 	if (err)
14214 		goto out;
14215 
14216 	vcmd_idx = cb->args[2];
14217 	data = (void *)cb->args[3];
14218 	data_len = cb->args[4];
14219 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14220 
14221 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14222 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14223 		if (!wdev) {
14224 			err = -EINVAL;
14225 			goto out;
14226 		}
14227 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14228 		    !wdev->netdev) {
14229 			err = -EINVAL;
14230 			goto out;
14231 		}
14232 
14233 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14234 			if (!wdev_running(wdev)) {
14235 				err = -ENETDOWN;
14236 				goto out;
14237 			}
14238 		}
14239 	}
14240 
14241 	while (1) {
14242 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14243 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14244 					   NL80211_CMD_VENDOR);
14245 		if (!hdr)
14246 			break;
14247 
14248 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14249 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14250 					       wdev_id(wdev),
14251 					       NL80211_ATTR_PAD))) {
14252 			genlmsg_cancel(skb, hdr);
14253 			break;
14254 		}
14255 
14256 		vendor_data = nla_nest_start_noflag(skb,
14257 						    NL80211_ATTR_VENDOR_DATA);
14258 		if (!vendor_data) {
14259 			genlmsg_cancel(skb, hdr);
14260 			break;
14261 		}
14262 
14263 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14264 				   (unsigned long *)&cb->args[5]);
14265 		nla_nest_end(skb, vendor_data);
14266 
14267 		if (err == -ENOBUFS || err == -ENOENT) {
14268 			genlmsg_cancel(skb, hdr);
14269 			break;
14270 		} else if (err <= 0) {
14271 			genlmsg_cancel(skb, hdr);
14272 			goto out;
14273 		}
14274 
14275 		genlmsg_end(skb, hdr);
14276 	}
14277 
14278 	err = skb->len;
14279  out:
14280 	rtnl_unlock();
14281 	return err;
14282 }
14283 
14284 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14285 					   enum nl80211_commands cmd,
14286 					   enum nl80211_attrs attr,
14287 					   int approxlen)
14288 {
14289 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14290 
14291 	if (WARN_ON(!rdev->cur_cmd_info))
14292 		return NULL;
14293 
14294 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14295 					   rdev->cur_cmd_info->snd_portid,
14296 					   rdev->cur_cmd_info->snd_seq,
14297 					   cmd, attr, NULL, GFP_KERNEL);
14298 }
14299 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14300 
14301 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14302 {
14303 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14304 	void *hdr = ((void **)skb->cb)[1];
14305 	struct nlattr *data = ((void **)skb->cb)[2];
14306 
14307 	/* clear CB data for netlink core to own from now on */
14308 	memset(skb->cb, 0, sizeof(skb->cb));
14309 
14310 	if (WARN_ON(!rdev->cur_cmd_info)) {
14311 		kfree_skb(skb);
14312 		return -EINVAL;
14313 	}
14314 
14315 	nla_nest_end(skb, data);
14316 	genlmsg_end(skb, hdr);
14317 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14318 }
14319 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14320 
14321 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14322 {
14323 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14324 
14325 	if (WARN_ON(!rdev->cur_cmd_info))
14326 		return 0;
14327 
14328 	return rdev->cur_cmd_info->snd_portid;
14329 }
14330 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14331 
14332 static int nl80211_set_qos_map(struct sk_buff *skb,
14333 			       struct genl_info *info)
14334 {
14335 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14336 	struct cfg80211_qos_map *qos_map = NULL;
14337 	struct net_device *dev = info->user_ptr[1];
14338 	u8 *pos, len, num_des, des_len, des;
14339 	int ret;
14340 
14341 	if (!rdev->ops->set_qos_map)
14342 		return -EOPNOTSUPP;
14343 
14344 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14345 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14346 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14347 
14348 		if (len % 2)
14349 			return -EINVAL;
14350 
14351 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14352 		if (!qos_map)
14353 			return -ENOMEM;
14354 
14355 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14356 		if (num_des) {
14357 			des_len = num_des *
14358 				sizeof(struct cfg80211_dscp_exception);
14359 			memcpy(qos_map->dscp_exception, pos, des_len);
14360 			qos_map->num_des = num_des;
14361 			for (des = 0; des < num_des; des++) {
14362 				if (qos_map->dscp_exception[des].up > 7) {
14363 					kfree(qos_map);
14364 					return -EINVAL;
14365 				}
14366 			}
14367 			pos += des_len;
14368 		}
14369 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14370 	}
14371 
14372 	wdev_lock(dev->ieee80211_ptr);
14373 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14374 	if (!ret)
14375 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14376 	wdev_unlock(dev->ieee80211_ptr);
14377 
14378 	kfree(qos_map);
14379 	return ret;
14380 }
14381 
14382 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14383 {
14384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14385 	struct net_device *dev = info->user_ptr[1];
14386 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14387 	const u8 *peer;
14388 	u8 tsid, up;
14389 	u16 admitted_time = 0;
14390 	int err;
14391 
14392 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14393 		return -EOPNOTSUPP;
14394 
14395 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14396 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14397 		return -EINVAL;
14398 
14399 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14400 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14401 
14402 	/* WMM uses TIDs 0-7 even for TSPEC */
14403 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14404 		/* TODO: handle 802.11 TSPEC/admission control
14405 		 * need more attributes for that (e.g. BA session requirement);
14406 		 * change the WMM adminssion test above to allow both then
14407 		 */
14408 		return -EINVAL;
14409 	}
14410 
14411 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14412 
14413 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14414 		admitted_time =
14415 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14416 		if (!admitted_time)
14417 			return -EINVAL;
14418 	}
14419 
14420 	wdev_lock(wdev);
14421 	switch (wdev->iftype) {
14422 	case NL80211_IFTYPE_STATION:
14423 	case NL80211_IFTYPE_P2P_CLIENT:
14424 		if (wdev->current_bss)
14425 			break;
14426 		err = -ENOTCONN;
14427 		goto out;
14428 	default:
14429 		err = -EOPNOTSUPP;
14430 		goto out;
14431 	}
14432 
14433 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14434 
14435  out:
14436 	wdev_unlock(wdev);
14437 	return err;
14438 }
14439 
14440 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14441 {
14442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14443 	struct net_device *dev = info->user_ptr[1];
14444 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14445 	const u8 *peer;
14446 	u8 tsid;
14447 	int err;
14448 
14449 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14450 		return -EINVAL;
14451 
14452 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14453 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14454 
14455 	wdev_lock(wdev);
14456 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14457 	wdev_unlock(wdev);
14458 
14459 	return err;
14460 }
14461 
14462 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14463 				       struct genl_info *info)
14464 {
14465 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14466 	struct net_device *dev = info->user_ptr[1];
14467 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14468 	struct cfg80211_chan_def chandef = {};
14469 	const u8 *addr;
14470 	u8 oper_class;
14471 	int err;
14472 
14473 	if (!rdev->ops->tdls_channel_switch ||
14474 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14475 		return -EOPNOTSUPP;
14476 
14477 	switch (dev->ieee80211_ptr->iftype) {
14478 	case NL80211_IFTYPE_STATION:
14479 	case NL80211_IFTYPE_P2P_CLIENT:
14480 		break;
14481 	default:
14482 		return -EOPNOTSUPP;
14483 	}
14484 
14485 	if (!info->attrs[NL80211_ATTR_MAC] ||
14486 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14487 		return -EINVAL;
14488 
14489 	err = nl80211_parse_chandef(rdev, info, &chandef);
14490 	if (err)
14491 		return err;
14492 
14493 	/*
14494 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14495 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14496 	 * specification is not defined for them.
14497 	 */
14498 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14499 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14500 	    chandef.width != NL80211_CHAN_WIDTH_20)
14501 		return -EINVAL;
14502 
14503 	/* we will be active on the TDLS link */
14504 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14505 					   wdev->iftype))
14506 		return -EINVAL;
14507 
14508 	/* don't allow switching to DFS channels */
14509 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14510 		return -EINVAL;
14511 
14512 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14513 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14514 
14515 	wdev_lock(wdev);
14516 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14517 	wdev_unlock(wdev);
14518 
14519 	return err;
14520 }
14521 
14522 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14523 					      struct genl_info *info)
14524 {
14525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14526 	struct net_device *dev = info->user_ptr[1];
14527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14528 	const u8 *addr;
14529 
14530 	if (!rdev->ops->tdls_channel_switch ||
14531 	    !rdev->ops->tdls_cancel_channel_switch ||
14532 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14533 		return -EOPNOTSUPP;
14534 
14535 	switch (dev->ieee80211_ptr->iftype) {
14536 	case NL80211_IFTYPE_STATION:
14537 	case NL80211_IFTYPE_P2P_CLIENT:
14538 		break;
14539 	default:
14540 		return -EOPNOTSUPP;
14541 	}
14542 
14543 	if (!info->attrs[NL80211_ATTR_MAC])
14544 		return -EINVAL;
14545 
14546 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14547 
14548 	wdev_lock(wdev);
14549 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14550 	wdev_unlock(wdev);
14551 
14552 	return 0;
14553 }
14554 
14555 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14556 					    struct genl_info *info)
14557 {
14558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14559 	struct net_device *dev = info->user_ptr[1];
14560 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14561 	const struct nlattr *nla;
14562 	bool enabled;
14563 
14564 	if (!rdev->ops->set_multicast_to_unicast)
14565 		return -EOPNOTSUPP;
14566 
14567 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14568 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14569 		return -EOPNOTSUPP;
14570 
14571 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14572 	enabled = nla_get_flag(nla);
14573 
14574 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14575 }
14576 
14577 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14578 {
14579 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14580 	struct net_device *dev = info->user_ptr[1];
14581 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14582 	struct cfg80211_pmk_conf pmk_conf = {};
14583 	int ret;
14584 
14585 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14586 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14587 		return -EOPNOTSUPP;
14588 
14589 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14590 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14591 		return -EOPNOTSUPP;
14592 
14593 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14594 		return -EINVAL;
14595 
14596 	wdev_lock(wdev);
14597 	if (!wdev->current_bss) {
14598 		ret = -ENOTCONN;
14599 		goto out;
14600 	}
14601 
14602 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14603 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14604 		ret = -EINVAL;
14605 		goto out;
14606 	}
14607 
14608 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14609 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14610 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14611 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14612 		ret = -EINVAL;
14613 		goto out;
14614 	}
14615 
14616 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14617 		pmk_conf.pmk_r0_name =
14618 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14619 
14620 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14621 out:
14622 	wdev_unlock(wdev);
14623 	return ret;
14624 }
14625 
14626 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14627 {
14628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14629 	struct net_device *dev = info->user_ptr[1];
14630 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14631 	const u8 *aa;
14632 	int ret;
14633 
14634 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14635 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14636 		return -EOPNOTSUPP;
14637 
14638 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14639 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14640 		return -EOPNOTSUPP;
14641 
14642 	if (!info->attrs[NL80211_ATTR_MAC])
14643 		return -EINVAL;
14644 
14645 	wdev_lock(wdev);
14646 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14647 	ret = rdev_del_pmk(rdev, dev, aa);
14648 	wdev_unlock(wdev);
14649 
14650 	return ret;
14651 }
14652 
14653 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14654 {
14655 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14656 	struct net_device *dev = info->user_ptr[1];
14657 	struct cfg80211_external_auth_params params;
14658 
14659 	if (!rdev->ops->external_auth)
14660 		return -EOPNOTSUPP;
14661 
14662 	if (!info->attrs[NL80211_ATTR_SSID] &&
14663 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14664 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14665 		return -EINVAL;
14666 
14667 	if (!info->attrs[NL80211_ATTR_BSSID])
14668 		return -EINVAL;
14669 
14670 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14671 		return -EINVAL;
14672 
14673 	memset(&params, 0, sizeof(params));
14674 
14675 	if (info->attrs[NL80211_ATTR_SSID]) {
14676 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14677 		if (params.ssid.ssid_len == 0)
14678 			return -EINVAL;
14679 		memcpy(params.ssid.ssid,
14680 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14681 		       params.ssid.ssid_len);
14682 	}
14683 
14684 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14685 	       ETH_ALEN);
14686 
14687 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14688 
14689 	if (info->attrs[NL80211_ATTR_PMKID])
14690 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14691 
14692 	return rdev_external_auth(rdev, dev, &params);
14693 }
14694 
14695 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14696 {
14697 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14699 	struct net_device *dev = info->user_ptr[1];
14700 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14701 	const u8 *buf;
14702 	size_t len;
14703 	u8 *dest;
14704 	u16 proto;
14705 	bool noencrypt;
14706 	u64 cookie = 0;
14707 	int err;
14708 
14709 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14710 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14711 		return -EOPNOTSUPP;
14712 
14713 	if (!rdev->ops->tx_control_port)
14714 		return -EOPNOTSUPP;
14715 
14716 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14717 	    !info->attrs[NL80211_ATTR_MAC] ||
14718 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14719 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14720 		return -EINVAL;
14721 	}
14722 
14723 	wdev_lock(wdev);
14724 
14725 	switch (wdev->iftype) {
14726 	case NL80211_IFTYPE_AP:
14727 	case NL80211_IFTYPE_P2P_GO:
14728 	case NL80211_IFTYPE_MESH_POINT:
14729 		break;
14730 	case NL80211_IFTYPE_ADHOC:
14731 	case NL80211_IFTYPE_STATION:
14732 	case NL80211_IFTYPE_P2P_CLIENT:
14733 		if (wdev->current_bss)
14734 			break;
14735 		err = -ENOTCONN;
14736 		goto out;
14737 	default:
14738 		err = -EOPNOTSUPP;
14739 		goto out;
14740 	}
14741 
14742 	wdev_unlock(wdev);
14743 
14744 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14745 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14746 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14747 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14748 	noencrypt =
14749 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14750 
14751 	err = rdev_tx_control_port(rdev, dev, buf, len,
14752 				   dest, cpu_to_be16(proto), noencrypt,
14753 				   dont_wait_for_ack ? NULL : &cookie);
14754 	if (!err && !dont_wait_for_ack)
14755 		nl_set_extack_cookie_u64(info->extack, cookie);
14756 	return err;
14757  out:
14758 	wdev_unlock(wdev);
