xref: /openbmc/linux/net/wireless/nl80211.c (revision 7a2eb736) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2019 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <net/net_namespace.h>
24 #include <net/genetlink.h>
25 #include <net/cfg80211.h>
26 #include <net/sock.h>
27 #include <net/inet_connection_sock.h>
28 #include "core.h"
29 #include "nl80211.h"
30 #include "reg.h"
31 #include "rdev-ops.h"
32 
33 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
34 				   struct genl_info *info,
35 				   struct cfg80211_crypto_settings *settings,
36 				   int cipher_limit);
37 
38 /* the netlink family */
39 static struct genl_family nl80211_fam;
40 
41 /* multicast groups */
42 enum nl80211_multicast_groups {
43 	NL80211_MCGRP_CONFIG,
44 	NL80211_MCGRP_SCAN,
45 	NL80211_MCGRP_REGULATORY,
46 	NL80211_MCGRP_MLME,
47 	NL80211_MCGRP_VENDOR,
48 	NL80211_MCGRP_NAN,
49 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
50 };
51 
52 static const struct genl_multicast_group nl80211_mcgrps[] = {
53 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
54 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
55 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
56 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
57 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
58 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
59 #ifdef CONFIG_NL80211_TESTMODE
60 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
61 #endif
62 };
63 
64 /* returns ERR_PTR values */
65 static struct wireless_dev *
66 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
67 {
68 	struct cfg80211_registered_device *rdev;
69 	struct wireless_dev *result = NULL;
70 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
71 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
72 	u64 wdev_id;
73 	int wiphy_idx = -1;
74 	int ifidx = -1;
75 
76 	ASSERT_RTNL();
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
89 		struct wireless_dev *wdev;
90 
91 		if (wiphy_net(&rdev->wiphy) != netns)
92 			continue;
93 
94 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
95 			continue;
96 
97 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
98 			if (have_ifidx && wdev->netdev &&
99 			    wdev->netdev->ifindex == ifidx) {
100 				result = wdev;
101 				break;
102 			}
103 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
104 				result = wdev;
105 				break;
106 			}
107 		}
108 
109 		if (result)
110 			break;
111 	}
112 
113 	if (result)
114 		return result;
115 	return ERR_PTR(-ENODEV);
116 }
117 
118 static struct cfg80211_registered_device *
119 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
120 {
121 	struct cfg80211_registered_device *rdev = NULL, *tmp;
122 	struct net_device *netdev;
123 
124 	ASSERT_RTNL();
125 
126 	if (!attrs[NL80211_ATTR_WIPHY] &&
127 	    !attrs[NL80211_ATTR_IFINDEX] &&
128 	    !attrs[NL80211_ATTR_WDEV])
129 		return ERR_PTR(-EINVAL);
130 
131 	if (attrs[NL80211_ATTR_WIPHY])
132 		rdev = cfg80211_rdev_by_wiphy_idx(
133 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
134 
135 	if (attrs[NL80211_ATTR_WDEV]) {
136 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
137 		struct wireless_dev *wdev;
138 		bool found = false;
139 
140 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
141 		if (tmp) {
142 			/* make sure wdev exists */
143 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
144 				if (wdev->identifier != (u32)wdev_id)
145 					continue;
146 				found = true;
147 				break;
148 			}
149 
150 			if (!found)
151 				tmp = NULL;
152 
153 			if (rdev && tmp != rdev)
154 				return ERR_PTR(-EINVAL);
155 			rdev = tmp;
156 		}
157 	}
158 
159 	if (attrs[NL80211_ATTR_IFINDEX]) {
160 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
161 
162 		netdev = __dev_get_by_index(netns, ifindex);
163 		if (netdev) {
164 			if (netdev->ieee80211_ptr)
165 				tmp = wiphy_to_rdev(
166 					netdev->ieee80211_ptr->wiphy);
167 			else
168 				tmp = NULL;
169 
170 			/* not wireless device -- return error */
171 			if (!tmp)
172 				return ERR_PTR(-EINVAL);
173 
174 			/* mismatch -- return error */
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 
178 			rdev = tmp;
179 		}
180 	}
181 
182 	if (!rdev)
183 		return ERR_PTR(-ENODEV);
184 
185 	if (netns != wiphy_net(&rdev->wiphy))
186 		return ERR_PTR(-ENODEV);
187 
188 	return rdev;
189 }
190 
191 /*
192  * This function returns a pointer to the driver
193  * that the genl_info item that is passed refers to.
194  *
195  * The result of this can be a PTR_ERR and hence must
196  * be checked with IS_ERR() for errors.
197  */
198 static struct cfg80211_registered_device *
199 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
200 {
201 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
202 }
203 
204 static int validate_ie_attr(const struct nlattr *attr,
205 			    struct netlink_ext_ack *extack)
206 {
207 	const u8 *data = nla_data(attr);
208 	unsigned int len = nla_len(attr);
209 	const struct element *elem;
210 
211 	for_each_element(elem, data, len) {
212 		/* nothing */
213 	}
214 
215 	if (for_each_element_completed(elem, data, len))
216 		return 0;
217 
218 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
219 	return -EINVAL;
220 }
221 
222 /* policy for the attributes */
223 static const struct nla_policy
224 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
225 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
226 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
227 					.len = U8_MAX },
228 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
229 					     .len = U8_MAX },
230 };
231 
232 static const struct nla_policy
233 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
234 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
235 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
236 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
237 		NLA_POLICY_MAX(NLA_U8, 15),
238 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
239 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
240 		NLA_POLICY_MAX(NLA_U8, 15),
241 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
242 		NLA_POLICY_MAX(NLA_U8, 31),
243 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
244 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
245 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
246 };
247 
248 static const struct nla_policy
249 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
250 	[NL80211_PMSR_TYPE_FTM] =
251 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
252 };
253 
254 static const struct nla_policy
255 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
256 	[NL80211_PMSR_REQ_ATTR_DATA] =
257 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
258 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
259 };
260 
261 static const struct nla_policy
262 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
263 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
264 	/*
265 	 * we could specify this again to be the top-level policy,
266 	 * but that would open us up to recursion problems ...
267 	 */
268 	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
269 	[NL80211_PMSR_PEER_ATTR_REQ] =
270 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
271 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
272 };
273 
274 static const struct nla_policy
275 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
276 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
277 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
278 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
279 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
280 	[NL80211_PMSR_ATTR_PEERS] =
281 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
282 };
283 
284 static const struct nla_policy
285 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
286 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
287 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
288 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
289 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
290 };
291 
292 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
293 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
294 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
295 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
296 				      .len = 20-1 },
297 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
298 
299 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
300 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
302 						NL80211_EDMG_CHANNELS_MIN,
303 						NL80211_EDMG_CHANNELS_MAX),
304 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
305 						NL80211_EDMG_BW_CONFIG_MIN,
306 						NL80211_EDMG_BW_CONFIG_MAX),
307 
308 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
309 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
310 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
311 
312 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
313 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
314 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
315 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
316 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
317 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
318 
319 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
320 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
322 
323 	[NL80211_ATTR_MAC] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
324 	[NL80211_ATTR_PREV_BSSID] = {
325 		.type = NLA_EXACT_LEN_WARN,
326 		.len = ETH_ALEN
327 	},
328 
329 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
330 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
331 				    .len = WLAN_MAX_KEY_LEN },
332 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
333 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
334 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
336 	[NL80211_ATTR_KEY_TYPE] =
337 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
338 
339 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
340 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
341 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
342 				       .len = IEEE80211_MAX_DATA_LEN },
343 	[NL80211_ATTR_BEACON_TAIL] =
344 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
345 				       IEEE80211_MAX_DATA_LEN),
346 	[NL80211_ATTR_STA_AID] =
347 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
348 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
349 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
350 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
351 					       .len = NL80211_MAX_SUPP_RATES },
352 	[NL80211_ATTR_STA_PLINK_ACTION] =
353 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
354 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
355 		NLA_POLICY_RANGE(NLA_U8,
356 				 NL80211_TX_POWER_AUTOMATIC,
357 				 NL80211_TX_POWER_FIXED),
358 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
359 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
360 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
361 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
362 				   .len = IEEE80211_MAX_MESH_ID_LEN },
363 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
364 
365 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
366 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
367 
368 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
369 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
370 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
371 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
372 					   .len = NL80211_MAX_SUPP_RATES },
373 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
374 
375 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
376 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
377 
378 	[NL80211_ATTR_HT_CAPABILITY] = {
379 		.type = NLA_EXACT_LEN_WARN,
380 		.len = NL80211_HT_CAPABILITY_LEN
381 	},
382 
383 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
384 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
385 						   validate_ie_attr,
386 						   IEEE80211_MAX_DATA_LEN),
387 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
388 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
389 
390 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
391 				.len = IEEE80211_MAX_SSID_LEN },
392 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
393 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
394 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
395 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
396 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
397 						  NL80211_MFP_NO,
398 						  NL80211_MFP_OPTIONAL),
399 	[NL80211_ATTR_STA_FLAGS2] = {
400 		.len = sizeof(struct nl80211_sta_flag_update),
401 	},
402 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
403 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
404 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
405 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
406 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
407 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
408 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
409 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
410 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
411 	[NL80211_ATTR_PMKID] = {
412 		.type = NLA_EXACT_LEN_WARN,
413 		.len = WLAN_PMKID_LEN
414 	},
415 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
416 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
417 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
418 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
419 				 .len = IEEE80211_MAX_DATA_LEN },
420 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
421 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
422 						   NL80211_PS_DISABLED,
423 						   NL80211_PS_ENABLED),
424 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
425 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
426 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
427 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
428 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
429 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
430 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
431 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
432 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
433 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
434 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
435 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
436 	[NL80211_ATTR_STA_PLINK_STATE] =
437 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
438 	[NL80211_ATTR_MESH_PEER_AID] =
439 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
440 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
441 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
442 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
443 	[NL80211_ATTR_HIDDEN_SSID] =
444 		NLA_POLICY_RANGE(NLA_U32,
445 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
446 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
447 	[NL80211_ATTR_IE_PROBE_RESP] =
448 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
449 				       IEEE80211_MAX_DATA_LEN),
450 	[NL80211_ATTR_IE_ASSOC_RESP] =
451 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
452 				       IEEE80211_MAX_DATA_LEN),
453 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
454 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
455 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
456 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
457 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
458 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
459 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
460 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
461 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
462 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
463 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
464 				      .len = IEEE80211_MAX_DATA_LEN },
465 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
466 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
467 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
468 		.len = NL80211_HT_CAPABILITY_LEN
469 	},
470 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
471 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
472 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
473 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
474 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
475 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
476 	[NL80211_ATTR_VHT_CAPABILITY] = {
477 		.type = NLA_EXACT_LEN_WARN,
478 		.len = NL80211_VHT_CAPABILITY_LEN
479 	},
480 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
481 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
482 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
483 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
484 		NLA_POLICY_RANGE(NLA_U32,
485 				 NL80211_MESH_POWER_UNKNOWN + 1,
486 				 NL80211_MESH_POWER_MAX),
487 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
488 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
489 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
490 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
491 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
492 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
493 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
494 		.len = NL80211_VHT_CAPABILITY_LEN,
495 	},
496 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
497 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
498 				  .len = IEEE80211_MAX_DATA_LEN },
499 	[NL80211_ATTR_PEER_AID] =
500 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
501 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
502 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
503 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
504 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
505 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
506 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
507 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
508 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
509 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
510 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
511 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
512 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
513 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
514 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
515 	[NL80211_ATTR_MAC_HINT] = {
516 		.type = NLA_EXACT_LEN_WARN,
517 		.len = ETH_ALEN
518 	},
519 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
520 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
521 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
522 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
523 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
524 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
525 	[NL80211_ATTR_USER_PRIO] =
526 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
527 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
528 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
529 	[NL80211_ATTR_MAC_MASK] = {
530 		.type = NLA_EXACT_LEN_WARN,
531 		.len = ETH_ALEN
532 	},
533 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
534 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
535 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
536 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
537 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
538 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
539 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
540 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
541 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
542 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
543 	},
544 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = {
545 		.type = NLA_EXACT_LEN_WARN,
546 		.len = ETH_ALEN
547 	},
548 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
549 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
550 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
551 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
552 				    .len = FILS_MAX_KEK_LEN },
553 	[NL80211_ATTR_FILS_NONCES] = {
554 		.type = NLA_EXACT_LEN_WARN,
555 		.len = 2 * FILS_NONCE_LEN
556 	},
557 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
558 	[NL80211_ATTR_BSSID] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
559 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
560 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
561 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
562 	},
563 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
564 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
565 					     .len = FILS_ERP_MAX_USERNAME_LEN },
566 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
567 					  .len = FILS_ERP_MAX_REALM_LEN },
568 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
569 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
570 					.len = FILS_ERP_MAX_RRK_LEN },
571 	[NL80211_ATTR_FILS_CACHE_ID] = { .type = NLA_EXACT_LEN_WARN, .len = 2 },
572 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
573 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
575 
576 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
577 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
578 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
579 	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
580 					 .len = NL80211_HE_MAX_CAPABILITY_LEN },
581 
582 	[NL80211_ATTR_FTM_RESPONDER] = {
583 		.type = NLA_NESTED,
584 		.validation_data = nl80211_ftm_responder_policy,
585 	},
586 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
587 	[NL80211_ATTR_PEER_MEASUREMENTS] =
588 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
589 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
590 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
591 					.len = SAE_PASSWORD_MAX_LEN },
592 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
593 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
594 };
595 
596 /* policy for the key attributes */
597 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
598 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
599 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
600 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
601 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
602 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
603 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
604 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
605 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
606 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
607 };
608 
609 /* policy for the key default flags */
610 static const struct nla_policy
611 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
612 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
613 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
614 };
615 
616 #ifdef CONFIG_PM
617 /* policy for WoWLAN attributes */
618 static const struct nla_policy
619 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
620 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
621 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
622 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
623 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
624 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
625 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
626 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
627 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
628 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
629 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
630 };
631 
632 static const struct nla_policy
633 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
634 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
635 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
636 	[NL80211_WOWLAN_TCP_DST_MAC] = {
637 		.type = NLA_EXACT_LEN_WARN,
638 		.len = ETH_ALEN
639 	},
640 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
641 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
642 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
643 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
644 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
645 	},
646 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
647 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
648 	},
649 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
650 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
651 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .type = NLA_MIN_LEN, .len = 1 },
652 };
653 #endif /* CONFIG_PM */
654 
655 /* policy for coalesce rule attributes */
656 static const struct nla_policy
657 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
658 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
659 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
660 		NLA_POLICY_RANGE(NLA_U32,
661 				 NL80211_COALESCE_CONDITION_MATCH,
662 				 NL80211_COALESCE_CONDITION_NO_MATCH),
663 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
664 };
665 
666 /* policy for GTK rekey offload attributes */
667 static const struct nla_policy
668 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
669 	[NL80211_REKEY_DATA_KEK] = {
670 		.type = NLA_EXACT_LEN_WARN,
671 		.len = NL80211_KEK_LEN,
672 	},
673 	[NL80211_REKEY_DATA_KCK] = {
674 		.type = NLA_EXACT_LEN_WARN,
675 		.len = NL80211_KCK_LEN,
676 	},
677 	[NL80211_REKEY_DATA_REPLAY_CTR] = {
678 		.type = NLA_EXACT_LEN_WARN,
679 		.len = NL80211_REPLAY_CTR_LEN
680 	},
681 };
682 
683 static const struct nla_policy
684 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
685 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
686 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
687 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
688 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
689 };
690 
691 static const struct nla_policy
692 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
693 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
694 						 .len = IEEE80211_MAX_SSID_LEN },
695 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = {
696 		.type = NLA_EXACT_LEN_WARN,
697 		.len = ETH_ALEN
698 	},
699 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
700 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
701 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
702 };
703 
704 static const struct nla_policy
705 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
706 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
707 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
708 };
709 
710 static const struct nla_policy
711 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
712 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
713 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
714 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
715 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
716 	},
717 };
718 
719 /* policy for NAN function attributes */
720 static const struct nla_policy
721 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
722 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
723 	[NL80211_NAN_FUNC_SERVICE_ID] = {
724 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
725 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
726 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
727 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
728 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
729 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
730 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = {
731 		.type = NLA_EXACT_LEN_WARN,
732 		.len = ETH_ALEN
733 	},
734 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
735 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
736 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
737 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
738 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
739 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
740 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
741 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
742 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
743 };
744 
745 /* policy for Service Response Filter attributes */
746 static const struct nla_policy
747 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
748 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
749 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
750 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
751 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
752 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
753 };
754 
755 /* policy for packet pattern attributes */
756 static const struct nla_policy
757 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
758 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
759 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
760 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
761 };
762 
763 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
764 			      struct cfg80211_registered_device **rdev,
765 			      struct wireless_dev **wdev)
766 {
767 	int err;
768 
769 	if (!cb->args[0]) {
770 		struct nlattr **attrbuf;
771 
772 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
773 				  GFP_KERNEL);
774 		if (!attrbuf)
775 			return -ENOMEM;
776 
777 		err = nlmsg_parse_deprecated(cb->nlh,
778 					     GENL_HDRLEN + nl80211_fam.hdrsize,
779 					     attrbuf, nl80211_fam.maxattr,
780 					     nl80211_policy, NULL);
781 		if (err) {
782 			kfree(attrbuf);
783 			return err;
784 		}
785 
786 		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
787 						   attrbuf);
788 		kfree(attrbuf);
789 		if (IS_ERR(*wdev))
790 			return PTR_ERR(*wdev);
791 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
792 		/* 0 is the first index - add 1 to parse only once */
793 		cb->args[0] = (*rdev)->wiphy_idx + 1;
794 		cb->args[1] = (*wdev)->identifier;
795 	} else {
796 		/* subtract the 1 again here */
797 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
798 		struct wireless_dev *tmp;
799 
800 		if (!wiphy)
801 			return -ENODEV;
802 		*rdev = wiphy_to_rdev(wiphy);
803 		*wdev = NULL;
804 
805 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
806 			if (tmp->identifier == cb->args[1]) {
807 				*wdev = tmp;
808 				break;
809 			}
810 		}
811 
812 		if (!*wdev)
813 			return -ENODEV;
814 	}
815 
816 	return 0;
817 }
818 
819 /* message building helper */
820 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
821 		     int flags, u8 cmd)
822 {
823 	/* since there is no private header just add the generic one */
824 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
825 }
826 
827 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
828 				     const struct ieee80211_reg_rule *rule)
829 {
830 	int j;
831 	struct nlattr *nl_wmm_rules =
832 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
833 
834 	if (!nl_wmm_rules)
835 		goto nla_put_failure;
836 
837 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
838 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
839 
840 		if (!nl_wmm_rule)
841 			goto nla_put_failure;
842 
843 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
844 				rule->wmm_rule.client[j].cw_min) ||
845 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
846 				rule->wmm_rule.client[j].cw_max) ||
847 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
848 			       rule->wmm_rule.client[j].aifsn) ||
849 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
850 			        rule->wmm_rule.client[j].cot))
851 			goto nla_put_failure;
852 
853 		nla_nest_end(msg, nl_wmm_rule);
854 	}
855 	nla_nest_end(msg, nl_wmm_rules);
856 
857 	return 0;
858 
859 nla_put_failure:
860 	return -ENOBUFS;
861 }
862 
863 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
864 				   struct ieee80211_channel *chan,
865 				   bool large)
866 {
867 	/* Some channels must be completely excluded from the
868 	 * list to protect old user-space tools from breaking
869 	 */
870 	if (!large && chan->flags &
871 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
872 		return 0;
873 
874 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
875 			chan->center_freq))
876 		goto nla_put_failure;
877 
878 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
879 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
880 		goto nla_put_failure;
881 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
882 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
883 			goto nla_put_failure;
884 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
885 			goto nla_put_failure;
886 	}
887 	if (chan->flags & IEEE80211_CHAN_RADAR) {
888 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
889 			goto nla_put_failure;
890 		if (large) {
891 			u32 time;
892 
893 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
894 
895 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
896 					chan->dfs_state))
897 				goto nla_put_failure;
898 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
899 					time))
900 				goto nla_put_failure;
901 			if (nla_put_u32(msg,
902 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
903 					chan->dfs_cac_ms))
904 				goto nla_put_failure;
905 		}
906 	}
907 
908 	if (large) {
909 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
910 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
911 			goto nla_put_failure;
912 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
913 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
914 			goto nla_put_failure;
915 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
916 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
917 			goto nla_put_failure;
918 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
919 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
920 			goto nla_put_failure;
921 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
922 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
923 			goto nla_put_failure;
924 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
925 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
926 			goto nla_put_failure;
927 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
928 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
929 			goto nla_put_failure;
930 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
931 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
932 			goto nla_put_failure;
933 	}
934 
935 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
936 			DBM_TO_MBM(chan->max_power)))
937 		goto nla_put_failure;
938 
939 	if (large) {
940 		const struct ieee80211_reg_rule *rule =
941 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
942 
943 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
944 			if (nl80211_msg_put_wmm_rules(msg, rule))
945 				goto nla_put_failure;
946 		}
947 	}
948 
949 	return 0;
950 
951  nla_put_failure:
952 	return -ENOBUFS;
953 }
954 
955 static bool nl80211_put_txq_stats(struct sk_buff *msg,
956 				  struct cfg80211_txq_stats *txqstats,
957 				  int attrtype)
958 {
959 	struct nlattr *txqattr;
960 
961 #define PUT_TXQVAL_U32(attr, memb) do {					  \
962 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
963 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
964 		return false;						  \
965 	} while (0)
966 
967 	txqattr = nla_nest_start_noflag(msg, attrtype);
968 	if (!txqattr)
969 		return false;
970 
971 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
972 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
973 	PUT_TXQVAL_U32(FLOWS, flows);
974 	PUT_TXQVAL_U32(DROPS, drops);
975 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
976 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
977 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
978 	PUT_TXQVAL_U32(COLLISIONS, collisions);
979 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
980 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
981 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
982 	nla_nest_end(msg, txqattr);
983 
984 #undef PUT_TXQVAL_U32
985 	return true;
986 }
987 
988 /* netlink command implementations */
989 
990 struct key_parse {
991 	struct key_params p;
992 	int idx;
993 	int type;
994 	bool def, defmgmt;
995 	bool def_uni, def_multi;
996 };
997 
998 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
999 				 struct key_parse *k)
1000 {
1001 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1002 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1003 					      nl80211_key_policy,
1004 					      info->extack);
1005 	if (err)
1006 		return err;
1007 
1008 	k->def = !!tb[NL80211_KEY_DEFAULT];
1009 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1010 
1011 	if (k->def) {
1012 		k->def_uni = true;
1013 		k->def_multi = true;
1014 	}
1015 	if (k->defmgmt)
1016 		k->def_multi = true;
1017 
1018 	if (tb[NL80211_KEY_IDX])
1019 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1020 
1021 	if (tb[NL80211_KEY_DATA]) {
1022 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1023 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1024 	}
1025 
1026 	if (tb[NL80211_KEY_SEQ]) {
1027 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1028 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1029 	}
1030 
1031 	if (tb[NL80211_KEY_CIPHER])
1032 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1033 
1034 	if (tb[NL80211_KEY_TYPE])
1035 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1036 
1037 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1038 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1039 
1040 		err = nla_parse_nested_deprecated(kdt,
1041 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1042 						  tb[NL80211_KEY_DEFAULT_TYPES],
1043 						  nl80211_key_default_policy,
1044 						  info->extack);
1045 		if (err)
1046 			return err;
1047 
1048 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1049 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1050 	}
1051 
1052 	if (tb[NL80211_KEY_MODE])
1053 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1054 
1055 	return 0;
1056 }
1057 
1058 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1059 {
1060 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1061 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1062 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1063 	}
1064 
1065 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1066 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1067 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1068 	}
1069 
1070 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1071 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1072 
1073 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1074 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1075 
1076 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1077 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1078 
1079 	if (k->def) {
1080 		k->def_uni = true;
1081 		k->def_multi = true;
1082 	}
1083 	if (k->defmgmt)
1084 		k->def_multi = true;
1085 
1086 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1087 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1088 
1089 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1090 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1091 		int err = nla_parse_nested_deprecated(kdt,
1092 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1093 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1094 						      nl80211_key_default_policy,
1095 						      info->extack);
1096 		if (err)
1097 			return err;
1098 
1099 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1100 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1101 	}
1102 
1103 	return 0;
1104 }
1105 
1106 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1107 {
1108 	int err;
1109 
1110 	memset(k, 0, sizeof(*k));
1111 	k->idx = -1;
1112 	k->type = -1;
1113 
1114 	if (info->attrs[NL80211_ATTR_KEY])
1115 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1116 	else
1117 		err = nl80211_parse_key_old(info, k);
1118 
1119 	if (err)
1120 		return err;
1121 
1122 	if (k->def && k->defmgmt) {
1123 		GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
1124 		return -EINVAL;
1125 	}
1126 
1127 	if (k->defmgmt) {
1128 		if (k->def_uni || !k->def_multi) {
1129 			GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
1130 			return -EINVAL;
1131 		}
1132 	}
1133 
1134 	if (k->idx != -1) {
1135 		if (k->defmgmt) {
1136 			if (k->idx < 4 || k->idx > 5) {
1137 				GENL_SET_ERR_MSG(info,
1138 						 "defmgmt key idx not 4 or 5");
1139 				return -EINVAL;
1140 			}
1141 		} else if (k->def) {
1142 			if (k->idx < 0 || k->idx > 3) {
1143 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1144 				return -EINVAL;
1145 			}
1146 		} else {
1147 			if (k->idx < 0 || k->idx > 5) {
1148 				GENL_SET_ERR_MSG(info, "key idx not 0-5");
1149 				return -EINVAL;
1150 			}
1151 		}
1152 	}
1153 
1154 	return 0;
1155 }
1156 
1157 static struct cfg80211_cached_keys *
1158 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1159 		       struct genl_info *info, bool *no_ht)
1160 {
1161 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1162 	struct key_parse parse;
1163 	struct nlattr *key;
1164 	struct cfg80211_cached_keys *result;
1165 	int rem, err, def = 0;
1166 	bool have_key = false;
1167 
1168 	nla_for_each_nested(key, keys, rem) {
1169 		have_key = true;
1170 		break;
1171 	}
1172 
1173 	if (!have_key)
1174 		return NULL;
1175 
1176 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1177 	if (!result)
1178 		return ERR_PTR(-ENOMEM);
1179 
1180 	result->def = -1;
1181 
1182 	nla_for_each_nested(key, keys, rem) {
1183 		memset(&parse, 0, sizeof(parse));
1184 		parse.idx = -1;
1185 
1186 		err = nl80211_parse_key_new(info, key, &parse);
1187 		if (err)
1188 			goto error;
1189 		err = -EINVAL;
1190 		if (!parse.p.key)
1191 			goto error;
1192 		if (parse.idx < 0 || parse.idx > 3) {
1193 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1194 			goto error;
1195 		}
1196 		if (parse.def) {
1197 			if (def) {
1198 				GENL_SET_ERR_MSG(info,
1199 						 "only one key can be default");
1200 				goto error;
1201 			}
1202 			def = 1;
1203 			result->def = parse.idx;
1204 			if (!parse.def_uni || !parse.def_multi)
1205 				goto error;
1206 		} else if (parse.defmgmt)
1207 			goto error;
1208 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1209 						     parse.idx, false, NULL);
1210 		if (err)
1211 			goto error;
1212 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1213 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1214 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1215 			err = -EINVAL;
1216 			goto error;
1217 		}
1218 		result->params[parse.idx].cipher = parse.p.cipher;
1219 		result->params[parse.idx].key_len = parse.p.key_len;
1220 		result->params[parse.idx].key = result->data[parse.idx];
1221 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1222 
1223 		/* must be WEP key if we got here */
1224 		if (no_ht)
1225 			*no_ht = true;
1226 	}
1227 
1228 	if (result->def < 0) {
1229 		err = -EINVAL;
1230 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1231 		goto error;
1232 	}
1233 
1234 	return result;
1235  error:
1236 	kfree(result);
1237 	return ERR_PTR(err);
1238 }
1239 
1240 static int nl80211_key_allowed(struct wireless_dev *wdev)
1241 {
1242 	ASSERT_WDEV_LOCK(wdev);
1243 
1244 	switch (wdev->iftype) {
1245 	case NL80211_IFTYPE_AP:
1246 	case NL80211_IFTYPE_AP_VLAN:
1247 	case NL80211_IFTYPE_P2P_GO:
1248 	case NL80211_IFTYPE_MESH_POINT:
1249 		break;
1250 	case NL80211_IFTYPE_ADHOC:
1251 	case NL80211_IFTYPE_STATION:
1252 	case NL80211_IFTYPE_P2P_CLIENT:
1253 		if (!wdev->current_bss)
1254 			return -ENOLINK;
1255 		break;
1256 	case NL80211_IFTYPE_UNSPECIFIED:
1257 	case NL80211_IFTYPE_OCB:
1258 	case NL80211_IFTYPE_MONITOR:
1259 	case NL80211_IFTYPE_NAN:
1260 	case NL80211_IFTYPE_P2P_DEVICE:
1261 	case NL80211_IFTYPE_WDS:
1262 	case NUM_NL80211_IFTYPES:
1263 		return -EINVAL;
1264 	}
1265 
1266 	return 0;
1267 }
1268 
1269 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1270 							struct nlattr *tb)
1271 {
1272 	struct ieee80211_channel *chan;
1273 
1274 	if (tb == NULL)
1275 		return NULL;
1276 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1277 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1278 		return NULL;
1279 	return chan;
1280 }
1281 
1282 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1283 {
1284 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1285 	int i;
1286 
1287 	if (!nl_modes)
1288 		goto nla_put_failure;
1289 
1290 	i = 0;
1291 	while (ifmodes) {
1292 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1293 			goto nla_put_failure;
1294 		ifmodes >>= 1;
1295 		i++;
1296 	}
1297 
1298 	nla_nest_end(msg, nl_modes);
1299 	return 0;
1300 
1301 nla_put_failure:
1302 	return -ENOBUFS;
1303 }
1304 
1305 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1306 					  struct sk_buff *msg,
1307 					  bool large)
1308 {
1309 	struct nlattr *nl_combis;
1310 	int i, j;
1311 
1312 	nl_combis = nla_nest_start_noflag(msg,
1313 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1314 	if (!nl_combis)
1315 		goto nla_put_failure;
1316 
1317 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1318 		const struct ieee80211_iface_combination *c;
1319 		struct nlattr *nl_combi, *nl_limits;
1320 
1321 		c = &wiphy->iface_combinations[i];
1322 
1323 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1324 		if (!nl_combi)
1325 			goto nla_put_failure;
1326 
1327 		nl_limits = nla_nest_start_noflag(msg,
1328 						  NL80211_IFACE_COMB_LIMITS);
1329 		if (!nl_limits)
1330 			goto nla_put_failure;
1331 
1332 		for (j = 0; j < c->n_limits; j++) {
1333 			struct nlattr *nl_limit;
1334 
1335 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1336 			if (!nl_limit)
1337 				goto nla_put_failure;
1338 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1339 					c->limits[j].max))
1340 				goto nla_put_failure;
1341 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1342 						c->limits[j].types))
1343 				goto nla_put_failure;
1344 			nla_nest_end(msg, nl_limit);
1345 		}
1346 
1347 		nla_nest_end(msg, nl_limits);
1348 
1349 		if (c->beacon_int_infra_match &&
1350 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1351 			goto nla_put_failure;
1352 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1353 				c->num_different_channels) ||
1354 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1355 				c->max_interfaces))
1356 			goto nla_put_failure;
1357 		if (large &&
1358 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1359 				c->radar_detect_widths) ||
1360 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1361 				c->radar_detect_regions)))
1362 			goto nla_put_failure;
1363 		if (c->beacon_int_min_gcd &&
1364 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1365 				c->beacon_int_min_gcd))
1366 			goto nla_put_failure;
1367 
1368 		nla_nest_end(msg, nl_combi);
1369 	}
1370 
1371 	nla_nest_end(msg, nl_combis);
1372 
1373 	return 0;
1374 nla_put_failure:
1375 	return -ENOBUFS;
1376 }
1377 
1378 #ifdef CONFIG_PM
1379 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1380 					struct sk_buff *msg)
1381 {
1382 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1383 	struct nlattr *nl_tcp;
1384 
1385 	if (!tcp)
1386 		return 0;
1387 
1388 	nl_tcp = nla_nest_start_noflag(msg,
1389 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1390 	if (!nl_tcp)
1391 		return -ENOBUFS;
1392 
1393 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1394 			tcp->data_payload_max))
1395 		return -ENOBUFS;
1396 
1397 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1398 			tcp->data_payload_max))
1399 		return -ENOBUFS;
1400 
1401 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1402 		return -ENOBUFS;
1403 
1404 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1405 				sizeof(*tcp->tok), tcp->tok))
1406 		return -ENOBUFS;
1407 
1408 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1409 			tcp->data_interval_max))
1410 		return -ENOBUFS;
1411 
1412 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1413 			tcp->wake_payload_max))
1414 		return -ENOBUFS;
1415 
1416 	nla_nest_end(msg, nl_tcp);
1417 	return 0;
1418 }
1419 
1420 static int nl80211_send_wowlan(struct sk_buff *msg,
1421 			       struct cfg80211_registered_device *rdev,
1422 			       bool large)
1423 {
1424 	struct nlattr *nl_wowlan;
1425 
1426 	if (!rdev->wiphy.wowlan)
1427 		return 0;
1428 
1429 	nl_wowlan = nla_nest_start_noflag(msg,
1430 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1431 	if (!nl_wowlan)
1432 		return -ENOBUFS;
1433 
1434 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1435 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1436 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1437 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1438 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1439 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1440 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1441 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1442 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1443 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1444 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1445 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1446 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1447 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1448 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1449 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1450 		return -ENOBUFS;
1451 
1452 	if (rdev->wiphy.wowlan->n_patterns) {
1453 		struct nl80211_pattern_support pat = {
1454 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1455 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1456 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1457 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1458 		};
1459 
1460 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1461 			    sizeof(pat), &pat))
1462 			return -ENOBUFS;
1463 	}
1464 
1465 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1466 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1467 			rdev->wiphy.wowlan->max_nd_match_sets))
1468 		return -ENOBUFS;
1469 
1470 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1471 		return -ENOBUFS;
1472 
1473 	nla_nest_end(msg, nl_wowlan);
1474 
1475 	return 0;
1476 }
1477 #endif
1478 
1479 static int nl80211_send_coalesce(struct sk_buff *msg,
1480 				 struct cfg80211_registered_device *rdev)
1481 {
1482 	struct nl80211_coalesce_rule_support rule;
1483 
1484 	if (!rdev->wiphy.coalesce)
1485 		return 0;
1486 
1487 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1488 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1489 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1490 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1491 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1492 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1493 
1494 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1495 		return -ENOBUFS;
1496 
1497 	return 0;
1498 }
1499 
1500 static int
1501 nl80211_send_iftype_data(struct sk_buff *msg,
1502 			 const struct ieee80211_sband_iftype_data *iftdata)
1503 {
1504 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1505 
1506 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1507 				iftdata->types_mask))
1508 		return -ENOBUFS;
1509 
1510 	if (he_cap->has_he) {
1511 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1512 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1513 			    he_cap->he_cap_elem.mac_cap_info) ||
1514 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1515 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1516 			    he_cap->he_cap_elem.phy_cap_info) ||
1517 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1518 			    sizeof(he_cap->he_mcs_nss_supp),
1519 			    &he_cap->he_mcs_nss_supp) ||
1520 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1521 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1522 			return -ENOBUFS;
1523 	}
1524 
1525 	return 0;
1526 }
1527 
1528 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1529 				      struct ieee80211_supported_band *sband)
1530 {
1531 	struct nlattr *nl_rates, *nl_rate;
1532 	struct ieee80211_rate *rate;
1533 	int i;
1534 
1535 	/* add HT info */
1536 	if (sband->ht_cap.ht_supported &&
1537 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1538 		     sizeof(sband->ht_cap.mcs),
1539 		     &sband->ht_cap.mcs) ||
1540 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1541 			 sband->ht_cap.cap) ||
1542 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1543 			sband->ht_cap.ampdu_factor) ||
1544 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1545 			sband->ht_cap.ampdu_density)))
1546 		return -ENOBUFS;
1547 
1548 	/* add VHT info */
1549 	if (sband->vht_cap.vht_supported &&
1550 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1551 		     sizeof(sband->vht_cap.vht_mcs),
1552 		     &sband->vht_cap.vht_mcs) ||
1553 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1554 			 sband->vht_cap.cap)))
1555 		return -ENOBUFS;
1556 
1557 	if (sband->n_iftype_data) {
1558 		struct nlattr *nl_iftype_data =
1559 			nla_nest_start_noflag(msg,
1560 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1561 		int err;
1562 
1563 		if (!nl_iftype_data)
1564 			return -ENOBUFS;
1565 
1566 		for (i = 0; i < sband->n_iftype_data; i++) {
1567 			struct nlattr *iftdata;
1568 
1569 			iftdata = nla_nest_start_noflag(msg, i + 1);
1570 			if (!iftdata)
1571 				return -ENOBUFS;
1572 
1573 			err = nl80211_send_iftype_data(msg,
1574 						       &sband->iftype_data[i]);
1575 			if (err)
1576 				return err;
1577 
1578 			nla_nest_end(msg, iftdata);
1579 		}
1580 
1581 		nla_nest_end(msg, nl_iftype_data);
1582 	}
1583 
1584 	/* add EDMG info */
1585 	if (sband->edmg_cap.channels &&
1586 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1587 		       sband->edmg_cap.channels) ||
1588 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1589 		       sband->edmg_cap.bw_config)))
1590 
1591 		return -ENOBUFS;
1592 
1593 	/* add bitrates */
1594 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1595 	if (!nl_rates)
1596 		return -ENOBUFS;
1597 
1598 	for (i = 0; i < sband->n_bitrates; i++) {
1599 		nl_rate = nla_nest_start_noflag(msg, i);
1600 		if (!nl_rate)
1601 			return -ENOBUFS;
1602 
1603 		rate = &sband->bitrates[i];
1604 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1605 				rate->bitrate))
1606 			return -ENOBUFS;
1607 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1608 		    nla_put_flag(msg,
1609 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1610 			return -ENOBUFS;
1611 
1612 		nla_nest_end(msg, nl_rate);
1613 	}
1614 
1615 	nla_nest_end(msg, nl_rates);
1616 
1617 	return 0;
1618 }
1619 
1620 static int
1621 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1622 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1623 {
1624 	u16 stypes;
1625 	struct nlattr *nl_ftypes, *nl_ifs;
1626 	enum nl80211_iftype ift;
1627 	int i;
1628 
1629 	if (!mgmt_stypes)
1630 		return 0;
1631 
1632 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1633 	if (!nl_ifs)
1634 		return -ENOBUFS;
1635 
1636 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1637 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1638 		if (!nl_ftypes)
1639 			return -ENOBUFS;
1640 		i = 0;
1641 		stypes = mgmt_stypes[ift].tx;
1642 		while (stypes) {
1643 			if ((stypes & 1) &&
1644 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1645 					(i << 4) | IEEE80211_FTYPE_MGMT))
1646 				return -ENOBUFS;
1647 			stypes >>= 1;
1648 			i++;
1649 		}
1650 		nla_nest_end(msg, nl_ftypes);
1651 	}
1652 
1653 	nla_nest_end(msg, nl_ifs);
1654 
1655 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1656 	if (!nl_ifs)
1657 		return -ENOBUFS;
1658 
1659 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1660 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1661 		if (!nl_ftypes)
1662 			return -ENOBUFS;
1663 		i = 0;
1664 		stypes = mgmt_stypes[ift].rx;
1665 		while (stypes) {
1666 			if ((stypes & 1) &&
1667 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1668 					(i << 4) | IEEE80211_FTYPE_MGMT))
1669 				return -ENOBUFS;
1670 			stypes >>= 1;
1671 			i++;
1672 		}
1673 		nla_nest_end(msg, nl_ftypes);
1674 	}
1675 	nla_nest_end(msg, nl_ifs);
1676 
1677 	return 0;
1678 }
1679 
1680 #define CMD(op, n)							\
1681 	 do {								\
1682 		if (rdev->ops->op) {					\
1683 			i++;						\
1684 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1685 				goto nla_put_failure;			\
1686 		}							\
1687 	} while (0)
1688 
1689 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1690 					struct sk_buff *msg)
1691 {
1692 	int i = 0;
1693 
1694 	/*
1695 	 * do *NOT* add anything into this function, new things need to be
1696 	 * advertised only to new versions of userspace that can deal with
1697 	 * the split (and they can't possibly care about new features...
1698 	 */
1699 	CMD(add_virtual_intf, NEW_INTERFACE);
1700 	CMD(change_virtual_intf, SET_INTERFACE);
1701 	CMD(add_key, NEW_KEY);
1702 	CMD(start_ap, START_AP);
1703 	CMD(add_station, NEW_STATION);
1704 	CMD(add_mpath, NEW_MPATH);
1705 	CMD(update_mesh_config, SET_MESH_CONFIG);
1706 	CMD(change_bss, SET_BSS);
1707 	CMD(auth, AUTHENTICATE);
1708 	CMD(assoc, ASSOCIATE);
1709 	CMD(deauth, DEAUTHENTICATE);
1710 	CMD(disassoc, DISASSOCIATE);
1711 	CMD(join_ibss, JOIN_IBSS);
1712 	CMD(join_mesh, JOIN_MESH);
1713 	CMD(set_pmksa, SET_PMKSA);
1714 	CMD(del_pmksa, DEL_PMKSA);
1715 	CMD(flush_pmksa, FLUSH_PMKSA);
1716 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1717 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1718 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1719 	CMD(mgmt_tx, FRAME);
1720 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1721 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1722 		i++;
1723 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1724 			goto nla_put_failure;
1725 	}
1726 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1727 	    rdev->ops->join_mesh) {
1728 		i++;
1729 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1730 			goto nla_put_failure;
1731 	}
1732 	CMD(set_wds_peer, SET_WDS_PEER);
1733 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1734 		CMD(tdls_mgmt, TDLS_MGMT);
1735 		CMD(tdls_oper, TDLS_OPER);
1736 	}
1737 	if (rdev->wiphy.max_sched_scan_reqs)
1738 		CMD(sched_scan_start, START_SCHED_SCAN);
1739 	CMD(probe_client, PROBE_CLIENT);
1740 	CMD(set_noack_map, SET_NOACK_MAP);
1741 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1742 		i++;
1743 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1744 			goto nla_put_failure;
1745 	}
1746 	CMD(start_p2p_device, START_P2P_DEVICE);
1747 	CMD(set_mcast_rate, SET_MCAST_RATE);
1748 #ifdef CONFIG_NL80211_TESTMODE
1749 	CMD(testmode_cmd, TESTMODE);
1750 #endif
1751 
1752 	if (rdev->ops->connect || rdev->ops->auth) {
1753 		i++;
1754 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1755 			goto nla_put_failure;
1756 	}
1757 
1758 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1759 		i++;
1760 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1761 			goto nla_put_failure;
1762 	}
1763 
1764 	return i;
1765  nla_put_failure:
1766 	return -ENOBUFS;
1767 }
1768 
1769 static int
1770 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1771 			   struct sk_buff *msg)
1772 {
1773 	struct nlattr *ftm;
1774 
1775 	if (!cap->ftm.supported)
1776 		return 0;
1777 
1778 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1779 	if (!ftm)
1780 		return -ENOBUFS;
1781 
1782 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1783 		return -ENOBUFS;
1784 	if (cap->ftm.non_asap &&
1785 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1786 		return -ENOBUFS;
1787 	if (cap->ftm.request_lci &&
1788 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1789 		return -ENOBUFS;
1790 	if (cap->ftm.request_civicloc &&
1791 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1792 		return -ENOBUFS;
1793 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1794 			cap->ftm.preambles))
1795 		return -ENOBUFS;
1796 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1797 			cap->ftm.bandwidths))
1798 		return -ENOBUFS;
1799 	if (cap->ftm.max_bursts_exponent >= 0 &&
1800 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1801 			cap->ftm.max_bursts_exponent))
1802 		return -ENOBUFS;
1803 	if (cap->ftm.max_ftms_per_burst &&
1804 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1805 			cap->ftm.max_ftms_per_burst))
1806 		return -ENOBUFS;
1807 
1808 	nla_nest_end(msg, ftm);
1809 	return 0;
1810 }
1811 
1812 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1813 				  struct sk_buff *msg)
1814 {
1815 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1816 	struct nlattr *pmsr, *caps;
1817 
1818 	if (!cap)
1819 		return 0;
1820 
1821 	/*
1822 	 * we don't need to clean up anything here since the caller
1823 	 * will genlmsg_cancel() if we fail
1824 	 */
1825 
1826 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1827 	if (!pmsr)
1828 		return -ENOBUFS;
1829 
1830 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1831 		return -ENOBUFS;
1832 
1833 	if (cap->report_ap_tsf &&
1834 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1835 		return -ENOBUFS;
1836 
1837 	if (cap->randomize_mac_addr &&
1838 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1839 		return -ENOBUFS;
1840 
1841 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1842 	if (!caps)
1843 		return -ENOBUFS;
1844 
1845 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1846 		return -ENOBUFS;
1847 
1848 	nla_nest_end(msg, caps);
1849 	nla_nest_end(msg, pmsr);
1850 
1851 	return 0;
1852 }
1853 
1854 struct nl80211_dump_wiphy_state {
1855 	s64 filter_wiphy;
1856 	long start;
1857 	long split_start, band_start, chan_start, capa_start;
1858 	bool split;
1859 };
1860 
1861 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1862 			      enum nl80211_commands cmd,
1863 			      struct sk_buff *msg, u32 portid, u32 seq,
1864 			      int flags, struct nl80211_dump_wiphy_state *state)
1865 {
1866 	void *hdr;
1867 	struct nlattr *nl_bands, *nl_band;
1868 	struct nlattr *nl_freqs, *nl_freq;
1869 	struct nlattr *nl_cmds;
1870 	enum nl80211_band band;
1871 	struct ieee80211_channel *chan;
1872 	int i;
1873 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1874 				rdev->wiphy.mgmt_stypes;
1875 	u32 features;
1876 
1877 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1878 	if (!hdr)
1879 		return -ENOBUFS;
1880 
1881 	if (WARN_ON(!state))
1882 		return -EINVAL;
1883 
1884 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1885 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1886 			   wiphy_name(&rdev->wiphy)) ||
1887 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1888 			cfg80211_rdev_list_generation))
1889 		goto nla_put_failure;
1890 
1891 	if (cmd != NL80211_CMD_NEW_WIPHY)
1892 		goto finish;
1893 
1894 	switch (state->split_start) {
1895 	case 0:
1896 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1897 			       rdev->wiphy.retry_short) ||
1898 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1899 			       rdev->wiphy.retry_long) ||
1900 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1901 				rdev->wiphy.frag_threshold) ||
1902 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1903 				rdev->wiphy.rts_threshold) ||
1904 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1905 			       rdev->wiphy.coverage_class) ||
1906 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1907 			       rdev->wiphy.max_scan_ssids) ||
1908 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1909 			       rdev->wiphy.max_sched_scan_ssids) ||
1910 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1911 				rdev->wiphy.max_scan_ie_len) ||
1912 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1913 				rdev->wiphy.max_sched_scan_ie_len) ||
1914 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1915 			       rdev->wiphy.max_match_sets) ||
1916 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1917 				rdev->wiphy.max_sched_scan_plans) ||
1918 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1919 				rdev->wiphy.max_sched_scan_plan_interval) ||
1920 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1921 				rdev->wiphy.max_sched_scan_plan_iterations))
1922 			goto nla_put_failure;
1923 
1924 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1925 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1926 			goto nla_put_failure;
1927 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1928 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1929 			goto nla_put_failure;
1930 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1931 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1932 			goto nla_put_failure;
1933 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1934 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1935 			goto nla_put_failure;
1936 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1937 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1938 			goto nla_put_failure;
1939 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1940 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1941 			goto nla_put_failure;
1942 		state->split_start++;
1943 		if (state->split)
1944 			break;
1945 		/* fall through */
1946 	case 1:
1947 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1948 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1949 			    rdev->wiphy.cipher_suites))
1950 			goto nla_put_failure;
1951 
1952 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1953 			       rdev->wiphy.max_num_pmkids))
1954 			goto nla_put_failure;
1955 
1956 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1957 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1958 			goto nla_put_failure;
1959 
1960 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1961 				rdev->wiphy.available_antennas_tx) ||
1962 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1963 				rdev->wiphy.available_antennas_rx))
1964 			goto nla_put_failure;
1965 
1966 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1967 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1968 				rdev->wiphy.probe_resp_offload))
1969 			goto nla_put_failure;
1970 
1971 		if ((rdev->wiphy.available_antennas_tx ||
1972 		     rdev->wiphy.available_antennas_rx) &&
1973 		    rdev->ops->get_antenna) {
1974 			u32 tx_ant = 0, rx_ant = 0;
1975 			int res;
1976 
1977 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1978 			if (!res) {
1979 				if (nla_put_u32(msg,
1980 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1981 						tx_ant) ||
1982 				    nla_put_u32(msg,
1983 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1984 						rx_ant))
1985 					goto nla_put_failure;
1986 			}
1987 		}
1988 
1989 		state->split_start++;
1990 		if (state->split)
1991 			break;
1992 		/* fall through */
1993 	case 2:
1994 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1995 					rdev->wiphy.interface_modes))
1996 				goto nla_put_failure;
1997 		state->split_start++;
1998 		if (state->split)
1999 			break;
2000 		/* fall through */
2001 	case 3:
2002 		nl_bands = nla_nest_start_noflag(msg,
2003 						 NL80211_ATTR_WIPHY_BANDS);
2004 		if (!nl_bands)
2005 			goto nla_put_failure;
2006 
2007 		for (band = state->band_start;
2008 		     band < NUM_NL80211_BANDS; band++) {
2009 			struct ieee80211_supported_band *sband;
2010 
2011 			sband = rdev->wiphy.bands[band];
2012 
2013 			if (!sband)
2014 				continue;
2015 
2016 			nl_band = nla_nest_start_noflag(msg, band);
2017 			if (!nl_band)
2018 				goto nla_put_failure;
2019 
2020 			switch (state->chan_start) {
2021 			case 0:
2022 				if (nl80211_send_band_rateinfo(msg, sband))
2023 					goto nla_put_failure;
2024 				state->chan_start++;
2025 				if (state->split)
2026 					break;
2027 				/* fall through */
2028 			default:
2029 				/* add frequencies */
2030 				nl_freqs = nla_nest_start_noflag(msg,
2031 								 NL80211_BAND_ATTR_FREQS);
2032 				if (!nl_freqs)
2033 					goto nla_put_failure;
2034 
2035 				for (i = state->chan_start - 1;
2036 				     i < sband->n_channels;
2037 				     i++) {
2038 					nl_freq = nla_nest_start_noflag(msg,
2039 									i);
2040 					if (!nl_freq)
2041 						goto nla_put_failure;
2042 
2043 					chan = &sband->channels[i];
2044 
2045 					if (nl80211_msg_put_channel(
2046 							msg, &rdev->wiphy, chan,
2047 							state->split))
2048 						goto nla_put_failure;
2049 
2050 					nla_nest_end(msg, nl_freq);
2051 					if (state->split)
2052 						break;
2053 				}
2054 				if (i < sband->n_channels)
2055 					state->chan_start = i + 2;
2056 				else
2057 					state->chan_start = 0;
2058 				nla_nest_end(msg, nl_freqs);
2059 			}
2060 
2061 			nla_nest_end(msg, nl_band);
2062 
2063 			if (state->split) {
2064 				/* start again here */
2065 				if (state->chan_start)
2066 					band--;
2067 				break;
2068 			}
2069 		}
2070 		nla_nest_end(msg, nl_bands);
2071 
2072 		if (band < NUM_NL80211_BANDS)
2073 			state->band_start = band + 1;
2074 		else
2075 			state->band_start = 0;
2076 
2077 		/* if bands & channels are done, continue outside */
2078 		if (state->band_start == 0 && state->chan_start == 0)
2079 			state->split_start++;
2080 		if (state->split)
2081 			break;
2082 		/* fall through */
2083 	case 4:
2084 		nl_cmds = nla_nest_start_noflag(msg,
2085 						NL80211_ATTR_SUPPORTED_COMMANDS);
2086 		if (!nl_cmds)
2087 			goto nla_put_failure;
2088 
2089 		i = nl80211_add_commands_unsplit(rdev, msg);
2090 		if (i < 0)
2091 			goto nla_put_failure;
2092 		if (state->split) {
2093 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2094 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2095 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2096 				CMD(channel_switch, CHANNEL_SWITCH);
2097 			CMD(set_qos_map, SET_QOS_MAP);
2098 			if (rdev->wiphy.features &
2099 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2100 				CMD(add_tx_ts, ADD_TX_TS);
2101 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2102 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2103 		}
2104 #undef CMD
2105 
2106 		nla_nest_end(msg, nl_cmds);
2107 		state->split_start++;
2108 		if (state->split)
2109 			break;
2110 		/* fall through */
2111 	case 5:
2112 		if (rdev->ops->remain_on_channel &&
2113 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2114 		    nla_put_u32(msg,
2115 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2116 				rdev->wiphy.max_remain_on_channel_duration))
2117 			goto nla_put_failure;
2118 
2119 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2120 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2121 			goto nla_put_failure;
2122 
2123 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2124 			goto nla_put_failure;
2125 		state->split_start++;
2126 		if (state->split)
2127 			break;
2128 		/* fall through */
2129 	case 6:
2130 #ifdef CONFIG_PM
2131 		if (nl80211_send_wowlan(msg, rdev, state->split))
2132 			goto nla_put_failure;
2133 		state->split_start++;
2134 		if (state->split)
2135 			break;
2136 #else
2137 		state->split_start++;
2138 #endif
2139 		/* fall through */
2140 	case 7:
2141 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2142 					rdev->wiphy.software_iftypes))
2143 			goto nla_put_failure;
2144 
2145 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2146 						   state->split))
2147 			goto nla_put_failure;
2148 
2149 		state->split_start++;
2150 		if (state->split)
2151 			break;
2152 		/* fall through */
2153 	case 8:
2154 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2155 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2156 				rdev->wiphy.ap_sme_capa))
2157 			goto nla_put_failure;
2158 
2159 		features = rdev->wiphy.features;
2160 		/*
2161 		 * We can only add the per-channel limit information if the
2162 		 * dump is split, otherwise it makes it too big. Therefore
2163 		 * only advertise it in that case.
2164 		 */
2165 		if (state->split)
2166 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2167 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2168 			goto nla_put_failure;
2169 
2170 		if (rdev->wiphy.ht_capa_mod_mask &&
2171 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2172 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2173 			    rdev->wiphy.ht_capa_mod_mask))
2174 			goto nla_put_failure;
2175 
2176 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2177 		    rdev->wiphy.max_acl_mac_addrs &&
2178 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2179 				rdev->wiphy.max_acl_mac_addrs))
2180 			goto nla_put_failure;
2181 
2182 		/*
2183 		 * Any information below this point is only available to
2184 		 * applications that can deal with it being split. This
2185 		 * helps ensure that newly added capabilities don't break
2186 		 * older tools by overrunning their buffers.
2187 		 *
2188 		 * We still increment split_start so that in the split
2189 		 * case we'll continue with more data in the next round,
2190 		 * but break unconditionally so unsplit data stops here.
