xref: /openbmc/linux/net/wireless/nl80211.c (revision 8165c844) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2023 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
327 };
328 
329 static const struct nla_policy
330 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
331 	[NL80211_PMSR_TYPE_FTM] =
332 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
333 };
334 
335 static const struct nla_policy
336 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
337 	[NL80211_PMSR_REQ_ATTR_DATA] =
338 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
339 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
340 };
341 
342 static const struct nla_policy
343 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
344 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
345 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
346 	[NL80211_PMSR_PEER_ATTR_REQ] =
347 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
348 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
349 };
350 
351 static const struct nla_policy
352 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
353 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
357 	[NL80211_PMSR_ATTR_PEERS] =
358 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
359 };
360 
361 static const struct nla_policy
362 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
363 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
364 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
365 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
366 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
367 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
368 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
369 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
370 		NLA_POLICY_EXACT_LEN(8),
371 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
372 		NLA_POLICY_EXACT_LEN(8),
373 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
374 };
375 
376 static const struct nla_policy
377 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
378 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
379 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
380 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
381 };
382 
383 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
384 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
385 				    .len = NL80211_MAX_SUPP_RATES },
386 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
387 				.len = NL80211_MAX_SUPP_HT_RATES },
388 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
389 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
390 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
391 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
392 						   NL80211_RATE_INFO_HE_GI_0_8,
393 						   NL80211_RATE_INFO_HE_GI_3_2),
394 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
395 						   NL80211_RATE_INFO_HE_1XLTF,
396 						   NL80211_RATE_INFO_HE_4XLTF),
397 };
398 
399 static const struct nla_policy
400 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
401 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
403 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
404 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
405 	[NL80211_TID_CONFIG_ATTR_NOACK] =
406 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
409 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
410 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
411 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
412 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
413 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
414 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
415 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
416 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
417 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
418 			NLA_POLICY_NESTED(nl80211_txattr_policy),
419 };
420 
421 static const struct nla_policy
422 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
425 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
426 			NLA_POLICY_RANGE(NLA_BINARY,
427 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
428 					 IEEE80211_MAX_DATA_LEN),
429 };
430 
431 static const struct nla_policy
432 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
434 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
435 						       .len = IEEE80211_MAX_DATA_LEN }
436 };
437 
438 static const struct nla_policy
439 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
440 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
441 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
442 };
443 
444 static const struct nla_policy
445 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
446 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
447 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
448 };
449 
450 static const struct nla_policy
451 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
453 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
454 						NLA_POLICY_MIN(NLA_U8, 1),
455 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
456 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
457 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
458 };
459 
460 static const struct nla_policy
461 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
462 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
463 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
464 };
465 
466 static struct netlink_range_validation nl80211_punct_bitmap_range = {
467 	.min = 0,
468 	.max = 0xffff,
469 };
470 
471 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
472 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
473 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
475 				      .len = 20-1 },
476 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
477 
478 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
479 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
480 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
481 						NL80211_EDMG_CHANNELS_MIN,
482 						NL80211_EDMG_CHANNELS_MAX),
483 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
484 						NL80211_EDMG_BW_CONFIG_MIN,
485 						NL80211_EDMG_BW_CONFIG_MAX),
486 
487 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
488 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
489 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
490 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
491 
492 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
493 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
494 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
495 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
496 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
497 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
498 
499 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
500 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
501 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
502 
503 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
504 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
505 
506 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
507 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
508 				    .len = WLAN_MAX_KEY_LEN },
509 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
510 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
511 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
512 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
513 	[NL80211_ATTR_KEY_TYPE] =
514 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
515 
516 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
517 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
518 	[NL80211_ATTR_BEACON_HEAD] =
519 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
520 				       IEEE80211_MAX_DATA_LEN),
521 	[NL80211_ATTR_BEACON_TAIL] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_STA_AID] =
525 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
526 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
527 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
528 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
529 					       .len = NL80211_MAX_SUPP_RATES },
530 	[NL80211_ATTR_STA_PLINK_ACTION] =
531 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
532 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
533 		NLA_POLICY_RANGE(NLA_U8,
534 				 NL80211_TX_POWER_AUTOMATIC,
535 				 NL80211_TX_POWER_FIXED),
536 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
537 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
538 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
539 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
540 				   .len = IEEE80211_MAX_MESH_ID_LEN },
541 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
542 
543 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
544 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
545 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
546 
547 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
548 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
549 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
550 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
551 					   .len = NL80211_MAX_SUPP_RATES },
552 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
553 
554 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
555 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
556 
557 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
558 
559 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
560 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
561 						   validate_ie_attr,
562 						   IEEE80211_MAX_DATA_LEN),
563 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
564 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
565 
566 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
567 				.len = IEEE80211_MAX_SSID_LEN },
568 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
569 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
570 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
572 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
573 						  NL80211_MFP_NO,
574 						  NL80211_MFP_OPTIONAL),
575 	[NL80211_ATTR_STA_FLAGS2] =
576 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
577 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
578 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
579 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
580 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
582 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
583 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
584 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
585 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
586 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
587 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
588 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
589 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
590 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
591 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
592 				 .len = IEEE80211_MAX_DATA_LEN },
593 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
594 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
595 						   NL80211_PS_DISABLED,
596 						   NL80211_PS_ENABLED),
597 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
598 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
600 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
601 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
602 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
603 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
604 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
605 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
606 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
607 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
608 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
609 	[NL80211_ATTR_STA_PLINK_STATE] =
610 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
611 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
612 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
613 	[NL80211_ATTR_MESH_PEER_AID] =
614 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
615 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
616 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
617 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
618 	[NL80211_ATTR_HIDDEN_SSID] =
619 		NLA_POLICY_RANGE(NLA_U32,
620 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
621 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
622 	[NL80211_ATTR_IE_PROBE_RESP] =
623 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
624 				       IEEE80211_MAX_DATA_LEN),
625 	[NL80211_ATTR_IE_ASSOC_RESP] =
626 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
627 				       IEEE80211_MAX_DATA_LEN),
628 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
629 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
630 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
631 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
632 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
633 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
634 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
635 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
638 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
640 				      .len = IEEE80211_MAX_DATA_LEN },
641 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
642 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
643 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
644 		.len = NL80211_HT_CAPABILITY_LEN
645 	},
646 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
647 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
648 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
649 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
650 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
651 
652 	/* need to include at least Auth Transaction and Status Code */
653 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
654 
655 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
656 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
657 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
658 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
659 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
660 		NLA_POLICY_RANGE(NLA_U32,
661 				 NL80211_MESH_POWER_UNKNOWN + 1,
662 				 NL80211_MESH_POWER_MAX),
663 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
664 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
665 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
666 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
667 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
668 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
669 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
670 		.len = NL80211_VHT_CAPABILITY_LEN,
671 	},
672 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
673 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
674 				  .len = IEEE80211_MAX_DATA_LEN },
675 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
676 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
677 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
678 	[NL80211_ATTR_PEER_AID] =
679 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
680 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
681 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
683 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
684 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
686 	/*
687 	 * The value of the Length field of the Supported Operating
688 	 * Classes element is between 2 and 253.
689 	 */
690 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
691 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
692 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
693 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
694 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
695 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
696 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
697 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
698 						  IEEE80211_QOS_MAP_LEN_MIN,
699 						  IEEE80211_QOS_MAP_LEN_MAX),
700 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
702 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
705 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
707 	[NL80211_ATTR_USER_PRIO] =
708 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
709 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
710 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
711 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
712 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
714 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
715 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
716 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
717 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
718 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
719 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
720 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
721 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
722 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
723 	},
724 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
725 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
726 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
727 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
728 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
729 				    .len = FILS_MAX_KEK_LEN },
730 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
731 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
732 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
733 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
734 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
735 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
736 	},
737 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
738 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
739 					     .len = FILS_ERP_MAX_USERNAME_LEN },
740 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
741 					  .len = FILS_ERP_MAX_REALM_LEN },
742 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
743 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
744 					.len = FILS_ERP_MAX_RRK_LEN },
745 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
746 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
747 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
748 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
749 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
750 
751 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
752 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
753 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
754 	[NL80211_ATTR_HE_CAPABILITY] =
755 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
756 				       NL80211_HE_MAX_CAPABILITY_LEN),
757 	[NL80211_ATTR_FTM_RESPONDER] =
758 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
759 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
760 	[NL80211_ATTR_PEER_MEASUREMENTS] =
761 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
762 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
763 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
764 					.len = SAE_PASSWORD_MAX_LEN },
765 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
766 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
767 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
768 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
769 	[NL80211_ATTR_TID_CONFIG] =
770 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
771 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
772 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
773 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
774 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
775 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
776 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
777 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
778 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
779 	[NL80211_ATTR_FILS_DISCOVERY] =
780 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
781 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
782 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
783 	[NL80211_ATTR_S1G_CAPABILITY] =
784 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
785 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
786 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
787 	[NL80211_ATTR_SAE_PWE] =
788 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
789 				 NL80211_SAE_PWE_BOTH),
790 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
791 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
792 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
793 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
794 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
795 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
796 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
797 	[NL80211_ATTR_MBSSID_CONFIG] =
798 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
799 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
800 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
802 	[NL80211_ATTR_EHT_CAPABILITY] =
803 		NLA_POLICY_RANGE(NLA_BINARY,
804 				 NL80211_EHT_MIN_CAPABILITY_LEN,
805 				 NL80211_EHT_MAX_CAPABILITY_LEN),
806 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
807 	[NL80211_ATTR_MLO_LINKS] =
808 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
809 	[NL80211_ATTR_MLO_LINK_ID] =
810 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
811 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
812 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
813 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
814 	[NL80211_ATTR_PUNCT_BITMAP] =
815 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
816 
817 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
818 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
819 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
820 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
821 };
822 
823 /* policy for the key attributes */
824 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
825 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
826 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
827 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
828 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
829 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
830 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
831 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
832 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
833 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
834 };
835 
836 /* policy for the key default flags */
837 static const struct nla_policy
838 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
839 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
840 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
841 };
842 
843 #ifdef CONFIG_PM
844 /* policy for WoWLAN attributes */
845 static const struct nla_policy
846 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
847 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
848 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
849 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
850 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
851 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
852 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
853 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
854 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
855 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
856 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
857 };
858 
859 static const struct nla_policy
860 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
861 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
862 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
863 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
864 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
865 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
866 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
867 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
868 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
869 	},
870 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
871 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
872 	},
873 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
874 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
875 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
876 };
877 #endif /* CONFIG_PM */
878 
879 /* policy for coalesce rule attributes */
880 static const struct nla_policy
881 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
882 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
883 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
884 		NLA_POLICY_RANGE(NLA_U32,
885 				 NL80211_COALESCE_CONDITION_MATCH,
886 				 NL80211_COALESCE_CONDITION_NO_MATCH),
887 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
888 };
889 
890 /* policy for GTK rekey offload attributes */
891 static const struct nla_policy
892 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
893 	[NL80211_REKEY_DATA_KEK] = {
894 		.type = NLA_BINARY,
895 		.len = NL80211_KEK_EXT_LEN
896 	},
897 	[NL80211_REKEY_DATA_KCK] = {
898 		.type = NLA_BINARY,
899 		.len = NL80211_KCK_EXT_LEN_32
900 	},
901 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
902 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
903 };
904 
905 static const struct nla_policy
906 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
907 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
908 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
909 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
910 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
911 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
912 };
913 
914 static const struct nla_policy
915 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
916 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
917 						 .len = IEEE80211_MAX_SSID_LEN },
918 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
919 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
920 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
921 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
922 };
923 
924 static const struct nla_policy
925 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
926 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
927 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
928 };
929 
930 static const struct nla_policy
931 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
932 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
933 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
934 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
935 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
936 	},
937 };
938 
939 /* policy for NAN function attributes */
940 static const struct nla_policy
941 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
942 	[NL80211_NAN_FUNC_TYPE] =
943 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
944 	[NL80211_NAN_FUNC_SERVICE_ID] = {
945 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
946 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
948 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
951 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
952 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
953 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
954 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
955 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
956 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
959 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
960 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
961 };
962 
963 /* policy for Service Response Filter attributes */
964 static const struct nla_policy
965 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
966 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
967 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
968 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
969 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
970 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
971 };
972 
973 /* policy for packet pattern attributes */
974 static const struct nla_policy
975 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
976 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
977 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
978 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
979 };
980 
981 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
982 				     struct cfg80211_registered_device **rdev,
983 				     struct wireless_dev **wdev,
984 				     struct nlattr **attrbuf)
985 {
986 	int err;
987 
988 	if (!cb->args[0]) {
989 		struct nlattr **attrbuf_free = NULL;
990 
991 		if (!attrbuf) {
992 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
993 					  GFP_KERNEL);
994 			if (!attrbuf)
995 				return -ENOMEM;
996 			attrbuf_free = attrbuf;
997 		}
998 
999 		err = nlmsg_parse_deprecated(cb->nlh,
1000 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1001 					     attrbuf, nl80211_fam.maxattr,
1002 					     nl80211_policy, NULL);
1003 		if (err) {
1004 			kfree(attrbuf_free);
1005 			return err;
1006 		}
1007 
1008 		rtnl_lock();
1009 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1010 						   attrbuf);
1011 		kfree(attrbuf_free);
1012 		if (IS_ERR(*wdev)) {
1013 			rtnl_unlock();
1014 			return PTR_ERR(*wdev);
1015 		}
1016 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1017 		mutex_lock(&(*rdev)->wiphy.mtx);
1018 		rtnl_unlock();
1019 		/* 0 is the first index - add 1 to parse only once */
1020 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1021 		cb->args[1] = (*wdev)->identifier;
1022 	} else {
1023 		/* subtract the 1 again here */
1024 		struct wiphy *wiphy;
1025 		struct wireless_dev *tmp;
1026 
1027 		rtnl_lock();
1028 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1029 		if (!wiphy) {
1030 			rtnl_unlock();
1031 			return -ENODEV;
1032 		}
1033 		*rdev = wiphy_to_rdev(wiphy);
1034 		*wdev = NULL;
1035 
1036 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1037 			if (tmp->identifier == cb->args[1]) {
1038 				*wdev = tmp;
1039 				break;
1040 			}
1041 		}
1042 
1043 		if (!*wdev) {
1044 			rtnl_unlock();
1045 			return -ENODEV;
1046 		}
1047 		mutex_lock(&(*rdev)->wiphy.mtx);
1048 		rtnl_unlock();
1049 	}
1050 
1051 	return 0;
1052 }
1053 
1054 /* message building helper */
1055 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1056 		     int flags, u8 cmd)
1057 {
1058 	/* since there is no private header just add the generic one */
1059 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1060 }
1061 
1062 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1063 				     const struct ieee80211_reg_rule *rule)
1064 {
1065 	int j;
1066 	struct nlattr *nl_wmm_rules =
1067 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1068 
1069 	if (!nl_wmm_rules)
1070 		goto nla_put_failure;
1071 
1072 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1073 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1074 
1075 		if (!nl_wmm_rule)
1076 			goto nla_put_failure;
1077 
1078 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1079 				rule->wmm_rule.client[j].cw_min) ||
1080 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1081 				rule->wmm_rule.client[j].cw_max) ||
1082 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1083 			       rule->wmm_rule.client[j].aifsn) ||
1084 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1085 			        rule->wmm_rule.client[j].cot))
1086 			goto nla_put_failure;
1087 
1088 		nla_nest_end(msg, nl_wmm_rule);
1089 	}
1090 	nla_nest_end(msg, nl_wmm_rules);
1091 
1092 	return 0;
1093 
1094 nla_put_failure:
1095 	return -ENOBUFS;
1096 }
1097 
1098 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1099 				   struct ieee80211_channel *chan,
1100 				   bool large)
1101 {
1102 	/* Some channels must be completely excluded from the
1103 	 * list to protect old user-space tools from breaking
1104 	 */
1105 	if (!large && chan->flags &
1106 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1107 		return 0;
1108 	if (!large && chan->freq_offset)
1109 		return 0;
1110 
1111 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1112 			chan->center_freq))
1113 		goto nla_put_failure;
1114 
1115 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1116 		goto nla_put_failure;
1117 
1118 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1119 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1120 		goto nla_put_failure;
1121 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1122 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1123 			goto nla_put_failure;
1124 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1125 			goto nla_put_failure;
1126 	}
1127 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1128 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1129 			goto nla_put_failure;
1130 		if (large) {
1131 			u32 time;
1132 
1133 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1134 
1135 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1136 					chan->dfs_state))
1137 				goto nla_put_failure;
1138 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1139 					time))
1140 				goto nla_put_failure;
1141 			if (nla_put_u32(msg,
1142 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1143 					chan->dfs_cac_ms))
1144 				goto nla_put_failure;
1145 		}
1146 	}
1147 
1148 	if (large) {
1149 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1169 			goto nla_put_failure;
1170 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1171 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1172 			goto nla_put_failure;
1173 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1174 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1175 			goto nla_put_failure;
1176 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1177 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1178 			goto nla_put_failure;
1179 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1180 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1181 			goto nla_put_failure;
1182 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1183 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1184 			goto nla_put_failure;
1185 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1186 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1187 			goto nla_put_failure;
1188 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1189 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1190 			goto nla_put_failure;
1191 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1192 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1193 			goto nla_put_failure;
1194 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1195 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1196 			goto nla_put_failure;
1197 	}
1198 
1199 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1200 			DBM_TO_MBM(chan->max_power)))
1201 		goto nla_put_failure;
1202 
1203 	if (large) {
1204 		const struct ieee80211_reg_rule *rule =
1205 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1206 
1207 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1208 			if (nl80211_msg_put_wmm_rules(msg, rule))
1209 				goto nla_put_failure;
1210 		}
1211 	}
1212 
1213 	return 0;
1214 
1215  nla_put_failure:
1216 	return -ENOBUFS;
1217 }
1218 
1219 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1220 				  struct cfg80211_txq_stats *txqstats,
1221 				  int attrtype)
1222 {
1223 	struct nlattr *txqattr;
1224 
1225 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1226 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1227 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1228 		return false;						  \
1229 	} while (0)
1230 
1231 	txqattr = nla_nest_start_noflag(msg, attrtype);
1232 	if (!txqattr)
1233 		return false;
1234 
1235 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1236 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1237 	PUT_TXQVAL_U32(FLOWS, flows);
1238 	PUT_TXQVAL_U32(DROPS, drops);
1239 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1240 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1241 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1242 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1243 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1244 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1245 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1246 	nla_nest_end(msg, txqattr);
1247 
1248 #undef PUT_TXQVAL_U32
1249 	return true;
1250 }
1251 
1252 /* netlink command implementations */
1253 
1254 /**
1255  * nl80211_link_id - return link ID
1256  * @attrs: attributes to look at
1257  *
1258  * Returns: the link ID or 0 if not given
1259  *
1260  * Note this function doesn't do any validation of the link
1261  * ID validity wrt. links that were actually added, so it must
1262  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1263  * or if additional validation is done.
1264  */
1265 static unsigned int nl80211_link_id(struct nlattr **attrs)
1266 {
1267 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1268 
1269 	if (!linkid)
1270 		return 0;
1271 
1272 	return nla_get_u8(linkid);
1273 }
1274 
1275 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1276 {
1277 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1278 
1279 	if (!linkid)
1280 		return -1;
1281 
1282 	return nla_get_u8(linkid);
1283 }
1284 
1285 struct key_parse {
1286 	struct key_params p;
1287 	int idx;
1288 	int type;
1289 	bool def, defmgmt, defbeacon;
1290 	bool def_uni, def_multi;
1291 };
1292 
1293 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1294 				 struct key_parse *k)
1295 {
1296 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1297 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1298 					      nl80211_key_policy,
1299 					      info->extack);
1300 	if (err)
1301 		return err;
1302 
1303 	k->def = !!tb[NL80211_KEY_DEFAULT];
1304 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1305 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1306 
1307 	if (k->def) {
1308 		k->def_uni = true;
1309 		k->def_multi = true;
1310 	}
1311 	if (k->defmgmt || k->defbeacon)
1312 		k->def_multi = true;
1313 
1314 	if (tb[NL80211_KEY_IDX])
1315 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1316 
1317 	if (tb[NL80211_KEY_DATA]) {
1318 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1319 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1320 	}
1321 
1322 	if (tb[NL80211_KEY_SEQ]) {
1323 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1324 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1325 	}
1326 
1327 	if (tb[NL80211_KEY_CIPHER])
1328 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1329 
1330 	if (tb[NL80211_KEY_TYPE])
1331 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1332 
1333 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1334 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1335 
1336 		err = nla_parse_nested_deprecated(kdt,
1337 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1338 						  tb[NL80211_KEY_DEFAULT_TYPES],
1339 						  nl80211_key_default_policy,
1340 						  info->extack);
1341 		if (err)
1342 			return err;
1343 
1344 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1345 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1346 	}
1347 
1348 	if (tb[NL80211_KEY_MODE])
1349 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1350 
1351 	return 0;
1352 }
1353 
1354 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1355 {
1356 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1357 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1358 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1359 	}
1360 
1361 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1362 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1363 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1364 	}
1365 
1366 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1367 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1368 
1369 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1370 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1371 
1372 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1373 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1374 
1375 	if (k->def) {
1376 		k->def_uni = true;
1377 		k->def_multi = true;
1378 	}
1379 	if (k->defmgmt)
1380 		k->def_multi = true;
1381 
1382 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1383 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1384 
1385 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1386 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1387 		int err = nla_parse_nested_deprecated(kdt,
1388 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1389 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1390 						      nl80211_key_default_policy,
1391 						      info->extack);
1392 		if (err)
1393 			return err;
1394 
1395 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1396 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1397 	}
1398 
1399 	return 0;
1400 }
1401 
1402 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1403 {
1404 	int err;
1405 
1406 	memset(k, 0, sizeof(*k));
1407 	k->idx = -1;
1408 	k->type = -1;
1409 
1410 	if (info->attrs[NL80211_ATTR_KEY])
1411 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1412 	else
1413 		err = nl80211_parse_key_old(info, k);
1414 
1415 	if (err)
1416 		return err;
1417 
1418 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1419 	    (k->defbeacon ? 1 : 0) > 1) {
1420 		GENL_SET_ERR_MSG(info,
1421 				 "key with multiple default flags is invalid");
1422 		return -EINVAL;
1423 	}
1424 
1425 	if (k->defmgmt || k->defbeacon) {
1426 		if (k->def_uni || !k->def_multi) {
1427 			GENL_SET_ERR_MSG(info,
1428 					 "defmgmt/defbeacon key must be mcast");
1429 			return -EINVAL;
1430 		}
1431 	}
1432 
1433 	if (k->idx != -1) {
1434 		if (k->defmgmt) {
1435 			if (k->idx < 4 || k->idx > 5) {
1436 				GENL_SET_ERR_MSG(info,
1437 						 "defmgmt key idx not 4 or 5");
1438 				return -EINVAL;
1439 			}
1440 		} else if (k->defbeacon) {
1441 			if (k->idx < 6 || k->idx > 7) {
1442 				GENL_SET_ERR_MSG(info,
1443 						 "defbeacon key idx not 6 or 7");
1444 				return -EINVAL;
1445 			}
1446 		} else if (k->def) {
1447 			if (k->idx < 0 || k->idx > 3) {
1448 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1449 				return -EINVAL;
1450 			}
1451 		} else {
1452 			if (k->idx < 0 || k->idx > 7) {
1453 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1454 				return -EINVAL;
1455 			}
1456 		}
1457 	}
1458 
1459 	return 0;
1460 }
1461 
1462 static struct cfg80211_cached_keys *
1463 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1464 		       struct genl_info *info, bool *no_ht)
1465 {
1466 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1467 	struct key_parse parse;
1468 	struct nlattr *key;
1469 	struct cfg80211_cached_keys *result;
1470 	int rem, err, def = 0;
1471 	bool have_key = false;
1472 
1473 	nla_for_each_nested(key, keys, rem) {
1474 		have_key = true;
1475 		break;
1476 	}
1477 
1478 	if (!have_key)
1479 		return NULL;
1480 
1481 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1482 	if (!result)
1483 		return ERR_PTR(-ENOMEM);
1484 
1485 	result->def = -1;
1486 
1487 	nla_for_each_nested(key, keys, rem) {
1488 		memset(&parse, 0, sizeof(parse));
1489 		parse.idx = -1;
1490 
1491 		err = nl80211_parse_key_new(info, key, &parse);
1492 		if (err)
1493 			goto error;
1494 		err = -EINVAL;
1495 		if (!parse.p.key)
1496 			goto error;
1497 		if (parse.idx < 0 || parse.idx > 3) {
1498 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1499 			goto error;
1500 		}
1501 		if (parse.def) {
1502 			if (def) {
1503 				GENL_SET_ERR_MSG(info,
1504 						 "only one key can be default");
1505 				goto error;
1506 			}
1507 			def = 1;
1508 			result->def = parse.idx;
1509 			if (!parse.def_uni || !parse.def_multi)
1510 				goto error;
1511 		} else if (parse.defmgmt)
1512 			goto error;
1513 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1514 						     parse.idx, false, NULL);
1515 		if (err)
1516 			goto error;
1517 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1518 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1519 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1520 			err = -EINVAL;
1521 			goto error;
1522 		}
1523 		result->params[parse.idx].cipher = parse.p.cipher;
1524 		result->params[parse.idx].key_len = parse.p.key_len;
1525 		result->params[parse.idx].key = result->data[parse.idx];
1526 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1527 
1528 		/* must be WEP key if we got here */
1529 		if (no_ht)
1530 			*no_ht = true;
1531 	}
1532 
1533 	if (result->def < 0) {
1534 		err = -EINVAL;
1535 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1536 		goto error;
1537 	}
1538 
1539 	return result;
1540  error:
1541 	kfree(result);
1542 	return ERR_PTR(err);
1543 }
1544 
1545 static int nl80211_key_allowed(struct wireless_dev *wdev)
1546 {
1547 	ASSERT_WDEV_LOCK(wdev);
1548 
1549 	switch (wdev->iftype) {
1550 	case NL80211_IFTYPE_AP:
1551 	case NL80211_IFTYPE_AP_VLAN:
1552 	case NL80211_IFTYPE_P2P_GO:
1553 	case NL80211_IFTYPE_MESH_POINT:
1554 		break;
1555 	case NL80211_IFTYPE_ADHOC:
1556 		if (wdev->u.ibss.current_bss)
1557 			return 0;
1558 		return -ENOLINK;
1559 	case NL80211_IFTYPE_STATION:
1560 	case NL80211_IFTYPE_P2P_CLIENT:
1561 		if (wdev->connected)
1562 			return 0;
1563 		return -ENOLINK;
1564 	case NL80211_IFTYPE_NAN:
1565 		if (wiphy_ext_feature_isset(wdev->wiphy,
1566 					    NL80211_EXT_FEATURE_SECURE_NAN))
1567 			return 0;
1568 		return -EINVAL;
1569 	case NL80211_IFTYPE_UNSPECIFIED:
1570 	case NL80211_IFTYPE_OCB:
1571 	case NL80211_IFTYPE_MONITOR:
1572 	case NL80211_IFTYPE_P2P_DEVICE:
1573 	case NL80211_IFTYPE_WDS:
1574 	case NUM_NL80211_IFTYPES:
1575 		return -EINVAL;
1576 	}
1577 
1578 	return 0;
1579 }
1580 
1581 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1582 							u32 freq)
1583 {
1584 	struct ieee80211_channel *chan;
1585 
1586 	chan = ieee80211_get_channel_khz(wiphy, freq);
1587 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1588 		return NULL;
1589 	return chan;
1590 }
1591 
1592 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1593 {
1594 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1595 	int i;
1596 
1597 	if (!nl_modes)
1598 		goto nla_put_failure;
1599 
1600 	i = 0;
1601 	while (ifmodes) {
1602 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1603 			goto nla_put_failure;
1604 		ifmodes >>= 1;
1605 		i++;
1606 	}
1607 
1608 	nla_nest_end(msg, nl_modes);
1609 	return 0;
1610 
1611 nla_put_failure:
1612 	return -ENOBUFS;
1613 }
1614 
1615 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1616 					  struct sk_buff *msg,
1617 					  bool large)
1618 {
1619 	struct nlattr *nl_combis;
1620 	int i, j;
1621 
1622 	nl_combis = nla_nest_start_noflag(msg,
1623 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1624 	if (!nl_combis)
1625 		goto nla_put_failure;
1626 
1627 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1628 		const struct ieee80211_iface_combination *c;
1629 		struct nlattr *nl_combi, *nl_limits;
1630 
1631 		c = &wiphy->iface_combinations[i];
1632 
1633 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1634 		if (!nl_combi)
1635 			goto nla_put_failure;
1636 
1637 		nl_limits = nla_nest_start_noflag(msg,
1638 						  NL80211_IFACE_COMB_LIMITS);
1639 		if (!nl_limits)
1640 			goto nla_put_failure;
1641 
1642 		for (j = 0; j < c->n_limits; j++) {
1643 			struct nlattr *nl_limit;
1644 
1645 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1646 			if (!nl_limit)
1647 				goto nla_put_failure;
1648 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1649 					c->limits[j].max))
1650 				goto nla_put_failure;
1651 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1652 						c->limits[j].types))
1653 				goto nla_put_failure;
1654 			nla_nest_end(msg, nl_limit);
1655 		}
1656 
1657 		nla_nest_end(msg, nl_limits);
1658 
1659 		if (c->beacon_int_infra_match &&
1660 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1661 			goto nla_put_failure;
1662 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1663 				c->num_different_channels) ||
1664 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1665 				c->max_interfaces))
1666 			goto nla_put_failure;
1667 		if (large &&
1668 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1669 				c->radar_detect_widths) ||
1670 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1671 				c->radar_detect_regions)))
1672 			goto nla_put_failure;
1673 		if (c->beacon_int_min_gcd &&
1674 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1675 				c->beacon_int_min_gcd))
1676 			goto nla_put_failure;
1677 
1678 		nla_nest_end(msg, nl_combi);
1679 	}
1680 
1681 	nla_nest_end(msg, nl_combis);
1682 
1683 	return 0;
1684 nla_put_failure:
1685 	return -ENOBUFS;
1686 }
1687 
1688 #ifdef CONFIG_PM
1689 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1690 					struct sk_buff *msg)
1691 {
1692 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1693 	struct nlattr *nl_tcp;
1694 
1695 	if (!tcp)
1696 		return 0;
1697 
1698 	nl_tcp = nla_nest_start_noflag(msg,
1699 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1700 	if (!nl_tcp)
1701 		return -ENOBUFS;
1702 
1703 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1704 			tcp->data_payload_max))
1705 		return -ENOBUFS;
1706 
1707 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1708 			tcp->data_payload_max))
1709 		return -ENOBUFS;
1710 
1711 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1712 		return -ENOBUFS;
1713 
1714 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1715 				sizeof(*tcp->tok), tcp->tok))
1716 		return -ENOBUFS;
1717 
1718 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1719 			tcp->data_interval_max))
1720 		return -ENOBUFS;
1721 
1722 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1723 			tcp->wake_payload_max))
1724 		return -ENOBUFS;
1725 
1726 	nla_nest_end(msg, nl_tcp);
1727 	return 0;
1728 }
1729 
1730 static int nl80211_send_wowlan(struct sk_buff *msg,
1731 			       struct cfg80211_registered_device *rdev,
1732 			       bool large)
1733 {
1734 	struct nlattr *nl_wowlan;
1735 
1736 	if (!rdev->wiphy.wowlan)
1737 		return 0;
1738 
1739 	nl_wowlan = nla_nest_start_noflag(msg,
1740 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1741 	if (!nl_wowlan)
1742 		return -ENOBUFS;
1743 
1744 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1745 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1746 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1747 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1748 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1749 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1750 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1751 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1752 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1753 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1754 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1755 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1756 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1757 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1758 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1759 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1760 		return -ENOBUFS;
1761 
1762 	if (rdev->wiphy.wowlan->n_patterns) {
1763 		struct nl80211_pattern_support pat = {
1764 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1765 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1766 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1767 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1768 		};
1769 
1770 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1771 			    sizeof(pat), &pat))
1772 			return -ENOBUFS;
1773 	}
1774 
1775 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1776 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1777 			rdev->wiphy.wowlan->max_nd_match_sets))
1778 		return -ENOBUFS;
1779 
1780 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1781 		return -ENOBUFS;
1782 
1783 	nla_nest_end(msg, nl_wowlan);
1784 
1785 	return 0;
1786 }
1787 #endif
1788 
1789 static int nl80211_send_coalesce(struct sk_buff *msg,
1790 				 struct cfg80211_registered_device *rdev)
1791 {
1792 	struct nl80211_coalesce_rule_support rule;
1793 
1794 	if (!rdev->wiphy.coalesce)
1795 		return 0;
1796 
1797 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1798 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1799 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1800 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1801 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1802 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1803 
1804 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1805 		return -ENOBUFS;
1806 
1807 	return 0;
1808 }
1809 
1810 static int
1811 nl80211_send_iftype_data(struct sk_buff *msg,
1812 			 const struct ieee80211_supported_band *sband,
1813 			 const struct ieee80211_sband_iftype_data *iftdata)
1814 {
1815 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1816 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1817 
1818 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1819 				iftdata->types_mask))
1820 		return -ENOBUFS;
1821 
1822 	if (he_cap->has_he) {
1823 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1824 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1825 			    he_cap->he_cap_elem.mac_cap_info) ||
1826 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1827 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1828 			    he_cap->he_cap_elem.phy_cap_info) ||
1829 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1830 			    sizeof(he_cap->he_mcs_nss_supp),
1831 			    &he_cap->he_mcs_nss_supp) ||
1832 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1833 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1834 			return -ENOBUFS;
1835 	}
1836 
1837 	if (eht_cap->has_eht && he_cap->has_he) {
1838 		u8 mcs_nss_size, ppe_thresh_size;
1839 		u16 ppe_thres_hdr;
1840 		bool is_ap;
1841 
1842 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1843 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1844 
1845 		mcs_nss_size =
1846 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1847 						   &eht_cap->eht_cap_elem,
1848 						   is_ap);
1849 
1850 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1851 		ppe_thresh_size =
1852 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1853 					       eht_cap->eht_cap_elem.phy_cap_info);
1854 
1855 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1856 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1857 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1858 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1859 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1860 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1861 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1862 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1863 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1864 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1865 			return -ENOBUFS;
1866 	}
1867 
1868 	if (sband->band == NL80211_BAND_6GHZ &&
1869 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1870 		    sizeof(iftdata->he_6ghz_capa),
1871 		    &iftdata->he_6ghz_capa))
1872 		return -ENOBUFS;
1873 
1874 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1875 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1876 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1877 		return -ENOBUFS;
1878 
1879 	return 0;
1880 }
1881 
1882 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1883 				      struct ieee80211_supported_band *sband,
1884 				      bool large)
1885 {
1886 	struct nlattr *nl_rates, *nl_rate;
1887 	struct ieee80211_rate *rate;
1888 	int i;
1889 
1890 	/* add HT info */
1891 	if (sband->ht_cap.ht_supported &&
1892 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1893 		     sizeof(sband->ht_cap.mcs),
1894 		     &sband->ht_cap.mcs) ||
1895 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1896 			 sband->ht_cap.cap) ||
1897 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1898 			sband->ht_cap.ampdu_factor) ||
1899 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1900 			sband->ht_cap.ampdu_density)))
1901 		return -ENOBUFS;
1902 
1903 	/* add VHT info */
1904 	if (sband->vht_cap.vht_supported &&
1905 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1906 		     sizeof(sband->vht_cap.vht_mcs),
1907 		     &sband->vht_cap.vht_mcs) ||
1908 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1909 			 sband->vht_cap.cap)))
1910 		return -ENOBUFS;
1911 
1912 	if (large && sband->n_iftype_data) {
1913 		struct nlattr *nl_iftype_data =
1914 			nla_nest_start_noflag(msg,
1915 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1916 		int err;
1917 
1918 		if (!nl_iftype_data)
1919 			return -ENOBUFS;
1920 
1921 		for (i = 0; i < sband->n_iftype_data; i++) {
1922 			struct nlattr *iftdata;
1923 
1924 			iftdata = nla_nest_start_noflag(msg, i + 1);
1925 			if (!iftdata)
1926 				return -ENOBUFS;
1927 
1928 			err = nl80211_send_iftype_data(msg, sband,
1929 						       &sband->iftype_data[i]);
1930 			if (err)
1931 				return err;
1932 
1933 			nla_nest_end(msg, iftdata);
1934 		}
1935 
1936 		nla_nest_end(msg, nl_iftype_data);
1937 	}
1938 
1939 	/* add EDMG info */
1940 	if (large && sband->edmg_cap.channels &&
1941 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1942 		       sband->edmg_cap.channels) ||
1943 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1944 		       sband->edmg_cap.bw_config)))
1945 
1946 		return -ENOBUFS;
1947 
1948 	/* add bitrates */
1949 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1950 	if (!nl_rates)
1951 		return -ENOBUFS;
1952 
1953 	for (i = 0; i < sband->n_bitrates; i++) {
1954 		nl_rate = nla_nest_start_noflag(msg, i);
1955 		if (!nl_rate)
1956 			return -ENOBUFS;
1957 
1958 		rate = &sband->bitrates[i];
1959 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1960 				rate->bitrate))
1961 			return -ENOBUFS;
1962 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1963 		    nla_put_flag(msg,
1964 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1965 			return -ENOBUFS;
1966 
1967 		nla_nest_end(msg, nl_rate);
1968 	}
1969 
1970 	nla_nest_end(msg, nl_rates);
1971 
1972 	/* S1G capabilities */
1973 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
1974 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
1975 		     sizeof(sband->s1g_cap.cap),
1976 		     sband->s1g_cap.cap) ||
1977 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
1978 		     sizeof(sband->s1g_cap.nss_mcs),
1979 		     sband->s1g_cap.nss_mcs)))
1980 		return -ENOBUFS;
1981 
1982 	return 0;
1983 }
1984 
1985 static int
1986 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1987 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1988 {
1989 	u16 stypes;
1990 	struct nlattr *nl_ftypes, *nl_ifs;
1991 	enum nl80211_iftype ift;
1992 	int i;
1993 
1994 	if (!mgmt_stypes)
1995 		return 0;
1996 
1997 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1998 	if (!nl_ifs)
1999 		return -ENOBUFS;
2000 
2001 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2002 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2003 		if (!nl_ftypes)
2004 			return -ENOBUFS;
2005 		i = 0;
2006 		stypes = mgmt_stypes[ift].tx;
2007 		while (stypes) {
2008 			if ((stypes & 1) &&
2009 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2010 					(i << 4) | IEEE80211_FTYPE_MGMT))
2011 				return -ENOBUFS;
2012 			stypes >>= 1;
2013 			i++;
2014 		}
2015 		nla_nest_end(msg, nl_ftypes);
2016 	}
2017 
2018 	nla_nest_end(msg, nl_ifs);
2019 
2020 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2021 	if (!nl_ifs)
2022 		return -ENOBUFS;
2023 
2024 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2025 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2026 		if (!nl_ftypes)
2027 			return -ENOBUFS;
2028 		i = 0;
2029 		stypes = mgmt_stypes[ift].rx;
2030 		while (stypes) {
2031 			if ((stypes & 1) &&
2032 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2033 					(i << 4) | IEEE80211_FTYPE_MGMT))
2034 				return -ENOBUFS;
2035 			stypes >>= 1;
2036 			i++;
2037 		}
2038 		nla_nest_end(msg, nl_ftypes);
2039 	}
2040 	nla_nest_end(msg, nl_ifs);
2041 
2042 	return 0;
2043 }
2044 
2045 #define CMD(op, n)							\
2046 	 do {								\
2047 		if (rdev->ops->op) {					\
2048 			i++;						\
2049 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2050 				goto nla_put_failure;			\
2051 		}							\
2052 	} while (0)
2053 
2054 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2055 					struct sk_buff *msg)
2056 {
2057 	int i = 0;
2058 
2059 	/*
2060 	 * do *NOT* add anything into this function, new things need to be
2061 	 * advertised only to new versions of userspace that can deal with
2062 	 * the split (and they can't possibly care about new features...
2063 	 */
2064 	CMD(add_virtual_intf, NEW_INTERFACE);
2065 	CMD(change_virtual_intf, SET_INTERFACE);
2066 	CMD(add_key, NEW_KEY);
2067 	CMD(start_ap, START_AP);
2068 	CMD(add_station, NEW_STATION);
2069 	CMD(add_mpath, NEW_MPATH);
2070 	CMD(update_mesh_config, SET_MESH_CONFIG);
2071 	CMD(change_bss, SET_BSS);
2072 	CMD(auth, AUTHENTICATE);
2073 	CMD(assoc, ASSOCIATE);
2074 	CMD(deauth, DEAUTHENTICATE);
2075 	CMD(disassoc, DISASSOCIATE);
2076 	CMD(join_ibss, JOIN_IBSS);
2077 	CMD(join_mesh, JOIN_MESH);
2078 	CMD(set_pmksa, SET_PMKSA);
2079 	CMD(del_pmksa, DEL_PMKSA);
2080 	CMD(flush_pmksa, FLUSH_PMKSA);
2081 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2082 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2083 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2084 	CMD(mgmt_tx, FRAME);
2085 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2086 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2087 		i++;
2088 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2089 			goto nla_put_failure;
2090 	}
2091 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2092 	    rdev->ops->join_mesh) {
2093 		i++;
2094 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2095 			goto nla_put_failure;
2096 	}
2097 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2098 		CMD(tdls_mgmt, TDLS_MGMT);
2099 		CMD(tdls_oper, TDLS_OPER);
2100 	}
2101 	if (rdev->wiphy.max_sched_scan_reqs)
2102 		CMD(sched_scan_start, START_SCHED_SCAN);
2103 	CMD(probe_client, PROBE_CLIENT);
2104 	CMD(set_noack_map, SET_NOACK_MAP);
2105 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2106 		i++;
2107 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2108 			goto nla_put_failure;
2109 	}
2110 	CMD(start_p2p_device, START_P2P_DEVICE);
2111 	CMD(set_mcast_rate, SET_MCAST_RATE);
2112 #ifdef CONFIG_NL80211_TESTMODE
2113 	CMD(testmode_cmd, TESTMODE);
2114 #endif
2115 
2116 	if (rdev->ops->connect || rdev->ops->auth) {
2117 		i++;
2118 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2119 			goto nla_put_failure;
2120 	}
2121 
2122 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2123 		i++;
2124 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2125 			goto nla_put_failure;
2126 	}
2127 
2128 	return i;
2129  nla_put_failure:
2130 	return -ENOBUFS;
2131 }
2132 
2133 static int
2134 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2135 			   struct sk_buff *msg)
2136 {
2137 	struct nlattr *ftm;
2138 
2139 	if (!cap->ftm.supported)
2140 		return 0;
2141 
2142 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2143 	if (!ftm)
2144 		return -ENOBUFS;
2145 
2146 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2147 		return -ENOBUFS;
2148 	if (cap->ftm.non_asap &&
2149 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2150 		return -ENOBUFS;
2151 	if (cap->ftm.request_lci &&
2152 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2153 		return -ENOBUFS;
2154 	if (cap->ftm.request_civicloc &&
2155 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2156 		return -ENOBUFS;
2157 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2158 			cap->ftm.preambles))
2159 		return -ENOBUFS;
2160 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2161 			cap->ftm.bandwidths))
2162 		return -ENOBUFS;
2163 	if (cap->ftm.max_bursts_exponent >= 0 &&
2164 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2165 			cap->ftm.max_bursts_exponent))
2166 		return -ENOBUFS;
2167 	if (cap->ftm.max_ftms_per_burst &&
2168 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2169 			cap->ftm.max_ftms_per_burst))
2170 		return -ENOBUFS;
2171 	if (cap->ftm.trigger_based &&
2172 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2173 		return -ENOBUFS;
2174 	if (cap->ftm.non_trigger_based &&
2175 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2176 		return -ENOBUFS;
2177 
2178 	nla_nest_end(msg, ftm);
2179 	return 0;
2180 }
2181 
2182 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2183 				  struct sk_buff *msg)
2184 {
2185 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2186 	struct nlattr *pmsr, *caps;
2187 
2188 	if (!cap)
2189 		return 0;
2190 
2191 	/*
2192 	 * we don't need to clean up anything here since the caller
2193 	 * will genlmsg_cancel() if we fail
2194 	 */
2195 
2196 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2197 	if (!pmsr)
2198 		return -ENOBUFS;
2199 
2200 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2201 		return -ENOBUFS;
2202 
2203 	if (cap->report_ap_tsf &&
2204 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2205 		return -ENOBUFS;
2206 
2207 	if (cap->randomize_mac_addr &&
2208 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2209 		return -ENOBUFS;
2210 
2211 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2212 	if (!caps)
2213 		return -ENOBUFS;
2214 
2215 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2216 		return -ENOBUFS;
2217 
2218 	nla_nest_end(msg, caps);
2219 	nla_nest_end(msg, pmsr);
2220 
2221 	return 0;
2222 }
2223 
2224 static int
2225 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2226 			      struct sk_buff *msg)
2227 {
2228 	int i;
2229 	struct nlattr *nested, *nested_akms;
2230 	const struct wiphy_iftype_akm_suites *iftype_akms;
2231 
2232 	if (!rdev->wiphy.num_iftype_akm_suites ||
2233 	    !rdev->wiphy.iftype_akm_suites)
2234 		return 0;
2235 
2236 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2237 	if (!nested)
2238 		return -ENOBUFS;
2239 
2240 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2241 		nested_akms = nla_nest_start(msg, i + 1);
2242 		if (!nested_akms)
2243 			return -ENOBUFS;
2244 
2245 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2246 
2247 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2248 					iftype_akms->iftypes_mask))
2249 			return -ENOBUFS;
2250 
2251 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2252 			    sizeof(u32) * iftype_akms->n_akm_suites,
2253 			    iftype_akms->akm_suites)) {
2254 			return -ENOBUFS;
2255 		}
2256 		nla_nest_end(msg, nested_akms);
2257 	}
2258 
2259 	nla_nest_end(msg, nested);
2260 
2261 	return 0;
2262 }
2263 
2264 static int
2265 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2266 			       struct sk_buff *msg)
2267 {
2268 	struct nlattr *supp;
2269 
2270 	if (!rdev->wiphy.tid_config_support.vif &&
2271 	    !rdev->wiphy.tid_config_support.peer)
2272 		return 0;
2273 
2274 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2275 	if (!supp)
2276 		return -ENOSPC;
2277 
2278 	if (rdev->wiphy.tid_config_support.vif &&
2279 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2280 			      rdev->wiphy.tid_config_support.vif,
2281 			      NL80211_TID_CONFIG_ATTR_PAD))
2282 		goto fail;
2283 
2284 	if (rdev->wiphy.tid_config_support.peer &&
2285 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2286 			      rdev->wiphy.tid_config_support.peer,
2287 			      NL80211_TID_CONFIG_ATTR_PAD))
2288 		goto fail;
2289 
2290 	/* for now we just use the same value ... makes more sense */
2291 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2292 		       rdev->wiphy.tid_config_support.max_retry))
2293 		goto fail;
2294 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2295 		       rdev->wiphy.tid_config_support.max_retry))
2296 		goto fail;
2297 
2298 	nla_nest_end(msg, supp);
2299 
2300 	return 0;
2301 fail:
2302 	nla_nest_cancel(msg, supp);
2303 	return -ENOBUFS;
2304 }
2305 
2306 static int
2307 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2308 		      struct sk_buff *msg)
2309 {
2310 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2311 	u8 num_freq_ranges;
2312 	int i;
2313 
2314 	if (!rdev->wiphy.sar_capa)
2315 		return 0;
2316 
2317 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2318 
2319 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2320 	if (!sar_capa)
2321 		return -ENOSPC;
2322 
2323 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2324 		goto fail;
2325 
2326 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2327 	if (!specs)
2328 		goto fail;
2329 
2330 	/* report supported freq_ranges */
2331 	for (i = 0; i < num_freq_ranges; i++) {
2332 		sub_freq_range = nla_nest_start(msg, i + 1);
2333 		if (!sub_freq_range)
2334 			goto fail;
2335 
2336 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2337 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2338 			goto fail;
2339 
2340 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2341 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2342 			goto fail;
2343 
2344 		nla_nest_end(msg, sub_freq_range);
2345 	}
2346 
2347 	nla_nest_end(msg, specs);
2348 	nla_nest_end(msg, sar_capa);
2349 
2350 	return 0;
2351 fail:
2352 	nla_nest_cancel(msg, sar_capa);
2353 	return -ENOBUFS;
2354 }
2355 
2356 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2357 {
2358 	struct nlattr *config;
2359 
2360 	if (!wiphy->mbssid_max_interfaces)
2361 		return 0;
2362 
2363 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2364 	if (!config)
2365 		return -ENOBUFS;
2366 
2367 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2368 		       wiphy->mbssid_max_interfaces))
2369 		goto fail;
2370 
2371 	if (wiphy->ema_max_profile_periodicity &&
2372 	    nla_put_u8(msg,
2373 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2374 		       wiphy->ema_max_profile_periodicity))
2375 		goto fail;
2376 
2377 	nla_nest_end(msg, config);
2378 	return 0;
2379 
2380 fail:
2381 	nla_nest_cancel(msg, config);
2382 	return -ENOBUFS;
2383 }
2384 
2385 struct nl80211_dump_wiphy_state {
2386 	s64 filter_wiphy;
2387 	long start;
2388 	long split_start, band_start, chan_start, capa_start;
2389 	bool split;
2390 };
2391 
2392 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2393 			      enum nl80211_commands cmd,
2394 			      struct sk_buff *msg, u32 portid, u32 seq,
2395 			      int flags, struct nl80211_dump_wiphy_state *state)
2396 {
2397 	void *hdr;
2398 	struct nlattr *nl_bands, *nl_band;
2399 	struct nlattr *nl_freqs, *nl_freq;
2400 	struct nlattr *nl_cmds;
2401 	enum nl80211_band band;
2402 	struct ieee80211_channel *chan;
2403 	int i;
2404 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2405 				rdev->wiphy.mgmt_stypes;
2406 	u32 features;
2407 
2408 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2409 	if (!hdr)
2410 		return -ENOBUFS;
2411 
2412 	if (WARN_ON(!state))
2413 		return -EINVAL;
2414 
2415 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2416 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2417 			   wiphy_name(&rdev->wiphy)) ||
2418 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2419 			cfg80211_rdev_list_generation))
2420 		goto nla_put_failure;
2421 
2422 	if (cmd != NL80211_CMD_NEW_WIPHY)
2423 		goto finish;
2424 
2425 	switch (state->split_start) {
2426 	case 0:
2427 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2428 			       rdev->wiphy.retry_short) ||
2429 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2430 			       rdev->wiphy.retry_long) ||
2431 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2432 				rdev->wiphy.frag_threshold) ||
2433 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2434 				rdev->wiphy.rts_threshold) ||
2435 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2436 			       rdev->wiphy.coverage_class) ||
2437 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2438 			       rdev->wiphy.max_scan_ssids) ||
2439 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2440 			       rdev->wiphy.max_sched_scan_ssids) ||
2441 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2442 				rdev->wiphy.max_scan_ie_len) ||
2443 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2444 				rdev->wiphy.max_sched_scan_ie_len) ||
2445 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2446 			       rdev->wiphy.max_match_sets))
2447 			goto nla_put_failure;
2448 
2449 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2450 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2451 			goto nla_put_failure;
2452 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2453 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2454 			goto nla_put_failure;
2455 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2456 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2457 			goto nla_put_failure;
2458 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2459 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2460 			goto nla_put_failure;
2461 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2462 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2463 			goto nla_put_failure;
2464 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2465 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2466 			goto nla_put_failure;
2467 		state->split_start++;
2468 		if (state->split)
2469 			break;
2470 		fallthrough;
2471 	case 1:
2472 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2473 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2474 			    rdev->wiphy.cipher_suites))
2475 			goto nla_put_failure;
2476 
2477 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2478 			       rdev->wiphy.max_num_pmkids))
2479 			goto nla_put_failure;
2480 
2481 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2482 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2483 			goto nla_put_failure;
2484 
2485 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2486 				rdev->wiphy.available_antennas_tx) ||
2487 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2488 				rdev->wiphy.available_antennas_rx))
2489 			goto nla_put_failure;
2490 
2491 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2492 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2493 				rdev->wiphy.probe_resp_offload))
2494 			goto nla_put_failure;
2495 
2496 		if ((rdev->wiphy.available_antennas_tx ||
2497 		     rdev->wiphy.available_antennas_rx) &&
2498 		    rdev->ops->get_antenna) {
2499 			u32 tx_ant = 0, rx_ant = 0;
2500 			int res;
2501 
2502 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2503 			if (!res) {
2504 				if (nla_put_u32(msg,
2505 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2506 						tx_ant) ||
2507 				    nla_put_u32(msg,
2508 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2509 						rx_ant))
2510 					goto nla_put_failure;
2511 			}
2512 		}
2513 
2514 		state->split_start++;
2515 		if (state->split)
2516 			break;
2517 		fallthrough;
2518 	case 2:
2519 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2520 					rdev->wiphy.interface_modes))
2521 				goto nla_put_failure;
2522 		state->split_start++;
2523 		if (state->split)
2524 			break;
2525 		fallthrough;
2526 	case 3:
2527 		nl_bands = nla_nest_start_noflag(msg,
2528 						 NL80211_ATTR_WIPHY_BANDS);
2529 		if (!nl_bands)
2530 			goto nla_put_failure;
2531 
2532 		for (band = state->band_start;
2533 		     band < (state->split ?
2534 				NUM_NL80211_BANDS :
2535 				NL80211_BAND_60GHZ + 1);
2536 		     band++) {
2537 			struct ieee80211_supported_band *sband;
2538 
2539 			/* omit higher bands for ancient software */
2540 			if (band > NL80211_BAND_5GHZ && !state->split)
2541 				break;
2542 
2543 			sband = rdev->wiphy.bands[band];
2544 
2545 			if (!sband)
2546 				continue;
2547 
2548 			nl_band = nla_nest_start_noflag(msg, band);
2549 			if (!nl_band)
2550 				goto nla_put_failure;
2551 
2552 			switch (state->chan_start) {
2553 			case 0:
2554 				if (nl80211_send_band_rateinfo(msg, sband,
2555 							       state->split))
2556 					goto nla_put_failure;
2557 				state->chan_start++;
2558 				if (state->split)
2559 					break;
2560 				fallthrough;
2561 			default:
2562 				/* add frequencies */
2563 				nl_freqs = nla_nest_start_noflag(msg,
2564 								 NL80211_BAND_ATTR_FREQS);
2565 				if (!nl_freqs)
2566 					goto nla_put_failure;
2567 
2568 				for (i = state->chan_start - 1;
2569 				     i < sband->n_channels;
2570 				     i++) {
2571 					nl_freq = nla_nest_start_noflag(msg,
2572 									i);
2573 					if (!nl_freq)
2574 						goto nla_put_failure;
2575 
2576 					chan = &sband->channels[i];
2577 
2578 					if (nl80211_msg_put_channel(
2579 							msg, &rdev->wiphy, chan,
2580 							state->split))
2581 						goto nla_put_failure;
2582 
2583 					nla_nest_end(msg, nl_freq);
2584 					if (state->split)
2585 						break;
2586 				}
2587 				if (i < sband->n_channels)
2588 					state->chan_start = i + 2;
2589 				else
2590 					state->chan_start = 0;
2591 				nla_nest_end(msg, nl_freqs);
2592 			}
2593 
2594 			nla_nest_end(msg, nl_band);
2595 
2596 			if (state->split) {
2597 				/* start again here */
2598 				if (state->chan_start)
2599 					band--;
2600 				break;
2601 			}
2602 		}
2603 		nla_nest_end(msg, nl_bands);
2604 
2605 		if (band < NUM_NL80211_BANDS)
2606 			state->band_start = band + 1;
2607 		else
2608 			state->band_start = 0;
2609 
2610 		/* if bands & channels are done, continue outside */
2611 		if (state->band_start == 0 && state->chan_start == 0)
2612 			state->split_start++;
2613 		if (state->split)
2614 			break;
2615 		fallthrough;
2616 	case 4:
2617 		nl_cmds = nla_nest_start_noflag(msg,
2618 						NL80211_ATTR_SUPPORTED_COMMANDS);
2619 		if (!nl_cmds)
2620 			goto nla_put_failure;
2621 
2622 		i = nl80211_add_commands_unsplit(rdev, msg);
2623 		if (i < 0)
2624 			goto nla_put_failure;
2625 		if (state->split) {
2626 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2627 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2628 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2629 				CMD(channel_switch, CHANNEL_SWITCH);
2630 			CMD(set_qos_map, SET_QOS_MAP);
2631 			if (rdev->wiphy.features &
2632 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2633 				CMD(add_tx_ts, ADD_TX_TS);
2634 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2635 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2636 			CMD(update_ft_ies, UPDATE_FT_IES);
2637 			if (rdev->wiphy.sar_capa)
2638 				CMD(set_sar_specs, SET_SAR_SPECS);
2639 		}
2640 #undef CMD
2641 
2642 		nla_nest_end(msg, nl_cmds);
2643 		state->split_start++;
2644 		if (state->split)
2645 			break;
2646 		fallthrough;
2647 	case 5:
2648 		if (rdev->ops->remain_on_channel &&
2649 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2650 		    nla_put_u32(msg,
2651 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2652 				rdev->wiphy.max_remain_on_channel_duration))
2653 			goto nla_put_failure;
2654 
2655 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2656 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2657 			goto nla_put_failure;
2658 
2659 		state->split_start++;
2660 		if (state->split)
2661 			break;
2662 		fallthrough;
2663 	case 6:
2664 #ifdef CONFIG_PM
2665 		if (nl80211_send_wowlan(msg, rdev, state->split))
2666 			goto nla_put_failure;
2667 		state->split_start++;
2668 		if (state->split)
2669 			break;
2670 #else
2671 		state->split_start++;
2672 #endif
2673 		fallthrough;
2674 	case 7:
2675 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2676 					rdev->wiphy.software_iftypes))
2677 			goto nla_put_failure;
2678 
2679 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2680 						   state->split))
2681 			goto nla_put_failure;
2682 
2683 		state->split_start++;
2684 		if (state->split)
2685 			break;
2686 		fallthrough;
2687 	case 8:
2688 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2689 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2690 				rdev->wiphy.ap_sme_capa))
2691 			goto nla_put_failure;
2692 
2693 		features = rdev->wiphy.features;
2694 		/*
2695 		 * We can only add the per-channel limit information if the
2696 		 * dump is split, otherwise it makes it too big. Therefore
2697 		 * only advertise it in that case.
2698 		 */
2699 		if (state->split)
2700 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2701 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2702 			goto nla_put_failure;
2703 
2704 		if (rdev->wiphy.ht_capa_mod_mask &&
2705 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2706 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2707 			    rdev->wiphy.ht_capa_mod_mask))
2708 			goto nla_put_failure;
2709 
2710 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2711 		    rdev->wiphy.max_acl_mac_addrs &&
2712 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2713 				rdev->wiphy.max_acl_mac_addrs))
2714 			goto nla_put_failure;
2715 
2716 		/*
2717 		 * Any information below this point is only available to
2718 		 * applications that can deal with it being split. This
2719 		 * helps ensure that newly added capabilities don't break
2720 		 * older tools by overrunning their buffers.
2721 		 *
2722 		 * We still increment split_start so that in the split
2723 		 * case we'll continue with more data in the next round,
2724 		 * but break unconditionally so unsplit data stops here.
