xref: /openbmc/linux/net/wireless/nl80211.c (revision 82b5d164) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2019 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <net/net_namespace.h>
24 #include <net/genetlink.h>
25 #include <net/cfg80211.h>
26 #include <net/sock.h>
27 #include <net/inet_connection_sock.h>
28 #include "core.h"
29 #include "nl80211.h"
30 #include "reg.h"
31 #include "rdev-ops.h"
32 
33 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
34 				   struct genl_info *info,
35 				   struct cfg80211_crypto_settings *settings,
36 				   int cipher_limit);
37 
38 /* the netlink family */
39 static struct genl_family nl80211_fam;
40 
41 /* multicast groups */
42 enum nl80211_multicast_groups {
43 	NL80211_MCGRP_CONFIG,
44 	NL80211_MCGRP_SCAN,
45 	NL80211_MCGRP_REGULATORY,
46 	NL80211_MCGRP_MLME,
47 	NL80211_MCGRP_VENDOR,
48 	NL80211_MCGRP_NAN,
49 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
50 };
51 
52 static const struct genl_multicast_group nl80211_mcgrps[] = {
53 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
54 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
55 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
56 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
57 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
58 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
59 #ifdef CONFIG_NL80211_TESTMODE
60 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
61 #endif
62 };
63 
64 /* returns ERR_PTR values */
65 static struct wireless_dev *
66 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
67 {
68 	struct cfg80211_registered_device *rdev;
69 	struct wireless_dev *result = NULL;
70 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
71 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
72 	u64 wdev_id;
73 	int wiphy_idx = -1;
74 	int ifidx = -1;
75 
76 	ASSERT_RTNL();
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
89 		struct wireless_dev *wdev;
90 
91 		if (wiphy_net(&rdev->wiphy) != netns)
92 			continue;
93 
94 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
95 			continue;
96 
97 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
98 			if (have_ifidx && wdev->netdev &&
99 			    wdev->netdev->ifindex == ifidx) {
100 				result = wdev;
101 				break;
102 			}
103 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
104 				result = wdev;
105 				break;
106 			}
107 		}
108 
109 		if (result)
110 			break;
111 	}
112 
113 	if (result)
114 		return result;
115 	return ERR_PTR(-ENODEV);
116 }
117 
118 static struct cfg80211_registered_device *
119 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
120 {
121 	struct cfg80211_registered_device *rdev = NULL, *tmp;
122 	struct net_device *netdev;
123 
124 	ASSERT_RTNL();
125 
126 	if (!attrs[NL80211_ATTR_WIPHY] &&
127 	    !attrs[NL80211_ATTR_IFINDEX] &&
128 	    !attrs[NL80211_ATTR_WDEV])
129 		return ERR_PTR(-EINVAL);
130 
131 	if (attrs[NL80211_ATTR_WIPHY])
132 		rdev = cfg80211_rdev_by_wiphy_idx(
133 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
134 
135 	if (attrs[NL80211_ATTR_WDEV]) {
136 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
137 		struct wireless_dev *wdev;
138 		bool found = false;
139 
140 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
141 		if (tmp) {
142 			/* make sure wdev exists */
143 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
144 				if (wdev->identifier != (u32)wdev_id)
145 					continue;
146 				found = true;
147 				break;
148 			}
149 
150 			if (!found)
151 				tmp = NULL;
152 
153 			if (rdev && tmp != rdev)
154 				return ERR_PTR(-EINVAL);
155 			rdev = tmp;
156 		}
157 	}
158 
159 	if (attrs[NL80211_ATTR_IFINDEX]) {
160 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
161 
162 		netdev = __dev_get_by_index(netns, ifindex);
163 		if (netdev) {
164 			if (netdev->ieee80211_ptr)
165 				tmp = wiphy_to_rdev(
166 					netdev->ieee80211_ptr->wiphy);
167 			else
168 				tmp = NULL;
169 
170 			/* not wireless device -- return error */
171 			if (!tmp)
172 				return ERR_PTR(-EINVAL);
173 
174 			/* mismatch -- return error */
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 
178 			rdev = tmp;
179 		}
180 	}
181 
182 	if (!rdev)
183 		return ERR_PTR(-ENODEV);
184 
185 	if (netns != wiphy_net(&rdev->wiphy))
186 		return ERR_PTR(-ENODEV);
187 
188 	return rdev;
189 }
190 
191 /*
192  * This function returns a pointer to the driver
193  * that the genl_info item that is passed refers to.
194  *
195  * The result of this can be a PTR_ERR and hence must
196  * be checked with IS_ERR() for errors.
197  */
198 static struct cfg80211_registered_device *
199 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
200 {
201 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
202 }
203 
204 static int validate_ie_attr(const struct nlattr *attr,
205 			    struct netlink_ext_ack *extack)
206 {
207 	const u8 *data = nla_data(attr);
208 	unsigned int len = nla_len(attr);
209 	const struct element *elem;
210 
211 	for_each_element(elem, data, len) {
212 		/* nothing */
213 	}
214 
215 	if (for_each_element_completed(elem, data, len))
216 		return 0;
217 
218 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
219 	return -EINVAL;
220 }
221 
222 /* policy for the attributes */
223 static const struct nla_policy
224 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
225 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
226 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
227 					.len = U8_MAX },
228 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
229 					     .len = U8_MAX },
230 };
231 
232 static const struct nla_policy
233 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
234 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
235 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
236 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
237 		NLA_POLICY_MAX(NLA_U8, 15),
238 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
239 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
240 		NLA_POLICY_MAX(NLA_U8, 15),
241 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
242 		NLA_POLICY_MAX(NLA_U8, 31),
243 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
244 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
245 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
246 };
247 
248 static const struct nla_policy
249 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
250 	[NL80211_PMSR_TYPE_FTM] =
251 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
252 };
253 
254 static const struct nla_policy
255 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
256 	[NL80211_PMSR_REQ_ATTR_DATA] =
257 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
258 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
259 };
260 
261 static const struct nla_policy
262 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
263 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
264 	/*
265 	 * we could specify this again to be the top-level policy,
266 	 * but that would open us up to recursion problems ...
267 	 */
268 	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
269 	[NL80211_PMSR_PEER_ATTR_REQ] =
270 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
271 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
272 };
273 
274 static const struct nla_policy
275 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
276 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
277 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
278 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
279 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
280 	[NL80211_PMSR_ATTR_PEERS] =
281 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
282 };
283 
284 static const struct nla_policy
285 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
286 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
287 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
288 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
289 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
290 };
291 
292 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
293 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
294 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
295 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
296 				      .len = 20-1 },
297 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
298 
299 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
300 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
301 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
302 						NL80211_EDMG_CHANNELS_MIN,
303 						NL80211_EDMG_CHANNELS_MAX),
304 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
305 						NL80211_EDMG_BW_CONFIG_MIN,
306 						NL80211_EDMG_BW_CONFIG_MAX),
307 
308 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
309 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
310 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
311 
312 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
313 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
314 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
315 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
316 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
317 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
318 
319 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
320 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
321 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
322 
323 	[NL80211_ATTR_MAC] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
324 	[NL80211_ATTR_PREV_BSSID] = {
325 		.type = NLA_EXACT_LEN_WARN,
326 		.len = ETH_ALEN
327 	},
328 
329 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
330 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
331 				    .len = WLAN_MAX_KEY_LEN },
332 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
333 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
334 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
336 	[NL80211_ATTR_KEY_TYPE] =
337 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
338 
339 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
340 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
341 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
342 				       .len = IEEE80211_MAX_DATA_LEN },
343 	[NL80211_ATTR_BEACON_TAIL] =
344 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
345 				       IEEE80211_MAX_DATA_LEN),
346 	[NL80211_ATTR_STA_AID] =
347 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
348 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
349 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
350 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
351 					       .len = NL80211_MAX_SUPP_RATES },
352 	[NL80211_ATTR_STA_PLINK_ACTION] =
353 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
354 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
355 		NLA_POLICY_RANGE(NLA_U8,
356 				 NL80211_TX_POWER_AUTOMATIC,
357 				 NL80211_TX_POWER_FIXED),
358 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
359 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
360 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
361 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
362 				   .len = IEEE80211_MAX_MESH_ID_LEN },
363 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
364 
365 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
366 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
367 
368 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
369 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
370 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
371 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
372 					   .len = NL80211_MAX_SUPP_RATES },
373 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
374 
375 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
376 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
377 
378 	[NL80211_ATTR_HT_CAPABILITY] = {
379 		.type = NLA_EXACT_LEN_WARN,
380 		.len = NL80211_HT_CAPABILITY_LEN
381 	},
382 
383 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
384 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
385 						   validate_ie_attr,
386 						   IEEE80211_MAX_DATA_LEN),
387 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
388 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
389 
390 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
391 				.len = IEEE80211_MAX_SSID_LEN },
392 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
393 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
394 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
395 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
396 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
397 						  NL80211_MFP_NO,
398 						  NL80211_MFP_OPTIONAL),
399 	[NL80211_ATTR_STA_FLAGS2] = {
400 		.len = sizeof(struct nl80211_sta_flag_update),
401 	},
402 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
403 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
404 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
405 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
406 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
407 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
408 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
409 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
410 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
411 	[NL80211_ATTR_PMKID] = {
412 		.type = NLA_EXACT_LEN_WARN,
413 		.len = WLAN_PMKID_LEN
414 	},
415 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
416 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
417 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
418 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
419 				 .len = IEEE80211_MAX_DATA_LEN },
420 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
421 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
422 						   NL80211_PS_DISABLED,
423 						   NL80211_PS_ENABLED),
424 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
425 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
426 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
427 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
428 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
429 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
430 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
431 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
432 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
433 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
434 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
435 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
436 	[NL80211_ATTR_STA_PLINK_STATE] =
437 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
438 	[NL80211_ATTR_MESH_PEER_AID] =
439 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
440 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
441 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
442 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
443 	[NL80211_ATTR_HIDDEN_SSID] =
444 		NLA_POLICY_RANGE(NLA_U32,
445 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
446 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
447 	[NL80211_ATTR_IE_PROBE_RESP] =
448 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
449 				       IEEE80211_MAX_DATA_LEN),
450 	[NL80211_ATTR_IE_ASSOC_RESP] =
451 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
452 				       IEEE80211_MAX_DATA_LEN),
453 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
454 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
455 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
456 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
457 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
458 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
459 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
460 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
461 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
462 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
463 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
464 				      .len = IEEE80211_MAX_DATA_LEN },
465 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
466 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
467 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
468 		.len = NL80211_HT_CAPABILITY_LEN
469 	},
470 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
471 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
472 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
473 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
474 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
475 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
476 	[NL80211_ATTR_VHT_CAPABILITY] = {
477 		.type = NLA_EXACT_LEN_WARN,
478 		.len = NL80211_VHT_CAPABILITY_LEN
479 	},
480 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
481 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
482 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
483 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
484 		NLA_POLICY_RANGE(NLA_U32,
485 				 NL80211_MESH_POWER_UNKNOWN + 1,
486 				 NL80211_MESH_POWER_MAX),
487 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
488 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
489 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
490 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
491 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
492 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
493 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
494 		.len = NL80211_VHT_CAPABILITY_LEN,
495 	},
496 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
497 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
498 				  .len = IEEE80211_MAX_DATA_LEN },
499 	[NL80211_ATTR_PEER_AID] =
500 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
501 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
502 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
503 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
504 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
505 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
506 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
507 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
508 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
509 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
510 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
511 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
512 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
513 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
514 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
515 	[NL80211_ATTR_MAC_HINT] = {
516 		.type = NLA_EXACT_LEN_WARN,
517 		.len = ETH_ALEN
518 	},
519 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
520 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
521 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
522 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
523 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
524 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
525 	[NL80211_ATTR_USER_PRIO] =
526 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
527 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
528 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
529 	[NL80211_ATTR_MAC_MASK] = {
530 		.type = NLA_EXACT_LEN_WARN,
531 		.len = ETH_ALEN
532 	},
533 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
534 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
535 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
536 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
537 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
538 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
539 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
540 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
541 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
542 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
543 	},
544 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = {
545 		.type = NLA_EXACT_LEN_WARN,
546 		.len = ETH_ALEN
547 	},
548 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
549 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
550 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
551 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
552 				    .len = FILS_MAX_KEK_LEN },
553 	[NL80211_ATTR_FILS_NONCES] = {
554 		.type = NLA_EXACT_LEN_WARN,
555 		.len = 2 * FILS_NONCE_LEN
556 	},
557 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
558 	[NL80211_ATTR_BSSID] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
559 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
560 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
561 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
562 	},
563 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
564 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
565 					     .len = FILS_ERP_MAX_USERNAME_LEN },
566 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
567 					  .len = FILS_ERP_MAX_REALM_LEN },
568 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
569 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
570 					.len = FILS_ERP_MAX_RRK_LEN },
571 	[NL80211_ATTR_FILS_CACHE_ID] = { .type = NLA_EXACT_LEN_WARN, .len = 2 },
572 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
573 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
575 
576 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
577 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
578 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
579 	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
580 					 .len = NL80211_HE_MAX_CAPABILITY_LEN },
581 
582 	[NL80211_ATTR_FTM_RESPONDER] = {
583 		.type = NLA_NESTED,
584 		.validation_data = nl80211_ftm_responder_policy,
585 	},
586 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
587 	[NL80211_ATTR_PEER_MEASUREMENTS] =
588 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
589 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
590 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
591 					.len = SAE_PASSWORD_MAX_LEN },
592 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
593 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
594 };
595 
596 /* policy for the key attributes */
597 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
598 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
599 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
600 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
601 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
602 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
603 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
604 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
605 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
606 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
607 };
608 
609 /* policy for the key default flags */
610 static const struct nla_policy
611 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
612 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
613 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
614 };
615 
616 #ifdef CONFIG_PM
617 /* policy for WoWLAN attributes */
618 static const struct nla_policy
619 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
620 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
621 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
622 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
623 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
624 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
625 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
626 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
627 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
628 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
629 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
630 };
631 
632 static const struct nla_policy
633 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
634 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
635 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
636 	[NL80211_WOWLAN_TCP_DST_MAC] = {
637 		.type = NLA_EXACT_LEN_WARN,
638 		.len = ETH_ALEN
639 	},
640 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
641 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
642 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
643 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
644 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
645 	},
646 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
647 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
648 	},
649 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
650 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
651 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .type = NLA_MIN_LEN, .len = 1 },
652 };
653 #endif /* CONFIG_PM */
654 
655 /* policy for coalesce rule attributes */
656 static const struct nla_policy
657 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
658 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
659 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
660 		NLA_POLICY_RANGE(NLA_U32,
661 				 NL80211_COALESCE_CONDITION_MATCH,
662 				 NL80211_COALESCE_CONDITION_NO_MATCH),
663 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
664 };
665 
666 /* policy for GTK rekey offload attributes */
667 static const struct nla_policy
668 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
669 	[NL80211_REKEY_DATA_KEK] = {
670 		.type = NLA_EXACT_LEN_WARN,
671 		.len = NL80211_KEK_LEN,
672 	},
673 	[NL80211_REKEY_DATA_KCK] = {
674 		.type = NLA_EXACT_LEN_WARN,
675 		.len = NL80211_KCK_LEN,
676 	},
677 	[NL80211_REKEY_DATA_REPLAY_CTR] = {
678 		.type = NLA_EXACT_LEN_WARN,
679 		.len = NL80211_REPLAY_CTR_LEN
680 	},
681 };
682 
683 static const struct nla_policy
684 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
685 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
686 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
687 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
688 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
689 };
690 
691 static const struct nla_policy
692 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
693 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
694 						 .len = IEEE80211_MAX_SSID_LEN },
695 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = {
696 		.type = NLA_EXACT_LEN_WARN,
697 		.len = ETH_ALEN
698 	},
699 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
700 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
701 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
702 };
703 
704 static const struct nla_policy
705 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
706 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
707 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
708 };
709 
710 static const struct nla_policy
711 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
712 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
713 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
714 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
715 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
716 	},
717 };
718 
719 /* policy for NAN function attributes */
720 static const struct nla_policy
721 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
722 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
723 	[NL80211_NAN_FUNC_SERVICE_ID] = {
724 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
725 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
726 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
727 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
728 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
729 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
730 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = {
731 		.type = NLA_EXACT_LEN_WARN,
732 		.len = ETH_ALEN
733 	},
734 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
735 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
736 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
737 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
738 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
739 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
740 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
741 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
742 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
743 };
744 
745 /* policy for Service Response Filter attributes */
746 static const struct nla_policy
747 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
748 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
749 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
750 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
751 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
752 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
753 };
754 
755 /* policy for packet pattern attributes */
756 static const struct nla_policy
757 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
758 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
759 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
760 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
761 };
762 
763 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
764 			      struct cfg80211_registered_device **rdev,
765 			      struct wireless_dev **wdev)
766 {
767 	int err;
768 
769 	if (!cb->args[0]) {
770 		struct nlattr **attrbuf;
771 
772 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
773 				  GFP_KERNEL);
774 		if (!attrbuf)
775 			return -ENOMEM;
776 
777 		err = nlmsg_parse_deprecated(cb->nlh,
778 					     GENL_HDRLEN + nl80211_fam.hdrsize,
779 					     attrbuf, nl80211_fam.maxattr,
780 					     nl80211_policy, NULL);
781 		if (err) {
782 			kfree(attrbuf);
783 			return err;
784 		}
785 
786 		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
787 						   attrbuf);
788 		kfree(attrbuf);
789 		if (IS_ERR(*wdev))
790 			return PTR_ERR(*wdev);
791 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
792 		/* 0 is the first index - add 1 to parse only once */
793 		cb->args[0] = (*rdev)->wiphy_idx + 1;
794 		cb->args[1] = (*wdev)->identifier;
795 	} else {
796 		/* subtract the 1 again here */
797 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
798 		struct wireless_dev *tmp;
799 
800 		if (!wiphy)
801 			return -ENODEV;
802 		*rdev = wiphy_to_rdev(wiphy);
803 		*wdev = NULL;
804 
805 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
806 			if (tmp->identifier == cb->args[1]) {
807 				*wdev = tmp;
808 				break;
809 			}
810 		}
811 
812 		if (!*wdev)
813 			return -ENODEV;
814 	}
815 
816 	return 0;
817 }
818 
819 /* message building helper */
820 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
821 		     int flags, u8 cmd)
822 {
823 	/* since there is no private header just add the generic one */
824 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
825 }
826 
827 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
828 				     const struct ieee80211_reg_rule *rule)
829 {
830 	int j;
831 	struct nlattr *nl_wmm_rules =
832 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
833 
834 	if (!nl_wmm_rules)
835 		goto nla_put_failure;
836 
837 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
838 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
839 
840 		if (!nl_wmm_rule)
841 			goto nla_put_failure;
842 
843 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
844 				rule->wmm_rule.client[j].cw_min) ||
845 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
846 				rule->wmm_rule.client[j].cw_max) ||
847 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
848 			       rule->wmm_rule.client[j].aifsn) ||
849 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
850 			        rule->wmm_rule.client[j].cot))
851 			goto nla_put_failure;
852 
853 		nla_nest_end(msg, nl_wmm_rule);
854 	}
855 	nla_nest_end(msg, nl_wmm_rules);
856 
857 	return 0;
858 
859 nla_put_failure:
860 	return -ENOBUFS;
861 }
862 
863 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
864 				   struct ieee80211_channel *chan,
865 				   bool large)
866 {
867 	/* Some channels must be completely excluded from the
868 	 * list to protect old user-space tools from breaking
869 	 */
870 	if (!large && chan->flags &
871 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
872 		return 0;
873 
874 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
875 			chan->center_freq))
876 		goto nla_put_failure;
877 
878 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
879 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
880 		goto nla_put_failure;
881 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
882 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
883 			goto nla_put_failure;
884 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
885 			goto nla_put_failure;
886 	}
887 	if (chan->flags & IEEE80211_CHAN_RADAR) {
888 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
889 			goto nla_put_failure;
890 		if (large) {
891 			u32 time;
892 
893 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
894 
895 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
896 					chan->dfs_state))
897 				goto nla_put_failure;
898 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
899 					time))
900 				goto nla_put_failure;
901 			if (nla_put_u32(msg,
902 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
903 					chan->dfs_cac_ms))
904 				goto nla_put_failure;
905 		}
906 	}
907 
908 	if (large) {
909 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
910 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
911 			goto nla_put_failure;
912 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
913 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
914 			goto nla_put_failure;
915 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
916 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
917 			goto nla_put_failure;
918 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
919 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
920 			goto nla_put_failure;
921 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
922 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
923 			goto nla_put_failure;
924 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
925 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
926 			goto nla_put_failure;
927 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
928 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
929 			goto nla_put_failure;
930 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
931 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
932 			goto nla_put_failure;
933 	}
934 
935 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
936 			DBM_TO_MBM(chan->max_power)))
937 		goto nla_put_failure;
938 
939 	if (large) {
940 		const struct ieee80211_reg_rule *rule =
941 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
942 
943 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
944 			if (nl80211_msg_put_wmm_rules(msg, rule))
945 				goto nla_put_failure;
946 		}
947 	}
948 
949 	return 0;
950 
951  nla_put_failure:
952 	return -ENOBUFS;
953 }
954 
955 static bool nl80211_put_txq_stats(struct sk_buff *msg,
956 				  struct cfg80211_txq_stats *txqstats,
957 				  int attrtype)
958 {
959 	struct nlattr *txqattr;
960 
961 #define PUT_TXQVAL_U32(attr, memb) do {					  \
962 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
963 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
964 		return false;						  \
965 	} while (0)
966 
967 	txqattr = nla_nest_start_noflag(msg, attrtype);
968 	if (!txqattr)
969 		return false;
970 
971 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
972 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
973 	PUT_TXQVAL_U32(FLOWS, flows);
974 	PUT_TXQVAL_U32(DROPS, drops);
975 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
976 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
977 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
978 	PUT_TXQVAL_U32(COLLISIONS, collisions);
979 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
980 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
981 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
982 	nla_nest_end(msg, txqattr);
983 
984 #undef PUT_TXQVAL_U32
985 	return true;
986 }
987 
988 /* netlink command implementations */
989 
990 struct key_parse {
991 	struct key_params p;
992 	int idx;
993 	int type;
994 	bool def, defmgmt;
995 	bool def_uni, def_multi;
996 };
997 
998 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
999 				 struct key_parse *k)
1000 {
1001 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1002 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1003 					      nl80211_key_policy,
1004 					      info->extack);
1005 	if (err)
1006 		return err;
1007 
1008 	k->def = !!tb[NL80211_KEY_DEFAULT];
1009 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1010 
1011 	if (k->def) {
1012 		k->def_uni = true;
1013 		k->def_multi = true;
1014 	}
1015 	if (k->defmgmt)
1016 		k->def_multi = true;
1017 
1018 	if (tb[NL80211_KEY_IDX])
1019 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1020 
1021 	if (tb[NL80211_KEY_DATA]) {
1022 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1023 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1024 	}
1025 
1026 	if (tb[NL80211_KEY_SEQ]) {
1027 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1028 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1029 	}
1030 
1031 	if (tb[NL80211_KEY_CIPHER])
1032 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1033 
1034 	if (tb[NL80211_KEY_TYPE])
1035 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1036 
1037 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1038 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1039 
1040 		err = nla_parse_nested_deprecated(kdt,
1041 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1042 						  tb[NL80211_KEY_DEFAULT_TYPES],
1043 						  nl80211_key_default_policy,
1044 						  info->extack);
1045 		if (err)
1046 			return err;
1047 
1048 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1049 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1050 	}
1051 
1052 	if (tb[NL80211_KEY_MODE])
1053 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1054 
1055 	return 0;
1056 }
1057 
1058 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1059 {
1060 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1061 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1062 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1063 	}
1064 
1065 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1066 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1067 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1068 	}
1069 
1070 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1071 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1072 
1073 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1074 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1075 
1076 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1077 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1078 
1079 	if (k->def) {
1080 		k->def_uni = true;
1081 		k->def_multi = true;
1082 	}
1083 	if (k->defmgmt)
1084 		k->def_multi = true;
1085 
1086 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1087 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1088 
1089 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1090 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1091 		int err = nla_parse_nested_deprecated(kdt,
1092 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1093 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1094 						      nl80211_key_default_policy,
1095 						      info->extack);
1096 		if (err)
1097 			return err;
1098 
1099 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1100 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1101 	}
1102 
1103 	return 0;
1104 }
1105 
1106 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1107 {
1108 	int err;
1109 
1110 	memset(k, 0, sizeof(*k));
1111 	k->idx = -1;
1112 	k->type = -1;
1113 
1114 	if (info->attrs[NL80211_ATTR_KEY])
1115 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1116 	else
1117 		err = nl80211_parse_key_old(info, k);
1118 
1119 	if (err)
1120 		return err;
1121 
1122 	if (k->def && k->defmgmt) {
1123 		GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
1124 		return -EINVAL;
1125 	}
1126 
1127 	if (k->defmgmt) {
1128 		if (k->def_uni || !k->def_multi) {
1129 			GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
1130 			return -EINVAL;
1131 		}
1132 	}
1133 
1134 	if (k->idx != -1) {
1135 		if (k->defmgmt) {
1136 			if (k->idx < 4 || k->idx > 5) {
1137 				GENL_SET_ERR_MSG(info,
1138 						 "defmgmt key idx not 4 or 5");
1139 				return -EINVAL;
1140 			}
1141 		} else if (k->def) {
1142 			if (k->idx < 0 || k->idx > 3) {
1143 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1144 				return -EINVAL;
1145 			}
1146 		} else {
1147 			if (k->idx < 0 || k->idx > 5) {
1148 				GENL_SET_ERR_MSG(info, "key idx not 0-5");
1149 				return -EINVAL;
1150 			}
1151 		}
1152 	}
1153 
1154 	return 0;
1155 }
1156 
1157 static struct cfg80211_cached_keys *
1158 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1159 		       struct genl_info *info, bool *no_ht)
1160 {
1161 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1162 	struct key_parse parse;
1163 	struct nlattr *key;
1164 	struct cfg80211_cached_keys *result;
1165 	int rem, err, def = 0;
1166 	bool have_key = false;
1167 
1168 	nla_for_each_nested(key, keys, rem) {
1169 		have_key = true;
1170 		break;
1171 	}
1172 
1173 	if (!have_key)
1174 		return NULL;
1175 
1176 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1177 	if (!result)
1178 		return ERR_PTR(-ENOMEM);
1179 
1180 	result->def = -1;
1181 
1182 	nla_for_each_nested(key, keys, rem) {
1183 		memset(&parse, 0, sizeof(parse));
1184 		parse.idx = -1;
1185 
1186 		err = nl80211_parse_key_new(info, key, &parse);
1187 		if (err)
1188 			goto error;
1189 		err = -EINVAL;
1190 		if (!parse.p.key)
1191 			goto error;
1192 		if (parse.idx < 0 || parse.idx > 3) {
1193 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1194 			goto error;
1195 		}
1196 		if (parse.def) {
1197 			if (def) {
1198 				GENL_SET_ERR_MSG(info,
1199 						 "only one key can be default");
1200 				goto error;
1201 			}
1202 			def = 1;
1203 			result->def = parse.idx;
1204 			if (!parse.def_uni || !parse.def_multi)
1205 				goto error;
1206 		} else if (parse.defmgmt)
1207 			goto error;
1208 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1209 						     parse.idx, false, NULL);
1210 		if (err)
1211 			goto error;
1212 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1213 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1214 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1215 			err = -EINVAL;
1216 			goto error;
1217 		}
1218 		result->params[parse.idx].cipher = parse.p.cipher;
1219 		result->params[parse.idx].key_len = parse.p.key_len;
1220 		result->params[parse.idx].key = result->data[parse.idx];
1221 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1222 
1223 		/* must be WEP key if we got here */
1224 		if (no_ht)
1225 			*no_ht = true;
1226 	}
1227 
1228 	if (result->def < 0) {
1229 		err = -EINVAL;
1230 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1231 		goto error;
1232 	}
1233 
1234 	return result;
1235  error:
1236 	kfree(result);
1237 	return ERR_PTR(err);
1238 }
1239 
1240 static int nl80211_key_allowed(struct wireless_dev *wdev)
1241 {
1242 	ASSERT_WDEV_LOCK(wdev);
1243 
1244 	switch (wdev->iftype) {
1245 	case NL80211_IFTYPE_AP:
1246 	case NL80211_IFTYPE_AP_VLAN:
1247 	case NL80211_IFTYPE_P2P_GO:
1248 	case NL80211_IFTYPE_MESH_POINT:
1249 		break;
1250 	case NL80211_IFTYPE_ADHOC:
1251 	case NL80211_IFTYPE_STATION:
1252 	case NL80211_IFTYPE_P2P_CLIENT:
1253 		if (!wdev->current_bss)
1254 			return -ENOLINK;
1255 		break;
1256 	case NL80211_IFTYPE_UNSPECIFIED:
1257 	case NL80211_IFTYPE_OCB:
1258 	case NL80211_IFTYPE_MONITOR:
1259 	case NL80211_IFTYPE_NAN:
1260 	case NL80211_IFTYPE_P2P_DEVICE:
1261 	case NL80211_IFTYPE_WDS:
1262 	case NUM_NL80211_IFTYPES:
1263 		return -EINVAL;
1264 	}
1265 
1266 	return 0;
1267 }
1268 
1269 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1270 							struct nlattr *tb)
1271 {
1272 	struct ieee80211_channel *chan;
1273 
1274 	if (tb == NULL)
1275 		return NULL;
1276 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1277 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1278 		return NULL;
1279 	return chan;
1280 }
1281 
1282 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1283 {
1284 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1285 	int i;
1286 
1287 	if (!nl_modes)
1288 		goto nla_put_failure;
1289 
1290 	i = 0;
1291 	while (ifmodes) {
1292 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1293 			goto nla_put_failure;
1294 		ifmodes >>= 1;
1295 		i++;
1296 	}
1297 
1298 	nla_nest_end(msg, nl_modes);
1299 	return 0;
1300 
1301 nla_put_failure:
1302 	return -ENOBUFS;
1303 }
1304 
1305 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1306 					  struct sk_buff *msg,
1307 					  bool large)
1308 {
1309 	struct nlattr *nl_combis;
1310 	int i, j;
1311 
1312 	nl_combis = nla_nest_start_noflag(msg,
1313 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1314 	if (!nl_combis)
1315 		goto nla_put_failure;
1316 
1317 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1318 		const struct ieee80211_iface_combination *c;
1319 		struct nlattr *nl_combi, *nl_limits;
1320 
1321 		c = &wiphy->iface_combinations[i];
1322 
1323 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1324 		if (!nl_combi)
1325 			goto nla_put_failure;
1326 
1327 		nl_limits = nla_nest_start_noflag(msg,
1328 						  NL80211_IFACE_COMB_LIMITS);
1329 		if (!nl_limits)
1330 			goto nla_put_failure;
1331 
1332 		for (j = 0; j < c->n_limits; j++) {
1333 			struct nlattr *nl_limit;
1334 
1335 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1336 			if (!nl_limit)
1337 				goto nla_put_failure;
1338 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1339 					c->limits[j].max))
1340 				goto nla_put_failure;
1341 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1342 						c->limits[j].types))
1343 				goto nla_put_failure;
1344 			nla_nest_end(msg, nl_limit);
1345 		}
1346 
1347 		nla_nest_end(msg, nl_limits);
1348 
1349 		if (c->beacon_int_infra_match &&
1350 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1351 			goto nla_put_failure;
1352 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1353 				c->num_different_channels) ||
1354 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1355 				c->max_interfaces))
1356 			goto nla_put_failure;
1357 		if (large &&
1358 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1359 				c->radar_detect_widths) ||
1360 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1361 				c->radar_detect_regions)))
1362 			goto nla_put_failure;
1363 		if (c->beacon_int_min_gcd &&
1364 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1365 				c->beacon_int_min_gcd))
1366 			goto nla_put_failure;
1367 
1368 		nla_nest_end(msg, nl_combi);
1369 	}
1370 
1371 	nla_nest_end(msg, nl_combis);
1372 
1373 	return 0;
1374 nla_put_failure:
1375 	return -ENOBUFS;
1376 }
1377 
1378 #ifdef CONFIG_PM
1379 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1380 					struct sk_buff *msg)
1381 {
1382 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1383 	struct nlattr *nl_tcp;
1384 
1385 	if (!tcp)
1386 		return 0;
1387 
1388 	nl_tcp = nla_nest_start_noflag(msg,
1389 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1390 	if (!nl_tcp)
1391 		return -ENOBUFS;
1392 
1393 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1394 			tcp->data_payload_max))
1395 		return -ENOBUFS;
1396 
1397 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1398 			tcp->data_payload_max))
1399 		return -ENOBUFS;
1400 
1401 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1402 		return -ENOBUFS;
1403 
1404 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1405 				sizeof(*tcp->tok), tcp->tok))
1406 		return -ENOBUFS;
1407 
1408 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1409 			tcp->data_interval_max))
1410 		return -ENOBUFS;
1411 
1412 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1413 			tcp->wake_payload_max))
1414 		return -ENOBUFS;
1415 
1416 	nla_nest_end(msg, nl_tcp);
1417 	return 0;
1418 }
1419 
1420 static int nl80211_send_wowlan(struct sk_buff *msg,
1421 			       struct cfg80211_registered_device *rdev,
1422 			       bool large)
1423 {
1424 	struct nlattr *nl_wowlan;
1425 
1426 	if (!rdev->wiphy.wowlan)
1427 		return 0;
1428 
1429 	nl_wowlan = nla_nest_start_noflag(msg,
1430 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1431 	if (!nl_wowlan)
1432 		return -ENOBUFS;
1433 
1434 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1435 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1436 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1437 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1438 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1439 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1440 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1441 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1442 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1443 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1444 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1445 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1446 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1447 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1448 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1449 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1450 		return -ENOBUFS;
1451 
1452 	if (rdev->wiphy.wowlan->n_patterns) {
1453 		struct nl80211_pattern_support pat = {
1454 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1455 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1456 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1457 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1458 		};
1459 
1460 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1461 			    sizeof(pat), &pat))
1462 			return -ENOBUFS;
1463 	}
1464 
1465 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1466 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1467 			rdev->wiphy.wowlan->max_nd_match_sets))
1468 		return -ENOBUFS;
1469 
1470 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1471 		return -ENOBUFS;
1472 
1473 	nla_nest_end(msg, nl_wowlan);
1474 
1475 	return 0;
1476 }
1477 #endif
1478 
1479 static int nl80211_send_coalesce(struct sk_buff *msg,
1480 				 struct cfg80211_registered_device *rdev)
1481 {
1482 	struct nl80211_coalesce_rule_support rule;
1483 
1484 	if (!rdev->wiphy.coalesce)
1485 		return 0;
1486 
1487 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1488 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1489 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1490 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1491 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1492 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1493 
1494 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1495 		return -ENOBUFS;
1496 
1497 	return 0;
1498 }
1499 
1500 static int
1501 nl80211_send_iftype_data(struct sk_buff *msg,
1502 			 const struct ieee80211_sband_iftype_data *iftdata)
1503 {
1504 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1505 
1506 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1507 				iftdata->types_mask))
1508 		return -ENOBUFS;
1509 
1510 	if (he_cap->has_he) {
1511 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1512 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1513 			    he_cap->he_cap_elem.mac_cap_info) ||
1514 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1515 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1516 			    he_cap->he_cap_elem.phy_cap_info) ||
1517 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1518 			    sizeof(he_cap->he_mcs_nss_supp),
1519 			    &he_cap->he_mcs_nss_supp) ||
1520 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1521 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1522 			return -ENOBUFS;
1523 	}
1524 
1525 	return 0;
1526 }
1527 
1528 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1529 				      struct ieee80211_supported_band *sband)
1530 {
1531 	struct nlattr *nl_rates, *nl_rate;
1532 	struct ieee80211_rate *rate;
1533 	int i;
1534 
1535 	/* add HT info */
1536 	if (sband->ht_cap.ht_supported &&
1537 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1538 		     sizeof(sband->ht_cap.mcs),
1539 		     &sband->ht_cap.mcs) ||
1540 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1541 			 sband->ht_cap.cap) ||
1542 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1543 			sband->ht_cap.ampdu_factor) ||
1544 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1545 			sband->ht_cap.ampdu_density)))
1546 		return -ENOBUFS;
1547 
1548 	/* add VHT info */
1549 	if (sband->vht_cap.vht_supported &&
1550 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1551 		     sizeof(sband->vht_cap.vht_mcs),
1552 		     &sband->vht_cap.vht_mcs) ||
1553 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1554 			 sband->vht_cap.cap)))
1555 		return -ENOBUFS;
1556 
1557 	if (sband->n_iftype_data) {
1558 		struct nlattr *nl_iftype_data =
1559 			nla_nest_start_noflag(msg,
1560 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1561 		int err;
1562 
1563 		if (!nl_iftype_data)
1564 			return -ENOBUFS;
1565 
1566 		for (i = 0; i < sband->n_iftype_data; i++) {
1567 			struct nlattr *iftdata;
1568 
1569 			iftdata = nla_nest_start_noflag(msg, i + 1);
1570 			if (!iftdata)
1571 				return -ENOBUFS;
1572 
1573 			err = nl80211_send_iftype_data(msg,
1574 						       &sband->iftype_data[i]);
1575 			if (err)
1576 				return err;
1577 
1578 			nla_nest_end(msg, iftdata);
1579 		}
1580 
1581 		nla_nest_end(msg, nl_iftype_data);
1582 	}
1583 
1584 	/* add EDMG info */
1585 	if (sband->edmg_cap.channels &&
1586 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1587 		       sband->edmg_cap.channels) ||
1588 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1589 		       sband->edmg_cap.bw_config)))
1590 
1591 		return -ENOBUFS;
1592 
1593 	/* add bitrates */
1594 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1595 	if (!nl_rates)
1596 		return -ENOBUFS;
1597 
1598 	for (i = 0; i < sband->n_bitrates; i++) {
1599 		nl_rate = nla_nest_start_noflag(msg, i);
1600 		if (!nl_rate)
1601 			return -ENOBUFS;
1602 
1603 		rate = &sband->bitrates[i];
1604 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1605 				rate->bitrate))
1606 			return -ENOBUFS;
1607 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1608 		    nla_put_flag(msg,
1609 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1610 			return -ENOBUFS;
1611 
1612 		nla_nest_end(msg, nl_rate);
1613 	}
1614 
1615 	nla_nest_end(msg, nl_rates);
1616 
1617 	return 0;
1618 }
1619 
1620 static int
1621 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1622 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1623 {
1624 	u16 stypes;
1625 	struct nlattr *nl_ftypes, *nl_ifs;
1626 	enum nl80211_iftype ift;
1627 	int i;
1628 
1629 	if (!mgmt_stypes)
1630 		return 0;
1631 
1632 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1633 	if (!nl_ifs)
1634 		return -ENOBUFS;
1635 
1636 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1637 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1638 		if (!nl_ftypes)
1639 			return -ENOBUFS;
1640 		i = 0;
1641 		stypes = mgmt_stypes[ift].tx;
1642 		while (stypes) {
1643 			if ((stypes & 1) &&
1644 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1645 					(i << 4) | IEEE80211_FTYPE_MGMT))
1646 				return -ENOBUFS;
1647 			stypes >>= 1;
1648 			i++;
1649 		}
1650 		nla_nest_end(msg, nl_ftypes);
1651 	}
1652 
1653 	nla_nest_end(msg, nl_ifs);
1654 
1655 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1656 	if (!nl_ifs)
1657 		return -ENOBUFS;
1658 
1659 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1660 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1661 		if (!nl_ftypes)
1662 			return -ENOBUFS;
1663 		i = 0;
1664 		stypes = mgmt_stypes[ift].rx;
1665 		while (stypes) {
1666 			if ((stypes & 1) &&
1667 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1668 					(i << 4) | IEEE80211_FTYPE_MGMT))
1669 				return -ENOBUFS;
1670 			stypes >>= 1;
1671 			i++;
1672 		}
1673 		nla_nest_end(msg, nl_ftypes);
1674 	}
1675 	nla_nest_end(msg, nl_ifs);
1676 
1677 	return 0;
1678 }
1679 
1680 #define CMD(op, n)							\
1681 	 do {								\
1682 		if (rdev->ops->op) {					\
1683 			i++;						\
1684 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1685 				goto nla_put_failure;			\
1686 		}							\
1687 	} while (0)
1688 
1689 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1690 					struct sk_buff *msg)
1691 {
1692 	int i = 0;
1693 
1694 	/*
1695 	 * do *NOT* add anything into this function, new things need to be
1696 	 * advertised only to new versions of userspace that can deal with
1697 	 * the split (and they can't possibly care about new features...
1698 	 */
1699 	CMD(add_virtual_intf, NEW_INTERFACE);
1700 	CMD(change_virtual_intf, SET_INTERFACE);
1701 	CMD(add_key, NEW_KEY);
1702 	CMD(start_ap, START_AP);
1703 	CMD(add_station, NEW_STATION);
1704 	CMD(add_mpath, NEW_MPATH);
1705 	CMD(update_mesh_config, SET_MESH_CONFIG);
1706 	CMD(change_bss, SET_BSS);
1707 	CMD(auth, AUTHENTICATE);
1708 	CMD(assoc, ASSOCIATE);
1709 	CMD(deauth, DEAUTHENTICATE);
1710 	CMD(disassoc, DISASSOCIATE);
1711 	CMD(join_ibss, JOIN_IBSS);
1712 	CMD(join_mesh, JOIN_MESH);
1713 	CMD(set_pmksa, SET_PMKSA);
1714 	CMD(del_pmksa, DEL_PMKSA);
1715 	CMD(flush_pmksa, FLUSH_PMKSA);
1716 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1717 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1718 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1719 	CMD(mgmt_tx, FRAME);
1720 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1721 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1722 		i++;
1723 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1724 			goto nla_put_failure;
1725 	}
1726 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1727 	    rdev->ops->join_mesh) {
1728 		i++;
1729 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1730 			goto nla_put_failure;
1731 	}
1732 	CMD(set_wds_peer, SET_WDS_PEER);
1733 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1734 		CMD(tdls_mgmt, TDLS_MGMT);
1735 		CMD(tdls_oper, TDLS_OPER);
1736 	}
1737 	if (rdev->wiphy.max_sched_scan_reqs)
1738 		CMD(sched_scan_start, START_SCHED_SCAN);
1739 	CMD(probe_client, PROBE_CLIENT);
1740 	CMD(set_noack_map, SET_NOACK_MAP);
1741 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1742 		i++;
1743 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1744 			goto nla_put_failure;
1745 	}
1746 	CMD(start_p2p_device, START_P2P_DEVICE);
1747 	CMD(set_mcast_rate, SET_MCAST_RATE);
1748 #ifdef CONFIG_NL80211_TESTMODE
1749 	CMD(testmode_cmd, TESTMODE);
1750 #endif
1751 
1752 	if (rdev->ops->connect || rdev->ops->auth) {
1753 		i++;
1754 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1755 			goto nla_put_failure;
1756 	}
1757 
1758 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1759 		i++;
1760 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1761 			goto nla_put_failure;
1762 	}
1763 
1764 	return i;
1765  nla_put_failure:
1766 	return -ENOBUFS;
1767 }
1768 
1769 static int
1770 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1771 			   struct sk_buff *msg)
1772 {
1773 	struct nlattr *ftm;
1774 
1775 	if (!cap->ftm.supported)
1776 		return 0;
1777 
1778 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1779 	if (!ftm)
1780 		return -ENOBUFS;
1781 
1782 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1783 		return -ENOBUFS;
1784 	if (cap->ftm.non_asap &&
1785 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1786 		return -ENOBUFS;
1787 	if (cap->ftm.request_lci &&
1788 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1789 		return -ENOBUFS;
1790 	if (cap->ftm.request_civicloc &&
1791 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1792 		return -ENOBUFS;
1793 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1794 			cap->ftm.preambles))
1795 		return -ENOBUFS;
1796 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1797 			cap->ftm.bandwidths))
1798 		return -ENOBUFS;
1799 	if (cap->ftm.max_bursts_exponent >= 0 &&
1800 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1801 			cap->ftm.max_bursts_exponent))
1802 		return -ENOBUFS;
1803 	if (cap->ftm.max_ftms_per_burst &&
1804 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1805 			cap->ftm.max_ftms_per_burst))
1806 		return -ENOBUFS;
1807 
1808 	nla_nest_end(msg, ftm);
1809 	return 0;
1810 }
1811 
1812 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1813 				  struct sk_buff *msg)
1814 {
1815 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1816 	struct nlattr *pmsr, *caps;
1817 
1818 	if (!cap)
1819 		return 0;
1820 
1821 	/*
1822 	 * we don't need to clean up anything here since the caller
1823 	 * will genlmsg_cancel() if we fail
1824 	 */
1825 
1826 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1827 	if (!pmsr)
1828 		return -ENOBUFS;
1829 
1830 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1831 		return -ENOBUFS;
1832 
1833 	if (cap->report_ap_tsf &&
1834 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1835 		return -ENOBUFS;
1836 
1837 	if (cap->randomize_mac_addr &&
1838 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1839 		return -ENOBUFS;
1840 
1841 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1842 	if (!caps)
1843 		return -ENOBUFS;
1844 
1845 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1846 		return -ENOBUFS;
1847 
1848 	nla_nest_end(msg, caps);
1849 	nla_nest_end(msg, pmsr);
1850 
1851 	return 0;
1852 }
1853 
1854 struct nl80211_dump_wiphy_state {
1855 	s64 filter_wiphy;
1856 	long start;
1857 	long split_start, band_start, chan_start, capa_start;
1858 	bool split;
1859 };
1860 
1861 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1862 			      enum nl80211_commands cmd,
1863 			      struct sk_buff *msg, u32 portid, u32 seq,
1864 			      int flags, struct nl80211_dump_wiphy_state *state)
1865 {
1866 	void *hdr;
1867 	struct nlattr *nl_bands, *nl_band;
1868 	struct nlattr *nl_freqs, *nl_freq;
1869 	struct nlattr *nl_cmds;
1870 	enum nl80211_band band;
1871 	struct ieee80211_channel *chan;
1872 	int i;
1873 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1874 				rdev->wiphy.mgmt_stypes;
1875 	u32 features;
1876 
1877 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1878 	if (!hdr)
1879 		return -ENOBUFS;
1880 
1881 	if (WARN_ON(!state))
1882 		return -EINVAL;
1883 
1884 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1885 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1886 			   wiphy_name(&rdev->wiphy)) ||
1887 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1888 			cfg80211_rdev_list_generation))
1889 		goto nla_put_failure;
1890 
1891 	if (cmd != NL80211_CMD_NEW_WIPHY)
1892 		goto finish;
1893 
1894 	switch (state->split_start) {
1895 	case 0:
1896 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1897 			       rdev->wiphy.retry_short) ||
1898 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1899 			       rdev->wiphy.retry_long) ||
1900 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1901 				rdev->wiphy.frag_threshold) ||
1902 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1903 				rdev->wiphy.rts_threshold) ||
1904 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1905 			       rdev->wiphy.coverage_class) ||
1906 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1907 			       rdev->wiphy.max_scan_ssids) ||
1908 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1909 			       rdev->wiphy.max_sched_scan_ssids) ||
1910 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1911 				rdev->wiphy.max_scan_ie_len) ||
1912 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1913 				rdev->wiphy.max_sched_scan_ie_len) ||
1914 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1915 			       rdev->wiphy.max_match_sets) ||
1916 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1917 				rdev->wiphy.max_sched_scan_plans) ||
1918 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1919 				rdev->wiphy.max_sched_scan_plan_interval) ||
1920 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1921 				rdev->wiphy.max_sched_scan_plan_iterations))
1922 			goto nla_put_failure;
1923 
1924 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1925 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1926 			goto nla_put_failure;
1927 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1928 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1929 			goto nla_put_failure;
1930 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1931 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1932 			goto nla_put_failure;
1933 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1934 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1935 			goto nla_put_failure;
1936 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1937 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1938 			goto nla_put_failure;
1939 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1940 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1941 			goto nla_put_failure;
1942 		state->split_start++;
1943 		if (state->split)
1944 			break;
1945 		/* fall through */
1946 	case 1:
1947 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1948 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1949 			    rdev->wiphy.cipher_suites))
1950 			goto nla_put_failure;
1951 
1952 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1953 			       rdev->wiphy.max_num_pmkids))
1954 			goto nla_put_failure;
1955 
1956 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1957 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1958 			goto nla_put_failure;
1959 
1960 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1961 				rdev->wiphy.available_antennas_tx) ||
1962 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1963 				rdev->wiphy.available_antennas_rx))
1964 			goto nla_put_failure;
1965 
1966 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1967 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1968 				rdev->wiphy.probe_resp_offload))
1969 			goto nla_put_failure;
1970 
1971 		if ((rdev->wiphy.available_antennas_tx ||
1972 		     rdev->wiphy.available_antennas_rx) &&
1973 		    rdev->ops->get_antenna) {
1974 			u32 tx_ant = 0, rx_ant = 0;
1975 			int res;
1976 
1977 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1978 			if (!res) {
1979 				if (nla_put_u32(msg,
1980 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1981 						tx_ant) ||
1982 				    nla_put_u32(msg,
1983 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1984 						rx_ant))
1985 					goto nla_put_failure;
1986 			}
1987 		}
1988 
1989 		state->split_start++;
1990 		if (state->split)
1991 			break;
1992 		/* fall through */
1993 	case 2:
1994 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1995 					rdev->wiphy.interface_modes))
1996 				goto nla_put_failure;
1997 		state->split_start++;
1998 		if (state->split)
1999 			break;
2000 		/* fall through */
2001 	case 3:
2002 		nl_bands = nla_nest_start_noflag(msg,
2003 						 NL80211_ATTR_WIPHY_BANDS);
2004 		if (!nl_bands)
2005 			goto nla_put_failure;
2006 
2007 		for (band = state->band_start;
2008 		     band < NUM_NL80211_BANDS; band++) {
2009 			struct ieee80211_supported_band *sband;
2010 
2011 			sband = rdev->wiphy.bands[band];
2012 
2013 			if (!sband)
2014 				continue;
2015 
2016 			nl_band = nla_nest_start_noflag(msg, band);
2017 			if (!nl_band)
2018 				goto nla_put_failure;
2019 
2020 			switch (state->chan_start) {
2021 			case 0:
2022 				if (nl80211_send_band_rateinfo(msg, sband))
2023 					goto nla_put_failure;
2024 				state->chan_start++;
2025 				if (state->split)
2026 					break;
2027 				/* fall through */
2028 			default:
2029 				/* add frequencies */
2030 				nl_freqs = nla_nest_start_noflag(msg,
2031 								 NL80211_BAND_ATTR_FREQS);
2032 				if (!nl_freqs)
2033 					goto nla_put_failure;
2034 
2035 				for (i = state->chan_start - 1;
2036 				     i < sband->n_channels;
2037 				     i++) {
2038 					nl_freq = nla_nest_start_noflag(msg,
2039 									i);
2040 					if (!nl_freq)
2041 						goto nla_put_failure;
2042 
2043 					chan = &sband->channels[i];
2044 
2045 					if (nl80211_msg_put_channel(
2046 							msg, &rdev->wiphy, chan,
2047 							state->split))
2048 						goto nla_put_failure;
2049 
2050 					nla_nest_end(msg, nl_freq);
2051 					if (state->split)
2052 						break;
2053 				}
2054 				if (i < sband->n_channels)
2055 					state->chan_start = i + 2;
2056 				else
2057 					state->chan_start = 0;
2058 				nla_nest_end(msg, nl_freqs);
2059 			}
2060 
2061 			nla_nest_end(msg, nl_band);
2062 
2063 			if (state->split) {
2064 				/* start again here */
2065 				if (state->chan_start)
2066 					band--;
2067 				break;
2068 			}
2069 		}
2070 		nla_nest_end(msg, nl_bands);
2071 
2072 		if (band < NUM_NL80211_BANDS)
2073 			state->band_start = band + 1;
2074 		else
2075 			state->band_start = 0;
2076 
2077 		/* if bands & channels are done, continue outside */
2078 		if (state->band_start == 0 && state->chan_start == 0)
2079 			state->split_start++;
2080 		if (state->split)
2081 			break;
2082 		/* fall through */
2083 	case 4:
2084 		nl_cmds = nla_nest_start_noflag(msg,
2085 						NL80211_ATTR_SUPPORTED_COMMANDS);
2086 		if (!nl_cmds)
2087 			goto nla_put_failure;
2088 
2089 		i = nl80211_add_commands_unsplit(rdev, msg);
2090 		if (i < 0)
2091 			goto nla_put_failure;
2092 		if (state->split) {
2093 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2094 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2095 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2096 				CMD(channel_switch, CHANNEL_SWITCH);
2097 			CMD(set_qos_map, SET_QOS_MAP);
2098 			if (rdev->wiphy.features &
2099 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2100 				CMD(add_tx_ts, ADD_TX_TS);
2101 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2102 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2103 			CMD(update_ft_ies, UPDATE_FT_IES);
2104 		}
2105 #undef CMD
2106 
2107 		nla_nest_end(msg, nl_cmds);
2108 		state->split_start++;
2109 		if (state->split)
2110 			break;
2111 		/* fall through */
2112 	case 5:
2113 		if (rdev->ops->remain_on_channel &&
2114 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2115 		    nla_put_u32(msg,
2116 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2117 				rdev->wiphy.max_remain_on_channel_duration))
2118 			goto nla_put_failure;
2119 
2120 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2121 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2122 			goto nla_put_failure;
2123 
2124 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2125 			goto nla_put_failure;
2126 		state->split_start++;
2127 		if (state->split)
2128 			break;
2129 		/* fall through */
2130 	case 6:
2131 #ifdef CONFIG_PM
2132 		if (nl80211_send_wowlan(msg, rdev, state->split))
2133 			goto nla_put_failure;
2134 		state->split_start++;
2135 		if (state->split)
2136 			break;
2137 #else
2138 		state->split_start++;
2139 #endif
2140 		/* fall through */
2141 	case 7:
2142 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2143 					rdev->wiphy.software_iftypes))
2144 			goto nla_put_failure;
2145 
2146 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2147 						   state->split))
2148 			goto nla_put_failure;
2149 
2150 		state->split_start++;
2151 		if (state->split)
2152 			break;
2153 		/* fall through */
2154 	case 8:
2155 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2156 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2157 				rdev->wiphy.ap_sme_capa))
2158 			goto nla_put_failure;
2159 
2160 		features = rdev->wiphy.features;
2161 		/*
2162 		 * We can only add the per-channel limit information if the
2163 		 * dump is split, otherwise it makes it too big. Therefore
2164 		 * only advertise it in that case.