14759 	return err;
14760 }
14761 
14762 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14763 					   struct genl_info *info)
14764 {
14765 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14766 	struct net_device *dev = info->user_ptr[1];
14767 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14768 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14769 	struct sk_buff *msg;
14770 	void *hdr;
14771 	struct nlattr *ftm_stats_attr;
14772 	int err;
14773 
14774 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14775 		return -EOPNOTSUPP;
14776 
14777 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14778 	if (err)
14779 		return err;
14780 
14781 	if (!ftm_stats.filled)
14782 		return -ENODATA;
14783 
14784 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14785 	if (!msg)
14786 		return -ENOMEM;
14787 
14788 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14789 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14790 	if (!hdr)
14791 		goto nla_put_failure;
14792 
14793 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14794 		goto nla_put_failure;
14795 
14796 	ftm_stats_attr = nla_nest_start_noflag(msg,
14797 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14798 	if (!ftm_stats_attr)
14799 		goto nla_put_failure;
14800 
14801 #define SET_FTM(field, name, type)					 \
14802 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14803 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14804 			     ftm_stats.field))				 \
14805 		goto nla_put_failure; } while (0)
14806 #define SET_FTM_U64(field, name)					 \
14807 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14808 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14809 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14810 		goto nla_put_failure; } while (0)
14811 
14812 	SET_FTM(success_num, SUCCESS_NUM, u32);
14813 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14814 	SET_FTM(failed_num, FAILED_NUM, u32);
14815 	SET_FTM(asap_num, ASAP_NUM, u32);
14816 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14817 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14818 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14819 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14820 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14821 #undef SET_FTM
14822 
14823 	nla_nest_end(msg, ftm_stats_attr);
14824 
14825 	genlmsg_end(msg, hdr);
14826 	return genlmsg_reply(msg, info);
14827 
14828 nla_put_failure:
14829 	nlmsg_free(msg);
14830 	return -ENOBUFS;
14831 }
14832 
14833 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14834 {
14835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14836 	struct cfg80211_update_owe_info owe_info;
14837 	struct net_device *dev = info->user_ptr[1];
14838 
14839 	if (!rdev->ops->update_owe_info)
14840 		return -EOPNOTSUPP;
14841 
14842 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14843 	    !info->attrs[NL80211_ATTR_MAC])
14844 		return -EINVAL;
14845 
14846 	memset(&owe_info, 0, sizeof(owe_info));
14847 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14848 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14849 
14850 	if (info->attrs[NL80211_ATTR_IE]) {
14851 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14852 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14853 	}
14854 
14855 	return rdev_update_owe_info(rdev, dev, &owe_info);
14856 }
14857 
14858 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14859 {
14860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14861 	struct net_device *dev = info->user_ptr[1];
14862 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14863 	struct station_info sinfo = {};
14864 	const u8 *buf;
14865 	size_t len;
14866 	u8 *dest;
14867 	int err;
14868 
14869 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14870 		return -EOPNOTSUPP;
14871 
14872 	if (!info->attrs[NL80211_ATTR_MAC] ||
14873 	    !info->attrs[NL80211_ATTR_FRAME]) {
14874 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14875 		return -EINVAL;
14876 	}
14877 
14878 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14879 		return -EOPNOTSUPP;
14880 
14881 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14882 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14883 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14884 
14885 	if (len < sizeof(struct ethhdr))
14886 		return -EINVAL;
14887 
14888 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14889 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14890 		return -EINVAL;
14891 
14892 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14893 	if (err)
14894 		return err;
14895 
14896 	cfg80211_sinfo_release_content(&sinfo);
14897 
14898 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14899 }
14900 
14901 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14902 			  struct nlattr *attrs[], struct net_device *dev,
14903 			  struct cfg80211_tid_cfg *tid_conf,
14904 			  struct genl_info *info, const u8 *peer)
14905 {
14906 	struct netlink_ext_ack *extack = info->extack;
14907 	u64 mask;
14908 	int err;
14909 
14910 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14911 		return -EINVAL;
14912 
14913 	tid_conf->config_override =
14914 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14915 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14916 
14917 	if (tid_conf->config_override) {
14918 		if (rdev->ops->reset_tid_config) {
14919 			err = rdev_reset_tid_config(rdev, dev, peer,
14920 						    tid_conf->tids);
14921 			if (err)
14922 				return err;
14923 		} else {
14924 			return -EINVAL;
14925 		}
14926 	}
14927 
14928 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14929 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14930 		tid_conf->noack =
14931 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14932 	}
14933 
14934 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14935 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14936 		tid_conf->retry_short =
14937 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14938 
14939 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14940 			return -EINVAL;
14941 	}
14942 
14943 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14944 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14945 		tid_conf->retry_long =
14946 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14947 
14948 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14949 			return -EINVAL;
14950 	}
14951 
14952 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14953 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14954 		tid_conf->ampdu =
14955 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14956 	}
14957 
14958 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14959 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14960 		tid_conf->rtscts =
14961 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14962 	}
14963 
14964 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14965 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14966 		tid_conf->amsdu =
14967 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14968 	}
14969 
14970 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14971 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14972 
14973 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14974 
14975 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14976 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14977 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14978 						    &tid_conf->txrate_mask, dev,
14979 						    true);
14980 			if (err)
14981 				return err;
14982 
14983 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14984 		}
14985 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14986 	}
14987 
14988 	if (peer)
14989 		mask = rdev->wiphy.tid_config_support.peer;
14990 	else
14991 		mask = rdev->wiphy.tid_config_support.vif;
14992 
14993 	if (tid_conf->mask & ~mask) {
14994 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14995 		return -ENOTSUPP;
14996 	}
14997 
14998 	return 0;
14999 }
15000 
15001 static int nl80211_set_tid_config(struct sk_buff *skb,
15002 				  struct genl_info *info)
15003 {
15004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15005 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15006 	struct net_device *dev = info->user_ptr[1];
15007 	struct cfg80211_tid_config *tid_config;
15008 	struct nlattr *tid;
15009 	int conf_idx = 0, rem_conf;
15010 	int ret = -EINVAL;
15011 	u32 num_conf = 0;
15012 
15013 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15014 		return -EINVAL;
15015 
15016 	if (!rdev->ops->set_tid_config)
15017 		return -EOPNOTSUPP;
15018 
15019 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15020 			    rem_conf)
15021 		num_conf++;
15022 
15023 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15024 			     GFP_KERNEL);
15025 	if (!tid_config)
15026 		return -ENOMEM;
15027 
15028 	tid_config->n_tid_conf = num_conf;
15029 
15030 	if (info->attrs[NL80211_ATTR_MAC])
15031 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15032 
15033 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15034 			    rem_conf) {
15035 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15036 				       tid, NULL, NULL);
15037 
15038 		if (ret)
15039 			goto bad_tid_conf;
15040 
15041 		ret = parse_tid_conf(rdev, attrs, dev,
15042 				     &tid_config->tid_conf[conf_idx],
15043 				     info, tid_config->peer);
15044 		if (ret)
15045 			goto bad_tid_conf;
15046 
15047 		conf_idx++;
15048 	}
15049 
15050 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15051 
15052 bad_tid_conf:
15053 	kfree(tid_config);
15054 	return ret;
15055 }
15056 
15057 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15058 {
15059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15060 	struct cfg80211_color_change_settings params = {};
15061 	struct net_device *dev = info->user_ptr[1];
15062 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15063 	struct nlattr **tb;
15064 	u16 offset;
15065 	int err;
15066 
15067 	if (!rdev->ops->color_change)
15068 		return -EOPNOTSUPP;
15069 
15070 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15071 				     NL80211_EXT_FEATURE_BSS_COLOR))
15072 		return -EOPNOTSUPP;
15073 
15074 	if (wdev->iftype != NL80211_IFTYPE_AP)
15075 		return -EOPNOTSUPP;
15076 
15077 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15078 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15079 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15080 		return -EINVAL;
15081 
15082 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15083 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15084 
15085 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15086 	if (err)
15087 		return err;
15088 
15089 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15090 	if (!tb)
15091 		return -ENOMEM;
15092 
15093 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15094 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15095 			       nl80211_policy, info->extack);
15096 	if (err)
15097 		goto out;
15098 
15099 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15100 	if (err)
15101 		goto out;
15102 
15103 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15104 		err = -EINVAL;
15105 		goto out;
15106 	}
15107 
15108 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15109 		err = -EINVAL;
15110 		goto out;
15111 	}
15112 
15113 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15114 	if (offset >= params.beacon_color_change.tail_len) {
15115 		err = -EINVAL;
15116 		goto out;
15117 	}
15118 
15119 	if (params.beacon_color_change.tail[offset] != params.count) {
15120 		err = -EINVAL;
15121 		goto out;
15122 	}
15123 
15124 	params.counter_offset_beacon = offset;
15125 
15126 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15127 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15128 		    sizeof(u16)) {
15129 			err = -EINVAL;
15130 			goto out;
15131 		}
15132 
15133 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15134 		if (offset >= params.beacon_color_change.probe_resp_len) {
15135 			err = -EINVAL;
15136 			goto out;
15137 		}
15138 
15139 		if (params.beacon_color_change.probe_resp[offset] !=
15140 		    params.count) {
15141 			err = -EINVAL;
15142 			goto out;
15143 		}
15144 
15145 		params.counter_offset_presp = offset;
15146 	}
15147 
15148 	wdev_lock(wdev);
15149 	err = rdev_color_change(rdev, dev, &params);
15150 	wdev_unlock(wdev);
15151 
15152 out:
15153 	kfree(params.beacon_next.mbssid_ies);
15154 	kfree(params.beacon_color_change.mbssid_ies);
15155 	kfree(tb);
15156 	return err;
15157 }
15158 
15159 static int nl80211_set_fils_aad(struct sk_buff *skb,
15160 				struct genl_info *info)
15161 {
15162 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15163 	struct net_device *dev = info->user_ptr[1];
15164 	struct cfg80211_fils_aad fils_aad = {};
15165 	u8 *nonces;
15166 
15167 	if (!info->attrs[NL80211_ATTR_MAC] ||
15168 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15169 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15170 		return -EINVAL;
15171 
15172 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15173 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15174 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15175 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15176 	fils_aad.snonce = nonces;
15177 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15178 
15179 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15180 }
15181 
15182 #define NL80211_FLAG_NEED_WIPHY		0x01
15183 #define NL80211_FLAG_NEED_NETDEV	0x02
15184 #define NL80211_FLAG_NEED_RTNL		0x04
15185 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15186 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15187 					 NL80211_FLAG_CHECK_NETDEV_UP)
15188 #define NL80211_FLAG_NEED_WDEV		0x10
15189 /* If a netdev is associated, it must be UP, P2P must be started */
15190 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15191 					 NL80211_FLAG_CHECK_NETDEV_UP)
15192 #define NL80211_FLAG_CLEAR_SKB		0x20
15193 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15194 
15195 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15196 			    struct genl_info *info)
15197 {
15198 	struct cfg80211_registered_device *rdev = NULL;
15199 	struct wireless_dev *wdev;
15200 	struct net_device *dev;
15201 
15202 	rtnl_lock();
15203 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15204 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15205 		if (IS_ERR(rdev)) {
15206 			rtnl_unlock();
15207 			return PTR_ERR(rdev);
15208 		}
15209 		info->user_ptr[0] = rdev;
15210 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15211 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15212 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15213 						  info->attrs);
15214 		if (IS_ERR(wdev)) {
15215 			rtnl_unlock();
15216 			return PTR_ERR(wdev);
15217 		}
15218 
15219 		dev = wdev->netdev;
15220 		rdev = wiphy_to_rdev(wdev->wiphy);
15221 
15222 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15223 			if (!dev) {
15224 				rtnl_unlock();
15225 				return -EINVAL;
15226 			}
15227 
15228 			info->user_ptr[1] = dev;
15229 		} else {
15230 			info->user_ptr[1] = wdev;
15231 		}
15232 
15233 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15234 		    !wdev_running(wdev)) {
15235 			rtnl_unlock();
15236 			return -ENETDOWN;
15237 		}
15238 
15239 		dev_hold(dev);
15240 		info->user_ptr[0] = rdev;
15241 	}
15242 
15243 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15244 		wiphy_lock(&rdev->wiphy);
15245 		/* we keep the mutex locked until post_doit */
15246 		__release(&rdev->wiphy.mtx);
15247 	}
15248 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15249 		rtnl_unlock();
15250 
15251 	return 0;
15252 }
15253 
15254 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15255 			      struct genl_info *info)
15256 {
15257 	if (info->user_ptr[1]) {
15258 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15259 			struct wireless_dev *wdev = info->user_ptr[1];
15260 
15261 			dev_put(wdev->netdev);
15262 		} else {
15263 			dev_put(info->user_ptr[1]);
15264 		}
15265 	}
15266 
15267 	if (info->user_ptr[0] &&
15268 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15269 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15270 
15271 		/* we kept the mutex locked since pre_doit */
15272 		__acquire(&rdev->wiphy.mtx);
15273 		wiphy_unlock(&rdev->wiphy);
15274 	}
15275 
15276 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15277 		rtnl_unlock();
15278 
15279 	/* If needed, clear the netlink message payload from the SKB
15280 	 * as it might contain key data that shouldn't stick around on
15281 	 * the heap after the SKB is freed. The netlink message header
15282 	 * is still needed for further processing, so leave it intact.