2725 		 */
2726 		if (state->split)
2727 			state->split_start++;
2728 		else
2729 			state->split_start = 0;
2730 		break;
2731 	case 9:
2732 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2733 			goto nla_put_failure;
2734 
2735 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2736 				rdev->wiphy.max_sched_scan_plans) ||
2737 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2738 				rdev->wiphy.max_sched_scan_plan_interval) ||
2739 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2740 				rdev->wiphy.max_sched_scan_plan_iterations))
2741 			goto nla_put_failure;
2742 
2743 		if (rdev->wiphy.extended_capabilities &&
2744 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2745 			     rdev->wiphy.extended_capabilities_len,
2746 			     rdev->wiphy.extended_capabilities) ||
2747 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2748 			     rdev->wiphy.extended_capabilities_len,
2749 			     rdev->wiphy.extended_capabilities_mask)))
2750 			goto nla_put_failure;
2751 
2752 		if (rdev->wiphy.vht_capa_mod_mask &&
2753 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2754 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2755 			    rdev->wiphy.vht_capa_mod_mask))
2756 			goto nla_put_failure;
2757 
2758 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2759 			    rdev->wiphy.perm_addr))
2760 			goto nla_put_failure;
2761 
2762 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2763 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2764 			    rdev->wiphy.addr_mask))
2765 			goto nla_put_failure;
2766 
2767 		if (rdev->wiphy.n_addresses > 1) {
2768 			void *attr;
2769 
2770 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2771 			if (!attr)
2772 				goto nla_put_failure;
2773 
2774 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2775 				if (nla_put(msg, i + 1, ETH_ALEN,
2776 					    rdev->wiphy.addresses[i].addr))
2777 					goto nla_put_failure;
2778 
2779 			nla_nest_end(msg, attr);
2780 		}
2781 
2782 		state->split_start++;
2783 		break;
2784 	case 10:
2785 		if (nl80211_send_coalesce(msg, rdev))
2786 			goto nla_put_failure;
2787 
2788 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2789 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2790 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2791 			goto nla_put_failure;
2792 
2793 		if (rdev->wiphy.max_ap_assoc_sta &&
2794 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2795 				rdev->wiphy.max_ap_assoc_sta))
2796 			goto nla_put_failure;
2797 
2798 		state->split_start++;
2799 		break;
2800 	case 11:
2801 		if (rdev->wiphy.n_vendor_commands) {
2802 			const struct nl80211_vendor_cmd_info *info;
2803 			struct nlattr *nested;
2804 
2805 			nested = nla_nest_start_noflag(msg,
2806 						       NL80211_ATTR_VENDOR_DATA);
2807 			if (!nested)
2808 				goto nla_put_failure;
2809 
2810 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2811 				info = &rdev->wiphy.vendor_commands[i].info;
2812 				if (nla_put(msg, i + 1, sizeof(*info), info))
2813 					goto nla_put_failure;
2814 			}
2815 			nla_nest_end(msg, nested);
2816 		}
2817 
2818 		if (rdev->wiphy.n_vendor_events) {
2819 			const struct nl80211_vendor_cmd_info *info;
2820 			struct nlattr *nested;
2821 
2822 			nested = nla_nest_start_noflag(msg,
2823 						       NL80211_ATTR_VENDOR_EVENTS);
2824 			if (!nested)
2825 				goto nla_put_failure;
2826 
2827 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2828 				info = &rdev->wiphy.vendor_events[i];
2829 				if (nla_put(msg, i + 1, sizeof(*info), info))
2830 					goto nla_put_failure;
2831 			}
2832 			nla_nest_end(msg, nested);
2833 		}
2834 		state->split_start++;
2835 		break;
2836 	case 12:
2837 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2838 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2839 			       rdev->wiphy.max_num_csa_counters))
2840 			goto nla_put_failure;
2841 
2842 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2843 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2844 			goto nla_put_failure;
2845 
2846 		if (rdev->wiphy.max_sched_scan_reqs &&
2847 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2848 				rdev->wiphy.max_sched_scan_reqs))
2849 			goto nla_put_failure;
2850 
2851 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2852 			    sizeof(rdev->wiphy.ext_features),
2853 			    rdev->wiphy.ext_features))
2854 			goto nla_put_failure;
2855 
2856 		if (rdev->wiphy.bss_select_support) {
2857 			struct nlattr *nested;
2858 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2859 
2860 			nested = nla_nest_start_noflag(msg,
2861 						       NL80211_ATTR_BSS_SELECT);
2862 			if (!nested)
2863 				goto nla_put_failure;
2864 
2865 			i = 0;
2866 			while (bss_select_support) {
2867 				if ((bss_select_support & 1) &&
2868 				    nla_put_flag(msg, i))
2869 					goto nla_put_failure;
2870 				i++;
2871 				bss_select_support >>= 1;
2872 			}
2873 			nla_nest_end(msg, nested);
2874 		}
2875 
2876 		state->split_start++;
2877 		break;
2878 	case 13:
2879 		if (rdev->wiphy.num_iftype_ext_capab &&
2880 		    rdev->wiphy.iftype_ext_capab) {
2881 			struct nlattr *nested_ext_capab, *nested;
2882 
2883 			nested = nla_nest_start_noflag(msg,
2884 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2885 			if (!nested)
2886 				goto nla_put_failure;
2887 
2888 			for (i = state->capa_start;
2889 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2890 				const struct wiphy_iftype_ext_capab *capab;
2891 
2892 				capab = &rdev->wiphy.iftype_ext_capab[i];
2893 
2894 				nested_ext_capab = nla_nest_start_noflag(msg,
2895 									 i);
2896 				if (!nested_ext_capab ||
2897 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2898 						capab->iftype) ||
2899 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2900 					    capab->extended_capabilities_len,
2901 					    capab->extended_capabilities) ||
2902 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2903 					    capab->extended_capabilities_len,
2904 					    capab->extended_capabilities_mask))
2905 					goto nla_put_failure;
2906 
2907 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2908 				    (nla_put_u16(msg,
2909 						 NL80211_ATTR_EML_CAPABILITY,
2910 						 capab->eml_capabilities) ||
2911 				     nla_put_u16(msg,
2912 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2913 						 capab->mld_capa_and_ops)))
2914 					goto nla_put_failure;
2915 
2916 				nla_nest_end(msg, nested_ext_capab);
2917 				if (state->split)
2918 					break;
2919 			}
2920 			nla_nest_end(msg, nested);
2921 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2922 				state->capa_start = i + 1;
2923 				break;
2924 			}
2925 		}
2926 
2927 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2928 				rdev->wiphy.nan_supported_bands))
2929 			goto nla_put_failure;
2930 
2931 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2932 					    NL80211_EXT_FEATURE_TXQS)) {
2933 			struct cfg80211_txq_stats txqstats = {};
2934 			int res;
2935 
2936 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2937 			if (!res &&
2938 			    !nl80211_put_txq_stats(msg, &txqstats,
2939 						   NL80211_ATTR_TXQ_STATS))
2940 				goto nla_put_failure;
2941 
2942 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2943 					rdev->wiphy.txq_limit))
2944 				goto nla_put_failure;
2945 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2946 					rdev->wiphy.txq_memory_limit))
2947 				goto nla_put_failure;
2948 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2949 					rdev->wiphy.txq_quantum))
2950 				goto nla_put_failure;
2951 		}
2952 
2953 		state->split_start++;
2954 		break;
2955 	case 14:
2956 		if (nl80211_send_pmsr_capa(rdev, msg))
2957 			goto nla_put_failure;
2958 
2959 		state->split_start++;
2960 		break;
2961 	case 15:
2962 		if (rdev->wiphy.akm_suites &&
2963 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2964 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2965 			    rdev->wiphy.akm_suites))
2966 			goto nla_put_failure;
2967 
2968 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2969 			goto nla_put_failure;
2970 
2971 		if (nl80211_put_tid_config_support(rdev, msg))
2972 			goto nla_put_failure;
2973 		state->split_start++;
2974 		break;
2975 	case 16:
2976 		if (nl80211_put_sar_specs(rdev, msg))
2977 			goto nla_put_failure;
2978 
2979 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2980 			goto nla_put_failure;
2981 
2982 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2983 				rdev->wiphy.max_num_akm_suites))
2984 			goto nla_put_failure;
2985 
2986 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2987 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2988 
2989 		if (rdev->wiphy.hw_timestamp_max_peers &&
2990 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
2991 				rdev->wiphy.hw_timestamp_max_peers))
2992 			goto nla_put_failure;
2993 
2994 		/* done */
2995 		state->split_start = 0;
2996 		break;
2997 	}
2998  finish:
2999 	genlmsg_end(msg, hdr);
3000 	return 0;
3001 
3002  nla_put_failure:
3003 	genlmsg_cancel(msg, hdr);
3004 	return -EMSGSIZE;
3005 }
3006 
3007 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3008 				    struct netlink_callback *cb,
3009 				    struct nl80211_dump_wiphy_state *state)
3010 {
3011 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3012 	int ret;
3013 
3014 	if (!tb)
3015 		return -ENOMEM;
3016 
3017 	ret = nlmsg_parse_deprecated(cb->nlh,
3018 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3019 				     tb, nl80211_fam.maxattr,
3020 				     nl80211_policy, NULL);
3021 	/* ignore parse errors for backward compatibility */
3022 	if (ret) {
3023 		ret = 0;
3024 		goto out;
3025 	}
3026 
3027 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3028 	if (tb[NL80211_ATTR_WIPHY])
3029 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3030 	if (tb[NL80211_ATTR_WDEV])
3031 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3032 	if (tb[NL80211_ATTR_IFINDEX]) {
3033 		struct net_device *netdev;
3034 		struct cfg80211_registered_device *rdev;
3035 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3036 
3037 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3038 		if (!netdev) {
3039 			ret = -ENODEV;
3040 			goto out;
3041 		}
3042 		if (netdev->ieee80211_ptr) {
3043 			rdev = wiphy_to_rdev(
3044 				netdev->ieee80211_ptr->wiphy);
3045 			state->filter_wiphy = rdev->wiphy_idx;
3046 		}
3047 	}
3048 
3049 	ret = 0;
3050 out:
3051 	kfree(tb);
3052 	return ret;
3053 }
3054 
3055 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3056 {
3057 	int idx = 0, ret;
3058 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3059 	struct cfg80211_registered_device *rdev;
3060 
3061 	rtnl_lock();
3062 	if (!state) {
3063 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3064 		if (!state) {
3065 			rtnl_unlock();
3066 			return -ENOMEM;
3067 		}
3068 		state->filter_wiphy = -1;
3069 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3070 		if (ret) {
3071 			kfree(state);
3072 			rtnl_unlock();
3073 			return ret;
3074 		}
3075 		cb->args[0] = (long)state;
3076 	}
3077 
3078 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3079 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3080 			continue;
3081 		if (++idx <= state->start)
3082 			continue;
3083 		if (state->filter_wiphy != -1 &&
3084 		    state->filter_wiphy != rdev->wiphy_idx)
3085 			continue;
3086 		wiphy_lock(&rdev->wiphy);
3087 		/* attempt to fit multiple wiphy data chunks into the skb */
3088 		do {
3089 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3090 						 skb,
3091 						 NETLINK_CB(cb->skb).portid,
3092 						 cb->nlh->nlmsg_seq,
3093 						 NLM_F_MULTI, state);
3094 			if (ret < 0) {
3095 				/*
3096 				 * If sending the wiphy data didn't fit (ENOBUFS
3097 				 * or EMSGSIZE returned), this SKB is still
3098 				 * empty (so it's not too big because another
3099 				 * wiphy dataset is already in the skb) and
3100 				 * we've not tried to adjust the dump allocation
3101 				 * yet ... then adjust the alloc size to be
3102 				 * bigger, and return 1 but with the empty skb.
3103 				 * This results in an empty message being RX'ed
3104 				 * in userspace, but that is ignored.
3105 				 *
3106 				 * We can then retry with the larger buffer.
3107 				 */
3108 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3109 				    !skb->len && !state->split &&
3110 				    cb->min_dump_alloc < 4096) {
3111 					cb->min_dump_alloc = 4096;
3112 					state->split_start = 0;
3113 					wiphy_unlock(&rdev->wiphy);
3114 					rtnl_unlock();
3115 					return 1;
3116 				}
3117 				idx--;
3118 				break;
3119 			}
3120 		} while (state->split_start > 0);
3121 		wiphy_unlock(&rdev->wiphy);
3122 		break;
3123 	}
3124 	rtnl_unlock();
3125 
3126 	state->start = idx;
3127 
3128 	return skb->len;
3129 }
3130 
3131 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3132 {
3133 	kfree((void *)cb->args[0]);
3134 	return 0;
3135 }
3136 
3137 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3138 {
3139 	struct sk_buff *msg;
3140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3141 	struct nl80211_dump_wiphy_state state = {};
3142 
3143 	msg = nlmsg_new(4096, GFP_KERNEL);
3144 	if (!msg)
3145 		return -ENOMEM;
3146 
3147 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3148 			       info->snd_portid, info->snd_seq, 0,
3149 			       &state) < 0) {
3150 		nlmsg_free(msg);
3151 		return -ENOBUFS;
3152 	}
3153 
3154 	return genlmsg_reply(msg, info);
3155 }
3156 
3157 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3158 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3159 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3160 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3161 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3162 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3163 };
3164 
3165 static int parse_txq_params(struct nlattr *tb[],
3166 			    struct ieee80211_txq_params *txq_params)
3167 {
3168 	u8 ac;
3169 
3170 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3171 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3172 	    !tb[NL80211_TXQ_ATTR_AIFS])
3173 		return -EINVAL;
3174 
3175 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3176 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3177 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3178 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3179 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3180 
3181 	if (ac >= NL80211_NUM_ACS)
3182 		return -EINVAL;
3183 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3184 	return 0;
3185 }
3186 
3187 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3188 {
3189 	/*
3190 	 * You can only set the channel explicitly for some interfaces,
3191 	 * most have their channel managed via their respective
3192 	 * "establish a connection" command (connect, join, ...)
3193 	 *
3194 	 * For AP/GO and mesh mode, the channel can be set with the
3195 	 * channel userspace API, but is only stored and passed to the
3196 	 * low-level driver when the AP starts or the mesh is joined.
3197 	 * This is for backward compatibility, userspace can also give
3198 	 * the channel in the start-ap or join-mesh commands instead.
3199 	 *
3200 	 * Monitors are special as they are normally slaved to
3201 	 * whatever else is going on, so they have their own special
3202 	 * operation to set the monitor channel if possible.
3203 	 */
3204 	return !wdev ||
3205 		wdev->iftype == NL80211_IFTYPE_AP ||
3206 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3207 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3208 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3209 }
3210 
3211 static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
3212 				      struct genl_info *info,
3213 				      const struct cfg80211_chan_def *chandef,
3214 				      u16 *punct_bitmap)
3215 {
3216 	if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
3217 		return -EINVAL;
3218 
3219 	*punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3220 	if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
3221 		return -EINVAL;
3222 
3223 	return 0;
3224 }
3225 
3226 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3227 			  struct genl_info *info,
3228 			  struct cfg80211_chan_def *chandef)
3229 {
3230 	struct netlink_ext_ack *extack = info->extack;
3231 	struct nlattr **attrs = info->attrs;
3232 	u32 control_freq;
3233 
3234 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3235 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3236 				    "Frequency is missing");
3237 		return -EINVAL;
3238 	}
3239 
3240 	control_freq = MHZ_TO_KHZ(
3241 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3242 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3243 		control_freq +=
3244 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3245 
3246 	memset(chandef, 0, sizeof(*chandef));
3247 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3248 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3249 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3250 	chandef->freq1_offset = control_freq % 1000;
3251 	chandef->center_freq2 = 0;
3252 
3253 	/* Primary channel not allowed */
3254 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3255 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3256 				    "Channel is disabled");
3257 		return -EINVAL;
3258 	}
3259 
3260 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3261 		enum nl80211_channel_type chantype;
3262 
3263 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3264 
3265 		switch (chantype) {
3266 		case NL80211_CHAN_NO_HT:
3267 		case NL80211_CHAN_HT20:
3268 		case NL80211_CHAN_HT40PLUS:
3269 		case NL80211_CHAN_HT40MINUS:
3270 			cfg80211_chandef_create(chandef, chandef->chan,
3271 						chantype);
3272 			/* user input for center_freq is incorrect */
3273 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3274 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3275 				NL_SET_ERR_MSG_ATTR(extack,
3276 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3277 						    "bad center frequency 1");
3278 				return -EINVAL;
3279 			}
3280 			/* center_freq2 must be zero */
3281 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3282 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3283 				NL_SET_ERR_MSG_ATTR(extack,
3284 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3285 						    "center frequency 2 can't be used");
3286 				return -EINVAL;
3287 			}
3288 			break;
3289 		default:
3290 			NL_SET_ERR_MSG_ATTR(extack,
3291 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3292 					    "invalid channel type");
3293 			return -EINVAL;
3294 		}
3295 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3296 		chandef->width =
3297 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3298 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3299 			/* User input error for channel width doesn't match channel  */
3300 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3301 				NL_SET_ERR_MSG_ATTR(extack,
3302 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3303 						    "bad channel width");
3304 				return -EINVAL;
3305 			}
3306 		}
3307 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3308 			chandef->center_freq1 =
3309 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3310 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3311 				chandef->freq1_offset = nla_get_u32(
3312 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3313 			else
3314 				chandef->freq1_offset = 0;
3315 		}
3316 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3317 			chandef->center_freq2 =
3318 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3319 	}
3320 
3321 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3322 		chandef->edmg.channels =
3323 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3324 
3325 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3326 			chandef->edmg.bw_config =
3327 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3328 	} else {
3329 		chandef->edmg.bw_config = 0;
3330 		chandef->edmg.channels = 0;
3331 	}
3332 
3333 	if (!cfg80211_chandef_valid(chandef)) {
3334 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3335 		return -EINVAL;
3336 	}
3337 
3338 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3339 				     IEEE80211_CHAN_DISABLED)) {
3340 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3341 		return -EINVAL;
3342 	}
3343 
3344 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3345 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3346 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3347 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3348 		return -EINVAL;
3349 	}
3350 
3351 	return 0;
3352 }
3353 
3354 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3355 				 struct net_device *dev,
3356 				 struct genl_info *info,
3357 				 int _link_id)
3358 {
3359 	struct cfg80211_chan_def chandef;
3360 	int result;
3361 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3362 	struct wireless_dev *wdev = NULL;
3363 	int link_id = _link_id;
3364 
3365 	if (dev)
3366 		wdev = dev->ieee80211_ptr;
3367 	if (!nl80211_can_set_dev_channel(wdev))
3368 		return -EOPNOTSUPP;
3369 	if (wdev)
3370 		iftype = wdev->iftype;
3371 
3372 	if (link_id < 0) {
3373 		if (wdev && wdev->valid_links)
3374 			return -EINVAL;
3375 		link_id = 0;
3376 	}
3377 
3378 	result = nl80211_parse_chandef(rdev, info, &chandef);
3379 	if (result)
3380 		return result;
3381 
3382 	switch (iftype) {
3383 	case NL80211_IFTYPE_AP:
3384 	case NL80211_IFTYPE_P2P_GO:
3385 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3386 						   iftype))
3387 			return -EINVAL;
3388 		if (wdev->links[link_id].ap.beacon_interval) {
3389 			struct ieee80211_channel *cur_chan;
3390 
3391 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3392 			    !(rdev->wiphy.features &
3393 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3394 				return -EBUSY;
3395 
3396 			/* Only allow dynamic channel width changes */
3397 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3398 			if (chandef.chan != cur_chan)
3399 				return -EBUSY;
3400 
3401 			/* only allow this for regular channel widths */
3402 			switch (wdev->links[link_id].ap.chandef.width) {
3403 			case NL80211_CHAN_WIDTH_20_NOHT:
3404 			case NL80211_CHAN_WIDTH_20:
3405 			case NL80211_CHAN_WIDTH_40:
3406 			case NL80211_CHAN_WIDTH_80:
3407 			case NL80211_CHAN_WIDTH_80P80:
3408 			case NL80211_CHAN_WIDTH_160:
3409 			case NL80211_CHAN_WIDTH_320:
3410 				break;
3411 			default:
3412 				return -EINVAL;
3413 			}
3414 
3415 			switch (chandef.width) {
3416 			case NL80211_CHAN_WIDTH_20_NOHT:
3417 			case NL80211_CHAN_WIDTH_20:
3418 			case NL80211_CHAN_WIDTH_40:
3419 			case NL80211_CHAN_WIDTH_80:
3420 			case NL80211_CHAN_WIDTH_80P80:
3421 			case NL80211_CHAN_WIDTH_160:
3422 			case NL80211_CHAN_WIDTH_320:
3423 				break;
3424 			default:
3425 				return -EINVAL;
3426 			}
3427 
3428 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3429 						       &chandef);
3430 			if (result)
3431 				return result;
3432 			wdev->links[link_id].ap.chandef = chandef;
3433 		} else {
3434 			wdev->u.ap.preset_chandef = chandef;
3435 		}
3436 		return 0;
3437 	case NL80211_IFTYPE_MESH_POINT:
3438 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3439 	case NL80211_IFTYPE_MONITOR:
3440 		return cfg80211_set_monitor_channel(rdev, &chandef);
3441 	default:
3442 		break;
3443 	}
3444 
3445 	return -EINVAL;
3446 }
3447 
3448 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3449 {
3450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3451 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3452 	struct net_device *netdev = info->user_ptr[1];
3453 	int ret;
3454 
3455 	wdev_lock(netdev->ieee80211_ptr);
3456 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3457 	wdev_unlock(netdev->ieee80211_ptr);
3458 
3459 	return ret;
3460 }
3461 
3462 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3463 {
3464 	struct cfg80211_registered_device *rdev = NULL;
3465 	struct net_device *netdev = NULL;
3466 	struct wireless_dev *wdev;
3467 	int result = 0, rem_txq_params = 0;
3468 	struct nlattr *nl_txq_params;
3469 	u32 changed;
3470 	u8 retry_short = 0, retry_long = 0;
3471 	u32 frag_threshold = 0, rts_threshold = 0;
3472 	u8 coverage_class = 0;
3473 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3474 
3475 	rtnl_lock();
3476 	/*
3477 	 * Try to find the wiphy and netdev. Normally this
3478 	 * function shouldn't need the netdev, but this is
3479 	 * done for backward compatibility -- previously
3480 	 * setting the channel was done per wiphy, but now
3481 	 * it is per netdev. Previous userland like hostapd
3482 	 * also passed a netdev to set_wiphy, so that it is
3483 	 * possible to let that go to the right netdev!
3484 	 */
3485 
3486 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3487 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3488 
3489 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3490 		if (netdev && netdev->ieee80211_ptr)
3491 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3492 		else
3493 			netdev = NULL;
3494 	}
3495 
3496 	if (!netdev) {
3497 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3498 						  info->attrs);
3499 		if (IS_ERR(rdev)) {
3500 			rtnl_unlock();
3501 			return PTR_ERR(rdev);
3502 		}
3503 		wdev = NULL;
3504 		netdev = NULL;
3505 		result = 0;
3506 	} else
3507 		wdev = netdev->ieee80211_ptr;
3508 
3509 	wiphy_lock(&rdev->wiphy);
3510 
3511 	/*
3512 	 * end workaround code, by now the rdev is available
3513 	 * and locked, and wdev may or may not be NULL.
3514 	 */
3515 
3516 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3517 		result = cfg80211_dev_rename(
3518 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3519 	rtnl_unlock();
3520 
3521 	if (result)
3522 		goto out;
3523 
3524 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3525 		struct ieee80211_txq_params txq_params;
3526 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3527 
3528 		if (!rdev->ops->set_txq_params) {
3529 			result = -EOPNOTSUPP;
3530 			goto out;
3531 		}
3532 
3533 		if (!netdev) {
3534 			result = -EINVAL;
3535 			goto out;
3536 		}
3537 
3538 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3539 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3540 			result = -EINVAL;
3541 			goto out;
3542 		}
3543 
3544 		if (!netif_running(netdev)) {
3545 			result = -ENETDOWN;
3546 			goto out;
3547 		}
3548 
3549 		nla_for_each_nested(nl_txq_params,
3550 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3551 				    rem_txq_params) {
3552 			result = nla_parse_nested_deprecated(tb,
3553 							     NL80211_TXQ_ATTR_MAX,
3554 							     nl_txq_params,
3555 							     txq_params_policy,
3556 							     info->extack);
3557 			if (result)
3558 				goto out;
3559 			result = parse_txq_params(tb, &txq_params);
3560 			if (result)
3561 				goto out;
3562 
3563 			txq_params.link_id =
3564 				nl80211_link_id_or_invalid(info->attrs);
3565 
3566 			wdev_lock(netdev->ieee80211_ptr);
3567 			if (txq_params.link_id >= 0 &&
3568 			    !(netdev->ieee80211_ptr->valid_links &
3569 			      BIT(txq_params.link_id)))
3570 				result = -ENOLINK;
3571 			else if (txq_params.link_id >= 0 &&
3572 				 !netdev->ieee80211_ptr->valid_links)
3573 				result = -EINVAL;
3574 			else
3575 				result = rdev_set_txq_params(rdev, netdev,
3576 							     &txq_params);
3577 			wdev_unlock(netdev->ieee80211_ptr);
3578 			if (result)
3579 				goto out;
3580 		}
3581 	}
3582 
3583 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3584 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3585 
3586 		if (wdev) {
3587 			wdev_lock(wdev);
3588 			result = __nl80211_set_channel(
3589 				rdev,
3590 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3591 				info, link_id);
3592 			wdev_unlock(wdev);
3593 		} else {
3594 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3595 		}
3596 
3597 		if (result)
3598 			goto out;
3599 	}
3600 
3601 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3602 		struct wireless_dev *txp_wdev = wdev;
3603 		enum nl80211_tx_power_setting type;
3604 		int idx, mbm = 0;
3605 
3606 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3607 			txp_wdev = NULL;
3608 
3609 		if (!rdev->ops->set_tx_power) {
3610 			result = -EOPNOTSUPP;
3611 			goto out;
3612 		}
3613 
3614 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3615 		type = nla_get_u32(info->attrs[idx]);
3616 
3617 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3618 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3619 			result = -EINVAL;
3620 			goto out;
3621 		}
3622 
3623 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3624 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3625 			mbm = nla_get_u32(info->attrs[idx]);
3626 		}
3627 
3628 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3629 		if (result)
3630 			goto out;
3631 	}
3632 
3633 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3634 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3635 		u32 tx_ant, rx_ant;
3636 
3637 		if ((!rdev->wiphy.available_antennas_tx &&
3638 		     !rdev->wiphy.available_antennas_rx) ||
3639 		    !rdev->ops->set_antenna) {
3640 			result = -EOPNOTSUPP;
3641 			goto out;
3642 		}
3643 
3644 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3645 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3646 
3647 		/* reject antenna configurations which don't match the
3648 		 * available antenna masks, except for the "all" mask */
3649 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3650 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3651 			result = -EINVAL;
3652 			goto out;
3653 		}
3654 
3655 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3656 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3657 
3658 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3659 		if (result)
3660 			goto out;
3661 	}
3662 
3663 	changed = 0;
3664 
3665 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3666 		retry_short = nla_get_u8(
3667 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3668 
3669 		changed |= WIPHY_PARAM_RETRY_SHORT;
3670 	}
3671 
3672 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3673 		retry_long = nla_get_u8(
3674 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3675 
3676 		changed |= WIPHY_PARAM_RETRY_LONG;
3677 	}
3678 
3679 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3680 		frag_threshold = nla_get_u32(
3681 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3682 		if (frag_threshold < 256) {
3683 			result = -EINVAL;
3684 			goto out;
3685 		}
3686 
3687 		if (frag_threshold != (u32) -1) {
3688 			/*
3689 			 * Fragments (apart from the last one) are required to
3690 			 * have even length. Make the fragmentation code
3691 			 * simpler by stripping LSB should someone try to use
3692 			 * odd threshold value.
3693 			 */
3694 			frag_threshold &= ~0x1;
3695 		}
3696 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3697 	}
3698 
3699 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3700 		rts_threshold = nla_get_u32(
3701 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3702 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3703 	}
3704 
3705 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3706 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3707 			result = -EINVAL;
3708 			goto out;
3709 		}
3710 
3711 		coverage_class = nla_get_u8(
3712 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3713 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3714 	}
3715 
3716 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3717 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3718 			result = -EOPNOTSUPP;
3719 			goto out;
3720 		}
3721 
3722 		changed |= WIPHY_PARAM_DYN_ACK;
3723 	}
3724 
3725 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3726 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3727 					     NL80211_EXT_FEATURE_TXQS)) {
3728 			result = -EOPNOTSUPP;
3729 			goto out;
3730 		}
3731 		txq_limit = nla_get_u32(
3732 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3733 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3734 	}
3735 
3736 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3737 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3738 					     NL80211_EXT_FEATURE_TXQS)) {
3739 			result = -EOPNOTSUPP;
3740 			goto out;
3741 		}
3742 		txq_memory_limit = nla_get_u32(
3743 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3744 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3745 	}
3746 
3747 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3748 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3749 					     NL80211_EXT_FEATURE_TXQS)) {
3750 			result = -EOPNOTSUPP;
3751 			goto out;
3752 		}
3753 		txq_quantum = nla_get_u32(
3754 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3755 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3756 	}
3757 
3758 	if (changed) {
3759 		u8 old_retry_short, old_retry_long;
3760 		u32 old_frag_threshold, old_rts_threshold;
3761 		u8 old_coverage_class;
3762 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3763 
3764 		if (!rdev->ops->set_wiphy_params) {
3765 			result = -EOPNOTSUPP;
3766 			goto out;
3767 		}
3768 
3769 		old_retry_short = rdev->wiphy.retry_short;
3770 		old_retry_long = rdev->wiphy.retry_long;
3771 		old_frag_threshold = rdev->wiphy.frag_threshold;
3772 		old_rts_threshold = rdev->wiphy.rts_threshold;
3773 		old_coverage_class = rdev->wiphy.coverage_class;
3774 		old_txq_limit = rdev->wiphy.txq_limit;
3775 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3776 		old_txq_quantum = rdev->wiphy.txq_quantum;
3777 
3778 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3779 			rdev->wiphy.retry_short = retry_short;
3780 		if (changed & WIPHY_PARAM_RETRY_LONG)
3781 			rdev->wiphy.retry_long = retry_long;
3782 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3783 			rdev->wiphy.frag_threshold = frag_threshold;
3784 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3785 			rdev->wiphy.rts_threshold = rts_threshold;
3786 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3787 			rdev->wiphy.coverage_class = coverage_class;
3788 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3789 			rdev->wiphy.txq_limit = txq_limit;
3790 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3791 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3792 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3793 			rdev->wiphy.txq_quantum = txq_quantum;
3794 
3795 		result = rdev_set_wiphy_params(rdev, changed);
3796 		if (result) {
3797 			rdev->wiphy.retry_short = old_retry_short;
3798 			rdev->wiphy.retry_long = old_retry_long;
3799 			rdev->wiphy.frag_threshold = old_frag_threshold;
3800 			rdev->wiphy.rts_threshold = old_rts_threshold;
3801 			rdev->wiphy.coverage_class = old_coverage_class;
3802 			rdev->wiphy.txq_limit = old_txq_limit;
3803 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3804 			rdev->wiphy.txq_quantum = old_txq_quantum;
3805 			goto out;
3806 		}
3807 	}
3808 
3809 	result = 0;
3810 
3811 out:
3812 	wiphy_unlock(&rdev->wiphy);
3813 	return result;
3814 }
3815 
3816 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3817 {
3818 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3819 		return -EINVAL;
3820 
3821 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3822 			chandef->chan->center_freq))
3823 		return -ENOBUFS;
3824 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3825 			chandef->chan->freq_offset))
3826 		return -ENOBUFS;
3827 	switch (chandef->width) {
3828 	case NL80211_CHAN_WIDTH_20_NOHT:
3829 	case NL80211_CHAN_WIDTH_20:
3830 	case NL80211_CHAN_WIDTH_40:
3831 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3832 				cfg80211_get_chandef_type(chandef)))
3833 			return -ENOBUFS;
3834 		break;
3835 	default:
3836 		break;
3837 	}
3838 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3839 		return -ENOBUFS;
3840 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3841 		return -ENOBUFS;
3842 	if (chandef->center_freq2 &&
3843 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3844 		return -ENOBUFS;
3845 	return 0;
3846 }
3847 EXPORT_SYMBOL(nl80211_send_chandef);
3848 
3849 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3850 			      struct cfg80211_registered_device *rdev,
3851 			      struct wireless_dev *wdev,
3852 			      enum nl80211_commands cmd)
3853 {
3854 	struct net_device *dev = wdev->netdev;
3855 	void *hdr;
3856 
3857 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3858 		cmd != NL80211_CMD_DEL_INTERFACE &&
3859 		cmd != NL80211_CMD_SET_INTERFACE);
3860 
3861 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3862 	if (!hdr)
3863 		return -1;
3864 
3865 	if (dev &&
3866 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3867 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3868 		goto nla_put_failure;
3869 
3870 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3871 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3872 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3873 			      NL80211_ATTR_PAD) ||
3874 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3875 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3876 			rdev->devlist_generation ^
3877 			(cfg80211_rdev_list_generation << 2)) ||
3878 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3879 		goto nla_put_failure;
3880 
3881 	if (rdev->ops->get_channel && !wdev->valid_links) {
3882 		struct cfg80211_chan_def chandef = {};
3883 		int ret;
3884 
3885 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3886 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3887 			goto nla_put_failure;
3888 	}
3889 
3890 	if (rdev->ops->get_tx_power) {
3891 		int dbm, ret;
3892 
3893 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3894 		if (ret == 0 &&
3895 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3896 				DBM_TO_MBM(dbm)))
3897 			goto nla_put_failure;
3898 	}
3899 
3900 	wdev_lock(wdev);
3901 	switch (wdev->iftype) {
3902 	case NL80211_IFTYPE_AP:
3903 	case NL80211_IFTYPE_P2P_GO:
3904 		if (wdev->u.ap.ssid_len &&
3905 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3906 			    wdev->u.ap.ssid))
3907 			goto nla_put_failure_locked;
3908 		break;
3909 	case NL80211_IFTYPE_STATION:
3910 	case NL80211_IFTYPE_P2P_CLIENT:
3911 		if (wdev->u.client.ssid_len &&
3912 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3913 			    wdev->u.client.ssid))
3914 			goto nla_put_failure_locked;
3915 		break;
3916 	case NL80211_IFTYPE_ADHOC:
3917 		if (wdev->u.ibss.ssid_len &&
3918 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3919 			    wdev->u.ibss.ssid))
3920 			goto nla_put_failure_locked;
3921 		break;
3922 	default:
3923 		/* nothing */
3924 		break;
3925 	}
3926 	wdev_unlock(wdev);
3927 
3928 	if (rdev->ops->get_txq_stats) {
3929 		struct cfg80211_txq_stats txqstats = {};
3930 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3931 
3932 		if (ret == 0 &&
3933 		    !nl80211_put_txq_stats(msg, &txqstats,
3934 					   NL80211_ATTR_TXQ_STATS))
3935 			goto nla_put_failure;
3936 	}
3937 
3938 	if (wdev->valid_links) {
3939 		unsigned int link_id;
3940 		struct nlattr *links = nla_nest_start(msg,
3941 						      NL80211_ATTR_MLO_LINKS);
3942 
3943 		if (!links)
3944 			goto nla_put_failure;
3945 
3946 		for_each_valid_link(wdev, link_id) {
3947 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3948 			struct cfg80211_chan_def chandef = {};
3949 			int ret;
3950 
3951 			if (!link)
3952 				goto nla_put_failure;
3953 
3954 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3955 				goto nla_put_failure;
3956 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3957 				    wdev->links[link_id].addr))
3958 				goto nla_put_failure;
3959 
3960 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3961 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3962 				goto nla_put_failure;
3963 
3964 			nla_nest_end(msg, link);
3965 		}
3966 
3967 		nla_nest_end(msg, links);
3968 	}
3969 
3970 	genlmsg_end(msg, hdr);
3971 	return 0;
3972 
3973  nla_put_failure_locked:
3974 	wdev_unlock(wdev);
3975  nla_put_failure:
3976 	genlmsg_cancel(msg, hdr);
3977 	return -EMSGSIZE;
3978 }
3979 
3980 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3981 {
3982 	int wp_idx = 0;
3983 	int if_idx = 0;
3984 	int wp_start = cb->args[0];
3985 	int if_start = cb->args[1];
3986 	int filter_wiphy = -1;
3987 	struct cfg80211_registered_device *rdev;
3988 	struct wireless_dev *wdev;
3989 	int ret;
3990 
3991 	rtnl_lock();
3992 	if (!cb->args[2]) {
3993 		struct nl80211_dump_wiphy_state state = {
3994 			.filter_wiphy = -1,
3995 		};
3996 
3997 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3998 		if (ret)
3999 			goto out_unlock;
4000 
4001 		filter_wiphy = state.filter_wiphy;
4002 
4003 		/*
4004 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4005 		 * value needed to determine that parsing is necessary.
4006 		 */
4007 		if (filter_wiphy >= 0)
4008 			cb->args[2] = filter_wiphy + 1;
4009 		else
4010 			cb->args[2] = -1;
4011 	} else if (cb->args[2] > 0) {
4012 		filter_wiphy = cb->args[2] - 1;
4013 	}
4014 
4015 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
4016 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4017 			continue;
4018 		if (wp_idx < wp_start) {
4019 			wp_idx++;
4020 			continue;
4021 		}
4022 
4023 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4024 			continue;
4025 
4026 		if_idx = 0;
4027 
4028 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4029 			if (if_idx < if_start) {
4030 				if_idx++;
4031 				continue;
4032 			}
4033 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4034 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4035 					       rdev, wdev,
4036 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4037 				goto out;
4038 			}
4039 			if_idx++;
4040 		}
4041 
4042 		if_start = 0;
4043 		wp_idx++;
4044 	}
4045  out:
4046 	cb->args[0] = wp_idx;
4047 	cb->args[1] = if_idx;
4048 
4049 	ret = skb->len;
4050  out_unlock:
4051 	rtnl_unlock();
4052 
4053 	return ret;
4054 }
4055 
4056 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4057 {
4058 	struct sk_buff *msg;
4059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4060 	struct wireless_dev *wdev = info->user_ptr[1];
4061 
4062 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4063 	if (!msg)
4064 		return -ENOMEM;
4065 
4066 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4067 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4068 		nlmsg_free(msg);
4069 		return -ENOBUFS;
4070 	}
4071 
4072 	return genlmsg_reply(msg, info);
4073 }
4074 
4075 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4076 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4077 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4078 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4079 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4080 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4081 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4082 };
4083 
4084 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4085 {
4086 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4087 	int flag;
4088 
4089 	*mntrflags = 0;
4090 
4091 	if (!nla)
4092 		return -EINVAL;
4093 
4094 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4095 		return -EINVAL;
4096 
4097 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4098 		if (flags[flag])
4099 			*mntrflags |= (1<<flag);
4100 
4101 	*mntrflags |= MONITOR_FLAG_CHANGED;
4102 
4103 	return 0;
4104 }
4105 
4106 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4107 				     enum nl80211_iftype type,
4108 				     struct genl_info *info,
4109 				     struct vif_params *params)
4110 {
4111 	bool change = false;
4112 	int err;
4113 
4114 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4115 		if (type != NL80211_IFTYPE_MONITOR)
4116 			return -EINVAL;
4117 
4118 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4119 					  &params->flags);
4120 		if (err)
4121 			return err;
4122 
4123 		change = true;
4124 	}
4125 
4126 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4127 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4128 		return -EOPNOTSUPP;
4129 
4130 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4131 		const u8 *mumimo_groups;
4132 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4133 
4134 		if (type != NL80211_IFTYPE_MONITOR)
4135 			return -EINVAL;
4136 
4137 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4138 			return -EOPNOTSUPP;
4139 
4140 		mumimo_groups =
4141 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4142 
4143 		/* bits 0 and 63 are reserved and must be zero */
4144 		if ((mumimo_groups[0] & BIT(0)) ||
4145 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4146 			return -EINVAL;
4147 
4148 		params->vht_mumimo_groups = mumimo_groups;
4149 		change = true;
4150 	}
4151 
4152 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4153 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4154 
4155 		if (type != NL80211_IFTYPE_MONITOR)
4156 			return -EINVAL;
4157 
4158 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4159 			return -EOPNOTSUPP;
4160 
4161 		params->vht_mumimo_follow_addr =
4162 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4163 		change = true;
4164 	}
4165 
4166 	return change ? 1 : 0;
4167 }
4168 
4169 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4170 			       struct net_device *netdev, u8 use_4addr,
4171 			       enum nl80211_iftype iftype)
4172 {
4173 	if (!use_4addr) {
4174 		if (netdev && netif_is_bridge_port(netdev))
4175 			return -EBUSY;
4176 		return 0;
4177 	}
4178 
4179 	switch (iftype) {
4180 	case NL80211_IFTYPE_AP_VLAN:
4181 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4182 			return 0;
4183 		break;
4184 	case NL80211_IFTYPE_STATION:
4185 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4186 			return 0;
4187 		break;
4188 	default:
4189 		break;
4190 	}
4191 
4192 	return -EOPNOTSUPP;
4193 }
4194 
4195 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4196 {
4197 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4198 	struct vif_params params;
4199 	int err;
4200 	enum nl80211_iftype otype, ntype;
4201 	struct net_device *dev = info->user_ptr[1];
4202 	bool change = false;
4203 
4204 	memset(&params, 0, sizeof(params));
4205 
4206 	otype = ntype = dev->ieee80211_ptr->iftype;
4207 
4208 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4209 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4210 		if (otype != ntype)
4211 			change = true;
4212 	}
4213 
4214 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4215 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4216 
4217 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4218 			return -EINVAL;
4219 		if (otype != NL80211_IFTYPE_MESH_POINT)
4220 			return -EINVAL;
4221 		if (netif_running(dev))
4222 			return -EBUSY;
4223 
4224 		wdev_lock(wdev);
4225 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4226 			     IEEE80211_MAX_MESH_ID_LEN);
4227 		wdev->u.mesh.id_up_len =
4228 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4229 		memcpy(wdev->u.mesh.id,
4230 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4231 		       wdev->u.mesh.id_up_len);
4232 		wdev_unlock(wdev);
4233 	}
4234 
4235 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4236 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4237 		change = true;
4238 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4239 		if (err)
4240 			return err;
4241 	} else {
4242 		params.use_4addr = -1;
4243 	}
4244 
4245 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4246 	if (err < 0)
4247 		return err;
4248 	if (err > 0)
4249 		change = true;
4250 
4251 	if (change)
4252 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4253 	else
4254 		err = 0;
4255 
4256 	if (!err && params.use_4addr != -1)
4257 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4258 
4259 	if (change && !err) {
4260 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4261 
4262 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4263 	}
4264 
4265 	return err;
4266 }
4267 
4268 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4269 {
4270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4271 	struct vif_params params;
4272 	struct wireless_dev *wdev;
4273 	struct sk_buff *msg;
4274 	int err;
4275 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4276 
4277 	memset(&params, 0, sizeof(params));
4278 
4279 	if (!info->attrs[NL80211_ATTR_IFNAME])
4280 		return -EINVAL;
4281 
4282 	if (info->attrs[NL80211_ATTR_IFTYPE])
4283 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4284 
4285 	if (!rdev->ops->add_virtual_intf)
4286 		return -EOPNOTSUPP;
4287 
4288 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4289 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4290 	    info->attrs[NL80211_ATTR_MAC]) {
4291 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4292 			   ETH_ALEN);
4293 		if (!is_valid_ether_addr(params.macaddr))
4294 			return -EADDRNOTAVAIL;
4295 	}
4296 
4297 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4298 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4299 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4300 		if (err)
4301 			return err;
4302 	}
4303 
4304 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4305 		return -EOPNOTSUPP;
4306 
4307 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4308 	if (err < 0)
4309 		return err;
4310 
4311 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4312 	if (!msg)
4313 		return -ENOMEM;
4314 
4315 	wdev = rdev_add_virtual_intf(rdev,
4316 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4317 				NET_NAME_USER, type, &params);
4318 	if (WARN_ON(!wdev)) {
4319 		nlmsg_free(msg);
4320 		return -EPROTO;
4321 	} else if (IS_ERR(wdev)) {
4322 		nlmsg_free(msg);
4323 		return PTR_ERR(wdev);
4324 	}
4325 
4326 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4327 		wdev->owner_nlportid = info->snd_portid;
4328 
4329 	switch (type) {
4330 	case NL80211_IFTYPE_MESH_POINT:
4331 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4332 			break;
4333 		wdev_lock(wdev);
4334 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4335 			     IEEE80211_MAX_MESH_ID_LEN);
4336 		wdev->u.mesh.id_up_len =
4337 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4338 		memcpy(wdev->u.mesh.id,
4339 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4340 		       wdev->u.mesh.id_up_len);
4341 		wdev_unlock(wdev);
4342 		break;
4343 	case NL80211_IFTYPE_NAN:
4344 	case NL80211_IFTYPE_P2P_DEVICE:
4345 		/*
4346 		 * P2P Device and NAN do not have a netdev, so don't go
4347 		 * through the netdev notifier and must be added here
4348 		 */
4349 		cfg80211_init_wdev(wdev);
4350 		cfg80211_register_wdev(rdev, wdev);
4351 		break;
4352 	default:
4353 		break;
4354 	}
4355 
4356 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4357 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4358 		nlmsg_free(msg);
4359 		return -ENOBUFS;
4360 	}
4361 
4362 	return genlmsg_reply(msg, info);
4363 }
4364 
4365 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4366 {
4367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4368 	int ret;
4369 
4370 	/* to avoid failing a new interface creation due to pending removal */
4371 	cfg80211_destroy_ifaces(rdev);
4372 
4373 	wiphy_lock(&rdev->wiphy);
4374 	ret = _nl80211_new_interface(skb, info);
4375 	wiphy_unlock(&rdev->wiphy);
4376 
4377 	return ret;
4378 }
4379 
4380 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4381 {
4382 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4383 	struct wireless_dev *wdev = info->user_ptr[1];
4384 
4385 	if (!rdev->ops->del_virtual_intf)
4386 		return -EOPNOTSUPP;
4387 
4388 	/*
4389 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4390 	 * reach 0, and thus the rdev cannot be deleted.
4391 	 *
4392 	 * We need to do it for the dev_close(), since that will call
4393 	 * the netdev notifiers, and we need to acquire the mutex there
4394 	 * but don't know if we get there from here or from some other
4395 	 * place (e.g. "ip link set ... down").
4396 	 */
4397 	mutex_unlock(&rdev->wiphy.mtx);
4398 
4399 	/*
4400 	 * If we remove a wireless device without a netdev then clear
4401 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4402 	 * to check if it needs to do dev_put(). Otherwise it crashes
4403 	 * since the wdev has been freed, unlike with a netdev where
4404 	 * we need the dev_put() for the netdev to really be freed.
4405 	 */
4406 	if (!wdev->netdev)
4407 		info->user_ptr[1] = NULL;
4408 	else
4409 		dev_close(wdev->netdev);
4410 
4411 	mutex_lock(&rdev->wiphy.mtx);
4412 
4413 	return cfg80211_remove_virtual_intf(rdev, wdev);
4414 }
4415 
4416 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4417 {
4418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4419 	struct net_device *dev = info->user_ptr[1];
4420 	u16 noack_map;
4421 
4422 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4423 		return -EINVAL;
4424 
4425 	if (!rdev->ops->set_noack_map)
4426 		return -EOPNOTSUPP;
4427 
4428 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4429 
4430 	return rdev_set_noack_map(rdev, dev, noack_map);
4431 }
4432 
4433 static int nl80211_validate_key_link_id(struct genl_info *info,
4434 					struct wireless_dev *wdev,
4435 					int link_id, bool pairwise)
4436 {
4437 	if (pairwise) {
4438 		if (link_id != -1) {
4439 			GENL_SET_ERR_MSG(info,
4440 					 "link ID not allowed for pairwise key");
4441 			return -EINVAL;
4442 		}
4443 
4444 		return 0;
4445 	}
4446 
4447 	if (wdev->valid_links) {
4448 		if (link_id == -1) {
4449 			GENL_SET_ERR_MSG(info,
4450 					 "link ID must for MLO group key");
4451 			return -EINVAL;
4452 		}
4453 		if (!(wdev->valid_links & BIT(link_id))) {
4454 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4455 			return -EINVAL;
4456 		}
4457 	} else if (link_id != -1) {
4458 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4459 		return -EINVAL;
4460 	}
4461 
4462 	return 0;
4463 }
4464 
4465 struct get_key_cookie {
4466 	struct sk_buff *msg;
4467 	int error;
4468 	int idx;
4469 };
4470 
4471 static void get_key_callback(void *c, struct key_params *params)
4472 {
4473 	struct nlattr *key;
4474 	struct get_key_cookie *cookie = c;
4475 
4476 	if ((params->seq &&
4477 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4478 		     params->seq_len, params->seq)) ||
4479 	    (params->cipher &&
4480 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4481 			 params->cipher)))
4482 		goto nla_put_failure;
4483 
4484 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4485 	if (!key)
4486 		goto nla_put_failure;
4487 
4488 	if ((params->seq &&
4489 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4490 		     params->seq_len, params->seq)) ||
4491 	    (params->cipher &&
4492 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4493 			 params->cipher)))
4494 		goto nla_put_failure;
4495 
4496 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4497 		goto nla_put_failure;
4498 
4499 	nla_nest_end(cookie->msg, key);
4500 
4501 	return;
4502  nla_put_failure:
4503 	cookie->error = 1;
4504 }
4505 
4506 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4507 {
4508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4509 	int err;
4510 	struct net_device *dev = info->user_ptr[1];
4511 	u8 key_idx = 0;
4512 	const u8 *mac_addr = NULL;
4513 	bool pairwise;
4514 	struct get_key_cookie cookie = {
4515 		.error = 0,
4516 	};
4517 	void *hdr;
4518 	struct sk_buff *msg;
4519 	bool bigtk_support = false;
4520 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4522 
4523 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4524 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4525 		bigtk_support = true;
4526 
4527 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4528 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4529 	    wiphy_ext_feature_isset(&rdev->wiphy,
4530 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4531 		bigtk_support = true;
4532 
4533 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4534 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4535 
4536 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4537 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4538 			return -EINVAL;
4539 		}
4540 	}
4541 
4542 	if (info->attrs[NL80211_ATTR_MAC])
4543 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4544 
4545 	pairwise = !!mac_addr;
4546 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4547 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4548 
4549 		if (kt != NL80211_KEYTYPE_GROUP &&
4550 		    kt != NL80211_KEYTYPE_PAIRWISE)
4551 			return -EINVAL;
4552 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4553 	}
4554 
4555 	if (!rdev->ops->get_key)
4556 		return -EOPNOTSUPP;
4557 
4558 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4559 		return -ENOENT;
4560 
4561 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4562 	if (!msg)
4563 		return -ENOMEM;
4564 
4565 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4566 			     NL80211_CMD_NEW_KEY);
4567 	if (!hdr)
4568 		goto nla_put_failure;
4569 
4570 	cookie.msg = msg;
4571 	cookie.idx = key_idx;
4572 
4573 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4574 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4575 		goto nla_put_failure;
4576 	if (mac_addr &&
4577 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4578 		goto nla_put_failure;
4579 
4580 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4581 	if (err)
4582 		goto free_msg;
4583 
4584 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4585 			   &cookie, get_key_callback);
4586 
4587 	if (err)
4588 		goto free_msg;
4589 
4590 	if (cookie.error)
4591 		goto nla_put_failure;
4592 
4593 	genlmsg_end(msg, hdr);
4594 	return genlmsg_reply(msg, info);
4595 
4596  nla_put_failure:
4597 	err = -ENOBUFS;
4598  free_msg:
4599 	nlmsg_free(msg);
4600 	return err;
4601 }
4602 
4603 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4604 {
4605 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4606 	struct key_parse key;
4607 	int err;
4608 	struct net_device *dev = info->user_ptr[1];
4609 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4610 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4611 
4612 	err = nl80211_parse_key(info, &key);
4613 	if (err)
4614 		return err;
4615 
4616 	if (key.idx < 0)
4617 		return -EINVAL;
4618 
4619 	/* Only support setting default key and
4620 	 * Extended Key ID action NL80211_KEY_SET_TX.
4621 	 */
4622 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4623 	    !(key.p.mode == NL80211_KEY_SET_TX))
4624 		return -EINVAL;
4625 
4626 	wdev_lock(wdev);
4627 
4628 	if (key.def) {
4629 		if (!rdev->ops->set_default_key) {
4630 			err = -EOPNOTSUPP;
4631 			goto out;
4632 		}
4633 
4634 		err = nl80211_key_allowed(wdev);
4635 		if (err)
4636 			goto out;
4637 
4638 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4639 		if (err)
4640 			goto out;
4641 
4642 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4643 					   key.def_uni, key.def_multi);
4644 
4645 		if (err)
4646 			goto out;
4647 
4648 #ifdef CONFIG_CFG80211_WEXT
4649 		wdev->wext.default_key = key.idx;
4650 #endif
4651 	} else if (key.defmgmt) {
4652 		if (key.def_uni || !key.def_multi) {
4653 			err = -EINVAL;
4654 			goto out;
4655 		}
4656 
4657 		if (!rdev->ops->set_default_mgmt_key) {
4658 			err = -EOPNOTSUPP;
4659 			goto out;
4660 		}
4661 
4662 		err = nl80211_key_allowed(wdev);
4663 		if (err)
4664 			goto out;
4665 
4666 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4667 		if (err)
4668 			goto out;
4669 
4670 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4671 		if (err)
4672 			goto out;
4673 
4674 #ifdef CONFIG_CFG80211_WEXT
4675 		wdev->wext.default_mgmt_key = key.idx;
4676 #endif
4677 	} else if (key.defbeacon) {
4678 		if (key.def_uni || !key.def_multi) {
4679 			err = -EINVAL;
4680 			goto out;
4681 		}
4682 
4683 		if (!rdev->ops->set_default_beacon_key) {
4684 			err = -EOPNOTSUPP;
4685 			goto out;
4686 		}
4687 
4688 		err = nl80211_key_allowed(wdev);
4689 		if (err)
4690 			goto out;
4691 
4692 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4693 		if (err)
4694 			goto out;
4695 
4696 		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4697 		if (err)
4698 			goto out;
4699 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4700 		   wiphy_ext_feature_isset(&rdev->wiphy,
4701 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4702 		u8 *mac_addr = NULL;
4703 
4704 		if (info->attrs[NL80211_ATTR_MAC])
4705 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4706 
4707 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4708 			err = -EINVAL;
4709 			goto out;
4710 		}
4711 
4712 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4713 		if (err)
4714 			goto out;
4715 
4716 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4717 				   NL80211_KEYTYPE_PAIRWISE,
4718 				   mac_addr, &key.p);
4719 	} else {
4720 		err = -EINVAL;
4721 	}
4722  out:
4723 	wdev_unlock(wdev);
4724 
4725 	return err;
4726 }
4727 
4728 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4729 {
4730 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4731 	int err;
4732 	struct net_device *dev = info->user_ptr[1];
4733 	struct key_parse key;
4734 	const u8 *mac_addr = NULL;
4735 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4736 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4737 
4738 	err = nl80211_parse_key(info, &key);
4739 	if (err)
4740 		return err;
4741 
4742 	if (!key.p.key) {
4743 		GENL_SET_ERR_MSG(info, "no key");
4744 		return -EINVAL;
4745 	}
4746 
4747 	if (info->attrs[NL80211_ATTR_MAC])
4748 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4749 
4750 	if (key.type == -1) {
4751 		if (mac_addr)
4752 			key.type = NL80211_KEYTYPE_PAIRWISE;
4753 		else
4754 			key.type = NL80211_KEYTYPE_GROUP;
4755 	}
4756 
4757 	/* for now */
4758 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4759 	    key.type != NL80211_KEYTYPE_GROUP) {
4760 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4761 		return -EINVAL;
4762 	}
4763 
4764 	if (key.type == NL80211_KEYTYPE_GROUP &&
4765 	    info->attrs[NL80211_ATTR_VLAN_ID])
4766 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4767 
4768 	if (!rdev->ops->add_key)
4769 		return -EOPNOTSUPP;
4770 
4771 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4772 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4773 					   mac_addr)) {
4774 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4775 		return -EINVAL;
4776 	}
4777 
4778 	wdev_lock(wdev);
4779 	err = nl80211_key_allowed(wdev);
4780 	if (err)
4781 		GENL_SET_ERR_MSG(info, "key not allowed");
4782 
4783 	if (!err)
4784 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4785 				key.type == NL80211_KEYTYPE_PAIRWISE);
4786 
4787 	if (!err) {
4788 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4789 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4790 				    mac_addr, &key.p);
4791 		if (err)
4792 			GENL_SET_ERR_MSG(info, "key addition failed");
4793 	}
4794 	wdev_unlock(wdev);
4795 
4796 	return err;
4797 }
4798 
4799 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4800 {
4801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4802 	int err;
4803 	struct net_device *dev = info->user_ptr[1];
4804 	u8 *mac_addr = NULL;
4805 	struct key_parse key;
4806 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4807 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4808 
4809 	err = nl80211_parse_key(info, &key);
4810 	if (err)
4811 		return err;
4812 
4813 	if (info->attrs[NL80211_ATTR_MAC])
4814 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4815 
4816 	if (key.type == -1) {
4817 		if (mac_addr)
4818 			key.type = NL80211_KEYTYPE_PAIRWISE;
4819 		else
4820 			key.type = NL80211_KEYTYPE_GROUP;
4821 	}
4822 
4823 	/* for now */
4824 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4825 	    key.type != NL80211_KEYTYPE_GROUP)
4826 		return -EINVAL;
4827 
4828 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4829 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4830 		return -EINVAL;
4831 
4832 	if (!rdev->ops->del_key)
4833 		return -EOPNOTSUPP;
4834 
4835 	wdev_lock(wdev);
4836 	err = nl80211_key_allowed(wdev);
4837 
4838 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4839 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4840 		err = -ENOENT;
4841 
4842 	if (!err)
4843 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4844 				key.type == NL80211_KEYTYPE_PAIRWISE);
4845 
4846 	if (!err)
4847 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4848 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4849 				   mac_addr);
4850 
4851 #ifdef CONFIG_CFG80211_WEXT
4852 	if (!err) {
4853 		if (key.idx == wdev->wext.default_key)
4854 			wdev->wext.default_key = -1;
4855 		else if (key.idx == wdev->wext.default_mgmt_key)
4856 			wdev->wext.default_mgmt_key = -1;
4857 	}
4858 #endif
4859 	wdev_unlock(wdev);
4860 
4861 	return err;
4862 }
4863 
4864 /* This function returns an error or the number of nested attributes */
4865 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4866 {
4867 	struct nlattr *attr;
4868 	int n_entries = 0, tmp;
4869 
4870 	nla_for_each_nested(attr, nl_attr, tmp) {
4871 		if (nla_len(attr) != ETH_ALEN)
4872 			return -EINVAL;
4873 
4874 		n_entries++;
4875 	}
4876 
4877 	return n_entries;
4878 }
4879 
4880 /*
4881  * This function parses ACL information and allocates memory for ACL data.
4882  * On successful return, the calling function is responsible to free the
4883  * ACL buffer returned by this function.
4884  */
4885 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4886 						struct genl_info *info)
4887 {
4888 	enum nl80211_acl_policy acl_policy;
4889 	struct nlattr *attr;
4890 	struct cfg80211_acl_data *acl;
4891 	int i = 0, n_entries, tmp;
4892 
4893 	if (!wiphy->max_acl_mac_addrs)
4894 		return ERR_PTR(-EOPNOTSUPP);
4895 
4896 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4897 		return ERR_PTR(-EINVAL);
4898 
4899 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4900 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4901 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4902 		return ERR_PTR(-EINVAL);
4903 
4904 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4905 		return ERR_PTR(-EINVAL);
4906 
4907 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4908 	if (n_entries < 0)
4909 		return ERR_PTR(n_entries);
4910 
4911 	if (n_entries > wiphy->max_acl_mac_addrs)
4912 		return ERR_PTR(-ENOTSUPP);
4913 
4914 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4915 	if (!acl)
4916 		return ERR_PTR(-ENOMEM);
4917 	acl->n_acl_entries = n_entries;
4918 
4919 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4920 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4921 		i++;
4922 	}
4923 	acl->acl_policy = acl_policy;
4924 
4925 	return acl;
4926 }
4927 
4928 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4929 {
4930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4931 	struct net_device *dev = info->user_ptr[1];
4932 	struct cfg80211_acl_data *acl;
4933 	int err;
4934 
4935 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4936 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4937 		return -EOPNOTSUPP;
4938 
4939 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4940 		return -EINVAL;
4941 
4942 	acl = parse_acl_data(&rdev->wiphy, info);
4943 	if (IS_ERR(acl))
4944 		return PTR_ERR(acl);
4945 
4946 	err = rdev_set_mac_acl(rdev, dev, acl);
4947 
4948 	kfree(acl);
4949 
4950 	return err;
4951 }
4952 
4953 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4954 			   u8 *rates, u8 rates_len)
4955 {
4956 	u8 i;
4957 	u32 mask = 0;
4958 
4959 	for (i = 0; i < rates_len; i++) {
4960 		int rate = (rates[i] & 0x7f) * 5;
4961 		int ridx;
4962 
4963 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4964 			struct ieee80211_rate *srate =
4965 				&sband->bitrates[ridx];
4966 			if (rate == srate->bitrate) {
4967 				mask |= 1 << ridx;
4968 				break;
4969 			}
4970 		}
4971 		if (ridx == sband->n_bitrates)
4972 			return 0; /* rate not found */
4973 	}
4974 
4975 	return mask;
4976 }
4977 
4978 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4979 			       u8 *rates, u8 rates_len,
4980 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4981 {
4982 	u8 i;
4983 
4984 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4985 
4986 	for (i = 0; i < rates_len; i++) {
4987 		int ridx, rbit;
4988 
4989 		ridx = rates[i] / 8;
4990 		rbit = BIT(rates[i] % 8);
4991 
4992 		/* check validity */
4993 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4994 			return false;
4995 
4996 		/* check availability */
4997 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4998 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4999 			mcs[ridx] |= rbit;
5000 		else
5001 			return false;
5002 	}
5003 
5004 	return true;
5005 }
5006 
5007 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5008 {
5009 	u16 mcs_mask = 0;
5010 
5011 	switch (vht_mcs_map) {
5012 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5013 		break;
5014 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5015 		mcs_mask = 0x00FF;
5016 		break;
5017 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5018 		mcs_mask = 0x01FF;
5019 		break;
5020 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5021 		mcs_mask = 0x03FF;
5022 		break;
5023 	default:
5024 		break;
5025 	}
5026 
5027 	return mcs_mask;
5028 }
5029 
5030 static void vht_build_mcs_mask(u16 vht_mcs_map,
5031 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5032 {
5033 	u8 nss;
5034 
5035 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5036 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5037 		vht_mcs_map >>= 2;
5038 	}
5039 }
5040 
5041 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5042 			     struct nl80211_txrate_vht *txrate,
5043 			     u16 mcs[NL80211_VHT_NSS_MAX])
5044 {
5045 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5046 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5047 	u8 i;
5048 
5049 	if (!sband->vht_cap.vht_supported)
5050 		return false;
5051 
5052 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5053 
5054 	/* Build vht_mcs_mask from VHT capabilities */
5055 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5056 
5057 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5058 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5059 			mcs[i] = txrate->mcs[i];
5060 		else
5061 			return false;
5062 	}
5063 
5064 	return true;
5065 }
5066 
5067 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5068 {
5069 	switch (he_mcs_map) {
5070 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5071 		return 0;
5072 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5073 		return 0x00FF;
5074 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5075 		return 0x03FF;
5076 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5077 		return 0xFFF;
5078 	default:
5079 		break;
5080 	}
5081 	return 0;
5082 }
5083 
5084 static void he_build_mcs_mask(u16 he_mcs_map,
5085 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5086 {
5087 	u8 nss;
5088 
5089 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5090 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5091 		he_mcs_map >>= 2;
5092 	}
5093 }
5094 
5095 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5096 			   const struct ieee80211_sta_he_cap *he_cap)
5097 {
5098 	struct net_device *dev = info->user_ptr[1];
5099 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5100 	struct cfg80211_chan_def *chandef;
5101 	__le16 tx_mcs;
5102 
5103 	chandef = wdev_chandef(wdev, link_id);
5104 	if (!chandef) {
5105 		/*
5106 		 * This is probably broken, but we never maintained
5107 		 * a chandef in these cases, so it always was.
5108 		 */
5109 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5110 	}
5111 
5112 	switch (chandef->width) {
5113 	case NL80211_CHAN_WIDTH_80P80:
5114 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5115 		break;
5116 	case NL80211_CHAN_WIDTH_160:
5117 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5118 		break;
5119 	default:
5120 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5121 		break;
5122 	}
5123 
5124 	return le16_to_cpu(tx_mcs);
5125 }
5126 
5127 static bool he_set_mcs_mask(struct genl_info *info,
5128 			    struct wireless_dev *wdev,
5129 			    struct ieee80211_supported_band *sband,
5130 			    struct nl80211_txrate_he *txrate,
5131 			    u16 mcs[NL80211_HE_NSS_MAX],
5132 			    unsigned int link_id)
5133 {
5134 	const struct ieee80211_sta_he_cap *he_cap;
5135 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5136 	u16 tx_mcs_map = 0;
5137 	u8 i;
5138 
5139 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5140 	if (!he_cap)
5141 		return false;
5142 
5143 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5144 
5145 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5146 
5147 	/* Build he_mcs_mask from HE capabilities */
5148 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5149 
5150 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5151 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5152 			mcs[i] = txrate->mcs[i];
5153 		else
5154 			return false;
5155 	}
5156 
5157 	return true;
5158 }
5159 
5160 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5161 					 struct nlattr *attrs[],
5162 					 enum nl80211_attrs attr,
5163 					 struct cfg80211_bitrate_mask *mask,
5164 					 struct net_device *dev,
5165 					 bool default_all_enabled,
5166 					 unsigned int link_id)
5167 {
5168 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5170 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5171 	int rem, i;
5172 	struct nlattr *tx_rates;
5173 	struct ieee80211_supported_band *sband;
5174 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5175 
5176 	memset(mask, 0, sizeof(*mask));
5177 	/* Default to all rates enabled */
5178 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5179 		const struct ieee80211_sta_he_cap *he_cap;
5180 
5181 		if (!default_all_enabled)
5182 			break;
5183 
5184 		sband = rdev->wiphy.bands[i];
5185 
5186 		if (!sband)
5187 			continue;
5188 
5189 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5190 		memcpy(mask->control[i].ht_mcs,
5191 		       sband->ht_cap.mcs.rx_mask,
5192 		       sizeof(mask->control[i].ht_mcs));
5193 
5194 		if (sband->vht_cap.vht_supported) {
5195 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5196 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5197 		}
5198 
5199 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5200 		if (!he_cap)
5201 			continue;
5202 
5203 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5204 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5205 
5206 		mask->control[i].he_gi = 0xFF;
5207 		mask->control[i].he_ltf = 0xFF;
5208 	}
5209 
5210 	/* if no rates are given set it back to the defaults */
5211 	if (!attrs[attr])
5212 		goto out;
5213 
5214 	/* The nested attribute uses enum nl80211_band as the index. This maps
5215 	 * directly to the enum nl80211_band values used in cfg80211.
5216 	 */
5217 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5218 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5219 		enum nl80211_band band = nla_type(tx_rates);
5220 		int err;
5221 
5222 		if (band < 0 || band >= NUM_NL80211_BANDS)
5223 			return -EINVAL;
5224 		sband = rdev->wiphy.bands[band];
5225 		if (sband == NULL)
5226 			return -EINVAL;
5227 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5228 						  tx_rates,
5229 						  nl80211_txattr_policy,
5230 						  info->extack);
5231 		if (err)
5232 			return err;
5233 		if (tb[NL80211_TXRATE_LEGACY]) {
5234 			mask->control[band].legacy = rateset_to_mask(
5235 				sband,
5236 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5237 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5238 			if ((mask->control[band].legacy == 0) &&
5239 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5240 				return -EINVAL;
5241 		}
5242 		if (tb[NL80211_TXRATE_HT]) {
5243 			if (!ht_rateset_to_mask(
5244 					sband,
5245 					nla_data(tb[NL80211_TXRATE_HT]),
5246 					nla_len(tb[NL80211_TXRATE_HT]),
5247 					mask->control[band].ht_mcs))
5248 				return -EINVAL;
5249 		}
5250 
5251 		if (tb[NL80211_TXRATE_VHT]) {
5252 			if (!vht_set_mcs_mask(
5253 					sband,
5254 					nla_data(tb[NL80211_TXRATE_VHT]),
5255 					mask->control[band].vht_mcs))
5256 				return -EINVAL;
5257 		}
5258 
5259 		if (tb[NL80211_TXRATE_GI]) {
5260 			mask->control[band].gi =
5261 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5262 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5263 				return -EINVAL;
5264 		}
5265 		if (tb[NL80211_TXRATE_HE] &&
5266 		    !he_set_mcs_mask(info, wdev, sband,
5267 				     nla_data(tb[NL80211_TXRATE_HE]),
5268 				     mask->control[band].he_mcs,
5269 				     link_id))
5270 			return -EINVAL;
5271 
5272 		if (tb[NL80211_TXRATE_HE_GI])
5273 			mask->control[band].he_gi =
5274 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5275 		if (tb[NL80211_TXRATE_HE_LTF])
5276 			mask->control[band].he_ltf =
5277 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5278 
5279 		if (mask->control[band].legacy == 0) {
5280 			/* don't allow empty legacy rates if HT, VHT or HE
5281 			 * are not even supported.