2165 		 */
2166 		if (state->split)
2167 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2168 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2169 			goto nla_put_failure;
2170 
2171 		if (rdev->wiphy.ht_capa_mod_mask &&
2172 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2173 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2174 			    rdev->wiphy.ht_capa_mod_mask))
2175 			goto nla_put_failure;
2176 
2177 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2178 		    rdev->wiphy.max_acl_mac_addrs &&
2179 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2180 				rdev->wiphy.max_acl_mac_addrs))
2181 			goto nla_put_failure;
2182 
2183 		/*
2184 		 * Any information below this point is only available to
2185 		 * applications that can deal with it being split. This
2186 		 * helps ensure that newly added capabilities don't break
2187 		 * older tools by overrunning their buffers.
2188 		 *
2189 		 * We still increment split_start so that in the split
2190 		 * case we'll continue with more data in the next round,
2191 		 * but break unconditionally so unsplit data stops here.
2192 		 */
2193 		state->split_start++;
2194 		break;
2195 	case 9:
2196 		if (rdev->wiphy.extended_capabilities &&
2197 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2198 			     rdev->wiphy.extended_capabilities_len,
2199 			     rdev->wiphy.extended_capabilities) ||
2200 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2201 			     rdev->wiphy.extended_capabilities_len,
2202 			     rdev->wiphy.extended_capabilities_mask)))
2203 			goto nla_put_failure;
2204 
2205 		if (rdev->wiphy.vht_capa_mod_mask &&
2206 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2207 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2208 			    rdev->wiphy.vht_capa_mod_mask))
2209 			goto nla_put_failure;
2210 
2211 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2212 			    rdev->wiphy.perm_addr))
2213 			goto nla_put_failure;
2214 
2215 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2216 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2217 			    rdev->wiphy.addr_mask))
2218 			goto nla_put_failure;
2219 
2220 		if (rdev->wiphy.n_addresses > 1) {
2221 			void *attr;
2222 
2223 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2224 			if (!attr)
2225 				goto nla_put_failure;
2226 
2227 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2228 				if (nla_put(msg, i + 1, ETH_ALEN,
2229 					    rdev->wiphy.addresses[i].addr))
2230 					goto nla_put_failure;
2231 
2232 			nla_nest_end(msg, attr);
2233 		}
2234 
2235 		state->split_start++;
2236 		break;
2237 	case 10:
2238 		if (nl80211_send_coalesce(msg, rdev))
2239 			goto nla_put_failure;
2240 
2241 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2242 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2243 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2244 			goto nla_put_failure;
2245 
2246 		if (rdev->wiphy.max_ap_assoc_sta &&
2247 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2248 				rdev->wiphy.max_ap_assoc_sta))
2249 			goto nla_put_failure;
2250 
2251 		state->split_start++;
2252 		break;
2253 	case 11:
2254 		if (rdev->wiphy.n_vendor_commands) {
2255 			const struct nl80211_vendor_cmd_info *info;
2256 			struct nlattr *nested;
2257 
2258 			nested = nla_nest_start_noflag(msg,
2259 						       NL80211_ATTR_VENDOR_DATA);
2260 			if (!nested)
2261 				goto nla_put_failure;
2262 
2263 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2264 				info = &rdev->wiphy.vendor_commands[i].info;
2265 				if (nla_put(msg, i + 1, sizeof(*info), info))
2266 					goto nla_put_failure;
2267 			}
2268 			nla_nest_end(msg, nested);
2269 		}
2270 
2271 		if (rdev->wiphy.n_vendor_events) {
2272 			const struct nl80211_vendor_cmd_info *info;
2273 			struct nlattr *nested;
2274 
2275 			nested = nla_nest_start_noflag(msg,
2276 						       NL80211_ATTR_VENDOR_EVENTS);
2277 			if (!nested)
2278 				goto nla_put_failure;
2279 
2280 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2281 				info = &rdev->wiphy.vendor_events[i];
2282 				if (nla_put(msg, i + 1, sizeof(*info), info))
2283 					goto nla_put_failure;
2284 			}
2285 			nla_nest_end(msg, nested);
2286 		}
2287 		state->split_start++;
2288 		break;
2289 	case 12:
2290 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2291 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2292 			       rdev->wiphy.max_num_csa_counters))
2293 			goto nla_put_failure;
2294 
2295 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2296 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2297 			goto nla_put_failure;
2298 
2299 		if (rdev->wiphy.max_sched_scan_reqs &&
2300 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2301 				rdev->wiphy.max_sched_scan_reqs))
2302 			goto nla_put_failure;
2303 
2304 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2305 			    sizeof(rdev->wiphy.ext_features),
2306 			    rdev->wiphy.ext_features))
2307 			goto nla_put_failure;
2308 
2309 		if (rdev->wiphy.bss_select_support) {
2310 			struct nlattr *nested;
2311 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2312 
2313 			nested = nla_nest_start_noflag(msg,
2314 						       NL80211_ATTR_BSS_SELECT);
2315 			if (!nested)
2316 				goto nla_put_failure;
2317 
2318 			i = 0;
2319 			while (bss_select_support) {
2320 				if ((bss_select_support & 1) &&
2321 				    nla_put_flag(msg, i))
2322 					goto nla_put_failure;
2323 				i++;
2324 				bss_select_support >>= 1;
2325 			}
2326 			nla_nest_end(msg, nested);
2327 		}
2328 
2329 		state->split_start++;
2330 		break;
2331 	case 13:
2332 		if (rdev->wiphy.num_iftype_ext_capab &&
2333 		    rdev->wiphy.iftype_ext_capab) {
2334 			struct nlattr *nested_ext_capab, *nested;
2335 
2336 			nested = nla_nest_start_noflag(msg,
2337 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2338 			if (!nested)
2339 				goto nla_put_failure;
2340 
2341 			for (i = state->capa_start;
2342 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2343 				const struct wiphy_iftype_ext_capab *capab;
2344 
2345 				capab = &rdev->wiphy.iftype_ext_capab[i];
2346 
2347 				nested_ext_capab = nla_nest_start_noflag(msg,
2348 									 i);
2349 				if (!nested_ext_capab ||
2350 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2351 						capab->iftype) ||
2352 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2353 					    capab->extended_capabilities_len,
2354 					    capab->extended_capabilities) ||
2355 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2356 					    capab->extended_capabilities_len,
2357 					    capab->extended_capabilities_mask))
2358 					goto nla_put_failure;
2359 
2360 				nla_nest_end(msg, nested_ext_capab);
2361 				if (state->split)
2362 					break;
2363 			}
2364 			nla_nest_end(msg, nested);
2365 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2366 				state->capa_start = i + 1;
2367 				break;
2368 			}
2369 		}
2370 
2371 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2372 				rdev->wiphy.nan_supported_bands))
2373 			goto nla_put_failure;
2374 
2375 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2376 					    NL80211_EXT_FEATURE_TXQS)) {
2377 			struct cfg80211_txq_stats txqstats = {};
2378 			int res;
2379 
2380 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2381 			if (!res &&
2382 			    !nl80211_put_txq_stats(msg, &txqstats,
2383 						   NL80211_ATTR_TXQ_STATS))
2384 				goto nla_put_failure;
2385 
2386 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2387 					rdev->wiphy.txq_limit))
2388 				goto nla_put_failure;
2389 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2390 					rdev->wiphy.txq_memory_limit))
2391 				goto nla_put_failure;
2392 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2393 					rdev->wiphy.txq_quantum))
2394 				goto nla_put_failure;
2395 		}
2396 
2397 		state->split_start++;
2398 		break;
2399 	case 14:
2400 		if (nl80211_send_pmsr_capa(rdev, msg))
2401 			goto nla_put_failure;
2402 
2403 		state->split_start++;
2404 		break;
2405 	case 15:
2406 		if (rdev->wiphy.akm_suites &&
2407 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2408 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2409 			    rdev->wiphy.akm_suites))
2410 			goto nla_put_failure;
2411 
2412 		/* done */
2413 		state->split_start = 0;
2414 		break;
2415 	}
2416  finish:
2417 	genlmsg_end(msg, hdr);
2418 	return 0;
2419 
2420  nla_put_failure:
2421 	genlmsg_cancel(msg, hdr);
2422 	return -EMSGSIZE;
2423 }
2424 
2425 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2426 				    struct netlink_callback *cb,
2427 				    struct nl80211_dump_wiphy_state *state)
2428 {
2429 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2430 	int ret;
2431 
2432 	if (!tb)
2433 		return -ENOMEM;
2434 
2435 	ret = nlmsg_parse_deprecated(cb->nlh,
2436 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2437 				     tb, nl80211_fam.maxattr,
2438 				     nl80211_policy, NULL);
2439 	/* ignore parse errors for backward compatibility */
2440 	if (ret) {
2441 		ret = 0;
2442 		goto out;
2443 	}
2444 
2445 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2446 	if (tb[NL80211_ATTR_WIPHY])
2447 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2448 	if (tb[NL80211_ATTR_WDEV])
2449 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2450 	if (tb[NL80211_ATTR_IFINDEX]) {
2451 		struct net_device *netdev;
2452 		struct cfg80211_registered_device *rdev;
2453 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2454 
2455 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2456 		if (!netdev) {
2457 			ret = -ENODEV;
2458 			goto out;
2459 		}
2460 		if (netdev->ieee80211_ptr) {
2461 			rdev = wiphy_to_rdev(
2462 				netdev->ieee80211_ptr->wiphy);
2463 			state->filter_wiphy = rdev->wiphy_idx;
2464 		}
2465 	}
2466 
2467 	ret = 0;
2468 out:
2469 	kfree(tb);
2470 	return ret;
2471 }
2472 
2473 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2474 {
2475 	int idx = 0, ret;
2476 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2477 	struct cfg80211_registered_device *rdev;
2478 
2479 	rtnl_lock();
2480 	if (!state) {
2481 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2482 		if (!state) {
2483 			rtnl_unlock();
2484 			return -ENOMEM;
2485 		}
2486 		state->filter_wiphy = -1;
2487 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2488 		if (ret) {
2489 			kfree(state);
2490 			rtnl_unlock();
2491 			return ret;
2492 		}
2493 		cb->args[0] = (long)state;
2494 	}
2495 
2496 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2497 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2498 			continue;
2499 		if (++idx <= state->start)
2500 			continue;
2501 		if (state->filter_wiphy != -1 &&
2502 		    state->filter_wiphy != rdev->wiphy_idx)
2503 			continue;
2504 		/* attempt to fit multiple wiphy data chunks into the skb */
2505 		do {
2506 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2507 						 skb,
2508 						 NETLINK_CB(cb->skb).portid,
2509 						 cb->nlh->nlmsg_seq,
2510 						 NLM_F_MULTI, state);
2511 			if (ret < 0) {
2512 				/*
2513 				 * If sending the wiphy data didn't fit (ENOBUFS
2514 				 * or EMSGSIZE returned), this SKB is still
2515 				 * empty (so it's not too big because another
2516 				 * wiphy dataset is already in the skb) and
2517 				 * we've not tried to adjust the dump allocation
2518 				 * yet ... then adjust the alloc size to be
2519 				 * bigger, and return 1 but with the empty skb.
2520 				 * This results in an empty message being RX'ed
2521 				 * in userspace, but that is ignored.
2522 				 *
2523 				 * We can then retry with the larger buffer.
2524 				 */
2525 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2526 				    !skb->len && !state->split &&
2527 				    cb->min_dump_alloc < 4096) {
2528 					cb->min_dump_alloc = 4096;
2529 					state->split_start = 0;
2530 					rtnl_unlock();
2531 					return 1;
2532 				}
2533 				idx--;
2534 				break;
2535 			}
2536 		} while (state->split_start > 0);
2537 		break;
2538 	}
2539 	rtnl_unlock();
2540 
2541 	state->start = idx;
2542 
2543 	return skb->len;
2544 }
2545 
2546 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2547 {
2548 	kfree((void *)cb->args[0]);
2549 	return 0;
2550 }
2551 
2552 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2553 {
2554 	struct sk_buff *msg;
2555 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2556 	struct nl80211_dump_wiphy_state state = {};
2557 
2558 	msg = nlmsg_new(4096, GFP_KERNEL);
2559 	if (!msg)
2560 		return -ENOMEM;
2561 
2562 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2563 			       info->snd_portid, info->snd_seq, 0,
2564 			       &state) < 0) {
2565 		nlmsg_free(msg);
2566 		return -ENOBUFS;
2567 	}
2568 
2569 	return genlmsg_reply(msg, info);
2570 }
2571 
2572 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2573 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2574 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2575 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2576 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2577 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2578 };
2579 
2580 static int parse_txq_params(struct nlattr *tb[],
2581 			    struct ieee80211_txq_params *txq_params)
2582 {
2583 	u8 ac;
2584 
2585 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2586 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2587 	    !tb[NL80211_TXQ_ATTR_AIFS])
2588 		return -EINVAL;
2589 
2590 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2591 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2592 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2593 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2594 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2595 
2596 	if (ac >= NL80211_NUM_ACS)
2597 		return -EINVAL;
2598 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2599 	return 0;
2600 }
2601 
2602 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2603 {
2604 	/*
2605 	 * You can only set the channel explicitly for WDS interfaces,
2606 	 * all others have their channel managed via their respective
2607 	 * "establish a connection" command (connect, join, ...)
2608 	 *
2609 	 * For AP/GO and mesh mode, the channel can be set with the
2610 	 * channel userspace API, but is only stored and passed to the
2611 	 * low-level driver when the AP starts or the mesh is joined.
2612 	 * This is for backward compatibility, userspace can also give
2613 	 * the channel in the start-ap or join-mesh commands instead.
2614 	 *
2615 	 * Monitors are special as they are normally slaved to
2616 	 * whatever else is going on, so they have their own special
2617 	 * operation to set the monitor channel if possible.
2618 	 */
2619 	return !wdev ||
2620 		wdev->iftype == NL80211_IFTYPE_AP ||
2621 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2622 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2623 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2624 }
2625 
2626 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2627 			  struct genl_info *info,
2628 			  struct cfg80211_chan_def *chandef)
2629 {
2630 	struct netlink_ext_ack *extack = info->extack;
2631 	struct nlattr **attrs = info->attrs;
2632 	u32 control_freq;
2633 
2634 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2635 		return -EINVAL;
2636 
2637 	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2638 
2639 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2640 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2641 	chandef->center_freq1 = control_freq;
2642 	chandef->center_freq2 = 0;
2643 
2644 	/* Primary channel not allowed */
2645 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2646 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2647 				    "Channel is disabled");
2648 		return -EINVAL;
2649 	}
2650 
2651 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2652 		enum nl80211_channel_type chantype;
2653 
2654 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2655 
2656 		switch (chantype) {
2657 		case NL80211_CHAN_NO_HT:
2658 		case NL80211_CHAN_HT20:
2659 		case NL80211_CHAN_HT40PLUS:
2660 		case NL80211_CHAN_HT40MINUS:
2661 			cfg80211_chandef_create(chandef, chandef->chan,
2662 						chantype);
2663 			/* user input for center_freq is incorrect */
2664 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2665 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2666 				NL_SET_ERR_MSG_ATTR(extack,
2667 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2668 						    "bad center frequency 1");
2669 				return -EINVAL;
2670 			}
2671 			/* center_freq2 must be zero */
2672 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2673 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2674 				NL_SET_ERR_MSG_ATTR(extack,
2675 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2676 						    "center frequency 2 can't be used");
2677 				return -EINVAL;
2678 			}
2679 			break;
2680 		default:
2681 			NL_SET_ERR_MSG_ATTR(extack,
2682 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2683 					    "invalid channel type");
2684 			return -EINVAL;
2685 		}
2686 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2687 		chandef->width =
2688 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2689 		if (attrs[NL80211_ATTR_CENTER_FREQ1])
2690 			chandef->center_freq1 =
2691 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2692 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2693 			chandef->center_freq2 =
2694 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2695 	}
2696 
2697 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2698 		chandef->edmg.channels =
2699 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2700 
2701 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2702 			chandef->edmg.bw_config =
2703 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2704 	} else {
2705 		chandef->edmg.bw_config = 0;
2706 		chandef->edmg.channels = 0;
2707 	}
2708 
2709 	if (!cfg80211_chandef_valid(chandef)) {
2710 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2711 		return -EINVAL;
2712 	}
2713 
2714 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2715 				     IEEE80211_CHAN_DISABLED)) {
2716 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2717 		return -EINVAL;
2718 	}
2719 
2720 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2721 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2722 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2723 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2724 		return -EINVAL;
2725 	}
2726 
2727 	return 0;
2728 }
2729 
2730 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2731 				 struct net_device *dev,
2732 				 struct genl_info *info)
2733 {
2734 	struct cfg80211_chan_def chandef;
2735 	int result;
2736 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2737 	struct wireless_dev *wdev = NULL;
2738 
2739 	if (dev)
2740 		wdev = dev->ieee80211_ptr;
2741 	if (!nl80211_can_set_dev_channel(wdev))
2742 		return -EOPNOTSUPP;
2743 	if (wdev)
2744 		iftype = wdev->iftype;
2745 
2746 	result = nl80211_parse_chandef(rdev, info, &chandef);
2747 	if (result)
2748 		return result;
2749 
2750 	switch (iftype) {
2751 	case NL80211_IFTYPE_AP:
2752 	case NL80211_IFTYPE_P2P_GO:
2753 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2754 						   iftype)) {
2755 			result = -EINVAL;
2756 			break;
2757 		}
2758 		if (wdev->beacon_interval) {
2759 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2760 			    !(rdev->wiphy.features &
2761 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2762 				result = -EBUSY;
2763 				break;
2764 			}
2765 
2766 			/* Only allow dynamic channel width changes */
2767 			if (chandef.chan != wdev->preset_chandef.chan) {
2768 				result = -EBUSY;
2769 				break;
2770 			}
2771 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2772 			if (result)
2773 				break;
2774 		}
2775 		wdev->preset_chandef = chandef;
2776 		result = 0;
2777 		break;
2778 	case NL80211_IFTYPE_MESH_POINT:
2779 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2780 		break;
2781 	case NL80211_IFTYPE_MONITOR:
2782 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2783 		break;
2784 	default:
2785 		result = -EINVAL;
2786 	}
2787 
2788 	return result;
2789 }
2790 
2791 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2792 {
2793 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2794 	struct net_device *netdev = info->user_ptr[1];
2795 
2796 	return __nl80211_set_channel(rdev, netdev, info);
2797 }
2798 
2799 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2800 {
2801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2802 	struct net_device *dev = info->user_ptr[1];
2803 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2804 	const u8 *bssid;
2805 
2806 	if (!info->attrs[NL80211_ATTR_MAC])
2807 		return -EINVAL;
2808 
2809 	if (netif_running(dev))
2810 		return -EBUSY;
2811 
2812 	if (!rdev->ops->set_wds_peer)
2813 		return -EOPNOTSUPP;
2814 
2815 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2816 		return -EOPNOTSUPP;
2817 
2818 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2819 	return rdev_set_wds_peer(rdev, dev, bssid);
2820 }
2821 
2822 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2823 {
2824 	struct cfg80211_registered_device *rdev;
2825 	struct net_device *netdev = NULL;
2826 	struct wireless_dev *wdev;
2827 	int result = 0, rem_txq_params = 0;
2828 	struct nlattr *nl_txq_params;
2829 	u32 changed;
2830 	u8 retry_short = 0, retry_long = 0;
2831 	u32 frag_threshold = 0, rts_threshold = 0;
2832 	u8 coverage_class = 0;
2833 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2834 
2835 	ASSERT_RTNL();
2836 
2837 	/*
2838 	 * Try to find the wiphy and netdev. Normally this
2839 	 * function shouldn't need the netdev, but this is
2840 	 * done for backward compatibility -- previously
2841 	 * setting the channel was done per wiphy, but now
2842 	 * it is per netdev. Previous userland like hostapd
2843 	 * also passed a netdev to set_wiphy, so that it is
2844 	 * possible to let that go to the right netdev!
2845 	 */
2846 
2847 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2848 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2849 
2850 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2851 		if (netdev && netdev->ieee80211_ptr)
2852 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2853 		else
2854 			netdev = NULL;
2855 	}
2856 
2857 	if (!netdev) {
2858 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2859 						  info->attrs);
2860 		if (IS_ERR(rdev))
2861 			return PTR_ERR(rdev);
2862 		wdev = NULL;
2863 		netdev = NULL;
2864 		result = 0;
2865 	} else
2866 		wdev = netdev->ieee80211_ptr;
2867 
2868 	/*
2869 	 * end workaround code, by now the rdev is available
2870 	 * and locked, and wdev may or may not be NULL.
2871 	 */
2872 
2873 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2874 		result = cfg80211_dev_rename(
2875 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2876 
2877 	if (result)
2878 		return result;
2879 
2880 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2881 		struct ieee80211_txq_params txq_params;
2882 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2883 
2884 		if (!rdev->ops->set_txq_params)
2885 			return -EOPNOTSUPP;
2886 
2887 		if (!netdev)
2888 			return -EINVAL;
2889 
2890 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2891 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2892 			return -EINVAL;
2893 
2894 		if (!netif_running(netdev))
2895 			return -ENETDOWN;
2896 
2897 		nla_for_each_nested(nl_txq_params,
2898 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2899 				    rem_txq_params) {
2900 			result = nla_parse_nested_deprecated(tb,
2901 							     NL80211_TXQ_ATTR_MAX,
2902 							     nl_txq_params,
2903 							     txq_params_policy,
2904 							     info->extack);
2905 			if (result)
2906 				return result;
2907 			result = parse_txq_params(tb, &txq_params);
2908 			if (result)
2909 				return result;
2910 
2911 			result = rdev_set_txq_params(rdev, netdev,
2912 						     &txq_params);
2913 			if (result)
2914 				return result;
2915 		}
2916 	}
2917 
2918 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2919 		result = __nl80211_set_channel(
2920 			rdev,
2921 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2922 			info);
2923 		if (result)
2924 			return result;
2925 	}
2926 
2927 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2928 		struct wireless_dev *txp_wdev = wdev;
2929 		enum nl80211_tx_power_setting type;
2930 		int idx, mbm = 0;
2931 
2932 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2933 			txp_wdev = NULL;
2934 
2935 		if (!rdev->ops->set_tx_power)
2936 			return -EOPNOTSUPP;
2937 
2938 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2939 		type = nla_get_u32(info->attrs[idx]);
2940 
2941 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2942 		    (type != NL80211_TX_POWER_AUTOMATIC))
2943 			return -EINVAL;
2944 
2945 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2946 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2947 			mbm = nla_get_u32(info->attrs[idx]);
2948 		}
2949 
2950 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2951 		if (result)
2952 			return result;
2953 	}
2954 
2955 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2956 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2957 		u32 tx_ant, rx_ant;
2958 
2959 		if ((!rdev->wiphy.available_antennas_tx &&
2960 		     !rdev->wiphy.available_antennas_rx) ||
2961 		    !rdev->ops->set_antenna)
2962 			return -EOPNOTSUPP;
2963 
2964 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2965 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2966 
2967 		/* reject antenna configurations which don't match the
2968 		 * available antenna masks, except for the "all" mask */
2969 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2970 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2971 			return -EINVAL;
2972 
2973 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2974 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2975 
2976 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2977 		if (result)
2978 			return result;
2979 	}
2980 
2981 	changed = 0;
2982 
2983 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2984 		retry_short = nla_get_u8(
2985 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2986 
2987 		changed |= WIPHY_PARAM_RETRY_SHORT;
2988 	}
2989 
2990 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2991 		retry_long = nla_get_u8(
2992 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2993 
2994 		changed |= WIPHY_PARAM_RETRY_LONG;
2995 	}
2996 
2997 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2998 		frag_threshold = nla_get_u32(
2999 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3000 		if (frag_threshold < 256)
3001 			return -EINVAL;
3002 
3003 		if (frag_threshold != (u32) -1) {
3004 			/*
3005 			 * Fragments (apart from the last one) are required to
3006 			 * have even length. Make the fragmentation code
3007 			 * simpler by stripping LSB should someone try to use
3008 			 * odd threshold value.
3009 			 */
3010 			frag_threshold &= ~0x1;
3011 		}
3012 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3013 	}
3014 
3015 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3016 		rts_threshold = nla_get_u32(
3017 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3018 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3019 	}
3020 
3021 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3022 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3023 			return -EINVAL;
3024 
3025 		coverage_class = nla_get_u8(
3026 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3027 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3028 	}
3029 
3030 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3031 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3032 			return -EOPNOTSUPP;
3033 
3034 		changed |= WIPHY_PARAM_DYN_ACK;
3035 	}
3036 
3037 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3038 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3039 					     NL80211_EXT_FEATURE_TXQS))
3040 			return -EOPNOTSUPP;
3041 		txq_limit = nla_get_u32(
3042 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3043 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3044 	}
3045 
3046 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3047 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3048 					     NL80211_EXT_FEATURE_TXQS))
3049 			return -EOPNOTSUPP;
3050 		txq_memory_limit = nla_get_u32(
3051 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3052 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3053 	}
3054 
3055 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3056 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3057 					     NL80211_EXT_FEATURE_TXQS))
3058 			return -EOPNOTSUPP;
3059 		txq_quantum = nla_get_u32(
3060 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3061 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3062 	}
3063 
3064 	if (changed) {
3065 		u8 old_retry_short, old_retry_long;
3066 		u32 old_frag_threshold, old_rts_threshold;
3067 		u8 old_coverage_class;
3068 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3069 
3070 		if (!rdev->ops->set_wiphy_params)
3071 			return -EOPNOTSUPP;
3072 
3073 		old_retry_short = rdev->wiphy.retry_short;
3074 		old_retry_long = rdev->wiphy.retry_long;
3075 		old_frag_threshold = rdev->wiphy.frag_threshold;
3076 		old_rts_threshold = rdev->wiphy.rts_threshold;
3077 		old_coverage_class = rdev->wiphy.coverage_class;
3078 		old_txq_limit = rdev->wiphy.txq_limit;
3079 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3080 		old_txq_quantum = rdev->wiphy.txq_quantum;
3081 
3082 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3083 			rdev->wiphy.retry_short = retry_short;
3084 		if (changed & WIPHY_PARAM_RETRY_LONG)
3085 			rdev->wiphy.retry_long = retry_long;
3086 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3087 			rdev->wiphy.frag_threshold = frag_threshold;
3088 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3089 			rdev->wiphy.rts_threshold = rts_threshold;
3090 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3091 			rdev->wiphy.coverage_class = coverage_class;
3092 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3093 			rdev->wiphy.txq_limit = txq_limit;
3094 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3095 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3096 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3097 			rdev->wiphy.txq_quantum = txq_quantum;
3098 
3099 		result = rdev_set_wiphy_params(rdev, changed);
3100 		if (result) {
3101 			rdev->wiphy.retry_short = old_retry_short;
3102 			rdev->wiphy.retry_long = old_retry_long;
3103 			rdev->wiphy.frag_threshold = old_frag_threshold;
3104 			rdev->wiphy.rts_threshold = old_rts_threshold;
3105 			rdev->wiphy.coverage_class = old_coverage_class;
3106 			rdev->wiphy.txq_limit = old_txq_limit;
3107 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3108 			rdev->wiphy.txq_quantum = old_txq_quantum;
3109 			return result;
3110 		}
3111 	}
3112 	return 0;
3113 }
3114 
3115 static int nl80211_send_chandef(struct sk_buff *msg,
3116 				const struct cfg80211_chan_def *chandef)
3117 {
3118 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3119 		return -EINVAL;
3120 
3121 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3122 			chandef->chan->center_freq))
3123 		return -ENOBUFS;
3124 	switch (chandef->width) {
3125 	case NL80211_CHAN_WIDTH_20_NOHT:
3126 	case NL80211_CHAN_WIDTH_20:
3127 	case NL80211_CHAN_WIDTH_40:
3128 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3129 				cfg80211_get_chandef_type(chandef)))
3130 			return -ENOBUFS;
3131 		break;
3132 	default:
3133 		break;
3134 	}
3135 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3136 		return -ENOBUFS;
3137 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3138 		return -ENOBUFS;
3139 	if (chandef->center_freq2 &&
3140 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3141 		return -ENOBUFS;
3142 	return 0;
3143 }
3144 
3145 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3146 			      struct cfg80211_registered_device *rdev,
3147 			      struct wireless_dev *wdev,
3148 			      enum nl80211_commands cmd)
3149 {
3150 	struct net_device *dev = wdev->netdev;
3151 	void *hdr;
3152 
3153 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3154 		cmd != NL80211_CMD_DEL_INTERFACE &&
3155 		cmd != NL80211_CMD_SET_INTERFACE);
3156 
3157 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3158 	if (!hdr)
3159 		return -1;
3160 
3161 	if (dev &&
3162 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3163 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3164 		goto nla_put_failure;
3165 
3166 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3167 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3168 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3169 			      NL80211_ATTR_PAD) ||
3170 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3171 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3172 			rdev->devlist_generation ^
3173 			(cfg80211_rdev_list_generation << 2)) ||
3174 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3175 		goto nla_put_failure;
3176 
3177 	if (rdev->ops->get_channel) {
3178 		int ret;
3179 		struct cfg80211_chan_def chandef;
3180 
3181 		ret = rdev_get_channel(rdev, wdev, &chandef);
3182 		if (ret == 0) {
3183 			if (nl80211_send_chandef(msg, &chandef))
3184 				goto nla_put_failure;
3185 		}
3186 	}
3187 
3188 	if (rdev->ops->get_tx_power) {
3189 		int dbm, ret;
3190 
3191 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3192 		if (ret == 0 &&
3193 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3194 				DBM_TO_MBM(dbm)))
3195 			goto nla_put_failure;
3196 	}
3197 
3198 	wdev_lock(wdev);
3199 	switch (wdev->iftype) {
3200 	case NL80211_IFTYPE_AP:
3201 		if (wdev->ssid_len &&
3202 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3203 			goto nla_put_failure_locked;
3204 		break;
3205 	case NL80211_IFTYPE_STATION:
3206 	case NL80211_IFTYPE_P2P_CLIENT:
3207 	case NL80211_IFTYPE_ADHOC: {
3208 		const u8 *ssid_ie;
3209 		if (!wdev->current_bss)
3210 			break;
3211 		rcu_read_lock();
3212 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3213 					       WLAN_EID_SSID);
3214 		if (ssid_ie &&
3215 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3216 			goto nla_put_failure_rcu_locked;
3217 		rcu_read_unlock();
3218 		break;
3219 		}
3220 	default:
3221 		/* nothing */
3222 		break;
3223 	}
3224 	wdev_unlock(wdev);
3225 
3226 	if (rdev->ops->get_txq_stats) {
3227 		struct cfg80211_txq_stats txqstats = {};
3228 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3229 
3230 		if (ret == 0 &&
3231 		    !nl80211_put_txq_stats(msg, &txqstats,
3232 					   NL80211_ATTR_TXQ_STATS))
3233 			goto nla_put_failure;
3234 	}
3235 
3236 	genlmsg_end(msg, hdr);
3237 	return 0;
3238 
3239  nla_put_failure_rcu_locked:
3240 	rcu_read_unlock();
3241  nla_put_failure_locked:
3242 	wdev_unlock(wdev);
3243  nla_put_failure:
3244 	genlmsg_cancel(msg, hdr);
3245 	return -EMSGSIZE;
3246 }
3247 
3248 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3249 {
3250 	int wp_idx = 0;
3251 	int if_idx = 0;
3252 	int wp_start = cb->args[0];
3253 	int if_start = cb->args[1];
3254 	int filter_wiphy = -1;
3255 	struct cfg80211_registered_device *rdev;
3256 	struct wireless_dev *wdev;
3257 	int ret;
3258 
3259 	rtnl_lock();
3260 	if (!cb->args[2]) {
3261 		struct nl80211_dump_wiphy_state state = {
3262 			.filter_wiphy = -1,
3263 		};
3264 
3265 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3266 		if (ret)
3267 			goto out_unlock;
3268 
3269 		filter_wiphy = state.filter_wiphy;
3270 
3271 		/*
3272 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3273 		 * value needed to determine that parsing is necessary.
3274 		 */
3275 		if (filter_wiphy >= 0)
3276 			cb->args[2] = filter_wiphy + 1;
3277 		else
3278 			cb->args[2] = -1;
3279 	} else if (cb->args[2] > 0) {
3280 		filter_wiphy = cb->args[2] - 1;
3281 	}
3282 
3283 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3284 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3285 			continue;
3286 		if (wp_idx < wp_start) {
3287 			wp_idx++;
3288 			continue;
3289 		}
3290 
3291 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3292 			continue;
3293 
3294 		if_idx = 0;
3295 
3296 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3297 			if (if_idx < if_start) {
3298 				if_idx++;
3299 				continue;
3300 			}
3301 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3302 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3303 					       rdev, wdev,
3304 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3305 				goto out;
3306 			}
3307 			if_idx++;
3308 		}
3309 
3310 		wp_idx++;
3311 	}
3312  out:
3313 	cb->args[0] = wp_idx;
3314 	cb->args[1] = if_idx;
3315 
3316 	ret = skb->len;
3317  out_unlock:
3318 	rtnl_unlock();
3319 
3320 	return ret;
3321 }
3322 
3323 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3324 {
3325 	struct sk_buff *msg;
3326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3327 	struct wireless_dev *wdev = info->user_ptr[1];
3328 
3329 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3330 	if (!msg)
3331 		return -ENOMEM;
3332 
3333 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3334 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3335 		nlmsg_free(msg);
3336 		return -ENOBUFS;
3337 	}
3338 
3339 	return genlmsg_reply(msg, info);
3340 }
3341 
3342 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3343 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3344 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3345 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3346 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3347 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3348 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3349 };
3350 
3351 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3352 {
3353 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3354 	int flag;
3355 
3356 	*mntrflags = 0;
3357 
3358 	if (!nla)
3359 		return -EINVAL;
3360 
3361 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3362 		return -EINVAL;
3363 
3364 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3365 		if (flags[flag])
3366 			*mntrflags |= (1<<flag);
3367 
3368 	*mntrflags |= MONITOR_FLAG_CHANGED;
3369 
3370 	return 0;
3371 }
3372 
3373 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3374 				     enum nl80211_iftype type,
3375 				     struct genl_info *info,
3376 				     struct vif_params *params)
3377 {
3378 	bool change = false;
3379 	int err;
3380 
3381 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3382 		if (type != NL80211_IFTYPE_MONITOR)
3383 			return -EINVAL;
3384 
3385 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3386 					  &params->flags);
3387 		if (err)
3388 			return err;
3389 
3390 		change = true;
3391 	}
3392 
3393 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3394 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3395 		return -EOPNOTSUPP;
3396 
3397 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3398 		const u8 *mumimo_groups;
3399 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3400 
3401 		if (type != NL80211_IFTYPE_MONITOR)
3402 			return -EINVAL;
3403 
3404 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3405 			return -EOPNOTSUPP;
3406 
3407 		mumimo_groups =
3408 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3409 
3410 		/* bits 0 and 63 are reserved and must be zero */
3411 		if ((mumimo_groups[0] & BIT(0)) ||
3412 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3413 			return -EINVAL;
3414 
3415 		params->vht_mumimo_groups = mumimo_groups;
3416 		change = true;
3417 	}
3418 
3419 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3420 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3421 
3422 		if (type != NL80211_IFTYPE_MONITOR)
3423 			return -EINVAL;
3424 
3425 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3426 			return -EOPNOTSUPP;
3427 
3428 		params->vht_mumimo_follow_addr =
3429 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3430 		change = true;
3431 	}
3432 
3433 	return change ? 1 : 0;
3434 }
3435 
3436 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3437 			       struct net_device *netdev, u8 use_4addr,
3438 			       enum nl80211_iftype iftype)
3439 {
3440 	if (!use_4addr) {
3441 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3442 			return -EBUSY;
3443 		return 0;
3444 	}
3445 
3446 	switch (iftype) {
3447 	case NL80211_IFTYPE_AP_VLAN:
3448 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3449 			return 0;
3450 		break;
3451 	case NL80211_IFTYPE_STATION:
3452 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3453 			return 0;
3454 		break;
3455 	default:
3456 		break;
3457 	}
3458 
3459 	return -EOPNOTSUPP;
3460 }
3461 
3462 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3463 {
3464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3465 	struct vif_params params;
3466 	int err;
3467 	enum nl80211_iftype otype, ntype;
3468 	struct net_device *dev = info->user_ptr[1];
3469 	bool change = false;
3470 
3471 	memset(&params, 0, sizeof(params));
3472 
3473 	otype = ntype = dev->ieee80211_ptr->iftype;
3474 
3475 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3476 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3477 		if (otype != ntype)
3478 			change = true;
3479 	}
3480 
3481 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3482 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3483 
3484 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3485 			return -EINVAL;
3486 		if (netif_running(dev))
3487 			return -EBUSY;
3488 
3489 		wdev_lock(wdev);
3490 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3491 			     IEEE80211_MAX_MESH_ID_LEN);
3492 		wdev->mesh_id_up_len =
3493 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3494 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3495 		       wdev->mesh_id_up_len);
3496 		wdev_unlock(wdev);
3497 	}
3498 
3499 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3500 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3501 		change = true;
3502 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3503 		if (err)
3504 			return err;
3505 	} else {
3506 		params.use_4addr = -1;
3507 	}
3508 
3509 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3510 	if (err < 0)
3511 		return err;
3512 	if (err > 0)
3513 		change = true;
3514 
3515 	if (change)
3516 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3517 	else
3518 		err = 0;
3519 
3520 	if (!err && params.use_4addr != -1)
3521 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3522 
3523 	if (change && !err) {
3524 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3525 
3526 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3527 	}
3528 
3529 	return err;
3530 }
3531 
3532 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3533 {
3534 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3535 	struct vif_params params;
3536 	struct wireless_dev *wdev;
3537 	struct sk_buff *msg;
3538 	int err;
3539 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3540 
3541 	/* to avoid failing a new interface creation due to pending removal */
3542 	cfg80211_destroy_ifaces(rdev);
3543 
3544 	memset(&params, 0, sizeof(params));
3545 
3546 	if (!info->attrs[NL80211_ATTR_IFNAME])
3547 		return -EINVAL;
3548 
3549 	if (info->attrs[NL80211_ATTR_IFTYPE])
3550 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3551 
3552 	if (!rdev->ops->add_virtual_intf)
3553 		return -EOPNOTSUPP;
3554 
3555 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3556 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3557 	    info->attrs[NL80211_ATTR_MAC]) {
3558 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3559 			   ETH_ALEN);
3560 		if (!is_valid_ether_addr(params.macaddr))
3561 			return -EADDRNOTAVAIL;
3562 	}
3563 
3564 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3565 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3566 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3567 		if (err)
3568 			return err;
3569 	}
3570 
3571 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3572 		return -EOPNOTSUPP;
3573 
3574 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3575 	if (err < 0)
3576 		return err;
3577 
3578 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3579 	if (!msg)
3580 		return -ENOMEM;
3581 
3582 	wdev = rdev_add_virtual_intf(rdev,
3583 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3584 				NET_NAME_USER, type, &params);
3585 	if (WARN_ON(!wdev)) {
3586 		nlmsg_free(msg);
3587 		return -EPROTO;
3588 	} else if (IS_ERR(wdev)) {
3589 		nlmsg_free(msg);
3590 		return PTR_ERR(wdev);
3591 	}
3592 
3593 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3594 		wdev->owner_nlportid = info->snd_portid;
3595 
3596 	switch (type) {
3597 	case NL80211_IFTYPE_MESH_POINT:
3598 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3599 			break;
3600 		wdev_lock(wdev);
3601 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3602 			     IEEE80211_MAX_MESH_ID_LEN);
3603 		wdev->mesh_id_up_len =
3604 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3605 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3606 		       wdev->mesh_id_up_len);
3607 		wdev_unlock(wdev);
3608 		break;
3609 	case NL80211_IFTYPE_NAN:
3610 	case NL80211_IFTYPE_P2P_DEVICE:
3611 		/*
3612 		 * P2P Device and NAN do not have a netdev, so don't go
3613 		 * through the netdev notifier and must be added here
3614 		 */
3615 		cfg80211_init_wdev(rdev, wdev);
3616 		break;
3617 	default:
3618 		break;
3619 	}
3620 
3621 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3622 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3623 		nlmsg_free(msg);
3624 		return -ENOBUFS;
3625 	}
3626 
3627 	return genlmsg_reply(msg, info);
3628 }
3629 
3630 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3631 {
3632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3633 	struct wireless_dev *wdev = info->user_ptr[1];
3634 
3635 	if (!rdev->ops->del_virtual_intf)
3636 		return -EOPNOTSUPP;
3637 
3638 	/*
3639 	 * If we remove a wireless device without a netdev then clear
3640 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3641 	 * to check if it needs to do dev_put(). Otherwise it crashes
3642 	 * since the wdev has been freed, unlike with a netdev where
3643 	 * we need the dev_put() for the netdev to really be freed.