15283 	 */
15284 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15285 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15286 
15287 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15288 	}
15289 }
15290 
15291 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15292 				     struct cfg80211_sar_specs *sar_specs,
15293 				     struct nlattr *spec[], int index)
15294 {
15295 	u32 range_index, i;
15296 
15297 	if (!sar_specs || !spec)
15298 		return -EINVAL;
15299 
15300 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15301 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15302 		return -EINVAL;
15303 
15304 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15305 
15306 	/* check if range_index exceeds num_freq_ranges */
15307 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15308 		return -EINVAL;
15309 
15310 	/* check if range_index duplicates */
15311 	for (i = 0; i < index; i++) {
15312 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15313 			return -EINVAL;
15314 	}
15315 
15316 	sar_specs->sub_specs[index].power =
15317 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15318 
15319 	sar_specs->sub_specs[index].freq_range_index = range_index;
15320 
15321 	return 0;
15322 }
15323 
15324 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15325 {
15326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15327 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15328 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15329 	struct cfg80211_sar_specs *sar_spec;
15330 	enum nl80211_sar_type type;
15331 	struct nlattr *spec_list;
15332 	u32 specs;
15333 	int rem, err;
15334 
15335 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15336 		return -EOPNOTSUPP;
15337 
15338 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15339 		return -EINVAL;
15340 
15341 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15342 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15343 			 NULL, NULL);
15344 
15345 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15346 		return -EINVAL;
15347 
15348 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15349 	if (type != rdev->wiphy.sar_capa->type)
15350 		return -EINVAL;
15351 
15352 	specs = 0;
15353 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15354 		specs++;
15355 
15356 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15357 		return -EINVAL;
15358 
15359 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15360 	if (!sar_spec)
15361 		return -ENOMEM;
15362 
15363 	sar_spec->type = type;
15364 	specs = 0;
15365 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15366 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15367 				 spec_list, NULL, NULL);
15368 
15369 		switch (type) {
15370 		case NL80211_SAR_TYPE_POWER:
15371 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15372 						      spec, specs)) {
15373 				err = -EINVAL;
15374 				goto error;
15375 			}
15376 			break;
15377 		default:
15378 			err = -EINVAL;
15379 			goto error;
15380 		}
15381 		specs++;
15382 	}
15383 
15384 	sar_spec->num_sub_specs = specs;
15385 
15386 	rdev->cur_cmd_info = info;
15387 	err = rdev_set_sar_specs(rdev, sar_spec);
15388 	rdev->cur_cmd_info = NULL;
15389 error:
15390 	kfree(sar_spec);
15391 	return err;
15392 }
15393 
15394 static const struct genl_ops nl80211_ops[] = {
15395 	{
15396 		.cmd = NL80211_CMD_GET_WIPHY,
15397 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15398 		.doit = nl80211_get_wiphy,
15399 		.dumpit = nl80211_dump_wiphy,
15400 		.done = nl80211_dump_wiphy_done,
15401 		/* can be retrieved by unprivileged users */
15402 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15403 	},
15404 };
15405 
15406 static const struct genl_small_ops nl80211_small_ops[] = {
15407 	{
15408 		.cmd = NL80211_CMD_SET_WIPHY,
15409 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15410 		.doit = nl80211_set_wiphy,
15411 		.flags = GENL_UNS_ADMIN_PERM,
15412 	},
15413 	{
15414 		.cmd = NL80211_CMD_GET_INTERFACE,
15415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15416 		.doit = nl80211_get_interface,
15417 		.dumpit = nl80211_dump_interface,
15418 		/* can be retrieved by unprivileged users */
15419 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15420 	},
15421 	{
15422 		.cmd = NL80211_CMD_SET_INTERFACE,
15423 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15424 		.doit = nl80211_set_interface,
15425 		.flags = GENL_UNS_ADMIN_PERM,
15426 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15427 				  NL80211_FLAG_NEED_RTNL,
15428 	},
15429 	{
15430 		.cmd = NL80211_CMD_NEW_INTERFACE,
15431 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15432 		.doit = nl80211_new_interface,
15433 		.flags = GENL_UNS_ADMIN_PERM,
15434 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15435 				  NL80211_FLAG_NEED_RTNL |
15436 				  /* we take the wiphy mutex later ourselves */
15437 				  NL80211_FLAG_NO_WIPHY_MTX,
15438 	},
15439 	{
15440 		.cmd = NL80211_CMD_DEL_INTERFACE,
15441 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15442 		.doit = nl80211_del_interface,
15443 		.flags = GENL_UNS_ADMIN_PERM,
15444 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15445 				  NL80211_FLAG_NEED_RTNL,
15446 	},
15447 	{
15448 		.cmd = NL80211_CMD_GET_KEY,
15449 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15450 		.doit = nl80211_get_key,
15451 		.flags = GENL_UNS_ADMIN_PERM,
15452 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15453 	},
15454 	{
15455 		.cmd = NL80211_CMD_SET_KEY,
15456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15457 		.doit = nl80211_set_key,
15458 		.flags = GENL_UNS_ADMIN_PERM,
15459 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15460 				  NL80211_FLAG_CLEAR_SKB,
15461 	},
15462 	{
15463 		.cmd = NL80211_CMD_NEW_KEY,
15464 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15465 		.doit = nl80211_new_key,
15466 		.flags = GENL_UNS_ADMIN_PERM,
15467 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15468 				  NL80211_FLAG_CLEAR_SKB,
15469 	},
15470 	{
15471 		.cmd = NL80211_CMD_DEL_KEY,
15472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15473 		.doit = nl80211_del_key,
15474 		.flags = GENL_UNS_ADMIN_PERM,
15475 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15476 	},
15477 	{
15478 		.cmd = NL80211_CMD_SET_BEACON,
15479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15480 		.flags = GENL_UNS_ADMIN_PERM,
15481 		.doit = nl80211_set_beacon,
15482 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15483 	},
15484 	{
15485 		.cmd = NL80211_CMD_START_AP,
15486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15487 		.flags = GENL_UNS_ADMIN_PERM,
15488 		.doit = nl80211_start_ap,
15489 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15490 	},
15491 	{
15492 		.cmd = NL80211_CMD_STOP_AP,
15493 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15494 		.flags = GENL_UNS_ADMIN_PERM,
15495 		.doit = nl80211_stop_ap,
15496 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15497 	},
15498 	{
15499 		.cmd = NL80211_CMD_GET_STATION,
15500 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15501 		.doit = nl80211_get_station,
15502 		.dumpit = nl80211_dump_station,
15503 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15504 	},
15505 	{
15506 		.cmd = NL80211_CMD_SET_STATION,
15507 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15508 		.doit = nl80211_set_station,
15509 		.flags = GENL_UNS_ADMIN_PERM,
15510 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15511 	},
15512 	{
15513 		.cmd = NL80211_CMD_NEW_STATION,
15514 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15515 		.doit = nl80211_new_station,
15516 		.flags = GENL_UNS_ADMIN_PERM,
15517 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15518 	},
15519 	{
15520 		.cmd = NL80211_CMD_DEL_STATION,
15521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15522 		.doit = nl80211_del_station,
15523 		.flags = GENL_UNS_ADMIN_PERM,
15524 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15525 	},
15526 	{
15527 		.cmd = NL80211_CMD_GET_MPATH,
15528 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15529 		.doit = nl80211_get_mpath,
15530 		.dumpit = nl80211_dump_mpath,
15531 		.flags = GENL_UNS_ADMIN_PERM,
15532 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15533 	},
15534 	{
15535 		.cmd = NL80211_CMD_GET_MPP,
15536 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15537 		.doit = nl80211_get_mpp,
15538 		.dumpit = nl80211_dump_mpp,
15539 		.flags = GENL_UNS_ADMIN_PERM,
15540 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15541 	},
15542 	{
15543 		.cmd = NL80211_CMD_SET_MPATH,
15544 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15545 		.doit = nl80211_set_mpath,
15546 		.flags = GENL_UNS_ADMIN_PERM,
15547 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15548 	},
15549 	{
15550 		.cmd = NL80211_CMD_NEW_MPATH,
15551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15552 		.doit = nl80211_new_mpath,
15553 		.flags = GENL_UNS_ADMIN_PERM,
15554 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15555 	},
15556 	{
15557 		.cmd = NL80211_CMD_DEL_MPATH,
15558 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15559 		.doit = nl80211_del_mpath,
15560 		.flags = GENL_UNS_ADMIN_PERM,
15561 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15562 	},
15563 	{
15564 		.cmd = NL80211_CMD_SET_BSS,
15565 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15566 		.doit = nl80211_set_bss,
15567 		.flags = GENL_UNS_ADMIN_PERM,
15568 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15569 	},
15570 	{
15571 		.cmd = NL80211_CMD_GET_REG,
15572 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15573 		.doit = nl80211_get_reg_do,
15574 		.dumpit = nl80211_get_reg_dump,
15575 		.internal_flags = 0,
15576 		/* can be retrieved by unprivileged users */
15577 	},
15578 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15579 	{
15580 		.cmd = NL80211_CMD_SET_REG,
15581 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15582 		.doit = nl80211_set_reg,
15583 		.flags = GENL_ADMIN_PERM,
15584 		.internal_flags = 0,
15585 	},
15586 #endif
15587 	{
15588 		.cmd = NL80211_CMD_REQ_SET_REG,
15589 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15590 		.doit = nl80211_req_set_reg,
15591 		.flags = GENL_ADMIN_PERM,
15592 	},
15593 	{
15594 		.cmd = NL80211_CMD_RELOAD_REGDB,
15595 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15596 		.doit = nl80211_reload_regdb,
15597 		.flags = GENL_ADMIN_PERM,
15598 	},
15599 	{
15600 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15601 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15602 		.doit = nl80211_get_mesh_config,
15603 		/* can be retrieved by unprivileged users */
15604 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15605 	},
15606 	{
15607 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15609 		.doit = nl80211_update_mesh_config,
15610 		.flags = GENL_UNS_ADMIN_PERM,
15611 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15612 	},
15613 	{
15614 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15616 		.doit = nl80211_trigger_scan,
15617 		.flags = GENL_UNS_ADMIN_PERM,
15618 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15619 	},
15620 	{
15621 		.cmd = NL80211_CMD_ABORT_SCAN,
15622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15623 		.doit = nl80211_abort_scan,
15624 		.flags = GENL_UNS_ADMIN_PERM,
15625 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15626 	},
15627 	{
15628 		.cmd = NL80211_CMD_GET_SCAN,
15629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15630 		.dumpit = nl80211_dump_scan,
15631 	},
15632 	{
15633 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15634 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15635 		.doit = nl80211_start_sched_scan,
15636 		.flags = GENL_UNS_ADMIN_PERM,
15637 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15638 	},
15639 	{
15640 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15641 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15642 		.doit = nl80211_stop_sched_scan,
15643 		.flags = GENL_UNS_ADMIN_PERM,
15644 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15645 	},
15646 	{
15647 		.cmd = NL80211_CMD_AUTHENTICATE,
15648 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15649 		.doit = nl80211_authenticate,
15650 		.flags = GENL_UNS_ADMIN_PERM,
15651 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15652 				  0 |
15653 				  NL80211_FLAG_CLEAR_SKB,
15654 	},
15655 	{
15656 		.cmd = NL80211_CMD_ASSOCIATE,
15657 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15658 		.doit = nl80211_associate,
15659 		.flags = GENL_UNS_ADMIN_PERM,
15660 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15661 				  0 |
15662 				  NL80211_FLAG_CLEAR_SKB,
15663 	},
15664 	{
15665 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15667 		.doit = nl80211_deauthenticate,
15668 		.flags = GENL_UNS_ADMIN_PERM,
15669 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15670 	},
15671 	{
15672 		.cmd = NL80211_CMD_DISASSOCIATE,
15673 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15674 		.doit = nl80211_disassociate,
15675 		.flags = GENL_UNS_ADMIN_PERM,
15676 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15677 	},
15678 	{
15679 		.cmd = NL80211_CMD_JOIN_IBSS,
15680 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15681 		.doit = nl80211_join_ibss,
15682 		.flags = GENL_UNS_ADMIN_PERM,
15683 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15684 	},
15685 	{
15686 		.cmd = NL80211_CMD_LEAVE_IBSS,
15687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15688 		.doit = nl80211_leave_ibss,
15689 		.flags = GENL_UNS_ADMIN_PERM,
15690 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15691 	},
15692 #ifdef CONFIG_NL80211_TESTMODE
15693 	{
15694 		.cmd = NL80211_CMD_TESTMODE,
15695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15696 		.doit = nl80211_testmode_do,
15697 		.dumpit = nl80211_testmode_dump,
15698 		.flags = GENL_UNS_ADMIN_PERM,
15699 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15700 	},
15701 #endif
15702 	{
15703 		.cmd = NL80211_CMD_CONNECT,
15704 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15705 		.doit = nl80211_connect,
15706 		.flags = GENL_UNS_ADMIN_PERM,
15707 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15708 				  0 |
15709 				  NL80211_FLAG_CLEAR_SKB,
15710 	},
15711 	{
15712 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15713 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15714 		.doit = nl80211_update_connect_params,
15715 		.flags = GENL_ADMIN_PERM,
15716 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15717 				  0 |
15718 				  NL80211_FLAG_CLEAR_SKB,
15719 	},
15720 	{
15721 		.cmd = NL80211_CMD_DISCONNECT,
15722 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15723 		.doit = nl80211_disconnect,
15724 		.flags = GENL_UNS_ADMIN_PERM,
15725 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15726 	},
15727 	{
15728 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15729 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15730 		.doit = nl80211_wiphy_netns,
15731 		.flags = GENL_UNS_ADMIN_PERM,
15732 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15733 				  NL80211_FLAG_NEED_RTNL |
15734 				  NL80211_FLAG_NO_WIPHY_MTX,
15735 	},
15736 	{
15737 		.cmd = NL80211_CMD_GET_SURVEY,
15738 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15739 		.dumpit = nl80211_dump_survey,
15740 	},
15741 	{
15742 		.cmd = NL80211_CMD_SET_PMKSA,
15743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15744 		.doit = nl80211_setdel_pmksa,
15745 		.flags = GENL_UNS_ADMIN_PERM,
15746 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15747 				  0 |
15748 				  NL80211_FLAG_CLEAR_SKB,
15749 	},
15750 	{
15751 		.cmd = NL80211_CMD_DEL_PMKSA,
15752 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15753 		.doit = nl80211_setdel_pmksa,
15754 		.flags = GENL_UNS_ADMIN_PERM,
15755 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15756 	},
15757 	{
15758 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15759 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15760 		.doit = nl80211_flush_pmksa,
15761 		.flags = GENL_UNS_ADMIN_PERM,
15762 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15763 	},
15764 	{
15765 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15766 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15767 		.doit = nl80211_remain_on_channel,
15768 		.flags = GENL_UNS_ADMIN_PERM,
15769 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15770 	},
15771 	{
15772 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15774 		.doit = nl80211_cancel_remain_on_channel,
15775 		.flags = GENL_UNS_ADMIN_PERM,
15776 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15777 	},
15778 	{
15779 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15780 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15781 		.doit = nl80211_set_tx_bitrate_mask,
15782 		.flags = GENL_UNS_ADMIN_PERM,
15783 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15784 	},
15785 	{
15786 		.cmd = NL80211_CMD_REGISTER_FRAME,
15787 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15788 		.doit = nl80211_register_mgmt,
15789 		.flags = GENL_UNS_ADMIN_PERM,
15790 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15791 	},
15792 	{
15793 		.cmd = NL80211_CMD_FRAME,
15794 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15795 		.doit = nl80211_tx_mgmt,
15796 		.flags = GENL_UNS_ADMIN_PERM,
15797 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15798 	},
15799 	{
15800 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15801 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15802 		.doit = nl80211_tx_mgmt_cancel_wait,
15803 		.flags = GENL_UNS_ADMIN_PERM,
15804 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15805 	},
15806 	{
15807 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15808 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15809 		.doit = nl80211_set_power_save,
15810 		.flags = GENL_UNS_ADMIN_PERM,
15811 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15812 	},
15813 	{
15814 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15816 		.doit = nl80211_get_power_save,
15817 		/* can be retrieved by unprivileged users */
15818 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15819 	},
15820 	{