2191 		 */
2192 		state->split_start++;
2193 		break;
2194 	case 9:
2195 		if (rdev->wiphy.extended_capabilities &&
2196 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2197 			     rdev->wiphy.extended_capabilities_len,
2198 			     rdev->wiphy.extended_capabilities) ||
2199 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2200 			     rdev->wiphy.extended_capabilities_len,
2201 			     rdev->wiphy.extended_capabilities_mask)))
2202 			goto nla_put_failure;
2203 
2204 		if (rdev->wiphy.vht_capa_mod_mask &&
2205 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2206 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2207 			    rdev->wiphy.vht_capa_mod_mask))
2208 			goto nla_put_failure;
2209 
2210 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2211 			    rdev->wiphy.perm_addr))
2212 			goto nla_put_failure;
2213 
2214 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2215 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2216 			    rdev->wiphy.addr_mask))
2217 			goto nla_put_failure;
2218 
2219 		if (rdev->wiphy.n_addresses > 1) {
2220 			void *attr;
2221 
2222 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2223 			if (!attr)
2224 				goto nla_put_failure;
2225 
2226 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2227 				if (nla_put(msg, i + 1, ETH_ALEN,
2228 					    rdev->wiphy.addresses[i].addr))
2229 					goto nla_put_failure;
2230 
2231 			nla_nest_end(msg, attr);
2232 		}
2233 
2234 		state->split_start++;
2235 		break;
2236 	case 10:
2237 		if (nl80211_send_coalesce(msg, rdev))
2238 			goto nla_put_failure;
2239 
2240 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2241 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2242 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2243 			goto nla_put_failure;
2244 
2245 		if (rdev->wiphy.max_ap_assoc_sta &&
2246 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2247 				rdev->wiphy.max_ap_assoc_sta))
2248 			goto nla_put_failure;
2249 
2250 		state->split_start++;
2251 		break;
2252 	case 11:
2253 		if (rdev->wiphy.n_vendor_commands) {
2254 			const struct nl80211_vendor_cmd_info *info;
2255 			struct nlattr *nested;
2256 
2257 			nested = nla_nest_start_noflag(msg,
2258 						       NL80211_ATTR_VENDOR_DATA);
2259 			if (!nested)
2260 				goto nla_put_failure;
2261 
2262 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2263 				info = &rdev->wiphy.vendor_commands[i].info;
2264 				if (nla_put(msg, i + 1, sizeof(*info), info))
2265 					goto nla_put_failure;
2266 			}
2267 			nla_nest_end(msg, nested);
2268 		}
2269 
2270 		if (rdev->wiphy.n_vendor_events) {
2271 			const struct nl80211_vendor_cmd_info *info;
2272 			struct nlattr *nested;
2273 
2274 			nested = nla_nest_start_noflag(msg,
2275 						       NL80211_ATTR_VENDOR_EVENTS);
2276 			if (!nested)
2277 				goto nla_put_failure;
2278 
2279 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2280 				info = &rdev->wiphy.vendor_events[i];
2281 				if (nla_put(msg, i + 1, sizeof(*info), info))
2282 					goto nla_put_failure;
2283 			}
2284 			nla_nest_end(msg, nested);
2285 		}
2286 		state->split_start++;
2287 		break;
2288 	case 12:
2289 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2290 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2291 			       rdev->wiphy.max_num_csa_counters))
2292 			goto nla_put_failure;
2293 
2294 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2295 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2296 			goto nla_put_failure;
2297 
2298 		if (rdev->wiphy.max_sched_scan_reqs &&
2299 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2300 				rdev->wiphy.max_sched_scan_reqs))
2301 			goto nla_put_failure;
2302 
2303 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2304 			    sizeof(rdev->wiphy.ext_features),
2305 			    rdev->wiphy.ext_features))
2306 			goto nla_put_failure;
2307 
2308 		if (rdev->wiphy.bss_select_support) {
2309 			struct nlattr *nested;
2310 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2311 
2312 			nested = nla_nest_start_noflag(msg,
2313 						       NL80211_ATTR_BSS_SELECT);
2314 			if (!nested)
2315 				goto nla_put_failure;
2316 
2317 			i = 0;
2318 			while (bss_select_support) {
2319 				if ((bss_select_support & 1) &&
2320 				    nla_put_flag(msg, i))
2321 					goto nla_put_failure;
2322 				i++;
2323 				bss_select_support >>= 1;
2324 			}
2325 			nla_nest_end(msg, nested);
2326 		}
2327 
2328 		state->split_start++;
2329 		break;
2330 	case 13:
2331 		if (rdev->wiphy.num_iftype_ext_capab &&
2332 		    rdev->wiphy.iftype_ext_capab) {
2333 			struct nlattr *nested_ext_capab, *nested;
2334 
2335 			nested = nla_nest_start_noflag(msg,
2336 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2337 			if (!nested)
2338 				goto nla_put_failure;
2339 
2340 			for (i = state->capa_start;
2341 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2342 				const struct wiphy_iftype_ext_capab *capab;
2343 
2344 				capab = &rdev->wiphy.iftype_ext_capab[i];
2345 
2346 				nested_ext_capab = nla_nest_start_noflag(msg,
2347 									 i);
2348 				if (!nested_ext_capab ||
2349 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2350 						capab->iftype) ||
2351 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2352 					    capab->extended_capabilities_len,
2353 					    capab->extended_capabilities) ||
2354 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2355 					    capab->extended_capabilities_len,
2356 					    capab->extended_capabilities_mask))
2357 					goto nla_put_failure;
2358 
2359 				nla_nest_end(msg, nested_ext_capab);
2360 				if (state->split)
2361 					break;
2362 			}
2363 			nla_nest_end(msg, nested);
2364 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2365 				state->capa_start = i + 1;
2366 				break;
2367 			}
2368 		}
2369 
2370 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2371 				rdev->wiphy.nan_supported_bands))
2372 			goto nla_put_failure;
2373 
2374 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2375 					    NL80211_EXT_FEATURE_TXQS)) {
2376 			struct cfg80211_txq_stats txqstats = {};
2377 			int res;
2378 
2379 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2380 			if (!res &&
2381 			    !nl80211_put_txq_stats(msg, &txqstats,
2382 						   NL80211_ATTR_TXQ_STATS))
2383 				goto nla_put_failure;
2384 
2385 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2386 					rdev->wiphy.txq_limit))
2387 				goto nla_put_failure;
2388 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2389 					rdev->wiphy.txq_memory_limit))
2390 				goto nla_put_failure;
2391 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2392 					rdev->wiphy.txq_quantum))
2393 				goto nla_put_failure;
2394 		}
2395 
2396 		state->split_start++;
2397 		break;
2398 	case 14:
2399 		if (nl80211_send_pmsr_capa(rdev, msg))
2400 			goto nla_put_failure;
2401 
2402 		state->split_start++;
2403 		break;
2404 	case 15:
2405 		if (rdev->wiphy.akm_suites &&
2406 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2407 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2408 			    rdev->wiphy.akm_suites))
2409 			goto nla_put_failure;
2410 
2411 		/* done */
2412 		state->split_start = 0;
2413 		break;
2414 	}
2415  finish:
2416 	genlmsg_end(msg, hdr);
2417 	return 0;
2418 
2419  nla_put_failure:
2420 	genlmsg_cancel(msg, hdr);
2421 	return -EMSGSIZE;
2422 }
2423 
2424 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2425 				    struct netlink_callback *cb,
2426 				    struct nl80211_dump_wiphy_state *state)
2427 {
2428 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2429 	int ret;
2430 
2431 	if (!tb)
2432 		return -ENOMEM;
2433 
2434 	ret = nlmsg_parse_deprecated(cb->nlh,
2435 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2436 				     tb, nl80211_fam.maxattr,
2437 				     nl80211_policy, NULL);
2438 	/* ignore parse errors for backward compatibility */
2439 	if (ret) {
2440 		ret = 0;
2441 		goto out;
2442 	}
2443 
2444 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2445 	if (tb[NL80211_ATTR_WIPHY])
2446 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2447 	if (tb[NL80211_ATTR_WDEV])
2448 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2449 	if (tb[NL80211_ATTR_IFINDEX]) {
2450 		struct net_device *netdev;
2451 		struct cfg80211_registered_device *rdev;
2452 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2453 
2454 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2455 		if (!netdev) {
2456 			ret = -ENODEV;
2457 			goto out;
2458 		}
2459 		if (netdev->ieee80211_ptr) {
2460 			rdev = wiphy_to_rdev(
2461 				netdev->ieee80211_ptr->wiphy);
2462 			state->filter_wiphy = rdev->wiphy_idx;
2463 		}
2464 	}
2465 
2466 	ret = 0;
2467 out:
2468 	kfree(tb);
2469 	return ret;
2470 }
2471 
2472 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2473 {
2474 	int idx = 0, ret;
2475 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2476 	struct cfg80211_registered_device *rdev;
2477 
2478 	rtnl_lock();
2479 	if (!state) {
2480 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2481 		if (!state) {
2482 			rtnl_unlock();
2483 			return -ENOMEM;
2484 		}
2485 		state->filter_wiphy = -1;
2486 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2487 		if (ret) {
2488 			kfree(state);
2489 			rtnl_unlock();
2490 			return ret;
2491 		}
2492 		cb->args[0] = (long)state;
2493 	}
2494 
2495 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2496 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2497 			continue;
2498 		if (++idx <= state->start)
2499 			continue;
2500 		if (state->filter_wiphy != -1 &&
2501 		    state->filter_wiphy != rdev->wiphy_idx)
2502 			continue;
2503 		/* attempt to fit multiple wiphy data chunks into the skb */
2504 		do {
2505 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2506 						 skb,
2507 						 NETLINK_CB(cb->skb).portid,
2508 						 cb->nlh->nlmsg_seq,
2509 						 NLM_F_MULTI, state);
2510 			if (ret < 0) {
2511 				/*
2512 				 * If sending the wiphy data didn't fit (ENOBUFS
2513 				 * or EMSGSIZE returned), this SKB is still
2514 				 * empty (so it's not too big because another
2515 				 * wiphy dataset is already in the skb) and
2516 				 * we've not tried to adjust the dump allocation
2517 				 * yet ... then adjust the alloc size to be
2518 				 * bigger, and return 1 but with the empty skb.
2519 				 * This results in an empty message being RX'ed
2520 				 * in userspace, but that is ignored.
2521 				 *
2522 				 * We can then retry with the larger buffer.
2523 				 */
2524 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2525 				    !skb->len && !state->split &&
2526 				    cb->min_dump_alloc < 4096) {
2527 					cb->min_dump_alloc = 4096;
2528 					state->split_start = 0;
2529 					rtnl_unlock();
2530 					return 1;
2531 				}
2532 				idx--;
2533 				break;
2534 			}
2535 		} while (state->split_start > 0);
2536 		break;
2537 	}
2538 	rtnl_unlock();
2539 
2540 	state->start = idx;
2541 
2542 	return skb->len;
2543 }
2544 
2545 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2546 {
2547 	kfree((void *)cb->args[0]);
2548 	return 0;
2549 }
2550 
2551 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2552 {
2553 	struct sk_buff *msg;
2554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2555 	struct nl80211_dump_wiphy_state state = {};
2556 
2557 	msg = nlmsg_new(4096, GFP_KERNEL);
2558 	if (!msg)
2559 		return -ENOMEM;
2560 
2561 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2562 			       info->snd_portid, info->snd_seq, 0,
2563 			       &state) < 0) {
2564 		nlmsg_free(msg);
2565 		return -ENOBUFS;
2566 	}
2567 
2568 	return genlmsg_reply(msg, info);
2569 }
2570 
2571 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2572 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2573 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2574 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2575 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2576 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2577 };
2578 
2579 static int parse_txq_params(struct nlattr *tb[],
2580 			    struct ieee80211_txq_params *txq_params)
2581 {
2582 	u8 ac;
2583 
2584 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2585 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2586 	    !tb[NL80211_TXQ_ATTR_AIFS])
2587 		return -EINVAL;
2588 
2589 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2590 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2591 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2592 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2593 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2594 
2595 	if (ac >= NL80211_NUM_ACS)
2596 		return -EINVAL;
2597 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2598 	return 0;
2599 }
2600 
2601 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2602 {
2603 	/*
2604 	 * You can only set the channel explicitly for WDS interfaces,
2605 	 * all others have their channel managed via their respective
2606 	 * "establish a connection" command (connect, join, ...)
2607 	 *
2608 	 * For AP/GO and mesh mode, the channel can be set with the
2609 	 * channel userspace API, but is only stored and passed to the
2610 	 * low-level driver when the AP starts or the mesh is joined.
2611 	 * This is for backward compatibility, userspace can also give
2612 	 * the channel in the start-ap or join-mesh commands instead.
2613 	 *
2614 	 * Monitors are special as they are normally slaved to
2615 	 * whatever else is going on, so they have their own special
2616 	 * operation to set the monitor channel if possible.
2617 	 */
2618 	return !wdev ||
2619 		wdev->iftype == NL80211_IFTYPE_AP ||
2620 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2621 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2622 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2623 }
2624 
2625 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2626 			  struct genl_info *info,
2627 			  struct cfg80211_chan_def *chandef)
2628 {
2629 	struct netlink_ext_ack *extack = info->extack;
2630 	struct nlattr **attrs = info->attrs;
2631 	u32 control_freq;
2632 
2633 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2634 		return -EINVAL;
2635 
2636 	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2637 
2638 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2639 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2640 	chandef->center_freq1 = control_freq;
2641 	chandef->center_freq2 = 0;
2642 
2643 	/* Primary channel not allowed */
2644 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2645 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2646 				    "Channel is disabled");
2647 		return -EINVAL;
2648 	}
2649 
2650 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2651 		enum nl80211_channel_type chantype;
2652 
2653 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2654 
2655 		switch (chantype) {
2656 		case NL80211_CHAN_NO_HT:
2657 		case NL80211_CHAN_HT20:
2658 		case NL80211_CHAN_HT40PLUS:
2659 		case NL80211_CHAN_HT40MINUS:
2660 			cfg80211_chandef_create(chandef, chandef->chan,
2661 						chantype);
2662 			/* user input for center_freq is incorrect */
2663 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2664 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2665 				NL_SET_ERR_MSG_ATTR(extack,
2666 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2667 						    "bad center frequency 1");
2668 				return -EINVAL;
2669 			}
2670 			/* center_freq2 must be zero */
2671 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2672 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2673 				NL_SET_ERR_MSG_ATTR(extack,
2674 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2675 						    "center frequency 2 can't be used");
2676 				return -EINVAL;
2677 			}
2678 			break;
2679 		default:
2680 			NL_SET_ERR_MSG_ATTR(extack,
2681 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2682 					    "invalid channel type");
2683 			return -EINVAL;
2684 		}
2685 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2686 		chandef->width =
2687 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2688 		if (attrs[NL80211_ATTR_CENTER_FREQ1])
2689 			chandef->center_freq1 =
2690 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2691 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2692 			chandef->center_freq2 =
2693 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2694 	}
2695 
2696 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2697 		chandef->edmg.channels =
2698 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2699 
2700 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2701 			chandef->edmg.bw_config =
2702 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2703 	} else {
2704 		chandef->edmg.bw_config = 0;
2705 		chandef->edmg.channels = 0;
2706 	}
2707 
2708 	if (!cfg80211_chandef_valid(chandef)) {
2709 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2710 		return -EINVAL;
2711 	}
2712 
2713 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2714 				     IEEE80211_CHAN_DISABLED)) {
2715 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2716 		return -EINVAL;
2717 	}
2718 
2719 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2720 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2721 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2722 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2723 		return -EINVAL;
2724 	}
2725 
2726 	return 0;
2727 }
2728 
2729 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2730 				 struct net_device *dev,
2731 				 struct genl_info *info)
2732 {
2733 	struct cfg80211_chan_def chandef;
2734 	int result;
2735 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2736 	struct wireless_dev *wdev = NULL;
2737 
2738 	if (dev)
2739 		wdev = dev->ieee80211_ptr;
2740 	if (!nl80211_can_set_dev_channel(wdev))
2741 		return -EOPNOTSUPP;
2742 	if (wdev)
2743 		iftype = wdev->iftype;
2744 
2745 	result = nl80211_parse_chandef(rdev, info, &chandef);
2746 	if (result)
2747 		return result;
2748 
2749 	switch (iftype) {
2750 	case NL80211_IFTYPE_AP:
2751 	case NL80211_IFTYPE_P2P_GO:
2752 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2753 						   iftype)) {
2754 			result = -EINVAL;
2755 			break;
2756 		}
2757 		if (wdev->beacon_interval) {
2758 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2759 			    !(rdev->wiphy.features &
2760 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2761 				result = -EBUSY;
2762 				break;
2763 			}
2764 
2765 			/* Only allow dynamic channel width changes */
2766 			if (chandef.chan != wdev->preset_chandef.chan) {
2767 				result = -EBUSY;
2768 				break;
2769 			}
2770 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2771 			if (result)
2772 				break;
2773 		}
2774 		wdev->preset_chandef = chandef;
2775 		result = 0;
2776 		break;
2777 	case NL80211_IFTYPE_MESH_POINT:
2778 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2779 		break;
2780 	case NL80211_IFTYPE_MONITOR:
2781 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2782 		break;
2783 	default:
2784 		result = -EINVAL;
2785 	}
2786 
2787 	return result;
2788 }
2789 
2790 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2791 {
2792 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2793 	struct net_device *netdev = info->user_ptr[1];
2794 
2795 	return __nl80211_set_channel(rdev, netdev, info);
2796 }
2797 
2798 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2799 {
2800 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2801 	struct net_device *dev = info->user_ptr[1];
2802 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2803 	const u8 *bssid;
2804 
2805 	if (!info->attrs[NL80211_ATTR_MAC])
2806 		return -EINVAL;
2807 
2808 	if (netif_running(dev))
2809 		return -EBUSY;
2810 
2811 	if (!rdev->ops->set_wds_peer)
2812 		return -EOPNOTSUPP;
2813 
2814 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2815 		return -EOPNOTSUPP;
2816 
2817 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2818 	return rdev_set_wds_peer(rdev, dev, bssid);
2819 }
2820 
2821 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2822 {
2823 	struct cfg80211_registered_device *rdev;
2824 	struct net_device *netdev = NULL;
2825 	struct wireless_dev *wdev;
2826 	int result = 0, rem_txq_params = 0;
2827 	struct nlattr *nl_txq_params;
2828 	u32 changed;
2829 	u8 retry_short = 0, retry_long = 0;
2830 	u32 frag_threshold = 0, rts_threshold = 0;
2831 	u8 coverage_class = 0;
2832 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2833 
2834 	ASSERT_RTNL();
2835 
2836 	/*
2837 	 * Try to find the wiphy and netdev. Normally this
2838 	 * function shouldn't need the netdev, but this is
2839 	 * done for backward compatibility -- previously
2840 	 * setting the channel was done per wiphy, but now
2841 	 * it is per netdev. Previous userland like hostapd
2842 	 * also passed a netdev to set_wiphy, so that it is
2843 	 * possible to let that go to the right netdev!
2844 	 */
2845 
2846 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2847 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2848 
2849 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2850 		if (netdev && netdev->ieee80211_ptr)
2851 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2852 		else
2853 			netdev = NULL;
2854 	}
2855 
2856 	if (!netdev) {
2857 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2858 						  info->attrs);
2859 		if (IS_ERR(rdev))
2860 			return PTR_ERR(rdev);
2861 		wdev = NULL;
2862 		netdev = NULL;
2863 		result = 0;
2864 	} else
2865 		wdev = netdev->ieee80211_ptr;
2866 
2867 	/*
2868 	 * end workaround code, by now the rdev is available
2869 	 * and locked, and wdev may or may not be NULL.
2870 	 */
2871 
2872 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2873 		result = cfg80211_dev_rename(
2874 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2875 
2876 	if (result)
2877 		return result;
2878 
2879 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2880 		struct ieee80211_txq_params txq_params;
2881 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2882 
2883 		if (!rdev->ops->set_txq_params)
2884 			return -EOPNOTSUPP;
2885 
2886 		if (!netdev)
2887 			return -EINVAL;
2888 
2889 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2890 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2891 			return -EINVAL;
2892 
2893 		if (!netif_running(netdev))
2894 			return -ENETDOWN;
2895 
2896 		nla_for_each_nested(nl_txq_params,
2897 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2898 				    rem_txq_params) {
2899 			result = nla_parse_nested_deprecated(tb,
2900 							     NL80211_TXQ_ATTR_MAX,
2901 							     nl_txq_params,
2902 							     txq_params_policy,
2903 							     info->extack);
2904 			if (result)
2905 				return result;
2906 			result = parse_txq_params(tb, &txq_params);
2907 			if (result)
2908 				return result;
2909 
2910 			result = rdev_set_txq_params(rdev, netdev,
2911 						     &txq_params);
2912 			if (result)
2913 				return result;
2914 		}
2915 	}
2916 
2917 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2918 		result = __nl80211_set_channel(
2919 			rdev,
2920 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2921 			info);
2922 		if (result)
2923 			return result;
2924 	}
2925 
2926 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2927 		struct wireless_dev *txp_wdev = wdev;
2928 		enum nl80211_tx_power_setting type;
2929 		int idx, mbm = 0;
2930 
2931 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2932 			txp_wdev = NULL;
2933 
2934 		if (!rdev->ops->set_tx_power)
2935 			return -EOPNOTSUPP;
2936 
2937 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2938 		type = nla_get_u32(info->attrs[idx]);
2939 
2940 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2941 		    (type != NL80211_TX_POWER_AUTOMATIC))
2942 			return -EINVAL;
2943 
2944 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2945 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2946 			mbm = nla_get_u32(info->attrs[idx]);
2947 		}
2948 
2949 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2950 		if (result)
2951 			return result;
2952 	}
2953 
2954 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2955 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2956 		u32 tx_ant, rx_ant;
2957 
2958 		if ((!rdev->wiphy.available_antennas_tx &&
2959 		     !rdev->wiphy.available_antennas_rx) ||
2960 		    !rdev->ops->set_antenna)
2961 			return -EOPNOTSUPP;
2962 
2963 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2964 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2965 
2966 		/* reject antenna configurations which don't match the
2967 		 * available antenna masks, except for the "all" mask */
2968 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2969 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2970 			return -EINVAL;
2971 
2972 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2973 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2974 
2975 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2976 		if (result)
2977 			return result;
2978 	}
2979 
2980 	changed = 0;
2981 
2982 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2983 		retry_short = nla_get_u8(
2984 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2985 
2986 		changed |= WIPHY_PARAM_RETRY_SHORT;
2987 	}
2988 
2989 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2990 		retry_long = nla_get_u8(
2991 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2992 
2993 		changed |= WIPHY_PARAM_RETRY_LONG;
2994 	}
2995 
2996 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2997 		frag_threshold = nla_get_u32(
2998 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2999 		if (frag_threshold < 256)
3000 			return -EINVAL;
3001 
3002 		if (frag_threshold != (u32) -1) {
3003 			/*
3004 			 * Fragments (apart from the last one) are required to
3005 			 * have even length. Make the fragmentation code
3006 			 * simpler by stripping LSB should someone try to use
3007 			 * odd threshold value.
3008 			 */
3009 			frag_threshold &= ~0x1;
3010 		}
3011 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3012 	}
3013 
3014 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3015 		rts_threshold = nla_get_u32(
3016 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3017 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3018 	}
3019 
3020 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3021 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3022 			return -EINVAL;
3023 
3024 		coverage_class = nla_get_u8(
3025 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3026 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3027 	}
3028 
3029 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3030 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3031 			return -EOPNOTSUPP;
3032 
3033 		changed |= WIPHY_PARAM_DYN_ACK;
3034 	}
3035 
3036 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3037 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3038 					     NL80211_EXT_FEATURE_TXQS))
3039 			return -EOPNOTSUPP;
3040 		txq_limit = nla_get_u32(
3041 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3042 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3043 	}
3044 
3045 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3046 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3047 					     NL80211_EXT_FEATURE_TXQS))
3048 			return -EOPNOTSUPP;
3049 		txq_memory_limit = nla_get_u32(
3050 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3051 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3052 	}
3053 
3054 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3055 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3056 					     NL80211_EXT_FEATURE_TXQS))
3057 			return -EOPNOTSUPP;
3058 		txq_quantum = nla_get_u32(
3059 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3060 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3061 	}
3062 
3063 	if (changed) {
3064 		u8 old_retry_short, old_retry_long;
3065 		u32 old_frag_threshold, old_rts_threshold;
3066 		u8 old_coverage_class;
3067 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3068 
3069 		if (!rdev->ops->set_wiphy_params)
3070 			return -EOPNOTSUPP;
3071 
3072 		old_retry_short = rdev->wiphy.retry_short;
3073 		old_retry_long = rdev->wiphy.retry_long;
3074 		old_frag_threshold = rdev->wiphy.frag_threshold;
3075 		old_rts_threshold = rdev->wiphy.rts_threshold;
3076 		old_coverage_class = rdev->wiphy.coverage_class;
3077 		old_txq_limit = rdev->wiphy.txq_limit;
3078 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3079 		old_txq_quantum = rdev->wiphy.txq_quantum;
3080 
3081 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3082 			rdev->wiphy.retry_short = retry_short;
3083 		if (changed & WIPHY_PARAM_RETRY_LONG)
3084 			rdev->wiphy.retry_long = retry_long;
3085 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3086 			rdev->wiphy.frag_threshold = frag_threshold;
3087 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3088 			rdev->wiphy.rts_threshold = rts_threshold;
3089 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3090 			rdev->wiphy.coverage_class = coverage_class;
3091 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3092 			rdev->wiphy.txq_limit = txq_limit;
3093 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3094 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3095 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3096 			rdev->wiphy.txq_quantum = txq_quantum;
3097 
3098 		result = rdev_set_wiphy_params(rdev, changed);
3099 		if (result) {
3100 			rdev->wiphy.retry_short = old_retry_short;
3101 			rdev->wiphy.retry_long = old_retry_long;
3102 			rdev->wiphy.frag_threshold = old_frag_threshold;
3103 			rdev->wiphy.rts_threshold = old_rts_threshold;
3104 			rdev->wiphy.coverage_class = old_coverage_class;
3105 			rdev->wiphy.txq_limit = old_txq_limit;
3106 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3107 			rdev->wiphy.txq_quantum = old_txq_quantum;
3108 			return result;
3109 		}
3110 	}
3111 	return 0;
3112 }
3113 
3114 static int nl80211_send_chandef(struct sk_buff *msg,
3115 				const struct cfg80211_chan_def *chandef)
3116 {
3117 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3118 		return -EINVAL;
3119 
3120 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3121 			chandef->chan->center_freq))
3122 		return -ENOBUFS;
3123 	switch (chandef->width) {
3124 	case NL80211_CHAN_WIDTH_20_NOHT:
3125 	case NL80211_CHAN_WIDTH_20:
3126 	case NL80211_CHAN_WIDTH_40:
3127 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3128 				cfg80211_get_chandef_type(chandef)))
3129 			return -ENOBUFS;
3130 		break;
3131 	default:
3132 		break;
3133 	}
3134 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3135 		return -ENOBUFS;
3136 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3137 		return -ENOBUFS;
3138 	if (chandef->center_freq2 &&
3139 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3140 		return -ENOBUFS;
3141 	return 0;
3142 }
3143 
3144 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3145 			      struct cfg80211_registered_device *rdev,
3146 			      struct wireless_dev *wdev,
3147 			      enum nl80211_commands cmd)
3148 {
3149 	struct net_device *dev = wdev->netdev;
3150 	void *hdr;
3151 
3152 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3153 		cmd != NL80211_CMD_DEL_INTERFACE &&
3154 		cmd != NL80211_CMD_SET_INTERFACE);
3155 
3156 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3157 	if (!hdr)
3158 		return -1;
3159 
3160 	if (dev &&
3161 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3162 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3163 		goto nla_put_failure;
3164 
3165 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3166 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3167 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3168 			      NL80211_ATTR_PAD) ||
3169 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3170 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3171 			rdev->devlist_generation ^
3172 			(cfg80211_rdev_list_generation << 2)) ||
3173 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3174 		goto nla_put_failure;
3175 
3176 	if (rdev->ops->get_channel) {
3177 		int ret;
3178 		struct cfg80211_chan_def chandef;
3179 
3180 		ret = rdev_get_channel(rdev, wdev, &chandef);
3181 		if (ret == 0) {
3182 			if (nl80211_send_chandef(msg, &chandef))
3183 				goto nla_put_failure;
3184 		}
3185 	}
3186 
3187 	if (rdev->ops->get_tx_power) {
3188 		int dbm, ret;
3189 
3190 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3191 		if (ret == 0 &&
3192 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3193 				DBM_TO_MBM(dbm)))
3194 			goto nla_put_failure;
3195 	}
3196 
3197 	wdev_lock(wdev);
3198 	switch (wdev->iftype) {
3199 	case NL80211_IFTYPE_AP:
3200 		if (wdev->ssid_len &&
3201 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3202 			goto nla_put_failure_locked;
3203 		break;
3204 	case NL80211_IFTYPE_STATION:
3205 	case NL80211_IFTYPE_P2P_CLIENT:
3206 	case NL80211_IFTYPE_ADHOC: {
3207 		const u8 *ssid_ie;
3208 		if (!wdev->current_bss)
3209 			break;
3210 		rcu_read_lock();
3211 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3212 					       WLAN_EID_SSID);
3213 		if (ssid_ie &&
3214 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3215 			goto nla_put_failure_rcu_locked;
3216 		rcu_read_unlock();
3217 		break;
3218 		}
3219 	default:
3220 		/* nothing */
3221 		break;
3222 	}
3223 	wdev_unlock(wdev);
3224 
3225 	if (rdev->ops->get_txq_stats) {
3226 		struct cfg80211_txq_stats txqstats = {};
3227 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3228 
3229 		if (ret == 0 &&
3230 		    !nl80211_put_txq_stats(msg, &txqstats,
3231 					   NL80211_ATTR_TXQ_STATS))
3232 			goto nla_put_failure;
3233 	}
3234 
3235 	genlmsg_end(msg, hdr);
3236 	return 0;
3237 
3238  nla_put_failure_rcu_locked:
3239 	rcu_read_unlock();
3240  nla_put_failure_locked:
3241 	wdev_unlock(wdev);
3242  nla_put_failure:
3243 	genlmsg_cancel(msg, hdr);
3244 	return -EMSGSIZE;
3245 }
3246 
3247 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3248 {
3249 	int wp_idx = 0;
3250 	int if_idx = 0;
3251 	int wp_start = cb->args[0];
3252 	int if_start = cb->args[1];
3253 	int filter_wiphy = -1;
3254 	struct cfg80211_registered_device *rdev;
3255 	struct wireless_dev *wdev;
3256 	int ret;
3257 
3258 	rtnl_lock();
3259 	if (!cb->args[2]) {
3260 		struct nl80211_dump_wiphy_state state = {
3261 			.filter_wiphy = -1,
3262 		};
3263 
3264 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3265 		if (ret)
3266 			goto out_unlock;
3267 
3268 		filter_wiphy = state.filter_wiphy;
3269 
3270 		/*
3271 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3272 		 * value needed to determine that parsing is necessary.
3273 		 */
3274 		if (filter_wiphy >= 0)
3275 			cb->args[2] = filter_wiphy + 1;
3276 		else
3277 			cb->args[2] = -1;
3278 	} else if (cb->args[2] > 0) {
3279 		filter_wiphy = cb->args[2] - 1;
3280 	}
3281 
3282 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3283 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3284 			continue;
3285 		if (wp_idx < wp_start) {
3286 			wp_idx++;
3287 			continue;
3288 		}
3289 
3290 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3291 			continue;
3292 
3293 		if_idx = 0;
3294 
3295 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3296 			if (if_idx < if_start) {
3297 				if_idx++;
3298 				continue;
3299 			}
3300 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3301 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3302 					       rdev, wdev,
3303 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3304 				goto out;
3305 			}
3306 			if_idx++;
3307 		}
3308 
3309 		wp_idx++;
3310 	}
3311  out:
3312 	cb->args[0] = wp_idx;
3313 	cb->args[1] = if_idx;
3314 
3315 	ret = skb->len;
3316  out_unlock:
3317 	rtnl_unlock();
3318 
3319 	return ret;
3320 }
3321 
3322 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3323 {
3324 	struct sk_buff *msg;
3325 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3326 	struct wireless_dev *wdev = info->user_ptr[1];
3327 
3328 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3329 	if (!msg)
3330 		return -ENOMEM;
3331 
3332 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3333 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3334 		nlmsg_free(msg);
3335 		return -ENOBUFS;
3336 	}
3337 
3338 	return genlmsg_reply(msg, info);
3339 }
3340 
3341 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3342 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3343 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3344 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3345 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3346 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3347 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3348 };
3349 
3350 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3351 {
3352 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3353 	int flag;
3354 
3355 	*mntrflags = 0;
3356 
3357 	if (!nla)
3358 		return -EINVAL;
3359 
3360 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3361 		return -EINVAL;
3362 
3363 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3364 		if (flags[flag])
3365 			*mntrflags |= (1<<flag);
3366 
3367 	*mntrflags |= MONITOR_FLAG_CHANGED;
3368 
3369 	return 0;
3370 }
3371 
3372 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3373 				     enum nl80211_iftype type,
3374 				     struct genl_info *info,
3375 				     struct vif_params *params)
3376 {
3377 	bool change = false;
3378 	int err;
3379 
3380 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3381 		if (type != NL80211_IFTYPE_MONITOR)
3382 			return -EINVAL;
3383 
3384 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3385 					  &params->flags);
3386 		if (err)
3387 			return err;
3388 
3389 		change = true;
3390 	}
3391 
3392 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3393 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3394 		return -EOPNOTSUPP;
3395 
3396 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3397 		const u8 *mumimo_groups;
3398 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3399 
3400 		if (type != NL80211_IFTYPE_MONITOR)
3401 			return -EINVAL;
3402 
3403 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3404 			return -EOPNOTSUPP;
3405 
3406 		mumimo_groups =
3407 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3408 
3409 		/* bits 0 and 63 are reserved and must be zero */
3410 		if ((mumimo_groups[0] & BIT(0)) ||
3411 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3412 			return -EINVAL;
3413 
3414 		params->vht_mumimo_groups = mumimo_groups;
3415 		change = true;
3416 	}
3417 
3418 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3419 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3420 
3421 		if (type != NL80211_IFTYPE_MONITOR)
3422 			return -EINVAL;
3423 
3424 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3425 			return -EOPNOTSUPP;
3426 
3427 		params->vht_mumimo_follow_addr =
3428 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3429 		change = true;
3430 	}
3431 
3432 	return change ? 1 : 0;
3433 }
3434 
3435 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3436 			       struct net_device *netdev, u8 use_4addr,
3437 			       enum nl80211_iftype iftype)
3438 {
3439 	if (!use_4addr) {
3440 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3441 			return -EBUSY;
3442 		return 0;
3443 	}
3444 
3445 	switch (iftype) {
3446 	case NL80211_IFTYPE_AP_VLAN:
3447 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3448 			return 0;
3449 		break;
3450 	case NL80211_IFTYPE_STATION:
3451 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3452 			return 0;
3453 		break;
3454 	default:
3455 		break;
3456 	}
3457 
3458 	return -EOPNOTSUPP;
3459 }
3460 
3461 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3462 {
3463 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3464 	struct vif_params params;
3465 	int err;
3466 	enum nl80211_iftype otype, ntype;
3467 	struct net_device *dev = info->user_ptr[1];
3468 	bool change = false;
3469 
3470 	memset(&params, 0, sizeof(params));
3471 
3472 	otype = ntype = dev->ieee80211_ptr->iftype;
3473 
3474 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3475 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3476 		if (otype != ntype)
3477 			change = true;
3478 	}
3479 
3480 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3481 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3482 
3483 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3484 			return -EINVAL;
3485 		if (netif_running(dev))
3486 			return -EBUSY;
3487 
3488 		wdev_lock(wdev);
3489 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3490 			     IEEE80211_MAX_MESH_ID_LEN);
3491 		wdev->mesh_id_up_len =
3492 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3493 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3494 		       wdev->mesh_id_up_len);
3495 		wdev_unlock(wdev);
3496 	}
3497 
3498 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3499 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3500 		change = true;
3501 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3502 		if (err)
3503 			return err;
3504 	} else {
3505 		params.use_4addr = -1;
3506 	}
3507 
3508 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3509 	if (err < 0)
3510 		return err;
3511 	if (err > 0)
3512 		change = true;
3513 
3514 	if (change)
3515 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3516 	else
3517 		err = 0;
3518 
3519 	if (!err && params.use_4addr != -1)
3520 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3521 
3522 	if (change && !err) {
3523 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3524 
3525 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3526 	}
3527 
3528 	return err;
3529 }
3530 
3531 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3532 {
3533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3534 	struct vif_params params;
3535 	struct wireless_dev *wdev;
3536 	struct sk_buff *msg;
3537 	int err;
3538 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3539 
3540 	/* to avoid failing a new interface creation due to pending removal */
3541 	cfg80211_destroy_ifaces(rdev);
3542 
3543 	memset(&params, 0, sizeof(params));
3544 
3545 	if (!info->attrs[NL80211_ATTR_IFNAME])
3546 		return -EINVAL;
3547 
3548 	if (info->attrs[NL80211_ATTR_IFTYPE])
3549 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3550 
3551 	if (!rdev->ops->add_virtual_intf)
3552 		return -EOPNOTSUPP;
3553 
3554 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3555 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3556 	    info->attrs[NL80211_ATTR_MAC]) {
3557 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3558 			   ETH_ALEN);
3559 		if (!is_valid_ether_addr(params.macaddr))
3560 			return -EADDRNOTAVAIL;
3561 	}
3562 
3563 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3564 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3565 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3566 		if (err)
3567 			return err;
3568 	}
3569 
3570 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3571 		return -EOPNOTSUPP;
3572 
3573 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3574 	if (err < 0)
3575 		return err;
3576 
3577 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3578 	if (!msg)
3579 		return -ENOMEM;
3580 
3581 	wdev = rdev_add_virtual_intf(rdev,
3582 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3583 				NET_NAME_USER, type, &params);
3584 	if (WARN_ON(!wdev)) {
3585 		nlmsg_free(msg);
3586 		return -EPROTO;
3587 	} else if (IS_ERR(wdev)) {
3588 		nlmsg_free(msg);
3589 		return PTR_ERR(wdev);
3590 	}
3591 
3592 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3593 		wdev->owner_nlportid = info->snd_portid;
3594 
3595 	switch (type) {
3596 	case NL80211_IFTYPE_MESH_POINT:
3597 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3598 			break;
3599 		wdev_lock(wdev);
3600 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3601 			     IEEE80211_MAX_MESH_ID_LEN);
3602 		wdev->mesh_id_up_len =
3603 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3604 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3605 		       wdev->mesh_id_up_len);
3606 		wdev_unlock(wdev);
3607 		break;
3608 	case NL80211_IFTYPE_NAN:
3609 	case NL80211_IFTYPE_P2P_DEVICE:
3610 		/*
3611 		 * P2P Device and NAN do not have a netdev, so don't go
3612 		 * through the netdev notifier and must be added here
3613 		 */
3614 		cfg80211_init_wdev(rdev, wdev);
3615 		break;
3616 	default:
3617 		break;
3618 	}
3619 
3620 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3621 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3622 		nlmsg_free(msg);
3623 		return -ENOBUFS;
3624 	}
3625 
3626 	return genlmsg_reply(msg, info);
3627 }
3628 
3629 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3630 {
3631 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3632 	struct wireless_dev *wdev = info->user_ptr[1];
3633 
3634 	if (!rdev->ops->del_virtual_intf)
3635 		return -EOPNOTSUPP;
3636 
3637 	/*
3638 	 * If we remove a wireless device without a netdev then clear
3639 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3640 	 * to check if it needs to do dev_put(). Otherwise it crashes
3641 	 * since the wdev has been freed, unlike with a netdev where
3642 	 * we need the dev_put() for the netdev to really be freed.
3643 	 */
3644 	if (!wdev->netdev)
3645 		info->user_ptr[1] = NULL;
3646 
3647 	return rdev_del_virtual_intf(rdev, wdev);
3648 }
3649 
3650 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3651 {
3652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3653 	struct net_device *dev = info->user_ptr[1];
3654 	u16 noack_map;
3655 
3656 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3657 		return -EINVAL;
3658 
3659 	if (!rdev->ops->set_noack_map)
3660 		return -EOPNOTSUPP;
3661 
3662 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3663 
3664 	return rdev_set_noack_map(rdev, dev, noack_map);
3665 }
3666 
3667 struct get_key_cookie {
3668 	struct sk_buff *msg;
3669 	int error;
3670 	int idx;
3671 };
3672 
3673 static void get_key_callback(void *c, struct key_params *params)
3674 {
3675 	struct nlattr *key;
3676 	struct get_key_cookie *cookie = c;
3677 
3678 	if ((params->key &&
3679 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3680 		     params->key_len, params->key)) ||
3681 	    (params->seq &&
3682 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3683 		     params->seq_len, params->seq)) ||
3684 	    (params->cipher &&
3685 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3686 			 params->cipher)))
3687 		goto nla_put_failure;
3688 
3689 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3690 	if (!key)
3691 		goto nla_put_failure;
3692 
3693 	if ((params->key &&
3694 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3695 		     params->key_len, params->key)) ||
3696 	    (params->seq &&
3697 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3698 		     params->seq_len, params->seq)) ||
3699 	    (params->cipher &&
3700 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3701 			 params->cipher)))
3702 		goto nla_put_failure;
3703 
3704 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3705 		goto nla_put_failure;
3706 
3707 	nla_nest_end(cookie->msg, key);
3708 
3709 	return;
3710  nla_put_failure:
3711 	cookie->error = 1;
3712 }
3713 
3714 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3715 {
3716 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3717 	int err;
3718 	struct net_device *dev = info->user_ptr[1];
3719 	u8 key_idx = 0;
3720 	const u8 *mac_addr = NULL;
3721 	bool pairwise;
3722 	struct get_key_cookie cookie = {
3723 		.error = 0,
3724 	};
3725 	void *hdr;
3726 	struct sk_buff *msg;
3727 
3728 	if (info->attrs[NL80211_ATTR_KEY_IDX])
3729 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3730 
3731 	if (info->attrs[NL80211_ATTR_MAC])
3732 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3733 
3734 	pairwise = !!mac_addr;
3735 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3736 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3737 
3738 		if (kt != NL80211_KEYTYPE_GROUP &&
3739 		    kt != NL80211_KEYTYPE_PAIRWISE)
3740 			return -EINVAL;
3741 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3742 	}
3743 
3744 	if (!rdev->ops->get_key)
3745 		return -EOPNOTSUPP;
3746 
3747 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3748 		return -ENOENT;
3749 
3750 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3751 	if (!msg)
3752 		return -ENOMEM;
3753 
3754 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3755 			     NL80211_CMD_NEW_KEY);
3756 	if (!hdr)
3757 		goto nla_put_failure;
3758 
3759 	cookie.msg = msg;
3760 	cookie.idx = key_idx;
3761 
3762 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3763 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3764 		goto nla_put_failure;
3765 	if (mac_addr &&
3766 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3767 		goto nla_put_failure;
3768 
3769 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3770 			   get_key_callback);
3771 
3772 	if (err)
3773 		goto free_msg;
3774 
3775 	if (cookie.error)
3776 		goto nla_put_failure;
3777 
3778 	genlmsg_end(msg, hdr);
3779 	return genlmsg_reply(msg, info);
3780 
3781  nla_put_failure:
3782 	err = -ENOBUFS;
3783  free_msg:
3784 	nlmsg_free(msg);
3785 	return err;
3786 }
3787 
3788 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3789 {
3790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3791 	struct key_parse key;
3792 	int err;
3793 	struct net_device *dev = info->user_ptr[1];
3794 
3795 	err = nl80211_parse_key(info, &key);
3796 	if (err)
3797 		return err;
3798 
3799 	if (key.idx < 0)
3800 		return -EINVAL;
3801 
3802 	/* Only support setting default key and
3803 	 * Extended Key ID action NL80211_KEY_SET_TX.
3804 	 */
3805 	if (!key.def && !key.defmgmt &&
3806 	    !(key.p.mode == NL80211_KEY_SET_TX))
3807 		return -EINVAL;
3808 
3809 	wdev_lock(dev->ieee80211_ptr);
3810 
3811 	if (key.def) {
3812 		if (!rdev->ops->set_default_key) {
3813 			err = -EOPNOTSUPP;
3814 			goto out;
3815 		}
3816 
3817 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3818 		if (err)
3819 			goto out;
3820 
3821 		err = rdev_set_default_key(rdev, dev, key.idx,
3822 						 key.def_uni, key.def_multi);
3823 
3824 		if (err)
3825 			goto out;
3826 
3827 #ifdef CONFIG_CFG80211_WEXT
3828 		dev->ieee80211_ptr->wext.default_key = key.idx;
3829 #endif
3830 	} else if (key.defmgmt) {
3831 		if (key.def_uni || !key.def_multi) {
3832 			err = -EINVAL;
3833 			goto out;
3834 		}
3835 
3836 		if (!rdev->ops->set_default_mgmt_key) {
3837 			err = -EOPNOTSUPP;
3838 			goto out;
3839 		}
3840 
3841 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3842 		if (err)
3843 			goto out;
3844 
3845 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3846 		if (err)
3847 			goto out;
3848 
3849 #ifdef CONFIG_CFG80211_WEXT
3850 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3851 #endif
3852 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
3853 		   wiphy_ext_feature_isset(&rdev->wiphy,
3854 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
3855 		u8 *mac_addr = NULL;
3856 
3857 		if (info->attrs[NL80211_ATTR_MAC])
3858 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3859 
3860 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
3861 			err = -EINVAL;
3862 			goto out;
3863 		}
3864 
3865 		err = rdev_add_key(rdev, dev, key.idx,
3866 				   NL80211_KEYTYPE_PAIRWISE,
3867 				   mac_addr, &key.p);
3868 	} else {
3869 		err = -EINVAL;
3870 	}
3871  out:
3872 	wdev_unlock(dev->ieee80211_ptr);
3873 
3874 	return err;
3875 }
3876 
3877 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3878 {
3879 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3880 	int err;
3881 	struct net_device *dev = info->user_ptr[1];
3882 	struct key_parse key;
3883 	const u8 *mac_addr = NULL;
3884 
3885 	err = nl80211_parse_key(info, &key);
3886 	if (err)
3887 		return err;
3888 
3889 	if (!key.p.key)
3890 		return -EINVAL;
3891 
3892 	if (info->attrs[NL80211_ATTR_MAC])
3893 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3894 
3895 	if (key.type == -1) {
3896 		if (mac_addr)
3897 			key.type = NL80211_KEYTYPE_PAIRWISE;
3898 		else
3899 			key.type = NL80211_KEYTYPE_GROUP;
3900 	}
3901 
3902 	/* for now */
3903 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3904 	    key.type != NL80211_KEYTYPE_GROUP)
3905 		return -EINVAL;
3906 
3907 	if (!rdev->ops->add_key)
3908 		return -EOPNOTSUPP;
3909 
3910 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3911 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3912 					   mac_addr))
3913 		return -EINVAL;
3914 
3915 	wdev_lock(dev->ieee80211_ptr);
3916 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3917 	if (!err)
3918 		err = rdev_add_key(rdev, dev, key.idx,
3919 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3920 				    mac_addr, &key.p);
3921 	wdev_unlock(dev->ieee80211_ptr);
3922 
3923 	return err;
3924 }
3925 
3926 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3927 {
3928 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3929 	int err;
3930 	struct net_device *dev = info->user_ptr[1];
3931 	u8 *mac_addr = NULL;
3932 	struct key_parse key;
3933 
3934 	err = nl80211_parse_key(info, &key);
3935 	if (err)
3936 		return err;
3937 
3938 	if (info->attrs[NL80211_ATTR_MAC])
3939 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3940 
3941 	if (key.type == -1) {
3942 		if (mac_addr)
3943 			key.type = NL80211_KEYTYPE_PAIRWISE;
3944 		else
3945 			key.type = NL80211_KEYTYPE_GROUP;
3946 	}
3947 
3948 	/* for now */
3949 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3950 	    key.type != NL80211_KEYTYPE_GROUP)
3951 		return -EINVAL;
3952 
3953 	if (!rdev->ops->del_key)
3954 		return -EOPNOTSUPP;
3955 
3956 	wdev_lock(dev->ieee80211_ptr);
3957 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3958 
3959 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3960 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3961 		err = -ENOENT;
3962 
3963 	if (!err)
3964 		err = rdev_del_key(rdev, dev, key.idx,
3965 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3966 				   mac_addr);
3967 
3968 #ifdef CONFIG_CFG80211_WEXT
3969 	if (!err) {
3970 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3971 			dev->ieee80211_ptr->wext.default_key = -1;
3972 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3973 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3974 	}
3975 #endif
3976 	wdev_unlock(dev->ieee80211_ptr);
3977 
3978 	return err;
3979 }
3980 
3981 /* This function returns an error or the number of nested attributes */
3982 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3983 {
3984 	struct nlattr *attr;
3985 	int n_entries = 0, tmp;
3986 
3987 	nla_for_each_nested(attr, nl_attr, tmp) {
3988 		if (nla_len(attr) != ETH_ALEN)
3989 			return -EINVAL;
3990 
3991 		n_entries++;
3992 	}
3993 
3994 	return n_entries;
3995 }
3996 
3997 /*
3998  * This function parses ACL information and allocates memory for ACL data.
3999  * On successful return, the calling function is responsible to free the
4000  * ACL buffer returned by this function.
4001  */
4002 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4003 						struct genl_info *info)
4004 {
4005 	enum nl80211_acl_policy acl_policy;
4006 	struct nlattr *attr;
4007 	struct cfg80211_acl_data *acl;
4008 	int i = 0, n_entries, tmp;
4009 
4010 	if (!wiphy->max_acl_mac_addrs)
4011 		return ERR_PTR(-EOPNOTSUPP);
4012 
4013 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4014 		return ERR_PTR(-EINVAL);
4015 
4016 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4017 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4018 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4019 		return ERR_PTR(-EINVAL);
4020 
4021 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4022 		return ERR_PTR(-EINVAL);
4023 
4024 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4025 	if (n_entries < 0)
4026 		return ERR_PTR(n_entries);
4027 
4028 	if (n_entries > wiphy->max_acl_mac_addrs)
4029 		return ERR_PTR(-ENOTSUPP);
4030 
4031 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4032 	if (!acl)
4033 		return ERR_PTR(-ENOMEM);
4034 
4035 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4036 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4037 		i++;
4038 	}
4039 
4040 	acl->n_acl_entries = n_entries;
4041 	acl->acl_policy = acl_policy;
4042 
4043 	return acl;
4044 }
4045 
4046 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4047 {
4048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4049 	struct net_device *dev = info->user_ptr[1];
4050 	struct cfg80211_acl_data *acl;
4051 	int err;
4052 
4053 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4054 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4055 		return -EOPNOTSUPP;
4056 
4057 	if (!dev->ieee80211_ptr->beacon_interval)
4058 		return -EINVAL;
4059 
4060 	acl = parse_acl_data(&rdev->wiphy, info);
4061 	if (IS_ERR(acl))
4062 		return PTR_ERR(acl);
4063 
4064 	err = rdev_set_mac_acl(rdev, dev, acl);
4065 
4066 	kfree(acl);
4067 
4068 	return err;
4069 }
4070 
4071 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4072 			   u8 *rates, u8 rates_len)
4073 {
4074 	u8 i;
4075 	u32 mask = 0;
4076 
4077 	for (i = 0; i < rates_len; i++) {
4078 		int rate = (rates[i] & 0x7f) * 5;
4079 		int ridx;
4080 
4081 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4082 			struct ieee80211_rate *srate =
4083 				&sband->bitrates[ridx];
4084 			if (rate == srate->bitrate) {
4085 				mask |= 1 << ridx;
4086 				break;
4087 			}
4088 		}
4089 		if (ridx == sband->n_bitrates)
4090 			return 0; /* rate not found */
4091 	}
4092 
4093 	return mask;
4094 }
4095 
4096 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4097 			       u8 *rates, u8 rates_len,
4098 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4099 {
4100 	u8 i;
4101 
4102 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4103 
4104 	for (i = 0; i < rates_len; i++) {
4105 		int ridx, rbit;
4106 
4107 		ridx = rates[i] / 8;
4108 		rbit = BIT(rates[i] % 8);
4109 
4110 		/* check validity */
4111 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4112 			return false;
4113 
4114 		/* check availability */
4115 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4116 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4117 			mcs[ridx] |= rbit;
4118 		else
4119 			return false;
4120 	}
4121 
4122 	return true;
4123 }
4124 
4125 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4126 {
4127 	u16 mcs_mask = 0;
4128 
4129 	switch (vht_mcs_map) {
4130 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4131 		break;
4132 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4133 		mcs_mask = 0x00FF;
4134 		break;
4135 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4136 		mcs_mask = 0x01FF;
4137 		break;
4138 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4139 		mcs_mask = 0x03FF;
4140 		break;
4141 	default:
4142 		break;
4143 	}
4144 
4145 	return mcs_mask;
4146 }
4147 
4148 static void vht_build_mcs_mask(u16 vht_mcs_map,
4149 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4150 {
4151 	u8 nss;
4152 
4153 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4154 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4155 		vht_mcs_map >>= 2;
4156 	}
4157 }
4158 
4159 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4160 			     struct nl80211_txrate_vht *txrate,
4161 			     u16 mcs[NL80211_VHT_NSS_MAX])
4162 {
4163 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4164 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4165 	u8 i;
4166 
4167 	if (!sband->vht_cap.vht_supported)
4168 		return false;
4169 
4170 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4171 
4172 	/* Build vht_mcs_mask from VHT capabilities */
4173 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4174 
4175 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4176 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4177 			mcs[i] = txrate->mcs[i];
4178 		else
4179 			return false;
4180 	}
4181 
4182 	return true;
4183 }
4184 
4185 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4186 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4187 				    .len = NL80211_MAX_SUPP_RATES },
4188 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4189 				.len = NL80211_MAX_SUPP_HT_RATES },
4190 	[NL80211_TXRATE_VHT] = {
4191 		.type = NLA_EXACT_LEN_WARN,
4192 		.len = sizeof(struct nl80211_txrate_vht),
4193 	},
4194 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
4195 };
4196 
4197 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4198 					 struct cfg80211_bitrate_mask *mask)
4199 {
4200 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4202 	int rem, i;
4203 	struct nlattr *tx_rates;
4204 	struct ieee80211_supported_band *sband;
4205 	u16 vht_tx_mcs_map;
4206 
4207 	memset(mask, 0, sizeof(*mask));
4208 	/* Default to all rates enabled */
4209 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4210 		sband = rdev->wiphy.bands[i];
4211 
4212 		if (!sband)
4213 			continue;
4214 
4215 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4216 		memcpy(mask->control[i].ht_mcs,
4217 		       sband->ht_cap.mcs.rx_mask,
4218 		       sizeof(mask->control[i].ht_mcs));
4219 
4220 		if (!sband->vht_cap.vht_supported)
4221 			continue;
4222 
4223 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4224 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4225 	}
4226 
4227 	/* if no rates are given set it back to the defaults */
4228 	if (!info->attrs[NL80211_ATTR_TX_RATES])
4229 		goto out;
4230 
4231 	/* The nested attribute uses enum nl80211_band as the index. This maps
4232 	 * directly to the enum nl80211_band values used in cfg80211.