3644 	 */
3645 	if (!wdev->netdev)
3646 		info->user_ptr[1] = NULL;
3647 
3648 	return rdev_del_virtual_intf(rdev, wdev);
3649 }
3650 
3651 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3652 {
3653 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3654 	struct net_device *dev = info->user_ptr[1];
3655 	u16 noack_map;
3656 
3657 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3658 		return -EINVAL;
3659 
3660 	if (!rdev->ops->set_noack_map)
3661 		return -EOPNOTSUPP;
3662 
3663 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3664 
3665 	return rdev_set_noack_map(rdev, dev, noack_map);
3666 }
3667 
3668 struct get_key_cookie {
3669 	struct sk_buff *msg;
3670 	int error;
3671 	int idx;
3672 };
3673 
3674 static void get_key_callback(void *c, struct key_params *params)
3675 {
3676 	struct nlattr *key;
3677 	struct get_key_cookie *cookie = c;
3678 
3679 	if ((params->key &&
3680 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3681 		     params->key_len, params->key)) ||
3682 	    (params->seq &&
3683 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3684 		     params->seq_len, params->seq)) ||
3685 	    (params->cipher &&
3686 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3687 			 params->cipher)))
3688 		goto nla_put_failure;
3689 
3690 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3691 	if (!key)
3692 		goto nla_put_failure;
3693 
3694 	if ((params->key &&
3695 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3696 		     params->key_len, params->key)) ||
3697 	    (params->seq &&
3698 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3699 		     params->seq_len, params->seq)) ||
3700 	    (params->cipher &&
3701 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3702 			 params->cipher)))
3703 		goto nla_put_failure;
3704 
3705 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3706 		goto nla_put_failure;
3707 
3708 	nla_nest_end(cookie->msg, key);
3709 
3710 	return;
3711  nla_put_failure:
3712 	cookie->error = 1;
3713 }
3714 
3715 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3716 {
3717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3718 	int err;
3719 	struct net_device *dev = info->user_ptr[1];
3720 	u8 key_idx = 0;
3721 	const u8 *mac_addr = NULL;
3722 	bool pairwise;
3723 	struct get_key_cookie cookie = {
3724 		.error = 0,
3725 	};
3726 	void *hdr;
3727 	struct sk_buff *msg;
3728 
3729 	if (info->attrs[NL80211_ATTR_KEY_IDX])
3730 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3731 
3732 	if (info->attrs[NL80211_ATTR_MAC])
3733 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3734 
3735 	pairwise = !!mac_addr;
3736 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3737 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3738 
3739 		if (kt != NL80211_KEYTYPE_GROUP &&
3740 		    kt != NL80211_KEYTYPE_PAIRWISE)
3741 			return -EINVAL;
3742 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3743 	}
3744 
3745 	if (!rdev->ops->get_key)
3746 		return -EOPNOTSUPP;
3747 
3748 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3749 		return -ENOENT;
3750 
3751 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3752 	if (!msg)
3753 		return -ENOMEM;
3754 
3755 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3756 			     NL80211_CMD_NEW_KEY);
3757 	if (!hdr)
3758 		goto nla_put_failure;
3759 
3760 	cookie.msg = msg;
3761 	cookie.idx = key_idx;
3762 
3763 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3764 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3765 		goto nla_put_failure;
3766 	if (mac_addr &&
3767 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3768 		goto nla_put_failure;
3769 
3770 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3771 			   get_key_callback);
3772 
3773 	if (err)
3774 		goto free_msg;
3775 
3776 	if (cookie.error)
3777 		goto nla_put_failure;
3778 
3779 	genlmsg_end(msg, hdr);
3780 	return genlmsg_reply(msg, info);
3781 
3782  nla_put_failure:
3783 	err = -ENOBUFS;
3784  free_msg:
3785 	nlmsg_free(msg);
3786 	return err;
3787 }
3788 
3789 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3790 {
3791 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3792 	struct key_parse key;
3793 	int err;
3794 	struct net_device *dev = info->user_ptr[1];
3795 
3796 	err = nl80211_parse_key(info, &key);
3797 	if (err)
3798 		return err;
3799 
3800 	if (key.idx < 0)
3801 		return -EINVAL;
3802 
3803 	/* Only support setting default key and
3804 	 * Extended Key ID action NL80211_KEY_SET_TX.
3805 	 */
3806 	if (!key.def && !key.defmgmt &&
3807 	    !(key.p.mode == NL80211_KEY_SET_TX))
3808 		return -EINVAL;
3809 
3810 	wdev_lock(dev->ieee80211_ptr);
3811 
3812 	if (key.def) {
3813 		if (!rdev->ops->set_default_key) {
3814 			err = -EOPNOTSUPP;
3815 			goto out;
3816 		}
3817 
3818 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3819 		if (err)
3820 			goto out;
3821 
3822 		err = rdev_set_default_key(rdev, dev, key.idx,
3823 						 key.def_uni, key.def_multi);
3824 
3825 		if (err)
3826 			goto out;
3827 
3828 #ifdef CONFIG_CFG80211_WEXT
3829 		dev->ieee80211_ptr->wext.default_key = key.idx;
3830 #endif
3831 	} else if (key.defmgmt) {
3832 		if (key.def_uni || !key.def_multi) {
3833 			err = -EINVAL;
3834 			goto out;
3835 		}
3836 
3837 		if (!rdev->ops->set_default_mgmt_key) {
3838 			err = -EOPNOTSUPP;
3839 			goto out;
3840 		}
3841 
3842 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3843 		if (err)
3844 			goto out;
3845 
3846 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3847 		if (err)
3848 			goto out;
3849 
3850 #ifdef CONFIG_CFG80211_WEXT
3851 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3852 #endif
3853 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
3854 		   wiphy_ext_feature_isset(&rdev->wiphy,
3855 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
3856 		u8 *mac_addr = NULL;
3857 
3858 		if (info->attrs[NL80211_ATTR_MAC])
3859 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3860 
3861 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
3862 			err = -EINVAL;
3863 			goto out;
3864 		}
3865 
3866 		err = rdev_add_key(rdev, dev, key.idx,
3867 				   NL80211_KEYTYPE_PAIRWISE,
3868 				   mac_addr, &key.p);
3869 	} else {
3870 		err = -EINVAL;
3871 	}
3872  out:
3873 	wdev_unlock(dev->ieee80211_ptr);
3874 
3875 	return err;
3876 }
3877 
3878 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3879 {
3880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3881 	int err;
3882 	struct net_device *dev = info->user_ptr[1];
3883 	struct key_parse key;
3884 	const u8 *mac_addr = NULL;
3885 
3886 	err = nl80211_parse_key(info, &key);
3887 	if (err)
3888 		return err;
3889 
3890 	if (!key.p.key)
3891 		return -EINVAL;
3892 
3893 	if (info->attrs[NL80211_ATTR_MAC])
3894 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3895 
3896 	if (key.type == -1) {
3897 		if (mac_addr)
3898 			key.type = NL80211_KEYTYPE_PAIRWISE;
3899 		else
3900 			key.type = NL80211_KEYTYPE_GROUP;
3901 	}
3902 
3903 	/* for now */
3904 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3905 	    key.type != NL80211_KEYTYPE_GROUP)
3906 		return -EINVAL;
3907 
3908 	if (!rdev->ops->add_key)
3909 		return -EOPNOTSUPP;
3910 
3911 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3912 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3913 					   mac_addr))
3914 		return -EINVAL;
3915 
3916 	wdev_lock(dev->ieee80211_ptr);
3917 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3918 	if (!err)
3919 		err = rdev_add_key(rdev, dev, key.idx,
3920 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3921 				    mac_addr, &key.p);
3922 	wdev_unlock(dev->ieee80211_ptr);
3923 
3924 	return err;
3925 }
3926 
3927 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3928 {
3929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3930 	int err;
3931 	struct net_device *dev = info->user_ptr[1];
3932 	u8 *mac_addr = NULL;
3933 	struct key_parse key;
3934 
3935 	err = nl80211_parse_key(info, &key);
3936 	if (err)
3937 		return err;
3938 
3939 	if (info->attrs[NL80211_ATTR_MAC])
3940 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3941 
3942 	if (key.type == -1) {
3943 		if (mac_addr)
3944 			key.type = NL80211_KEYTYPE_PAIRWISE;
3945 		else
3946 			key.type = NL80211_KEYTYPE_GROUP;
3947 	}
3948 
3949 	/* for now */
3950 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3951 	    key.type != NL80211_KEYTYPE_GROUP)
3952 		return -EINVAL;
3953 
3954 	if (!rdev->ops->del_key)
3955 		return -EOPNOTSUPP;
3956 
3957 	wdev_lock(dev->ieee80211_ptr);
3958 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3959 
3960 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3961 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3962 		err = -ENOENT;
3963 
3964 	if (!err)
3965 		err = rdev_del_key(rdev, dev, key.idx,
3966 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3967 				   mac_addr);
3968 
3969 #ifdef CONFIG_CFG80211_WEXT
3970 	if (!err) {
3971 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3972 			dev->ieee80211_ptr->wext.default_key = -1;
3973 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3974 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3975 	}
3976 #endif
3977 	wdev_unlock(dev->ieee80211_ptr);
3978 
3979 	return err;
3980 }
3981 
3982 /* This function returns an error or the number of nested attributes */
3983 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3984 {
3985 	struct nlattr *attr;
3986 	int n_entries = 0, tmp;
3987 
3988 	nla_for_each_nested(attr, nl_attr, tmp) {
3989 		if (nla_len(attr) != ETH_ALEN)
3990 			return -EINVAL;
3991 
3992 		n_entries++;
3993 	}
3994 
3995 	return n_entries;
3996 }
3997 
3998 /*
3999  * This function parses ACL information and allocates memory for ACL data.
4000  * On successful return, the calling function is responsible to free the
4001  * ACL buffer returned by this function.
4002  */
4003 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4004 						struct genl_info *info)
4005 {
4006 	enum nl80211_acl_policy acl_policy;
4007 	struct nlattr *attr;
4008 	struct cfg80211_acl_data *acl;
4009 	int i = 0, n_entries, tmp;
4010 
4011 	if (!wiphy->max_acl_mac_addrs)
4012 		return ERR_PTR(-EOPNOTSUPP);
4013 
4014 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4015 		return ERR_PTR(-EINVAL);
4016 
4017 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4018 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4019 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4020 		return ERR_PTR(-EINVAL);
4021 
4022 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4023 		return ERR_PTR(-EINVAL);
4024 
4025 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4026 	if (n_entries < 0)
4027 		return ERR_PTR(n_entries);
4028 
4029 	if (n_entries > wiphy->max_acl_mac_addrs)
4030 		return ERR_PTR(-ENOTSUPP);
4031 
4032 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4033 	if (!acl)
4034 		return ERR_PTR(-ENOMEM);
4035 
4036 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4037 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4038 		i++;
4039 	}
4040 
4041 	acl->n_acl_entries = n_entries;
4042 	acl->acl_policy = acl_policy;
4043 
4044 	return acl;
4045 }
4046 
4047 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4048 {
4049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4050 	struct net_device *dev = info->user_ptr[1];
4051 	struct cfg80211_acl_data *acl;
4052 	int err;
4053 
4054 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4055 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4056 		return -EOPNOTSUPP;
4057 
4058 	if (!dev->ieee80211_ptr->beacon_interval)
4059 		return -EINVAL;
4060 
4061 	acl = parse_acl_data(&rdev->wiphy, info);
4062 	if (IS_ERR(acl))
4063 		return PTR_ERR(acl);
4064 
4065 	err = rdev_set_mac_acl(rdev, dev, acl);
4066 
4067 	kfree(acl);
4068 
4069 	return err;
4070 }
4071 
4072 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4073 			   u8 *rates, u8 rates_len)
4074 {
4075 	u8 i;
4076 	u32 mask = 0;
4077 
4078 	for (i = 0; i < rates_len; i++) {
4079 		int rate = (rates[i] & 0x7f) * 5;
4080 		int ridx;
4081 
4082 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4083 			struct ieee80211_rate *srate =
4084 				&sband->bitrates[ridx];
4085 			if (rate == srate->bitrate) {
4086 				mask |= 1 << ridx;
4087 				break;
4088 			}
4089 		}
4090 		if (ridx == sband->n_bitrates)
4091 			return 0; /* rate not found */
4092 	}
4093 
4094 	return mask;
4095 }
4096 
4097 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4098 			       u8 *rates, u8 rates_len,
4099 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4100 {
4101 	u8 i;
4102 
4103 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4104 
4105 	for (i = 0; i < rates_len; i++) {
4106 		int ridx, rbit;
4107 
4108 		ridx = rates[i] / 8;
4109 		rbit = BIT(rates[i] % 8);
4110 
4111 		/* check validity */
4112 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4113 			return false;
4114 
4115 		/* check availability */
4116 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4117 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4118 			mcs[ridx] |= rbit;
4119 		else
4120 			return false;
4121 	}
4122 
4123 	return true;
4124 }
4125 
4126 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4127 {
4128 	u16 mcs_mask = 0;
4129 
4130 	switch (vht_mcs_map) {
4131 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4132 		break;
4133 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4134 		mcs_mask = 0x00FF;
4135 		break;
4136 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4137 		mcs_mask = 0x01FF;
4138 		break;
4139 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4140 		mcs_mask = 0x03FF;
4141 		break;
4142 	default:
4143 		break;
4144 	}
4145 
4146 	return mcs_mask;
4147 }
4148 
4149 static void vht_build_mcs_mask(u16 vht_mcs_map,
4150 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4151 {
4152 	u8 nss;
4153 
4154 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4155 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4156 		vht_mcs_map >>= 2;
4157 	}
4158 }
4159 
4160 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4161 			     struct nl80211_txrate_vht *txrate,
4162 			     u16 mcs[NL80211_VHT_NSS_MAX])
4163 {
4164 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4165 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4166 	u8 i;
4167 
4168 	if (!sband->vht_cap.vht_supported)
4169 		return false;
4170 
4171 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4172 
4173 	/* Build vht_mcs_mask from VHT capabilities */
4174 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4175 
4176 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4177 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4178 			mcs[i] = txrate->mcs[i];
4179 		else
4180 			return false;
4181 	}
4182 
4183 	return true;
4184 }
4185 
4186 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4187 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4188 				    .len = NL80211_MAX_SUPP_RATES },
4189 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4190 				.len = NL80211_MAX_SUPP_HT_RATES },
4191 	[NL80211_TXRATE_VHT] = {
4192 		.type = NLA_EXACT_LEN_WARN,
4193 		.len = sizeof(struct nl80211_txrate_vht),
4194 	},
4195 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
4196 };
4197 
4198 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4199 					 struct cfg80211_bitrate_mask *mask)
4200 {
4201 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4202 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4203 	int rem, i;
4204 	struct nlattr *tx_rates;
4205 	struct ieee80211_supported_band *sband;
4206 	u16 vht_tx_mcs_map;
4207 
4208 	memset(mask, 0, sizeof(*mask));
4209 	/* Default to all rates enabled */
4210 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4211 		sband = rdev->wiphy.bands[i];
4212 
4213 		if (!sband)
4214 			continue;
4215 
4216 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4217 		memcpy(mask->control[i].ht_mcs,
4218 		       sband->ht_cap.mcs.rx_mask,
4219 		       sizeof(mask->control[i].ht_mcs));
4220 
4221 		if (!sband->vht_cap.vht_supported)
4222 			continue;
4223 
4224 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4225 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4226 	}
4227 
4228 	/* if no rates are given set it back to the defaults */
4229 	if (!info->attrs[NL80211_ATTR_TX_RATES])
4230 		goto out;
4231 
4232 	/* The nested attribute uses enum nl80211_band as the index. This maps
4233 	 * directly to the enum nl80211_band values used in cfg80211.
4234 	 */
4235 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4236 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4237 		enum nl80211_band band = nla_type(tx_rates);
4238 		int err;
4239 
4240 		if (band < 0 || band >= NUM_NL80211_BANDS)
4241 			return -EINVAL;
4242 		sband = rdev->wiphy.bands[band];
4243 		if (sband == NULL)
4244 			return -EINVAL;
4245 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4246 						  tx_rates,
4247 						  nl80211_txattr_policy,
4248 						  info->extack);
4249 		if (err)
4250 			return err;
4251 		if (tb[NL80211_TXRATE_LEGACY]) {
4252 			mask->control[band].legacy = rateset_to_mask(
4253 				sband,
4254 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4255 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4256 			if ((mask->control[band].legacy == 0) &&
4257 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4258 				return -EINVAL;
4259 		}
4260 		if (tb[NL80211_TXRATE_HT]) {
4261 			if (!ht_rateset_to_mask(
4262 					sband,
4263 					nla_data(tb[NL80211_TXRATE_HT]),
4264 					nla_len(tb[NL80211_TXRATE_HT]),
4265 					mask->control[band].ht_mcs))
4266 				return -EINVAL;
4267 		}
4268 		if (tb[NL80211_TXRATE_VHT]) {
4269 			if (!vht_set_mcs_mask(
4270 					sband,
4271 					nla_data(tb[NL80211_TXRATE_VHT]),
4272 					mask->control[band].vht_mcs))
4273 				return -EINVAL;
4274 		}
4275 		if (tb[NL80211_TXRATE_GI]) {
4276 			mask->control[band].gi =
4277 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4278 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4279 				return -EINVAL;
4280 		}
4281 
4282 		if (mask->control[band].legacy == 0) {
4283 			/* don't allow empty legacy rates if HT or VHT
4284 			 * are not even supported.
4285 			 */
4286 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4287 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
4288 				return -EINVAL;
4289 
4290 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4291 				if (mask->control[band].ht_mcs[i])
4292 					goto out;
4293 
4294 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4295 				if (mask->control[band].vht_mcs[i])
4296 					goto out;
4297 
4298 			/* legacy and mcs rates may not be both empty */
4299 			return -EINVAL;
4300 		}
4301 	}
4302 
4303 out:
4304 	return 0;
4305 }
4306 
4307 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4308 				   enum nl80211_band band,
4309 				   struct cfg80211_bitrate_mask *beacon_rate)
4310 {
4311 	u32 count_ht, count_vht, i;
4312 	u32 rate = beacon_rate->control[band].legacy;
4313 
4314 	/* Allow only one rate */
4315 	if (hweight32(rate) > 1)
4316 		return -EINVAL;
4317 
4318 	count_ht = 0;
4319 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4320 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4321 			return -EINVAL;
4322 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4323 			count_ht++;
4324 			if (count_ht > 1)
4325 				return -EINVAL;
4326 		}
4327 		if (count_ht && rate)
4328 			return -EINVAL;
4329 	}
4330 
4331 	count_vht = 0;
4332 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4333 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4334 			return -EINVAL;
4335 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4336 			count_vht++;
4337 			if (count_vht > 1)
4338 				return -EINVAL;
4339 		}
4340 		if (count_vht && rate)
4341 			return -EINVAL;
4342 	}
4343 
4344 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4345 		return -EINVAL;
4346 
4347 	if (rate &&
4348 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4349 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4350 		return -EINVAL;
4351 	if (count_ht &&
4352 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4353 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4354 		return -EINVAL;
4355 	if (count_vht &&
4356 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4357 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4358 		return -EINVAL;
4359 
4360 	return 0;
4361 }
4362 
4363 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4364 				struct nlattr *attrs[],
4365 				struct cfg80211_beacon_data *bcn)
4366 {
4367 	bool haveinfo = false;
4368 	int err;
4369 
4370 	memset(bcn, 0, sizeof(*bcn));
4371 
4372 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4373 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4374 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4375 		if (!bcn->head_len)
4376 			return -EINVAL;
4377 		haveinfo = true;
4378 	}
4379 
4380 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4381 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4382 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4383 		haveinfo = true;
4384 	}
4385 
4386 	if (!haveinfo)
4387 		return -EINVAL;
4388 
4389 	if (attrs[NL80211_ATTR_IE]) {
4390 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4391 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4392 	}
4393 
4394 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4395 		bcn->proberesp_ies =
4396 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4397 		bcn->proberesp_ies_len =
4398 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4399 	}
4400 
4401 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4402 		bcn->assocresp_ies =
4403 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4404 		bcn->assocresp_ies_len =
4405 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4406 	}
4407 
4408 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4409 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4410 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4411 	}
4412 
4413 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4414 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4415 
4416 		err = nla_parse_nested_deprecated(tb,
4417 						  NL80211_FTM_RESP_ATTR_MAX,
4418 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4419 						  NULL, NULL);
4420 		if (err)
4421 			return err;
4422 
4423 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4424 		    wiphy_ext_feature_isset(&rdev->wiphy,
4425 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4426 			bcn->ftm_responder = 1;
4427 		else
4428 			return -EOPNOTSUPP;
4429 
4430 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4431 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4432 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4433 		}
4434 
4435 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4436 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4437 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4438 		}
4439 	} else {
4440 		bcn->ftm_responder = -1;
4441 	}
4442 
4443 	return 0;
4444 }
4445 
4446 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4447 				    struct ieee80211_he_obss_pd *he_obss_pd)
4448 {
4449 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4450 	int err;
4451 
4452 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4453 			       he_obss_pd_policy, NULL);
4454 	if (err)
4455 		return err;
4456 
4457 	if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] ||
4458 	    !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4459 		return -EINVAL;
4460 
4461 	he_obss_pd->min_offset =
4462 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4463 	he_obss_pd->max_offset =
4464 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4465 
4466 	if (he_obss_pd->min_offset >= he_obss_pd->max_offset)
4467 		return -EINVAL;
4468 
4469 	he_obss_pd->enable = true;
4470 
4471 	return 0;
4472 }
4473 
4474 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4475 					    const u8 *rates)
4476 {
4477 	int i;
4478 
4479 	if (!rates)
4480 		return;
4481 
4482 	for (i = 0; i < rates[1]; i++) {
4483 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4484 			params->ht_required = true;
4485 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4486 			params->vht_required = true;
4487 	}
4488 }
4489 
4490 /*
4491  * Since the nl80211 API didn't include, from the beginning, attributes about
4492  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4493  * benefit of drivers that rebuild IEs in the firmware.
4494  */
4495 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4496 {
4497 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4498 	size_t ies_len = bcn->tail_len;
4499 	const u8 *ies = bcn->tail;
4500 	const u8 *rates;
4501 	const u8 *cap;
4502 
4503 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4504 	nl80211_check_ap_rate_selectors(params, rates);
4505 
4506 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4507 	nl80211_check_ap_rate_selectors(params, rates);
4508 
4509 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4510 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4511 		params->ht_cap = (void *)(cap + 2);
4512 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4513 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4514 		params->vht_cap = (void *)(cap + 2);
4515 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4516 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4517 		params->he_cap = (void *)(cap + 3);
4518 }
4519 
4520 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4521 				   struct cfg80211_ap_settings *params)
4522 {
4523 	struct wireless_dev *wdev;
4524 	bool ret = false;
4525 
4526 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4527 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4528 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4529 			continue;
4530 
4531 		if (!wdev->preset_chandef.chan)
4532 			continue;
4533 
4534 		params->chandef = wdev->preset_chandef;
4535 		ret = true;
4536 		break;
4537 	}
4538 
4539 	return ret;
4540 }
4541 
4542 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4543 				    enum nl80211_auth_type auth_type,
4544 				    enum nl80211_commands cmd)
4545 {
4546 	if (auth_type > NL80211_AUTHTYPE_MAX)
4547 		return false;
4548 
4549 	switch (cmd) {
4550 	case NL80211_CMD_AUTHENTICATE:
4551 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4552 		    auth_type == NL80211_AUTHTYPE_SAE)
4553 			return false;
4554 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4555 					     NL80211_EXT_FEATURE_FILS_STA) &&
4556 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4557 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4558 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4559 			return false;
4560 		return true;
4561 	case NL80211_CMD_CONNECT:
4562 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4563 		    !wiphy_ext_feature_isset(&rdev->wiphy,
4564 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
4565 		    auth_type == NL80211_AUTHTYPE_SAE)
4566 			return false;
4567 
4568 		/* FILS with SK PFS or PK not supported yet */
4569 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4570 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4571 			return false;
4572 		if (!wiphy_ext_feature_isset(
4573 			    &rdev->wiphy,
4574 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4575 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4576 			return false;
4577 		return true;
4578 	case NL80211_CMD_START_AP:
4579 		/* SAE not supported yet */
4580 		if (auth_type == NL80211_AUTHTYPE_SAE)
4581 			return false;
4582 		/* FILS not supported yet */
4583 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4584 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4585 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4586 			return false;
4587 		return true;
4588 	default:
4589 		return false;
4590 	}
4591 }
4592 
4593 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4594 {
4595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4596 	struct net_device *dev = info->user_ptr[1];
4597 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4598 	struct cfg80211_ap_settings params;
4599 	int err;
4600 
4601 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4602 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4603 		return -EOPNOTSUPP;
4604 
4605 	if (!rdev->ops->start_ap)
4606 		return -EOPNOTSUPP;
4607 
4608 	if (wdev->beacon_interval)
4609 		return -EALREADY;
4610 
4611 	memset(&params, 0, sizeof(params));
4612 
4613 	/* these are required for START_AP */
4614 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4615 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4616 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4617 		return -EINVAL;
4618 
4619 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4620 	if (err)
4621 		return err;
4622 
4623 	params.beacon_interval =
4624 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4625 	params.dtim_period =
4626 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4627 
4628 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4629 					   params.beacon_interval);
4630 	if (err)
4631 		return err;
4632 
4633 	/*
4634 	 * In theory, some of these attributes should be required here
4635 	 * but since they were not used when the command was originally
4636 	 * added, keep them optional for old user space programs to let
4637 	 * them continue to work with drivers that do not need the
4638 	 * additional information -- drivers must check!
4639 	 */
4640 	if (info->attrs[NL80211_ATTR_SSID]) {
4641 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4642 		params.ssid_len =
4643 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4644 		if (params.ssid_len == 0 ||
4645 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4646 			return -EINVAL;
4647 	}
4648 
4649 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4650 		params.hidden_ssid = nla_get_u32(
4651 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4652 
4653 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4654 
4655 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4656 		params.auth_type = nla_get_u32(
4657 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4658 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4659 					     NL80211_CMD_START_AP))
4660 			return -EINVAL;
4661 	} else
4662 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4663 
4664 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4665 				      NL80211_MAX_NR_CIPHER_SUITES);
4666 	if (err)
4667 		return err;
4668 
4669 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4670 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4671 			return -EOPNOTSUPP;
4672 		params.inactivity_timeout = nla_get_u16(
4673 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4674 	}
4675 
4676 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4677 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4678 			return -EINVAL;
4679 		params.p2p_ctwindow =
4680 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4681 		if (params.p2p_ctwindow != 0 &&
4682 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4683 			return -EINVAL;
4684 	}
4685 
4686 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4687 		u8 tmp;
4688 
4689 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4690 			return -EINVAL;
4691 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4692 		params.p2p_opp_ps = tmp;
4693 		if (params.p2p_opp_ps != 0 &&
4694 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4695 			return -EINVAL;
4696 	}
4697 
4698 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4699 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4700 		if (err)
4701 			return err;
4702 	} else if (wdev->preset_chandef.chan) {
4703 		params.chandef = wdev->preset_chandef;
4704 	} else if (!nl80211_get_ap_channel(rdev, &params))
4705 		return -EINVAL;
4706 
4707 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4708 					   wdev->iftype))
4709 		return -EINVAL;
4710 
4711 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4712 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4713 		if (err)
4714 			return err;
4715 
4716 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4717 					      &params.beacon_rate);
4718 		if (err)
4719 			return err;
4720 	}
4721 
4722 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4723 		params.smps_mode =
4724 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4725 		switch (params.smps_mode) {
4726 		case NL80211_SMPS_OFF:
4727 			break;
4728 		case NL80211_SMPS_STATIC:
4729 			if (!(rdev->wiphy.features &
4730 			      NL80211_FEATURE_STATIC_SMPS))
4731 				return -EINVAL;
4732 			break;
4733 		case NL80211_SMPS_DYNAMIC:
4734 			if (!(rdev->wiphy.features &
4735 			      NL80211_FEATURE_DYNAMIC_SMPS))
4736 				return -EINVAL;
4737 			break;
4738 		default:
4739 			return -EINVAL;
4740 		}
4741 	} else {
4742 		params.smps_mode = NL80211_SMPS_OFF;
4743 	}
4744 
4745 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4746 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4747 		return -EOPNOTSUPP;
4748 
4749 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4750 		params.acl = parse_acl_data(&rdev->wiphy, info);
4751 		if (IS_ERR(params.acl))
4752 			return PTR_ERR(params.acl);
4753 	}
4754 
4755 	params.twt_responder =
4756 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
4757 
4758 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
4759 		err = nl80211_parse_he_obss_pd(
4760 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
4761 					&params.he_obss_pd);
4762 		if (err)
4763 			return err;
4764 	}
4765 
4766 	nl80211_calculate_ap_params(&params);
4767 
4768 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
4769 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
4770 
4771 	wdev_lock(wdev);
4772 	err = rdev_start_ap(rdev, dev, &params);
4773 	if (!err) {
4774 		wdev->preset_chandef = params.chandef;
4775 		wdev->beacon_interval = params.beacon_interval;
4776 		wdev->chandef = params.chandef;
4777 		wdev->ssid_len = params.ssid_len;
4778 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4779 
4780 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4781 			wdev->conn_owner_nlportid = info->snd_portid;
4782 	}
4783 	wdev_unlock(wdev);
4784 
4785 	kfree(params.acl);
4786 
4787 	return err;
4788 }
4789 
4790 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4791 {
4792 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4793 	struct net_device *dev = info->user_ptr[1];
4794 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4795 	struct cfg80211_beacon_data params;
4796 	int err;
4797 
4798 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4799 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4800 		return -EOPNOTSUPP;
4801 
4802 	if (!rdev->ops->change_beacon)
4803 		return -EOPNOTSUPP;
4804 
4805 	if (!wdev->beacon_interval)
4806 		return -EINVAL;
4807 
4808 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
4809 	if (err)
4810 		return err;
4811 
4812 	wdev_lock(wdev);
4813 	err = rdev_change_beacon(rdev, dev, &params);
4814 	wdev_unlock(wdev);
4815 
4816 	return err;
4817 }
4818 
4819 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4820 {
4821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4822 	struct net_device *dev = info->user_ptr[1];
4823 
4824 	return cfg80211_stop_ap(rdev, dev, false);
4825 }
4826 
4827 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4828 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4829 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4830 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4831 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4832 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4833 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4834 };
4835 
4836 static int parse_station_flags(struct genl_info *info,
4837 			       enum nl80211_iftype iftype,
4838 			       struct station_parameters *params)
4839 {
4840 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4841 	struct nlattr *nla;
4842 	int flag;
4843 
4844 	/*
4845 	 * Try parsing the new attribute first so userspace
4846 	 * can specify both for older kernels.
4847 	 */
4848 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4849 	if (nla) {
4850 		struct nl80211_sta_flag_update *sta_flags;
4851 
4852 		sta_flags = nla_data(nla);
4853 		params->sta_flags_mask = sta_flags->mask;
4854 		params->sta_flags_set = sta_flags->set;
4855 		params->sta_flags_set &= params->sta_flags_mask;
4856 		if ((params->sta_flags_mask |
4857 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4858 			return -EINVAL;
4859 		return 0;
4860 	}
4861 
4862 	/* if present, parse the old attribute */
4863 
4864 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4865 	if (!nla)
4866 		return 0;
4867 
4868 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
4869 		return -EINVAL;
4870 
4871 	/*
4872 	 * Only allow certain flags for interface types so that
4873 	 * other attributes are silently ignored. Remember that
4874 	 * this is backward compatibility code with old userspace
4875 	 * and shouldn't be hit in other cases anyway.
4876 	 */
4877 	switch (iftype) {
4878 	case NL80211_IFTYPE_AP:
4879 	case NL80211_IFTYPE_AP_VLAN:
4880 	case NL80211_IFTYPE_P2P_GO:
4881 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4882 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4883 					 BIT(NL80211_STA_FLAG_WME) |
4884 					 BIT(NL80211_STA_FLAG_MFP);
4885 		break;
4886 	case NL80211_IFTYPE_P2P_CLIENT:
4887 	case NL80211_IFTYPE_STATION:
4888 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4889 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
4890 		break;
4891 	case NL80211_IFTYPE_MESH_POINT:
4892 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4893 					 BIT(NL80211_STA_FLAG_MFP) |
4894 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
4895 		break;
4896 	default:
4897 		return -EINVAL;
4898 	}
4899 
4900 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4901 		if (flags[flag]) {
4902 			params->sta_flags_set |= (1<<flag);
4903 
4904 			/* no longer support new API additions in old API */
4905 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4906 				return -EINVAL;
4907 		}
4908 	}
4909 
4910 	return 0;
4911 }
4912 
4913 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
4914 {
4915 	struct nlattr *rate;
4916 	u32 bitrate;
4917 	u16 bitrate_compat;
4918 	enum nl80211_rate_info rate_flg;
4919 
4920 	rate = nla_nest_start_noflag(msg, attr);
4921 	if (!rate)
4922 		return false;
4923 
4924 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4925 	bitrate = cfg80211_calculate_bitrate(info);
4926 	/* report 16-bit bitrate only if we can */
4927 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4928 	if (bitrate > 0 &&
4929 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4930 		return false;
4931 	if (bitrate_compat > 0 &&
4932 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4933 		return false;
4934 
4935 	switch (info->bw) {
4936 	case RATE_INFO_BW_5:
4937 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4938 		break;
4939 	case RATE_INFO_BW_10:
4940 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4941 		break;
4942 	default:
4943 		WARN_ON(1);
4944 		/* fall through */
4945 	case RATE_INFO_BW_20:
4946 		rate_flg = 0;
4947 		break;
4948 	case RATE_INFO_BW_40:
4949 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4950 		break;
4951 	case RATE_INFO_BW_80:
4952 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4953 		break;
4954 	case RATE_INFO_BW_160:
4955 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4956 		break;
4957 	case RATE_INFO_BW_HE_RU:
4958 		rate_flg = 0;
4959 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4960 	}
4961 
4962 	if (rate_flg && nla_put_flag(msg, rate_flg))
4963 		return false;
4964 
4965 	if (info->flags & RATE_INFO_FLAGS_MCS) {
4966 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4967 			return false;
4968 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4969 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4970 			return false;
4971 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4972 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4973 			return false;
4974 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4975 			return false;
4976 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4977 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4978 			return false;
4979 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4980 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4981 			return false;
4982 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4983 			return false;
4984 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4985 			return false;
4986 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4987 			return false;
4988 		if (info->bw == RATE_INFO_BW_HE_RU &&
4989 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4990 			       info->he_ru_alloc))
4991 			return false;
4992 	}
4993 
4994 	nla_nest_end(msg, rate);
4995 	return true;
4996 }
4997 
4998 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4999 			       int id)
5000 {
5001 	void *attr;
5002 	int i = 0;
5003 
5004 	if (!mask)
5005 		return true;
5006 
5007 	attr = nla_nest_start_noflag(msg, id);
5008 	if (!attr)
5009 		return false;
5010 
5011 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5012 		if (!(mask & BIT(i)))
5013 			continue;
5014 
5015 		if (nla_put_u8(msg, i, signal[i]))
5016 			return false;
5017 	}
5018 
5019 	nla_nest_end(msg, attr);
5020 
5021 	return true;
5022 }
5023 
5024 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5025 				u32 seq, int flags,
5026 				struct cfg80211_registered_device *rdev,
5027 				struct net_device *dev,
5028 				const u8 *mac_addr, struct station_info *sinfo)
5029 {
5030 	void *hdr;
5031 	struct nlattr *sinfoattr, *bss_param;
5032 
5033 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5034 	if (!hdr) {
5035 		cfg80211_sinfo_release_content(sinfo);
5036 		return -1;
5037 	}
5038 
5039 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5040 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5041 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5042 		goto nla_put_failure;
5043 
5044 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5045 	if (!sinfoattr)
5046 		goto nla_put_failure;
5047 
5048 #define PUT_SINFO(attr, memb, type) do {				\
5049 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5050 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5051 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5052 			     sinfo->memb))				\
5053 		goto nla_put_failure;					\
5054 	} while (0)
5055 #define PUT_SINFO_U64(attr, memb) do {					\
5056 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5057 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5058 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5059 		goto nla_put_failure;					\
5060 	} while (0)
5061 
5062 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5063 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5064 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5065 
5066 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5067 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5068 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5069 			(u32)sinfo->rx_bytes))
5070 		goto nla_put_failure;
5071 
5072 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5073 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5074 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5075 			(u32)sinfo->tx_bytes))
5076 		goto nla_put_failure;
5077 
5078 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5079 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5080 	PUT_SINFO(LLID, llid, u16);
5081 	PUT_SINFO(PLID, plid, u16);
5082 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5083 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5084 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5085 
5086 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5087 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5088 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5089 
5090 	switch (rdev->wiphy.signal_type) {
5091 	case CFG80211_SIGNAL_TYPE_MBM:
5092 		PUT_SINFO(SIGNAL, signal, u8);
5093 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5094 		break;
5095 	default:
5096 		break;
5097 	}
5098 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5099 		if (!nl80211_put_signal(msg, sinfo->chains,
5100 					sinfo->chain_signal,
5101 					NL80211_STA_INFO_CHAIN_SIGNAL))
5102 			goto nla_put_failure;
5103 	}
5104 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5105 		if (!nl80211_put_signal(msg, sinfo->chains,
5106 					sinfo->chain_signal_avg,
5107 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5108 			goto nla_put_failure;
5109 	}
5110 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5111 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5112 					  NL80211_STA_INFO_TX_BITRATE))
5113 			goto nla_put_failure;
5114 	}
5115 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5116 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5117 					  NL80211_STA_INFO_RX_BITRATE))
5118 			goto nla_put_failure;
5119 	}
5120 
5121 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5122 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5123 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5124 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5125 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5126 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5127 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5128 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5129 	PUT_SINFO(PEER_PM, peer_pm, u32);
5130 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5131 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5132 
5133 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5134 		bss_param = nla_nest_start_noflag(msg,
5135 						  NL80211_STA_INFO_BSS_PARAM);
5136 		if (!bss_param)
5137 			goto nla_put_failure;
5138 
5139 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5140 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5141 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5142 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5143 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5144 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5145 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5146 			       sinfo->bss_param.dtim_period) ||
5147 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5148 				sinfo->bss_param.beacon_interval))
5149 			goto nla_put_failure;
5150 
5151 		nla_nest_end(msg, bss_param);
5152 	}
5153 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5154 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5155 		    sizeof(struct nl80211_sta_flag_update),
5156 		    &sinfo->sta_flags))
5157 		goto nla_put_failure;
5158 
5159 	PUT_SINFO_U64(T_OFFSET, t_offset);
5160 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5161 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5162 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5163 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5164 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5165 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5166 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5167 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5168 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5169 	}
5170 
5171 #undef PUT_SINFO
5172 #undef PUT_SINFO_U64
5173 
5174 	if (sinfo->pertid) {
5175 		struct nlattr *tidsattr;
5176 		int tid;
5177 
5178 		tidsattr = nla_nest_start_noflag(msg,
5179 						 NL80211_STA_INFO_TID_STATS);
5180 		if (!tidsattr)
5181 			goto nla_put_failure;
5182 
5183 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5184 			struct cfg80211_tid_stats *tidstats;
5185 			struct nlattr *tidattr;
5186 
5187 			tidstats = &sinfo->pertid[tid];
5188 
5189 			if (!tidstats->filled)
5190 				continue;
5191 
5192 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5193 			if (!tidattr)
5194 				goto nla_put_failure;
5195 
5196 #define PUT_TIDVAL_U64(attr, memb) do {					\
5197 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5198 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5199 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5200 		goto nla_put_failure;					\
5201 	} while (0)
5202 
5203 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5204 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5205 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5206 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5207 
5208 #undef PUT_TIDVAL_U64
5209 			if ((tidstats->filled &
5210 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5211 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5212 						   NL80211_TID_STATS_TXQ_STATS))
5213 				goto nla_put_failure;
5214 
5215 			nla_nest_end(msg, tidattr);
5216 		}
5217 
5218 		nla_nest_end(msg, tidsattr);
5219 	}
5220 
5221 	nla_nest_end(msg, sinfoattr);
5222 
5223 	if (sinfo->assoc_req_ies_len &&
5224 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5225 		    sinfo->assoc_req_ies))
5226 		goto nla_put_failure;
5227 
5228 	cfg80211_sinfo_release_content(sinfo);
5229 	genlmsg_end(msg, hdr);
5230 	return 0;
5231 
5232  nla_put_failure:
5233 	cfg80211_sinfo_release_content(sinfo);
5234 	genlmsg_cancel(msg, hdr);
5235 	return -EMSGSIZE;
5236 }
5237 
5238 static int nl80211_dump_station(struct sk_buff *skb,
5239 				struct netlink_callback *cb)
5240 {
5241 	struct station_info sinfo;
5242 	struct cfg80211_registered_device *rdev;
5243 	struct wireless_dev *wdev;
5244 	u8 mac_addr[ETH_ALEN];
5245 	int sta_idx = cb->args[2];
5246 	int err;
5247 
5248 	rtnl_lock();
5249 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5250 	if (err)
5251 		goto out_err;
5252 
5253 	if (!wdev->netdev) {
5254 		err = -EINVAL;
5255 		goto out_err;
5256 	}
5257 
5258 	if (!rdev->ops->dump_station) {
5259 		err = -EOPNOTSUPP;
5260 		goto out_err;
5261 	}
5262 
5263 	while (1) {
5264 		memset(&sinfo, 0, sizeof(sinfo));
5265 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5266 					mac_addr, &sinfo);
5267 		if (err == -ENOENT)
5268 			break;
5269 		if (err)
5270 			goto out_err;
5271 
5272 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5273 				NETLINK_CB(cb->skb).portid,
5274 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5275 				rdev, wdev->netdev, mac_addr,
5276 				&sinfo) < 0)
5277 			goto out;
5278 
5279 		sta_idx++;
5280 	}
5281 
5282  out:
5283 	cb->args[2] = sta_idx;
5284 	err = skb->len;
5285  out_err:
5286 	rtnl_unlock();
5287 
5288 	return err;
5289 }
5290 
5291 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5292 {
5293 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5294 	struct net_device *dev = info->user_ptr[1];
5295 	struct station_info sinfo;
5296 	struct sk_buff *msg;
5297 	u8 *mac_addr = NULL;
5298 	int err;
5299 
5300 	memset(&sinfo, 0, sizeof(sinfo));
5301 
5302 	if (!info->attrs[NL80211_ATTR_MAC])
5303 		return -EINVAL;
5304 
5305 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5306 
5307 	if (!rdev->ops->get_station)
5308 		return -EOPNOTSUPP;
5309 
5310 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5311 	if (err)
5312 		return err;
5313 
5314 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5315 	if (!msg) {
5316 		cfg80211_sinfo_release_content(&sinfo);
5317 		return -ENOMEM;
5318 	}
5319 
5320 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5321 				 info->snd_portid, info->snd_seq, 0,
5322 				 rdev, dev, mac_addr, &sinfo) < 0) {
5323 		nlmsg_free(msg);
5324 		return -ENOBUFS;
5325 	}
5326 
5327 	return genlmsg_reply(msg, info);
5328 }
5329 
5330 int cfg80211_check_station_change(struct wiphy *wiphy,
5331 				  struct station_parameters *params,
5332 				  enum cfg80211_station_type statype)
5333 {
5334 	if (params->listen_interval != -1 &&
5335 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5336 		return -EINVAL;
5337 
5338 	if (params->support_p2p_ps != -1 &&
5339 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5340 		return -EINVAL;
5341 
5342 	if (params->aid &&
5343 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5344 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5345 		return -EINVAL;
5346 
5347 	/* When you run into this, adjust the code below for the new flag */
5348 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5349 
5350 	switch (statype) {
5351 	case CFG80211_STA_MESH_PEER_KERNEL:
5352 	case CFG80211_STA_MESH_PEER_USER:
5353 		/*
5354 		 * No ignoring the TDLS flag here -- the userspace mesh
5355 		 * code doesn't have the bug of including TDLS in the
5356 		 * mask everywhere.
5357 		 */
5358 		if (params->sta_flags_mask &
5359 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5360 				  BIT(NL80211_STA_FLAG_MFP) |
5361 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5362 			return -EINVAL;
5363 		break;
5364 	case CFG80211_STA_TDLS_PEER_SETUP:
5365 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5366 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5367 			return -EINVAL;
5368 		/* ignore since it can't change */
5369 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5370 		break;
5371 	default:
5372 		/* disallow mesh-specific things */
5373 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5374 			return -EINVAL;
5375 		if (params->local_pm)
5376 			return -EINVAL;
5377 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5378 			return -EINVAL;
5379 	}
5380 
5381 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5382 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5383 		/* TDLS can't be set, ... */
5384 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5385 			return -EINVAL;
5386 		/*
5387 		 * ... but don't bother the driver with it. This works around
5388 		 * a hostapd/wpa_supplicant issue -- it always includes the
5389 		 * TLDS_PEER flag in the mask even for AP mode.
5390 		 */
5391 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5392 	}
5393 
5394 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5395 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5396 		/* reject other things that can't change */
5397 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5398 			return -EINVAL;
5399 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5400 			return -EINVAL;
5401 		if (params->supported_rates)
5402 			return -EINVAL;
5403 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5404 		    params->he_capa)
5405 			return -EINVAL;
5406 	}
5407 
5408 	if (statype != CFG80211_STA_AP_CLIENT &&
5409 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5410 		if (params->vlan)
5411 			return -EINVAL;
5412 	}
5413 
5414 	switch (statype) {
5415 	case CFG80211_STA_AP_MLME_CLIENT:
5416 		/* Use this only for authorizing/unauthorizing a station */
5417 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5418 			return -EOPNOTSUPP;
5419 		break;
5420 	case CFG80211_STA_AP_CLIENT:
5421 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5422 		/* accept only the listed bits */
5423 		if (params->sta_flags_mask &
5424 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5425 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5426 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5427 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5428 				  BIT(NL80211_STA_FLAG_WME) |
5429 				  BIT(NL80211_STA_FLAG_MFP)))
5430 			return -EINVAL;
5431 
5432 		/* but authenticated/associated only if driver handles it */
5433 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5434 		    params->sta_flags_mask &
5435 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5436 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5437 			return -EINVAL;
5438 		break;
5439 	case CFG80211_STA_IBSS:
5440 	case CFG80211_STA_AP_STA:
5441 		/* reject any changes other than AUTHORIZED */
5442 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5443 			return -EINVAL;
5444 		break;
5445 	case CFG80211_STA_TDLS_PEER_SETUP:
5446 		/* reject any changes other than AUTHORIZED or WME */
5447 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5448 					       BIT(NL80211_STA_FLAG_WME)))
5449 			return -EINVAL;
5450 		/* force (at least) rates when authorizing */
5451 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5452 		    !params->supported_rates)
5453 			return -EINVAL;
5454 		break;
5455 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5456 		/* reject any changes */
5457 		return -EINVAL;
5458 	case CFG80211_STA_MESH_PEER_KERNEL:
5459 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5460 			return -EINVAL;
5461 		break;
5462 	case CFG80211_STA_MESH_PEER_USER:
5463 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5464 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5465 			return -EINVAL;
5466 		break;
5467 	}
5468 
5469 	/*
5470 	 * Older kernel versions ignored this attribute entirely, so don't
5471 	 * reject attempts to update it but mark it as unused instead so the
5472 	 * driver won't look at the data.
5473 	 */
5474 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5475 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5476 		params->opmode_notif_used = false;
5477 
5478 	return 0;
5479 }
5480 EXPORT_SYMBOL(cfg80211_check_station_change);
5481 
5482 /*
5483  * Get vlan interface making sure it is running and on the right wiphy.