5282 			 */
5283 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5284 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5285 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5286 				return -EINVAL;
5287 
5288 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5289 				if (mask->control[band].ht_mcs[i])
5290 					goto out;
5291 
5292 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5293 				if (mask->control[band].vht_mcs[i])
5294 					goto out;
5295 
5296 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5297 				if (mask->control[band].he_mcs[i])
5298 					goto out;
5299 
5300 			/* legacy and mcs rates may not be both empty */
5301 			return -EINVAL;
5302 		}
5303 	}
5304 
5305 out:
5306 	return 0;
5307 }
5308 
5309 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5310 				   enum nl80211_band band,
5311 				   struct cfg80211_bitrate_mask *beacon_rate)
5312 {
5313 	u32 count_ht, count_vht, count_he, i;
5314 	u32 rate = beacon_rate->control[band].legacy;
5315 
5316 	/* Allow only one rate */
5317 	if (hweight32(rate) > 1)
5318 		return -EINVAL;
5319 
5320 	count_ht = 0;
5321 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5322 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5323 			return -EINVAL;
5324 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5325 			count_ht++;
5326 			if (count_ht > 1)
5327 				return -EINVAL;
5328 		}
5329 		if (count_ht && rate)
5330 			return -EINVAL;
5331 	}
5332 
5333 	count_vht = 0;
5334 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5335 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5336 			return -EINVAL;
5337 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5338 			count_vht++;
5339 			if (count_vht > 1)
5340 				return -EINVAL;
5341 		}
5342 		if (count_vht && rate)
5343 			return -EINVAL;
5344 	}
5345 
5346 	count_he = 0;
5347 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5348 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5349 			return -EINVAL;
5350 		} else if (beacon_rate->control[band].he_mcs[i]) {
5351 			count_he++;
5352 			if (count_he > 1)
5353 				return -EINVAL;
5354 		}
5355 		if (count_he && rate)
5356 			return -EINVAL;
5357 	}
5358 
5359 	if ((count_ht && count_vht && count_he) ||
5360 	    (!rate && !count_ht && !count_vht && !count_he))
5361 		return -EINVAL;
5362 
5363 	if (rate &&
5364 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5365 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5366 		return -EINVAL;
5367 	if (count_ht &&
5368 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5369 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5370 		return -EINVAL;
5371 	if (count_vht &&
5372 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5373 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5374 		return -EINVAL;
5375 	if (count_he &&
5376 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5377 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5378 		return -EINVAL;
5379 
5380 	return 0;
5381 }
5382 
5383 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5384 				       struct net_device *dev,
5385 				       struct nlattr *attrs,
5386 				       struct cfg80211_mbssid_config *config,
5387 				       u8 num_elems)
5388 {
5389 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5390 
5391 	if (!wiphy->mbssid_max_interfaces)
5392 		return -EOPNOTSUPP;
5393 
5394 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5395 			     NULL) ||
5396 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5397 		return -EINVAL;
5398 
5399 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5400 	if (config->ema) {
5401 		if (!wiphy->ema_max_profile_periodicity)
5402 			return -EOPNOTSUPP;
5403 
5404 		if (num_elems > wiphy->ema_max_profile_periodicity)
5405 			return -EINVAL;
5406 	}
5407 
5408 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5409 	if (config->index >= wiphy->mbssid_max_interfaces ||
5410 	    (!config->index && !num_elems))
5411 		return -EINVAL;
5412 
5413 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5414 		u32 tx_ifindex =
5415 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5416 
5417 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5418 		    (config->index && tx_ifindex == dev->ifindex))
5419 			return -EINVAL;
5420 
5421 		if (tx_ifindex != dev->ifindex) {
5422 			struct net_device *tx_netdev =
5423 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5424 
5425 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5426 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5427 			    tx_netdev->ieee80211_ptr->iftype !=
5428 							NL80211_IFTYPE_AP) {
5429 				dev_put(tx_netdev);
5430 				return -EINVAL;
5431 			}
5432 
5433 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5434 		} else {
5435 			config->tx_wdev = dev->ieee80211_ptr;
5436 		}
5437 	} else if (!config->index) {
5438 		config->tx_wdev = dev->ieee80211_ptr;
5439 	} else {
5440 		return -EINVAL;
5441 	}
5442 
5443 	return 0;
5444 }
5445 
5446 static struct cfg80211_mbssid_elems *
5447 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5448 {
5449 	struct nlattr *nl_elems;
5450 	struct cfg80211_mbssid_elems *elems;
5451 	int rem_elems;
5452 	u8 i = 0, num_elems = 0;
5453 
5454 	if (!wiphy->mbssid_max_interfaces)
5455 		return ERR_PTR(-EINVAL);
5456 
5457 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5458 		if (num_elems >= 255)
5459 			return ERR_PTR(-EINVAL);
5460 		num_elems++;
5461 	}
5462 
5463 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5464 	if (!elems)
5465 		return ERR_PTR(-ENOMEM);
5466 	elems->cnt = num_elems;
5467 
5468 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5469 		elems->elem[i].data = nla_data(nl_elems);
5470 		elems->elem[i].len = nla_len(nl_elems);
5471 		i++;
5472 	}
5473 	return elems;
5474 }
5475 
5476 static struct cfg80211_rnr_elems *
5477 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5478 			struct netlink_ext_ack *extack)
5479 {
5480 	struct nlattr *nl_elems;
5481 	struct cfg80211_rnr_elems *elems;
5482 	int rem_elems;
5483 	u8 i = 0, num_elems = 0;
5484 
5485 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5486 		int ret;
5487 
5488 		ret = validate_ie_attr(nl_elems, extack);
5489 		if (ret)
5490 			return ERR_PTR(ret);
5491 
5492 		num_elems++;
5493 	}
5494 
5495 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5496 	if (!elems)
5497 		return ERR_PTR(-ENOMEM);
5498 	elems->cnt = num_elems;
5499 
5500 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5501 		elems->elem[i].data = nla_data(nl_elems);
5502 		elems->elem[i].len = nla_len(nl_elems);
5503 		i++;
5504 	}
5505 	return elems;
5506 }
5507 
5508 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5509 				      struct cfg80211_he_bss_color *he_bss_color)
5510 {
5511 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5512 	int err;
5513 
5514 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5515 			       he_bss_color_policy, NULL);
5516 	if (err)
5517 		return err;
5518 
5519 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5520 		return -EINVAL;
5521 
5522 	he_bss_color->color =
5523 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5524 	he_bss_color->enabled =
5525 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5526 	he_bss_color->partial =
5527 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5528 
5529 	return 0;
5530 }
5531 
5532 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5533 				struct nlattr *attrs[],
5534 				struct cfg80211_beacon_data *bcn,
5535 				struct netlink_ext_ack *extack)
5536 {
5537 	bool haveinfo = false;
5538 	int err;
5539 
5540 	memset(bcn, 0, sizeof(*bcn));
5541 
5542 	bcn->link_id = nl80211_link_id(attrs);
5543 
5544 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5545 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5546 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5547 		if (!bcn->head_len)
5548 			return -EINVAL;
5549 		haveinfo = true;
5550 	}
5551 
5552 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5553 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5554 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5555 		haveinfo = true;
5556 	}
5557 
5558 	if (!haveinfo)
5559 		return -EINVAL;
5560 
5561 	if (attrs[NL80211_ATTR_IE]) {
5562 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5563 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5564 	}
5565 
5566 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5567 		bcn->proberesp_ies =
5568 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5569 		bcn->proberesp_ies_len =
5570 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5571 	}
5572 
5573 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5574 		bcn->assocresp_ies =
5575 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5576 		bcn->assocresp_ies_len =
5577 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5578 	}
5579 
5580 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5581 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5582 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5583 	}
5584 
5585 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5586 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5587 
5588 		err = nla_parse_nested_deprecated(tb,
5589 						  NL80211_FTM_RESP_ATTR_MAX,
5590 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5591 						  NULL, NULL);
5592 		if (err)
5593 			return err;
5594 
5595 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5596 		    wiphy_ext_feature_isset(&rdev->wiphy,
5597 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5598 			bcn->ftm_responder = 1;
5599 		else
5600 			return -EOPNOTSUPP;
5601 
5602 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5603 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5604 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5605 		}
5606 
5607 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5608 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5609 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5610 		}
5611 	} else {
5612 		bcn->ftm_responder = -1;
5613 	}
5614 
5615 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5616 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5617 						 &bcn->he_bss_color);
5618 		if (err)
5619 			return err;
5620 		bcn->he_bss_color_valid = true;
5621 	}
5622 
5623 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5624 		struct cfg80211_mbssid_elems *mbssid =
5625 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5626 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5627 
5628 		if (IS_ERR(mbssid))
5629 			return PTR_ERR(mbssid);
5630 
5631 		bcn->mbssid_ies = mbssid;
5632 
5633 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5634 			struct cfg80211_rnr_elems *rnr =
5635 				nl80211_parse_rnr_elems(&rdev->wiphy,
5636 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5637 							extack);
5638 
5639 			if (IS_ERR(rnr))
5640 				return PTR_ERR(rnr);
5641 
5642 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5643 				return -EINVAL;
5644 
5645 			bcn->rnr_ies = rnr;
5646 		}
5647 	}
5648 
5649 	return 0;
5650 }
5651 
5652 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5653 				    struct ieee80211_he_obss_pd *he_obss_pd)
5654 {
5655 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5656 	int err;
5657 
5658 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5659 			       he_obss_pd_policy, NULL);
5660 	if (err)
5661 		return err;
5662 
5663 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5664 		return -EINVAL;
5665 
5666 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5667 
5668 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5669 		he_obss_pd->min_offset =
5670 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5671 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5672 		he_obss_pd->max_offset =
5673 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5674 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5675 		he_obss_pd->non_srg_max_offset =
5676 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5677 
5678 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5679 		return -EINVAL;
5680 
5681 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5682 		memcpy(he_obss_pd->bss_color_bitmap,
5683 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5684 		       sizeof(he_obss_pd->bss_color_bitmap));
5685 
5686 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5687 		memcpy(he_obss_pd->partial_bssid_bitmap,
5688 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5689 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5690 
5691 	he_obss_pd->enable = true;
5692 
5693 	return 0;
5694 }
5695 
5696 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5697 					struct nlattr *attrs,
5698 					struct cfg80211_ap_settings *params)
5699 {
5700 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5701 	int ret;
5702 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5703 
5704 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5705 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5706 		return -EINVAL;
5707 
5708 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5709 			       NULL, NULL);
5710 	if (ret)
5711 		return ret;
5712 
5713 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5714 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5715 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5716 		return -EINVAL;
5717 
5718 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5719 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5720 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5721 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5722 
5723 	return 0;
5724 }
5725 
5726 static int
5727 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5728 				     struct nlattr *attrs,
5729 				     struct cfg80211_ap_settings *params)
5730 {
5731 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5732 	int ret;
5733 	struct cfg80211_unsol_bcast_probe_resp *presp =
5734 					&params->unsol_bcast_probe_resp;
5735 
5736 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5737 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5738 		return -EINVAL;
5739 
5740 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5741 			       attrs, NULL, NULL);
5742 	if (ret)
5743 		return ret;
5744 
5745 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5746 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5747 		return -EINVAL;
5748 
5749 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5750 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5751 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5752 	return 0;
5753 }
5754 
5755 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5756 					    const struct element *rates)
5757 {
5758 	int i;
5759 
5760 	if (!rates)
5761 		return;
5762 
5763 	for (i = 0; i < rates->datalen; i++) {
5764 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5765 			params->ht_required = true;
5766 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5767 			params->vht_required = true;
5768 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5769 			params->he_required = true;
5770 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5771 			params->sae_h2e_required = true;
5772 	}
5773 }
5774 
5775 /*
5776  * Since the nl80211 API didn't include, from the beginning, attributes about
5777  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5778  * benefit of drivers that rebuild IEs in the firmware.
5779  */
5780 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5781 {
5782 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5783 	size_t ies_len = bcn->tail_len;
5784 	const u8 *ies = bcn->tail;
5785 	const struct element *rates;
5786 	const struct element *cap;
5787 
5788 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5789 	nl80211_check_ap_rate_selectors(params, rates);
5790 
5791 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5792 	nl80211_check_ap_rate_selectors(params, rates);
5793 
5794 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5795 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5796 		params->ht_cap = (void *)cap->data;
5797 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5798 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5799 		params->vht_cap = (void *)cap->data;
5800 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5801 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5802 		params->he_cap = (void *)(cap->data + 1);
5803 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5804 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5805 		params->he_oper = (void *)(cap->data + 1);
5806 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5807 	if (cap) {
5808 		if (!cap->datalen)
5809 			return -EINVAL;
5810 		params->eht_cap = (void *)(cap->data + 1);
5811 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5812 						(const u8 *)params->eht_cap,
5813 						cap->datalen - 1, true))
5814 			return -EINVAL;
5815 	}
5816 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5817 	if (cap) {
5818 		if (!cap->datalen)
5819 			return -EINVAL;
5820 		params->eht_oper = (void *)(cap->data + 1);
5821 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5822 						cap->datalen - 1))
5823 			return -EINVAL;
5824 	}
5825 	return 0;
5826 }
5827 
5828 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5829 				   struct cfg80211_ap_settings *params)
5830 {
5831 	struct wireless_dev *wdev;
5832 
5833 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5834 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5835 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5836 			continue;
5837 
5838 		if (!wdev->u.ap.preset_chandef.chan)
5839 			continue;
5840 
5841 		params->chandef = wdev->u.ap.preset_chandef;
5842 		return true;
5843 	}
5844 
5845 	return false;
5846 }
5847 
5848 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5849 				    enum nl80211_auth_type auth_type,
5850 				    enum nl80211_commands cmd)
5851 {
5852 	if (auth_type > NL80211_AUTHTYPE_MAX)
5853 		return false;
5854 
5855 	switch (cmd) {
5856 	case NL80211_CMD_AUTHENTICATE:
5857 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5858 		    auth_type == NL80211_AUTHTYPE_SAE)
5859 			return false;
5860 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5861 					     NL80211_EXT_FEATURE_FILS_STA) &&
5862 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5863 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5864 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5865 			return false;
5866 		return true;
5867 	case NL80211_CMD_CONNECT:
5868 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5869 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5870 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5871 		    auth_type == NL80211_AUTHTYPE_SAE)
5872 			return false;
5873 
5874 		/* FILS with SK PFS or PK not supported yet */
5875 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5876 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5877 			return false;
5878 		if (!wiphy_ext_feature_isset(
5879 			    &rdev->wiphy,
5880 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5881 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5882 			return false;
5883 		return true;
5884 	case NL80211_CMD_START_AP:
5885 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5886 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5887 		    auth_type == NL80211_AUTHTYPE_SAE)
5888 			return false;
5889 		/* FILS not supported yet */
5890 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5891 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5892 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5893 			return false;
5894 		return true;
5895 	default:
5896 		return false;
5897 	}
5898 }
5899 
5900 static void nl80211_send_ap_started(struct wireless_dev *wdev,
5901 				    unsigned int link_id)
5902 {
5903 	struct wiphy *wiphy = wdev->wiphy;
5904 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5905 	struct sk_buff *msg;
5906 	void *hdr;
5907 
5908 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5909 	if (!msg)
5910 		return;
5911 
5912 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5913 	if (!hdr)
5914 		goto out;
5915 
5916 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5917 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5918 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5919 			      NL80211_ATTR_PAD) ||
5920 	    (wdev->u.ap.ssid_len &&
5921 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5922 		     wdev->u.ap.ssid)) ||
5923 	    (wdev->valid_links &&
5924 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5925 		goto out;
5926 
5927 	genlmsg_end(msg, hdr);
5928 
5929 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5930 				NL80211_MCGRP_MLME, GFP_KERNEL);
5931 	return;
5932 out:
5933 	nlmsg_free(msg);
5934 }
5935 
5936 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
5937 {
5938 	struct ieee80211_channel *channel = params->chandef.chan;
5939 
5940 	if ((params->he_cap ||  params->he_oper) &&
5941 	    (channel->flags & IEEE80211_CHAN_NO_HE))
5942 		return -EOPNOTSUPP;
5943 
5944 	if ((params->eht_cap || params->eht_oper) &&
5945 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
5946 		return -EOPNOTSUPP;
5947 
5948 	return 0;
5949 }
5950 
5951 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5952 {
5953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5954 	unsigned int link_id = nl80211_link_id(info->attrs);
5955 	struct net_device *dev = info->user_ptr[1];
5956 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5957 	struct cfg80211_ap_settings *params;
5958 	int err;
5959 
5960 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5961 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5962 		return -EOPNOTSUPP;
5963 
5964 	if (!rdev->ops->start_ap)
5965 		return -EOPNOTSUPP;
5966 
5967 	if (wdev->links[link_id].ap.beacon_interval)
5968 		return -EALREADY;
5969 
5970 	/* these are required for START_AP */
5971 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5972 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5973 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5974 		return -EINVAL;
5975 
5976 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5977 	if (!params)
5978 		return -ENOMEM;
5979 
5980 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
5981 				   info->extack);
5982 	if (err)
5983 		goto out;
5984 
5985 	params->beacon_interval =
5986 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5987 	params->dtim_period =
5988 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5989 
5990 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5991 					   params->beacon_interval);
5992 	if (err)
5993 		goto out;
5994 
5995 	/*
5996 	 * In theory, some of these attributes should be required here
5997 	 * but since they were not used when the command was originally
5998 	 * added, keep them optional for old user space programs to let
5999 	 * them continue to work with drivers that do not need the
6000 	 * additional information -- drivers must check!
6001 	 */
6002 	if (info->attrs[NL80211_ATTR_SSID]) {
6003 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6004 		params->ssid_len =
6005 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6006 		if (params->ssid_len == 0) {
6007 			err = -EINVAL;
6008 			goto out;
6009 		}
6010 
6011 		if (wdev->u.ap.ssid_len &&
6012 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6013 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6014 			/* require identical SSID for MLO */
6015 			err = -EINVAL;
6016 			goto out;
6017 		}
6018 	} else if (wdev->valid_links) {
6019 		/* require SSID for MLO */
6020 		err = -EINVAL;
6021 		goto out;
6022 	}
6023 
6024 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6025 		params->hidden_ssid = nla_get_u32(
6026 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6027 
6028 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6029 
6030 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6031 		params->auth_type = nla_get_u32(
6032 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6033 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6034 					     NL80211_CMD_START_AP)) {
6035 			err = -EINVAL;
6036 			goto out;
6037 		}
6038 	} else
6039 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6040 
6041 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6042 				      NL80211_MAX_NR_CIPHER_SUITES);
6043 	if (err)
6044 		goto out;
6045 
6046 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6047 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6048 			err = -EOPNOTSUPP;
6049 			goto out;
6050 		}
6051 		params->inactivity_timeout = nla_get_u16(
6052 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6053 	}
6054 
6055 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6056 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6057 			err = -EINVAL;
6058 			goto out;
6059 		}
6060 		params->p2p_ctwindow =
6061 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6062 		if (params->p2p_ctwindow != 0 &&
6063 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6064 			err = -EINVAL;
6065 			goto out;
6066 		}
6067 	}
6068 
6069 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6070 		u8 tmp;
6071 
6072 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6073 			err = -EINVAL;
6074 			goto out;
6075 		}
6076 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6077 		params->p2p_opp_ps = tmp;
6078 		if (params->p2p_opp_ps != 0 &&
6079 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6080 			err = -EINVAL;
6081 			goto out;
6082 		}
6083 	}
6084 
6085 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6086 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6087 		if (err)
6088 			goto out;
6089 	} else if (wdev->valid_links) {
6090 		/* with MLD need to specify the channel configuration */
6091 		err = -EINVAL;
6092 		goto out;
6093 	} else if (wdev->u.ap.preset_chandef.chan) {
6094 		params->chandef = wdev->u.ap.preset_chandef;
6095 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6096 		err = -EINVAL;
6097 		goto out;
6098 	}
6099 
6100 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
6101 		err = nl80211_parse_punct_bitmap(rdev, info,
6102 						 &params->chandef,
6103 						 &params->punct_bitmap);
6104 		if (err)
6105 			goto out;
6106 	}
6107 
6108 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
6109 					   wdev->iftype)) {
6110 		err = -EINVAL;
6111 		goto out;
6112 	}
6113 
6114 	wdev_lock(wdev);
6115 
6116 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6117 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6118 						    NL80211_ATTR_TX_RATES,
6119 						    &params->beacon_rate,
6120 						    dev, false, link_id);
6121 		if (err)
6122 			goto out_unlock;
6123 
6124 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6125 					      &params->beacon_rate);
6126 		if (err)
6127 			goto out_unlock;
6128 	}
6129 
6130 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6131 		params->smps_mode =
6132 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6133 		switch (params->smps_mode) {
6134 		case NL80211_SMPS_OFF:
6135 			break;
6136 		case NL80211_SMPS_STATIC:
6137 			if (!(rdev->wiphy.features &
6138 			      NL80211_FEATURE_STATIC_SMPS)) {
6139 				err = -EINVAL;
6140 				goto out_unlock;
6141 			}
6142 			break;
6143 		case NL80211_SMPS_DYNAMIC:
6144 			if (!(rdev->wiphy.features &
6145 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6146 				err = -EINVAL;
6147 				goto out_unlock;
6148 			}
6149 			break;
6150 		default:
6151 			err = -EINVAL;
6152 			goto out_unlock;
6153 		}
6154 	} else {
6155 		params->smps_mode = NL80211_SMPS_OFF;
6156 	}
6157 
6158 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6159 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6160 		err = -EOPNOTSUPP;
6161 		goto out_unlock;
6162 	}
6163 
6164 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6165 		params->acl = parse_acl_data(&rdev->wiphy, info);
6166 		if (IS_ERR(params->acl)) {
6167 			err = PTR_ERR(params->acl);
6168 			params->acl = NULL;
6169 			goto out_unlock;
6170 		}
6171 	}
6172 
6173 	params->twt_responder =
6174 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6175 
6176 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6177 		err = nl80211_parse_he_obss_pd(
6178 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6179 					&params->he_obss_pd);
6180 		if (err)
6181 			goto out_unlock;
6182 	}
6183 
6184 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6185 		err = nl80211_parse_fils_discovery(rdev,
6186 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6187 						   params);
6188 		if (err)
6189 			goto out_unlock;
6190 	}
6191 
6192 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6193 		err = nl80211_parse_unsol_bcast_probe_resp(
6194 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6195 			params);
6196 		if (err)
6197 			goto out_unlock;
6198 	}
6199 
6200 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6201 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6202 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6203 						  &params->mbssid_config,
6204 						  params->beacon.mbssid_ies ?
6205 							params->beacon.mbssid_ies->cnt :
6206 							0);
6207 		if (err)
6208 			goto out_unlock;
6209 	}
6210 
6211 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6212 		err = -EINVAL;
6213 		goto out_unlock;
6214 	}
6215 
6216 	err = nl80211_calculate_ap_params(params);
6217 	if (err)
6218 		goto out_unlock;
6219 
6220 	err = nl80211_validate_ap_phy_operation(params);
6221 	if (err)
6222 		goto out_unlock;
6223 
6224 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6225 		params->flags = nla_get_u32(
6226 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6227 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6228 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6229 
6230 	if (wdev->conn_owner_nlportid &&
6231 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6232 	    wdev->conn_owner_nlportid != info->snd_portid) {
6233 		err = -EINVAL;
6234 		goto out_unlock;
6235 	}
6236 
6237 	/* FIXME: validate MLO/link-id against driver capabilities */
6238 
6239 	err = rdev_start_ap(rdev, dev, params);
6240 	if (!err) {
6241 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6242 		wdev->links[link_id].ap.chandef = params->chandef;
6243 		wdev->u.ap.ssid_len = params->ssid_len;
6244 		memcpy(wdev->u.ap.ssid, params->ssid,
6245 		       params->ssid_len);
6246 
6247 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6248 			wdev->conn_owner_nlportid = info->snd_portid;
6249 
6250 		nl80211_send_ap_started(wdev, link_id);
6251 	}
6252 out_unlock:
6253 	wdev_unlock(wdev);
6254 out:
6255 	kfree(params->acl);
6256 	kfree(params->beacon.mbssid_ies);
6257 	if (params->mbssid_config.tx_wdev &&
6258 	    params->mbssid_config.tx_wdev->netdev &&
6259 	    params->mbssid_config.tx_wdev->netdev != dev)
6260 		dev_put(params->mbssid_config.tx_wdev->netdev);
6261 	kfree(params->beacon.rnr_ies);
6262 	kfree(params);
6263 
6264 	return err;
6265 }
6266 
6267 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6268 {
6269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6270 	unsigned int link_id = nl80211_link_id(info->attrs);
6271 	struct net_device *dev = info->user_ptr[1];
6272 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6273 	struct cfg80211_beacon_data params;
6274 	int err;
6275 
6276 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6277 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6278 		return -EOPNOTSUPP;
6279 
6280 	if (!rdev->ops->change_beacon)
6281 		return -EOPNOTSUPP;
6282 
6283 	if (!wdev->links[link_id].ap.beacon_interval)
6284 		return -EINVAL;
6285 
6286 	err = nl80211_parse_beacon(rdev, info->attrs, &params, info->extack);
6287 	if (err)
6288 		goto out;
6289 
6290 	wdev_lock(wdev);
6291 	err = rdev_change_beacon(rdev, dev, &params);
6292 	wdev_unlock(wdev);
6293 
6294 out:
6295 	kfree(params.mbssid_ies);
6296 	kfree(params.rnr_ies);
6297 	return err;
6298 }
6299 
6300 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6301 {
6302 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6303 	unsigned int link_id = nl80211_link_id(info->attrs);
6304 	struct net_device *dev = info->user_ptr[1];
6305 
6306 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6307 }
6308 
6309 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6310 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6311 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6312 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6313 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6314 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6315 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6316 };
6317 
6318 static int parse_station_flags(struct genl_info *info,
6319 			       enum nl80211_iftype iftype,
6320 			       struct station_parameters *params)
6321 {
6322 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6323 	struct nlattr *nla;
6324 	int flag;
6325 
6326 	/*
6327 	 * Try parsing the new attribute first so userspace
6328 	 * can specify both for older kernels.
6329 	 */
6330 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6331 	if (nla) {
6332 		struct nl80211_sta_flag_update *sta_flags;
6333 
6334 		sta_flags = nla_data(nla);
6335 		params->sta_flags_mask = sta_flags->mask;
6336 		params->sta_flags_set = sta_flags->set;
6337 		params->sta_flags_set &= params->sta_flags_mask;
6338 		if ((params->sta_flags_mask |
6339 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6340 			return -EINVAL;
6341 		return 0;
6342 	}
6343 
6344 	/* if present, parse the old attribute */
6345 
6346 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6347 	if (!nla)
6348 		return 0;
6349 
6350 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6351 		return -EINVAL;
6352 
6353 	/*
6354 	 * Only allow certain flags for interface types so that
6355 	 * other attributes are silently ignored. Remember that
6356 	 * this is backward compatibility code with old userspace
6357 	 * and shouldn't be hit in other cases anyway.
6358 	 */
6359 	switch (iftype) {
6360 	case NL80211_IFTYPE_AP:
6361 	case NL80211_IFTYPE_AP_VLAN:
6362 	case NL80211_IFTYPE_P2P_GO:
6363 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6364 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6365 					 BIT(NL80211_STA_FLAG_WME) |
6366 					 BIT(NL80211_STA_FLAG_MFP);
6367 		break;
6368 	case NL80211_IFTYPE_P2P_CLIENT:
6369 	case NL80211_IFTYPE_STATION:
6370 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6371 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6372 		break;
6373 	case NL80211_IFTYPE_MESH_POINT:
6374 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6375 					 BIT(NL80211_STA_FLAG_MFP) |
6376 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6377 		break;
6378 	default:
6379 		return -EINVAL;
6380 	}
6381 
6382 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6383 		if (flags[flag]) {
6384 			params->sta_flags_set |= (1<<flag);
6385 
6386 			/* no longer support new API additions in old API */
6387 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6388 				return -EINVAL;
6389 		}
6390 	}
6391 
6392 	return 0;
6393 }
6394 
6395 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6396 {
6397 	struct nlattr *rate;
6398 	u32 bitrate;
6399 	u16 bitrate_compat;
6400 	enum nl80211_rate_info rate_flg;
6401 
6402 	rate = nla_nest_start_noflag(msg, attr);
6403 	if (!rate)
6404 		return false;
6405 
6406 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6407 	bitrate = cfg80211_calculate_bitrate(info);
6408 	/* report 16-bit bitrate only if we can */
6409 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6410 	if (bitrate > 0 &&
6411 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6412 		return false;
6413 	if (bitrate_compat > 0 &&
6414 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6415 		return false;
6416 
6417 	switch (info->bw) {
6418 	case RATE_INFO_BW_1:
6419 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6420 		break;
6421 	case RATE_INFO_BW_2:
6422 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6423 		break;
6424 	case RATE_INFO_BW_4:
6425 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6426 		break;
6427 	case RATE_INFO_BW_5:
6428 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6429 		break;
6430 	case RATE_INFO_BW_8:
6431 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6432 		break;
6433 	case RATE_INFO_BW_10:
6434 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6435 		break;
6436 	case RATE_INFO_BW_16:
6437 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6438 		break;
6439 	default:
6440 		WARN_ON(1);
6441 		fallthrough;
6442 	case RATE_INFO_BW_20:
6443 		rate_flg = 0;
6444 		break;
6445 	case RATE_INFO_BW_40:
6446 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6447 		break;
6448 	case RATE_INFO_BW_80:
6449 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6450 		break;
6451 	case RATE_INFO_BW_160:
6452 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6453 		break;
6454 	case RATE_INFO_BW_HE_RU:
6455 		rate_flg = 0;
6456 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6457 		break;
6458 	case RATE_INFO_BW_320:
6459 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6460 		break;
6461 	case RATE_INFO_BW_EHT_RU:
6462 		rate_flg = 0;
6463 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6464 		break;
6465 	}
6466 
6467 	if (rate_flg && nla_put_flag(msg, rate_flg))
6468 		return false;
6469 
6470 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6471 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6472 			return false;
6473 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6474 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6475 			return false;
6476 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6477 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6478 			return false;
6479 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6480 			return false;
6481 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6482 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6483 			return false;
6484 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6485 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6486 			return false;
6487 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6488 			return false;
6489 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6490 			return false;
6491 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6492 			return false;
6493 		if (info->bw == RATE_INFO_BW_HE_RU &&
6494 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6495 			       info->he_ru_alloc))
6496 			return false;
6497 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6498 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6499 			return false;
6500 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6501 			return false;
6502 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6503 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6504 			return false;
6505 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6506 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6507 			return false;
6508 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6509 			return false;
6510 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6511 			return false;
6512 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6513 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6514 			       info->eht_ru_alloc))
6515 			return false;
6516 	}
6517 
6518 	nla_nest_end(msg, rate);
6519 	return true;
6520 }
6521 
6522 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6523 			       int id)
6524 {
6525 	void *attr;
6526 	int i = 0;
6527 
6528 	if (!mask)
6529 		return true;
6530 
6531 	attr = nla_nest_start_noflag(msg, id);
6532 	if (!attr)
6533 		return false;
6534 
6535 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6536 		if (!(mask & BIT(i)))
6537 			continue;
6538 
6539 		if (nla_put_u8(msg, i, signal[i]))
6540 			return false;
6541 	}
6542 
6543 	nla_nest_end(msg, attr);
6544 
6545 	return true;
6546 }
6547 
6548 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6549 				u32 seq, int flags,
6550 				struct cfg80211_registered_device *rdev,
6551 				struct net_device *dev,
6552 				const u8 *mac_addr, struct station_info *sinfo)
6553 {
6554 	void *hdr;
6555 	struct nlattr *sinfoattr, *bss_param;
6556 
6557 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6558 	if (!hdr) {
6559 		cfg80211_sinfo_release_content(sinfo);
6560 		return -1;
6561 	}
6562 
6563 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6564 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6565 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6566 		goto nla_put_failure;
6567 
6568 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6569 	if (!sinfoattr)
6570 		goto nla_put_failure;
6571 
6572 #define PUT_SINFO(attr, memb, type) do {				\
6573 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6574 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6575 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6576 			     sinfo->memb))				\
6577 		goto nla_put_failure;					\
6578 	} while (0)
6579 #define PUT_SINFO_U64(attr, memb) do {					\
6580 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6581 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6582 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6583 		goto nla_put_failure;					\
6584 	} while (0)
6585 
6586 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6587 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6588 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6589 
6590 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6591 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6592 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6593 			(u32)sinfo->rx_bytes))
6594 		goto nla_put_failure;
6595 
6596 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6597 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6598 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6599 			(u32)sinfo->tx_bytes))
6600 		goto nla_put_failure;
6601 
6602 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6603 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6604 	PUT_SINFO(LLID, llid, u16);
6605 	PUT_SINFO(PLID, plid, u16);
6606 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6607 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6608 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6609 
6610 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6611 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6612 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6613 
6614 	switch (rdev->wiphy.signal_type) {
6615 	case CFG80211_SIGNAL_TYPE_MBM:
6616 		PUT_SINFO(SIGNAL, signal, u8);
6617 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6618 		break;
6619 	default:
6620 		break;
6621 	}
6622 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6623 		if (!nl80211_put_signal(msg, sinfo->chains,
6624 					sinfo->chain_signal,
6625 					NL80211_STA_INFO_CHAIN_SIGNAL))
6626 			goto nla_put_failure;
6627 	}
6628 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6629 		if (!nl80211_put_signal(msg, sinfo->chains,
6630 					sinfo->chain_signal_avg,
6631 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6632 			goto nla_put_failure;
6633 	}
6634 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6635 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6636 					  NL80211_STA_INFO_TX_BITRATE))
6637 			goto nla_put_failure;
6638 	}
6639 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6640 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6641 					  NL80211_STA_INFO_RX_BITRATE))
6642 			goto nla_put_failure;
6643 	}
6644 
6645 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6646 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6647 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6648 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6649 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6650 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6651 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6652 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6653 	PUT_SINFO(PEER_PM, peer_pm, u32);
6654 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6655 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6656 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6657 
6658 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6659 		bss_param = nla_nest_start_noflag(msg,
6660 						  NL80211_STA_INFO_BSS_PARAM);
6661 		if (!bss_param)
6662 			goto nla_put_failure;
6663 
6664 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6665 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6666 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6667 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6668 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6669 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6670 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6671 			       sinfo->bss_param.dtim_period) ||
6672 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6673 				sinfo->bss_param.beacon_interval))
6674 			goto nla_put_failure;
6675 
6676 		nla_nest_end(msg, bss_param);
6677 	}
6678 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6679 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6680 		    sizeof(struct nl80211_sta_flag_update),
6681 		    &sinfo->sta_flags))
6682 		goto nla_put_failure;
6683 
6684 	PUT_SINFO_U64(T_OFFSET, t_offset);
6685 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6686 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6687 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6688 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6689 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6690 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6691 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6692 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6693 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6694 	}
6695 
6696 #undef PUT_SINFO
6697 #undef PUT_SINFO_U64
6698 
6699 	if (sinfo->pertid) {
6700 		struct nlattr *tidsattr;
6701 		int tid;
6702 
6703 		tidsattr = nla_nest_start_noflag(msg,
6704 						 NL80211_STA_INFO_TID_STATS);
6705 		if (!tidsattr)
6706 			goto nla_put_failure;
6707 
6708 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6709 			struct cfg80211_tid_stats *tidstats;
6710 			struct nlattr *tidattr;
6711 
6712 			tidstats = &sinfo->pertid[tid];
6713 
6714 			if (!tidstats->filled)
6715 				continue;
6716 
6717 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6718 			if (!tidattr)
6719 				goto nla_put_failure;
6720 
6721 #define PUT_TIDVAL_U64(attr, memb) do {					\
6722 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6723 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6724 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6725 		goto nla_put_failure;					\
6726 	} while (0)
6727 
6728 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6729 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6730 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6731 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6732 
6733 #undef PUT_TIDVAL_U64
6734 			if ((tidstats->filled &
6735 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6736 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6737 						   NL80211_TID_STATS_TXQ_STATS))
6738 				goto nla_put_failure;
6739 
6740 			nla_nest_end(msg, tidattr);
6741 		}
6742 
6743 		nla_nest_end(msg, tidsattr);
6744 	}
6745 
6746 	nla_nest_end(msg, sinfoattr);
6747 
6748 	if (sinfo->assoc_req_ies_len &&
6749 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6750 		    sinfo->assoc_req_ies))
6751 		goto nla_put_failure;
6752 
6753 	if (sinfo->assoc_resp_ies_len &&
6754 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6755 		    sinfo->assoc_resp_ies))
6756 		goto nla_put_failure;
6757 
6758 	if (sinfo->mlo_params_valid) {
6759 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6760 			       sinfo->assoc_link_id))
6761 			goto nla_put_failure;
6762 
6763 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6764 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6765 			    sinfo->mld_addr))
6766 			goto nla_put_failure;
6767 	}
6768 
6769 	cfg80211_sinfo_release_content(sinfo);
6770 	genlmsg_end(msg, hdr);
6771 	return 0;
6772 
6773  nla_put_failure:
6774 	cfg80211_sinfo_release_content(sinfo);
6775 	genlmsg_cancel(msg, hdr);
6776 	return -EMSGSIZE;
6777 }
6778 
6779 static int nl80211_dump_station(struct sk_buff *skb,
6780 				struct netlink_callback *cb)
6781 {
6782 	struct station_info sinfo;
6783 	struct cfg80211_registered_device *rdev;
6784 	struct wireless_dev *wdev;
6785 	u8 mac_addr[ETH_ALEN];
6786 	int sta_idx = cb->args[2];
6787 	int err;
6788 
6789 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6790 	if (err)
6791 		return err;
6792 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6793 	__acquire(&rdev->wiphy.mtx);
6794 
6795 	if (!wdev->netdev) {
6796 		err = -EINVAL;
6797 		goto out_err;
6798 	}
6799 
6800 	if (!rdev->ops->dump_station) {
6801 		err = -EOPNOTSUPP;
6802 		goto out_err;
6803 	}
6804 
6805 	while (1) {
6806 		memset(&sinfo, 0, sizeof(sinfo));
6807 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6808 					mac_addr, &sinfo);
6809 		if (err == -ENOENT)
6810 			break;
6811 		if (err)
6812 			goto out_err;
6813 
6814 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6815 				NETLINK_CB(cb->skb).portid,
6816 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6817 				rdev, wdev->netdev, mac_addr,
6818 				&sinfo) < 0)
6819 			goto out;
6820 
6821 		sta_idx++;
6822 	}
6823 
6824  out:
6825 	cb->args[2] = sta_idx;
6826 	err = skb->len;
6827  out_err:
6828 	wiphy_unlock(&rdev->wiphy);
6829 
6830 	return err;
6831 }
6832 
6833 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6834 {
6835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6836 	struct net_device *dev = info->user_ptr[1];
6837 	struct station_info sinfo;
6838 	struct sk_buff *msg;
6839 	u8 *mac_addr = NULL;
6840 	int err;
6841 
6842 	memset(&sinfo, 0, sizeof(sinfo));
6843 
6844 	if (!info->attrs[NL80211_ATTR_MAC])
6845 		return -EINVAL;
6846 
6847 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6848 
6849 	if (!rdev->ops->get_station)
6850 		return -EOPNOTSUPP;
6851 
6852 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6853 	if (err)
6854 		return err;
6855 
6856 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6857 	if (!msg) {
6858 		cfg80211_sinfo_release_content(&sinfo);
6859 		return -ENOMEM;
6860 	}
6861 
6862 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6863 				 info->snd_portid, info->snd_seq, 0,
6864 				 rdev, dev, mac_addr, &sinfo) < 0) {
6865 		nlmsg_free(msg);
6866 		return -ENOBUFS;
6867 	}
6868 
6869 	return genlmsg_reply(msg, info);
6870 }
6871 
6872 int cfg80211_check_station_change(struct wiphy *wiphy,
6873 				  struct station_parameters *params,
6874 				  enum cfg80211_station_type statype)
6875 {
6876 	if (params->listen_interval != -1 &&
6877 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6878 		return -EINVAL;
6879 
6880 	if (params->support_p2p_ps != -1 &&
6881 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6882 		return -EINVAL;
6883 
6884 	if (params->aid &&
6885 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6886 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6887 		return -EINVAL;
6888 
6889 	/* When you run into this, adjust the code below for the new flag */
6890 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6891 
6892 	switch (statype) {
6893 	case CFG80211_STA_MESH_PEER_KERNEL:
6894 	case CFG80211_STA_MESH_PEER_USER:
6895 		/*
6896 		 * No ignoring the TDLS flag here -- the userspace mesh
6897 		 * code doesn't have the bug of including TDLS in the
6898 		 * mask everywhere.
6899 		 */
6900 		if (params->sta_flags_mask &
6901 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6902 				  BIT(NL80211_STA_FLAG_MFP) |
6903 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6904 			return -EINVAL;
6905 		break;
6906 	case CFG80211_STA_TDLS_PEER_SETUP:
6907 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6908 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6909 			return -EINVAL;
6910 		/* ignore since it can't change */
6911 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6912 		break;
6913 	default:
6914 		/* disallow mesh-specific things */
6915 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6916 			return -EINVAL;
6917 		if (params->local_pm)
6918 			return -EINVAL;
6919 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6920 			return -EINVAL;
6921 	}
6922 
6923 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6924 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6925 		/* TDLS can't be set, ... */
6926 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6927 			return -EINVAL;
6928 		/*
6929 		 * ... but don't bother the driver with it. This works around
6930 		 * a hostapd/wpa_supplicant issue -- it always includes the
6931 		 * TLDS_PEER flag in the mask even for AP mode.
6932 		 */
6933 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6934 	}
6935 
6936 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6937 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6938 		/* reject other things that can't change */
6939 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6940 			return -EINVAL;
6941 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6942 			return -EINVAL;
6943 		if (params->link_sta_params.supported_rates)
6944 			return -EINVAL;
6945 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6946 		    params->link_sta_params.vht_capa ||
6947 		    params->link_sta_params.he_capa ||
6948 		    params->link_sta_params.eht_capa)
6949 			return -EINVAL;
6950 	}
6951 
6952 	if (statype != CFG80211_STA_AP_CLIENT &&
6953 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6954 		if (params->vlan)
6955 			return -EINVAL;
6956 	}
6957 
6958 	switch (statype) {
6959 	case CFG80211_STA_AP_MLME_CLIENT:
6960 		/* Use this only for authorizing/unauthorizing a station */
6961 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6962 			return -EOPNOTSUPP;
6963 		break;
6964 	case CFG80211_STA_AP_CLIENT:
6965 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6966 		/* accept only the listed bits */
6967 		if (params->sta_flags_mask &
6968 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6969 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6970 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6971 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6972 				  BIT(NL80211_STA_FLAG_WME) |
6973 				  BIT(NL80211_STA_FLAG_MFP)))
6974 			return -EINVAL;
6975 
6976 		/* but authenticated/associated only if driver handles it */
6977 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6978 		    params->sta_flags_mask &
6979 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6980 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6981 			return -EINVAL;
6982 		break;
6983 	case CFG80211_STA_IBSS:
6984 	case CFG80211_STA_AP_STA:
6985 		/* reject any changes other than AUTHORIZED */
6986 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6987 			return -EINVAL;
6988 		break;
6989 	case CFG80211_STA_TDLS_PEER_SETUP:
6990 		/* reject any changes other than AUTHORIZED or WME */
6991 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6992 					       BIT(NL80211_STA_FLAG_WME)))
6993 			return -EINVAL;
6994 		/* force (at least) rates when authorizing */
6995 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6996 		    !params->link_sta_params.supported_rates)
6997 			return -EINVAL;
6998 		break;
6999 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7000 		/* reject any changes */
7001 		return -EINVAL;
7002 	case CFG80211_STA_MESH_PEER_KERNEL:
7003 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7004 			return -EINVAL;
7005 		break;
7006 	case CFG80211_STA_MESH_PEER_USER:
7007 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7008 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7009 			return -EINVAL;
7010 		break;
7011 	}
7012 
7013 	/*
7014 	 * Older kernel versions ignored this attribute entirely, so don't
7015 	 * reject attempts to update it but mark it as unused instead so the
7016 	 * driver won't look at the data.
7017 	 */
7018 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7019 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7020 		params->link_sta_params.opmode_notif_used = false;
7021 
7022 	return 0;
7023 }
7024 EXPORT_SYMBOL(cfg80211_check_station_change);
7025 
7026 /*
7027  * Get vlan interface making sure it is running and on the right wiphy.
7028  */
7029 static struct net_device *get_vlan(struct genl_info *info,
7030 				   struct cfg80211_registered_device *rdev)
7031 {
7032 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7033 	struct net_device *v;
7034 	int ret;
7035 
7036 	if (!vlanattr)
7037 		return NULL;
7038 
7039 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7040 	if (!v)
7041 		return ERR_PTR(-ENODEV);
7042 
7043 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7044 		ret = -EINVAL;
7045 		goto error;
7046 	}
7047 
7048 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7049 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7050 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7051 		ret = -EINVAL;
7052 		goto error;
7053 	}
7054 
7055 	if (!netif_running(v)) {
7056 		ret = -ENETDOWN;
7057 		goto error;
7058 	}
7059 
7060 	return v;
7061  error:
7062 	dev_put(v);
7063 	return ERR_PTR(ret);
7064 }
7065 
7066 static int nl80211_parse_sta_wme(struct genl_info *info,
7067 				 struct station_parameters *params)
7068 {
7069 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7070 	struct nlattr *nla;
7071 	int err;
7072 
7073 	/* parse WME attributes if present */
7074 	if (!info->attrs[NL80211_ATTR_STA_WME])
7075 		return 0;
7076 
7077 	nla = info->attrs[NL80211_ATTR_STA_WME];
7078 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7079 					  nl80211_sta_wme_policy,
7080 					  info->extack);
7081 	if (err)
7082 		return err;
7083 
7084 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7085 		params->uapsd_queues = nla_get_u8(
7086 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7087 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7088 		return -EINVAL;
7089 
7090 	if (tb[NL80211_STA_WME_MAX_SP])
7091 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7092 
7093 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7094 		return -EINVAL;
7095 
7096 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7097 
7098 	return 0;
7099 }
7100 
7101 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7102 				      struct station_parameters *params)
7103 {
7104 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7105 		params->supported_channels =
7106 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7107 		params->supported_channels_len =
7108 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7109 		/*
7110 		 * Need to include at least one (first channel, number of
7111 		 * channels) tuple for each subband (checked in policy),
7112 		 * and must have proper tuples for the rest of the data as well.
7113 		 */
7114 		if (params->supported_channels_len % 2)
7115 			return -EINVAL;
7116 	}
7117 
7118 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7119 		params->supported_oper_classes =
7120 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7121 		params->supported_oper_classes_len =
7122 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7123 	}
7124 	return 0;
7125 }
7126 
7127 static int nl80211_set_station_tdls(struct genl_info *info,
7128 				    struct station_parameters *params)
7129 {
7130 	int err;
7131 	/* Dummy STA entry gets updated once the peer capabilities are known */
7132 	if (info->attrs[NL80211_ATTR_PEER_AID])
7133 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7134 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7135 		params->link_sta_params.ht_capa =
7136 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7137 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7138 		params->link_sta_params.vht_capa =
7139 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7140 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7141 		params->link_sta_params.he_capa =
7142 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7143 		params->link_sta_params.he_capa_len =
7144 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7145 
7146 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7147 			params->link_sta_params.eht_capa =
7148 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7149 			params->link_sta_params.eht_capa_len =
7150 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7151 
7152 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7153 							(const u8 *)params->link_sta_params.eht_capa,
7154 							params->link_sta_params.eht_capa_len,
7155 							false))
7156 				return -EINVAL;
7157 		}
7158 	}
7159 
7160 	err = nl80211_parse_sta_channel_info(info, params);
7161 	if (err)
7162 		return err;
7163 
7164 	return nl80211_parse_sta_wme(info, params);
7165 }
7166 
7167 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7168 					     struct sta_txpwr *txpwr,
7169 					     bool *txpwr_set)
7170 {
7171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7172 	int idx;
7173 
7174 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7175 		if (!rdev->ops->set_tx_power ||
7176 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7177 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7178 			return -EOPNOTSUPP;
7179 
7180 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7181 		txpwr->type = nla_get_u8(info->attrs[idx]);
7182 
7183 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7184 			idx = NL80211_ATTR_STA_TX_POWER;
7185 
7186 			if (info->attrs[idx])
7187 				txpwr->power = nla_get_s16(info->attrs[idx]);
7188 			else
7189 				return -EINVAL;
7190 		}
7191 
7192 		*txpwr_set = true;
7193 	} else {
7194 		*txpwr_set = false;
7195 	}
7196 
7197 	return 0;
7198 }
7199 
7200 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7201 {
7202 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7203 	struct net_device *dev = info->user_ptr[1];
7204 	struct station_parameters params;
7205 	u8 *mac_addr;
7206 	int err;
7207 
7208 	memset(&params, 0, sizeof(params));
7209 
7210 	if (!rdev->ops->change_station)
7211 		return -EOPNOTSUPP;
7212 
7213 	/*
7214 	 * AID and listen_interval properties can be set only for unassociated
7215 	 * station. Include these parameters here and will check them in
7216 	 * cfg80211_check_station_change().
7217 	 */
7218 	if (info->attrs[NL80211_ATTR_STA_AID])
7219 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7220 
7221 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7222 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7223 
7224 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7225 		params.listen_interval =
7226 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7227 	else
7228 		params.listen_interval = -1;
7229 
7230 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7231 		params.support_p2p_ps =
7232 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7233 	else
7234 		params.support_p2p_ps = -1;
7235 
7236 	if (!info->attrs[NL80211_ATTR_MAC])
7237 		return -EINVAL;
7238 
7239 	params.link_sta_params.link_id =
7240 		nl80211_link_id_or_invalid(info->attrs);
7241 
7242 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7243 		/* If MLD_ADDR attribute is set then this is an MLD station
7244 		 * and the MLD_ADDR attribute holds the MLD address and the
7245 		 * MAC attribute holds for the LINK address.
7246 		 * In that case, the link_id is also expected to be valid.
7247 		 */
7248 		if (params.link_sta_params.link_id < 0)
7249 			return -EINVAL;
7250 
7251 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7252 		params.link_sta_params.mld_mac = mac_addr;
7253 		params.link_sta_params.link_mac =
7254 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7255 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7256 			return -EINVAL;
7257 	} else {
7258 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7259 	}
7260 
7261 
7262 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7263 		params.link_sta_params.supported_rates =
7264 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7265 		params.link_sta_params.supported_rates_len =
7266 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7267 	}
7268 
7269 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7270 		params.capability =
7271 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7272 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7273 	}
7274 
7275 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7276 		params.ext_capab =
7277 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7278 		params.ext_capab_len =
7279 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7280 	}
7281 
7282 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7283 		return -EINVAL;
7284 
7285 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7286 		params.plink_action =
7287 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7288 
7289 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7290 		params.plink_state =
7291 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7292 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7293 			params.peer_aid = nla_get_u16(
7294 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7295 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7296 	}
7297 
7298 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7299 		params.local_pm = nla_get_u32(
7300 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7301 
7302 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7303 		params.link_sta_params.opmode_notif_used = true;
7304 		params.link_sta_params.opmode_notif =
7305 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7306 	}
7307 
7308 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7309 		params.link_sta_params.he_6ghz_capa =
7310 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7311 
7312 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7313 		params.airtime_weight =
7314 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7315 
7316 	if (params.airtime_weight &&
7317 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7318 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7319 		return -EOPNOTSUPP;
7320 
7321 	err = nl80211_parse_sta_txpower_setting(info,
7322 						&params.link_sta_params.txpwr,
7323 						&params.link_sta_params.txpwr_set);
7324 	if (err)
7325 		return err;
7326 
7327 	/* Include parameters for TDLS peer (will check later) */
7328 	err = nl80211_set_station_tdls(info, &params);
7329 	if (err)
7330 		return err;
7331 
7332 	params.vlan = get_vlan(info, rdev);
7333 	if (IS_ERR(params.vlan))
7334 		return PTR_ERR(params.vlan);
7335 
7336 	switch (dev->ieee80211_ptr->iftype) {
7337 	case NL80211_IFTYPE_AP:
7338 	case NL80211_IFTYPE_AP_VLAN:
7339 	case NL80211_IFTYPE_P2P_GO:
7340 	case NL80211_IFTYPE_P2P_CLIENT:
7341 	case NL80211_IFTYPE_STATION:
7342 	case NL80211_IFTYPE_ADHOC:
7343 	case NL80211_IFTYPE_MESH_POINT:
7344 		break;
7345 	default:
7346 		err = -EOPNOTSUPP;
7347 		goto out_put_vlan;
7348 	}
7349 
7350 	/* driver will call cfg80211_check_station_change() */
7351 	wdev_lock(dev->ieee80211_ptr);
7352 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7353 	wdev_unlock(dev->ieee80211_ptr);
7354 
7355  out_put_vlan:
7356 	dev_put(params.vlan);
7357 
7358 	return err;
7359 }
7360 
7361 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7362 {
7363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7364 	int err;
7365 	struct net_device *dev = info->user_ptr[1];
7366 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7367 	struct station_parameters params;
7368 	u8 *mac_addr = NULL;
7369 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7370 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7371 
7372 	memset(&params, 0, sizeof(params));
7373 
7374 	if (!rdev->ops->add_station)
7375 		return -EOPNOTSUPP;
7376 
7377 	if (!info->attrs[NL80211_ATTR_MAC])
7378 		return -EINVAL;
7379 
7380 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7381 		return -EINVAL;
7382 
7383 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7384 		return -EINVAL;
7385 
7386 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7387 	    !info->attrs[NL80211_ATTR_PEER_AID])
7388 		return -EINVAL;
7389 
7390 	params.link_sta_params.link_id =
7391 		nl80211_link_id_or_invalid(info->attrs);
7392 
7393 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7394 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7395 		params.link_sta_params.mld_mac = mac_addr;
7396 		params.link_sta_params.link_mac =
7397 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7398 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7399 			return -EINVAL;
7400 	} else {
7401 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7402 	}
7403 
7404 	params.link_sta_params.supported_rates =
7405 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7406 	params.link_sta_params.supported_rates_len =
7407 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7408 	params.listen_interval =
7409 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7410 
7411 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7412 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7413 
7414 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7415 		params.support_p2p_ps =
7416 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7417 	} else {
7418 		/*
7419 		 * if not specified, assume it's supported for P2P GO interface,
7420 		 * and is NOT supported for AP interface
7421 		 */
7422 		params.support_p2p_ps =
7423 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7424 	}
7425 
7426 	if (info->attrs[NL80211_ATTR_PEER_AID])
7427 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7428 	else
7429 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7430 
7431 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7432 		params.capability =
7433 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7434 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7435 	}
7436 
7437 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7438 		params.ext_capab =
7439 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7440 		params.ext_capab_len =
7441 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7442 	}
7443 
7444 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7445 		params.link_sta_params.ht_capa =
7446 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7447 
7448 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7449 		params.link_sta_params.vht_capa =
7450 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7451 
7452 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7453 		params.link_sta_params.he_capa =
7454 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7455 		params.link_sta_params.he_capa_len =
7456 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7457 
7458 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7459 			params.link_sta_params.eht_capa =
7460 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7461 			params.link_sta_params.eht_capa_len =
7462 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7463 
7464 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7465 							(const u8 *)params.link_sta_params.eht_capa,
7466 							params.link_sta_params.eht_capa_len,
7467 							false))
7468 				return -EINVAL;
7469 		}
7470 	}
7471 
7472 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7473 		params.link_sta_params.he_6ghz_capa =
7474 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7475 
7476 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7477 		params.link_sta_params.opmode_notif_used = true;
7478 		params.link_sta_params.opmode_notif =
7479 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7480 	}
7481 
7482 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7483 		params.plink_action =
7484 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7485 
7486 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7487 		params.airtime_weight =
7488 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7489 
7490 	if (params.airtime_weight &&
7491 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7492 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7493 		return -EOPNOTSUPP;
7494 
7495 	err = nl80211_parse_sta_txpower_setting(info,
7496 						&params.link_sta_params.txpwr,
7497 						&params.link_sta_params.txpwr_set);
7498 	if (err)
7499 		return err;
7500 
7501 	err = nl80211_parse_sta_channel_info(info, &params);
7502 	if (err)
7503 		return err;
7504 
7505 	err = nl80211_parse_sta_wme(info, &params);
7506 	if (err)
7507 		return err;
7508 
7509 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7510 		return -EINVAL;
7511 
7512 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7513 	 * as userspace might just pass through the capabilities from the IEs
7514 	 * directly, rather than enforcing this restriction and returning an
7515 	 * error in this case.
7516 	 */
7517 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7518 		params.link_sta_params.ht_capa = NULL;
7519 		params.link_sta_params.vht_capa = NULL;
7520 
7521 		/* HE and EHT require WME */
7522 		if (params.link_sta_params.he_capa_len ||
7523 		    params.link_sta_params.he_6ghz_capa ||
7524 		    params.link_sta_params.eht_capa_len)
7525 			return -EINVAL;
7526 	}
7527 
7528 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7529 	if (params.link_sta_params.he_6ghz_capa &&
7530 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7531 		return -EINVAL;
7532 
7533 	/* When you run into this, adjust the code below for the new flag */
7534 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7535 
7536 	switch (dev->ieee80211_ptr->iftype) {
7537 	case NL80211_IFTYPE_AP:
7538 	case NL80211_IFTYPE_AP_VLAN:
7539 	case NL80211_IFTYPE_P2P_GO:
7540 		/* ignore WME attributes if iface/sta is not capable */
7541 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7542 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7543 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7544 
7545 		/* TDLS peers cannot be added */
7546 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7547 		    info->attrs[NL80211_ATTR_PEER_AID])
7548 			return -EINVAL;
7549 		/* but don't bother the driver with it */
7550 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7551 
7552 		/* allow authenticated/associated only if driver handles it */
7553 		if (!(rdev->wiphy.features &
7554 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7555 		    params.sta_flags_mask & auth_assoc)
7556 			return -EINVAL;
7557 
7558 		/* Older userspace, or userspace wanting to be compatible with
7559 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7560 		 * and assoc flags in the mask, but assumes the station will be
7561 		 * added as associated anyway since this was the required driver
7562 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7563 		 * introduced.
7564 		 * In order to not bother drivers with this quirk in the API
7565 		 * set the flags in both the mask and set for new stations in
7566 		 * this case.
7567 		 */
7568 		if (!(params.sta_flags_mask & auth_assoc)) {
7569 			params.sta_flags_mask |= auth_assoc;
7570 			params.sta_flags_set |= auth_assoc;
7571 		}
7572 
7573 		/* must be last in here for error handling */
7574 		params.vlan = get_vlan(info, rdev);
7575 		if (IS_ERR(params.vlan))
7576 			return PTR_ERR(params.vlan);
7577 		break;
7578 	case NL80211_IFTYPE_MESH_POINT:
7579 		/* ignore uAPSD data */
7580 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7581 
7582 		/* associated is disallowed */
7583 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7584 			return -EINVAL;
7585 		/* TDLS peers cannot be added */
7586 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7587 		    info->attrs[NL80211_ATTR_PEER_AID])
7588 			return -EINVAL;
7589 		break;
7590 	case NL80211_IFTYPE_STATION:
7591 	case NL80211_IFTYPE_P2P_CLIENT:
7592 		/* ignore uAPSD data */
7593 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7594 
7595 		/* these are disallowed */
7596 		if (params.sta_flags_mask &
7597 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7598 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7599 			return -EINVAL;
7600 		/* Only TDLS peers can be added */
7601 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7602 			return -EINVAL;
7603 		/* Can only add if TDLS ... */
7604 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7605 			return -EOPNOTSUPP;
7606 		/* ... with external setup is supported */
7607 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7608 			return -EOPNOTSUPP;
7609 		/*
7610 		 * Older wpa_supplicant versions always mark the TDLS peer
7611 		 * as authorized, but it shouldn't yet be.