4233 	 */
4234 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4235 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4236 		enum nl80211_band band = nla_type(tx_rates);
4237 		int err;
4238 
4239 		if (band < 0 || band >= NUM_NL80211_BANDS)
4240 			return -EINVAL;
4241 		sband = rdev->wiphy.bands[band];
4242 		if (sband == NULL)
4243 			return -EINVAL;
4244 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4245 						  tx_rates,
4246 						  nl80211_txattr_policy,
4247 						  info->extack);
4248 		if (err)
4249 			return err;
4250 		if (tb[NL80211_TXRATE_LEGACY]) {
4251 			mask->control[band].legacy = rateset_to_mask(
4252 				sband,
4253 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4254 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4255 			if ((mask->control[band].legacy == 0) &&
4256 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4257 				return -EINVAL;
4258 		}
4259 		if (tb[NL80211_TXRATE_HT]) {
4260 			if (!ht_rateset_to_mask(
4261 					sband,
4262 					nla_data(tb[NL80211_TXRATE_HT]),
4263 					nla_len(tb[NL80211_TXRATE_HT]),
4264 					mask->control[band].ht_mcs))
4265 				return -EINVAL;
4266 		}
4267 		if (tb[NL80211_TXRATE_VHT]) {
4268 			if (!vht_set_mcs_mask(
4269 					sband,
4270 					nla_data(tb[NL80211_TXRATE_VHT]),
4271 					mask->control[band].vht_mcs))
4272 				return -EINVAL;
4273 		}
4274 		if (tb[NL80211_TXRATE_GI]) {
4275 			mask->control[band].gi =
4276 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4277 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4278 				return -EINVAL;
4279 		}
4280 
4281 		if (mask->control[band].legacy == 0) {
4282 			/* don't allow empty legacy rates if HT or VHT
4283 			 * are not even supported.
4284 			 */
4285 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4286 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
4287 				return -EINVAL;
4288 
4289 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4290 				if (mask->control[band].ht_mcs[i])
4291 					goto out;
4292 
4293 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4294 				if (mask->control[band].vht_mcs[i])
4295 					goto out;
4296 
4297 			/* legacy and mcs rates may not be both empty */
4298 			return -EINVAL;
4299 		}
4300 	}
4301 
4302 out:
4303 	return 0;
4304 }
4305 
4306 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4307 				   enum nl80211_band band,
4308 				   struct cfg80211_bitrate_mask *beacon_rate)
4309 {
4310 	u32 count_ht, count_vht, i;
4311 	u32 rate = beacon_rate->control[band].legacy;
4312 
4313 	/* Allow only one rate */
4314 	if (hweight32(rate) > 1)
4315 		return -EINVAL;
4316 
4317 	count_ht = 0;
4318 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4319 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4320 			return -EINVAL;
4321 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4322 			count_ht++;
4323 			if (count_ht > 1)
4324 				return -EINVAL;
4325 		}
4326 		if (count_ht && rate)
4327 			return -EINVAL;
4328 	}
4329 
4330 	count_vht = 0;
4331 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4332 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4333 			return -EINVAL;
4334 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4335 			count_vht++;
4336 			if (count_vht > 1)
4337 				return -EINVAL;
4338 		}
4339 		if (count_vht && rate)
4340 			return -EINVAL;
4341 	}
4342 
4343 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4344 		return -EINVAL;
4345 
4346 	if (rate &&
4347 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4348 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4349 		return -EINVAL;
4350 	if (count_ht &&
4351 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4352 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4353 		return -EINVAL;
4354 	if (count_vht &&
4355 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4356 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4357 		return -EINVAL;
4358 
4359 	return 0;
4360 }
4361 
4362 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4363 				struct nlattr *attrs[],
4364 				struct cfg80211_beacon_data *bcn)
4365 {
4366 	bool haveinfo = false;
4367 	int err;
4368 
4369 	memset(bcn, 0, sizeof(*bcn));
4370 
4371 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4372 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4373 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4374 		if (!bcn->head_len)
4375 			return -EINVAL;
4376 		haveinfo = true;
4377 	}
4378 
4379 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4380 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4381 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4382 		haveinfo = true;
4383 	}
4384 
4385 	if (!haveinfo)
4386 		return -EINVAL;
4387 
4388 	if (attrs[NL80211_ATTR_IE]) {
4389 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4390 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4391 	}
4392 
4393 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4394 		bcn->proberesp_ies =
4395 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4396 		bcn->proberesp_ies_len =
4397 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4398 	}
4399 
4400 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4401 		bcn->assocresp_ies =
4402 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4403 		bcn->assocresp_ies_len =
4404 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4405 	}
4406 
4407 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4408 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4409 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4410 	}
4411 
4412 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4413 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4414 
4415 		err = nla_parse_nested_deprecated(tb,
4416 						  NL80211_FTM_RESP_ATTR_MAX,
4417 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4418 						  NULL, NULL);
4419 		if (err)
4420 			return err;
4421 
4422 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4423 		    wiphy_ext_feature_isset(&rdev->wiphy,
4424 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4425 			bcn->ftm_responder = 1;
4426 		else
4427 			return -EOPNOTSUPP;
4428 
4429 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4430 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4431 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4432 		}
4433 
4434 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4435 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4436 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4437 		}
4438 	} else {
4439 		bcn->ftm_responder = -1;
4440 	}
4441 
4442 	return 0;
4443 }
4444 
4445 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4446 				    struct ieee80211_he_obss_pd *he_obss_pd)
4447 {
4448 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4449 	int err;
4450 
4451 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4452 			       he_obss_pd_policy, NULL);
4453 	if (err)
4454 		return err;
4455 
4456 	if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] ||
4457 	    !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4458 		return -EINVAL;
4459 
4460 	he_obss_pd->min_offset =
4461 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4462 	he_obss_pd->max_offset =
4463 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4464 
4465 	if (he_obss_pd->min_offset >= he_obss_pd->max_offset)
4466 		return -EINVAL;
4467 
4468 	he_obss_pd->enable = true;
4469 
4470 	return 0;
4471 }
4472 
4473 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4474 					    const u8 *rates)
4475 {
4476 	int i;
4477 
4478 	if (!rates)
4479 		return;
4480 
4481 	for (i = 0; i < rates[1]; i++) {
4482 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4483 			params->ht_required = true;
4484 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4485 			params->vht_required = true;
4486 	}
4487 }
4488 
4489 /*
4490  * Since the nl80211 API didn't include, from the beginning, attributes about
4491  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4492  * benefit of drivers that rebuild IEs in the firmware.
4493  */
4494 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4495 {
4496 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4497 	size_t ies_len = bcn->tail_len;
4498 	const u8 *ies = bcn->tail;
4499 	const u8 *rates;
4500 	const u8 *cap;
4501 
4502 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4503 	nl80211_check_ap_rate_selectors(params, rates);
4504 
4505 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4506 	nl80211_check_ap_rate_selectors(params, rates);
4507 
4508 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4509 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4510 		params->ht_cap = (void *)(cap + 2);
4511 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4512 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4513 		params->vht_cap = (void *)(cap + 2);
4514 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4515 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4516 		params->he_cap = (void *)(cap + 3);
4517 }
4518 
4519 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4520 				   struct cfg80211_ap_settings *params)
4521 {
4522 	struct wireless_dev *wdev;
4523 	bool ret = false;
4524 
4525 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4526 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4527 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4528 			continue;
4529 
4530 		if (!wdev->preset_chandef.chan)
4531 			continue;
4532 
4533 		params->chandef = wdev->preset_chandef;
4534 		ret = true;
4535 		break;
4536 	}
4537 
4538 	return ret;
4539 }
4540 
4541 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4542 				    enum nl80211_auth_type auth_type,
4543 				    enum nl80211_commands cmd)
4544 {
4545 	if (auth_type > NL80211_AUTHTYPE_MAX)
4546 		return false;
4547 
4548 	switch (cmd) {
4549 	case NL80211_CMD_AUTHENTICATE:
4550 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4551 		    auth_type == NL80211_AUTHTYPE_SAE)
4552 			return false;
4553 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4554 					     NL80211_EXT_FEATURE_FILS_STA) &&
4555 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4556 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4557 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4558 			return false;
4559 		return true;
4560 	case NL80211_CMD_CONNECT:
4561 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4562 		    !wiphy_ext_feature_isset(&rdev->wiphy,
4563 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
4564 		    auth_type == NL80211_AUTHTYPE_SAE)
4565 			return false;
4566 
4567 		/* FILS with SK PFS or PK not supported yet */
4568 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4569 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4570 			return false;
4571 		if (!wiphy_ext_feature_isset(
4572 			    &rdev->wiphy,
4573 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4574 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4575 			return false;
4576 		return true;
4577 	case NL80211_CMD_START_AP:
4578 		/* SAE not supported yet */
4579 		if (auth_type == NL80211_AUTHTYPE_SAE)
4580 			return false;
4581 		/* FILS not supported yet */
4582 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4583 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4584 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4585 			return false;
4586 		return true;
4587 	default:
4588 		return false;
4589 	}
4590 }
4591 
4592 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4593 {
4594 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4595 	struct net_device *dev = info->user_ptr[1];
4596 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4597 	struct cfg80211_ap_settings params;
4598 	int err;
4599 
4600 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4601 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4602 		return -EOPNOTSUPP;
4603 
4604 	if (!rdev->ops->start_ap)
4605 		return -EOPNOTSUPP;
4606 
4607 	if (wdev->beacon_interval)
4608 		return -EALREADY;
4609 
4610 	memset(&params, 0, sizeof(params));
4611 
4612 	/* these are required for START_AP */
4613 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4614 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4615 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4616 		return -EINVAL;
4617 
4618 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4619 	if (err)
4620 		return err;
4621 
4622 	params.beacon_interval =
4623 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4624 	params.dtim_period =
4625 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4626 
4627 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4628 					   params.beacon_interval);
4629 	if (err)
4630 		return err;
4631 
4632 	/*
4633 	 * In theory, some of these attributes should be required here
4634 	 * but since they were not used when the command was originally
4635 	 * added, keep them optional for old user space programs to let
4636 	 * them continue to work with drivers that do not need the
4637 	 * additional information -- drivers must check!
4638 	 */
4639 	if (info->attrs[NL80211_ATTR_SSID]) {
4640 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4641 		params.ssid_len =
4642 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4643 		if (params.ssid_len == 0 ||
4644 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4645 			return -EINVAL;
4646 	}
4647 
4648 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4649 		params.hidden_ssid = nla_get_u32(
4650 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4651 
4652 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4653 
4654 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4655 		params.auth_type = nla_get_u32(
4656 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4657 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4658 					     NL80211_CMD_START_AP))
4659 			return -EINVAL;
4660 	} else
4661 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4662 
4663 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4664 				      NL80211_MAX_NR_CIPHER_SUITES);
4665 	if (err)
4666 		return err;
4667 
4668 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4669 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4670 			return -EOPNOTSUPP;
4671 		params.inactivity_timeout = nla_get_u16(
4672 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4673 	}
4674 
4675 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4676 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4677 			return -EINVAL;
4678 		params.p2p_ctwindow =
4679 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4680 		if (params.p2p_ctwindow != 0 &&
4681 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4682 			return -EINVAL;
4683 	}
4684 
4685 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4686 		u8 tmp;
4687 
4688 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4689 			return -EINVAL;
4690 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4691 		params.p2p_opp_ps = tmp;
4692 		if (params.p2p_opp_ps != 0 &&
4693 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4694 			return -EINVAL;
4695 	}
4696 
4697 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4698 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4699 		if (err)
4700 			return err;
4701 	} else if (wdev->preset_chandef.chan) {
4702 		params.chandef = wdev->preset_chandef;
4703 	} else if (!nl80211_get_ap_channel(rdev, &params))
4704 		return -EINVAL;
4705 
4706 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4707 					   wdev->iftype))
4708 		return -EINVAL;
4709 
4710 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4711 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4712 		if (err)
4713 			return err;
4714 
4715 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4716 					      &params.beacon_rate);
4717 		if (err)
4718 			return err;
4719 	}
4720 
4721 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4722 		params.smps_mode =
4723 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4724 		switch (params.smps_mode) {
4725 		case NL80211_SMPS_OFF:
4726 			break;
4727 		case NL80211_SMPS_STATIC:
4728 			if (!(rdev->wiphy.features &
4729 			      NL80211_FEATURE_STATIC_SMPS))
4730 				return -EINVAL;
4731 			break;
4732 		case NL80211_SMPS_DYNAMIC:
4733 			if (!(rdev->wiphy.features &
4734 			      NL80211_FEATURE_DYNAMIC_SMPS))
4735 				return -EINVAL;
4736 			break;
4737 		default:
4738 			return -EINVAL;
4739 		}
4740 	} else {
4741 		params.smps_mode = NL80211_SMPS_OFF;
4742 	}
4743 
4744 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4745 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4746 		return -EOPNOTSUPP;
4747 
4748 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4749 		params.acl = parse_acl_data(&rdev->wiphy, info);
4750 		if (IS_ERR(params.acl))
4751 			return PTR_ERR(params.acl);
4752 	}
4753 
4754 	params.twt_responder =
4755 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
4756 
4757 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
4758 		err = nl80211_parse_he_obss_pd(
4759 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
4760 					&params.he_obss_pd);
4761 		if (err)
4762 			return err;
4763 	}
4764 
4765 	nl80211_calculate_ap_params(&params);
4766 
4767 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
4768 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
4769 
4770 	wdev_lock(wdev);
4771 	err = rdev_start_ap(rdev, dev, &params);
4772 	if (!err) {
4773 		wdev->preset_chandef = params.chandef;
4774 		wdev->beacon_interval = params.beacon_interval;
4775 		wdev->chandef = params.chandef;
4776 		wdev->ssid_len = params.ssid_len;
4777 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4778 
4779 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4780 			wdev->conn_owner_nlportid = info->snd_portid;
4781 	}
4782 	wdev_unlock(wdev);
4783 
4784 	kfree(params.acl);
4785 
4786 	return err;
4787 }
4788 
4789 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4790 {
4791 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4792 	struct net_device *dev = info->user_ptr[1];
4793 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4794 	struct cfg80211_beacon_data params;
4795 	int err;
4796 
4797 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4798 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4799 		return -EOPNOTSUPP;
4800 
4801 	if (!rdev->ops->change_beacon)
4802 		return -EOPNOTSUPP;
4803 
4804 	if (!wdev->beacon_interval)
4805 		return -EINVAL;
4806 
4807 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
4808 	if (err)
4809 		return err;
4810 
4811 	wdev_lock(wdev);
4812 	err = rdev_change_beacon(rdev, dev, &params);
4813 	wdev_unlock(wdev);
4814 
4815 	return err;
4816 }
4817 
4818 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4819 {
4820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4821 	struct net_device *dev = info->user_ptr[1];
4822 
4823 	return cfg80211_stop_ap(rdev, dev, false);
4824 }
4825 
4826 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4827 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4828 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4829 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4830 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4831 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4832 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4833 };
4834 
4835 static int parse_station_flags(struct genl_info *info,
4836 			       enum nl80211_iftype iftype,
4837 			       struct station_parameters *params)
4838 {
4839 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4840 	struct nlattr *nla;
4841 	int flag;
4842 
4843 	/*
4844 	 * Try parsing the new attribute first so userspace
4845 	 * can specify both for older kernels.
4846 	 */
4847 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4848 	if (nla) {
4849 		struct nl80211_sta_flag_update *sta_flags;
4850 
4851 		sta_flags = nla_data(nla);
4852 		params->sta_flags_mask = sta_flags->mask;
4853 		params->sta_flags_set = sta_flags->set;
4854 		params->sta_flags_set &= params->sta_flags_mask;
4855 		if ((params->sta_flags_mask |
4856 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4857 			return -EINVAL;
4858 		return 0;
4859 	}
4860 
4861 	/* if present, parse the old attribute */
4862 
4863 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4864 	if (!nla)
4865 		return 0;
4866 
4867 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
4868 		return -EINVAL;
4869 
4870 	/*
4871 	 * Only allow certain flags for interface types so that
4872 	 * other attributes are silently ignored. Remember that
4873 	 * this is backward compatibility code with old userspace
4874 	 * and shouldn't be hit in other cases anyway.
4875 	 */
4876 	switch (iftype) {
4877 	case NL80211_IFTYPE_AP:
4878 	case NL80211_IFTYPE_AP_VLAN:
4879 	case NL80211_IFTYPE_P2P_GO:
4880 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4881 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4882 					 BIT(NL80211_STA_FLAG_WME) |
4883 					 BIT(NL80211_STA_FLAG_MFP);
4884 		break;
4885 	case NL80211_IFTYPE_P2P_CLIENT:
4886 	case NL80211_IFTYPE_STATION:
4887 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4888 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
4889 		break;
4890 	case NL80211_IFTYPE_MESH_POINT:
4891 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4892 					 BIT(NL80211_STA_FLAG_MFP) |
4893 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
4894 		break;
4895 	default:
4896 		return -EINVAL;
4897 	}
4898 
4899 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4900 		if (flags[flag]) {
4901 			params->sta_flags_set |= (1<<flag);
4902 
4903 			/* no longer support new API additions in old API */
4904 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4905 				return -EINVAL;
4906 		}
4907 	}
4908 
4909 	return 0;
4910 }
4911 
4912 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
4913 {
4914 	struct nlattr *rate;
4915 	u32 bitrate;
4916 	u16 bitrate_compat;
4917 	enum nl80211_rate_info rate_flg;
4918 
4919 	rate = nla_nest_start_noflag(msg, attr);
4920 	if (!rate)
4921 		return false;
4922 
4923 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4924 	bitrate = cfg80211_calculate_bitrate(info);
4925 	/* report 16-bit bitrate only if we can */
4926 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4927 	if (bitrate > 0 &&
4928 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4929 		return false;
4930 	if (bitrate_compat > 0 &&
4931 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4932 		return false;
4933 
4934 	switch (info->bw) {
4935 	case RATE_INFO_BW_5:
4936 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4937 		break;
4938 	case RATE_INFO_BW_10:
4939 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4940 		break;
4941 	default:
4942 		WARN_ON(1);
4943 		/* fall through */
4944 	case RATE_INFO_BW_20:
4945 		rate_flg = 0;
4946 		break;
4947 	case RATE_INFO_BW_40:
4948 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4949 		break;
4950 	case RATE_INFO_BW_80:
4951 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4952 		break;
4953 	case RATE_INFO_BW_160:
4954 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4955 		break;
4956 	case RATE_INFO_BW_HE_RU:
4957 		rate_flg = 0;
4958 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4959 	}
4960 
4961 	if (rate_flg && nla_put_flag(msg, rate_flg))
4962 		return false;
4963 
4964 	if (info->flags & RATE_INFO_FLAGS_MCS) {
4965 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4966 			return false;
4967 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4968 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4969 			return false;
4970 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4971 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4972 			return false;
4973 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4974 			return false;
4975 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4976 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4977 			return false;
4978 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4979 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4980 			return false;
4981 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4982 			return false;
4983 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4984 			return false;
4985 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4986 			return false;
4987 		if (info->bw == RATE_INFO_BW_HE_RU &&
4988 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4989 			       info->he_ru_alloc))
4990 			return false;
4991 	}
4992 
4993 	nla_nest_end(msg, rate);
4994 	return true;
4995 }
4996 
4997 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4998 			       int id)
4999 {
5000 	void *attr;
5001 	int i = 0;
5002 
5003 	if (!mask)
5004 		return true;
5005 
5006 	attr = nla_nest_start_noflag(msg, id);
5007 	if (!attr)
5008 		return false;
5009 
5010 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5011 		if (!(mask & BIT(i)))
5012 			continue;
5013 
5014 		if (nla_put_u8(msg, i, signal[i]))
5015 			return false;
5016 	}
5017 
5018 	nla_nest_end(msg, attr);
5019 
5020 	return true;
5021 }
5022 
5023 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5024 				u32 seq, int flags,
5025 				struct cfg80211_registered_device *rdev,
5026 				struct net_device *dev,
5027 				const u8 *mac_addr, struct station_info *sinfo)
5028 {
5029 	void *hdr;
5030 	struct nlattr *sinfoattr, *bss_param;
5031 
5032 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5033 	if (!hdr) {
5034 		cfg80211_sinfo_release_content(sinfo);
5035 		return -1;
5036 	}
5037 
5038 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5039 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5040 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5041 		goto nla_put_failure;
5042 
5043 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5044 	if (!sinfoattr)
5045 		goto nla_put_failure;
5046 
5047 #define PUT_SINFO(attr, memb, type) do {				\
5048 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5049 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5050 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5051 			     sinfo->memb))				\
5052 		goto nla_put_failure;					\
5053 	} while (0)
5054 #define PUT_SINFO_U64(attr, memb) do {					\
5055 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5056 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5057 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5058 		goto nla_put_failure;					\
5059 	} while (0)
5060 
5061 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5062 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5063 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5064 
5065 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5066 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5067 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5068 			(u32)sinfo->rx_bytes))
5069 		goto nla_put_failure;
5070 
5071 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5072 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5073 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5074 			(u32)sinfo->tx_bytes))
5075 		goto nla_put_failure;
5076 
5077 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5078 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5079 	PUT_SINFO(LLID, llid, u16);
5080 	PUT_SINFO(PLID, plid, u16);
5081 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5082 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5083 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5084 
5085 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5086 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5087 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5088 
5089 	switch (rdev->wiphy.signal_type) {
5090 	case CFG80211_SIGNAL_TYPE_MBM:
5091 		PUT_SINFO(SIGNAL, signal, u8);
5092 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5093 		break;
5094 	default:
5095 		break;
5096 	}
5097 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5098 		if (!nl80211_put_signal(msg, sinfo->chains,
5099 					sinfo->chain_signal,
5100 					NL80211_STA_INFO_CHAIN_SIGNAL))
5101 			goto nla_put_failure;
5102 	}
5103 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5104 		if (!nl80211_put_signal(msg, sinfo->chains,
5105 					sinfo->chain_signal_avg,
5106 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5107 			goto nla_put_failure;
5108 	}
5109 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5110 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5111 					  NL80211_STA_INFO_TX_BITRATE))
5112 			goto nla_put_failure;
5113 	}
5114 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5115 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5116 					  NL80211_STA_INFO_RX_BITRATE))
5117 			goto nla_put_failure;
5118 	}
5119 
5120 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5121 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5122 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5123 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5124 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5125 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5126 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5127 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5128 	PUT_SINFO(PEER_PM, peer_pm, u32);
5129 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5130 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5131 
5132 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5133 		bss_param = nla_nest_start_noflag(msg,
5134 						  NL80211_STA_INFO_BSS_PARAM);
5135 		if (!bss_param)
5136 			goto nla_put_failure;
5137 
5138 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5139 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5140 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5141 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5142 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5143 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5144 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5145 			       sinfo->bss_param.dtim_period) ||
5146 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5147 				sinfo->bss_param.beacon_interval))
5148 			goto nla_put_failure;
5149 
5150 		nla_nest_end(msg, bss_param);
5151 	}
5152 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5153 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5154 		    sizeof(struct nl80211_sta_flag_update),
5155 		    &sinfo->sta_flags))
5156 		goto nla_put_failure;
5157 
5158 	PUT_SINFO_U64(T_OFFSET, t_offset);
5159 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5160 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5161 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5162 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5163 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5164 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5165 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5166 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5167 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5168 	}
5169 
5170 #undef PUT_SINFO
5171 #undef PUT_SINFO_U64
5172 
5173 	if (sinfo->pertid) {
5174 		struct nlattr *tidsattr;
5175 		int tid;
5176 
5177 		tidsattr = nla_nest_start_noflag(msg,
5178 						 NL80211_STA_INFO_TID_STATS);
5179 		if (!tidsattr)
5180 			goto nla_put_failure;
5181 
5182 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5183 			struct cfg80211_tid_stats *tidstats;
5184 			struct nlattr *tidattr;
5185 
5186 			tidstats = &sinfo->pertid[tid];
5187 
5188 			if (!tidstats->filled)
5189 				continue;
5190 
5191 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5192 			if (!tidattr)
5193 				goto nla_put_failure;
5194 
5195 #define PUT_TIDVAL_U64(attr, memb) do {					\
5196 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5197 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5198 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5199 		goto nla_put_failure;					\
5200 	} while (0)
5201 
5202 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5203 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5204 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5205 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5206 
5207 #undef PUT_TIDVAL_U64
5208 			if ((tidstats->filled &
5209 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5210 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5211 						   NL80211_TID_STATS_TXQ_STATS))
5212 				goto nla_put_failure;
5213 
5214 			nla_nest_end(msg, tidattr);
5215 		}
5216 
5217 		nla_nest_end(msg, tidsattr);
5218 	}
5219 
5220 	nla_nest_end(msg, sinfoattr);
5221 
5222 	if (sinfo->assoc_req_ies_len &&
5223 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5224 		    sinfo->assoc_req_ies))
5225 		goto nla_put_failure;
5226 
5227 	cfg80211_sinfo_release_content(sinfo);
5228 	genlmsg_end(msg, hdr);
5229 	return 0;
5230 
5231  nla_put_failure:
5232 	cfg80211_sinfo_release_content(sinfo);
5233 	genlmsg_cancel(msg, hdr);
5234 	return -EMSGSIZE;
5235 }
5236 
5237 static int nl80211_dump_station(struct sk_buff *skb,
5238 				struct netlink_callback *cb)
5239 {
5240 	struct station_info sinfo;
5241 	struct cfg80211_registered_device *rdev;
5242 	struct wireless_dev *wdev;
5243 	u8 mac_addr[ETH_ALEN];
5244 	int sta_idx = cb->args[2];
5245 	int err;
5246 
5247 	rtnl_lock();
5248 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5249 	if (err)
5250 		goto out_err;
5251 
5252 	if (!wdev->netdev) {
5253 		err = -EINVAL;
5254 		goto out_err;
5255 	}
5256 
5257 	if (!rdev->ops->dump_station) {
5258 		err = -EOPNOTSUPP;
5259 		goto out_err;
5260 	}
5261 
5262 	while (1) {
5263 		memset(&sinfo, 0, sizeof(sinfo));
5264 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5265 					mac_addr, &sinfo);
5266 		if (err == -ENOENT)
5267 			break;
5268 		if (err)
5269 			goto out_err;
5270 
5271 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5272 				NETLINK_CB(cb->skb).portid,
5273 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5274 				rdev, wdev->netdev, mac_addr,
5275 				&sinfo) < 0)
5276 			goto out;
5277 
5278 		sta_idx++;
5279 	}
5280 
5281  out:
5282 	cb->args[2] = sta_idx;
5283 	err = skb->len;
5284  out_err:
5285 	rtnl_unlock();
5286 
5287 	return err;
5288 }
5289 
5290 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5291 {
5292 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5293 	struct net_device *dev = info->user_ptr[1];
5294 	struct station_info sinfo;
5295 	struct sk_buff *msg;
5296 	u8 *mac_addr = NULL;
5297 	int err;
5298 
5299 	memset(&sinfo, 0, sizeof(sinfo));
5300 
5301 	if (!info->attrs[NL80211_ATTR_MAC])
5302 		return -EINVAL;
5303 
5304 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5305 
5306 	if (!rdev->ops->get_station)
5307 		return -EOPNOTSUPP;
5308 
5309 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5310 	if (err)
5311 		return err;
5312 
5313 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5314 	if (!msg) {
5315 		cfg80211_sinfo_release_content(&sinfo);
5316 		return -ENOMEM;
5317 	}
5318 
5319 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5320 				 info->snd_portid, info->snd_seq, 0,
5321 				 rdev, dev, mac_addr, &sinfo) < 0) {
5322 		nlmsg_free(msg);
5323 		return -ENOBUFS;
5324 	}
5325 
5326 	return genlmsg_reply(msg, info);
5327 }
5328 
5329 int cfg80211_check_station_change(struct wiphy *wiphy,
5330 				  struct station_parameters *params,
5331 				  enum cfg80211_station_type statype)
5332 {
5333 	if (params->listen_interval != -1 &&
5334 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5335 		return -EINVAL;
5336 
5337 	if (params->support_p2p_ps != -1 &&
5338 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5339 		return -EINVAL;
5340 
5341 	if (params->aid &&
5342 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5343 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5344 		return -EINVAL;
5345 
5346 	/* When you run into this, adjust the code below for the new flag */
5347 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5348 
5349 	switch (statype) {
5350 	case CFG80211_STA_MESH_PEER_KERNEL:
5351 	case CFG80211_STA_MESH_PEER_USER:
5352 		/*
5353 		 * No ignoring the TDLS flag here -- the userspace mesh
5354 		 * code doesn't have the bug of including TDLS in the
5355 		 * mask everywhere.
5356 		 */
5357 		if (params->sta_flags_mask &
5358 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5359 				  BIT(NL80211_STA_FLAG_MFP) |
5360 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5361 			return -EINVAL;
5362 		break;
5363 	case CFG80211_STA_TDLS_PEER_SETUP:
5364 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5365 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5366 			return -EINVAL;
5367 		/* ignore since it can't change */
5368 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5369 		break;
5370 	default:
5371 		/* disallow mesh-specific things */
5372 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5373 			return -EINVAL;
5374 		if (params->local_pm)
5375 			return -EINVAL;
5376 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5377 			return -EINVAL;
5378 	}
5379 
5380 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5381 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5382 		/* TDLS can't be set, ... */
5383 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5384 			return -EINVAL;
5385 		/*
5386 		 * ... but don't bother the driver with it. This works around
5387 		 * a hostapd/wpa_supplicant issue -- it always includes the
5388 		 * TLDS_PEER flag in the mask even for AP mode.
5389 		 */
5390 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5391 	}
5392 
5393 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5394 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5395 		/* reject other things that can't change */
5396 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5397 			return -EINVAL;
5398 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5399 			return -EINVAL;
5400 		if (params->supported_rates)
5401 			return -EINVAL;
5402 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5403 		    params->he_capa)
5404 			return -EINVAL;
5405 	}
5406 
5407 	if (statype != CFG80211_STA_AP_CLIENT &&
5408 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5409 		if (params->vlan)
5410 			return -EINVAL;
5411 	}
5412 
5413 	switch (statype) {
5414 	case CFG80211_STA_AP_MLME_CLIENT:
5415 		/* Use this only for authorizing/unauthorizing a station */
5416 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5417 			return -EOPNOTSUPP;
5418 		break;
5419 	case CFG80211_STA_AP_CLIENT:
5420 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5421 		/* accept only the listed bits */
5422 		if (params->sta_flags_mask &
5423 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5424 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5425 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5426 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5427 				  BIT(NL80211_STA_FLAG_WME) |
5428 				  BIT(NL80211_STA_FLAG_MFP)))
5429 			return -EINVAL;
5430 
5431 		/* but authenticated/associated only if driver handles it */
5432 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5433 		    params->sta_flags_mask &
5434 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5435 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5436 			return -EINVAL;
5437 		break;
5438 	case CFG80211_STA_IBSS:
5439 	case CFG80211_STA_AP_STA:
5440 		/* reject any changes other than AUTHORIZED */
5441 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5442 			return -EINVAL;
5443 		break;
5444 	case CFG80211_STA_TDLS_PEER_SETUP:
5445 		/* reject any changes other than AUTHORIZED or WME */
5446 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5447 					       BIT(NL80211_STA_FLAG_WME)))
5448 			return -EINVAL;
5449 		/* force (at least) rates when authorizing */
5450 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5451 		    !params->supported_rates)
5452 			return -EINVAL;
5453 		break;
5454 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5455 		/* reject any changes */
5456 		return -EINVAL;
5457 	case CFG80211_STA_MESH_PEER_KERNEL:
5458 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5459 			return -EINVAL;
5460 		break;
5461 	case CFG80211_STA_MESH_PEER_USER:
5462 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5463 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5464 			return -EINVAL;
5465 		break;
5466 	}
5467 
5468 	/*
5469 	 * Older kernel versions ignored this attribute entirely, so don't
5470 	 * reject attempts to update it but mark it as unused instead so the
5471 	 * driver won't look at the data.
5472 	 */
5473 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5474 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5475 		params->opmode_notif_used = false;
5476 
5477 	return 0;
5478 }
5479 EXPORT_SYMBOL(cfg80211_check_station_change);
5480 
5481 /*
5482  * Get vlan interface making sure it is running and on the right wiphy.
5483  */
5484 static struct net_device *get_vlan(struct genl_info *info,
5485 				   struct cfg80211_registered_device *rdev)
5486 {
5487 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5488 	struct net_device *v;
5489 	int ret;
5490 
5491 	if (!vlanattr)
5492 		return NULL;
5493 
5494 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5495 	if (!v)
5496 		return ERR_PTR(-ENODEV);
5497 
5498 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5499 		ret = -EINVAL;
5500 		goto error;
5501 	}
5502 
5503 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5504 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5505 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5506 		ret = -EINVAL;
5507 		goto error;
5508 	}
5509 
5510 	if (!netif_running(v)) {
5511 		ret = -ENETDOWN;
5512 		goto error;
5513 	}
5514 
5515 	return v;
5516  error:
5517 	dev_put(v);
5518 	return ERR_PTR(ret);
5519 }
5520 
5521 static const struct nla_policy
5522 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5523 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5524 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5525 };
5526 
5527 static int nl80211_parse_sta_wme(struct genl_info *info,
5528 				 struct station_parameters *params)
5529 {
5530 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5531 	struct nlattr *nla;
5532 	int err;
5533 
5534 	/* parse WME attributes if present */
5535 	if (!info->attrs[NL80211_ATTR_STA_WME])
5536 		return 0;
5537 
5538 	nla = info->attrs[NL80211_ATTR_STA_WME];
5539 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5540 					  nl80211_sta_wme_policy,
5541 					  info->extack);
5542 	if (err)
5543 		return err;
5544 
5545 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5546 		params->uapsd_queues = nla_get_u8(
5547 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5548 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5549 		return -EINVAL;
5550 
5551 	if (tb[NL80211_STA_WME_MAX_SP])
5552 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5553 
5554 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5555 		return -EINVAL;
5556 
5557 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5558 
5559 	return 0;
5560 }
5561 
5562 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5563 				      struct station_parameters *params)
5564 {
5565 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5566 		params->supported_channels =
5567 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5568 		params->supported_channels_len =
5569 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5570 		/*
5571 		 * Need to include at least one (first channel, number of
5572 		 * channels) tuple for each subband, and must have proper
5573 		 * tuples for the rest of the data as well.
5574 		 */
5575 		if (params->supported_channels_len < 2)
5576 			return -EINVAL;
5577 		if (params->supported_channels_len % 2)
5578 			return -EINVAL;
5579 	}
5580 
5581 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5582 		params->supported_oper_classes =
5583 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5584 		params->supported_oper_classes_len =
5585 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5586 		/*
5587 		 * The value of the Length field of the Supported Operating
5588 		 * Classes element is between 2 and 253.
5589 		 */
5590 		if (params->supported_oper_classes_len < 2 ||
5591 		    params->supported_oper_classes_len > 253)
5592 			return -EINVAL;
5593 	}
5594 	return 0;
5595 }
5596 
5597 static int nl80211_set_station_tdls(struct genl_info *info,
5598 				    struct station_parameters *params)
5599 {
5600 	int err;
5601 	/* Dummy STA entry gets updated once the peer capabilities are known */
5602 	if (info->attrs[NL80211_ATTR_PEER_AID])
5603 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5604 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5605 		params->ht_capa =
5606 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5607 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5608 		params->vht_capa =
5609 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5610 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5611 		params->he_capa =
5612 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5613 		params->he_capa_len =
5614 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5615 
5616 		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5617 			return -EINVAL;
5618 	}
5619 
5620 	err = nl80211_parse_sta_channel_info(info, params);
5621 	if (err)
5622 		return err;
5623 
5624 	return nl80211_parse_sta_wme(info, params);
5625 }
5626 
5627 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
5628 					     struct station_parameters *params)
5629 {
5630 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5631 	int idx;
5632 
5633 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
5634 		if (!rdev->ops->set_tx_power ||
5635 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5636 					 NL80211_EXT_FEATURE_STA_TX_PWR))
5637 			return -EOPNOTSUPP;
5638 
5639 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
5640 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
5641 
5642 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
5643 			idx = NL80211_ATTR_STA_TX_POWER;
5644 
5645 			if (info->attrs[idx])
5646 				params->txpwr.power =
5647 					nla_get_s16(info->attrs[idx]);
5648 			else
5649 				return -EINVAL;
5650 		}
5651 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
5652 	}
5653 
5654 	return 0;
5655 }
5656 
5657 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5658 {
5659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5660 	struct net_device *dev = info->user_ptr[1];
5661 	struct station_parameters params;
5662 	u8 *mac_addr;
5663 	int err;
5664 
5665 	memset(&params, 0, sizeof(params));
5666 
5667 	if (!rdev->ops->change_station)
5668 		return -EOPNOTSUPP;
5669 
5670 	/*
5671 	 * AID and listen_interval properties can be set only for unassociated
5672 	 * station. Include these parameters here and will check them in
5673 	 * cfg80211_check_station_change().
5674 	 */
5675 	if (info->attrs[NL80211_ATTR_STA_AID])
5676 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5677 
5678 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5679 		params.listen_interval =
5680 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5681 	else
5682 		params.listen_interval = -1;
5683 
5684 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5685 		params.support_p2p_ps =
5686 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5687 	else
5688 		params.support_p2p_ps = -1;
5689 
5690 	if (!info->attrs[NL80211_ATTR_MAC])
5691 		return -EINVAL;
5692 
5693 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5694 
5695 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5696 		params.supported_rates =
5697 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5698 		params.supported_rates_len =
5699 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5700 	}
5701 
5702 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5703 		params.capability =
5704 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5705 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5706 	}
5707 
5708 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5709 		params.ext_capab =
5710 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5711 		params.ext_capab_len =
5712 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5713 	}
5714 
5715 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5716 		return -EINVAL;
5717 
5718 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5719 		params.plink_action =
5720 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5721 
5722 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5723 		params.plink_state =
5724 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5725 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5726 			params.peer_aid = nla_get_u16(
5727 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5728 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5729 	}
5730 
5731 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5732 		params.local_pm = nla_get_u32(
5733 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5734 
5735 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5736 		params.opmode_notif_used = true;
5737 		params.opmode_notif =
5738 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5739 	}
5740 
5741 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5742 		params.airtime_weight =
5743 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5744 
5745 	if (params.airtime_weight &&
5746 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5747 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5748 		return -EOPNOTSUPP;
5749 
5750 	err = nl80211_parse_sta_txpower_setting(info, &params);
5751 	if (err)
5752 		return err;
5753 
5754 	/* Include parameters for TDLS peer (will check later) */
5755 	err = nl80211_set_station_tdls(info, &params);
5756 	if (err)
5757 		return err;
5758 
5759 	params.vlan = get_vlan(info, rdev);
5760 	if (IS_ERR(params.vlan))
5761 		return PTR_ERR(params.vlan);
5762 
5763 	switch (dev->ieee80211_ptr->iftype) {
5764 	case NL80211_IFTYPE_AP:
5765 	case NL80211_IFTYPE_AP_VLAN:
5766 	case NL80211_IFTYPE_P2P_GO:
5767 	case NL80211_IFTYPE_P2P_CLIENT:
5768 	case NL80211_IFTYPE_STATION:
5769 	case NL80211_IFTYPE_ADHOC:
5770 	case NL80211_IFTYPE_MESH_POINT:
5771 		break;
5772 	default:
5773 		err = -EOPNOTSUPP;
5774 		goto out_put_vlan;
5775 	}
5776 
5777 	/* driver will call cfg80211_check_station_change() */
5778 	err = rdev_change_station(rdev, dev, mac_addr, &params);
5779 
5780  out_put_vlan:
5781 	if (params.vlan)
5782 		dev_put(params.vlan);
5783 
5784 	return err;
5785 }
5786 
5787 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5788 {
5789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5790 	int err;
5791 	struct net_device *dev = info->user_ptr[1];
5792 	struct station_parameters params;
5793 	u8 *mac_addr = NULL;
5794 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5795 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
5796 
5797 	memset(&params, 0, sizeof(params));
5798 
5799 	if (!rdev->ops->add_station)
5800 		return -EOPNOTSUPP;
5801 
5802 	if (!info->attrs[NL80211_ATTR_MAC])
5803 		return -EINVAL;
5804 
5805 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5806 		return -EINVAL;
5807 
5808 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5809 		return -EINVAL;
5810 
5811 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
5812 	    !info->attrs[NL80211_ATTR_PEER_AID])
5813 		return -EINVAL;
5814 
5815 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5816 	params.supported_rates =
5817 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5818 	params.supported_rates_len =
5819 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5820 	params.listen_interval =
5821 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5822 
5823 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5824 		params.support_p2p_ps =
5825 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5826 	} else {
5827 		/*
5828 		 * if not specified, assume it's supported for P2P GO interface,
5829 		 * and is NOT supported for AP interface
5830 		 */
5831 		params.support_p2p_ps =
5832 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5833 	}
5834 
5835 	if (info->attrs[NL80211_ATTR_PEER_AID])
5836 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5837 	else
5838 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5839 
5840 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5841 		params.capability =
5842 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5843 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5844 	}
5845 
5846 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5847 		params.ext_capab =
5848 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5849 		params.ext_capab_len =
5850 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5851 	}
5852 
5853 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5854 		params.ht_capa =
5855 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5856 
5857 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5858 		params.vht_capa =
5859 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5860 
5861 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5862 		params.he_capa =
5863 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5864 		params.he_capa_len =
5865 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5866 
5867 		/* max len is validated in nla policy */
5868 		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5869 			return -EINVAL;
5870 	}
5871 
5872 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5873 		params.opmode_notif_used = true;
5874 		params.opmode_notif =
5875 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5876 	}
5877 
5878 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5879 		params.plink_action =
5880 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5881 
5882 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5883 		params.airtime_weight =
5884 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5885 
5886 	if (params.airtime_weight &&
5887 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5888 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5889 		return -EOPNOTSUPP;
5890 
5891 	err = nl80211_parse_sta_txpower_setting(info, &params);
5892 	if (err)
5893 		return err;
5894 
5895 	err = nl80211_parse_sta_channel_info(info, &params);
5896 	if (err)
5897 		return err;
5898 
5899 	err = nl80211_parse_sta_wme(info, &params);
5900 	if (err)
5901 		return err;
5902 
5903 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5904 		return -EINVAL;
5905 
5906 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5907 	 * as userspace might just pass through the capabilities from the IEs
5908 	 * directly, rather than enforcing this restriction and returning an
5909 	 * error in this case.
5910 	 */
5911 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5912 		params.ht_capa = NULL;
5913 		params.vht_capa = NULL;
5914 
5915 		/* HE requires WME */
5916 		if (params.he_capa_len)
5917 			return -EINVAL;
5918 	}
5919 
5920 	/* When you run into this, adjust the code below for the new flag */
5921 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5922 
5923 	switch (dev->ieee80211_ptr->iftype) {
5924 	case NL80211_IFTYPE_AP:
5925 	case NL80211_IFTYPE_AP_VLAN:
5926 	case NL80211_IFTYPE_P2P_GO:
5927 		/* ignore WME attributes if iface/sta is not capable */
5928 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5929 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5930 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5931 
5932 		/* TDLS peers cannot be added */
5933 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5934 		    info->attrs[NL80211_ATTR_PEER_AID])
5935 			return -EINVAL;
5936 		/* but don't bother the driver with it */
5937 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5938 
5939 		/* allow authenticated/associated only if driver handles it */
5940 		if (!(rdev->wiphy.features &
5941 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5942 		    params.sta_flags_mask & auth_assoc)
5943 			return -EINVAL;
5944 
5945 		/* Older userspace, or userspace wanting to be compatible with
5946 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5947 		 * and assoc flags in the mask, but assumes the station will be
5948 		 * added as associated anyway since this was the required driver
5949 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5950 		 * introduced.
5951 		 * In order to not bother drivers with this quirk in the API
5952 		 * set the flags in both the mask and set for new stations in
5953 		 * this case.
5954 		 */
5955 		if (!(params.sta_flags_mask & auth_assoc)) {
5956 			params.sta_flags_mask |= auth_assoc;
5957 			params.sta_flags_set |= auth_assoc;
5958 		}
5959 
5960 		/* must be last in here for error handling */
5961 		params.vlan = get_vlan(info, rdev);
5962 		if (IS_ERR(params.vlan))
5963 			return PTR_ERR(params.vlan);
5964 		break;
5965 	case NL80211_IFTYPE_MESH_POINT:
5966 		/* ignore uAPSD data */
5967 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5968 
5969 		/* associated is disallowed */
5970 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5971 			return -EINVAL;
5972 		/* TDLS peers cannot be added */
5973 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5974 		    info->attrs[NL80211_ATTR_PEER_AID])
5975 			return -EINVAL;
5976 		break;
5977 	case NL80211_IFTYPE_STATION:
5978 	case NL80211_IFTYPE_P2P_CLIENT:
5979 		/* ignore uAPSD data */
5980 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5981 
5982 		/* these are disallowed */
5983 		if (params.sta_flags_mask &
5984 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
5985 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5986 			return -EINVAL;
5987 		/* Only TDLS peers can be added */
5988 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5989 			return -EINVAL;
5990 		/* Can only add if TDLS ... */
5991 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5992 			return -EOPNOTSUPP;
5993 		/* ... with external setup is supported */
5994 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5995 			return -EOPNOTSUPP;
5996 		/*
5997 		 * Older wpa_supplicant versions always mark the TDLS peer
5998 		 * as authorized, but it shouldn't yet be.
5999 		 */
6000 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6001 		break;
6002 	default:
6003 		return -EOPNOTSUPP;
6004 	}
6005 
6006 	/* be aware of params.vlan when changing code here */
6007 
6008 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6009 
6010 	if (params.vlan)
6011 		dev_put(params.vlan);
6012 	return err;
6013 }
6014 
6015 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6016 {
6017 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6018 	struct net_device *dev = info->user_ptr[1];
6019 	struct station_del_parameters params;
6020 
6021 	memset(&params, 0, sizeof(params));
6022 
6023 	if (info->attrs[NL80211_ATTR_MAC])
6024 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6025 
6026 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6027 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6028 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
6029 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6030 		return -EINVAL;
6031 
6032 	if (!rdev->ops->del_station)
6033 		return -EOPNOTSUPP;
6034 
6035 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6036 		params.subtype =
6037 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6038 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6039 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6040 			return -EINVAL;
6041 	} else {
6042 		/* Default to Deauthentication frame */
6043 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6044 	}
6045 
6046 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6047 		params.reason_code =
6048 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6049 		if (params.reason_code == 0)
6050 			return -EINVAL; /* 0 is reserved */
6051 	} else {
6052 		/* Default to reason code 2 */
6053 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6054 	}
6055 
6056 	return rdev_del_station(rdev, dev, &params);
6057 }
6058 
6059 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6060 				int flags, struct net_device *dev,
6061 				u8 *dst, u8 *next_hop,
6062 				struct mpath_info *pinfo)
6063 {
6064 	void *hdr;
6065 	struct nlattr *pinfoattr;
6066 
6067 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6068 	if (!hdr)
6069 		return -1;
6070 
6071 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6072 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6073 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6074 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6075 		goto nla_put_failure;
6076 
6077 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6078 	if (!pinfoattr)
6079 		goto nla_put_failure;
6080 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6081 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6082 			pinfo->frame_qlen))
6083 		goto nla_put_failure;
6084 	if (((pinfo->filled & MPATH_INFO_SN) &&
6085 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6086 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6087 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6088 			 pinfo->metric)) ||
6089 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6090 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6091 			 pinfo->exptime)) ||
6092 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6093 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6094 			pinfo->flags)) ||
6095 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6096 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6097 			 pinfo->discovery_timeout)) ||
6098 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6099 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6100 			pinfo->discovery_retries)) ||
6101 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6102 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6103 			pinfo->hop_count)) ||
6104 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6105 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6106 			 pinfo->path_change_count)))
6107 		goto nla_put_failure;
6108 
6109 	nla_nest_end(msg, pinfoattr);
6110 
6111 	genlmsg_end(msg, hdr);
6112 	return 0;
6113 
6114  nla_put_failure:
6115 	genlmsg_cancel(msg, hdr);
6116 	return -EMSGSIZE;
6117 }
6118 
6119 static int nl80211_dump_mpath(struct sk_buff *skb,
6120 			      struct netlink_callback *cb)
6121 {
6122 	struct mpath_info pinfo;
6123 	struct cfg80211_registered_device *rdev;
6124 	struct wireless_dev *wdev;
6125 	u8 dst[ETH_ALEN];
6126 	u8 next_hop[ETH_ALEN];
6127 	int path_idx = cb->args[2];
6128 	int err;
6129 
6130 	rtnl_lock();
6131 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6132 	if (err)
6133 		goto out_err;
6134 
6135 	if (!rdev->ops->dump_mpath) {
6136 		err = -EOPNOTSUPP;
6137 		goto out_err;
6138 	}
6139 
6140 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6141 		err = -EOPNOTSUPP;
6142 		goto out_err;
6143 	}
6144 
6145 	while (1) {
6146 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6147 				      next_hop, &pinfo);
6148 		if (err == -ENOENT)
6149 			break;
6150 		if (err)
6151 			goto out_err;
6152 
6153 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6154 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6155 				       wdev->netdev, dst, next_hop,
6156 				       &pinfo) < 0)
6157 			goto out;
6158 
6159 		path_idx++;
6160 	}
6161 
6162  out:
6163 	cb->args[2] = path_idx;
6164 	err = skb->len;
6165  out_err:
6166 	rtnl_unlock();
6167 	return err;
6168 }
6169 
6170 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6171 {
6172 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6173 	int err;
6174 	struct net_device *dev = info->user_ptr[1];
6175 	struct mpath_info pinfo;
6176 	struct sk_buff *msg;
6177 	u8 *dst = NULL;
6178 	u8 next_hop[ETH_ALEN];
6179 
6180 	memset(&pinfo, 0, sizeof(pinfo));
6181 
6182 	if (!info->attrs[NL80211_ATTR_MAC])
6183 		return -EINVAL;
6184 
6185 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6186 
6187 	if (!rdev->ops->get_mpath)
6188 		return -EOPNOTSUPP;
6189 
6190 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6191 		return -EOPNOTSUPP;
6192 
6193 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6194 	if (err)
6195 		return err;
6196 
6197 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6198 	if (!msg)
6199 		return -ENOMEM;
6200 
6201 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6202 				 dev, dst, next_hop, &pinfo) < 0) {
6203 		nlmsg_free(msg);
6204 		return -ENOBUFS;
6205 	}
6206 
6207 	return genlmsg_reply(msg, info);
6208 }
6209 
6210 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6211 {
6212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6213 	struct net_device *dev = info->user_ptr[1];
6214 	u8 *dst = NULL;
6215 	u8 *next_hop = NULL;
6216 
6217 	if (!info->attrs[NL80211_ATTR_MAC])
6218 		return -EINVAL;
6219 
6220 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6221 		return -EINVAL;
6222 
6223 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6224 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6225 
6226 	if (!rdev->ops->change_mpath)
6227 		return -EOPNOTSUPP;
6228 
6229 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6230 		return -EOPNOTSUPP;
6231 
6232 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6233 }
6234 
6235 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6236 {
6237 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6238 	struct net_device *dev = info->user_ptr[1];
6239 	u8 *dst = NULL;
6240 	u8 *next_hop = NULL;
6241 
6242 	if (!info->attrs[NL80211_ATTR_MAC])
6243 		return -EINVAL;
6244 
6245 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6246 		return -EINVAL;
6247 
6248 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6249 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6250 
6251 	if (!rdev->ops->add_mpath)
6252 		return -EOPNOTSUPP;
6253 
6254 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6255 		return -EOPNOTSUPP;
6256 
6257 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6258 }
6259 
6260 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6261 {
6262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6263 	struct net_device *dev = info->user_ptr[1];
6264 	u8 *dst = NULL;
6265 
6266 	if (info->attrs[NL80211_ATTR_MAC])
6267 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6268 
6269 	if (!rdev->ops->del_mpath)
6270 		return -EOPNOTSUPP;
6271 
6272 	return rdev_del_mpath(rdev, dev, dst);
6273 }
6274 
6275 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6276 {
6277 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6278 	int err;
6279 	struct net_device *dev = info->user_ptr[1];
6280 	struct mpath_info pinfo;
6281 	struct sk_buff *msg;
6282 	u8 *dst = NULL;
6283 	u8 mpp[ETH_ALEN];
6284 
6285 	memset(&pinfo, 0, sizeof(pinfo));
6286 
6287 	if (!info->attrs[NL80211_ATTR_MAC])
6288 		return -EINVAL;
6289 
6290 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6291 
6292 	if (!rdev->ops->get_mpp)
6293 		return -EOPNOTSUPP;
6294 
6295 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6296 		return -EOPNOTSUPP;
6297 
6298 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6299 	if (err)
6300 		return err;
6301 
6302 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6303 	if (!msg)
6304 		return -ENOMEM;
6305 
6306 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6307 			       dev, dst, mpp, &pinfo) < 0) {
6308 		nlmsg_free(msg);
6309 		return -ENOBUFS;
6310 	}
6311 
6312 	return genlmsg_reply(msg, info);
6313 }
6314 
6315 static int nl80211_dump_mpp(struct sk_buff *skb,
6316 			    struct netlink_callback *cb)
6317 {
6318 	struct mpath_info pinfo;
6319 	struct cfg80211_registered_device *rdev;
6320 	struct wireless_dev *wdev;
6321 	u8 dst[ETH_ALEN];
6322 	u8 mpp[ETH_ALEN];
6323 	int path_idx = cb->args[2];
6324 	int err;
6325 
6326 	rtnl_lock();
6327 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6328 	if (err)
6329 		goto out_err;
6330 
6331 	if (!rdev->ops->dump_mpp) {
6332 		err = -EOPNOTSUPP;
6333 		goto out_err;
6334 	}
6335 
6336 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6337 		err = -EOPNOTSUPP;
6338 		goto out_err;
6339 	}
6340 
6341 	while (1) {
6342 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6343 				    mpp, &pinfo);
6344 		if (err == -ENOENT)
6345 			break;
6346 		if (err)
6347 			goto out_err;
6348 
6349 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6350 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6351 				       wdev->netdev, dst, mpp,
6352 				       &pinfo) < 0)
6353 			goto out;
6354 
6355 		path_idx++;
6356 	}
6357 
6358  out:
6359 	cb->args[2] = path_idx;
6360 	err = skb->len;
6361  out_err:
6362 	rtnl_unlock();
6363 	return err;
6364 }
6365 
6366 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6367 {
6368 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6369 	struct net_device *dev = info->user_ptr[1];
6370 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6371 	struct bss_parameters params;
6372 	int err;
6373 
6374 	memset(&params, 0, sizeof(params));
6375 	/* default to not changing parameters */
6376 	params.use_cts_prot = -1;
6377 	params.use_short_preamble = -1;
6378 	params.use_short_slot_time = -1;
6379 	params.ap_isolate = -1;
6380 	params.ht_opmode = -1;
6381 	params.p2p_ctwindow = -1;
6382 	params.p2p_opp_ps = -1;
6383 
6384 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6385 		params.use_cts_prot =
6386 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6387 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6388 		params.use_short_preamble =
6389 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6390 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6391 		params.use_short_slot_time =
6392 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6393 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6394 		params.basic_rates =
6395 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6396 		params.basic_rates_len =
6397 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6398 	}
6399 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6400 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6401 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6402 		params.ht_opmode =
6403 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6404 
6405 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6406 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6407 			return -EINVAL;
6408 		params.p2p_ctwindow =
6409 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6410 		if (params.p2p_ctwindow != 0 &&
6411 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6412 			return -EINVAL;
6413 	}
6414 
6415 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6416 		u8 tmp;
6417 
6418 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6419 			return -EINVAL;
6420 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6421 		params.p2p_opp_ps = tmp;
6422 		if (params.p2p_opp_ps &&
6423 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6424 			return -EINVAL;
6425 	}
6426 
6427 	if (!rdev->ops->change_bss)
6428 		return -EOPNOTSUPP;
6429 
6430 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6431 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6432 		return -EOPNOTSUPP;
6433 
6434 	wdev_lock(wdev);
6435 	err = rdev_change_bss(rdev, dev, &params);
6436 	wdev_unlock(wdev);
6437 
6438 	return err;
6439 }
6440 
6441 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6442 {
6443 	char *data = NULL;
6444 	bool is_indoor;
6445 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6446 	u32 owner_nlportid;
6447 
6448 	/*
6449 	 * You should only get this when cfg80211 hasn't yet initialized
6450 	 * completely when built-in to the kernel right between the time
6451 	 * window between nl80211_init() and regulatory_init(), if that is
6452 	 * even possible.