5484  */
5485 static struct net_device *get_vlan(struct genl_info *info,
5486 				   struct cfg80211_registered_device *rdev)
5487 {
5488 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5489 	struct net_device *v;
5490 	int ret;
5491 
5492 	if (!vlanattr)
5493 		return NULL;
5494 
5495 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5496 	if (!v)
5497 		return ERR_PTR(-ENODEV);
5498 
5499 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5500 		ret = -EINVAL;
5501 		goto error;
5502 	}
5503 
5504 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5505 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5506 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5507 		ret = -EINVAL;
5508 		goto error;
5509 	}
5510 
5511 	if (!netif_running(v)) {
5512 		ret = -ENETDOWN;
5513 		goto error;
5514 	}
5515 
5516 	return v;
5517  error:
5518 	dev_put(v);
5519 	return ERR_PTR(ret);
5520 }
5521 
5522 static const struct nla_policy
5523 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5524 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5525 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5526 };
5527 
5528 static int nl80211_parse_sta_wme(struct genl_info *info,
5529 				 struct station_parameters *params)
5530 {
5531 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5532 	struct nlattr *nla;
5533 	int err;
5534 
5535 	/* parse WME attributes if present */
5536 	if (!info->attrs[NL80211_ATTR_STA_WME])
5537 		return 0;
5538 
5539 	nla = info->attrs[NL80211_ATTR_STA_WME];
5540 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5541 					  nl80211_sta_wme_policy,
5542 					  info->extack);
5543 	if (err)
5544 		return err;
5545 
5546 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5547 		params->uapsd_queues = nla_get_u8(
5548 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5549 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5550 		return -EINVAL;
5551 
5552 	if (tb[NL80211_STA_WME_MAX_SP])
5553 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5554 
5555 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5556 		return -EINVAL;
5557 
5558 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5559 
5560 	return 0;
5561 }
5562 
5563 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5564 				      struct station_parameters *params)
5565 {
5566 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5567 		params->supported_channels =
5568 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5569 		params->supported_channels_len =
5570 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5571 		/*
5572 		 * Need to include at least one (first channel, number of
5573 		 * channels) tuple for each subband, and must have proper
5574 		 * tuples for the rest of the data as well.
5575 		 */
5576 		if (params->supported_channels_len < 2)
5577 			return -EINVAL;
5578 		if (params->supported_channels_len % 2)
5579 			return -EINVAL;
5580 	}
5581 
5582 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5583 		params->supported_oper_classes =
5584 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5585 		params->supported_oper_classes_len =
5586 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5587 		/*
5588 		 * The value of the Length field of the Supported Operating
5589 		 * Classes element is between 2 and 253.
5590 		 */
5591 		if (params->supported_oper_classes_len < 2 ||
5592 		    params->supported_oper_classes_len > 253)
5593 			return -EINVAL;
5594 	}
5595 	return 0;
5596 }
5597 
5598 static int nl80211_set_station_tdls(struct genl_info *info,
5599 				    struct station_parameters *params)
5600 {
5601 	int err;
5602 	/* Dummy STA entry gets updated once the peer capabilities are known */
5603 	if (info->attrs[NL80211_ATTR_PEER_AID])
5604 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5605 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5606 		params->ht_capa =
5607 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5608 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5609 		params->vht_capa =
5610 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5611 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5612 		params->he_capa =
5613 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5614 		params->he_capa_len =
5615 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5616 
5617 		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5618 			return -EINVAL;
5619 	}
5620 
5621 	err = nl80211_parse_sta_channel_info(info, params);
5622 	if (err)
5623 		return err;
5624 
5625 	return nl80211_parse_sta_wme(info, params);
5626 }
5627 
5628 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
5629 					     struct station_parameters *params)
5630 {
5631 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5632 	int idx;
5633 
5634 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
5635 		if (!rdev->ops->set_tx_power ||
5636 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5637 					 NL80211_EXT_FEATURE_STA_TX_PWR))
5638 			return -EOPNOTSUPP;
5639 
5640 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
5641 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
5642 
5643 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
5644 			idx = NL80211_ATTR_STA_TX_POWER;
5645 
5646 			if (info->attrs[idx])
5647 				params->txpwr.power =
5648 					nla_get_s16(info->attrs[idx]);
5649 			else
5650 				return -EINVAL;
5651 		}
5652 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
5653 	}
5654 
5655 	return 0;
5656 }
5657 
5658 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5659 {
5660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5661 	struct net_device *dev = info->user_ptr[1];
5662 	struct station_parameters params;
5663 	u8 *mac_addr;
5664 	int err;
5665 
5666 	memset(&params, 0, sizeof(params));
5667 
5668 	if (!rdev->ops->change_station)
5669 		return -EOPNOTSUPP;
5670 
5671 	/*
5672 	 * AID and listen_interval properties can be set only for unassociated
5673 	 * station. Include these parameters here and will check them in
5674 	 * cfg80211_check_station_change().
5675 	 */
5676 	if (info->attrs[NL80211_ATTR_STA_AID])
5677 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5678 
5679 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5680 		params.listen_interval =
5681 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5682 	else
5683 		params.listen_interval = -1;
5684 
5685 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5686 		params.support_p2p_ps =
5687 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5688 	else
5689 		params.support_p2p_ps = -1;
5690 
5691 	if (!info->attrs[NL80211_ATTR_MAC])
5692 		return -EINVAL;
5693 
5694 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5695 
5696 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5697 		params.supported_rates =
5698 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5699 		params.supported_rates_len =
5700 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5701 	}
5702 
5703 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5704 		params.capability =
5705 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5706 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5707 	}
5708 
5709 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5710 		params.ext_capab =
5711 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5712 		params.ext_capab_len =
5713 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5714 	}
5715 
5716 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5717 		return -EINVAL;
5718 
5719 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5720 		params.plink_action =
5721 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5722 
5723 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5724 		params.plink_state =
5725 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5726 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5727 			params.peer_aid = nla_get_u16(
5728 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5729 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5730 	}
5731 
5732 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5733 		params.local_pm = nla_get_u32(
5734 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5735 
5736 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5737 		params.opmode_notif_used = true;
5738 		params.opmode_notif =
5739 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5740 	}
5741 
5742 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5743 		params.airtime_weight =
5744 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5745 
5746 	if (params.airtime_weight &&
5747 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5748 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5749 		return -EOPNOTSUPP;
5750 
5751 	err = nl80211_parse_sta_txpower_setting(info, &params);
5752 	if (err)
5753 		return err;
5754 
5755 	/* Include parameters for TDLS peer (will check later) */
5756 	err = nl80211_set_station_tdls(info, &params);
5757 	if (err)
5758 		return err;
5759 
5760 	params.vlan = get_vlan(info, rdev);
5761 	if (IS_ERR(params.vlan))
5762 		return PTR_ERR(params.vlan);
5763 
5764 	switch (dev->ieee80211_ptr->iftype) {
5765 	case NL80211_IFTYPE_AP:
5766 	case NL80211_IFTYPE_AP_VLAN:
5767 	case NL80211_IFTYPE_P2P_GO:
5768 	case NL80211_IFTYPE_P2P_CLIENT:
5769 	case NL80211_IFTYPE_STATION:
5770 	case NL80211_IFTYPE_ADHOC:
5771 	case NL80211_IFTYPE_MESH_POINT:
5772 		break;
5773 	default:
5774 		err = -EOPNOTSUPP;
5775 		goto out_put_vlan;
5776 	}
5777 
5778 	/* driver will call cfg80211_check_station_change() */
5779 	err = rdev_change_station(rdev, dev, mac_addr, &params);
5780 
5781  out_put_vlan:
5782 	if (params.vlan)
5783 		dev_put(params.vlan);
5784 
5785 	return err;
5786 }
5787 
5788 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5789 {
5790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5791 	int err;
5792 	struct net_device *dev = info->user_ptr[1];
5793 	struct station_parameters params;
5794 	u8 *mac_addr = NULL;
5795 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5796 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
5797 
5798 	memset(&params, 0, sizeof(params));
5799 
5800 	if (!rdev->ops->add_station)
5801 		return -EOPNOTSUPP;
5802 
5803 	if (!info->attrs[NL80211_ATTR_MAC])
5804 		return -EINVAL;
5805 
5806 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5807 		return -EINVAL;
5808 
5809 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5810 		return -EINVAL;
5811 
5812 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
5813 	    !info->attrs[NL80211_ATTR_PEER_AID])
5814 		return -EINVAL;
5815 
5816 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5817 	params.supported_rates =
5818 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5819 	params.supported_rates_len =
5820 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5821 	params.listen_interval =
5822 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5823 
5824 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5825 		params.support_p2p_ps =
5826 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5827 	} else {
5828 		/*
5829 		 * if not specified, assume it's supported for P2P GO interface,
5830 		 * and is NOT supported for AP interface
5831 		 */
5832 		params.support_p2p_ps =
5833 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5834 	}
5835 
5836 	if (info->attrs[NL80211_ATTR_PEER_AID])
5837 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5838 	else
5839 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5840 
5841 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5842 		params.capability =
5843 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5844 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5845 	}
5846 
5847 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5848 		params.ext_capab =
5849 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5850 		params.ext_capab_len =
5851 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5852 	}
5853 
5854 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5855 		params.ht_capa =
5856 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5857 
5858 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5859 		params.vht_capa =
5860 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5861 
5862 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5863 		params.he_capa =
5864 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5865 		params.he_capa_len =
5866 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5867 
5868 		/* max len is validated in nla policy */
5869 		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5870 			return -EINVAL;
5871 	}
5872 
5873 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5874 		params.opmode_notif_used = true;
5875 		params.opmode_notif =
5876 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5877 	}
5878 
5879 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5880 		params.plink_action =
5881 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5882 
5883 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5884 		params.airtime_weight =
5885 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5886 
5887 	if (params.airtime_weight &&
5888 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5889 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5890 		return -EOPNOTSUPP;
5891 
5892 	err = nl80211_parse_sta_txpower_setting(info, &params);
5893 	if (err)
5894 		return err;
5895 
5896 	err = nl80211_parse_sta_channel_info(info, &params);
5897 	if (err)
5898 		return err;
5899 
5900 	err = nl80211_parse_sta_wme(info, &params);
5901 	if (err)
5902 		return err;
5903 
5904 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5905 		return -EINVAL;
5906 
5907 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5908 	 * as userspace might just pass through the capabilities from the IEs
5909 	 * directly, rather than enforcing this restriction and returning an
5910 	 * error in this case.
5911 	 */
5912 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5913 		params.ht_capa = NULL;
5914 		params.vht_capa = NULL;
5915 
5916 		/* HE requires WME */
5917 		if (params.he_capa_len)
5918 			return -EINVAL;
5919 	}
5920 
5921 	/* When you run into this, adjust the code below for the new flag */
5922 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5923 
5924 	switch (dev->ieee80211_ptr->iftype) {
5925 	case NL80211_IFTYPE_AP:
5926 	case NL80211_IFTYPE_AP_VLAN:
5927 	case NL80211_IFTYPE_P2P_GO:
5928 		/* ignore WME attributes if iface/sta is not capable */
5929 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5930 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5931 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5932 
5933 		/* TDLS peers cannot be added */
5934 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5935 		    info->attrs[NL80211_ATTR_PEER_AID])
5936 			return -EINVAL;
5937 		/* but don't bother the driver with it */
5938 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5939 
5940 		/* allow authenticated/associated only if driver handles it */
5941 		if (!(rdev->wiphy.features &
5942 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5943 		    params.sta_flags_mask & auth_assoc)
5944 			return -EINVAL;
5945 
5946 		/* Older userspace, or userspace wanting to be compatible with
5947 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5948 		 * and assoc flags in the mask, but assumes the station will be
5949 		 * added as associated anyway since this was the required driver
5950 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5951 		 * introduced.
5952 		 * In order to not bother drivers with this quirk in the API
5953 		 * set the flags in both the mask and set for new stations in
5954 		 * this case.
5955 		 */
5956 		if (!(params.sta_flags_mask & auth_assoc)) {
5957 			params.sta_flags_mask |= auth_assoc;
5958 			params.sta_flags_set |= auth_assoc;
5959 		}
5960 
5961 		/* must be last in here for error handling */
5962 		params.vlan = get_vlan(info, rdev);
5963 		if (IS_ERR(params.vlan))
5964 			return PTR_ERR(params.vlan);
5965 		break;
5966 	case NL80211_IFTYPE_MESH_POINT:
5967 		/* ignore uAPSD data */
5968 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5969 
5970 		/* associated is disallowed */
5971 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5972 			return -EINVAL;
5973 		/* TDLS peers cannot be added */
5974 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5975 		    info->attrs[NL80211_ATTR_PEER_AID])
5976 			return -EINVAL;
5977 		break;
5978 	case NL80211_IFTYPE_STATION:
5979 	case NL80211_IFTYPE_P2P_CLIENT:
5980 		/* ignore uAPSD data */
5981 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5982 
5983 		/* these are disallowed */
5984 		if (params.sta_flags_mask &
5985 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
5986 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5987 			return -EINVAL;
5988 		/* Only TDLS peers can be added */
5989 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5990 			return -EINVAL;
5991 		/* Can only add if TDLS ... */
5992 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5993 			return -EOPNOTSUPP;
5994 		/* ... with external setup is supported */
5995 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5996 			return -EOPNOTSUPP;
5997 		/*
5998 		 * Older wpa_supplicant versions always mark the TDLS peer
5999 		 * as authorized, but it shouldn't yet be.
6000 		 */
6001 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6002 		break;
6003 	default:
6004 		return -EOPNOTSUPP;
6005 	}
6006 
6007 	/* be aware of params.vlan when changing code here */
6008 
6009 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6010 
6011 	if (params.vlan)
6012 		dev_put(params.vlan);
6013 	return err;
6014 }
6015 
6016 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6017 {
6018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6019 	struct net_device *dev = info->user_ptr[1];
6020 	struct station_del_parameters params;
6021 
6022 	memset(&params, 0, sizeof(params));
6023 
6024 	if (info->attrs[NL80211_ATTR_MAC])
6025 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6026 
6027 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6028 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6029 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
6030 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6031 		return -EINVAL;
6032 
6033 	if (!rdev->ops->del_station)
6034 		return -EOPNOTSUPP;
6035 
6036 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6037 		params.subtype =
6038 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6039 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6040 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6041 			return -EINVAL;
6042 	} else {
6043 		/* Default to Deauthentication frame */
6044 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6045 	}
6046 
6047 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6048 		params.reason_code =
6049 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6050 		if (params.reason_code == 0)
6051 			return -EINVAL; /* 0 is reserved */
6052 	} else {
6053 		/* Default to reason code 2 */
6054 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6055 	}
6056 
6057 	return rdev_del_station(rdev, dev, &params);
6058 }
6059 
6060 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6061 				int flags, struct net_device *dev,
6062 				u8 *dst, u8 *next_hop,
6063 				struct mpath_info *pinfo)
6064 {
6065 	void *hdr;
6066 	struct nlattr *pinfoattr;
6067 
6068 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6069 	if (!hdr)
6070 		return -1;
6071 
6072 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6073 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6074 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6075 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6076 		goto nla_put_failure;
6077 
6078 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6079 	if (!pinfoattr)
6080 		goto nla_put_failure;
6081 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6082 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6083 			pinfo->frame_qlen))
6084 		goto nla_put_failure;
6085 	if (((pinfo->filled & MPATH_INFO_SN) &&
6086 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6087 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6088 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6089 			 pinfo->metric)) ||
6090 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6091 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6092 			 pinfo->exptime)) ||
6093 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6094 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6095 			pinfo->flags)) ||
6096 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6097 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6098 			 pinfo->discovery_timeout)) ||
6099 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6100 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6101 			pinfo->discovery_retries)) ||
6102 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6103 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6104 			pinfo->hop_count)) ||
6105 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6106 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6107 			 pinfo->path_change_count)))
6108 		goto nla_put_failure;
6109 
6110 	nla_nest_end(msg, pinfoattr);
6111 
6112 	genlmsg_end(msg, hdr);
6113 	return 0;
6114 
6115  nla_put_failure:
6116 	genlmsg_cancel(msg, hdr);
6117 	return -EMSGSIZE;
6118 }
6119 
6120 static int nl80211_dump_mpath(struct sk_buff *skb,
6121 			      struct netlink_callback *cb)
6122 {
6123 	struct mpath_info pinfo;
6124 	struct cfg80211_registered_device *rdev;
6125 	struct wireless_dev *wdev;
6126 	u8 dst[ETH_ALEN];
6127 	u8 next_hop[ETH_ALEN];
6128 	int path_idx = cb->args[2];
6129 	int err;
6130 
6131 	rtnl_lock();
6132 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6133 	if (err)
6134 		goto out_err;
6135 
6136 	if (!rdev->ops->dump_mpath) {
6137 		err = -EOPNOTSUPP;
6138 		goto out_err;
6139 	}
6140 
6141 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6142 		err = -EOPNOTSUPP;
6143 		goto out_err;
6144 	}
6145 
6146 	while (1) {
6147 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6148 				      next_hop, &pinfo);
6149 		if (err == -ENOENT)
6150 			break;
6151 		if (err)
6152 			goto out_err;
6153 
6154 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6155 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6156 				       wdev->netdev, dst, next_hop,
6157 				       &pinfo) < 0)
6158 			goto out;
6159 
6160 		path_idx++;
6161 	}
6162 
6163  out:
6164 	cb->args[2] = path_idx;
6165 	err = skb->len;
6166  out_err:
6167 	rtnl_unlock();
6168 	return err;
6169 }
6170 
6171 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6172 {
6173 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6174 	int err;
6175 	struct net_device *dev = info->user_ptr[1];
6176 	struct mpath_info pinfo;
6177 	struct sk_buff *msg;
6178 	u8 *dst = NULL;
6179 	u8 next_hop[ETH_ALEN];
6180 
6181 	memset(&pinfo, 0, sizeof(pinfo));
6182 
6183 	if (!info->attrs[NL80211_ATTR_MAC])
6184 		return -EINVAL;
6185 
6186 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6187 
6188 	if (!rdev->ops->get_mpath)
6189 		return -EOPNOTSUPP;
6190 
6191 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6192 		return -EOPNOTSUPP;
6193 
6194 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6195 	if (err)
6196 		return err;
6197 
6198 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6199 	if (!msg)
6200 		return -ENOMEM;
6201 
6202 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6203 				 dev, dst, next_hop, &pinfo) < 0) {
6204 		nlmsg_free(msg);
6205 		return -ENOBUFS;
6206 	}
6207 
6208 	return genlmsg_reply(msg, info);
6209 }
6210 
6211 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6212 {
6213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6214 	struct net_device *dev = info->user_ptr[1];
6215 	u8 *dst = NULL;
6216 	u8 *next_hop = NULL;
6217 
6218 	if (!info->attrs[NL80211_ATTR_MAC])
6219 		return -EINVAL;
6220 
6221 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6222 		return -EINVAL;
6223 
6224 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6225 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6226 
6227 	if (!rdev->ops->change_mpath)
6228 		return -EOPNOTSUPP;
6229 
6230 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6231 		return -EOPNOTSUPP;
6232 
6233 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6234 }
6235 
6236 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6237 {
6238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6239 	struct net_device *dev = info->user_ptr[1];
6240 	u8 *dst = NULL;
6241 	u8 *next_hop = NULL;
6242 
6243 	if (!info->attrs[NL80211_ATTR_MAC])
6244 		return -EINVAL;
6245 
6246 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6247 		return -EINVAL;
6248 
6249 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6250 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6251 
6252 	if (!rdev->ops->add_mpath)
6253 		return -EOPNOTSUPP;
6254 
6255 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6256 		return -EOPNOTSUPP;
6257 
6258 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6259 }
6260 
6261 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6262 {
6263 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6264 	struct net_device *dev = info->user_ptr[1];
6265 	u8 *dst = NULL;
6266 
6267 	if (info->attrs[NL80211_ATTR_MAC])
6268 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6269 
6270 	if (!rdev->ops->del_mpath)
6271 		return -EOPNOTSUPP;
6272 
6273 	return rdev_del_mpath(rdev, dev, dst);
6274 }
6275 
6276 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6277 {
6278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6279 	int err;
6280 	struct net_device *dev = info->user_ptr[1];
6281 	struct mpath_info pinfo;
6282 	struct sk_buff *msg;
6283 	u8 *dst = NULL;
6284 	u8 mpp[ETH_ALEN];
6285 
6286 	memset(&pinfo, 0, sizeof(pinfo));
6287 
6288 	if (!info->attrs[NL80211_ATTR_MAC])
6289 		return -EINVAL;
6290 
6291 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6292 
6293 	if (!rdev->ops->get_mpp)
6294 		return -EOPNOTSUPP;
6295 
6296 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6297 		return -EOPNOTSUPP;
6298 
6299 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6300 	if (err)
6301 		return err;
6302 
6303 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6304 	if (!msg)
6305 		return -ENOMEM;
6306 
6307 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6308 			       dev, dst, mpp, &pinfo) < 0) {
6309 		nlmsg_free(msg);
6310 		return -ENOBUFS;
6311 	}
6312 
6313 	return genlmsg_reply(msg, info);
6314 }
6315 
6316 static int nl80211_dump_mpp(struct sk_buff *skb,
6317 			    struct netlink_callback *cb)
6318 {
6319 	struct mpath_info pinfo;
6320 	struct cfg80211_registered_device *rdev;
6321 	struct wireless_dev *wdev;
6322 	u8 dst[ETH_ALEN];
6323 	u8 mpp[ETH_ALEN];
6324 	int path_idx = cb->args[2];
6325 	int err;
6326 
6327 	rtnl_lock();
6328 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6329 	if (err)
6330 		goto out_err;
6331 
6332 	if (!rdev->ops->dump_mpp) {
6333 		err = -EOPNOTSUPP;
6334 		goto out_err;
6335 	}
6336 
6337 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6338 		err = -EOPNOTSUPP;
6339 		goto out_err;
6340 	}
6341 
6342 	while (1) {
6343 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6344 				    mpp, &pinfo);
6345 		if (err == -ENOENT)
6346 			break;
6347 		if (err)
6348 			goto out_err;
6349 
6350 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6351 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6352 				       wdev->netdev, dst, mpp,
6353 				       &pinfo) < 0)
6354 			goto out;
6355 
6356 		path_idx++;
6357 	}
6358 
6359  out:
6360 	cb->args[2] = path_idx;
6361 	err = skb->len;
6362  out_err:
6363 	rtnl_unlock();
6364 	return err;
6365 }
6366 
6367 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6368 {
6369 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6370 	struct net_device *dev = info->user_ptr[1];
6371 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6372 	struct bss_parameters params;
6373 	int err;
6374 
6375 	memset(&params, 0, sizeof(params));
6376 	/* default to not changing parameters */
6377 	params.use_cts_prot = -1;
6378 	params.use_short_preamble = -1;
6379 	params.use_short_slot_time = -1;
6380 	params.ap_isolate = -1;
6381 	params.ht_opmode = -1;
6382 	params.p2p_ctwindow = -1;
6383 	params.p2p_opp_ps = -1;
6384 
6385 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6386 		params.use_cts_prot =
6387 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6388 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6389 		params.use_short_preamble =
6390 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6391 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6392 		params.use_short_slot_time =
6393 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6394 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6395 		params.basic_rates =
6396 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6397 		params.basic_rates_len =
6398 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6399 	}
6400 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6401 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6402 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6403 		params.ht_opmode =
6404 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6405 
6406 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6407 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6408 			return -EINVAL;
6409 		params.p2p_ctwindow =
6410 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6411 		if (params.p2p_ctwindow != 0 &&
6412 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6413 			return -EINVAL;
6414 	}
6415 
6416 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6417 		u8 tmp;
6418 
6419 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6420 			return -EINVAL;
6421 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6422 		params.p2p_opp_ps = tmp;
6423 		if (params.p2p_opp_ps &&
6424 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6425 			return -EINVAL;
6426 	}
6427 
6428 	if (!rdev->ops->change_bss)
6429 		return -EOPNOTSUPP;
6430 
6431 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6432 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6433 		return -EOPNOTSUPP;
6434 
6435 	wdev_lock(wdev);
6436 	err = rdev_change_bss(rdev, dev, &params);
6437 	wdev_unlock(wdev);
6438 
6439 	return err;
6440 }
6441 
6442 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6443 {
6444 	char *data = NULL;
6445 	bool is_indoor;
6446 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6447 	u32 owner_nlportid;
6448 
6449 	/*
6450 	 * You should only get this when cfg80211 hasn't yet initialized
6451 	 * completely when built-in to the kernel right between the time
6452 	 * window between nl80211_init() and regulatory_init(), if that is
6453 	 * even possible.
6454 	 */
6455 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6456 		return -EINPROGRESS;
6457 
6458 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6459 		user_reg_hint_type =
6460 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6461 	else
6462 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6463 
6464 	switch (user_reg_hint_type) {
6465 	case NL80211_USER_REG_HINT_USER:
6466 	case NL80211_USER_REG_HINT_CELL_BASE:
6467 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6468 			return -EINVAL;
6469 
6470 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6471 		return regulatory_hint_user(data, user_reg_hint_type);
6472 	case NL80211_USER_REG_HINT_INDOOR:
6473 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6474 			owner_nlportid = info->snd_portid;
6475 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6476 		} else {
6477 			owner_nlportid = 0;
6478 			is_indoor = true;
6479 		}
6480 
6481 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6482 	default:
6483 		return -EINVAL;
6484 	}
6485 }
6486 
6487 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6488 {
6489 	return reg_reload_regdb();
6490 }
6491 
6492 static int nl80211_get_mesh_config(struct sk_buff *skb,
6493 				   struct genl_info *info)
6494 {
6495 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6496 	struct net_device *dev = info->user_ptr[1];
6497 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6498 	struct mesh_config cur_params;
6499 	int err = 0;
6500 	void *hdr;
6501 	struct nlattr *pinfoattr;
6502 	struct sk_buff *msg;
6503 
6504 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6505 		return -EOPNOTSUPP;
6506 
6507 	if (!rdev->ops->get_mesh_config)
6508 		return -EOPNOTSUPP;
6509 
6510 	wdev_lock(wdev);
6511 	/* If not connected, get default parameters */
6512 	if (!wdev->mesh_id_len)
6513 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6514 	else
6515 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6516 	wdev_unlock(wdev);
6517 
6518 	if (err)
6519 		return err;
6520 
6521 	/* Draw up a netlink message to send back */
6522 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6523 	if (!msg)
6524 		return -ENOMEM;
6525 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6526 			     NL80211_CMD_GET_MESH_CONFIG);
6527 	if (!hdr)
6528 		goto out;
6529 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
6530 	if (!pinfoattr)
6531 		goto nla_put_failure;
6532 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6533 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6534 			cur_params.dot11MeshRetryTimeout) ||
6535 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6536 			cur_params.dot11MeshConfirmTimeout) ||
6537 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6538 			cur_params.dot11MeshHoldingTimeout) ||
6539 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6540 			cur_params.dot11MeshMaxPeerLinks) ||
6541 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6542 		       cur_params.dot11MeshMaxRetries) ||
6543 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6544 		       cur_params.dot11MeshTTL) ||
6545 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6546 		       cur_params.element_ttl) ||
6547 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6548 		       cur_params.auto_open_plinks) ||
6549 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6550 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6551 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6552 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6553 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6554 			cur_params.path_refresh_time) ||
6555 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6556 			cur_params.min_discovery_timeout) ||
6557 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6558 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6559 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6560 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6561 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6562 			cur_params.dot11MeshHWMPperrMinInterval) ||
6563 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6564 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6565 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6566 		       cur_params.dot11MeshHWMPRootMode) ||
6567 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6568 			cur_params.dot11MeshHWMPRannInterval) ||
6569 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6570 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6571 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6572 		       cur_params.dot11MeshForwarding) ||
6573 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6574 			cur_params.rssi_threshold) ||
6575 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6576 			cur_params.ht_opmode) ||
6577 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6578 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6579 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6580 			cur_params.dot11MeshHWMProotInterval) ||
6581 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6582 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6583 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6584 			cur_params.power_mode) ||
6585 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6586 			cur_params.dot11MeshAwakeWindowDuration) ||
6587 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6588 			cur_params.plink_timeout) ||
6589 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
6590 		       cur_params.dot11MeshConnectedToMeshGate))
6591 		goto nla_put_failure;
6592 	nla_nest_end(msg, pinfoattr);
6593 	genlmsg_end(msg, hdr);
6594 	return genlmsg_reply(msg, info);
6595 
6596  nla_put_failure:
6597  out:
6598 	nlmsg_free(msg);
6599 	return -ENOBUFS;
6600 }
6601 
6602 static const struct nla_policy
6603 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6604 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
6605 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6606 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6607 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6608 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
6609 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6610 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
6611 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
6612 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6613 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6614 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6615 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6616 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6617 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
6618 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6619 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6620 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6621 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6622 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6623 		NLA_POLICY_MIN(NLA_U16, 1),
6624 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6625 		NLA_POLICY_MIN(NLA_U16, 1),
6626 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6627 		NLA_POLICY_MIN(NLA_U16, 1),
6628 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6629 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6630 		NLA_POLICY_MIN(NLA_U16, 1),
6631 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6632 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6633 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
6634 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
6635 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6636 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6637 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6638 		NLA_POLICY_MIN(NLA_U16, 1),
6639 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6640 		NLA_POLICY_MIN(NLA_U16, 1),
6641 	[NL80211_MESHCONF_POWER_MODE] =
6642 		NLA_POLICY_RANGE(NLA_U32,
6643 				 NL80211_MESH_POWER_ACTIVE,
6644 				 NL80211_MESH_POWER_MAX),
6645 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6646 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6647 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
6648 };
6649 
6650 static const struct nla_policy
6651 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6652 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6653 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6654 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6655 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6656 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6657 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6658 	[NL80211_MESH_SETUP_IE] =
6659 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6660 				       IEEE80211_MAX_DATA_LEN),
6661 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6662 };
6663 
6664 static int nl80211_parse_mesh_config(struct genl_info *info,
6665 				     struct mesh_config *cfg,
6666 				     u32 *mask_out)
6667 {
6668 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6669 	u32 mask = 0;
6670 	u16 ht_opmode;
6671 
6672 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
6673 do {									\
6674 	if (tb[attr]) {							\
6675 		cfg->param = fn(tb[attr]);				\
6676 		mask |= BIT((attr) - 1);				\
6677 	}								\
6678 } while (0)
6679 
6680 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6681 		return -EINVAL;
6682 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
6683 		return -EINVAL;
6684 
6685 	/* This makes sure that there aren't more than 32 mesh config
6686 	 * parameters (otherwise our bitfield scheme would not work.) */
6687 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6688 
6689 	/* Fill in the params struct */
6690 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6691 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6692 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6693 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
6694 				  nla_get_u16);
6695 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6696 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
6697 				  nla_get_u16);
6698 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6699 				  NL80211_MESHCONF_MAX_PEER_LINKS,
6700 				  nla_get_u16);
6701 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6702 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6703 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6704 				  NL80211_MESHCONF_TTL, nla_get_u8);
6705 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6706 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6707 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6708 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6709 				  nla_get_u8);
6710 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6711 				  mask,
6712 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6713 				  nla_get_u32);
6714 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6715 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6716 				  nla_get_u8);
6717 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6718 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
6719 				  nla_get_u32);
6720 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6721 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6722 		return -EINVAL;
6723 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6724 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6725 				  nla_get_u16);
6726 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6727 				  mask,
6728 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6729 				  nla_get_u32);
6730 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
6731 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
6732 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
6733 		return -EINVAL;
6734 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
6735 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6736 				  nla_get_u16);
6737 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
6738 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6739 				  nla_get_u16);
6740 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6741 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
6742 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6743 				  nla_get_u16);
6744 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
6745 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
6746 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
6747 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6748 				  nla_get_u16);
6749 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
6750 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6751 				  nla_get_u8);
6752 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
6753 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
6754 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
6755 				  NL80211_MESHCONF_RSSI_THRESHOLD,
6756 				  nla_get_s32);
6757 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
6758 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
6759 				  nla_get_u8);
6760 	/*
6761 	 * Check HT operation mode based on
6762 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6763 	 */
6764 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6765 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6766 
6767 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6768 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6769 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6770 			return -EINVAL;
6771 
6772 		/* NON_HT_STA bit is reserved, but some programs set it */
6773 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6774 
6775 		cfg->ht_opmode = ht_opmode;
6776 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6777 	}
6778 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6779 				  dot11MeshHWMPactivePathToRootTimeout, mask,
6780 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6781 				  nla_get_u32);
6782 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
6783 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
6784 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
6785 		return -EINVAL;
6786 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
6787 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6788 				  nla_get_u16);
6789 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
6790 				  mask,
6791 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6792 				  nla_get_u16);
6793 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
6794 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
6795 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
6796 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
6797 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
6798 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
6799 	if (mask_out)
6800 		*mask_out = mask;
6801 
6802 	return 0;
6803 
6804 #undef FILL_IN_MESH_PARAM_IF_SET
6805 }
6806 
6807 static int nl80211_parse_mesh_setup(struct genl_info *info,
6808 				     struct mesh_setup *setup)
6809 {
6810 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6811 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6812 
6813 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6814 		return -EINVAL;
6815 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
6816 		return -EINVAL;
6817 
6818 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6819 		setup->sync_method =
6820 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6821 		 IEEE80211_SYNC_METHOD_VENDOR :
6822 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6823 
6824 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6825 		setup->path_sel_proto =
6826 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6827 		 IEEE80211_PATH_PROTOCOL_VENDOR :
6828 		 IEEE80211_PATH_PROTOCOL_HWMP;
6829 
6830 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6831 		setup->path_metric =
6832 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6833 		 IEEE80211_PATH_METRIC_VENDOR :
6834 		 IEEE80211_PATH_METRIC_AIRTIME;
6835 
6836 	if (tb[NL80211_MESH_SETUP_IE]) {
6837 		struct nlattr *ieattr =
6838 			tb[NL80211_MESH_SETUP_IE];
6839 		setup->ie = nla_data(ieattr);
6840 		setup->ie_len = nla_len(ieattr);
6841 	}
6842 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6843 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6844 		return -EINVAL;
6845 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6846 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6847 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6848 	if (setup->is_secure)
6849 		setup->user_mpm = true;
6850 
6851 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6852 		if (!setup->user_mpm)
6853 			return -EINVAL;
6854 		setup->auth_id =
6855 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6856 	}
6857 
6858 	return 0;
6859 }
6860 
6861 static int nl80211_update_mesh_config(struct sk_buff *skb,
6862 				      struct genl_info *info)
6863 {
6864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6865 	struct net_device *dev = info->user_ptr[1];
6866 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6867 	struct mesh_config cfg;
6868 	u32 mask;
6869 	int err;
6870 
6871 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6872 		return -EOPNOTSUPP;
6873 
6874 	if (!rdev->ops->update_mesh_config)
6875 		return -EOPNOTSUPP;
6876 
6877 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6878 	if (err)
6879 		return err;
6880 
6881 	wdev_lock(wdev);
6882 	if (!wdev->mesh_id_len)
6883 		err = -ENOLINK;
6884 
6885 	if (!err)
6886 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6887 
6888 	wdev_unlock(wdev);
6889 
6890 	return err;
6891 }
6892 
6893 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6894 			      struct sk_buff *msg)
6895 {
6896 	struct nlattr *nl_reg_rules;
6897 	unsigned int i;
6898 
6899 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6900 	    (regdom->dfs_region &&
6901 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6902 		goto nla_put_failure;
6903 
6904 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
6905 	if (!nl_reg_rules)
6906 		goto nla_put_failure;
6907 
6908 	for (i = 0; i < regdom->n_reg_rules; i++) {
6909 		struct nlattr *nl_reg_rule;
6910 		const struct ieee80211_reg_rule *reg_rule;
6911 		const struct ieee80211_freq_range *freq_range;
6912 		const struct ieee80211_power_rule *power_rule;
6913 		unsigned int max_bandwidth_khz;
6914 
6915 		reg_rule = &regdom->reg_rules[i];
6916 		freq_range = &reg_rule->freq_range;
6917 		power_rule = &reg_rule->power_rule;
6918 
6919 		nl_reg_rule = nla_nest_start_noflag(msg, i);
6920 		if (!nl_reg_rule)
6921 			goto nla_put_failure;
6922 
6923 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6924 		if (!max_bandwidth_khz)
6925 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6926 								  reg_rule);
6927 
6928 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6929 				reg_rule->flags) ||
6930 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6931 				freq_range->start_freq_khz) ||
6932 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6933 				freq_range->end_freq_khz) ||
6934 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6935 				max_bandwidth_khz) ||
6936 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6937 				power_rule->max_antenna_gain) ||
6938 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6939 				power_rule->max_eirp) ||
6940 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6941 				reg_rule->dfs_cac_ms))
6942 			goto nla_put_failure;
6943 
6944 		nla_nest_end(msg, nl_reg_rule);
6945 	}
6946 
6947 	nla_nest_end(msg, nl_reg_rules);
6948 	return 0;
6949 
6950 nla_put_failure:
6951 	return -EMSGSIZE;
6952 }
6953 
6954 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6955 {
6956 	const struct ieee80211_regdomain *regdom = NULL;
6957 	struct cfg80211_registered_device *rdev;
6958 	struct wiphy *wiphy = NULL;
6959 	struct sk_buff *msg;
6960 	void *hdr;
6961 
6962 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6963 	if (!msg)
6964 		return -ENOBUFS;
6965 
6966 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6967 			     NL80211_CMD_GET_REG);
6968 	if (!hdr)
6969 		goto put_failure;
6970 
6971 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6972 		bool self_managed;
6973 
6974 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6975 		if (IS_ERR(rdev)) {
6976 			nlmsg_free(msg);
6977 			return PTR_ERR(rdev);
6978 		}
6979 
6980 		wiphy = &rdev->wiphy;
6981 		self_managed = wiphy->regulatory_flags &
6982 			       REGULATORY_WIPHY_SELF_MANAGED;
6983 		regdom = get_wiphy_regdom(wiphy);
6984 
6985 		/* a self-managed-reg device must have a private regdom */
6986 		if (WARN_ON(!regdom && self_managed)) {
6987 			nlmsg_free(msg);
6988 			return -EINVAL;
6989 		}
6990 
6991 		if (regdom &&
6992 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6993 			goto nla_put_failure;
6994 	}
6995 
6996 	if (!wiphy && reg_last_request_cell_base() &&
6997 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6998 			NL80211_USER_REG_HINT_CELL_BASE))
6999 		goto nla_put_failure;
7000 
7001 	rcu_read_lock();
7002 
7003 	if (!regdom)
7004 		regdom = rcu_dereference(cfg80211_regdomain);
7005 
7006 	if (nl80211_put_regdom(regdom, msg))
7007 		goto nla_put_failure_rcu;
7008 
7009 	rcu_read_unlock();
7010 
7011 	genlmsg_end(msg, hdr);
7012 	return genlmsg_reply(msg, info);
7013 
7014 nla_put_failure_rcu:
7015 	rcu_read_unlock();
7016 nla_put_failure:
7017 put_failure:
7018 	nlmsg_free(msg);
7019 	return -EMSGSIZE;
7020 }
7021 
7022 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7023 			       u32 seq, int flags, struct wiphy *wiphy,
7024 			       const struct ieee80211_regdomain *regdom)
7025 {
7026 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7027 				   NL80211_CMD_GET_REG);
7028 
7029 	if (!hdr)
7030 		return -1;
7031 
7032 	genl_dump_check_consistent(cb, hdr);
7033 
7034 	if (nl80211_put_regdom(regdom, msg))
7035 		goto nla_put_failure;
7036 
7037 	if (!wiphy && reg_last_request_cell_base() &&
7038 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7039 			NL80211_USER_REG_HINT_CELL_BASE))
7040 		goto nla_put_failure;
7041 
7042 	if (wiphy &&
7043 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7044 		goto nla_put_failure;
7045 
7046 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7047 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7048 		goto nla_put_failure;
7049 
7050 	genlmsg_end(msg, hdr);
7051 	return 0;
7052 
7053 nla_put_failure:
7054 	genlmsg_cancel(msg, hdr);
7055 	return -EMSGSIZE;
7056 }
7057 
7058 static int nl80211_get_reg_dump(struct sk_buff *skb,
7059 				struct netlink_callback *cb)
7060 {
7061 	const struct ieee80211_regdomain *regdom = NULL;
7062 	struct cfg80211_registered_device *rdev;
7063 	int err, reg_idx, start = cb->args[2];
7064 
7065 	rtnl_lock();
7066 
7067 	if (cfg80211_regdomain && start == 0) {
7068 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7069 					  NLM_F_MULTI, NULL,
7070 					  rtnl_dereference(cfg80211_regdomain));
7071 		if (err < 0)
7072 			goto out_err;
7073 	}
7074 
7075 	/* the global regdom is idx 0 */
7076 	reg_idx = 1;
7077 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7078 		regdom = get_wiphy_regdom(&rdev->wiphy);
7079 		if (!regdom)
7080 			continue;
7081 
7082 		if (++reg_idx <= start)
7083 			continue;
7084 
7085 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7086 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7087 		if (err < 0) {
7088 			reg_idx--;
7089 			break;
7090 		}
7091 	}
7092 
7093 	cb->args[2] = reg_idx;
7094 	err = skb->len;
7095 out_err:
7096 	rtnl_unlock();
7097 	return err;
7098 }
7099 
7100 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7101 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7102 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7103 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7104 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7105 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7106 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7107 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7108 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7109 };
7110 
7111 static int parse_reg_rule(struct nlattr *tb[],
7112 	struct ieee80211_reg_rule *reg_rule)
7113 {
7114 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7115 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7116 
7117 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7118 		return -EINVAL;
7119 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7120 		return -EINVAL;
7121 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7122 		return -EINVAL;
7123 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7124 		return -EINVAL;
7125 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7126 		return -EINVAL;
7127 
7128 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7129 
7130 	freq_range->start_freq_khz =
7131 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7132 	freq_range->end_freq_khz =
7133 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7134 	freq_range->max_bandwidth_khz =
7135 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7136 
7137 	power_rule->max_eirp =
7138 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7139 
7140 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7141 		power_rule->max_antenna_gain =
7142 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7143 
7144 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7145 		reg_rule->dfs_cac_ms =
7146 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7147 
7148 	return 0;
7149 }
7150 
7151 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7152 {
7153 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7154 	struct nlattr *nl_reg_rule;
7155 	char *alpha2;
7156 	int rem_reg_rules, r;
7157 	u32 num_rules = 0, rule_idx = 0;
7158 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7159 	struct ieee80211_regdomain *rd;
7160 
7161 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7162 		return -EINVAL;
7163 
7164 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7165 		return -EINVAL;
7166 
7167 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7168 
7169 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7170 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7171 
7172 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7173 			    rem_reg_rules) {
7174 		num_rules++;
7175 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7176 			return -EINVAL;
7177 	}
7178 
7179 	if (!reg_is_valid_request(alpha2))
7180 		return -EINVAL;
7181 
7182 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7183 	if (!rd)
7184 		return -ENOMEM;
7185 
7186 	rd->n_reg_rules = num_rules;
7187 	rd->alpha2[0] = alpha2[0];
7188 	rd->alpha2[1] = alpha2[1];
7189 
7190 	/*
7191 	 * Disable DFS master mode if the DFS region was
7192 	 * not supported or known on this kernel.
7193 	 */
7194 	if (reg_supported_dfs_region(dfs_region))
7195 		rd->dfs_region = dfs_region;
7196 
7197 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7198 			    rem_reg_rules) {
7199 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7200 						nl_reg_rule, reg_rule_policy,
7201 						info->extack);
7202 		if (r)
7203 			goto bad_reg;
7204 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7205 		if (r)
7206 			goto bad_reg;
7207 
7208 		rule_idx++;
7209 
7210 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7211 			r = -EINVAL;
7212 			goto bad_reg;
7213 		}
7214 	}
7215 
7216 	/* set_regdom takes ownership of rd */
7217 	return set_regdom(rd, REGD_SOURCE_CRDA);
7218  bad_reg:
7219 	kfree(rd);
7220 	return r;
7221 }
7222 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7223 
7224 static int validate_scan_freqs(struct nlattr *freqs)
7225 {
7226 	struct nlattr *attr1, *attr2;
7227 	int n_channels = 0, tmp1, tmp2;
7228 
7229 	nla_for_each_nested(attr1, freqs, tmp1)
7230 		if (nla_len(attr1) != sizeof(u32))
7231 			return 0;
7232 
7233 	nla_for_each_nested(attr1, freqs, tmp1) {
7234 		n_channels++;
7235 		/*
7236 		 * Some hardware has a limited channel list for
7237 		 * scanning, and it is pretty much nonsensical
7238 		 * to scan for a channel twice, so disallow that
7239 		 * and don't require drivers to check that the
7240 		 * channel list they get isn't longer than what
7241 		 * they can scan, as long as they can scan all
7242 		 * the channels they registered at once.
7243 		 */
7244 		nla_for_each_nested(attr2, freqs, tmp2)
7245 			if (attr1 != attr2 &&
7246 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7247 				return 0;
7248 	}
7249 
7250 	return n_channels;
7251 }
7252 
7253 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7254 {
7255 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7256 }
7257 
7258 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7259 			    struct cfg80211_bss_selection *bss_select)
7260 {
7261 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7262 	struct nlattr *nest;
7263 	int err;
7264 	bool found = false;
7265 	int i;
7266 
7267 	/* only process one nested attribute */
7268 	nest = nla_data(nla);
7269 	if (!nla_ok(nest, nla_len(nest)))
7270 		return -EINVAL;
7271 
7272 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7273 					  nest, nl80211_bss_select_policy,
7274 					  NULL);
7275 	if (err)
7276 		return err;
7277 
7278 	/* only one attribute may be given */
7279 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7280 		if (attr[i]) {
7281 			if (found)
7282 				return -EINVAL;
7283 			found = true;
7284 		}
7285 	}
7286 
7287 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7288 
7289 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7290 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7291 
7292 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7293 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7294 		bss_select->param.band_pref =
7295 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7296 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7297 			return -EINVAL;
7298 	}
7299 
7300 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7301 		struct nl80211_bss_select_rssi_adjust *adj_param;
7302 
7303 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7304 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7305 		bss_select->param.adjust.band = adj_param->band;
7306 		bss_select->param.adjust.delta = adj_param->delta;
7307 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7308 			return -EINVAL;
7309 	}
7310 
7311 	/* user-space did not provide behaviour attribute */
7312 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7313 		return -EINVAL;
7314 
7315 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7316 		return -EINVAL;
7317 
7318 	return 0;
7319 }
7320 
7321 int nl80211_parse_random_mac(struct nlattr **attrs,
7322 			     u8 *mac_addr, u8 *mac_addr_mask)
7323 {
7324 	int i;
7325 
7326 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7327 		eth_zero_addr(mac_addr);
7328 		eth_zero_addr(mac_addr_mask);
7329 		mac_addr[0] = 0x2;
7330 		mac_addr_mask[0] = 0x3;
7331 
7332 		return 0;
7333 	}
7334 
7335 	/* need both or none */
7336 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7337 		return -EINVAL;
7338 
7339 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7340 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7341 
7342 	/* don't allow or configure an mcast address */
7343 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7344 	    is_multicast_ether_addr(mac_addr))
7345 		return -EINVAL;
7346 
7347 	/*
7348 	 * allow users to pass a MAC address that has bits set outside
7349 	 * of the mask, but don't bother drivers with having to deal
7350 	 * with such bits
7351 	 */
7352 	for (i = 0; i < ETH_ALEN; i++)
7353 		mac_addr[i] &= mac_addr_mask[i];
7354 
7355 	return 0;
7356 }
7357 
7358 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7359 {
7360 	ASSERT_WDEV_LOCK(wdev);
7361 
7362 	if (!cfg80211_beaconing_iface_active(wdev))
7363 		return true;
7364 
7365 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7366 		return true;
7367 
7368 	return regulatory_pre_cac_allowed(wdev->wiphy);
7369 }
7370 
7371 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7372 				    enum nl80211_ext_feature_index feat)
7373 {
7374 	if (!(flags & flag))
7375 		return true;
7376 	if (wiphy_ext_feature_isset(wiphy, feat))
7377 		return true;
7378 	return false;
7379 }
7380 
7381 static int
7382 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7383 			 void *request, struct nlattr **attrs,
7384 			 bool is_sched_scan)
7385 {
7386 	u8 *mac_addr, *mac_addr_mask;
7387 	u32 *flags;
7388 	enum nl80211_feature_flags randomness_flag;
7389 
7390 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7391 		return 0;
7392 
7393 	if (is_sched_scan) {
7394 		struct cfg80211_sched_scan_request *req = request;
7395 
7396 		randomness_flag = wdev ?