7612 		 */
7613 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7614 		break;
7615 	default:
7616 		return -EOPNOTSUPP;
7617 	}
7618 
7619 	/* be aware of params.vlan when changing code here */
7620 
7621 	wdev_lock(dev->ieee80211_ptr);
7622 	if (wdev->valid_links) {
7623 		if (params.link_sta_params.link_id < 0) {
7624 			err = -EINVAL;
7625 			goto out;
7626 		}
7627 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7628 			err = -ENOLINK;
7629 			goto out;
7630 		}
7631 	} else {
7632 		if (params.link_sta_params.link_id >= 0) {
7633 			err = -EINVAL;
7634 			goto out;
7635 		}
7636 	}
7637 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7638 out:
7639 	wdev_unlock(dev->ieee80211_ptr);
7640 	dev_put(params.vlan);
7641 	return err;
7642 }
7643 
7644 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7645 {
7646 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7647 	struct net_device *dev = info->user_ptr[1];
7648 	struct station_del_parameters params;
7649 	int ret;
7650 
7651 	memset(&params, 0, sizeof(params));
7652 
7653 	if (info->attrs[NL80211_ATTR_MAC])
7654 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7655 
7656 	switch (dev->ieee80211_ptr->iftype) {
7657 	case NL80211_IFTYPE_AP:
7658 	case NL80211_IFTYPE_AP_VLAN:
7659 	case NL80211_IFTYPE_MESH_POINT:
7660 	case NL80211_IFTYPE_P2P_GO:
7661 		/* always accept these */
7662 		break;
7663 	case NL80211_IFTYPE_ADHOC:
7664 		/* conditionally accept */
7665 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7666 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7667 			break;
7668 		return -EINVAL;
7669 	default:
7670 		return -EINVAL;
7671 	}
7672 
7673 	if (!rdev->ops->del_station)
7674 		return -EOPNOTSUPP;
7675 
7676 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7677 		params.subtype =
7678 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7679 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7680 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7681 			return -EINVAL;
7682 	} else {
7683 		/* Default to Deauthentication frame */
7684 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7685 	}
7686 
7687 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7688 		params.reason_code =
7689 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7690 		if (params.reason_code == 0)
7691 			return -EINVAL; /* 0 is reserved */
7692 	} else {
7693 		/* Default to reason code 2 */
7694 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7695 	}
7696 
7697 	wdev_lock(dev->ieee80211_ptr);
7698 	ret = rdev_del_station(rdev, dev, &params);
7699 	wdev_unlock(dev->ieee80211_ptr);
7700 
7701 	return ret;
7702 }
7703 
7704 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7705 				int flags, struct net_device *dev,
7706 				u8 *dst, u8 *next_hop,
7707 				struct mpath_info *pinfo)
7708 {
7709 	void *hdr;
7710 	struct nlattr *pinfoattr;
7711 
7712 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7713 	if (!hdr)
7714 		return -1;
7715 
7716 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7717 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7718 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7719 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7720 		goto nla_put_failure;
7721 
7722 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7723 	if (!pinfoattr)
7724 		goto nla_put_failure;
7725 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7726 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7727 			pinfo->frame_qlen))
7728 		goto nla_put_failure;
7729 	if (((pinfo->filled & MPATH_INFO_SN) &&
7730 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7731 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7732 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7733 			 pinfo->metric)) ||
7734 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7735 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7736 			 pinfo->exptime)) ||
7737 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7738 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7739 			pinfo->flags)) ||
7740 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7741 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7742 			 pinfo->discovery_timeout)) ||
7743 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7744 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7745 			pinfo->discovery_retries)) ||
7746 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7747 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7748 			pinfo->hop_count)) ||
7749 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7750 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7751 			 pinfo->path_change_count)))
7752 		goto nla_put_failure;
7753 
7754 	nla_nest_end(msg, pinfoattr);
7755 
7756 	genlmsg_end(msg, hdr);
7757 	return 0;
7758 
7759  nla_put_failure:
7760 	genlmsg_cancel(msg, hdr);
7761 	return -EMSGSIZE;
7762 }
7763 
7764 static int nl80211_dump_mpath(struct sk_buff *skb,
7765 			      struct netlink_callback *cb)
7766 {
7767 	struct mpath_info pinfo;
7768 	struct cfg80211_registered_device *rdev;
7769 	struct wireless_dev *wdev;
7770 	u8 dst[ETH_ALEN];
7771 	u8 next_hop[ETH_ALEN];
7772 	int path_idx = cb->args[2];
7773 	int err;
7774 
7775 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7776 	if (err)
7777 		return err;
7778 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7779 	__acquire(&rdev->wiphy.mtx);
7780 
7781 	if (!rdev->ops->dump_mpath) {
7782 		err = -EOPNOTSUPP;
7783 		goto out_err;
7784 	}
7785 
7786 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7787 		err = -EOPNOTSUPP;
7788 		goto out_err;
7789 	}
7790 
7791 	while (1) {
7792 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7793 				      next_hop, &pinfo);
7794 		if (err == -ENOENT)
7795 			break;
7796 		if (err)
7797 			goto out_err;
7798 
7799 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7800 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7801 				       wdev->netdev, dst, next_hop,
7802 				       &pinfo) < 0)
7803 			goto out;
7804 
7805 		path_idx++;
7806 	}
7807 
7808  out:
7809 	cb->args[2] = path_idx;
7810 	err = skb->len;
7811  out_err:
7812 	wiphy_unlock(&rdev->wiphy);
7813 	return err;
7814 }
7815 
7816 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7817 {
7818 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7819 	int err;
7820 	struct net_device *dev = info->user_ptr[1];
7821 	struct mpath_info pinfo;
7822 	struct sk_buff *msg;
7823 	u8 *dst = NULL;
7824 	u8 next_hop[ETH_ALEN];
7825 
7826 	memset(&pinfo, 0, sizeof(pinfo));
7827 
7828 	if (!info->attrs[NL80211_ATTR_MAC])
7829 		return -EINVAL;
7830 
7831 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7832 
7833 	if (!rdev->ops->get_mpath)
7834 		return -EOPNOTSUPP;
7835 
7836 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7837 		return -EOPNOTSUPP;
7838 
7839 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7840 	if (err)
7841 		return err;
7842 
7843 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7844 	if (!msg)
7845 		return -ENOMEM;
7846 
7847 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7848 				 dev, dst, next_hop, &pinfo) < 0) {
7849 		nlmsg_free(msg);
7850 		return -ENOBUFS;
7851 	}
7852 
7853 	return genlmsg_reply(msg, info);
7854 }
7855 
7856 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7857 {
7858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7859 	struct net_device *dev = info->user_ptr[1];
7860 	u8 *dst = NULL;
7861 	u8 *next_hop = NULL;
7862 
7863 	if (!info->attrs[NL80211_ATTR_MAC])
7864 		return -EINVAL;
7865 
7866 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7867 		return -EINVAL;
7868 
7869 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7870 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7871 
7872 	if (!rdev->ops->change_mpath)
7873 		return -EOPNOTSUPP;
7874 
7875 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7876 		return -EOPNOTSUPP;
7877 
7878 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7879 }
7880 
7881 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7882 {
7883 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7884 	struct net_device *dev = info->user_ptr[1];
7885 	u8 *dst = NULL;
7886 	u8 *next_hop = NULL;
7887 
7888 	if (!info->attrs[NL80211_ATTR_MAC])
7889 		return -EINVAL;
7890 
7891 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7892 		return -EINVAL;
7893 
7894 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7895 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7896 
7897 	if (!rdev->ops->add_mpath)
7898 		return -EOPNOTSUPP;
7899 
7900 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7901 		return -EOPNOTSUPP;
7902 
7903 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7904 }
7905 
7906 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7907 {
7908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7909 	struct net_device *dev = info->user_ptr[1];
7910 	u8 *dst = NULL;
7911 
7912 	if (info->attrs[NL80211_ATTR_MAC])
7913 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7914 
7915 	if (!rdev->ops->del_mpath)
7916 		return -EOPNOTSUPP;
7917 
7918 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7919 		return -EOPNOTSUPP;
7920 
7921 	return rdev_del_mpath(rdev, dev, dst);
7922 }
7923 
7924 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7925 {
7926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7927 	int err;
7928 	struct net_device *dev = info->user_ptr[1];
7929 	struct mpath_info pinfo;
7930 	struct sk_buff *msg;
7931 	u8 *dst = NULL;
7932 	u8 mpp[ETH_ALEN];
7933 
7934 	memset(&pinfo, 0, sizeof(pinfo));
7935 
7936 	if (!info->attrs[NL80211_ATTR_MAC])
7937 		return -EINVAL;
7938 
7939 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7940 
7941 	if (!rdev->ops->get_mpp)
7942 		return -EOPNOTSUPP;
7943 
7944 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7945 		return -EOPNOTSUPP;
7946 
7947 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7948 	if (err)
7949 		return err;
7950 
7951 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7952 	if (!msg)
7953 		return -ENOMEM;
7954 
7955 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7956 			       dev, dst, mpp, &pinfo) < 0) {
7957 		nlmsg_free(msg);
7958 		return -ENOBUFS;
7959 	}
7960 
7961 	return genlmsg_reply(msg, info);
7962 }
7963 
7964 static int nl80211_dump_mpp(struct sk_buff *skb,
7965 			    struct netlink_callback *cb)
7966 {
7967 	struct mpath_info pinfo;
7968 	struct cfg80211_registered_device *rdev;
7969 	struct wireless_dev *wdev;
7970 	u8 dst[ETH_ALEN];
7971 	u8 mpp[ETH_ALEN];
7972 	int path_idx = cb->args[2];
7973 	int err;
7974 
7975 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7976 	if (err)
7977 		return err;
7978 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7979 	__acquire(&rdev->wiphy.mtx);
7980 
7981 	if (!rdev->ops->dump_mpp) {
7982 		err = -EOPNOTSUPP;
7983 		goto out_err;
7984 	}
7985 
7986 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7987 		err = -EOPNOTSUPP;
7988 		goto out_err;
7989 	}
7990 
7991 	while (1) {
7992 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7993 				    mpp, &pinfo);
7994 		if (err == -ENOENT)
7995 			break;
7996 		if (err)
7997 			goto out_err;
7998 
7999 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8000 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8001 				       wdev->netdev, dst, mpp,
8002 				       &pinfo) < 0)
8003 			goto out;
8004 
8005 		path_idx++;
8006 	}
8007 
8008  out:
8009 	cb->args[2] = path_idx;
8010 	err = skb->len;
8011  out_err:
8012 	wiphy_unlock(&rdev->wiphy);
8013 	return err;
8014 }
8015 
8016 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8017 {
8018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8019 	struct net_device *dev = info->user_ptr[1];
8020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8021 	struct bss_parameters params;
8022 	int err;
8023 
8024 	memset(&params, 0, sizeof(params));
8025 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8026 	/* default to not changing parameters */
8027 	params.use_cts_prot = -1;
8028 	params.use_short_preamble = -1;
8029 	params.use_short_slot_time = -1;
8030 	params.ap_isolate = -1;
8031 	params.ht_opmode = -1;
8032 	params.p2p_ctwindow = -1;
8033 	params.p2p_opp_ps = -1;
8034 
8035 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8036 		params.use_cts_prot =
8037 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8038 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8039 		params.use_short_preamble =
8040 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8041 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8042 		params.use_short_slot_time =
8043 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8044 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8045 		params.basic_rates =
8046 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8047 		params.basic_rates_len =
8048 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8049 	}
8050 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8051 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8052 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8053 		params.ht_opmode =
8054 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8055 
8056 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8057 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8058 			return -EINVAL;
8059 		params.p2p_ctwindow =
8060 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8061 		if (params.p2p_ctwindow != 0 &&
8062 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8063 			return -EINVAL;
8064 	}
8065 
8066 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8067 		u8 tmp;
8068 
8069 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8070 			return -EINVAL;
8071 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8072 		params.p2p_opp_ps = tmp;
8073 		if (params.p2p_opp_ps &&
8074 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8075 			return -EINVAL;
8076 	}
8077 
8078 	if (!rdev->ops->change_bss)
8079 		return -EOPNOTSUPP;
8080 
8081 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8082 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8083 		return -EOPNOTSUPP;
8084 
8085 	wdev_lock(wdev);
8086 	err = rdev_change_bss(rdev, dev, &params);
8087 	wdev_unlock(wdev);
8088 
8089 	return err;
8090 }
8091 
8092 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8093 {
8094 	char *data = NULL;
8095 	bool is_indoor;
8096 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8097 	u32 owner_nlportid;
8098 
8099 	/*
8100 	 * You should only get this when cfg80211 hasn't yet initialized
8101 	 * completely when built-in to the kernel right between the time
8102 	 * window between nl80211_init() and regulatory_init(), if that is
8103 	 * even possible.
8104 	 */
8105 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8106 		return -EINPROGRESS;
8107 
8108 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8109 		user_reg_hint_type =
8110 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8111 	else
8112 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8113 
8114 	switch (user_reg_hint_type) {
8115 	case NL80211_USER_REG_HINT_USER:
8116 	case NL80211_USER_REG_HINT_CELL_BASE:
8117 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8118 			return -EINVAL;
8119 
8120 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8121 		return regulatory_hint_user(data, user_reg_hint_type);
8122 	case NL80211_USER_REG_HINT_INDOOR:
8123 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8124 			owner_nlportid = info->snd_portid;
8125 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8126 		} else {
8127 			owner_nlportid = 0;
8128 			is_indoor = true;
8129 		}
8130 
8131 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
8132 	default:
8133 		return -EINVAL;
8134 	}
8135 }
8136 
8137 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8138 {
8139 	return reg_reload_regdb();
8140 }
8141 
8142 static int nl80211_get_mesh_config(struct sk_buff *skb,
8143 				   struct genl_info *info)
8144 {
8145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8146 	struct net_device *dev = info->user_ptr[1];
8147 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8148 	struct mesh_config cur_params;
8149 	int err = 0;
8150 	void *hdr;
8151 	struct nlattr *pinfoattr;
8152 	struct sk_buff *msg;
8153 
8154 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8155 		return -EOPNOTSUPP;
8156 
8157 	if (!rdev->ops->get_mesh_config)
8158 		return -EOPNOTSUPP;
8159 
8160 	wdev_lock(wdev);
8161 	/* If not connected, get default parameters */
8162 	if (!wdev->u.mesh.id_len)
8163 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8164 	else
8165 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8166 	wdev_unlock(wdev);
8167 
8168 	if (err)
8169 		return err;
8170 
8171 	/* Draw up a netlink message to send back */
8172 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8173 	if (!msg)
8174 		return -ENOMEM;
8175 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8176 			     NL80211_CMD_GET_MESH_CONFIG);
8177 	if (!hdr)
8178 		goto out;
8179 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8180 	if (!pinfoattr)
8181 		goto nla_put_failure;
8182 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8183 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8184 			cur_params.dot11MeshRetryTimeout) ||
8185 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8186 			cur_params.dot11MeshConfirmTimeout) ||
8187 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8188 			cur_params.dot11MeshHoldingTimeout) ||
8189 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8190 			cur_params.dot11MeshMaxPeerLinks) ||
8191 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8192 		       cur_params.dot11MeshMaxRetries) ||
8193 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8194 		       cur_params.dot11MeshTTL) ||
8195 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8196 		       cur_params.element_ttl) ||
8197 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8198 		       cur_params.auto_open_plinks) ||
8199 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8200 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8201 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8202 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8203 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8204 			cur_params.path_refresh_time) ||
8205 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8206 			cur_params.min_discovery_timeout) ||
8207 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8208 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8209 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8210 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8211 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8212 			cur_params.dot11MeshHWMPperrMinInterval) ||
8213 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8214 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8215 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8216 		       cur_params.dot11MeshHWMPRootMode) ||
8217 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8218 			cur_params.dot11MeshHWMPRannInterval) ||
8219 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8220 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8221 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8222 		       cur_params.dot11MeshForwarding) ||
8223 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8224 			cur_params.rssi_threshold) ||
8225 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8226 			cur_params.ht_opmode) ||
8227 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8228 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8229 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8230 			cur_params.dot11MeshHWMProotInterval) ||
8231 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8232 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8233 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8234 			cur_params.power_mode) ||
8235 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8236 			cur_params.dot11MeshAwakeWindowDuration) ||
8237 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8238 			cur_params.plink_timeout) ||
8239 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8240 		       cur_params.dot11MeshConnectedToMeshGate) ||
8241 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8242 		       cur_params.dot11MeshNolearn) ||
8243 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8244 		       cur_params.dot11MeshConnectedToAuthServer))
8245 		goto nla_put_failure;
8246 	nla_nest_end(msg, pinfoattr);
8247 	genlmsg_end(msg, hdr);
8248 	return genlmsg_reply(msg, info);
8249 
8250  nla_put_failure:
8251  out:
8252 	nlmsg_free(msg);
8253 	return -ENOBUFS;
8254 }
8255 
8256 static const struct nla_policy
8257 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8258 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8259 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8260 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8261 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8262 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8263 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8264 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8265 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8266 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8267 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8268 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8269 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8270 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8271 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8272 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8273 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8274 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8275 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8276 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8277 		NLA_POLICY_MIN(NLA_U16, 1),
8278 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8279 		NLA_POLICY_MIN(NLA_U16, 1),
8280 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8281 		NLA_POLICY_MIN(NLA_U16, 1),
8282 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8283 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8284 		NLA_POLICY_MIN(NLA_U16, 1),
8285 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8286 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8287 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8288 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8289 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8290 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8291 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8292 		NLA_POLICY_MIN(NLA_U16, 1),
8293 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8294 		NLA_POLICY_MIN(NLA_U16, 1),
8295 	[NL80211_MESHCONF_POWER_MODE] =
8296 		NLA_POLICY_RANGE(NLA_U32,
8297 				 NL80211_MESH_POWER_ACTIVE,
8298 				 NL80211_MESH_POWER_MAX),
8299 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8300 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8301 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8302 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8303 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8304 };
8305 
8306 static const struct nla_policy
8307 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8308 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8309 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8310 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8311 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8312 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8313 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8314 	[NL80211_MESH_SETUP_IE] =
8315 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8316 				       IEEE80211_MAX_DATA_LEN),
8317 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8318 };
8319 
8320 static int nl80211_parse_mesh_config(struct genl_info *info,
8321 				     struct mesh_config *cfg,
8322 				     u32 *mask_out)
8323 {
8324 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8325 	u32 mask = 0;
8326 	u16 ht_opmode;
8327 
8328 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8329 do {									\
8330 	if (tb[attr]) {							\
8331 		cfg->param = fn(tb[attr]);				\
8332 		mask |= BIT((attr) - 1);				\
8333 	}								\
8334 } while (0)
8335 
8336 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8337 		return -EINVAL;
8338 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8339 		return -EINVAL;
8340 
8341 	/* This makes sure that there aren't more than 32 mesh config
8342 	 * parameters (otherwise our bitfield scheme would not work.) */
8343 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8344 
8345 	/* Fill in the params struct */
8346 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8347 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8348 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8349 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8350 				  nla_get_u16);
8351 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8352 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8353 				  nla_get_u16);
8354 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8355 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8356 				  nla_get_u16);
8357 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8358 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8359 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8360 				  NL80211_MESHCONF_TTL, nla_get_u8);
8361 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8362 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8363 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8364 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8365 				  nla_get_u8);
8366 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8367 				  mask,
8368 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8369 				  nla_get_u32);
8370 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8371 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8372 				  nla_get_u8);
8373 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8374 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8375 				  nla_get_u32);
8376 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8377 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8378 		return -EINVAL;
8379 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8380 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8381 				  nla_get_u16);
8382 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8383 				  mask,
8384 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8385 				  nla_get_u32);
8386 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8387 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8388 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8389 		return -EINVAL;
8390 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8391 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8392 				  nla_get_u16);
8393 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8394 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8395 				  nla_get_u16);
8396 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8397 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8398 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8399 				  nla_get_u16);
8400 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8401 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8402 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8403 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8404 				  nla_get_u16);
8405 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8406 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8407 				  nla_get_u8);
8408 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8409 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8410 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8411 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8412 				  nla_get_s32);
8413 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8414 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8415 				  nla_get_u8);
8416 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8417 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8418 				  nla_get_u8);
8419 	/*
8420 	 * Check HT operation mode based on
8421 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8422 	 */
8423 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8424 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8425 
8426 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8427 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8428 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8429 			return -EINVAL;
8430 
8431 		/* NON_HT_STA bit is reserved, but some programs set it */
8432 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8433 
8434 		cfg->ht_opmode = ht_opmode;
8435 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8436 	}
8437 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8438 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8439 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8440 				  nla_get_u32);
8441 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8442 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8443 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8444 		return -EINVAL;
8445 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8446 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8447 				  nla_get_u16);
8448 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8449 				  mask,
8450 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8451 				  nla_get_u16);
8452 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8453 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8454 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8455 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8456 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8457 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8458 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8459 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8460 	if (mask_out)
8461 		*mask_out = mask;
8462 
8463 	return 0;
8464 
8465 #undef FILL_IN_MESH_PARAM_IF_SET
8466 }
8467 
8468 static int nl80211_parse_mesh_setup(struct genl_info *info,
8469 				     struct mesh_setup *setup)
8470 {
8471 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8472 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8473 
8474 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8475 		return -EINVAL;
8476 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8477 		return -EINVAL;
8478 
8479 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8480 		setup->sync_method =
8481 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8482 		 IEEE80211_SYNC_METHOD_VENDOR :
8483 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8484 
8485 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8486 		setup->path_sel_proto =
8487 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8488 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8489 		 IEEE80211_PATH_PROTOCOL_HWMP;
8490 
8491 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8492 		setup->path_metric =
8493 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8494 		 IEEE80211_PATH_METRIC_VENDOR :
8495 		 IEEE80211_PATH_METRIC_AIRTIME;
8496 
8497 	if (tb[NL80211_MESH_SETUP_IE]) {
8498 		struct nlattr *ieattr =
8499 			tb[NL80211_MESH_SETUP_IE];
8500 		setup->ie = nla_data(ieattr);
8501 		setup->ie_len = nla_len(ieattr);
8502 	}
8503 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8504 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8505 		return -EINVAL;
8506 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8507 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8508 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8509 	if (setup->is_secure)
8510 		setup->user_mpm = true;
8511 
8512 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8513 		if (!setup->user_mpm)
8514 			return -EINVAL;
8515 		setup->auth_id =
8516 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8517 	}
8518 
8519 	return 0;
8520 }
8521 
8522 static int nl80211_update_mesh_config(struct sk_buff *skb,
8523 				      struct genl_info *info)
8524 {
8525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8526 	struct net_device *dev = info->user_ptr[1];
8527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8528 	struct mesh_config cfg = {};
8529 	u32 mask;
8530 	int err;
8531 
8532 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8533 		return -EOPNOTSUPP;
8534 
8535 	if (!rdev->ops->update_mesh_config)
8536 		return -EOPNOTSUPP;
8537 
8538 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8539 	if (err)
8540 		return err;
8541 
8542 	wdev_lock(wdev);
8543 	if (!wdev->u.mesh.id_len)
8544 		err = -ENOLINK;
8545 
8546 	if (!err)
8547 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8548 
8549 	wdev_unlock(wdev);
8550 
8551 	return err;
8552 }
8553 
8554 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8555 			      struct sk_buff *msg)
8556 {
8557 	struct nlattr *nl_reg_rules;
8558 	unsigned int i;
8559 
8560 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8561 	    (regdom->dfs_region &&
8562 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8563 		goto nla_put_failure;
8564 
8565 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8566 	if (!nl_reg_rules)
8567 		goto nla_put_failure;
8568 
8569 	for (i = 0; i < regdom->n_reg_rules; i++) {
8570 		struct nlattr *nl_reg_rule;
8571 		const struct ieee80211_reg_rule *reg_rule;
8572 		const struct ieee80211_freq_range *freq_range;
8573 		const struct ieee80211_power_rule *power_rule;
8574 		unsigned int max_bandwidth_khz;
8575 
8576 		reg_rule = &regdom->reg_rules[i];
8577 		freq_range = &reg_rule->freq_range;
8578 		power_rule = &reg_rule->power_rule;
8579 
8580 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8581 		if (!nl_reg_rule)
8582 			goto nla_put_failure;
8583 
8584 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8585 		if (!max_bandwidth_khz)
8586 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8587 								  reg_rule);
8588 
8589 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8590 				reg_rule->flags) ||
8591 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8592 				freq_range->start_freq_khz) ||
8593 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8594 				freq_range->end_freq_khz) ||
8595 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8596 				max_bandwidth_khz) ||
8597 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8598 				power_rule->max_antenna_gain) ||
8599 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8600 				power_rule->max_eirp) ||
8601 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8602 				reg_rule->dfs_cac_ms))
8603 			goto nla_put_failure;
8604 
8605 		nla_nest_end(msg, nl_reg_rule);
8606 	}
8607 
8608 	nla_nest_end(msg, nl_reg_rules);
8609 	return 0;
8610 
8611 nla_put_failure:
8612 	return -EMSGSIZE;
8613 }
8614 
8615 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8616 {
8617 	const struct ieee80211_regdomain *regdom = NULL;
8618 	struct cfg80211_registered_device *rdev;
8619 	struct wiphy *wiphy = NULL;
8620 	struct sk_buff *msg;
8621 	int err = -EMSGSIZE;
8622 	void *hdr;
8623 
8624 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8625 	if (!msg)
8626 		return -ENOBUFS;
8627 
8628 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8629 			     NL80211_CMD_GET_REG);
8630 	if (!hdr)
8631 		goto put_failure;
8632 
8633 	rtnl_lock();
8634 
8635 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8636 		bool self_managed;
8637 
8638 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8639 		if (IS_ERR(rdev)) {
8640 			err = PTR_ERR(rdev);
8641 			goto nla_put_failure;
8642 		}
8643 
8644 		wiphy = &rdev->wiphy;
8645 		self_managed = wiphy->regulatory_flags &
8646 			       REGULATORY_WIPHY_SELF_MANAGED;
8647 
8648 		rcu_read_lock();
8649 
8650 		regdom = get_wiphy_regdom(wiphy);
8651 
8652 		/* a self-managed-reg device must have a private regdom */
8653 		if (WARN_ON(!regdom && self_managed)) {
8654 			err = -EINVAL;
8655 			goto nla_put_failure_rcu;
8656 		}
8657 
8658 		if (regdom &&
8659 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8660 			goto nla_put_failure_rcu;
8661 	} else {
8662 		rcu_read_lock();
8663 	}
8664 
8665 	if (!wiphy && reg_last_request_cell_base() &&
8666 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8667 			NL80211_USER_REG_HINT_CELL_BASE))
8668 		goto nla_put_failure_rcu;
8669 
8670 	if (!regdom)
8671 		regdom = rcu_dereference(cfg80211_regdomain);
8672 
8673 	if (nl80211_put_regdom(regdom, msg))
8674 		goto nla_put_failure_rcu;
8675 
8676 	rcu_read_unlock();
8677 
8678 	genlmsg_end(msg, hdr);
8679 	rtnl_unlock();
8680 	return genlmsg_reply(msg, info);
8681 
8682 nla_put_failure_rcu:
8683 	rcu_read_unlock();
8684 nla_put_failure:
8685 	rtnl_unlock();
8686 put_failure:
8687 	nlmsg_free(msg);
8688 	return err;
8689 }
8690 
8691 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8692 			       u32 seq, int flags, struct wiphy *wiphy,
8693 			       const struct ieee80211_regdomain *regdom)
8694 {
8695 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8696 				   NL80211_CMD_GET_REG);
8697 
8698 	if (!hdr)
8699 		return -1;
8700 
8701 	genl_dump_check_consistent(cb, hdr);
8702 
8703 	if (nl80211_put_regdom(regdom, msg))
8704 		goto nla_put_failure;
8705 
8706 	if (!wiphy && reg_last_request_cell_base() &&
8707 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8708 			NL80211_USER_REG_HINT_CELL_BASE))
8709 		goto nla_put_failure;
8710 
8711 	if (wiphy &&
8712 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8713 		goto nla_put_failure;
8714 
8715 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8716 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8717 		goto nla_put_failure;
8718 
8719 	genlmsg_end(msg, hdr);
8720 	return 0;
8721 
8722 nla_put_failure:
8723 	genlmsg_cancel(msg, hdr);
8724 	return -EMSGSIZE;
8725 }
8726 
8727 static int nl80211_get_reg_dump(struct sk_buff *skb,
8728 				struct netlink_callback *cb)
8729 {
8730 	const struct ieee80211_regdomain *regdom = NULL;
8731 	struct cfg80211_registered_device *rdev;
8732 	int err, reg_idx, start = cb->args[2];
8733 
8734 	rcu_read_lock();
8735 
8736 	if (cfg80211_regdomain && start == 0) {
8737 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8738 					  NLM_F_MULTI, NULL,
8739 					  rcu_dereference(cfg80211_regdomain));
8740 		if (err < 0)
8741 			goto out_err;
8742 	}
8743 
8744 	/* the global regdom is idx 0 */
8745 	reg_idx = 1;
8746 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8747 		regdom = get_wiphy_regdom(&rdev->wiphy);
8748 		if (!regdom)
8749 			continue;
8750 
8751 		if (++reg_idx <= start)
8752 			continue;
8753 
8754 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8755 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8756 		if (err < 0) {
8757 			reg_idx--;
8758 			break;
8759 		}
8760 	}
8761 
8762 	cb->args[2] = reg_idx;
8763 	err = skb->len;
8764 out_err:
8765 	rcu_read_unlock();
8766 	return err;
8767 }
8768 
8769 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8770 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8771 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8772 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8773 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8774 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8775 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8776 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8777 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8778 };
8779 
8780 static int parse_reg_rule(struct nlattr *tb[],
8781 	struct ieee80211_reg_rule *reg_rule)
8782 {
8783 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8784 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8785 
8786 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8787 		return -EINVAL;
8788 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8789 		return -EINVAL;
8790 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8791 		return -EINVAL;
8792 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8793 		return -EINVAL;
8794 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8795 		return -EINVAL;
8796 
8797 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8798 
8799 	freq_range->start_freq_khz =
8800 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8801 	freq_range->end_freq_khz =
8802 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8803 	freq_range->max_bandwidth_khz =
8804 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8805 
8806 	power_rule->max_eirp =
8807 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8808 
8809 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8810 		power_rule->max_antenna_gain =
8811 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8812 
8813 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8814 		reg_rule->dfs_cac_ms =
8815 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8816 
8817 	return 0;
8818 }
8819 
8820 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8821 {
8822 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8823 	struct nlattr *nl_reg_rule;
8824 	char *alpha2;
8825 	int rem_reg_rules, r;
8826 	u32 num_rules = 0, rule_idx = 0;
8827 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8828 	struct ieee80211_regdomain *rd;
8829 
8830 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8831 		return -EINVAL;
8832 
8833 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8834 		return -EINVAL;
8835 
8836 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8837 
8838 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8839 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8840 
8841 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8842 			    rem_reg_rules) {
8843 		num_rules++;
8844 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8845 			return -EINVAL;
8846 	}
8847 
8848 	rtnl_lock();
8849 	if (!reg_is_valid_request(alpha2)) {
8850 		r = -EINVAL;
8851 		goto out;
8852 	}
8853 
8854 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8855 	if (!rd) {
8856 		r = -ENOMEM;
8857 		goto out;
8858 	}
8859 
8860 	rd->n_reg_rules = num_rules;
8861 	rd->alpha2[0] = alpha2[0];
8862 	rd->alpha2[1] = alpha2[1];
8863 
8864 	/*
8865 	 * Disable DFS master mode if the DFS region was
8866 	 * not supported or known on this kernel.
8867 	 */
8868 	if (reg_supported_dfs_region(dfs_region))
8869 		rd->dfs_region = dfs_region;
8870 
8871 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8872 			    rem_reg_rules) {
8873 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8874 						nl_reg_rule, reg_rule_policy,
8875 						info->extack);
8876 		if (r)
8877 			goto bad_reg;
8878 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8879 		if (r)
8880 			goto bad_reg;
8881 
8882 		rule_idx++;
8883 
8884 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8885 			r = -EINVAL;
8886 			goto bad_reg;
8887 		}
8888 	}
8889 
8890 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8891 	/* set_regdom takes ownership of rd */
8892 	rd = NULL;
8893  bad_reg:
8894 	kfree(rd);
8895  out:
8896 	rtnl_unlock();
8897 	return r;
8898 }
8899 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8900 
8901 static int validate_scan_freqs(struct nlattr *freqs)
8902 {
8903 	struct nlattr *attr1, *attr2;
8904 	int n_channels = 0, tmp1, tmp2;
8905 
8906 	nla_for_each_nested(attr1, freqs, tmp1)
8907 		if (nla_len(attr1) != sizeof(u32))
8908 			return 0;
8909 
8910 	nla_for_each_nested(attr1, freqs, tmp1) {
8911 		n_channels++;
8912 		/*
8913 		 * Some hardware has a limited channel list for
8914 		 * scanning, and it is pretty much nonsensical
8915 		 * to scan for a channel twice, so disallow that
8916 		 * and don't require drivers to check that the
8917 		 * channel list they get isn't longer than what
8918 		 * they can scan, as long as they can scan all
8919 		 * the channels they registered at once.
8920 		 */
8921 		nla_for_each_nested(attr2, freqs, tmp2)
8922 			if (attr1 != attr2 &&
8923 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8924 				return 0;
8925 	}
8926 
8927 	return n_channels;
8928 }
8929 
8930 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8931 {
8932 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8933 }
8934 
8935 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8936 			    struct cfg80211_bss_selection *bss_select)
8937 {
8938 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8939 	struct nlattr *nest;
8940 	int err;
8941 	bool found = false;
8942 	int i;
8943 
8944 	/* only process one nested attribute */
8945 	nest = nla_data(nla);
8946 	if (!nla_ok(nest, nla_len(nest)))
8947 		return -EINVAL;
8948 
8949 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8950 					  nest, nl80211_bss_select_policy,
8951 					  NULL);
8952 	if (err)
8953 		return err;
8954 
8955 	/* only one attribute may be given */
8956 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8957 		if (attr[i]) {
8958 			if (found)
8959 				return -EINVAL;
8960 			found = true;
8961 		}
8962 	}
8963 
8964 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8965 
8966 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8967 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8968 
8969 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8970 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8971 		bss_select->param.band_pref =
8972 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8973 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8974 			return -EINVAL;
8975 	}
8976 
8977 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8978 		struct nl80211_bss_select_rssi_adjust *adj_param;
8979 
8980 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8981 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8982 		bss_select->param.adjust.band = adj_param->band;
8983 		bss_select->param.adjust.delta = adj_param->delta;
8984 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8985 			return -EINVAL;
8986 	}
8987 
8988 	/* user-space did not provide behaviour attribute */
8989 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8990 		return -EINVAL;
8991 
8992 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8993 		return -EINVAL;
8994 
8995 	return 0;
8996 }
8997 
8998 int nl80211_parse_random_mac(struct nlattr **attrs,
8999 			     u8 *mac_addr, u8 *mac_addr_mask)
9000 {
9001 	int i;
9002 
9003 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9004 		eth_zero_addr(mac_addr);
9005 		eth_zero_addr(mac_addr_mask);
9006 		mac_addr[0] = 0x2;
9007 		mac_addr_mask[0] = 0x3;
9008 
9009 		return 0;
9010 	}
9011 
9012 	/* need both or none */
9013 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9014 		return -EINVAL;
9015 
9016 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9017 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9018 
9019 	/* don't allow or configure an mcast address */
9020 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9021 	    is_multicast_ether_addr(mac_addr))
9022 		return -EINVAL;
9023 
9024 	/*
9025 	 * allow users to pass a MAC address that has bits set outside
9026 	 * of the mask, but don't bother drivers with having to deal
9027 	 * with such bits
9028 	 */
9029 	for (i = 0; i < ETH_ALEN; i++)
9030 		mac_addr[i] &= mac_addr_mask[i];
9031 
9032 	return 0;
9033 }
9034 
9035 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9036 					      struct ieee80211_channel *chan)
9037 {
9038 	unsigned int link_id;
9039 	bool all_ok = true;
9040 
9041 	ASSERT_WDEV_LOCK(wdev);
9042 
9043 	if (!cfg80211_beaconing_iface_active(wdev))
9044 		return true;
9045 
9046 	/*
9047 	 * FIXME: check if we have a free HW resource/link for chan
9048 	 *
9049 	 * This, as well as the FIXME below, requires knowing the link
9050 	 * capabilities of the hardware.
9051 	 */
9052 
9053 	/* we cannot leave radar channels */
9054 	for_each_valid_link(wdev, link_id) {
9055 		struct cfg80211_chan_def *chandef;
9056 
9057 		chandef = wdev_chandef(wdev, link_id);
9058 		if (!chandef || !chandef->chan)
9059 			continue;
9060 
9061 		/*
9062 		 * FIXME: don't require all_ok, but rather check only the
9063 		 *	  correct HW resource/link onto which 'chan' falls,
9064 		 *	  as only that link leaves the channel for doing
9065 		 *	  the off-channel operation.
9066 		 */
9067 
9068 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9069 			all_ok = false;
9070 	}
9071 
9072 	if (all_ok)
9073 		return true;
9074 
9075 	return regulatory_pre_cac_allowed(wdev->wiphy);
9076 }
9077 
9078 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9079 				    enum nl80211_ext_feature_index feat)
9080 {
9081 	if (!(flags & flag))
9082 		return true;
9083 	if (wiphy_ext_feature_isset(wiphy, feat))
9084 		return true;
9085 	return false;
9086 }
9087 
9088 static int
9089 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9090 			 void *request, struct nlattr **attrs,
9091 			 bool is_sched_scan)
9092 {
9093 	u8 *mac_addr, *mac_addr_mask;
9094 	u32 *flags;
9095 	enum nl80211_feature_flags randomness_flag;
9096 
9097 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9098 		return 0;
9099 
9100 	if (is_sched_scan) {
9101 		struct cfg80211_sched_scan_request *req = request;
9102 
9103 		randomness_flag = wdev ?
9104 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9105 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9106 		flags = &req->flags;
9107 		mac_addr = req->mac_addr;
9108 		mac_addr_mask = req->mac_addr_mask;
9109 	} else {
9110 		struct cfg80211_scan_request *req = request;
9111 
9112 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9113 		flags = &req->flags;
9114 		mac_addr = req->mac_addr;
9115 		mac_addr_mask = req->mac_addr_mask;
9116 	}
9117 
9118 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9119 
9120 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9121 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9122 	    !nl80211_check_scan_feat(wiphy, *flags,
9123 				     NL80211_SCAN_FLAG_LOW_SPAN,
9124 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9125 	    !nl80211_check_scan_feat(wiphy, *flags,
9126 				     NL80211_SCAN_FLAG_LOW_POWER,
9127 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9128 	    !nl80211_check_scan_feat(wiphy, *flags,
9129 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9130 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9131 	    !nl80211_check_scan_feat(wiphy, *flags,
9132 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9133 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9134 	    !nl80211_check_scan_feat(wiphy, *flags,
9135 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9136 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9137 	    !nl80211_check_scan_feat(wiphy, *flags,
9138 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9139 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9140 	    !nl80211_check_scan_feat(wiphy, *flags,
9141 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9142 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9143 	    !nl80211_check_scan_feat(wiphy, *flags,
9144 				     NL80211_SCAN_FLAG_RANDOM_SN,
9145 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9146 	    !nl80211_check_scan_feat(wiphy, *flags,
9147 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9148 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9149 		return -EOPNOTSUPP;
9150 
9151 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9152 		int err;
9153 
9154 		if (!(wiphy->features & randomness_flag) ||
9155 		    (wdev && wdev->connected))
9156 			return -EOPNOTSUPP;
9157 
9158 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9159 		if (err)
9160 			return err;
9161 	}
9162 
9163 	return 0;
9164 }
9165 
9166 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9167 {
9168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9169 	struct wireless_dev *wdev = info->user_ptr[1];
9170 	struct cfg80211_scan_request *request;
9171 	struct nlattr *scan_freqs = NULL;
9172 	bool scan_freqs_khz = false;
9173 	struct nlattr *attr;
9174 	struct wiphy *wiphy;
9175 	int err, tmp, n_ssids = 0, n_channels, i;
9176 	size_t ie_len, size;
9177 	size_t ssids_offset, ie_offset;
9178 
9179 	wiphy = &rdev->wiphy;
9180 
9181 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9182 		return -EOPNOTSUPP;
9183 
9184 	if (!rdev->ops->scan)
9185 		return -EOPNOTSUPP;
9186 
9187 	if (rdev->scan_req || rdev->scan_msg)
9188 		return -EBUSY;
9189 
9190 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9191 		if (!wiphy_ext_feature_isset(wiphy,
9192 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9193 			return -EOPNOTSUPP;
9194 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9195 		scan_freqs_khz = true;
9196 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9197 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9198 
9199 	if (scan_freqs) {
9200 		n_channels = validate_scan_freqs(scan_freqs);
9201 		if (!n_channels)
9202 			return -EINVAL;
9203 	} else {
9204 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9205 	}
9206 
9207 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9208 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9209 			n_ssids++;
9210 
9211 	if (n_ssids > wiphy->max_scan_ssids)
9212 		return -EINVAL;
9213 
9214 	if (info->attrs[NL80211_ATTR_IE])
9215 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9216 	else
9217 		ie_len = 0;
9218 
9219 	if (ie_len > wiphy->max_scan_ie_len)
9220 		return -EINVAL;
9221 
9222 	size = struct_size(request, channels, n_channels);
9223 	ssids_offset = size;
9224 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9225 	ie_offset = size;
9226 	size = size_add(size, ie_len);
9227 	request = kzalloc(size, GFP_KERNEL);
9228 	if (!request)
9229 		return -ENOMEM;
9230 	request->n_channels = n_channels;
9231 
9232 	if (n_ssids)
9233 		request->ssids = (void *)request + ssids_offset;
9234 	request->n_ssids = n_ssids;
9235 	if (ie_len)
9236 		request->ie = (void *)request + ie_offset;
9237 
9238 	i = 0;
9239 	if (scan_freqs) {
9240 		/* user specified, bail out if channel not found */
9241 		nla_for_each_nested(attr, scan_freqs, tmp) {
9242 			struct ieee80211_channel *chan;
9243 			int freq = nla_get_u32(attr);
9244 
9245 			if (!scan_freqs_khz)
9246 				freq = MHZ_TO_KHZ(freq);
9247 
9248 			chan = ieee80211_get_channel_khz(wiphy, freq);
9249 			if (!chan) {
9250 				err = -EINVAL;
9251 				goto out_free;
9252 			}
9253 
9254 			/* ignore disabled channels */
9255 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9256 				continue;
9257 
9258 			request->channels[i] = chan;
9259 			i++;
9260 		}
9261 	} else {
9262 		enum nl80211_band band;
9263 
9264 		/* all channels */
9265 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9266 			int j;
9267 
9268 			if (!wiphy->bands[band])
9269 				continue;
9270 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9271 				struct ieee80211_channel *chan;
9272 
9273 				chan = &wiphy->bands[band]->channels[j];
9274 
9275 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9276 					continue;
9277 
9278 				request->channels[i] = chan;
9279 				i++;
9280 			}
9281 		}
9282 	}
9283 
9284 	if (!i) {
9285 		err = -EINVAL;
9286 		goto out_free;
9287 	}
9288 
9289 	request->n_channels = i;
9290 
9291 	wdev_lock(wdev);
9292 	for (i = 0; i < request->n_channels; i++) {
9293 		struct ieee80211_channel *chan = request->channels[i];
9294 
9295 		/* if we can go off-channel to the target channel we're good */
9296 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9297 			continue;
9298 
9299 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9300 			wdev_unlock(wdev);
9301 			err = -EBUSY;
9302 			goto out_free;
9303 		}
9304 	}
9305 	wdev_unlock(wdev);
9306 
9307 	i = 0;
9308 	if (n_ssids) {
9309 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9310 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9311 				err = -EINVAL;
9312 				goto out_free;
9313 			}
9314 			request->ssids[i].ssid_len = nla_len(attr);
9315 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9316 			i++;
9317 		}
9318 	}
9319 
9320 	if (info->attrs[NL80211_ATTR_IE]) {
9321 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9322 		memcpy((void *)request->ie,
9323 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9324 		       request->ie_len);
9325 	}
9326 
9327 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9328 		if (wiphy->bands[i])
9329 			request->rates[i] =
9330 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9331 
9332 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9333 		nla_for_each_nested(attr,
9334 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9335 				    tmp) {
9336 			enum nl80211_band band = nla_type(attr);
9337 
9338 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9339 				err = -EINVAL;
9340 				goto out_free;
9341 			}
9342 
9343 			if (!wiphy->bands[band])
9344 				continue;
9345 
9346 			err = ieee80211_get_ratemask(wiphy->bands[band],
9347 						     nla_data(attr),
9348 						     nla_len(attr),
9349 						     &request->rates[band]);
9350 			if (err)
9351 				goto out_free;
9352 		}
9353 	}
9354 
9355 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9356 		request->duration =
9357 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9358 		request->duration_mandatory =
9359 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9360 	}
9361 
9362 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9363 				       false);
9364 	if (err)
9365 		goto out_free;
9366 
9367 	request->no_cck =
9368 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9369 
9370 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9371 	 * BSSID to scan for. This was problematic because that same attribute
9372 	 * was already used for another purpose (local random MAC address). The
9373 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9374 	 * compatibility with older userspace components, also use the
9375 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9376 	 * the specific BSSID use case instead of the random MAC address
9377 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9378 	 */
9379 	if (info->attrs[NL80211_ATTR_BSSID])
9380 		memcpy(request->bssid,
9381 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9382 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9383 		 info->attrs[NL80211_ATTR_MAC])
9384 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9385 		       ETH_ALEN);
9386 	else
9387 		eth_broadcast_addr(request->bssid);
9388 
9389 	request->wdev = wdev;
9390 	request->wiphy = &rdev->wiphy;
9391 	request->scan_start = jiffies;
9392 
9393 	rdev->scan_req = request;
9394 	err = cfg80211_scan(rdev);
9395 
9396 	if (err)
9397 		goto out_free;
9398 
9399 	nl80211_send_scan_start(rdev, wdev);
9400 	dev_hold(wdev->netdev);
9401 
9402 	return 0;
9403 
9404  out_free:
9405 	rdev->scan_req = NULL;
9406 	kfree(request);
9407 
9408 	return err;
9409 }
9410 
9411 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9412 {
9413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9414 	struct wireless_dev *wdev = info->user_ptr[1];
9415 
9416 	if (!rdev->ops->abort_scan)
9417 		return -EOPNOTSUPP;
9418 
9419 	if (rdev->scan_msg)
9420 		return 0;
9421 
9422 	if (!rdev->scan_req)
9423 		return -ENOENT;
9424 
9425 	rdev_abort_scan(rdev, wdev);
9426 	return 0;
9427 }
9428 
9429 static int
9430 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9431 			       struct cfg80211_sched_scan_request *request,
9432 			       struct nlattr **attrs)
9433 {
9434 	int tmp, err, i = 0;
9435 	struct nlattr *attr;
9436 
9437 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9438 		u32 interval;
9439 
9440 		/*
9441 		 * If scan plans are not specified,
9442 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9443 		 * case one scan plan will be set with the specified scan
9444 		 * interval and infinite number of iterations.
9445 		 */
9446 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9447 		if (!interval)
9448 			return -EINVAL;
9449 
9450 		request->scan_plans[0].interval =
9451 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9452 		if (!request->scan_plans[0].interval)
9453 			return -EINVAL;
9454 
9455 		if (request->scan_plans[0].interval >
9456 		    wiphy->max_sched_scan_plan_interval)
9457 			request->scan_plans[0].interval =
9458 				wiphy->max_sched_scan_plan_interval;
9459 
9460 		return 0;
9461 	}
9462 
9463 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9464 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9465 
9466 		if (WARN_ON(i >= n_plans))
9467 			return -EINVAL;
9468 
9469 		err = nla_parse_nested_deprecated(plan,
9470 						  NL80211_SCHED_SCAN_PLAN_MAX,
9471 						  attr, nl80211_plan_policy,
9472 						  NULL);
9473 		if (err)
9474 			return err;
9475 
9476 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9477 			return -EINVAL;
9478 
9479 		request->scan_plans[i].interval =
9480 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9481 		if (!request->scan_plans[i].interval ||
9482 		    request->scan_plans[i].interval >
9483 		    wiphy->max_sched_scan_plan_interval)
9484 			return -EINVAL;
9485 
9486 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9487 			request->scan_plans[i].iterations =
9488 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9489 			if (!request->scan_plans[i].iterations ||
9490 			    (request->scan_plans[i].iterations >
9491 			     wiphy->max_sched_scan_plan_iterations))
9492 				return -EINVAL;
9493 		} else if (i < n_plans - 1) {
9494 			/*
9495 			 * All scan plans but the last one must specify
9496 			 * a finite number of iterations
9497 			 */
9498 			return -EINVAL;
9499 		}
9500 
9501 		i++;
9502 	}
9503 
9504 	/*
9505 	 * The last scan plan must not specify the number of
9506 	 * iterations, it is supposed to run infinitely
9507 	 */
9508 	if (request->scan_plans[n_plans - 1].iterations)
9509 		return  -EINVAL;
9510 
9511 	return 0;
9512 }
9513 
9514 static int
9515 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9516 				       struct cfg80211_match_set *match_sets,
9517 				       struct nlattr *tb_band_rssi,
9518 				       s32 rssi_thold)
9519 {
9520 	struct nlattr *attr;
9521 	int i, tmp, ret = 0;
9522 
9523 	if (!wiphy_ext_feature_isset(wiphy,
9524 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9525 		if (tb_band_rssi)
9526 			ret = -EOPNOTSUPP;
9527 		else
9528 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9529 				match_sets->per_band_rssi_thold[i] =
9530 					NL80211_SCAN_RSSI_THOLD_OFF;
9531 		return ret;
9532 	}
9533 
9534 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9535 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9536 
9537 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9538 		enum nl80211_band band = nla_type(attr);
9539 
9540 		if (band < 0 || band >= NUM_NL80211_BANDS)
9541 			return -EINVAL;
9542 
9543 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9544 	}
9545 
9546 	return 0;
9547 }
9548 
9549 static struct cfg80211_sched_scan_request *
9550 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9551 			 struct nlattr **attrs, int max_match_sets)
9552 {
9553 	struct cfg80211_sched_scan_request *request;
9554 	struct nlattr *attr;
9555 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9556 	enum nl80211_band band;
9557 	size_t ie_len, size;
9558 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9559 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9560 
9561 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9562 		n_channels = validate_scan_freqs(
9563 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9564 		if (!n_channels)
9565 			return ERR_PTR(-EINVAL);
9566 	} else {
9567 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9568 	}
9569 
9570 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9571 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9572 				    tmp)
9573 			n_ssids++;
9574 
9575 	if (n_ssids > wiphy->max_sched_scan_ssids)
9576 		return ERR_PTR(-EINVAL);
9577 
9578 	/*
9579 	 * First, count the number of 'real' matchsets. Due to an issue with
9580 	 * the old implementation, matchsets containing only the RSSI attribute
9581 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9582 	 * RSSI for all matchsets, rather than their own matchset for reporting
9583 	 * all APs with a strong RSSI. This is needed to be compatible with
9584 	 * older userspace that treated a matchset with only the RSSI as the
9585 	 * global RSSI for all other matchsets - if there are other matchsets.
9586 	 */
9587 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9588 		nla_for_each_nested(attr,
9589 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9590 				    tmp) {
9591 			struct nlattr *rssi;
9592 
9593 			err = nla_parse_nested_deprecated(tb,
9594 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9595 							  attr,
9596 							  nl80211_match_policy,
9597 							  NULL);
9598 			if (err)
9599 				return ERR_PTR(err);
9600 
9601 			/* SSID and BSSID are mutually exclusive */
9602 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9603 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9604 				return ERR_PTR(-EINVAL);
9605 
9606 			/* add other standalone attributes here */
9607 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9608 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9609 				n_match_sets++;
9610 				continue;
9611 			}
9612 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9613 			if (rssi)
9614 				default_match_rssi = nla_get_s32(rssi);
9615 		}
9616 	}
9617 
9618 	/* However, if there's no other matchset, add the RSSI one */
9619 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9620 		n_match_sets = 1;
9621 
9622 	if (n_match_sets > max_match_sets)
9623 		return ERR_PTR(-EINVAL);
9624 
9625 	if (attrs[NL80211_ATTR_IE])
9626 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9627 	else
9628 		ie_len = 0;
9629 
9630 	if (ie_len > wiphy->max_sched_scan_ie_len)
9631 		return ERR_PTR(-EINVAL);
9632 
9633 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9634 		/*
9635 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9636 		 * each scan plan already specifies its own interval
9637 		 */
9638 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9639 			return ERR_PTR(-EINVAL);
9640 
9641 		nla_for_each_nested(attr,
9642 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9643 			n_plans++;
9644 	} else {
9645 		/*
9646 		 * The scan interval attribute is kept for backward
9647 		 * compatibility. If no scan plans are specified and sched scan
9648 		 * interval is specified, one scan plan will be set with this
9649 		 * scan interval and infinite number of iterations.
9650 		 */
9651 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9652 			return ERR_PTR(-EINVAL);
9653 
9654 		n_plans = 1;
9655 	}
9656 
9657 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9658 		return ERR_PTR(-EINVAL);
9659 
9660 	if (!wiphy_ext_feature_isset(
9661 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9662 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9663 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9664 		return ERR_PTR(-EINVAL);
9665 
9666 	size = struct_size(request, channels, n_channels);
9667 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9668 	size = size_add(size, array_size(sizeof(*request->match_sets),
9669 					 n_match_sets));
9670 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9671 					 n_plans));
9672 	size = size_add(size, ie_len);
9673 	request = kzalloc(size, GFP_KERNEL);
9674 	if (!request)
9675 		return ERR_PTR(-ENOMEM);
9676 
9677 	if (n_ssids)
9678 		request->ssids = (void *)&request->channels[n_channels];
9679 	request->n_ssids = n_ssids;
9680 	if (ie_len) {
9681 		if (n_ssids)
9682 			request->ie = (void *)(request->ssids + n_ssids);
9683 		else
9684 			request->ie = (void *)(request->channels + n_channels);
9685 	}
9686 
9687 	if (n_match_sets) {
9688 		if (request->ie)
9689 			request->match_sets = (void *)(request->ie + ie_len);
9690 		else if (n_ssids)
9691 			request->match_sets =
9692 				(void *)(request->ssids + n_ssids);
9693 		else
9694 			request->match_sets =
9695 				(void *)(request->channels + n_channels);
9696 	}
9697 	request->n_match_sets = n_match_sets;
9698 
9699 	if (n_match_sets)
9700 		request->scan_plans = (void *)(request->match_sets +
9701 					       n_match_sets);
9702 	else if (request->ie)
9703 		request->scan_plans = (void *)(request->ie + ie_len);
9704 	else if (n_ssids)
9705 		request->scan_plans = (void *)(request->ssids + n_ssids);
9706 	else
9707 		request->scan_plans = (void *)(request->channels + n_channels);
9708 
9709 	request->n_scan_plans = n_plans;
9710 
9711 	i = 0;
9712 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9713 		/* user specified, bail out if channel not found */
9714 		nla_for_each_nested(attr,
9715 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9716 				    tmp) {
9717 			struct ieee80211_channel *chan;
9718 
9719 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9720 
9721 			if (!chan) {
9722 				err = -EINVAL;
9723 				goto out_free;
9724 			}
9725 
9726 			/* ignore disabled channels */
9727 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9728 				continue;
9729 
9730 			request->channels[i] = chan;
9731 			i++;
9732 		}
9733 	} else {
9734 		/* all channels */
9735 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9736 			int j;
9737 
9738 			if (!wiphy->bands[band])
9739 				continue;
9740 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9741 				struct ieee80211_channel *chan;
9742 
9743 				chan = &wiphy->bands[band]->channels[j];
9744 
9745 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9746 					continue;
9747 
9748 				request->channels[i] = chan;
9749 				i++;
9750 			}
9751 		}
9752 	}
9753 
9754 	if (!i) {
9755 		err = -EINVAL;
9756 		goto out_free;
9757 	}
9758 
9759 	request->n_channels = i;
9760 
9761 	i = 0;
9762 	if (n_ssids) {
9763 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9764 				    tmp) {
9765 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9766 				err = -EINVAL;
9767 				goto out_free;
9768 			}
9769 			request->ssids[i].ssid_len = nla_len(attr);
9770 			memcpy(request->ssids[i].ssid, nla_data(attr),
9771 			       nla_len(attr));
9772 			i++;
9773 		}
9774 	}
9775 
9776 	i = 0;
9777 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9778 		nla_for_each_nested(attr,
9779 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9780 				    tmp) {
9781 			struct nlattr *ssid, *bssid, *rssi;
9782 
9783 			err = nla_parse_nested_deprecated(tb,
9784 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9785 							  attr,
9786 							  nl80211_match_policy,
9787 							  NULL);
9788 			if (err)
9789 				goto out_free;
9790 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9791 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9792 
9793 			if (!ssid && !bssid) {
9794 				i++;
9795 				continue;
9796 			}
9797 
9798 			if (WARN_ON(i >= n_match_sets)) {
9799 				/* this indicates a programming error,
9800 				 * the loop above should have verified
9801 				 * things properly
9802 				 */
9803 				err = -EINVAL;
9804 				goto out_free;
9805 			}
9806 
9807 			if (ssid) {
9808 				memcpy(request->match_sets[i].ssid.ssid,
9809 				       nla_data(ssid), nla_len(ssid));
9810 				request->match_sets[i].ssid.ssid_len =
9811 					nla_len(ssid);
9812 			}
9813 			if (bssid)
9814 				memcpy(request->match_sets[i].bssid,
9815 				       nla_data(bssid), ETH_ALEN);
9816 
9817 			/* special attribute - old implementation w/a */
9818 			request->match_sets[i].rssi_thold = default_match_rssi;
9819 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9820 			if (rssi)
9821 				request->match_sets[i].rssi_thold =
9822 					nla_get_s32(rssi);
9823 
9824 			/* Parse per band RSSI attribute */
9825 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9826 				&request->match_sets[i],
9827 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9828 				request->match_sets[i].rssi_thold);
9829 			if (err)
9830 				goto out_free;
9831 
9832 			i++;
9833 		}
9834 
9835 		/* there was no other matchset, so the RSSI one is alone */
9836 		if (i == 0 && n_match_sets)
9837 			request->match_sets[0].rssi_thold = default_match_rssi;
9838 
9839 		request->min_rssi_thold = INT_MAX;
9840 		for (i = 0; i < n_match_sets; i++)
9841 			request->min_rssi_thold =
9842 				min(request->match_sets[i].rssi_thold,
9843 				    request->min_rssi_thold);
9844 	} else {
9845 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9846 	}
9847 
9848 	if (ie_len) {
9849 		request->ie_len = ie_len;
9850 		memcpy((void *)request->ie,
9851 		       nla_data(attrs[NL80211_ATTR_IE]),
9852 		       request->ie_len);
9853 	}
9854 
9855 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9856 	if (err)
9857 		goto out_free;
9858 
9859 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9860 		request->delay =
9861 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9862 
9863 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9864 		request->relative_rssi = nla_get_s8(
9865 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9866 		request->relative_rssi_set = true;
9867 	}
9868 
9869 	if (request->relative_rssi_set &&
9870 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9871 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9872 
9873 		rssi_adjust = nla_data(
9874 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9875 		request->rssi_adjust.band = rssi_adjust->band;
9876 		request->rssi_adjust.delta = rssi_adjust->delta;
9877 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9878 			err = -EINVAL;
9879 			goto out_free;
9880 		}
9881 	}
9882 
9883 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9884 	if (err)
9885 		goto out_free;
9886 
9887 	request->scan_start = jiffies;
9888 
9889 	return request;
9890 
9891 out_free:
9892 	kfree(request);
9893 	return ERR_PTR(err);
9894 }
9895 
9896 static int nl80211_start_sched_scan(struct sk_buff *skb,
9897 				    struct genl_info *info)
9898 {
9899 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9900 	struct net_device *dev = info->user_ptr[1];
9901 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9902 	struct cfg80211_sched_scan_request *sched_scan_req;
9903 	bool want_multi;
9904 	int err;
9905 
9906 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9907 		return -EOPNOTSUPP;
9908 
9909 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9910 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9911 	if (err)
9912 		return err;
9913 
9914 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9915 						  info->attrs,
9916 						  rdev->wiphy.max_match_sets);
9917 
9918 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9919 	if (err)
9920 		goto out_err;
9921 
9922 	/* leave request id zero for legacy request
9923 	 * or if driver does not support multi-scheduled scan
9924 	 */
9925 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9926 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9927 
9928 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9929 	if (err)
9930 		goto out_free;
9931 
9932 	sched_scan_req->dev = dev;
9933 	sched_scan_req->wiphy = &rdev->wiphy;
9934 
9935 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9936 		sched_scan_req->owner_nlportid = info->snd_portid;
9937 
9938 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9939 
9940 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9941 	return 0;
9942 
9943 out_free:
9944 	kfree(sched_scan_req);
9945 out_err:
9946 	return err;
9947 }
9948 
9949 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9950 				   struct genl_info *info)
9951 {
9952 	struct cfg80211_sched_scan_request *req;
9953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9954 	u64 cookie;
9955 
9956 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9957 		return -EOPNOTSUPP;
9958 
9959 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9960 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9961 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9962 	}
9963 
9964 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9965 				     struct cfg80211_sched_scan_request,
9966 				     list);
9967 	if (!req || req->reqid ||
9968 	    (req->owner_nlportid &&
9969 	     req->owner_nlportid != info->snd_portid))
9970 		return -ENOENT;
9971 
9972 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9973 }
9974 
9975 static int nl80211_start_radar_detection(struct sk_buff *skb,
9976 					 struct genl_info *info)
9977 {
9978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9979 	struct net_device *dev = info->user_ptr[1];
9980 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9981 	struct wiphy *wiphy = wdev->wiphy;
9982 	struct cfg80211_chan_def chandef;
9983 	enum nl80211_dfs_regions dfs_region;
9984 	unsigned int cac_time_ms;
9985 	int err = -EINVAL;
9986 
9987 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9988 
9989 	wiphy_lock(wiphy);
9990 
9991 	dfs_region = reg_get_dfs_region(wiphy);
9992 	if (dfs_region == NL80211_DFS_UNSET)
9993 		goto unlock;
9994 
9995 	err = nl80211_parse_chandef(rdev, info, &chandef);
9996 	if (err)
9997 		goto unlock;
9998 
9999 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10000 	if (err < 0)
10001 		goto unlock;
10002 
10003 	if (err == 0) {
10004 		err = -EINVAL;
10005 		goto unlock;
10006 	}
10007 
10008 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
10009 		err = -EINVAL;
10010 		goto unlock;
10011 	}
10012 
10013 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
10014 		err = cfg80211_start_background_radar_detection(rdev, wdev,
10015 								&chandef);
10016 		goto unlock;
10017 	}
10018 
10019 	if (netif_carrier_ok(dev)) {
10020 		err = -EBUSY;
10021 		goto unlock;
10022 	}
10023 
10024 	if (wdev->cac_started) {
10025 		err = -EBUSY;
10026 		goto unlock;
10027 	}
10028 
10029 	/* CAC start is offloaded to HW and can't be started manually */
10030 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10031 		err = -EOPNOTSUPP;
10032 		goto unlock;
10033 	}
10034 
10035 	if (!rdev->ops->start_radar_detection) {
10036 		err = -EOPNOTSUPP;
10037 		goto unlock;
10038 	}
10039 
10040 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10041 	if (WARN_ON(!cac_time_ms))
10042 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10043 
10044 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
10045 	if (!err) {
10046 		wdev->links[0].ap.chandef = chandef;
10047 		wdev->cac_started = true;
10048 		wdev->cac_start_time = jiffies;
10049 		wdev->cac_time_ms = cac_time_ms;
10050 	}
10051 unlock:
10052 	wiphy_unlock(wiphy);
10053 
10054 	return err;
10055 }
10056 
10057 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10058 					  struct genl_info *info)
10059 {
10060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10061 	struct net_device *dev = info->user_ptr[1];
10062 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10063 	struct wiphy *wiphy = wdev->wiphy;
10064 	struct cfg80211_chan_def chandef;
10065 	enum nl80211_dfs_regions dfs_region;
10066 	int err;
10067 
10068 	dfs_region = reg_get_dfs_region(wiphy);
10069 	if (dfs_region == NL80211_DFS_UNSET) {
10070 		GENL_SET_ERR_MSG(info,
10071 				 "DFS Region is not set. Unexpected Radar indication");
10072 		return -EINVAL;
10073 	}
10074 
10075 	err = nl80211_parse_chandef(rdev, info, &chandef);
10076 	if (err) {
10077 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10078 		return err;
10079 	}
10080 
10081 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10082 	if (err < 0) {
10083 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10084 		return err;
10085 	}
10086 
10087 	if (err == 0) {
10088 		GENL_SET_ERR_MSG(info,
10089 				 "Unexpected Radar indication for chandef/iftype");
10090 		return -EINVAL;
10091 	}
10092 
10093 	/* Do not process this notification if radar is already detected
10094 	 * by kernel on this channel, and return success.
10095 	 */
10096 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10097 		return 0;
10098 
10099 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10100 
10101 	cfg80211_sched_dfs_chan_update(rdev);
10102 
10103 	rdev->radar_chandef = chandef;
10104 
10105 	/* Propagate this notification to other radios as well */
10106 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10107 
10108 	return 0;
10109 }
10110 
10111 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10112 {
10113 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10114 	unsigned int link_id = nl80211_link_id(info->attrs);
10115 	struct net_device *dev = info->user_ptr[1];
10116 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10117 	struct cfg80211_csa_settings params;
10118 	struct nlattr **csa_attrs = NULL;
10119 	int err;
10120 	bool need_new_beacon = false;
10121 	bool need_handle_dfs_flag = true;
10122 	int len, i;
10123 	u32 cs_count;
10124 
10125 	if (!rdev->ops->channel_switch ||
10126 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10127 		return -EOPNOTSUPP;
10128 
10129 	switch (dev->ieee80211_ptr->iftype) {
10130 	case NL80211_IFTYPE_AP:
10131 	case NL80211_IFTYPE_P2P_GO:
10132 		need_new_beacon = true;
10133 		/* For all modes except AP the handle_dfs flag needs to be
10134 		 * supplied to tell the kernel that userspace will handle radar
10135 		 * events when they happen. Otherwise a switch to a channel
10136 		 * requiring DFS will be rejected.
10137 		 */
10138 		need_handle_dfs_flag = false;
10139 
10140 		/* useless if AP is not running */
10141 		if (!wdev->links[link_id].ap.beacon_interval)
10142 			return -ENOTCONN;
10143 		break;
10144 	case NL80211_IFTYPE_ADHOC:
10145 		if (!wdev->u.ibss.ssid_len)
10146 			return -ENOTCONN;
10147 		break;
10148 	case NL80211_IFTYPE_MESH_POINT:
10149 		if (!wdev->u.mesh.id_len)
10150 			return -ENOTCONN;
10151 		break;
10152 	default:
10153 		return -EOPNOTSUPP;
10154 	}
10155 
10156 	memset(&params, 0, sizeof(params));
10157 	params.beacon_csa.ftm_responder = -1;
10158 
10159 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10160 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10161 		return -EINVAL;
10162 
10163 	/* only important for AP, IBSS and mesh create IEs internally */
10164 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10165 		return -EINVAL;
10166 
10167 	/* Even though the attribute is u32, the specification says
10168 	 * u8, so let's make sure we don't overflow.