15821 		.cmd = NL80211_CMD_SET_CQM,
15822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15823 		.doit = nl80211_set_cqm,
15824 		.flags = GENL_UNS_ADMIN_PERM,
15825 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15826 	},
15827 	{
15828 		.cmd = NL80211_CMD_SET_CHANNEL,
15829 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15830 		.doit = nl80211_set_channel,
15831 		.flags = GENL_UNS_ADMIN_PERM,
15832 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15833 	},
15834 	{
15835 		.cmd = NL80211_CMD_JOIN_MESH,
15836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15837 		.doit = nl80211_join_mesh,
15838 		.flags = GENL_UNS_ADMIN_PERM,
15839 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15840 	},
15841 	{
15842 		.cmd = NL80211_CMD_LEAVE_MESH,
15843 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15844 		.doit = nl80211_leave_mesh,
15845 		.flags = GENL_UNS_ADMIN_PERM,
15846 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15847 	},
15848 	{
15849 		.cmd = NL80211_CMD_JOIN_OCB,
15850 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15851 		.doit = nl80211_join_ocb,
15852 		.flags = GENL_UNS_ADMIN_PERM,
15853 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15854 	},
15855 	{
15856 		.cmd = NL80211_CMD_LEAVE_OCB,
15857 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15858 		.doit = nl80211_leave_ocb,
15859 		.flags = GENL_UNS_ADMIN_PERM,
15860 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15861 	},
15862 #ifdef CONFIG_PM
15863 	{
15864 		.cmd = NL80211_CMD_GET_WOWLAN,
15865 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15866 		.doit = nl80211_get_wowlan,
15867 		/* can be retrieved by unprivileged users */
15868 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15869 	},
15870 	{
15871 		.cmd = NL80211_CMD_SET_WOWLAN,
15872 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15873 		.doit = nl80211_set_wowlan,
15874 		.flags = GENL_UNS_ADMIN_PERM,
15875 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15876 	},
15877 #endif
15878 	{
15879 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15881 		.doit = nl80211_set_rekey_data,
15882 		.flags = GENL_UNS_ADMIN_PERM,
15883 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15884 				  0 |
15885 				  NL80211_FLAG_CLEAR_SKB,
15886 	},
15887 	{
15888 		.cmd = NL80211_CMD_TDLS_MGMT,
15889 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15890 		.doit = nl80211_tdls_mgmt,
15891 		.flags = GENL_UNS_ADMIN_PERM,
15892 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15893 	},
15894 	{
15895 		.cmd = NL80211_CMD_TDLS_OPER,
15896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15897 		.doit = nl80211_tdls_oper,
15898 		.flags = GENL_UNS_ADMIN_PERM,
15899 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15900 	},
15901 	{
15902 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15904 		.doit = nl80211_register_unexpected_frame,
15905 		.flags = GENL_UNS_ADMIN_PERM,
15906 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15907 	},
15908 	{
15909 		.cmd = NL80211_CMD_PROBE_CLIENT,
15910 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15911 		.doit = nl80211_probe_client,
15912 		.flags = GENL_UNS_ADMIN_PERM,
15913 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15914 	},
15915 	{
15916 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15917 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15918 		.doit = nl80211_register_beacons,
15919 		.flags = GENL_UNS_ADMIN_PERM,
15920 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15921 	},
15922 	{
15923 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15925 		.doit = nl80211_set_noack_map,
15926 		.flags = GENL_UNS_ADMIN_PERM,
15927 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15928 	},
15929 	{
15930 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15931 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15932 		.doit = nl80211_start_p2p_device,
15933 		.flags = GENL_UNS_ADMIN_PERM,
15934 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15935 				  NL80211_FLAG_NEED_RTNL,
15936 	},
15937 	{
15938 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15939 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15940 		.doit = nl80211_stop_p2p_device,
15941 		.flags = GENL_UNS_ADMIN_PERM,
15942 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15943 				  NL80211_FLAG_NEED_RTNL,
15944 	},
15945 	{
15946 		.cmd = NL80211_CMD_START_NAN,
15947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15948 		.doit = nl80211_start_nan,
15949 		.flags = GENL_ADMIN_PERM,
15950 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15951 				  NL80211_FLAG_NEED_RTNL,
15952 	},
15953 	{
15954 		.cmd = NL80211_CMD_STOP_NAN,
15955 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15956 		.doit = nl80211_stop_nan,
15957 		.flags = GENL_ADMIN_PERM,
15958 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15959 				  NL80211_FLAG_NEED_RTNL,
15960 	},
15961 	{
15962 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15963 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15964 		.doit = nl80211_nan_add_func,
15965 		.flags = GENL_ADMIN_PERM,
15966 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15967 	},
15968 	{
15969 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15970 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15971 		.doit = nl80211_nan_del_func,
15972 		.flags = GENL_ADMIN_PERM,
15973 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15974 	},
15975 	{
15976 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15977 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15978 		.doit = nl80211_nan_change_config,
15979 		.flags = GENL_ADMIN_PERM,
15980 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15981 	},
15982 	{
15983 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15985 		.doit = nl80211_set_mcast_rate,
15986 		.flags = GENL_UNS_ADMIN_PERM,
15987 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15988 	},
15989 	{
15990 		.cmd = NL80211_CMD_SET_MAC_ACL,
15991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15992 		.doit = nl80211_set_mac_acl,
15993 		.flags = GENL_UNS_ADMIN_PERM,
15994 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15995 	},
15996 	{
15997 		.cmd = NL80211_CMD_RADAR_DETECT,
15998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15999 		.doit = nl80211_start_radar_detection,
16000 		.flags = GENL_UNS_ADMIN_PERM,
16001 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16002 				  NL80211_FLAG_NO_WIPHY_MTX,
16003 	},
16004 	{
16005 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16006 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16007 		.doit = nl80211_get_protocol_features,
16008 	},
16009 	{
16010 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16011 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16012 		.doit = nl80211_update_ft_ies,
16013 		.flags = GENL_UNS_ADMIN_PERM,
16014 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16015 	},
16016 	{
16017 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16018 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16019 		.doit = nl80211_crit_protocol_start,
16020 		.flags = GENL_UNS_ADMIN_PERM,
16021 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16022 	},
16023 	{
16024 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16026 		.doit = nl80211_crit_protocol_stop,
16027 		.flags = GENL_UNS_ADMIN_PERM,
16028 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16029 	},
16030 	{
16031 		.cmd = NL80211_CMD_GET_COALESCE,
16032 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16033 		.doit = nl80211_get_coalesce,
16034 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16035 	},
16036 	{
16037 		.cmd = NL80211_CMD_SET_COALESCE,
16038 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16039 		.doit = nl80211_set_coalesce,
16040 		.flags = GENL_UNS_ADMIN_PERM,
16041 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16042 	},
16043 	{
16044 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16045 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16046 		.doit = nl80211_channel_switch,
16047 		.flags = GENL_UNS_ADMIN_PERM,
16048 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16049 	},
16050 	{
16051 		.cmd = NL80211_CMD_VENDOR,
16052 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16053 		.doit = nl80211_vendor_cmd,
16054 		.dumpit = nl80211_vendor_cmd_dump,
16055 		.flags = GENL_UNS_ADMIN_PERM,
16056 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16057 				  0 |
16058 				  NL80211_FLAG_CLEAR_SKB,
16059 	},
16060 	{
16061 		.cmd = NL80211_CMD_SET_QOS_MAP,
16062 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16063 		.doit = nl80211_set_qos_map,
16064 		.flags = GENL_UNS_ADMIN_PERM,
16065 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16066 	},
16067 	{
16068 		.cmd = NL80211_CMD_ADD_TX_TS,
16069 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16070 		.doit = nl80211_add_tx_ts,
16071 		.flags = GENL_UNS_ADMIN_PERM,
16072 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16073 	},
16074 	{
16075 		.cmd = NL80211_CMD_DEL_TX_TS,
16076 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16077 		.doit = nl80211_del_tx_ts,
16078 		.flags = GENL_UNS_ADMIN_PERM,
16079 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16080 	},
16081 	{
16082 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16083 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16084 		.doit = nl80211_tdls_channel_switch,
16085 		.flags = GENL_UNS_ADMIN_PERM,
16086 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16087 	},
16088 	{
16089 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16090 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16091 		.doit = nl80211_tdls_cancel_channel_switch,
16092 		.flags = GENL_UNS_ADMIN_PERM,
16093 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16094 	},
16095 	{
16096 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16097 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16098 		.doit = nl80211_set_multicast_to_unicast,
16099 		.flags = GENL_UNS_ADMIN_PERM,
16100 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16101 	},
16102 	{
16103 		.cmd = NL80211_CMD_SET_PMK,
16104 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16105 		.doit = nl80211_set_pmk,
16106 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16107 				  0 |
16108 				  NL80211_FLAG_CLEAR_SKB,
16109 	},
16110 	{
16111 		.cmd = NL80211_CMD_DEL_PMK,
16112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16113 		.doit = nl80211_del_pmk,
16114 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16115 	},
16116 	{
16117 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16118 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16119 		.doit = nl80211_external_auth,
16120 		.flags = GENL_ADMIN_PERM,
16121 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16122 	},
16123 	{
16124 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16125 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16126 		.doit = nl80211_tx_control_port,
16127 		.flags = GENL_UNS_ADMIN_PERM,
16128 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16129 	},
16130 	{
16131 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16132 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16133 		.doit = nl80211_get_ftm_responder_stats,
16134 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16135 	},
16136 	{
16137 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16138 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16139 		.doit = nl80211_pmsr_start,
16140 		.flags = GENL_UNS_ADMIN_PERM,
16141 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16142 	},
16143 	{
16144 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16146 		.doit = nl80211_notify_radar_detection,
16147 		.flags = GENL_UNS_ADMIN_PERM,
16148 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16149 	},
16150 	{
16151 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16152 		.doit = nl80211_update_owe_info,
16153 		.flags = GENL_ADMIN_PERM,
16154 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16155 	},
16156 	{
16157 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16158 		.doit = nl80211_probe_mesh_link,
16159 		.flags = GENL_UNS_ADMIN_PERM,
16160 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16161 	},
16162 	{
16163 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16164 		.doit = nl80211_set_tid_config,
16165 		.flags = GENL_UNS_ADMIN_PERM,
16166 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16167 	},
16168 	{
16169 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16171 		.doit = nl80211_set_sar_specs,
16172 		.flags = GENL_UNS_ADMIN_PERM,
16173 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16174 				  NL80211_FLAG_NEED_RTNL,
16175 	},
16176 	{
16177 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16179 		.doit = nl80211_color_change,
16180 		.flags = GENL_UNS_ADMIN_PERM,
16181 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16182 				  NL80211_FLAG_NEED_RTNL,
16183 	},
16184 	{
16185 		.cmd = NL80211_CMD_SET_FILS_AAD,
16186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16187 		.doit = nl80211_set_fils_aad,
16188 		.flags = GENL_UNS_ADMIN_PERM,
16189 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16190 	},
16191 };
16192 
16193 static struct genl_family nl80211_fam __ro_after_init = {
16194 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16195 	.hdrsize = 0,			/* no private header */
16196 	.version = 1,			/* no particular meaning now */
16197 	.maxattr = NL80211_ATTR_MAX,
16198 	.policy = nl80211_policy,
16199 	.netnsok = true,
16200 	.pre_doit = nl80211_pre_doit,
16201 	.post_doit = nl80211_post_doit,
16202 	.module = THIS_MODULE,
16203 	.ops = nl80211_ops,
16204 	.n_ops = ARRAY_SIZE(nl80211_ops),
16205 	.small_ops = nl80211_small_ops,
16206 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16207 	.mcgrps = nl80211_mcgrps,
16208 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16209 	.parallel_ops = true,
16210 };
16211 
16212 /* notification functions */
16213 
16214 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16215 			  enum nl80211_commands cmd)
16216 {
16217 	struct sk_buff *msg;
16218 	struct nl80211_dump_wiphy_state state = {};
16219 
16220 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16221 		cmd != NL80211_CMD_DEL_WIPHY);
16222 
16223 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16224 	if (!msg)
16225 		return;
16226 
16227 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16228 		nlmsg_free(msg);
16229 		return;
16230 	}
16231 
16232 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16233 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16234 }
16235 
16236 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16237 				struct wireless_dev *wdev,
16238 				enum nl80211_commands cmd)
16239 {
16240 	struct sk_buff *msg;
16241 
16242 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16243 	if (!msg)
16244 		return;
16245 
16246 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16247 		nlmsg_free(msg);
16248 		return;
16249 	}
16250 
16251 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16252 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16253 }
16254 
16255 static int nl80211_add_scan_req(struct sk_buff *msg,
16256 				struct cfg80211_registered_device *rdev)
16257 {
16258 	struct cfg80211_scan_request *req = rdev->scan_req;
16259 	struct nlattr *nest;
16260 	int i;
16261 	struct cfg80211_scan_info *info;
16262 
16263 	if (WARN_ON(!req))
16264 		return 0;
16265 
16266 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16267 	if (!nest)
16268 		goto nla_put_failure;
16269 	for (i = 0; i < req->n_ssids; i++) {
16270 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16271 			goto nla_put_failure;
16272 	}
16273 	nla_nest_end(msg, nest);
16274 
16275 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16276 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16277 		if (!nest)
16278 			goto nla_put_failure;
16279 		for (i = 0; i < req->n_channels; i++) {
16280 			if (nla_put_u32(msg, i,
16281 				   ieee80211_channel_to_khz(req->channels[i])))
16282 				goto nla_put_failure;
16283 		}
16284 		nla_nest_end(msg, nest);
16285 	} else {
16286 		nest = nla_nest_start_noflag(msg,
16287 					     NL80211_ATTR_SCAN_FREQUENCIES);
16288 		if (!nest)
16289 			goto nla_put_failure;
16290 		for (i = 0; i < req->n_channels; i++) {
16291 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16292 				goto nla_put_failure;
16293 		}
16294 		nla_nest_end(msg, nest);
16295 	}
16296 
16297 	if (req->ie &&
16298 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16299 		goto nla_put_failure;
16300 
16301 	if (req->flags &&
16302 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16303 		goto nla_put_failure;
16304 
16305 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16306 		&rdev->scan_req->info;
16307 	if (info->scan_start_tsf &&
16308 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16309 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16310 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16311 		     info->tsf_bssid)))
16312 		goto nla_put_failure;
16313 
16314 	return 0;
16315  nla_put_failure:
16316 	return -ENOBUFS;
16317 }
16318 
16319 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16320 				 struct cfg80211_registered_device *rdev,
16321 				 struct wireless_dev *wdev,
16322 				 u32 portid, u32 seq, int flags,
16323 				 u32 cmd)
16324 {
16325 	void *hdr;
16326 
16327 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16328 	if (!hdr)
16329 		return -1;
16330 
16331 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16332 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16333 					 wdev->netdev->ifindex)) ||
16334 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16335 			      NL80211_ATTR_PAD))
16336 		goto nla_put_failure;
16337 
16338 	/* ignore errors and send incomplete event anyway */
16339 	nl80211_add_scan_req(msg, rdev);
16340 
16341 	genlmsg_end(msg, hdr);
16342 	return 0;
16343 
16344  nla_put_failure:
16345 	genlmsg_cancel(msg, hdr);
16346 	return -EMSGSIZE;
16347 }
16348 
16349 static int
16350 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16351 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16352 {
16353 	void *hdr;
16354 