7397 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7398 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7399 		flags = &req->flags;
7400 		mac_addr = req->mac_addr;
7401 		mac_addr_mask = req->mac_addr_mask;
7402 	} else {
7403 		struct cfg80211_scan_request *req = request;
7404 
7405 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7406 		flags = &req->flags;
7407 		mac_addr = req->mac_addr;
7408 		mac_addr_mask = req->mac_addr_mask;
7409 	}
7410 
7411 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7412 
7413 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7414 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7415 	    !nl80211_check_scan_feat(wiphy, *flags,
7416 				     NL80211_SCAN_FLAG_LOW_SPAN,
7417 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7418 	    !nl80211_check_scan_feat(wiphy, *flags,
7419 				     NL80211_SCAN_FLAG_LOW_POWER,
7420 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7421 	    !nl80211_check_scan_feat(wiphy, *flags,
7422 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7423 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7424 	    !nl80211_check_scan_feat(wiphy, *flags,
7425 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7426 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7427 	    !nl80211_check_scan_feat(wiphy, *flags,
7428 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7429 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7430 	    !nl80211_check_scan_feat(wiphy, *flags,
7431 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7432 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7433 	    !nl80211_check_scan_feat(wiphy, *flags,
7434 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7435 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7436 	    !nl80211_check_scan_feat(wiphy, *flags,
7437 				     NL80211_SCAN_FLAG_RANDOM_SN,
7438 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7439 	    !nl80211_check_scan_feat(wiphy, *flags,
7440 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7441 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7442 		return -EOPNOTSUPP;
7443 
7444 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7445 		int err;
7446 
7447 		if (!(wiphy->features & randomness_flag) ||
7448 		    (wdev && wdev->current_bss))
7449 			return -EOPNOTSUPP;
7450 
7451 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7452 		if (err)
7453 			return err;
7454 	}
7455 
7456 	return 0;
7457 }
7458 
7459 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7460 {
7461 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7462 	struct wireless_dev *wdev = info->user_ptr[1];
7463 	struct cfg80211_scan_request *request;
7464 	struct nlattr *attr;
7465 	struct wiphy *wiphy;
7466 	int err, tmp, n_ssids = 0, n_channels, i;
7467 	size_t ie_len;
7468 
7469 	wiphy = &rdev->wiphy;
7470 
7471 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7472 		return -EOPNOTSUPP;
7473 
7474 	if (!rdev->ops->scan)
7475 		return -EOPNOTSUPP;
7476 
7477 	if (rdev->scan_req || rdev->scan_msg) {
7478 		err = -EBUSY;
7479 		goto unlock;
7480 	}
7481 
7482 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7483 		n_channels = validate_scan_freqs(
7484 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7485 		if (!n_channels) {
7486 			err = -EINVAL;
7487 			goto unlock;
7488 		}
7489 	} else {
7490 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7491 	}
7492 
7493 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7494 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7495 			n_ssids++;
7496 
7497 	if (n_ssids > wiphy->max_scan_ssids) {
7498 		err = -EINVAL;
7499 		goto unlock;
7500 	}
7501 
7502 	if (info->attrs[NL80211_ATTR_IE])
7503 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7504 	else
7505 		ie_len = 0;
7506 
7507 	if (ie_len > wiphy->max_scan_ie_len) {
7508 		err = -EINVAL;
7509 		goto unlock;
7510 	}
7511 
7512 	request = kzalloc(sizeof(*request)
7513 			+ sizeof(*request->ssids) * n_ssids
7514 			+ sizeof(*request->channels) * n_channels
7515 			+ ie_len, GFP_KERNEL);
7516 	if (!request) {
7517 		err = -ENOMEM;
7518 		goto unlock;
7519 	}
7520 
7521 	if (n_ssids)
7522 		request->ssids = (void *)&request->channels[n_channels];
7523 	request->n_ssids = n_ssids;
7524 	if (ie_len) {
7525 		if (n_ssids)
7526 			request->ie = (void *)(request->ssids + n_ssids);
7527 		else
7528 			request->ie = (void *)(request->channels + n_channels);
7529 	}
7530 
7531 	i = 0;
7532 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7533 		/* user specified, bail out if channel not found */
7534 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7535 			struct ieee80211_channel *chan;
7536 
7537 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7538 
7539 			if (!chan) {
7540 				err = -EINVAL;
7541 				goto out_free;
7542 			}
7543 
7544 			/* ignore disabled channels */
7545 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7546 				continue;
7547 
7548 			request->channels[i] = chan;
7549 			i++;
7550 		}
7551 	} else {
7552 		enum nl80211_band band;
7553 
7554 		/* all channels */
7555 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7556 			int j;
7557 
7558 			if (!wiphy->bands[band])
7559 				continue;
7560 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7561 				struct ieee80211_channel *chan;
7562 
7563 				chan = &wiphy->bands[band]->channels[j];
7564 
7565 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7566 					continue;
7567 
7568 				request->channels[i] = chan;
7569 				i++;
7570 			}
7571 		}
7572 	}
7573 
7574 	if (!i) {
7575 		err = -EINVAL;
7576 		goto out_free;
7577 	}
7578 
7579 	request->n_channels = i;
7580 
7581 	wdev_lock(wdev);
7582 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7583 		struct ieee80211_channel *chan;
7584 
7585 		if (request->n_channels != 1) {
7586 			wdev_unlock(wdev);
7587 			err = -EBUSY;
7588 			goto out_free;
7589 		}
7590 
7591 		chan = request->channels[0];
7592 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7593 			wdev_unlock(wdev);
7594 			err = -EBUSY;
7595 			goto out_free;
7596 		}
7597 	}
7598 	wdev_unlock(wdev);
7599 
7600 	i = 0;
7601 	if (n_ssids) {
7602 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7603 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7604 				err = -EINVAL;
7605 				goto out_free;
7606 			}
7607 			request->ssids[i].ssid_len = nla_len(attr);
7608 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7609 			i++;
7610 		}
7611 	}
7612 
7613 	if (info->attrs[NL80211_ATTR_IE]) {
7614 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7615 		memcpy((void *)request->ie,
7616 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7617 		       request->ie_len);
7618 	}
7619 
7620 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7621 		if (wiphy->bands[i])
7622 			request->rates[i] =
7623 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7624 
7625 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7626 		nla_for_each_nested(attr,
7627 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7628 				    tmp) {
7629 			enum nl80211_band band = nla_type(attr);
7630 
7631 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7632 				err = -EINVAL;
7633 				goto out_free;
7634 			}
7635 
7636 			if (!wiphy->bands[band])
7637 				continue;
7638 
7639 			err = ieee80211_get_ratemask(wiphy->bands[band],
7640 						     nla_data(attr),
7641 						     nla_len(attr),
7642 						     &request->rates[band]);
7643 			if (err)
7644 				goto out_free;
7645 		}
7646 	}
7647 
7648 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7649 		if (!wiphy_ext_feature_isset(wiphy,
7650 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7651 			err = -EOPNOTSUPP;
7652 			goto out_free;
7653 		}
7654 
7655 		request->duration =
7656 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7657 		request->duration_mandatory =
7658 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7659 	}
7660 
7661 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7662 				       false);
7663 	if (err)
7664 		goto out_free;
7665 
7666 	request->no_cck =
7667 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7668 
7669 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7670 	 * BSSID to scan for. This was problematic because that same attribute
7671 	 * was already used for another purpose (local random MAC address). The
7672 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7673 	 * compatibility with older userspace components, also use the
7674 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7675 	 * the specific BSSID use case instead of the random MAC address
7676 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7677 	 */
7678 	if (info->attrs[NL80211_ATTR_BSSID])
7679 		memcpy(request->bssid,
7680 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7681 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7682 		 info->attrs[NL80211_ATTR_MAC])
7683 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7684 		       ETH_ALEN);
7685 	else
7686 		eth_broadcast_addr(request->bssid);
7687 
7688 	request->wdev = wdev;
7689 	request->wiphy = &rdev->wiphy;
7690 	request->scan_start = jiffies;
7691 
7692 	rdev->scan_req = request;
7693 	err = rdev_scan(rdev, request);
7694 
7695 	if (!err) {
7696 		nl80211_send_scan_start(rdev, wdev);
7697 		if (wdev->netdev)
7698 			dev_hold(wdev->netdev);
7699 	} else {
7700  out_free:
7701 		rdev->scan_req = NULL;
7702 		kfree(request);
7703 	}
7704 
7705  unlock:
7706 	return err;
7707 }
7708 
7709 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7710 {
7711 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7712 	struct wireless_dev *wdev = info->user_ptr[1];
7713 
7714 	if (!rdev->ops->abort_scan)
7715 		return -EOPNOTSUPP;
7716 
7717 	if (rdev->scan_msg)
7718 		return 0;
7719 
7720 	if (!rdev->scan_req)
7721 		return -ENOENT;
7722 
7723 	rdev_abort_scan(rdev, wdev);
7724 	return 0;
7725 }
7726 
7727 static int
7728 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7729 			       struct cfg80211_sched_scan_request *request,
7730 			       struct nlattr **attrs)
7731 {
7732 	int tmp, err, i = 0;
7733 	struct nlattr *attr;
7734 
7735 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7736 		u32 interval;
7737 
7738 		/*
7739 		 * If scan plans are not specified,
7740 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7741 		 * case one scan plan will be set with the specified scan
7742 		 * interval and infinite number of iterations.
7743 		 */
7744 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7745 		if (!interval)
7746 			return -EINVAL;
7747 
7748 		request->scan_plans[0].interval =
7749 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
7750 		if (!request->scan_plans[0].interval)
7751 			return -EINVAL;
7752 
7753 		if (request->scan_plans[0].interval >
7754 		    wiphy->max_sched_scan_plan_interval)
7755 			request->scan_plans[0].interval =
7756 				wiphy->max_sched_scan_plan_interval;
7757 
7758 		return 0;
7759 	}
7760 
7761 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7762 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7763 
7764 		if (WARN_ON(i >= n_plans))
7765 			return -EINVAL;
7766 
7767 		err = nla_parse_nested_deprecated(plan,
7768 						  NL80211_SCHED_SCAN_PLAN_MAX,
7769 						  attr, nl80211_plan_policy,
7770 						  NULL);
7771 		if (err)
7772 			return err;
7773 
7774 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7775 			return -EINVAL;
7776 
7777 		request->scan_plans[i].interval =
7778 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7779 		if (!request->scan_plans[i].interval ||
7780 		    request->scan_plans[i].interval >
7781 		    wiphy->max_sched_scan_plan_interval)
7782 			return -EINVAL;
7783 
7784 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7785 			request->scan_plans[i].iterations =
7786 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7787 			if (!request->scan_plans[i].iterations ||
7788 			    (request->scan_plans[i].iterations >
7789 			     wiphy->max_sched_scan_plan_iterations))
7790 				return -EINVAL;
7791 		} else if (i < n_plans - 1) {
7792 			/*
7793 			 * All scan plans but the last one must specify
7794 			 * a finite number of iterations
7795 			 */
7796 			return -EINVAL;
7797 		}
7798 
7799 		i++;
7800 	}
7801 
7802 	/*
7803 	 * The last scan plan must not specify the number of
7804 	 * iterations, it is supposed to run infinitely
7805 	 */
7806 	if (request->scan_plans[n_plans - 1].iterations)
7807 		return  -EINVAL;
7808 
7809 	return 0;
7810 }
7811 
7812 static int
7813 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
7814 				       struct cfg80211_match_set *match_sets,
7815 				       struct nlattr *tb_band_rssi,
7816 				       s32 rssi_thold)
7817 {
7818 	struct nlattr *attr;
7819 	int i, tmp, ret = 0;
7820 
7821 	if (!wiphy_ext_feature_isset(wiphy,
7822 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
7823 		if (tb_band_rssi)
7824 			ret = -EOPNOTSUPP;
7825 		else
7826 			for (i = 0; i < NUM_NL80211_BANDS; i++)
7827 				match_sets->per_band_rssi_thold[i] =
7828 					NL80211_SCAN_RSSI_THOLD_OFF;
7829 		return ret;
7830 	}
7831 
7832 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7833 		match_sets->per_band_rssi_thold[i] = rssi_thold;
7834 
7835 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
7836 		enum nl80211_band band = nla_type(attr);
7837 
7838 		if (band < 0 || band >= NUM_NL80211_BANDS)
7839 			return -EINVAL;
7840 
7841 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
7842 	}
7843 
7844 	return 0;
7845 }
7846 
7847 static struct cfg80211_sched_scan_request *
7848 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7849 			 struct nlattr **attrs, int max_match_sets)
7850 {
7851 	struct cfg80211_sched_scan_request *request;
7852 	struct nlattr *attr;
7853 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7854 	enum nl80211_band band;
7855 	size_t ie_len;
7856 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7857 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7858 
7859 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7860 		n_channels = validate_scan_freqs(
7861 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7862 		if (!n_channels)
7863 			return ERR_PTR(-EINVAL);
7864 	} else {
7865 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7866 	}
7867 
7868 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
7869 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7870 				    tmp)
7871 			n_ssids++;
7872 
7873 	if (n_ssids > wiphy->max_sched_scan_ssids)
7874 		return ERR_PTR(-EINVAL);
7875 
7876 	/*
7877 	 * First, count the number of 'real' matchsets. Due to an issue with
7878 	 * the old implementation, matchsets containing only the RSSI attribute
7879 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7880 	 * RSSI for all matchsets, rather than their own matchset for reporting
7881 	 * all APs with a strong RSSI. This is needed to be compatible with
7882 	 * older userspace that treated a matchset with only the RSSI as the
7883 	 * global RSSI for all other matchsets - if there are other matchsets.
7884 	 */
7885 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7886 		nla_for_each_nested(attr,
7887 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7888 				    tmp) {
7889 			struct nlattr *rssi;
7890 
7891 			err = nla_parse_nested_deprecated(tb,
7892 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7893 							  attr,
7894 							  nl80211_match_policy,
7895 							  NULL);
7896 			if (err)
7897 				return ERR_PTR(err);
7898 
7899 			/* SSID and BSSID are mutually exclusive */
7900 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7901 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7902 				return ERR_PTR(-EINVAL);
7903 
7904 			/* add other standalone attributes here */
7905 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7906 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7907 				n_match_sets++;
7908 				continue;
7909 			}
7910 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7911 			if (rssi)
7912 				default_match_rssi = nla_get_s32(rssi);
7913 		}
7914 	}
7915 
7916 	/* However, if there's no other matchset, add the RSSI one */
7917 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7918 		n_match_sets = 1;
7919 
7920 	if (n_match_sets > max_match_sets)
7921 		return ERR_PTR(-EINVAL);
7922 
7923 	if (attrs[NL80211_ATTR_IE])
7924 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7925 	else
7926 		ie_len = 0;
7927 
7928 	if (ie_len > wiphy->max_sched_scan_ie_len)
7929 		return ERR_PTR(-EINVAL);
7930 
7931 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7932 		/*
7933 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7934 		 * each scan plan already specifies its own interval
7935 		 */
7936 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7937 			return ERR_PTR(-EINVAL);
7938 
7939 		nla_for_each_nested(attr,
7940 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7941 			n_plans++;
7942 	} else {
7943 		/*
7944 		 * The scan interval attribute is kept for backward
7945 		 * compatibility. If no scan plans are specified and sched scan
7946 		 * interval is specified, one scan plan will be set with this
7947 		 * scan interval and infinite number of iterations.
7948 		 */
7949 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7950 			return ERR_PTR(-EINVAL);
7951 
7952 		n_plans = 1;
7953 	}
7954 
7955 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7956 		return ERR_PTR(-EINVAL);
7957 
7958 	if (!wiphy_ext_feature_isset(
7959 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7960 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7961 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7962 		return ERR_PTR(-EINVAL);
7963 
7964 	request = kzalloc(sizeof(*request)
7965 			+ sizeof(*request->ssids) * n_ssids
7966 			+ sizeof(*request->match_sets) * n_match_sets
7967 			+ sizeof(*request->scan_plans) * n_plans
7968 			+ sizeof(*request->channels) * n_channels
7969 			+ ie_len, GFP_KERNEL);
7970 	if (!request)
7971 		return ERR_PTR(-ENOMEM);
7972 
7973 	if (n_ssids)
7974 		request->ssids = (void *)&request->channels[n_channels];
7975 	request->n_ssids = n_ssids;
7976 	if (ie_len) {
7977 		if (n_ssids)
7978 			request->ie = (void *)(request->ssids + n_ssids);
7979 		else
7980 			request->ie = (void *)(request->channels + n_channels);
7981 	}
7982 
7983 	if (n_match_sets) {
7984 		if (request->ie)
7985 			request->match_sets = (void *)(request->ie + ie_len);
7986 		else if (n_ssids)
7987 			request->match_sets =
7988 				(void *)(request->ssids + n_ssids);
7989 		else
7990 			request->match_sets =
7991 				(void *)(request->channels + n_channels);
7992 	}
7993 	request->n_match_sets = n_match_sets;
7994 
7995 	if (n_match_sets)
7996 		request->scan_plans = (void *)(request->match_sets +
7997 					       n_match_sets);
7998 	else if (request->ie)
7999 		request->scan_plans = (void *)(request->ie + ie_len);
8000 	else if (n_ssids)
8001 		request->scan_plans = (void *)(request->ssids + n_ssids);
8002 	else
8003 		request->scan_plans = (void *)(request->channels + n_channels);
8004 
8005 	request->n_scan_plans = n_plans;
8006 
8007 	i = 0;
8008 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8009 		/* user specified, bail out if channel not found */
8010 		nla_for_each_nested(attr,
8011 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8012 				    tmp) {
8013 			struct ieee80211_channel *chan;
8014 
8015 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8016 
8017 			if (!chan) {
8018 				err = -EINVAL;
8019 				goto out_free;
8020 			}
8021 
8022 			/* ignore disabled channels */
8023 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8024 				continue;
8025 
8026 			request->channels[i] = chan;
8027 			i++;
8028 		}
8029 	} else {
8030 		/* all channels */
8031 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8032 			int j;
8033 
8034 			if (!wiphy->bands[band])
8035 				continue;
8036 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8037 				struct ieee80211_channel *chan;
8038 
8039 				chan = &wiphy->bands[band]->channels[j];
8040 
8041 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8042 					continue;
8043 
8044 				request->channels[i] = chan;
8045 				i++;
8046 			}
8047 		}
8048 	}
8049 
8050 	if (!i) {
8051 		err = -EINVAL;
8052 		goto out_free;
8053 	}
8054 
8055 	request->n_channels = i;
8056 
8057 	i = 0;
8058 	if (n_ssids) {
8059 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8060 				    tmp) {
8061 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8062 				err = -EINVAL;
8063 				goto out_free;
8064 			}
8065 			request->ssids[i].ssid_len = nla_len(attr);
8066 			memcpy(request->ssids[i].ssid, nla_data(attr),
8067 			       nla_len(attr));
8068 			i++;
8069 		}
8070 	}
8071 
8072 	i = 0;
8073 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8074 		nla_for_each_nested(attr,
8075 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8076 				    tmp) {
8077 			struct nlattr *ssid, *bssid, *rssi;
8078 
8079 			err = nla_parse_nested_deprecated(tb,
8080 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8081 							  attr,
8082 							  nl80211_match_policy,
8083 							  NULL);
8084 			if (err)
8085 				goto out_free;
8086 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8087 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8088 
8089 			if (!ssid && !bssid) {
8090 				i++;
8091 				continue;
8092 			}
8093 
8094 			if (WARN_ON(i >= n_match_sets)) {
8095 				/* this indicates a programming error,
8096 				 * the loop above should have verified
8097 				 * things properly
8098 				 */
8099 				err = -EINVAL;
8100 				goto out_free;
8101 			}
8102 
8103 			if (ssid) {
8104 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
8105 					err = -EINVAL;
8106 					goto out_free;
8107 				}
8108 				memcpy(request->match_sets[i].ssid.ssid,
8109 				       nla_data(ssid), nla_len(ssid));
8110 				request->match_sets[i].ssid.ssid_len =
8111 					nla_len(ssid);
8112 			}
8113 			if (bssid) {
8114 				if (nla_len(bssid) != ETH_ALEN) {
8115 					err = -EINVAL;
8116 					goto out_free;
8117 				}
8118 				memcpy(request->match_sets[i].bssid,
8119 				       nla_data(bssid), ETH_ALEN);
8120 			}
8121 
8122 			/* special attribute - old implementation w/a */
8123 			request->match_sets[i].rssi_thold = default_match_rssi;
8124 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8125 			if (rssi)
8126 				request->match_sets[i].rssi_thold =
8127 					nla_get_s32(rssi);
8128 
8129 			/* Parse per band RSSI attribute */
8130 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8131 				&request->match_sets[i],
8132 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8133 				request->match_sets[i].rssi_thold);
8134 			if (err)
8135 				goto out_free;
8136 
8137 			i++;
8138 		}
8139 
8140 		/* there was no other matchset, so the RSSI one is alone */
8141 		if (i == 0 && n_match_sets)
8142 			request->match_sets[0].rssi_thold = default_match_rssi;
8143 
8144 		request->min_rssi_thold = INT_MAX;
8145 		for (i = 0; i < n_match_sets; i++)
8146 			request->min_rssi_thold =
8147 				min(request->match_sets[i].rssi_thold,
8148 				    request->min_rssi_thold);
8149 	} else {
8150 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8151 	}
8152 
8153 	if (ie_len) {
8154 		request->ie_len = ie_len;
8155 		memcpy((void *)request->ie,
8156 		       nla_data(attrs[NL80211_ATTR_IE]),
8157 		       request->ie_len);
8158 	}
8159 
8160 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8161 	if (err)
8162 		goto out_free;
8163 
8164 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8165 		request->delay =
8166 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8167 
8168 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8169 		request->relative_rssi = nla_get_s8(
8170 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8171 		request->relative_rssi_set = true;
8172 	}
8173 
8174 	if (request->relative_rssi_set &&
8175 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8176 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8177 
8178 		rssi_adjust = nla_data(
8179 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8180 		request->rssi_adjust.band = rssi_adjust->band;
8181 		request->rssi_adjust.delta = rssi_adjust->delta;
8182 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8183 			err = -EINVAL;
8184 			goto out_free;
8185 		}
8186 	}
8187 
8188 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8189 	if (err)
8190 		goto out_free;
8191 
8192 	request->scan_start = jiffies;
8193 
8194 	return request;
8195 
8196 out_free:
8197 	kfree(request);
8198 	return ERR_PTR(err);
8199 }
8200 
8201 static int nl80211_start_sched_scan(struct sk_buff *skb,
8202 				    struct genl_info *info)
8203 {
8204 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8205 	struct net_device *dev = info->user_ptr[1];
8206 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8207 	struct cfg80211_sched_scan_request *sched_scan_req;
8208 	bool want_multi;
8209 	int err;
8210 
8211 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8212 		return -EOPNOTSUPP;
8213 
8214 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8215 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8216 	if (err)
8217 		return err;
8218 
8219 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8220 						  info->attrs,
8221 						  rdev->wiphy.max_match_sets);
8222 
8223 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8224 	if (err)
8225 		goto out_err;
8226 
8227 	/* leave request id zero for legacy request
8228 	 * or if driver does not support multi-scheduled scan
8229 	 */
8230 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1) {
8231 		while (!sched_scan_req->reqid)
8232 			sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8233 	}
8234 
8235 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8236 	if (err)
8237 		goto out_free;
8238 
8239 	sched_scan_req->dev = dev;
8240 	sched_scan_req->wiphy = &rdev->wiphy;
8241 
8242 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8243 		sched_scan_req->owner_nlportid = info->snd_portid;
8244 
8245 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8246 
8247 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8248 	return 0;
8249 
8250 out_free:
8251 	kfree(sched_scan_req);
8252 out_err:
8253 	return err;
8254 }
8255 
8256 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8257 				   struct genl_info *info)
8258 {
8259 	struct cfg80211_sched_scan_request *req;
8260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8261 	u64 cookie;
8262 
8263 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8264 		return -EOPNOTSUPP;
8265 
8266 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8267 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8268 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8269 	}
8270 
8271 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8272 				     struct cfg80211_sched_scan_request,
8273 				     list);
8274 	if (!req || req->reqid ||
8275 	    (req->owner_nlportid &&
8276 	     req->owner_nlportid != info->snd_portid))
8277 		return -ENOENT;
8278 
8279 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8280 }
8281 
8282 static int nl80211_start_radar_detection(struct sk_buff *skb,
8283 					 struct genl_info *info)
8284 {
8285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8286 	struct net_device *dev = info->user_ptr[1];
8287 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8288 	struct wiphy *wiphy = wdev->wiphy;
8289 	struct cfg80211_chan_def chandef;
8290 	enum nl80211_dfs_regions dfs_region;
8291 	unsigned int cac_time_ms;
8292 	int err;
8293 
8294 	dfs_region = reg_get_dfs_region(wiphy);
8295 	if (dfs_region == NL80211_DFS_UNSET)
8296 		return -EINVAL;
8297 
8298 	err = nl80211_parse_chandef(rdev, info, &chandef);
8299 	if (err)
8300 		return err;
8301 
8302 	if (netif_carrier_ok(dev))
8303 		return -EBUSY;
8304 
8305 	if (wdev->cac_started)
8306 		return -EBUSY;
8307 
8308 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8309 	if (err < 0)
8310 		return err;
8311 
8312 	if (err == 0)
8313 		return -EINVAL;
8314 
8315 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8316 		return -EINVAL;
8317 
8318 	/* CAC start is offloaded to HW and can't be started manually */
8319 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8320 		return -EOPNOTSUPP;
8321 
8322 	if (!rdev->ops->start_radar_detection)
8323 		return -EOPNOTSUPP;
8324 
8325 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8326 	if (WARN_ON(!cac_time_ms))
8327 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8328 
8329 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8330 	if (!err) {
8331 		wdev->chandef = chandef;
8332 		wdev->cac_started = true;
8333 		wdev->cac_start_time = jiffies;
8334 		wdev->cac_time_ms = cac_time_ms;
8335 	}
8336 	return err;
8337 }
8338 
8339 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8340 					  struct genl_info *info)
8341 {
8342 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8343 	struct net_device *dev = info->user_ptr[1];
8344 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8345 	struct wiphy *wiphy = wdev->wiphy;
8346 	struct cfg80211_chan_def chandef;
8347 	enum nl80211_dfs_regions dfs_region;
8348 	int err;
8349 
8350 	dfs_region = reg_get_dfs_region(wiphy);
8351 	if (dfs_region == NL80211_DFS_UNSET) {
8352 		GENL_SET_ERR_MSG(info,
8353 				 "DFS Region is not set. Unexpected Radar indication");
8354 		return -EINVAL;
8355 	}
8356 
8357 	err = nl80211_parse_chandef(rdev, info, &chandef);
8358 	if (err) {
8359 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8360 		return err;
8361 	}
8362 
8363 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8364 	if (err < 0) {
8365 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8366 		return err;
8367 	}
8368 
8369 	if (err == 0) {
8370 		GENL_SET_ERR_MSG(info,
8371 				 "Unexpected Radar indication for chandef/iftype");
8372 		return -EINVAL;
8373 	}
8374 
8375 	/* Do not process this notification if radar is already detected
8376 	 * by kernel on this channel, and return success.
8377 	 */
8378 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8379 		return 0;
8380 
8381 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8382 
8383 	cfg80211_sched_dfs_chan_update(rdev);
8384 
8385 	rdev->radar_chandef = chandef;
8386 
8387 	/* Propagate this notification to other radios as well */
8388 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8389 
8390 	return 0;
8391 }
8392 
8393 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8394 {
8395 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8396 	struct net_device *dev = info->user_ptr[1];
8397 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8398 	struct cfg80211_csa_settings params;
8399 	/* csa_attrs is defined static to avoid waste of stack size - this
8400 	 * function is called under RTNL lock, so this should not be a problem.
8401 	 */
8402 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8403 	int err;
8404 	bool need_new_beacon = false;
8405 	bool need_handle_dfs_flag = true;
8406 	int len, i;
8407 	u32 cs_count;
8408 
8409 	if (!rdev->ops->channel_switch ||
8410 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8411 		return -EOPNOTSUPP;
8412 
8413 	switch (dev->ieee80211_ptr->iftype) {
8414 	case NL80211_IFTYPE_AP:
8415 	case NL80211_IFTYPE_P2P_GO:
8416 		need_new_beacon = true;
8417 		/* For all modes except AP the handle_dfs flag needs to be
8418 		 * supplied to tell the kernel that userspace will handle radar
8419 		 * events when they happen. Otherwise a switch to a channel
8420 		 * requiring DFS will be rejected.
8421 		 */
8422 		need_handle_dfs_flag = false;
8423 
8424 		/* useless if AP is not running */
8425 		if (!wdev->beacon_interval)
8426 			return -ENOTCONN;
8427 		break;
8428 	case NL80211_IFTYPE_ADHOC:
8429 		if (!wdev->ssid_len)
8430 			return -ENOTCONN;
8431 		break;
8432 	case NL80211_IFTYPE_MESH_POINT:
8433 		if (!wdev->mesh_id_len)
8434 			return -ENOTCONN;
8435 		break;
8436 	default:
8437 		return -EOPNOTSUPP;
8438 	}
8439 
8440 	memset(&params, 0, sizeof(params));
8441 	params.beacon_csa.ftm_responder = -1;
8442 
8443 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8444 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8445 		return -EINVAL;
8446 
8447 	/* only important for AP, IBSS and mesh create IEs internally */
8448 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8449 		return -EINVAL;
8450 
8451 	/* Even though the attribute is u32, the specification says
8452 	 * u8, so let's make sure we don't overflow.
8453 	 */
8454 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8455 	if (cs_count > 255)
8456 		return -EINVAL;
8457 
8458 	params.count = cs_count;
8459 
8460 	if (!need_new_beacon)
8461 		goto skip_beacons;
8462 
8463 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8464 	if (err)
8465 		return err;
8466 
8467 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
8468 					  info->attrs[NL80211_ATTR_CSA_IES],
8469 					  nl80211_policy, info->extack);
8470 	if (err)
8471 		return err;
8472 
8473 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8474 	if (err)
8475 		return err;
8476 
8477 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8478 		return -EINVAL;
8479 
8480 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8481 	if (!len || (len % sizeof(u16)))
8482 		return -EINVAL;
8483 
8484 	params.n_counter_offsets_beacon = len / sizeof(u16);
8485 	if (rdev->wiphy.max_num_csa_counters &&
8486 	    (params.n_counter_offsets_beacon >
8487 	     rdev->wiphy.max_num_csa_counters))
8488 		return -EINVAL;
8489 
8490 	params.counter_offsets_beacon =
8491 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8492 
8493 	/* sanity checks - counters should fit and be the same */
8494 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8495 		u16 offset = params.counter_offsets_beacon[i];
8496 
8497 		if (offset >= params.beacon_csa.tail_len)
8498 			return -EINVAL;
8499 
8500 		if (params.beacon_csa.tail[offset] != params.count)
8501 			return -EINVAL;
8502 	}
8503 
8504 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8505 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8506 		if (!len || (len % sizeof(u16)))
8507 			return -EINVAL;
8508 
8509 		params.n_counter_offsets_presp = len / sizeof(u16);
8510 		if (rdev->wiphy.max_num_csa_counters &&
8511 		    (params.n_counter_offsets_presp >
8512 		     rdev->wiphy.max_num_csa_counters))
8513 			return -EINVAL;
8514 
8515 		params.counter_offsets_presp =
8516 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8517 
8518 		/* sanity checks - counters should fit and be the same */
8519 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8520 			u16 offset = params.counter_offsets_presp[i];
8521 
8522 			if (offset >= params.beacon_csa.probe_resp_len)
8523 				return -EINVAL;
8524 
8525 			if (params.beacon_csa.probe_resp[offset] !=
8526 			    params.count)
8527 				return -EINVAL;
8528 		}
8529 	}
8530 
8531 skip_beacons:
8532 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8533 	if (err)
8534 		return err;
8535 
8536 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8537 					   wdev->iftype))
8538 		return -EINVAL;
8539 
8540 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8541 					    &params.chandef,
8542 					    wdev->iftype);
8543 	if (err < 0)
8544 		return err;
8545 
8546 	if (err > 0) {
8547 		params.radar_required = true;
8548 		if (need_handle_dfs_flag &&
8549 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8550 			return -EINVAL;
8551 		}
8552 	}
8553 
8554 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8555 		params.block_tx = true;
8556 
8557 	wdev_lock(wdev);
8558 	err = rdev_channel_switch(rdev, dev, &params);
8559 	wdev_unlock(wdev);
8560 
8561 	return err;
8562 }
8563 
8564 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8565 			    u32 seq, int flags,
8566 			    struct cfg80211_registered_device *rdev,
8567 			    struct wireless_dev *wdev,
8568 			    struct cfg80211_internal_bss *intbss)
8569 {
8570 	struct cfg80211_bss *res = &intbss->pub;
8571 	const struct cfg80211_bss_ies *ies;
8572 	void *hdr;
8573 	struct nlattr *bss;
8574 
8575 	ASSERT_WDEV_LOCK(wdev);
8576 
8577 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8578 			     NL80211_CMD_NEW_SCAN_RESULTS);
8579 	if (!hdr)
8580 		return -1;
8581 
8582 	genl_dump_check_consistent(cb, hdr);
8583 
8584 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8585 		goto nla_put_failure;
8586 	if (wdev->netdev &&
8587 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8588 		goto nla_put_failure;
8589 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8590 			      NL80211_ATTR_PAD))
8591 		goto nla_put_failure;
8592 
8593 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
8594 	if (!bss)
8595 		goto nla_put_failure;
8596 	if ((!is_zero_ether_addr(res->bssid) &&
8597 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8598 		goto nla_put_failure;
8599 
8600 	rcu_read_lock();
8601 	/* indicate whether we have probe response data or not */
8602 	if (rcu_access_pointer(res->proberesp_ies) &&
8603 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8604 		goto fail_unlock_rcu;
8605 
8606 	/* this pointer prefers to be pointed to probe response data
8607 	 * but is always valid
8608 	 */
8609 	ies = rcu_dereference(res->ies);
8610 	if (ies) {
8611 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8612 				      NL80211_BSS_PAD))
8613 			goto fail_unlock_rcu;
8614 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8615 					ies->len, ies->data))
8616 			goto fail_unlock_rcu;
8617 	}
8618 
8619 	/* and this pointer is always (unless driver didn't know) beacon data */
8620 	ies = rcu_dereference(res->beacon_ies);
8621 	if (ies && ies->from_beacon) {
8622 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8623 				      NL80211_BSS_PAD))
8624 			goto fail_unlock_rcu;
8625 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8626 					ies->len, ies->data))
8627 			goto fail_unlock_rcu;
8628 	}
8629 	rcu_read_unlock();
8630 
8631 	if (res->beacon_interval &&
8632 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8633 		goto nla_put_failure;
8634 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8635 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8636 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8637 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8638 			jiffies_to_msecs(jiffies - intbss->ts)))
8639 		goto nla_put_failure;
8640 
8641 	if (intbss->parent_tsf &&
8642 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8643 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8644 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8645 		     intbss->parent_bssid)))
8646 		goto nla_put_failure;
8647 
8648 	if (intbss->ts_boottime &&
8649 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8650 			      intbss->ts_boottime, NL80211_BSS_PAD))
8651 		goto nla_put_failure;
8652 
8653 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8654 				intbss->pub.chain_signal,
8655 				NL80211_BSS_CHAIN_SIGNAL))
8656 		goto nla_put_failure;
8657 
8658 	switch (rdev->wiphy.signal_type) {
8659 	case CFG80211_SIGNAL_TYPE_MBM:
8660 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8661 			goto nla_put_failure;
8662 		break;
8663 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8664 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8665 			goto nla_put_failure;
8666 		break;
8667 	default:
8668 		break;
8669 	}
8670 
8671 	switch (wdev->iftype) {
8672 	case NL80211_IFTYPE_P2P_CLIENT:
8673 	case NL80211_IFTYPE_STATION:
8674 		if (intbss == wdev->current_bss &&
8675 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8676 				NL80211_BSS_STATUS_ASSOCIATED))
8677 			goto nla_put_failure;
8678 		break;
8679 	case NL80211_IFTYPE_ADHOC:
8680 		if (intbss == wdev->current_bss &&
8681 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8682 				NL80211_BSS_STATUS_IBSS_JOINED))
8683 			goto nla_put_failure;
8684 		break;
8685 	default:
8686 		break;
8687 	}
8688 
8689 	nla_nest_end(msg, bss);
8690 
8691 	genlmsg_end(msg, hdr);
8692 	return 0;
8693 
8694  fail_unlock_rcu:
8695 	rcu_read_unlock();
8696  nla_put_failure:
8697 	genlmsg_cancel(msg, hdr);
8698 	return -EMSGSIZE;
8699 }
8700 
8701 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8702 {
8703 	struct cfg80211_registered_device *rdev;
8704 	struct cfg80211_internal_bss *scan;
8705 	struct wireless_dev *wdev;
8706 	int start = cb->args[2], idx = 0;
8707 	int err;
8708 
8709 	rtnl_lock();
8710 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8711 	if (err) {
8712 		rtnl_unlock();
8713 		return err;
8714 	}
8715 
8716 	wdev_lock(wdev);
8717 	spin_lock_bh(&rdev->bss_lock);
8718 
8719 	/*
8720 	 * dump_scan will be called multiple times to break up the scan results
8721 	 * into multiple messages.  It is unlikely that any more bss-es will be
8722 	 * expired after the first call, so only call only call this on the
8723 	 * first dump_scan invocation.
8724 	 */
8725 	if (start == 0)
8726 		cfg80211_bss_expire(rdev);
8727 
8728 	cb->seq = rdev->bss_generation;
8729 
8730 	list_for_each_entry(scan, &rdev->bss_list, list) {
8731 		if (++idx <= start)
8732 			continue;
8733 		if (nl80211_send_bss(skb, cb,
8734 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8735 				rdev, wdev, scan) < 0) {
8736 			idx--;
8737 			break;
8738 		}
8739 	}
8740 
8741 	spin_unlock_bh(&rdev->bss_lock);
8742 	wdev_unlock(wdev);
8743 
8744 	cb->args[2] = idx;
8745 	rtnl_unlock();
8746 
8747 	return skb->len;
8748 }
8749 
8750 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
8751 			       int flags, struct net_device *dev,
8752 			       bool allow_radio_stats,
8753 			       struct survey_info *survey)
8754 {
8755 	void *hdr;
8756 	struct nlattr *infoattr;
8757 
8758 	/* skip radio stats if userspace didn't request them */
8759 	if (!survey->channel && !allow_radio_stats)
8760 		return 0;
8761 
8762 	hdr = nl80211hdr_put(msg, portid, seq, flags,
8763 			     NL80211_CMD_NEW_SURVEY_RESULTS);
8764 	if (!hdr)
8765 		return -ENOMEM;
8766 
8767 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
8768 		goto nla_put_failure;
8769 
8770 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
8771 	if (!infoattr)
8772 		goto nla_put_failure;
8773 
8774 	if (survey->channel &&
8775 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
8776 			survey->channel->center_freq))
8777 		goto nla_put_failure;
8778 
8779 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
8780 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
8781 		goto nla_put_failure;
8782 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
8783 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
8784 		goto nla_put_failure;
8785 	if ((survey->filled & SURVEY_INFO_TIME) &&
8786 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
8787 			survey->time, NL80211_SURVEY_INFO_PAD))
8788 		goto nla_put_failure;
8789 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
8790 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
8791 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
8792 		goto nla_put_failure;
8793 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
8794 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
8795 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
8796 		goto nla_put_failure;
8797 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
8798 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
8799 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
8800 		goto nla_put_failure;
8801 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
8802 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
8803 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
8804 		goto nla_put_failure;
8805 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
8806 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
8807 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
8808 		goto nla_put_failure;
8809 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
8810 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
8811 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
8812 		goto nla_put_failure;
8813 
8814 	nla_nest_end(msg, infoattr);
8815 
8816 	genlmsg_end(msg, hdr);
8817 	return 0;
8818 
8819  nla_put_failure:
8820 	genlmsg_cancel(msg, hdr);
8821 	return -EMSGSIZE;
8822 }
8823 
8824 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
8825 {
8826 	struct nlattr **attrbuf;
8827 	struct survey_info survey;
8828 	struct cfg80211_registered_device *rdev;
8829 	struct wireless_dev *wdev;
8830 	int survey_idx = cb->args[2];
8831 	int res;
8832 	bool radio_stats;
8833 
8834 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
8835 	if (!attrbuf)
8836 		return -ENOMEM;
8837 
8838 	rtnl_lock();
8839 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8840 	if (res)
8841 		goto out_err;
8842 
8843 	/* prepare_wdev_dump parsed the attributes */
8844 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
8845 
8846 	if (!wdev->netdev) {
8847 		res = -EINVAL;
8848 		goto out_err;
8849 	}
8850 
8851 	if (!rdev->ops->dump_survey) {
8852 		res = -EOPNOTSUPP;
8853 		goto out_err;
8854 	}
8855 
8856 	while (1) {
8857 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
8858 		if (res == -ENOENT)
8859 			break;
8860 		if (res)
8861 			goto out_err;
8862 
8863 		/* don't send disabled channels, but do send non-channel data */
8864 		if (survey.channel &&
8865 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
8866 			survey_idx++;
8867 			continue;
8868 		}
8869 
8870 		if (nl80211_send_survey(skb,
8871 				NETLINK_CB(cb->skb).portid,
8872 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8873 				wdev->netdev, radio_stats, &survey) < 0)
8874 			goto out;
8875 		survey_idx++;
8876 	}
8877 
8878  out:
8879 	cb->args[2] = survey_idx;
8880 	res = skb->len;
8881  out_err:
8882 	kfree(attrbuf);
8883 	rtnl_unlock();
8884 	return res;
8885 }
8886 
8887 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
8888 {
8889 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
8890 				  NL80211_WPA_VERSION_2 |
8891 				  NL80211_WPA_VERSION_3));
8892 }
8893 
8894 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
8895 {
8896 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8897 	struct net_device *dev = info->user_ptr[1];
8898 	struct ieee80211_channel *chan;
8899 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
8900 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
8901 	enum nl80211_auth_type auth_type;
8902 	struct key_parse key;
8903 	bool local_state_change;
8904 
8905 	if (!info->attrs[NL80211_ATTR_MAC])
8906 		return -EINVAL;
8907 
8908 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
8909 		return -EINVAL;
8910 
8911 	if (!info->attrs[NL80211_ATTR_SSID])
8912 		return -EINVAL;
8913 
8914 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8915 		return -EINVAL;
8916 
8917 	err = nl80211_parse_key(info, &key);
8918 	if (err)
8919 		return err;
8920 
8921 	if (key.idx >= 0) {
8922 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
8923 			return -EINVAL;
8924 		if (!key.p.key || !key.p.key_len)
8925 			return -EINVAL;
8926 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
8927 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
8928 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
8929 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
8930 			return -EINVAL;
8931 		if (key.idx > 3)
8932 			return -EINVAL;
8933 	} else {
8934 		key.p.key_len = 0;
8935 		key.p.key = NULL;
8936 	}
8937 
8938 	if (key.idx >= 0) {
8939 		int i;
8940 		bool ok = false;
8941 
8942 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
8943 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
8944 				ok = true;
8945 				break;
8946 			}
8947 		}
8948 		if (!ok)
8949 			return -EINVAL;
8950 	}
8951 
8952 	if (!rdev->ops->auth)
8953 		return -EOPNOTSUPP;
8954 
8955 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8956 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8957 		return -EOPNOTSUPP;
8958 
8959 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8960 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8961 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8962 	if (!chan)
8963 		return -EINVAL;
8964 
8965 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8966 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8967 
8968 	if (info->attrs[NL80211_ATTR_IE]) {
8969 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8970 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8971 	}
8972 
8973 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8974 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
8975 		return -EINVAL;
8976 
8977 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
8978 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
8979 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
8980 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
8981 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
8982 		return -EINVAL;
8983 
8984 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
8985 		if (auth_type != NL80211_AUTHTYPE_SAE &&
8986 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
8987 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
8988 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
8989 			return -EINVAL;
8990 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
8991 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
8992 		/* need to include at least Auth Transaction and Status Code */
8993 		if (auth_data_len < 4)
8994 			return -EINVAL;
8995 	}
8996 
8997 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8998 
8999 	/*
9000 	 * Since we no longer track auth state, ignore
9001 	 * requests to only change local state.