10169 	 */
10170 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10171 	if (cs_count > 255)
10172 		return -EINVAL;
10173 
10174 	params.count = cs_count;
10175 
10176 	if (!need_new_beacon)
10177 		goto skip_beacons;
10178 
10179 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10180 				   info->extack);
10181 	if (err)
10182 		goto free;
10183 
10184 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10185 			    GFP_KERNEL);
10186 	if (!csa_attrs) {
10187 		err = -ENOMEM;
10188 		goto free;
10189 	}
10190 
10191 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10192 					  info->attrs[NL80211_ATTR_CSA_IES],
10193 					  nl80211_policy, info->extack);
10194 	if (err)
10195 		goto free;
10196 
10197 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10198 				   info->extack);
10199 	if (err)
10200 		goto free;
10201 
10202 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10203 		err = -EINVAL;
10204 		goto free;
10205 	}
10206 
10207 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10208 	if (!len || (len % sizeof(u16))) {
10209 		err = -EINVAL;
10210 		goto free;
10211 	}
10212 
10213 	params.n_counter_offsets_beacon = len / sizeof(u16);
10214 	if (rdev->wiphy.max_num_csa_counters &&
10215 	    (params.n_counter_offsets_beacon >
10216 	     rdev->wiphy.max_num_csa_counters)) {
10217 		err = -EINVAL;
10218 		goto free;
10219 	}
10220 
10221 	params.counter_offsets_beacon =
10222 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10223 
10224 	/* sanity checks - counters should fit and be the same */
10225 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
10226 		u16 offset = params.counter_offsets_beacon[i];
10227 
10228 		if (offset >= params.beacon_csa.tail_len) {
10229 			err = -EINVAL;
10230 			goto free;
10231 		}
10232 
10233 		if (params.beacon_csa.tail[offset] != params.count) {
10234 			err = -EINVAL;
10235 			goto free;
10236 		}
10237 	}
10238 
10239 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
10240 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10241 		if (!len || (len % sizeof(u16))) {
10242 			err = -EINVAL;
10243 			goto free;
10244 		}
10245 
10246 		params.n_counter_offsets_presp = len / sizeof(u16);
10247 		if (rdev->wiphy.max_num_csa_counters &&
10248 		    (params.n_counter_offsets_presp >
10249 		     rdev->wiphy.max_num_csa_counters)) {
10250 			err = -EINVAL;
10251 			goto free;
10252 		}
10253 
10254 		params.counter_offsets_presp =
10255 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10256 
10257 		/* sanity checks - counters should fit and be the same */
10258 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10259 			u16 offset = params.counter_offsets_presp[i];
10260 
10261 			if (offset >= params.beacon_csa.probe_resp_len) {
10262 				err = -EINVAL;
10263 				goto free;
10264 			}
10265 
10266 			if (params.beacon_csa.probe_resp[offset] !=
10267 			    params.count) {
10268 				err = -EINVAL;
10269 				goto free;
10270 			}
10271 		}
10272 	}
10273 
10274 skip_beacons:
10275 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10276 	if (err)
10277 		goto free;
10278 
10279 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10280 					   wdev->iftype)) {
10281 		err = -EINVAL;
10282 		goto free;
10283 	}
10284 
10285 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10286 					    &params.chandef,
10287 					    wdev->iftype);
10288 	if (err < 0)
10289 		goto free;
10290 
10291 	if (err > 0) {
10292 		params.radar_required = true;
10293 		if (need_handle_dfs_flag &&
10294 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10295 			err = -EINVAL;
10296 			goto free;
10297 		}
10298 	}
10299 
10300 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10301 		params.block_tx = true;
10302 
10303 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
10304 		err = nl80211_parse_punct_bitmap(rdev, info,
10305 						 &params.chandef,
10306 						 &params.punct_bitmap);
10307 		if (err)
10308 			goto free;
10309 	}
10310 
10311 	wdev_lock(wdev);
10312 	err = rdev_channel_switch(rdev, dev, &params);
10313 	wdev_unlock(wdev);
10314 
10315 free:
10316 	kfree(params.beacon_after.mbssid_ies);
10317 	kfree(params.beacon_csa.mbssid_ies);
10318 	kfree(params.beacon_after.rnr_ies);
10319 	kfree(params.beacon_csa.rnr_ies);
10320 	kfree(csa_attrs);
10321 	return err;
10322 }
10323 
10324 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10325 			    u32 seq, int flags,
10326 			    struct cfg80211_registered_device *rdev,
10327 			    struct wireless_dev *wdev,
10328 			    struct cfg80211_internal_bss *intbss)
10329 {
10330 	struct cfg80211_bss *res = &intbss->pub;
10331 	const struct cfg80211_bss_ies *ies;
10332 	unsigned int link_id;
10333 	void *hdr;
10334 	struct nlattr *bss;
10335 
10336 	ASSERT_WDEV_LOCK(wdev);
10337 
10338 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10339 			     NL80211_CMD_NEW_SCAN_RESULTS);
10340 	if (!hdr)
10341 		return -1;
10342 
10343 	genl_dump_check_consistent(cb, hdr);
10344 
10345 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10346 		goto nla_put_failure;
10347 	if (wdev->netdev &&
10348 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10349 		goto nla_put_failure;
10350 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10351 			      NL80211_ATTR_PAD))
10352 		goto nla_put_failure;
10353 
10354 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10355 	if (!bss)
10356 		goto nla_put_failure;
10357 	if ((!is_zero_ether_addr(res->bssid) &&
10358 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10359 		goto nla_put_failure;
10360 
10361 	rcu_read_lock();
10362 	/* indicate whether we have probe response data or not */
10363 	if (rcu_access_pointer(res->proberesp_ies) &&
10364 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10365 		goto fail_unlock_rcu;
10366 
10367 	/* this pointer prefers to be pointed to probe response data
10368 	 * but is always valid
10369 	 */
10370 	ies = rcu_dereference(res->ies);
10371 	if (ies) {
10372 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10373 				      NL80211_BSS_PAD))
10374 			goto fail_unlock_rcu;
10375 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10376 					ies->len, ies->data))
10377 			goto fail_unlock_rcu;
10378 	}
10379 
10380 	/* and this pointer is always (unless driver didn't know) beacon data */
10381 	ies = rcu_dereference(res->beacon_ies);
10382 	if (ies && ies->from_beacon) {
10383 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10384 				      NL80211_BSS_PAD))
10385 			goto fail_unlock_rcu;
10386 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10387 					ies->len, ies->data))
10388 			goto fail_unlock_rcu;
10389 	}
10390 	rcu_read_unlock();
10391 
10392 	if (res->beacon_interval &&
10393 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10394 		goto nla_put_failure;
10395 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10396 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10397 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10398 			res->channel->freq_offset) ||
10399 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10400 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10401 			jiffies_to_msecs(jiffies - intbss->ts)))
10402 		goto nla_put_failure;
10403 
10404 	if (intbss->parent_tsf &&
10405 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10406 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10407 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10408 		     intbss->parent_bssid)))
10409 		goto nla_put_failure;
10410 
10411 	if (intbss->ts_boottime &&
10412 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10413 			      intbss->ts_boottime, NL80211_BSS_PAD))
10414 		goto nla_put_failure;
10415 
10416 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10417 				intbss->pub.chain_signal,
10418 				NL80211_BSS_CHAIN_SIGNAL))
10419 		goto nla_put_failure;
10420 
10421 	switch (rdev->wiphy.signal_type) {
10422 	case CFG80211_SIGNAL_TYPE_MBM:
10423 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10424 			goto nla_put_failure;
10425 		break;
10426 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10427 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10428 			goto nla_put_failure;
10429 		break;
10430 	default:
10431 		break;
10432 	}
10433 
10434 	switch (wdev->iftype) {
10435 	case NL80211_IFTYPE_P2P_CLIENT:
10436 	case NL80211_IFTYPE_STATION:
10437 		for_each_valid_link(wdev, link_id) {
10438 			if (intbss == wdev->links[link_id].client.current_bss &&
10439 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10440 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10441 			     (wdev->valid_links &&
10442 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10443 					  link_id) ||
10444 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10445 				       wdev->u.client.connected_addr)))))
10446 				goto nla_put_failure;
10447 		}
10448 		break;
10449 	case NL80211_IFTYPE_ADHOC:
10450 		if (intbss == wdev->u.ibss.current_bss &&
10451 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10452 				NL80211_BSS_STATUS_IBSS_JOINED))
10453 			goto nla_put_failure;
10454 		break;
10455 	default:
10456 		break;
10457 	}
10458 
10459 	nla_nest_end(msg, bss);
10460 
10461 	genlmsg_end(msg, hdr);
10462 	return 0;
10463 
10464  fail_unlock_rcu:
10465 	rcu_read_unlock();
10466  nla_put_failure:
10467 	genlmsg_cancel(msg, hdr);
10468 	return -EMSGSIZE;
10469 }
10470 
10471 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10472 {
10473 	struct cfg80211_registered_device *rdev;
10474 	struct cfg80211_internal_bss *scan;
10475 	struct wireless_dev *wdev;
10476 	int start = cb->args[2], idx = 0;
10477 	int err;
10478 
10479 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10480 	if (err)
10481 		return err;
10482 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10483 	__acquire(&rdev->wiphy.mtx);
10484 
10485 	wdev_lock(wdev);
10486 	spin_lock_bh(&rdev->bss_lock);
10487 
10488 	/*
10489 	 * dump_scan will be called multiple times to break up the scan results
10490 	 * into multiple messages.  It is unlikely that any more bss-es will be
10491 	 * expired after the first call, so only call only call this on the
10492 	 * first dump_scan invocation.
10493 	 */
10494 	if (start == 0)
10495 		cfg80211_bss_expire(rdev);
10496 
10497 	cb->seq = rdev->bss_generation;
10498 
10499 	list_for_each_entry(scan, &rdev->bss_list, list) {
10500 		if (++idx <= start)
10501 			continue;
10502 		if (nl80211_send_bss(skb, cb,
10503 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10504 				rdev, wdev, scan) < 0) {
10505 			idx--;
10506 			break;
10507 		}
10508 	}
10509 
10510 	spin_unlock_bh(&rdev->bss_lock);
10511 	wdev_unlock(wdev);
10512 
10513 	cb->args[2] = idx;
10514 	wiphy_unlock(&rdev->wiphy);
10515 
10516 	return skb->len;
10517 }
10518 
10519 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10520 			       int flags, struct net_device *dev,
10521 			       bool allow_radio_stats,
10522 			       struct survey_info *survey)
10523 {
10524 	void *hdr;
10525 	struct nlattr *infoattr;
10526 
10527 	/* skip radio stats if userspace didn't request them */
10528 	if (!survey->channel && !allow_radio_stats)
10529 		return 0;
10530 
10531 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10532 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10533 	if (!hdr)
10534 		return -ENOMEM;
10535 
10536 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10537 		goto nla_put_failure;
10538 
10539 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10540 	if (!infoattr)
10541 		goto nla_put_failure;
10542 
10543 	if (survey->channel &&
10544 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10545 			survey->channel->center_freq))
10546 		goto nla_put_failure;
10547 
10548 	if (survey->channel && survey->channel->freq_offset &&
10549 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10550 			survey->channel->freq_offset))
10551 		goto nla_put_failure;
10552 
10553 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10554 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10555 		goto nla_put_failure;
10556 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10557 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10558 		goto nla_put_failure;
10559 	if ((survey->filled & SURVEY_INFO_TIME) &&
10560 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10561 			survey->time, NL80211_SURVEY_INFO_PAD))
10562 		goto nla_put_failure;
10563 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10564 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10565 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10566 		goto nla_put_failure;
10567 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10568 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10569 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10570 		goto nla_put_failure;
10571 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10572 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10573 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10574 		goto nla_put_failure;
10575 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10576 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10577 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10578 		goto nla_put_failure;
10579 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10580 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10581 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10582 		goto nla_put_failure;
10583 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10584 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10585 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10586 		goto nla_put_failure;
10587 
10588 	nla_nest_end(msg, infoattr);
10589 
10590 	genlmsg_end(msg, hdr);
10591 	return 0;
10592 
10593  nla_put_failure:
10594 	genlmsg_cancel(msg, hdr);
10595 	return -EMSGSIZE;
10596 }
10597 
10598 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10599 {
10600 	struct nlattr **attrbuf;
10601 	struct survey_info survey;
10602 	struct cfg80211_registered_device *rdev;
10603 	struct wireless_dev *wdev;
10604 	int survey_idx = cb->args[2];
10605 	int res;
10606 	bool radio_stats;
10607 
10608 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10609 	if (!attrbuf)
10610 		return -ENOMEM;
10611 
10612 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10613 	if (res) {
10614 		kfree(attrbuf);
10615 		return res;
10616 	}
10617 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10618 	__acquire(&rdev->wiphy.mtx);
10619 
10620 	/* prepare_wdev_dump parsed the attributes */
10621 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10622 
10623 	if (!wdev->netdev) {
10624 		res = -EINVAL;
10625 		goto out_err;
10626 	}
10627 
10628 	if (!rdev->ops->dump_survey) {
10629 		res = -EOPNOTSUPP;
10630 		goto out_err;
10631 	}
10632 
10633 	while (1) {
10634 		wdev_lock(wdev);
10635 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10636 		wdev_unlock(wdev);
10637 		if (res == -ENOENT)
10638 			break;
10639 		if (res)
10640 			goto out_err;
10641 
10642 		/* don't send disabled channels, but do send non-channel data */
10643 		if (survey.channel &&
10644 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10645 			survey_idx++;
10646 			continue;
10647 		}
10648 
10649 		if (nl80211_send_survey(skb,
10650 				NETLINK_CB(cb->skb).portid,
10651 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10652 				wdev->netdev, radio_stats, &survey) < 0)
10653 			goto out;
10654 		survey_idx++;
10655 	}
10656 
10657  out:
10658 	cb->args[2] = survey_idx;
10659 	res = skb->len;
10660  out_err:
10661 	kfree(attrbuf);
10662 	wiphy_unlock(&rdev->wiphy);
10663 	return res;
10664 }
10665 
10666 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10667 {
10668 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10669 				  NL80211_WPA_VERSION_2 |
10670 				  NL80211_WPA_VERSION_3));
10671 }
10672 
10673 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10674 {
10675 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10676 	struct net_device *dev = info->user_ptr[1];
10677 	struct ieee80211_channel *chan;
10678 	const u8 *bssid, *ssid;
10679 	int err, ssid_len;
10680 	enum nl80211_auth_type auth_type;
10681 	struct key_parse key;
10682 	bool local_state_change;
10683 	struct cfg80211_auth_request req = {};
10684 	u32 freq;
10685 
10686 	if (!info->attrs[NL80211_ATTR_MAC])
10687 		return -EINVAL;
10688 
10689 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10690 		return -EINVAL;
10691 
10692 	if (!info->attrs[NL80211_ATTR_SSID])
10693 		return -EINVAL;
10694 
10695 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10696 		return -EINVAL;
10697 
10698 	err = nl80211_parse_key(info, &key);
10699 	if (err)
10700 		return err;
10701 
10702 	if (key.idx >= 0) {
10703 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10704 			return -EINVAL;
10705 		if (!key.p.key || !key.p.key_len)
10706 			return -EINVAL;
10707 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10708 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10709 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10710 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10711 			return -EINVAL;
10712 		if (key.idx > 3)
10713 			return -EINVAL;
10714 	} else {
10715 		key.p.key_len = 0;
10716 		key.p.key = NULL;
10717 	}
10718 
10719 	if (key.idx >= 0) {
10720 		int i;
10721 		bool ok = false;
10722 
10723 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10724 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10725 				ok = true;
10726 				break;
10727 			}
10728 		}
10729 		if (!ok)
10730 			return -EINVAL;
10731 	}
10732 
10733 	if (!rdev->ops->auth)
10734 		return -EOPNOTSUPP;
10735 
10736 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10737 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10738 		return -EOPNOTSUPP;
10739 
10740 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10741 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10742 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10743 		freq +=
10744 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10745 
10746 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10747 	if (!chan)
10748 		return -EINVAL;
10749 
10750 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10751 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10752 
10753 	if (info->attrs[NL80211_ATTR_IE]) {
10754 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10755 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10756 	}
10757 
10758 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10759 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10760 		return -EINVAL;
10761 
10762 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10763 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10764 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10765 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10766 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10767 		return -EINVAL;
10768 
10769 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10770 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10771 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10772 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10773 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10774 			return -EINVAL;
10775 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10776 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10777 	}
10778 
10779 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10780 
10781 	/*
10782 	 * Since we no longer track auth state, ignore
10783 	 * requests to only change local state.
10784 	 */
10785 	if (local_state_change)
10786 		return 0;
10787 
10788 	req.auth_type = auth_type;
10789 	req.key = key.p.key;
10790 	req.key_len = key.p.key_len;
10791 	req.key_idx = key.idx;
10792 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10793 	if (req.link_id >= 0) {
10794 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10795 			return -EINVAL;
10796 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10797 			return -EINVAL;
10798 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10799 		if (!is_valid_ether_addr(req.ap_mld_addr))
10800 			return -EINVAL;
10801 	}
10802 
10803 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10804 				   IEEE80211_BSS_TYPE_ESS,
10805 				   IEEE80211_PRIVACY_ANY);
10806 	if (!req.bss)
10807 		return -ENOENT;
10808 
10809 	wdev_lock(dev->ieee80211_ptr);
10810 	err = cfg80211_mlme_auth(rdev, dev, &req);
10811 	wdev_unlock(dev->ieee80211_ptr);
10812 
10813 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10814 
10815 	return err;
10816 }
10817 
10818 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10819 				     struct genl_info *info)
10820 {
10821 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10822 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10823 		return -EINVAL;
10824 	}
10825 
10826 	if (!rdev->ops->tx_control_port ||
10827 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10828 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10829 		return -EOPNOTSUPP;
10830 
10831 	return 0;
10832 }
10833 
10834 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10835 				   struct genl_info *info,
10836 				   struct cfg80211_crypto_settings *settings,
10837 				   int cipher_limit)
10838 {
10839 	memset(settings, 0, sizeof(*settings));
10840 
10841 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10842 
10843 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10844 		u16 proto;
10845 
10846 		proto = nla_get_u16(
10847 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10848 		settings->control_port_ethertype = cpu_to_be16(proto);
10849 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10850 		    proto != ETH_P_PAE)
10851 			return -EINVAL;
10852 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10853 			settings->control_port_no_encrypt = true;
10854 	} else
10855 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10856 
10857 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10858 		int r = validate_pae_over_nl80211(rdev, info);
10859 
10860 		if (r < 0)
10861 			return r;
10862 
10863 		settings->control_port_over_nl80211 = true;
10864 
10865 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10866 			settings->control_port_no_preauth = true;
10867 	}
10868 
10869 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10870 		void *data;
10871 		int len, i;
10872 
10873 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10874 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10875 		settings->n_ciphers_pairwise = len / sizeof(u32);
10876 
10877 		if (len % sizeof(u32))
10878 			return -EINVAL;
10879 
10880 		if (settings->n_ciphers_pairwise > cipher_limit)
10881 			return -EINVAL;
10882 
10883 		memcpy(settings->ciphers_pairwise, data, len);
10884 
10885 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10886 			if (!cfg80211_supported_cipher_suite(
10887 					&rdev->wiphy,
10888 					settings->ciphers_pairwise[i]))
10889 				return -EINVAL;
10890 	}
10891 
10892 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10893 		settings->cipher_group =
10894 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10895 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10896 						     settings->cipher_group))
10897 			return -EINVAL;
10898 	}
10899 
10900 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10901 		settings->wpa_versions =
10902 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10903 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10904 			return -EINVAL;
10905 	}
10906 
10907 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10908 		void *data;
10909 		int len;
10910 
10911 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10912 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10913 		settings->n_akm_suites = len / sizeof(u32);
10914 
10915 		if (len % sizeof(u32))
10916 			return -EINVAL;
10917 
10918 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10919 			return -EINVAL;
10920 
10921 		memcpy(settings->akm_suites, data, len);
10922 	}
10923 
10924 	if (info->attrs[NL80211_ATTR_PMK]) {
10925 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10926 			return -EINVAL;
10927 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10928 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10929 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10930 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10931 			return -EINVAL;
10932 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10933 	}
10934 
10935 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10936 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10937 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10938 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10939 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10940 			return -EINVAL;
10941 		settings->sae_pwd =
10942 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10943 		settings->sae_pwd_len =
10944 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10945 	}
10946 
10947 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10948 		settings->sae_pwe =
10949 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10950 	else
10951 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10952 
10953 	return 0;
10954 }
10955 
10956 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10957 					      const u8 *ssid, int ssid_len,
10958 					      struct nlattr **attrs)
10959 {
10960 	struct ieee80211_channel *chan;
10961 	struct cfg80211_bss *bss;
10962 	const u8 *bssid;
10963 	u32 freq;
10964 
10965 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10966 		return ERR_PTR(-EINVAL);
10967 
10968 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10969 
10970 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10971 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10972 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10973 
10974 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10975 	if (!chan)
10976 		return ERR_PTR(-EINVAL);
10977 
10978 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10979 			       ssid, ssid_len,
10980 			       IEEE80211_BSS_TYPE_ESS,
10981 			       IEEE80211_PRIVACY_ANY);
10982 	if (!bss)
10983 		return ERR_PTR(-ENOENT);
10984 
10985 	return bss;
10986 }
10987 
10988 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10989 {
10990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10991 	struct net_device *dev = info->user_ptr[1];
10992 	struct cfg80211_assoc_request req = {};
10993 	struct nlattr **attrs = NULL;
10994 	const u8 *ap_addr, *ssid;
10995 	unsigned int link_id;
10996 	int err, ssid_len;
10997 
10998 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10999 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11000 		return -EPERM;
11001 
11002 	if (!info->attrs[NL80211_ATTR_SSID])
11003 		return -EINVAL;
11004 
11005 	if (!rdev->ops->assoc)
11006 		return -EOPNOTSUPP;
11007 
11008 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11009 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11010 		return -EOPNOTSUPP;
11011 
11012 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11013 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11014 
11015 	if (info->attrs[NL80211_ATTR_IE]) {
11016 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11017 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11018 
11019 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11020 					   req.ie, req.ie_len)) {
11021 			GENL_SET_ERR_MSG(info,
11022 					 "non-inheritance makes no sense");
11023 			return -EINVAL;
11024 		}
11025 	}
11026 
11027 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11028 		enum nl80211_mfp mfp =
11029 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11030 		if (mfp == NL80211_MFP_REQUIRED)
11031 			req.use_mfp = true;
11032 		else if (mfp != NL80211_MFP_NO)
11033 			return -EINVAL;
11034 	}
11035 
11036 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11037 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11038 
11039 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11040 		req.flags |= ASSOC_REQ_DISABLE_HT;
11041 
11042 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11043 		memcpy(&req.ht_capa_mask,
11044 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11045 		       sizeof(req.ht_capa_mask));
11046 
11047 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11048 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11049 			return -EINVAL;
11050 		memcpy(&req.ht_capa,
11051 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11052 		       sizeof(req.ht_capa));
11053 	}
11054 
11055 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11056 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11057 
11058 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11059 		req.flags |= ASSOC_REQ_DISABLE_HE;
11060 
11061 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11062 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11063 
11064 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11065 		memcpy(&req.vht_capa_mask,
11066 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11067 		       sizeof(req.vht_capa_mask));
11068 
11069 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11070 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11071 			return -EINVAL;
11072 		memcpy(&req.vht_capa,
11073 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11074 		       sizeof(req.vht_capa));
11075 	}
11076 
11077 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11078 		if (!((rdev->wiphy.features &
11079 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11080 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11081 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11082 					     NL80211_EXT_FEATURE_RRM))
11083 			return -EINVAL;
11084 		req.flags |= ASSOC_REQ_USE_RRM;
11085 	}
11086 
11087 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11088 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11089 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11090 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11091 			return -EINVAL;
11092 		req.fils_nonces =
11093 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11094 	}
11095 
11096 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11097 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11098 			return -EINVAL;
11099 		memcpy(&req.s1g_capa_mask,
11100 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11101 		       sizeof(req.s1g_capa_mask));
11102 	}
11103 
11104 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11105 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11106 			return -EINVAL;
11107 		memcpy(&req.s1g_capa,
11108 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11109 		       sizeof(req.s1g_capa));
11110 	}
11111 
11112 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11113 
11114 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11115 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11116 		struct nlattr *link;
11117 		int rem = 0;
11118 
11119 		if (req.link_id < 0)
11120 			return -EINVAL;
11121 
11122 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11123 			return -EINVAL;
11124 
11125 		if (info->attrs[NL80211_ATTR_MAC] ||
11126 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11127 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11128 			return -EINVAL;
11129 
11130 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11131 		ap_addr = req.ap_mld_addr;
11132 
11133 		attrs = kzalloc(attrsize, GFP_KERNEL);
11134 		if (!attrs)
11135 			return -ENOMEM;
11136 
11137 		nla_for_each_nested(link,
11138 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11139 				    rem) {
11140 			memset(attrs, 0, attrsize);
11141 
11142 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11143 					 link, NULL, NULL);
11144 
11145 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11146 				err = -EINVAL;
11147 				goto free;
11148 			}
11149 
11150 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11151 			/* cannot use the same link ID again */
11152 			if (req.links[link_id].bss) {
11153 				err = -EINVAL;
11154 				goto free;
11155 			}
11156 			req.links[link_id].bss =
11157 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs);
11158 			if (IS_ERR(req.links[link_id].bss)) {
11159 				err = PTR_ERR(req.links[link_id].bss);
11160 				req.links[link_id].bss = NULL;
11161 				goto free;
11162 			}
11163 
11164 			if (attrs[NL80211_ATTR_IE]) {
11165 				req.links[link_id].elems =
11166 					nla_data(attrs[NL80211_ATTR_IE]);
11167 				req.links[link_id].elems_len =
11168 					nla_len(attrs[NL80211_ATTR_IE]);
11169 
11170 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11171 						       req.links[link_id].elems,
11172 						       req.links[link_id].elems_len)) {
11173 					GENL_SET_ERR_MSG(info,
11174 							 "cannot deal with fragmentation");
11175 					err = -EINVAL;
11176 					goto free;
11177 				}
11178 
11179 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11180 							   req.links[link_id].elems,
11181 							   req.links[link_id].elems_len)) {
11182 					GENL_SET_ERR_MSG(info,
11183 							 "cannot deal with non-inheritance");
11184 					err = -EINVAL;
11185 					goto free;
11186 				}
11187 			}
11188 
11189 			req.links[link_id].disabled =
11190 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11191 		}
11192 
11193 		if (!req.links[req.link_id].bss) {
11194 			err = -EINVAL;
11195 			goto free;
11196 		}
11197 
11198 		if (req.links[req.link_id].elems_len) {
11199 			GENL_SET_ERR_MSG(info,
11200 					 "cannot have per-link elems on assoc link");
11201 			err = -EINVAL;
11202 			goto free;
11203 		}
11204 
11205 		if (req.links[req.link_id].disabled) {
11206 			GENL_SET_ERR_MSG(info,
11207 					 "cannot have assoc link disabled");
11208 			err = -EINVAL;
11209 			goto free;
11210 		}
11211 
11212 		kfree(attrs);
11213 		attrs = NULL;
11214 	} else {
11215 		if (req.link_id >= 0)
11216 			return -EINVAL;
11217 
11218 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs);
11219 		if (IS_ERR(req.bss))
11220 			return PTR_ERR(req.bss);
11221 		ap_addr = req.bss->bssid;
11222 	}
11223 
11224 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11225 	if (!err) {
11226 		wdev_lock(dev->ieee80211_ptr);
11227 
11228 		err = cfg80211_mlme_assoc(rdev, dev, &req);
11229 
11230 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11231 			dev->ieee80211_ptr->conn_owner_nlportid =
11232 				info->snd_portid;
11233 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11234 			       ap_addr, ETH_ALEN);
11235 		}
11236 
11237 		wdev_unlock(dev->ieee80211_ptr);
11238 	}
11239 
11240 free:
11241 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11242 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11243 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11244 	kfree(attrs);
11245 
11246 	return err;
11247 }
11248 
11249 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11250 {
11251 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11252 	struct net_device *dev = info->user_ptr[1];
11253 	const u8 *ie = NULL, *bssid;
11254 	int ie_len = 0, err;
11255 	u16 reason_code;
11256 	bool local_state_change;
11257 
11258 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11259 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11260 		return -EPERM;
11261 
11262 	if (!info->attrs[NL80211_ATTR_MAC])
11263 		return -EINVAL;
11264 
11265 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11266 		return -EINVAL;
11267 
11268 	if (!rdev->ops->deauth)
11269 		return -EOPNOTSUPP;
11270 
11271 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11272 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11273 		return -EOPNOTSUPP;
11274 
11275 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11276 
11277 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11278 	if (reason_code == 0) {
11279 		/* Reason Code 0 is reserved */
11280 		return -EINVAL;
11281 	}
11282 
11283 	if (info->attrs[NL80211_ATTR_IE]) {
11284 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11285 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11286 	}
11287 
11288 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11289 
11290 	wdev_lock(dev->ieee80211_ptr);
11291 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11292 				   local_state_change);
11293 	wdev_unlock(dev->ieee80211_ptr);
11294 	return err;
11295 }
11296 
11297 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11298 {
11299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11300 	struct net_device *dev = info->user_ptr[1];
11301 	const u8 *ie = NULL, *bssid;
11302 	int ie_len = 0, err;
11303 	u16 reason_code;
11304 	bool local_state_change;
11305 
11306 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11307 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11308 		return -EPERM;
11309 
11310 	if (!info->attrs[NL80211_ATTR_MAC])
11311 		return -EINVAL;
11312 
11313 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11314 		return -EINVAL;
11315 
11316 	if (!rdev->ops->disassoc)
11317 		return -EOPNOTSUPP;
11318 
11319 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11320 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11321 		return -EOPNOTSUPP;
11322 
11323 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11324 
11325 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11326 	if (reason_code == 0) {
11327 		/* Reason Code 0 is reserved */
11328 		return -EINVAL;
11329 	}
11330 
11331 	if (info->attrs[NL80211_ATTR_IE]) {
11332 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11333 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11334 	}
11335 
11336 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11337 
11338 	wdev_lock(dev->ieee80211_ptr);
11339 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11340 				     local_state_change);
11341 	wdev_unlock(dev->ieee80211_ptr);
11342 	return err;
11343 }
11344 
11345 static bool
11346 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11347 			 int mcast_rate[NUM_NL80211_BANDS],
11348 			 int rateval)
11349 {
11350 	struct wiphy *wiphy = &rdev->wiphy;
11351 	bool found = false;
11352 	int band, i;
11353 
11354 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11355 		struct ieee80211_supported_band *sband;
11356 
11357 		sband = wiphy->bands[band];
11358 		if (!sband)
11359 			continue;
11360 
11361 		for (i = 0; i < sband->n_bitrates; i++) {
11362 			if (sband->bitrates[i].bitrate == rateval) {
11363 				mcast_rate[band] = i + 1;
11364 				found = true;
11365 				break;
11366 			}
11367 		}
11368 	}
11369 
11370 	return found;
11371 }
11372 
11373 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11374 {
11375 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11376 	struct net_device *dev = info->user_ptr[1];
11377 	struct cfg80211_ibss_params ibss;
11378 	struct wiphy *wiphy;
11379 	struct cfg80211_cached_keys *connkeys = NULL;
11380 	int err;
11381 
11382 	memset(&ibss, 0, sizeof(ibss));
11383 
11384 	if (!info->attrs[NL80211_ATTR_SSID] ||
11385 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11386 		return -EINVAL;
11387 
11388 	ibss.beacon_interval = 100;
11389 
11390 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11391 		ibss.beacon_interval =
11392 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11393 
11394 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11395 					   ibss.beacon_interval);
11396 	if (err)
11397 		return err;
11398 
11399 	if (!rdev->ops->join_ibss)
11400 		return -EOPNOTSUPP;
11401 
11402 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11403 		return -EOPNOTSUPP;
11404 
11405 	wiphy = &rdev->wiphy;
11406 
11407 	if (info->attrs[NL80211_ATTR_MAC]) {
11408 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11409 
11410 		if (!is_valid_ether_addr(ibss.bssid))
11411 			return -EINVAL;
11412 	}
11413 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11414 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11415 
11416 	if (info->attrs[NL80211_ATTR_IE]) {
11417 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11418 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11419 	}
11420 
11421 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11422 	if (err)
11423 		return err;
11424 
11425 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11426 				     NL80211_IFTYPE_ADHOC))
11427 		return -EINVAL;
11428 
11429 	switch (ibss.chandef.width) {
11430 	case NL80211_CHAN_WIDTH_5:
11431 	case NL80211_CHAN_WIDTH_10:
11432 	case NL80211_CHAN_WIDTH_20_NOHT:
11433 		break;
11434 	case NL80211_CHAN_WIDTH_20:
11435 	case NL80211_CHAN_WIDTH_40:
11436 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11437 			return -EINVAL;
11438 		break;
11439 	case NL80211_CHAN_WIDTH_80:
11440 	case NL80211_CHAN_WIDTH_80P80:
11441 	case NL80211_CHAN_WIDTH_160:
11442 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11443 			return -EINVAL;
11444 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11445 					     NL80211_EXT_FEATURE_VHT_IBSS))
11446 			return -EINVAL;
11447 		break;
11448 	case NL80211_CHAN_WIDTH_320:
11449 		return -EINVAL;
11450 	default:
11451 		return -EINVAL;
11452 	}
11453 
11454 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11455 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11456 
11457 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11458 		u8 *rates =
11459 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11460 		int n_rates =
11461 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11462 		struct ieee80211_supported_band *sband =
11463 			wiphy->bands[ibss.chandef.chan->band];
11464 
11465 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11466 					     &ibss.basic_rates);
11467 		if (err)
11468 			return err;
11469 	}
11470 
11471 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11472 		memcpy(&ibss.ht_capa_mask,
11473 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11474 		       sizeof(ibss.ht_capa_mask));
11475 
11476 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11477 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11478 			return -EINVAL;
11479 		memcpy(&ibss.ht_capa,
11480 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11481 		       sizeof(ibss.ht_capa));
11482 	}
11483 
11484 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11485 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11486 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11487 		return -EINVAL;
11488 
11489 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11490 		bool no_ht = false;
11491 
11492 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11493 		if (IS_ERR(connkeys))
11494 			return PTR_ERR(connkeys);
11495 
11496 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11497 		    no_ht) {
11498 			kfree_sensitive(connkeys);
11499 			return -EINVAL;
11500 		}
11501 	}
11502 
11503 	ibss.control_port =
11504 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11505 
11506 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11507 		int r = validate_pae_over_nl80211(rdev, info);
11508 
11509 		if (r < 0) {
11510 			kfree_sensitive(connkeys);
11511 			return r;
11512 		}
11513 
11514 		ibss.control_port_over_nl80211 = true;
11515 	}
11516 
11517 	ibss.userspace_handles_dfs =
11518 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11519 
11520 	wdev_lock(dev->ieee80211_ptr);
11521 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11522 	if (err)
11523 		kfree_sensitive(connkeys);
11524 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11525 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11526 	wdev_unlock(dev->ieee80211_ptr);
11527 
11528 	return err;
11529 }
11530 
11531 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11532 {
11533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11534 	struct net_device *dev = info->user_ptr[1];
11535 
11536 	if (!rdev->ops->leave_ibss)
11537 		return -EOPNOTSUPP;
11538 
11539 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11540 		return -EOPNOTSUPP;
11541 
11542 	return cfg80211_leave_ibss(rdev, dev, false);
11543 }
11544 
11545 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11546 {
11547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11548 	struct net_device *dev = info->user_ptr[1];
11549 	int mcast_rate[NUM_NL80211_BANDS];
11550 	u32 nla_rate;
11551 
11552 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11553 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11554 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11555 		return -EOPNOTSUPP;
11556 
11557 	if (!rdev->ops->set_mcast_rate)
11558 		return -EOPNOTSUPP;
11559 
11560 	memset(mcast_rate, 0, sizeof(mcast_rate));
11561 
11562 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11563 		return -EINVAL;
11564 
11565 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11566 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11567 		return -EINVAL;
11568 
11569 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11570 }
11571 
11572 static struct sk_buff *
11573 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11574 			    struct wireless_dev *wdev, int approxlen,
11575 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11576 			    enum nl80211_attrs attr,
11577 			    const struct nl80211_vendor_cmd_info *info,
11578 			    gfp_t gfp)
11579 {
11580 	struct sk_buff *skb;
11581 	void *hdr;
11582 	struct nlattr *data;
11583 
11584 	skb = nlmsg_new(approxlen + 100, gfp);
11585 	if (!skb)
11586 		return NULL;
11587 
11588 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11589 	if (!hdr) {
11590 		kfree_skb(skb);
11591 		return NULL;
11592 	}
11593 
11594 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11595 		goto nla_put_failure;
11596 
11597 	if (info) {
11598 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11599 				info->vendor_id))
11600 			goto nla_put_failure;
11601 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11602 				info->subcmd))
11603 			goto nla_put_failure;
11604 	}
11605 
11606 	if (wdev) {
11607 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11608 				      wdev_id(wdev), NL80211_ATTR_PAD))
11609 			goto nla_put_failure;
11610 		if (wdev->netdev &&
11611 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11612 				wdev->netdev->ifindex))
11613 			goto nla_put_failure;
11614 	}
11615 
11616 	data = nla_nest_start_noflag(skb, attr);
11617 	if (!data)
11618 		goto nla_put_failure;
11619 
11620 	((void **)skb->cb)[0] = rdev;
11621 	((void **)skb->cb)[1] = hdr;
11622 	((void **)skb->cb)[2] = data;
11623 
11624 	return skb;
11625 
11626  nla_put_failure:
11627 	kfree_skb(skb);
11628 	return NULL;
11629 }
11630 
11631 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11632 					   struct wireless_dev *wdev,
11633 					   enum nl80211_commands cmd,
11634 					   enum nl80211_attrs attr,
11635 					   unsigned int portid,
11636 					   int vendor_event_idx,
11637 					   int approxlen, gfp_t gfp)
11638 {
11639 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11640 	const struct nl80211_vendor_cmd_info *info;
11641 
11642 	switch (cmd) {
11643 	case NL80211_CMD_TESTMODE:
11644 		if (WARN_ON(vendor_event_idx != -1))
11645 			return NULL;
11646 		info = NULL;
11647 		break;
11648 	case NL80211_CMD_VENDOR:
11649 		if (WARN_ON(vendor_event_idx < 0 ||
11650 			    vendor_event_idx >= wiphy->n_vendor_events))
11651 			return NULL;
11652 		info = &wiphy->vendor_events[vendor_event_idx];
11653 		break;
11654 	default:
11655 		WARN_ON(1);
11656 		return NULL;
11657 	}
11658 
11659 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11660 					   cmd, attr, info, gfp);
11661 }
11662 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11663 
11664 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11665 {
11666 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11667 	void *hdr = ((void **)skb->cb)[1];
11668 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11669 	struct nlattr *data = ((void **)skb->cb)[2];
11670 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11671 
11672 	/* clear CB data for netlink core to own from now on */
11673 	memset(skb->cb, 0, sizeof(skb->cb));
11674 
11675 	nla_nest_end(skb, data);
11676 	genlmsg_end(skb, hdr);
11677 
11678 	if (nlhdr->nlmsg_pid) {
11679 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11680 				nlhdr->nlmsg_pid);
11681 	} else {
11682 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11683 			mcgrp = NL80211_MCGRP_VENDOR;
11684 
11685 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11686 					skb, 0, mcgrp, gfp);
11687 	}
11688 }
11689 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11690 
11691 #ifdef CONFIG_NL80211_TESTMODE
11692 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11693 {
11694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11695 	struct wireless_dev *wdev;
11696 	int err;
11697 
11698 	lockdep_assert_held(&rdev->wiphy.mtx);
11699 
11700 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11701 					  info->attrs);
11702 
11703 	if (!rdev->ops->testmode_cmd)
11704 		return -EOPNOTSUPP;
11705 
11706 	if (IS_ERR(wdev)) {
11707 		err = PTR_ERR(wdev);
11708 		if (err != -EINVAL)
11709 			return err;
11710 		wdev = NULL;
11711 	} else if (wdev->wiphy != &rdev->wiphy) {
11712 		return -EINVAL;
11713 	}
11714 
11715 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11716 		return -EINVAL;
11717 
11718 	rdev->cur_cmd_info = info;
11719 	err = rdev_testmode_cmd(rdev, wdev,
11720 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11721 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11722 	rdev->cur_cmd_info = NULL;
11723 
11724 	return err;
11725 }
11726 
11727 static int nl80211_testmode_dump(struct sk_buff *skb,
11728 				 struct netlink_callback *cb)
11729 {
11730 	struct cfg80211_registered_device *rdev;
11731 	struct nlattr **attrbuf = NULL;
11732 	int err;
11733 	long phy_idx;
11734 	void *data = NULL;
11735 	int data_len = 0;
11736 
11737 	rtnl_lock();
11738 
11739 	if (cb->args[0]) {
11740 		/*
11741 		 * 0 is a valid index, but not valid for args[0],
11742 		 * so we need to offset by 1.
11743 		 */
11744 		phy_idx = cb->args[0] - 1;
11745 
11746 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11747 		if (!rdev) {
11748 			err = -ENOENT;
11749 			goto out_err;
11750 		}
11751 	} else {
11752 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11753 				  GFP_KERNEL);
11754 		if (!attrbuf) {
11755 			err = -ENOMEM;
11756 			goto out_err;
11757 		}
11758 
11759 		err = nlmsg_parse_deprecated(cb->nlh,
11760 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11761 					     attrbuf, nl80211_fam.maxattr,
11762 					     nl80211_policy, NULL);
11763 		if (err)
11764 			goto out_err;
11765 
11766 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11767 		if (IS_ERR(rdev)) {
11768 			err = PTR_ERR(rdev);
11769 			goto out_err;
11770 		}
11771 		phy_idx = rdev->wiphy_idx;
11772 
11773 		if (attrbuf[NL80211_ATTR_TESTDATA])
11774 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11775 	}
11776 
11777 	if (cb->args[1]) {
11778 		data = nla_data((void *)cb->args[1]);
11779 		data_len = nla_len((void *)cb->args[1]);
11780 	}
11781 
11782 	if (!rdev->ops->testmode_dump) {
11783 		err = -EOPNOTSUPP;
11784 		goto out_err;
11785 	}
11786 
11787 	while (1) {
11788 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11789 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11790 					   NL80211_CMD_TESTMODE);
11791 		struct nlattr *tmdata;
11792 
11793 		if (!hdr)
11794 			break;
11795 
11796 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11797 			genlmsg_cancel(skb, hdr);
11798 			break;
11799 		}
11800 
11801 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11802 		if (!tmdata) {
11803 			genlmsg_cancel(skb, hdr);
11804 			break;
11805 		}
11806 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11807 		nla_nest_end(skb, tmdata);
11808 
11809 		if (err == -ENOBUFS || err == -ENOENT) {
11810 			genlmsg_cancel(skb, hdr);
11811 			break;
11812 		} else if (err) {
11813 			genlmsg_cancel(skb, hdr);
11814 			goto out_err;
11815 		}
11816 
11817 		genlmsg_end(skb, hdr);
11818 	}
11819 
11820 	err = skb->len;
11821 	/* see above */
11822 	cb->args[0] = phy_idx + 1;
11823  out_err:
11824 	kfree(attrbuf);
11825 	rtnl_unlock();
11826 	return err;
11827 }
11828 #endif
11829 
11830 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11831 {
11832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11833 	struct net_device *dev = info->user_ptr[1];
11834 	struct cfg80211_connect_params connect;
11835 	struct wiphy *wiphy;
11836 	struct cfg80211_cached_keys *connkeys = NULL;
11837 	u32 freq = 0;
11838 	int err;
11839 
11840 	memset(&connect, 0, sizeof(connect));
11841 
11842 	if (!info->attrs[NL80211_ATTR_SSID] ||
11843 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11844 		return -EINVAL;
11845 
11846 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11847 		connect.auth_type =
11848 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11849 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11850 					     NL80211_CMD_CONNECT))
11851 			return -EINVAL;
11852 	} else
11853 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11854 
11855 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11856 
11857 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11858 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11859 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11860 		return -EINVAL;
11861 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11862 
11863 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11864 				      NL80211_MAX_NR_CIPHER_SUITES);
11865 	if (err)
11866 		return err;
11867 
11868 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11869 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11870 		return -EOPNOTSUPP;
11871 
11872 	wiphy = &rdev->wiphy;
11873 
11874 	connect.bg_scan_period = -1;
11875 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11876 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11877 		connect.bg_scan_period =
11878 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11879 	}
11880 
11881 	if (info->attrs[NL80211_ATTR_MAC])
11882 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11883 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11884 		connect.bssid_hint =
11885 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11886 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11887 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11888 
11889 	if (info->attrs[NL80211_ATTR_IE]) {
11890 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11891 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11892 	}
11893 
11894 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11895 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11896 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11897 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11898 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11899 			return -EOPNOTSUPP;
11900 	} else {
11901 		connect.mfp = NL80211_MFP_NO;
11902 	}
11903 
11904 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11905 		connect.prev_bssid =
11906 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11907 
11908 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11909 		freq = MHZ_TO_KHZ(nla_get_u32(
11910 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11911 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11912 		freq +=
11913 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11914 
11915 	if (freq) {
11916 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11917 		if (!connect.channel)
11918 			return -EINVAL;
11919 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11920 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11921 		freq = MHZ_TO_KHZ(freq);
11922 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11923 		if (!connect.channel_hint)
11924 			return -EINVAL;
11925 	}
11926 
11927 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11928 		connect.edmg.channels =
11929 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11930 
11931 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11932 			connect.edmg.bw_config =
11933 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11934 	}
11935 
11936 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11937 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11938 		if (IS_ERR(connkeys))
11939 			return PTR_ERR(connkeys);
11940 	}
11941 
11942 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11943 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11944 
11945 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11946 		memcpy(&connect.ht_capa_mask,
11947 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11948 		       sizeof(connect.ht_capa_mask));
11949 
11950 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11951 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11952 			kfree_sensitive(connkeys);
11953 			return -EINVAL;
11954 		}
11955 		memcpy(&connect.ht_capa,
11956 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11957 		       sizeof(connect.ht_capa));
11958 	}
11959 
11960 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11961 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11962 
11963 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11964 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11965 
11966 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11967 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11968 
11969 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11970 		memcpy(&connect.vht_capa_mask,
11971 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11972 		       sizeof(connect.vht_capa_mask));
11973 
11974 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11975 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11976 			kfree_sensitive(connkeys);
11977 			return -EINVAL;
11978 		}
11979 		memcpy(&connect.vht_capa,
11980 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11981 		       sizeof(connect.vht_capa));
11982 	}
11983 
11984 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11985 		if (!((rdev->wiphy.features &
11986 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11987 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11988 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11989 					     NL80211_EXT_FEATURE_RRM)) {
11990 			kfree_sensitive(connkeys);
11991 			return -EINVAL;
11992 		}
11993 		connect.flags |= ASSOC_REQ_USE_RRM;
11994 	}
11995 
11996 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11997 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11998 		kfree_sensitive(connkeys);
11999 		return -EOPNOTSUPP;
12000 	}
12001 
12002 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12003 		/* bss selection makes no sense if bssid is set */
12004 		if (connect.bssid) {
12005 			kfree_sensitive(connkeys);
12006 			return -EINVAL;
12007 		}
12008 
12009 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12010 				       wiphy, &connect.bss_select);
12011 		if (err) {
12012 			kfree_sensitive(connkeys);
12013 			return err;
12014 		}
12015 	}
12016 
12017 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12018 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12019 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12020 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12021 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12022 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12023 		connect.fils_erp_username =
12024 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12025 		connect.fils_erp_username_len =
12026 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12027 		connect.fils_erp_realm =
12028 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12029 		connect.fils_erp_realm_len =
12030 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12031 		connect.fils_erp_next_seq_num =
12032 			nla_get_u16(
12033 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12034 		connect.fils_erp_rrk =
12035 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12036 		connect.fils_erp_rrk_len =
12037 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12038 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12039 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12040 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12041 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12042 		kfree_sensitive(connkeys);
12043 		return -EINVAL;
12044 	}
12045 
12046 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12047 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12048 			kfree_sensitive(connkeys);
12049 			GENL_SET_ERR_MSG(info,
12050 					 "external auth requires connection ownership");
12051 			return -EINVAL;
12052 		}
12053 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12054 	}
12055 
12056 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12057 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12058 
12059 	wdev_lock(dev->ieee80211_ptr);
12060 
12061 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12062 			       connect.prev_bssid);
12063 	if (err)
12064 		kfree_sensitive(connkeys);
12065 
12066 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12067 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12068 		if (connect.bssid)
12069 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12070 			       connect.bssid, ETH_ALEN);
12071 		else
12072 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12073 	}
12074 
12075 	wdev_unlock(dev->ieee80211_ptr);
12076 
12077 	return err;
12078 }
12079 
12080 static int nl80211_update_connect_params(struct sk_buff *skb,
12081 					 struct genl_info *info)
12082 {
12083 	struct cfg80211_connect_params connect = {};
12084 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12085 	struct net_device *dev = info->user_ptr[1];
12086 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12087 	bool fils_sk_offload;
12088 	u32 auth_type;
12089 	u32 changed = 0;
12090 	int ret;
12091 
12092 	if (!rdev->ops->update_connect_params)
12093 		return -EOPNOTSUPP;
12094 
12095 	if (info->attrs[NL80211_ATTR_IE]) {
12096 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12097 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12098 		changed |= UPDATE_ASSOC_IES;
12099 	}
12100 
12101 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12102 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12103 
12104 	/*
12105 	 * when driver supports fils-sk offload all attributes must be
12106 	 * provided. So the else covers "fils-sk-not-all" and
12107 	 * "no-fils-sk-any".
12108 	 */
12109 	if (fils_sk_offload &&
12110 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12111 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12112 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12113 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12114 		connect.fils_erp_username =
12115 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12116 		connect.fils_erp_username_len =
12117 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12118 		connect.fils_erp_realm =
12119 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12120 		connect.fils_erp_realm_len =
12121 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12122 		connect.fils_erp_next_seq_num =
12123 			nla_get_u16(
12124 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12125 		connect.fils_erp_rrk =
12126 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12127 		connect.fils_erp_rrk_len =
12128 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12129 		changed |= UPDATE_FILS_ERP_INFO;
12130 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12131 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12132 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12133 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12134 		return -EINVAL;
12135 	}
12136 
12137 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12138 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12139 		if (!nl80211_valid_auth_type(rdev, auth_type,
12140 					     NL80211_CMD_CONNECT))
12141 			return -EINVAL;
12142 
12143 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12144 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12145 			return -EINVAL;
12146 
12147 		connect.auth_type = auth_type;
12148 		changed |= UPDATE_AUTH_TYPE;
12149 	}
12150 
12151 	wdev_lock(dev->ieee80211_ptr);
12152 	if (!wdev->connected)
12153 		ret = -ENOLINK;
12154 	else
12155 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
12156 	wdev_unlock(dev->ieee80211_ptr);
12157 
12158 	return ret;
12159 }
12160 
12161 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12162 {
12163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12164 	struct net_device *dev = info->user_ptr[1];
12165 	u16 reason;
12166 	int ret;
12167 
12168 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12169 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12170 		return -EPERM;
12171 
12172 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12173 		reason = WLAN_REASON_DEAUTH_LEAVING;
12174 	else
12175 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12176 
12177 	if (reason == 0)
12178 		return -EINVAL;
12179 
12180 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12181 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12182 		return -EOPNOTSUPP;
12183 
12184 	wdev_lock(dev->ieee80211_ptr);
12185 	ret = cfg80211_disconnect(rdev, dev, reason, true);
12186 	wdev_unlock(dev->ieee80211_ptr);
12187 	return ret;
12188 }
12189 
12190 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12191 {
12192 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12193 	struct net *net;
12194 	int err;
12195 
12196 	if (info->attrs[NL80211_ATTR_PID]) {
12197 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12198 
12199 		net = get_net_ns_by_pid(pid);
12200 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12201 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12202 
12203 		net = get_net_ns_by_fd(fd);
12204 	} else {
12205 		return -EINVAL;
12206 	}
12207 
12208 	if (IS_ERR(net))
12209 		return PTR_ERR(net);
12210 
12211 	err = 0;
12212 
12213 	/* check if anything to do */
12214 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12215 		err = cfg80211_switch_netns(rdev, net);
12216 
12217 	put_net(net);
12218 	return err;
12219 }
12220 
12221 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
12222 {
12223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12224 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
12225 			struct cfg80211_pmksa *pmksa) = NULL;
12226 	struct net_device *dev = info->user_ptr[1];
12227 	struct cfg80211_pmksa pmksa;
12228 
12229 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12230 
12231 	if (!info->attrs[NL80211_ATTR_PMKID])
12232 		return -EINVAL;
12233 
12234 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12235 
12236 	if (info->attrs[NL80211_ATTR_MAC]) {
12237 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12238 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12239 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12240 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
12241 		    info->attrs[NL80211_ATTR_PMK])) {
12242 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12243 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12244 		pmksa.cache_id =
12245 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12246 	} else {
12247 		return -EINVAL;
12248 	}
12249 	if (info->attrs[NL80211_ATTR_PMK]) {
12250 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12251 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12252 	}
12253 
12254 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12255 		pmksa.pmk_lifetime =
12256 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12257 
12258 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12259 		pmksa.pmk_reauth_threshold =
12260 			nla_get_u8(
12261 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12262 
12263 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12264 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12265 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12266 	      wiphy_ext_feature_isset(&rdev->wiphy,
12267 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12268 		return -EOPNOTSUPP;
12269 
12270 	switch (info->genlhdr->cmd) {
12271 	case NL80211_CMD_SET_PMKSA:
12272 		rdev_ops = rdev->ops->set_pmksa;
12273 		break;
12274 	case NL80211_CMD_DEL_PMKSA:
12275 		rdev_ops = rdev->ops->del_pmksa;
12276 		break;
12277 	default:
12278 		WARN_ON(1);
12279 		break;
12280 	}
12281 
12282 	if (!rdev_ops)
12283 		return -EOPNOTSUPP;
12284 
12285 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12286 }
12287 
12288 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12289 {
12290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12291 	struct net_device *dev = info->user_ptr[1];
12292 
12293 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12294 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12295 		return -EOPNOTSUPP;
12296 
12297 	if (!rdev->ops->flush_pmksa)
12298 		return -EOPNOTSUPP;
12299 
12300 	return rdev_flush_pmksa(rdev, dev);
12301 }
12302 
12303 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12304 {
12305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12306 	struct net_device *dev = info->user_ptr[1];
12307 	u8 action_code, dialog_token;
12308 	u32 peer_capability = 0;
12309 	u16 status_code;
12310 	u8 *peer;
12311 	int link_id;
12312 	bool initiator;
12313 
12314 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12315 	    !rdev->ops->tdls_mgmt)
12316 		return -EOPNOTSUPP;
12317 
12318 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12319 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12320 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12321 	    !info->attrs[NL80211_ATTR_IE] ||
12322 	    !info->attrs[NL80211_ATTR_MAC])
12323 		return -EINVAL;
12324 
12325 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12326 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12327 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12328 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12329 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12330 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12331 		peer_capability =
12332 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12333 	link_id = nl80211_link_id_or_invalid(info->attrs);
12334 
12335 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12336 			      dialog_token, status_code, peer_capability,
12337 			      initiator,
12338 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12339 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12340 }
12341 
12342 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12343 {
12344 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12345 	struct net_device *dev = info->user_ptr[1];
12346 	enum nl80211_tdls_operation operation;
12347 	u8 *peer;
12348 
12349 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12350 	    !rdev->ops->tdls_oper)
12351 		return -EOPNOTSUPP;
12352 
12353 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12354 	    !info->attrs[NL80211_ATTR_MAC])
12355 		return -EINVAL;
12356 
12357 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12358 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12359 
12360 	return rdev_tdls_oper(rdev, dev, peer, operation);
12361 }
12362 
12363 static int nl80211_remain_on_channel(struct sk_buff *skb,
12364 				     struct genl_info *info)
12365 {
12366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12367 	unsigned int link_id = nl80211_link_id(info->attrs);
12368 	struct wireless_dev *wdev = info->user_ptr[1];
12369 	struct cfg80211_chan_def chandef;
12370 	struct sk_buff *msg;
12371 	void *hdr;
12372 	u64 cookie;
12373 	u32 duration;
12374 	int err;
12375 
12376 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12377 	    !info->attrs[NL80211_ATTR_DURATION])
12378 		return -EINVAL;
12379 
12380 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12381 
12382 	if (!rdev->ops->remain_on_channel ||
12383 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12384 		return -EOPNOTSUPP;
12385 
12386 	/*
12387 	 * We should be on that channel for at least a minimum amount of
12388 	 * time (10ms) but no longer than the driver supports.
12389 	 */
12390 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12391 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12392 		return -EINVAL;
12393 
12394 	err = nl80211_parse_chandef(rdev, info, &chandef);
12395 	if (err)
12396 		return err;
12397 
12398 	wdev_lock(wdev);
12399 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12400 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12401 
12402 		oper_chandef = wdev_chandef(wdev, link_id);
12403 
12404 		if (WARN_ON(!oper_chandef)) {
12405 			/* cannot happen since we must beacon to get here */
12406 			WARN_ON(1);
12407 			wdev_unlock(wdev);
12408 			return -EBUSY;
12409 		}
12410 
12411 		/* note: returns first one if identical chandefs */
12412 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12413 							     oper_chandef);
12414 
12415 		if (compat_chandef != &chandef) {
12416 			wdev_unlock(wdev);
12417 			return -EBUSY;
12418 		}
12419 	}
12420 	wdev_unlock(wdev);
12421 
12422 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12423 	if (!msg)
12424 		return -ENOMEM;
12425 
12426 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12427 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12428 	if (!hdr) {
12429 		err = -ENOBUFS;
12430 		goto free_msg;
12431 	}
12432 
12433 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12434 				     duration, &cookie);
12435 
12436 	if (err)
12437 		goto free_msg;
12438 
12439 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12440 			      NL80211_ATTR_PAD))
12441 		goto nla_put_failure;
12442 
12443 	genlmsg_end(msg, hdr);
12444 
12445 	return genlmsg_reply(msg, info);
12446 
12447  nla_put_failure:
12448 	err = -ENOBUFS;
12449  free_msg:
12450 	nlmsg_free(msg);
12451 	return err;
12452 }
12453 
12454 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12455 					    struct genl_info *info)
12456 {
12457 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12458 	struct wireless_dev *wdev = info->user_ptr[1];
12459 	u64 cookie;
12460 
12461 	if (!info->attrs[NL80211_ATTR_COOKIE])
12462 		return -EINVAL;
12463 
12464 	if (!rdev->ops->cancel_remain_on_channel)
12465 		return -EOPNOTSUPP;
12466 
12467 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12468 
12469 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12470 }
12471 
12472 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12473 				       struct genl_info *info)
12474 {
12475 	struct cfg80211_bitrate_mask mask;
12476 	unsigned int link_id = nl80211_link_id(info->attrs);
12477 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12478 	struct net_device *dev = info->user_ptr[1];
12479 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12480 	int err;
12481 
12482 	if (!rdev->ops->set_bitrate_mask)
12483 		return -EOPNOTSUPP;
12484 
12485 	wdev_lock(wdev);
12486 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12487 					    NL80211_ATTR_TX_RATES, &mask,
12488 					    dev, true, link_id);
12489 	if (err)
12490 		goto out;
12491 
12492 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12493 out:
12494 	wdev_unlock(wdev);
12495 	return err;
12496 }
12497 
12498 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12499 {
12500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12501 	struct wireless_dev *wdev = info->user_ptr[1];
12502 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12503 
12504 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12505 		return -EINVAL;
12506 
12507 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12508 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12509 
12510 	switch (wdev->iftype) {
12511 	case NL80211_IFTYPE_STATION:
12512 	case NL80211_IFTYPE_ADHOC:
12513 	case NL80211_IFTYPE_P2P_CLIENT:
12514 	case NL80211_IFTYPE_AP:
12515 	case NL80211_IFTYPE_AP_VLAN:
12516 	case NL80211_IFTYPE_MESH_POINT:
12517 	case NL80211_IFTYPE_P2P_GO:
12518 	case NL80211_IFTYPE_P2P_DEVICE:
12519 		break;
12520 	case NL80211_IFTYPE_NAN:
12521 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12522 					     NL80211_EXT_FEATURE_SECURE_NAN))
12523 			return -EOPNOTSUPP;
12524 		break;
12525 	default:
12526 		return -EOPNOTSUPP;
12527 	}
12528 
12529 	/* not much point in registering if we can't reply */
12530 	if (!rdev->ops->mgmt_tx)
12531 		return -EOPNOTSUPP;
12532 
12533 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12534 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12535 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12536 		GENL_SET_ERR_MSG(info,
12537 				 "multicast RX registrations are not supported");
12538 		return -EOPNOTSUPP;
12539 	}
12540 
12541 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12542 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12543 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12544 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12545 					   info->extack);
12546 }
12547 
12548 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12549 {
12550 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12551 	struct wireless_dev *wdev = info->user_ptr[1];
12552 	struct cfg80211_chan_def chandef;
12553 	int err;
12554 	void *hdr = NULL;
12555 	u64 cookie;
12556 	struct sk_buff *msg = NULL;
12557 	struct cfg80211_mgmt_tx_params params = {
12558 		.dont_wait_for_ack =
12559 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12560 	};
12561 
12562 	if (!info->attrs[NL80211_ATTR_FRAME])
12563 		return -EINVAL;
12564 
12565 	if (!rdev->ops->mgmt_tx)
12566 		return -EOPNOTSUPP;
12567 
12568 	switch (wdev->iftype) {
12569 	case NL80211_IFTYPE_P2P_DEVICE:
12570 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12571 			return -EINVAL;
12572 		break;
12573 	case NL80211_IFTYPE_STATION:
12574 	case NL80211_IFTYPE_ADHOC:
12575 	case NL80211_IFTYPE_P2P_CLIENT:
12576 	case NL80211_IFTYPE_AP:
12577 	case NL80211_IFTYPE_AP_VLAN:
12578 	case NL80211_IFTYPE_MESH_POINT:
12579 	case NL80211_IFTYPE_P2P_GO:
12580 		break;
12581 	case NL80211_IFTYPE_NAN:
12582 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12583 					     NL80211_EXT_FEATURE_SECURE_NAN))
12584 			return -EOPNOTSUPP;
12585 		break;
12586 	default:
12587 		return -EOPNOTSUPP;
12588 	}
12589 
12590 	if (info->attrs[NL80211_ATTR_DURATION]) {
12591 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12592 			return -EINVAL;
12593 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12594 
12595 		/*
12596 		 * We should wait on the channel for at least a minimum amount
12597 		 * of time (10ms) but no longer than the driver supports.
12598 		 */
12599 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12600 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12601 			return -EINVAL;
12602 	}
12603 
12604 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12605 
12606 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12607 		return -EINVAL;
12608 
12609 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12610 
12611 	/* get the channel if any has been specified, otherwise pass NULL to
12612 	 * the driver. The latter will use the current one
12613 	 */
12614 	chandef.chan = NULL;
12615 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12616 		err = nl80211_parse_chandef(rdev, info, &chandef);
12617 		if (err)
12618 			return err;
12619 	}
12620 
12621 	if (!chandef.chan && params.offchan)
12622 		return -EINVAL;
12623 
12624 	wdev_lock(wdev);
12625 	if (params.offchan &&
12626 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12627 		wdev_unlock(wdev);
12628 		return -EBUSY;
12629 	}
12630 
12631 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12632 	/*
12633 	 * This now races due to the unlock, but we cannot check
12634 	 * the valid links for the _station_ anyway, so that's up
12635 	 * to the driver.
12636 	 */
12637 	if (params.link_id >= 0 &&
12638 	    !(wdev->valid_links & BIT(params.link_id))) {
12639 		wdev_unlock(wdev);
12640 		return -EINVAL;
12641 	}
12642 	wdev_unlock(wdev);
12643 
12644 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12645 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12646 
12647 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12648 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12649 		int i;
12650 
12651 		if (len % sizeof(u16))
12652 			return -EINVAL;
12653 
12654 		params.n_csa_offsets = len / sizeof(u16);
12655 		params.csa_offsets =
12656 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12657 
12658 		/* check that all the offsets fit the frame */
12659 		for (i = 0; i < params.n_csa_offsets; i++) {
12660 			if (params.csa_offsets[i] >= params.len)
12661 				return -EINVAL;
12662 		}
12663 	}
12664 
12665 	if (!params.dont_wait_for_ack) {
12666 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12667 		if (!msg)
12668 			return -ENOMEM;
12669 
12670 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12671 				     NL80211_CMD_FRAME);
12672 		if (!hdr) {
12673 			err = -ENOBUFS;
12674 			goto free_msg;
12675 		}
12676 	}
12677 
12678 	params.chan = chandef.chan;
12679 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12680 	if (err)
12681 		goto free_msg;
12682 
12683 	if (msg) {
12684 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12685 				      NL80211_ATTR_PAD))
12686 			goto nla_put_failure;
12687 
12688 		genlmsg_end(msg, hdr);
12689 		return genlmsg_reply(msg, info);
12690 	}
12691 
12692 	return 0;
12693 
12694  nla_put_failure:
12695 	err = -ENOBUFS;
12696  free_msg:
12697 	nlmsg_free(msg);
12698 	return err;
12699 }
12700 
12701 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12702 {
12703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12704 	struct wireless_dev *wdev = info->user_ptr[1];
12705 	u64 cookie;
12706 
12707 	if (!info->attrs[NL80211_ATTR_COOKIE])
12708 		return -EINVAL;
12709 
12710 	if (!rdev->ops->mgmt_tx_cancel_wait)
12711 		return -EOPNOTSUPP;
12712 
12713 	switch (wdev->iftype) {
12714 	case NL80211_IFTYPE_STATION:
12715 	case NL80211_IFTYPE_ADHOC:
12716 	case NL80211_IFTYPE_P2P_CLIENT:
12717 	case NL80211_IFTYPE_AP:
12718 	case NL80211_IFTYPE_AP_VLAN:
12719 	case NL80211_IFTYPE_P2P_GO:
12720 	case NL80211_IFTYPE_P2P_DEVICE:
12721 		break;
12722 	case NL80211_IFTYPE_NAN:
12723 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12724 					     NL80211_EXT_FEATURE_SECURE_NAN))
12725 			return -EOPNOTSUPP;
12726 		break;
12727 	default:
12728 		return -EOPNOTSUPP;
12729 	}
12730 
12731 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12732 
12733 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12734 }
12735 
12736 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12737 {
12738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12739 	struct wireless_dev *wdev;
12740 	struct net_device *dev = info->user_ptr[1];
12741 	u8 ps_state;
12742 	bool state;
12743 	int err;
12744 
12745 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12746 		return -EINVAL;
12747 
12748 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12749 
12750 	wdev = dev->ieee80211_ptr;
12751 
12752 	if (!rdev->ops->set_power_mgmt)
12753 		return -EOPNOTSUPP;
12754 
12755 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12756 
12757 	if (state == wdev->ps)
12758 		return 0;
12759 
12760 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12761 	if (!err)
12762 		wdev->ps = state;
12763 	return err;
12764 }
12765 
12766 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12767 {
12768 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12769 	enum nl80211_ps_state ps_state;
12770 	struct wireless_dev *wdev;
12771 	struct net_device *dev = info->user_ptr[1];
12772 	struct sk_buff *msg;
12773 	void *hdr;
12774 	int err;
12775 
12776 	wdev = dev->ieee80211_ptr;
12777 
12778 	if (!rdev->ops->set_power_mgmt)
12779 		return -EOPNOTSUPP;
12780 
12781 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12782 	if (!msg)
12783 		return -ENOMEM;
12784 
12785 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12786 			     NL80211_CMD_GET_POWER_SAVE);
12787 	if (!hdr) {
12788 		err = -ENOBUFS;
12789 		goto free_msg;
12790 	}
12791 
12792 	if (wdev->ps)
12793 		ps_state = NL80211_PS_ENABLED;
12794 	else
12795 		ps_state = NL80211_PS_DISABLED;
12796 
12797 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12798 		goto nla_put_failure;
12799 
12800 	genlmsg_end(msg, hdr);
12801 	return genlmsg_reply(msg, info);
12802 
12803  nla_put_failure:
12804 	err = -ENOBUFS;
12805  free_msg:
12806 	nlmsg_free(msg);
12807 	return err;
12808 }
12809 
12810 static const struct nla_policy
12811 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12812 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12813 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12814 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12815 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12816 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12817 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12818 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12819 };
12820 
12821 static int nl80211_set_cqm_txe(struct genl_info *info,
12822 			       u32 rate, u32 pkts, u32 intvl)
12823 {
12824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12825 	struct net_device *dev = info->user_ptr[1];
12826 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12827 
12828 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12829 		return -EINVAL;
12830 
12831 	if (!rdev->ops->set_cqm_txe_config)
12832 		return -EOPNOTSUPP;
12833 
12834 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12835 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12836 		return -EOPNOTSUPP;
12837 
12838 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12839 }
12840 
12841 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12842 				    struct net_device *dev,
12843 				    struct cfg80211_cqm_config *cqm_config)
12844 {
12845 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12846 	s32 last, low, high;
12847 	u32 hyst;
12848 	int i, n, low_index;
12849 	int err;
12850 
12851 	/*
12852 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12853 	 * event has been received yet, we should receive an event after a
12854 	 * connection is established and enough beacons received to calculate
12855 	 * the average.