6453 	 */
6454 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6455 		return -EINPROGRESS;
6456 
6457 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6458 		user_reg_hint_type =
6459 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6460 	else
6461 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6462 
6463 	switch (user_reg_hint_type) {
6464 	case NL80211_USER_REG_HINT_USER:
6465 	case NL80211_USER_REG_HINT_CELL_BASE:
6466 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6467 			return -EINVAL;
6468 
6469 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6470 		return regulatory_hint_user(data, user_reg_hint_type);
6471 	case NL80211_USER_REG_HINT_INDOOR:
6472 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6473 			owner_nlportid = info->snd_portid;
6474 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6475 		} else {
6476 			owner_nlportid = 0;
6477 			is_indoor = true;
6478 		}
6479 
6480 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6481 	default:
6482 		return -EINVAL;
6483 	}
6484 }
6485 
6486 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6487 {
6488 	return reg_reload_regdb();
6489 }
6490 
6491 static int nl80211_get_mesh_config(struct sk_buff *skb,
6492 				   struct genl_info *info)
6493 {
6494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6495 	struct net_device *dev = info->user_ptr[1];
6496 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6497 	struct mesh_config cur_params;
6498 	int err = 0;
6499 	void *hdr;
6500 	struct nlattr *pinfoattr;
6501 	struct sk_buff *msg;
6502 
6503 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6504 		return -EOPNOTSUPP;
6505 
6506 	if (!rdev->ops->get_mesh_config)
6507 		return -EOPNOTSUPP;
6508 
6509 	wdev_lock(wdev);
6510 	/* If not connected, get default parameters */
6511 	if (!wdev->mesh_id_len)
6512 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6513 	else
6514 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6515 	wdev_unlock(wdev);
6516 
6517 	if (err)
6518 		return err;
6519 
6520 	/* Draw up a netlink message to send back */
6521 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6522 	if (!msg)
6523 		return -ENOMEM;
6524 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6525 			     NL80211_CMD_GET_MESH_CONFIG);
6526 	if (!hdr)
6527 		goto out;
6528 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
6529 	if (!pinfoattr)
6530 		goto nla_put_failure;
6531 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6532 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6533 			cur_params.dot11MeshRetryTimeout) ||
6534 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6535 			cur_params.dot11MeshConfirmTimeout) ||
6536 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6537 			cur_params.dot11MeshHoldingTimeout) ||
6538 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6539 			cur_params.dot11MeshMaxPeerLinks) ||
6540 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6541 		       cur_params.dot11MeshMaxRetries) ||
6542 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6543 		       cur_params.dot11MeshTTL) ||
6544 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6545 		       cur_params.element_ttl) ||
6546 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6547 		       cur_params.auto_open_plinks) ||
6548 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6549 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6550 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6551 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6552 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6553 			cur_params.path_refresh_time) ||
6554 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6555 			cur_params.min_discovery_timeout) ||
6556 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6557 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6558 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6559 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6560 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6561 			cur_params.dot11MeshHWMPperrMinInterval) ||
6562 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6563 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6564 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6565 		       cur_params.dot11MeshHWMPRootMode) ||
6566 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6567 			cur_params.dot11MeshHWMPRannInterval) ||
6568 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6569 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6570 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6571 		       cur_params.dot11MeshForwarding) ||
6572 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6573 			cur_params.rssi_threshold) ||
6574 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6575 			cur_params.ht_opmode) ||
6576 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6577 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6578 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6579 			cur_params.dot11MeshHWMProotInterval) ||
6580 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6581 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6582 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6583 			cur_params.power_mode) ||
6584 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6585 			cur_params.dot11MeshAwakeWindowDuration) ||
6586 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6587 			cur_params.plink_timeout) ||
6588 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
6589 		       cur_params.dot11MeshConnectedToMeshGate))
6590 		goto nla_put_failure;
6591 	nla_nest_end(msg, pinfoattr);
6592 	genlmsg_end(msg, hdr);
6593 	return genlmsg_reply(msg, info);
6594 
6595  nla_put_failure:
6596  out:
6597 	nlmsg_free(msg);
6598 	return -ENOBUFS;
6599 }
6600 
6601 static const struct nla_policy
6602 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6603 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
6604 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6605 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6606 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6607 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
6608 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6609 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
6610 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
6611 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6612 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6613 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6614 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6615 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6616 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
6617 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6618 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6619 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6620 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6621 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6622 		NLA_POLICY_MIN(NLA_U16, 1),
6623 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6624 		NLA_POLICY_MIN(NLA_U16, 1),
6625 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6626 		NLA_POLICY_MIN(NLA_U16, 1),
6627 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6628 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6629 		NLA_POLICY_MIN(NLA_U16, 1),
6630 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6631 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6632 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
6633 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
6634 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6635 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6636 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6637 		NLA_POLICY_MIN(NLA_U16, 1),
6638 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6639 		NLA_POLICY_MIN(NLA_U16, 1),
6640 	[NL80211_MESHCONF_POWER_MODE] =
6641 		NLA_POLICY_RANGE(NLA_U32,
6642 				 NL80211_MESH_POWER_ACTIVE,
6643 				 NL80211_MESH_POWER_MAX),
6644 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6645 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6646 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
6647 };
6648 
6649 static const struct nla_policy
6650 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6651 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6652 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6653 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6654 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6655 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6656 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6657 	[NL80211_MESH_SETUP_IE] =
6658 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6659 				       IEEE80211_MAX_DATA_LEN),
6660 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6661 };
6662 
6663 static int nl80211_parse_mesh_config(struct genl_info *info,
6664 				     struct mesh_config *cfg,
6665 				     u32 *mask_out)
6666 {
6667 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6668 	u32 mask = 0;
6669 	u16 ht_opmode;
6670 
6671 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
6672 do {									\
6673 	if (tb[attr]) {							\
6674 		cfg->param = fn(tb[attr]);				\
6675 		mask |= BIT((attr) - 1);				\
6676 	}								\
6677 } while (0)
6678 
6679 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6680 		return -EINVAL;
6681 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
6682 		return -EINVAL;
6683 
6684 	/* This makes sure that there aren't more than 32 mesh config
6685 	 * parameters (otherwise our bitfield scheme would not work.) */
6686 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6687 
6688 	/* Fill in the params struct */
6689 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6690 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6691 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6692 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
6693 				  nla_get_u16);
6694 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6695 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
6696 				  nla_get_u16);
6697 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6698 				  NL80211_MESHCONF_MAX_PEER_LINKS,
6699 				  nla_get_u16);
6700 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6701 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6702 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6703 				  NL80211_MESHCONF_TTL, nla_get_u8);
6704 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6705 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6706 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6707 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6708 				  nla_get_u8);
6709 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6710 				  mask,
6711 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6712 				  nla_get_u32);
6713 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6714 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6715 				  nla_get_u8);
6716 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6717 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
6718 				  nla_get_u32);
6719 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6720 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6721 		return -EINVAL;
6722 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6723 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6724 				  nla_get_u16);
6725 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6726 				  mask,
6727 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6728 				  nla_get_u32);
6729 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
6730 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
6731 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
6732 		return -EINVAL;
6733 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
6734 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6735 				  nla_get_u16);
6736 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
6737 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6738 				  nla_get_u16);
6739 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6740 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
6741 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6742 				  nla_get_u16);
6743 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
6744 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
6745 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
6746 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6747 				  nla_get_u16);
6748 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
6749 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6750 				  nla_get_u8);
6751 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
6752 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
6753 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
6754 				  NL80211_MESHCONF_RSSI_THRESHOLD,
6755 				  nla_get_s32);
6756 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
6757 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
6758 				  nla_get_u8);
6759 	/*
6760 	 * Check HT operation mode based on
6761 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6762 	 */
6763 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6764 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6765 
6766 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6767 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6768 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6769 			return -EINVAL;
6770 
6771 		/* NON_HT_STA bit is reserved, but some programs set it */
6772 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6773 
6774 		cfg->ht_opmode = ht_opmode;
6775 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6776 	}
6777 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6778 				  dot11MeshHWMPactivePathToRootTimeout, mask,
6779 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6780 				  nla_get_u32);
6781 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
6782 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
6783 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
6784 		return -EINVAL;
6785 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
6786 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6787 				  nla_get_u16);
6788 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
6789 				  mask,
6790 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6791 				  nla_get_u16);
6792 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
6793 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
6794 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
6795 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
6796 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
6797 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
6798 	if (mask_out)
6799 		*mask_out = mask;
6800 
6801 	return 0;
6802 
6803 #undef FILL_IN_MESH_PARAM_IF_SET
6804 }
6805 
6806 static int nl80211_parse_mesh_setup(struct genl_info *info,
6807 				     struct mesh_setup *setup)
6808 {
6809 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6810 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6811 
6812 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6813 		return -EINVAL;
6814 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
6815 		return -EINVAL;
6816 
6817 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6818 		setup->sync_method =
6819 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6820 		 IEEE80211_SYNC_METHOD_VENDOR :
6821 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6822 
6823 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6824 		setup->path_sel_proto =
6825 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6826 		 IEEE80211_PATH_PROTOCOL_VENDOR :
6827 		 IEEE80211_PATH_PROTOCOL_HWMP;
6828 
6829 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6830 		setup->path_metric =
6831 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6832 		 IEEE80211_PATH_METRIC_VENDOR :
6833 		 IEEE80211_PATH_METRIC_AIRTIME;
6834 
6835 	if (tb[NL80211_MESH_SETUP_IE]) {
6836 		struct nlattr *ieattr =
6837 			tb[NL80211_MESH_SETUP_IE];
6838 		setup->ie = nla_data(ieattr);
6839 		setup->ie_len = nla_len(ieattr);
6840 	}
6841 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6842 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6843 		return -EINVAL;
6844 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6845 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6846 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6847 	if (setup->is_secure)
6848 		setup->user_mpm = true;
6849 
6850 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6851 		if (!setup->user_mpm)
6852 			return -EINVAL;
6853 		setup->auth_id =
6854 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6855 	}
6856 
6857 	return 0;
6858 }
6859 
6860 static int nl80211_update_mesh_config(struct sk_buff *skb,
6861 				      struct genl_info *info)
6862 {
6863 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6864 	struct net_device *dev = info->user_ptr[1];
6865 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6866 	struct mesh_config cfg;
6867 	u32 mask;
6868 	int err;
6869 
6870 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6871 		return -EOPNOTSUPP;
6872 
6873 	if (!rdev->ops->update_mesh_config)
6874 		return -EOPNOTSUPP;
6875 
6876 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6877 	if (err)
6878 		return err;
6879 
6880 	wdev_lock(wdev);
6881 	if (!wdev->mesh_id_len)
6882 		err = -ENOLINK;
6883 
6884 	if (!err)
6885 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6886 
6887 	wdev_unlock(wdev);
6888 
6889 	return err;
6890 }
6891 
6892 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6893 			      struct sk_buff *msg)
6894 {
6895 	struct nlattr *nl_reg_rules;
6896 	unsigned int i;
6897 
6898 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6899 	    (regdom->dfs_region &&
6900 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6901 		goto nla_put_failure;
6902 
6903 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
6904 	if (!nl_reg_rules)
6905 		goto nla_put_failure;
6906 
6907 	for (i = 0; i < regdom->n_reg_rules; i++) {
6908 		struct nlattr *nl_reg_rule;
6909 		const struct ieee80211_reg_rule *reg_rule;
6910 		const struct ieee80211_freq_range *freq_range;
6911 		const struct ieee80211_power_rule *power_rule;
6912 		unsigned int max_bandwidth_khz;
6913 
6914 		reg_rule = &regdom->reg_rules[i];
6915 		freq_range = &reg_rule->freq_range;
6916 		power_rule = &reg_rule->power_rule;
6917 
6918 		nl_reg_rule = nla_nest_start_noflag(msg, i);
6919 		if (!nl_reg_rule)
6920 			goto nla_put_failure;
6921 
6922 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6923 		if (!max_bandwidth_khz)
6924 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6925 								  reg_rule);
6926 
6927 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6928 				reg_rule->flags) ||
6929 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6930 				freq_range->start_freq_khz) ||
6931 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6932 				freq_range->end_freq_khz) ||
6933 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6934 				max_bandwidth_khz) ||
6935 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6936 				power_rule->max_antenna_gain) ||
6937 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6938 				power_rule->max_eirp) ||
6939 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6940 				reg_rule->dfs_cac_ms))
6941 			goto nla_put_failure;
6942 
6943 		nla_nest_end(msg, nl_reg_rule);
6944 	}
6945 
6946 	nla_nest_end(msg, nl_reg_rules);
6947 	return 0;
6948 
6949 nla_put_failure:
6950 	return -EMSGSIZE;
6951 }
6952 
6953 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6954 {
6955 	const struct ieee80211_regdomain *regdom = NULL;
6956 	struct cfg80211_registered_device *rdev;
6957 	struct wiphy *wiphy = NULL;
6958 	struct sk_buff *msg;
6959 	void *hdr;
6960 
6961 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6962 	if (!msg)
6963 		return -ENOBUFS;
6964 
6965 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6966 			     NL80211_CMD_GET_REG);
6967 	if (!hdr)
6968 		goto put_failure;
6969 
6970 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6971 		bool self_managed;
6972 
6973 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6974 		if (IS_ERR(rdev)) {
6975 			nlmsg_free(msg);
6976 			return PTR_ERR(rdev);
6977 		}
6978 
6979 		wiphy = &rdev->wiphy;
6980 		self_managed = wiphy->regulatory_flags &
6981 			       REGULATORY_WIPHY_SELF_MANAGED;
6982 		regdom = get_wiphy_regdom(wiphy);
6983 
6984 		/* a self-managed-reg device must have a private regdom */
6985 		if (WARN_ON(!regdom && self_managed)) {
6986 			nlmsg_free(msg);
6987 			return -EINVAL;
6988 		}
6989 
6990 		if (regdom &&
6991 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6992 			goto nla_put_failure;
6993 	}
6994 
6995 	if (!wiphy && reg_last_request_cell_base() &&
6996 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6997 			NL80211_USER_REG_HINT_CELL_BASE))
6998 		goto nla_put_failure;
6999 
7000 	rcu_read_lock();
7001 
7002 	if (!regdom)
7003 		regdom = rcu_dereference(cfg80211_regdomain);
7004 
7005 	if (nl80211_put_regdom(regdom, msg))
7006 		goto nla_put_failure_rcu;
7007 
7008 	rcu_read_unlock();
7009 
7010 	genlmsg_end(msg, hdr);
7011 	return genlmsg_reply(msg, info);
7012 
7013 nla_put_failure_rcu:
7014 	rcu_read_unlock();
7015 nla_put_failure:
7016 put_failure:
7017 	nlmsg_free(msg);
7018 	return -EMSGSIZE;
7019 }
7020 
7021 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7022 			       u32 seq, int flags, struct wiphy *wiphy,
7023 			       const struct ieee80211_regdomain *regdom)
7024 {
7025 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7026 				   NL80211_CMD_GET_REG);
7027 
7028 	if (!hdr)
7029 		return -1;
7030 
7031 	genl_dump_check_consistent(cb, hdr);
7032 
7033 	if (nl80211_put_regdom(regdom, msg))
7034 		goto nla_put_failure;
7035 
7036 	if (!wiphy && reg_last_request_cell_base() &&
7037 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7038 			NL80211_USER_REG_HINT_CELL_BASE))
7039 		goto nla_put_failure;
7040 
7041 	if (wiphy &&
7042 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7043 		goto nla_put_failure;
7044 
7045 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7046 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7047 		goto nla_put_failure;
7048 
7049 	genlmsg_end(msg, hdr);
7050 	return 0;
7051 
7052 nla_put_failure:
7053 	genlmsg_cancel(msg, hdr);
7054 	return -EMSGSIZE;
7055 }
7056 
7057 static int nl80211_get_reg_dump(struct sk_buff *skb,
7058 				struct netlink_callback *cb)
7059 {
7060 	const struct ieee80211_regdomain *regdom = NULL;
7061 	struct cfg80211_registered_device *rdev;
7062 	int err, reg_idx, start = cb->args[2];
7063 
7064 	rtnl_lock();
7065 
7066 	if (cfg80211_regdomain && start == 0) {
7067 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7068 					  NLM_F_MULTI, NULL,
7069 					  rtnl_dereference(cfg80211_regdomain));
7070 		if (err < 0)
7071 			goto out_err;
7072 	}
7073 
7074 	/* the global regdom is idx 0 */
7075 	reg_idx = 1;
7076 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7077 		regdom = get_wiphy_regdom(&rdev->wiphy);
7078 		if (!regdom)
7079 			continue;
7080 
7081 		if (++reg_idx <= start)
7082 			continue;
7083 
7084 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7085 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7086 		if (err < 0) {
7087 			reg_idx--;
7088 			break;
7089 		}
7090 	}
7091 
7092 	cb->args[2] = reg_idx;
7093 	err = skb->len;
7094 out_err:
7095 	rtnl_unlock();
7096 	return err;
7097 }
7098 
7099 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7100 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7101 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7102 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7103 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7104 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7105 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7106 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7107 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7108 };
7109 
7110 static int parse_reg_rule(struct nlattr *tb[],
7111 	struct ieee80211_reg_rule *reg_rule)
7112 {
7113 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7114 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7115 
7116 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7117 		return -EINVAL;
7118 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7119 		return -EINVAL;
7120 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7121 		return -EINVAL;
7122 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7123 		return -EINVAL;
7124 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7125 		return -EINVAL;
7126 
7127 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7128 
7129 	freq_range->start_freq_khz =
7130 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7131 	freq_range->end_freq_khz =
7132 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7133 	freq_range->max_bandwidth_khz =
7134 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7135 
7136 	power_rule->max_eirp =
7137 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7138 
7139 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7140 		power_rule->max_antenna_gain =
7141 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7142 
7143 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7144 		reg_rule->dfs_cac_ms =
7145 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7146 
7147 	return 0;
7148 }
7149 
7150 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7151 {
7152 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7153 	struct nlattr *nl_reg_rule;
7154 	char *alpha2;
7155 	int rem_reg_rules, r;
7156 	u32 num_rules = 0, rule_idx = 0;
7157 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7158 	struct ieee80211_regdomain *rd;
7159 
7160 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7161 		return -EINVAL;
7162 
7163 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7164 		return -EINVAL;
7165 
7166 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7167 
7168 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7169 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7170 
7171 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7172 			    rem_reg_rules) {
7173 		num_rules++;
7174 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7175 			return -EINVAL;
7176 	}
7177 
7178 	if (!reg_is_valid_request(alpha2))
7179 		return -EINVAL;
7180 
7181 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7182 	if (!rd)
7183 		return -ENOMEM;
7184 
7185 	rd->n_reg_rules = num_rules;
7186 	rd->alpha2[0] = alpha2[0];
7187 	rd->alpha2[1] = alpha2[1];
7188 
7189 	/*
7190 	 * Disable DFS master mode if the DFS region was
7191 	 * not supported or known on this kernel.
7192 	 */
7193 	if (reg_supported_dfs_region(dfs_region))
7194 		rd->dfs_region = dfs_region;
7195 
7196 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7197 			    rem_reg_rules) {
7198 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7199 						nl_reg_rule, reg_rule_policy,
7200 						info->extack);
7201 		if (r)
7202 			goto bad_reg;
7203 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7204 		if (r)
7205 			goto bad_reg;
7206 
7207 		rule_idx++;
7208 
7209 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7210 			r = -EINVAL;
7211 			goto bad_reg;
7212 		}
7213 	}
7214 
7215 	/* set_regdom takes ownership of rd */
7216 	return set_regdom(rd, REGD_SOURCE_CRDA);
7217  bad_reg:
7218 	kfree(rd);
7219 	return r;
7220 }
7221 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7222 
7223 static int validate_scan_freqs(struct nlattr *freqs)
7224 {
7225 	struct nlattr *attr1, *attr2;
7226 	int n_channels = 0, tmp1, tmp2;
7227 
7228 	nla_for_each_nested(attr1, freqs, tmp1)
7229 		if (nla_len(attr1) != sizeof(u32))
7230 			return 0;
7231 
7232 	nla_for_each_nested(attr1, freqs, tmp1) {
7233 		n_channels++;
7234 		/*
7235 		 * Some hardware has a limited channel list for
7236 		 * scanning, and it is pretty much nonsensical
7237 		 * to scan for a channel twice, so disallow that
7238 		 * and don't require drivers to check that the
7239 		 * channel list they get isn't longer than what
7240 		 * they can scan, as long as they can scan all
7241 		 * the channels they registered at once.
7242 		 */
7243 		nla_for_each_nested(attr2, freqs, tmp2)
7244 			if (attr1 != attr2 &&
7245 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7246 				return 0;
7247 	}
7248 
7249 	return n_channels;
7250 }
7251 
7252 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7253 {
7254 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7255 }
7256 
7257 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7258 			    struct cfg80211_bss_selection *bss_select)
7259 {
7260 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7261 	struct nlattr *nest;
7262 	int err;
7263 	bool found = false;
7264 	int i;
7265 
7266 	/* only process one nested attribute */
7267 	nest = nla_data(nla);
7268 	if (!nla_ok(nest, nla_len(nest)))
7269 		return -EINVAL;
7270 
7271 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7272 					  nest, nl80211_bss_select_policy,
7273 					  NULL);
7274 	if (err)
7275 		return err;
7276 
7277 	/* only one attribute may be given */
7278 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7279 		if (attr[i]) {
7280 			if (found)
7281 				return -EINVAL;
7282 			found = true;
7283 		}
7284 	}
7285 
7286 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7287 
7288 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7289 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7290 
7291 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7292 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7293 		bss_select->param.band_pref =
7294 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7295 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7296 			return -EINVAL;
7297 	}
7298 
7299 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7300 		struct nl80211_bss_select_rssi_adjust *adj_param;
7301 
7302 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7303 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7304 		bss_select->param.adjust.band = adj_param->band;
7305 		bss_select->param.adjust.delta = adj_param->delta;
7306 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7307 			return -EINVAL;
7308 	}
7309 
7310 	/* user-space did not provide behaviour attribute */
7311 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7312 		return -EINVAL;
7313 
7314 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7315 		return -EINVAL;
7316 
7317 	return 0;
7318 }
7319 
7320 int nl80211_parse_random_mac(struct nlattr **attrs,
7321 			     u8 *mac_addr, u8 *mac_addr_mask)
7322 {
7323 	int i;
7324 
7325 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7326 		eth_zero_addr(mac_addr);
7327 		eth_zero_addr(mac_addr_mask);
7328 		mac_addr[0] = 0x2;
7329 		mac_addr_mask[0] = 0x3;
7330 
7331 		return 0;
7332 	}
7333 
7334 	/* need both or none */
7335 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7336 		return -EINVAL;
7337 
7338 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7339 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7340 
7341 	/* don't allow or configure an mcast address */
7342 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7343 	    is_multicast_ether_addr(mac_addr))
7344 		return -EINVAL;
7345 
7346 	/*
7347 	 * allow users to pass a MAC address that has bits set outside
7348 	 * of the mask, but don't bother drivers with having to deal
7349 	 * with such bits
7350 	 */
7351 	for (i = 0; i < ETH_ALEN; i++)
7352 		mac_addr[i] &= mac_addr_mask[i];
7353 
7354 	return 0;
7355 }
7356 
7357 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7358 {
7359 	ASSERT_WDEV_LOCK(wdev);
7360 
7361 	if (!cfg80211_beaconing_iface_active(wdev))
7362 		return true;
7363 
7364 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7365 		return true;
7366 
7367 	return regulatory_pre_cac_allowed(wdev->wiphy);
7368 }
7369 
7370 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7371 				    enum nl80211_ext_feature_index feat)
7372 {
7373 	if (!(flags & flag))
7374 		return true;
7375 	if (wiphy_ext_feature_isset(wiphy, feat))
7376 		return true;
7377 	return false;
7378 }
7379 
7380 static int
7381 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7382 			 void *request, struct nlattr **attrs,
7383 			 bool is_sched_scan)
7384 {
7385 	u8 *mac_addr, *mac_addr_mask;
7386 	u32 *flags;
7387 	enum nl80211_feature_flags randomness_flag;
7388 
7389 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7390 		return 0;
7391 
7392 	if (is_sched_scan) {
7393 		struct cfg80211_sched_scan_request *req = request;
7394 
7395 		randomness_flag = wdev ?
7396 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7397 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7398 		flags = &req->flags;
7399 		mac_addr = req->mac_addr;
7400 		mac_addr_mask = req->mac_addr_mask;
7401 	} else {
7402 		struct cfg80211_scan_request *req = request;
7403 
7404 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7405 		flags = &req->flags;
7406 		mac_addr = req->mac_addr;
7407 		mac_addr_mask = req->mac_addr_mask;
7408 	}
7409 
7410 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7411 
7412 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7413 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7414 	    !nl80211_check_scan_feat(wiphy, *flags,
7415 				     NL80211_SCAN_FLAG_LOW_SPAN,
7416 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7417 	    !nl80211_check_scan_feat(wiphy, *flags,
7418 				     NL80211_SCAN_FLAG_LOW_POWER,
7419 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7420 	    !nl80211_check_scan_feat(wiphy, *flags,
7421 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7422 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7423 	    !nl80211_check_scan_feat(wiphy, *flags,
7424 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7425 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7426 	    !nl80211_check_scan_feat(wiphy, *flags,
7427 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7428 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7429 	    !nl80211_check_scan_feat(wiphy, *flags,
7430 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7431 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7432 	    !nl80211_check_scan_feat(wiphy, *flags,
7433 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7434 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7435 	    !nl80211_check_scan_feat(wiphy, *flags,
7436 				     NL80211_SCAN_FLAG_RANDOM_SN,
7437 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7438 	    !nl80211_check_scan_feat(wiphy, *flags,
7439 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7440 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7441 		return -EOPNOTSUPP;
7442 
7443 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7444 		int err;
7445 
7446 		if (!(wiphy->features & randomness_flag) ||
7447 		    (wdev && wdev->current_bss))
7448 			return -EOPNOTSUPP;
7449 
7450 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7451 		if (err)
7452 			return err;
7453 	}
7454 
7455 	return 0;
7456 }
7457 
7458 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7459 {
7460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7461 	struct wireless_dev *wdev = info->user_ptr[1];
7462 	struct cfg80211_scan_request *request;
7463 	struct nlattr *attr;
7464 	struct wiphy *wiphy;
7465 	int err, tmp, n_ssids = 0, n_channels, i;
7466 	size_t ie_len;
7467 
7468 	wiphy = &rdev->wiphy;
7469 
7470 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7471 		return -EOPNOTSUPP;
7472 
7473 	if (!rdev->ops->scan)
7474 		return -EOPNOTSUPP;
7475 
7476 	if (rdev->scan_req || rdev->scan_msg) {
7477 		err = -EBUSY;
7478 		goto unlock;
7479 	}
7480 
7481 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7482 		n_channels = validate_scan_freqs(
7483 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7484 		if (!n_channels) {
7485 			err = -EINVAL;
7486 			goto unlock;
7487 		}
7488 	} else {
7489 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7490 	}
7491 
7492 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7493 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7494 			n_ssids++;
7495 
7496 	if (n_ssids > wiphy->max_scan_ssids) {
7497 		err = -EINVAL;
7498 		goto unlock;
7499 	}
7500 
7501 	if (info->attrs[NL80211_ATTR_IE])
7502 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7503 	else
7504 		ie_len = 0;
7505 
7506 	if (ie_len > wiphy->max_scan_ie_len) {
7507 		err = -EINVAL;
7508 		goto unlock;
7509 	}
7510 
7511 	request = kzalloc(sizeof(*request)
7512 			+ sizeof(*request->ssids) * n_ssids
7513 			+ sizeof(*request->channels) * n_channels
7514 			+ ie_len, GFP_KERNEL);
7515 	if (!request) {
7516 		err = -ENOMEM;
7517 		goto unlock;
7518 	}
7519 
7520 	if (n_ssids)
7521 		request->ssids = (void *)&request->channels[n_channels];
7522 	request->n_ssids = n_ssids;
7523 	if (ie_len) {
7524 		if (n_ssids)
7525 			request->ie = (void *)(request->ssids + n_ssids);
7526 		else
7527 			request->ie = (void *)(request->channels + n_channels);
7528 	}
7529 
7530 	i = 0;
7531 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7532 		/* user specified, bail out if channel not found */
7533 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7534 			struct ieee80211_channel *chan;
7535 
7536 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7537 
7538 			if (!chan) {
7539 				err = -EINVAL;
7540 				goto out_free;
7541 			}
7542 
7543 			/* ignore disabled channels */
7544 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7545 				continue;
7546 
7547 			request->channels[i] = chan;
7548 			i++;
7549 		}
7550 	} else {
7551 		enum nl80211_band band;
7552 
7553 		/* all channels */
7554 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7555 			int j;
7556 
7557 			if (!wiphy->bands[band])
7558 				continue;
7559 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7560 				struct ieee80211_channel *chan;
7561 
7562 				chan = &wiphy->bands[band]->channels[j];
7563 
7564 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7565 					continue;
7566 
7567 				request->channels[i] = chan;
7568 				i++;
7569 			}
7570 		}
7571 	}
7572 
7573 	if (!i) {
7574 		err = -EINVAL;
7575 		goto out_free;
7576 	}
7577 
7578 	request->n_channels = i;
7579 
7580 	wdev_lock(wdev);
7581 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7582 		struct ieee80211_channel *chan;
7583 
7584 		if (request->n_channels != 1) {
7585 			wdev_unlock(wdev);
7586 			err = -EBUSY;
7587 			goto out_free;
7588 		}
7589 
7590 		chan = request->channels[0];
7591 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7592 			wdev_unlock(wdev);
7593 			err = -EBUSY;
7594 			goto out_free;
7595 		}
7596 	}
7597 	wdev_unlock(wdev);
7598 
7599 	i = 0;
7600 	if (n_ssids) {
7601 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7602 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7603 				err = -EINVAL;
7604 				goto out_free;
7605 			}
7606 			request->ssids[i].ssid_len = nla_len(attr);
7607 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7608 			i++;
7609 		}
7610 	}
7611 
7612 	if (info->attrs[NL80211_ATTR_IE]) {
7613 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7614 		memcpy((void *)request->ie,
7615 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7616 		       request->ie_len);
7617 	}
7618 
7619 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7620 		if (wiphy->bands[i])
7621 			request->rates[i] =
7622 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7623 
7624 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7625 		nla_for_each_nested(attr,
7626 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7627 				    tmp) {
7628 			enum nl80211_band band = nla_type(attr);
7629 
7630 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7631 				err = -EINVAL;
7632 				goto out_free;
7633 			}
7634 
7635 			if (!wiphy->bands[band])
7636 				continue;
7637 
7638 			err = ieee80211_get_ratemask(wiphy->bands[band],
7639 						     nla_data(attr),
7640 						     nla_len(attr),
7641 						     &request->rates[band]);
7642 			if (err)
7643 				goto out_free;
7644 		}
7645 	}
7646 
7647 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7648 		if (!wiphy_ext_feature_isset(wiphy,
7649 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7650 			err = -EOPNOTSUPP;
7651 			goto out_free;
7652 		}
7653 
7654 		request->duration =
7655 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7656 		request->duration_mandatory =
7657 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7658 	}
7659 
7660 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7661 				       false);
7662 	if (err)
7663 		goto out_free;
7664 
7665 	request->no_cck =
7666 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7667 
7668 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7669 	 * BSSID to scan for. This was problematic because that same attribute
7670 	 * was already used for another purpose (local random MAC address). The
7671 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7672 	 * compatibility with older userspace components, also use the
7673 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7674 	 * the specific BSSID use case instead of the random MAC address
7675 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7676 	 */
7677 	if (info->attrs[NL80211_ATTR_BSSID])
7678 		memcpy(request->bssid,
7679 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7680 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7681 		 info->attrs[NL80211_ATTR_MAC])
7682 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7683 		       ETH_ALEN);
7684 	else
7685 		eth_broadcast_addr(request->bssid);
7686 
7687 	request->wdev = wdev;
7688 	request->wiphy = &rdev->wiphy;
7689 	request->scan_start = jiffies;
7690 
7691 	rdev->scan_req = request;
7692 	err = rdev_scan(rdev, request);
7693 
7694 	if (!err) {
7695 		nl80211_send_scan_start(rdev, wdev);
7696 		if (wdev->netdev)
7697 			dev_hold(wdev->netdev);
7698 	} else {
7699  out_free:
7700 		rdev->scan_req = NULL;
7701 		kfree(request);
7702 	}
7703 
7704  unlock:
7705 	return err;
7706 }
7707 
7708 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7709 {
7710 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7711 	struct wireless_dev *wdev = info->user_ptr[1];
7712 
7713 	if (!rdev->ops->abort_scan)
7714 		return -EOPNOTSUPP;
7715 
7716 	if (rdev->scan_msg)
7717 		return 0;
7718 
7719 	if (!rdev->scan_req)
7720 		return -ENOENT;
7721 
7722 	rdev_abort_scan(rdev, wdev);
7723 	return 0;
7724 }
7725 
7726 static int
7727 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7728 			       struct cfg80211_sched_scan_request *request,
7729 			       struct nlattr **attrs)
7730 {
7731 	int tmp, err, i = 0;
7732 	struct nlattr *attr;
7733 
7734 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7735 		u32 interval;
7736 
7737 		/*
7738 		 * If scan plans are not specified,
7739 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7740 		 * case one scan plan will be set with the specified scan
7741 		 * interval and infinite number of iterations.
7742 		 */
7743 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7744 		if (!interval)
7745 			return -EINVAL;
7746 
7747 		request->scan_plans[0].interval =
7748 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
7749 		if (!request->scan_plans[0].interval)
7750 			return -EINVAL;
7751 
7752 		if (request->scan_plans[0].interval >
7753 		    wiphy->max_sched_scan_plan_interval)
7754 			request->scan_plans[0].interval =
7755 				wiphy->max_sched_scan_plan_interval;
7756 
7757 		return 0;
7758 	}
7759 
7760 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7761 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7762 
7763 		if (WARN_ON(i >= n_plans))
7764 			return -EINVAL;
7765 
7766 		err = nla_parse_nested_deprecated(plan,
7767 						  NL80211_SCHED_SCAN_PLAN_MAX,
7768 						  attr, nl80211_plan_policy,
7769 						  NULL);
7770 		if (err)
7771 			return err;
7772 
7773 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7774 			return -EINVAL;
7775 
7776 		request->scan_plans[i].interval =
7777 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7778 		if (!request->scan_plans[i].interval ||
7779 		    request->scan_plans[i].interval >
7780 		    wiphy->max_sched_scan_plan_interval)
7781 			return -EINVAL;
7782 
7783 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7784 			request->scan_plans[i].iterations =
7785 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7786 			if (!request->scan_plans[i].iterations ||
7787 			    (request->scan_plans[i].iterations >
7788 			     wiphy->max_sched_scan_plan_iterations))
7789 				return -EINVAL;
7790 		} else if (i < n_plans - 1) {
7791 			/*
7792 			 * All scan plans but the last one must specify
7793 			 * a finite number of iterations
7794 			 */
7795 			return -EINVAL;
7796 		}
7797 
7798 		i++;
7799 	}
7800 
7801 	/*
7802 	 * The last scan plan must not specify the number of
7803 	 * iterations, it is supposed to run infinitely
7804 	 */
7805 	if (request->scan_plans[n_plans - 1].iterations)
7806 		return  -EINVAL;
7807 
7808 	return 0;
7809 }
7810 
7811 static int
7812 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
7813 				       struct cfg80211_match_set *match_sets,
7814 				       struct nlattr *tb_band_rssi,
7815 				       s32 rssi_thold)
7816 {
7817 	struct nlattr *attr;
7818 	int i, tmp, ret = 0;
7819 
7820 	if (!wiphy_ext_feature_isset(wiphy,
7821 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
7822 		if (tb_band_rssi)
7823 			ret = -EOPNOTSUPP;
7824 		else
7825 			for (i = 0; i < NUM_NL80211_BANDS; i++)
7826 				match_sets->per_band_rssi_thold[i] =
7827 					NL80211_SCAN_RSSI_THOLD_OFF;
7828 		return ret;
7829 	}
7830 
7831 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7832 		match_sets->per_band_rssi_thold[i] = rssi_thold;
7833 
7834 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
7835 		enum nl80211_band band = nla_type(attr);
7836 
7837 		if (band < 0 || band >= NUM_NL80211_BANDS)
7838 			return -EINVAL;
7839 
7840 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
7841 	}
7842 
7843 	return 0;
7844 }
7845 
7846 static struct cfg80211_sched_scan_request *
7847 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7848 			 struct nlattr **attrs, int max_match_sets)
7849 {
7850 	struct cfg80211_sched_scan_request *request;
7851 	struct nlattr *attr;
7852 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7853 	enum nl80211_band band;
7854 	size_t ie_len;
7855 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7856 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7857 
7858 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7859 		n_channels = validate_scan_freqs(
7860 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7861 		if (!n_channels)
7862 			return ERR_PTR(-EINVAL);
7863 	} else {
7864 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7865 	}
7866 
7867 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
7868 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7869 				    tmp)
7870 			n_ssids++;
7871 
7872 	if (n_ssids > wiphy->max_sched_scan_ssids)
7873 		return ERR_PTR(-EINVAL);
7874 
7875 	/*
7876 	 * First, count the number of 'real' matchsets. Due to an issue with
7877 	 * the old implementation, matchsets containing only the RSSI attribute
7878 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7879 	 * RSSI for all matchsets, rather than their own matchset for reporting
7880 	 * all APs with a strong RSSI. This is needed to be compatible with
7881 	 * older userspace that treated a matchset with only the RSSI as the
7882 	 * global RSSI for all other matchsets - if there are other matchsets.
7883 	 */
7884 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7885 		nla_for_each_nested(attr,
7886 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7887 				    tmp) {
7888 			struct nlattr *rssi;
7889 
7890 			err = nla_parse_nested_deprecated(tb,
7891 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7892 							  attr,
7893 							  nl80211_match_policy,
7894 							  NULL);
7895 			if (err)
7896 				return ERR_PTR(err);
7897 
7898 			/* SSID and BSSID are mutually exclusive */
7899 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7900 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7901 				return ERR_PTR(-EINVAL);
7902 
7903 			/* add other standalone attributes here */
7904 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7905 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7906 				n_match_sets++;
7907 				continue;
7908 			}
7909 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7910 			if (rssi)
7911 				default_match_rssi = nla_get_s32(rssi);
7912 		}
7913 	}
7914 
7915 	/* However, if there's no other matchset, add the RSSI one */
7916 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7917 		n_match_sets = 1;
7918 
7919 	if (n_match_sets > max_match_sets)
7920 		return ERR_PTR(-EINVAL);
7921 
7922 	if (attrs[NL80211_ATTR_IE])
7923 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7924 	else
7925 		ie_len = 0;
7926 
7927 	if (ie_len > wiphy->max_sched_scan_ie_len)
7928 		return ERR_PTR(-EINVAL);
7929 
7930 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7931 		/*
7932 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7933 		 * each scan plan already specifies its own interval
7934 		 */
7935 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7936 			return ERR_PTR(-EINVAL);
7937 
7938 		nla_for_each_nested(attr,
7939 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7940 			n_plans++;
7941 	} else {
7942 		/*
7943 		 * The scan interval attribute is kept for backward
7944 		 * compatibility. If no scan plans are specified and sched scan
7945 		 * interval is specified, one scan plan will be set with this
7946 		 * scan interval and infinite number of iterations.
7947 		 */
7948 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7949 			return ERR_PTR(-EINVAL);
7950 
7951 		n_plans = 1;
7952 	}
7953 
7954 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7955 		return ERR_PTR(-EINVAL);
7956 
7957 	if (!wiphy_ext_feature_isset(
7958 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7959 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7960 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7961 		return ERR_PTR(-EINVAL);
7962 
7963 	request = kzalloc(sizeof(*request)
7964 			+ sizeof(*request->ssids) * n_ssids
7965 			+ sizeof(*request->match_sets) * n_match_sets
7966 			+ sizeof(*request->scan_plans) * n_plans
7967 			+ sizeof(*request->channels) * n_channels
7968 			+ ie_len, GFP_KERNEL);
7969 	if (!request)
7970 		return ERR_PTR(-ENOMEM);
7971 
7972 	if (n_ssids)
7973 		request->ssids = (void *)&request->channels[n_channels];
7974 	request->n_ssids = n_ssids;
7975 	if (ie_len) {
7976 		if (n_ssids)
7977 			request->ie = (void *)(request->ssids + n_ssids);
7978 		else
7979 			request->ie = (void *)(request->channels + n_channels);
7980 	}
7981 
7982 	if (n_match_sets) {
7983 		if (request->ie)
7984 			request->match_sets = (void *)(request->ie + ie_len);
7985 		else if (n_ssids)
7986 			request->match_sets =
7987 				(void *)(request->ssids + n_ssids);
7988 		else
7989 			request->match_sets =
7990 				(void *)(request->channels + n_channels);
7991 	}
7992 	request->n_match_sets = n_match_sets;
7993 
7994 	if (n_match_sets)
7995 		request->scan_plans = (void *)(request->match_sets +
7996 					       n_match_sets);
7997 	else if (request->ie)
7998 		request->scan_plans = (void *)(request->ie + ie_len);
7999 	else if (n_ssids)
8000 		request->scan_plans = (void *)(request->ssids + n_ssids);
8001 	else
8002 		request->scan_plans = (void *)(request->channels + n_channels);
8003 
8004 	request->n_scan_plans = n_plans;
8005 
8006 	i = 0;
8007 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8008 		/* user specified, bail out if channel not found */
8009 		nla_for_each_nested(attr,
8010 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8011 				    tmp) {
8012 			struct ieee80211_channel *chan;
8013 
8014 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8015 
8016 			if (!chan) {
8017 				err = -EINVAL;
8018 				goto out_free;
8019 			}
8020 
8021 			/* ignore disabled channels */
8022 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8023 				continue;
8024 
8025 			request->channels[i] = chan;
8026 			i++;
8027 		}
8028 	} else {
8029 		/* all channels */
8030 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8031 			int j;
8032 
8033 			if (!wiphy->bands[band])
8034 				continue;
8035 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8036 				struct ieee80211_channel *chan;
8037 
8038 				chan = &wiphy->bands[band]->channels[j];
8039 
8040 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8041 					continue;
8042 
8043 				request->channels[i] = chan;
8044 				i++;
8045 			}
8046 		}
8047 	}
8048 
8049 	if (!i) {
8050 		err = -EINVAL;
8051 		goto out_free;
8052 	}
8053 
8054 	request->n_channels = i;
8055 
8056 	i = 0;
8057 	if (n_ssids) {
8058 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8059 				    tmp) {
8060 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8061 				err = -EINVAL;
8062 				goto out_free;
8063 			}
8064 			request->ssids[i].ssid_len = nla_len(attr);
8065 			memcpy(request->ssids[i].ssid, nla_data(attr),
8066 			       nla_len(attr));
8067 			i++;
8068 		}
8069 	}
8070 
8071 	i = 0;
8072 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8073 		nla_for_each_nested(attr,
8074 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8075 				    tmp) {
8076 			struct nlattr *ssid, *bssid, *rssi;
8077 
8078 			err = nla_parse_nested_deprecated(tb,
8079 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8080 							  attr,
8081 							  nl80211_match_policy,
8082 							  NULL);
8083 			if (err)
8084 				goto out_free;
8085 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8086 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8087 
8088 			if (!ssid && !bssid) {
8089 				i++;
8090 				continue;
8091 			}
8092 
8093 			if (WARN_ON(i >= n_match_sets)) {
8094 				/* this indicates a programming error,
8095 				 * the loop above should have verified
8096 				 * things properly
8097 				 */
8098 				err = -EINVAL;
8099 				goto out_free;
8100 			}
8101 
8102 			if (ssid) {
8103 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
8104 					err = -EINVAL;
8105 					goto out_free;
8106 				}
8107 				memcpy(request->match_sets[i].ssid.ssid,
8108 				       nla_data(ssid), nla_len(ssid));
8109 				request->match_sets[i].ssid.ssid_len =
8110 					nla_len(ssid);
8111 			}
8112 			if (bssid) {
8113 				if (nla_len(bssid) != ETH_ALEN) {
8114 					err = -EINVAL;
8115 					goto out_free;
8116 				}
8117 				memcpy(request->match_sets[i].bssid,
8118 				       nla_data(bssid), ETH_ALEN);
8119 			}
8120 
8121 			/* special attribute - old implementation w/a */
8122 			request->match_sets[i].rssi_thold = default_match_rssi;
8123 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8124 			if (rssi)
8125 				request->match_sets[i].rssi_thold =
8126 					nla_get_s32(rssi);
8127 
8128 			/* Parse per band RSSI attribute */
8129 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8130 				&request->match_sets[i],
8131 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8132 				request->match_sets[i].rssi_thold);
8133 			if (err)
8134 				goto out_free;
8135 
8136 			i++;
8137 		}
8138 
8139 		/* there was no other matchset, so the RSSI one is alone */
8140 		if (i == 0 && n_match_sets)
8141 			request->match_sets[0].rssi_thold = default_match_rssi;
8142 
8143 		request->min_rssi_thold = INT_MAX;
8144 		for (i = 0; i < n_match_sets; i++)
8145 			request->min_rssi_thold =
8146 				min(request->match_sets[i].rssi_thold,
8147 				    request->min_rssi_thold);
8148 	} else {
8149 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8150 	}
8151 
8152 	if (ie_len) {
8153 		request->ie_len = ie_len;
8154 		memcpy((void *)request->ie,
8155 		       nla_data(attrs[NL80211_ATTR_IE]),
8156 		       request->ie_len);
8157 	}
8158 
8159 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8160 	if (err)
8161 		goto out_free;
8162 
8163 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8164 		request->delay =
8165 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8166 
8167 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8168 		request->relative_rssi = nla_get_s8(
8169 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8170 		request->relative_rssi_set = true;
8171 	}
8172 
8173 	if (request->relative_rssi_set &&
8174 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8175 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8176 
8177 		rssi_adjust = nla_data(
8178 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8179 		request->rssi_adjust.band = rssi_adjust->band;
8180 		request->rssi_adjust.delta = rssi_adjust->delta;
8181 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8182 			err = -EINVAL;
8183 			goto out_free;
8184 		}
8185 	}
8186 
8187 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8188 	if (err)
8189 		goto out_free;
8190 
8191 	request->scan_start = jiffies;
8192 
8193 	return request;
8194 
8195 out_free:
8196 	kfree(request);
8197 	return ERR_PTR(err);
8198 }
8199 
8200 static int nl80211_start_sched_scan(struct sk_buff *skb,
8201 				    struct genl_info *info)
8202 {
8203 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8204 	struct net_device *dev = info->user_ptr[1];
8205 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8206 	struct cfg80211_sched_scan_request *sched_scan_req;
8207 	bool want_multi;
8208 	int err;
8209 
8210 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8211 		return -EOPNOTSUPP;
8212 
8213 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8214 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8215 	if (err)
8216 		return err;
8217 
8218 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8219 						  info->attrs,
8220 						  rdev->wiphy.max_match_sets);
8221 
8222 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8223 	if (err)
8224 		goto out_err;
8225 
8226 	/* leave request id zero for legacy request
8227 	 * or if driver does not support multi-scheduled scan
8228 	 */
8229 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1) {
8230 		while (!sched_scan_req->reqid)
8231 			sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8232 	}
8233 
8234 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8235 	if (err)
8236 		goto out_free;
8237 
8238 	sched_scan_req->dev = dev;
8239 	sched_scan_req->wiphy = &rdev->wiphy;
8240 
8241 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8242 		sched_scan_req->owner_nlportid = info->snd_portid;
8243 
8244 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8245 
8246 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8247 	return 0;
8248 
8249 out_free:
8250 	kfree(sched_scan_req);
8251 out_err:
8252 	return err;
8253 }
8254 
8255 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8256 				   struct genl_info *info)
8257 {
8258 	struct cfg80211_sched_scan_request *req;
8259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8260 	u64 cookie;
8261 
8262 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8263 		return -EOPNOTSUPP;
8264 
8265 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8266 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8267 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8268 	}
8269 
8270 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8271 				     struct cfg80211_sched_scan_request,
8272 				     list);
8273 	if (!req || req->reqid ||
8274 	    (req->owner_nlportid &&
8275 	     req->owner_nlportid != info->snd_portid))
8276 		return -ENOENT;
8277 
8278 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8279 }
8280 
8281 static int nl80211_start_radar_detection(struct sk_buff *skb,
8282 					 struct genl_info *info)
8283 {
8284 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8285 	struct net_device *dev = info->user_ptr[1];
8286 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8287 	struct wiphy *wiphy = wdev->wiphy;
8288 	struct cfg80211_chan_def chandef;
8289 	enum nl80211_dfs_regions dfs_region;
8290 	unsigned int cac_time_ms;
8291 	int err;
8292 
8293 	dfs_region = reg_get_dfs_region(wiphy);
8294 	if (dfs_region == NL80211_DFS_UNSET)
8295 		return -EINVAL;
8296 
8297 	err = nl80211_parse_chandef(rdev, info, &chandef);
8298 	if (err)
8299 		return err;
8300 
8301 	if (netif_carrier_ok(dev))
8302 		return -EBUSY;
8303 
8304 	if (wdev->cac_started)
8305 		return -EBUSY;
8306 
8307 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8308 	if (err < 0)
8309 		return err;
8310 
8311 	if (err == 0)
8312 		return -EINVAL;
8313 
8314 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8315 		return -EINVAL;
8316 
8317 	/* CAC start is offloaded to HW and can't be started manually */
8318 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8319 		return -EOPNOTSUPP;
8320 
8321 	if (!rdev->ops->start_radar_detection)
8322 		return -EOPNOTSUPP;
8323 
8324 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8325 	if (WARN_ON(!cac_time_ms))
8326 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8327 
8328 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8329 	if (!err) {
8330 		wdev->chandef = chandef;
8331 		wdev->cac_started = true;
8332 		wdev->cac_start_time = jiffies;
8333 		wdev->cac_time_ms = cac_time_ms;
8334 	}
8335 	return err;
8336 }
8337 
8338 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8339 					  struct genl_info *info)
8340 {
8341 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8342 	struct net_device *dev = info->user_ptr[1];
8343 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8344 	struct wiphy *wiphy = wdev->wiphy;
8345 	struct cfg80211_chan_def chandef;
8346 	enum nl80211_dfs_regions dfs_region;
8347 	int err;
8348 
8349 	dfs_region = reg_get_dfs_region(wiphy);
8350 	if (dfs_region == NL80211_DFS_UNSET) {
8351 		GENL_SET_ERR_MSG(info,
8352 				 "DFS Region is not set. Unexpected Radar indication");
8353 		return -EINVAL;
8354 	}
8355 
8356 	err = nl80211_parse_chandef(rdev, info, &chandef);
8357 	if (err) {
8358 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8359 		return err;
8360 	}
8361 
8362 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8363 	if (err < 0) {
8364 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8365 		return err;
8366 	}
8367 
8368 	if (err == 0) {
8369 		GENL_SET_ERR_MSG(info,
8370 				 "Unexpected Radar indication for chandef/iftype");
8371 		return -EINVAL;
8372 	}
8373 
8374 	/* Do not process this notification if radar is already detected
8375 	 * by kernel on this channel, and return success.
8376 	 */
8377 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8378 		return 0;
8379 
8380 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8381 
8382 	cfg80211_sched_dfs_chan_update(rdev);
8383 
8384 	rdev->radar_chandef = chandef;
8385 
8386 	/* Propagate this notification to other radios as well */
8387 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8388 
8389 	return 0;
8390 }
8391 
8392 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8393 {
8394 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8395 	struct net_device *dev = info->user_ptr[1];
8396 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8397 	struct cfg80211_csa_settings params;
8398 	/* csa_attrs is defined static to avoid waste of stack size - this
8399 	 * function is called under RTNL lock, so this should not be a problem.
8400 	 */
8401 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8402 	int err;
8403 	bool need_new_beacon = false;
8404 	bool need_handle_dfs_flag = true;
8405 	int len, i;
8406 	u32 cs_count;
8407 
8408 	if (!rdev->ops->channel_switch ||
8409 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8410 		return -EOPNOTSUPP;
8411 
8412 	switch (dev->ieee80211_ptr->iftype) {
8413 	case NL80211_IFTYPE_AP:
8414 	case NL80211_IFTYPE_P2P_GO:
8415 		need_new_beacon = true;
8416 		/* For all modes except AP the handle_dfs flag needs to be
8417 		 * supplied to tell the kernel that userspace will handle radar
8418 		 * events when they happen. Otherwise a switch to a channel
8419 		 * requiring DFS will be rejected.
8420 		 */
8421 		need_handle_dfs_flag = false;
8422 
8423 		/* useless if AP is not running */
8424 		if (!wdev->beacon_interval)
8425 			return -ENOTCONN;
8426 		break;
8427 	case NL80211_IFTYPE_ADHOC:
8428 		if (!wdev->ssid_len)
8429 			return -ENOTCONN;
8430 		break;
8431 	case NL80211_IFTYPE_MESH_POINT:
8432 		if (!wdev->mesh_id_len)
8433 			return -ENOTCONN;
8434 		break;
8435 	default:
8436 		return -EOPNOTSUPP;
8437 	}
8438 
8439 	memset(&params, 0, sizeof(params));
8440 	params.beacon_csa.ftm_responder = -1;
8441 
8442 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8443 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8444 		return -EINVAL;
8445 
8446 	/* only important for AP, IBSS and mesh create IEs internally */
8447 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8448 		return -EINVAL;
8449 
8450 	/* Even though the attribute is u32, the specification says
8451 	 * u8, so let's make sure we don't overflow.