9002 	 */
9003 	if (local_state_change)
9004 		return 0;
9005 
9006 	wdev_lock(dev->ieee80211_ptr);
9007 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9008 				 ssid, ssid_len, ie, ie_len,
9009 				 key.p.key, key.p.key_len, key.idx,
9010 				 auth_data, auth_data_len);
9011 	wdev_unlock(dev->ieee80211_ptr);
9012 	return err;
9013 }
9014 
9015 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9016 				     struct genl_info *info)
9017 {
9018 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9019 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9020 		return -EINVAL;
9021 	}
9022 
9023 	if (!rdev->ops->tx_control_port ||
9024 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9025 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9026 		return -EOPNOTSUPP;
9027 
9028 	return 0;
9029 }
9030 
9031 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9032 				   struct genl_info *info,
9033 				   struct cfg80211_crypto_settings *settings,
9034 				   int cipher_limit)
9035 {
9036 	memset(settings, 0, sizeof(*settings));
9037 
9038 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9039 
9040 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9041 		u16 proto;
9042 
9043 		proto = nla_get_u16(
9044 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9045 		settings->control_port_ethertype = cpu_to_be16(proto);
9046 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9047 		    proto != ETH_P_PAE)
9048 			return -EINVAL;
9049 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9050 			settings->control_port_no_encrypt = true;
9051 	} else
9052 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9053 
9054 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9055 		int r = validate_pae_over_nl80211(rdev, info);
9056 
9057 		if (r < 0)
9058 			return r;
9059 
9060 		settings->control_port_over_nl80211 = true;
9061 	}
9062 
9063 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9064 		void *data;
9065 		int len, i;
9066 
9067 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9068 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9069 		settings->n_ciphers_pairwise = len / sizeof(u32);
9070 
9071 		if (len % sizeof(u32))
9072 			return -EINVAL;
9073 
9074 		if (settings->n_ciphers_pairwise > cipher_limit)
9075 			return -EINVAL;
9076 
9077 		memcpy(settings->ciphers_pairwise, data, len);
9078 
9079 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9080 			if (!cfg80211_supported_cipher_suite(
9081 					&rdev->wiphy,
9082 					settings->ciphers_pairwise[i]))
9083 				return -EINVAL;
9084 	}
9085 
9086 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9087 		settings->cipher_group =
9088 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9089 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9090 						     settings->cipher_group))
9091 			return -EINVAL;
9092 	}
9093 
9094 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9095 		settings->wpa_versions =
9096 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9097 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9098 			return -EINVAL;
9099 	}
9100 
9101 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9102 		void *data;
9103 		int len;
9104 
9105 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9106 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9107 		settings->n_akm_suites = len / sizeof(u32);
9108 
9109 		if (len % sizeof(u32))
9110 			return -EINVAL;
9111 
9112 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9113 			return -EINVAL;
9114 
9115 		memcpy(settings->akm_suites, data, len);
9116 	}
9117 
9118 	if (info->attrs[NL80211_ATTR_PMK]) {
9119 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9120 			return -EINVAL;
9121 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9122 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
9123 			return -EINVAL;
9124 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9125 	}
9126 
9127 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9128 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9129 					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
9130 			return -EINVAL;
9131 		settings->sae_pwd =
9132 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9133 		settings->sae_pwd_len =
9134 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9135 	}
9136 
9137 	return 0;
9138 }
9139 
9140 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9141 {
9142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9143 	struct net_device *dev = info->user_ptr[1];
9144 	struct ieee80211_channel *chan;
9145 	struct cfg80211_assoc_request req = {};
9146 	const u8 *bssid, *ssid;
9147 	int err, ssid_len = 0;
9148 
9149 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9150 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9151 		return -EPERM;
9152 
9153 	if (!info->attrs[NL80211_ATTR_MAC] ||
9154 	    !info->attrs[NL80211_ATTR_SSID] ||
9155 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9156 		return -EINVAL;
9157 
9158 	if (!rdev->ops->assoc)
9159 		return -EOPNOTSUPP;
9160 
9161 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9162 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9163 		return -EOPNOTSUPP;
9164 
9165 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9166 
9167 	chan = nl80211_get_valid_chan(&rdev->wiphy,
9168 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9169 	if (!chan)
9170 		return -EINVAL;
9171 
9172 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9173 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9174 
9175 	if (info->attrs[NL80211_ATTR_IE]) {
9176 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9177 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9178 	}
9179 
9180 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9181 		enum nl80211_mfp mfp =
9182 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9183 		if (mfp == NL80211_MFP_REQUIRED)
9184 			req.use_mfp = true;
9185 		else if (mfp != NL80211_MFP_NO)
9186 			return -EINVAL;
9187 	}
9188 
9189 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9190 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9191 
9192 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9193 		req.flags |= ASSOC_REQ_DISABLE_HT;
9194 
9195 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9196 		memcpy(&req.ht_capa_mask,
9197 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9198 		       sizeof(req.ht_capa_mask));
9199 
9200 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9201 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9202 			return -EINVAL;
9203 		memcpy(&req.ht_capa,
9204 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9205 		       sizeof(req.ht_capa));
9206 	}
9207 
9208 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9209 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9210 
9211 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9212 		memcpy(&req.vht_capa_mask,
9213 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9214 		       sizeof(req.vht_capa_mask));
9215 
9216 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9217 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9218 			return -EINVAL;
9219 		memcpy(&req.vht_capa,
9220 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9221 		       sizeof(req.vht_capa));
9222 	}
9223 
9224 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9225 		if (!((rdev->wiphy.features &
9226 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9227 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9228 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9229 					     NL80211_EXT_FEATURE_RRM))
9230 			return -EINVAL;
9231 		req.flags |= ASSOC_REQ_USE_RRM;
9232 	}
9233 
9234 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9235 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9236 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9237 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9238 			return -EINVAL;
9239 		req.fils_nonces =
9240 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9241 	}
9242 
9243 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9244 	if (!err) {
9245 		wdev_lock(dev->ieee80211_ptr);
9246 
9247 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9248 					  ssid, ssid_len, &req);
9249 
9250 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9251 			dev->ieee80211_ptr->conn_owner_nlportid =
9252 				info->snd_portid;
9253 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9254 			       bssid, ETH_ALEN);
9255 		}
9256 
9257 		wdev_unlock(dev->ieee80211_ptr);
9258 	}
9259 
9260 	return err;
9261 }
9262 
9263 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9264 {
9265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9266 	struct net_device *dev = info->user_ptr[1];
9267 	const u8 *ie = NULL, *bssid;
9268 	int ie_len = 0, err;
9269 	u16 reason_code;
9270 	bool local_state_change;
9271 
9272 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9273 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9274 		return -EPERM;
9275 
9276 	if (!info->attrs[NL80211_ATTR_MAC])
9277 		return -EINVAL;
9278 
9279 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9280 		return -EINVAL;
9281 
9282 	if (!rdev->ops->deauth)
9283 		return -EOPNOTSUPP;
9284 
9285 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9286 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9287 		return -EOPNOTSUPP;
9288 
9289 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9290 
9291 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9292 	if (reason_code == 0) {
9293 		/* Reason Code 0 is reserved */
9294 		return -EINVAL;
9295 	}
9296 
9297 	if (info->attrs[NL80211_ATTR_IE]) {
9298 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9299 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9300 	}
9301 
9302 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9303 
9304 	wdev_lock(dev->ieee80211_ptr);
9305 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9306 				   local_state_change);
9307 	wdev_unlock(dev->ieee80211_ptr);
9308 	return err;
9309 }
9310 
9311 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9312 {
9313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9314 	struct net_device *dev = info->user_ptr[1];
9315 	const u8 *ie = NULL, *bssid;
9316 	int ie_len = 0, err;
9317 	u16 reason_code;
9318 	bool local_state_change;
9319 
9320 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9321 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9322 		return -EPERM;
9323 
9324 	if (!info->attrs[NL80211_ATTR_MAC])
9325 		return -EINVAL;
9326 
9327 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9328 		return -EINVAL;
9329 
9330 	if (!rdev->ops->disassoc)
9331 		return -EOPNOTSUPP;
9332 
9333 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9334 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9335 		return -EOPNOTSUPP;
9336 
9337 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9338 
9339 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9340 	if (reason_code == 0) {
9341 		/* Reason Code 0 is reserved */
9342 		return -EINVAL;
9343 	}
9344 
9345 	if (info->attrs[NL80211_ATTR_IE]) {
9346 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9347 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9348 	}
9349 
9350 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9351 
9352 	wdev_lock(dev->ieee80211_ptr);
9353 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9354 				     local_state_change);
9355 	wdev_unlock(dev->ieee80211_ptr);
9356 	return err;
9357 }
9358 
9359 static bool
9360 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9361 			 int mcast_rate[NUM_NL80211_BANDS],
9362 			 int rateval)
9363 {
9364 	struct wiphy *wiphy = &rdev->wiphy;
9365 	bool found = false;
9366 	int band, i;
9367 
9368 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9369 		struct ieee80211_supported_band *sband;
9370 
9371 		sband = wiphy->bands[band];
9372 		if (!sband)
9373 			continue;
9374 
9375 		for (i = 0; i < sband->n_bitrates; i++) {
9376 			if (sband->bitrates[i].bitrate == rateval) {
9377 				mcast_rate[band] = i + 1;
9378 				found = true;
9379 				break;
9380 			}
9381 		}
9382 	}
9383 
9384 	return found;
9385 }
9386 
9387 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9388 {
9389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9390 	struct net_device *dev = info->user_ptr[1];
9391 	struct cfg80211_ibss_params ibss;
9392 	struct wiphy *wiphy;
9393 	struct cfg80211_cached_keys *connkeys = NULL;
9394 	int err;
9395 
9396 	memset(&ibss, 0, sizeof(ibss));
9397 
9398 	if (!info->attrs[NL80211_ATTR_SSID] ||
9399 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9400 		return -EINVAL;
9401 
9402 	ibss.beacon_interval = 100;
9403 
9404 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9405 		ibss.beacon_interval =
9406 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9407 
9408 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9409 					   ibss.beacon_interval);
9410 	if (err)
9411 		return err;
9412 
9413 	if (!rdev->ops->join_ibss)
9414 		return -EOPNOTSUPP;
9415 
9416 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9417 		return -EOPNOTSUPP;
9418 
9419 	wiphy = &rdev->wiphy;
9420 
9421 	if (info->attrs[NL80211_ATTR_MAC]) {
9422 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9423 
9424 		if (!is_valid_ether_addr(ibss.bssid))
9425 			return -EINVAL;
9426 	}
9427 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9428 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9429 
9430 	if (info->attrs[NL80211_ATTR_IE]) {
9431 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9432 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9433 	}
9434 
9435 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9436 	if (err)
9437 		return err;
9438 
9439 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9440 				     NL80211_IFTYPE_ADHOC))
9441 		return -EINVAL;
9442 
9443 	switch (ibss.chandef.width) {
9444 	case NL80211_CHAN_WIDTH_5:
9445 	case NL80211_CHAN_WIDTH_10:
9446 	case NL80211_CHAN_WIDTH_20_NOHT:
9447 		break;
9448 	case NL80211_CHAN_WIDTH_20:
9449 	case NL80211_CHAN_WIDTH_40:
9450 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9451 			return -EINVAL;
9452 		break;
9453 	case NL80211_CHAN_WIDTH_80:
9454 	case NL80211_CHAN_WIDTH_80P80:
9455 	case NL80211_CHAN_WIDTH_160:
9456 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9457 			return -EINVAL;
9458 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9459 					     NL80211_EXT_FEATURE_VHT_IBSS))
9460 			return -EINVAL;
9461 		break;
9462 	default:
9463 		return -EINVAL;
9464 	}
9465 
9466 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9467 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9468 
9469 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9470 		u8 *rates =
9471 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9472 		int n_rates =
9473 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9474 		struct ieee80211_supported_band *sband =
9475 			wiphy->bands[ibss.chandef.chan->band];
9476 
9477 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9478 					     &ibss.basic_rates);
9479 		if (err)
9480 			return err;
9481 	}
9482 
9483 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9484 		memcpy(&ibss.ht_capa_mask,
9485 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9486 		       sizeof(ibss.ht_capa_mask));
9487 
9488 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9489 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9490 			return -EINVAL;
9491 		memcpy(&ibss.ht_capa,
9492 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9493 		       sizeof(ibss.ht_capa));
9494 	}
9495 
9496 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9497 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9498 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9499 		return -EINVAL;
9500 
9501 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9502 		bool no_ht = false;
9503 
9504 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9505 		if (IS_ERR(connkeys))
9506 			return PTR_ERR(connkeys);
9507 
9508 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9509 		    no_ht) {
9510 			kzfree(connkeys);
9511 			return -EINVAL;
9512 		}
9513 	}
9514 
9515 	ibss.control_port =
9516 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9517 
9518 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9519 		int r = validate_pae_over_nl80211(rdev, info);
9520 
9521 		if (r < 0) {
9522 			kzfree(connkeys);
9523 			return r;
9524 		}
9525 
9526 		ibss.control_port_over_nl80211 = true;
9527 	}
9528 
9529 	ibss.userspace_handles_dfs =
9530 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9531 
9532 	wdev_lock(dev->ieee80211_ptr);
9533 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9534 	if (err)
9535 		kzfree(connkeys);
9536 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9537 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9538 	wdev_unlock(dev->ieee80211_ptr);
9539 
9540 	return err;
9541 }
9542 
9543 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9544 {
9545 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9546 	struct net_device *dev = info->user_ptr[1];
9547 
9548 	if (!rdev->ops->leave_ibss)
9549 		return -EOPNOTSUPP;
9550 
9551 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9552 		return -EOPNOTSUPP;
9553 
9554 	return cfg80211_leave_ibss(rdev, dev, false);
9555 }
9556 
9557 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9558 {
9559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9560 	struct net_device *dev = info->user_ptr[1];
9561 	int mcast_rate[NUM_NL80211_BANDS];
9562 	u32 nla_rate;
9563 	int err;
9564 
9565 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9566 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9567 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9568 		return -EOPNOTSUPP;
9569 
9570 	if (!rdev->ops->set_mcast_rate)
9571 		return -EOPNOTSUPP;
9572 
9573 	memset(mcast_rate, 0, sizeof(mcast_rate));
9574 
9575 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9576 		return -EINVAL;
9577 
9578 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9579 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9580 		return -EINVAL;
9581 
9582 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9583 
9584 	return err;
9585 }
9586 
9587 static struct sk_buff *
9588 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9589 			    struct wireless_dev *wdev, int approxlen,
9590 			    u32 portid, u32 seq, enum nl80211_commands cmd,
9591 			    enum nl80211_attrs attr,
9592 			    const struct nl80211_vendor_cmd_info *info,
9593 			    gfp_t gfp)
9594 {
9595 	struct sk_buff *skb;
9596 	void *hdr;
9597 	struct nlattr *data;
9598 
9599 	skb = nlmsg_new(approxlen + 100, gfp);
9600 	if (!skb)
9601 		return NULL;
9602 
9603 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9604 	if (!hdr) {
9605 		kfree_skb(skb);
9606 		return NULL;
9607 	}
9608 
9609 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9610 		goto nla_put_failure;
9611 
9612 	if (info) {
9613 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9614 				info->vendor_id))
9615 			goto nla_put_failure;
9616 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9617 				info->subcmd))
9618 			goto nla_put_failure;
9619 	}
9620 
9621 	if (wdev) {
9622 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9623 				      wdev_id(wdev), NL80211_ATTR_PAD))
9624 			goto nla_put_failure;
9625 		if (wdev->netdev &&
9626 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9627 				wdev->netdev->ifindex))
9628 			goto nla_put_failure;
9629 	}
9630 
9631 	data = nla_nest_start_noflag(skb, attr);
9632 	if (!data)
9633 		goto nla_put_failure;
9634 
9635 	((void **)skb->cb)[0] = rdev;
9636 	((void **)skb->cb)[1] = hdr;
9637 	((void **)skb->cb)[2] = data;
9638 
9639 	return skb;
9640 
9641  nla_put_failure:
9642 	kfree_skb(skb);
9643 	return NULL;
9644 }
9645 
9646 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9647 					   struct wireless_dev *wdev,
9648 					   enum nl80211_commands cmd,
9649 					   enum nl80211_attrs attr,
9650 					   unsigned int portid,
9651 					   int vendor_event_idx,
9652 					   int approxlen, gfp_t gfp)
9653 {
9654 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9655 	const struct nl80211_vendor_cmd_info *info;
9656 
9657 	switch (cmd) {
9658 	case NL80211_CMD_TESTMODE:
9659 		if (WARN_ON(vendor_event_idx != -1))
9660 			return NULL;
9661 		info = NULL;
9662 		break;
9663 	case NL80211_CMD_VENDOR:
9664 		if (WARN_ON(vendor_event_idx < 0 ||
9665 			    vendor_event_idx >= wiphy->n_vendor_events))
9666 			return NULL;
9667 		info = &wiphy->vendor_events[vendor_event_idx];
9668 		break;
9669 	default:
9670 		WARN_ON(1);
9671 		return NULL;
9672 	}
9673 
9674 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
9675 					   cmd, attr, info, gfp);
9676 }
9677 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9678 
9679 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9680 {
9681 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9682 	void *hdr = ((void **)skb->cb)[1];
9683 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
9684 	struct nlattr *data = ((void **)skb->cb)[2];
9685 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9686 
9687 	/* clear CB data for netlink core to own from now on */
9688 	memset(skb->cb, 0, sizeof(skb->cb));
9689 
9690 	nla_nest_end(skb, data);
9691 	genlmsg_end(skb, hdr);
9692 
9693 	if (nlhdr->nlmsg_pid) {
9694 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
9695 				nlhdr->nlmsg_pid);
9696 	} else {
9697 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9698 			mcgrp = NL80211_MCGRP_VENDOR;
9699 
9700 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
9701 					skb, 0, mcgrp, gfp);
9702 	}
9703 }
9704 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9705 
9706 #ifdef CONFIG_NL80211_TESTMODE
9707 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9708 {
9709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9710 	struct wireless_dev *wdev =
9711 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9712 	int err;
9713 
9714 	if (!rdev->ops->testmode_cmd)
9715 		return -EOPNOTSUPP;
9716 
9717 	if (IS_ERR(wdev)) {
9718 		err = PTR_ERR(wdev);
9719 		if (err != -EINVAL)
9720 			return err;
9721 		wdev = NULL;
9722 	} else if (wdev->wiphy != &rdev->wiphy) {
9723 		return -EINVAL;
9724 	}
9725 
9726 	if (!info->attrs[NL80211_ATTR_TESTDATA])
9727 		return -EINVAL;
9728 
9729 	rdev->cur_cmd_info = info;
9730 	err = rdev_testmode_cmd(rdev, wdev,
9731 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
9732 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
9733 	rdev->cur_cmd_info = NULL;
9734 
9735 	return err;
9736 }
9737 
9738 static int nl80211_testmode_dump(struct sk_buff *skb,
9739 				 struct netlink_callback *cb)
9740 {
9741 	struct cfg80211_registered_device *rdev;
9742 	struct nlattr **attrbuf = NULL;
9743 	int err;
9744 	long phy_idx;
9745 	void *data = NULL;
9746 	int data_len = 0;
9747 
9748 	rtnl_lock();
9749 
9750 	if (cb->args[0]) {
9751 		/*
9752 		 * 0 is a valid index, but not valid for args[0],
9753 		 * so we need to offset by 1.
9754 		 */
9755 		phy_idx = cb->args[0] - 1;
9756 
9757 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
9758 		if (!rdev) {
9759 			err = -ENOENT;
9760 			goto out_err;
9761 		}
9762 	} else {
9763 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
9764 				  GFP_KERNEL);
9765 		if (!attrbuf) {
9766 			err = -ENOMEM;
9767 			goto out_err;
9768 		}
9769 
9770 		err = nlmsg_parse_deprecated(cb->nlh,
9771 					     GENL_HDRLEN + nl80211_fam.hdrsize,
9772 					     attrbuf, nl80211_fam.maxattr,
9773 					     nl80211_policy, NULL);
9774 		if (err)
9775 			goto out_err;
9776 
9777 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
9778 		if (IS_ERR(rdev)) {
9779 			err = PTR_ERR(rdev);
9780 			goto out_err;
9781 		}
9782 		phy_idx = rdev->wiphy_idx;
9783 
9784 		if (attrbuf[NL80211_ATTR_TESTDATA])
9785 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
9786 	}
9787 
9788 	if (cb->args[1]) {
9789 		data = nla_data((void *)cb->args[1]);
9790 		data_len = nla_len((void *)cb->args[1]);
9791 	}
9792 
9793 	if (!rdev->ops->testmode_dump) {
9794 		err = -EOPNOTSUPP;
9795 		goto out_err;
9796 	}
9797 
9798 	while (1) {
9799 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
9800 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
9801 					   NL80211_CMD_TESTMODE);
9802 		struct nlattr *tmdata;
9803 
9804 		if (!hdr)
9805 			break;
9806 
9807 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
9808 			genlmsg_cancel(skb, hdr);
9809 			break;
9810 		}
9811 
9812 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
9813 		if (!tmdata) {
9814 			genlmsg_cancel(skb, hdr);
9815 			break;
9816 		}
9817 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
9818 		nla_nest_end(skb, tmdata);
9819 
9820 		if (err == -ENOBUFS || err == -ENOENT) {
9821 			genlmsg_cancel(skb, hdr);
9822 			break;
9823 		} else if (err) {
9824 			genlmsg_cancel(skb, hdr);
9825 			goto out_err;
9826 		}
9827 
9828 		genlmsg_end(skb, hdr);
9829 	}
9830 
9831 	err = skb->len;
9832 	/* see above */
9833 	cb->args[0] = phy_idx + 1;
9834  out_err:
9835 	kfree(attrbuf);
9836 	rtnl_unlock();
9837 	return err;
9838 }
9839 #endif
9840 
9841 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9842 {
9843 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9844 	struct net_device *dev = info->user_ptr[1];
9845 	struct cfg80211_connect_params connect;
9846 	struct wiphy *wiphy;
9847 	struct cfg80211_cached_keys *connkeys = NULL;
9848 	int err;
9849 
9850 	memset(&connect, 0, sizeof(connect));
9851 
9852 	if (!info->attrs[NL80211_ATTR_SSID] ||
9853 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9854 		return -EINVAL;
9855 
9856 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9857 		connect.auth_type =
9858 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9859 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9860 					     NL80211_CMD_CONNECT))
9861 			return -EINVAL;
9862 	} else
9863 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9864 
9865 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9866 
9867 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9868 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9869 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9870 		return -EINVAL;
9871 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9872 
9873 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9874 				      NL80211_MAX_NR_CIPHER_SUITES);
9875 	if (err)
9876 		return err;
9877 
9878 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9879 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9880 		return -EOPNOTSUPP;
9881 
9882 	wiphy = &rdev->wiphy;
9883 
9884 	connect.bg_scan_period = -1;
9885 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9886 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9887 		connect.bg_scan_period =
9888 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9889 	}
9890 
9891 	if (info->attrs[NL80211_ATTR_MAC])
9892 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9893 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
9894 		connect.bssid_hint =
9895 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9896 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9897 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9898 
9899 	if (info->attrs[NL80211_ATTR_IE]) {
9900 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9901 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9902 	}
9903 
9904 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9905 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9906 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
9907 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9908 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
9909 			return -EOPNOTSUPP;
9910 	} else {
9911 		connect.mfp = NL80211_MFP_NO;
9912 	}
9913 
9914 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9915 		connect.prev_bssid =
9916 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9917 
9918 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9919 		connect.channel = nl80211_get_valid_chan(
9920 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9921 		if (!connect.channel)
9922 			return -EINVAL;
9923 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9924 		connect.channel_hint = nl80211_get_valid_chan(
9925 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9926 		if (!connect.channel_hint)
9927 			return -EINVAL;
9928 	}
9929 
9930 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
9931 		connect.edmg.channels =
9932 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
9933 
9934 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
9935 			connect.edmg.bw_config =
9936 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
9937 	}
9938 
9939 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9940 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9941 		if (IS_ERR(connkeys))
9942 			return PTR_ERR(connkeys);
9943 	}
9944 
9945 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9946 		connect.flags |= ASSOC_REQ_DISABLE_HT;
9947 
9948 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9949 		memcpy(&connect.ht_capa_mask,
9950 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9951 		       sizeof(connect.ht_capa_mask));
9952 
9953 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9954 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9955 			kzfree(connkeys);
9956 			return -EINVAL;
9957 		}
9958 		memcpy(&connect.ht_capa,
9959 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9960 		       sizeof(connect.ht_capa));
9961 	}
9962 
9963 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9964 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
9965 
9966 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9967 		memcpy(&connect.vht_capa_mask,
9968 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9969 		       sizeof(connect.vht_capa_mask));
9970 
9971 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9972 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9973 			kzfree(connkeys);
9974 			return -EINVAL;
9975 		}
9976 		memcpy(&connect.vht_capa,
9977 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9978 		       sizeof(connect.vht_capa));
9979 	}
9980 
9981 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9982 		if (!((rdev->wiphy.features &
9983 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9984 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9985 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9986 					     NL80211_EXT_FEATURE_RRM)) {
9987 			kzfree(connkeys);
9988 			return -EINVAL;
9989 		}
9990 		connect.flags |= ASSOC_REQ_USE_RRM;
9991 	}
9992 
9993 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9994 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9995 		kzfree(connkeys);
9996 		return -EOPNOTSUPP;
9997 	}
9998 
9999 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10000 		/* bss selection makes no sense if bssid is set */
10001 		if (connect.bssid) {
10002 			kzfree(connkeys);
10003 			return -EINVAL;
10004 		}
10005 
10006 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10007 				       wiphy, &connect.bss_select);
10008 		if (err) {
10009 			kzfree(connkeys);
10010 			return err;
10011 		}
10012 	}
10013 
10014 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10015 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10016 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10017 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10018 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10019 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10020 		connect.fils_erp_username =
10021 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10022 		connect.fils_erp_username_len =
10023 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10024 		connect.fils_erp_realm =
10025 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10026 		connect.fils_erp_realm_len =
10027 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10028 		connect.fils_erp_next_seq_num =
10029 			nla_get_u16(
10030 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10031 		connect.fils_erp_rrk =
10032 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10033 		connect.fils_erp_rrk_len =
10034 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10035 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10036 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10037 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10038 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10039 		kzfree(connkeys);
10040 		return -EINVAL;
10041 	}
10042 
10043 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10044 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10045 			kzfree(connkeys);
10046 			GENL_SET_ERR_MSG(info,
10047 					 "external auth requires connection ownership");
10048 			return -EINVAL;
10049 		}
10050 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10051 	}
10052 
10053 	wdev_lock(dev->ieee80211_ptr);
10054 
10055 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10056 			       connect.prev_bssid);
10057 	if (err)
10058 		kzfree(connkeys);
10059 
10060 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10061 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10062 		if (connect.bssid)
10063 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10064 			       connect.bssid, ETH_ALEN);
10065 		else
10066 			memset(dev->ieee80211_ptr->disconnect_bssid,
10067 			       0, ETH_ALEN);
10068 	}
10069 
10070 	wdev_unlock(dev->ieee80211_ptr);
10071 
10072 	return err;
10073 }
10074 
10075 static int nl80211_update_connect_params(struct sk_buff *skb,
10076 					 struct genl_info *info)
10077 {
10078 	struct cfg80211_connect_params connect = {};
10079 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10080 	struct net_device *dev = info->user_ptr[1];
10081 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10082 	bool fils_sk_offload;
10083 	u32 auth_type;
10084 	u32 changed = 0;
10085 	int ret;
10086 
10087 	if (!rdev->ops->update_connect_params)
10088 		return -EOPNOTSUPP;
10089 
10090 	if (info->attrs[NL80211_ATTR_IE]) {
10091 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10092 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10093 		changed |= UPDATE_ASSOC_IES;
10094 	}
10095 
10096 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10097 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10098 
10099 	/*
10100 	 * when driver supports fils-sk offload all attributes must be
10101 	 * provided. So the else covers "fils-sk-not-all" and
10102 	 * "no-fils-sk-any".
10103 	 */
10104 	if (fils_sk_offload &&
10105 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10106 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10107 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10108 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10109 		connect.fils_erp_username =
10110 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10111 		connect.fils_erp_username_len =
10112 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10113 		connect.fils_erp_realm =
10114 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10115 		connect.fils_erp_realm_len =
10116 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10117 		connect.fils_erp_next_seq_num =
10118 			nla_get_u16(
10119 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10120 		connect.fils_erp_rrk =
10121 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10122 		connect.fils_erp_rrk_len =
10123 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10124 		changed |= UPDATE_FILS_ERP_INFO;
10125 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10126 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10127 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10128 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10129 		return -EINVAL;
10130 	}
10131 
10132 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10133 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10134 		if (!nl80211_valid_auth_type(rdev, auth_type,
10135 					     NL80211_CMD_CONNECT))
10136 			return -EINVAL;
10137 
10138 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10139 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10140 			return -EINVAL;
10141 
10142 		connect.auth_type = auth_type;
10143 		changed |= UPDATE_AUTH_TYPE;
10144 	}
10145 
10146 	wdev_lock(dev->ieee80211_ptr);
10147 	if (!wdev->current_bss)
10148 		ret = -ENOLINK;
10149 	else
10150 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10151 	wdev_unlock(dev->ieee80211_ptr);
10152 
10153 	return ret;
10154 }
10155 
10156 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10157 {
10158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10159 	struct net_device *dev = info->user_ptr[1];
10160 	u16 reason;
10161 	int ret;
10162 
10163 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10164 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10165 		return -EPERM;
10166 
10167 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10168 		reason = WLAN_REASON_DEAUTH_LEAVING;
10169 	else
10170 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10171 
10172 	if (reason == 0)
10173 		return -EINVAL;
10174 
10175 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10176 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10177 		return -EOPNOTSUPP;
10178 
10179 	wdev_lock(dev->ieee80211_ptr);
10180 	ret = cfg80211_disconnect(rdev, dev, reason, true);
10181 	wdev_unlock(dev->ieee80211_ptr);
10182 	return ret;
10183 }
10184 
10185 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10186 {
10187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10188 	struct net *net;
10189 	int err;
10190 
10191 	if (info->attrs[NL80211_ATTR_PID]) {
10192 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10193 
10194 		net = get_net_ns_by_pid(pid);
10195 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10196 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10197 
10198 		net = get_net_ns_by_fd(fd);
10199 	} else {
10200 		return -EINVAL;
10201 	}
10202 
10203 	if (IS_ERR(net))
10204 		return PTR_ERR(net);
10205 
10206 	err = 0;
10207 
10208 	/* check if anything to do */
10209 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10210 		err = cfg80211_switch_netns(rdev, net);
10211 
10212 	put_net(net);
10213 	return err;
10214 }
10215 
10216 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10217 {
10218 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10219 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10220 			struct cfg80211_pmksa *pmksa) = NULL;
10221 	struct net_device *dev = info->user_ptr[1];
10222 	struct cfg80211_pmksa pmksa;
10223 
10224 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10225 
10226 	if (!info->attrs[NL80211_ATTR_PMKID])
10227 		return -EINVAL;
10228 
10229 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10230 
10231 	if (info->attrs[NL80211_ATTR_MAC]) {
10232 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10233 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10234 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10235 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10236 		    info->attrs[NL80211_ATTR_PMK])) {
10237 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10238 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10239 		pmksa.cache_id =
10240 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10241 	} else {
10242 		return -EINVAL;
10243 	}
10244 	if (info->attrs[NL80211_ATTR_PMK]) {
10245 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10246 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10247 	}
10248 
10249 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10250 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10251 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10252 	      wiphy_ext_feature_isset(&rdev->wiphy,
10253 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10254 		return -EOPNOTSUPP;
10255 
10256 	switch (info->genlhdr->cmd) {
10257 	case NL80211_CMD_SET_PMKSA:
10258 		rdev_ops = rdev->ops->set_pmksa;
10259 		break;
10260 	case NL80211_CMD_DEL_PMKSA:
10261 		rdev_ops = rdev->ops->del_pmksa;
10262 		break;
10263 	default:
10264 		WARN_ON(1);
10265 		break;
10266 	}
10267 
10268 	if (!rdev_ops)
10269 		return -EOPNOTSUPP;
10270 
10271 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10272 }
10273 
10274 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10275 {
10276 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10277 	struct net_device *dev = info->user_ptr[1];
10278 
10279 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10280 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10281 		return -EOPNOTSUPP;
10282 
10283 	if (!rdev->ops->flush_pmksa)
10284 		return -EOPNOTSUPP;
10285 
10286 	return rdev_flush_pmksa(rdev, dev);
10287 }
10288 
10289 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10290 {
10291 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10292 	struct net_device *dev = info->user_ptr[1];
10293 	u8 action_code, dialog_token;
10294 	u32 peer_capability = 0;
10295 	u16 status_code;
10296 	u8 *peer;
10297 	bool initiator;
10298 
10299 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10300 	    !rdev->ops->tdls_mgmt)
10301 		return -EOPNOTSUPP;
10302 
10303 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10304 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10305 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10306 	    !info->attrs[NL80211_ATTR_IE] ||
10307 	    !info->attrs[NL80211_ATTR_MAC])
10308 		return -EINVAL;
10309 
10310 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10311 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10312 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10313 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10314 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10315 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10316 		peer_capability =
10317 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10318 
10319 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10320 			      dialog_token, status_code, peer_capability,
10321 			      initiator,
10322 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10323 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10324 }
10325 
10326 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10327 {
10328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10329 	struct net_device *dev = info->user_ptr[1];
10330 	enum nl80211_tdls_operation operation;
10331 	u8 *peer;
10332 
10333 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10334 	    !rdev->ops->tdls_oper)
10335 		return -EOPNOTSUPP;
10336 
10337 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10338 	    !info->attrs[NL80211_ATTR_MAC])
10339 		return -EINVAL;
10340 
10341 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10342 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10343 
10344 	return rdev_tdls_oper(rdev, dev, peer, operation);
10345 }
10346 
10347 static int nl80211_remain_on_channel(struct sk_buff *skb,
10348 				     struct genl_info *info)
10349 {
10350 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10351 	struct wireless_dev *wdev = info->user_ptr[1];
10352 	struct cfg80211_chan_def chandef;
10353 	const struct cfg80211_chan_def *compat_chandef;
10354 	struct sk_buff *msg;
10355 	void *hdr;
10356 	u64 cookie;
10357 	u32 duration;
10358 	int err;
10359 
10360 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10361 	    !info->attrs[NL80211_ATTR_DURATION])
10362 		return -EINVAL;
10363 
10364 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10365 
10366 	if (!rdev->ops->remain_on_channel ||
10367 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
10368 		return -EOPNOTSUPP;
10369 
10370 	/*
10371 	 * We should be on that channel for at least a minimum amount of
10372 	 * time (10ms) but no longer than the driver supports.
10373 	 */
10374 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10375 	    duration > rdev->wiphy.max_remain_on_channel_duration)
10376 		return -EINVAL;
10377 
10378 	err = nl80211_parse_chandef(rdev, info, &chandef);
10379 	if (err)
10380 		return err;
10381 
10382 	wdev_lock(wdev);
10383 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
10384 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
10385 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
10386 							     &chandef);
10387 		if (compat_chandef != &chandef) {
10388 			wdev_unlock(wdev);
10389 			return -EBUSY;
10390 		}
10391 	}
10392 	wdev_unlock(wdev);
10393 
10394 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10395 	if (!msg)
10396 		return -ENOMEM;
10397 
10398 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10399 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10400 	if (!hdr) {
10401 		err = -ENOBUFS;
10402 		goto free_msg;
10403 	}
10404 
10405 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10406 				     duration, &cookie);
10407 
10408 	if (err)
10409 		goto free_msg;
10410 
10411 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10412 			      NL80211_ATTR_PAD))
10413 		goto nla_put_failure;
10414 
10415 	genlmsg_end(msg, hdr);
10416 
10417 	return genlmsg_reply(msg, info);
10418 
10419  nla_put_failure:
10420 	err = -ENOBUFS;
10421  free_msg:
10422 	nlmsg_free(msg);
10423 	return err;
10424 }
10425 
10426 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10427 					    struct genl_info *info)
10428 {
10429 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10430 	struct wireless_dev *wdev = info->user_ptr[1];
10431 	u64 cookie;
10432 
10433 	if (!info->attrs[NL80211_ATTR_COOKIE])
10434 		return -EINVAL;
10435 
10436 	if (!rdev->ops->cancel_remain_on_channel)
10437 		return -EOPNOTSUPP;
10438 
10439 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10440 
10441 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10442 }
10443 
10444 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10445 				       struct genl_info *info)
10446 {
10447 	struct cfg80211_bitrate_mask mask;
10448 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10449 	struct net_device *dev = info->user_ptr[1];
10450 	int err;
10451 
10452 	if (!rdev->ops->set_bitrate_mask)
10453 		return -EOPNOTSUPP;
10454 
10455 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
10456 	if (err)
10457 		return err;
10458 
10459 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10460 }
10461 
10462 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10463 {
10464 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10465 	struct wireless_dev *wdev = info->user_ptr[1];
10466 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10467 
10468 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10469 		return -EINVAL;
10470 
10471 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10472 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10473 
10474 	switch (wdev->iftype) {
10475 	case NL80211_IFTYPE_STATION:
10476 	case NL80211_IFTYPE_ADHOC:
10477 	case NL80211_IFTYPE_P2P_CLIENT:
10478 	case NL80211_IFTYPE_AP:
10479 	case NL80211_IFTYPE_AP_VLAN:
10480 	case NL80211_IFTYPE_MESH_POINT:
10481 	case NL80211_IFTYPE_P2P_GO:
10482 	case NL80211_IFTYPE_P2P_DEVICE:
10483 		break;
10484 	case NL80211_IFTYPE_NAN:
10485 	default:
10486 		return -EOPNOTSUPP;
10487 	}
10488 
10489 	/* not much point in registering if we can't reply */
10490 	if (!rdev->ops->mgmt_tx)
10491 		return -EOPNOTSUPP;
10492 
10493 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10494 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10495 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
10496 }
10497 
10498 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10499 {
10500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10501 	struct wireless_dev *wdev = info->user_ptr[1];
10502 	struct cfg80211_chan_def chandef;
10503 	int err;
10504 	void *hdr = NULL;
10505 	u64 cookie;
10506 	struct sk_buff *msg = NULL;
10507 	struct cfg80211_mgmt_tx_params params = {
10508 		.dont_wait_for_ack =
10509 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10510 	};
10511 
10512 	if (!info->attrs[NL80211_ATTR_FRAME])
10513 		return -EINVAL;
10514 
10515 	if (!rdev->ops->mgmt_tx)
10516 		return -EOPNOTSUPP;
10517 
10518 	switch (wdev->iftype) {
10519 	case NL80211_IFTYPE_P2P_DEVICE:
10520 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10521 			return -EINVAL;
10522 	case NL80211_IFTYPE_STATION:
10523 	case NL80211_IFTYPE_ADHOC:
10524 	case NL80211_IFTYPE_P2P_CLIENT:
10525 	case NL80211_IFTYPE_AP:
10526 	case NL80211_IFTYPE_AP_VLAN:
10527 	case NL80211_IFTYPE_MESH_POINT:
10528 	case NL80211_IFTYPE_P2P_GO:
10529 		break;
10530 	case NL80211_IFTYPE_NAN:
10531 	default:
10532 		return -EOPNOTSUPP;
10533 	}
10534 
10535 	if (info->attrs[NL80211_ATTR_DURATION]) {
10536 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10537 			return -EINVAL;
10538 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10539 
10540 		/*
10541 		 * We should wait on the channel for at least a minimum amount
10542 		 * of time (10ms) but no longer than the driver supports.
10543 		 */
10544 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10545 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
10546 			return -EINVAL;
10547 	}
10548 
10549 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10550 
10551 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10552 		return -EINVAL;
10553 
10554 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10555 
10556 	/* get the channel if any has been specified, otherwise pass NULL to
10557 	 * the driver. The latter will use the current one
10558 	 */
10559 	chandef.chan = NULL;
10560 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10561 		err = nl80211_parse_chandef(rdev, info, &chandef);
10562 		if (err)
10563 			return err;
10564 	}
10565 
10566 	if (!chandef.chan && params.offchan)
10567 		return -EINVAL;
10568 
10569 	wdev_lock(wdev);
10570 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10571 		wdev_unlock(wdev);
10572 		return -EBUSY;
10573 	}
10574 	wdev_unlock(wdev);
10575 
10576 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10577 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10578 
10579 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10580 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10581 		int i;
10582 
10583 		if (len % sizeof(u16))
10584 			return -EINVAL;
10585 
10586 		params.n_csa_offsets = len / sizeof(u16);
10587 		params.csa_offsets =
10588 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10589 
10590 		/* check that all the offsets fit the frame */
10591 		for (i = 0; i < params.n_csa_offsets; i++) {
10592 			if (params.csa_offsets[i] >= params.len)
10593 				return -EINVAL;
10594 		}
10595 	}
10596 
10597 	if (!params.dont_wait_for_ack) {
10598 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10599 		if (!msg)
10600 			return -ENOMEM;
10601 
10602 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10603 				     NL80211_CMD_FRAME);
10604 		if (!hdr) {
10605 			err = -ENOBUFS;
10606 			goto free_msg;
10607 		}
10608 	}
10609 
10610 	params.chan = chandef.chan;
10611 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10612 	if (err)
10613 		goto free_msg;
10614 
10615 	if (msg) {
10616 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10617 				      NL80211_ATTR_PAD))
10618 			goto nla_put_failure;
10619 
10620 		genlmsg_end(msg, hdr);
10621 		return genlmsg_reply(msg, info);
10622 	}
10623 
10624 	return 0;
10625 
10626  nla_put_failure:
10627 	err = -ENOBUFS;
10628  free_msg:
10629 	nlmsg_free(msg);
10630 	return err;
10631 }
10632 
10633 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10634 {
10635 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10636 	struct wireless_dev *wdev = info->user_ptr[1];
10637 	u64 cookie;
10638 
10639 	if (!info->attrs[NL80211_ATTR_COOKIE])
10640 		return -EINVAL;
10641 
10642 	if (!rdev->ops->mgmt_tx_cancel_wait)
10643 		return -EOPNOTSUPP;
10644 
10645 	switch (wdev->iftype) {
10646 	case NL80211_IFTYPE_STATION:
10647 	case NL80211_IFTYPE_ADHOC:
10648 	case NL80211_IFTYPE_P2P_CLIENT:
10649 	case NL80211_IFTYPE_AP:
10650 	case NL80211_IFTYPE_AP_VLAN:
10651 	case NL80211_IFTYPE_P2P_GO:
10652 	case NL80211_IFTYPE_P2P_DEVICE:
10653 		break;
10654 	case NL80211_IFTYPE_NAN:
10655 	default:
10656 		return -EOPNOTSUPP;
10657 	}
10658 
10659 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10660 
10661 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10662 }
10663 
10664 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10665 {
10666 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10667 	struct wireless_dev *wdev;
10668 	struct net_device *dev = info->user_ptr[1];
10669 	u8 ps_state;
10670 	bool state;
10671 	int err;
10672 
10673 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10674 		return -EINVAL;
10675 
10676 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10677 
10678 	wdev = dev->ieee80211_ptr;
10679 
10680 	if (!rdev->ops->set_power_mgmt)
10681 		return -EOPNOTSUPP;
10682 
10683 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10684 
10685 	if (state == wdev->ps)
10686 		return 0;
10687 
10688 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10689 	if (!err)
10690 		wdev->ps = state;
10691 	return err;
10692 }
10693 
10694 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10695 {
10696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10697 	enum nl80211_ps_state ps_state;
10698 	struct wireless_dev *wdev;
10699 	struct net_device *dev = info->user_ptr[1];
10700 	struct sk_buff *msg;
10701 	void *hdr;
10702 	int err;
10703 
10704 	wdev = dev->ieee80211_ptr;
10705 
10706 	if (!rdev->ops->set_power_mgmt)
10707 		return -EOPNOTSUPP;
10708 
10709 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10710 	if (!msg)
10711 		return -ENOMEM;
10712 
10713 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10714 			     NL80211_CMD_GET_POWER_SAVE);
10715 	if (!hdr) {
10716 		err = -ENOBUFS;
10717 		goto free_msg;
10718 	}
10719 
10720 	if (wdev->ps)
10721 		ps_state = NL80211_PS_ENABLED;
10722 	else
10723 		ps_state = NL80211_PS_DISABLED;
10724 
10725 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
10726 		goto nla_put_failure;
10727 
10728 	genlmsg_end(msg, hdr);
10729 	return genlmsg_reply(msg, info);
10730 
10731  nla_put_failure:
10732 	err = -ENOBUFS;
10733  free_msg:
10734 	nlmsg_free(msg);
10735 	return err;
10736 }
10737 
10738 static const struct nla_policy
10739 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
10740 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
10741 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
10742 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
10743 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
10744 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
10745 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
10746 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
10747 };
10748 
10749 static int nl80211_set_cqm_txe(struct genl_info *info,
10750 			       u32 rate, u32 pkts, u32 intvl)
10751 {
10752 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10753 	struct net_device *dev = info->user_ptr[1];
10754 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10755 
10756 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
10757 		return -EINVAL;
10758 
10759 	if (!rdev->ops->set_cqm_txe_config)
10760 		return -EOPNOTSUPP;
10761 
10762 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10763 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10764 		return -EOPNOTSUPP;
10765 
10766 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
10767 }
10768 
10769 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
10770 				    struct net_device *dev)
10771 {
10772 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10773 	s32 last, low, high;
10774 	u32 hyst;
10775 	int i, n, low_index;
10776 	int err;
10777 
10778 	/* RSSI reporting disabled? */
10779 	if (!wdev->cqm_config)
10780 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
10781 
10782 	/*
10783 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
10784 	 * event has been received yet, we should receive an event after a
10785 	 * connection is established and enough beacons received to calculate
10786 	 * the average.