16355 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16356 	if (!hdr)
16357 		return -1;
16358 
16359 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16360 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16361 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16362 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16363 			      NL80211_ATTR_PAD))
16364 		goto nla_put_failure;
16365 
16366 	genlmsg_end(msg, hdr);
16367 	return 0;
16368 
16369  nla_put_failure:
16370 	genlmsg_cancel(msg, hdr);
16371 	return -EMSGSIZE;
16372 }
16373 
16374 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16375 			     struct wireless_dev *wdev)
16376 {
16377 	struct sk_buff *msg;
16378 
16379 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16380 	if (!msg)
16381 		return;
16382 
16383 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16384 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16385 		nlmsg_free(msg);
16386 		return;
16387 	}
16388 
16389 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16390 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16391 }
16392 
16393 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16394 				       struct wireless_dev *wdev, bool aborted)
16395 {
16396 	struct sk_buff *msg;
16397 
16398 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16399 	if (!msg)
16400 		return NULL;
16401 
16402 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16403 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16404 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16405 		nlmsg_free(msg);
16406 		return NULL;
16407 	}
16408 
16409 	return msg;
16410 }
16411 
16412 /* send message created by nl80211_build_scan_msg() */
16413 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16414 			   struct sk_buff *msg)
16415 {
16416 	if (!msg)
16417 		return;
16418 
16419 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16420 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16421 }
16422 
16423 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16424 {
16425 	struct sk_buff *msg;
16426 
16427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16428 	if (!msg)
16429 		return;
16430 
16431 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16432 		nlmsg_free(msg);
16433 		return;
16434 	}
16435 
16436 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16437 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16438 }
16439 
16440 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16441 					  struct regulatory_request *request)
16442 {
16443 	/* Userspace can always count this one always being set */
16444 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16445 		goto nla_put_failure;
16446 
16447 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16448 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16449 			       NL80211_REGDOM_TYPE_WORLD))
16450 			goto nla_put_failure;
16451 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16452 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16453 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16454 			goto nla_put_failure;
16455 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16456 		   request->intersect) {
16457 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16458 			       NL80211_REGDOM_TYPE_INTERSECTION))
16459 			goto nla_put_failure;
16460 	} else {
16461 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16462 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16463 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16464 				   request->alpha2))
16465 			goto nla_put_failure;
16466 	}
16467 
16468 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16469 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16470 
16471 		if (wiphy &&
16472 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16473 			goto nla_put_failure;
16474 
16475 		if (wiphy &&
16476 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16477 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16478 			goto nla_put_failure;
16479 	}
16480 
16481 	return true;
16482 
16483 nla_put_failure:
16484 	return false;
16485 }
16486 
16487 /*
16488  * This can happen on global regulatory changes or device specific settings
16489  * based on custom regulatory domains.
16490  */
16491 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16492 				     struct regulatory_request *request)
16493 {
16494 	struct sk_buff *msg;
16495 	void *hdr;
16496 
16497 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16498 	if (!msg)
16499 		return;
16500 
16501 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16502 	if (!hdr)
16503 		goto nla_put_failure;
16504 
16505 	if (!nl80211_reg_change_event_fill(msg, request))
16506 		goto nla_put_failure;
16507 
16508 	genlmsg_end(msg, hdr);
16509 
16510 	rcu_read_lock();
16511 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16512 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16513 	rcu_read_unlock();
16514 
16515 	return;
16516 
16517 nla_put_failure:
16518 	nlmsg_free(msg);
16519 }
16520 
16521 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16522 				    struct net_device *netdev,
16523 				    const u8 *buf, size_t len,
16524 				    enum nl80211_commands cmd, gfp_t gfp,
16525 				    int uapsd_queues, const u8 *req_ies,
16526 				    size_t req_ies_len, bool reconnect)
16527 {
16528 	struct sk_buff *msg;
16529 	void *hdr;
16530 
16531 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16532 	if (!msg)
16533 		return;
16534 
16535 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16536 	if (!hdr) {
16537 		nlmsg_free(msg);
16538 		return;
16539 	}
16540 
16541 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16542 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16543 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16544 	    (req_ies &&
16545 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16546 		goto nla_put_failure;
16547 
16548 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16549 		goto nla_put_failure;
16550 
16551 	if (uapsd_queues >= 0) {
16552 		struct nlattr *nla_wmm =
16553 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16554 		if (!nla_wmm)
16555 			goto nla_put_failure;
16556 
16557 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16558 			       uapsd_queues))
16559 			goto nla_put_failure;
16560 
16561 		nla_nest_end(msg, nla_wmm);
16562 	}
16563 
16564 	genlmsg_end(msg, hdr);
16565 
16566 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16567 				NL80211_MCGRP_MLME, gfp);
16568 	return;
16569 
16570  nla_put_failure:
16571 	nlmsg_free(msg);
16572 }
16573 
16574 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16575 			  struct net_device *netdev, const u8 *buf,
16576 			  size_t len, gfp_t gfp)
16577 {
16578 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16579 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16580 				false);
16581 }
16582 
16583 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16584 			   struct net_device *netdev, const u8 *buf,
16585 			   size_t len, gfp_t gfp, int uapsd_queues,
16586 			   const u8 *req_ies, size_t req_ies_len)
16587 {
16588 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16589 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16590 				req_ies, req_ies_len, false);
16591 }
16592 
16593 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16594 			 struct net_device *netdev, const u8 *buf,
16595 			 size_t len, bool reconnect, gfp_t gfp)
16596 {
16597 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16598 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16599 				reconnect);
16600 }
16601 
16602 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16603 			   struct net_device *netdev, const u8 *buf,
16604 			   size_t len, bool reconnect, gfp_t gfp)
16605 {
16606 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16607 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16608 				reconnect);
16609 }
16610 
16611 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16612 				  size_t len)
16613 {
16614 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16615 	struct wiphy *wiphy = wdev->wiphy;
16616 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16617 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16618 	u32 cmd;
16619 
16620 	if (WARN_ON(len < 2))
16621 		return;
16622 
16623 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16624 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16625 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16626 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16627 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16628 		if (wdev->unprot_beacon_reported &&
16629 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16630 			return;
16631 		cmd = NL80211_CMD_UNPROT_BEACON;
16632 		wdev->unprot_beacon_reported = jiffies;
16633 	} else {
16634 		return;
16635 	}
16636 
16637 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16638 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16639 				NULL, 0, false);
16640 }
16641 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16642 
16643 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16644 				      struct net_device *netdev, int cmd,
16645 				      const u8 *addr, gfp_t gfp)
16646 {
16647 	struct sk_buff *msg;
16648 	void *hdr;
16649 
16650 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16651 	if (!msg)
16652 		return;
16653 
16654 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16655 	if (!hdr) {
16656 		nlmsg_free(msg);
16657 		return;
16658 	}
16659 
16660 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16661 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16662 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16663 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16664 		goto nla_put_failure;
16665 
16666 	genlmsg_end(msg, hdr);
16667 
16668 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16669 				NL80211_MCGRP_MLME, gfp);
16670 	return;
16671 
16672  nla_put_failure:
16673 	nlmsg_free(msg);
16674 }
16675 
16676 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16677 			       struct net_device *netdev, const u8 *addr,
16678 			       gfp_t gfp)
16679 {
16680 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16681 				  addr, gfp);
16682 }
16683 
16684 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16685 				struct net_device *netdev, const u8 *addr,
16686 				gfp_t gfp)
16687 {
16688 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16689 				  addr, gfp);
16690 }
16691 
16692 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16693 				 struct net_device *netdev,
16694 				 struct cfg80211_connect_resp_params *cr,
16695 				 gfp_t gfp)
16696 {
16697 	struct sk_buff *msg;
16698 	void *hdr;
16699 
16700 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16701 			cr->fils.kek_len + cr->fils.pmk_len +
16702 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16703 	if (!msg)
16704 		return;
16705 
16706 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16707 	if (!hdr) {
16708 		nlmsg_free(msg);
16709 		return;
16710 	}
16711 
16712 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16713 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16714 	    (cr->bssid &&
16715 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16716 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16717 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16718 			cr->status) ||
16719 	    (cr->status < 0 &&
16720 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16721 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16722 			  cr->timeout_reason))) ||
16723 	    (cr->req_ie &&
16724 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16725 	    (cr->resp_ie &&
16726 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16727 		     cr->resp_ie)) ||
16728 	    (cr->fils.update_erp_next_seq_num &&
16729 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16730 			 cr->fils.erp_next_seq_num)) ||
16731 	    (cr->status == WLAN_STATUS_SUCCESS &&
16732 	     ((cr->fils.kek &&
16733 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16734 		       cr->fils.kek)) ||
16735 	      (cr->fils.pmk &&
16736 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16737 	      (cr->fils.pmkid &&
16738 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16739 		goto nla_put_failure;
16740 
16741 	genlmsg_end(msg, hdr);
16742 
16743 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16744 				NL80211_MCGRP_MLME, gfp);
16745 	return;
16746 
16747  nla_put_failure:
16748 	nlmsg_free(msg);
16749 }
16750 
16751 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16752 			 struct net_device *netdev,
16753 			 struct cfg80211_roam_info *info, gfp_t gfp)
16754 {
16755 	struct sk_buff *msg;
16756 	void *hdr;
16757 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16758 
16759 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16760 			info->fils.kek_len + info->fils.pmk_len +
16761 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16762 	if (!msg)
16763 		return;
16764 
16765 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16766 	if (!hdr) {
16767 		nlmsg_free(msg);
16768 		return;
16769 	}
16770 
16771 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16772 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16773 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16774 	    (info->req_ie &&
16775 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16776 		     info->req_ie)) ||
16777 	    (info->resp_ie &&
16778 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16779 		     info->resp_ie)) ||
16780 	    (info->fils.update_erp_next_seq_num &&
16781 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16782 			 info->fils.erp_next_seq_num)) ||
16783 	    (info->fils.kek &&
16784 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16785 		     info->fils.kek)) ||
16786 	    (info->fils.pmk &&
16787 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16788 	    (info->fils.pmkid &&
16789 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16790 		goto nla_put_failure;
16791 
16792 	genlmsg_end(msg, hdr);
16793 
16794 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16795 				NL80211_MCGRP_MLME, gfp);
16796 	return;
16797 
16798  nla_put_failure:
16799 	nlmsg_free(msg);
16800 }
16801 
16802 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16803 				  struct net_device *netdev, const u8 *bssid)
16804 {
16805 	struct sk_buff *msg;
16806 	void *hdr;
16807 
16808 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16809 	if (!msg)
16810 		return;
16811 
16812 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16813 	if (!hdr) {
16814 		nlmsg_free(msg);
16815 		return;
16816 	}
16817 
16818 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16819 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16820 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16821 		goto nla_put_failure;
16822 
16823 	genlmsg_end(msg, hdr);
16824 
16825 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16826 				NL80211_MCGRP_MLME, GFP_KERNEL);
16827 	return;
16828 
16829  nla_put_failure:
16830 	nlmsg_free(msg);
16831 }
16832 
16833 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16834 			       struct net_device *netdev, u16 reason,
16835 			       const u8 *ie, size_t ie_len, bool from_ap)
16836 {
16837 	struct sk_buff *msg;
16838 	void *hdr;
16839 
16840 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16841 	if (!msg)
16842 		return;
16843 
16844 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16845 	if (!hdr) {
16846 		nlmsg_free(msg);
16847 		return;
16848 	}
16849 
16850 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16851 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16852 	    (reason &&
16853 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16854 	    (from_ap &&
16855 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16856 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16857 		goto nla_put_failure;
16858 
16859 	genlmsg_end(msg, hdr);
16860 
16861 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16862 				NL80211_MCGRP_MLME, GFP_KERNEL);
16863 	return;
16864 
16865  nla_put_failure:
16866 	nlmsg_free(msg);
16867 }
16868 
16869 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16870 			     struct net_device *netdev, const u8 *bssid,
16871 			     gfp_t gfp)
16872 {
16873 	struct sk_buff *msg;
16874 	void *hdr;
16875 
16876 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16877 	if (!msg)
16878 		return;
16879 
16880 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16881 	if (!hdr) {
16882 		nlmsg_free(msg);
16883 		return;
16884 	}
16885 
16886 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16887 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16888 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16889 		goto nla_put_failure;
16890 
16891 	genlmsg_end(msg, hdr);
16892 
16893 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16894 				NL80211_MCGRP_MLME, gfp);
16895 	return;
16896 
16897  nla_put_failure:
16898 	nlmsg_free(msg);
16899 }
16900 
16901 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16902 					const u8 *ie, u8 ie_len,
16903 					int sig_dbm, gfp_t gfp)
16904 {
16905 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16906 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16907 	struct sk_buff *msg;
16908 	void *hdr;
16909 
16910 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16911 		return;
16912 
16913 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16914 
16915 	msg = nlmsg_new(100 + ie_len, gfp);
16916 	if (!msg)
16917 		return;
16918 
16919 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16920 	if (!hdr) {
16921 		nlmsg_free(msg);
16922 		return;
16923 	}
16924 
16925 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16926 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16927 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16928 	    (ie_len && ie &&
16929 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16930 	    (sig_dbm &&
16931 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16932 		goto nla_put_failure;
16933 
16934 	genlmsg_end(msg, hdr);
16935 
16936 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16937 				NL80211_MCGRP_MLME, gfp);
16938 	return;
16939 
16940  nla_put_failure:
16941 	nlmsg_free(msg);
16942 }