8452 	 */
8453 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8454 	if (cs_count > 255)
8455 		return -EINVAL;
8456 
8457 	params.count = cs_count;
8458 
8459 	if (!need_new_beacon)
8460 		goto skip_beacons;
8461 
8462 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8463 	if (err)
8464 		return err;
8465 
8466 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
8467 					  info->attrs[NL80211_ATTR_CSA_IES],
8468 					  nl80211_policy, info->extack);
8469 	if (err)
8470 		return err;
8471 
8472 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8473 	if (err)
8474 		return err;
8475 
8476 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8477 		return -EINVAL;
8478 
8479 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8480 	if (!len || (len % sizeof(u16)))
8481 		return -EINVAL;
8482 
8483 	params.n_counter_offsets_beacon = len / sizeof(u16);
8484 	if (rdev->wiphy.max_num_csa_counters &&
8485 	    (params.n_counter_offsets_beacon >
8486 	     rdev->wiphy.max_num_csa_counters))
8487 		return -EINVAL;
8488 
8489 	params.counter_offsets_beacon =
8490 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8491 
8492 	/* sanity checks - counters should fit and be the same */
8493 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8494 		u16 offset = params.counter_offsets_beacon[i];
8495 
8496 		if (offset >= params.beacon_csa.tail_len)
8497 			return -EINVAL;
8498 
8499 		if (params.beacon_csa.tail[offset] != params.count)
8500 			return -EINVAL;
8501 	}
8502 
8503 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8504 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8505 		if (!len || (len % sizeof(u16)))
8506 			return -EINVAL;
8507 
8508 		params.n_counter_offsets_presp = len / sizeof(u16);
8509 		if (rdev->wiphy.max_num_csa_counters &&
8510 		    (params.n_counter_offsets_presp >
8511 		     rdev->wiphy.max_num_csa_counters))
8512 			return -EINVAL;
8513 
8514 		params.counter_offsets_presp =
8515 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8516 
8517 		/* sanity checks - counters should fit and be the same */
8518 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8519 			u16 offset = params.counter_offsets_presp[i];
8520 
8521 			if (offset >= params.beacon_csa.probe_resp_len)
8522 				return -EINVAL;
8523 
8524 			if (params.beacon_csa.probe_resp[offset] !=
8525 			    params.count)
8526 				return -EINVAL;
8527 		}
8528 	}
8529 
8530 skip_beacons:
8531 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8532 	if (err)
8533 		return err;
8534 
8535 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8536 					   wdev->iftype))
8537 		return -EINVAL;
8538 
8539 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8540 					    &params.chandef,
8541 					    wdev->iftype);
8542 	if (err < 0)
8543 		return err;
8544 
8545 	if (err > 0) {
8546 		params.radar_required = true;
8547 		if (need_handle_dfs_flag &&
8548 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8549 			return -EINVAL;
8550 		}
8551 	}
8552 
8553 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8554 		params.block_tx = true;
8555 
8556 	wdev_lock(wdev);
8557 	err = rdev_channel_switch(rdev, dev, &params);
8558 	wdev_unlock(wdev);
8559 
8560 	return err;
8561 }
8562 
8563 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8564 			    u32 seq, int flags,
8565 			    struct cfg80211_registered_device *rdev,
8566 			    struct wireless_dev *wdev,
8567 			    struct cfg80211_internal_bss *intbss)
8568 {
8569 	struct cfg80211_bss *res = &intbss->pub;
8570 	const struct cfg80211_bss_ies *ies;
8571 	void *hdr;
8572 	struct nlattr *bss;
8573 
8574 	ASSERT_WDEV_LOCK(wdev);
8575 
8576 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8577 			     NL80211_CMD_NEW_SCAN_RESULTS);
8578 	if (!hdr)
8579 		return -1;
8580 
8581 	genl_dump_check_consistent(cb, hdr);
8582 
8583 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8584 		goto nla_put_failure;
8585 	if (wdev->netdev &&
8586 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8587 		goto nla_put_failure;
8588 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8589 			      NL80211_ATTR_PAD))
8590 		goto nla_put_failure;
8591 
8592 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
8593 	if (!bss)
8594 		goto nla_put_failure;
8595 	if ((!is_zero_ether_addr(res->bssid) &&
8596 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8597 		goto nla_put_failure;
8598 
8599 	rcu_read_lock();
8600 	/* indicate whether we have probe response data or not */
8601 	if (rcu_access_pointer(res->proberesp_ies) &&
8602 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8603 		goto fail_unlock_rcu;
8604 
8605 	/* this pointer prefers to be pointed to probe response data
8606 	 * but is always valid
8607 	 */
8608 	ies = rcu_dereference(res->ies);
8609 	if (ies) {
8610 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8611 				      NL80211_BSS_PAD))
8612 			goto fail_unlock_rcu;
8613 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8614 					ies->len, ies->data))
8615 			goto fail_unlock_rcu;
8616 	}
8617 
8618 	/* and this pointer is always (unless driver didn't know) beacon data */
8619 	ies = rcu_dereference(res->beacon_ies);
8620 	if (ies && ies->from_beacon) {
8621 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8622 				      NL80211_BSS_PAD))
8623 			goto fail_unlock_rcu;
8624 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8625 					ies->len, ies->data))
8626 			goto fail_unlock_rcu;
8627 	}
8628 	rcu_read_unlock();
8629 
8630 	if (res->beacon_interval &&
8631 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8632 		goto nla_put_failure;
8633 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8634 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8635 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8636 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8637 			jiffies_to_msecs(jiffies - intbss->ts)))
8638 		goto nla_put_failure;
8639 
8640 	if (intbss->parent_tsf &&
8641 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8642 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8643 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8644 		     intbss->parent_bssid)))
8645 		goto nla_put_failure;
8646 
8647 	if (intbss->ts_boottime &&
8648 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8649 			      intbss->ts_boottime, NL80211_BSS_PAD))
8650 		goto nla_put_failure;
8651 
8652 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8653 				intbss->pub.chain_signal,
8654 				NL80211_BSS_CHAIN_SIGNAL))
8655 		goto nla_put_failure;
8656 
8657 	switch (rdev->wiphy.signal_type) {
8658 	case CFG80211_SIGNAL_TYPE_MBM:
8659 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8660 			goto nla_put_failure;
8661 		break;
8662 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8663 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8664 			goto nla_put_failure;
8665 		break;
8666 	default:
8667 		break;
8668 	}
8669 
8670 	switch (wdev->iftype) {
8671 	case NL80211_IFTYPE_P2P_CLIENT:
8672 	case NL80211_IFTYPE_STATION:
8673 		if (intbss == wdev->current_bss &&
8674 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8675 				NL80211_BSS_STATUS_ASSOCIATED))
8676 			goto nla_put_failure;
8677 		break;
8678 	case NL80211_IFTYPE_ADHOC:
8679 		if (intbss == wdev->current_bss &&
8680 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8681 				NL80211_BSS_STATUS_IBSS_JOINED))
8682 			goto nla_put_failure;
8683 		break;
8684 	default:
8685 		break;
8686 	}
8687 
8688 	nla_nest_end(msg, bss);
8689 
8690 	genlmsg_end(msg, hdr);
8691 	return 0;
8692 
8693  fail_unlock_rcu:
8694 	rcu_read_unlock();
8695  nla_put_failure:
8696 	genlmsg_cancel(msg, hdr);
8697 	return -EMSGSIZE;
8698 }
8699 
8700 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8701 {
8702 	struct cfg80211_registered_device *rdev;
8703 	struct cfg80211_internal_bss *scan;
8704 	struct wireless_dev *wdev;
8705 	int start = cb->args[2], idx = 0;
8706 	int err;
8707 
8708 	rtnl_lock();
8709 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8710 	if (err) {
8711 		rtnl_unlock();
8712 		return err;
8713 	}
8714 
8715 	wdev_lock(wdev);
8716 	spin_lock_bh(&rdev->bss_lock);
8717 
8718 	/*
8719 	 * dump_scan will be called multiple times to break up the scan results
8720 	 * into multiple messages.  It is unlikely that any more bss-es will be
8721 	 * expired after the first call, so only call only call this on the
8722 	 * first dump_scan invocation.
8723 	 */
8724 	if (start == 0)
8725 		cfg80211_bss_expire(rdev);
8726 
8727 	cb->seq = rdev->bss_generation;
8728 
8729 	list_for_each_entry(scan, &rdev->bss_list, list) {
8730 		if (++idx <= start)
8731 			continue;
8732 		if (nl80211_send_bss(skb, cb,
8733 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8734 				rdev, wdev, scan) < 0) {
8735 			idx--;
8736 			break;
8737 		}
8738 	}
8739 
8740 	spin_unlock_bh(&rdev->bss_lock);
8741 	wdev_unlock(wdev);
8742 
8743 	cb->args[2] = idx;
8744 	rtnl_unlock();
8745 
8746 	return skb->len;
8747 }
8748 
8749 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
8750 			       int flags, struct net_device *dev,
8751 			       bool allow_radio_stats,
8752 			       struct survey_info *survey)
8753 {
8754 	void *hdr;
8755 	struct nlattr *infoattr;
8756 
8757 	/* skip radio stats if userspace didn't request them */
8758 	if (!survey->channel && !allow_radio_stats)
8759 		return 0;
8760 
8761 	hdr = nl80211hdr_put(msg, portid, seq, flags,
8762 			     NL80211_CMD_NEW_SURVEY_RESULTS);
8763 	if (!hdr)
8764 		return -ENOMEM;
8765 
8766 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
8767 		goto nla_put_failure;
8768 
8769 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
8770 	if (!infoattr)
8771 		goto nla_put_failure;
8772 
8773 	if (survey->channel &&
8774 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
8775 			survey->channel->center_freq))
8776 		goto nla_put_failure;
8777 
8778 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
8779 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
8780 		goto nla_put_failure;
8781 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
8782 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
8783 		goto nla_put_failure;
8784 	if ((survey->filled & SURVEY_INFO_TIME) &&
8785 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
8786 			survey->time, NL80211_SURVEY_INFO_PAD))
8787 		goto nla_put_failure;
8788 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
8789 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
8790 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
8791 		goto nla_put_failure;
8792 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
8793 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
8794 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
8795 		goto nla_put_failure;
8796 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
8797 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
8798 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
8799 		goto nla_put_failure;
8800 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
8801 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
8802 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
8803 		goto nla_put_failure;
8804 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
8805 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
8806 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
8807 		goto nla_put_failure;
8808 
8809 	nla_nest_end(msg, infoattr);
8810 
8811 	genlmsg_end(msg, hdr);
8812 	return 0;
8813 
8814  nla_put_failure:
8815 	genlmsg_cancel(msg, hdr);
8816 	return -EMSGSIZE;
8817 }
8818 
8819 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
8820 {
8821 	struct nlattr **attrbuf;
8822 	struct survey_info survey;
8823 	struct cfg80211_registered_device *rdev;
8824 	struct wireless_dev *wdev;
8825 	int survey_idx = cb->args[2];
8826 	int res;
8827 	bool radio_stats;
8828 
8829 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
8830 	if (!attrbuf)
8831 		return -ENOMEM;
8832 
8833 	rtnl_lock();
8834 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8835 	if (res)
8836 		goto out_err;
8837 
8838 	/* prepare_wdev_dump parsed the attributes */
8839 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
8840 
8841 	if (!wdev->netdev) {
8842 		res = -EINVAL;
8843 		goto out_err;
8844 	}
8845 
8846 	if (!rdev->ops->dump_survey) {
8847 		res = -EOPNOTSUPP;
8848 		goto out_err;
8849 	}
8850 
8851 	while (1) {
8852 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
8853 		if (res == -ENOENT)
8854 			break;
8855 		if (res)
8856 			goto out_err;
8857 
8858 		/* don't send disabled channels, but do send non-channel data */
8859 		if (survey.channel &&
8860 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
8861 			survey_idx++;
8862 			continue;
8863 		}
8864 
8865 		if (nl80211_send_survey(skb,
8866 				NETLINK_CB(cb->skb).portid,
8867 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8868 				wdev->netdev, radio_stats, &survey) < 0)
8869 			goto out;
8870 		survey_idx++;
8871 	}
8872 
8873  out:
8874 	cb->args[2] = survey_idx;
8875 	res = skb->len;
8876  out_err:
8877 	kfree(attrbuf);
8878 	rtnl_unlock();
8879 	return res;
8880 }
8881 
8882 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
8883 {
8884 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
8885 				  NL80211_WPA_VERSION_2 |
8886 				  NL80211_WPA_VERSION_3));
8887 }
8888 
8889 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
8890 {
8891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8892 	struct net_device *dev = info->user_ptr[1];
8893 	struct ieee80211_channel *chan;
8894 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
8895 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
8896 	enum nl80211_auth_type auth_type;
8897 	struct key_parse key;
8898 	bool local_state_change;
8899 
8900 	if (!info->attrs[NL80211_ATTR_MAC])
8901 		return -EINVAL;
8902 
8903 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
8904 		return -EINVAL;
8905 
8906 	if (!info->attrs[NL80211_ATTR_SSID])
8907 		return -EINVAL;
8908 
8909 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8910 		return -EINVAL;
8911 
8912 	err = nl80211_parse_key(info, &key);
8913 	if (err)
8914 		return err;
8915 
8916 	if (key.idx >= 0) {
8917 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
8918 			return -EINVAL;
8919 		if (!key.p.key || !key.p.key_len)
8920 			return -EINVAL;
8921 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
8922 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
8923 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
8924 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
8925 			return -EINVAL;
8926 		if (key.idx > 3)
8927 			return -EINVAL;
8928 	} else {
8929 		key.p.key_len = 0;
8930 		key.p.key = NULL;
8931 	}
8932 
8933 	if (key.idx >= 0) {
8934 		int i;
8935 		bool ok = false;
8936 
8937 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
8938 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
8939 				ok = true;
8940 				break;
8941 			}
8942 		}
8943 		if (!ok)
8944 			return -EINVAL;
8945 	}
8946 
8947 	if (!rdev->ops->auth)
8948 		return -EOPNOTSUPP;
8949 
8950 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8951 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8952 		return -EOPNOTSUPP;
8953 
8954 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8955 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8956 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8957 	if (!chan)
8958 		return -EINVAL;
8959 
8960 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8961 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8962 
8963 	if (info->attrs[NL80211_ATTR_IE]) {
8964 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8965 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8966 	}
8967 
8968 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8969 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
8970 		return -EINVAL;
8971 
8972 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
8973 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
8974 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
8975 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
8976 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
8977 		return -EINVAL;
8978 
8979 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
8980 		if (auth_type != NL80211_AUTHTYPE_SAE &&
8981 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
8982 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
8983 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
8984 			return -EINVAL;
8985 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
8986 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
8987 		/* need to include at least Auth Transaction and Status Code */
8988 		if (auth_data_len < 4)
8989 			return -EINVAL;
8990 	}
8991 
8992 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8993 
8994 	/*
8995 	 * Since we no longer track auth state, ignore
8996 	 * requests to only change local state.
8997 	 */
8998 	if (local_state_change)
8999 		return 0;
9000 
9001 	wdev_lock(dev->ieee80211_ptr);
9002 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9003 				 ssid, ssid_len, ie, ie_len,
9004 				 key.p.key, key.p.key_len, key.idx,
9005 				 auth_data, auth_data_len);
9006 	wdev_unlock(dev->ieee80211_ptr);
9007 	return err;
9008 }
9009 
9010 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9011 				     struct genl_info *info)
9012 {
9013 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9014 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9015 		return -EINVAL;
9016 	}
9017 
9018 	if (!rdev->ops->tx_control_port ||
9019 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9020 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9021 		return -EOPNOTSUPP;
9022 
9023 	return 0;
9024 }
9025 
9026 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9027 				   struct genl_info *info,
9028 				   struct cfg80211_crypto_settings *settings,
9029 				   int cipher_limit)
9030 {
9031 	memset(settings, 0, sizeof(*settings));
9032 
9033 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9034 
9035 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9036 		u16 proto;
9037 
9038 		proto = nla_get_u16(
9039 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9040 		settings->control_port_ethertype = cpu_to_be16(proto);
9041 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9042 		    proto != ETH_P_PAE)
9043 			return -EINVAL;
9044 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9045 			settings->control_port_no_encrypt = true;
9046 	} else
9047 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9048 
9049 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9050 		int r = validate_pae_over_nl80211(rdev, info);
9051 
9052 		if (r < 0)
9053 			return r;
9054 
9055 		settings->control_port_over_nl80211 = true;
9056 	}
9057 
9058 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9059 		void *data;
9060 		int len, i;
9061 
9062 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9063 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9064 		settings->n_ciphers_pairwise = len / sizeof(u32);
9065 
9066 		if (len % sizeof(u32))
9067 			return -EINVAL;
9068 
9069 		if (settings->n_ciphers_pairwise > cipher_limit)
9070 			return -EINVAL;
9071 
9072 		memcpy(settings->ciphers_pairwise, data, len);
9073 
9074 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9075 			if (!cfg80211_supported_cipher_suite(
9076 					&rdev->wiphy,
9077 					settings->ciphers_pairwise[i]))
9078 				return -EINVAL;
9079 	}
9080 
9081 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9082 		settings->cipher_group =
9083 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9084 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9085 						     settings->cipher_group))
9086 			return -EINVAL;
9087 	}
9088 
9089 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9090 		settings->wpa_versions =
9091 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9092 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9093 			return -EINVAL;
9094 	}
9095 
9096 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9097 		void *data;
9098 		int len;
9099 
9100 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9101 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9102 		settings->n_akm_suites = len / sizeof(u32);
9103 
9104 		if (len % sizeof(u32))
9105 			return -EINVAL;
9106 
9107 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9108 			return -EINVAL;
9109 
9110 		memcpy(settings->akm_suites, data, len);
9111 	}
9112 
9113 	if (info->attrs[NL80211_ATTR_PMK]) {
9114 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9115 			return -EINVAL;
9116 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9117 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
9118 			return -EINVAL;
9119 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9120 	}
9121 
9122 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9123 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9124 					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
9125 			return -EINVAL;
9126 		settings->sae_pwd =
9127 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9128 		settings->sae_pwd_len =
9129 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9130 	}
9131 
9132 	return 0;
9133 }
9134 
9135 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9136 {
9137 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9138 	struct net_device *dev = info->user_ptr[1];
9139 	struct ieee80211_channel *chan;
9140 	struct cfg80211_assoc_request req = {};
9141 	const u8 *bssid, *ssid;
9142 	int err, ssid_len = 0;
9143 
9144 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9145 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9146 		return -EPERM;
9147 
9148 	if (!info->attrs[NL80211_ATTR_MAC] ||
9149 	    !info->attrs[NL80211_ATTR_SSID] ||
9150 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9151 		return -EINVAL;
9152 
9153 	if (!rdev->ops->assoc)
9154 		return -EOPNOTSUPP;
9155 
9156 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9157 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9158 		return -EOPNOTSUPP;
9159 
9160 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9161 
9162 	chan = nl80211_get_valid_chan(&rdev->wiphy,
9163 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9164 	if (!chan)
9165 		return -EINVAL;
9166 
9167 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9168 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9169 
9170 	if (info->attrs[NL80211_ATTR_IE]) {
9171 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9172 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9173 	}
9174 
9175 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9176 		enum nl80211_mfp mfp =
9177 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9178 		if (mfp == NL80211_MFP_REQUIRED)
9179 			req.use_mfp = true;
9180 		else if (mfp != NL80211_MFP_NO)
9181 			return -EINVAL;
9182 	}
9183 
9184 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9185 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9186 
9187 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9188 		req.flags |= ASSOC_REQ_DISABLE_HT;
9189 
9190 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9191 		memcpy(&req.ht_capa_mask,
9192 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9193 		       sizeof(req.ht_capa_mask));
9194 
9195 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9196 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9197 			return -EINVAL;
9198 		memcpy(&req.ht_capa,
9199 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9200 		       sizeof(req.ht_capa));
9201 	}
9202 
9203 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9204 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9205 
9206 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9207 		memcpy(&req.vht_capa_mask,
9208 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9209 		       sizeof(req.vht_capa_mask));
9210 
9211 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9212 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9213 			return -EINVAL;
9214 		memcpy(&req.vht_capa,
9215 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9216 		       sizeof(req.vht_capa));
9217 	}
9218 
9219 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9220 		if (!((rdev->wiphy.features &
9221 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9222 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9223 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9224 					     NL80211_EXT_FEATURE_RRM))
9225 			return -EINVAL;
9226 		req.flags |= ASSOC_REQ_USE_RRM;
9227 	}
9228 
9229 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9230 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9231 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9232 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9233 			return -EINVAL;
9234 		req.fils_nonces =
9235 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9236 	}
9237 
9238 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9239 	if (!err) {
9240 		wdev_lock(dev->ieee80211_ptr);
9241 
9242 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9243 					  ssid, ssid_len, &req);
9244 
9245 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9246 			dev->ieee80211_ptr->conn_owner_nlportid =
9247 				info->snd_portid;
9248 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9249 			       bssid, ETH_ALEN);
9250 		}
9251 
9252 		wdev_unlock(dev->ieee80211_ptr);
9253 	}
9254 
9255 	return err;
9256 }
9257 
9258 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9259 {
9260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9261 	struct net_device *dev = info->user_ptr[1];
9262 	const u8 *ie = NULL, *bssid;
9263 	int ie_len = 0, err;
9264 	u16 reason_code;
9265 	bool local_state_change;
9266 
9267 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9268 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9269 		return -EPERM;
9270 
9271 	if (!info->attrs[NL80211_ATTR_MAC])
9272 		return -EINVAL;
9273 
9274 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9275 		return -EINVAL;
9276 
9277 	if (!rdev->ops->deauth)
9278 		return -EOPNOTSUPP;
9279 
9280 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9281 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9282 		return -EOPNOTSUPP;
9283 
9284 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9285 
9286 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9287 	if (reason_code == 0) {
9288 		/* Reason Code 0 is reserved */
9289 		return -EINVAL;
9290 	}
9291 
9292 	if (info->attrs[NL80211_ATTR_IE]) {
9293 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9294 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9295 	}
9296 
9297 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9298 
9299 	wdev_lock(dev->ieee80211_ptr);
9300 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9301 				   local_state_change);
9302 	wdev_unlock(dev->ieee80211_ptr);
9303 	return err;
9304 }
9305 
9306 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9307 {
9308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9309 	struct net_device *dev = info->user_ptr[1];
9310 	const u8 *ie = NULL, *bssid;
9311 	int ie_len = 0, err;
9312 	u16 reason_code;
9313 	bool local_state_change;
9314 
9315 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9316 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9317 		return -EPERM;
9318 
9319 	if (!info->attrs[NL80211_ATTR_MAC])
9320 		return -EINVAL;
9321 
9322 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9323 		return -EINVAL;
9324 
9325 	if (!rdev->ops->disassoc)
9326 		return -EOPNOTSUPP;
9327 
9328 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9329 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9330 		return -EOPNOTSUPP;
9331 
9332 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9333 
9334 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9335 	if (reason_code == 0) {
9336 		/* Reason Code 0 is reserved */
9337 		return -EINVAL;
9338 	}
9339 
9340 	if (info->attrs[NL80211_ATTR_IE]) {
9341 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9342 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9343 	}
9344 
9345 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9346 
9347 	wdev_lock(dev->ieee80211_ptr);
9348 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9349 				     local_state_change);
9350 	wdev_unlock(dev->ieee80211_ptr);
9351 	return err;
9352 }
9353 
9354 static bool
9355 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9356 			 int mcast_rate[NUM_NL80211_BANDS],
9357 			 int rateval)
9358 {
9359 	struct wiphy *wiphy = &rdev->wiphy;
9360 	bool found = false;
9361 	int band, i;
9362 
9363 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9364 		struct ieee80211_supported_band *sband;
9365 
9366 		sband = wiphy->bands[band];
9367 		if (!sband)
9368 			continue;
9369 
9370 		for (i = 0; i < sband->n_bitrates; i++) {
9371 			if (sband->bitrates[i].bitrate == rateval) {
9372 				mcast_rate[band] = i + 1;
9373 				found = true;
9374 				break;
9375 			}
9376 		}
9377 	}
9378 
9379 	return found;
9380 }
9381 
9382 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9383 {
9384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9385 	struct net_device *dev = info->user_ptr[1];
9386 	struct cfg80211_ibss_params ibss;
9387 	struct wiphy *wiphy;
9388 	struct cfg80211_cached_keys *connkeys = NULL;
9389 	int err;
9390 
9391 	memset(&ibss, 0, sizeof(ibss));
9392 
9393 	if (!info->attrs[NL80211_ATTR_SSID] ||
9394 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9395 		return -EINVAL;
9396 
9397 	ibss.beacon_interval = 100;
9398 
9399 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9400 		ibss.beacon_interval =
9401 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9402 
9403 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9404 					   ibss.beacon_interval);
9405 	if (err)
9406 		return err;
9407 
9408 	if (!rdev->ops->join_ibss)
9409 		return -EOPNOTSUPP;
9410 
9411 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9412 		return -EOPNOTSUPP;
9413 
9414 	wiphy = &rdev->wiphy;
9415 
9416 	if (info->attrs[NL80211_ATTR_MAC]) {
9417 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9418 
9419 		if (!is_valid_ether_addr(ibss.bssid))
9420 			return -EINVAL;
9421 	}
9422 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9423 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9424 
9425 	if (info->attrs[NL80211_ATTR_IE]) {
9426 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9427 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9428 	}
9429 
9430 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9431 	if (err)
9432 		return err;
9433 
9434 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9435 				     NL80211_IFTYPE_ADHOC))
9436 		return -EINVAL;
9437 
9438 	switch (ibss.chandef.width) {
9439 	case NL80211_CHAN_WIDTH_5:
9440 	case NL80211_CHAN_WIDTH_10:
9441 	case NL80211_CHAN_WIDTH_20_NOHT:
9442 		break;
9443 	case NL80211_CHAN_WIDTH_20:
9444 	case NL80211_CHAN_WIDTH_40:
9445 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9446 			return -EINVAL;
9447 		break;
9448 	case NL80211_CHAN_WIDTH_80:
9449 	case NL80211_CHAN_WIDTH_80P80:
9450 	case NL80211_CHAN_WIDTH_160:
9451 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9452 			return -EINVAL;
9453 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9454 					     NL80211_EXT_FEATURE_VHT_IBSS))
9455 			return -EINVAL;
9456 		break;
9457 	default:
9458 		return -EINVAL;
9459 	}
9460 
9461 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9462 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9463 
9464 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9465 		u8 *rates =
9466 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9467 		int n_rates =
9468 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9469 		struct ieee80211_supported_band *sband =
9470 			wiphy->bands[ibss.chandef.chan->band];
9471 
9472 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9473 					     &ibss.basic_rates);
9474 		if (err)
9475 			return err;
9476 	}
9477 
9478 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9479 		memcpy(&ibss.ht_capa_mask,
9480 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9481 		       sizeof(ibss.ht_capa_mask));
9482 
9483 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9484 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9485 			return -EINVAL;
9486 		memcpy(&ibss.ht_capa,
9487 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9488 		       sizeof(ibss.ht_capa));
9489 	}
9490 
9491 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9492 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9493 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9494 		return -EINVAL;
9495 
9496 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9497 		bool no_ht = false;
9498 
9499 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9500 		if (IS_ERR(connkeys))
9501 			return PTR_ERR(connkeys);
9502 
9503 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9504 		    no_ht) {
9505 			kzfree(connkeys);
9506 			return -EINVAL;
9507 		}
9508 	}
9509 
9510 	ibss.control_port =
9511 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9512 
9513 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9514 		int r = validate_pae_over_nl80211(rdev, info);
9515 
9516 		if (r < 0) {
9517 			kzfree(connkeys);
9518 			return r;
9519 		}
9520 
9521 		ibss.control_port_over_nl80211 = true;
9522 	}
9523 
9524 	ibss.userspace_handles_dfs =
9525 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9526 
9527 	wdev_lock(dev->ieee80211_ptr);
9528 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9529 	if (err)
9530 		kzfree(connkeys);
9531 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9532 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9533 	wdev_unlock(dev->ieee80211_ptr);
9534 
9535 	return err;
9536 }
9537 
9538 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9539 {
9540 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9541 	struct net_device *dev = info->user_ptr[1];
9542 
9543 	if (!rdev->ops->leave_ibss)
9544 		return -EOPNOTSUPP;
9545 
9546 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9547 		return -EOPNOTSUPP;
9548 
9549 	return cfg80211_leave_ibss(rdev, dev, false);
9550 }
9551 
9552 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9553 {
9554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9555 	struct net_device *dev = info->user_ptr[1];
9556 	int mcast_rate[NUM_NL80211_BANDS];
9557 	u32 nla_rate;
9558 	int err;
9559 
9560 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9561 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9562 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9563 		return -EOPNOTSUPP;
9564 
9565 	if (!rdev->ops->set_mcast_rate)
9566 		return -EOPNOTSUPP;
9567 
9568 	memset(mcast_rate, 0, sizeof(mcast_rate));
9569 
9570 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9571 		return -EINVAL;
9572 
9573 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9574 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9575 		return -EINVAL;
9576 
9577 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9578 
9579 	return err;
9580 }
9581 
9582 static struct sk_buff *
9583 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9584 			    struct wireless_dev *wdev, int approxlen,
9585 			    u32 portid, u32 seq, enum nl80211_commands cmd,
9586 			    enum nl80211_attrs attr,
9587 			    const struct nl80211_vendor_cmd_info *info,
9588 			    gfp_t gfp)
9589 {
9590 	struct sk_buff *skb;
9591 	void *hdr;
9592 	struct nlattr *data;
9593 
9594 	skb = nlmsg_new(approxlen + 100, gfp);
9595 	if (!skb)
9596 		return NULL;
9597 
9598 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9599 	if (!hdr) {
9600 		kfree_skb(skb);
9601 		return NULL;
9602 	}
9603 
9604 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9605 		goto nla_put_failure;
9606 
9607 	if (info) {
9608 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9609 				info->vendor_id))
9610 			goto nla_put_failure;
9611 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9612 				info->subcmd))
9613 			goto nla_put_failure;
9614 	}
9615 
9616 	if (wdev) {
9617 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9618 				      wdev_id(wdev), NL80211_ATTR_PAD))
9619 			goto nla_put_failure;
9620 		if (wdev->netdev &&
9621 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9622 				wdev->netdev->ifindex))
9623 			goto nla_put_failure;
9624 	}
9625 
9626 	data = nla_nest_start_noflag(skb, attr);
9627 	if (!data)
9628 		goto nla_put_failure;
9629 
9630 	((void **)skb->cb)[0] = rdev;
9631 	((void **)skb->cb)[1] = hdr;
9632 	((void **)skb->cb)[2] = data;
9633 
9634 	return skb;
9635 
9636  nla_put_failure:
9637 	kfree_skb(skb);
9638 	return NULL;
9639 }
9640 
9641 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9642 					   struct wireless_dev *wdev,
9643 					   enum nl80211_commands cmd,
9644 					   enum nl80211_attrs attr,
9645 					   unsigned int portid,
9646 					   int vendor_event_idx,
9647 					   int approxlen, gfp_t gfp)
9648 {
9649 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9650 	const struct nl80211_vendor_cmd_info *info;
9651 
9652 	switch (cmd) {
9653 	case NL80211_CMD_TESTMODE:
9654 		if (WARN_ON(vendor_event_idx != -1))
9655 			return NULL;
9656 		info = NULL;
9657 		break;
9658 	case NL80211_CMD_VENDOR:
9659 		if (WARN_ON(vendor_event_idx < 0 ||
9660 			    vendor_event_idx >= wiphy->n_vendor_events))
9661 			return NULL;
9662 		info = &wiphy->vendor_events[vendor_event_idx];
9663 		break;
9664 	default:
9665 		WARN_ON(1);
9666 		return NULL;
9667 	}
9668 
9669 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
9670 					   cmd, attr, info, gfp);
9671 }
9672 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9673 
9674 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9675 {
9676 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9677 	void *hdr = ((void **)skb->cb)[1];
9678 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
9679 	struct nlattr *data = ((void **)skb->cb)[2];
9680 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9681 
9682 	/* clear CB data for netlink core to own from now on */
9683 	memset(skb->cb, 0, sizeof(skb->cb));
9684 
9685 	nla_nest_end(skb, data);
9686 	genlmsg_end(skb, hdr);
9687 
9688 	if (nlhdr->nlmsg_pid) {
9689 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
9690 				nlhdr->nlmsg_pid);
9691 	} else {
9692 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9693 			mcgrp = NL80211_MCGRP_VENDOR;
9694 
9695 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
9696 					skb, 0, mcgrp, gfp);
9697 	}
9698 }
9699 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9700 
9701 #ifdef CONFIG_NL80211_TESTMODE
9702 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9703 {
9704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9705 	struct wireless_dev *wdev =
9706 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9707 	int err;
9708 
9709 	if (!rdev->ops->testmode_cmd)
9710 		return -EOPNOTSUPP;
9711 
9712 	if (IS_ERR(wdev)) {
9713 		err = PTR_ERR(wdev);
9714 		if (err != -EINVAL)
9715 			return err;
9716 		wdev = NULL;
9717 	} else if (wdev->wiphy != &rdev->wiphy) {
9718 		return -EINVAL;
9719 	}
9720 
9721 	if (!info->attrs[NL80211_ATTR_TESTDATA])
9722 		return -EINVAL;
9723 
9724 	rdev->cur_cmd_info = info;
9725 	err = rdev_testmode_cmd(rdev, wdev,
9726 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
9727 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
9728 	rdev->cur_cmd_info = NULL;
9729 
9730 	return err;
9731 }
9732 
9733 static int nl80211_testmode_dump(struct sk_buff *skb,
9734 				 struct netlink_callback *cb)
9735 {
9736 	struct cfg80211_registered_device *rdev;
9737 	struct nlattr **attrbuf = NULL;
9738 	int err;
9739 	long phy_idx;
9740 	void *data = NULL;
9741 	int data_len = 0;
9742 
9743 	rtnl_lock();
9744 
9745 	if (cb->args[0]) {
9746 		/*
9747 		 * 0 is a valid index, but not valid for args[0],
9748 		 * so we need to offset by 1.
9749 		 */
9750 		phy_idx = cb->args[0] - 1;
9751 
9752 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
9753 		if (!rdev) {
9754 			err = -ENOENT;
9755 			goto out_err;
9756 		}
9757 	} else {
9758 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
9759 				  GFP_KERNEL);
9760 		if (!attrbuf) {
9761 			err = -ENOMEM;
9762 			goto out_err;
9763 		}
9764 
9765 		err = nlmsg_parse_deprecated(cb->nlh,
9766 					     GENL_HDRLEN + nl80211_fam.hdrsize,
9767 					     attrbuf, nl80211_fam.maxattr,
9768 					     nl80211_policy, NULL);
9769 		if (err)
9770 			goto out_err;
9771 
9772 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
9773 		if (IS_ERR(rdev)) {
9774 			err = PTR_ERR(rdev);
9775 			goto out_err;
9776 		}
9777 		phy_idx = rdev->wiphy_idx;
9778 
9779 		if (attrbuf[NL80211_ATTR_TESTDATA])
9780 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
9781 	}
9782 
9783 	if (cb->args[1]) {
9784 		data = nla_data((void *)cb->args[1]);
9785 		data_len = nla_len((void *)cb->args[1]);
9786 	}
9787 
9788 	if (!rdev->ops->testmode_dump) {
9789 		err = -EOPNOTSUPP;
9790 		goto out_err;
9791 	}
9792 
9793 	while (1) {
9794 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
9795 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
9796 					   NL80211_CMD_TESTMODE);
9797 		struct nlattr *tmdata;
9798 
9799 		if (!hdr)
9800 			break;
9801 
9802 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
9803 			genlmsg_cancel(skb, hdr);
9804 			break;
9805 		}
9806 
9807 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
9808 		if (!tmdata) {
9809 			genlmsg_cancel(skb, hdr);
9810 			break;
9811 		}
9812 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
9813 		nla_nest_end(skb, tmdata);
9814 
9815 		if (err == -ENOBUFS || err == -ENOENT) {
9816 			genlmsg_cancel(skb, hdr);
9817 			break;
9818 		} else if (err) {
9819 			genlmsg_cancel(skb, hdr);
9820 			goto out_err;
9821 		}
9822 
9823 		genlmsg_end(skb, hdr);
9824 	}
9825 
9826 	err = skb->len;
9827 	/* see above */
9828 	cb->args[0] = phy_idx + 1;
9829  out_err:
9830 	kfree(attrbuf);
9831 	rtnl_unlock();
9832 	return err;
9833 }
9834 #endif
9835 
9836 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9837 {
9838 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9839 	struct net_device *dev = info->user_ptr[1];
9840 	struct cfg80211_connect_params connect;
9841 	struct wiphy *wiphy;
9842 	struct cfg80211_cached_keys *connkeys = NULL;
9843 	int err;
9844 
9845 	memset(&connect, 0, sizeof(connect));
9846 
9847 	if (!info->attrs[NL80211_ATTR_SSID] ||
9848 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9849 		return -EINVAL;
9850 
9851 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9852 		connect.auth_type =
9853 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9854 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9855 					     NL80211_CMD_CONNECT))
9856 			return -EINVAL;
9857 	} else
9858 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9859 
9860 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9861 
9862 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9863 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9864 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9865 		return -EINVAL;
9866 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9867 
9868 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9869 				      NL80211_MAX_NR_CIPHER_SUITES);
9870 	if (err)
9871 		return err;
9872 
9873 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9874 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9875 		return -EOPNOTSUPP;
9876 
9877 	wiphy = &rdev->wiphy;
9878 
9879 	connect.bg_scan_period = -1;
9880 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9881 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9882 		connect.bg_scan_period =
9883 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9884 	}
9885 
9886 	if (info->attrs[NL80211_ATTR_MAC])
9887 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9888 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
9889 		connect.bssid_hint =
9890 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9891 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9892 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9893 
9894 	if (info->attrs[NL80211_ATTR_IE]) {
9895 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9896 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9897 	}
9898 
9899 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9900 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9901 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
9902 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9903 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
9904 			return -EOPNOTSUPP;
9905 	} else {
9906 		connect.mfp = NL80211_MFP_NO;
9907 	}
9908 
9909 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9910 		connect.prev_bssid =
9911 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9912 
9913 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9914 		connect.channel = nl80211_get_valid_chan(
9915 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9916 		if (!connect.channel)
9917 			return -EINVAL;
9918 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9919 		connect.channel_hint = nl80211_get_valid_chan(
9920 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9921 		if (!connect.channel_hint)
9922 			return -EINVAL;
9923 	}
9924 
9925 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
9926 		connect.edmg.channels =
9927 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
9928 
9929 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
9930 			connect.edmg.bw_config =
9931 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
9932 	}
9933 
9934 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9935 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9936 		if (IS_ERR(connkeys))
9937 			return PTR_ERR(connkeys);
9938 	}
9939 
9940 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9941 		connect.flags |= ASSOC_REQ_DISABLE_HT;
9942 
9943 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9944 		memcpy(&connect.ht_capa_mask,
9945 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9946 		       sizeof(connect.ht_capa_mask));
9947 
9948 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9949 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9950 			kzfree(connkeys);
9951 			return -EINVAL;
9952 		}
9953 		memcpy(&connect.ht_capa,
9954 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9955 		       sizeof(connect.ht_capa));
9956 	}
9957 
9958 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9959 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
9960 
9961 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9962 		memcpy(&connect.vht_capa_mask,
9963 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9964 		       sizeof(connect.vht_capa_mask));
9965 
9966 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9967 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9968 			kzfree(connkeys);
9969 			return -EINVAL;
9970 		}
9971 		memcpy(&connect.vht_capa,
9972 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9973 		       sizeof(connect.vht_capa));
9974 	}
9975 
9976 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9977 		if (!((rdev->wiphy.features &
9978 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9979 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9980 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9981 					     NL80211_EXT_FEATURE_RRM)) {
9982 			kzfree(connkeys);
9983 			return -EINVAL;
9984 		}
9985 		connect.flags |= ASSOC_REQ_USE_RRM;
9986 	}
9987 
9988 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9989 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9990 		kzfree(connkeys);
9991 		return -EOPNOTSUPP;
9992 	}
9993 
9994 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
9995 		/* bss selection makes no sense if bssid is set */
9996 		if (connect.bssid) {
9997 			kzfree(connkeys);
9998 			return -EINVAL;
9999 		}
10000 
10001 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10002 				       wiphy, &connect.bss_select);
10003 		if (err) {
10004 			kzfree(connkeys);
10005 			return err;
10006 		}
10007 	}
10008 
10009 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10010 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10011 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10012 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10013 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10014 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10015 		connect.fils_erp_username =
10016 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10017 		connect.fils_erp_username_len =
10018 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10019 		connect.fils_erp_realm =
10020 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10021 		connect.fils_erp_realm_len =
10022 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10023 		connect.fils_erp_next_seq_num =
10024 			nla_get_u16(
10025 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10026 		connect.fils_erp_rrk =
10027 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10028 		connect.fils_erp_rrk_len =
10029 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10030 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10031 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10032 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10033 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10034 		kzfree(connkeys);
10035 		return -EINVAL;
10036 	}
10037 
10038 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10039 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10040 			kzfree(connkeys);
10041 			GENL_SET_ERR_MSG(info,
10042 					 "external auth requires connection ownership");
10043 			return -EINVAL;
10044 		}
10045 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10046 	}
10047 
10048 	wdev_lock(dev->ieee80211_ptr);
10049 
10050 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10051 			       connect.prev_bssid);
10052 	if (err)
10053 		kzfree(connkeys);
10054 
10055 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10056 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10057 		if (connect.bssid)
10058 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10059 			       connect.bssid, ETH_ALEN);
10060 		else
10061 			memset(dev->ieee80211_ptr->disconnect_bssid,
10062 			       0, ETH_ALEN);
10063 	}
10064 
10065 	wdev_unlock(dev->ieee80211_ptr);
10066 
10067 	return err;
10068 }
10069 
10070 static int nl80211_update_connect_params(struct sk_buff *skb,
10071 					 struct genl_info *info)
10072 {
10073 	struct cfg80211_connect_params connect = {};
10074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10075 	struct net_device *dev = info->user_ptr[1];
10076 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10077 	bool fils_sk_offload;
10078 	u32 auth_type;
10079 	u32 changed = 0;
10080 	int ret;
10081 
10082 	if (!rdev->ops->update_connect_params)
10083 		return -EOPNOTSUPP;
10084 
10085 	if (info->attrs[NL80211_ATTR_IE]) {
10086 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10087 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10088 		changed |= UPDATE_ASSOC_IES;
10089 	}
10090 
10091 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10092 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10093 
10094 	/*
10095 	 * when driver supports fils-sk offload all attributes must be
10096 	 * provided. So the else covers "fils-sk-not-all" and
10097 	 * "no-fils-sk-any".
10098 	 */
10099 	if (fils_sk_offload &&
10100 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10101 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10102 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10103 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10104 		connect.fils_erp_username =
10105 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10106 		connect.fils_erp_username_len =
10107 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10108 		connect.fils_erp_realm =
10109 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10110 		connect.fils_erp_realm_len =
10111 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10112 		connect.fils_erp_next_seq_num =
10113 			nla_get_u16(
10114 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10115 		connect.fils_erp_rrk =
10116 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10117 		connect.fils_erp_rrk_len =
10118 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10119 		changed |= UPDATE_FILS_ERP_INFO;
10120 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10121 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10122 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10123 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10124 		return -EINVAL;
10125 	}
10126 
10127 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10128 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10129 		if (!nl80211_valid_auth_type(rdev, auth_type,
10130 					     NL80211_CMD_CONNECT))
10131 			return -EINVAL;
10132 
10133 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10134 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10135 			return -EINVAL;
10136 
10137 		connect.auth_type = auth_type;
10138 		changed |= UPDATE_AUTH_TYPE;
10139 	}
10140 
10141 	wdev_lock(dev->ieee80211_ptr);
10142 	if (!wdev->current_bss)
10143 		ret = -ENOLINK;
10144 	else
10145 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10146 	wdev_unlock(dev->ieee80211_ptr);
10147 
10148 	return ret;
10149 }
10150 
10151 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10152 {
10153 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10154 	struct net_device *dev = info->user_ptr[1];
10155 	u16 reason;
10156 	int ret;
10157 
10158 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10159 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10160 		return -EPERM;
10161 
10162 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10163 		reason = WLAN_REASON_DEAUTH_LEAVING;
10164 	else
10165 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10166 
10167 	if (reason == 0)
10168 		return -EINVAL;
10169 
10170 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10171 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10172 		return -EOPNOTSUPP;
10173 
10174 	wdev_lock(dev->ieee80211_ptr);
10175 	ret = cfg80211_disconnect(rdev, dev, reason, true);
10176 	wdev_unlock(dev->ieee80211_ptr);
10177 	return ret;
10178 }
10179 
10180 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10181 {
10182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10183 	struct net *net;
10184 	int err;
10185 
10186 	if (info->attrs[NL80211_ATTR_PID]) {
10187 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10188 
10189 		net = get_net_ns_by_pid(pid);
10190 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10191 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10192 
10193 		net = get_net_ns_by_fd(fd);
10194 	} else {
10195 		return -EINVAL;
10196 	}
10197 
10198 	if (IS_ERR(net))
10199 		return PTR_ERR(net);
10200 
10201 	err = 0;
10202 
10203 	/* check if anything to do */
10204 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10205 		err = cfg80211_switch_netns(rdev, net);
10206 
10207 	put_net(net);
10208 	return err;
10209 }
10210 
10211 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10212 {
10213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10214 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10215 			struct cfg80211_pmksa *pmksa) = NULL;
10216 	struct net_device *dev = info->user_ptr[1];
10217 	struct cfg80211_pmksa pmksa;
10218 
10219 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10220 
10221 	if (!info->attrs[NL80211_ATTR_PMKID])
10222 		return -EINVAL;
10223 
10224 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10225 
10226 	if (info->attrs[NL80211_ATTR_MAC]) {
10227 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10228 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10229 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10230 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10231 		    info->attrs[NL80211_ATTR_PMK])) {
10232 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10233 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10234 		pmksa.cache_id =
10235 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10236 	} else {
10237 		return -EINVAL;
10238 	}
10239 	if (info->attrs[NL80211_ATTR_PMK]) {
10240 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10241 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10242 	}
10243 
10244 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10245 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10246 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10247 	      wiphy_ext_feature_isset(&rdev->wiphy,
10248 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10249 		return -EOPNOTSUPP;
10250 
10251 	switch (info->genlhdr->cmd) {
10252 	case NL80211_CMD_SET_PMKSA:
10253 		rdev_ops = rdev->ops->set_pmksa;
10254 		break;
10255 	case NL80211_CMD_DEL_PMKSA:
10256 		rdev_ops = rdev->ops->del_pmksa;
10257 		break;
10258 	default:
10259 		WARN_ON(1);
10260 		break;
10261 	}
10262 
10263 	if (!rdev_ops)
10264 		return -EOPNOTSUPP;
10265 
10266 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10267 }
10268 
10269 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10270 {
10271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10272 	struct net_device *dev = info->user_ptr[1];
10273 
10274 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10275 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10276 		return -EOPNOTSUPP;
10277 
10278 	if (!rdev->ops->flush_pmksa)
10279 		return -EOPNOTSUPP;
10280 
10281 	return rdev_flush_pmksa(rdev, dev);
10282 }
10283 
10284 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10285 {
10286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10287 	struct net_device *dev = info->user_ptr[1];
10288 	u8 action_code, dialog_token;
10289 	u32 peer_capability = 0;
10290 	u16 status_code;
10291 	u8 *peer;
10292 	bool initiator;
10293 
10294 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10295 	    !rdev->ops->tdls_mgmt)
10296 		return -EOPNOTSUPP;
10297 
10298 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10299 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10300 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10301 	    !info->attrs[NL80211_ATTR_IE] ||
10302 	    !info->attrs[NL80211_ATTR_MAC])
10303 		return -EINVAL;
10304 
10305 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10306 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10307 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10308 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10309 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10310 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10311 		peer_capability =
10312 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10313 
10314 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10315 			      dialog_token, status_code, peer_capability,
10316 			      initiator,
10317 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10318 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10319 }
10320 
10321 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10322 {
10323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10324 	struct net_device *dev = info->user_ptr[1];
10325 	enum nl80211_tdls_operation operation;
10326 	u8 *peer;
10327 
10328 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10329 	    !rdev->ops->tdls_oper)
10330 		return -EOPNOTSUPP;
10331 
10332 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10333 	    !info->attrs[NL80211_ATTR_MAC])
10334 		return -EINVAL;
10335 
10336 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10337 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10338 
10339 	return rdev_tdls_oper(rdev, dev, peer, operation);
10340 }
10341 
10342 static int nl80211_remain_on_channel(struct sk_buff *skb,
10343 				     struct genl_info *info)
10344 {
10345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10346 	struct wireless_dev *wdev = info->user_ptr[1];
10347 	struct cfg80211_chan_def chandef;
10348 	const struct cfg80211_chan_def *compat_chandef;
10349 	struct sk_buff *msg;
10350 	void *hdr;
10351 	u64 cookie;
10352 	u32 duration;
10353 	int err;
10354 
10355 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10356 	    !info->attrs[NL80211_ATTR_DURATION])
10357 		return -EINVAL;
10358 
10359 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10360 
10361 	if (!rdev->ops->remain_on_channel ||
10362 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
10363 		return -EOPNOTSUPP;
10364 
10365 	/*
10366 	 * We should be on that channel for at least a minimum amount of
10367 	 * time (10ms) but no longer than the driver supports.
10368 	 */
10369 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10370 	    duration > rdev->wiphy.max_remain_on_channel_duration)
10371 		return -EINVAL;
10372 
10373 	err = nl80211_parse_chandef(rdev, info, &chandef);
10374 	if (err)
10375 		return err;
10376 
10377 	wdev_lock(wdev);
10378 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
10379 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
10380 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
10381 							     &chandef);
10382 		if (compat_chandef != &chandef) {
10383 			wdev_unlock(wdev);
10384 			return -EBUSY;
10385 		}
10386 	}
10387 	wdev_unlock(wdev);
10388 
10389 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10390 	if (!msg)
10391 		return -ENOMEM;
10392 
10393 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10394 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10395 	if (!hdr) {
10396 		err = -ENOBUFS;
10397 		goto free_msg;
10398 	}
10399 
10400 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10401 				     duration, &cookie);
10402 
10403 	if (err)
10404 		goto free_msg;
10405 
10406 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10407 			      NL80211_ATTR_PAD))
10408 		goto nla_put_failure;
10409 
10410 	genlmsg_end(msg, hdr);
10411 
10412 	return genlmsg_reply(msg, info);
10413 
10414  nla_put_failure:
10415 	err = -ENOBUFS;
10416  free_msg:
10417 	nlmsg_free(msg);
10418 	return err;
10419 }
10420 
10421 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10422 					    struct genl_info *info)
10423 {
10424 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10425 	struct wireless_dev *wdev = info->user_ptr[1];
10426 	u64 cookie;
10427 
10428 	if (!info->attrs[NL80211_ATTR_COOKIE])
10429 		return -EINVAL;
10430 
10431 	if (!rdev->ops->cancel_remain_on_channel)
10432 		return -EOPNOTSUPP;
10433 
10434 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10435 
10436 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10437 }
10438 
10439 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10440 				       struct genl_info *info)
10441 {
10442 	struct cfg80211_bitrate_mask mask;
10443 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10444 	struct net_device *dev = info->user_ptr[1];
10445 	int err;
10446 
10447 	if (!rdev->ops->set_bitrate_mask)
10448 		return -EOPNOTSUPP;
10449 
10450 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
10451 	if (err)
10452 		return err;
10453 
10454 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10455 }
10456 
10457 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10458 {
10459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10460 	struct wireless_dev *wdev = info->user_ptr[1];
10461 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10462 
10463 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10464 		return -EINVAL;
10465 
10466 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10467 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10468 
10469 	switch (wdev->iftype) {
10470 	case NL80211_IFTYPE_STATION:
10471 	case NL80211_IFTYPE_ADHOC:
10472 	case NL80211_IFTYPE_P2P_CLIENT:
10473 	case NL80211_IFTYPE_AP:
10474 	case NL80211_IFTYPE_AP_VLAN:
10475 	case NL80211_IFTYPE_MESH_POINT:
10476 	case NL80211_IFTYPE_P2P_GO:
10477 	case NL80211_IFTYPE_P2P_DEVICE:
10478 		break;
10479 	case NL80211_IFTYPE_NAN:
10480 	default:
10481 		return -EOPNOTSUPP;
10482 	}
10483 
10484 	/* not much point in registering if we can't reply */
10485 	if (!rdev->ops->mgmt_tx)
10486 		return -EOPNOTSUPP;
10487 
10488 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10489 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10490 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
10491 }
10492 
10493 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10494 {
10495 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10496 	struct wireless_dev *wdev = info->user_ptr[1];
10497 	struct cfg80211_chan_def chandef;
10498 	int err;
10499 	void *hdr = NULL;
10500 	u64 cookie;
10501 	struct sk_buff *msg = NULL;
10502 	struct cfg80211_mgmt_tx_params params = {
10503 		.dont_wait_for_ack =
10504 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10505 	};
10506 
10507 	if (!info->attrs[NL80211_ATTR_FRAME])
10508 		return -EINVAL;
10509 
10510 	if (!rdev->ops->mgmt_tx)
10511 		return -EOPNOTSUPP;
10512 
10513 	switch (wdev->iftype) {
10514 	case NL80211_IFTYPE_P2P_DEVICE:
10515 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10516 			return -EINVAL;
10517 	case NL80211_IFTYPE_STATION:
10518 	case NL80211_IFTYPE_ADHOC:
10519 	case NL80211_IFTYPE_P2P_CLIENT:
10520 	case NL80211_IFTYPE_AP:
10521 	case NL80211_IFTYPE_AP_VLAN:
10522 	case NL80211_IFTYPE_MESH_POINT:
10523 	case NL80211_IFTYPE_P2P_GO:
10524 		break;
10525 	case NL80211_IFTYPE_NAN:
10526 	default:
10527 		return -EOPNOTSUPP;
10528 	}
10529 
10530 	if (info->attrs[NL80211_ATTR_DURATION]) {
10531 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10532 			return -EINVAL;
10533 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10534 
10535 		/*
10536 		 * We should wait on the channel for at least a minimum amount
10537 		 * of time (10ms) but no longer than the driver supports.
10538 		 */
10539 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10540 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
10541 			return -EINVAL;
10542 	}
10543 
10544 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10545 
10546 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10547 		return -EINVAL;
10548 
10549 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10550 
10551 	/* get the channel if any has been specified, otherwise pass NULL to
10552 	 * the driver. The latter will use the current one
10553 	 */
10554 	chandef.chan = NULL;
10555 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10556 		err = nl80211_parse_chandef(rdev, info, &chandef);
10557 		if (err)
10558 			return err;
10559 	}
10560 
10561 	if (!chandef.chan && params.offchan)
10562 		return -EINVAL;
10563 
10564 	wdev_lock(wdev);
10565 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10566 		wdev_unlock(wdev);
10567 		return -EBUSY;
10568 	}
10569 	wdev_unlock(wdev);
10570 
10571 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10572 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10573 
10574 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10575 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10576 		int i;
10577 
10578 		if (len % sizeof(u16))
10579 			return -EINVAL;
10580 
10581 		params.n_csa_offsets = len / sizeof(u16);
10582 		params.csa_offsets =
10583 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10584 
10585 		/* check that all the offsets fit the frame */
10586 		for (i = 0; i < params.n_csa_offsets; i++) {
10587 			if (params.csa_offsets[i] >= params.len)
10588 				return -EINVAL;
10589 		}
10590 	}
10591 
10592 	if (!params.dont_wait_for_ack) {
10593 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10594 		if (!msg)
10595 			return -ENOMEM;
10596 
10597 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10598 				     NL80211_CMD_FRAME);
10599 		if (!hdr) {
10600 			err = -ENOBUFS;
10601 			goto free_msg;
10602 		}
10603 	}
10604 
10605 	params.chan = chandef.chan;
10606 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10607 	if (err)
10608 		goto free_msg;
10609 
10610 	if (msg) {
10611 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10612 				      NL80211_ATTR_PAD))
10613 			goto nla_put_failure;
10614 
10615 		genlmsg_end(msg, hdr);
10616 		return genlmsg_reply(msg, info);
10617 	}
10618 
10619 	return 0;
10620 
10621  nla_put_failure:
10622 	err = -ENOBUFS;
10623  free_msg:
10624 	nlmsg_free(msg);
10625 	return err;
10626 }
10627 
10628 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10629 {
10630 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10631 	struct wireless_dev *wdev = info->user_ptr[1];
10632 	u64 cookie;
10633 
10634 	if (!info->attrs[NL80211_ATTR_COOKIE])
10635 		return -EINVAL;
10636 
10637 	if (!rdev->ops->mgmt_tx_cancel_wait)
10638 		return -EOPNOTSUPP;
10639 
10640 	switch (wdev->iftype) {
10641 	case NL80211_IFTYPE_STATION:
10642 	case NL80211_IFTYPE_ADHOC:
10643 	case NL80211_IFTYPE_P2P_CLIENT:
10644 	case NL80211_IFTYPE_AP:
10645 	case NL80211_IFTYPE_AP_VLAN:
10646 	case NL80211_IFTYPE_P2P_GO:
10647 	case NL80211_IFTYPE_P2P_DEVICE:
10648 		break;
10649 	case NL80211_IFTYPE_NAN:
10650 	default:
10651 		return -EOPNOTSUPP;
10652 	}
10653 
10654 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10655 
10656 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10657 }
10658 
10659 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10660 {
10661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10662 	struct wireless_dev *wdev;
10663 	struct net_device *dev = info->user_ptr[1];
10664 	u8 ps_state;
10665 	bool state;
10666 	int err;
10667 
10668 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10669 		return -EINVAL;
10670 
10671 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10672 
10673 	wdev = dev->ieee80211_ptr;
10674 
10675 	if (!rdev->ops->set_power_mgmt)
10676 		return -EOPNOTSUPP;
10677 
10678 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10679 
10680 	if (state == wdev->ps)
10681 		return 0;
10682 
10683 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10684 	if (!err)
10685 		wdev->ps = state;
10686 	return err;
10687 }
10688 
10689 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10690 {
10691 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10692 	enum nl80211_ps_state ps_state;
10693 	struct wireless_dev *wdev;
10694 	struct net_device *dev = info->user_ptr[1];
10695 	struct sk_buff *msg;
10696 	void *hdr;
10697 	int err;
10698 
10699 	wdev = dev->ieee80211_ptr;
10700 
10701 	if (!rdev->ops->set_power_mgmt)
10702 		return -EOPNOTSUPP;
10703 
10704 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10705 	if (!msg)
10706 		return -ENOMEM;
10707 
10708 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10709 			     NL80211_CMD_GET_POWER_SAVE);
10710 	if (!hdr) {
10711 		err = -ENOBUFS;
10712 		goto free_msg;
10713 	}
10714 
10715 	if (wdev->ps)
10716 		ps_state = NL80211_PS_ENABLED;
10717 	else
10718 		ps_state = NL80211_PS_DISABLED;
10719 
10720 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
10721 		goto nla_put_failure;
10722 
10723 	genlmsg_end(msg, hdr);
10724 	return genlmsg_reply(msg, info);
10725 
10726  nla_put_failure:
10727 	err = -ENOBUFS;
10728  free_msg:
10729 	nlmsg_free(msg);
10730 	return err;
10731 }
10732 
10733 static const struct nla_policy
10734 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
10735 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
10736 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
10737 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
10738 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
10739 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
10740 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
10741 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
10742 };
10743 
10744 static int nl80211_set_cqm_txe(struct genl_info *info,
10745 			       u32 rate, u32 pkts, u32 intvl)
10746 {
10747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10748 	struct net_device *dev = info->user_ptr[1];
10749 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10750 
10751 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
10752 		return -EINVAL;
10753 
10754 	if (!rdev->ops->set_cqm_txe_config)
10755 		return -EOPNOTSUPP;
10756 
10757 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10758 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10759 		return -EOPNOTSUPP;
10760 
10761 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
10762 }
10763 
10764 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
10765 				    struct net_device *dev)
10766 {
10767 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10768 	s32 last, low, high;
10769 	u32 hyst;
10770 	int i, n, low_index;
10771 	int err;
10772 
10773 	/* RSSI reporting disabled? */
10774 	if (!wdev->cqm_config)
10775 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
10776 
10777 	/*
10778 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
10779 	 * event has been received yet, we should receive an event after a
10780 	 * connection is established and enough beacons received to calculate
10781 	 * the average.