10787 	 */
10788 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
10789 	    rdev->ops->get_station) {
10790 		struct station_info sinfo = {};
10791 		u8 *mac_addr;
10792 
10793 		mac_addr = wdev->current_bss->pub.bssid;
10794 
10795 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
10796 		if (err)
10797 			return err;
10798 
10799 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
10800 			wdev->cqm_config->last_rssi_event_value =
10801 				(s8) sinfo.rx_beacon_signal_avg;
10802 	}
10803 
10804 	last = wdev->cqm_config->last_rssi_event_value;
10805 	hyst = wdev->cqm_config->rssi_hyst;
10806 	n = wdev->cqm_config->n_rssi_thresholds;
10807 
10808 	for (i = 0; i < n; i++) {
10809 		i = array_index_nospec(i, n);
10810 		if (last < wdev->cqm_config->rssi_thresholds[i])
10811 			break;
10812 	}
10813 
10814 	low_index = i - 1;
10815 	if (low_index >= 0) {
10816 		low_index = array_index_nospec(low_index, n);
10817 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
10818 	} else {
10819 		low = S32_MIN;
10820 	}
10821 	if (i < n) {
10822 		i = array_index_nospec(i, n);
10823 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
10824 	} else {
10825 		high = S32_MAX;
10826 	}
10827 
10828 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
10829 }
10830 
10831 static int nl80211_set_cqm_rssi(struct genl_info *info,
10832 				const s32 *thresholds, int n_thresholds,
10833 				u32 hysteresis)
10834 {
10835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10836 	struct net_device *dev = info->user_ptr[1];
10837 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10838 	int i, err;
10839 	s32 prev = S32_MIN;
10840 
10841 	/* Check all values negative and sorted */
10842 	for (i = 0; i < n_thresholds; i++) {
10843 		if (thresholds[i] > 0 || thresholds[i] <= prev)
10844 			return -EINVAL;
10845 
10846 		prev = thresholds[i];
10847 	}
10848 
10849 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10850 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10851 		return -EOPNOTSUPP;
10852 
10853 	wdev_lock(wdev);
10854 	cfg80211_cqm_config_free(wdev);
10855 	wdev_unlock(wdev);
10856 
10857 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
10858 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
10859 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
10860 
10861 		return rdev_set_cqm_rssi_config(rdev, dev,
10862 						thresholds[0], hysteresis);
10863 	}
10864 
10865 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
10866 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
10867 		return -EOPNOTSUPP;
10868 
10869 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
10870 		n_thresholds = 0;
10871 
10872 	wdev_lock(wdev);
10873 	if (n_thresholds) {
10874 		struct cfg80211_cqm_config *cqm_config;
10875 
10876 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
10877 				     n_thresholds * sizeof(s32), GFP_KERNEL);
10878 		if (!cqm_config) {
10879 			err = -ENOMEM;
10880 			goto unlock;
10881 		}
10882 
10883 		cqm_config->rssi_hyst = hysteresis;
10884 		cqm_config->n_rssi_thresholds = n_thresholds;
10885 		memcpy(cqm_config->rssi_thresholds, thresholds,
10886 		       n_thresholds * sizeof(s32));
10887 
10888 		wdev->cqm_config = cqm_config;
10889 	}
10890 
10891 	err = cfg80211_cqm_rssi_update(rdev, dev);
10892 
10893 unlock:
10894 	wdev_unlock(wdev);
10895 
10896 	return err;
10897 }
10898 
10899 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
10900 {
10901 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
10902 	struct nlattr *cqm;
10903 	int err;
10904 
10905 	cqm = info->attrs[NL80211_ATTR_CQM];
10906 	if (!cqm)
10907 		return -EINVAL;
10908 
10909 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
10910 					  nl80211_attr_cqm_policy,
10911 					  info->extack);
10912 	if (err)
10913 		return err;
10914 
10915 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
10916 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
10917 		const s32 *thresholds =
10918 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10919 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10920 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
10921 
10922 		if (len % 4)
10923 			return -EINVAL;
10924 
10925 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
10926 					    hysteresis);
10927 	}
10928 
10929 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
10930 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
10931 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
10932 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
10933 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
10934 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
10935 
10936 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
10937 	}
10938 
10939 	return -EINVAL;
10940 }
10941 
10942 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
10943 {
10944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10945 	struct net_device *dev = info->user_ptr[1];
10946 	struct ocb_setup setup = {};
10947 	int err;
10948 
10949 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10950 	if (err)
10951 		return err;
10952 
10953 	return cfg80211_join_ocb(rdev, dev, &setup);
10954 }
10955 
10956 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
10957 {
10958 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10959 	struct net_device *dev = info->user_ptr[1];
10960 
10961 	return cfg80211_leave_ocb(rdev, dev);
10962 }
10963 
10964 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
10965 {
10966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10967 	struct net_device *dev = info->user_ptr[1];
10968 	struct mesh_config cfg;
10969 	struct mesh_setup setup;
10970 	int err;
10971 
10972 	/* start with default */
10973 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
10974 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
10975 
10976 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
10977 		/* and parse parameters if given */
10978 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
10979 		if (err)
10980 			return err;
10981 	}
10982 
10983 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
10984 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
10985 		return -EINVAL;
10986 
10987 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
10988 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
10989 
10990 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10991 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
10992 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10993 			return -EINVAL;
10994 
10995 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
10996 		setup.beacon_interval =
10997 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10998 
10999 		err = cfg80211_validate_beacon_int(rdev,
11000 						   NL80211_IFTYPE_MESH_POINT,
11001 						   setup.beacon_interval);
11002 		if (err)
11003 			return err;
11004 	}
11005 
11006 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11007 		setup.dtim_period =
11008 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11009 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11010 			return -EINVAL;
11011 	}
11012 
11013 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11014 		/* parse additional setup parameters if given */
11015 		err = nl80211_parse_mesh_setup(info, &setup);
11016 		if (err)
11017 			return err;
11018 	}
11019 
11020 	if (setup.user_mpm)
11021 		cfg.auto_open_plinks = false;
11022 
11023 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11024 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11025 		if (err)
11026 			return err;
11027 	} else {
11028 		/* __cfg80211_join_mesh() will sort it out */
11029 		setup.chandef.chan = NULL;
11030 	}
11031 
11032 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11033 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11034 		int n_rates =
11035 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11036 		struct ieee80211_supported_band *sband;
11037 
11038 		if (!setup.chandef.chan)
11039 			return -EINVAL;
11040 
11041 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11042 
11043 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11044 					     &setup.basic_rates);
11045 		if (err)
11046 			return err;
11047 	}
11048 
11049 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11050 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
11051 		if (err)
11052 			return err;
11053 
11054 		if (!setup.chandef.chan)
11055 			return -EINVAL;
11056 
11057 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11058 					      &setup.beacon_rate);
11059 		if (err)
11060 			return err;
11061 	}
11062 
11063 	setup.userspace_handles_dfs =
11064 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11065 
11066 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11067 		int r = validate_pae_over_nl80211(rdev, info);
11068 
11069 		if (r < 0)
11070 			return r;
11071 
11072 		setup.control_port_over_nl80211 = true;
11073 	}
11074 
11075 	wdev_lock(dev->ieee80211_ptr);
11076 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11077 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11078 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11079 	wdev_unlock(dev->ieee80211_ptr);
11080 
11081 	return err;
11082 }
11083 
11084 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11085 {
11086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11087 	struct net_device *dev = info->user_ptr[1];
11088 
11089 	return cfg80211_leave_mesh(rdev, dev);
11090 }
11091 
11092 #ifdef CONFIG_PM
11093 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11094 					struct cfg80211_registered_device *rdev)
11095 {
11096 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11097 	struct nlattr *nl_pats, *nl_pat;
11098 	int i, pat_len;
11099 
11100 	if (!wowlan->n_patterns)
11101 		return 0;
11102 
11103 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11104 	if (!nl_pats)
11105 		return -ENOBUFS;
11106 
11107 	for (i = 0; i < wowlan->n_patterns; i++) {
11108 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11109 		if (!nl_pat)
11110 			return -ENOBUFS;
11111 		pat_len = wowlan->patterns[i].pattern_len;
11112 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11113 			    wowlan->patterns[i].mask) ||
11114 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11115 			    wowlan->patterns[i].pattern) ||
11116 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11117 				wowlan->patterns[i].pkt_offset))
11118 			return -ENOBUFS;
11119 		nla_nest_end(msg, nl_pat);
11120 	}
11121 	nla_nest_end(msg, nl_pats);
11122 
11123 	return 0;
11124 }
11125 
11126 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11127 				   struct cfg80211_wowlan_tcp *tcp)
11128 {
11129 	struct nlattr *nl_tcp;
11130 
11131 	if (!tcp)
11132 		return 0;
11133 
11134 	nl_tcp = nla_nest_start_noflag(msg,
11135 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11136 	if (!nl_tcp)
11137 		return -ENOBUFS;
11138 
11139 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11140 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11141 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11142 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11143 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11144 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11145 		    tcp->payload_len, tcp->payload) ||
11146 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11147 			tcp->data_interval) ||
11148 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11149 		    tcp->wake_len, tcp->wake_data) ||
11150 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11151 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11152 		return -ENOBUFS;
11153 
11154 	if (tcp->payload_seq.len &&
11155 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11156 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11157 		return -ENOBUFS;
11158 
11159 	if (tcp->payload_tok.len &&
11160 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11161 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11162 		    &tcp->payload_tok))
11163 		return -ENOBUFS;
11164 
11165 	nla_nest_end(msg, nl_tcp);
11166 
11167 	return 0;
11168 }
11169 
11170 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11171 				  struct cfg80211_sched_scan_request *req)
11172 {
11173 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11174 	int i;
11175 
11176 	if (!req)
11177 		return 0;
11178 
11179 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11180 	if (!nd)
11181 		return -ENOBUFS;
11182 
11183 	if (req->n_scan_plans == 1 &&
11184 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11185 			req->scan_plans[0].interval * 1000))
11186 		return -ENOBUFS;
11187 
11188 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11189 		return -ENOBUFS;
11190 
11191 	if (req->relative_rssi_set) {
11192 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11193 
11194 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11195 			       req->relative_rssi))
11196 			return -ENOBUFS;
11197 
11198 		rssi_adjust.band = req->rssi_adjust.band;
11199 		rssi_adjust.delta = req->rssi_adjust.delta;
11200 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11201 			    sizeof(rssi_adjust), &rssi_adjust))
11202 			return -ENOBUFS;
11203 	}
11204 
11205 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11206 	if (!freqs)
11207 		return -ENOBUFS;
11208 
11209 	for (i = 0; i < req->n_channels; i++) {
11210 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11211 			return -ENOBUFS;
11212 	}
11213 
11214 	nla_nest_end(msg, freqs);
11215 
11216 	if (req->n_match_sets) {
11217 		matches = nla_nest_start_noflag(msg,
11218 						NL80211_ATTR_SCHED_SCAN_MATCH);
11219 		if (!matches)
11220 			return -ENOBUFS;
11221 
11222 		for (i = 0; i < req->n_match_sets; i++) {
11223 			match = nla_nest_start_noflag(msg, i);
11224 			if (!match)
11225 				return -ENOBUFS;
11226 
11227 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11228 				    req->match_sets[i].ssid.ssid_len,
11229 				    req->match_sets[i].ssid.ssid))
11230 				return -ENOBUFS;
11231 			nla_nest_end(msg, match);
11232 		}
11233 		nla_nest_end(msg, matches);
11234 	}
11235 
11236 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11237 	if (!scan_plans)
11238 		return -ENOBUFS;
11239 
11240 	for (i = 0; i < req->n_scan_plans; i++) {
11241 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11242 		if (!scan_plan)
11243 			return -ENOBUFS;
11244 
11245 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11246 				req->scan_plans[i].interval) ||
11247 		    (req->scan_plans[i].iterations &&
11248 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11249 				 req->scan_plans[i].iterations)))
11250 			return -ENOBUFS;
11251 		nla_nest_end(msg, scan_plan);
11252 	}
11253 	nla_nest_end(msg, scan_plans);
11254 
11255 	nla_nest_end(msg, nd);
11256 
11257 	return 0;
11258 }
11259 
11260 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11261 {
11262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11263 	struct sk_buff *msg;
11264 	void *hdr;
11265 	u32 size = NLMSG_DEFAULT_SIZE;
11266 
11267 	if (!rdev->wiphy.wowlan)
11268 		return -EOPNOTSUPP;
11269 
11270 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11271 		/* adjust size to have room for all the data */
11272 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11273 			rdev->wiphy.wowlan_config->tcp->payload_len +
11274 			rdev->wiphy.wowlan_config->tcp->wake_len +
11275 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11276 	}
11277 
11278 	msg = nlmsg_new(size, GFP_KERNEL);
11279 	if (!msg)
11280 		return -ENOMEM;
11281 
11282 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11283 			     NL80211_CMD_GET_WOWLAN);
11284 	if (!hdr)
11285 		goto nla_put_failure;
11286 
11287 	if (rdev->wiphy.wowlan_config) {
11288 		struct nlattr *nl_wowlan;
11289 
11290 		nl_wowlan = nla_nest_start_noflag(msg,
11291 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11292 		if (!nl_wowlan)
11293 			goto nla_put_failure;
11294 
11295 		if ((rdev->wiphy.wowlan_config->any &&
11296 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11297 		    (rdev->wiphy.wowlan_config->disconnect &&
11298 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11299 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11300 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11301 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11302 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11303 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11304 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11305 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11306 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11307 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11308 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11309 			goto nla_put_failure;
11310 
11311 		if (nl80211_send_wowlan_patterns(msg, rdev))
11312 			goto nla_put_failure;
11313 
11314 		if (nl80211_send_wowlan_tcp(msg,
11315 					    rdev->wiphy.wowlan_config->tcp))
11316 			goto nla_put_failure;
11317 
11318 		if (nl80211_send_wowlan_nd(
11319 			    msg,
11320 			    rdev->wiphy.wowlan_config->nd_config))
11321 			goto nla_put_failure;
11322 
11323 		nla_nest_end(msg, nl_wowlan);
11324 	}
11325 
11326 	genlmsg_end(msg, hdr);
11327 	return genlmsg_reply(msg, info);
11328 
11329 nla_put_failure:
11330 	nlmsg_free(msg);
11331 	return -ENOBUFS;
11332 }
11333 
11334 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11335 				    struct nlattr *attr,
11336 				    struct cfg80211_wowlan *trig)
11337 {
11338 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11339 	struct cfg80211_wowlan_tcp *cfg;
11340 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11341 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11342 	u32 size;
11343 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11344 	int err, port;
11345 
11346 	if (!rdev->wiphy.wowlan->tcp)
11347 		return -EINVAL;
11348 
11349 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11350 					  nl80211_wowlan_tcp_policy, NULL);
11351 	if (err)
11352 		return err;
11353 
11354 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
11355 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
11356 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
11357 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
11358 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
11359 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
11360 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
11361 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
11362 		return -EINVAL;
11363 
11364 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
11365 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
11366 		return -EINVAL;
11367 
11368 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
11369 			rdev->wiphy.wowlan->tcp->data_interval_max ||
11370 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
11371 		return -EINVAL;
11372 
11373 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
11374 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
11375 		return -EINVAL;
11376 
11377 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
11378 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
11379 		return -EINVAL;
11380 
11381 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
11382 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11383 
11384 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11385 		tokens_size = tokln - sizeof(*tok);
11386 
11387 		if (!tok->len || tokens_size % tok->len)
11388 			return -EINVAL;
11389 		if (!rdev->wiphy.wowlan->tcp->tok)
11390 			return -EINVAL;
11391 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
11392 			return -EINVAL;
11393 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
11394 			return -EINVAL;
11395 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
11396 			return -EINVAL;
11397 		if (tok->offset + tok->len > data_size)
11398 			return -EINVAL;
11399 	}
11400 
11401 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11402 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11403 		if (!rdev->wiphy.wowlan->tcp->seq)
11404 			return -EINVAL;
11405 		if (seq->len == 0 || seq->len > 4)
11406 			return -EINVAL;
11407 		if (seq->len + seq->offset > data_size)
11408 			return -EINVAL;
11409 	}
11410 
11411 	size = sizeof(*cfg);
11412 	size += data_size;
11413 	size += wake_size + wake_mask_size;
11414 	size += tokens_size;
11415 
11416 	cfg = kzalloc(size, GFP_KERNEL);
11417 	if (!cfg)
11418 		return -ENOMEM;
11419 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11420 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11421 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11422 	       ETH_ALEN);
11423 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11424 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11425 	else
11426 		port = 0;
11427 #ifdef CONFIG_INET
11428 	/* allocate a socket and port for it and use it */
11429 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11430 			    IPPROTO_TCP, &cfg->sock, 1);
11431 	if (err) {
11432 		kfree(cfg);
11433 		return err;
11434 	}
11435 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11436 		sock_release(cfg->sock);
11437 		kfree(cfg);
11438 		return -EADDRINUSE;
11439 	}
11440 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11441 #else
11442 	if (!port) {
11443 		kfree(cfg);
11444 		return -EINVAL;
11445 	}
11446 	cfg->src_port = port;
11447 #endif
11448 
11449 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11450 	cfg->payload_len = data_size;
11451 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11452 	memcpy((void *)cfg->payload,
11453 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11454 	       data_size);
11455 	if (seq)
11456 		cfg->payload_seq = *seq;
11457 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11458 	cfg->wake_len = wake_size;
11459 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11460 	memcpy((void *)cfg->wake_data,
11461 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11462 	       wake_size);
11463 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11464 			 data_size + wake_size;
11465 	memcpy((void *)cfg->wake_mask,
11466 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11467 	       wake_mask_size);
11468 	if (tok) {
11469 		cfg->tokens_size = tokens_size;
11470 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11471 	}
11472 
11473 	trig->tcp = cfg;
11474 
11475 	return 0;
11476 }
11477 
11478 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11479 				   const struct wiphy_wowlan_support *wowlan,
11480 				   struct nlattr *attr,
11481 				   struct cfg80211_wowlan *trig)
11482 {
11483 	struct nlattr **tb;
11484 	int err;
11485 
11486 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11487 	if (!tb)
11488 		return -ENOMEM;
11489 
11490 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11491 		err = -EOPNOTSUPP;
11492 		goto out;
11493 	}
11494 
11495 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
11496 					  nl80211_policy, NULL);
11497 	if (err)
11498 		goto out;
11499 
11500 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11501 						   wowlan->max_nd_match_sets);
11502 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11503 	if (err)
11504 		trig->nd_config = NULL;
11505 
11506 out:
11507 	kfree(tb);
11508 	return err;
11509 }
11510 
11511 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11512 {
11513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11514 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11515 	struct cfg80211_wowlan new_triggers = {};
11516 	struct cfg80211_wowlan *ntrig;
11517 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11518 	int err, i;
11519 	bool prev_enabled = rdev->wiphy.wowlan_config;
11520 	bool regular = false;
11521 
11522 	if (!wowlan)
11523 		return -EOPNOTSUPP;
11524 
11525 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11526 		cfg80211_rdev_free_wowlan(rdev);
11527 		rdev->wiphy.wowlan_config = NULL;
11528 		goto set_wakeup;
11529 	}
11530 
11531 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
11532 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11533 					  nl80211_wowlan_policy, info->extack);
11534 	if (err)
11535 		return err;
11536 
11537 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11538 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11539 			return -EINVAL;
11540 		new_triggers.any = true;
11541 	}
11542 
11543 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11544 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11545 			return -EINVAL;
11546 		new_triggers.disconnect = true;
11547 		regular = true;
11548 	}
11549 
11550 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11551 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11552 			return -EINVAL;
11553 		new_triggers.magic_pkt = true;
11554 		regular = true;
11555 	}
11556 
11557 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11558 		return -EINVAL;
11559 
11560 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11561 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11562 			return -EINVAL;
11563 		new_triggers.gtk_rekey_failure = true;
11564 		regular = true;
11565 	}
11566 
11567 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11568 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11569 			return -EINVAL;
11570 		new_triggers.eap_identity_req = true;
11571 		regular = true;
11572 	}
11573 
11574 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11575 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11576 			return -EINVAL;
11577 		new_triggers.four_way_handshake = true;
11578 		regular = true;
11579 	}
11580 
11581 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11582 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11583 			return -EINVAL;
11584 		new_triggers.rfkill_release = true;
11585 		regular = true;
11586 	}
11587 
11588 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11589 		struct nlattr *pat;
11590 		int n_patterns = 0;
11591 		int rem, pat_len, mask_len, pkt_offset;
11592 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11593 
11594 		regular = true;
11595 
11596 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11597 				    rem)
11598 			n_patterns++;
11599 		if (n_patterns > wowlan->n_patterns)
11600 			return -EINVAL;
11601 
11602 		new_triggers.patterns = kcalloc(n_patterns,
11603 						sizeof(new_triggers.patterns[0]),
11604 						GFP_KERNEL);
11605 		if (!new_triggers.patterns)
11606 			return -ENOMEM;
11607 
11608 		new_triggers.n_patterns = n_patterns;
11609 		i = 0;
11610 
11611 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11612 				    rem) {
11613 			u8 *mask_pat;
11614 
11615 			err = nla_parse_nested_deprecated(pat_tb,
11616 							  MAX_NL80211_PKTPAT,
11617 							  pat,
11618 							  nl80211_packet_pattern_policy,
11619 							  info->extack);
11620 			if (err)
11621 				goto error;
11622 
11623 			err = -EINVAL;
11624 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
11625 			    !pat_tb[NL80211_PKTPAT_PATTERN])
11626 				goto error;
11627 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11628 			mask_len = DIV_ROUND_UP(pat_len, 8);
11629 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11630 				goto error;
11631 			if (pat_len > wowlan->pattern_max_len ||
11632 			    pat_len < wowlan->pattern_min_len)
11633 				goto error;
11634 
11635 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
11636 				pkt_offset = 0;
11637 			else
11638 				pkt_offset = nla_get_u32(
11639 					pat_tb[NL80211_PKTPAT_OFFSET]);
11640 			if (pkt_offset > wowlan->max_pkt_offset)
11641 				goto error;
11642 			new_triggers.patterns[i].pkt_offset = pkt_offset;
11643 
11644 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11645 			if (!mask_pat) {
11646 				err = -ENOMEM;
11647 				goto error;
11648 			}
11649 			new_triggers.patterns[i].mask = mask_pat;
11650 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11651 			       mask_len);
11652 			mask_pat += mask_len;
11653 			new_triggers.patterns[i].pattern = mask_pat;
11654 			new_triggers.patterns[i].pattern_len = pat_len;
11655 			memcpy(mask_pat,
11656 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11657 			       pat_len);
11658 			i++;
11659 		}
11660 	}
11661 
11662 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11663 		regular = true;
11664 		err = nl80211_parse_wowlan_tcp(
11665 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11666 			&new_triggers);
11667 		if (err)
11668 			goto error;
11669 	}
11670 
11671 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11672 		regular = true;
11673 		err = nl80211_parse_wowlan_nd(
11674 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11675 			&new_triggers);
11676 		if (err)
11677 			goto error;
11678 	}
11679 
11680 	/* The 'any' trigger means the device continues operating more or less
11681 	 * as in its normal operation mode and wakes up the host on most of the
11682 	 * normal interrupts (like packet RX, ...)
11683 	 * It therefore makes little sense to combine with the more constrained
11684 	 * wakeup trigger modes.
11685 	 */
11686 	if (new_triggers.any && regular) {
11687 		err = -EINVAL;
11688 		goto error;
11689 	}
11690 
11691 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11692 	if (!ntrig) {
11693 		err = -ENOMEM;
11694 		goto error;
11695 	}
11696 	cfg80211_rdev_free_wowlan(rdev);
11697 	rdev->wiphy.wowlan_config = ntrig;
11698 
11699  set_wakeup:
11700 	if (rdev->ops->set_wakeup &&
11701 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11702 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11703 
11704 	return 0;
11705  error:
11706 	for (i = 0; i < new_triggers.n_patterns; i++)
11707 		kfree(new_triggers.patterns[i].mask);
11708 	kfree(new_triggers.patterns);
11709 	if (new_triggers.tcp && new_triggers.tcp->sock)
11710 		sock_release(new_triggers.tcp->sock);
11711 	kfree(new_triggers.tcp);
11712 	kfree(new_triggers.nd_config);
11713 	return err;
11714 }
11715 #endif
11716 
11717 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
11718 				       struct cfg80211_registered_device *rdev)
11719 {
11720 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
11721 	int i, j, pat_len;
11722 	struct cfg80211_coalesce_rules *rule;
11723 
11724 	if (!rdev->coalesce->n_rules)
11725 		return 0;
11726 
11727 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
11728 	if (!nl_rules)
11729 		return -ENOBUFS;
11730 
11731 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
11732 		nl_rule = nla_nest_start_noflag(msg, i + 1);
11733 		if (!nl_rule)
11734 			return -ENOBUFS;
11735 
11736 		rule = &rdev->coalesce->rules[i];
11737 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
11738 				rule->delay))
11739 			return -ENOBUFS;
11740 
11741 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
11742 				rule->condition))
11743 			return -ENOBUFS;
11744 
11745 		nl_pats = nla_nest_start_noflag(msg,
11746 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
11747 		if (!nl_pats)
11748 			return -ENOBUFS;
11749 
11750 		for (j = 0; j < rule->n_patterns; j++) {
11751 			nl_pat = nla_nest_start_noflag(msg, j + 1);
11752 			if (!nl_pat)
11753 				return -ENOBUFS;
11754 			pat_len = rule->patterns[j].pattern_len;
11755 			if (nla_put(msg, NL80211_PKTPAT_MASK,
11756 				    DIV_ROUND_UP(pat_len, 8),
11757 				    rule->patterns[j].mask) ||
11758 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11759 				    rule->patterns[j].pattern) ||
11760 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11761 					rule->patterns[j].pkt_offset))
11762 				return -ENOBUFS;
11763 			nla_nest_end(msg, nl_pat);
11764 		}
11765 		nla_nest_end(msg, nl_pats);
11766 		nla_nest_end(msg, nl_rule);
11767 	}
11768 	nla_nest_end(msg, nl_rules);
11769 
11770 	return 0;
11771 }
11772 
11773 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
11774 {
11775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11776 	struct sk_buff *msg;
11777 	void *hdr;
11778 
11779 	if (!rdev->wiphy.coalesce)
11780 		return -EOPNOTSUPP;
11781 
11782 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11783 	if (!msg)
11784 		return -ENOMEM;
11785 
11786 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11787 			     NL80211_CMD_GET_COALESCE);
11788 	if (!hdr)
11789 		goto nla_put_failure;
11790 
11791 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
11792 		goto nla_put_failure;
11793 
11794 	genlmsg_end(msg, hdr);
11795 	return genlmsg_reply(msg, info);
11796 
11797 nla_put_failure:
11798 	nlmsg_free(msg);
11799 	return -ENOBUFS;
11800 }
11801 
11802 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
11803 {
11804 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
11805 	int i, j;
11806 	struct cfg80211_coalesce_rules *rule;
11807 
11808 	if (!coalesce)
11809 		return;
11810 
11811 	for (i = 0; i < coalesce->n_rules; i++) {
11812 		rule = &coalesce->rules[i];
11813 		for (j = 0; j < rule->n_patterns; j++)
11814 			kfree(rule->patterns[j].mask);
11815 		kfree(rule->patterns);
11816 	}
11817 	kfree(coalesce->rules);
11818 	kfree(coalesce);
11819 	rdev->coalesce = NULL;
11820 }
11821 
11822 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
11823 				       struct nlattr *rule,
11824 				       struct cfg80211_coalesce_rules *new_rule)
11825 {
11826 	int err, i;
11827 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11828 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
11829 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
11830 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11831 
11832 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
11833 					  rule, nl80211_coalesce_policy, NULL);
11834 	if (err)
11835 		return err;
11836 
11837 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
11838 		new_rule->delay =
11839 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
11840 	if (new_rule->delay > coalesce->max_delay)
11841 		return -EINVAL;
11842 
11843 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
11844 		new_rule->condition =
11845 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
11846 
11847 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
11848 		return -EINVAL;
11849 
11850 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11851 			    rem)
11852 		n_patterns++;
11853 	if (n_patterns > coalesce->n_patterns)
11854 		return -EINVAL;
11855 
11856 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
11857 				     GFP_KERNEL);
11858 	if (!new_rule->patterns)
11859 		return -ENOMEM;
11860 
11861 	new_rule->n_patterns = n_patterns;
11862 	i = 0;
11863 
11864 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11865 			    rem) {
11866 		u8 *mask_pat;
11867 
11868 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
11869 						  pat,
11870 						  nl80211_packet_pattern_policy,
11871 						  NULL);
11872 		if (err)
11873 			return err;
11874 
11875 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
11876 		    !pat_tb[NL80211_PKTPAT_PATTERN])
11877 			return -EINVAL;
11878 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11879 		mask_len = DIV_ROUND_UP(pat_len, 8);
11880 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11881 			return -EINVAL;
11882 		if (pat_len > coalesce->pattern_max_len ||
11883 		    pat_len < coalesce->pattern_min_len)
11884 			return -EINVAL;
11885 
11886 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
11887 			pkt_offset = 0;
11888 		else
11889 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
11890 		if (pkt_offset > coalesce->max_pkt_offset)
11891 			return -EINVAL;
11892 		new_rule->patterns[i].pkt_offset = pkt_offset;
11893 
11894 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11895 		if (!mask_pat)
11896 			return -ENOMEM;
11897 
11898 		new_rule->patterns[i].mask = mask_pat;
11899 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11900 		       mask_len);
11901 
11902 		mask_pat += mask_len;
11903 		new_rule->patterns[i].pattern = mask_pat;
11904 		new_rule->patterns[i].pattern_len = pat_len;
11905 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11906 		       pat_len);
11907 		i++;
11908 	}
11909 
11910 	return 0;
11911 }
11912 
11913 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
11914 {
11915 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11916 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11917 	struct cfg80211_coalesce new_coalesce = {};
11918 	struct cfg80211_coalesce *n_coalesce;
11919 	int err, rem_rule, n_rules = 0, i, j;
11920 	struct nlattr *rule;
11921 	struct cfg80211_coalesce_rules *tmp_rule;
11922 
11923 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
11924 		return -EOPNOTSUPP;
11925 
11926 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
11927 		cfg80211_rdev_free_coalesce(rdev);
11928 		rdev_set_coalesce(rdev, NULL);
11929 		return 0;
11930 	}
11931 
11932 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11933 			    rem_rule)
11934 		n_rules++;
11935 	if (n_rules > coalesce->n_rules)
11936 		return -EINVAL;
11937 
11938 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
11939 				     GFP_KERNEL);
11940 	if (!new_coalesce.rules)
11941 		return -ENOMEM;
11942 
11943 	new_coalesce.n_rules = n_rules;
11944 	i = 0;
11945 
11946 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11947 			    rem_rule) {
11948 		err = nl80211_parse_coalesce_rule(rdev, rule,
11949 						  &new_coalesce.rules[i]);
11950 		if (err)
11951 			goto error;
11952 
11953 		i++;
11954 	}
11955 
11956 	err = rdev_set_coalesce(rdev, &new_coalesce);
11957 	if (err)
11958 		goto error;
11959 
11960 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
11961 	if (!n_coalesce) {
11962 		err = -ENOMEM;
11963 		goto error;
11964 	}
11965 	cfg80211_rdev_free_coalesce(rdev);
11966 	rdev->coalesce = n_coalesce;
11967 
11968 	return 0;
11969 error:
11970 	for (i = 0; i < new_coalesce.n_rules; i++) {
11971 		tmp_rule = &new_coalesce.rules[i];
11972 		for (j = 0; j < tmp_rule->n_patterns; j++)
11973 			kfree(tmp_rule->patterns[j].mask);
11974 		kfree(tmp_rule->patterns);
11975 	}
11976 	kfree(new_coalesce.rules);
11977 
11978 	return err;
11979 }
11980 
11981 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
11982 {
11983 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11984 	struct net_device *dev = info->user_ptr[1];
11985 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11986 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
11987 	struct cfg80211_gtk_rekey_data rekey_data;
11988 	int err;
11989 
11990 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
11991 		return -EINVAL;
11992 
11993 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
11994 					  info->attrs[NL80211_ATTR_REKEY_DATA],
11995 					  nl80211_rekey_policy, info->extack);
11996 	if (err)
11997 		return err;
11998 
11999 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12000 	    !tb[NL80211_REKEY_DATA_KCK])
12001 		return -EINVAL;
12002 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
12003 		return -ERANGE;
12004 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
12005 		return -ERANGE;
12006 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
12007 		return -ERANGE;
12008 
12009 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12010 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12011 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12012 
12013 	wdev_lock(wdev);
12014 	if (!wdev->current_bss) {
12015 		err = -ENOTCONN;
12016 		goto out;
12017 	}
12018 
12019 	if (!rdev->ops->set_rekey_data) {
12020 		err = -EOPNOTSUPP;
12021 		goto out;
12022 	}
12023 
12024 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12025  out:
12026 	wdev_unlock(wdev);
12027 	return err;
12028 }
12029 
12030 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12031 					     struct genl_info *info)
12032 {
12033 	struct net_device *dev = info->user_ptr[1];
12034 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12035 
12036 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12037 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12038 		return -EINVAL;
12039 
12040 	if (wdev->ap_unexpected_nlportid)
12041 		return -EBUSY;
12042 
12043 	wdev->ap_unexpected_nlportid = info->snd_portid;
12044 	return 0;
12045 }
12046 
12047 static int nl80211_probe_client(struct sk_buff *skb,
12048 				struct genl_info *info)
12049 {
12050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12051 	struct net_device *dev = info->user_ptr[1];
12052 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12053 	struct sk_buff *msg;
12054 	void *hdr;
12055 	const u8 *addr;
12056 	u64 cookie;
12057 	int err;
12058 
12059 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12060 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12061 		return -EOPNOTSUPP;
12062 
12063 	if (!info->attrs[NL80211_ATTR_MAC])
12064 		return -EINVAL;
12065 
12066 	if (!rdev->ops->probe_client)
12067 		return -EOPNOTSUPP;
12068 
12069 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12070 	if (!msg)
12071 		return -ENOMEM;
12072 
12073 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12074 			     NL80211_CMD_PROBE_CLIENT);
12075 	if (!hdr) {
12076 		err = -ENOBUFS;
12077 		goto free_msg;
12078 	}
12079 
12080 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12081 
12082 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12083 	if (err)
12084 		goto free_msg;
12085 
12086 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12087 			      NL80211_ATTR_PAD))
12088 		goto nla_put_failure;
12089 
12090 	genlmsg_end(msg, hdr);
12091 
12092 	return genlmsg_reply(msg, info);
12093 
12094  nla_put_failure:
12095 	err = -ENOBUFS;
12096  free_msg:
12097 	nlmsg_free(msg);
12098 	return err;
12099 }
12100 
12101 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12102 {
12103 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12104 	struct cfg80211_beacon_registration *reg, *nreg;
12105 	int rv;
12106 
12107 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12108 		return -EOPNOTSUPP;
12109 
12110 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12111 	if (!nreg)
12112 		return -ENOMEM;
12113 
12114 	/* First, check if already registered. */
12115 	spin_lock_bh(&rdev->beacon_registrations_lock);
12116 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12117 		if (reg->nlportid == info->snd_portid) {
12118 			rv = -EALREADY;
12119 			goto out_err;
12120 		}
12121 	}
12122 	/* Add it to the list */
12123 	nreg->nlportid = info->snd_portid;
12124 	list_add(&nreg->list, &rdev->beacon_registrations);
12125 
12126 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12127 
12128 	return 0;
12129 out_err:
12130 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12131 	kfree(nreg);
12132 	return rv;
12133 }
12134 
12135 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12136 {
12137 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12138 	struct wireless_dev *wdev = info->user_ptr[1];
12139 	int err;
12140 
12141 	if (!rdev->ops->start_p2p_device)
12142 		return -EOPNOTSUPP;
12143 
12144 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12145 		return -EOPNOTSUPP;
12146 
12147 	if (wdev_running(wdev))
12148 		return 0;
12149 
12150 	if (rfkill_blocked(rdev->rfkill))
12151 		return -ERFKILL;
12152 
12153 	err = rdev_start_p2p_device(rdev, wdev);
12154 	if (err)
12155 		return err;
12156 
12157 	wdev->is_running = true;
12158 	rdev->opencount++;
12159 
12160 	return 0;
12161 }
12162 
12163 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12164 {
12165 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12166 	struct wireless_dev *wdev = info->user_ptr[1];
12167 
12168 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12169 		return -EOPNOTSUPP;
12170 
12171 	if (!rdev->ops->stop_p2p_device)
12172 		return -EOPNOTSUPP;
12173 
12174 	cfg80211_stop_p2p_device(rdev, wdev);
12175 
12176 	return 0;
12177 }
12178 
12179 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12180 {
12181 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12182 	struct wireless_dev *wdev = info->user_ptr[1];
12183 	struct cfg80211_nan_conf conf = {};
12184 	int err;
12185 
12186 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12187 		return -EOPNOTSUPP;
12188 
12189 	if (wdev_running(wdev))
12190 		return -EEXIST;
12191 
12192 	if (rfkill_blocked(rdev->rfkill))
12193 		return -ERFKILL;
12194 
12195 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12196 		return -EINVAL;
12197 
12198 	conf.master_pref =
12199 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12200 
12201 	if (info->attrs[NL80211_ATTR_BANDS]) {
12202 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12203 
12204 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12205 			return -EOPNOTSUPP;
12206 
12207 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12208 			return -EINVAL;
12209 
12210 		conf.bands = bands;
12211 	}
12212 
12213 	err = rdev_start_nan(rdev, wdev, &conf);
12214 	if (err)
12215 		return err;
12216 
12217 	wdev->is_running = true;
12218 	rdev->opencount++;
12219 
12220 	return 0;
12221 }
12222 
12223 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12224 {
12225 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12226 	struct wireless_dev *wdev = info->user_ptr[1];
12227 
12228 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12229 		return -EOPNOTSUPP;
12230 
12231 	cfg80211_stop_nan(rdev, wdev);
12232 
12233 	return 0;
12234 }
12235 
12236 static int validate_nan_filter(struct nlattr *filter_attr)
12237 {
12238 	struct nlattr *attr;
12239 	int len = 0, n_entries = 0, rem;
12240 
12241 	nla_for_each_nested(attr, filter_attr, rem) {
12242 		len += nla_len(attr);
12243 		n_entries++;
12244 	}
12245 
12246 	if (len >= U8_MAX)
12247 		return -EINVAL;
12248 
12249 	return n_entries;
12250 }
12251 
12252 static int handle_nan_filter(struct nlattr *attr_filter,
12253 			     struct cfg80211_nan_func *func,
12254 			     bool tx)
12255 {
12256 	struct nlattr *attr;
12257 	int n_entries, rem, i;
12258 	struct cfg80211_nan_func_filter *filter;
12259 
12260 	n_entries = validate_nan_filter(attr_filter);
12261 	if (n_entries < 0)
12262 		return n_entries;
12263 
12264 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12265 
12266 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12267 	if (!filter)
12268 		return -ENOMEM;
12269 
12270 	i = 0;
12271 	nla_for_each_nested(attr, attr_filter, rem) {
12272 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12273 		filter[i].len = nla_len(attr);
12274 		i++;
12275 	}
12276 	if (tx) {
12277 		func->num_tx_filters = n_entries;
12278 		func->tx_filters = filter;
12279 	} else {
12280 		func->num_rx_filters = n_entries;
12281 		func->rx_filters = filter;
12282 	}
12283 
12284 	return 0;
12285 }
12286 
12287 static int nl80211_nan_add_func(struct sk_buff *skb,
12288 				struct genl_info *info)
12289 {
12290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12291 	struct wireless_dev *wdev = info->user_ptr[1];
12292 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12293 	struct cfg80211_nan_func *func;
12294 	struct sk_buff *msg = NULL;
12295 	void *hdr = NULL;
12296 	int err = 0;
12297 
12298 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12299 		return -EOPNOTSUPP;
12300 
12301 	if (!wdev_running(wdev))
12302 		return -ENOTCONN;
12303 
12304 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12305 		return -EINVAL;
12306 
12307 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12308 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12309 					  nl80211_nan_func_policy,
12310 					  info->extack);
12311 	if (err)
12312 		return err;
12313 
12314 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12315 	if (!func)
12316 		return -ENOMEM;
12317 
12318 	func->cookie = cfg80211_assign_cookie(rdev);
12319 
12320 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
12321 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
12322 		err = -EINVAL;
12323 		goto out;
12324 	}
12325 
12326 
12327 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12328 
12329 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12330 		err = -EINVAL;
12331 		goto out;
12332 	}
12333 
12334 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12335 	       sizeof(func->service_id));
12336 
12337 	func->close_range =
12338 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12339 
12340 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12341 		func->serv_spec_info_len =
12342 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12343 		func->serv_spec_info =
12344 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12345 				func->serv_spec_info_len,
12346 				GFP_KERNEL);
12347 		if (!func->serv_spec_info) {
12348 			err = -ENOMEM;
12349 			goto out;
12350 		}
12351 	}
12352 
12353 	if (tb[NL80211_NAN_FUNC_TTL])
12354 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
12355 
12356 	switch (func->type) {
12357 	case NL80211_NAN_FUNC_PUBLISH:
12358 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
12359 			err = -EINVAL;
12360 			goto out;
12361 		}
12362 
12363 		func->publish_type =
12364 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
12365 		func->publish_bcast =
12366 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
12367 
12368 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
12369 			func->publish_bcast) {
12370 			err = -EINVAL;
12371 			goto out;
12372 		}
12373 		break;
12374 	case NL80211_NAN_FUNC_SUBSCRIBE:
12375 		func->subscribe_active =
12376 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
12377 		break;
12378 	case NL80211_NAN_FUNC_FOLLOW_UP:
12379 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
12380 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
12381 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
12382 			err = -EINVAL;
12383 			goto out;
12384 		}
12385 
12386 		func->followup_id =
12387 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
12388 		func->followup_reqid =
12389 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
12390 		memcpy(func->followup_dest.addr,
12391 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
12392 		       sizeof(func->followup_dest.addr));
12393 		if (func->ttl) {
12394 			err = -EINVAL;
12395 			goto out;
12396 		}
12397 		break;
12398 	default:
12399 		err = -EINVAL;
12400 		goto out;
12401 	}
12402 
12403 	if (tb[NL80211_NAN_FUNC_SRF]) {
12404 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12405 
12406 		err = nla_parse_nested_deprecated(srf_tb,
12407 						  NL80211_NAN_SRF_ATTR_MAX,
12408 						  tb[NL80211_NAN_FUNC_SRF],
12409 						  nl80211_nan_srf_policy,
12410 						  info->extack);
12411 		if (err)
12412 			goto out;
12413 
12414 		func->srf_include =
12415 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12416 
12417 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12418 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12419 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12420 				err = -EINVAL;
12421 				goto out;
12422 			}
12423 
12424 			func->srf_bf_len =
12425 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12426 			func->srf_bf =
12427 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12428 					func->srf_bf_len, GFP_KERNEL);
12429 			if (!func->srf_bf) {
12430 				err = -ENOMEM;
12431 				goto out;
12432 			}
12433 
12434 			func->srf_bf_idx =
12435 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12436 		} else {
12437 			struct nlattr *attr, *mac_attr =
12438 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12439 			int n_entries, rem, i = 0;
12440 
12441 			if (!mac_attr) {
12442 				err = -EINVAL;
12443 				goto out;
12444 			}
12445 
12446 			n_entries = validate_acl_mac_addrs(mac_attr);
12447 			if (n_entries <= 0) {
12448 				err = -EINVAL;
12449 				goto out;
12450 			}
12451 
12452 			func->srf_num_macs = n_entries;
12453 			func->srf_macs =
12454 				kcalloc(n_entries, sizeof(*func->srf_macs),
12455 					GFP_KERNEL);
12456 			if (!func->srf_macs) {
12457 				err = -ENOMEM;
12458 				goto out;
12459 			}
12460 
12461 			nla_for_each_nested(attr, mac_attr, rem)
12462 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12463 				       sizeof(*func->srf_macs));
12464 		}
12465 	}
12466 
12467 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12468 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12469 					func, true);
12470 		if (err)
12471 			goto out;
12472 	}
12473 
12474 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12475 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12476 					func, false);
12477 		if (err)
12478 			goto out;
12479 	}
12480 
12481 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12482 	if (!msg) {
12483 		err = -ENOMEM;
12484 		goto out;
12485 	}
12486 
12487 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12488 			     NL80211_CMD_ADD_NAN_FUNCTION);
12489 	/* This can't really happen - we just allocated 4KB */
12490 	if (WARN_ON(!hdr)) {
12491 		err = -ENOMEM;
12492 		goto out;
12493 	}
12494 
12495 	err = rdev_add_nan_func(rdev, wdev, func);
12496 out:
12497 	if (err < 0) {
12498 		cfg80211_free_nan_func(func);
12499 		nlmsg_free(msg);
12500 		return err;
12501 	}
12502 
12503 	/* propagate the instance id and cookie to userspace  */
12504 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12505 			      NL80211_ATTR_PAD))
12506 		goto nla_put_failure;
12507 
12508 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12509 	if (!func_attr)
12510 		goto nla_put_failure;
12511 
12512 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12513 		       func->instance_id))
12514 		goto nla_put_failure;
12515 
12516 	nla_nest_end(msg, func_attr);
12517 
12518 	genlmsg_end(msg, hdr);
12519 	return genlmsg_reply(msg, info);
12520 
12521 nla_put_failure:
12522 	nlmsg_free(msg);
12523 	return -ENOBUFS;
12524 }
12525 
12526 static int nl80211_nan_del_func(struct sk_buff *skb,
12527 			       struct genl_info *info)
12528 {
12529 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12530 	struct wireless_dev *wdev = info->user_ptr[1];
12531 	u64 cookie;
12532 
12533 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12534 		return -EOPNOTSUPP;
12535 
12536 	if (!wdev_running(wdev))
12537 		return -ENOTCONN;
12538 
12539 	if (!info->attrs[NL80211_ATTR_COOKIE])
12540 		return -EINVAL;
12541 
12542 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12543 
12544 	rdev_del_nan_func(rdev, wdev, cookie);
12545 
12546 	return 0;
12547 }
12548 
12549 static int nl80211_nan_change_config(struct sk_buff *skb,
12550 				     struct genl_info *info)
12551 {
12552 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12553 	struct wireless_dev *wdev = info->user_ptr[1];
12554 	struct cfg80211_nan_conf conf = {};
12555 	u32 changed = 0;
12556 
12557 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12558 		return -EOPNOTSUPP;
12559 
12560 	if (!wdev_running(wdev))
12561 		return -ENOTCONN;
12562 
12563 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12564 		conf.master_pref =
12565 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12566 		if (conf.master_pref <= 1 || conf.master_pref == 255)
12567 			return -EINVAL;
12568 
12569 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12570 	}
12571 
12572 	if (info->attrs[NL80211_ATTR_BANDS]) {
12573 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12574 
12575 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12576 			return -EOPNOTSUPP;
12577 
12578 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12579 			return -EINVAL;
12580 
12581 		conf.bands = bands;
12582 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12583 	}
12584 
12585 	if (!changed)
12586 		return -EINVAL;
12587 
12588 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12589 }
12590 
12591 void cfg80211_nan_match(struct wireless_dev *wdev,
12592 			struct cfg80211_nan_match_params *match, gfp_t gfp)
12593 {
12594 	struct wiphy *wiphy = wdev->wiphy;
12595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12596 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12597 	struct sk_buff *msg;
12598 	void *hdr;
12599 
12600 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12601 		return;
12602 
12603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12604 	if (!msg)
12605 		return;
12606 
12607 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12608 	if (!hdr) {
12609 		nlmsg_free(msg);
12610 		return;
12611 	}
12612 
12613 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12614 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12615 					 wdev->netdev->ifindex)) ||
12616 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12617 			      NL80211_ATTR_PAD))
12618 		goto nla_put_failure;
12619 
12620 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12621 			      NL80211_ATTR_PAD) ||
12622 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12623 		goto nla_put_failure;
12624 
12625 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
12626 	if (!match_attr)
12627 		goto nla_put_failure;
12628 
12629 	local_func_attr = nla_nest_start_noflag(msg,
12630 						NL80211_NAN_MATCH_FUNC_LOCAL);
12631 	if (!local_func_attr)
12632 		goto nla_put_failure;
12633 
12634 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12635 		goto nla_put_failure;
12636 
12637 	nla_nest_end(msg, local_func_attr);
12638 
12639 	peer_func_attr = nla_nest_start_noflag(msg,
12640 					       NL80211_NAN_MATCH_FUNC_PEER);
12641 	if (!peer_func_attr)
12642 		goto nla_put_failure;
12643 
12644 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12645 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12646 		goto nla_put_failure;
12647 
12648 	if (match->info && match->info_len &&
12649 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12650 		    match->info))
12651 		goto nla_put_failure;
12652 
12653 	nla_nest_end(msg, peer_func_attr);
12654 	nla_nest_end(msg, match_attr);
12655 	genlmsg_end(msg, hdr);
12656 
12657 	if (!wdev->owner_nlportid)
12658 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12659 					msg, 0, NL80211_MCGRP_NAN, gfp);
12660 	else
12661 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12662 				wdev->owner_nlportid);
12663 
12664 	return;
12665 
12666 nla_put_failure:
12667 	nlmsg_free(msg);
12668 }
12669 EXPORT_SYMBOL(cfg80211_nan_match);
12670 
12671 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12672 				  u8 inst_id,
12673 				  enum nl80211_nan_func_term_reason reason,
12674 				  u64 cookie, gfp_t gfp)
12675 {
12676 	struct wiphy *wiphy = wdev->wiphy;
12677 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12678 	struct sk_buff *msg;
12679 	struct nlattr *func_attr;
12680 	void *hdr;
12681 
12682 	if (WARN_ON(!inst_id))
12683 		return;
12684 
12685 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12686 	if (!msg)
12687 		return;
12688 
12689 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12690 	if (!hdr) {
12691 		nlmsg_free(msg);
12692 		return;
12693 	}
12694 
12695 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12696 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12697 					 wdev->netdev->ifindex)) ||
12698 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12699 			      NL80211_ATTR_PAD))
12700 		goto nla_put_failure;
12701 
12702 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12703 			      NL80211_ATTR_PAD))
12704 		goto nla_put_failure;
12705 
12706 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12707 	if (!func_attr)
12708 		goto nla_put_failure;
12709 
12710 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12711 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12712 		goto nla_put_failure;
12713 
12714 	nla_nest_end(msg, func_attr);
12715 	genlmsg_end(msg, hdr);
12716 
12717 	if (!wdev->owner_nlportid)
12718 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12719 					msg, 0, NL80211_MCGRP_NAN, gfp);
12720 	else
12721 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12722 				wdev->owner_nlportid);
12723 
12724 	return;
12725 
12726 nla_put_failure:
12727 	nlmsg_free(msg);
12728 }
12729 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12730 
12731 static int nl80211_get_protocol_features(struct sk_buff *skb,
12732 					 struct genl_info *info)
12733 {
12734 	void *hdr;
12735 	struct sk_buff *msg;
12736 
12737 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12738 	if (!msg)
12739 		return -ENOMEM;
12740 
12741 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12742 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
12743 	if (!hdr)
12744 		goto nla_put_failure;
12745 
12746 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
12747 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
12748 		goto nla_put_failure;
12749 
12750 	genlmsg_end(msg, hdr);
12751 	return genlmsg_reply(msg, info);
12752 
12753  nla_put_failure:
12754 	kfree_skb(msg);
12755 	return -ENOBUFS;
12756 }
12757 
12758 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
12759 {
12760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12761 	struct cfg80211_update_ft_ies_params ft_params;
12762 	struct net_device *dev = info->user_ptr[1];
12763 
12764 	if (!rdev->ops->update_ft_ies)
12765 		return -EOPNOTSUPP;
12766 
12767 	if (!info->attrs[NL80211_ATTR_MDID] ||
12768 	    !info->attrs[NL80211_ATTR_IE])
12769 		return -EINVAL;
12770 
12771 	memset(&ft_params, 0, sizeof(ft_params));
12772 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
12773 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12774 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12775 
12776 	return rdev_update_ft_ies(rdev, dev, &ft_params);
12777 }
12778 
12779 static int nl80211_crit_protocol_start(struct sk_buff *skb,
12780 				       struct genl_info *info)
12781 {
12782 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12783 	struct wireless_dev *wdev = info->user_ptr[1];
12784 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
12785 	u16 duration;
12786 	int ret;
12787 
12788 	if (!rdev->ops->crit_proto_start)
12789 		return -EOPNOTSUPP;
12790 
12791 	if (WARN_ON(!rdev->ops->crit_proto_stop))
12792 		return -EINVAL;
12793 
12794 	if (rdev->crit_proto_nlportid)
12795 		return -EBUSY;
12796 
12797 	/* determine protocol if provided */
12798 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
12799 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
12800 
12801 	if (proto >= NUM_NL80211_CRIT_PROTO)
12802 		return -EINVAL;
12803 
12804 	/* timeout must be provided */
12805 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
12806 		return -EINVAL;
12807 
12808 	duration =
12809 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
12810 
12811 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
12812 		return -ERANGE;
12813 
12814 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
12815 	if (!ret)
12816 		rdev->crit_proto_nlportid = info->snd_portid;
12817 
12818 	return ret;
12819 }
12820 
12821 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
12822 				      struct genl_info *info)
12823 {
12824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12825 	struct wireless_dev *wdev = info->user_ptr[1];
12826 
12827 	if (!rdev->ops->crit_proto_stop)
12828 		return -EOPNOTSUPP;
12829 
12830 	if (rdev->crit_proto_nlportid) {
12831 		rdev->crit_proto_nlportid = 0;
12832 		rdev_crit_proto_stop(rdev, wdev);
12833 	}
12834 	return 0;
12835 }
12836 
12837 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
12838 				       struct nlattr *attr,
12839 				       struct netlink_ext_ack *extack)
12840 {
12841 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
12842 		if (attr->nla_type & NLA_F_NESTED) {
12843 			NL_SET_ERR_MSG_ATTR(extack, attr,
12844 					    "unexpected nested data");
12845 			return -EINVAL;
12846 		}
12847 
12848 		return 0;
12849 	}
12850 
12851 	if (!(attr->nla_type & NLA_F_NESTED)) {
12852 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
12853 		return -EINVAL;
12854 	}
12855 
12856 	return nl80211_validate_nested(attr, vcmd->maxattr, vcmd->policy,
12857 				       extack);
12858 }
12859 
12860 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
12861 {
12862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12863 	struct wireless_dev *wdev =
12864 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
12865 	int i, err;
12866 	u32 vid, subcmd;
12867 
12868 	if (!rdev->wiphy.vendor_commands)
12869 		return -EOPNOTSUPP;
12870 
12871 	if (IS_ERR(wdev)) {
12872 		err = PTR_ERR(wdev);
12873 		if (err != -EINVAL)
12874 			return err;
12875 		wdev = NULL;
12876 	} else if (wdev->wiphy != &rdev->wiphy) {
12877 		return -EINVAL;
12878 	}
12879 
12880 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
12881 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
12882 		return -EINVAL;
12883 
12884 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
12885 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
12886 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
12887 		const struct wiphy_vendor_command *vcmd;
12888 		void *data = NULL;
12889 		int len = 0;
12890 
12891 		vcmd = &rdev->wiphy.vendor_commands[i];
12892 
12893 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12894 			continue;
12895 
12896 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12897 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12898 			if (!wdev)
12899 				return -EINVAL;
12900 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12901 			    !wdev->netdev)
12902 				return -EINVAL;
12903 
12904 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12905 				if (!wdev_running(wdev))
12906 					return -ENETDOWN;
12907 			}
12908 
12909 			if (!vcmd->doit)
12910 				return -EOPNOTSUPP;
12911 		} else {
12912 			wdev = NULL;
12913 		}
12914 
12915 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
12916 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12917 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12918 
12919 			err = nl80211_vendor_check_policy(vcmd,
12920 					info->attrs[NL80211_ATTR_VENDOR_DATA],
12921 					info->extack);
12922 			if (err)
12923 				return err;
12924 		}
12925 
12926 		rdev->cur_cmd_info = info;
12927 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
12928 		rdev->cur_cmd_info = NULL;
12929 		return err;
12930 	}
12931 
12932 	return -EOPNOTSUPP;
12933 }
12934 
12935 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
12936 				       struct netlink_callback *cb,
12937 				       struct cfg80211_registered_device **rdev,
12938 				       struct wireless_dev **wdev)
12939 {
12940 	struct nlattr **attrbuf;
12941 	u32 vid, subcmd;
12942 	unsigned int i;
12943 	int vcmd_idx = -1;
12944 	int err;
12945 	void *data = NULL;
12946 	unsigned int data_len = 0;
12947 
12948 	if (cb->args[0]) {
12949 		/* subtract the 1 again here */
12950 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
12951 		struct wireless_dev *tmp;
12952 
12953 		if (!wiphy)
12954 			return -ENODEV;
12955 		*rdev = wiphy_to_rdev(wiphy);
12956 		*wdev = NULL;
12957 
12958 		if (cb->args[1]) {
12959 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
12960 				if (tmp->identifier == cb->args[1] - 1) {
12961 					*wdev = tmp;
12962 					break;
12963 				}
12964 			}
12965 		}
12966 
12967 		/* keep rtnl locked in successful case */
12968 		return 0;
12969 	}
12970 
12971 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
12972 	if (!attrbuf)
12973 		return -ENOMEM;
12974 
12975 	err = nlmsg_parse_deprecated(cb->nlh,
12976 				     GENL_HDRLEN + nl80211_fam.hdrsize,
12977 				     attrbuf, nl80211_fam.maxattr,
12978 				     nl80211_policy, NULL);
12979 	if (err)
12980 		goto out;
12981 
12982 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
12983 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
12984 		err = -EINVAL;
12985 		goto out;
12986 	}
12987 
12988 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
12989 	if (IS_ERR(*wdev))
12990 		*wdev = NULL;
12991 
12992 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12993 	if (IS_ERR(*rdev)) {
12994 		err = PTR_ERR(*rdev);
12995 		goto out;
12996 	}
12997 
12998 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
12999 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13000 
13001 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13002 		const struct wiphy_vendor_command *vcmd;
13003 
13004 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13005 
13006 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13007 			continue;
13008 
13009 		if (!vcmd->dumpit) {
13010 			err = -EOPNOTSUPP;
13011 			goto out;
13012 		}
13013 
13014 		vcmd_idx = i;
13015 		break;
13016 	}
13017 
13018 	if (vcmd_idx < 0) {
13019 		err = -EOPNOTSUPP;
13020 		goto out;
13021 	}
13022 
13023 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13024 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13025 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13026 
13027 		err = nl80211_vendor_check_policy(
13028 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13029 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13030 				cb->extack);
13031 		if (err)
13032 			goto out;
13033 	}
13034 
13035 	/* 0 is the first index - add 1 to parse only once */
13036 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13037 	/* add 1 to know if it was NULL */
13038 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13039 	cb->args[2] = vcmd_idx;
13040 	cb->args[3] = (unsigned long)data;
13041 	cb->args[4] = data_len;
13042 
13043 	/* keep rtnl locked in successful case */
13044 	err = 0;
13045 out:
13046 	kfree(attrbuf);
13047 	return err;
13048 }
13049 
13050 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13051 				   struct netlink_callback *cb)
13052 {
13053 	struct cfg80211_registered_device *rdev;
13054 	struct wireless_dev *wdev;
13055 	unsigned int vcmd_idx;
13056 	const struct wiphy_vendor_command *vcmd;
13057 	void *data;
13058 	int data_len;
13059 	int err;
13060 	struct nlattr *vendor_data;
13061 
13062 	rtnl_lock();
13063 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13064 	if (err)
13065 		goto out;
13066 
13067 	vcmd_idx = cb->args[2];
13068 	data = (void *)cb->args[3];
13069 	data_len = cb->args[4];
13070 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13071 
13072 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13073 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13074 		if (!wdev) {
13075 			err = -EINVAL;
13076 			goto out;
13077 		}
13078 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13079 		    !wdev->netdev) {
13080 			err = -EINVAL;
13081 			goto out;
13082 		}
13083 
13084 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13085 			if (!wdev_running(wdev)) {
13086 				err = -ENETDOWN;
13087 				goto out;
13088 			}
13089 		}
13090 	}
13091 
13092 	while (1) {
13093 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13094 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13095 					   NL80211_CMD_VENDOR);
13096 		if (!hdr)
13097 			break;
13098 
13099 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13100 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13101 					       wdev_id(wdev),
13102 					       NL80211_ATTR_PAD))) {
13103 			genlmsg_cancel(skb, hdr);
13104 			break;
13105 		}
13106 
13107 		vendor_data = nla_nest_start_noflag(skb,
13108 						    NL80211_ATTR_VENDOR_DATA);
13109 		if (!vendor_data) {
13110 			genlmsg_cancel(skb, hdr);
13111 			break;
13112 		}
13113 
13114 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13115 				   (unsigned long *)&cb->args[5]);
13116 		nla_nest_end(skb, vendor_data);
13117 
13118 		if (err == -ENOBUFS || err == -ENOENT) {
13119 			genlmsg_cancel(skb, hdr);
13120 			break;
13121 		} else if (err) {
13122 			genlmsg_cancel(skb, hdr);
13123 			goto out;
13124 		}
13125 
13126 		genlmsg_end(skb, hdr);
13127 	}
13128 
13129 	err = skb->len;
13130  out:
13131 	rtnl_unlock();
13132 	return err;
13133 }
13134 
13135 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13136 					   enum nl80211_commands cmd,
13137 					   enum nl80211_attrs attr,
13138 					   int approxlen)
13139 {
13140 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13141 
13142 	if (WARN_ON(!rdev->cur_cmd_info))
13143 		return NULL;
13144 
13145 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13146 					   rdev->cur_cmd_info->snd_portid,
13147 					   rdev->cur_cmd_info->snd_seq,
13148 					   cmd, attr, NULL, GFP_KERNEL);
13149 }
13150 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13151 
13152 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13153 {
13154 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13155 	void *hdr = ((void **)skb->cb)[1];
13156 	struct nlattr *data = ((void **)skb->cb)[2];
13157 
13158 	/* clear CB data for netlink core to own from now on */
13159 	memset(skb->cb, 0, sizeof(skb->cb));
13160 
13161 	if (WARN_ON(!rdev->cur_cmd_info)) {
13162 		kfree_skb(skb);
13163 		return -EINVAL;
13164 	}
13165 
13166 	nla_nest_end(skb, data);
13167 	genlmsg_end(skb, hdr);
13168 	return genlmsg_reply(skb, rdev->cur_cmd_info);
13169 }
13170 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13171 
13172 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13173 {
13174 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13175 
13176 	if (WARN_ON(!rdev->cur_cmd_info))
13177 		return 0;
13178 
13179 	return rdev->cur_cmd_info->snd_portid;
13180 }
13181 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13182 
13183 static int nl80211_set_qos_map(struct sk_buff *skb,
13184 			       struct genl_info *info)
13185 {
13186 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13187 	struct cfg80211_qos_map *qos_map = NULL;
13188 	struct net_device *dev = info->user_ptr[1];
13189 	u8 *pos, len, num_des, des_len, des;
13190 	int ret;
13191 
13192 	if (!rdev->ops->set_qos_map)
13193 		return -EOPNOTSUPP;
13194 
13195 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13196 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13197 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13198 
13199 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
13200 		    len > IEEE80211_QOS_MAP_LEN_MAX)
13201 			return -EINVAL;
13202 
13203 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13204 		if (!qos_map)
13205 			return -ENOMEM;
13206 
13207 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13208 		if (num_des) {
13209 			des_len = num_des *
13210 				sizeof(struct cfg80211_dscp_exception);
13211 			memcpy(qos_map->dscp_exception, pos, des_len);
13212 			qos_map->num_des = num_des;
13213 			for (des = 0; des < num_des; des++) {
13214 				if (qos_map->dscp_exception[des].up > 7) {
13215 					kfree(qos_map);
13216 					return -EINVAL;
13217 				}
13218 			}
13219 			pos += des_len;
13220 		}
13221 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13222 	}
13223 
13224 	wdev_lock(dev->ieee80211_ptr);
13225 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13226 	if (!ret)
13227 		ret = rdev_set_qos_map(rdev, dev, qos_map);
13228 	wdev_unlock(dev->ieee80211_ptr);
13229 
13230 	kfree(qos_map);
13231 	return ret;
13232 }
13233 
13234 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13235 {
13236 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13237 	struct net_device *dev = info->user_ptr[1];
13238 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13239 	const u8 *peer;
13240 	u8 tsid, up;
13241 	u16 admitted_time = 0;
13242 	int err;
13243 
13244 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13245 		return -EOPNOTSUPP;
13246 
13247 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13248 	    !info->attrs[NL80211_ATTR_USER_PRIO])
13249 		return -EINVAL;
13250 
13251 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13252 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13253 
13254 	/* WMM uses TIDs 0-7 even for TSPEC */
13255 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13256 		/* TODO: handle 802.11 TSPEC/admission control
13257 		 * need more attributes for that (e.g. BA session requirement);
13258 		 * change the WMM adminssion test above to allow both then
13259 		 */
13260 		return -EINVAL;
13261 	}
13262 
13263 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13264 
13265 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13266 		admitted_time =
13267 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13268 		if (!admitted_time)
13269 			return -EINVAL;
13270 	}
13271 
13272 	wdev_lock(wdev);
13273 	switch (wdev->iftype) {
13274 	case NL80211_IFTYPE_STATION:
13275 	case NL80211_IFTYPE_P2P_CLIENT:
13276 		if (wdev->current_bss)
13277 			break;
13278 		err = -ENOTCONN;
13279 		goto out;
13280 	default:
13281 		err = -EOPNOTSUPP;
13282 		goto out;
13283 	}
13284 
13285 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13286 
13287  out:
13288 	wdev_unlock(wdev);
13289 	return err;
13290 }
13291 
13292 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13293 {
13294 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13295 	struct net_device *dev = info->user_ptr[1];
13296 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13297 	const u8 *peer;
13298 	u8 tsid;
13299 	int err;
13300 
13301 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13302 		return -EINVAL;
13303 
13304 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13305 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13306 
13307 	wdev_lock(wdev);
13308 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13309 	wdev_unlock(wdev);
13310 
13311 	return err;
13312 }
13313 
13314 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13315 				       struct genl_info *info)
13316 {
13317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13318 	struct net_device *dev = info->user_ptr[1];
13319 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13320 	struct cfg80211_chan_def chandef = {};
13321 	const u8 *addr;
13322 	u8 oper_class;
13323 	int err;
13324 
13325 	if (!rdev->ops->tdls_channel_switch ||
13326 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13327 		return -EOPNOTSUPP;
13328 
13329 	switch (dev->ieee80211_ptr->iftype) {
13330 	case NL80211_IFTYPE_STATION:
13331 	case NL80211_IFTYPE_P2P_CLIENT:
13332 		break;
13333 	default:
13334 		return -EOPNOTSUPP;
13335 	}
13336 
13337 	if (!info->attrs[NL80211_ATTR_MAC] ||
13338 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13339 		return -EINVAL;
13340 
13341 	err = nl80211_parse_chandef(rdev, info, &chandef);
13342 	if (err)
13343 		return err;
13344 
13345 	/*
13346 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13347 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13348 	 * specification is not defined for them.