16943 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16944 
16945 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16946 				 struct net_device *netdev, const u8 *addr,
16947 				 enum nl80211_key_type key_type, int key_id,
16948 				 const u8 *tsc, gfp_t gfp)
16949 {
16950 	struct sk_buff *msg;
16951 	void *hdr;
16952 
16953 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16954 	if (!msg)
16955 		return;
16956 
16957 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16958 	if (!hdr) {
16959 		nlmsg_free(msg);
16960 		return;
16961 	}
16962 
16963 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16964 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16965 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16966 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16967 	    (key_id != -1 &&
16968 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16969 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16970 		goto nla_put_failure;
16971 
16972 	genlmsg_end(msg, hdr);
16973 
16974 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16975 				NL80211_MCGRP_MLME, gfp);
16976 	return;
16977 
16978  nla_put_failure:
16979 	nlmsg_free(msg);
16980 }
16981 
16982 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16983 				    struct ieee80211_channel *channel_before,
16984 				    struct ieee80211_channel *channel_after)
16985 {
16986 	struct sk_buff *msg;
16987 	void *hdr;
16988 	struct nlattr *nl_freq;
16989 
16990 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16991 	if (!msg)
16992 		return;
16993 
16994 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16995 	if (!hdr) {
16996 		nlmsg_free(msg);
16997 		return;
16998 	}
16999 
17000 	/*
17001 	 * Since we are applying the beacon hint to a wiphy we know its
17002 	 * wiphy_idx is valid
17003 	 */
17004 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17005 		goto nla_put_failure;
17006 
17007 	/* Before */
17008 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17009 	if (!nl_freq)
17010 		goto nla_put_failure;
17011 
17012 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17013 		goto nla_put_failure;
17014 	nla_nest_end(msg, nl_freq);
17015 
17016 	/* After */
17017 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17018 	if (!nl_freq)
17019 		goto nla_put_failure;
17020 
17021 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17022 		goto nla_put_failure;
17023 	nla_nest_end(msg, nl_freq);
17024 
17025 	genlmsg_end(msg, hdr);
17026 
17027 	rcu_read_lock();
17028 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17029 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17030 	rcu_read_unlock();
17031 
17032 	return;
17033 
17034 nla_put_failure:
17035 	nlmsg_free(msg);
17036 }
17037 
17038 static void nl80211_send_remain_on_chan_event(
17039 	int cmd, struct cfg80211_registered_device *rdev,
17040 	struct wireless_dev *wdev, u64 cookie,
17041 	struct ieee80211_channel *chan,
17042 	unsigned int duration, gfp_t gfp)
17043 {
17044 	struct sk_buff *msg;
17045 	void *hdr;
17046 
17047 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17048 	if (!msg)
17049 		return;
17050 
17051 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17052 	if (!hdr) {
17053 		nlmsg_free(msg);
17054 		return;
17055 	}
17056 
17057 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17058 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17059 					 wdev->netdev->ifindex)) ||
17060 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17061 			      NL80211_ATTR_PAD) ||
17062 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17063 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17064 			NL80211_CHAN_NO_HT) ||
17065 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17066 			      NL80211_ATTR_PAD))
17067 		goto nla_put_failure;
17068 
17069 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17070 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17071 		goto nla_put_failure;
17072 
17073 	genlmsg_end(msg, hdr);
17074 
17075 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17076 				NL80211_MCGRP_MLME, gfp);
17077 	return;
17078 
17079  nla_put_failure:
17080 	nlmsg_free(msg);
17081 }
17082 
17083 void cfg80211_assoc_comeback(struct net_device *netdev,
17084 			     struct cfg80211_bss *bss, u32 timeout)
17085 {
17086 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17087 	struct wiphy *wiphy = wdev->wiphy;
17088 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17089 	struct sk_buff *msg;
17090 	void *hdr;
17091 
17092 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17093 
17094 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17095 	if (!msg)
17096 		return;
17097 
17098 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17099 	if (!hdr) {
17100 		nlmsg_free(msg);
17101 		return;
17102 	}
17103 
17104 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17105 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17106 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17107 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17108 		goto nla_put_failure;
17109 
17110 	genlmsg_end(msg, hdr);
17111 
17112 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17113 				NL80211_MCGRP_MLME, GFP_KERNEL);
17114 	return;
17115 
17116  nla_put_failure:
17117 	nlmsg_free(msg);
17118 }
17119 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17120 
17121 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17122 			       struct ieee80211_channel *chan,
17123 			       unsigned int duration, gfp_t gfp)
17124 {
17125 	struct wiphy *wiphy = wdev->wiphy;
17126 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17127 
17128 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17129 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17130 					  rdev, wdev, cookie, chan,
17131 					  duration, gfp);
17132 }
17133 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17134 
17135 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17136 					struct ieee80211_channel *chan,
17137 					gfp_t gfp)
17138 {
17139 	struct wiphy *wiphy = wdev->wiphy;
17140 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17141 
17142 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17143 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17144 					  rdev, wdev, cookie, chan, 0, gfp);
17145 }
17146 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17147 
17148 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17149 					struct ieee80211_channel *chan,
17150 					gfp_t gfp)
17151 {
17152 	struct wiphy *wiphy = wdev->wiphy;
17153 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17154 
17155 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17156 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17157 					  rdev, wdev, cookie, chan, 0, gfp);
17158 }
17159 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17160 
17161 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17162 		      struct station_info *sinfo, gfp_t gfp)
17163 {
17164 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17165 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17166 	struct sk_buff *msg;
17167 
17168 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17169 
17170 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17171 	if (!msg)
17172 		return;
17173 
17174 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17175 				 rdev, dev, mac_addr, sinfo) < 0) {
17176 		nlmsg_free(msg);
17177 		return;
17178 	}
17179 
17180 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17181 				NL80211_MCGRP_MLME, gfp);
17182 }
17183 EXPORT_SYMBOL(cfg80211_new_sta);
17184 
17185 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17186 			    struct station_info *sinfo, gfp_t gfp)
17187 {
17188 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17189 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17190 	struct sk_buff *msg;
17191 	struct station_info empty_sinfo = {};
17192 
17193 	if (!sinfo)
17194 		sinfo = &empty_sinfo;
17195 
17196 	trace_cfg80211_del_sta(dev, mac_addr);
17197 
17198 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17199 	if (!msg) {
17200 		cfg80211_sinfo_release_content(sinfo);
17201 		return;
17202 	}
17203 
17204 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17205 				 rdev, dev, mac_addr, sinfo) < 0) {
17206 		nlmsg_free(msg);
17207 		return;
17208 	}
17209 
17210 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17211 				NL80211_MCGRP_MLME, gfp);
17212 }
17213 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17214 
17215 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17216 			  enum nl80211_connect_failed_reason reason,
17217 			  gfp_t gfp)
17218 {
17219 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17220 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17221 	struct sk_buff *msg;
17222 	void *hdr;
17223 
17224 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17225 	if (!msg)
17226 		return;
17227 
17228 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17229 	if (!hdr) {
17230 		nlmsg_free(msg);
17231 		return;
17232 	}
17233 
17234 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17235 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17236 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17237 		goto nla_put_failure;
17238 
17239 	genlmsg_end(msg, hdr);
17240 
17241 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17242 				NL80211_MCGRP_MLME, gfp);
17243 	return;
17244 
17245  nla_put_failure:
17246 	nlmsg_free(msg);
17247 }
17248 EXPORT_SYMBOL(cfg80211_conn_failed);
17249 
17250 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17251 				       const u8 *addr, gfp_t gfp)
17252 {
17253 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17254 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17255 	struct sk_buff *msg;
17256 	void *hdr;
17257 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17258 
17259 	if (!nlportid)
17260 		return false;
17261 
17262 	msg = nlmsg_new(100, gfp);
17263 	if (!msg)
17264 		return true;
17265 
17266 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17267 	if (!hdr) {
17268 		nlmsg_free(msg);
17269 		return true;
17270 	}
17271 
17272 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17273 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17274 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17275 		goto nla_put_failure;
17276 
17277 	genlmsg_end(msg, hdr);
17278 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17279 	return true;
17280 
17281  nla_put_failure:
17282 	nlmsg_free(msg);
17283 	return true;
17284 }
17285 
17286 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17287 				const u8 *addr, gfp_t gfp)
17288 {
17289 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17290 	bool ret;
17291 
17292 	trace_cfg80211_rx_spurious_frame(dev, addr);
17293 
17294 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17295 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17296 		trace_cfg80211_return_bool(false);
17297 		return false;
17298 	}
17299 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17300 					 addr, gfp);
17301 	trace_cfg80211_return_bool(ret);
17302 	return ret;
17303 }
17304 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17305 
17306 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17307 					const u8 *addr, gfp_t gfp)
17308 {
17309 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17310 	bool ret;
17311 
17312 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17313 
17314 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17315 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17316 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17317 		trace_cfg80211_return_bool(false);
17318 		return false;
17319 	}
17320 	ret = __nl80211_unexpected_frame(dev,
17321 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17322 					 addr, gfp);
17323 	trace_cfg80211_return_bool(ret);
17324 	return ret;
17325 }
17326 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17327 
17328 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17329 		      struct wireless_dev *wdev, u32 nlportid,
17330 		      int freq, int sig_dbm,
17331 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17332 {
17333 	struct net_device *netdev = wdev->netdev;
17334 	struct sk_buff *msg;
17335 	void *hdr;
17336 
17337 	msg = nlmsg_new(100 + len, gfp);
17338 	if (!msg)
17339 		return -ENOMEM;
17340 
17341 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17342 	if (!hdr) {
17343 		nlmsg_free(msg);
17344 		return -ENOMEM;
17345 	}
17346 
17347 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17348 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17349 					netdev->ifindex)) ||
17350 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17351 			      NL80211_ATTR_PAD) ||
17352 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17353 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17354 	    (sig_dbm &&
17355 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17356 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17357 	    (flags &&
17358 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17359 		goto nla_put_failure;
17360 
17361 	genlmsg_end(msg, hdr);
17362 
17363 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17364 
17365  nla_put_failure:
17366 	nlmsg_free(msg);
17367 	return -ENOBUFS;
17368 }
17369 
17370 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17371 				    const u8 *buf, size_t len, bool ack,
17372 				    gfp_t gfp, enum nl80211_commands command)
17373 {
17374 	struct wiphy *wiphy = wdev->wiphy;
17375 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17376 	struct net_device *netdev = wdev->netdev;
17377 	struct sk_buff *msg;
17378 	void *hdr;
17379 
17380 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17381 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17382 	else
17383 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17384 
17385 	msg = nlmsg_new(100 + len, gfp);
17386 	if (!msg)
17387 		return;
17388 
17389 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17390 	if (!hdr) {
17391 		nlmsg_free(msg);
17392 		return;
17393 	}
17394 
17395 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17396 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17397 				   netdev->ifindex)) ||
17398 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17399 			      NL80211_ATTR_PAD) ||
17400 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17401 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17402 			      NL80211_ATTR_PAD) ||
17403 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17404 		goto nla_put_failure;
17405 
17406 	genlmsg_end(msg, hdr);
17407 
17408 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17409 				NL80211_MCGRP_MLME, gfp);
17410 	return;
17411 
17412 nla_put_failure:
17413 	nlmsg_free(msg);
17414 }
17415 
17416 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17417 				     const u8 *buf, size_t len, bool ack,
17418 				     gfp_t gfp)
17419 {
17420 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17421 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17422 }
17423 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17424 
17425 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17426 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17427 {
17428 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17429 				NL80211_CMD_FRAME_TX_STATUS);
17430 }
17431 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17432 
17433 static int __nl80211_rx_control_port(struct net_device *dev,
17434 				     struct sk_buff *skb,
17435 				     bool unencrypted, gfp_t gfp)
17436 {
17437 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17438 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17439 	struct ethhdr *ehdr = eth_hdr(skb);
17440 	const u8 *addr = ehdr->h_source;
17441 	u16 proto = be16_to_cpu(skb->protocol);
17442 	struct sk_buff *msg;
17443 	void *hdr;
17444 	struct nlattr *frame;
17445 
17446 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17447 
17448 	if (!nlportid)
17449 		return -ENOENT;
17450 
17451 	msg = nlmsg_new(100 + skb->len, gfp);
17452 	if (!msg)
17453 		return -ENOMEM;
17454 
17455 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17456 	if (!hdr) {
17457 		nlmsg_free(msg);
17458 		return -ENOBUFS;
17459 	}
17460 
17461 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17462 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17463 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17464 			      NL80211_ATTR_PAD) ||
17465 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17466 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17467 	    (unencrypted && nla_put_flag(msg,
17468 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17469 		goto nla_put_failure;
17470 
17471 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17472 	if (!frame)
17473 		goto nla_put_failure;
17474 
17475 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17476 	genlmsg_end(msg, hdr);
17477 
17478 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17479 
17480  nla_put_failure:
17481 	nlmsg_free(msg);
17482 	return -ENOBUFS;
17483 }
17484 
17485 bool cfg80211_rx_control_port(struct net_device *dev,
17486 			      struct sk_buff *skb, bool unencrypted)
17487 {
17488 	int ret;
17489 
17490 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17491 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17492 	trace_cfg80211_return_bool(ret == 0);
17493 	return ret == 0;
17494 }
17495 EXPORT_SYMBOL(cfg80211_rx_control_port);
17496 
17497 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17498 					    const char *mac, gfp_t gfp)
17499 {
17500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17501 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17502 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17503 	void **cb;
17504 
17505 	if (!msg)
17506 		return NULL;
17507 
17508 	cb = (void **)msg->cb;
17509 
17510 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17511 	if (!cb[0]) {
17512 		nlmsg_free(msg);
17513 		return NULL;
17514 	}
17515 
17516 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17517 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17518 		goto nla_put_failure;
17519 
17520 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17521 		goto nla_put_failure;
17522 