10782 	 */
10783 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
10784 	    rdev->ops->get_station) {
10785 		struct station_info sinfo = {};
10786 		u8 *mac_addr;
10787 
10788 		mac_addr = wdev->current_bss->pub.bssid;
10789 
10790 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
10791 		if (err)
10792 			return err;
10793 
10794 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
10795 			wdev->cqm_config->last_rssi_event_value =
10796 				(s8) sinfo.rx_beacon_signal_avg;
10797 	}
10798 
10799 	last = wdev->cqm_config->last_rssi_event_value;
10800 	hyst = wdev->cqm_config->rssi_hyst;
10801 	n = wdev->cqm_config->n_rssi_thresholds;
10802 
10803 	for (i = 0; i < n; i++)
10804 		if (last < wdev->cqm_config->rssi_thresholds[i])
10805 			break;
10806 
10807 	low_index = i - 1;
10808 	if (low_index >= 0) {
10809 		low_index = array_index_nospec(low_index, n);
10810 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
10811 	} else {
10812 		low = S32_MIN;
10813 	}
10814 	if (i < n) {
10815 		i = array_index_nospec(i, n);
10816 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
10817 	} else {
10818 		high = S32_MAX;
10819 	}
10820 
10821 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
10822 }
10823 
10824 static int nl80211_set_cqm_rssi(struct genl_info *info,
10825 				const s32 *thresholds, int n_thresholds,
10826 				u32 hysteresis)
10827 {
10828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10829 	struct net_device *dev = info->user_ptr[1];
10830 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10831 	int i, err;
10832 	s32 prev = S32_MIN;
10833 
10834 	/* Check all values negative and sorted */
10835 	for (i = 0; i < n_thresholds; i++) {
10836 		if (thresholds[i] > 0 || thresholds[i] <= prev)
10837 			return -EINVAL;
10838 
10839 		prev = thresholds[i];
10840 	}
10841 
10842 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10843 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10844 		return -EOPNOTSUPP;
10845 
10846 	wdev_lock(wdev);
10847 	cfg80211_cqm_config_free(wdev);
10848 	wdev_unlock(wdev);
10849 
10850 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
10851 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
10852 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
10853 
10854 		return rdev_set_cqm_rssi_config(rdev, dev,
10855 						thresholds[0], hysteresis);
10856 	}
10857 
10858 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
10859 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
10860 		return -EOPNOTSUPP;
10861 
10862 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
10863 		n_thresholds = 0;
10864 
10865 	wdev_lock(wdev);
10866 	if (n_thresholds) {
10867 		struct cfg80211_cqm_config *cqm_config;
10868 
10869 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
10870 				     n_thresholds * sizeof(s32), GFP_KERNEL);
10871 		if (!cqm_config) {
10872 			err = -ENOMEM;
10873 			goto unlock;
10874 		}
10875 
10876 		cqm_config->rssi_hyst = hysteresis;
10877 		cqm_config->n_rssi_thresholds = n_thresholds;
10878 		memcpy(cqm_config->rssi_thresholds, thresholds,
10879 		       n_thresholds * sizeof(s32));
10880 
10881 		wdev->cqm_config = cqm_config;
10882 	}
10883 
10884 	err = cfg80211_cqm_rssi_update(rdev, dev);
10885 
10886 unlock:
10887 	wdev_unlock(wdev);
10888 
10889 	return err;
10890 }
10891 
10892 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
10893 {
10894 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
10895 	struct nlattr *cqm;
10896 	int err;
10897 
10898 	cqm = info->attrs[NL80211_ATTR_CQM];
10899 	if (!cqm)
10900 		return -EINVAL;
10901 
10902 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
10903 					  nl80211_attr_cqm_policy,
10904 					  info->extack);
10905 	if (err)
10906 		return err;
10907 
10908 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
10909 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
10910 		const s32 *thresholds =
10911 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10912 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10913 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
10914 
10915 		if (len % 4)
10916 			return -EINVAL;
10917 
10918 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
10919 					    hysteresis);
10920 	}
10921 
10922 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
10923 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
10924 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
10925 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
10926 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
10927 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
10928 
10929 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
10930 	}
10931 
10932 	return -EINVAL;
10933 }
10934 
10935 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
10936 {
10937 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10938 	struct net_device *dev = info->user_ptr[1];
10939 	struct ocb_setup setup = {};
10940 	int err;
10941 
10942 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10943 	if (err)
10944 		return err;
10945 
10946 	return cfg80211_join_ocb(rdev, dev, &setup);
10947 }
10948 
10949 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
10950 {
10951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10952 	struct net_device *dev = info->user_ptr[1];
10953 
10954 	return cfg80211_leave_ocb(rdev, dev);
10955 }
10956 
10957 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
10958 {
10959 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10960 	struct net_device *dev = info->user_ptr[1];
10961 	struct mesh_config cfg;
10962 	struct mesh_setup setup;
10963 	int err;
10964 
10965 	/* start with default */
10966 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
10967 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
10968 
10969 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
10970 		/* and parse parameters if given */
10971 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
10972 		if (err)
10973 			return err;
10974 	}
10975 
10976 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
10977 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
10978 		return -EINVAL;
10979 
10980 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
10981 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
10982 
10983 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10984 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
10985 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10986 			return -EINVAL;
10987 
10988 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
10989 		setup.beacon_interval =
10990 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10991 
10992 		err = cfg80211_validate_beacon_int(rdev,
10993 						   NL80211_IFTYPE_MESH_POINT,
10994 						   setup.beacon_interval);
10995 		if (err)
10996 			return err;
10997 	}
10998 
10999 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11000 		setup.dtim_period =
11001 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11002 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11003 			return -EINVAL;
11004 	}
11005 
11006 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11007 		/* parse additional setup parameters if given */
11008 		err = nl80211_parse_mesh_setup(info, &setup);
11009 		if (err)
11010 			return err;
11011 	}
11012 
11013 	if (setup.user_mpm)
11014 		cfg.auto_open_plinks = false;
11015 
11016 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11017 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11018 		if (err)
11019 			return err;
11020 	} else {
11021 		/* __cfg80211_join_mesh() will sort it out */
11022 		setup.chandef.chan = NULL;
11023 	}
11024 
11025 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11026 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11027 		int n_rates =
11028 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11029 		struct ieee80211_supported_band *sband;
11030 
11031 		if (!setup.chandef.chan)
11032 			return -EINVAL;
11033 
11034 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11035 
11036 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11037 					     &setup.basic_rates);
11038 		if (err)
11039 			return err;
11040 	}
11041 
11042 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11043 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
11044 		if (err)
11045 			return err;
11046 
11047 		if (!setup.chandef.chan)
11048 			return -EINVAL;
11049 
11050 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11051 					      &setup.beacon_rate);
11052 		if (err)
11053 			return err;
11054 	}
11055 
11056 	setup.userspace_handles_dfs =
11057 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11058 
11059 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11060 		int r = validate_pae_over_nl80211(rdev, info);
11061 
11062 		if (r < 0)
11063 			return r;
11064 
11065 		setup.control_port_over_nl80211 = true;
11066 	}
11067 
11068 	wdev_lock(dev->ieee80211_ptr);
11069 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11070 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11071 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11072 	wdev_unlock(dev->ieee80211_ptr);
11073 
11074 	return err;
11075 }
11076 
11077 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11078 {
11079 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11080 	struct net_device *dev = info->user_ptr[1];
11081 
11082 	return cfg80211_leave_mesh(rdev, dev);
11083 }
11084 
11085 #ifdef CONFIG_PM
11086 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11087 					struct cfg80211_registered_device *rdev)
11088 {
11089 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11090 	struct nlattr *nl_pats, *nl_pat;
11091 	int i, pat_len;
11092 
11093 	if (!wowlan->n_patterns)
11094 		return 0;
11095 
11096 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11097 	if (!nl_pats)
11098 		return -ENOBUFS;
11099 
11100 	for (i = 0; i < wowlan->n_patterns; i++) {
11101 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11102 		if (!nl_pat)
11103 			return -ENOBUFS;
11104 		pat_len = wowlan->patterns[i].pattern_len;
11105 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11106 			    wowlan->patterns[i].mask) ||
11107 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11108 			    wowlan->patterns[i].pattern) ||
11109 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11110 				wowlan->patterns[i].pkt_offset))
11111 			return -ENOBUFS;
11112 		nla_nest_end(msg, nl_pat);
11113 	}
11114 	nla_nest_end(msg, nl_pats);
11115 
11116 	return 0;
11117 }
11118 
11119 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11120 				   struct cfg80211_wowlan_tcp *tcp)
11121 {
11122 	struct nlattr *nl_tcp;
11123 
11124 	if (!tcp)
11125 		return 0;
11126 
11127 	nl_tcp = nla_nest_start_noflag(msg,
11128 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11129 	if (!nl_tcp)
11130 		return -ENOBUFS;
11131 
11132 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11133 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11134 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11135 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11136 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11137 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11138 		    tcp->payload_len, tcp->payload) ||
11139 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11140 			tcp->data_interval) ||
11141 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11142 		    tcp->wake_len, tcp->wake_data) ||
11143 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11144 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11145 		return -ENOBUFS;
11146 
11147 	if (tcp->payload_seq.len &&
11148 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11149 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11150 		return -ENOBUFS;
11151 
11152 	if (tcp->payload_tok.len &&
11153 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11154 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11155 		    &tcp->payload_tok))
11156 		return -ENOBUFS;
11157 
11158 	nla_nest_end(msg, nl_tcp);
11159 
11160 	return 0;
11161 }
11162 
11163 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11164 				  struct cfg80211_sched_scan_request *req)
11165 {
11166 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11167 	int i;
11168 
11169 	if (!req)
11170 		return 0;
11171 
11172 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11173 	if (!nd)
11174 		return -ENOBUFS;
11175 
11176 	if (req->n_scan_plans == 1 &&
11177 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11178 			req->scan_plans[0].interval * 1000))
11179 		return -ENOBUFS;
11180 
11181 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11182 		return -ENOBUFS;
11183 
11184 	if (req->relative_rssi_set) {
11185 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11186 
11187 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11188 			       req->relative_rssi))
11189 			return -ENOBUFS;
11190 
11191 		rssi_adjust.band = req->rssi_adjust.band;
11192 		rssi_adjust.delta = req->rssi_adjust.delta;
11193 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11194 			    sizeof(rssi_adjust), &rssi_adjust))
11195 			return -ENOBUFS;
11196 	}
11197 
11198 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11199 	if (!freqs)
11200 		return -ENOBUFS;
11201 
11202 	for (i = 0; i < req->n_channels; i++) {
11203 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11204 			return -ENOBUFS;
11205 	}
11206 
11207 	nla_nest_end(msg, freqs);
11208 
11209 	if (req->n_match_sets) {
11210 		matches = nla_nest_start_noflag(msg,
11211 						NL80211_ATTR_SCHED_SCAN_MATCH);
11212 		if (!matches)
11213 			return -ENOBUFS;
11214 
11215 		for (i = 0; i < req->n_match_sets; i++) {
11216 			match = nla_nest_start_noflag(msg, i);
11217 			if (!match)
11218 				return -ENOBUFS;
11219 
11220 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11221 				    req->match_sets[i].ssid.ssid_len,
11222 				    req->match_sets[i].ssid.ssid))
11223 				return -ENOBUFS;
11224 			nla_nest_end(msg, match);
11225 		}
11226 		nla_nest_end(msg, matches);
11227 	}
11228 
11229 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11230 	if (!scan_plans)
11231 		return -ENOBUFS;
11232 
11233 	for (i = 0; i < req->n_scan_plans; i++) {
11234 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11235 		if (!scan_plan)
11236 			return -ENOBUFS;
11237 
11238 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11239 				req->scan_plans[i].interval) ||
11240 		    (req->scan_plans[i].iterations &&
11241 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11242 				 req->scan_plans[i].iterations)))
11243 			return -ENOBUFS;
11244 		nla_nest_end(msg, scan_plan);
11245 	}
11246 	nla_nest_end(msg, scan_plans);
11247 
11248 	nla_nest_end(msg, nd);
11249 
11250 	return 0;
11251 }
11252 
11253 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11254 {
11255 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11256 	struct sk_buff *msg;
11257 	void *hdr;
11258 	u32 size = NLMSG_DEFAULT_SIZE;
11259 
11260 	if (!rdev->wiphy.wowlan)
11261 		return -EOPNOTSUPP;
11262 
11263 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11264 		/* adjust size to have room for all the data */
11265 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11266 			rdev->wiphy.wowlan_config->tcp->payload_len +
11267 			rdev->wiphy.wowlan_config->tcp->wake_len +
11268 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11269 	}
11270 
11271 	msg = nlmsg_new(size, GFP_KERNEL);
11272 	if (!msg)
11273 		return -ENOMEM;
11274 
11275 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11276 			     NL80211_CMD_GET_WOWLAN);
11277 	if (!hdr)
11278 		goto nla_put_failure;
11279 
11280 	if (rdev->wiphy.wowlan_config) {
11281 		struct nlattr *nl_wowlan;
11282 
11283 		nl_wowlan = nla_nest_start_noflag(msg,
11284 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11285 		if (!nl_wowlan)
11286 			goto nla_put_failure;
11287 
11288 		if ((rdev->wiphy.wowlan_config->any &&
11289 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11290 		    (rdev->wiphy.wowlan_config->disconnect &&
11291 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11292 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11293 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11294 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11295 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11296 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11297 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11298 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11299 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11300 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11301 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11302 			goto nla_put_failure;
11303 
11304 		if (nl80211_send_wowlan_patterns(msg, rdev))
11305 			goto nla_put_failure;
11306 
11307 		if (nl80211_send_wowlan_tcp(msg,
11308 					    rdev->wiphy.wowlan_config->tcp))
11309 			goto nla_put_failure;
11310 
11311 		if (nl80211_send_wowlan_nd(
11312 			    msg,
11313 			    rdev->wiphy.wowlan_config->nd_config))
11314 			goto nla_put_failure;
11315 
11316 		nla_nest_end(msg, nl_wowlan);
11317 	}
11318 
11319 	genlmsg_end(msg, hdr);
11320 	return genlmsg_reply(msg, info);
11321 
11322 nla_put_failure:
11323 	nlmsg_free(msg);
11324 	return -ENOBUFS;
11325 }
11326 
11327 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11328 				    struct nlattr *attr,
11329 				    struct cfg80211_wowlan *trig)
11330 {
11331 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11332 	struct cfg80211_wowlan_tcp *cfg;
11333 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11334 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11335 	u32 size;
11336 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11337 	int err, port;
11338 
11339 	if (!rdev->wiphy.wowlan->tcp)
11340 		return -EINVAL;
11341 
11342 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11343 					  nl80211_wowlan_tcp_policy, NULL);
11344 	if (err)
11345 		return err;
11346 
11347 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
11348 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
11349 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
11350 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
11351 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
11352 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
11353 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
11354 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
11355 		return -EINVAL;
11356 
11357 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
11358 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
11359 		return -EINVAL;
11360 
11361 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
11362 			rdev->wiphy.wowlan->tcp->data_interval_max ||
11363 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
11364 		return -EINVAL;
11365 
11366 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
11367 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
11368 		return -EINVAL;
11369 
11370 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
11371 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
11372 		return -EINVAL;
11373 
11374 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
11375 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11376 
11377 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11378 		tokens_size = tokln - sizeof(*tok);
11379 
11380 		if (!tok->len || tokens_size % tok->len)
11381 			return -EINVAL;
11382 		if (!rdev->wiphy.wowlan->tcp->tok)
11383 			return -EINVAL;
11384 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
11385 			return -EINVAL;
11386 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
11387 			return -EINVAL;
11388 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
11389 			return -EINVAL;
11390 		if (tok->offset + tok->len > data_size)
11391 			return -EINVAL;
11392 	}
11393 
11394 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11395 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11396 		if (!rdev->wiphy.wowlan->tcp->seq)
11397 			return -EINVAL;
11398 		if (seq->len == 0 || seq->len > 4)
11399 			return -EINVAL;
11400 		if (seq->len + seq->offset > data_size)
11401 			return -EINVAL;
11402 	}
11403 
11404 	size = sizeof(*cfg);
11405 	size += data_size;
11406 	size += wake_size + wake_mask_size;
11407 	size += tokens_size;
11408 
11409 	cfg = kzalloc(size, GFP_KERNEL);
11410 	if (!cfg)
11411 		return -ENOMEM;
11412 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11413 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11414 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11415 	       ETH_ALEN);
11416 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11417 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11418 	else
11419 		port = 0;
11420 #ifdef CONFIG_INET
11421 	/* allocate a socket and port for it and use it */
11422 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11423 			    IPPROTO_TCP, &cfg->sock, 1);
11424 	if (err) {
11425 		kfree(cfg);
11426 		return err;
11427 	}
11428 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11429 		sock_release(cfg->sock);
11430 		kfree(cfg);
11431 		return -EADDRINUSE;
11432 	}
11433 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11434 #else
11435 	if (!port) {
11436 		kfree(cfg);
11437 		return -EINVAL;
11438 	}
11439 	cfg->src_port = port;
11440 #endif
11441 
11442 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11443 	cfg->payload_len = data_size;
11444 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11445 	memcpy((void *)cfg->payload,
11446 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11447 	       data_size);
11448 	if (seq)
11449 		cfg->payload_seq = *seq;
11450 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11451 	cfg->wake_len = wake_size;
11452 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11453 	memcpy((void *)cfg->wake_data,
11454 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11455 	       wake_size);
11456 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11457 			 data_size + wake_size;
11458 	memcpy((void *)cfg->wake_mask,
11459 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11460 	       wake_mask_size);
11461 	if (tok) {
11462 		cfg->tokens_size = tokens_size;
11463 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11464 	}
11465 
11466 	trig->tcp = cfg;
11467 
11468 	return 0;
11469 }
11470 
11471 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11472 				   const struct wiphy_wowlan_support *wowlan,
11473 				   struct nlattr *attr,
11474 				   struct cfg80211_wowlan *trig)
11475 {
11476 	struct nlattr **tb;
11477 	int err;
11478 
11479 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11480 	if (!tb)
11481 		return -ENOMEM;
11482 
11483 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11484 		err = -EOPNOTSUPP;
11485 		goto out;
11486 	}
11487 
11488 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
11489 					  nl80211_policy, NULL);
11490 	if (err)
11491 		goto out;
11492 
11493 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11494 						   wowlan->max_nd_match_sets);
11495 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11496 	if (err)
11497 		trig->nd_config = NULL;
11498 
11499 out:
11500 	kfree(tb);
11501 	return err;
11502 }
11503 
11504 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11505 {
11506 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11507 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11508 	struct cfg80211_wowlan new_triggers = {};
11509 	struct cfg80211_wowlan *ntrig;
11510 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11511 	int err, i;
11512 	bool prev_enabled = rdev->wiphy.wowlan_config;
11513 	bool regular = false;
11514 
11515 	if (!wowlan)
11516 		return -EOPNOTSUPP;
11517 
11518 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11519 		cfg80211_rdev_free_wowlan(rdev);
11520 		rdev->wiphy.wowlan_config = NULL;
11521 		goto set_wakeup;
11522 	}
11523 
11524 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
11525 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11526 					  nl80211_wowlan_policy, info->extack);
11527 	if (err)
11528 		return err;
11529 
11530 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11531 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11532 			return -EINVAL;
11533 		new_triggers.any = true;
11534 	}
11535 
11536 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11537 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11538 			return -EINVAL;
11539 		new_triggers.disconnect = true;
11540 		regular = true;
11541 	}
11542 
11543 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11544 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11545 			return -EINVAL;
11546 		new_triggers.magic_pkt = true;
11547 		regular = true;
11548 	}
11549 
11550 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11551 		return -EINVAL;
11552 
11553 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11554 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11555 			return -EINVAL;
11556 		new_triggers.gtk_rekey_failure = true;
11557 		regular = true;
11558 	}
11559 
11560 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11561 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11562 			return -EINVAL;
11563 		new_triggers.eap_identity_req = true;
11564 		regular = true;
11565 	}
11566 
11567 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11568 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11569 			return -EINVAL;
11570 		new_triggers.four_way_handshake = true;
11571 		regular = true;
11572 	}
11573 
11574 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11575 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11576 			return -EINVAL;
11577 		new_triggers.rfkill_release = true;
11578 		regular = true;
11579 	}
11580 
11581 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11582 		struct nlattr *pat;
11583 		int n_patterns = 0;
11584 		int rem, pat_len, mask_len, pkt_offset;
11585 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11586 
11587 		regular = true;
11588 
11589 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11590 				    rem)
11591 			n_patterns++;
11592 		if (n_patterns > wowlan->n_patterns)
11593 			return -EINVAL;
11594 
11595 		new_triggers.patterns = kcalloc(n_patterns,
11596 						sizeof(new_triggers.patterns[0]),
11597 						GFP_KERNEL);
11598 		if (!new_triggers.patterns)
11599 			return -ENOMEM;
11600 
11601 		new_triggers.n_patterns = n_patterns;
11602 		i = 0;
11603 
11604 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11605 				    rem) {
11606 			u8 *mask_pat;
11607 
11608 			err = nla_parse_nested_deprecated(pat_tb,
11609 							  MAX_NL80211_PKTPAT,
11610 							  pat,
11611 							  nl80211_packet_pattern_policy,
11612 							  info->extack);
11613 			if (err)
11614 				goto error;
11615 
11616 			err = -EINVAL;
11617 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
11618 			    !pat_tb[NL80211_PKTPAT_PATTERN])
11619 				goto error;
11620 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11621 			mask_len = DIV_ROUND_UP(pat_len, 8);
11622 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11623 				goto error;
11624 			if (pat_len > wowlan->pattern_max_len ||
11625 			    pat_len < wowlan->pattern_min_len)
11626 				goto error;
11627 
11628 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
11629 				pkt_offset = 0;
11630 			else
11631 				pkt_offset = nla_get_u32(
11632 					pat_tb[NL80211_PKTPAT_OFFSET]);
11633 			if (pkt_offset > wowlan->max_pkt_offset)
11634 				goto error;
11635 			new_triggers.patterns[i].pkt_offset = pkt_offset;
11636 
11637 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11638 			if (!mask_pat) {
11639 				err = -ENOMEM;
11640 				goto error;
11641 			}
11642 			new_triggers.patterns[i].mask = mask_pat;
11643 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11644 			       mask_len);
11645 			mask_pat += mask_len;
11646 			new_triggers.patterns[i].pattern = mask_pat;
11647 			new_triggers.patterns[i].pattern_len = pat_len;
11648 			memcpy(mask_pat,
11649 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11650 			       pat_len);
11651 			i++;
11652 		}
11653 	}
11654 
11655 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11656 		regular = true;
11657 		err = nl80211_parse_wowlan_tcp(
11658 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11659 			&new_triggers);
11660 		if (err)
11661 			goto error;
11662 	}
11663 
11664 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11665 		regular = true;
11666 		err = nl80211_parse_wowlan_nd(
11667 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11668 			&new_triggers);
11669 		if (err)
11670 			goto error;
11671 	}
11672 
11673 	/* The 'any' trigger means the device continues operating more or less
11674 	 * as in its normal operation mode and wakes up the host on most of the
11675 	 * normal interrupts (like packet RX, ...)
11676 	 * It therefore makes little sense to combine with the more constrained
11677 	 * wakeup trigger modes.
11678 	 */
11679 	if (new_triggers.any && regular) {
11680 		err = -EINVAL;
11681 		goto error;
11682 	}
11683 
11684 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11685 	if (!ntrig) {
11686 		err = -ENOMEM;
11687 		goto error;
11688 	}
11689 	cfg80211_rdev_free_wowlan(rdev);
11690 	rdev->wiphy.wowlan_config = ntrig;
11691 
11692  set_wakeup:
11693 	if (rdev->ops->set_wakeup &&
11694 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11695 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11696 
11697 	return 0;
11698  error:
11699 	for (i = 0; i < new_triggers.n_patterns; i++)
11700 		kfree(new_triggers.patterns[i].mask);
11701 	kfree(new_triggers.patterns);
11702 	if (new_triggers.tcp && new_triggers.tcp->sock)
11703 		sock_release(new_triggers.tcp->sock);
11704 	kfree(new_triggers.tcp);
11705 	kfree(new_triggers.nd_config);
11706 	return err;
11707 }
11708 #endif
11709 
11710 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
11711 				       struct cfg80211_registered_device *rdev)
11712 {
11713 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
11714 	int i, j, pat_len;
11715 	struct cfg80211_coalesce_rules *rule;
11716 
11717 	if (!rdev->coalesce->n_rules)
11718 		return 0;
11719 
11720 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
11721 	if (!nl_rules)
11722 		return -ENOBUFS;
11723 
11724 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
11725 		nl_rule = nla_nest_start_noflag(msg, i + 1);
11726 		if (!nl_rule)
11727 			return -ENOBUFS;
11728 
11729 		rule = &rdev->coalesce->rules[i];
11730 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
11731 				rule->delay))
11732 			return -ENOBUFS;
11733 
11734 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
11735 				rule->condition))
11736 			return -ENOBUFS;
11737 
11738 		nl_pats = nla_nest_start_noflag(msg,
11739 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
11740 		if (!nl_pats)
11741 			return -ENOBUFS;
11742 
11743 		for (j = 0; j < rule->n_patterns; j++) {
11744 			nl_pat = nla_nest_start_noflag(msg, j + 1);
11745 			if (!nl_pat)
11746 				return -ENOBUFS;
11747 			pat_len = rule->patterns[j].pattern_len;
11748 			if (nla_put(msg, NL80211_PKTPAT_MASK,
11749 				    DIV_ROUND_UP(pat_len, 8),
11750 				    rule->patterns[j].mask) ||
11751 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11752 				    rule->patterns[j].pattern) ||
11753 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11754 					rule->patterns[j].pkt_offset))
11755 				return -ENOBUFS;
11756 			nla_nest_end(msg, nl_pat);
11757 		}
11758 		nla_nest_end(msg, nl_pats);
11759 		nla_nest_end(msg, nl_rule);
11760 	}
11761 	nla_nest_end(msg, nl_rules);
11762 
11763 	return 0;
11764 }
11765 
11766 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
11767 {
11768 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11769 	struct sk_buff *msg;
11770 	void *hdr;
11771 
11772 	if (!rdev->wiphy.coalesce)
11773 		return -EOPNOTSUPP;
11774 
11775 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11776 	if (!msg)
11777 		return -ENOMEM;
11778 
11779 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11780 			     NL80211_CMD_GET_COALESCE);
11781 	if (!hdr)
11782 		goto nla_put_failure;
11783 
11784 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
11785 		goto nla_put_failure;
11786 
11787 	genlmsg_end(msg, hdr);
11788 	return genlmsg_reply(msg, info);
11789 
11790 nla_put_failure:
11791 	nlmsg_free(msg);
11792 	return -ENOBUFS;
11793 }
11794 
11795 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
11796 {
11797 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
11798 	int i, j;
11799 	struct cfg80211_coalesce_rules *rule;
11800 
11801 	if (!coalesce)
11802 		return;
11803 
11804 	for (i = 0; i < coalesce->n_rules; i++) {
11805 		rule = &coalesce->rules[i];
11806 		for (j = 0; j < rule->n_patterns; j++)
11807 			kfree(rule->patterns[j].mask);
11808 		kfree(rule->patterns);
11809 	}
11810 	kfree(coalesce->rules);
11811 	kfree(coalesce);
11812 	rdev->coalesce = NULL;
11813 }
11814 
11815 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
11816 				       struct nlattr *rule,
11817 				       struct cfg80211_coalesce_rules *new_rule)
11818 {
11819 	int err, i;
11820 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11821 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
11822 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
11823 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11824 
11825 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
11826 					  rule, nl80211_coalesce_policy, NULL);
11827 	if (err)
11828 		return err;
11829 
11830 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
11831 		new_rule->delay =
11832 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
11833 	if (new_rule->delay > coalesce->max_delay)
11834 		return -EINVAL;
11835 
11836 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
11837 		new_rule->condition =
11838 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
11839 
11840 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
11841 		return -EINVAL;
11842 
11843 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11844 			    rem)
11845 		n_patterns++;
11846 	if (n_patterns > coalesce->n_patterns)
11847 		return -EINVAL;
11848 
11849 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
11850 				     GFP_KERNEL);
11851 	if (!new_rule->patterns)
11852 		return -ENOMEM;
11853 
11854 	new_rule->n_patterns = n_patterns;
11855 	i = 0;
11856 
11857 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11858 			    rem) {
11859 		u8 *mask_pat;
11860 
11861 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
11862 						  pat,
11863 						  nl80211_packet_pattern_policy,
11864 						  NULL);
11865 		if (err)
11866 			return err;
11867 
11868 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
11869 		    !pat_tb[NL80211_PKTPAT_PATTERN])
11870 			return -EINVAL;
11871 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11872 		mask_len = DIV_ROUND_UP(pat_len, 8);
11873 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11874 			return -EINVAL;
11875 		if (pat_len > coalesce->pattern_max_len ||
11876 		    pat_len < coalesce->pattern_min_len)
11877 			return -EINVAL;
11878 
11879 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
11880 			pkt_offset = 0;
11881 		else
11882 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
11883 		if (pkt_offset > coalesce->max_pkt_offset)
11884 			return -EINVAL;
11885 		new_rule->patterns[i].pkt_offset = pkt_offset;
11886 
11887 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11888 		if (!mask_pat)
11889 			return -ENOMEM;
11890 
11891 		new_rule->patterns[i].mask = mask_pat;
11892 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11893 		       mask_len);
11894 
11895 		mask_pat += mask_len;
11896 		new_rule->patterns[i].pattern = mask_pat;
11897 		new_rule->patterns[i].pattern_len = pat_len;
11898 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11899 		       pat_len);
11900 		i++;
11901 	}
11902 
11903 	return 0;
11904 }
11905 
11906 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
11907 {
11908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11909 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11910 	struct cfg80211_coalesce new_coalesce = {};
11911 	struct cfg80211_coalesce *n_coalesce;
11912 	int err, rem_rule, n_rules = 0, i, j;
11913 	struct nlattr *rule;
11914 	struct cfg80211_coalesce_rules *tmp_rule;
11915 
11916 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
11917 		return -EOPNOTSUPP;
11918 
11919 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
11920 		cfg80211_rdev_free_coalesce(rdev);
11921 		rdev_set_coalesce(rdev, NULL);
11922 		return 0;
11923 	}
11924 
11925 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11926 			    rem_rule)
11927 		n_rules++;
11928 	if (n_rules > coalesce->n_rules)
11929 		return -EINVAL;
11930 
11931 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
11932 				     GFP_KERNEL);
11933 	if (!new_coalesce.rules)
11934 		return -ENOMEM;
11935 
11936 	new_coalesce.n_rules = n_rules;
11937 	i = 0;
11938 
11939 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11940 			    rem_rule) {
11941 		err = nl80211_parse_coalesce_rule(rdev, rule,
11942 						  &new_coalesce.rules[i]);
11943 		if (err)
11944 			goto error;
11945 
11946 		i++;
11947 	}
11948 
11949 	err = rdev_set_coalesce(rdev, &new_coalesce);
11950 	if (err)
11951 		goto error;
11952 
11953 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
11954 	if (!n_coalesce) {
11955 		err = -ENOMEM;
11956 		goto error;
11957 	}
11958 	cfg80211_rdev_free_coalesce(rdev);
11959 	rdev->coalesce = n_coalesce;
11960 
11961 	return 0;
11962 error:
11963 	for (i = 0; i < new_coalesce.n_rules; i++) {
11964 		tmp_rule = &new_coalesce.rules[i];
11965 		for (j = 0; j < tmp_rule->n_patterns; j++)
11966 			kfree(tmp_rule->patterns[j].mask);
11967 		kfree(tmp_rule->patterns);
11968 	}
11969 	kfree(new_coalesce.rules);
11970 
11971 	return err;
11972 }
11973 
11974 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
11975 {
11976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11977 	struct net_device *dev = info->user_ptr[1];
11978 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11979 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
11980 	struct cfg80211_gtk_rekey_data rekey_data;
11981 	int err;
11982 
11983 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
11984 		return -EINVAL;
11985 
11986 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
11987 					  info->attrs[NL80211_ATTR_REKEY_DATA],
11988 					  nl80211_rekey_policy, info->extack);
11989 	if (err)
11990 		return err;
11991 
11992 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
11993 	    !tb[NL80211_REKEY_DATA_KCK])
11994 		return -EINVAL;
11995 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
11996 		return -ERANGE;
11997 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
11998 		return -ERANGE;
11999 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
12000 		return -ERANGE;
12001 
12002 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12003 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12004 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12005 
12006 	wdev_lock(wdev);
12007 	if (!wdev->current_bss) {
12008 		err = -ENOTCONN;
12009 		goto out;
12010 	}
12011 
12012 	if (!rdev->ops->set_rekey_data) {
12013 		err = -EOPNOTSUPP;
12014 		goto out;
12015 	}
12016 
12017 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12018  out:
12019 	wdev_unlock(wdev);
12020 	return err;
12021 }
12022 
12023 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12024 					     struct genl_info *info)
12025 {
12026 	struct net_device *dev = info->user_ptr[1];
12027 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12028 
12029 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12030 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12031 		return -EINVAL;
12032 
12033 	if (wdev->ap_unexpected_nlportid)
12034 		return -EBUSY;
12035 
12036 	wdev->ap_unexpected_nlportid = info->snd_portid;
12037 	return 0;
12038 }
12039 
12040 static int nl80211_probe_client(struct sk_buff *skb,
12041 				struct genl_info *info)
12042 {
12043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12044 	struct net_device *dev = info->user_ptr[1];
12045 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12046 	struct sk_buff *msg;
12047 	void *hdr;
12048 	const u8 *addr;
12049 	u64 cookie;
12050 	int err;
12051 
12052 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12053 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12054 		return -EOPNOTSUPP;
12055 
12056 	if (!info->attrs[NL80211_ATTR_MAC])
12057 		return -EINVAL;
12058 
12059 	if (!rdev->ops->probe_client)
12060 		return -EOPNOTSUPP;
12061 
12062 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12063 	if (!msg)
12064 		return -ENOMEM;
12065 
12066 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12067 			     NL80211_CMD_PROBE_CLIENT);
12068 	if (!hdr) {
12069 		err = -ENOBUFS;
12070 		goto free_msg;
12071 	}
12072 
12073 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12074 
12075 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12076 	if (err)
12077 		goto free_msg;
12078 
12079 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12080 			      NL80211_ATTR_PAD))
12081 		goto nla_put_failure;
12082 
12083 	genlmsg_end(msg, hdr);
12084 
12085 	return genlmsg_reply(msg, info);
12086 
12087  nla_put_failure:
12088 	err = -ENOBUFS;
12089  free_msg:
12090 	nlmsg_free(msg);
12091 	return err;
12092 }
12093 
12094 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12095 {
12096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12097 	struct cfg80211_beacon_registration *reg, *nreg;
12098 	int rv;
12099 
12100 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12101 		return -EOPNOTSUPP;
12102 
12103 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12104 	if (!nreg)
12105 		return -ENOMEM;
12106 
12107 	/* First, check if already registered. */
12108 	spin_lock_bh(&rdev->beacon_registrations_lock);
12109 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12110 		if (reg->nlportid == info->snd_portid) {
12111 			rv = -EALREADY;
12112 			goto out_err;
12113 		}
12114 	}
12115 	/* Add it to the list */
12116 	nreg->nlportid = info->snd_portid;
12117 	list_add(&nreg->list, &rdev->beacon_registrations);
12118 
12119 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12120 
12121 	return 0;
12122 out_err:
12123 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12124 	kfree(nreg);
12125 	return rv;
12126 }
12127 
12128 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12129 {
12130 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12131 	struct wireless_dev *wdev = info->user_ptr[1];
12132 	int err;
12133 
12134 	if (!rdev->ops->start_p2p_device)
12135 		return -EOPNOTSUPP;
12136 
12137 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12138 		return -EOPNOTSUPP;
12139 
12140 	if (wdev_running(wdev))
12141 		return 0;
12142 
12143 	if (rfkill_blocked(rdev->rfkill))
12144 		return -ERFKILL;
12145 
12146 	err = rdev_start_p2p_device(rdev, wdev);
12147 	if (err)
12148 		return err;
12149 
12150 	wdev->is_running = true;
12151 	rdev->opencount++;
12152 
12153 	return 0;
12154 }
12155 
12156 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12157 {
12158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12159 	struct wireless_dev *wdev = info->user_ptr[1];
12160 
12161 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12162 		return -EOPNOTSUPP;
12163 
12164 	if (!rdev->ops->stop_p2p_device)
12165 		return -EOPNOTSUPP;
12166 
12167 	cfg80211_stop_p2p_device(rdev, wdev);
12168 
12169 	return 0;
12170 }
12171 
12172 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12173 {
12174 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12175 	struct wireless_dev *wdev = info->user_ptr[1];
12176 	struct cfg80211_nan_conf conf = {};
12177 	int err;
12178 
12179 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12180 		return -EOPNOTSUPP;
12181 
12182 	if (wdev_running(wdev))
12183 		return -EEXIST;
12184 
12185 	if (rfkill_blocked(rdev->rfkill))
12186 		return -ERFKILL;
12187 
12188 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12189 		return -EINVAL;
12190 
12191 	conf.master_pref =
12192 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12193 
12194 	if (info->attrs[NL80211_ATTR_BANDS]) {
12195 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12196 
12197 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12198 			return -EOPNOTSUPP;
12199 
12200 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12201 			return -EINVAL;
12202 
12203 		conf.bands = bands;
12204 	}
12205 
12206 	err = rdev_start_nan(rdev, wdev, &conf);
12207 	if (err)
12208 		return err;
12209 
12210 	wdev->is_running = true;
12211 	rdev->opencount++;
12212 
12213 	return 0;
12214 }
12215 
12216 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12217 {
12218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12219 	struct wireless_dev *wdev = info->user_ptr[1];
12220 
12221 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12222 		return -EOPNOTSUPP;
12223 
12224 	cfg80211_stop_nan(rdev, wdev);
12225 
12226 	return 0;
12227 }
12228 
12229 static int validate_nan_filter(struct nlattr *filter_attr)
12230 {
12231 	struct nlattr *attr;
12232 	int len = 0, n_entries = 0, rem;
12233 
12234 	nla_for_each_nested(attr, filter_attr, rem) {
12235 		len += nla_len(attr);
12236 		n_entries++;
12237 	}
12238 
12239 	if (len >= U8_MAX)
12240 		return -EINVAL;
12241 
12242 	return n_entries;
12243 }
12244 
12245 static int handle_nan_filter(struct nlattr *attr_filter,
12246 			     struct cfg80211_nan_func *func,
12247 			     bool tx)
12248 {
12249 	struct nlattr *attr;
12250 	int n_entries, rem, i;
12251 	struct cfg80211_nan_func_filter *filter;
12252 
12253 	n_entries = validate_nan_filter(attr_filter);
12254 	if (n_entries < 0)
12255 		return n_entries;
12256 
12257 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12258 
12259 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12260 	if (!filter)
12261 		return -ENOMEM;
12262 
12263 	i = 0;
12264 	nla_for_each_nested(attr, attr_filter, rem) {
12265 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12266 		filter[i].len = nla_len(attr);
12267 		i++;
12268 	}
12269 	if (tx) {
12270 		func->num_tx_filters = n_entries;
12271 		func->tx_filters = filter;
12272 	} else {
12273 		func->num_rx_filters = n_entries;
12274 		func->rx_filters = filter;
12275 	}
12276 
12277 	return 0;
12278 }
12279 
12280 static int nl80211_nan_add_func(struct sk_buff *skb,
12281 				struct genl_info *info)
12282 {
12283 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12284 	struct wireless_dev *wdev = info->user_ptr[1];
12285 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12286 	struct cfg80211_nan_func *func;
12287 	struct sk_buff *msg = NULL;
12288 	void *hdr = NULL;
12289 	int err = 0;
12290 
12291 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12292 		return -EOPNOTSUPP;
12293 
12294 	if (!wdev_running(wdev))
12295 		return -ENOTCONN;
12296 
12297 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12298 		return -EINVAL;
12299 
12300 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12301 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12302 					  nl80211_nan_func_policy,
12303 					  info->extack);
12304 	if (err)
12305 		return err;
12306 
12307 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12308 	if (!func)
12309 		return -ENOMEM;
12310 
12311 	func->cookie = cfg80211_assign_cookie(rdev);
12312 
12313 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
12314 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
12315 		err = -EINVAL;
12316 		goto out;
12317 	}
12318 
12319 
12320 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12321 
12322 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12323 		err = -EINVAL;
12324 		goto out;
12325 	}
12326 
12327 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12328 	       sizeof(func->service_id));
12329 
12330 	func->close_range =
12331 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12332 
12333 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12334 		func->serv_spec_info_len =
12335 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12336 		func->serv_spec_info =
12337 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12338 				func->serv_spec_info_len,
12339 				GFP_KERNEL);
12340 		if (!func->serv_spec_info) {
12341 			err = -ENOMEM;
12342 			goto out;
12343 		}
12344 	}
12345 
12346 	if (tb[NL80211_NAN_FUNC_TTL])
12347 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
12348 
12349 	switch (func->type) {
12350 	case NL80211_NAN_FUNC_PUBLISH:
12351 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
12352 			err = -EINVAL;
12353 			goto out;
12354 		}
12355 
12356 		func->publish_type =
12357 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
12358 		func->publish_bcast =
12359 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
12360 
12361 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
12362 			func->publish_bcast) {
12363 			err = -EINVAL;
12364 			goto out;
12365 		}
12366 		break;
12367 	case NL80211_NAN_FUNC_SUBSCRIBE:
12368 		func->subscribe_active =
12369 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
12370 		break;
12371 	case NL80211_NAN_FUNC_FOLLOW_UP:
12372 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
12373 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
12374 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
12375 			err = -EINVAL;
12376 			goto out;
12377 		}
12378 
12379 		func->followup_id =
12380 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
12381 		func->followup_reqid =
12382 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
12383 		memcpy(func->followup_dest.addr,
12384 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
12385 		       sizeof(func->followup_dest.addr));
12386 		if (func->ttl) {
12387 			err = -EINVAL;
12388 			goto out;
12389 		}
12390 		break;
12391 	default:
12392 		err = -EINVAL;
12393 		goto out;
12394 	}
12395 
12396 	if (tb[NL80211_NAN_FUNC_SRF]) {
12397 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12398 
12399 		err = nla_parse_nested_deprecated(srf_tb,
12400 						  NL80211_NAN_SRF_ATTR_MAX,
12401 						  tb[NL80211_NAN_FUNC_SRF],
12402 						  nl80211_nan_srf_policy,
12403 						  info->extack);
12404 		if (err)
12405 			goto out;
12406 
12407 		func->srf_include =
12408 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12409 
12410 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12411 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12412 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12413 				err = -EINVAL;
12414 				goto out;
12415 			}
12416 
12417 			func->srf_bf_len =
12418 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12419 			func->srf_bf =
12420 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12421 					func->srf_bf_len, GFP_KERNEL);
12422 			if (!func->srf_bf) {
12423 				err = -ENOMEM;
12424 				goto out;
12425 			}
12426 
12427 			func->srf_bf_idx =
12428 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12429 		} else {
12430 			struct nlattr *attr, *mac_attr =
12431 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12432 			int n_entries, rem, i = 0;
12433 
12434 			if (!mac_attr) {
12435 				err = -EINVAL;
12436 				goto out;
12437 			}
12438 
12439 			n_entries = validate_acl_mac_addrs(mac_attr);
12440 			if (n_entries <= 0) {
12441 				err = -EINVAL;
12442 				goto out;
12443 			}
12444 
12445 			func->srf_num_macs = n_entries;
12446 			func->srf_macs =
12447 				kcalloc(n_entries, sizeof(*func->srf_macs),
12448 					GFP_KERNEL);
12449 			if (!func->srf_macs) {
12450 				err = -ENOMEM;
12451 				goto out;
12452 			}
12453 
12454 			nla_for_each_nested(attr, mac_attr, rem)
12455 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12456 				       sizeof(*func->srf_macs));
12457 		}
12458 	}
12459 
12460 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12461 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12462 					func, true);
12463 		if (err)
12464 			goto out;
12465 	}
12466 
12467 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12468 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12469 					func, false);
12470 		if (err)
12471 			goto out;
12472 	}
12473 
12474 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12475 	if (!msg) {
12476 		err = -ENOMEM;
12477 		goto out;
12478 	}
12479 
12480 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12481 			     NL80211_CMD_ADD_NAN_FUNCTION);
12482 	/* This can't really happen - we just allocated 4KB */
12483 	if (WARN_ON(!hdr)) {
12484 		err = -ENOMEM;
12485 		goto out;
12486 	}
12487 
12488 	err = rdev_add_nan_func(rdev, wdev, func);
12489 out:
12490 	if (err < 0) {
12491 		cfg80211_free_nan_func(func);
12492 		nlmsg_free(msg);
12493 		return err;
12494 	}
12495 
12496 	/* propagate the instance id and cookie to userspace  */
12497 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12498 			      NL80211_ATTR_PAD))
12499 		goto nla_put_failure;
12500 
12501 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12502 	if (!func_attr)
12503 		goto nla_put_failure;
12504 
12505 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12506 		       func->instance_id))
12507 		goto nla_put_failure;
12508 
12509 	nla_nest_end(msg, func_attr);
12510 
12511 	genlmsg_end(msg, hdr);
12512 	return genlmsg_reply(msg, info);
12513 
12514 nla_put_failure:
12515 	nlmsg_free(msg);
12516 	return -ENOBUFS;
12517 }
12518 
12519 static int nl80211_nan_del_func(struct sk_buff *skb,
12520 			       struct genl_info *info)
12521 {
12522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12523 	struct wireless_dev *wdev = info->user_ptr[1];
12524 	u64 cookie;
12525 
12526 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12527 		return -EOPNOTSUPP;
12528 
12529 	if (!wdev_running(wdev))
12530 		return -ENOTCONN;
12531 
12532 	if (!info->attrs[NL80211_ATTR_COOKIE])
12533 		return -EINVAL;
12534 
12535 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12536 
12537 	rdev_del_nan_func(rdev, wdev, cookie);
12538 
12539 	return 0;
12540 }
12541 
12542 static int nl80211_nan_change_config(struct sk_buff *skb,
12543 				     struct genl_info *info)
12544 {
12545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12546 	struct wireless_dev *wdev = info->user_ptr[1];
12547 	struct cfg80211_nan_conf conf = {};
12548 	u32 changed = 0;
12549 
12550 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12551 		return -EOPNOTSUPP;
12552 
12553 	if (!wdev_running(wdev))
12554 		return -ENOTCONN;
12555 
12556 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12557 		conf.master_pref =
12558 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12559 		if (conf.master_pref <= 1 || conf.master_pref == 255)
12560 			return -EINVAL;
12561 
12562 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12563 	}
12564 
12565 	if (info->attrs[NL80211_ATTR_BANDS]) {
12566 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12567 
12568 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12569 			return -EOPNOTSUPP;
12570 
12571 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12572 			return -EINVAL;
12573 
12574 		conf.bands = bands;
12575 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12576 	}
12577 
12578 	if (!changed)
12579 		return -EINVAL;
12580 
12581 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12582 }
12583 
12584 void cfg80211_nan_match(struct wireless_dev *wdev,
12585 			struct cfg80211_nan_match_params *match, gfp_t gfp)
12586 {
12587 	struct wiphy *wiphy = wdev->wiphy;
12588 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12589 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12590 	struct sk_buff *msg;
12591 	void *hdr;
12592 
12593 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12594 		return;
12595 
12596 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12597 	if (!msg)
12598 		return;
12599 
12600 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12601 	if (!hdr) {
12602 		nlmsg_free(msg);
12603 		return;
12604 	}
12605 
12606 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12607 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12608 					 wdev->netdev->ifindex)) ||
12609 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12610 			      NL80211_ATTR_PAD))
12611 		goto nla_put_failure;
12612 
12613 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12614 			      NL80211_ATTR_PAD) ||
12615 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12616 		goto nla_put_failure;
12617 
12618 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
12619 	if (!match_attr)
12620 		goto nla_put_failure;
12621 
12622 	local_func_attr = nla_nest_start_noflag(msg,
12623 						NL80211_NAN_MATCH_FUNC_LOCAL);
12624 	if (!local_func_attr)
12625 		goto nla_put_failure;
12626 
12627 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12628 		goto nla_put_failure;
12629 
12630 	nla_nest_end(msg, local_func_attr);
12631 
12632 	peer_func_attr = nla_nest_start_noflag(msg,
12633 					       NL80211_NAN_MATCH_FUNC_PEER);
12634 	if (!peer_func_attr)
12635 		goto nla_put_failure;
12636 
12637 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12638 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12639 		goto nla_put_failure;
12640 
12641 	if (match->info && match->info_len &&
12642 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12643 		    match->info))
12644 		goto nla_put_failure;
12645 
12646 	nla_nest_end(msg, peer_func_attr);
12647 	nla_nest_end(msg, match_attr);
12648 	genlmsg_end(msg, hdr);
12649 
12650 	if (!wdev->owner_nlportid)
12651 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12652 					msg, 0, NL80211_MCGRP_NAN, gfp);
12653 	else
12654 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12655 				wdev->owner_nlportid);
12656 
12657 	return;
12658 
12659 nla_put_failure:
12660 	nlmsg_free(msg);
12661 }
12662 EXPORT_SYMBOL(cfg80211_nan_match);
12663 
12664 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12665 				  u8 inst_id,
12666 				  enum nl80211_nan_func_term_reason reason,
12667 				  u64 cookie, gfp_t gfp)
12668 {
12669 	struct wiphy *wiphy = wdev->wiphy;
12670 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12671 	struct sk_buff *msg;
12672 	struct nlattr *func_attr;
12673 	void *hdr;
12674 
12675 	if (WARN_ON(!inst_id))
12676 		return;
12677 
12678 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12679 	if (!msg)
12680 		return;
12681 
12682 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12683 	if (!hdr) {
12684 		nlmsg_free(msg);
12685 		return;
12686 	}
12687 
12688 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12689 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12690 					 wdev->netdev->ifindex)) ||
12691 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12692 			      NL80211_ATTR_PAD))
12693 		goto nla_put_failure;
12694 
12695 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12696 			      NL80211_ATTR_PAD))
12697 		goto nla_put_failure;
12698 
12699 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12700 	if (!func_attr)
12701 		goto nla_put_failure;
12702 
12703 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12704 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12705 		goto nla_put_failure;
12706 
12707 	nla_nest_end(msg, func_attr);
12708 	genlmsg_end(msg, hdr);
12709 
12710 	if (!wdev->owner_nlportid)
12711 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12712 					msg, 0, NL80211_MCGRP_NAN, gfp);
12713 	else
12714 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12715 				wdev->owner_nlportid);
12716 
12717 	return;
12718 
12719 nla_put_failure:
12720 	nlmsg_free(msg);
12721 }
12722 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12723 
12724 static int nl80211_get_protocol_features(struct sk_buff *skb,
12725 					 struct genl_info *info)
12726 {
12727 	void *hdr;
12728 	struct sk_buff *msg;
12729 
12730 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12731 	if (!msg)
12732 		return -ENOMEM;
12733 
12734 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12735 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
12736 	if (!hdr)
12737 		goto nla_put_failure;
12738 
12739 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
12740 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
12741 		goto nla_put_failure;
12742 
12743 	genlmsg_end(msg, hdr);
12744 	return genlmsg_reply(msg, info);
12745 
12746  nla_put_failure:
12747 	kfree_skb(msg);
12748 	return -ENOBUFS;
12749 }
12750 
12751 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
12752 {
12753 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12754 	struct cfg80211_update_ft_ies_params ft_params;
12755 	struct net_device *dev = info->user_ptr[1];
12756 
12757 	if (!rdev->ops->update_ft_ies)
12758 		return -EOPNOTSUPP;
12759 
12760 	if (!info->attrs[NL80211_ATTR_MDID] ||
12761 	    !info->attrs[NL80211_ATTR_IE])
12762 		return -EINVAL;
12763 
12764 	memset(&ft_params, 0, sizeof(ft_params));
12765 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
12766 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12767 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12768 
12769 	return rdev_update_ft_ies(rdev, dev, &ft_params);
12770 }
12771 
12772 static int nl80211_crit_protocol_start(struct sk_buff *skb,
12773 				       struct genl_info *info)
12774 {
12775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12776 	struct wireless_dev *wdev = info->user_ptr[1];
12777 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
12778 	u16 duration;
12779 	int ret;
12780 
12781 	if (!rdev->ops->crit_proto_start)
12782 		return -EOPNOTSUPP;
12783 
12784 	if (WARN_ON(!rdev->ops->crit_proto_stop))
12785 		return -EINVAL;
12786 
12787 	if (rdev->crit_proto_nlportid)
12788 		return -EBUSY;
12789 
12790 	/* determine protocol if provided */
12791 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
12792 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
12793 
12794 	if (proto >= NUM_NL80211_CRIT_PROTO)
12795 		return -EINVAL;
12796 
12797 	/* timeout must be provided */
12798 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
12799 		return -EINVAL;
12800 
12801 	duration =
12802 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
12803 
12804 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
12805 		return -ERANGE;
12806 
12807 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
12808 	if (!ret)
12809 		rdev->crit_proto_nlportid = info->snd_portid;
12810 
12811 	return ret;
12812 }
12813 
12814 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
12815 				      struct genl_info *info)
12816 {
12817 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12818 	struct wireless_dev *wdev = info->user_ptr[1];
12819 
12820 	if (!rdev->ops->crit_proto_stop)
12821 		return -EOPNOTSUPP;
12822 
12823 	if (rdev->crit_proto_nlportid) {
12824 		rdev->crit_proto_nlportid = 0;
12825 		rdev_crit_proto_stop(rdev, wdev);
12826 	}
12827 	return 0;
12828 }
12829 
12830 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
12831 				       struct nlattr *attr,
12832 				       struct netlink_ext_ack *extack)
12833 {
12834 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
12835 		if (attr->nla_type & NLA_F_NESTED) {
12836 			NL_SET_ERR_MSG_ATTR(extack, attr,
12837 					    "unexpected nested data");
12838 			return -EINVAL;
12839 		}
12840 
12841 		return 0;
12842 	}
12843 
12844 	if (!(attr->nla_type & NLA_F_NESTED)) {
12845 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
12846 		return -EINVAL;
12847 	}
12848 
12849 	return nl80211_validate_nested(attr, vcmd->maxattr, vcmd->policy,
12850 				       extack);
12851 }
12852 
12853 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
12854 {
12855 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12856 	struct wireless_dev *wdev =
12857 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
12858 	int i, err;
12859 	u32 vid, subcmd;
12860 
12861 	if (!rdev->wiphy.vendor_commands)
12862 		return -EOPNOTSUPP;
12863 
12864 	if (IS_ERR(wdev)) {
12865 		err = PTR_ERR(wdev);
12866 		if (err != -EINVAL)
12867 			return err;
12868 		wdev = NULL;
12869 	} else if (wdev->wiphy != &rdev->wiphy) {
12870 		return -EINVAL;
12871 	}
12872 
12873 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
12874 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
12875 		return -EINVAL;
12876 
12877 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
12878 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
12879 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
12880 		const struct wiphy_vendor_command *vcmd;
12881 		void *data = NULL;
12882 		int len = 0;
12883 
12884 		vcmd = &rdev->wiphy.vendor_commands[i];
12885 
12886 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12887 			continue;
12888 
12889 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12890 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12891 			if (!wdev)
12892 				return -EINVAL;
12893 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12894 			    !wdev->netdev)
12895 				return -EINVAL;
12896 
12897 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12898 				if (!wdev_running(wdev))
12899 					return -ENETDOWN;
12900 			}
12901 
12902 			if (!vcmd->doit)
12903 				return -EOPNOTSUPP;
12904 		} else {
12905 			wdev = NULL;
12906 		}
12907 
12908 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
12909 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12910 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12911 
12912 			err = nl80211_vendor_check_policy(vcmd,
12913 					info->attrs[NL80211_ATTR_VENDOR_DATA],
12914 					info->extack);
12915 			if (err)
12916 				return err;
12917 		}
12918 
12919 		rdev->cur_cmd_info = info;
12920 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
12921 		rdev->cur_cmd_info = NULL;
12922 		return err;
12923 	}
12924 
12925 	return -EOPNOTSUPP;
12926 }
12927 
12928 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
12929 				       struct netlink_callback *cb,
12930 				       struct cfg80211_registered_device **rdev,
12931 				       struct wireless_dev **wdev)
12932 {
12933 	struct nlattr **attrbuf;
12934 	u32 vid, subcmd;
12935 	unsigned int i;
12936 	int vcmd_idx = -1;
12937 	int err;
12938 	void *data = NULL;
12939 	unsigned int data_len = 0;
12940 
12941 	if (cb->args[0]) {
12942 		/* subtract the 1 again here */
12943 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
12944 		struct wireless_dev *tmp;
12945 
12946 		if (!wiphy)
12947 			return -ENODEV;
12948 		*rdev = wiphy_to_rdev(wiphy);
12949 		*wdev = NULL;
12950 
12951 		if (cb->args[1]) {
12952 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
12953 				if (tmp->identifier == cb->args[1] - 1) {
12954 					*wdev = tmp;
12955 					break;
12956 				}
12957 			}
12958 		}
12959 
12960 		/* keep rtnl locked in successful case */
12961 		return 0;
12962 	}
12963 
12964 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
12965 	if (!attrbuf)
12966 		return -ENOMEM;
12967 
12968 	err = nlmsg_parse_deprecated(cb->nlh,
12969 				     GENL_HDRLEN + nl80211_fam.hdrsize,
12970 				     attrbuf, nl80211_fam.maxattr,
12971 				     nl80211_policy, NULL);
12972 	if (err)
12973 		goto out;
12974 
12975 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
12976 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
12977 		err = -EINVAL;
12978 		goto out;
12979 	}
12980 
12981 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
12982 	if (IS_ERR(*wdev))
12983 		*wdev = NULL;
12984 
12985 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12986 	if (IS_ERR(*rdev)) {
12987 		err = PTR_ERR(*rdev);
12988 		goto out;
12989 	}
12990 
12991 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
12992 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
12993 
12994 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
12995 		const struct wiphy_vendor_command *vcmd;
12996 
12997 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
12998 
12999 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13000 			continue;
13001 
13002 		if (!vcmd->dumpit) {
13003 			err = -EOPNOTSUPP;
13004 			goto out;
13005 		}
13006 
13007 		vcmd_idx = i;
13008 		break;
13009 	}
13010 
13011 	if (vcmd_idx < 0) {
13012 		err = -EOPNOTSUPP;
13013 		goto out;
13014 	}
13015 
13016 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13017 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13018 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13019 
13020 		err = nl80211_vendor_check_policy(
13021 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13022 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13023 				cb->extack);
13024 		if (err)
13025 			goto out;
13026 	}
13027 
13028 	/* 0 is the first index - add 1 to parse only once */
13029 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13030 	/* add 1 to know if it was NULL */
13031 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13032 	cb->args[2] = vcmd_idx;
13033 	cb->args[3] = (unsigned long)data;
13034 	cb->args[4] = data_len;
13035 
13036 	/* keep rtnl locked in successful case */
13037 	err = 0;
13038 out:
13039 	kfree(attrbuf);
13040 	return err;
13041 }
13042 
13043 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13044 				   struct netlink_callback *cb)
13045 {
13046 	struct cfg80211_registered_device *rdev;
13047 	struct wireless_dev *wdev;
13048 	unsigned int vcmd_idx;
13049 	const struct wiphy_vendor_command *vcmd;
13050 	void *data;
13051 	int data_len;
13052 	int err;
13053 	struct nlattr *vendor_data;
13054 
13055 	rtnl_lock();
13056 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13057 	if (err)
13058 		goto out;
13059 
13060 	vcmd_idx = cb->args[2];
13061 	data = (void *)cb->args[3];
13062 	data_len = cb->args[4];
13063 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13064 
13065 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13066 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13067 		if (!wdev) {
13068 			err = -EINVAL;
13069 			goto out;
13070 		}
13071 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13072 		    !wdev->netdev) {
13073 			err = -EINVAL;
13074 			goto out;
13075 		}
13076 
13077 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13078 			if (!wdev_running(wdev)) {
13079 				err = -ENETDOWN;
13080 				goto out;
13081 			}
13082 		}
13083 	}
13084 
13085 	while (1) {
13086 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13087 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13088 					   NL80211_CMD_VENDOR);
13089 		if (!hdr)
13090 			break;
13091 
13092 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13093 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13094 					       wdev_id(wdev),
13095 					       NL80211_ATTR_PAD))) {
13096 			genlmsg_cancel(skb, hdr);
13097 			break;
13098 		}
13099 
13100 		vendor_data = nla_nest_start_noflag(skb,
13101 						    NL80211_ATTR_VENDOR_DATA);
13102 		if (!vendor_data) {
13103 			genlmsg_cancel(skb, hdr);
13104 			break;
13105 		}
13106 
13107 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13108 				   (unsigned long *)&cb->args[5]);
13109 		nla_nest_end(skb, vendor_data);
13110 
13111 		if (err == -ENOBUFS || err == -ENOENT) {
13112 			genlmsg_cancel(skb, hdr);
13113 			break;
13114 		} else if (err) {
13115 			genlmsg_cancel(skb, hdr);
13116 			goto out;
13117 		}
13118 
13119 		genlmsg_end(skb, hdr);
13120 	}
13121 
13122 	err = skb->len;
13123  out:
13124 	rtnl_unlock();
13125 	return err;
13126 }
13127 
13128 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13129 					   enum nl80211_commands cmd,
13130 					   enum nl80211_attrs attr,
13131 					   int approxlen)
13132 {
13133 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13134 
13135 	if (WARN_ON(!rdev->cur_cmd_info))
13136 		return NULL;
13137 
13138 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13139 					   rdev->cur_cmd_info->snd_portid,
13140 					   rdev->cur_cmd_info->snd_seq,
13141 					   cmd, attr, NULL, GFP_KERNEL);
13142 }
13143 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13144 
13145 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13146 {
13147 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13148 	void *hdr = ((void **)skb->cb)[1];
13149 	struct nlattr *data = ((void **)skb->cb)[2];
13150 
13151 	/* clear CB data for netlink core to own from now on */
13152 	memset(skb->cb, 0, sizeof(skb->cb));
13153 
13154 	if (WARN_ON(!rdev->cur_cmd_info)) {
13155 		kfree_skb(skb);
13156 		return -EINVAL;
13157 	}
13158 
13159 	nla_nest_end(skb, data);
13160 	genlmsg_end(skb, hdr);
13161 	return genlmsg_reply(skb, rdev->cur_cmd_info);
13162 }
13163 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13164 
13165 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13166 {
13167 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13168 
13169 	if (WARN_ON(!rdev->cur_cmd_info))
13170 		return 0;
13171 
13172 	return rdev->cur_cmd_info->snd_portid;
13173 }
13174 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13175 
13176 static int nl80211_set_qos_map(struct sk_buff *skb,
13177 			       struct genl_info *info)
13178 {
13179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13180 	struct cfg80211_qos_map *qos_map = NULL;
13181 	struct net_device *dev = info->user_ptr[1];
13182 	u8 *pos, len, num_des, des_len, des;
13183 	int ret;
13184 
13185 	if (!rdev->ops->set_qos_map)
13186 		return -EOPNOTSUPP;
13187 
13188 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13189 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13190 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13191 
13192 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
13193 		    len > IEEE80211_QOS_MAP_LEN_MAX)
13194 			return -EINVAL;
13195 
13196 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13197 		if (!qos_map)
13198 			return -ENOMEM;
13199 
13200 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13201 		if (num_des) {
13202 			des_len = num_des *
13203 				sizeof(struct cfg80211_dscp_exception);
13204 			memcpy(qos_map->dscp_exception, pos, des_len);
13205 			qos_map->num_des = num_des;
13206 			for (des = 0; des < num_des; des++) {
13207 				if (qos_map->dscp_exception[des].up > 7) {
13208 					kfree(qos_map);
13209 					return -EINVAL;
13210 				}
13211 			}
13212 			pos += des_len;
13213 		}
13214 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13215 	}
13216 
13217 	wdev_lock(dev->ieee80211_ptr);
13218 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13219 	if (!ret)
13220 		ret = rdev_set_qos_map(rdev, dev, qos_map);
13221 	wdev_unlock(dev->ieee80211_ptr);
13222 
13223 	kfree(qos_map);
13224 	return ret;
13225 }
13226 
13227 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13228 {
13229 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13230 	struct net_device *dev = info->user_ptr[1];
13231 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13232 	const u8 *peer;
13233 	u8 tsid, up;
13234 	u16 admitted_time = 0;
13235 	int err;
13236 
13237 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13238 		return -EOPNOTSUPP;
13239 
13240 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13241 	    !info->attrs[NL80211_ATTR_USER_PRIO])
13242 		return -EINVAL;
13243 
13244 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13245 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13246 
13247 	/* WMM uses TIDs 0-7 even for TSPEC */
13248 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13249 		/* TODO: handle 802.11 TSPEC/admission control
13250 		 * need more attributes for that (e.g. BA session requirement);
13251 		 * change the WMM adminssion test above to allow both then
13252 		 */
13253 		return -EINVAL;
13254 	}
13255 
13256 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13257 
13258 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13259 		admitted_time =
13260 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13261 		if (!admitted_time)
13262 			return -EINVAL;
13263 	}
13264 
13265 	wdev_lock(wdev);
13266 	switch (wdev->iftype) {
13267 	case NL80211_IFTYPE_STATION:
13268 	case NL80211_IFTYPE_P2P_CLIENT:
13269 		if (wdev->current_bss)
13270 			break;
13271 		err = -ENOTCONN;
13272 		goto out;
13273 	default:
13274 		err = -EOPNOTSUPP;
13275 		goto out;
13276 	}
13277 
13278 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13279 
13280  out:
13281 	wdev_unlock(wdev);
13282 	return err;
13283 }
13284 
13285 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13286 {
13287 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13288 	struct net_device *dev = info->user_ptr[1];
13289 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13290 	const u8 *peer;
13291 	u8 tsid;
13292 	int err;
13293 
13294 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13295 		return -EINVAL;
13296 
13297 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13298 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13299 
13300 	wdev_lock(wdev);
13301 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13302 	wdev_unlock(wdev);
13303 
13304 	return err;
13305 }
13306 
13307 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13308 				       struct genl_info *info)
13309 {
13310 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13311 	struct net_device *dev = info->user_ptr[1];
13312 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13313 	struct cfg80211_chan_def chandef = {};
13314 	const u8 *addr;
13315 	u8 oper_class;
13316 	int err;
13317 
13318 	if (!rdev->ops->tdls_channel_switch ||
13319 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13320 		return -EOPNOTSUPP;
13321 
13322 	switch (dev->ieee80211_ptr->iftype) {
13323 	case NL80211_IFTYPE_STATION:
13324 	case NL80211_IFTYPE_P2P_CLIENT:
13325 		break;
13326 	default:
13327 		return -EOPNOTSUPP;
13328 	}
13329 
13330 	if (!info->attrs[NL80211_ATTR_MAC] ||
13331 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13332 		return -EINVAL;
13333 
13334 	err = nl80211_parse_chandef(rdev, info, &chandef);
13335 	if (err)
13336 		return err;
13337 
13338 	/*
13339 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13340 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13341 	 * specification is not defined for them.