12856 	 */
12857 	if (!cqm_config->last_rssi_event_value &&
12858 	    wdev->links[0].client.current_bss &&
12859 	    rdev->ops->get_station) {
12860 		struct station_info sinfo = {};
12861 		u8 *mac_addr;
12862 
12863 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12864 
12865 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12866 		if (err)
12867 			return err;
12868 
12869 		cfg80211_sinfo_release_content(&sinfo);
12870 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12871 			cqm_config->last_rssi_event_value =
12872 				(s8) sinfo.rx_beacon_signal_avg;
12873 	}
12874 
12875 	last = cqm_config->last_rssi_event_value;
12876 	hyst = cqm_config->rssi_hyst;
12877 	n = cqm_config->n_rssi_thresholds;
12878 
12879 	for (i = 0; i < n; i++) {
12880 		i = array_index_nospec(i, n);
12881 		if (last < cqm_config->rssi_thresholds[i])
12882 			break;
12883 	}
12884 
12885 	low_index = i - 1;
12886 	if (low_index >= 0) {
12887 		low_index = array_index_nospec(low_index, n);
12888 		low = cqm_config->rssi_thresholds[low_index] - hyst;
12889 	} else {
12890 		low = S32_MIN;
12891 	}
12892 	if (i < n) {
12893 		i = array_index_nospec(i, n);
12894 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
12895 	} else {
12896 		high = S32_MAX;
12897 	}
12898 
12899 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12900 }
12901 
12902 static int nl80211_set_cqm_rssi(struct genl_info *info,
12903 				const s32 *thresholds, int n_thresholds,
12904 				u32 hysteresis)
12905 {
12906 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12907 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
12908 	struct net_device *dev = info->user_ptr[1];
12909 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12910 	int i, err;
12911 	s32 prev = S32_MIN;
12912 
12913 	/* Check all values negative and sorted */
12914 	for (i = 0; i < n_thresholds; i++) {
12915 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12916 			return -EINVAL;
12917 
12918 		prev = thresholds[i];
12919 	}
12920 
12921 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12922 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12923 		return -EOPNOTSUPP;
12924 
12925 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12926 		n_thresholds = 0;
12927 
12928 	wdev_lock(wdev);
12929 	old = rcu_dereference_protected(wdev->cqm_config,
12930 					lockdep_is_held(&wdev->mtx));
12931 
12932 	/* if already disabled just succeed */
12933 	if (!n_thresholds && !old) {
12934 		err = 0;
12935 		goto unlock;
12936 	}
12937 
12938 	if (n_thresholds > 1) {
12939 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12940 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
12941 		    !rdev->ops->set_cqm_rssi_range_config) {
12942 			err = -EOPNOTSUPP;
12943 			goto unlock;
12944 		}
12945 	} else {
12946 		if (!rdev->ops->set_cqm_rssi_config) {
12947 			err = -EOPNOTSUPP;
12948 			goto unlock;
12949 		}
12950 	}
12951 
12952 	if (n_thresholds) {
12953 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12954 						 n_thresholds),
12955 				     GFP_KERNEL);
12956 		if (!cqm_config) {
12957 			err = -ENOMEM;
12958 			goto unlock;
12959 		}
12960 
12961 		cqm_config->rssi_hyst = hysteresis;
12962 		cqm_config->n_rssi_thresholds = n_thresholds;
12963 		memcpy(cqm_config->rssi_thresholds, thresholds,
12964 		       flex_array_size(cqm_config, rssi_thresholds,
12965 				       n_thresholds));
12966 		cqm_config->use_range_api = n_thresholds > 1 ||
12967 					    !rdev->ops->set_cqm_rssi_config;
12968 
12969 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
12970 
12971 		if (cqm_config->use_range_api)
12972 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
12973 		else
12974 			err = rdev_set_cqm_rssi_config(rdev, dev,
12975 						       thresholds[0],
12976 						       hysteresis);
12977 	} else {
12978 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
12979 		/* if enabled as range also disable via range */
12980 		if (old->use_range_api)
12981 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12982 		else
12983 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12984 	}
12985 
12986 	if (err) {
12987 		rcu_assign_pointer(wdev->cqm_config, old);
12988 		kfree_rcu(cqm_config, rcu_head);
12989 	} else {
12990 		kfree_rcu(old, rcu_head);
12991 	}
12992 unlock:
12993 	wdev_unlock(wdev);
12994 
12995 	return err;
12996 }
12997 
12998 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12999 {
13000 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13001 	struct nlattr *cqm;
13002 	int err;
13003 
13004 	cqm = info->attrs[NL80211_ATTR_CQM];
13005 	if (!cqm)
13006 		return -EINVAL;
13007 
13008 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13009 					  nl80211_attr_cqm_policy,
13010 					  info->extack);
13011 	if (err)
13012 		return err;
13013 
13014 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13015 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13016 		const s32 *thresholds =
13017 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13018 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13019 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13020 
13021 		if (len % 4)
13022 			return -EINVAL;
13023 
13024 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13025 					    hysteresis);
13026 	}
13027 
13028 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13029 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13030 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13031 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13032 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13033 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13034 
13035 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13036 	}
13037 
13038 	return -EINVAL;
13039 }
13040 
13041 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13042 {
13043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13044 	struct net_device *dev = info->user_ptr[1];
13045 	struct ocb_setup setup = {};
13046 	int err;
13047 
13048 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13049 	if (err)
13050 		return err;
13051 
13052 	return cfg80211_join_ocb(rdev, dev, &setup);
13053 }
13054 
13055 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13056 {
13057 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13058 	struct net_device *dev = info->user_ptr[1];
13059 
13060 	return cfg80211_leave_ocb(rdev, dev);
13061 }
13062 
13063 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13064 {
13065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13066 	struct net_device *dev = info->user_ptr[1];
13067 	struct mesh_config cfg;
13068 	struct mesh_setup setup;
13069 	int err;
13070 
13071 	/* start with default */
13072 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13073 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13074 
13075 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13076 		/* and parse parameters if given */
13077 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13078 		if (err)
13079 			return err;
13080 	}
13081 
13082 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13083 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13084 		return -EINVAL;
13085 
13086 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13087 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13088 
13089 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13090 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13091 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13092 			return -EINVAL;
13093 
13094 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13095 		setup.beacon_interval =
13096 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13097 
13098 		err = cfg80211_validate_beacon_int(rdev,
13099 						   NL80211_IFTYPE_MESH_POINT,
13100 						   setup.beacon_interval);
13101 		if (err)
13102 			return err;
13103 	}
13104 
13105 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13106 		setup.dtim_period =
13107 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13108 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13109 			return -EINVAL;
13110 	}
13111 
13112 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13113 		/* parse additional setup parameters if given */
13114 		err = nl80211_parse_mesh_setup(info, &setup);
13115 		if (err)
13116 			return err;
13117 	}
13118 
13119 	if (setup.user_mpm)
13120 		cfg.auto_open_plinks = false;
13121 
13122 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13123 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13124 		if (err)
13125 			return err;
13126 	} else {
13127 		/* __cfg80211_join_mesh() will sort it out */
13128 		setup.chandef.chan = NULL;
13129 	}
13130 
13131 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13132 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13133 		int n_rates =
13134 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13135 		struct ieee80211_supported_band *sband;
13136 
13137 		if (!setup.chandef.chan)
13138 			return -EINVAL;
13139 
13140 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13141 
13142 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13143 					     &setup.basic_rates);
13144 		if (err)
13145 			return err;
13146 	}
13147 
13148 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13149 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13150 						    NL80211_ATTR_TX_RATES,
13151 						    &setup.beacon_rate,
13152 						    dev, false, 0);
13153 		if (err)
13154 			return err;
13155 
13156 		if (!setup.chandef.chan)
13157 			return -EINVAL;
13158 
13159 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13160 					      &setup.beacon_rate);
13161 		if (err)
13162 			return err;
13163 	}
13164 
13165 	setup.userspace_handles_dfs =
13166 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13167 
13168 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13169 		int r = validate_pae_over_nl80211(rdev, info);
13170 
13171 		if (r < 0)
13172 			return r;
13173 
13174 		setup.control_port_over_nl80211 = true;
13175 	}
13176 
13177 	wdev_lock(dev->ieee80211_ptr);
13178 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13179 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13180 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13181 	wdev_unlock(dev->ieee80211_ptr);
13182 
13183 	return err;
13184 }
13185 
13186 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13187 {
13188 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13189 	struct net_device *dev = info->user_ptr[1];
13190 
13191 	return cfg80211_leave_mesh(rdev, dev);
13192 }
13193 
13194 #ifdef CONFIG_PM
13195 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13196 					struct cfg80211_registered_device *rdev)
13197 {
13198 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13199 	struct nlattr *nl_pats, *nl_pat;
13200 	int i, pat_len;
13201 
13202 	if (!wowlan->n_patterns)
13203 		return 0;
13204 
13205 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13206 	if (!nl_pats)
13207 		return -ENOBUFS;
13208 
13209 	for (i = 0; i < wowlan->n_patterns; i++) {
13210 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13211 		if (!nl_pat)
13212 			return -ENOBUFS;
13213 		pat_len = wowlan->patterns[i].pattern_len;
13214 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13215 			    wowlan->patterns[i].mask) ||
13216 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13217 			    wowlan->patterns[i].pattern) ||
13218 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13219 				wowlan->patterns[i].pkt_offset))
13220 			return -ENOBUFS;
13221 		nla_nest_end(msg, nl_pat);
13222 	}
13223 	nla_nest_end(msg, nl_pats);
13224 
13225 	return 0;
13226 }
13227 
13228 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13229 				   struct cfg80211_wowlan_tcp *tcp)
13230 {
13231 	struct nlattr *nl_tcp;
13232 
13233 	if (!tcp)
13234 		return 0;
13235 
13236 	nl_tcp = nla_nest_start_noflag(msg,
13237 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13238 	if (!nl_tcp)
13239 		return -ENOBUFS;
13240 
13241 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13242 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13243 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13244 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13245 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13246 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13247 		    tcp->payload_len, tcp->payload) ||
13248 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13249 			tcp->data_interval) ||
13250 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13251 		    tcp->wake_len, tcp->wake_data) ||
13252 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13253 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13254 		return -ENOBUFS;
13255 
13256 	if (tcp->payload_seq.len &&
13257 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13258 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13259 		return -ENOBUFS;
13260 
13261 	if (tcp->payload_tok.len &&
13262 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13263 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13264 		    &tcp->payload_tok))
13265 		return -ENOBUFS;
13266 
13267 	nla_nest_end(msg, nl_tcp);
13268 
13269 	return 0;
13270 }
13271 
13272 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13273 				  struct cfg80211_sched_scan_request *req)
13274 {
13275 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13276 	int i;
13277 
13278 	if (!req)
13279 		return 0;
13280 
13281 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13282 	if (!nd)
13283 		return -ENOBUFS;
13284 
13285 	if (req->n_scan_plans == 1 &&
13286 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13287 			req->scan_plans[0].interval * 1000))
13288 		return -ENOBUFS;
13289 
13290 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13291 		return -ENOBUFS;
13292 
13293 	if (req->relative_rssi_set) {
13294 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13295 
13296 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13297 			       req->relative_rssi))
13298 			return -ENOBUFS;
13299 
13300 		rssi_adjust.band = req->rssi_adjust.band;
13301 		rssi_adjust.delta = req->rssi_adjust.delta;
13302 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13303 			    sizeof(rssi_adjust), &rssi_adjust))
13304 			return -ENOBUFS;
13305 	}
13306 
13307 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13308 	if (!freqs)
13309 		return -ENOBUFS;
13310 
13311 	for (i = 0; i < req->n_channels; i++) {
13312 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13313 			return -ENOBUFS;
13314 	}
13315 
13316 	nla_nest_end(msg, freqs);
13317 
13318 	if (req->n_match_sets) {
13319 		matches = nla_nest_start_noflag(msg,
13320 						NL80211_ATTR_SCHED_SCAN_MATCH);
13321 		if (!matches)
13322 			return -ENOBUFS;
13323 
13324 		for (i = 0; i < req->n_match_sets; i++) {
13325 			match = nla_nest_start_noflag(msg, i);
13326 			if (!match)
13327 				return -ENOBUFS;
13328 
13329 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13330 				    req->match_sets[i].ssid.ssid_len,
13331 				    req->match_sets[i].ssid.ssid))
13332 				return -ENOBUFS;
13333 			nla_nest_end(msg, match);
13334 		}
13335 		nla_nest_end(msg, matches);
13336 	}
13337 
13338 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13339 	if (!scan_plans)
13340 		return -ENOBUFS;
13341 
13342 	for (i = 0; i < req->n_scan_plans; i++) {
13343 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13344 		if (!scan_plan)
13345 			return -ENOBUFS;
13346 
13347 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13348 				req->scan_plans[i].interval) ||
13349 		    (req->scan_plans[i].iterations &&
13350 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13351 				 req->scan_plans[i].iterations)))
13352 			return -ENOBUFS;
13353 		nla_nest_end(msg, scan_plan);
13354 	}
13355 	nla_nest_end(msg, scan_plans);
13356 
13357 	nla_nest_end(msg, nd);
13358 
13359 	return 0;
13360 }
13361 
13362 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13363 {
13364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13365 	struct sk_buff *msg;
13366 	void *hdr;
13367 	u32 size = NLMSG_DEFAULT_SIZE;
13368 
13369 	if (!rdev->wiphy.wowlan)
13370 		return -EOPNOTSUPP;
13371 
13372 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13373 		/* adjust size to have room for all the data */
13374 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13375 			rdev->wiphy.wowlan_config->tcp->payload_len +
13376 			rdev->wiphy.wowlan_config->tcp->wake_len +
13377 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13378 	}
13379 
13380 	msg = nlmsg_new(size, GFP_KERNEL);
13381 	if (!msg)
13382 		return -ENOMEM;
13383 
13384 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13385 			     NL80211_CMD_GET_WOWLAN);
13386 	if (!hdr)
13387 		goto nla_put_failure;
13388 
13389 	if (rdev->wiphy.wowlan_config) {
13390 		struct nlattr *nl_wowlan;
13391 
13392 		nl_wowlan = nla_nest_start_noflag(msg,
13393 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13394 		if (!nl_wowlan)
13395 			goto nla_put_failure;
13396 
13397 		if ((rdev->wiphy.wowlan_config->any &&
13398 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13399 		    (rdev->wiphy.wowlan_config->disconnect &&
13400 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13401 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13402 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13403 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13404 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13405 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13406 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13407 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13408 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13409 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13410 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13411 			goto nla_put_failure;
13412 
13413 		if (nl80211_send_wowlan_patterns(msg, rdev))
13414 			goto nla_put_failure;
13415 
13416 		if (nl80211_send_wowlan_tcp(msg,
13417 					    rdev->wiphy.wowlan_config->tcp))
13418 			goto nla_put_failure;
13419 
13420 		if (nl80211_send_wowlan_nd(
13421 			    msg,
13422 			    rdev->wiphy.wowlan_config->nd_config))
13423 			goto nla_put_failure;
13424 
13425 		nla_nest_end(msg, nl_wowlan);
13426 	}
13427 
13428 	genlmsg_end(msg, hdr);
13429 	return genlmsg_reply(msg, info);
13430 
13431 nla_put_failure:
13432 	nlmsg_free(msg);
13433 	return -ENOBUFS;
13434 }
13435 
13436 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13437 				    struct nlattr *attr,
13438 				    struct cfg80211_wowlan *trig)
13439 {
13440 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13441 	struct cfg80211_wowlan_tcp *cfg;
13442 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13443 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13444 	u32 size;
13445 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13446 	int err, port;
13447 
13448 	if (!rdev->wiphy.wowlan->tcp)
13449 		return -EINVAL;
13450 
13451 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13452 					  nl80211_wowlan_tcp_policy, NULL);
13453 	if (err)
13454 		return err;
13455 
13456 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13457 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13458 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13459 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13460 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13461 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13462 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13463 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13464 		return -EINVAL;
13465 
13466 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13467 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13468 		return -EINVAL;
13469 
13470 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13471 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13472 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13473 		return -EINVAL;
13474 
13475 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13476 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13477 		return -EINVAL;
13478 
13479 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13480 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13481 		return -EINVAL;
13482 
13483 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13484 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13485 
13486 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13487 		tokens_size = tokln - sizeof(*tok);
13488 
13489 		if (!tok->len || tokens_size % tok->len)
13490 			return -EINVAL;
13491 		if (!rdev->wiphy.wowlan->tcp->tok)
13492 			return -EINVAL;
13493 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13494 			return -EINVAL;
13495 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13496 			return -EINVAL;
13497 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13498 			return -EINVAL;
13499 		if (tok->offset + tok->len > data_size)
13500 			return -EINVAL;
13501 	}
13502 
13503 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13504 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13505 		if (!rdev->wiphy.wowlan->tcp->seq)
13506 			return -EINVAL;
13507 		if (seq->len == 0 || seq->len > 4)
13508 			return -EINVAL;
13509 		if (seq->len + seq->offset > data_size)
13510 			return -EINVAL;
13511 	}
13512 
13513 	size = sizeof(*cfg);
13514 	size += data_size;
13515 	size += wake_size + wake_mask_size;
13516 	size += tokens_size;
13517 
13518 	cfg = kzalloc(size, GFP_KERNEL);
13519 	if (!cfg)
13520 		return -ENOMEM;
13521 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13522 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13523 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13524 	       ETH_ALEN);
13525 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13526 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13527 	else
13528 		port = 0;
13529 #ifdef CONFIG_INET
13530 	/* allocate a socket and port for it and use it */
13531 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13532 			    IPPROTO_TCP, &cfg->sock, 1);
13533 	if (err) {
13534 		kfree(cfg);
13535 		return err;
13536 	}
13537 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13538 		sock_release(cfg->sock);
13539 		kfree(cfg);
13540 		return -EADDRINUSE;
13541 	}
13542 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13543 #else
13544 	if (!port) {
13545 		kfree(cfg);
13546 		return -EINVAL;
13547 	}
13548 	cfg->src_port = port;
13549 #endif
13550 
13551 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13552 	cfg->payload_len = data_size;
13553 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13554 	memcpy((void *)cfg->payload,
13555 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13556 	       data_size);
13557 	if (seq)
13558 		cfg->payload_seq = *seq;
13559 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13560 	cfg->wake_len = wake_size;
13561 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13562 	memcpy((void *)cfg->wake_data,
13563 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13564 	       wake_size);
13565 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13566 			 data_size + wake_size;
13567 	memcpy((void *)cfg->wake_mask,
13568 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13569 	       wake_mask_size);
13570 	if (tok) {
13571 		cfg->tokens_size = tokens_size;
13572 		cfg->payload_tok = *tok;
13573 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13574 		       tokens_size);
13575 	}
13576 
13577 	trig->tcp = cfg;
13578 
13579 	return 0;
13580 }
13581 
13582 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13583 				   const struct wiphy_wowlan_support *wowlan,
13584 				   struct nlattr *attr,
13585 				   struct cfg80211_wowlan *trig)
13586 {
13587 	struct nlattr **tb;
13588 	int err;
13589 
13590 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13591 	if (!tb)
13592 		return -ENOMEM;
13593 
13594 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13595 		err = -EOPNOTSUPP;
13596 		goto out;
13597 	}
13598 
13599 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13600 					  nl80211_policy, NULL);
13601 	if (err)
13602 		goto out;
13603 
13604 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13605 						   wowlan->max_nd_match_sets);
13606 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13607 	if (err)
13608 		trig->nd_config = NULL;
13609 
13610 out:
13611 	kfree(tb);
13612 	return err;
13613 }
13614 
13615 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13616 {
13617 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13618 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13619 	struct cfg80211_wowlan new_triggers = {};
13620 	struct cfg80211_wowlan *ntrig;
13621 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13622 	int err, i;
13623 	bool prev_enabled = rdev->wiphy.wowlan_config;
13624 	bool regular = false;
13625 
13626 	if (!wowlan)
13627 		return -EOPNOTSUPP;
13628 
13629 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13630 		cfg80211_rdev_free_wowlan(rdev);
13631 		rdev->wiphy.wowlan_config = NULL;
13632 		goto set_wakeup;
13633 	}
13634 
13635 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13636 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13637 					  nl80211_wowlan_policy, info->extack);
13638 	if (err)
13639 		return err;
13640 
13641 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13642 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13643 			return -EINVAL;
13644 		new_triggers.any = true;
13645 	}
13646 
13647 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13648 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13649 			return -EINVAL;
13650 		new_triggers.disconnect = true;
13651 		regular = true;
13652 	}
13653 
13654 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13655 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13656 			return -EINVAL;
13657 		new_triggers.magic_pkt = true;
13658 		regular = true;
13659 	}
13660 
13661 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13662 		return -EINVAL;
13663 
13664 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13665 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13666 			return -EINVAL;
13667 		new_triggers.gtk_rekey_failure = true;
13668 		regular = true;
13669 	}
13670 
13671 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13672 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13673 			return -EINVAL;
13674 		new_triggers.eap_identity_req = true;
13675 		regular = true;
13676 	}
13677 
13678 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13679 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13680 			return -EINVAL;
13681 		new_triggers.four_way_handshake = true;
13682 		regular = true;
13683 	}
13684 
13685 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13686 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13687 			return -EINVAL;
13688 		new_triggers.rfkill_release = true;
13689 		regular = true;
13690 	}
13691 
13692 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13693 		struct nlattr *pat;
13694 		int n_patterns = 0;
13695 		int rem, pat_len, mask_len, pkt_offset;
13696 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13697 
13698 		regular = true;
13699 
13700 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13701 				    rem)
13702 			n_patterns++;
13703 		if (n_patterns > wowlan->n_patterns)
13704 			return -EINVAL;
13705 
13706 		new_triggers.patterns = kcalloc(n_patterns,
13707 						sizeof(new_triggers.patterns[0]),
13708 						GFP_KERNEL);
13709 		if (!new_triggers.patterns)
13710 			return -ENOMEM;
13711 
13712 		new_triggers.n_patterns = n_patterns;
13713 		i = 0;
13714 
13715 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13716 				    rem) {
13717 			u8 *mask_pat;
13718 
13719 			err = nla_parse_nested_deprecated(pat_tb,
13720 							  MAX_NL80211_PKTPAT,
13721 							  pat,
13722 							  nl80211_packet_pattern_policy,
13723 							  info->extack);
13724 			if (err)
13725 				goto error;
13726 
13727 			err = -EINVAL;
13728 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13729 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13730 				goto error;
13731 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13732 			mask_len = DIV_ROUND_UP(pat_len, 8);
13733 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13734 				goto error;
13735 			if (pat_len > wowlan->pattern_max_len ||
13736 			    pat_len < wowlan->pattern_min_len)
13737 				goto error;
13738 
13739 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13740 				pkt_offset = 0;
13741 			else
13742 				pkt_offset = nla_get_u32(
13743 					pat_tb[NL80211_PKTPAT_OFFSET]);
13744 			if (pkt_offset > wowlan->max_pkt_offset)
13745 				goto error;
13746 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13747 
13748 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13749 			if (!mask_pat) {
13750 				err = -ENOMEM;
13751 				goto error;
13752 			}
13753 			new_triggers.patterns[i].mask = mask_pat;
13754 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13755 			       mask_len);
13756 			mask_pat += mask_len;
13757 			new_triggers.patterns[i].pattern = mask_pat;
13758 			new_triggers.patterns[i].pattern_len = pat_len;
13759 			memcpy(mask_pat,
13760 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13761 			       pat_len);
13762 			i++;
13763 		}
13764 	}
13765 
13766 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13767 		regular = true;
13768 		err = nl80211_parse_wowlan_tcp(
13769 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13770 			&new_triggers);
13771 		if (err)
13772 			goto error;
13773 	}
13774 
13775 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13776 		regular = true;
13777 		err = nl80211_parse_wowlan_nd(
13778 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13779 			&new_triggers);
13780 		if (err)
13781 			goto error;
13782 	}
13783 
13784 	/* The 'any' trigger means the device continues operating more or less
13785 	 * as in its normal operation mode and wakes up the host on most of the
13786 	 * normal interrupts (like packet RX, ...)
13787 	 * It therefore makes little sense to combine with the more constrained
13788 	 * wakeup trigger modes.
13789 	 */
13790 	if (new_triggers.any && regular) {
13791 		err = -EINVAL;
13792 		goto error;
13793 	}
13794 
13795 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13796 	if (!ntrig) {
13797 		err = -ENOMEM;
13798 		goto error;
13799 	}
13800 	cfg80211_rdev_free_wowlan(rdev);
13801 	rdev->wiphy.wowlan_config = ntrig;
13802 
13803  set_wakeup:
13804 	if (rdev->ops->set_wakeup &&
13805 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13806 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13807 
13808 	return 0;
13809  error:
13810 	for (i = 0; i < new_triggers.n_patterns; i++)
13811 		kfree(new_triggers.patterns[i].mask);
13812 	kfree(new_triggers.patterns);
13813 	if (new_triggers.tcp && new_triggers.tcp->sock)
13814 		sock_release(new_triggers.tcp->sock);
13815 	kfree(new_triggers.tcp);
13816 	kfree(new_triggers.nd_config);
13817 	return err;
13818 }
13819 #endif
13820 
13821 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13822 				       struct cfg80211_registered_device *rdev)
13823 {
13824 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13825 	int i, j, pat_len;
13826 	struct cfg80211_coalesce_rules *rule;
13827 
13828 	if (!rdev->coalesce->n_rules)
13829 		return 0;
13830 
13831 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13832 	if (!nl_rules)
13833 		return -ENOBUFS;
13834 
13835 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13836 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13837 		if (!nl_rule)
13838 			return -ENOBUFS;
13839 
13840 		rule = &rdev->coalesce->rules[i];
13841 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13842 				rule->delay))
13843 			return -ENOBUFS;
13844 
13845 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13846 				rule->condition))
13847 			return -ENOBUFS;
13848 
13849 		nl_pats = nla_nest_start_noflag(msg,
13850 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13851 		if (!nl_pats)
13852 			return -ENOBUFS;
13853 
13854 		for (j = 0; j < rule->n_patterns; j++) {
13855 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13856 			if (!nl_pat)
13857 				return -ENOBUFS;
13858 			pat_len = rule->patterns[j].pattern_len;
13859 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13860 				    DIV_ROUND_UP(pat_len, 8),
13861 				    rule->patterns[j].mask) ||
13862 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13863 				    rule->patterns[j].pattern) ||
13864 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13865 					rule->patterns[j].pkt_offset))
13866 				return -ENOBUFS;
13867 			nla_nest_end(msg, nl_pat);
13868 		}
13869 		nla_nest_end(msg, nl_pats);
13870 		nla_nest_end(msg, nl_rule);
13871 	}
13872 	nla_nest_end(msg, nl_rules);
13873 
13874 	return 0;
13875 }
13876 
13877 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13878 {
13879 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13880 	struct sk_buff *msg;
13881 	void *hdr;
13882 
13883 	if (!rdev->wiphy.coalesce)
13884 		return -EOPNOTSUPP;
13885 
13886 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13887 	if (!msg)
13888 		return -ENOMEM;
13889 
13890 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13891 			     NL80211_CMD_GET_COALESCE);
13892 	if (!hdr)
13893 		goto nla_put_failure;
13894 
13895 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13896 		goto nla_put_failure;
13897 
13898 	genlmsg_end(msg, hdr);
13899 	return genlmsg_reply(msg, info);
13900 
13901 nla_put_failure:
13902 	nlmsg_free(msg);
13903 	return -ENOBUFS;
13904 }
13905 
13906 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13907 {
13908 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13909 	int i, j;
13910 	struct cfg80211_coalesce_rules *rule;
13911 
13912 	if (!coalesce)
13913 		return;
13914 
13915 	for (i = 0; i < coalesce->n_rules; i++) {
13916 		rule = &coalesce->rules[i];
13917 		for (j = 0; j < rule->n_patterns; j++)
13918 			kfree(rule->patterns[j].mask);
13919 		kfree(rule->patterns);
13920 	}
13921 	kfree(coalesce->rules);
13922 	kfree(coalesce);
13923 	rdev->coalesce = NULL;
13924 }
13925 
13926 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13927 				       struct nlattr *rule,
13928 				       struct cfg80211_coalesce_rules *new_rule)
13929 {
13930 	int err, i;
13931 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13932 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13933 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13934 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13935 
13936 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13937 					  rule, nl80211_coalesce_policy, NULL);
13938 	if (err)
13939 		return err;
13940 
13941 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13942 		new_rule->delay =
13943 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13944 	if (new_rule->delay > coalesce->max_delay)
13945 		return -EINVAL;
13946 
13947 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13948 		new_rule->condition =
13949 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13950 
13951 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13952 		return -EINVAL;
13953 
13954 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13955 			    rem)
13956 		n_patterns++;
13957 	if (n_patterns > coalesce->n_patterns)
13958 		return -EINVAL;
13959 
13960 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13961 				     GFP_KERNEL);
13962 	if (!new_rule->patterns)
13963 		return -ENOMEM;
13964 
13965 	new_rule->n_patterns = n_patterns;
13966 	i = 0;
13967 
13968 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13969 			    rem) {
13970 		u8 *mask_pat;
13971 
13972 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13973 						  pat,
13974 						  nl80211_packet_pattern_policy,
13975 						  NULL);
13976 		if (err)
13977 			return err;
13978 
13979 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13980 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13981 			return -EINVAL;
13982 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13983 		mask_len = DIV_ROUND_UP(pat_len, 8);
13984 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13985 			return -EINVAL;
13986 		if (pat_len > coalesce->pattern_max_len ||
13987 		    pat_len < coalesce->pattern_min_len)
13988 			return -EINVAL;
13989 
13990 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13991 			pkt_offset = 0;
13992 		else
13993 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13994 		if (pkt_offset > coalesce->max_pkt_offset)
13995 			return -EINVAL;
13996 		new_rule->patterns[i].pkt_offset = pkt_offset;
13997 
13998 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13999 		if (!mask_pat)
14000 			return -ENOMEM;
14001 
14002 		new_rule->patterns[i].mask = mask_pat;
14003 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14004 		       mask_len);
14005 
14006 		mask_pat += mask_len;
14007 		new_rule->patterns[i].pattern = mask_pat;
14008 		new_rule->patterns[i].pattern_len = pat_len;
14009 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14010 		       pat_len);
14011 		i++;
14012 	}
14013 
14014 	return 0;
14015 }
14016 
14017 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14018 {
14019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14020 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14021 	struct cfg80211_coalesce new_coalesce = {};
14022 	struct cfg80211_coalesce *n_coalesce;
14023 	int err, rem_rule, n_rules = 0, i, j;
14024 	struct nlattr *rule;
14025 	struct cfg80211_coalesce_rules *tmp_rule;
14026 
14027 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14028 		return -EOPNOTSUPP;
14029 
14030 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14031 		cfg80211_rdev_free_coalesce(rdev);
14032 		rdev_set_coalesce(rdev, NULL);
14033 		return 0;
14034 	}
14035 
14036 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14037 			    rem_rule)
14038 		n_rules++;
14039 	if (n_rules > coalesce->n_rules)
14040 		return -EINVAL;
14041 
14042 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
14043 				     GFP_KERNEL);
14044 	if (!new_coalesce.rules)
14045 		return -ENOMEM;
14046 
14047 	new_coalesce.n_rules = n_rules;
14048 	i = 0;
14049 
14050 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14051 			    rem_rule) {
14052 		err = nl80211_parse_coalesce_rule(rdev, rule,
14053 						  &new_coalesce.rules[i]);
14054 		if (err)
14055 			goto error;
14056 
14057 		i++;
14058 	}
14059 
14060 	err = rdev_set_coalesce(rdev, &new_coalesce);
14061 	if (err)
14062 		goto error;
14063 
14064 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
14065 	if (!n_coalesce) {
14066 		err = -ENOMEM;
14067 		goto error;
14068 	}
14069 	cfg80211_rdev_free_coalesce(rdev);
14070 	rdev->coalesce = n_coalesce;
14071 
14072 	return 0;
14073 error:
14074 	for (i = 0; i < new_coalesce.n_rules; i++) {
14075 		tmp_rule = &new_coalesce.rules[i];
14076 		if (!tmp_rule)
14077 			continue;
14078 		for (j = 0; j < tmp_rule->n_patterns; j++)
14079 			kfree(tmp_rule->patterns[j].mask);
14080 		kfree(tmp_rule->patterns);
14081 	}
14082 	kfree(new_coalesce.rules);
14083 
14084 	return err;
14085 }
14086 
14087 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14088 {
14089 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14090 	struct net_device *dev = info->user_ptr[1];
14091 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14092 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14093 	struct cfg80211_gtk_rekey_data rekey_data = {};
14094 	int err;
14095 
14096 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14097 		return -EINVAL;
14098 
14099 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14100 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14101 					  nl80211_rekey_policy, info->extack);
14102 	if (err)
14103 		return err;
14104 
14105 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14106 	    !tb[NL80211_REKEY_DATA_KCK])
14107 		return -EINVAL;
14108 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14109 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14110 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14111 		return -ERANGE;
14112 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14113 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14114 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14115 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14116 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14117 		return -ERANGE;
14118 
14119 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14120 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14121 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14122 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14123 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14124 	if (tb[NL80211_REKEY_DATA_AKM])
14125 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14126 
14127 	wdev_lock(wdev);
14128 	if (!wdev->connected) {
14129 		err = -ENOTCONN;
14130 		goto out;
14131 	}
14132 
14133 	if (!rdev->ops->set_rekey_data) {
14134 		err = -EOPNOTSUPP;
14135 		goto out;
14136 	}
14137 
14138 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
14139  out:
14140 	wdev_unlock(wdev);
14141 	return err;
14142 }
14143 
14144 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14145 					     struct genl_info *info)
14146 {
14147 	struct net_device *dev = info->user_ptr[1];
14148 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14149 
14150 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14151 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14152 		return -EINVAL;
14153 
14154 	if (wdev->ap_unexpected_nlportid)
14155 		return -EBUSY;
14156 
14157 	wdev->ap_unexpected_nlportid = info->snd_portid;
14158 	return 0;
14159 }
14160 
14161 static int nl80211_probe_client(struct sk_buff *skb,
14162 				struct genl_info *info)
14163 {
14164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14165 	struct net_device *dev = info->user_ptr[1];
14166 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14167 	struct sk_buff *msg;
14168 	void *hdr;
14169 	const u8 *addr;
14170 	u64 cookie;
14171 	int err;
14172 
14173 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14174 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14175 		return -EOPNOTSUPP;
14176 
14177 	if (!info->attrs[NL80211_ATTR_MAC])
14178 		return -EINVAL;
14179 
14180 	if (!rdev->ops->probe_client)
14181 		return -EOPNOTSUPP;
14182 
14183 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14184 	if (!msg)
14185 		return -ENOMEM;
14186 
14187 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14188 			     NL80211_CMD_PROBE_CLIENT);
14189 	if (!hdr) {
14190 		err = -ENOBUFS;
14191 		goto free_msg;
14192 	}
14193 
14194 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14195 
14196 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14197 	if (err)
14198 		goto free_msg;
14199 
14200 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14201 			      NL80211_ATTR_PAD))
14202 		goto nla_put_failure;
14203 
14204 	genlmsg_end(msg, hdr);
14205 
14206 	return genlmsg_reply(msg, info);
14207 
14208  nla_put_failure:
14209 	err = -ENOBUFS;
14210  free_msg:
14211 	nlmsg_free(msg);
14212 	return err;
14213 }
14214 
14215 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14216 {
14217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14218 	struct cfg80211_beacon_registration *reg, *nreg;
14219 	int rv;
14220 
14221 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14222 		return -EOPNOTSUPP;
14223 
14224 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14225 	if (!nreg)
14226 		return -ENOMEM;
14227 
14228 	/* First, check if already registered. */
14229 	spin_lock_bh(&rdev->beacon_registrations_lock);
14230 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14231 		if (reg->nlportid == info->snd_portid) {
14232 			rv = -EALREADY;
14233 			goto out_err;
14234 		}
14235 	}
14236 	/* Add it to the list */
14237 	nreg->nlportid = info->snd_portid;
14238 	list_add(&nreg->list, &rdev->beacon_registrations);
14239 
14240 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14241 
14242 	return 0;
14243 out_err:
14244 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14245 	kfree(nreg);
14246 	return rv;
14247 }
14248 
14249 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14250 {
14251 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14252 	struct wireless_dev *wdev = info->user_ptr[1];
14253 	int err;
14254 
14255 	if (!rdev->ops->start_p2p_device)
14256 		return -EOPNOTSUPP;
14257 
14258 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14259 		return -EOPNOTSUPP;
14260 
14261 	if (wdev_running(wdev))
14262 		return 0;
14263 
14264 	if (rfkill_blocked(rdev->wiphy.rfkill))
14265 		return -ERFKILL;
14266 
14267 	err = rdev_start_p2p_device(rdev, wdev);
14268 	if (err)
14269 		return err;
14270 
14271 	wdev->is_running = true;
14272 	rdev->opencount++;
14273 
14274 	return 0;
14275 }
14276 
14277 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14278 {
14279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14280 	struct wireless_dev *wdev = info->user_ptr[1];
14281 
14282 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14283 		return -EOPNOTSUPP;
14284 
14285 	if (!rdev->ops->stop_p2p_device)
14286 		return -EOPNOTSUPP;
14287 
14288 	cfg80211_stop_p2p_device(rdev, wdev);
14289 
14290 	return 0;
14291 }
14292 
14293 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14294 {
14295 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14296 	struct wireless_dev *wdev = info->user_ptr[1];
14297 	struct cfg80211_nan_conf conf = {};
14298 	int err;
14299 
14300 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14301 		return -EOPNOTSUPP;
14302 
14303 	if (wdev_running(wdev))
14304 		return -EEXIST;
14305 
14306 	if (rfkill_blocked(rdev->wiphy.rfkill))
14307 		return -ERFKILL;
14308 
14309 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14310 		return -EINVAL;
14311 
14312 	conf.master_pref =
14313 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14314 
14315 	if (info->attrs[NL80211_ATTR_BANDS]) {
14316 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14317 
14318 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14319 			return -EOPNOTSUPP;
14320 
14321 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14322 			return -EINVAL;
14323 
14324 		conf.bands = bands;
14325 	}
14326 
14327 	err = rdev_start_nan(rdev, wdev, &conf);
14328 	if (err)
14329 		return err;
14330 
14331 	wdev->is_running = true;
14332 	rdev->opencount++;
14333 
14334 	return 0;
14335 }
14336 
14337 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14338 {
14339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14340 	struct wireless_dev *wdev = info->user_ptr[1];
14341 
14342 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14343 		return -EOPNOTSUPP;
14344 
14345 	cfg80211_stop_nan(rdev, wdev);
14346 
14347 	return 0;
14348 }
14349 
14350 static int validate_nan_filter(struct nlattr *filter_attr)
14351 {
14352 	struct nlattr *attr;
14353 	int len = 0, n_entries = 0, rem;
14354 
14355 	nla_for_each_nested(attr, filter_attr, rem) {
14356 		len += nla_len(attr);
14357 		n_entries++;
14358 	}
14359 
14360 	if (len >= U8_MAX)
14361 		return -EINVAL;
14362 
14363 	return n_entries;
14364 }
14365 
14366 static int handle_nan_filter(struct nlattr *attr_filter,
14367 			     struct cfg80211_nan_func *func,
14368 			     bool tx)
14369 {
14370 	struct nlattr *attr;
14371 	int n_entries, rem, i;
14372 	struct cfg80211_nan_func_filter *filter;
14373 
14374 	n_entries = validate_nan_filter(attr_filter);
14375 	if (n_entries < 0)
14376 		return n_entries;
14377 
14378 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14379 
14380 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14381 	if (!filter)
14382 		return -ENOMEM;
14383 
14384 	i = 0;
14385 	nla_for_each_nested(attr, attr_filter, rem) {
14386 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14387 		if (!filter[i].filter)
14388 			goto err;
14389 
14390 		filter[i].len = nla_len(attr);
14391 		i++;
14392 	}
14393 	if (tx) {
14394 		func->num_tx_filters = n_entries;
14395 		func->tx_filters = filter;
14396 	} else {
14397 		func->num_rx_filters = n_entries;
14398 		func->rx_filters = filter;
14399 	}
14400 
14401 	return 0;
14402 
14403 err:
14404 	i = 0;
14405 	nla_for_each_nested(attr, attr_filter, rem) {
14406 		kfree(filter[i].filter);
14407 		i++;
14408 	}
14409 	kfree(filter);
14410 	return -ENOMEM;
14411 }
14412 
14413 static int nl80211_nan_add_func(struct sk_buff *skb,
14414 				struct genl_info *info)
14415 {
14416 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14417 	struct wireless_dev *wdev = info->user_ptr[1];
14418 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14419 	struct cfg80211_nan_func *func;
14420 	struct sk_buff *msg = NULL;
14421 	void *hdr = NULL;
14422 	int err = 0;
14423 
14424 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14425 		return -EOPNOTSUPP;
14426 
14427 	if (!wdev_running(wdev))
14428 		return -ENOTCONN;
14429 
14430 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14431 		return -EINVAL;
14432 
14433 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14434 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14435 					  nl80211_nan_func_policy,
14436 					  info->extack);
14437 	if (err)
14438 		return err;
14439 
14440 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14441 	if (!func)
14442 		return -ENOMEM;
14443 
14444 	func->cookie = cfg80211_assign_cookie(rdev);
14445 
14446 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14447 		err = -EINVAL;
14448 		goto out;
14449 	}
14450 
14451 
14452 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14453 
14454 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14455 		err = -EINVAL;
14456 		goto out;
14457 	}
14458 
14459 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14460 	       sizeof(func->service_id));
14461 
14462 	func->close_range =
14463 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14464 
14465 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14466 		func->serv_spec_info_len =
14467 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14468 		func->serv_spec_info =
14469 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14470 				func->serv_spec_info_len,
14471 				GFP_KERNEL);
14472 		if (!func->serv_spec_info) {
14473 			err = -ENOMEM;
14474 			goto out;
14475 		}
14476 	}
14477 
14478 	if (tb[NL80211_NAN_FUNC_TTL])
14479 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14480 
14481 	switch (func->type) {
14482 	case NL80211_NAN_FUNC_PUBLISH:
14483 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14484 			err = -EINVAL;
14485 			goto out;
14486 		}
14487 
14488 		func->publish_type =
14489 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14490 		func->publish_bcast =
14491 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14492 
14493 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14494 			func->publish_bcast) {
14495 			err = -EINVAL;
14496 			goto out;
14497 		}
14498 		break;
14499 	case NL80211_NAN_FUNC_SUBSCRIBE:
14500 		func->subscribe_active =
14501 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14502 		break;
14503 	case NL80211_NAN_FUNC_FOLLOW_UP:
14504 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14505 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14506 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14507 			err = -EINVAL;
14508 			goto out;
14509 		}
14510 
14511 		func->followup_id =
14512 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14513 		func->followup_reqid =
14514 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14515 		memcpy(func->followup_dest.addr,
14516 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14517 		       sizeof(func->followup_dest.addr));
14518 		if (func->ttl) {
14519 			err = -EINVAL;
14520 			goto out;
14521 		}
14522 		break;
14523 	default:
14524 		err = -EINVAL;
14525 		goto out;
14526 	}
14527 
14528 	if (tb[NL80211_NAN_FUNC_SRF]) {
14529 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14530 
14531 		err = nla_parse_nested_deprecated(srf_tb,
14532 						  NL80211_NAN_SRF_ATTR_MAX,
14533 						  tb[NL80211_NAN_FUNC_SRF],
14534 						  nl80211_nan_srf_policy,
14535 						  info->extack);
14536 		if (err)
14537 			goto out;
14538 
14539 		func->srf_include =
14540 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14541 
14542 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14543 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14544 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14545 				err = -EINVAL;
14546 				goto out;
14547 			}
14548 
14549 			func->srf_bf_len =
14550 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14551 			func->srf_bf =
14552 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14553 					func->srf_bf_len, GFP_KERNEL);
14554 			if (!func->srf_bf) {
14555 				err = -ENOMEM;
14556 				goto out;
14557 			}
14558 
14559 			func->srf_bf_idx =
14560 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14561 		} else {
14562 			struct nlattr *attr, *mac_attr =
14563 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14564 			int n_entries, rem, i = 0;
14565 
14566 			if (!mac_attr) {
14567 				err = -EINVAL;
14568 				goto out;
14569 			}
14570 
14571 			n_entries = validate_acl_mac_addrs(mac_attr);
14572 			if (n_entries <= 0) {
14573 				err = -EINVAL;
14574 				goto out;
14575 			}
14576 
14577 			func->srf_num_macs = n_entries;
14578 			func->srf_macs =
14579 				kcalloc(n_entries, sizeof(*func->srf_macs),
14580 					GFP_KERNEL);
14581 			if (!func->srf_macs) {
14582 				err = -ENOMEM;
14583 				goto out;
14584 			}
14585 
14586 			nla_for_each_nested(attr, mac_attr, rem)
14587 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14588 				       sizeof(*func->srf_macs));
14589 		}
14590 	}
14591 
14592 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14593 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14594 					func, true);
14595 		if (err)
14596 			goto out;
14597 	}
14598 
14599 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14600 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14601 					func, false);
14602 		if (err)
14603 			goto out;
14604 	}
14605 
14606 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14607 	if (!msg) {
14608 		err = -ENOMEM;
14609 		goto out;
14610 	}
14611 
14612 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14613 			     NL80211_CMD_ADD_NAN_FUNCTION);
14614 	/* This can't really happen - we just allocated 4KB */
14615 	if (WARN_ON(!hdr)) {
14616 		err = -ENOMEM;
14617 		goto out;
14618 	}
14619 
14620 	err = rdev_add_nan_func(rdev, wdev, func);
14621 out:
14622 	if (err < 0) {
14623 		cfg80211_free_nan_func(func);
14624 		nlmsg_free(msg);
14625 		return err;
14626 	}
14627 
14628 	/* propagate the instance id and cookie to userspace  */
14629 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14630 			      NL80211_ATTR_PAD))
14631 		goto nla_put_failure;
14632 
14633 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14634 	if (!func_attr)
14635 		goto nla_put_failure;
14636 
14637 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14638 		       func->instance_id))
14639 		goto nla_put_failure;
14640 
14641 	nla_nest_end(msg, func_attr);
14642 
14643 	genlmsg_end(msg, hdr);
14644 	return genlmsg_reply(msg, info);
14645 
14646 nla_put_failure:
14647 	nlmsg_free(msg);
14648 	return -ENOBUFS;
14649 }
14650 
14651 static int nl80211_nan_del_func(struct sk_buff *skb,
14652 			       struct genl_info *info)
14653 {
14654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14655 	struct wireless_dev *wdev = info->user_ptr[1];
14656 	u64 cookie;
14657 
14658 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14659 		return -EOPNOTSUPP;
14660 
14661 	if (!wdev_running(wdev))
14662 		return -ENOTCONN;
14663 
14664 	if (!info->attrs[NL80211_ATTR_COOKIE])
14665 		return -EINVAL;
14666 
14667 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14668 
14669 	rdev_del_nan_func(rdev, wdev, cookie);
14670 
14671 	return 0;
14672 }
14673 
14674 static int nl80211_nan_change_config(struct sk_buff *skb,
14675 				     struct genl_info *info)
14676 {
14677 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14678 	struct wireless_dev *wdev = info->user_ptr[1];
14679 	struct cfg80211_nan_conf conf = {};
14680 	u32 changed = 0;
14681 
14682 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14683 		return -EOPNOTSUPP;
14684 
14685 	if (!wdev_running(wdev))
14686 		return -ENOTCONN;
14687 
14688 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14689 		conf.master_pref =
14690 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14691 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14692 			return -EINVAL;
14693 
14694 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14695 	}
14696 
14697 	if (info->attrs[NL80211_ATTR_BANDS]) {
14698 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14699 
14700 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14701 			return -EOPNOTSUPP;
14702 
14703 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14704 			return -EINVAL;
14705 
14706 		conf.bands = bands;
14707 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14708 	}
14709 
14710 	if (!changed)
14711 		return -EINVAL;
14712 
14713 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14714 }
14715 
14716 void cfg80211_nan_match(struct wireless_dev *wdev,
14717 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14718 {
14719 	struct wiphy *wiphy = wdev->wiphy;
14720 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14721 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14722 	struct sk_buff *msg;
14723 	void *hdr;
14724 
14725 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14726 		return;
14727 
14728 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14729 	if (!msg)
14730 		return;
14731 
14732 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14733 	if (!hdr) {
14734 		nlmsg_free(msg);
14735 		return;
14736 	}
14737 
14738 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14739 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14740 					 wdev->netdev->ifindex)) ||
14741 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14742 			      NL80211_ATTR_PAD))
14743 		goto nla_put_failure;
14744 
14745 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14746 			      NL80211_ATTR_PAD) ||
14747 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14748 		goto nla_put_failure;
14749 
14750 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14751 	if (!match_attr)
14752 		goto nla_put_failure;
14753 
14754 	local_func_attr = nla_nest_start_noflag(msg,
14755 						NL80211_NAN_MATCH_FUNC_LOCAL);
14756 	if (!local_func_attr)
14757 		goto nla_put_failure;
14758 
14759 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14760 		goto nla_put_failure;
14761 
14762 	nla_nest_end(msg, local_func_attr);
14763 
14764 	peer_func_attr = nla_nest_start_noflag(msg,
14765 					       NL80211_NAN_MATCH_FUNC_PEER);
14766 	if (!peer_func_attr)
14767 		goto nla_put_failure;
14768 
14769 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14770 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14771 		goto nla_put_failure;
14772 
14773 	if (match->info && match->info_len &&
14774 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14775 		    match->info))
14776 		goto nla_put_failure;
14777 
14778 	nla_nest_end(msg, peer_func_attr);
14779 	nla_nest_end(msg, match_attr);
14780 	genlmsg_end(msg, hdr);
14781 
14782 	if (!wdev->owner_nlportid)
14783 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14784 					msg, 0, NL80211_MCGRP_NAN, gfp);
14785 	else
14786 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14787 				wdev->owner_nlportid);
14788 
14789 	return;
14790 
14791 nla_put_failure:
14792 	nlmsg_free(msg);
14793 }
14794 EXPORT_SYMBOL(cfg80211_nan_match);
14795 
14796 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14797 				  u8 inst_id,
14798 				  enum nl80211_nan_func_term_reason reason,
14799 				  u64 cookie, gfp_t gfp)
14800 {
14801 	struct wiphy *wiphy = wdev->wiphy;
14802 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14803 	struct sk_buff *msg;
14804 	struct nlattr *func_attr;
14805 	void *hdr;
14806 
14807 	if (WARN_ON(!inst_id))
14808 		return;
14809 
14810 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14811 	if (!msg)
14812 		return;
14813 
14814 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14815 	if (!hdr) {
14816 		nlmsg_free(msg);
14817 		return;
14818 	}
14819 
14820 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14821 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14822 					 wdev->netdev->ifindex)) ||
14823 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14824 			      NL80211_ATTR_PAD))
14825 		goto nla_put_failure;
14826 
14827 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14828 			      NL80211_ATTR_PAD))
14829 		goto nla_put_failure;
14830 
14831 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14832 	if (!func_attr)
14833 		goto nla_put_failure;
14834 
14835 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14836 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14837 		goto nla_put_failure;
14838 
14839 	nla_nest_end(msg, func_attr);
14840 	genlmsg_end(msg, hdr);
14841 
14842 	if (!wdev->owner_nlportid)
14843 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14844 					msg, 0, NL80211_MCGRP_NAN, gfp);
14845 	else
14846 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14847 				wdev->owner_nlportid);
14848 
14849 	return;
14850 
14851 nla_put_failure:
14852 	nlmsg_free(msg);
14853 }
14854 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14855 
14856 static int nl80211_get_protocol_features(struct sk_buff *skb,
14857 					 struct genl_info *info)
14858 {
14859 	void *hdr;
14860 	struct sk_buff *msg;
14861 
14862 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14863 	if (!msg)
14864 		return -ENOMEM;
14865 
14866 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14867 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14868 	if (!hdr)
14869 		goto nla_put_failure;
14870 
14871 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14872 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14873 		goto nla_put_failure;
14874 
14875 	genlmsg_end(msg, hdr);
14876 	return genlmsg_reply(msg, info);
14877 
14878  nla_put_failure:
14879 	kfree_skb(msg);
14880 	return -ENOBUFS;
14881 }
14882 
14883 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14884 {
14885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14886 	struct cfg80211_update_ft_ies_params ft_params;
14887 	struct net_device *dev = info->user_ptr[1];
14888 
14889 	if (!rdev->ops->update_ft_ies)
14890 		return -EOPNOTSUPP;
14891 
14892 	if (!info->attrs[NL80211_ATTR_MDID] ||
14893 	    !info->attrs[NL80211_ATTR_IE])
14894 		return -EINVAL;
14895 
14896 	memset(&ft_params, 0, sizeof(ft_params));
14897 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14898 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14899 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14900 
14901 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14902 }
14903 
14904 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14905 				       struct genl_info *info)
14906 {
14907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14908 	struct wireless_dev *wdev = info->user_ptr[1];
14909 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14910 	u16 duration;
14911 	int ret;
14912 
14913 	if (!rdev->ops->crit_proto_start)
14914 		return -EOPNOTSUPP;
14915 
14916 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14917 		return -EINVAL;
14918 
14919 	if (rdev->crit_proto_nlportid)
14920 		return -EBUSY;
14921 
14922 	/* determine protocol if provided */
14923 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14924 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14925 
14926 	if (proto >= NUM_NL80211_CRIT_PROTO)
14927 		return -EINVAL;
14928 
14929 	/* timeout must be provided */
14930 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14931 		return -EINVAL;
14932 
14933 	duration =
14934 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14935 
14936 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14937 	if (!ret)
14938 		rdev->crit_proto_nlportid = info->snd_portid;
14939 
14940 	return ret;
14941 }
14942 
14943 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14944 				      struct genl_info *info)
14945 {
14946 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14947 	struct wireless_dev *wdev = info->user_ptr[1];
14948 
14949 	if (!rdev->ops->crit_proto_stop)
14950 		return -EOPNOTSUPP;
14951 
14952 	if (rdev->crit_proto_nlportid) {
14953 		rdev->crit_proto_nlportid = 0;
14954 		rdev_crit_proto_stop(rdev, wdev);
14955 	}
14956 	return 0;
14957 }
14958 
14959 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14960 				       struct nlattr *attr,
14961 				       struct netlink_ext_ack *extack)
14962 {
14963 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14964 		if (attr->nla_type & NLA_F_NESTED) {
14965 			NL_SET_ERR_MSG_ATTR(extack, attr,
14966 					    "unexpected nested data");
14967 			return -EINVAL;
14968 		}
14969 
14970 		return 0;
14971 	}
14972 
14973 	if (!(attr->nla_type & NLA_F_NESTED)) {
14974 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14975 		return -EINVAL;
14976 	}
14977 
14978 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14979 }
14980 
14981 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14982 {
14983 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14984 	struct wireless_dev *wdev =
14985 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14986 					   info->attrs);
14987 	int i, err;
14988 	u32 vid, subcmd;
14989 
14990 	if (!rdev->wiphy.vendor_commands)
14991 		return -EOPNOTSUPP;
14992 
14993 	if (IS_ERR(wdev)) {
14994 		err = PTR_ERR(wdev);
14995 		if (err != -EINVAL)
14996 			return err;
14997 		wdev = NULL;
14998 	} else if (wdev->wiphy != &rdev->wiphy) {
14999 		return -EINVAL;
15000 	}
15001 
15002 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15003 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15004 		return -EINVAL;
15005 
15006 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15007 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15008 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15009 		const struct wiphy_vendor_command *vcmd;
15010 		void *data = NULL;
15011 		int len = 0;
15012 
15013 		vcmd = &rdev->wiphy.vendor_commands[i];
15014 
15015 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15016 			continue;
15017 
15018 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15019 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15020 			if (!wdev)
15021 				return -EINVAL;
15022 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15023 			    !wdev->netdev)
15024 				return -EINVAL;
15025 
15026 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15027 				if (!wdev_running(wdev))
15028 					return -ENETDOWN;
15029 			}
15030 		} else {
15031 			wdev = NULL;
15032 		}
15033 
15034 		if (!vcmd->doit)
15035 			return -EOPNOTSUPP;
15036 
15037 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15038 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15039 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15040 
15041 			err = nl80211_vendor_check_policy(vcmd,
15042 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15043 					info->extack);
15044 			if (err)
15045 				return err;
15046 		}
15047 
15048 		rdev->cur_cmd_info = info;
15049 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15050 		rdev->cur_cmd_info = NULL;
15051 		return err;
15052 	}
15053 
15054 	return -EOPNOTSUPP;
15055 }
15056 
15057 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15058 				       struct netlink_callback *cb,
15059 				       struct cfg80211_registered_device **rdev,
15060 				       struct wireless_dev **wdev)
15061 {
15062 	struct nlattr **attrbuf;
15063 	u32 vid, subcmd;
15064 	unsigned int i;
15065 	int vcmd_idx = -1;
15066 	int err;
15067 	void *data = NULL;
15068 	unsigned int data_len = 0;
15069 
15070 	if (cb->args[0]) {
15071 		/* subtract the 1 again here */
15072 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15073 		struct wireless_dev *tmp;
15074 
15075 		if (!wiphy)
15076 			return -ENODEV;
15077 		*rdev = wiphy_to_rdev(wiphy);
15078 		*wdev = NULL;
15079 
15080 		if (cb->args[1]) {
15081 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15082 				if (tmp->identifier == cb->args[1] - 1) {
15083 					*wdev = tmp;
15084 					break;
15085 				}
15086 			}
15087 		}
15088 
15089 		/* keep rtnl locked in successful case */
15090 		return 0;
15091 	}
15092 
15093 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15094 	if (!attrbuf)
15095 		return -ENOMEM;
15096 
15097 	err = nlmsg_parse_deprecated(cb->nlh,
15098 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15099 				     attrbuf, nl80211_fam.maxattr,
15100 				     nl80211_policy, NULL);
15101 	if (err)
15102 		goto out;
15103 
15104 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15105 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15106 		err = -EINVAL;
15107 		goto out;
15108 	}
15109 
15110 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15111 	if (IS_ERR(*wdev))
15112 		*wdev = NULL;
15113 
15114 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15115 	if (IS_ERR(*rdev)) {
15116 		err = PTR_ERR(*rdev);
15117 		goto out;
15118 	}
15119 
15120 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15121 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15122 
15123 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15124 		const struct wiphy_vendor_command *vcmd;
15125 
15126 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15127 
15128 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15129 			continue;
15130 
15131 		if (!vcmd->dumpit) {
15132 			err = -EOPNOTSUPP;
15133 			goto out;
15134 		}
15135 
15136 		vcmd_idx = i;
15137 		break;
15138 	}
15139 
15140 	if (vcmd_idx < 0) {
15141 		err = -EOPNOTSUPP;
15142 		goto out;
15143 	}
15144 
15145 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15146 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15147 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15148 
15149 		err = nl80211_vendor_check_policy(
15150 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15151 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15152 				cb->extack);
15153 		if (err)
15154 			goto out;
15155 	}
15156 
15157 	/* 0 is the first index - add 1 to parse only once */
15158 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15159 	/* add 1 to know if it was NULL */
15160 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15161 	cb->args[2] = vcmd_idx;
15162 	cb->args[3] = (unsigned long)data;
15163 	cb->args[4] = data_len;
15164 
15165 	/* keep rtnl locked in successful case */
15166 	err = 0;
15167 out:
15168 	kfree(attrbuf);
15169 	return err;
15170 }
15171 
15172 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15173 				   struct netlink_callback *cb)
15174 {
15175 	struct cfg80211_registered_device *rdev;
15176 	struct wireless_dev *wdev;
15177 	unsigned int vcmd_idx;
15178 	const struct wiphy_vendor_command *vcmd;
15179 	void *data;
15180 	int data_len;
15181 	int err;
15182 	struct nlattr *vendor_data;
15183 
15184 	rtnl_lock();
15185 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15186 	if (err)
15187 		goto out;
15188 
15189 	vcmd_idx = cb->args[2];
15190 	data = (void *)cb->args[3];
15191 	data_len = cb->args[4];
15192 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15193 
15194 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15195 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15196 		if (!wdev) {
15197 			err = -EINVAL;
15198 			goto out;
15199 		}
15200 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15201 		    !wdev->netdev) {
15202 			err = -EINVAL;
15203 			goto out;
15204 		}
15205 
15206 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15207 			if (!wdev_running(wdev)) {
15208 				err = -ENETDOWN;
15209 				goto out;
15210 			}
15211 		}
15212 	}
15213 
15214 	while (1) {
15215 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15216 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15217 					   NL80211_CMD_VENDOR);
15218 		if (!hdr)
15219 			break;
15220 
15221 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15222 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15223 					       wdev_id(wdev),
15224 					       NL80211_ATTR_PAD))) {
15225 			genlmsg_cancel(skb, hdr);
15226 			break;
15227 		}
15228 
15229 		vendor_data = nla_nest_start_noflag(skb,
15230 						    NL80211_ATTR_VENDOR_DATA);
15231 		if (!vendor_data) {
15232 			genlmsg_cancel(skb, hdr);
15233 			break;
15234 		}
15235 
15236 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15237 				   (unsigned long *)&cb->args[5]);
15238 		nla_nest_end(skb, vendor_data);
15239 
15240 		if (err == -ENOBUFS || err == -ENOENT) {
15241 			genlmsg_cancel(skb, hdr);
15242 			break;
15243 		} else if (err <= 0) {
15244 			genlmsg_cancel(skb, hdr);
15245 			goto out;
15246 		}
15247 
15248 		genlmsg_end(skb, hdr);
15249 	}
15250 
15251 	err = skb->len;
15252  out:
15253 	rtnl_unlock();
15254 	return err;
15255 }
15256 
15257 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15258 					   enum nl80211_commands cmd,
15259 					   enum nl80211_attrs attr,
15260 					   int approxlen)
15261 {
15262 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15263 
15264 	if (WARN_ON(!rdev->cur_cmd_info))
15265 		return NULL;
15266 
15267 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15268 					   rdev->cur_cmd_info->snd_portid,
15269 					   rdev->cur_cmd_info->snd_seq,
15270 					   cmd, attr, NULL, GFP_KERNEL);
15271 }
15272 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15273 
15274 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15275 {
15276 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15277 	void *hdr = ((void **)skb->cb)[1];
15278 	struct nlattr *data = ((void **)skb->cb)[2];
15279 
15280 	/* clear CB data for netlink core to own from now on */
15281 	memset(skb->cb, 0, sizeof(skb->cb));
15282 
15283 	if (WARN_ON(!rdev->cur_cmd_info)) {
15284 		kfree_skb(skb);
15285 		return -EINVAL;
15286 	}
15287 
15288 	nla_nest_end(skb, data);
15289 	genlmsg_end(skb, hdr);
15290 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15291 }
15292 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15293 
15294 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15295 {
15296 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15297 
15298 	if (WARN_ON(!rdev->cur_cmd_info))
15299 		return 0;
15300 
15301 	return rdev->cur_cmd_info->snd_portid;
15302 }
15303 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15304 
15305 static int nl80211_set_qos_map(struct sk_buff *skb,
15306 			       struct genl_info *info)
15307 {
15308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15309 	struct cfg80211_qos_map *qos_map = NULL;
15310 	struct net_device *dev = info->user_ptr[1];
15311 	u8 *pos, len, num_des, des_len, des;
15312 	int ret;
15313 
15314 	if (!rdev->ops->set_qos_map)
15315 		return -EOPNOTSUPP;
15316 
15317 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15318 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15319 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15320 
15321 		if (len % 2)
15322 			return -EINVAL;
15323 
15324 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15325 		if (!qos_map)
15326 			return -ENOMEM;
15327 
15328 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15329 		if (num_des) {
15330 			des_len = num_des *
15331 				sizeof(struct cfg80211_dscp_exception);
15332 			memcpy(qos_map->dscp_exception, pos, des_len);
15333 			qos_map->num_des = num_des;
15334 			for (des = 0; des < num_des; des++) {
15335 				if (qos_map->dscp_exception[des].up > 7) {
15336 					kfree(qos_map);
15337 					return -EINVAL;
15338 				}
15339 			}
15340 			pos += des_len;
15341 		}
15342 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15343 	}
15344 
15345 	wdev_lock(dev->ieee80211_ptr);
15346 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15347 	if (!ret)
15348 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15349 	wdev_unlock(dev->ieee80211_ptr);
15350 
15351 	kfree(qos_map);
15352 	return ret;
15353 }
15354 
15355 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15356 {
15357 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15358 	struct net_device *dev = info->user_ptr[1];
15359 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15360 	const u8 *peer;
15361 	u8 tsid, up;
15362 	u16 admitted_time = 0;
15363 	int err;
15364 
15365 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15366 		return -EOPNOTSUPP;
15367 
15368 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15369 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15370 		return -EINVAL;
15371 
15372 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15373 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15374 
15375 	/* WMM uses TIDs 0-7 even for TSPEC */
15376 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15377 		/* TODO: handle 802.11 TSPEC/admission control
15378 		 * need more attributes for that (e.g. BA session requirement);
15379 		 * change the WMM adminssion test above to allow both then
15380 		 */
15381 		return -EINVAL;
15382 	}
15383 
15384 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15385 
15386 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15387 		admitted_time =
15388 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15389 		if (!admitted_time)
15390 			return -EINVAL;
15391 	}
15392 
15393 	wdev_lock(wdev);
15394 	switch (wdev->iftype) {
15395 	case NL80211_IFTYPE_STATION:
15396 	case NL80211_IFTYPE_P2P_CLIENT:
15397 		if (wdev->connected)
15398 			break;
15399 		err = -ENOTCONN;
15400 		goto out;
15401 	default:
15402 		err = -EOPNOTSUPP;
15403 		goto out;
15404 	}
15405 
15406 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15407 
15408  out:
15409 	wdev_unlock(wdev);
15410 	return err;
15411 }
15412 
15413 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15414 {
15415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15416 	struct net_device *dev = info->user_ptr[1];
15417 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15418 	const u8 *peer;
15419 	u8 tsid;
15420 	int err;
15421 
15422 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15423 		return -EINVAL;
15424 
15425 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15426 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15427 
15428 	wdev_lock(wdev);
15429 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15430 	wdev_unlock(wdev);
15431 
15432 	return err;
15433 }
15434 
15435 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15436 				       struct genl_info *info)
15437 {
15438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15439 	struct net_device *dev = info->user_ptr[1];
15440 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15441 	struct cfg80211_chan_def chandef = {};
15442 	const u8 *addr;
15443 	u8 oper_class;
15444 	int err;
15445 
15446 	if (!rdev->ops->tdls_channel_switch ||
15447 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15448 		return -EOPNOTSUPP;
15449 
15450 	switch (dev->ieee80211_ptr->iftype) {
15451 	case NL80211_IFTYPE_STATION:
15452 	case NL80211_IFTYPE_P2P_CLIENT:
15453 		break;
15454 	default:
15455 		return -EOPNOTSUPP;
15456 	}
15457 
15458 	if (!info->attrs[NL80211_ATTR_MAC] ||
15459 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15460 		return -EINVAL;
15461 
15462 	err = nl80211_parse_chandef(rdev, info, &chandef);
15463 	if (err)
15464 		return err;
15465 
15466 	/*
15467 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15468 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15469 	 * specification is not defined for them.