17523 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17524 	if (!cb[1])
17525 		goto nla_put_failure;
17526 
17527 	cb[2] = rdev;
17528 
17529 	return msg;
17530  nla_put_failure:
17531 	nlmsg_free(msg);
17532 	return NULL;
17533 }
17534 
17535 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17536 {
17537 	void **cb = (void **)msg->cb;
17538 	struct cfg80211_registered_device *rdev = cb[2];
17539 
17540 	nla_nest_end(msg, cb[1]);
17541 	genlmsg_end(msg, cb[0]);
17542 
17543 	memset(msg->cb, 0, sizeof(msg->cb));
17544 
17545 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17546 				NL80211_MCGRP_MLME, gfp);
17547 }
17548 
17549 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17550 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17551 			      s32 rssi_level, gfp_t gfp)
17552 {
17553 	struct sk_buff *msg;
17554 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17555 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17556 
17557 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17558 
17559 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17560 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17561 		return;
17562 
17563 	if (wdev->cqm_config) {
17564 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17565 
17566 		cfg80211_cqm_rssi_update(rdev, dev);
17567 
17568 		if (rssi_level == 0)
17569 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17570 	}
17571 
17572 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17573 	if (!msg)
17574 		return;
17575 
17576 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17577 			rssi_event))
17578 		goto nla_put_failure;
17579 
17580 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17581 				      rssi_level))
17582 		goto nla_put_failure;
17583 
17584 	cfg80211_send_cqm(msg, gfp);
17585 
17586 	return;
17587 
17588  nla_put_failure:
17589 	nlmsg_free(msg);
17590 }
17591 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17592 
17593 void cfg80211_cqm_txe_notify(struct net_device *dev,
17594 			     const u8 *peer, u32 num_packets,
17595 			     u32 rate, u32 intvl, gfp_t gfp)
17596 {
17597 	struct sk_buff *msg;
17598 
17599 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17600 	if (!msg)
17601 		return;
17602 
17603 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17604 		goto nla_put_failure;
17605 
17606 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17607 		goto nla_put_failure;
17608 
17609 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17610 		goto nla_put_failure;
17611 
17612 	cfg80211_send_cqm(msg, gfp);
17613 	return;
17614 
17615  nla_put_failure:
17616 	nlmsg_free(msg);
17617 }
17618 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17619 
17620 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17621 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17622 {
17623 	struct sk_buff *msg;
17624 
17625 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17626 
17627 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17628 	if (!msg)
17629 		return;
17630 
17631 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17632 		goto nla_put_failure;
17633 
17634 	cfg80211_send_cqm(msg, gfp);
17635 	return;
17636 
17637  nla_put_failure:
17638 	nlmsg_free(msg);
17639 }
17640 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17641 
17642 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17643 {
17644 	struct sk_buff *msg;
17645 
17646 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17647 	if (!msg)
17648 		return;
17649 
17650 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17651 		goto nla_put_failure;
17652 
17653 	cfg80211_send_cqm(msg, gfp);
17654 	return;
17655 
17656  nla_put_failure:
17657 	nlmsg_free(msg);
17658 }
17659 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17660 
17661 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17662 				     struct net_device *netdev, const u8 *bssid,
17663 				     const u8 *replay_ctr, gfp_t gfp)
17664 {
17665 	struct sk_buff *msg;
17666 	struct nlattr *rekey_attr;
17667 	void *hdr;
17668 
17669 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17670 	if (!msg)
17671 		return;
17672 
17673 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17674 	if (!hdr) {
17675 		nlmsg_free(msg);
17676 		return;
17677 	}
17678 
17679 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17680 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17681 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17682 		goto nla_put_failure;
17683 
17684 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17685 	if (!rekey_attr)
17686 		goto nla_put_failure;
17687 
17688 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17689 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17690 		goto nla_put_failure;
17691 
17692 	nla_nest_end(msg, rekey_attr);
17693 
17694 	genlmsg_end(msg, hdr);
17695 
17696 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17697 				NL80211_MCGRP_MLME, gfp);
17698 	return;
17699 
17700  nla_put_failure:
17701 	nlmsg_free(msg);
17702 }
17703 
17704 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17705 			       const u8 *replay_ctr, gfp_t gfp)
17706 {
17707 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17708 	struct wiphy *wiphy = wdev->wiphy;
17709 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17710 
17711 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17712 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17713 }
17714 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17715 
17716 static void
17717 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17718 			       struct net_device *netdev, int index,
17719 			       const u8 *bssid, bool preauth, gfp_t gfp)
17720 {
17721 	struct sk_buff *msg;
17722 	struct nlattr *attr;
17723 	void *hdr;
17724 
17725 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17726 	if (!msg)
17727 		return;
17728 
17729 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17730 	if (!hdr) {
17731 		nlmsg_free(msg);
17732 		return;
17733 	}
17734 
17735 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17736 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17737 		goto nla_put_failure;
17738 
17739 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17740 	if (!attr)
17741 		goto nla_put_failure;
17742 
17743 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17744 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17745 	    (preauth &&
17746 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17747 		goto nla_put_failure;
17748 
17749 	nla_nest_end(msg, attr);
17750 
17751 	genlmsg_end(msg, hdr);
17752 
17753 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17754 				NL80211_MCGRP_MLME, gfp);
17755 	return;
17756 
17757  nla_put_failure:
17758 	nlmsg_free(msg);
17759 }
17760 
17761 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17762 				     const u8 *bssid, bool preauth, gfp_t gfp)
17763 {
17764 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17765 	struct wiphy *wiphy = wdev->wiphy;
17766 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17767 
17768 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17769 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17770 }
17771 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17772 
17773 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17774 				     struct net_device *netdev,
17775 				     struct cfg80211_chan_def *chandef,
17776 				     gfp_t gfp,
17777 				     enum nl80211_commands notif,
17778 				     u8 count, bool quiet)
17779 {
17780 	struct sk_buff *msg;
17781 	void *hdr;
17782 
17783 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17784 	if (!msg)
17785 		return;
17786 
17787 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17788 	if (!hdr) {
17789 		nlmsg_free(msg);
17790 		return;
17791 	}
17792 
17793 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17794 		goto nla_put_failure;
17795 
17796 	if (nl80211_send_chandef(msg, chandef))
17797 		goto nla_put_failure;
17798 
17799 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17800 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17801 			goto nla_put_failure;
17802 		if (quiet &&
17803 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17804 			goto nla_put_failure;
17805 	}
17806 
17807 	genlmsg_end(msg, hdr);
17808 
17809 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17810 				NL80211_MCGRP_MLME, gfp);
17811 	return;
17812 
17813  nla_put_failure:
17814 	nlmsg_free(msg);
17815 }
17816 
17817 void cfg80211_ch_switch_notify(struct net_device *dev,
17818 			       struct cfg80211_chan_def *chandef)
17819 {
17820 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17821 	struct wiphy *wiphy = wdev->wiphy;
17822 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17823 
17824 	ASSERT_WDEV_LOCK(wdev);
17825 
17826 	trace_cfg80211_ch_switch_notify(dev, chandef);
17827 
17828 	wdev->chandef = *chandef;
17829 	wdev->preset_chandef = *chandef;
17830 
17831 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
17832 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
17833 	    !WARN_ON(!wdev->current_bss))
17834 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17835 
17836 	cfg80211_sched_dfs_chan_update(rdev);
17837 
17838 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17839 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17840 }
17841 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17842 
17843 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17844 				       struct cfg80211_chan_def *chandef,
17845 				       u8 count, bool quiet)
17846 {
17847 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17848 	struct wiphy *wiphy = wdev->wiphy;
17849 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17850 
17851 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17852 
17853 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17854 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17855 				 count, quiet);
17856 }
17857 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17858 
17859 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17860 			      enum nl80211_commands cmd, u8 count,
17861 			      u64 color_bitmap)
17862 {
17863 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17864 	struct wiphy *wiphy = wdev->wiphy;
17865 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17866 	struct sk_buff *msg;
17867 	void *hdr;
17868 
17869 	ASSERT_WDEV_LOCK(wdev);
17870 
17871 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17872 
17873 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17874 	if (!msg)
17875 		return -ENOMEM;
17876 
17877 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17878 	if (!hdr)
17879 		goto nla_put_failure;
17880 
17881 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17882 		goto nla_put_failure;
17883 
17884 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17885 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17886 		goto nla_put_failure;
17887 
17888 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17889 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17890 			      color_bitmap, NL80211_ATTR_PAD))
17891 		goto nla_put_failure;
17892 
17893 	genlmsg_end(msg, hdr);
17894 
17895 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17896 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17897 
17898 nla_put_failure:
17899 	nlmsg_free(msg);
17900 	return -EINVAL;
17901 }
17902 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17903 
17904 void
17905 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17906 		     const struct cfg80211_chan_def *chandef,
17907 		     enum nl80211_radar_event event,
17908 		     struct net_device *netdev, gfp_t gfp)
17909 {
17910 	struct sk_buff *msg;
17911 	void *hdr;
17912 
17913 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17914 	if (!msg)
17915 		return;
17916 
17917 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17918 	if (!hdr) {
17919 		nlmsg_free(msg);
17920 		return;
17921 	}
17922 
17923 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17924 		goto nla_put_failure;
17925 
17926 	/* NOP and radar events don't need a netdev parameter */
17927 	if (netdev) {
17928 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17929 
17930 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17931 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17932 				      NL80211_ATTR_PAD))
17933 			goto nla_put_failure;
17934 	}
17935 
17936 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17937 		goto nla_put_failure;
17938 
17939 	if (nl80211_send_chandef(msg, chandef))
17940 		goto nla_put_failure;
17941 
17942 	genlmsg_end(msg, hdr);
17943 
17944 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17945 				NL80211_MCGRP_MLME, gfp);
17946 	return;
17947 
17948  nla_put_failure:
17949 	nlmsg_free(msg);
17950 }
17951 
17952 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17953 				       struct sta_opmode_info *sta_opmode,
17954 				       gfp_t gfp)
17955 {
17956 	struct sk_buff *msg;
17957 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17958 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17959 	void *hdr;
17960 
17961 	if (WARN_ON(!mac))
17962 		return;
17963 
17964 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17965 	if (!msg)
17966 		return;
17967 
17968 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17969 	if (!hdr) {
17970 		nlmsg_free(msg);
17971 		return;
17972 	}
17973 
17974 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17975 		goto nla_put_failure;
17976 
17977 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17978 		goto nla_put_failure;
17979 
17980 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17981 		goto nla_put_failure;
17982 
17983 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17984 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17985 		goto nla_put_failure;
17986 
17987 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17988 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17989 		goto nla_put_failure;
17990 
17991 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17992 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17993 		goto nla_put_failure;
17994 
17995 	genlmsg_end(msg, hdr);
17996 
17997 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17998 				NL80211_MCGRP_MLME, gfp);
17999 
18000 	return;
18001 
18002 nla_put_failure:
18003 	nlmsg_free(msg);
18004 }
18005 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18006 
18007 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18008 			   u64 cookie, bool acked, s32 ack_signal,
18009 			   bool is_valid_ack_signal, gfp_t gfp)
18010 {
18011 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18012 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18013 	struct sk_buff *msg;
18014 	void *hdr;
18015 
18016 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18017 
18018 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18019 
18020 	if (!msg)
18021 		return;
18022 
18023 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18024 	if (!hdr) {
18025 		nlmsg_free(msg);
18026 		return;
18027 	}
18028 
18029 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18030 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18031 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18032 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18033 			      NL80211_ATTR_PAD) ||
18034 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18035 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18036 						ack_signal)))
18037 		goto nla_put_failure;
18038 
18039 	genlmsg_end(msg, hdr);
18040 
18041 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18042 				NL80211_MCGRP_MLME, gfp);
18043 	return;
18044 
18045  nla_put_failure:
18046 	nlmsg_free(msg);
18047 }
18048 EXPORT_SYMBOL(cfg80211_probe_status);
18049 
18050 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18051 				     size_t len, int freq, int sig_dbm)
18052 {
18053 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18054 	struct sk_buff *msg;
18055 	void *hdr;
18056 	struct cfg80211_beacon_registration *reg;
18057 
18058 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18059 
18060 	spin_lock_bh(&rdev->beacon_registrations_lock);
18061 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18062 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18063 		if (!msg) {
18064 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18065 			return;
18066 		}
18067 
18068 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18069 		if (!hdr)
18070 			goto nla_put_failure;
18071 
18072 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18073 		    (freq &&
18074 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18075 				  KHZ_TO_MHZ(freq)) ||
18076 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18077 				  freq % 1000))) ||
18078 		    (sig_dbm &&
18079 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18080 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18081 			goto nla_put_failure;
18082 
18083 		genlmsg_end(msg, hdr);
18084 
18085 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18086 	}
18087 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18088 	return;
18089 
18090  nla_put_failure:
18091 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18092 	nlmsg_free(msg);
18093 }
18094 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18095 
18096 #ifdef CONFIG_PM
18097 static int cfg80211_net_detect_results(struct sk_buff *msg,
18098 				       struct cfg80211_wowlan_wakeup *wakeup)
18099 {
18100 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18101 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18102 	int i, j;
18103 
18104 	nl_results = nla_nest_start_noflag(msg,
18105 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18106 	if (!nl_results)
18107 		return -EMSGSIZE;
18108 
18109 	for (i = 0; i < nd->n_matches; i++) {
18110 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18111 
18112 		nl_match = nla_nest_start_noflag(msg, i);
18113 		if (!nl_match)
18114 			break;
18115 
18116 		/* The SSID attribute is optional in nl80211, but for
18117 		 * simplicity reasons it's always present in the
18118 		 * cfg80211 structure.  If a driver can't pass the
18119 		 * SSID, that needs to be changed.  A zero length SSID
18120 		 * is still a valid SSID (wildcard), so it cannot be
18121 		 * used for this purpose.