13342 	 */
13343 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
13344 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
13345 	    chandef.width != NL80211_CHAN_WIDTH_20)
13346 		return -EINVAL;
13347 
13348 	/* we will be active on the TDLS link */
13349 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
13350 					   wdev->iftype))
13351 		return -EINVAL;
13352 
13353 	/* don't allow switching to DFS channels */
13354 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
13355 		return -EINVAL;
13356 
13357 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13358 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
13359 
13360 	wdev_lock(wdev);
13361 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
13362 	wdev_unlock(wdev);
13363 
13364 	return err;
13365 }
13366 
13367 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
13368 					      struct genl_info *info)
13369 {
13370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13371 	struct net_device *dev = info->user_ptr[1];
13372 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13373 	const u8 *addr;
13374 
13375 	if (!rdev->ops->tdls_channel_switch ||
13376 	    !rdev->ops->tdls_cancel_channel_switch ||
13377 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13378 		return -EOPNOTSUPP;
13379 
13380 	switch (dev->ieee80211_ptr->iftype) {
13381 	case NL80211_IFTYPE_STATION:
13382 	case NL80211_IFTYPE_P2P_CLIENT:
13383 		break;
13384 	default:
13385 		return -EOPNOTSUPP;
13386 	}
13387 
13388 	if (!info->attrs[NL80211_ATTR_MAC])
13389 		return -EINVAL;
13390 
13391 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13392 
13393 	wdev_lock(wdev);
13394 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
13395 	wdev_unlock(wdev);
13396 
13397 	return 0;
13398 }
13399 
13400 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
13401 					    struct genl_info *info)
13402 {
13403 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13404 	struct net_device *dev = info->user_ptr[1];
13405 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13406 	const struct nlattr *nla;
13407 	bool enabled;
13408 
13409 	if (!rdev->ops->set_multicast_to_unicast)
13410 		return -EOPNOTSUPP;
13411 
13412 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13413 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13414 		return -EOPNOTSUPP;
13415 
13416 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
13417 	enabled = nla_get_flag(nla);
13418 
13419 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
13420 }
13421 
13422 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
13423 {
13424 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13425 	struct net_device *dev = info->user_ptr[1];
13426 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13427 	struct cfg80211_pmk_conf pmk_conf = {};
13428 	int ret;
13429 
13430 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13431 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13432 		return -EOPNOTSUPP;
13433 
13434 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13435 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13436 		return -EOPNOTSUPP;
13437 
13438 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
13439 		return -EINVAL;
13440 
13441 	wdev_lock(wdev);
13442 	if (!wdev->current_bss) {
13443 		ret = -ENOTCONN;
13444 		goto out;
13445 	}
13446 
13447 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13448 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
13449 		ret = -EINVAL;
13450 		goto out;
13451 	}
13452 
13453 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13454 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13455 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
13456 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
13457 		ret = -EINVAL;
13458 		goto out;
13459 	}
13460 
13461 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
13462 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13463 
13464 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
13465 			ret = -EINVAL;
13466 			goto out;
13467 		}
13468 
13469 		pmk_conf.pmk_r0_name =
13470 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13471 	}
13472 
13473 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13474 out:
13475 	wdev_unlock(wdev);
13476 	return ret;
13477 }
13478 
13479 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13480 {
13481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13482 	struct net_device *dev = info->user_ptr[1];
13483 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13484 	const u8 *aa;
13485 	int ret;
13486 
13487 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13488 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13489 		return -EOPNOTSUPP;
13490 
13491 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13492 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13493 		return -EOPNOTSUPP;
13494 
13495 	if (!info->attrs[NL80211_ATTR_MAC])
13496 		return -EINVAL;
13497 
13498 	wdev_lock(wdev);
13499 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13500 	ret = rdev_del_pmk(rdev, dev, aa);
13501 	wdev_unlock(wdev);
13502 
13503 	return ret;
13504 }
13505 
13506 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13507 {
13508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13509 	struct net_device *dev = info->user_ptr[1];
13510 	struct cfg80211_external_auth_params params;
13511 
13512 	if (!rdev->ops->external_auth)
13513 		return -EOPNOTSUPP;
13514 
13515 	if (!info->attrs[NL80211_ATTR_SSID] &&
13516 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
13517 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
13518 		return -EINVAL;
13519 
13520 	if (!info->attrs[NL80211_ATTR_BSSID])
13521 		return -EINVAL;
13522 
13523 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13524 		return -EINVAL;
13525 
13526 	memset(&params, 0, sizeof(params));
13527 
13528 	if (info->attrs[NL80211_ATTR_SSID]) {
13529 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13530 		if (params.ssid.ssid_len == 0 ||
13531 		    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13532 			return -EINVAL;
13533 		memcpy(params.ssid.ssid,
13534 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
13535 		       params.ssid.ssid_len);
13536 	}
13537 
13538 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13539 	       ETH_ALEN);
13540 
13541 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13542 
13543 	if (info->attrs[NL80211_ATTR_PMKID])
13544 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13545 
13546 	return rdev_external_auth(rdev, dev, &params);
13547 }
13548 
13549 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13550 {
13551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13552 	struct net_device *dev = info->user_ptr[1];
13553 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13554 	const u8 *buf;
13555 	size_t len;
13556 	u8 *dest;
13557 	u16 proto;
13558 	bool noencrypt;
13559 	int err;
13560 
13561 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13562 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13563 		return -EOPNOTSUPP;
13564 
13565 	if (!rdev->ops->tx_control_port)
13566 		return -EOPNOTSUPP;
13567 
13568 	if (!info->attrs[NL80211_ATTR_FRAME] ||
13569 	    !info->attrs[NL80211_ATTR_MAC] ||
13570 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13571 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13572 		return -EINVAL;
13573 	}
13574 
13575 	wdev_lock(wdev);
13576 
13577 	switch (wdev->iftype) {
13578 	case NL80211_IFTYPE_AP:
13579 	case NL80211_IFTYPE_P2P_GO:
13580 	case NL80211_IFTYPE_MESH_POINT:
13581 		break;
13582 	case NL80211_IFTYPE_ADHOC:
13583 	case NL80211_IFTYPE_STATION:
13584 	case NL80211_IFTYPE_P2P_CLIENT:
13585 		if (wdev->current_bss)
13586 			break;
13587 		err = -ENOTCONN;
13588 		goto out;
13589 	default:
13590 		err = -EOPNOTSUPP;
13591 		goto out;
13592 	}
13593 
13594 	wdev_unlock(wdev);
13595 
13596 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13597 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13598 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13599 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13600 	noencrypt =
13601 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13602 
13603 	return rdev_tx_control_port(rdev, dev, buf, len,
13604 				    dest, cpu_to_be16(proto), noencrypt);
13605 
13606  out:
13607 	wdev_unlock(wdev);
13608 	return err;
13609 }
13610 
13611 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
13612 					   struct genl_info *info)
13613 {
13614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13615 	struct net_device *dev = info->user_ptr[1];
13616 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13617 	struct cfg80211_ftm_responder_stats ftm_stats = {};
13618 	struct sk_buff *msg;
13619 	void *hdr;
13620 	struct nlattr *ftm_stats_attr;
13621 	int err;
13622 
13623 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
13624 		return -EOPNOTSUPP;
13625 
13626 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
13627 	if (err)
13628 		return err;
13629 
13630 	if (!ftm_stats.filled)
13631 		return -ENODATA;
13632 
13633 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13634 	if (!msg)
13635 		return -ENOMEM;
13636 
13637 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13638 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
13639 	if (!hdr)
13640 		return -ENOBUFS;
13641 
13642 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13643 		goto nla_put_failure;
13644 
13645 	ftm_stats_attr = nla_nest_start_noflag(msg,
13646 					       NL80211_ATTR_FTM_RESPONDER_STATS);
13647 	if (!ftm_stats_attr)
13648 		goto nla_put_failure;
13649 
13650 #define SET_FTM(field, name, type)					 \
13651 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13652 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
13653 			     ftm_stats.field))				 \
13654 		goto nla_put_failure; } while (0)
13655 #define SET_FTM_U64(field, name)					 \
13656 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13657 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
13658 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
13659 		goto nla_put_failure; } while (0)
13660 
13661 	SET_FTM(success_num, SUCCESS_NUM, u32);
13662 	SET_FTM(partial_num, PARTIAL_NUM, u32);
13663 	SET_FTM(failed_num, FAILED_NUM, u32);
13664 	SET_FTM(asap_num, ASAP_NUM, u32);
13665 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
13666 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
13667 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
13668 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
13669 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
13670 #undef SET_FTM
13671 
13672 	nla_nest_end(msg, ftm_stats_attr);
13673 
13674 	genlmsg_end(msg, hdr);
13675 	return genlmsg_reply(msg, info);
13676 
13677 nla_put_failure:
13678 	nlmsg_free(msg);
13679 	return -ENOBUFS;
13680 }
13681 
13682 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
13683 {
13684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13685 	struct cfg80211_update_owe_info owe_info;
13686 	struct net_device *dev = info->user_ptr[1];
13687 
13688 	if (!rdev->ops->update_owe_info)
13689 		return -EOPNOTSUPP;
13690 
13691 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
13692 	    !info->attrs[NL80211_ATTR_MAC])
13693 		return -EINVAL;
13694 
13695 	memset(&owe_info, 0, sizeof(owe_info));
13696 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13697 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
13698 
13699 	if (info->attrs[NL80211_ATTR_IE]) {
13700 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13701 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13702 	}
13703 
13704 	return rdev_update_owe_info(rdev, dev, &owe_info);
13705 }
13706 
13707 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
13708 {
13709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13710 	struct net_device *dev = info->user_ptr[1];
13711 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13712 	struct station_info sinfo = {};
13713 	const u8 *buf;
13714 	size_t len;
13715 	u8 *dest;
13716 	int err;
13717 
13718 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
13719 		return -EOPNOTSUPP;
13720 
13721 	if (!info->attrs[NL80211_ATTR_MAC] ||
13722 	    !info->attrs[NL80211_ATTR_FRAME]) {
13723 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
13724 		return -EINVAL;
13725 	}
13726 
13727 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
13728 		return -EOPNOTSUPP;
13729 
13730 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13731 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13732 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13733 
13734 	if (len < sizeof(struct ethhdr))
13735 		return -EINVAL;
13736 
13737 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
13738 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
13739 		return -EINVAL;
13740 
13741 	err = rdev_get_station(rdev, dev, dest, &sinfo);
13742 	if (err)
13743 		return err;
13744 
13745 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
13746 }
13747 
13748 #define NL80211_FLAG_NEED_WIPHY		0x01
13749 #define NL80211_FLAG_NEED_NETDEV	0x02
13750 #define NL80211_FLAG_NEED_RTNL		0x04
13751 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
13752 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
13753 					 NL80211_FLAG_CHECK_NETDEV_UP)
13754 #define NL80211_FLAG_NEED_WDEV		0x10
13755 /* If a netdev is associated, it must be UP, P2P must be started */
13756 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
13757 					 NL80211_FLAG_CHECK_NETDEV_UP)
13758 #define NL80211_FLAG_CLEAR_SKB		0x20
13759 
13760 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
13761 			    struct genl_info *info)
13762 {
13763 	struct cfg80211_registered_device *rdev;
13764 	struct wireless_dev *wdev;
13765 	struct net_device *dev;
13766 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
13767 
13768 	if (rtnl)
13769 		rtnl_lock();
13770 
13771 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
13772 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
13773 		if (IS_ERR(rdev)) {
13774 			if (rtnl)
13775 				rtnl_unlock();
13776 			return PTR_ERR(rdev);
13777 		}
13778 		info->user_ptr[0] = rdev;
13779 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
13780 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13781 		ASSERT_RTNL();
13782 
13783 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
13784 						  info->attrs);
13785 		if (IS_ERR(wdev)) {
13786 			if (rtnl)
13787 				rtnl_unlock();
13788 			return PTR_ERR(wdev);
13789 		}
13790 
13791 		dev = wdev->netdev;
13792 		rdev = wiphy_to_rdev(wdev->wiphy);
13793 
13794 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
13795 			if (!dev) {
13796 				if (rtnl)
13797 					rtnl_unlock();
13798 				return -EINVAL;
13799 			}
13800 
13801 			info->user_ptr[1] = dev;
13802 		} else {
13803 			info->user_ptr[1] = wdev;
13804 		}
13805 
13806 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
13807 		    !wdev_running(wdev)) {
13808 			if (rtnl)
13809 				rtnl_unlock();
13810 			return -ENETDOWN;
13811 		}
13812 
13813 		if (dev)
13814 			dev_hold(dev);
13815 
13816 		info->user_ptr[0] = rdev;
13817 	}
13818 
13819 	return 0;
13820 }
13821 
13822 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
13823 			      struct genl_info *info)
13824 {
13825 	if (info->user_ptr[1]) {
13826 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13827 			struct wireless_dev *wdev = info->user_ptr[1];
13828 
13829 			if (wdev->netdev)
13830 				dev_put(wdev->netdev);
13831 		} else {
13832 			dev_put(info->user_ptr[1]);
13833 		}
13834 	}
13835 
13836 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
13837 		rtnl_unlock();
13838 
13839 	/* If needed, clear the netlink message payload from the SKB
13840 	 * as it might contain key data that shouldn't stick around on
13841 	 * the heap after the SKB is freed. The netlink message header
13842 	 * is still needed for further processing, so leave it intact.
13843 	 */
13844 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
13845 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
13846 
13847 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
13848 	}
13849 }
13850 
13851 static const struct genl_ops nl80211_ops[] = {
13852 	{
13853 		.cmd = NL80211_CMD_GET_WIPHY,
13854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13855 		.doit = nl80211_get_wiphy,
13856 		.dumpit = nl80211_dump_wiphy,
13857 		.done = nl80211_dump_wiphy_done,
13858 		/* can be retrieved by unprivileged users */
13859 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13860 				  NL80211_FLAG_NEED_RTNL,
13861 	},
13862 	{
13863 		.cmd = NL80211_CMD_SET_WIPHY,
13864 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13865 		.doit = nl80211_set_wiphy,
13866 		.flags = GENL_UNS_ADMIN_PERM,
13867 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13868 	},
13869 	{
13870 		.cmd = NL80211_CMD_GET_INTERFACE,
13871 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13872 		.doit = nl80211_get_interface,
13873 		.dumpit = nl80211_dump_interface,
13874 		/* can be retrieved by unprivileged users */
13875 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13876 				  NL80211_FLAG_NEED_RTNL,
13877 	},
13878 	{
13879 		.cmd = NL80211_CMD_SET_INTERFACE,
13880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13881 		.doit = nl80211_set_interface,
13882 		.flags = GENL_UNS_ADMIN_PERM,
13883 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13884 				  NL80211_FLAG_NEED_RTNL,
13885 	},
13886 	{
13887 		.cmd = NL80211_CMD_NEW_INTERFACE,
13888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13889 		.doit = nl80211_new_interface,
13890 		.flags = GENL_UNS_ADMIN_PERM,
13891 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13892 				  NL80211_FLAG_NEED_RTNL,
13893 	},
13894 	{
13895 		.cmd = NL80211_CMD_DEL_INTERFACE,
13896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13897 		.doit = nl80211_del_interface,
13898 		.flags = GENL_UNS_ADMIN_PERM,
13899 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13900 				  NL80211_FLAG_NEED_RTNL,
13901 	},
13902 	{
13903 		.cmd = NL80211_CMD_GET_KEY,
13904 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13905 		.doit = nl80211_get_key,
13906 		.flags = GENL_UNS_ADMIN_PERM,
13907 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13908 				  NL80211_FLAG_NEED_RTNL,
13909 	},
13910 	{
13911 		.cmd = NL80211_CMD_SET_KEY,
13912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13913 		.doit = nl80211_set_key,
13914 		.flags = GENL_UNS_ADMIN_PERM,
13915 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13916 				  NL80211_FLAG_NEED_RTNL |
13917 				  NL80211_FLAG_CLEAR_SKB,
13918 	},
13919 	{
13920 		.cmd = NL80211_CMD_NEW_KEY,
13921 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13922 		.doit = nl80211_new_key,
13923 		.flags = GENL_UNS_ADMIN_PERM,
13924 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13925 				  NL80211_FLAG_NEED_RTNL |
13926 				  NL80211_FLAG_CLEAR_SKB,
13927 	},
13928 	{
13929 		.cmd = NL80211_CMD_DEL_KEY,
13930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13931 		.doit = nl80211_del_key,
13932 		.flags = GENL_UNS_ADMIN_PERM,
13933 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13934 				  NL80211_FLAG_NEED_RTNL,
13935 	},
13936 	{
13937 		.cmd = NL80211_CMD_SET_BEACON,
13938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13939 		.flags = GENL_UNS_ADMIN_PERM,
13940 		.doit = nl80211_set_beacon,
13941 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13942 				  NL80211_FLAG_NEED_RTNL,
13943 	},
13944 	{
13945 		.cmd = NL80211_CMD_START_AP,
13946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13947 		.flags = GENL_UNS_ADMIN_PERM,
13948 		.doit = nl80211_start_ap,
13949 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13950 				  NL80211_FLAG_NEED_RTNL,
13951 	},
13952 	{
13953 		.cmd = NL80211_CMD_STOP_AP,
13954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13955 		.flags = GENL_UNS_ADMIN_PERM,
13956 		.doit = nl80211_stop_ap,
13957 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13958 				  NL80211_FLAG_NEED_RTNL,
13959 	},
13960 	{
13961 		.cmd = NL80211_CMD_GET_STATION,
13962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13963 		.doit = nl80211_get_station,
13964 		.dumpit = nl80211_dump_station,
13965 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13966 				  NL80211_FLAG_NEED_RTNL,
13967 	},
13968 	{
13969 		.cmd = NL80211_CMD_SET_STATION,
13970 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13971 		.doit = nl80211_set_station,
13972 		.flags = GENL_UNS_ADMIN_PERM,
13973 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13974 				  NL80211_FLAG_NEED_RTNL,
13975 	},
13976 	{
13977 		.cmd = NL80211_CMD_NEW_STATION,
13978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13979 		.doit = nl80211_new_station,
13980 		.flags = GENL_UNS_ADMIN_PERM,
13981 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13982 				  NL80211_FLAG_NEED_RTNL,
13983 	},
13984 	{
13985 		.cmd = NL80211_CMD_DEL_STATION,
13986 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13987 		.doit = nl80211_del_station,
13988 		.flags = GENL_UNS_ADMIN_PERM,
13989 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13990 				  NL80211_FLAG_NEED_RTNL,
13991 	},
13992 	{
13993 		.cmd = NL80211_CMD_GET_MPATH,
13994 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13995 		.doit = nl80211_get_mpath,
13996 		.dumpit = nl80211_dump_mpath,
13997 		.flags = GENL_UNS_ADMIN_PERM,
13998 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13999 				  NL80211_FLAG_NEED_RTNL,
14000 	},
14001 	{
14002 		.cmd = NL80211_CMD_GET_MPP,
14003 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14004 		.doit = nl80211_get_mpp,
14005 		.dumpit = nl80211_dump_mpp,
14006 		.flags = GENL_UNS_ADMIN_PERM,
14007 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14008 				  NL80211_FLAG_NEED_RTNL,
14009 	},
14010 	{
14011 		.cmd = NL80211_CMD_SET_MPATH,
14012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14013 		.doit = nl80211_set_mpath,
14014 		.flags = GENL_UNS_ADMIN_PERM,
14015 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14016 				  NL80211_FLAG_NEED_RTNL,
14017 	},
14018 	{
14019 		.cmd = NL80211_CMD_NEW_MPATH,
14020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14021 		.doit = nl80211_new_mpath,
14022 		.flags = GENL_UNS_ADMIN_PERM,
14023 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14024 				  NL80211_FLAG_NEED_RTNL,
14025 	},
14026 	{
14027 		.cmd = NL80211_CMD_DEL_MPATH,
14028 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14029 		.doit = nl80211_del_mpath,
14030 		.flags = GENL_UNS_ADMIN_PERM,
14031 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14032 				  NL80211_FLAG_NEED_RTNL,
14033 	},
14034 	{
14035 		.cmd = NL80211_CMD_SET_BSS,
14036 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14037 		.doit = nl80211_set_bss,
14038 		.flags = GENL_UNS_ADMIN_PERM,
14039 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14040 				  NL80211_FLAG_NEED_RTNL,
14041 	},
14042 	{
14043 		.cmd = NL80211_CMD_GET_REG,
14044 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14045 		.doit = nl80211_get_reg_do,
14046 		.dumpit = nl80211_get_reg_dump,
14047 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14048 		/* can be retrieved by unprivileged users */
14049 	},
14050 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
14051 	{
14052 		.cmd = NL80211_CMD_SET_REG,
14053 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14054 		.doit = nl80211_set_reg,
14055 		.flags = GENL_ADMIN_PERM,
14056 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14057 	},
14058 #endif
14059 	{
14060 		.cmd = NL80211_CMD_REQ_SET_REG,
14061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14062 		.doit = nl80211_req_set_reg,
14063 		.flags = GENL_ADMIN_PERM,
14064 	},
14065 	{
14066 		.cmd = NL80211_CMD_RELOAD_REGDB,
14067 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14068 		.doit = nl80211_reload_regdb,
14069 		.flags = GENL_ADMIN_PERM,
14070 	},
14071 	{
14072 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14073 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14074 		.doit = nl80211_get_mesh_config,
14075 		/* can be retrieved by unprivileged users */
14076 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14077 				  NL80211_FLAG_NEED_RTNL,
14078 	},
14079 	{
14080 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14081 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14082 		.doit = nl80211_update_mesh_config,
14083 		.flags = GENL_UNS_ADMIN_PERM,
14084 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14085 				  NL80211_FLAG_NEED_RTNL,
14086 	},
14087 	{
14088 		.cmd = NL80211_CMD_TRIGGER_SCAN,
14089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14090 		.doit = nl80211_trigger_scan,
14091 		.flags = GENL_UNS_ADMIN_PERM,
14092 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14093 				  NL80211_FLAG_NEED_RTNL,
14094 	},
14095 	{
14096 		.cmd = NL80211_CMD_ABORT_SCAN,
14097 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14098 		.doit = nl80211_abort_scan,
14099 		.flags = GENL_UNS_ADMIN_PERM,
14100 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14101 				  NL80211_FLAG_NEED_RTNL,
14102 	},
14103 	{
14104 		.cmd = NL80211_CMD_GET_SCAN,
14105 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14106 		.dumpit = nl80211_dump_scan,
14107 	},
14108 	{
14109 		.cmd = NL80211_CMD_START_SCHED_SCAN,
14110 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14111 		.doit = nl80211_start_sched_scan,
14112 		.flags = GENL_UNS_ADMIN_PERM,
14113 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14114 				  NL80211_FLAG_NEED_RTNL,
14115 	},
14116 	{
14117 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14118 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14119 		.doit = nl80211_stop_sched_scan,
14120 		.flags = GENL_UNS_ADMIN_PERM,
14121 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14122 				  NL80211_FLAG_NEED_RTNL,
14123 	},
14124 	{
14125 		.cmd = NL80211_CMD_AUTHENTICATE,
14126 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14127 		.doit = nl80211_authenticate,
14128 		.flags = GENL_UNS_ADMIN_PERM,
14129 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14130 				  NL80211_FLAG_NEED_RTNL |
14131 				  NL80211_FLAG_CLEAR_SKB,
14132 	},
14133 	{
14134 		.cmd = NL80211_CMD_ASSOCIATE,
14135 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14136 		.doit = nl80211_associate,
14137 		.flags = GENL_UNS_ADMIN_PERM,
14138 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14139 				  NL80211_FLAG_NEED_RTNL |
14140 				  NL80211_FLAG_CLEAR_SKB,
14141 	},
14142 	{
14143 		.cmd = NL80211_CMD_DEAUTHENTICATE,
14144 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14145 		.doit = nl80211_deauthenticate,
14146 		.flags = GENL_UNS_ADMIN_PERM,
14147 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14148 				  NL80211_FLAG_NEED_RTNL,
14149 	},
14150 	{
14151 		.cmd = NL80211_CMD_DISASSOCIATE,
14152 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14153 		.doit = nl80211_disassociate,
14154 		.flags = GENL_UNS_ADMIN_PERM,
14155 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14156 				  NL80211_FLAG_NEED_RTNL,
14157 	},
14158 	{
14159 		.cmd = NL80211_CMD_JOIN_IBSS,
14160 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14161 		.doit = nl80211_join_ibss,
14162 		.flags = GENL_UNS_ADMIN_PERM,
14163 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14164 				  NL80211_FLAG_NEED_RTNL,
14165 	},
14166 	{
14167 		.cmd = NL80211_CMD_LEAVE_IBSS,
14168 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14169 		.doit = nl80211_leave_ibss,
14170 		.flags = GENL_UNS_ADMIN_PERM,
14171 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14172 				  NL80211_FLAG_NEED_RTNL,
14173 	},
14174 #ifdef CONFIG_NL80211_TESTMODE
14175 	{
14176 		.cmd = NL80211_CMD_TESTMODE,
14177 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14178 		.doit = nl80211_testmode_do,
14179 		.dumpit = nl80211_testmode_dump,
14180 		.flags = GENL_UNS_ADMIN_PERM,
14181 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14182 				  NL80211_FLAG_NEED_RTNL,
14183 	},
14184 #endif
14185 	{
14186 		.cmd = NL80211_CMD_CONNECT,
14187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14188 		.doit = nl80211_connect,
14189 		.flags = GENL_UNS_ADMIN_PERM,
14190 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14191 				  NL80211_FLAG_NEED_RTNL |
14192 				  NL80211_FLAG_CLEAR_SKB,
14193 	},
14194 	{
14195 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
14196 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14197 		.doit = nl80211_update_connect_params,
14198 		.flags = GENL_ADMIN_PERM,
14199 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14200 				  NL80211_FLAG_NEED_RTNL |
14201 				  NL80211_FLAG_CLEAR_SKB,
14202 	},
14203 	{
14204 		.cmd = NL80211_CMD_DISCONNECT,
14205 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14206 		.doit = nl80211_disconnect,
14207 		.flags = GENL_UNS_ADMIN_PERM,
14208 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14209 				  NL80211_FLAG_NEED_RTNL,
14210 	},
14211 	{
14212 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
14213 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14214 		.doit = nl80211_wiphy_netns,
14215 		.flags = GENL_UNS_ADMIN_PERM,
14216 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14217 				  NL80211_FLAG_NEED_RTNL,
14218 	},
14219 	{
14220 		.cmd = NL80211_CMD_GET_SURVEY,
14221 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14222 		.dumpit = nl80211_dump_survey,
14223 	},
14224 	{
14225 		.cmd = NL80211_CMD_SET_PMKSA,
14226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14227 		.doit = nl80211_setdel_pmksa,
14228 		.flags = GENL_UNS_ADMIN_PERM,
14229 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14230 				  NL80211_FLAG_NEED_RTNL |
14231 				  NL80211_FLAG_CLEAR_SKB,
14232 	},
14233 	{
14234 		.cmd = NL80211_CMD_DEL_PMKSA,
14235 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14236 		.doit = nl80211_setdel_pmksa,
14237 		.flags = GENL_UNS_ADMIN_PERM,
14238 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14239 				  NL80211_FLAG_NEED_RTNL,
14240 	},
14241 	{
14242 		.cmd = NL80211_CMD_FLUSH_PMKSA,
14243 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14244 		.doit = nl80211_flush_pmksa,
14245 		.flags = GENL_UNS_ADMIN_PERM,
14246 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14247 				  NL80211_FLAG_NEED_RTNL,
14248 	},
14249 	{
14250 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
14251 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14252 		.doit = nl80211_remain_on_channel,
14253 		.flags = GENL_UNS_ADMIN_PERM,
14254 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14255 				  NL80211_FLAG_NEED_RTNL,
14256 	},
14257 	{
14258 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14260 		.doit = nl80211_cancel_remain_on_channel,
14261 		.flags = GENL_UNS_ADMIN_PERM,
14262 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14263 				  NL80211_FLAG_NEED_RTNL,
14264 	},
14265 	{
14266 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14268 		.doit = nl80211_set_tx_bitrate_mask,
14269 		.flags = GENL_UNS_ADMIN_PERM,
14270 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14271 				  NL80211_FLAG_NEED_RTNL,
14272 	},
14273 	{
14274 		.cmd = NL80211_CMD_REGISTER_FRAME,
14275 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14276 		.doit = nl80211_register_mgmt,
14277 		.flags = GENL_UNS_ADMIN_PERM,
14278 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14279 				  NL80211_FLAG_NEED_RTNL,
14280 	},
14281 	{
14282 		.cmd = NL80211_CMD_FRAME,
14283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14284 		.doit = nl80211_tx_mgmt,
14285 		.flags = GENL_UNS_ADMIN_PERM,
14286 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14287 				  NL80211_FLAG_NEED_RTNL,
14288 	},
14289 	{
14290 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14291 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14292 		.doit = nl80211_tx_mgmt_cancel_wait,
14293 		.flags = GENL_UNS_ADMIN_PERM,
14294 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14295 				  NL80211_FLAG_NEED_RTNL,
14296 	},
14297 	{
14298 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14300 		.doit = nl80211_set_power_save,
14301 		.flags = GENL_UNS_ADMIN_PERM,
14302 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14303 				  NL80211_FLAG_NEED_RTNL,
14304 	},
14305 	{
14306 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14307 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14308 		.doit = nl80211_get_power_save,
14309 		/* can be retrieved by unprivileged users */
14310 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14311 				  NL80211_FLAG_NEED_RTNL,
14312 	},
14313 	{
14314 		.cmd = NL80211_CMD_SET_CQM,
14315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14316 		.doit = nl80211_set_cqm,
14317 		.flags = GENL_UNS_ADMIN_PERM,
14318 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14319 				  NL80211_FLAG_NEED_RTNL,
14320 	},
14321 	{
14322 		.cmd = NL80211_CMD_SET_CHANNEL,
14323 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14324 		.doit = nl80211_set_channel,
14325 		.flags = GENL_UNS_ADMIN_PERM,
14326 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14327 				  NL80211_FLAG_NEED_RTNL,
14328 	},
14329 	{
14330 		.cmd = NL80211_CMD_SET_WDS_PEER,
14331 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14332 		.doit = nl80211_set_wds_peer,
14333 		.flags = GENL_UNS_ADMIN_PERM,
14334 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14335 				  NL80211_FLAG_NEED_RTNL,
14336 	},
14337 	{
14338 		.cmd = NL80211_CMD_JOIN_MESH,
14339 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14340 		.doit = nl80211_join_mesh,
14341 		.flags = GENL_UNS_ADMIN_PERM,
14342 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14343 				  NL80211_FLAG_NEED_RTNL,
14344 	},
14345 	{
14346 		.cmd = NL80211_CMD_LEAVE_MESH,
14347 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14348 		.doit = nl80211_leave_mesh,
14349 		.flags = GENL_UNS_ADMIN_PERM,
14350 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14351 				  NL80211_FLAG_NEED_RTNL,
14352 	},
14353 	{
14354 		.cmd = NL80211_CMD_JOIN_OCB,
14355 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14356 		.doit = nl80211_join_ocb,
14357 		.flags = GENL_UNS_ADMIN_PERM,
14358 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14359 				  NL80211_FLAG_NEED_RTNL,
14360 	},
14361 	{
14362 		.cmd = NL80211_CMD_LEAVE_OCB,
14363 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14364 		.doit = nl80211_leave_ocb,
14365 		.flags = GENL_UNS_ADMIN_PERM,
14366 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14367 				  NL80211_FLAG_NEED_RTNL,
14368 	},
14369 #ifdef CONFIG_PM
14370 	{
14371 		.cmd = NL80211_CMD_GET_WOWLAN,
14372 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14373 		.doit = nl80211_get_wowlan,
14374 		/* can be retrieved by unprivileged users */
14375 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14376 				  NL80211_FLAG_NEED_RTNL,
14377 	},
14378 	{
14379 		.cmd = NL80211_CMD_SET_WOWLAN,
14380 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14381 		.doit = nl80211_set_wowlan,
14382 		.flags = GENL_UNS_ADMIN_PERM,
14383 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14384 				  NL80211_FLAG_NEED_RTNL,
14385 	},
14386 #endif
14387 	{
14388 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
14389 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14390 		.doit = nl80211_set_rekey_data,
14391 		.flags = GENL_UNS_ADMIN_PERM,
14392 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14393 				  NL80211_FLAG_NEED_RTNL |
14394 				  NL80211_FLAG_CLEAR_SKB,
14395 	},
14396 	{
14397 		.cmd = NL80211_CMD_TDLS_MGMT,
14398 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14399 		.doit = nl80211_tdls_mgmt,
14400 		.flags = GENL_UNS_ADMIN_PERM,
14401 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14402 				  NL80211_FLAG_NEED_RTNL,
14403 	},
14404 	{
14405 		.cmd = NL80211_CMD_TDLS_OPER,
14406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14407 		.doit = nl80211_tdls_oper,
14408 		.flags = GENL_UNS_ADMIN_PERM,
14409 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14410 				  NL80211_FLAG_NEED_RTNL,
14411 	},
14412 	{
14413 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
14414 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14415 		.doit = nl80211_register_unexpected_frame,
14416 		.flags = GENL_UNS_ADMIN_PERM,
14417 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14418 				  NL80211_FLAG_NEED_RTNL,
14419 	},
14420 	{
14421 		.cmd = NL80211_CMD_PROBE_CLIENT,
14422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14423 		.doit = nl80211_probe_client,
14424 		.flags = GENL_UNS_ADMIN_PERM,
14425 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14426 				  NL80211_FLAG_NEED_RTNL,
14427 	},
14428 	{
14429 		.cmd = NL80211_CMD_REGISTER_BEACONS,
14430 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14431 		.doit = nl80211_register_beacons,
14432 		.flags = GENL_UNS_ADMIN_PERM,
14433 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14434 				  NL80211_FLAG_NEED_RTNL,
14435 	},
14436 	{
14437 		.cmd = NL80211_CMD_SET_NOACK_MAP,
14438 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14439 		.doit = nl80211_set_noack_map,
14440 		.flags = GENL_UNS_ADMIN_PERM,
14441 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14442 				  NL80211_FLAG_NEED_RTNL,
14443 	},
14444 	{
14445 		.cmd = NL80211_CMD_START_P2P_DEVICE,
14446 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14447 		.doit = nl80211_start_p2p_device,
14448 		.flags = GENL_UNS_ADMIN_PERM,
14449 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14450 				  NL80211_FLAG_NEED_RTNL,
14451 	},
14452 	{
14453 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
14454 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14455 		.doit = nl80211_stop_p2p_device,
14456 		.flags = GENL_UNS_ADMIN_PERM,
14457 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14458 				  NL80211_FLAG_NEED_RTNL,
14459 	},
14460 	{
14461 		.cmd = NL80211_CMD_START_NAN,
14462 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14463 		.doit = nl80211_start_nan,
14464 		.flags = GENL_ADMIN_PERM,
14465 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14466 				  NL80211_FLAG_NEED_RTNL,
14467 	},
14468 	{
14469 		.cmd = NL80211_CMD_STOP_NAN,
14470 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14471 		.doit = nl80211_stop_nan,
14472 		.flags = GENL_ADMIN_PERM,
14473 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14474 				  NL80211_FLAG_NEED_RTNL,
14475 	},
14476 	{
14477 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
14478 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14479 		.doit = nl80211_nan_add_func,
14480 		.flags = GENL_ADMIN_PERM,
14481 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14482 				  NL80211_FLAG_NEED_RTNL,
14483 	},
14484 	{
14485 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
14486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14487 		.doit = nl80211_nan_del_func,
14488 		.flags = GENL_ADMIN_PERM,
14489 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14490 				  NL80211_FLAG_NEED_RTNL,
14491 	},
14492 	{
14493 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
14494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14495 		.doit = nl80211_nan_change_config,
14496 		.flags = GENL_ADMIN_PERM,
14497 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14498 				  NL80211_FLAG_NEED_RTNL,
14499 	},
14500 	{
14501 		.cmd = NL80211_CMD_SET_MCAST_RATE,
14502 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14503 		.doit = nl80211_set_mcast_rate,
14504 		.flags = GENL_UNS_ADMIN_PERM,
14505 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14506 				  NL80211_FLAG_NEED_RTNL,
14507 	},
14508 	{
14509 		.cmd = NL80211_CMD_SET_MAC_ACL,
14510 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14511 		.doit = nl80211_set_mac_acl,
14512 		.flags = GENL_UNS_ADMIN_PERM,
14513 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14514 				  NL80211_FLAG_NEED_RTNL,
14515 	},
14516 	{
14517 		.cmd = NL80211_CMD_RADAR_DETECT,
14518 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14519 		.doit = nl80211_start_radar_detection,
14520 		.flags = GENL_UNS_ADMIN_PERM,
14521 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14522 				  NL80211_FLAG_NEED_RTNL,
14523 	},
14524 	{
14525 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
14526 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14527 		.doit = nl80211_get_protocol_features,
14528 	},
14529 	{
14530 		.cmd = NL80211_CMD_UPDATE_FT_IES,
14531 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14532 		.doit = nl80211_update_ft_ies,
14533 		.flags = GENL_UNS_ADMIN_PERM,
14534 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14535 				  NL80211_FLAG_NEED_RTNL,
14536 	},
14537 	{
14538 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
14539 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14540 		.doit = nl80211_crit_protocol_start,
14541 		.flags = GENL_UNS_ADMIN_PERM,
14542 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14543 				  NL80211_FLAG_NEED_RTNL,
14544 	},
14545 	{
14546 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14547 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14548 		.doit = nl80211_crit_protocol_stop,
14549 		.flags = GENL_UNS_ADMIN_PERM,
14550 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14551 				  NL80211_FLAG_NEED_RTNL,
14552 	},
14553 	{
14554 		.cmd = NL80211_CMD_GET_COALESCE,
14555 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14556 		.doit = nl80211_get_coalesce,
14557 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14558 				  NL80211_FLAG_NEED_RTNL,
14559 	},
14560 	{
14561 		.cmd = NL80211_CMD_SET_COALESCE,
14562 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14563 		.doit = nl80211_set_coalesce,
14564 		.flags = GENL_UNS_ADMIN_PERM,
14565 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14566 				  NL80211_FLAG_NEED_RTNL,
14567 	},
14568 	{
14569 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
14570 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14571 		.doit = nl80211_channel_switch,
14572 		.flags = GENL_UNS_ADMIN_PERM,
14573 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14574 				  NL80211_FLAG_NEED_RTNL,
14575 	},
14576 	{
14577 		.cmd = NL80211_CMD_VENDOR,
14578 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14579 		.doit = nl80211_vendor_cmd,
14580 		.dumpit = nl80211_vendor_cmd_dump,
14581 		.flags = GENL_UNS_ADMIN_PERM,
14582 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14583 				  NL80211_FLAG_NEED_RTNL |
14584 				  NL80211_FLAG_CLEAR_SKB,
14585 	},
14586 	{
14587 		.cmd = NL80211_CMD_SET_QOS_MAP,
14588 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14589 		.doit = nl80211_set_qos_map,
14590 		.flags = GENL_UNS_ADMIN_PERM,
14591 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14592 				  NL80211_FLAG_NEED_RTNL,
14593 	},
14594 	{
14595 		.cmd = NL80211_CMD_ADD_TX_TS,
14596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14597 		.doit = nl80211_add_tx_ts,
14598 		.flags = GENL_UNS_ADMIN_PERM,
14599 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14600 				  NL80211_FLAG_NEED_RTNL,
14601 	},
14602 	{
14603 		.cmd = NL80211_CMD_DEL_TX_TS,
14604 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14605 		.doit = nl80211_del_tx_ts,
14606 		.flags = GENL_UNS_ADMIN_PERM,
14607 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14608 				  NL80211_FLAG_NEED_RTNL,
14609 	},
14610 	{
14611 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
14612 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14613 		.doit = nl80211_tdls_channel_switch,
14614 		.flags = GENL_UNS_ADMIN_PERM,
14615 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14616 				  NL80211_FLAG_NEED_RTNL,
14617 	},
14618 	{
14619 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
14620 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14621 		.doit = nl80211_tdls_cancel_channel_switch,
14622 		.flags = GENL_UNS_ADMIN_PERM,
14623 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14624 				  NL80211_FLAG_NEED_RTNL,
14625 	},
14626 	{
14627 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
14628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14629 		.doit = nl80211_set_multicast_to_unicast,
14630 		.flags = GENL_UNS_ADMIN_PERM,
14631 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14632 				  NL80211_FLAG_NEED_RTNL,
14633 	},
14634 	{
14635 		.cmd = NL80211_CMD_SET_PMK,
14636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14637 		.doit = nl80211_set_pmk,
14638 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14639 				  NL80211_FLAG_NEED_RTNL |
14640 				  NL80211_FLAG_CLEAR_SKB,
14641 	},
14642 	{
14643 		.cmd = NL80211_CMD_DEL_PMK,
14644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14645 		.doit = nl80211_del_pmk,
14646 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14647 				  NL80211_FLAG_NEED_RTNL,
14648 	},
14649 	{
14650 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
14651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14652 		.doit = nl80211_external_auth,
14653 		.flags = GENL_ADMIN_PERM,
14654 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14655 				  NL80211_FLAG_NEED_RTNL,
14656 	},
14657 	{
14658 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
14659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14660 		.doit = nl80211_tx_control_port,
14661 		.flags = GENL_UNS_ADMIN_PERM,
14662 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14663 				  NL80211_FLAG_NEED_RTNL,
14664 	},
14665 	{
14666 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
14667 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14668 		.doit = nl80211_get_ftm_responder_stats,
14669 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14670 				  NL80211_FLAG_NEED_RTNL,
14671 	},
14672 	{
14673 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
14674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14675 		.doit = nl80211_pmsr_start,
14676 		.flags = GENL_UNS_ADMIN_PERM,
14677 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14678 				  NL80211_FLAG_NEED_RTNL,
14679 	},
14680 	{
14681 		.cmd = NL80211_CMD_NOTIFY_RADAR,
14682 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14683 		.doit = nl80211_notify_radar_detection,
14684 		.flags = GENL_UNS_ADMIN_PERM,
14685 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14686 				  NL80211_FLAG_NEED_RTNL,
14687 	},
14688 	{
14689 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
14690 		.doit = nl80211_update_owe_info,
14691 		.flags = GENL_ADMIN_PERM,
14692 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14693 				  NL80211_FLAG_NEED_RTNL,
14694 	},
14695 	{
14696 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
14697 		.doit = nl80211_probe_mesh_link,
14698 		.flags = GENL_UNS_ADMIN_PERM,
14699 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14700 				  NL80211_FLAG_NEED_RTNL,
14701 	},
14702 };
14703 
14704 static struct genl_family nl80211_fam __ro_after_init = {
14705 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
14706 	.hdrsize = 0,			/* no private header */
14707 	.version = 1,			/* no particular meaning now */
14708 	.maxattr = NL80211_ATTR_MAX,
14709 	.policy = nl80211_policy,
14710 	.netnsok = true,
14711 	.pre_doit = nl80211_pre_doit,
14712 	.post_doit = nl80211_post_doit,
14713 	.module = THIS_MODULE,
14714 	.ops = nl80211_ops,
14715 	.n_ops = ARRAY_SIZE(nl80211_ops),
14716 	.mcgrps = nl80211_mcgrps,
14717 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
14718 	.parallel_ops = true,
14719 };
14720 
14721 /* notification functions */
14722 
14723 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
14724 			  enum nl80211_commands cmd)
14725 {
14726 	struct sk_buff *msg;
14727 	struct nl80211_dump_wiphy_state state = {};
14728 
14729 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
14730 		cmd != NL80211_CMD_DEL_WIPHY);
14731 
14732 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14733 	if (!msg)
14734 		return;
14735 
14736 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
14737 		nlmsg_free(msg);
14738 		return;
14739 	}
14740 
14741 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14742 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14743 }
14744 
14745 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
14746 				struct wireless_dev *wdev,
14747 				enum nl80211_commands cmd)
14748 {
14749 	struct sk_buff *msg;
14750 
14751 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14752 	if (!msg)
14753 		return;
14754 
14755 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
14756 		nlmsg_free(msg);
14757 		return;
14758 	}
14759 
14760 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14761 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14762 }
14763 
14764 static int nl80211_add_scan_req(struct sk_buff *msg,
14765 				struct cfg80211_registered_device *rdev)
14766 {
14767 	struct cfg80211_scan_request *req = rdev->scan_req;
14768 	struct nlattr *nest;
14769 	int i;
14770 
14771 	if (WARN_ON(!req))
14772 		return 0;
14773 
14774 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
14775 	if (!nest)
14776 		goto nla_put_failure;
14777 	for (i = 0; i < req->n_ssids; i++) {
14778 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
14779 			goto nla_put_failure;
14780 	}
14781 	nla_nest_end(msg, nest);
14782 
14783 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14784 	if (!nest)
14785 		goto nla_put_failure;
14786 	for (i = 0; i < req->n_channels; i++) {
14787 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14788 			goto nla_put_failure;
14789 	}
14790 	nla_nest_end(msg, nest);
14791 
14792 	if (req->ie &&
14793 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
14794 		goto nla_put_failure;
14795 
14796 	if (req->flags &&
14797 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
14798 		goto nla_put_failure;
14799 
14800 	if (req->info.scan_start_tsf &&
14801 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
14802 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
14803 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
14804 		     req->info.tsf_bssid)))
14805 		goto nla_put_failure;
14806 
14807 	return 0;
14808  nla_put_failure:
14809 	return -ENOBUFS;
14810 }
14811 
14812 static int nl80211_prep_scan_msg(struct sk_buff *msg,
14813 				 struct cfg80211_registered_device *rdev,
14814 				 struct wireless_dev *wdev,
14815 				 u32 portid, u32 seq, int flags,
14816 				 u32 cmd)
14817 {
14818 	void *hdr;
14819 
14820 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
14821 	if (!hdr)
14822 		return -1;
14823 
14824 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14825 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14826 					 wdev->netdev->ifindex)) ||
14827 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14828 			      NL80211_ATTR_PAD))
14829 		goto nla_put_failure;
14830 
14831 	/* ignore errors and send incomplete event anyway */
14832 	nl80211_add_scan_req(msg, rdev);
14833 
14834 	genlmsg_end(msg, hdr);
14835 	return 0;
14836 
14837  nla_put_failure:
14838 	genlmsg_cancel(msg, hdr);
14839 	return -EMSGSIZE;
14840 }
14841 
14842 static int
14843 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
14844 			    struct cfg80211_sched_scan_request *req, u32 cmd)
14845 {
14846 	void *hdr;
14847 
14848 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14849 	if (!hdr)
14850 		return -1;
14851 
14852 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
14853 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
14854 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
14855 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
14856 			      NL80211_ATTR_PAD))
14857 		goto nla_put_failure;
14858 
14859 	genlmsg_end(msg, hdr);
14860 	return 0;
14861 
14862  nla_put_failure:
14863 	genlmsg_cancel(msg, hdr);
14864 	return -EMSGSIZE;
14865 }
14866 
14867 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
14868 			     struct wireless_dev *wdev)
14869 {
14870 	struct sk_buff *msg;
14871 
14872 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14873 	if (!msg)
14874 		return;
14875 
14876 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14877 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
14878 		nlmsg_free(msg);
14879 		return;
14880 	}
14881 
14882 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14883 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14884 }
14885 
14886 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
14887 				       struct wireless_dev *wdev, bool aborted)
14888 {
14889 	struct sk_buff *msg;
14890 
14891 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14892 	if (!msg)
14893 		return NULL;
14894 
14895 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14896 				  aborted ? NL80211_CMD_SCAN_ABORTED :
14897 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
14898 		nlmsg_free(msg);
14899 		return NULL;
14900 	}
14901 
14902 	return msg;
14903 }
14904 
14905 /* send message created by nl80211_build_scan_msg() */
14906 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
14907 			   struct sk_buff *msg)
14908 {
14909 	if (!msg)
14910 		return;
14911 
14912 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14913 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14914 }
14915 
14916 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
14917 {
14918 	struct sk_buff *msg;
14919 
14920 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14921 	if (!msg)
14922 		return;
14923 
14924 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
14925 		nlmsg_free(msg);
14926 		return;
14927 	}
14928 
14929 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
14930 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14931 }
14932 
14933 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
14934 					  struct regulatory_request *request)
14935 {
14936 	/* Userspace can always count this one always being set */
14937 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
14938 		goto nla_put_failure;
14939 
14940 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
14941 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14942 			       NL80211_REGDOM_TYPE_WORLD))
14943 			goto nla_put_failure;
14944 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
14945 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14946 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
14947 			goto nla_put_failure;
14948 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
14949 		   request->intersect) {
14950 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14951 			       NL80211_REGDOM_TYPE_INTERSECTION))
14952 			goto nla_put_failure;
14953 	} else {
14954 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14955 			       NL80211_REGDOM_TYPE_COUNTRY) ||
14956 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
14957 				   request->alpha2))
14958 			goto nla_put_failure;
14959 	}
14960 
14961 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
14962 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
14963 
14964 		if (wiphy &&
14965 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
14966 			goto nla_put_failure;
14967 
14968 		if (wiphy &&
14969 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
14970 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
14971 			goto nla_put_failure;
14972 	}
14973 
14974 	return true;
14975 
14976 nla_put_failure:
14977 	return false;
14978 }
14979 
14980 /*
14981  * This can happen on global regulatory changes or device specific settings
14982  * based on custom regulatory domains.