15470 	 */
15471 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15472 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15473 	    chandef.width != NL80211_CHAN_WIDTH_20)
15474 		return -EINVAL;
15475 
15476 	/* we will be active on the TDLS link */
15477 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15478 					   wdev->iftype))
15479 		return -EINVAL;
15480 
15481 	/* don't allow switching to DFS channels */
15482 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15483 		return -EINVAL;
15484 
15485 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15486 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15487 
15488 	wdev_lock(wdev);
15489 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15490 	wdev_unlock(wdev);
15491 
15492 	return err;
15493 }
15494 
15495 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15496 					      struct genl_info *info)
15497 {
15498 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15499 	struct net_device *dev = info->user_ptr[1];
15500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15501 	const u8 *addr;
15502 
15503 	if (!rdev->ops->tdls_channel_switch ||
15504 	    !rdev->ops->tdls_cancel_channel_switch ||
15505 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15506 		return -EOPNOTSUPP;
15507 
15508 	switch (dev->ieee80211_ptr->iftype) {
15509 	case NL80211_IFTYPE_STATION:
15510 	case NL80211_IFTYPE_P2P_CLIENT:
15511 		break;
15512 	default:
15513 		return -EOPNOTSUPP;
15514 	}
15515 
15516 	if (!info->attrs[NL80211_ATTR_MAC])
15517 		return -EINVAL;
15518 
15519 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15520 
15521 	wdev_lock(wdev);
15522 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15523 	wdev_unlock(wdev);
15524 
15525 	return 0;
15526 }
15527 
15528 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15529 					    struct genl_info *info)
15530 {
15531 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15532 	struct net_device *dev = info->user_ptr[1];
15533 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15534 	const struct nlattr *nla;
15535 	bool enabled;
15536 
15537 	if (!rdev->ops->set_multicast_to_unicast)
15538 		return -EOPNOTSUPP;
15539 
15540 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15541 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15542 		return -EOPNOTSUPP;
15543 
15544 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15545 	enabled = nla_get_flag(nla);
15546 
15547 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15548 }
15549 
15550 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15551 {
15552 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15553 	struct net_device *dev = info->user_ptr[1];
15554 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15555 	struct cfg80211_pmk_conf pmk_conf = {};
15556 	int ret;
15557 
15558 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15559 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15560 		return -EOPNOTSUPP;
15561 
15562 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15563 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15564 		return -EOPNOTSUPP;
15565 
15566 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15567 		return -EINVAL;
15568 
15569 	wdev_lock(wdev);
15570 	if (!wdev->connected) {
15571 		ret = -ENOTCONN;
15572 		goto out;
15573 	}
15574 
15575 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15576 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15577 		ret = -EINVAL;
15578 		goto out;
15579 	}
15580 
15581 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15582 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15583 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15584 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15585 		ret = -EINVAL;
15586 		goto out;
15587 	}
15588 
15589 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15590 		pmk_conf.pmk_r0_name =
15591 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15592 
15593 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15594 out:
15595 	wdev_unlock(wdev);
15596 	return ret;
15597 }
15598 
15599 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15600 {
15601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15602 	struct net_device *dev = info->user_ptr[1];
15603 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15604 	const u8 *aa;
15605 	int ret;
15606 
15607 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15608 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15609 		return -EOPNOTSUPP;
15610 
15611 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15612 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15613 		return -EOPNOTSUPP;
15614 
15615 	if (!info->attrs[NL80211_ATTR_MAC])
15616 		return -EINVAL;
15617 
15618 	wdev_lock(wdev);
15619 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15620 	ret = rdev_del_pmk(rdev, dev, aa);
15621 	wdev_unlock(wdev);
15622 
15623 	return ret;
15624 }
15625 
15626 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15627 {
15628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15629 	struct net_device *dev = info->user_ptr[1];
15630 	struct cfg80211_external_auth_params params;
15631 
15632 	if (!rdev->ops->external_auth)
15633 		return -EOPNOTSUPP;
15634 
15635 	if (!info->attrs[NL80211_ATTR_SSID] &&
15636 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15637 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15638 		return -EINVAL;
15639 
15640 	if (!info->attrs[NL80211_ATTR_BSSID])
15641 		return -EINVAL;
15642 
15643 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15644 		return -EINVAL;
15645 
15646 	memset(&params, 0, sizeof(params));
15647 
15648 	if (info->attrs[NL80211_ATTR_SSID]) {
15649 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15650 		if (params.ssid.ssid_len == 0)
15651 			return -EINVAL;
15652 		memcpy(params.ssid.ssid,
15653 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15654 		       params.ssid.ssid_len);
15655 	}
15656 
15657 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15658 	       ETH_ALEN);
15659 
15660 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15661 
15662 	if (info->attrs[NL80211_ATTR_PMKID])
15663 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15664 
15665 	return rdev_external_auth(rdev, dev, &params);
15666 }
15667 
15668 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15669 {
15670 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15671 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15672 	struct net_device *dev = info->user_ptr[1];
15673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15674 	const u8 *buf;
15675 	size_t len;
15676 	u8 *dest;
15677 	u16 proto;
15678 	bool noencrypt;
15679 	u64 cookie = 0;
15680 	int link_id;
15681 	int err;
15682 
15683 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15684 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15685 		return -EOPNOTSUPP;
15686 
15687 	if (!rdev->ops->tx_control_port)
15688 		return -EOPNOTSUPP;
15689 
15690 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15691 	    !info->attrs[NL80211_ATTR_MAC] ||
15692 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15693 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15694 		return -EINVAL;
15695 	}
15696 
15697 	wdev_lock(wdev);
15698 
15699 	switch (wdev->iftype) {
15700 	case NL80211_IFTYPE_AP:
15701 	case NL80211_IFTYPE_P2P_GO:
15702 	case NL80211_IFTYPE_MESH_POINT:
15703 		break;
15704 	case NL80211_IFTYPE_ADHOC:
15705 		if (wdev->u.ibss.current_bss)
15706 			break;
15707 		err = -ENOTCONN;
15708 		goto out;
15709 	case NL80211_IFTYPE_STATION:
15710 	case NL80211_IFTYPE_P2P_CLIENT:
15711 		if (wdev->connected)
15712 			break;
15713 		err = -ENOTCONN;
15714 		goto out;
15715 	default:
15716 		err = -EOPNOTSUPP;
15717 		goto out;
15718 	}
15719 
15720 	wdev_unlock(wdev);
15721 
15722 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15723 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15724 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15725 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15726 	noencrypt =
15727 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15728 
15729 	link_id = nl80211_link_id_or_invalid(info->attrs);
15730 
15731 	err = rdev_tx_control_port(rdev, dev, buf, len,
15732 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15733 				   dont_wait_for_ack ? NULL : &cookie);
15734 	if (!err && !dont_wait_for_ack)
15735 		nl_set_extack_cookie_u64(info->extack, cookie);
15736 	return err;
15737  out:
15738 	wdev_unlock(wdev);
15739 	return err;
15740 }
15741 
15742 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15743 					   struct genl_info *info)
15744 {
15745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15746 	struct net_device *dev = info->user_ptr[1];
15747 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15748 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15749 	unsigned int link_id = nl80211_link_id(info->attrs);
15750 	struct sk_buff *msg;
15751 	void *hdr;
15752 	struct nlattr *ftm_stats_attr;
15753 	int err;
15754 
15755 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15756 	    !wdev->links[link_id].ap.beacon_interval)
15757 		return -EOPNOTSUPP;
15758 
15759 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15760 	if (err)
15761 		return err;
15762 
15763 	if (!ftm_stats.filled)
15764 		return -ENODATA;
15765 
15766 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15767 	if (!msg)
15768 		return -ENOMEM;
15769 
15770 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15771 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15772 	if (!hdr)
15773 		goto nla_put_failure;
15774 
15775 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15776 		goto nla_put_failure;
15777 
15778 	ftm_stats_attr = nla_nest_start_noflag(msg,
15779 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15780 	if (!ftm_stats_attr)
15781 		goto nla_put_failure;
15782 
15783 #define SET_FTM(field, name, type)					 \
15784 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15785 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15786 			     ftm_stats.field))				 \
15787 		goto nla_put_failure; } while (0)
15788 #define SET_FTM_U64(field, name)					 \
15789 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15790 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15791 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15792 		goto nla_put_failure; } while (0)
15793 
15794 	SET_FTM(success_num, SUCCESS_NUM, u32);
15795 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15796 	SET_FTM(failed_num, FAILED_NUM, u32);
15797 	SET_FTM(asap_num, ASAP_NUM, u32);
15798 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15799 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15800 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15801 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15802 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15803 #undef SET_FTM
15804 
15805 	nla_nest_end(msg, ftm_stats_attr);
15806 
15807 	genlmsg_end(msg, hdr);
15808 	return genlmsg_reply(msg, info);
15809 
15810 nla_put_failure:
15811 	nlmsg_free(msg);
15812 	return -ENOBUFS;
15813 }
15814 
15815 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15816 {
15817 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15818 	struct cfg80211_update_owe_info owe_info;
15819 	struct net_device *dev = info->user_ptr[1];
15820 
15821 	if (!rdev->ops->update_owe_info)
15822 		return -EOPNOTSUPP;
15823 
15824 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15825 	    !info->attrs[NL80211_ATTR_MAC])
15826 		return -EINVAL;
15827 
15828 	memset(&owe_info, 0, sizeof(owe_info));
15829 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15830 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15831 
15832 	if (info->attrs[NL80211_ATTR_IE]) {
15833 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15834 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15835 	}
15836 
15837 	return rdev_update_owe_info(rdev, dev, &owe_info);
15838 }
15839 
15840 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15841 {
15842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15843 	struct net_device *dev = info->user_ptr[1];
15844 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15845 	struct station_info sinfo = {};
15846 	const u8 *buf;
15847 	size_t len;
15848 	u8 *dest;
15849 	int err;
15850 
15851 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15852 		return -EOPNOTSUPP;
15853 
15854 	if (!info->attrs[NL80211_ATTR_MAC] ||
15855 	    !info->attrs[NL80211_ATTR_FRAME]) {
15856 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15857 		return -EINVAL;
15858 	}
15859 
15860 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15861 		return -EOPNOTSUPP;
15862 
15863 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15864 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15865 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15866 
15867 	if (len < sizeof(struct ethhdr))
15868 		return -EINVAL;
15869 
15870 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15871 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15872 		return -EINVAL;
15873 
15874 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15875 	if (err)
15876 		return err;
15877 
15878 	cfg80211_sinfo_release_content(&sinfo);
15879 
15880 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15881 }
15882 
15883 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15884 			  struct nlattr *attrs[], struct net_device *dev,
15885 			  struct cfg80211_tid_cfg *tid_conf,
15886 			  struct genl_info *info, const u8 *peer,
15887 			  unsigned int link_id)
15888 {
15889 	struct netlink_ext_ack *extack = info->extack;
15890 	u64 mask;
15891 	int err;
15892 
15893 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15894 		return -EINVAL;
15895 
15896 	tid_conf->config_override =
15897 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15898 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15899 
15900 	if (tid_conf->config_override) {
15901 		if (rdev->ops->reset_tid_config) {
15902 			err = rdev_reset_tid_config(rdev, dev, peer,
15903 						    tid_conf->tids);
15904 			if (err)
15905 				return err;
15906 		} else {
15907 			return -EINVAL;
15908 		}
15909 	}
15910 
15911 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15912 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15913 		tid_conf->noack =
15914 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15915 	}
15916 
15917 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15918 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15919 		tid_conf->retry_short =
15920 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15921 
15922 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15923 			return -EINVAL;
15924 	}
15925 
15926 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15927 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15928 		tid_conf->retry_long =
15929 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15930 
15931 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15932 			return -EINVAL;
15933 	}
15934 
15935 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15936 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15937 		tid_conf->ampdu =
15938 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15939 	}
15940 
15941 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15942 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15943 		tid_conf->rtscts =
15944 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15945 	}
15946 
15947 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15948 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15949 		tid_conf->amsdu =
15950 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15951 	}
15952 
15953 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15954 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15955 
15956 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15957 
15958 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15959 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15960 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15961 						    &tid_conf->txrate_mask, dev,
15962 						    true, link_id);
15963 			if (err)
15964 				return err;
15965 
15966 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15967 		}
15968 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15969 	}
15970 
15971 	if (peer)
15972 		mask = rdev->wiphy.tid_config_support.peer;
15973 	else
15974 		mask = rdev->wiphy.tid_config_support.vif;
15975 
15976 	if (tid_conf->mask & ~mask) {
15977 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15978 		return -ENOTSUPP;
15979 	}
15980 
15981 	return 0;
15982 }
15983 
15984 static int nl80211_set_tid_config(struct sk_buff *skb,
15985 				  struct genl_info *info)
15986 {
15987 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15988 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15989 	unsigned int link_id = nl80211_link_id(info->attrs);
15990 	struct net_device *dev = info->user_ptr[1];
15991 	struct cfg80211_tid_config *tid_config;
15992 	struct nlattr *tid;
15993 	int conf_idx = 0, rem_conf;
15994 	int ret = -EINVAL;
15995 	u32 num_conf = 0;
15996 
15997 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15998 		return -EINVAL;
15999 
16000 	if (!rdev->ops->set_tid_config)
16001 		return -EOPNOTSUPP;
16002 
16003 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16004 			    rem_conf)
16005 		num_conf++;
16006 
16007 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16008 			     GFP_KERNEL);
16009 	if (!tid_config)
16010 		return -ENOMEM;
16011 
16012 	tid_config->n_tid_conf = num_conf;
16013 
16014 	if (info->attrs[NL80211_ATTR_MAC])
16015 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16016 
16017 	wdev_lock(dev->ieee80211_ptr);
16018 
16019 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16020 			    rem_conf) {
16021 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16022 				       tid, NULL, NULL);
16023 
16024 		if (ret)
16025 			goto bad_tid_conf;
16026 
16027 		ret = parse_tid_conf(rdev, attrs, dev,
16028 				     &tid_config->tid_conf[conf_idx],
16029 				     info, tid_config->peer, link_id);
16030 		if (ret)
16031 			goto bad_tid_conf;
16032 
16033 		conf_idx++;
16034 	}
16035 
16036 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16037 
16038 bad_tid_conf:
16039 	kfree(tid_config);
16040 	wdev_unlock(dev->ieee80211_ptr);
16041 	return ret;
16042 }
16043 
16044 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16045 {
16046 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16047 	struct cfg80211_color_change_settings params = {};
16048 	struct net_device *dev = info->user_ptr[1];
16049 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16050 	struct nlattr **tb;
16051 	u16 offset;
16052 	int err;
16053 
16054 	if (!rdev->ops->color_change)
16055 		return -EOPNOTSUPP;
16056 
16057 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16058 				     NL80211_EXT_FEATURE_BSS_COLOR))
16059 		return -EOPNOTSUPP;
16060 
16061 	if (wdev->iftype != NL80211_IFTYPE_AP)
16062 		return -EOPNOTSUPP;
16063 
16064 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16065 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16066 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16067 		return -EINVAL;
16068 
16069 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16070 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16071 
16072 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16073 				   info->extack);
16074 	if (err)
16075 		return err;
16076 
16077 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16078 	if (!tb)
16079 		return -ENOMEM;
16080 
16081 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16082 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16083 			       nl80211_policy, info->extack);
16084 	if (err)
16085 		goto out;
16086 
16087 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16088 				   info->extack);
16089 	if (err)
16090 		goto out;
16091 
16092 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16093 		err = -EINVAL;
16094 		goto out;
16095 	}
16096 
16097 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16098 		err = -EINVAL;
16099 		goto out;
16100 	}
16101 
16102 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16103 	if (offset >= params.beacon_color_change.tail_len) {
16104 		err = -EINVAL;
16105 		goto out;
16106 	}
16107 
16108 	if (params.beacon_color_change.tail[offset] != params.count) {
16109 		err = -EINVAL;
16110 		goto out;
16111 	}
16112 
16113 	params.counter_offset_beacon = offset;
16114 
16115 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16116 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16117 		    sizeof(u16)) {
16118 			err = -EINVAL;
16119 			goto out;
16120 		}
16121 
16122 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16123 		if (offset >= params.beacon_color_change.probe_resp_len) {
16124 			err = -EINVAL;
16125 			goto out;
16126 		}
16127 
16128 		if (params.beacon_color_change.probe_resp[offset] !=
16129 		    params.count) {
16130 			err = -EINVAL;
16131 			goto out;
16132 		}
16133 
16134 		params.counter_offset_presp = offset;
16135 	}
16136 
16137 	wdev_lock(wdev);
16138 	err = rdev_color_change(rdev, dev, &params);
16139 	wdev_unlock(wdev);
16140 
16141 out:
16142 	kfree(params.beacon_next.mbssid_ies);
16143 	kfree(params.beacon_color_change.mbssid_ies);
16144 	kfree(params.beacon_next.rnr_ies);
16145 	kfree(params.beacon_color_change.rnr_ies);
16146 	kfree(tb);
16147 	return err;
16148 }
16149 
16150 static int nl80211_set_fils_aad(struct sk_buff *skb,
16151 				struct genl_info *info)
16152 {
16153 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16154 	struct net_device *dev = info->user_ptr[1];
16155 	struct cfg80211_fils_aad fils_aad = {};
16156 	u8 *nonces;
16157 
16158 	if (!info->attrs[NL80211_ATTR_MAC] ||
16159 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16160 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16161 		return -EINVAL;
16162 
16163 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16164 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16165 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16166 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16167 	fils_aad.snonce = nonces;
16168 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16169 
16170 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16171 }
16172 
16173 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16174 {
16175 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16176 	unsigned int link_id = nl80211_link_id(info->attrs);
16177 	struct net_device *dev = info->user_ptr[1];
16178 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16179 	int ret;
16180 
16181 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16182 		return -EINVAL;
16183 
16184 	switch (wdev->iftype) {
16185 	case NL80211_IFTYPE_AP:
16186 		break;
16187 	default:
16188 		return -EINVAL;
16189 	}
16190 
16191 	if (!info->attrs[NL80211_ATTR_MAC] ||
16192 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16193 		return -EINVAL;
16194 
16195 	wdev_lock(wdev);
16196 	wdev->valid_links |= BIT(link_id);
16197 	ether_addr_copy(wdev->links[link_id].addr,
16198 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16199 
16200 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16201 	if (ret) {
16202 		wdev->valid_links &= ~BIT(link_id);
16203 		eth_zero_addr(wdev->links[link_id].addr);
16204 	}
16205 	wdev_unlock(wdev);
16206 
16207 	return ret;
16208 }
16209 
16210 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16211 {
16212 	unsigned int link_id = nl80211_link_id(info->attrs);
16213 	struct net_device *dev = info->user_ptr[1];
16214 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16215 
16216 	/* cannot remove if there's no link */
16217 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16218 		return -EINVAL;
16219 
16220 	switch (wdev->iftype) {
16221 	case NL80211_IFTYPE_AP:
16222 		break;
16223 	default:
16224 		return -EINVAL;
16225 	}
16226 
16227 	wdev_lock(wdev);
16228 	cfg80211_remove_link(wdev, link_id);
16229 	wdev_unlock(wdev);
16230 
16231 	return 0;
16232 }
16233 
16234 static int
16235 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16236 			     bool add)
16237 {
16238 	struct link_station_parameters params = {};
16239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16240 	struct net_device *dev = info->user_ptr[1];
16241 	int err;
16242 
16243 	if ((add && !rdev->ops->add_link_station) ||
16244 	    (!add && !rdev->ops->mod_link_station))
16245 		return -EOPNOTSUPP;
16246 
16247 	if (add && !info->attrs[NL80211_ATTR_MAC])
16248 		return -EINVAL;
16249 
16250 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16251 		return -EINVAL;
16252 
16253 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16254 		return -EINVAL;
16255 
16256 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16257 
16258 	if (info->attrs[NL80211_ATTR_MAC]) {
16259 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16260 		if (!is_valid_ether_addr(params.link_mac))
16261 			return -EINVAL;
16262 	}
16263 
16264 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16265 		return -EINVAL;
16266 
16267 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16268 
16269 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16270 		params.supported_rates =
16271 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16272 		params.supported_rates_len =
16273 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16274 	}
16275 
16276 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16277 		params.ht_capa =
16278 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16279 
16280 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16281 		params.vht_capa =
16282 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16283 
16284 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16285 		params.he_capa =
16286 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16287 		params.he_capa_len =
16288 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16289 
16290 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16291 			params.eht_capa =
16292 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16293 			params.eht_capa_len =
16294 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16295 
16296 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16297 							(const u8 *)params.eht_capa,
16298 							params.eht_capa_len,
16299 							false))
16300 				return -EINVAL;
16301 		}
16302 	}
16303 
16304 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16305 		params.he_6ghz_capa =
16306 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16307 
16308 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16309 		params.opmode_notif_used = true;
16310 		params.opmode_notif =
16311 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16312 	}
16313 
16314 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16315 						&params.txpwr_set);
16316 	if (err)
16317 		return err;
16318 
16319 	wdev_lock(dev->ieee80211_ptr);
16320 	if (add)
16321 		err = rdev_add_link_station(rdev, dev, &params);
16322 	else
16323 		err = rdev_mod_link_station(rdev, dev, &params);
16324 	wdev_unlock(dev->ieee80211_ptr);
16325 
16326 	return err;
16327 }
16328 
16329 static int
16330 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16331 {
16332 	return nl80211_add_mod_link_station(skb, info, true);
16333 }
16334 
16335 static int
16336 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16337 {
16338 	return nl80211_add_mod_link_station(skb, info, false);
16339 }
16340 
16341 static int
16342 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16343 {
16344 	struct link_station_del_parameters params = {};
16345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16346 	struct net_device *dev = info->user_ptr[1];
16347 	int ret;
16348 
16349 	if (!rdev->ops->del_link_station)
16350 		return -EOPNOTSUPP;
16351 
16352 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16353 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16354 		return -EINVAL;
16355 
16356 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16357 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16358 
16359 	wdev_lock(dev->ieee80211_ptr);
16360 	ret = rdev_del_link_station(rdev, dev, &params);
16361 	wdev_unlock(dev->ieee80211_ptr);
16362 
16363 	return ret;
16364 }
16365 
16366 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16367 				    struct genl_info *info)
16368 {
16369 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16370 	struct net_device *dev = info->user_ptr[1];
16371 	struct cfg80211_set_hw_timestamp hwts = {};
16372 
16373 	if (!rdev->wiphy.hw_timestamp_max_peers)
16374 		return -EOPNOTSUPP;
16375 
16376 	if (!info->attrs[NL80211_ATTR_MAC] &&
16377 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16378 		return -EOPNOTSUPP;
16379 
16380 	if (info->attrs[NL80211_ATTR_MAC])
16381 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16382 
16383 	hwts.enable =
16384 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16385 
16386 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16387 }
16388 
16389 #define NL80211_FLAG_NEED_WIPHY		0x01
16390 #define NL80211_FLAG_NEED_NETDEV	0x02
16391 #define NL80211_FLAG_NEED_RTNL		0x04
16392 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16393 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16394 					 NL80211_FLAG_CHECK_NETDEV_UP)
16395 #define NL80211_FLAG_NEED_WDEV		0x10
16396 /* If a netdev is associated, it must be UP, P2P must be started */
16397 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16398 					 NL80211_FLAG_CHECK_NETDEV_UP)
16399 #define NL80211_FLAG_CLEAR_SKB		0x20
16400 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16401 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16402 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16403 
16404 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16405 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16406 	SELECTOR(__sel, WIPHY,				\
16407 		 NL80211_FLAG_NEED_WIPHY)		\
16408 	SELECTOR(__sel, WDEV,				\
16409 		 NL80211_FLAG_NEED_WDEV)		\
16410 	SELECTOR(__sel, NETDEV,				\
16411 		 NL80211_FLAG_NEED_NETDEV)		\
16412 	SELECTOR(__sel, NETDEV_LINK,			\
16413 		 NL80211_FLAG_NEED_NETDEV |		\
16414 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16415 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16416 		 NL80211_FLAG_NEED_NETDEV |		\
16417 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16418 	SELECTOR(__sel, WIPHY_RTNL,			\
16419 		 NL80211_FLAG_NEED_WIPHY |		\
16420 		 NL80211_FLAG_NEED_RTNL)		\
16421 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16422 		 NL80211_FLAG_NEED_WIPHY |		\
16423 		 NL80211_FLAG_NEED_RTNL |		\
16424 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16425 	SELECTOR(__sel, WDEV_RTNL,			\
16426 		 NL80211_FLAG_NEED_WDEV |		\
16427 		 NL80211_FLAG_NEED_RTNL)		\
16428 	SELECTOR(__sel, NETDEV_RTNL,			\
16429 		 NL80211_FLAG_NEED_NETDEV |		\
16430 		 NL80211_FLAG_NEED_RTNL)		\
16431 	SELECTOR(__sel, NETDEV_UP,			\
16432 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16433 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16434 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16435 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16436 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16437 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16438 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16439 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16440 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16441 		 NL80211_FLAG_CLEAR_SKB |		\
16442 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16443 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16444 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16445 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16446 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16447 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16448 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16449 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16450 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16451 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16452 		 NL80211_FLAG_CLEAR_SKB)		\
16453 	SELECTOR(__sel, WDEV_UP,			\
16454 		 NL80211_FLAG_NEED_WDEV_UP)		\
16455 	SELECTOR(__sel, WDEV_UP_LINK,			\
16456 		 NL80211_FLAG_NEED_WDEV_UP |		\
16457 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16458 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16459 		 NL80211_FLAG_NEED_WDEV_UP |		\
16460 		 NL80211_FLAG_NEED_RTNL)		\
16461 	SELECTOR(__sel, WIPHY_CLEAR,			\
16462 		 NL80211_FLAG_NEED_WIPHY |		\
16463 		 NL80211_FLAG_CLEAR_SKB)
16464 
16465 enum nl80211_internal_flags_selector {
16466 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16467 	INTERNAL_FLAG_SELECTORS(_)
16468 #undef SELECTOR
16469 };
16470 
16471 static u32 nl80211_internal_flags[] = {
16472 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16473 	INTERNAL_FLAG_SELECTORS(_)
16474 #undef SELECTOR
16475 };
16476 
16477 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16478 			    struct sk_buff *skb,
16479 			    struct genl_info *info)
16480 {
16481 	struct cfg80211_registered_device *rdev = NULL;
16482 	struct wireless_dev *wdev = NULL;
16483 	struct net_device *dev = NULL;
16484 	u32 internal_flags;
16485 	int err;
16486 
16487 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16488 		return -EINVAL;
16489 
16490 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16491 
16492 	rtnl_lock();
16493 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16494 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16495 		if (IS_ERR(rdev)) {
16496 			err = PTR_ERR(rdev);
16497 			goto out_unlock;
16498 		}
16499 		info->user_ptr[0] = rdev;
16500 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16501 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16502 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16503 						  info->attrs);
16504 		if (IS_ERR(wdev)) {
16505 			err = PTR_ERR(wdev);
16506 			goto out_unlock;
16507 		}
16508 
16509 		dev = wdev->netdev;
16510 		dev_hold(dev);
16511 		rdev = wiphy_to_rdev(wdev->wiphy);
16512 
16513 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16514 			if (!dev) {
16515 				err = -EINVAL;
16516 				goto out_unlock;
16517 			}
16518 
16519 			info->user_ptr[1] = dev;
16520 		} else {
16521 			info->user_ptr[1] = wdev;
16522 		}
16523 
16524 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16525 		    !wdev_running(wdev)) {
16526 			err = -ENETDOWN;
16527 			goto out_unlock;
16528 		}
16529 
16530 		info->user_ptr[0] = rdev;
16531 	}
16532 
16533 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16534 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16535 
16536 		if (!wdev) {
16537 			err = -EINVAL;
16538 			goto out_unlock;
16539 		}
16540 
16541 		/* MLO -> require valid link ID */
16542 		if (wdev->valid_links &&
16543 		    (!link_id ||
16544 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16545 			err = -EINVAL;
16546 			goto out_unlock;
16547 		}
16548 
16549 		/* non-MLO -> no link ID attribute accepted */
16550 		if (!wdev->valid_links && link_id) {
16551 			err = -EINVAL;
16552 			goto out_unlock;
16553 		}
16554 	}
16555 
16556 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16557 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16558 		    (wdev && wdev->valid_links)) {
16559 			err = -EINVAL;
16560 			goto out_unlock;
16561 		}
16562 	}
16563 
16564 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16565 		wiphy_lock(&rdev->wiphy);
16566 		/* we keep the mutex locked until post_doit */
16567 		__release(&rdev->wiphy.mtx);
16568 	}
16569 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16570 		rtnl_unlock();
16571 
16572 	return 0;
16573 out_unlock:
16574 	rtnl_unlock();
16575 	dev_put(dev);
16576 	return err;
16577 }
16578 
16579 static void nl80211_post_doit(const struct genl_split_ops *ops,
16580 			      struct sk_buff *skb,
16581 			      struct genl_info *info)
16582 {
16583 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16584 
16585 	if (info->user_ptr[1]) {
16586 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16587 			struct wireless_dev *wdev = info->user_ptr[1];
16588 
16589 			dev_put(wdev->netdev);
16590 		} else {
16591 			dev_put(info->user_ptr[1]);
16592 		}
16593 	}
16594 
16595 	if (info->user_ptr[0] &&
16596 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16597 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16598 
16599 		/* we kept the mutex locked since pre_doit */
16600 		__acquire(&rdev->wiphy.mtx);
16601 		wiphy_unlock(&rdev->wiphy);
16602 	}
16603 
16604 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16605 		rtnl_unlock();
16606 
16607 	/* If needed, clear the netlink message payload from the SKB
16608 	 * as it might contain key data that shouldn't stick around on
16609 	 * the heap after the SKB is freed. The netlink message header
16610 	 * is still needed for further processing, so leave it intact.
16611 	 */
16612 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16613 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16614 
16615 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16616 	}
16617 }
16618 
16619 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16620 				     struct cfg80211_sar_specs *sar_specs,
16621 				     struct nlattr *spec[], int index)
16622 {
16623 	u32 range_index, i;
16624 
16625 	if (!sar_specs || !spec)
16626 		return -EINVAL;
16627 
16628 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16629 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16630 		return -EINVAL;
16631 
16632 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16633 
16634 	/* check if range_index exceeds num_freq_ranges */
16635 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16636 		return -EINVAL;
16637 
16638 	/* check if range_index duplicates */
16639 	for (i = 0; i < index; i++) {
16640 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16641 			return -EINVAL;
16642 	}
16643 
16644 	sar_specs->sub_specs[index].power =
16645 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16646 
16647 	sar_specs->sub_specs[index].freq_range_index = range_index;
16648 
16649 	return 0;
16650 }
16651 
16652 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16653 {
16654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16655 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16656 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16657 	struct cfg80211_sar_specs *sar_spec;
16658 	enum nl80211_sar_type type;
16659 	struct nlattr *spec_list;
16660 	u32 specs;
16661 	int rem, err;
16662 
16663 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16664 		return -EOPNOTSUPP;
16665 
16666 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16667 		return -EINVAL;
16668 
16669 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16670 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16671 			 NULL, NULL);
16672 
16673 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16674 		return -EINVAL;
16675 
16676 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16677 	if (type != rdev->wiphy.sar_capa->type)
16678 		return -EINVAL;
16679 
16680 	specs = 0;
16681 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16682 		specs++;
16683 
16684 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16685 		return -EINVAL;
16686 
16687 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16688 	if (!sar_spec)
16689 		return -ENOMEM;
16690 
16691 	sar_spec->type = type;
16692 	specs = 0;
16693 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16694 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16695 				 spec_list, NULL, NULL);
16696 
16697 		switch (type) {
16698 		case NL80211_SAR_TYPE_POWER:
16699 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16700 						      spec, specs)) {
16701 				err = -EINVAL;
16702 				goto error;
16703 			}
16704 			break;
16705 		default:
16706 			err = -EINVAL;
16707 			goto error;
16708 		}
16709 		specs++;
16710 	}
16711 
16712 	sar_spec->num_sub_specs = specs;
16713 
16714 	rdev->cur_cmd_info = info;
16715 	err = rdev_set_sar_specs(rdev, sar_spec);
16716 	rdev->cur_cmd_info = NULL;
16717 error:
16718 	kfree(sar_spec);
16719 	return err;
16720 }
16721 
16722 #define SELECTOR(__sel, name, value) \
16723 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16724 int __missing_selector(void);
16725 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16726 
16727 static const struct genl_ops nl80211_ops[] = {
16728 	{
16729 		.cmd = NL80211_CMD_GET_WIPHY,
16730 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16731 		.doit = nl80211_get_wiphy,
16732 		.dumpit = nl80211_dump_wiphy,
16733 		.done = nl80211_dump_wiphy_done,
16734 		/* can be retrieved by unprivileged users */
16735 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16736 	},
16737 };
16738 
16739 static const struct genl_small_ops nl80211_small_ops[] = {
16740 	{
16741 		.cmd = NL80211_CMD_SET_WIPHY,
16742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16743 		.doit = nl80211_set_wiphy,
16744 		.flags = GENL_UNS_ADMIN_PERM,
16745 	},
16746 	{
16747 		.cmd = NL80211_CMD_GET_INTERFACE,
16748 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16749 		.doit = nl80211_get_interface,
16750 		.dumpit = nl80211_dump_interface,
16751 		/* can be retrieved by unprivileged users */
16752 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16753 	},
16754 	{
16755 		.cmd = NL80211_CMD_SET_INTERFACE,
16756 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16757 		.doit = nl80211_set_interface,
16758 		.flags = GENL_UNS_ADMIN_PERM,
16759 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16760 					 NL80211_FLAG_NEED_RTNL),
16761 	},
16762 	{
16763 		.cmd = NL80211_CMD_NEW_INTERFACE,
16764 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16765 		.doit = nl80211_new_interface,
16766 		.flags = GENL_UNS_ADMIN_PERM,
16767 		.internal_flags =
16768 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16769 			       NL80211_FLAG_NEED_RTNL |
16770 			       /* we take the wiphy mutex later ourselves */
16771 			       NL80211_FLAG_NO_WIPHY_MTX),
16772 	},
16773 	{
16774 		.cmd = NL80211_CMD_DEL_INTERFACE,
16775 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16776 		.doit = nl80211_del_interface,
16777 		.flags = GENL_UNS_ADMIN_PERM,
16778 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16779 					 NL80211_FLAG_NEED_RTNL),
16780 	},
16781 	{
16782 		.cmd = NL80211_CMD_GET_KEY,
16783 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16784 		.doit = nl80211_get_key,
16785 		.flags = GENL_UNS_ADMIN_PERM,
16786 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16787 	},
16788 	{
16789 		.cmd = NL80211_CMD_SET_KEY,
16790 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16791 		.doit = nl80211_set_key,
16792 		.flags = GENL_UNS_ADMIN_PERM,
16793 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16794 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16795 					 NL80211_FLAG_CLEAR_SKB),
16796 	},
16797 	{
16798 		.cmd = NL80211_CMD_NEW_KEY,
16799 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16800 		.doit = nl80211_new_key,
16801 		.flags = GENL_UNS_ADMIN_PERM,
16802 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16803 					 NL80211_FLAG_CLEAR_SKB),
16804 	},
16805 	{
16806 		.cmd = NL80211_CMD_DEL_KEY,
16807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16808 		.doit = nl80211_del_key,
16809 		.flags = GENL_UNS_ADMIN_PERM,
16810 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16811 	},
16812 	{
16813 		.cmd = NL80211_CMD_SET_BEACON,
16814 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16815 		.flags = GENL_UNS_ADMIN_PERM,
16816 		.doit = nl80211_set_beacon,
16817 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16818 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16819 	},
16820 	{
16821 		.cmd = NL80211_CMD_START_AP,
16822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16823 		.flags = GENL_UNS_ADMIN_PERM,
16824 		.doit = nl80211_start_ap,
16825 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16826 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16827 	},
16828 	{
16829 		.cmd = NL80211_CMD_STOP_AP,
16830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16831 		.flags = GENL_UNS_ADMIN_PERM,
16832 		.doit = nl80211_stop_ap,
16833 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16834 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16835 	},
16836 	{
16837 		.cmd = NL80211_CMD_GET_STATION,
16838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16839 		.doit = nl80211_get_station,
16840 		.dumpit = nl80211_dump_station,
16841 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16842 	},
16843 	{
16844 		.cmd = NL80211_CMD_SET_STATION,
16845 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16846 		.doit = nl80211_set_station,
16847 		.flags = GENL_UNS_ADMIN_PERM,
16848 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16849 	},
16850 	{
16851 		.cmd = NL80211_CMD_NEW_STATION,
16852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16853 		.doit = nl80211_new_station,
16854 		.flags = GENL_UNS_ADMIN_PERM,
16855 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16856 	},
16857 	{
16858 		.cmd = NL80211_CMD_DEL_STATION,
16859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16860 		.doit = nl80211_del_station,
16861 		.flags = GENL_UNS_ADMIN_PERM,
16862 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16863 	},
16864 	{
16865 		.cmd = NL80211_CMD_GET_MPATH,
16866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16867 		.doit = nl80211_get_mpath,
16868 		.dumpit = nl80211_dump_mpath,
16869 		.flags = GENL_UNS_ADMIN_PERM,
16870 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16871 	},
16872 	{
16873 		.cmd = NL80211_CMD_GET_MPP,
16874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16875 		.doit = nl80211_get_mpp,
16876 		.dumpit = nl80211_dump_mpp,
16877 		.flags = GENL_UNS_ADMIN_PERM,
16878 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16879 	},
16880 	{
16881 		.cmd = NL80211_CMD_SET_MPATH,
16882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16883 		.doit = nl80211_set_mpath,
16884 		.flags = GENL_UNS_ADMIN_PERM,
16885 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16886 	},
16887 	{
16888 		.cmd = NL80211_CMD_NEW_MPATH,
16889 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16890 		.doit = nl80211_new_mpath,
16891 		.flags = GENL_UNS_ADMIN_PERM,
16892 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16893 	},
16894 	{
16895 		.cmd = NL80211_CMD_DEL_MPATH,
16896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16897 		.doit = nl80211_del_mpath,
16898 		.flags = GENL_UNS_ADMIN_PERM,
16899 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16900 	},
16901 	{
16902 		.cmd = NL80211_CMD_SET_BSS,
16903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16904 		.doit = nl80211_set_bss,
16905 		.flags = GENL_UNS_ADMIN_PERM,
16906 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16907 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16908 	},
16909 	{
16910 		.cmd = NL80211_CMD_GET_REG,
16911 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16912 		.doit = nl80211_get_reg_do,
16913 		.dumpit = nl80211_get_reg_dump,
16914 		/* can be retrieved by unprivileged users */
16915 	},
16916 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16917 	{
16918 		.cmd = NL80211_CMD_SET_REG,
16919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16920 		.doit = nl80211_set_reg,
16921 		.flags = GENL_ADMIN_PERM,
16922 	},
16923 #endif
16924 	{
16925 		.cmd = NL80211_CMD_REQ_SET_REG,
16926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16927 		.doit = nl80211_req_set_reg,
16928 		.flags = GENL_ADMIN_PERM,
16929 	},
16930 	{
16931 		.cmd = NL80211_CMD_RELOAD_REGDB,
16932 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16933 		.doit = nl80211_reload_regdb,
16934 		.flags = GENL_ADMIN_PERM,
16935 	},
16936 	{
16937 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16939 		.doit = nl80211_get_mesh_config,
16940 		/* can be retrieved by unprivileged users */
16941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16942 	},
16943 	{
16944 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16945 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16946 		.doit = nl80211_update_mesh_config,
16947 		.flags = GENL_UNS_ADMIN_PERM,
16948 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16949 	},
16950 	{
16951 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16952 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16953 		.doit = nl80211_trigger_scan,
16954 		.flags = GENL_UNS_ADMIN_PERM,
16955 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16956 	},
16957 	{
16958 		.cmd = NL80211_CMD_ABORT_SCAN,
16959 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16960 		.doit = nl80211_abort_scan,
16961 		.flags = GENL_UNS_ADMIN_PERM,
16962 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16963 	},
16964 	{
16965 		.cmd = NL80211_CMD_GET_SCAN,
16966 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16967 		.dumpit = nl80211_dump_scan,
16968 	},
16969 	{
16970 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16972 		.doit = nl80211_start_sched_scan,
16973 		.flags = GENL_UNS_ADMIN_PERM,
16974 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16975 	},
16976 	{
16977 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16979 		.doit = nl80211_stop_sched_scan,
16980 		.flags = GENL_UNS_ADMIN_PERM,
16981 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16982 	},
16983 	{
16984 		.cmd = NL80211_CMD_AUTHENTICATE,
16985 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16986 		.doit = nl80211_authenticate,
16987 		.flags = GENL_UNS_ADMIN_PERM,
16988 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16989 					 NL80211_FLAG_CLEAR_SKB),
16990 	},
16991 	{
16992 		.cmd = NL80211_CMD_ASSOCIATE,
16993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16994 		.doit = nl80211_associate,
16995 		.flags = GENL_UNS_ADMIN_PERM,
16996 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16997 					 NL80211_FLAG_CLEAR_SKB),
16998 	},
16999 	{
17000 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17001 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17002 		.doit = nl80211_deauthenticate,
17003 		.flags = GENL_UNS_ADMIN_PERM,
17004 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17005 	},
17006 	{
17007 		.cmd = NL80211_CMD_DISASSOCIATE,
17008 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17009 		.doit = nl80211_disassociate,
17010 		.flags = GENL_UNS_ADMIN_PERM,
17011 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17012 	},
17013 	{
17014 		.cmd = NL80211_CMD_JOIN_IBSS,
17015 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17016 		.doit = nl80211_join_ibss,
17017 		.flags = GENL_UNS_ADMIN_PERM,
17018 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17019 	},
17020 	{
17021 		.cmd = NL80211_CMD_LEAVE_IBSS,
17022 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17023 		.doit = nl80211_leave_ibss,
17024 		.flags = GENL_UNS_ADMIN_PERM,
17025 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17026 	},
17027 #ifdef CONFIG_NL80211_TESTMODE
17028 	{
17029 		.cmd = NL80211_CMD_TESTMODE,
17030 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17031 		.doit = nl80211_testmode_do,
17032 		.dumpit = nl80211_testmode_dump,
17033 		.flags = GENL_UNS_ADMIN_PERM,
17034 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17035 	},
17036 #endif
17037 	{
17038 		.cmd = NL80211_CMD_CONNECT,
17039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17040 		.doit = nl80211_connect,
17041 		.flags = GENL_UNS_ADMIN_PERM,
17042 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17043 					 NL80211_FLAG_CLEAR_SKB),
17044 	},
17045 	{
17046 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17048 		.doit = nl80211_update_connect_params,
17049 		.flags = GENL_ADMIN_PERM,
17050 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17051 					 NL80211_FLAG_CLEAR_SKB),
17052 	},
17053 	{
17054 		.cmd = NL80211_CMD_DISCONNECT,
17055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17056 		.doit = nl80211_disconnect,
17057 		.flags = GENL_UNS_ADMIN_PERM,
17058 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17059 	},
17060 	{
17061 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17062 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17063 		.doit = nl80211_wiphy_netns,
17064 		.flags = GENL_UNS_ADMIN_PERM,
17065 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17066 					 NL80211_FLAG_NEED_RTNL |
17067 					 NL80211_FLAG_NO_WIPHY_MTX),
17068 	},
17069 	{
17070 		.cmd = NL80211_CMD_GET_SURVEY,
17071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17072 		.dumpit = nl80211_dump_survey,
17073 	},
17074 	{
17075 		.cmd = NL80211_CMD_SET_PMKSA,
17076 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17077 		.doit = nl80211_setdel_pmksa,
17078 		.flags = GENL_UNS_ADMIN_PERM,
17079 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17080 					 NL80211_FLAG_CLEAR_SKB),
17081 	},
17082 	{
17083 		.cmd = NL80211_CMD_DEL_PMKSA,
17084 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17085 		.doit = nl80211_setdel_pmksa,
17086 		.flags = GENL_UNS_ADMIN_PERM,
17087 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17088 	},
17089 	{
17090 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17091 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17092 		.doit = nl80211_flush_pmksa,
17093 		.flags = GENL_UNS_ADMIN_PERM,
17094 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17095 	},
17096 	{
17097 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17098 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17099 		.doit = nl80211_remain_on_channel,
17100 		.flags = GENL_UNS_ADMIN_PERM,
17101 		/* FIXME: requiring a link ID here is probably not good */
17102 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17103 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17104 	},
17105 	{
17106 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17107 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17108 		.doit = nl80211_cancel_remain_on_channel,
17109 		.flags = GENL_UNS_ADMIN_PERM,
17110 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17111 	},
17112 	{
17113 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17114 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17115 		.doit = nl80211_set_tx_bitrate_mask,
17116 		.flags = GENL_UNS_ADMIN_PERM,
17117 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17118 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17119 	},
17120 	{
17121 		.cmd = NL80211_CMD_REGISTER_FRAME,
17122 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17123 		.doit = nl80211_register_mgmt,
17124 		.flags = GENL_UNS_ADMIN_PERM,
17125 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17126 	},
17127 	{
17128 		.cmd = NL80211_CMD_FRAME,
17129 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17130 		.doit = nl80211_tx_mgmt,
17131 		.flags = GENL_UNS_ADMIN_PERM,
17132 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17133 	},
17134 	{
17135 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17136 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17137 		.doit = nl80211_tx_mgmt_cancel_wait,
17138 		.flags = GENL_UNS_ADMIN_PERM,
17139 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17140 	},
17141 	{
17142 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17143 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17144 		.doit = nl80211_set_power_save,
17145 		.flags = GENL_UNS_ADMIN_PERM,
17146 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17147 	},
17148 	{
17149 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17150 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17151 		.doit = nl80211_get_power_save,
17152 		/* can be retrieved by unprivileged users */
17153 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17154 	},
17155 	{
17156 		.cmd = NL80211_CMD_SET_CQM,
17157 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17158 		.doit = nl80211_set_cqm,
17159 		.flags = GENL_UNS_ADMIN_PERM,
17160 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17161 	},
17162 	{
17163 		.cmd = NL80211_CMD_SET_CHANNEL,
17164 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17165 		.doit = nl80211_set_channel,
17166 		.flags = GENL_UNS_ADMIN_PERM,
17167 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17168 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17169 	},
17170 	{
17171 		.cmd = NL80211_CMD_JOIN_MESH,
17172 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17173 		.doit = nl80211_join_mesh,
17174 		.flags = GENL_UNS_ADMIN_PERM,
17175 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17176 	},
17177 	{
17178 		.cmd = NL80211_CMD_LEAVE_MESH,
17179 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17180 		.doit = nl80211_leave_mesh,
17181 		.flags = GENL_UNS_ADMIN_PERM,
17182 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17183 	},
17184 	{
17185 		.cmd = NL80211_CMD_JOIN_OCB,
17186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17187 		.doit = nl80211_join_ocb,
17188 		.flags = GENL_UNS_ADMIN_PERM,
17189 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17190 	},
17191 	{
17192 		.cmd = NL80211_CMD_LEAVE_OCB,
17193 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17194 		.doit = nl80211_leave_ocb,
17195 		.flags = GENL_UNS_ADMIN_PERM,
17196 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17197 	},
17198 #ifdef CONFIG_PM
17199 	{
17200 		.cmd = NL80211_CMD_GET_WOWLAN,
17201 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17202 		.doit = nl80211_get_wowlan,
17203 		/* can be retrieved by unprivileged users */
17204 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17205 	},
17206 	{
17207 		.cmd = NL80211_CMD_SET_WOWLAN,
17208 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17209 		.doit = nl80211_set_wowlan,
17210 		.flags = GENL_UNS_ADMIN_PERM,
17211 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17212 	},
17213 #endif
17214 	{
17215 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17216 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17217 		.doit = nl80211_set_rekey_data,
17218 		.flags = GENL_UNS_ADMIN_PERM,
17219 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17220 					 NL80211_FLAG_CLEAR_SKB),
17221 	},
17222 	{
17223 		.cmd = NL80211_CMD_TDLS_MGMT,
17224 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17225 		.doit = nl80211_tdls_mgmt,
17226 		.flags = GENL_UNS_ADMIN_PERM,
17227 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17228 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17229 	},
17230 	{
17231 		.cmd = NL80211_CMD_TDLS_OPER,
17232 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17233 		.doit = nl80211_tdls_oper,
17234 		.flags = GENL_UNS_ADMIN_PERM,
17235 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17236 	},
17237 	{
17238 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17239 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17240 		.doit = nl80211_register_unexpected_frame,
17241 		.flags = GENL_UNS_ADMIN_PERM,
17242 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17243 	},
17244 	{
17245 		.cmd = NL80211_CMD_PROBE_CLIENT,
17246 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17247 		.doit = nl80211_probe_client,
17248 		.flags = GENL_UNS_ADMIN_PERM,
17249 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17250 	},
17251 	{
17252 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17253 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17254 		.doit = nl80211_register_beacons,
17255 		.flags = GENL_UNS_ADMIN_PERM,
17256 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17257 	},
17258 	{
17259 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17260 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17261 		.doit = nl80211_set_noack_map,
17262 		.flags = GENL_UNS_ADMIN_PERM,
17263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17264 	},
17265 	{
17266 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17268 		.doit = nl80211_start_p2p_device,
17269 		.flags = GENL_UNS_ADMIN_PERM,
17270 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17271 					 NL80211_FLAG_NEED_RTNL),
17272 	},
17273 	{
17274 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17275 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17276 		.doit = nl80211_stop_p2p_device,
17277 		.flags = GENL_UNS_ADMIN_PERM,
17278 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17279 					 NL80211_FLAG_NEED_RTNL),
17280 	},
17281 	{
17282 		.cmd = NL80211_CMD_START_NAN,
17283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284 		.doit = nl80211_start_nan,
17285 		.flags = GENL_ADMIN_PERM,
17286 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17287 					 NL80211_FLAG_NEED_RTNL),
17288 	},
17289 	{
17290 		.cmd = NL80211_CMD_STOP_NAN,
17291 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17292 		.doit = nl80211_stop_nan,
17293 		.flags = GENL_ADMIN_PERM,
17294 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17295 					 NL80211_FLAG_NEED_RTNL),
17296 	},
17297 	{
17298 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17300 		.doit = nl80211_nan_add_func,
17301 		.flags = GENL_ADMIN_PERM,
17302 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17303 	},
17304 	{
17305 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17306 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17307 		.doit = nl80211_nan_del_func,
17308 		.flags = GENL_ADMIN_PERM,
17309 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17310 	},
17311 	{
17312 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17313 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17314 		.doit = nl80211_nan_change_config,
17315 		.flags = GENL_ADMIN_PERM,
17316 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17317 	},
17318 	{
17319 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17320 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17321 		.doit = nl80211_set_mcast_rate,
17322 		.flags = GENL_UNS_ADMIN_PERM,
17323 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17324 	},
17325 	{
17326 		.cmd = NL80211_CMD_SET_MAC_ACL,
17327 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17328 		.doit = nl80211_set_mac_acl,
17329 		.flags = GENL_UNS_ADMIN_PERM,
17330 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17331 					 NL80211_FLAG_MLO_UNSUPPORTED),
17332 	},
17333 	{
17334 		.cmd = NL80211_CMD_RADAR_DETECT,
17335 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17336 		.doit = nl80211_start_radar_detection,
17337 		.flags = GENL_UNS_ADMIN_PERM,
17338 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17339 					 NL80211_FLAG_NO_WIPHY_MTX |
17340 					 NL80211_FLAG_MLO_UNSUPPORTED),
17341 	},
17342 	{
17343 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17344 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17345 		.doit = nl80211_get_protocol_features,
17346 	},
17347 	{
17348 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17349 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17350 		.doit = nl80211_update_ft_ies,
17351 		.flags = GENL_UNS_ADMIN_PERM,
17352 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17353 	},
17354 	{
17355 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17356 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17357 		.doit = nl80211_crit_protocol_start,
17358 		.flags = GENL_UNS_ADMIN_PERM,
17359 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17360 	},
17361 	{
17362 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17363 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17364 		.doit = nl80211_crit_protocol_stop,
17365 		.flags = GENL_UNS_ADMIN_PERM,
17366 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17367 	},
17368 	{
17369 		.cmd = NL80211_CMD_GET_COALESCE,
17370 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17371 		.doit = nl80211_get_coalesce,
17372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17373 	},
17374 	{
17375 		.cmd = NL80211_CMD_SET_COALESCE,
17376 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17377 		.doit = nl80211_set_coalesce,
17378 		.flags = GENL_UNS_ADMIN_PERM,
17379 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17380 	},
17381 	{
17382 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17383 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17384 		.doit = nl80211_channel_switch,
17385 		.flags = GENL_UNS_ADMIN_PERM,
17386 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17387 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17388 	},
17389 	{
17390 		.cmd = NL80211_CMD_VENDOR,
17391 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17392 		.doit = nl80211_vendor_cmd,
17393 		.dumpit = nl80211_vendor_cmd_dump,
17394 		.flags = GENL_UNS_ADMIN_PERM,
17395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17396 					 NL80211_FLAG_CLEAR_SKB),
17397 	},
17398 	{
17399 		.cmd = NL80211_CMD_SET_QOS_MAP,
17400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17401 		.doit = nl80211_set_qos_map,
17402 		.flags = GENL_UNS_ADMIN_PERM,
17403 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17404 	},
17405 	{
17406 		.cmd = NL80211_CMD_ADD_TX_TS,
17407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17408 		.doit = nl80211_add_tx_ts,
17409 		.flags = GENL_UNS_ADMIN_PERM,
17410 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17411 					 NL80211_FLAG_MLO_UNSUPPORTED),
17412 	},
17413 	{
17414 		.cmd = NL80211_CMD_DEL_TX_TS,
17415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17416 		.doit = nl80211_del_tx_ts,
17417 		.flags = GENL_UNS_ADMIN_PERM,
17418 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17419 	},
17420 	{
17421 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17423 		.doit = nl80211_tdls_channel_switch,
17424 		.flags = GENL_UNS_ADMIN_PERM,
17425 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17426 	},
17427 	{
17428 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17429 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17430 		.doit = nl80211_tdls_cancel_channel_switch,
17431 		.flags = GENL_UNS_ADMIN_PERM,
17432 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17433 	},
17434 	{
17435 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17436 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17437 		.doit = nl80211_set_multicast_to_unicast,
17438 		.flags = GENL_UNS_ADMIN_PERM,
17439 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17440 	},
17441 	{
17442 		.cmd = NL80211_CMD_SET_PMK,
17443 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17444 		.doit = nl80211_set_pmk,
17445 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17446 					 NL80211_FLAG_CLEAR_SKB),
17447 	},
17448 	{
17449 		.cmd = NL80211_CMD_DEL_PMK,
17450 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17451 		.doit = nl80211_del_pmk,
17452 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17453 	},
17454 	{
17455 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17457 		.doit = nl80211_external_auth,
17458 		.flags = GENL_ADMIN_PERM,
17459 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17460 	},
17461 	{
17462 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17464 		.doit = nl80211_tx_control_port,
17465 		.flags = GENL_UNS_ADMIN_PERM,
17466 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17467 	},
17468 	{
17469 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17470 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17471 		.doit = nl80211_get_ftm_responder_stats,
17472 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17473 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17474 	},
17475 	{
17476 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17477 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17478 		.doit = nl80211_pmsr_start,
17479 		.flags = GENL_UNS_ADMIN_PERM,
17480 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17481 	},
17482 	{
17483 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17484 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17485 		.doit = nl80211_notify_radar_detection,
17486 		.flags = GENL_UNS_ADMIN_PERM,
17487 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17488 	},
17489 	{
17490 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17491 		.doit = nl80211_update_owe_info,
17492 		.flags = GENL_ADMIN_PERM,
17493 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17494 	},
17495 	{
17496 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17497 		.doit = nl80211_probe_mesh_link,
17498 		.flags = GENL_UNS_ADMIN_PERM,
17499 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17500 	},
17501 	{
17502 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17503 		.doit = nl80211_set_tid_config,
17504 		.flags = GENL_UNS_ADMIN_PERM,
17505 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17506 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17507 	},
17508 	{
17509 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17510 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17511 		.doit = nl80211_set_sar_specs,
17512 		.flags = GENL_UNS_ADMIN_PERM,
17513 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17514 					 NL80211_FLAG_NEED_RTNL),
17515 	},
17516 	{
17517 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17518 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17519 		.doit = nl80211_color_change,
17520 		.flags = GENL_UNS_ADMIN_PERM,
17521 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17522 	},
17523 	{
17524 		.cmd = NL80211_CMD_SET_FILS_AAD,
17525 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17526 		.doit = nl80211_set_fils_aad,
17527 		.flags = GENL_UNS_ADMIN_PERM,
17528 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17529 	},
17530 	{
17531 		.cmd = NL80211_CMD_ADD_LINK,
17532 		.doit = nl80211_add_link,
17533 		.flags = GENL_UNS_ADMIN_PERM,
17534 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17535 	},
17536 	{
17537 		.cmd = NL80211_CMD_REMOVE_LINK,
17538 		.doit = nl80211_remove_link,
17539 		.flags = GENL_UNS_ADMIN_PERM,
17540 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17541 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17542 	},
17543 	{
17544 		.cmd = NL80211_CMD_ADD_LINK_STA,
17545 		.doit = nl80211_add_link_station,
17546 		.flags = GENL_UNS_ADMIN_PERM,
17547 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17548 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17549 	},
17550 	{
17551 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17552 		.doit = nl80211_modify_link_station,
17553 		.flags = GENL_UNS_ADMIN_PERM,
17554 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17555 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17556 	},
17557 	{
17558 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17559 		.doit = nl80211_remove_link_station,
17560 		.flags = GENL_UNS_ADMIN_PERM,
17561 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17562 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17563 	},
17564 	{
17565 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17566 		.doit = nl80211_set_hw_timestamp,
17567 		.flags = GENL_UNS_ADMIN_PERM,
17568 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17569 	},
17570 };
17571 
17572 static struct genl_family nl80211_fam __ro_after_init = {
17573 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17574 	.hdrsize = 0,			/* no private header */
17575 	.version = 1,			/* no particular meaning now */
17576 	.maxattr = NL80211_ATTR_MAX,
17577 	.policy = nl80211_policy,
17578 	.netnsok = true,
17579 	.pre_doit = nl80211_pre_doit,
17580 	.post_doit = nl80211_post_doit,
17581 	.module = THIS_MODULE,
17582 	.ops = nl80211_ops,
17583 	.n_ops = ARRAY_SIZE(nl80211_ops),
17584 	.small_ops = nl80211_small_ops,
17585 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17586 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17587 	.mcgrps = nl80211_mcgrps,
17588 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17589 	.parallel_ops = true,
17590 };
17591 
17592 /* notification functions */
17593 
17594 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17595 			  enum nl80211_commands cmd)
17596 {
17597 	struct sk_buff *msg;
17598 	struct nl80211_dump_wiphy_state state = {};
17599 
17600 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17601 		cmd != NL80211_CMD_DEL_WIPHY);
17602 
17603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17604 	if (!msg)
17605 		return;
17606 
17607 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17608 		nlmsg_free(msg);
17609 		return;
17610 	}
17611 
17612 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17613 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17614 }
17615 
17616 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17617 				struct wireless_dev *wdev,
17618 				enum nl80211_commands cmd)
17619 {
17620 	struct sk_buff *msg;
17621 
17622 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17623 	if (!msg)
17624 		return;
17625 
17626 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17627 		nlmsg_free(msg);
17628 		return;
17629 	}
17630 
17631 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17632 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17633 }
17634 
17635 static int nl80211_add_scan_req(struct sk_buff *msg,
17636 				struct cfg80211_registered_device *rdev)
17637 {
17638 	struct cfg80211_scan_request *req = rdev->scan_req;
17639 	struct nlattr *nest;
17640 	int i;
17641 	struct cfg80211_scan_info *info;
17642 
17643 	if (WARN_ON(!req))
17644 		return 0;
17645 
17646 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17647 	if (!nest)
17648 		goto nla_put_failure;
17649 	for (i = 0; i < req->n_ssids; i++) {
17650 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17651 			goto nla_put_failure;
17652 	}
17653 	nla_nest_end(msg, nest);
17654 
17655 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17656 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17657 		if (!nest)
17658 			goto nla_put_failure;
17659 		for (i = 0; i < req->n_channels; i++) {
17660 			if (nla_put_u32(msg, i,
17661 				   ieee80211_channel_to_khz(req->channels[i])))
17662 				goto nla_put_failure;
17663 		}
17664 		nla_nest_end(msg, nest);
17665 	} else {
17666 		nest = nla_nest_start_noflag(msg,
17667 					     NL80211_ATTR_SCAN_FREQUENCIES);
17668 		if (!nest)
17669 			goto nla_put_failure;
17670 		for (i = 0; i < req->n_channels; i++) {
17671 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17672 				goto nla_put_failure;
17673 		}
17674 		nla_nest_end(msg, nest);
17675 	}
17676 
17677 	if (req->ie &&
17678 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17679 		goto nla_put_failure;
17680 
17681 	if (req->flags &&
17682 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17683 		goto nla_put_failure;
17684 
17685 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17686 		&rdev->scan_req->info;
17687 	if (info->scan_start_tsf &&
17688 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17689 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17690 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17691 		     info->tsf_bssid)))
17692 		goto nla_put_failure;
17693 
17694 	return 0;
17695  nla_put_failure:
17696 	return -ENOBUFS;
17697 }
17698 
17699 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17700 				 struct cfg80211_registered_device *rdev,
17701 				 struct wireless_dev *wdev,
17702 				 u32 portid, u32 seq, int flags,
17703 				 u32 cmd)
17704 {
17705 	void *hdr;
17706 
17707 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17708 	if (!hdr)
17709 		return -1;
17710 
17711 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17712 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17713 					 wdev->netdev->ifindex)) ||
17714 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17715 			      NL80211_ATTR_PAD))
17716 		goto nla_put_failure;
17717 
17718 	/* ignore errors and send incomplete event anyway */
17719 	nl80211_add_scan_req(msg, rdev);
17720 
17721 	genlmsg_end(msg, hdr);
17722 	return 0;
17723 
17724  nla_put_failure:
17725 	genlmsg_cancel(msg, hdr);
17726 	return -EMSGSIZE;
17727 }
17728 
17729 static int
17730 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17731 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17732 {
17733 	void *hdr;
17734 
17735 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17736 	if (!hdr)
17737 		return -1;
17738 
17739 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17740 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17741 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17742 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17743 			      NL80211_ATTR_PAD))
17744 		goto nla_put_failure;
17745 
17746 	genlmsg_end(msg, hdr);
17747 	return 0;
17748 
17749  nla_put_failure:
17750 	genlmsg_cancel(msg, hdr);
17751 	return -EMSGSIZE;
17752 }
17753 
17754 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17755 			     struct wireless_dev *wdev)
17756 {
17757 	struct sk_buff *msg;
17758 
17759 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17760 	if (!msg)
17761 		return;
17762 
17763 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17764 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17765 		nlmsg_free(msg);
17766 		return;
17767 	}
17768 
17769 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17770 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17771 }
17772 
17773 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17774 				       struct wireless_dev *wdev, bool aborted)
17775 {
17776 	struct sk_buff *msg;
17777 
17778 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17779 	if (!msg)
17780 		return NULL;
17781 
17782 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17783 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17784 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17785 		nlmsg_free(msg);
17786 		return NULL;
17787 	}
17788 
17789 	return msg;
17790 }
17791 
17792 /* send message created by nl80211_build_scan_msg() */
17793 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17794 			   struct sk_buff *msg)
17795 {
17796 	if (!msg)
17797 		return;
17798 
17799 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17800 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17801 }
17802 
17803 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17804 {
17805 	struct sk_buff *msg;
17806 
17807 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17808 	if (!msg)
17809 		return;
17810 
17811 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17812 		nlmsg_free(msg);
17813 		return;
17814 	}
17815 
17816 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17817 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17818 }
17819 
17820 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17821 					  struct regulatory_request *request)
17822 {
17823 	/* Userspace can always count this one always being set */
17824 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17825 		goto nla_put_failure;
17826 
17827 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17828 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17829 			       NL80211_REGDOM_TYPE_WORLD))
17830 			goto nla_put_failure;
17831 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17832 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17833 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17834 			goto nla_put_failure;
17835 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17836 		   request->intersect) {
17837 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17838 			       NL80211_REGDOM_TYPE_INTERSECTION))
17839 			goto nla_put_failure;
17840 	} else {
17841 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17842 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17843 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17844 				   request->alpha2))
17845 			goto nla_put_failure;
17846 	}
17847 
17848 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17849 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17850 
17851 		if (wiphy &&
17852 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17853 			goto nla_put_failure;
17854 
17855 		if (wiphy &&
17856 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17857 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17858 			goto nla_put_failure;
17859 	}
17860 
17861 	return true;
17862 
17863 nla_put_failure:
17864 	return false;
17865 }
17866 
17867 /*
17868  * This can happen on global regulatory changes or device specific settings
17869  * based on custom regulatory domains.