18122 		 */
18123 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18124 			    match->ssid.ssid)) {
18125 			nla_nest_cancel(msg, nl_match);
18126 			goto out;
18127 		}
18128 
18129 		if (match->n_channels) {
18130 			nl_freqs = nla_nest_start_noflag(msg,
18131 							 NL80211_ATTR_SCAN_FREQUENCIES);
18132 			if (!nl_freqs) {
18133 				nla_nest_cancel(msg, nl_match);
18134 				goto out;
18135 			}
18136 
18137 			for (j = 0; j < match->n_channels; j++) {
18138 				if (nla_put_u32(msg, j, match->channels[j])) {
18139 					nla_nest_cancel(msg, nl_freqs);
18140 					nla_nest_cancel(msg, nl_match);
18141 					goto out;
18142 				}
18143 			}
18144 
18145 			nla_nest_end(msg, nl_freqs);
18146 		}
18147 
18148 		nla_nest_end(msg, nl_match);
18149 	}
18150 
18151 out:
18152 	nla_nest_end(msg, nl_results);
18153 	return 0;
18154 }
18155 
18156 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18157 				   struct cfg80211_wowlan_wakeup *wakeup,
18158 				   gfp_t gfp)
18159 {
18160 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18161 	struct sk_buff *msg;
18162 	void *hdr;
18163 	int size = 200;
18164 
18165 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18166 
18167 	if (wakeup)
18168 		size += wakeup->packet_present_len;
18169 
18170 	msg = nlmsg_new(size, gfp);
18171 	if (!msg)
18172 		return;
18173 
18174 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18175 	if (!hdr)
18176 		goto free_msg;
18177 
18178 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18179 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18180 			      NL80211_ATTR_PAD))
18181 		goto free_msg;
18182 
18183 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18184 					wdev->netdev->ifindex))
18185 		goto free_msg;
18186 
18187 	if (wakeup) {
18188 		struct nlattr *reasons;
18189 
18190 		reasons = nla_nest_start_noflag(msg,
18191 						NL80211_ATTR_WOWLAN_TRIGGERS);
18192 		if (!reasons)
18193 			goto free_msg;
18194 
18195 		if (wakeup->disconnect &&
18196 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18197 			goto free_msg;
18198 		if (wakeup->magic_pkt &&
18199 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18200 			goto free_msg;
18201 		if (wakeup->gtk_rekey_failure &&
18202 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18203 			goto free_msg;
18204 		if (wakeup->eap_identity_req &&
18205 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18206 			goto free_msg;
18207 		if (wakeup->four_way_handshake &&
18208 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18209 			goto free_msg;
18210 		if (wakeup->rfkill_release &&
18211 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18212 			goto free_msg;
18213 
18214 		if (wakeup->pattern_idx >= 0 &&
18215 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18216 				wakeup->pattern_idx))
18217 			goto free_msg;
18218 
18219 		if (wakeup->tcp_match &&
18220 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18221 			goto free_msg;
18222 
18223 		if (wakeup->tcp_connlost &&
18224 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18225 			goto free_msg;
18226 
18227 		if (wakeup->tcp_nomoretokens &&
18228 		    nla_put_flag(msg,
18229 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18230 			goto free_msg;
18231 
18232 		if (wakeup->packet) {
18233 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18234 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18235 
18236 			if (!wakeup->packet_80211) {
18237 				pkt_attr =
18238 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18239 				len_attr =
18240 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18241 			}
18242 
18243 			if (wakeup->packet_len &&
18244 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18245 				goto free_msg;
18246 
18247 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18248 				    wakeup->packet))
18249 				goto free_msg;
18250 		}
18251 
18252 		if (wakeup->net_detect &&
18253 		    cfg80211_net_detect_results(msg, wakeup))
18254 				goto free_msg;
18255 
18256 		nla_nest_end(msg, reasons);
18257 	}
18258 
18259 	genlmsg_end(msg, hdr);
18260 
18261 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18262 				NL80211_MCGRP_MLME, gfp);
18263 	return;
18264 
18265  free_msg:
18266 	nlmsg_free(msg);
18267 }
18268 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18269 #endif
18270 
18271 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18272 				enum nl80211_tdls_operation oper,
18273 				u16 reason_code, gfp_t gfp)
18274 {
18275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18276 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18277 	struct sk_buff *msg;
18278 	void *hdr;
18279 
18280 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18281 					 reason_code);
18282 
18283 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18284 	if (!msg)
18285 		return;
18286 
18287 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18288 	if (!hdr) {
18289 		nlmsg_free(msg);
18290 		return;
18291 	}
18292 
18293 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18294 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18295 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18296 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18297 	    (reason_code > 0 &&
18298 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18299 		goto nla_put_failure;
18300 
18301 	genlmsg_end(msg, hdr);
18302 
18303 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18304 				NL80211_MCGRP_MLME, gfp);
18305 	return;
18306 
18307  nla_put_failure:
18308 	nlmsg_free(msg);
18309 }
18310 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18311 
18312 static int nl80211_netlink_notify(struct notifier_block * nb,
18313 				  unsigned long state,
18314 				  void *_notify)
18315 {
18316 	struct netlink_notify *notify = _notify;
18317 	struct cfg80211_registered_device *rdev;
18318 	struct wireless_dev *wdev;
18319 	struct cfg80211_beacon_registration *reg, *tmp;
18320 
18321 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18322 		return NOTIFY_DONE;
18323 
18324 	rcu_read_lock();
18325 
18326 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18327 		struct cfg80211_sched_scan_request *sched_scan_req;
18328 
18329 		list_for_each_entry_rcu(sched_scan_req,
18330 					&rdev->sched_scan_req_list,
18331 					list) {
18332 			if (sched_scan_req->owner_nlportid == notify->portid) {
18333 				sched_scan_req->nl_owner_dead = true;
18334 				schedule_work(&rdev->sched_scan_stop_wk);
18335 			}
18336 		}
18337 
18338 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18339 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18340 
18341 			if (wdev->owner_nlportid == notify->portid) {
18342 				wdev->nl_owner_dead = true;
18343 				schedule_work(&rdev->destroy_work);
18344 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18345 				schedule_work(&wdev->disconnect_wk);
18346 			}
18347 
18348 			cfg80211_release_pmsr(wdev, notify->portid);
18349 		}
18350 
18351 		spin_lock_bh(&rdev->beacon_registrations_lock);
18352 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18353 					 list) {
18354 			if (reg->nlportid == notify->portid) {
18355 				list_del(&reg->list);
18356 				kfree(reg);
18357 				break;
18358 			}
18359 		}
18360 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18361 	}
18362 
18363 	rcu_read_unlock();
18364 
18365 	/*
18366 	 * It is possible that the user space process that is controlling the
18367 	 * indoor setting disappeared, so notify the regulatory core.
18368 	 */
18369 	regulatory_netlink_notify(notify->portid);
18370 	return NOTIFY_OK;
18371 }
18372 
18373 static struct notifier_block nl80211_netlink_notifier = {
18374 	.notifier_call = nl80211_netlink_notify,
18375 };
18376 
18377 void cfg80211_ft_event(struct net_device *netdev,
18378 		       struct cfg80211_ft_event_params *ft_event)
18379 {
18380 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18381 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18382 	struct sk_buff *msg;
18383 	void *hdr;
18384 
18385 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18386 
18387 	if (!ft_event->target_ap)
18388 		return;
18389 
18390 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18391 			GFP_KERNEL);
18392 	if (!msg)
18393 		return;
18394 
18395 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18396 	if (!hdr)
18397 		goto out;
18398 
18399 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18400 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18401 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18402 		goto out;
18403 
18404 	if (ft_event->ies &&
18405 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18406 		goto out;
18407 	if (ft_event->ric_ies &&
18408 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18409 		    ft_event->ric_ies))
18410 		goto out;
18411 
18412 	genlmsg_end(msg, hdr);
18413 
18414 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18415 				NL80211_MCGRP_MLME, GFP_KERNEL);
18416 	return;
18417  out:
18418 	nlmsg_free(msg);
18419 }
18420 EXPORT_SYMBOL(cfg80211_ft_event);
18421 
18422 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18423 {
18424 	struct cfg80211_registered_device *rdev;
18425 	struct sk_buff *msg;
18426 	void *hdr;
18427 	u32 nlportid;
18428 
18429 	rdev = wiphy_to_rdev(wdev->wiphy);
18430 	if (!rdev->crit_proto_nlportid)
18431 		return;
18432 
18433 	nlportid = rdev->crit_proto_nlportid;
18434 	rdev->crit_proto_nlportid = 0;
18435 
18436 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18437 	if (!msg)
18438 		return;
18439 
18440 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18441 	if (!hdr)
18442 		goto nla_put_failure;
18443 
18444 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18445 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18446 			      NL80211_ATTR_PAD))
18447 		goto nla_put_failure;
18448 
18449 	genlmsg_end(msg, hdr);
18450 
18451 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18452 	return;
18453 
18454  nla_put_failure:
18455 	nlmsg_free(msg);
18456 }
18457 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18458 
18459 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18460 {
18461 	struct wiphy *wiphy = wdev->wiphy;
18462 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18463 	struct sk_buff *msg;
18464 	void *hdr;
18465 
18466 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18467 	if (!msg)
18468 		return;
18469 
18470 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18471 	if (!hdr)
18472 		goto out;
18473 
18474 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18475 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18476 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18477 			      NL80211_ATTR_PAD))
18478 		goto out;
18479 
18480 	genlmsg_end(msg, hdr);
18481 
18482 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18483 				NL80211_MCGRP_MLME, GFP_KERNEL);
18484 	return;
18485  out:
18486 	nlmsg_free(msg);
18487 }
18488 
18489 int cfg80211_external_auth_request(struct net_device *dev,
18490 				   struct cfg80211_external_auth_params *params,
18491 				   gfp_t gfp)
18492 {
18493 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18494 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18495 	struct sk_buff *msg;
18496 	void *hdr;
18497 
18498 	if (!wdev->conn_owner_nlportid)
18499 		return -EINVAL;
18500 
18501 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18502 	if (!msg)
18503 		return -ENOMEM;
18504 
18505 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18506 	if (!hdr)
18507 		goto nla_put_failure;
18508 
18509 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18510 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18511 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18512 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18513 			params->action) ||
18514 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18515 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18516 		    params->ssid.ssid))
18517 		goto nla_put_failure;
18518 
18519 	genlmsg_end(msg, hdr);
18520 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18521 			wdev->conn_owner_nlportid);
18522 	return 0;
18523 
18524  nla_put_failure:
18525 	nlmsg_free(msg);
18526 	return -ENOBUFS;
18527 }
18528 EXPORT_SYMBOL(cfg80211_external_auth_request);
18529 
18530 void cfg80211_update_owe_info_event(struct net_device *netdev,
18531 				    struct cfg80211_update_owe_info *owe_info,
18532 				    gfp_t gfp)
18533 {
18534 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18535 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18536 	struct sk_buff *msg;
18537 	void *hdr;
18538 
18539 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18540 
18541 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18542 	if (!msg)
18543 		return;
18544 
18545 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18546 	if (!hdr)
18547 		goto nla_put_failure;
18548 
18549 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18550 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18551 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18552 		goto nla_put_failure;
18553 
18554 	if (!owe_info->ie_len ||
18555 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18556 		goto nla_put_failure;
18557 
18558 	genlmsg_end(msg, hdr);
18559 
18560 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18561 				NL80211_MCGRP_MLME, gfp);
18562 	return;
18563 
18564 nla_put_failure:
18565 	genlmsg_cancel(msg, hdr);
18566 	nlmsg_free(msg);
18567 }
18568 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18569 
18570 /* initialisation/exit functions */
18571 
18572 int __init nl80211_init(void)
18573 {
18574 	int err;
18575 
18576 	err = genl_register_family(&nl80211_fam);
18577 	if (err)
18578 		return err;
18579 
18580 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18581 	if (err)
18582 		goto err_out;
18583 
18584 	return 0;
18585  err_out:
18586 	genl_unregister_family(&nl80211_fam);
18587 	return err;
18588 }
18589 
18590 void nl80211_exit(void)
18591 {
18592 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18593 	genl_unregister_family(&nl80211_fam);
18594 }
18595