14983  */
14984 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14985 				     struct regulatory_request *request)
14986 {
14987 	struct sk_buff *msg;
14988 	void *hdr;
14989 
14990 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14991 	if (!msg)
14992 		return;
14993 
14994 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
14995 	if (!hdr) {
14996 		nlmsg_free(msg);
14997 		return;
14998 	}
14999 
15000 	if (nl80211_reg_change_event_fill(msg, request) == false)
15001 		goto nla_put_failure;
15002 
15003 	genlmsg_end(msg, hdr);
15004 
15005 	rcu_read_lock();
15006 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15007 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15008 	rcu_read_unlock();
15009 
15010 	return;
15011 
15012 nla_put_failure:
15013 	nlmsg_free(msg);
15014 }
15015 
15016 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15017 				    struct net_device *netdev,
15018 				    const u8 *buf, size_t len,
15019 				    enum nl80211_commands cmd, gfp_t gfp,
15020 				    int uapsd_queues, const u8 *req_ies,
15021 				    size_t req_ies_len)
15022 {
15023 	struct sk_buff *msg;
15024 	void *hdr;
15025 
15026 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15027 	if (!msg)
15028 		return;
15029 
15030 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15031 	if (!hdr) {
15032 		nlmsg_free(msg);
15033 		return;
15034 	}
15035 
15036 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15037 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15038 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15039 	    (req_ies &&
15040 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15041 		goto nla_put_failure;
15042 
15043 	if (uapsd_queues >= 0) {
15044 		struct nlattr *nla_wmm =
15045 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15046 		if (!nla_wmm)
15047 			goto nla_put_failure;
15048 
15049 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15050 			       uapsd_queues))
15051 			goto nla_put_failure;
15052 
15053 		nla_nest_end(msg, nla_wmm);
15054 	}
15055 
15056 	genlmsg_end(msg, hdr);
15057 
15058 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15059 				NL80211_MCGRP_MLME, gfp);
15060 	return;
15061 
15062  nla_put_failure:
15063 	nlmsg_free(msg);
15064 }
15065 
15066 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15067 			  struct net_device *netdev, const u8 *buf,
15068 			  size_t len, gfp_t gfp)
15069 {
15070 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15071 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15072 }
15073 
15074 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15075 			   struct net_device *netdev, const u8 *buf,
15076 			   size_t len, gfp_t gfp, int uapsd_queues,
15077 			   const u8 *req_ies, size_t req_ies_len)
15078 {
15079 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15080 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15081 				req_ies, req_ies_len);
15082 }
15083 
15084 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15085 			 struct net_device *netdev, const u8 *buf,
15086 			 size_t len, gfp_t gfp)
15087 {
15088 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15089 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15090 }
15091 
15092 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15093 			   struct net_device *netdev, const u8 *buf,
15094 			   size_t len, gfp_t gfp)
15095 {
15096 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15097 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15098 }
15099 
15100 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15101 				  size_t len)
15102 {
15103 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15104 	struct wiphy *wiphy = wdev->wiphy;
15105 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15106 	const struct ieee80211_mgmt *mgmt = (void *)buf;
15107 	u32 cmd;
15108 
15109 	if (WARN_ON(len < 2))
15110 		return;
15111 
15112 	if (ieee80211_is_deauth(mgmt->frame_control))
15113 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15114 	else
15115 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15116 
15117 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
15118 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
15119 				NULL, 0);
15120 }
15121 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
15122 
15123 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
15124 				      struct net_device *netdev, int cmd,
15125 				      const u8 *addr, gfp_t gfp)
15126 {
15127 	struct sk_buff *msg;
15128 	void *hdr;
15129 
15130 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15131 	if (!msg)
15132 		return;
15133 
15134 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15135 	if (!hdr) {
15136 		nlmsg_free(msg);
15137 		return;
15138 	}
15139 
15140 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15141 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15142 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15143 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15144 		goto nla_put_failure;
15145 
15146 	genlmsg_end(msg, hdr);
15147 
15148 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15149 				NL80211_MCGRP_MLME, gfp);
15150 	return;
15151 
15152  nla_put_failure:
15153 	nlmsg_free(msg);
15154 }
15155 
15156 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
15157 			       struct net_device *netdev, const u8 *addr,
15158 			       gfp_t gfp)
15159 {
15160 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
15161 				  addr, gfp);
15162 }
15163 
15164 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
15165 				struct net_device *netdev, const u8 *addr,
15166 				gfp_t gfp)
15167 {
15168 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
15169 				  addr, gfp);
15170 }
15171 
15172 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
15173 				 struct net_device *netdev,
15174 				 struct cfg80211_connect_resp_params *cr,
15175 				 gfp_t gfp)
15176 {
15177 	struct sk_buff *msg;
15178 	void *hdr;
15179 
15180 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
15181 			cr->fils.kek_len + cr->fils.pmk_len +
15182 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15183 	if (!msg)
15184 		return;
15185 
15186 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
15187 	if (!hdr) {
15188 		nlmsg_free(msg);
15189 		return;
15190 	}
15191 
15192 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15193 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15194 	    (cr->bssid &&
15195 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
15196 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
15197 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
15198 			cr->status) ||
15199 	    (cr->status < 0 &&
15200 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15201 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
15202 			  cr->timeout_reason))) ||
15203 	    (cr->req_ie &&
15204 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
15205 	    (cr->resp_ie &&
15206 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
15207 		     cr->resp_ie)) ||
15208 	    (cr->fils.update_erp_next_seq_num &&
15209 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15210 			 cr->fils.erp_next_seq_num)) ||
15211 	    (cr->status == WLAN_STATUS_SUCCESS &&
15212 	     ((cr->fils.kek &&
15213 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
15214 		       cr->fils.kek)) ||
15215 	      (cr->fils.pmk &&
15216 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
15217 	      (cr->fils.pmkid &&
15218 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
15219 		goto nla_put_failure;
15220 
15221 	genlmsg_end(msg, hdr);
15222 
15223 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15224 				NL80211_MCGRP_MLME, gfp);
15225 	return;
15226 
15227  nla_put_failure:
15228 	nlmsg_free(msg);
15229 }
15230 
15231 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
15232 			 struct net_device *netdev,
15233 			 struct cfg80211_roam_info *info, gfp_t gfp)
15234 {
15235 	struct sk_buff *msg;
15236 	void *hdr;
15237 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
15238 
15239 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
15240 			info->fils.kek_len + info->fils.pmk_len +
15241 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15242 	if (!msg)
15243 		return;
15244 
15245 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
15246 	if (!hdr) {
15247 		nlmsg_free(msg);
15248 		return;
15249 	}
15250 
15251 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15252 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15253 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
15254 	    (info->req_ie &&
15255 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
15256 		     info->req_ie)) ||
15257 	    (info->resp_ie &&
15258 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
15259 		     info->resp_ie)) ||
15260 	    (info->fils.update_erp_next_seq_num &&
15261 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15262 			 info->fils.erp_next_seq_num)) ||
15263 	    (info->fils.kek &&
15264 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
15265 		     info->fils.kek)) ||
15266 	    (info->fils.pmk &&
15267 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
15268 	    (info->fils.pmkid &&
15269 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
15270 		goto nla_put_failure;
15271 
15272 	genlmsg_end(msg, hdr);
15273 
15274 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15275 				NL80211_MCGRP_MLME, gfp);
15276 	return;
15277 
15278  nla_put_failure:
15279 	nlmsg_free(msg);
15280 }
15281 
15282 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
15283 				  struct net_device *netdev, const u8 *bssid)
15284 {
15285 	struct sk_buff *msg;
15286 	void *hdr;
15287 
15288 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15289 	if (!msg)
15290 		return;
15291 
15292 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
15293 	if (!hdr) {
15294 		nlmsg_free(msg);
15295 		return;
15296 	}
15297 
15298 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15299 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15300 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15301 		goto nla_put_failure;
15302 
15303 	genlmsg_end(msg, hdr);
15304 
15305 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15306 				NL80211_MCGRP_MLME, GFP_KERNEL);
15307 	return;
15308 
15309  nla_put_failure:
15310 	nlmsg_free(msg);
15311 }
15312 
15313 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
15314 			       struct net_device *netdev, u16 reason,
15315 			       const u8 *ie, size_t ie_len, bool from_ap)
15316 {
15317 	struct sk_buff *msg;
15318 	void *hdr;
15319 
15320 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
15321 	if (!msg)
15322 		return;
15323 
15324 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
15325 	if (!hdr) {
15326 		nlmsg_free(msg);
15327 		return;
15328 	}
15329 
15330 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15331 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15332 	    (reason &&
15333 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
15334 	    (from_ap &&
15335 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
15336 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
15337 		goto nla_put_failure;
15338 
15339 	genlmsg_end(msg, hdr);
15340 
15341 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15342 				NL80211_MCGRP_MLME, GFP_KERNEL);
15343 	return;
15344 
15345  nla_put_failure:
15346 	nlmsg_free(msg);
15347 }
15348 
15349 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
15350 			     struct net_device *netdev, const u8 *bssid,
15351 			     gfp_t gfp)
15352 {
15353 	struct sk_buff *msg;
15354 	void *hdr;
15355 
15356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15357 	if (!msg)
15358 		return;
15359 
15360 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
15361 	if (!hdr) {
15362 		nlmsg_free(msg);
15363 		return;
15364 	}
15365 
15366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15367 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15368 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15369 		goto nla_put_failure;
15370 
15371 	genlmsg_end(msg, hdr);
15372 
15373 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15374 				NL80211_MCGRP_MLME, gfp);
15375 	return;
15376 
15377  nla_put_failure:
15378 	nlmsg_free(msg);
15379 }
15380 
15381 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
15382 					const u8 *ie, u8 ie_len,
15383 					int sig_dbm, gfp_t gfp)
15384 {
15385 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15386 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15387 	struct sk_buff *msg;
15388 	void *hdr;
15389 
15390 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
15391 		return;
15392 
15393 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
15394 
15395 	msg = nlmsg_new(100 + ie_len, gfp);
15396 	if (!msg)
15397 		return;
15398 
15399 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
15400 	if (!hdr) {
15401 		nlmsg_free(msg);
15402 		return;
15403 	}
15404 
15405 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15406 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15407 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15408 	    (ie_len && ie &&
15409 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
15410 	    (sig_dbm &&
15411 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
15412 		goto nla_put_failure;
15413 
15414 	genlmsg_end(msg, hdr);
15415 
15416 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15417 				NL80211_MCGRP_MLME, gfp);
15418 	return;
15419 
15420  nla_put_failure:
15421 	nlmsg_free(msg);
15422 }
15423 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
15424 
15425 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
15426 				 struct net_device *netdev, const u8 *addr,
15427 				 enum nl80211_key_type key_type, int key_id,
15428 				 const u8 *tsc, gfp_t gfp)
15429 {
15430 	struct sk_buff *msg;
15431 	void *hdr;
15432 
15433 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15434 	if (!msg)
15435 		return;
15436 
15437 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
15438 	if (!hdr) {
15439 		nlmsg_free(msg);
15440 		return;
15441 	}
15442 
15443 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15444 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15445 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
15446 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
15447 	    (key_id != -1 &&
15448 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
15449 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
15450 		goto nla_put_failure;
15451 
15452 	genlmsg_end(msg, hdr);
15453 
15454 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15455 				NL80211_MCGRP_MLME, gfp);
15456 	return;
15457 
15458  nla_put_failure:
15459 	nlmsg_free(msg);
15460 }
15461 
15462 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
15463 				    struct ieee80211_channel *channel_before,
15464 				    struct ieee80211_channel *channel_after)
15465 {
15466 	struct sk_buff *msg;
15467 	void *hdr;
15468 	struct nlattr *nl_freq;
15469 
15470 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
15471 	if (!msg)
15472 		return;
15473 
15474 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
15475 	if (!hdr) {
15476 		nlmsg_free(msg);
15477 		return;
15478 	}
15479 
15480 	/*
15481 	 * Since we are applying the beacon hint to a wiphy we know its
15482 	 * wiphy_idx is valid
15483 	 */
15484 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
15485 		goto nla_put_failure;
15486 
15487 	/* Before */
15488 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
15489 	if (!nl_freq)
15490 		goto nla_put_failure;
15491 
15492 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
15493 		goto nla_put_failure;
15494 	nla_nest_end(msg, nl_freq);
15495 
15496 	/* After */
15497 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
15498 	if (!nl_freq)
15499 		goto nla_put_failure;
15500 
15501 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
15502 		goto nla_put_failure;
15503 	nla_nest_end(msg, nl_freq);
15504 
15505 	genlmsg_end(msg, hdr);
15506 
15507 	rcu_read_lock();
15508 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15509 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15510 	rcu_read_unlock();
15511 
15512 	return;
15513 
15514 nla_put_failure:
15515 	nlmsg_free(msg);
15516 }
15517 
15518 static void nl80211_send_remain_on_chan_event(
15519 	int cmd, struct cfg80211_registered_device *rdev,
15520 	struct wireless_dev *wdev, u64 cookie,
15521 	struct ieee80211_channel *chan,
15522 	unsigned int duration, gfp_t gfp)
15523 {
15524 	struct sk_buff *msg;
15525 	void *hdr;
15526 
15527 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15528 	if (!msg)
15529 		return;
15530 
15531 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15532 	if (!hdr) {
15533 		nlmsg_free(msg);
15534 		return;
15535 	}
15536 
15537 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15538 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15539 					 wdev->netdev->ifindex)) ||
15540 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15541 			      NL80211_ATTR_PAD) ||
15542 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
15543 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
15544 			NL80211_CHAN_NO_HT) ||
15545 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15546 			      NL80211_ATTR_PAD))
15547 		goto nla_put_failure;
15548 
15549 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
15550 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
15551 		goto nla_put_failure;
15552 
15553 	genlmsg_end(msg, hdr);
15554 
15555 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15556 				NL80211_MCGRP_MLME, gfp);
15557 	return;
15558 
15559  nla_put_failure:
15560 	nlmsg_free(msg);
15561 }
15562 
15563 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
15564 			       struct ieee80211_channel *chan,
15565 			       unsigned int duration, gfp_t gfp)
15566 {
15567 	struct wiphy *wiphy = wdev->wiphy;
15568 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15569 
15570 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
15571 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
15572 					  rdev, wdev, cookie, chan,
15573 					  duration, gfp);
15574 }
15575 EXPORT_SYMBOL(cfg80211_ready_on_channel);
15576 
15577 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
15578 					struct ieee80211_channel *chan,
15579 					gfp_t gfp)
15580 {
15581 	struct wiphy *wiphy = wdev->wiphy;
15582 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15583 
15584 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
15585 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15586 					  rdev, wdev, cookie, chan, 0, gfp);
15587 }
15588 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
15589 
15590 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
15591 					struct ieee80211_channel *chan,
15592 					gfp_t gfp)
15593 {
15594 	struct wiphy *wiphy = wdev->wiphy;
15595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15596 
15597 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
15598 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
15599 					  rdev, wdev, cookie, chan, 0, gfp);
15600 }
15601 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
15602 
15603 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
15604 		      struct station_info *sinfo, gfp_t gfp)
15605 {
15606 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15607 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15608 	struct sk_buff *msg;
15609 
15610 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
15611 
15612 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15613 	if (!msg)
15614 		return;
15615 
15616 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
15617 				 rdev, dev, mac_addr, sinfo) < 0) {
15618 		nlmsg_free(msg);
15619 		return;
15620 	}
15621 
15622 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15623 				NL80211_MCGRP_MLME, gfp);
15624 }
15625 EXPORT_SYMBOL(cfg80211_new_sta);
15626 
15627 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
15628 			    struct station_info *sinfo, gfp_t gfp)
15629 {
15630 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15631 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15632 	struct sk_buff *msg;
15633 	struct station_info empty_sinfo = {};
15634 
15635 	if (!sinfo)
15636 		sinfo = &empty_sinfo;
15637 
15638 	trace_cfg80211_del_sta(dev, mac_addr);
15639 
15640 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15641 	if (!msg) {
15642 		cfg80211_sinfo_release_content(sinfo);
15643 		return;
15644 	}
15645 
15646 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
15647 				 rdev, dev, mac_addr, sinfo) < 0) {
15648 		nlmsg_free(msg);
15649 		return;
15650 	}
15651 
15652 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15653 				NL80211_MCGRP_MLME, gfp);
15654 }
15655 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
15656 
15657 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
15658 			  enum nl80211_connect_failed_reason reason,
15659 			  gfp_t gfp)
15660 {
15661 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15662 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15663 	struct sk_buff *msg;
15664 	void *hdr;
15665 
15666 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
15667 	if (!msg)
15668 		return;
15669 
15670 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
15671 	if (!hdr) {
15672 		nlmsg_free(msg);
15673 		return;
15674 	}
15675 
15676 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15677 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
15678 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
15679 		goto nla_put_failure;
15680 
15681 	genlmsg_end(msg, hdr);
15682 
15683 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15684 				NL80211_MCGRP_MLME, gfp);
15685 	return;
15686 
15687  nla_put_failure:
15688 	nlmsg_free(msg);
15689 }
15690 EXPORT_SYMBOL(cfg80211_conn_failed);
15691 
15692 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
15693 				       const u8 *addr, gfp_t gfp)
15694 {
15695 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15696 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15697 	struct sk_buff *msg;
15698 	void *hdr;
15699 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
15700 
15701 	if (!nlportid)
15702 		return false;
15703 
15704 	msg = nlmsg_new(100, gfp);
15705 	if (!msg)
15706 		return true;
15707 
15708 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15709 	if (!hdr) {
15710 		nlmsg_free(msg);
15711 		return true;
15712 	}
15713 
15714 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15715 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15716 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15717 		goto nla_put_failure;
15718 
15719 	genlmsg_end(msg, hdr);
15720 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15721 	return true;
15722 
15723  nla_put_failure:
15724 	nlmsg_free(msg);
15725 	return true;
15726 }
15727 
15728 bool cfg80211_rx_spurious_frame(struct net_device *dev,
15729 				const u8 *addr, gfp_t gfp)
15730 {
15731 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15732 	bool ret;
15733 
15734 	trace_cfg80211_rx_spurious_frame(dev, addr);
15735 
15736 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15737 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
15738 		trace_cfg80211_return_bool(false);
15739 		return false;
15740 	}
15741 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
15742 					 addr, gfp);
15743 	trace_cfg80211_return_bool(ret);
15744 	return ret;
15745 }
15746 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
15747 
15748 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
15749 					const u8 *addr, gfp_t gfp)
15750 {
15751 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15752 	bool ret;
15753 
15754 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
15755 
15756 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15757 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15758 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
15759 		trace_cfg80211_return_bool(false);
15760 		return false;
15761 	}
15762 	ret = __nl80211_unexpected_frame(dev,
15763 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
15764 					 addr, gfp);
15765 	trace_cfg80211_return_bool(ret);
15766 	return ret;
15767 }
15768 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
15769 
15770 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
15771 		      struct wireless_dev *wdev, u32 nlportid,
15772 		      int freq, int sig_dbm,
15773 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
15774 {
15775 	struct net_device *netdev = wdev->netdev;
15776 	struct sk_buff *msg;
15777 	void *hdr;
15778 
15779 	msg = nlmsg_new(100 + len, gfp);
15780 	if (!msg)
15781 		return -ENOMEM;
15782 
15783 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15784 	if (!hdr) {
15785 		nlmsg_free(msg);
15786 		return -ENOMEM;
15787 	}
15788 
15789 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15790 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15791 					netdev->ifindex)) ||
15792 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15793 			      NL80211_ATTR_PAD) ||
15794 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
15795 	    (sig_dbm &&
15796 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15797 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15798 	    (flags &&
15799 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
15800 		goto nla_put_failure;
15801 
15802 	genlmsg_end(msg, hdr);
15803 
15804 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15805 
15806  nla_put_failure:
15807 	nlmsg_free(msg);
15808 	return -ENOBUFS;
15809 }
15810 
15811 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
15812 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
15813 {
15814 	struct wiphy *wiphy = wdev->wiphy;
15815 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15816 	struct net_device *netdev = wdev->netdev;
15817 	struct sk_buff *msg;
15818 	void *hdr;
15819 
15820 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
15821 
15822 	msg = nlmsg_new(100 + len, gfp);
15823 	if (!msg)
15824 		return;
15825 
15826 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
15827 	if (!hdr) {
15828 		nlmsg_free(msg);
15829 		return;
15830 	}
15831 
15832 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15833 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15834 				   netdev->ifindex)) ||
15835 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15836 			      NL80211_ATTR_PAD) ||
15837 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15838 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15839 			      NL80211_ATTR_PAD) ||
15840 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
15841 		goto nla_put_failure;
15842 
15843 	genlmsg_end(msg, hdr);
15844 
15845 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15846 				NL80211_MCGRP_MLME, gfp);
15847 	return;
15848 
15849  nla_put_failure:
15850 	nlmsg_free(msg);
15851 }
15852 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
15853 
15854 static int __nl80211_rx_control_port(struct net_device *dev,
15855 				     struct sk_buff *skb,
15856 				     bool unencrypted, gfp_t gfp)
15857 {
15858 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15859 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15860 	struct ethhdr *ehdr = eth_hdr(skb);
15861 	const u8 *addr = ehdr->h_source;
15862 	u16 proto = be16_to_cpu(skb->protocol);
15863 	struct sk_buff *msg;
15864 	void *hdr;
15865 	struct nlattr *frame;
15866 
15867 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
15868 
15869 	if (!nlportid)
15870 		return -ENOENT;
15871 
15872 	msg = nlmsg_new(100 + skb->len, gfp);
15873 	if (!msg)
15874 		return -ENOMEM;
15875 
15876 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
15877 	if (!hdr) {
15878 		nlmsg_free(msg);
15879 		return -ENOBUFS;
15880 	}
15881 
15882 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15883 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15884 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15885 			      NL80211_ATTR_PAD) ||
15886 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15887 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
15888 	    (unencrypted && nla_put_flag(msg,
15889 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
15890 		goto nla_put_failure;
15891 
15892 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
15893 	if (!frame)
15894 		goto nla_put_failure;
15895 
15896 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
15897 	genlmsg_end(msg, hdr);
15898 
15899 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15900 
15901  nla_put_failure:
15902 	nlmsg_free(msg);
15903 	return -ENOBUFS;
15904 }
15905 
15906 bool cfg80211_rx_control_port(struct net_device *dev,
15907 			      struct sk_buff *skb, bool unencrypted)
15908 {
15909 	int ret;
15910 
15911 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
15912 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
15913 	trace_cfg80211_return_bool(ret == 0);
15914 	return ret == 0;
15915 }
15916 EXPORT_SYMBOL(cfg80211_rx_control_port);
15917 
15918 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
15919 					    const char *mac, gfp_t gfp)
15920 {
15921 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15922 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15923 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15924 	void **cb;
15925 
15926 	if (!msg)
15927 		return NULL;
15928 
15929 	cb = (void **)msg->cb;
15930 
15931 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
15932 	if (!cb[0]) {
15933 		nlmsg_free(msg);
15934 		return NULL;
15935 	}
15936 
15937 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15938 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15939 		goto nla_put_failure;
15940 
15941 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15942 		goto nla_put_failure;
15943 
15944 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
15945 	if (!cb[1])
15946 		goto nla_put_failure;
15947 
15948 	cb[2] = rdev;
15949 
15950 	return msg;
15951  nla_put_failure:
15952 	nlmsg_free(msg);
15953 	return NULL;
15954 }
15955 
15956 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
15957 {
15958 	void **cb = (void **)msg->cb;
15959 	struct cfg80211_registered_device *rdev = cb[2];
15960 
15961 	nla_nest_end(msg, cb[1]);
15962 	genlmsg_end(msg, cb[0]);
15963 
15964 	memset(msg->cb, 0, sizeof(msg->cb));
15965 
15966 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15967 				NL80211_MCGRP_MLME, gfp);
15968 }
15969 
15970 void cfg80211_cqm_rssi_notify(struct net_device *dev,
15971 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
15972 			      s32 rssi_level, gfp_t gfp)
15973 {
15974 	struct sk_buff *msg;
15975 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15976 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15977 
15978 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
15979 
15980 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
15981 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
15982 		return;
15983 
15984 	if (wdev->cqm_config) {
15985 		wdev->cqm_config->last_rssi_event_value = rssi_level;
15986 
15987 		cfg80211_cqm_rssi_update(rdev, dev);
15988 
15989 		if (rssi_level == 0)
15990 			rssi_level = wdev->cqm_config->last_rssi_event_value;
15991 	}
15992 
15993 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15994 	if (!msg)
15995 		return;
15996 
15997 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
15998 			rssi_event))
15999 		goto nla_put_failure;
16000 
16001 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16002 				      rssi_level))
16003 		goto nla_put_failure;
16004 
16005 	cfg80211_send_cqm(msg, gfp);
16006 
16007 	return;
16008 
16009  nla_put_failure:
16010 	nlmsg_free(msg);
16011 }
16012 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16013 
16014 void cfg80211_cqm_txe_notify(struct net_device *dev,
16015 			     const u8 *peer, u32 num_packets,
16016 			     u32 rate, u32 intvl, gfp_t gfp)
16017 {
16018 	struct sk_buff *msg;
16019 
16020 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16021 	if (!msg)
16022 		return;
16023 
16024 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16025 		goto nla_put_failure;
16026 
16027 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16028 		goto nla_put_failure;
16029 
16030 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16031 		goto nla_put_failure;
16032 
16033 	cfg80211_send_cqm(msg, gfp);
16034 	return;
16035 
16036  nla_put_failure:
16037 	nlmsg_free(msg);
16038 }
16039 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16040 
16041 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16042 				 const u8 *peer, u32 num_packets, gfp_t gfp)
16043 {
16044 	struct sk_buff *msg;
16045 
16046 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16047 
16048 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16049 	if (!msg)
16050 		return;
16051 
16052 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16053 		goto nla_put_failure;
16054 
16055 	cfg80211_send_cqm(msg, gfp);
16056 	return;
16057 
16058  nla_put_failure:
16059 	nlmsg_free(msg);
16060 }
16061 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16062 
16063 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16064 {
16065 	struct sk_buff *msg;
16066 
16067 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16068 	if (!msg)
16069 		return;
16070 
16071 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16072 		goto nla_put_failure;
16073 
16074 	cfg80211_send_cqm(msg, gfp);
16075 	return;
16076 
16077  nla_put_failure:
16078 	nlmsg_free(msg);
16079 }
16080 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16081 
16082 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16083 				     struct net_device *netdev, const u8 *bssid,
16084 				     const u8 *replay_ctr, gfp_t gfp)
16085 {
16086 	struct sk_buff *msg;
16087 	struct nlattr *rekey_attr;
16088 	void *hdr;
16089 
16090 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16091 	if (!msg)
16092 		return;
16093 
16094 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
16095 	if (!hdr) {
16096 		nlmsg_free(msg);
16097 		return;
16098 	}
16099 
16100 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16101 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16102 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16103 		goto nla_put_failure;
16104 
16105 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
16106 	if (!rekey_attr)
16107 		goto nla_put_failure;
16108 
16109 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
16110 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
16111 		goto nla_put_failure;
16112 
16113 	nla_nest_end(msg, rekey_attr);
16114 
16115 	genlmsg_end(msg, hdr);
16116 
16117 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16118 				NL80211_MCGRP_MLME, gfp);
16119 	return;
16120 
16121  nla_put_failure:
16122 	nlmsg_free(msg);
16123 }
16124 
16125 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
16126 			       const u8 *replay_ctr, gfp_t gfp)
16127 {
16128 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16129 	struct wiphy *wiphy = wdev->wiphy;
16130 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16131 
16132 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
16133 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
16134 }
16135 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
16136 
16137 static void
16138 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
16139 			       struct net_device *netdev, int index,
16140 			       const u8 *bssid, bool preauth, gfp_t gfp)
16141 {
16142 	struct sk_buff *msg;
16143 	struct nlattr *attr;
16144 	void *hdr;
16145 
16146 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16147 	if (!msg)
16148 		return;
16149 
16150 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
16151 	if (!hdr) {
16152 		nlmsg_free(msg);
16153 		return;
16154 	}
16155 
16156 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16157 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16158 		goto nla_put_failure;
16159 
16160 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
16161 	if (!attr)
16162 		goto nla_put_failure;
16163 
16164 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
16165 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
16166 	    (preauth &&
16167 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
16168 		goto nla_put_failure;
16169 
16170 	nla_nest_end(msg, attr);
16171 
16172 	genlmsg_end(msg, hdr);
16173 
16174 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16175 				NL80211_MCGRP_MLME, gfp);
16176 	return;
16177 
16178  nla_put_failure:
16179 	nlmsg_free(msg);
16180 }
16181 
16182 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
16183 				     const u8 *bssid, bool preauth, gfp_t gfp)
16184 {
16185 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16186 	struct wiphy *wiphy = wdev->wiphy;
16187 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16188 
16189 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
16190 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
16191 }
16192 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
16193 
16194 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
16195 				     struct net_device *netdev,
16196 				     struct cfg80211_chan_def *chandef,
16197 				     gfp_t gfp,
16198 				     enum nl80211_commands notif,
16199 				     u8 count)
16200 {
16201 	struct sk_buff *msg;
16202 	void *hdr;
16203 
16204 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16205 	if (!msg)
16206 		return;
16207 
16208 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
16209 	if (!hdr) {
16210 		nlmsg_free(msg);
16211 		return;
16212 	}
16213 
16214 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16215 		goto nla_put_failure;
16216 
16217 	if (nl80211_send_chandef(msg, chandef))
16218 		goto nla_put_failure;
16219 
16220 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
16221 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
16222 			goto nla_put_failure;
16223 
16224 	genlmsg_end(msg, hdr);
16225 
16226 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16227 				NL80211_MCGRP_MLME, gfp);
16228 	return;
16229 
16230  nla_put_failure:
16231 	nlmsg_free(msg);
16232 }
16233 
16234 void cfg80211_ch_switch_notify(struct net_device *dev,
16235 			       struct cfg80211_chan_def *chandef)
16236 {
16237 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16238 	struct wiphy *wiphy = wdev->wiphy;
16239 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16240 
16241 	ASSERT_WDEV_LOCK(wdev);
16242 
16243 	trace_cfg80211_ch_switch_notify(dev, chandef);
16244 
16245 	wdev->chandef = *chandef;
16246 	wdev->preset_chandef = *chandef;
16247 
16248 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
16249 	    !WARN_ON(!wdev->current_bss))
16250 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
16251 
16252 	cfg80211_sched_dfs_chan_update(rdev);
16253 
16254 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16255 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
16256 }
16257 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
16258 
16259 void cfg80211_ch_switch_started_notify(struct net_device *dev,
16260 				       struct cfg80211_chan_def *chandef,
16261 				       u8 count)
16262 {
16263 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16264 	struct wiphy *wiphy = wdev->wiphy;
16265 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16266 
16267 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
16268 
16269 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16270 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
16271 }
16272 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
16273 
16274 void
16275 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
16276 		     const struct cfg80211_chan_def *chandef,
16277 		     enum nl80211_radar_event event,
16278 		     struct net_device *netdev, gfp_t gfp)
16279 {
16280 	struct sk_buff *msg;
16281 	void *hdr;
16282 
16283 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16284 	if (!msg)
16285 		return;
16286 
16287 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
16288 	if (!hdr) {
16289 		nlmsg_free(msg);
16290 		return;
16291 	}
16292 
16293 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16294 		goto nla_put_failure;
16295 
16296 	/* NOP and radar events don't need a netdev parameter */
16297 	if (netdev) {
16298 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
16299 
16300 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16301 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16302 				      NL80211_ATTR_PAD))
16303 			goto nla_put_failure;
16304 	}
16305 
16306 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
16307 		goto nla_put_failure;
16308 
16309 	if (nl80211_send_chandef(msg, chandef))
16310 		goto nla_put_failure;
16311 
16312 	genlmsg_end(msg, hdr);
16313 
16314 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16315 				NL80211_MCGRP_MLME, gfp);
16316 	return;
16317 
16318  nla_put_failure:
16319 	nlmsg_free(msg);
16320 }
16321 
16322 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
16323 				       struct sta_opmode_info *sta_opmode,
16324 				       gfp_t gfp)
16325 {
16326 	struct sk_buff *msg;
16327 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16328 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16329 	void *hdr;
16330 
16331 	if (WARN_ON(!mac))
16332 		return;
16333 
16334 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16335 	if (!msg)
16336 		return;
16337 
16338 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
16339 	if (!hdr) {
16340 		nlmsg_free(msg);
16341 		return;
16342 	}
16343 
16344 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16345 		goto nla_put_failure;
16346 
16347 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16348 		goto nla_put_failure;
16349 
16350 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16351 		goto nla_put_failure;
16352 
16353 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
16354 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
16355 		goto nla_put_failure;
16356 
16357 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
16358 	    nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
16359 		goto nla_put_failure;
16360 
16361 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
16362 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
16363 		goto nla_put_failure;
16364 
16365 	genlmsg_end(msg, hdr);
16366 
16367 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16368 				NL80211_MCGRP_MLME, gfp);
16369 
16370 	return;
16371 
16372 nla_put_failure:
16373 	nlmsg_free(msg);
16374 }
16375 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
16376 
16377 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
16378 			   u64 cookie, bool acked, s32 ack_signal,
16379 			   bool is_valid_ack_signal, gfp_t gfp)
16380 {
16381 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16382 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16383 	struct sk_buff *msg;
16384 	void *hdr;
16385 
16386 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
16387 
16388 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16389 
16390 	if (!msg)
16391 		return;
16392 
16393 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
16394 	if (!hdr) {
16395 		nlmsg_free(msg);
16396 		return;
16397 	}
16398 
16399 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16400 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16401 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16402 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16403 			      NL80211_ATTR_PAD) ||
16404 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
16405 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
16406 						ack_signal)))
16407 		goto nla_put_failure;
16408 
16409 	genlmsg_end(msg, hdr);
16410 
16411 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16412 				NL80211_MCGRP_MLME, gfp);
16413 	return;
16414 
16415  nla_put_failure:
16416 	nlmsg_free(msg);
16417 }
16418 EXPORT_SYMBOL(cfg80211_probe_status);
16419 
16420 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
16421 				 const u8 *frame, size_t len,
16422 				 int freq, int sig_dbm)
16423 {
16424 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16425 	struct sk_buff *msg;
16426 	void *hdr;
16427 	struct cfg80211_beacon_registration *reg;
16428 
16429 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
16430 
16431 	spin_lock_bh(&rdev->beacon_registrations_lock);
16432 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
16433 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
16434 		if (!msg) {
16435 			spin_unlock_bh(&rdev->beacon_registrations_lock);
16436 			return;
16437 		}
16438 
16439 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16440 		if (!hdr)
16441 			goto nla_put_failure;
16442 
16443 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16444 		    (freq &&
16445 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
16446 		    (sig_dbm &&
16447 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16448 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
16449 			goto nla_put_failure;
16450 
16451 		genlmsg_end(msg, hdr);
16452 
16453 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
16454 	}
16455 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16456 	return;
16457 
16458  nla_put_failure:
16459 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16460 	nlmsg_free(msg);
16461 }
16462 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
16463 
16464 #ifdef CONFIG_PM
16465 static int cfg80211_net_detect_results(struct sk_buff *msg,
16466 				       struct cfg80211_wowlan_wakeup *wakeup)
16467 {
16468 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
16469 	struct nlattr *nl_results, *nl_match, *nl_freqs;
16470 	int i, j;
16471 
16472 	nl_results = nla_nest_start_noflag(msg,
16473 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
16474 	if (!nl_results)
16475 		return -EMSGSIZE;
16476 
16477 	for (i = 0; i < nd->n_matches; i++) {
16478 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
16479 
16480 		nl_match = nla_nest_start_noflag(msg, i);
16481 		if (!nl_match)
16482 			break;
16483 
16484 		/* The SSID attribute is optional in nl80211, but for
16485 		 * simplicity reasons it's always present in the
16486 		 * cfg80211 structure.  If a driver can't pass the
16487 		 * SSID, that needs to be changed.  A zero length SSID
16488 		 * is still a valid SSID (wildcard), so it cannot be
16489 		 * used for this purpose.
16490 		 */
16491 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
16492 			    match->ssid.ssid)) {
16493 			nla_nest_cancel(msg, nl_match);
16494 			goto out;
16495 		}
16496 
16497 		if (match->n_channels) {
16498 			nl_freqs = nla_nest_start_noflag(msg,
16499 							 NL80211_ATTR_SCAN_FREQUENCIES);
16500 			if (!nl_freqs) {
16501 				nla_nest_cancel(msg, nl_match);
16502 				goto out;
16503 			}
16504 
16505 			for (j = 0; j < match->n_channels; j++) {
16506 				if (nla_put_u32(msg, j, match->channels[j])) {
16507 					nla_nest_cancel(msg, nl_freqs);
16508 					nla_nest_cancel(msg, nl_match);
16509 					goto out;
16510 				}
16511 			}
16512 
16513 			nla_nest_end(msg, nl_freqs);
16514 		}
16515 
16516 		nla_nest_end(msg, nl_match);
16517 	}
16518 
16519 out:
16520 	nla_nest_end(msg, nl_results);
16521 	return 0;
16522 }
16523 
16524 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
16525 				   struct cfg80211_wowlan_wakeup *wakeup,
16526 				   gfp_t gfp)
16527 {
16528 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16529 	struct sk_buff *msg;
16530 	void *hdr;
16531 	int size = 200;
16532 
16533 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
16534 
16535 	if (wakeup)
16536 		size += wakeup->packet_present_len;
16537 
16538 	msg = nlmsg_new(size, gfp);
16539 	if (!msg)
16540 		return;
16541 
16542 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
16543 	if (!hdr)
16544 		goto free_msg;
16545 
16546 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16547 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16548 			      NL80211_ATTR_PAD))
16549 		goto free_msg;
16550 
16551 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16552 					wdev->netdev->ifindex))
16553 		goto free_msg;
16554 
16555 	if (wakeup) {
16556 		struct nlattr *reasons;
16557 
16558 		reasons = nla_nest_start_noflag(msg,
16559 						NL80211_ATTR_WOWLAN_TRIGGERS);
16560 		if (!reasons)
16561 			goto free_msg;
16562 
16563 		if (wakeup->disconnect &&
16564 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
16565 			goto free_msg;
16566 		if (wakeup->magic_pkt &&
16567 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
16568 			goto free_msg;
16569 		if (wakeup->gtk_rekey_failure &&
16570 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
16571 			goto free_msg;
16572 		if (wakeup->eap_identity_req &&
16573 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
16574 			goto free_msg;
16575 		if (wakeup->four_way_handshake &&
16576 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
16577 			goto free_msg;
16578 		if (wakeup->rfkill_release &&
16579 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
16580 			goto free_msg;
16581 
16582 		if (wakeup->pattern_idx >= 0 &&
16583 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
16584 				wakeup->pattern_idx))
16585 			goto free_msg;
16586 
16587 		if (wakeup->tcp_match &&
16588 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
16589 			goto free_msg;
16590 
16591 		if (wakeup->tcp_connlost &&
16592 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
16593 			goto free_msg;
16594 
16595 		if (wakeup->tcp_nomoretokens &&
16596 		    nla_put_flag(msg,
16597 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
16598 			goto free_msg;
16599 
16600 		if (wakeup->packet) {
16601 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
16602 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
16603 
16604 			if (!wakeup->packet_80211) {
16605 				pkt_attr =
16606 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
16607 				len_attr =
16608 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
16609 			}
16610 
16611 			if (wakeup->packet_len &&
16612 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
16613 				goto free_msg;
16614 
16615 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
16616 				    wakeup->packet))
16617 				goto free_msg;
16618 		}
16619 
16620 		if (wakeup->net_detect &&
16621 		    cfg80211_net_detect_results(msg, wakeup))
16622 				goto free_msg;
16623 
16624 		nla_nest_end(msg, reasons);
16625 	}
16626 
16627 	genlmsg_end(msg, hdr);
16628 
16629 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16630 				NL80211_MCGRP_MLME, gfp);
16631 	return;
16632 
16633  free_msg:
16634 	nlmsg_free(msg);
16635 }
16636 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
16637 #endif
16638 
16639 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
16640 				enum nl80211_tdls_operation oper,
16641 				u16 reason_code, gfp_t gfp)
16642 {
16643 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16644 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16645 	struct sk_buff *msg;
16646 	void *hdr;
16647 
16648 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
16649 					 reason_code);
16650 
16651 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16652 	if (!msg)
16653 		return;
16654 
16655 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
16656 	if (!hdr) {
16657 		nlmsg_free(msg);
16658 		return;
16659 	}
16660 
16661 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16662 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16663 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
16664 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
16665 	    (reason_code > 0 &&
16666 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
16667 		goto nla_put_failure;
16668 
16669 	genlmsg_end(msg, hdr);
16670 
16671 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16672 				NL80211_MCGRP_MLME, gfp);
16673 	return;
16674 
16675  nla_put_failure:
16676 	nlmsg_free(msg);
16677 }
16678 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
16679 
16680 static int nl80211_netlink_notify(struct notifier_block * nb,
16681 				  unsigned long state,
16682 				  void *_notify)
16683 {
16684 	struct netlink_notify *notify = _notify;
16685 	struct cfg80211_registered_device *rdev;
16686 	struct wireless_dev *wdev;
16687 	struct cfg80211_beacon_registration *reg, *tmp;
16688 
16689 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
16690 		return NOTIFY_DONE;
16691 
16692 	rcu_read_lock();
16693 
16694 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
16695 		struct cfg80211_sched_scan_request *sched_scan_req;
16696 
16697 		list_for_each_entry_rcu(sched_scan_req,
16698 					&rdev->sched_scan_req_list,
16699 					list) {
16700 			if (sched_scan_req->owner_nlportid == notify->portid) {
16701 				sched_scan_req->nl_owner_dead = true;
16702 				schedule_work(&rdev->sched_scan_stop_wk);
16703 			}
16704 		}
16705 
16706 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
16707 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
16708 
16709 			if (wdev->owner_nlportid == notify->portid) {
16710 				wdev->nl_owner_dead = true;
16711 				schedule_work(&rdev->destroy_work);
16712 			} else if (wdev->conn_owner_nlportid == notify->portid) {
16713 				schedule_work(&wdev->disconnect_wk);
16714 			}
16715 
16716 			cfg80211_release_pmsr(wdev, notify->portid);
16717 		}
16718 
16719 		spin_lock_bh(&rdev->beacon_registrations_lock);
16720 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
16721 					 list) {
16722 			if (reg->nlportid == notify->portid) {
16723 				list_del(&reg->list);
16724 				kfree(reg);
16725 				break;
16726 			}
16727 		}
16728 		spin_unlock_bh(&rdev->beacon_registrations_lock);
16729 	}
16730 
16731 	rcu_read_unlock();
16732 
16733 	/*
16734 	 * It is possible that the user space process that is controlling the
16735 	 * indoor setting disappeared, so notify the regulatory core.
16736 	 */
16737 	regulatory_netlink_notify(notify->portid);
16738 	return NOTIFY_OK;
16739 }
16740 
16741 static struct notifier_block nl80211_netlink_notifier = {
16742 	.notifier_call = nl80211_netlink_notify,
16743 };
16744 
16745 void cfg80211_ft_event(struct net_device *netdev,
16746 		       struct cfg80211_ft_event_params *ft_event)
16747 {
16748 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16749 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16750 	struct sk_buff *msg;
16751 	void *hdr;
16752 
16753 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
16754 
16755 	if (!ft_event->target_ap)
16756 		return;
16757 
16758 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
16759 			GFP_KERNEL);
16760 	if (!msg)
16761 		return;
16762 
16763 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
16764 	if (!hdr)
16765 		goto out;
16766 
16767 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16768 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16769 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
16770 		goto out;
16771 
16772 	if (ft_event->ies &&
16773 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
16774 		goto out;
16775 	if (ft_event->ric_ies &&
16776 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
16777 		    ft_event->ric_ies))
16778 		goto out;
16779 
16780 	genlmsg_end(msg, hdr);
16781 
16782 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16783 				NL80211_MCGRP_MLME, GFP_KERNEL);
16784 	return;
16785  out:
16786 	nlmsg_free(msg);
16787 }
16788 EXPORT_SYMBOL(cfg80211_ft_event);
16789 
16790 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
16791 {
16792 	struct cfg80211_registered_device *rdev;
16793 	struct sk_buff *msg;
16794 	void *hdr;
16795 	u32 nlportid;
16796 
16797 	rdev = wiphy_to_rdev(wdev->wiphy);
16798 	if (!rdev->crit_proto_nlportid)
16799 		return;
16800 
16801 	nlportid = rdev->crit_proto_nlportid;
16802 	rdev->crit_proto_nlportid = 0;
16803 
16804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16805 	if (!msg)
16806 		return;
16807 
16808 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
16809 	if (!hdr)
16810 		goto nla_put_failure;
16811 
16812 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16813 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16814 			      NL80211_ATTR_PAD))
16815 		goto nla_put_failure;
16816 
16817 	genlmsg_end(msg, hdr);
16818 
16819 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16820 	return;
16821 
16822  nla_put_failure:
16823 	nlmsg_free(msg);
16824 }
16825 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
16826 
16827 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
16828 {
16829 	struct wiphy *wiphy = wdev->wiphy;
16830 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16831 	struct sk_buff *msg;
16832 	void *hdr;
16833 
16834 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16835 	if (!msg)
16836 		return;
16837 
16838 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
16839 	if (!hdr)
16840 		goto out;
16841 
16842 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16843 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
16844 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16845 			      NL80211_ATTR_PAD))
16846 		goto out;
16847 
16848 	genlmsg_end(msg, hdr);
16849 
16850 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
16851 				NL80211_MCGRP_MLME, GFP_KERNEL);
16852 	return;
16853  out:
16854 	nlmsg_free(msg);
16855 }
16856 
16857 int cfg80211_external_auth_request(struct net_device *dev,
16858 				   struct cfg80211_external_auth_params *params,
16859 				   gfp_t gfp)
16860 {
16861 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16862 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16863 	struct sk_buff *msg;
16864 	void *hdr;
16865 
16866 	if (!wdev->conn_owner_nlportid)
16867 		return -EINVAL;
16868 
16869 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16870 	if (!msg)
16871 		return -ENOMEM;
16872 
16873 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
16874 	if (!hdr)
16875 		goto nla_put_failure;
16876 
16877 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16878 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16879 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
16880 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
16881 			params->action) ||
16882 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
16883 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
16884 		    params->ssid.ssid))
16885 		goto nla_put_failure;
16886 
16887 	genlmsg_end(msg, hdr);
16888 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16889 			wdev->conn_owner_nlportid);
16890 	return 0;
16891 
16892  nla_put_failure:
16893 	nlmsg_free(msg);
16894 	return -ENOBUFS;
16895 }
16896 EXPORT_SYMBOL(cfg80211_external_auth_request);
16897 
16898 void cfg80211_update_owe_info_event(struct net_device *netdev,
16899 				    struct cfg80211_update_owe_info *owe_info,
16900 				    gfp_t gfp)
16901 {
16902 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16903 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16904 	struct sk_buff *msg;
16905 	void *hdr;
16906 
16907 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
16908 
16909 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16910 	if (!msg)
16911 		return;
16912 
16913 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
16914 	if (!hdr)
16915 		goto nla_put_failure;
16916 
16917 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16918 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16919 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
16920 		goto nla_put_failure;
16921 
16922 	if (!owe_info->ie_len ||
16923 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
16924 		goto nla_put_failure;
16925 
16926 	genlmsg_end(msg, hdr);
16927 
16928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16929 				NL80211_MCGRP_MLME, gfp);
16930 	return;
16931 
16932 nla_put_failure:
16933 	genlmsg_cancel(msg, hdr);
16934 	nlmsg_free(msg);
16935 }
16936 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
16937 
16938 /* initialisation/exit functions */
16939 
16940 int __init nl80211_init(void)
16941 {
16942 	int err;
16943 
16944 	err = genl_register_family(&nl80211_fam);
16945 	if (err)
16946 		return err;
16947 
16948 	err = netlink_register_notifier(&nl80211_netlink_notifier);
16949 	if (err)
16950 		goto err_out;
16951 
16952 	return 0;
16953  err_out:
16954 	genl_unregister_family(&nl80211_fam);
16955 	return err;
16956 }
16957 
16958 void nl80211_exit(void)
16959 {
16960 	netlink_unregister_notifier(&nl80211_netlink_notifier);
16961 	genl_unregister_family(&nl80211_fam);
16962 }
16963