17870  */
17871 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17872 				     struct regulatory_request *request)
17873 {
17874 	struct sk_buff *msg;
17875 	void *hdr;
17876 
17877 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17878 	if (!msg)
17879 		return;
17880 
17881 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17882 	if (!hdr)
17883 		goto nla_put_failure;
17884 
17885 	if (!nl80211_reg_change_event_fill(msg, request))
17886 		goto nla_put_failure;
17887 
17888 	genlmsg_end(msg, hdr);
17889 
17890 	rcu_read_lock();
17891 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17892 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17893 	rcu_read_unlock();
17894 
17895 	return;
17896 
17897 nla_put_failure:
17898 	nlmsg_free(msg);
17899 }
17900 
17901 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17902 				    struct net_device *netdev,
17903 				    const u8 *buf, size_t len,
17904 				    enum nl80211_commands cmd, gfp_t gfp,
17905 				    int uapsd_queues, const u8 *req_ies,
17906 				    size_t req_ies_len, bool reconnect)
17907 {
17908 	struct sk_buff *msg;
17909 	void *hdr;
17910 
17911 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17912 	if (!msg)
17913 		return;
17914 
17915 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17916 	if (!hdr) {
17917 		nlmsg_free(msg);
17918 		return;
17919 	}
17920 
17921 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17922 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17923 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17924 	    (req_ies &&
17925 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17926 		goto nla_put_failure;
17927 
17928 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17929 		goto nla_put_failure;
17930 
17931 	if (uapsd_queues >= 0) {
17932 		struct nlattr *nla_wmm =
17933 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17934 		if (!nla_wmm)
17935 			goto nla_put_failure;
17936 
17937 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17938 			       uapsd_queues))
17939 			goto nla_put_failure;
17940 
17941 		nla_nest_end(msg, nla_wmm);
17942 	}
17943 
17944 	genlmsg_end(msg, hdr);
17945 
17946 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17947 				NL80211_MCGRP_MLME, gfp);
17948 	return;
17949 
17950  nla_put_failure:
17951 	nlmsg_free(msg);
17952 }
17953 
17954 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17955 			  struct net_device *netdev, const u8 *buf,
17956 			  size_t len, gfp_t gfp)
17957 {
17958 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17959 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17960 				false);
17961 }
17962 
17963 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17964 			   struct net_device *netdev,
17965 			   struct cfg80211_rx_assoc_resp *data)
17966 {
17967 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17968 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17969 				data->uapsd_queues,
17970 				data->req_ies, data->req_ies_len, false);
17971 }
17972 
17973 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17974 			 struct net_device *netdev, const u8 *buf,
17975 			 size_t len, bool reconnect, gfp_t gfp)
17976 {
17977 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17978 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17979 				reconnect);
17980 }
17981 
17982 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17983 			   struct net_device *netdev, const u8 *buf,
17984 			   size_t len, bool reconnect, gfp_t gfp)
17985 {
17986 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17987 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17988 				reconnect);
17989 }
17990 
17991 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17992 				  size_t len)
17993 {
17994 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17995 	struct wiphy *wiphy = wdev->wiphy;
17996 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17997 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17998 	u32 cmd;
17999 
18000 	if (WARN_ON(len < 2))
18001 		return;
18002 
18003 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18004 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18005 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18006 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18007 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18008 		if (wdev->unprot_beacon_reported &&
18009 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18010 			return;
18011 		cmd = NL80211_CMD_UNPROT_BEACON;
18012 		wdev->unprot_beacon_reported = jiffies;
18013 	} else {
18014 		return;
18015 	}
18016 
18017 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18018 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
18019 				NULL, 0, false);
18020 }
18021 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18022 
18023 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18024 				      struct net_device *netdev, int cmd,
18025 				      const u8 *addr, gfp_t gfp)
18026 {
18027 	struct sk_buff *msg;
18028 	void *hdr;
18029 
18030 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18031 	if (!msg)
18032 		return;
18033 
18034 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18035 	if (!hdr) {
18036 		nlmsg_free(msg);
18037 		return;
18038 	}
18039 
18040 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18041 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18042 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18043 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18044 		goto nla_put_failure;
18045 
18046 	genlmsg_end(msg, hdr);
18047 
18048 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18049 				NL80211_MCGRP_MLME, gfp);
18050 	return;
18051 
18052  nla_put_failure:
18053 	nlmsg_free(msg);
18054 }
18055 
18056 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18057 			       struct net_device *netdev, const u8 *addr,
18058 			       gfp_t gfp)
18059 {
18060 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18061 				  addr, gfp);
18062 }
18063 
18064 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18065 				struct net_device *netdev, const u8 *addr,
18066 				gfp_t gfp)
18067 {
18068 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18069 				  addr, gfp);
18070 }
18071 
18072 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18073 				 struct net_device *netdev,
18074 				 struct cfg80211_connect_resp_params *cr,
18075 				 gfp_t gfp)
18076 {
18077 	struct sk_buff *msg;
18078 	void *hdr;
18079 	unsigned int link;
18080 	size_t link_info_size = 0;
18081 	const u8 *connected_addr = cr->valid_links ?
18082 				   cr->ap_mld_addr : cr->links[0].bssid;
18083 
18084 	if (cr->valid_links) {
18085 		for_each_valid_link(cr, link) {
18086 			/* Nested attribute header */
18087 			link_info_size += NLA_HDRLEN;
18088 			/* Link ID */
18089 			link_info_size += nla_total_size(sizeof(u8));
18090 			link_info_size += cr->links[link].addr ?
18091 					  nla_total_size(ETH_ALEN) : 0;
18092 			link_info_size += (cr->links[link].bssid ||
18093 					   cr->links[link].bss) ?
18094 					  nla_total_size(ETH_ALEN) : 0;
18095 			link_info_size += nla_total_size(sizeof(u16));
18096 		}
18097 	}
18098 
18099 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18100 			cr->fils.kek_len + cr->fils.pmk_len +
18101 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18102 			gfp);
18103 	if (!msg)
18104 		return;
18105 
18106 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18107 	if (!hdr) {
18108 		nlmsg_free(msg);
18109 		return;
18110 	}
18111 
18112 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18113 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18114 	    (connected_addr &&
18115 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18116 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18117 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18118 			cr->status) ||
18119 	    (cr->status < 0 &&
18120 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18121 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18122 			  cr->timeout_reason))) ||
18123 	    (cr->req_ie &&
18124 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18125 	    (cr->resp_ie &&
18126 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18127 		     cr->resp_ie)) ||
18128 	    (cr->fils.update_erp_next_seq_num &&
18129 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18130 			 cr->fils.erp_next_seq_num)) ||
18131 	    (cr->status == WLAN_STATUS_SUCCESS &&
18132 	     ((cr->fils.kek &&
18133 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18134 		       cr->fils.kek)) ||
18135 	      (cr->fils.pmk &&
18136 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18137 	      (cr->fils.pmkid &&
18138 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18139 		goto nla_put_failure;
18140 
18141 	if (cr->valid_links) {
18142 		int i = 1;
18143 		struct nlattr *nested;
18144 
18145 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18146 		if (!nested)
18147 			goto nla_put_failure;
18148 
18149 		for_each_valid_link(cr, link) {
18150 			struct nlattr *nested_mlo_links;
18151 			const u8 *bssid = cr->links[link].bss ?
18152 					  cr->links[link].bss->bssid :
18153 					  cr->links[link].bssid;
18154 
18155 			nested_mlo_links = nla_nest_start(msg, i);
18156 			if (!nested_mlo_links)
18157 				goto nla_put_failure;
18158 
18159 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18160 			    (bssid &&
18161 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18162 			    (cr->links[link].addr &&
18163 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18164 				     cr->links[link].addr)) ||
18165 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18166 					cr->links[link].status))
18167 				goto nla_put_failure;
18168 
18169 			nla_nest_end(msg, nested_mlo_links);
18170 			i++;
18171 		}
18172 		nla_nest_end(msg, nested);
18173 	}
18174 
18175 	genlmsg_end(msg, hdr);
18176 
18177 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18178 				NL80211_MCGRP_MLME, gfp);
18179 	return;
18180 
18181  nla_put_failure:
18182 	nlmsg_free(msg);
18183 }
18184 
18185 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18186 			 struct net_device *netdev,
18187 			 struct cfg80211_roam_info *info, gfp_t gfp)
18188 {
18189 	struct sk_buff *msg;
18190 	void *hdr;
18191 	size_t link_info_size = 0;
18192 	unsigned int link;
18193 	const u8 *connected_addr = info->ap_mld_addr ?
18194 				   info->ap_mld_addr :
18195 				   (info->links[0].bss ?
18196 				    info->links[0].bss->bssid :
18197 				    info->links[0].bssid);
18198 
18199 	if (info->valid_links) {
18200 		for_each_valid_link(info, link) {
18201 			/* Nested attribute header */
18202 			link_info_size += NLA_HDRLEN;
18203 			/* Link ID */
18204 			link_info_size += nla_total_size(sizeof(u8));
18205 			link_info_size += info->links[link].addr ?
18206 					  nla_total_size(ETH_ALEN) : 0;
18207 			link_info_size += (info->links[link].bssid ||
18208 					   info->links[link].bss) ?
18209 					  nla_total_size(ETH_ALEN) : 0;
18210 		}
18211 	}
18212 
18213 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18214 			info->fils.kek_len + info->fils.pmk_len +
18215 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18216 			link_info_size, gfp);
18217 	if (!msg)
18218 		return;
18219 
18220 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18221 	if (!hdr) {
18222 		nlmsg_free(msg);
18223 		return;
18224 	}
18225 
18226 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18227 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18228 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18229 	    (info->req_ie &&
18230 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18231 		     info->req_ie)) ||
18232 	    (info->resp_ie &&
18233 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18234 		     info->resp_ie)) ||
18235 	    (info->fils.update_erp_next_seq_num &&
18236 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18237 			 info->fils.erp_next_seq_num)) ||
18238 	    (info->fils.kek &&
18239 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18240 		     info->fils.kek)) ||
18241 	    (info->fils.pmk &&
18242 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18243 	    (info->fils.pmkid &&
18244 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18245 		goto nla_put_failure;
18246 
18247 	if (info->valid_links) {
18248 		int i = 1;
18249 		struct nlattr *nested;
18250 
18251 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18252 		if (!nested)
18253 			goto nla_put_failure;
18254 
18255 		for_each_valid_link(info, link) {
18256 			struct nlattr *nested_mlo_links;
18257 			const u8 *bssid = info->links[link].bss ?
18258 					  info->links[link].bss->bssid :
18259 					  info->links[link].bssid;
18260 
18261 			nested_mlo_links = nla_nest_start(msg, i);
18262 			if (!nested_mlo_links)
18263 				goto nla_put_failure;
18264 
18265 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18266 			    (bssid &&
18267 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18268 			    (info->links[link].addr &&
18269 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18270 				     info->links[link].addr)))
18271 				goto nla_put_failure;
18272 
18273 			nla_nest_end(msg, nested_mlo_links);
18274 			i++;
18275 		}
18276 		nla_nest_end(msg, nested);
18277 	}
18278 
18279 	genlmsg_end(msg, hdr);
18280 
18281 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18282 				NL80211_MCGRP_MLME, gfp);
18283 	return;
18284 
18285  nla_put_failure:
18286 	nlmsg_free(msg);
18287 }
18288 
18289 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18290 				  struct net_device *netdev, const u8 *bssid,
18291 				  const u8 *td_bitmap, u8 td_bitmap_len)
18292 {
18293 	struct sk_buff *msg;
18294 	void *hdr;
18295 
18296 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18297 	if (!msg)
18298 		return;
18299 
18300 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18301 	if (!hdr) {
18302 		nlmsg_free(msg);
18303 		return;
18304 	}
18305 
18306 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18307 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18308 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18309 		goto nla_put_failure;
18310 
18311 	if ((td_bitmap_len > 0) && td_bitmap)
18312 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18313 			    td_bitmap_len, td_bitmap))
18314 			goto nla_put_failure;
18315 
18316 	genlmsg_end(msg, hdr);
18317 
18318 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18319 				NL80211_MCGRP_MLME, GFP_KERNEL);
18320 	return;
18321 
18322  nla_put_failure:
18323 	nlmsg_free(msg);
18324 }
18325 
18326 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18327 			       struct net_device *netdev, u16 reason,
18328 			       const u8 *ie, size_t ie_len, bool from_ap)
18329 {
18330 	struct sk_buff *msg;
18331 	void *hdr;
18332 
18333 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18334 	if (!msg)
18335 		return;
18336 
18337 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18338 	if (!hdr) {
18339 		nlmsg_free(msg);
18340 		return;
18341 	}
18342 
18343 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18344 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18345 	    (reason &&
18346 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18347 	    (from_ap &&
18348 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18349 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18350 		goto nla_put_failure;
18351 
18352 	genlmsg_end(msg, hdr);
18353 
18354 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18355 				NL80211_MCGRP_MLME, GFP_KERNEL);
18356 	return;
18357 
18358  nla_put_failure:
18359 	nlmsg_free(msg);
18360 }
18361 
18362 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18363 {
18364 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18365 	struct wiphy *wiphy = wdev->wiphy;
18366 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18367 	struct sk_buff *msg;
18368 	struct nlattr *links;
18369 	void *hdr;
18370 
18371 	ASSERT_WDEV_LOCK(wdev);
18372 	trace_cfg80211_links_removed(dev, link_mask);
18373 
18374 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18375 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18376 		return;
18377 
18378 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18379 		    (wdev->valid_links & link_mask) != link_mask ||
18380 		    wdev->valid_links == link_mask))
18381 		return;
18382 
18383 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18384 	wdev->valid_links &= ~link_mask;
18385 
18386 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18387 	if (!msg)
18388 		return;
18389 
18390 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18391 	if (!hdr) {
18392 		nlmsg_free(msg);
18393 		return;
18394 	}
18395 
18396 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18397 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18398 		goto nla_put_failure;
18399 
18400 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18401 	if (!links)
18402 		goto nla_put_failure;
18403 
18404 	while (link_mask) {
18405 		struct nlattr *link;
18406 		int link_id = __ffs(link_mask);
18407 
18408 		link = nla_nest_start(msg, link_id + 1);
18409 		if (!link)
18410 			goto nla_put_failure;
18411 
18412 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18413 			goto nla_put_failure;
18414 
18415 		nla_nest_end(msg, link);
18416 		link_mask &= ~(1 << link_id);
18417 	}
18418 
18419 	nla_nest_end(msg, links);
18420 
18421 	genlmsg_end(msg, hdr);
18422 
18423 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18424 				NL80211_MCGRP_MLME, GFP_KERNEL);
18425 	return;
18426 
18427  nla_put_failure:
18428 	nlmsg_free(msg);
18429 }
18430 EXPORT_SYMBOL(cfg80211_links_removed);
18431 
18432 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18433 			     struct net_device *netdev, const u8 *bssid,
18434 			     gfp_t gfp)
18435 {
18436 	struct sk_buff *msg;
18437 	void *hdr;
18438 
18439 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18440 	if (!msg)
18441 		return;
18442 
18443 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18444 	if (!hdr) {
18445 		nlmsg_free(msg);
18446 		return;
18447 	}
18448 
18449 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18450 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18451 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18452 		goto nla_put_failure;
18453 
18454 	genlmsg_end(msg, hdr);
18455 
18456 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18457 				NL80211_MCGRP_MLME, gfp);
18458 	return;
18459 
18460  nla_put_failure:
18461 	nlmsg_free(msg);
18462 }
18463 
18464 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18465 					const u8 *ie, u8 ie_len,
18466 					int sig_dbm, gfp_t gfp)
18467 {
18468 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18470 	struct sk_buff *msg;
18471 	void *hdr;
18472 
18473 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18474 		return;
18475 
18476 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18477 
18478 	msg = nlmsg_new(100 + ie_len, gfp);
18479 	if (!msg)
18480 		return;
18481 
18482 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18483 	if (!hdr) {
18484 		nlmsg_free(msg);
18485 		return;
18486 	}
18487 
18488 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18489 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18490 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18491 	    (ie_len && ie &&
18492 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18493 	    (sig_dbm &&
18494 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18495 		goto nla_put_failure;
18496 
18497 	genlmsg_end(msg, hdr);
18498 
18499 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18500 				NL80211_MCGRP_MLME, gfp);
18501 	return;
18502 
18503  nla_put_failure:
18504 	nlmsg_free(msg);
18505 }
18506 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18507 
18508 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18509 				 struct net_device *netdev, const u8 *addr,
18510 				 enum nl80211_key_type key_type, int key_id,
18511 				 const u8 *tsc, gfp_t gfp)
18512 {
18513 	struct sk_buff *msg;
18514 	void *hdr;
18515 
18516 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18517 	if (!msg)
18518 		return;
18519 
18520 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18521 	if (!hdr) {
18522 		nlmsg_free(msg);
18523 		return;
18524 	}
18525 
18526 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18527 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18528 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18529 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18530 	    (key_id != -1 &&
18531 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18532 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18533 		goto nla_put_failure;
18534 
18535 	genlmsg_end(msg, hdr);
18536 
18537 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18538 				NL80211_MCGRP_MLME, gfp);
18539 	return;
18540 
18541  nla_put_failure:
18542 	nlmsg_free(msg);
18543 }
18544 
18545 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18546 				    struct ieee80211_channel *channel_before,
18547 				    struct ieee80211_channel *channel_after)
18548 {
18549 	struct sk_buff *msg;
18550 	void *hdr;
18551 	struct nlattr *nl_freq;
18552 
18553 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18554 	if (!msg)
18555 		return;
18556 
18557 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18558 	if (!hdr) {
18559 		nlmsg_free(msg);
18560 		return;
18561 	}
18562 
18563 	/*
18564 	 * Since we are applying the beacon hint to a wiphy we know its
18565 	 * wiphy_idx is valid
18566 	 */
18567 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18568 		goto nla_put_failure;
18569 
18570 	/* Before */
18571 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18572 	if (!nl_freq)
18573 		goto nla_put_failure;
18574 
18575 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18576 		goto nla_put_failure;
18577 	nla_nest_end(msg, nl_freq);
18578 
18579 	/* After */
18580 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18581 	if (!nl_freq)
18582 		goto nla_put_failure;
18583 
18584 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18585 		goto nla_put_failure;
18586 	nla_nest_end(msg, nl_freq);
18587 
18588 	genlmsg_end(msg, hdr);
18589 
18590 	rcu_read_lock();
18591 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18592 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18593 	rcu_read_unlock();
18594 
18595 	return;
18596 
18597 nla_put_failure:
18598 	nlmsg_free(msg);
18599 }
18600 
18601 static void nl80211_send_remain_on_chan_event(
18602 	int cmd, struct cfg80211_registered_device *rdev,
18603 	struct wireless_dev *wdev, u64 cookie,
18604 	struct ieee80211_channel *chan,
18605 	unsigned int duration, gfp_t gfp)
18606 {
18607 	struct sk_buff *msg;
18608 	void *hdr;
18609 
18610 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18611 	if (!msg)
18612 		return;
18613 
18614 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18615 	if (!hdr) {
18616 		nlmsg_free(msg);
18617 		return;
18618 	}
18619 
18620 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18621 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18622 					 wdev->netdev->ifindex)) ||
18623 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18624 			      NL80211_ATTR_PAD) ||
18625 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18626 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18627 			NL80211_CHAN_NO_HT) ||
18628 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18629 			      NL80211_ATTR_PAD))
18630 		goto nla_put_failure;
18631 
18632 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18633 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18634 		goto nla_put_failure;
18635 
18636 	genlmsg_end(msg, hdr);
18637 
18638 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18639 				NL80211_MCGRP_MLME, gfp);
18640 	return;
18641 
18642  nla_put_failure:
18643 	nlmsg_free(msg);
18644 }
18645 
18646 void cfg80211_assoc_comeback(struct net_device *netdev,
18647 			     const u8 *ap_addr, u32 timeout)
18648 {
18649 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18650 	struct wiphy *wiphy = wdev->wiphy;
18651 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18652 	struct sk_buff *msg;
18653 	void *hdr;
18654 
18655 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18656 
18657 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18658 	if (!msg)
18659 		return;
18660 
18661 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18662 	if (!hdr) {
18663 		nlmsg_free(msg);
18664 		return;
18665 	}
18666 
18667 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18668 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18669 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18670 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18671 		goto nla_put_failure;
18672 
18673 	genlmsg_end(msg, hdr);
18674 
18675 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18676 				NL80211_MCGRP_MLME, GFP_KERNEL);
18677 	return;
18678 
18679  nla_put_failure:
18680 	nlmsg_free(msg);
18681 }
18682 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18683 
18684 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18685 			       struct ieee80211_channel *chan,
18686 			       unsigned int duration, gfp_t gfp)
18687 {
18688 	struct wiphy *wiphy = wdev->wiphy;
18689 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18690 
18691 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18692 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18693 					  rdev, wdev, cookie, chan,
18694 					  duration, gfp);
18695 }
18696 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18697 
18698 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18699 					struct ieee80211_channel *chan,
18700 					gfp_t gfp)
18701 {
18702 	struct wiphy *wiphy = wdev->wiphy;
18703 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18704 
18705 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18706 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18707 					  rdev, wdev, cookie, chan, 0, gfp);
18708 }
18709 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18710 
18711 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18712 					struct ieee80211_channel *chan,
18713 					gfp_t gfp)
18714 {
18715 	struct wiphy *wiphy = wdev->wiphy;
18716 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18717 
18718 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18719 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18720 					  rdev, wdev, cookie, chan, 0, gfp);
18721 }
18722 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18723 
18724 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18725 		      struct station_info *sinfo, gfp_t gfp)
18726 {
18727 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18728 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18729 	struct sk_buff *msg;
18730 
18731 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18732 
18733 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18734 	if (!msg)
18735 		return;
18736 
18737 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18738 				 rdev, dev, mac_addr, sinfo) < 0) {
18739 		nlmsg_free(msg);
18740 		return;
18741 	}
18742 
18743 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18744 				NL80211_MCGRP_MLME, gfp);
18745 }
18746 EXPORT_SYMBOL(cfg80211_new_sta);
18747 
18748 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18749 			    struct station_info *sinfo, gfp_t gfp)
18750 {
18751 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18752 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18753 	struct sk_buff *msg;
18754 	struct station_info empty_sinfo = {};
18755 
18756 	if (!sinfo)
18757 		sinfo = &empty_sinfo;
18758 
18759 	trace_cfg80211_del_sta(dev, mac_addr);
18760 
18761 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18762 	if (!msg) {
18763 		cfg80211_sinfo_release_content(sinfo);
18764 		return;
18765 	}
18766 
18767 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18768 				 rdev, dev, mac_addr, sinfo) < 0) {
18769 		nlmsg_free(msg);
18770 		return;
18771 	}
18772 
18773 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18774 				NL80211_MCGRP_MLME, gfp);
18775 }
18776 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18777 
18778 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18779 			  enum nl80211_connect_failed_reason reason,
18780 			  gfp_t gfp)
18781 {
18782 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18783 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18784 	struct sk_buff *msg;
18785 	void *hdr;
18786 
18787 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18788 	if (!msg)
18789 		return;
18790 
18791 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18792 	if (!hdr) {
18793 		nlmsg_free(msg);
18794 		return;
18795 	}
18796 
18797 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18798 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18799 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18800 		goto nla_put_failure;
18801 
18802 	genlmsg_end(msg, hdr);
18803 
18804 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18805 				NL80211_MCGRP_MLME, gfp);
18806 	return;
18807 
18808  nla_put_failure:
18809 	nlmsg_free(msg);
18810 }
18811 EXPORT_SYMBOL(cfg80211_conn_failed);
18812 
18813 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18814 				       const u8 *addr, gfp_t gfp)
18815 {
18816 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18817 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18818 	struct sk_buff *msg;
18819 	void *hdr;
18820 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18821 
18822 	if (!nlportid)
18823 		return false;
18824 
18825 	msg = nlmsg_new(100, gfp);
18826 	if (!msg)
18827 		return true;
18828 
18829 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18830 	if (!hdr) {
18831 		nlmsg_free(msg);
18832 		return true;
18833 	}
18834 
18835 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18836 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18837 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18838 		goto nla_put_failure;
18839 
18840 	genlmsg_end(msg, hdr);
18841 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18842 	return true;
18843 
18844  nla_put_failure:
18845 	nlmsg_free(msg);
18846 	return true;
18847 }
18848 
18849 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18850 				const u8 *addr, gfp_t gfp)
18851 {
18852 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18853 	bool ret;
18854 
18855 	trace_cfg80211_rx_spurious_frame(dev, addr);
18856 
18857 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18858 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18859 		trace_cfg80211_return_bool(false);
18860 		return false;
18861 	}
18862 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18863 					 addr, gfp);
18864 	trace_cfg80211_return_bool(ret);
18865 	return ret;
18866 }
18867 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18868 
18869 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18870 					const u8 *addr, gfp_t gfp)
18871 {
18872 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18873 	bool ret;
18874 
18875 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18876 
18877 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18878 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18879 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18880 		trace_cfg80211_return_bool(false);
18881 		return false;
18882 	}
18883 	ret = __nl80211_unexpected_frame(dev,
18884 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18885 					 addr, gfp);
18886 	trace_cfg80211_return_bool(ret);
18887 	return ret;
18888 }
18889 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18890 
18891 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18892 		      struct wireless_dev *wdev, u32 nlportid,
18893 		      struct cfg80211_rx_info *info, gfp_t gfp)
18894 {
18895 	struct net_device *netdev = wdev->netdev;
18896 	struct sk_buff *msg;
18897 	void *hdr;
18898 
18899 	msg = nlmsg_new(100 + info->len, gfp);
18900 	if (!msg)
18901 		return -ENOMEM;
18902 
18903 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18904 	if (!hdr) {
18905 		nlmsg_free(msg);
18906 		return -ENOMEM;
18907 	}
18908 
18909 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18910 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18911 					netdev->ifindex)) ||
18912 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18913 			      NL80211_ATTR_PAD) ||
18914 	    (info->have_link_id &&
18915 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18916 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18917 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18918 	    (info->sig_dbm &&
18919 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18920 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18921 	    (info->flags &&
18922 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18923 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18924 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18925 						  info->rx_tstamp,
18926 						  NL80211_ATTR_PAD)) ||
18927 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18928 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18929 						   info->ack_tstamp,
18930 						   NL80211_ATTR_PAD)))
18931 		goto nla_put_failure;
18932 
18933 	genlmsg_end(msg, hdr);
18934 
18935 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18936 
18937  nla_put_failure:
18938 	nlmsg_free(msg);
18939 	return -ENOBUFS;
18940 }
18941 
18942 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18943 				    struct cfg80211_tx_status *status,
18944 				    gfp_t gfp, enum nl80211_commands command)
18945 {
18946 	struct wiphy *wiphy = wdev->wiphy;
18947 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18948 	struct net_device *netdev = wdev->netdev;
18949 	struct sk_buff *msg;
18950 	void *hdr;
18951 
18952 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18953 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18954 					      status->ack);
18955 	else
18956 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18957 						      status->ack);
18958 
18959 	msg = nlmsg_new(100 + status->len, gfp);
18960 	if (!msg)
18961 		return;
18962 
18963 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18964 	if (!hdr) {
18965 		nlmsg_free(msg);
18966 		return;
18967 	}
18968 
18969 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18970 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18971 				   netdev->ifindex)) ||
18972 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18973 			      NL80211_ATTR_PAD) ||
18974 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18975 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18976 			      NL80211_ATTR_PAD) ||
18977 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18978 	    (status->tx_tstamp &&
18979 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18980 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18981 	    (status->ack_tstamp &&
18982 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18983 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18984 		goto nla_put_failure;
18985 
18986 	genlmsg_end(msg, hdr);
18987 
18988 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18989 				NL80211_MCGRP_MLME, gfp);
18990 	return;
18991 
18992 nla_put_failure:
18993 	nlmsg_free(msg);
18994 }
18995 
18996 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18997 				     const u8 *buf, size_t len, bool ack,
18998 				     gfp_t gfp)
18999 {
19000 	struct cfg80211_tx_status status = {
19001 		.cookie = cookie,
19002 		.buf = buf,
19003 		.len = len,
19004 		.ack = ack
19005 	};
19006 
19007 	nl80211_frame_tx_status(wdev, &status, gfp,
19008 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19009 }
19010 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19011 
19012 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19013 				 struct cfg80211_tx_status *status, gfp_t gfp)
19014 {
19015 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19016 }
19017 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19018 
19019 static int __nl80211_rx_control_port(struct net_device *dev,
19020 				     struct sk_buff *skb,
19021 				     bool unencrypted,
19022 				     int link_id,
19023 				     gfp_t gfp)
19024 {
19025 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19026 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19027 	struct ethhdr *ehdr = eth_hdr(skb);
19028 	const u8 *addr = ehdr->h_source;
19029 	u16 proto = be16_to_cpu(skb->protocol);
19030 	struct sk_buff *msg;
19031 	void *hdr;
19032 	struct nlattr *frame;
19033 
19034 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19035 
19036 	if (!nlportid)
19037 		return -ENOENT;
19038 
19039 	msg = nlmsg_new(100 + skb->len, gfp);
19040 	if (!msg)
19041 		return -ENOMEM;
19042 
19043 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19044 	if (!hdr) {
19045 		nlmsg_free(msg);
19046 		return -ENOBUFS;
19047 	}
19048 
19049 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19050 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19051 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19052 			      NL80211_ATTR_PAD) ||
19053 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19054 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19055 	    (link_id >= 0 &&
19056 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19057 	    (unencrypted && nla_put_flag(msg,
19058 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19059 		goto nla_put_failure;
19060 
19061 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19062 	if (!frame)
19063 		goto nla_put_failure;
19064 
19065 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19066 	genlmsg_end(msg, hdr);
19067 
19068 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19069 
19070  nla_put_failure:
19071 	nlmsg_free(msg);
19072 	return -ENOBUFS;
19073 }
19074 
19075 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19076 			      bool unencrypted, int link_id)
19077 {
19078 	int ret;
19079 
19080 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19081 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19082 					GFP_ATOMIC);
19083 	trace_cfg80211_return_bool(ret == 0);
19084 	return ret == 0;
19085 }
19086 EXPORT_SYMBOL(cfg80211_rx_control_port);
19087 
19088 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19089 					    const char *mac, gfp_t gfp)
19090 {
19091 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19092 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19093 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19094 	void **cb;
19095 
19096 	if (!msg)
19097 		return NULL;
19098 
19099 	cb = (void **)msg->cb;
19100 
19101 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19102 	if (!cb[0]) {
19103 		nlmsg_free(msg);
19104 		return NULL;
19105 	}
19106 
19107 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19108 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19109 		goto nla_put_failure;
19110 
19111 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19112 		goto nla_put_failure;
19113 
19114 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19115 	if (!cb[1])
19116 		goto nla_put_failure;
19117 
19118 	cb[2] = rdev;
19119 
19120 	return msg;
19121  nla_put_failure:
19122 	nlmsg_free(msg);
19123 	return NULL;
19124 }
19125 
19126 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19127 {
19128 	void **cb = (void **)msg->cb;
19129 	struct cfg80211_registered_device *rdev = cb[2];
19130 
19131 	nla_nest_end(msg, cb[1]);
19132 	genlmsg_end(msg, cb[0]);
19133 
19134 	memset(msg->cb, 0, sizeof(msg->cb));
19135 
19136 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19137 				NL80211_MCGRP_MLME, gfp);
19138 }
19139 
19140 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19141 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19142 			      s32 rssi_level, gfp_t gfp)
19143 {
19144 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19145 	struct cfg80211_cqm_config *cqm_config;
19146 
19147 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19148 
19149 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19150 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19151 		return;
19152 
19153 	rcu_read_lock();
19154 	cqm_config = rcu_dereference(wdev->cqm_config);
19155 	if (cqm_config) {
19156 		cqm_config->last_rssi_event_value = rssi_level;
19157 		cqm_config->last_rssi_event_type = rssi_event;
19158 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19159 	}
19160 	rcu_read_unlock();
19161 }
19162 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19163 
19164 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19165 {
19166 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19167 						 cqm_rssi_work);
19168 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19169 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19170 	struct cfg80211_cqm_config *cqm_config;
19171 	struct sk_buff *msg;
19172 	s32 rssi_level;
19173 
19174 	wdev_lock(wdev);
19175 	cqm_config = rcu_dereference_protected(wdev->cqm_config,
19176 					       lockdep_is_held(&wdev->mtx));
19177 	if (!cqm_config)
19178 		goto unlock;
19179 
19180 	if (cqm_config->use_range_api)
19181 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19182 
19183 	rssi_level = cqm_config->last_rssi_event_value;
19184 	rssi_event = cqm_config->last_rssi_event_type;
19185 
19186 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19187 	if (!msg)
19188 		goto unlock;
19189 
19190 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19191 			rssi_event))
19192 		goto nla_put_failure;
19193 
19194 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19195 				      rssi_level))
19196 		goto nla_put_failure;
19197 
19198 	cfg80211_send_cqm(msg, GFP_KERNEL);
19199 
19200 	goto unlock;
19201 
19202  nla_put_failure:
19203 	nlmsg_free(msg);
19204  unlock:
19205 	wdev_unlock(wdev);
19206 }
19207 
19208 void cfg80211_cqm_txe_notify(struct net_device *dev,
19209 			     const u8 *peer, u32 num_packets,
19210 			     u32 rate, u32 intvl, gfp_t gfp)
19211 {
19212 	struct sk_buff *msg;
19213 
19214 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19215 	if (!msg)
19216 		return;
19217 
19218 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19219 		goto nla_put_failure;
19220 
19221 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19222 		goto nla_put_failure;
19223 
19224 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19225 		goto nla_put_failure;
19226 
19227 	cfg80211_send_cqm(msg, gfp);
19228 	return;
19229 
19230  nla_put_failure:
19231 	nlmsg_free(msg);
19232 }
19233 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19234 
19235 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19236 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19237 {
19238 	struct sk_buff *msg;
19239 
19240 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19241 
19242 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19243 	if (!msg)
19244 		return;
19245 
19246 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19247 		goto nla_put_failure;
19248 
19249 	cfg80211_send_cqm(msg, gfp);
19250 	return;
19251 
19252  nla_put_failure:
19253 	nlmsg_free(msg);
19254 }
19255 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19256 
19257 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19258 {
19259 	struct sk_buff *msg;
19260 
19261 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19262 	if (!msg)
19263 		return;
19264 
19265 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19266 		goto nla_put_failure;
19267 
19268 	cfg80211_send_cqm(msg, gfp);
19269 	return;
19270 
19271  nla_put_failure:
19272 	nlmsg_free(msg);
19273 }
19274 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19275 
19276 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19277 				     struct net_device *netdev, const u8 *bssid,
19278 				     const u8 *replay_ctr, gfp_t gfp)
19279 {
19280 	struct sk_buff *msg;
19281 	struct nlattr *rekey_attr;
19282 	void *hdr;
19283 
19284 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19285 	if (!msg)
19286 		return;
19287 
19288 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19289 	if (!hdr) {
19290 		nlmsg_free(msg);
19291 		return;
19292 	}
19293 
19294 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19295 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19296 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19297 		goto nla_put_failure;
19298 
19299 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19300 	if (!rekey_attr)
19301 		goto nla_put_failure;
19302 
19303 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19304 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19305 		goto nla_put_failure;
19306 
19307 	nla_nest_end(msg, rekey_attr);
19308 
19309 	genlmsg_end(msg, hdr);
19310 
19311 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19312 				NL80211_MCGRP_MLME, gfp);
19313 	return;
19314 
19315  nla_put_failure:
19316 	nlmsg_free(msg);
19317 }
19318 
19319 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19320 			       const u8 *replay_ctr, gfp_t gfp)
19321 {
19322 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19323 	struct wiphy *wiphy = wdev->wiphy;
19324 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19325 
19326 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19327 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19328 }
19329 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19330 
19331 static void
19332 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19333 			       struct net_device *netdev, int index,
19334 			       const u8 *bssid, bool preauth, gfp_t gfp)
19335 {
19336 	struct sk_buff *msg;
19337 	struct nlattr *attr;
19338 	void *hdr;
19339 
19340 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19341 	if (!msg)
19342 		return;
19343 
19344 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19345 	if (!hdr) {
19346 		nlmsg_free(msg);
19347 		return;
19348 	}
19349 
19350 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19351 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19352 		goto nla_put_failure;
19353 
19354 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19355 	if (!attr)
19356 		goto nla_put_failure;
19357 
19358 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19359 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19360 	    (preauth &&
19361 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19362 		goto nla_put_failure;
19363 
19364 	nla_nest_end(msg, attr);
19365 
19366 	genlmsg_end(msg, hdr);
19367 
19368 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19369 				NL80211_MCGRP_MLME, gfp);
19370 	return;
19371 
19372  nla_put_failure:
19373 	nlmsg_free(msg);
19374 }
19375 
19376 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19377 				     const u8 *bssid, bool preauth, gfp_t gfp)
19378 {
19379 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19380 	struct wiphy *wiphy = wdev->wiphy;
19381 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19382 
19383 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19384 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19385 }
19386 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19387 
19388 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19389 				     struct net_device *netdev,
19390 				     unsigned int link_id,
19391 				     struct cfg80211_chan_def *chandef,
19392 				     gfp_t gfp,
19393 				     enum nl80211_commands notif,
19394 				     u8 count, bool quiet, u16 punct_bitmap)
19395 {
19396 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19397 	struct sk_buff *msg;
19398 	void *hdr;
19399 
19400 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19401 	if (!msg)
19402 		return;
19403 
19404 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19405 	if (!hdr) {
19406 		nlmsg_free(msg);
19407 		return;
19408 	}
19409 
19410 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19411 		goto nla_put_failure;
19412 
19413 	if (wdev->valid_links &&
19414 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19415 		goto nla_put_failure;
19416 
19417 	if (nl80211_send_chandef(msg, chandef))
19418 		goto nla_put_failure;
19419 
19420 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19421 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19422 			goto nla_put_failure;
19423 		if (quiet &&
19424 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19425 			goto nla_put_failure;
19426 	}
19427 
19428 	if (nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, punct_bitmap))
19429 		goto nla_put_failure;
19430 
19431 	genlmsg_end(msg, hdr);
19432 
19433 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19434 				NL80211_MCGRP_MLME, gfp);
19435 	return;
19436 
19437  nla_put_failure:
19438 	nlmsg_free(msg);
19439 }
19440 
19441 void cfg80211_ch_switch_notify(struct net_device *dev,
19442 			       struct cfg80211_chan_def *chandef,
19443 			       unsigned int link_id, u16 punct_bitmap)
19444 {
19445 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19446 	struct wiphy *wiphy = wdev->wiphy;
19447 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19448 
19449 	ASSERT_WDEV_LOCK(wdev);
19450 	WARN_INVALID_LINK_ID(wdev, link_id);
19451 
19452 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id, punct_bitmap);
19453 
19454 	switch (wdev->iftype) {
19455 	case NL80211_IFTYPE_STATION:
19456 	case NL80211_IFTYPE_P2P_CLIENT:
19457 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19458 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19459 							chandef->chan);
19460 		break;
19461 	case NL80211_IFTYPE_MESH_POINT:
19462 		wdev->u.mesh.chandef = *chandef;
19463 		wdev->u.mesh.preset_chandef = *chandef;
19464 		break;
19465 	case NL80211_IFTYPE_AP:
19466 	case NL80211_IFTYPE_P2P_GO:
19467 		wdev->links[link_id].ap.chandef = *chandef;
19468 		break;
19469 	case NL80211_IFTYPE_ADHOC:
19470 		wdev->u.ibss.chandef = *chandef;
19471 		break;
19472 	default:
19473 		WARN_ON(1);
19474 		break;
19475 	}
19476 
19477 	cfg80211_sched_dfs_chan_update(rdev);
19478 
19479 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19480 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false,
19481 				 punct_bitmap);
19482 }
19483 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19484 
19485 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19486 				       struct cfg80211_chan_def *chandef,
19487 				       unsigned int link_id, u8 count,
19488 				       bool quiet, u16 punct_bitmap)
19489 {
19490 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19491 	struct wiphy *wiphy = wdev->wiphy;
19492 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19493 
19494 	ASSERT_WDEV_LOCK(wdev);
19495 	WARN_INVALID_LINK_ID(wdev, link_id);
19496 
19497 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id,
19498 						punct_bitmap);
19499 
19500 
19501 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19502 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19503 				 count, quiet, punct_bitmap);
19504 }
19505 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19506 
19507 int cfg80211_bss_color_notify(struct net_device *dev,
19508 			      enum nl80211_commands cmd, u8 count,
19509 			      u64 color_bitmap)
19510 {
19511 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19512 	struct wiphy *wiphy = wdev->wiphy;
19513 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19514 	struct sk_buff *msg;
19515 	void *hdr;
19516 
19517 	ASSERT_WDEV_LOCK(wdev);
19518 
19519 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19520 
19521 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19522 	if (!msg)
19523 		return -ENOMEM;
19524 
19525 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19526 	if (!hdr)
19527 		goto nla_put_failure;
19528 
19529 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19530 		goto nla_put_failure;
19531 
19532 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19533 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19534 		goto nla_put_failure;
19535 
19536 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19537 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19538 			      color_bitmap, NL80211_ATTR_PAD))
19539 		goto nla_put_failure;
19540 
19541 	genlmsg_end(msg, hdr);
19542 
19543 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19544 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19545 
19546 nla_put_failure:
19547 	nlmsg_free(msg);
19548 	return -EINVAL;
19549 }
19550 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19551 
19552 void
19553 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19554 		     const struct cfg80211_chan_def *chandef,
19555 		     enum nl80211_radar_event event,
19556 		     struct net_device *netdev, gfp_t gfp)
19557 {
19558 	struct sk_buff *msg;
19559 	void *hdr;
19560 
19561 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19562 	if (!msg)
19563 		return;
19564 
19565 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19566 	if (!hdr) {
19567 		nlmsg_free(msg);
19568 		return;
19569 	}
19570 
19571 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19572 		goto nla_put_failure;
19573 
19574 	/* NOP and radar events don't need a netdev parameter */
19575 	if (netdev) {
19576 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19577 
19578 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19579 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19580 				      NL80211_ATTR_PAD))
19581 			goto nla_put_failure;
19582 	}
19583 
19584 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19585 		goto nla_put_failure;
19586 
19587 	if (nl80211_send_chandef(msg, chandef))
19588 		goto nla_put_failure;
19589 
19590 	genlmsg_end(msg, hdr);
19591 
19592 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19593 				NL80211_MCGRP_MLME, gfp);
19594 	return;
19595 
19596  nla_put_failure:
19597 	nlmsg_free(msg);
19598 }
19599 
19600 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19601 				       struct sta_opmode_info *sta_opmode,
19602 				       gfp_t gfp)
19603 {
19604 	struct sk_buff *msg;
19605 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19606 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19607 	void *hdr;
19608 
19609 	if (WARN_ON(!mac))
19610 		return;
19611 
19612 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19613 	if (!msg)
19614 		return;
19615 
19616 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19617 	if (!hdr) {
19618 		nlmsg_free(msg);
19619 		return;
19620 	}
19621 
19622 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19623 		goto nla_put_failure;
19624 
19625 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19626 		goto nla_put_failure;
19627 
19628 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19629 		goto nla_put_failure;
19630 
19631 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19632 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19633 		goto nla_put_failure;
19634 
19635 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19636 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19637 		goto nla_put_failure;
19638 
19639 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19640 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19641 		goto nla_put_failure;
19642 
19643 	genlmsg_end(msg, hdr);
19644 
19645 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19646 				NL80211_MCGRP_MLME, gfp);
19647 
19648 	return;
19649 
19650 nla_put_failure:
19651 	nlmsg_free(msg);
19652 }
19653 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19654 
19655 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19656 			   u64 cookie, bool acked, s32 ack_signal,
19657 			   bool is_valid_ack_signal, gfp_t gfp)
19658 {
19659 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19660 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19661 	struct sk_buff *msg;
19662 	void *hdr;
19663 
19664 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19665 
19666 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19667 
19668 	if (!msg)
19669 		return;
19670 
19671 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19672 	if (!hdr) {
19673 		nlmsg_free(msg);
19674 		return;
19675 	}
19676 
19677 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19678 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19679 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19680 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19681 			      NL80211_ATTR_PAD) ||
19682 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19683 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19684 						ack_signal)))
19685 		goto nla_put_failure;
19686 
19687 	genlmsg_end(msg, hdr);
19688 
19689 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19690 				NL80211_MCGRP_MLME, gfp);
19691 	return;
19692 
19693  nla_put_failure:
19694 	nlmsg_free(msg);
19695 }
19696 EXPORT_SYMBOL(cfg80211_probe_status);
19697 
19698 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19699 				     size_t len, int freq, int sig_dbm)
19700 {
19701 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19702 	struct sk_buff *msg;
19703 	void *hdr;
19704 	struct cfg80211_beacon_registration *reg;
19705 
19706 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19707 
19708 	spin_lock_bh(&rdev->beacon_registrations_lock);
19709 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19710 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19711 		if (!msg) {
19712 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19713 			return;
19714 		}
19715 
19716 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19717 		if (!hdr)
19718 			goto nla_put_failure;
19719 
19720 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19721 		    (freq &&
19722 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19723 				  KHZ_TO_MHZ(freq)) ||
19724 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19725 				  freq % 1000))) ||
19726 		    (sig_dbm &&
19727 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19728 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19729 			goto nla_put_failure;
19730 
19731 		genlmsg_end(msg, hdr);
19732 
19733 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19734 	}
19735 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19736 	return;
19737 
19738  nla_put_failure:
19739 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19740 	nlmsg_free(msg);
19741 }
19742 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19743 
19744 #ifdef CONFIG_PM
19745 static int cfg80211_net_detect_results(struct sk_buff *msg,
19746 				       struct cfg80211_wowlan_wakeup *wakeup)
19747 {
19748 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19749 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19750 	int i, j;
19751 
19752 	nl_results = nla_nest_start_noflag(msg,
19753 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19754 	if (!nl_results)
19755 		return -EMSGSIZE;
19756 
19757 	for (i = 0; i < nd->n_matches; i++) {
19758 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19759 
19760 		nl_match = nla_nest_start_noflag(msg, i);
19761 		if (!nl_match)
19762 			break;
19763 
19764 		/* The SSID attribute is optional in nl80211, but for
19765 		 * simplicity reasons it's always present in the
19766 		 * cfg80211 structure.  If a driver can't pass the
19767 		 * SSID, that needs to be changed.  A zero length SSID
19768 		 * is still a valid SSID (wildcard), so it cannot be
19769 		 * used for this purpose.
19770 		 */
19771 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19772 			    match->ssid.ssid)) {
19773 			nla_nest_cancel(msg, nl_match);
19774 			goto out;
19775 		}
19776 
19777 		if (match->n_channels) {
19778 			nl_freqs = nla_nest_start_noflag(msg,
19779 							 NL80211_ATTR_SCAN_FREQUENCIES);
19780 			if (!nl_freqs) {
19781 				nla_nest_cancel(msg, nl_match);
19782 				goto out;
19783 			}
19784 
19785 			for (j = 0; j < match->n_channels; j++) {
19786 				if (nla_put_u32(msg, j, match->channels[j])) {
19787 					nla_nest_cancel(msg, nl_freqs);
19788 					nla_nest_cancel(msg, nl_match);
19789 					goto out;
19790 				}
19791 			}
19792 
19793 			nla_nest_end(msg, nl_freqs);
19794 		}
19795 
19796 		nla_nest_end(msg, nl_match);
19797 	}
19798 
19799 out:
19800 	nla_nest_end(msg, nl_results);
19801 	return 0;
19802 }
19803 
19804 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19805 				   struct cfg80211_wowlan_wakeup *wakeup,
19806 				   gfp_t gfp)
19807 {
19808 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19809 	struct sk_buff *msg;
19810 	void *hdr;
19811 	int size = 200;
19812 
19813 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19814 
19815 	if (wakeup)
19816 		size += wakeup->packet_present_len;
19817 
19818 	msg = nlmsg_new(size, gfp);
19819 	if (!msg)
19820 		return;
19821 
19822 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19823 	if (!hdr)
19824 		goto free_msg;
19825 
19826 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19827 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19828 			      NL80211_ATTR_PAD))
19829 		goto free_msg;
19830 
19831 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19832 					wdev->netdev->ifindex))
19833 		goto free_msg;
19834 
19835 	if (wakeup) {
19836 		struct nlattr *reasons;
19837 
19838 		reasons = nla_nest_start_noflag(msg,
19839 						NL80211_ATTR_WOWLAN_TRIGGERS);
19840 		if (!reasons)
19841 			goto free_msg;
19842 
19843 		if (wakeup->disconnect &&
19844 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19845 			goto free_msg;
19846 		if (wakeup->magic_pkt &&
19847 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19848 			goto free_msg;
19849 		if (wakeup->gtk_rekey_failure &&
19850 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19851 			goto free_msg;
19852 		if (wakeup->eap_identity_req &&
19853 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19854 			goto free_msg;
19855 		if (wakeup->four_way_handshake &&
19856 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19857 			goto free_msg;
19858 		if (wakeup->rfkill_release &&
19859 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19860 			goto free_msg;
19861 
19862 		if (wakeup->pattern_idx >= 0 &&
19863 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19864 				wakeup->pattern_idx))
19865 			goto free_msg;
19866 
19867 		if (wakeup->tcp_match &&
19868 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19869 			goto free_msg;
19870 
19871 		if (wakeup->tcp_connlost &&
19872 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19873 			goto free_msg;
19874 
19875 		if (wakeup->tcp_nomoretokens &&
19876 		    nla_put_flag(msg,
19877 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19878 			goto free_msg;
19879 
19880 		if (wakeup->packet) {
19881 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19882 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19883 
19884 			if (!wakeup->packet_80211) {
19885 				pkt_attr =
19886 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19887 				len_attr =
19888 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19889 			}
19890 
19891 			if (wakeup->packet_len &&
19892 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19893 				goto free_msg;
19894 
19895 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19896 				    wakeup->packet))
19897 				goto free_msg;
19898 		}
19899 
19900 		if (wakeup->net_detect &&
19901 		    cfg80211_net_detect_results(msg, wakeup))
19902 				goto free_msg;
19903 
19904 		nla_nest_end(msg, reasons);
19905 	}
19906 
19907 	genlmsg_end(msg, hdr);
19908 
19909 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19910 				NL80211_MCGRP_MLME, gfp);
19911 	return;
19912 
19913  free_msg:
19914 	nlmsg_free(msg);
19915 }
19916 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19917 #endif
19918 
19919 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19920 				enum nl80211_tdls_operation oper,
19921 				u16 reason_code, gfp_t gfp)
19922 {
19923 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19924 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19925 	struct sk_buff *msg;
19926 	void *hdr;
19927 
19928 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19929 					 reason_code);
19930 
19931 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19932 	if (!msg)
19933 		return;
19934 
19935 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19936 	if (!hdr) {
19937 		nlmsg_free(msg);
19938 		return;
19939 	}
19940 
19941 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19942 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19943 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19944 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19945 	    (reason_code > 0 &&
19946 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19947 		goto nla_put_failure;
19948 
19949 	genlmsg_end(msg, hdr);
19950 
19951 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19952 				NL80211_MCGRP_MLME, gfp);
19953 	return;
19954 
19955  nla_put_failure:
19956 	nlmsg_free(msg);
19957 }
19958 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19959 
19960 static int nl80211_netlink_notify(struct notifier_block * nb,
19961 				  unsigned long state,
19962 				  void *_notify)
19963 {
19964 	struct netlink_notify *notify = _notify;
19965 	struct cfg80211_registered_device *rdev;
19966 	struct wireless_dev *wdev;
19967 	struct cfg80211_beacon_registration *reg, *tmp;
19968 
19969 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19970 		return NOTIFY_DONE;
19971 
19972 	rcu_read_lock();
19973 
19974 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19975 		struct cfg80211_sched_scan_request *sched_scan_req;
19976 
19977 		list_for_each_entry_rcu(sched_scan_req,
19978 					&rdev->sched_scan_req_list,
19979 					list) {
19980 			if (sched_scan_req->owner_nlportid == notify->portid) {
19981 				sched_scan_req->nl_owner_dead = true;
19982 				wiphy_work_queue(&rdev->wiphy,
19983 						 &rdev->sched_scan_stop_wk);
19984 			}
19985 		}
19986 
19987 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19988 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19989 
19990 			if (wdev->owner_nlportid == notify->portid) {
19991 				wdev->nl_owner_dead = true;
19992 				schedule_work(&rdev->destroy_work);
19993 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19994 				schedule_work(&wdev->disconnect_wk);
19995 			}
19996 
19997 			cfg80211_release_pmsr(wdev, notify->portid);
19998 		}
19999 
20000 		spin_lock_bh(&rdev->beacon_registrations_lock);
20001 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20002 					 list) {
20003 			if (reg->nlportid == notify->portid) {
20004 				list_del(&reg->list);
20005 				kfree(reg);
20006 				break;
20007 			}
20008 		}
20009 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20010 	}
20011 
20012 	rcu_read_unlock();
20013 
20014 	/*
20015 	 * It is possible that the user space process that is controlling the
20016 	 * indoor setting disappeared, so notify the regulatory core.
20017 	 */
20018 	regulatory_netlink_notify(notify->portid);
20019 	return NOTIFY_OK;
20020 }
20021 
20022 static struct notifier_block nl80211_netlink_notifier = {
20023 	.notifier_call = nl80211_netlink_notify,
20024 };
20025 
20026 void cfg80211_ft_event(struct net_device *netdev,
20027 		       struct cfg80211_ft_event_params *ft_event)
20028 {
20029 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20030 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20031 	struct sk_buff *msg;
20032 	void *hdr;
20033 
20034 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20035 
20036 	if (!ft_event->target_ap)
20037 		return;
20038 
20039 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20040 			GFP_KERNEL);
20041 	if (!msg)
20042 		return;
20043 
20044 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20045 	if (!hdr)
20046 		goto out;
20047 
20048 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20049 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20050 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20051 		goto out;
20052 
20053 	if (ft_event->ies &&
20054 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20055 		goto out;
20056 	if (ft_event->ric_ies &&
20057 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20058 		    ft_event->ric_ies))
20059 		goto out;
20060 
20061 	genlmsg_end(msg, hdr);
20062 
20063 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20064 				NL80211_MCGRP_MLME, GFP_KERNEL);
20065 	return;
20066  out:
20067 	nlmsg_free(msg);
20068 }
20069 EXPORT_SYMBOL(cfg80211_ft_event);
20070 
20071 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20072 {
20073 	struct cfg80211_registered_device *rdev;
20074 	struct sk_buff *msg;
20075 	void *hdr;
20076 	u32 nlportid;
20077 
20078 	rdev = wiphy_to_rdev(wdev->wiphy);
20079 	if (!rdev->crit_proto_nlportid)
20080 		return;
20081 
20082 	nlportid = rdev->crit_proto_nlportid;
20083 	rdev->crit_proto_nlportid = 0;
20084 
20085 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20086 	if (!msg)
20087 		return;
20088 
20089 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20090 	if (!hdr)
20091 		goto nla_put_failure;
20092 
20093 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20094 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20095 			      NL80211_ATTR_PAD))
20096 		goto nla_put_failure;
20097 
20098 	genlmsg_end(msg, hdr);
20099 
20100 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20101 	return;
20102 
20103  nla_put_failure:
20104 	nlmsg_free(msg);
20105 }
20106 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20107 
20108 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20109 {
20110 	struct wiphy *wiphy = wdev->wiphy;
20111 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20112 	struct sk_buff *msg;
20113 	void *hdr;
20114 
20115 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20116 	if (!msg)
20117 		return;
20118 
20119 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20120 	if (!hdr)
20121 		goto out;
20122 
20123 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20124 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20125 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20126 			      NL80211_ATTR_PAD) ||
20127 	    (wdev->valid_links &&
20128 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20129 		goto out;
20130 
20131 	genlmsg_end(msg, hdr);
20132 
20133 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20134 				NL80211_MCGRP_MLME, GFP_KERNEL);
20135 	return;
20136  out:
20137 	nlmsg_free(msg);
20138 }
20139 
20140 int cfg80211_external_auth_request(struct net_device *dev,
20141 				   struct cfg80211_external_auth_params *params,
20142 				   gfp_t gfp)
20143 {
20144 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20145 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20146 	struct sk_buff *msg;
20147 	void *hdr;
20148 
20149 	if (!wdev->conn_owner_nlportid)
20150 		return -EINVAL;
20151 
20152 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20153 	if (!msg)
20154 		return -ENOMEM;
20155 
20156 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20157 	if (!hdr)
20158 		goto nla_put_failure;
20159 
20160 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20161 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20162 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
20163 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20164 			params->action) ||
20165 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20166 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20167 		    params->ssid.ssid) ||
20168 	    (!is_zero_ether_addr(params->mld_addr) &&
20169 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20170 		goto nla_put_failure;
20171 
20172 	genlmsg_end(msg, hdr);
20173 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20174 			wdev->conn_owner_nlportid);
20175 	return 0;
20176 
20177  nla_put_failure:
20178 	nlmsg_free(msg);
20179 	return -ENOBUFS;
20180 }
20181 EXPORT_SYMBOL(cfg80211_external_auth_request);
20182 
20183 void cfg80211_update_owe_info_event(struct net_device *netdev,
20184 				    struct cfg80211_update_owe_info *owe_info,
20185 				    gfp_t gfp)
20186 {
20187 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20188 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20189 	struct sk_buff *msg;
20190 	void *hdr;
20191 
20192 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20193 
20194 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20195 	if (!msg)
20196 		return;
20197 
20198 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20199 	if (!hdr)
20200 		goto nla_put_failure;
20201 
20202 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20203 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20204 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20205 		goto nla_put_failure;
20206 
20207 	if (!owe_info->ie_len ||
20208 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20209 		goto nla_put_failure;
20210 
20211 	if (owe_info->assoc_link_id != -1) {
20212 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20213 			       owe_info->assoc_link_id))
20214 			goto nla_put_failure;
20215 
20216 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20217 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20218 			    owe_info->peer_mld_addr))
20219 			goto nla_put_failure;
20220 	}
20221 
20222 	genlmsg_end(msg, hdr);
20223 
20224 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20225 				NL80211_MCGRP_MLME, gfp);
20226 	return;
20227 
20228 nla_put_failure:
20229 	genlmsg_cancel(msg, hdr);
20230 	nlmsg_free(msg);
20231 }
20232 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20233 
20234 /* initialisation/exit functions */
20235 
20236 int __init nl80211_init(void)
20237 {
20238 	int err;
20239 
20240 	err = genl_register_family(&nl80211_fam);
20241 	if (err)
20242 		return err;
20243 
20244 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20245 	if (err)
20246 		goto err_out;
20247 
20248 	return 0;
20249  err_out:
20250 	genl_unregister_family(&nl80211_fam);
20251 	return err;
20252 }
20253 
20254 void nl80211_exit(void)
20255 {
20256 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20257 	genl_unregister_family(&nl80211_fam);
20258 }
20259