13349 	 */
13350 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
13351 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
13352 	    chandef.width != NL80211_CHAN_WIDTH_20)
13353 		return -EINVAL;
13354 
13355 	/* we will be active on the TDLS link */
13356 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
13357 					   wdev->iftype))
13358 		return -EINVAL;
13359 
13360 	/* don't allow switching to DFS channels */
13361 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
13362 		return -EINVAL;
13363 
13364 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13365 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
13366 
13367 	wdev_lock(wdev);
13368 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
13369 	wdev_unlock(wdev);
13370 
13371 	return err;
13372 }
13373 
13374 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
13375 					      struct genl_info *info)
13376 {
13377 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13378 	struct net_device *dev = info->user_ptr[1];
13379 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13380 	const u8 *addr;
13381 
13382 	if (!rdev->ops->tdls_channel_switch ||
13383 	    !rdev->ops->tdls_cancel_channel_switch ||
13384 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13385 		return -EOPNOTSUPP;
13386 
13387 	switch (dev->ieee80211_ptr->iftype) {
13388 	case NL80211_IFTYPE_STATION:
13389 	case NL80211_IFTYPE_P2P_CLIENT:
13390 		break;
13391 	default:
13392 		return -EOPNOTSUPP;
13393 	}
13394 
13395 	if (!info->attrs[NL80211_ATTR_MAC])
13396 		return -EINVAL;
13397 
13398 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13399 
13400 	wdev_lock(wdev);
13401 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
13402 	wdev_unlock(wdev);
13403 
13404 	return 0;
13405 }
13406 
13407 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
13408 					    struct genl_info *info)
13409 {
13410 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13411 	struct net_device *dev = info->user_ptr[1];
13412 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13413 	const struct nlattr *nla;
13414 	bool enabled;
13415 
13416 	if (!rdev->ops->set_multicast_to_unicast)
13417 		return -EOPNOTSUPP;
13418 
13419 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13420 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13421 		return -EOPNOTSUPP;
13422 
13423 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
13424 	enabled = nla_get_flag(nla);
13425 
13426 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
13427 }
13428 
13429 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
13430 {
13431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13432 	struct net_device *dev = info->user_ptr[1];
13433 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13434 	struct cfg80211_pmk_conf pmk_conf = {};
13435 	int ret;
13436 
13437 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13438 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13439 		return -EOPNOTSUPP;
13440 
13441 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13442 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13443 		return -EOPNOTSUPP;
13444 
13445 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
13446 		return -EINVAL;
13447 
13448 	wdev_lock(wdev);
13449 	if (!wdev->current_bss) {
13450 		ret = -ENOTCONN;
13451 		goto out;
13452 	}
13453 
13454 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13455 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
13456 		ret = -EINVAL;
13457 		goto out;
13458 	}
13459 
13460 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13461 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13462 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
13463 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
13464 		ret = -EINVAL;
13465 		goto out;
13466 	}
13467 
13468 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
13469 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13470 
13471 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
13472 			ret = -EINVAL;
13473 			goto out;
13474 		}
13475 
13476 		pmk_conf.pmk_r0_name =
13477 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13478 	}
13479 
13480 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13481 out:
13482 	wdev_unlock(wdev);
13483 	return ret;
13484 }
13485 
13486 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13487 {
13488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13489 	struct net_device *dev = info->user_ptr[1];
13490 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13491 	const u8 *aa;
13492 	int ret;
13493 
13494 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13495 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13496 		return -EOPNOTSUPP;
13497 
13498 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13499 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13500 		return -EOPNOTSUPP;
13501 
13502 	if (!info->attrs[NL80211_ATTR_MAC])
13503 		return -EINVAL;
13504 
13505 	wdev_lock(wdev);
13506 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13507 	ret = rdev_del_pmk(rdev, dev, aa);
13508 	wdev_unlock(wdev);
13509 
13510 	return ret;
13511 }
13512 
13513 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13514 {
13515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13516 	struct net_device *dev = info->user_ptr[1];
13517 	struct cfg80211_external_auth_params params;
13518 
13519 	if (!rdev->ops->external_auth)
13520 		return -EOPNOTSUPP;
13521 
13522 	if (!info->attrs[NL80211_ATTR_SSID] &&
13523 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
13524 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
13525 		return -EINVAL;
13526 
13527 	if (!info->attrs[NL80211_ATTR_BSSID])
13528 		return -EINVAL;
13529 
13530 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13531 		return -EINVAL;
13532 
13533 	memset(&params, 0, sizeof(params));
13534 
13535 	if (info->attrs[NL80211_ATTR_SSID]) {
13536 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13537 		if (params.ssid.ssid_len == 0 ||
13538 		    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13539 			return -EINVAL;
13540 		memcpy(params.ssid.ssid,
13541 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
13542 		       params.ssid.ssid_len);
13543 	}
13544 
13545 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13546 	       ETH_ALEN);
13547 
13548 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13549 
13550 	if (info->attrs[NL80211_ATTR_PMKID])
13551 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13552 
13553 	return rdev_external_auth(rdev, dev, &params);
13554 }
13555 
13556 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13557 {
13558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13559 	struct net_device *dev = info->user_ptr[1];
13560 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13561 	const u8 *buf;
13562 	size_t len;
13563 	u8 *dest;
13564 	u16 proto;
13565 	bool noencrypt;
13566 	int err;
13567 
13568 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13569 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13570 		return -EOPNOTSUPP;
13571 
13572 	if (!rdev->ops->tx_control_port)
13573 		return -EOPNOTSUPP;
13574 
13575 	if (!info->attrs[NL80211_ATTR_FRAME] ||
13576 	    !info->attrs[NL80211_ATTR_MAC] ||
13577 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13578 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13579 		return -EINVAL;
13580 	}
13581 
13582 	wdev_lock(wdev);
13583 
13584 	switch (wdev->iftype) {
13585 	case NL80211_IFTYPE_AP:
13586 	case NL80211_IFTYPE_P2P_GO:
13587 	case NL80211_IFTYPE_MESH_POINT:
13588 		break;
13589 	case NL80211_IFTYPE_ADHOC:
13590 	case NL80211_IFTYPE_STATION:
13591 	case NL80211_IFTYPE_P2P_CLIENT:
13592 		if (wdev->current_bss)
13593 			break;
13594 		err = -ENOTCONN;
13595 		goto out;
13596 	default:
13597 		err = -EOPNOTSUPP;
13598 		goto out;
13599 	}
13600 
13601 	wdev_unlock(wdev);
13602 
13603 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13604 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13605 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13606 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13607 	noencrypt =
13608 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13609 
13610 	return rdev_tx_control_port(rdev, dev, buf, len,
13611 				    dest, cpu_to_be16(proto), noencrypt);
13612 
13613  out:
13614 	wdev_unlock(wdev);
13615 	return err;
13616 }
13617 
13618 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
13619 					   struct genl_info *info)
13620 {
13621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13622 	struct net_device *dev = info->user_ptr[1];
13623 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13624 	struct cfg80211_ftm_responder_stats ftm_stats = {};
13625 	struct sk_buff *msg;
13626 	void *hdr;
13627 	struct nlattr *ftm_stats_attr;
13628 	int err;
13629 
13630 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
13631 		return -EOPNOTSUPP;
13632 
13633 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
13634 	if (err)
13635 		return err;
13636 
13637 	if (!ftm_stats.filled)
13638 		return -ENODATA;
13639 
13640 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13641 	if (!msg)
13642 		return -ENOMEM;
13643 
13644 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13645 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
13646 	if (!hdr)
13647 		return -ENOBUFS;
13648 
13649 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13650 		goto nla_put_failure;
13651 
13652 	ftm_stats_attr = nla_nest_start_noflag(msg,
13653 					       NL80211_ATTR_FTM_RESPONDER_STATS);
13654 	if (!ftm_stats_attr)
13655 		goto nla_put_failure;
13656 
13657 #define SET_FTM(field, name, type)					 \
13658 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13659 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
13660 			     ftm_stats.field))				 \
13661 		goto nla_put_failure; } while (0)
13662 #define SET_FTM_U64(field, name)					 \
13663 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13664 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
13665 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
13666 		goto nla_put_failure; } while (0)
13667 
13668 	SET_FTM(success_num, SUCCESS_NUM, u32);
13669 	SET_FTM(partial_num, PARTIAL_NUM, u32);
13670 	SET_FTM(failed_num, FAILED_NUM, u32);
13671 	SET_FTM(asap_num, ASAP_NUM, u32);
13672 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
13673 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
13674 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
13675 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
13676 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
13677 #undef SET_FTM
13678 
13679 	nla_nest_end(msg, ftm_stats_attr);
13680 
13681 	genlmsg_end(msg, hdr);
13682 	return genlmsg_reply(msg, info);
13683 
13684 nla_put_failure:
13685 	nlmsg_free(msg);
13686 	return -ENOBUFS;
13687 }
13688 
13689 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
13690 {
13691 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13692 	struct cfg80211_update_owe_info owe_info;
13693 	struct net_device *dev = info->user_ptr[1];
13694 
13695 	if (!rdev->ops->update_owe_info)
13696 		return -EOPNOTSUPP;
13697 
13698 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
13699 	    !info->attrs[NL80211_ATTR_MAC])
13700 		return -EINVAL;
13701 
13702 	memset(&owe_info, 0, sizeof(owe_info));
13703 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13704 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
13705 
13706 	if (info->attrs[NL80211_ATTR_IE]) {
13707 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13708 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13709 	}
13710 
13711 	return rdev_update_owe_info(rdev, dev, &owe_info);
13712 }
13713 
13714 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
13715 {
13716 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13717 	struct net_device *dev = info->user_ptr[1];
13718 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13719 	struct station_info sinfo = {};
13720 	const u8 *buf;
13721 	size_t len;
13722 	u8 *dest;
13723 	int err;
13724 
13725 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
13726 		return -EOPNOTSUPP;
13727 
13728 	if (!info->attrs[NL80211_ATTR_MAC] ||
13729 	    !info->attrs[NL80211_ATTR_FRAME]) {
13730 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
13731 		return -EINVAL;
13732 	}
13733 
13734 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
13735 		return -EOPNOTSUPP;
13736 
13737 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13738 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13739 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13740 
13741 	if (len < sizeof(struct ethhdr))
13742 		return -EINVAL;
13743 
13744 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
13745 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
13746 		return -EINVAL;
13747 
13748 	err = rdev_get_station(rdev, dev, dest, &sinfo);
13749 	if (err)
13750 		return err;
13751 
13752 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
13753 }
13754 
13755 #define NL80211_FLAG_NEED_WIPHY		0x01
13756 #define NL80211_FLAG_NEED_NETDEV	0x02
13757 #define NL80211_FLAG_NEED_RTNL		0x04
13758 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
13759 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
13760 					 NL80211_FLAG_CHECK_NETDEV_UP)
13761 #define NL80211_FLAG_NEED_WDEV		0x10
13762 /* If a netdev is associated, it must be UP, P2P must be started */
13763 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
13764 					 NL80211_FLAG_CHECK_NETDEV_UP)
13765 #define NL80211_FLAG_CLEAR_SKB		0x20
13766 
13767 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
13768 			    struct genl_info *info)
13769 {
13770 	struct cfg80211_registered_device *rdev;
13771 	struct wireless_dev *wdev;
13772 	struct net_device *dev;
13773 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
13774 
13775 	if (rtnl)
13776 		rtnl_lock();
13777 
13778 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
13779 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
13780 		if (IS_ERR(rdev)) {
13781 			if (rtnl)
13782 				rtnl_unlock();
13783 			return PTR_ERR(rdev);
13784 		}
13785 		info->user_ptr[0] = rdev;
13786 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
13787 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13788 		ASSERT_RTNL();
13789 
13790 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
13791 						  info->attrs);
13792 		if (IS_ERR(wdev)) {
13793 			if (rtnl)
13794 				rtnl_unlock();
13795 			return PTR_ERR(wdev);
13796 		}
13797 
13798 		dev = wdev->netdev;
13799 		rdev = wiphy_to_rdev(wdev->wiphy);
13800 
13801 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
13802 			if (!dev) {
13803 				if (rtnl)
13804 					rtnl_unlock();
13805 				return -EINVAL;
13806 			}
13807 
13808 			info->user_ptr[1] = dev;
13809 		} else {
13810 			info->user_ptr[1] = wdev;
13811 		}
13812 
13813 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
13814 		    !wdev_running(wdev)) {
13815 			if (rtnl)
13816 				rtnl_unlock();
13817 			return -ENETDOWN;
13818 		}
13819 
13820 		if (dev)
13821 			dev_hold(dev);
13822 
13823 		info->user_ptr[0] = rdev;
13824 	}
13825 
13826 	return 0;
13827 }
13828 
13829 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
13830 			      struct genl_info *info)
13831 {
13832 	if (info->user_ptr[1]) {
13833 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13834 			struct wireless_dev *wdev = info->user_ptr[1];
13835 
13836 			if (wdev->netdev)
13837 				dev_put(wdev->netdev);
13838 		} else {
13839 			dev_put(info->user_ptr[1]);
13840 		}
13841 	}
13842 
13843 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
13844 		rtnl_unlock();
13845 
13846 	/* If needed, clear the netlink message payload from the SKB
13847 	 * as it might contain key data that shouldn't stick around on
13848 	 * the heap after the SKB is freed. The netlink message header
13849 	 * is still needed for further processing, so leave it intact.
13850 	 */
13851 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
13852 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
13853 
13854 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
13855 	}
13856 }
13857 
13858 static const struct genl_ops nl80211_ops[] = {
13859 	{
13860 		.cmd = NL80211_CMD_GET_WIPHY,
13861 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13862 		.doit = nl80211_get_wiphy,
13863 		.dumpit = nl80211_dump_wiphy,
13864 		.done = nl80211_dump_wiphy_done,
13865 		/* can be retrieved by unprivileged users */
13866 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13867 				  NL80211_FLAG_NEED_RTNL,
13868 	},
13869 	{
13870 		.cmd = NL80211_CMD_SET_WIPHY,
13871 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13872 		.doit = nl80211_set_wiphy,
13873 		.flags = GENL_UNS_ADMIN_PERM,
13874 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13875 	},
13876 	{
13877 		.cmd = NL80211_CMD_GET_INTERFACE,
13878 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13879 		.doit = nl80211_get_interface,
13880 		.dumpit = nl80211_dump_interface,
13881 		/* can be retrieved by unprivileged users */
13882 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13883 				  NL80211_FLAG_NEED_RTNL,
13884 	},
13885 	{
13886 		.cmd = NL80211_CMD_SET_INTERFACE,
13887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13888 		.doit = nl80211_set_interface,
13889 		.flags = GENL_UNS_ADMIN_PERM,
13890 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13891 				  NL80211_FLAG_NEED_RTNL,
13892 	},
13893 	{
13894 		.cmd = NL80211_CMD_NEW_INTERFACE,
13895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13896 		.doit = nl80211_new_interface,
13897 		.flags = GENL_UNS_ADMIN_PERM,
13898 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13899 				  NL80211_FLAG_NEED_RTNL,
13900 	},
13901 	{
13902 		.cmd = NL80211_CMD_DEL_INTERFACE,
13903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13904 		.doit = nl80211_del_interface,
13905 		.flags = GENL_UNS_ADMIN_PERM,
13906 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13907 				  NL80211_FLAG_NEED_RTNL,
13908 	},
13909 	{
13910 		.cmd = NL80211_CMD_GET_KEY,
13911 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13912 		.doit = nl80211_get_key,
13913 		.flags = GENL_UNS_ADMIN_PERM,
13914 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13915 				  NL80211_FLAG_NEED_RTNL,
13916 	},
13917 	{
13918 		.cmd = NL80211_CMD_SET_KEY,
13919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13920 		.doit = nl80211_set_key,
13921 		.flags = GENL_UNS_ADMIN_PERM,
13922 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13923 				  NL80211_FLAG_NEED_RTNL |
13924 				  NL80211_FLAG_CLEAR_SKB,
13925 	},
13926 	{
13927 		.cmd = NL80211_CMD_NEW_KEY,
13928 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13929 		.doit = nl80211_new_key,
13930 		.flags = GENL_UNS_ADMIN_PERM,
13931 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13932 				  NL80211_FLAG_NEED_RTNL |
13933 				  NL80211_FLAG_CLEAR_SKB,
13934 	},
13935 	{
13936 		.cmd = NL80211_CMD_DEL_KEY,
13937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13938 		.doit = nl80211_del_key,
13939 		.flags = GENL_UNS_ADMIN_PERM,
13940 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13941 				  NL80211_FLAG_NEED_RTNL,
13942 	},
13943 	{
13944 		.cmd = NL80211_CMD_SET_BEACON,
13945 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13946 		.flags = GENL_UNS_ADMIN_PERM,
13947 		.doit = nl80211_set_beacon,
13948 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13949 				  NL80211_FLAG_NEED_RTNL,
13950 	},
13951 	{
13952 		.cmd = NL80211_CMD_START_AP,
13953 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13954 		.flags = GENL_UNS_ADMIN_PERM,
13955 		.doit = nl80211_start_ap,
13956 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13957 				  NL80211_FLAG_NEED_RTNL,
13958 	},
13959 	{
13960 		.cmd = NL80211_CMD_STOP_AP,
13961 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13962 		.flags = GENL_UNS_ADMIN_PERM,
13963 		.doit = nl80211_stop_ap,
13964 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13965 				  NL80211_FLAG_NEED_RTNL,
13966 	},
13967 	{
13968 		.cmd = NL80211_CMD_GET_STATION,
13969 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13970 		.doit = nl80211_get_station,
13971 		.dumpit = nl80211_dump_station,
13972 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13973 				  NL80211_FLAG_NEED_RTNL,
13974 	},
13975 	{
13976 		.cmd = NL80211_CMD_SET_STATION,
13977 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13978 		.doit = nl80211_set_station,
13979 		.flags = GENL_UNS_ADMIN_PERM,
13980 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13981 				  NL80211_FLAG_NEED_RTNL,
13982 	},
13983 	{
13984 		.cmd = NL80211_CMD_NEW_STATION,
13985 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13986 		.doit = nl80211_new_station,
13987 		.flags = GENL_UNS_ADMIN_PERM,
13988 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13989 				  NL80211_FLAG_NEED_RTNL,
13990 	},
13991 	{
13992 		.cmd = NL80211_CMD_DEL_STATION,
13993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13994 		.doit = nl80211_del_station,
13995 		.flags = GENL_UNS_ADMIN_PERM,
13996 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13997 				  NL80211_FLAG_NEED_RTNL,
13998 	},
13999 	{
14000 		.cmd = NL80211_CMD_GET_MPATH,
14001 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14002 		.doit = nl80211_get_mpath,
14003 		.dumpit = nl80211_dump_mpath,
14004 		.flags = GENL_UNS_ADMIN_PERM,
14005 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14006 				  NL80211_FLAG_NEED_RTNL,
14007 	},
14008 	{
14009 		.cmd = NL80211_CMD_GET_MPP,
14010 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14011 		.doit = nl80211_get_mpp,
14012 		.dumpit = nl80211_dump_mpp,
14013 		.flags = GENL_UNS_ADMIN_PERM,
14014 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14015 				  NL80211_FLAG_NEED_RTNL,
14016 	},
14017 	{
14018 		.cmd = NL80211_CMD_SET_MPATH,
14019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14020 		.doit = nl80211_set_mpath,
14021 		.flags = GENL_UNS_ADMIN_PERM,
14022 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14023 				  NL80211_FLAG_NEED_RTNL,
14024 	},
14025 	{
14026 		.cmd = NL80211_CMD_NEW_MPATH,
14027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14028 		.doit = nl80211_new_mpath,
14029 		.flags = GENL_UNS_ADMIN_PERM,
14030 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14031 				  NL80211_FLAG_NEED_RTNL,
14032 	},
14033 	{
14034 		.cmd = NL80211_CMD_DEL_MPATH,
14035 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14036 		.doit = nl80211_del_mpath,
14037 		.flags = GENL_UNS_ADMIN_PERM,
14038 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14039 				  NL80211_FLAG_NEED_RTNL,
14040 	},
14041 	{
14042 		.cmd = NL80211_CMD_SET_BSS,
14043 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14044 		.doit = nl80211_set_bss,
14045 		.flags = GENL_UNS_ADMIN_PERM,
14046 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14047 				  NL80211_FLAG_NEED_RTNL,
14048 	},
14049 	{
14050 		.cmd = NL80211_CMD_GET_REG,
14051 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14052 		.doit = nl80211_get_reg_do,
14053 		.dumpit = nl80211_get_reg_dump,
14054 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14055 		/* can be retrieved by unprivileged users */
14056 	},
14057 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
14058 	{
14059 		.cmd = NL80211_CMD_SET_REG,
14060 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14061 		.doit = nl80211_set_reg,
14062 		.flags = GENL_ADMIN_PERM,
14063 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14064 	},
14065 #endif
14066 	{
14067 		.cmd = NL80211_CMD_REQ_SET_REG,
14068 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14069 		.doit = nl80211_req_set_reg,
14070 		.flags = GENL_ADMIN_PERM,
14071 	},
14072 	{
14073 		.cmd = NL80211_CMD_RELOAD_REGDB,
14074 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14075 		.doit = nl80211_reload_regdb,
14076 		.flags = GENL_ADMIN_PERM,
14077 	},
14078 	{
14079 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14081 		.doit = nl80211_get_mesh_config,
14082 		/* can be retrieved by unprivileged users */
14083 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14084 				  NL80211_FLAG_NEED_RTNL,
14085 	},
14086 	{
14087 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14088 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14089 		.doit = nl80211_update_mesh_config,
14090 		.flags = GENL_UNS_ADMIN_PERM,
14091 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14092 				  NL80211_FLAG_NEED_RTNL,
14093 	},
14094 	{
14095 		.cmd = NL80211_CMD_TRIGGER_SCAN,
14096 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14097 		.doit = nl80211_trigger_scan,
14098 		.flags = GENL_UNS_ADMIN_PERM,
14099 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14100 				  NL80211_FLAG_NEED_RTNL,
14101 	},
14102 	{
14103 		.cmd = NL80211_CMD_ABORT_SCAN,
14104 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14105 		.doit = nl80211_abort_scan,
14106 		.flags = GENL_UNS_ADMIN_PERM,
14107 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14108 				  NL80211_FLAG_NEED_RTNL,
14109 	},
14110 	{
14111 		.cmd = NL80211_CMD_GET_SCAN,
14112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14113 		.dumpit = nl80211_dump_scan,
14114 	},
14115 	{
14116 		.cmd = NL80211_CMD_START_SCHED_SCAN,
14117 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14118 		.doit = nl80211_start_sched_scan,
14119 		.flags = GENL_UNS_ADMIN_PERM,
14120 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14121 				  NL80211_FLAG_NEED_RTNL,
14122 	},
14123 	{
14124 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14125 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14126 		.doit = nl80211_stop_sched_scan,
14127 		.flags = GENL_UNS_ADMIN_PERM,
14128 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14129 				  NL80211_FLAG_NEED_RTNL,
14130 	},
14131 	{
14132 		.cmd = NL80211_CMD_AUTHENTICATE,
14133 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14134 		.doit = nl80211_authenticate,
14135 		.flags = GENL_UNS_ADMIN_PERM,
14136 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14137 				  NL80211_FLAG_NEED_RTNL |
14138 				  NL80211_FLAG_CLEAR_SKB,
14139 	},
14140 	{
14141 		.cmd = NL80211_CMD_ASSOCIATE,
14142 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14143 		.doit = nl80211_associate,
14144 		.flags = GENL_UNS_ADMIN_PERM,
14145 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14146 				  NL80211_FLAG_NEED_RTNL |
14147 				  NL80211_FLAG_CLEAR_SKB,
14148 	},
14149 	{
14150 		.cmd = NL80211_CMD_DEAUTHENTICATE,
14151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14152 		.doit = nl80211_deauthenticate,
14153 		.flags = GENL_UNS_ADMIN_PERM,
14154 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14155 				  NL80211_FLAG_NEED_RTNL,
14156 	},
14157 	{
14158 		.cmd = NL80211_CMD_DISASSOCIATE,
14159 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14160 		.doit = nl80211_disassociate,
14161 		.flags = GENL_UNS_ADMIN_PERM,
14162 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14163 				  NL80211_FLAG_NEED_RTNL,
14164 	},
14165 	{
14166 		.cmd = NL80211_CMD_JOIN_IBSS,
14167 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14168 		.doit = nl80211_join_ibss,
14169 		.flags = GENL_UNS_ADMIN_PERM,
14170 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14171 				  NL80211_FLAG_NEED_RTNL,
14172 	},
14173 	{
14174 		.cmd = NL80211_CMD_LEAVE_IBSS,
14175 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14176 		.doit = nl80211_leave_ibss,
14177 		.flags = GENL_UNS_ADMIN_PERM,
14178 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14179 				  NL80211_FLAG_NEED_RTNL,
14180 	},
14181 #ifdef CONFIG_NL80211_TESTMODE
14182 	{
14183 		.cmd = NL80211_CMD_TESTMODE,
14184 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14185 		.doit = nl80211_testmode_do,
14186 		.dumpit = nl80211_testmode_dump,
14187 		.flags = GENL_UNS_ADMIN_PERM,
14188 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14189 				  NL80211_FLAG_NEED_RTNL,
14190 	},
14191 #endif
14192 	{
14193 		.cmd = NL80211_CMD_CONNECT,
14194 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14195 		.doit = nl80211_connect,
14196 		.flags = GENL_UNS_ADMIN_PERM,
14197 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14198 				  NL80211_FLAG_NEED_RTNL |
14199 				  NL80211_FLAG_CLEAR_SKB,
14200 	},
14201 	{
14202 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
14203 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14204 		.doit = nl80211_update_connect_params,
14205 		.flags = GENL_ADMIN_PERM,
14206 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14207 				  NL80211_FLAG_NEED_RTNL |
14208 				  NL80211_FLAG_CLEAR_SKB,
14209 	},
14210 	{
14211 		.cmd = NL80211_CMD_DISCONNECT,
14212 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14213 		.doit = nl80211_disconnect,
14214 		.flags = GENL_UNS_ADMIN_PERM,
14215 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14216 				  NL80211_FLAG_NEED_RTNL,
14217 	},
14218 	{
14219 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
14220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14221 		.doit = nl80211_wiphy_netns,
14222 		.flags = GENL_UNS_ADMIN_PERM,
14223 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14224 				  NL80211_FLAG_NEED_RTNL,
14225 	},
14226 	{
14227 		.cmd = NL80211_CMD_GET_SURVEY,
14228 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14229 		.dumpit = nl80211_dump_survey,
14230 	},
14231 	{
14232 		.cmd = NL80211_CMD_SET_PMKSA,
14233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14234 		.doit = nl80211_setdel_pmksa,
14235 		.flags = GENL_UNS_ADMIN_PERM,
14236 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14237 				  NL80211_FLAG_NEED_RTNL |
14238 				  NL80211_FLAG_CLEAR_SKB,
14239 	},
14240 	{
14241 		.cmd = NL80211_CMD_DEL_PMKSA,
14242 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14243 		.doit = nl80211_setdel_pmksa,
14244 		.flags = GENL_UNS_ADMIN_PERM,
14245 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14246 				  NL80211_FLAG_NEED_RTNL,
14247 	},
14248 	{
14249 		.cmd = NL80211_CMD_FLUSH_PMKSA,
14250 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14251 		.doit = nl80211_flush_pmksa,
14252 		.flags = GENL_UNS_ADMIN_PERM,
14253 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14254 				  NL80211_FLAG_NEED_RTNL,
14255 	},
14256 	{
14257 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
14258 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14259 		.doit = nl80211_remain_on_channel,
14260 		.flags = GENL_UNS_ADMIN_PERM,
14261 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14262 				  NL80211_FLAG_NEED_RTNL,
14263 	},
14264 	{
14265 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14266 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14267 		.doit = nl80211_cancel_remain_on_channel,
14268 		.flags = GENL_UNS_ADMIN_PERM,
14269 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14270 				  NL80211_FLAG_NEED_RTNL,
14271 	},
14272 	{
14273 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14274 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14275 		.doit = nl80211_set_tx_bitrate_mask,
14276 		.flags = GENL_UNS_ADMIN_PERM,
14277 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14278 				  NL80211_FLAG_NEED_RTNL,
14279 	},
14280 	{
14281 		.cmd = NL80211_CMD_REGISTER_FRAME,
14282 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14283 		.doit = nl80211_register_mgmt,
14284 		.flags = GENL_UNS_ADMIN_PERM,
14285 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14286 				  NL80211_FLAG_NEED_RTNL,
14287 	},
14288 	{
14289 		.cmd = NL80211_CMD_FRAME,
14290 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14291 		.doit = nl80211_tx_mgmt,
14292 		.flags = GENL_UNS_ADMIN_PERM,
14293 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14294 				  NL80211_FLAG_NEED_RTNL,
14295 	},
14296 	{
14297 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14298 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14299 		.doit = nl80211_tx_mgmt_cancel_wait,
14300 		.flags = GENL_UNS_ADMIN_PERM,
14301 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14302 				  NL80211_FLAG_NEED_RTNL,
14303 	},
14304 	{
14305 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14306 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14307 		.doit = nl80211_set_power_save,
14308 		.flags = GENL_UNS_ADMIN_PERM,
14309 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14310 				  NL80211_FLAG_NEED_RTNL,
14311 	},
14312 	{
14313 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14314 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14315 		.doit = nl80211_get_power_save,
14316 		/* can be retrieved by unprivileged users */
14317 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14318 				  NL80211_FLAG_NEED_RTNL,
14319 	},
14320 	{
14321 		.cmd = NL80211_CMD_SET_CQM,
14322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14323 		.doit = nl80211_set_cqm,
14324 		.flags = GENL_UNS_ADMIN_PERM,
14325 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14326 				  NL80211_FLAG_NEED_RTNL,
14327 	},
14328 	{
14329 		.cmd = NL80211_CMD_SET_CHANNEL,
14330 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14331 		.doit = nl80211_set_channel,
14332 		.flags = GENL_UNS_ADMIN_PERM,
14333 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14334 				  NL80211_FLAG_NEED_RTNL,
14335 	},
14336 	{
14337 		.cmd = NL80211_CMD_SET_WDS_PEER,
14338 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14339 		.doit = nl80211_set_wds_peer,
14340 		.flags = GENL_UNS_ADMIN_PERM,
14341 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14342 				  NL80211_FLAG_NEED_RTNL,
14343 	},
14344 	{
14345 		.cmd = NL80211_CMD_JOIN_MESH,
14346 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14347 		.doit = nl80211_join_mesh,
14348 		.flags = GENL_UNS_ADMIN_PERM,
14349 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14350 				  NL80211_FLAG_NEED_RTNL,
14351 	},
14352 	{
14353 		.cmd = NL80211_CMD_LEAVE_MESH,
14354 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14355 		.doit = nl80211_leave_mesh,
14356 		.flags = GENL_UNS_ADMIN_PERM,
14357 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14358 				  NL80211_FLAG_NEED_RTNL,
14359 	},
14360 	{
14361 		.cmd = NL80211_CMD_JOIN_OCB,
14362 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14363 		.doit = nl80211_join_ocb,
14364 		.flags = GENL_UNS_ADMIN_PERM,
14365 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14366 				  NL80211_FLAG_NEED_RTNL,
14367 	},
14368 	{
14369 		.cmd = NL80211_CMD_LEAVE_OCB,
14370 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14371 		.doit = nl80211_leave_ocb,
14372 		.flags = GENL_UNS_ADMIN_PERM,
14373 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14374 				  NL80211_FLAG_NEED_RTNL,
14375 	},
14376 #ifdef CONFIG_PM
14377 	{
14378 		.cmd = NL80211_CMD_GET_WOWLAN,
14379 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14380 		.doit = nl80211_get_wowlan,
14381 		/* can be retrieved by unprivileged users */
14382 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14383 				  NL80211_FLAG_NEED_RTNL,
14384 	},
14385 	{
14386 		.cmd = NL80211_CMD_SET_WOWLAN,
14387 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14388 		.doit = nl80211_set_wowlan,
14389 		.flags = GENL_UNS_ADMIN_PERM,
14390 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14391 				  NL80211_FLAG_NEED_RTNL,
14392 	},
14393 #endif
14394 	{
14395 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
14396 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14397 		.doit = nl80211_set_rekey_data,
14398 		.flags = GENL_UNS_ADMIN_PERM,
14399 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14400 				  NL80211_FLAG_NEED_RTNL |
14401 				  NL80211_FLAG_CLEAR_SKB,
14402 	},
14403 	{
14404 		.cmd = NL80211_CMD_TDLS_MGMT,
14405 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14406 		.doit = nl80211_tdls_mgmt,
14407 		.flags = GENL_UNS_ADMIN_PERM,
14408 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14409 				  NL80211_FLAG_NEED_RTNL,
14410 	},
14411 	{
14412 		.cmd = NL80211_CMD_TDLS_OPER,
14413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14414 		.doit = nl80211_tdls_oper,
14415 		.flags = GENL_UNS_ADMIN_PERM,
14416 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14417 				  NL80211_FLAG_NEED_RTNL,
14418 	},
14419 	{
14420 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
14421 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14422 		.doit = nl80211_register_unexpected_frame,
14423 		.flags = GENL_UNS_ADMIN_PERM,
14424 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14425 				  NL80211_FLAG_NEED_RTNL,
14426 	},
14427 	{
14428 		.cmd = NL80211_CMD_PROBE_CLIENT,
14429 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14430 		.doit = nl80211_probe_client,
14431 		.flags = GENL_UNS_ADMIN_PERM,
14432 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14433 				  NL80211_FLAG_NEED_RTNL,
14434 	},
14435 	{
14436 		.cmd = NL80211_CMD_REGISTER_BEACONS,
14437 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14438 		.doit = nl80211_register_beacons,
14439 		.flags = GENL_UNS_ADMIN_PERM,
14440 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14441 				  NL80211_FLAG_NEED_RTNL,
14442 	},
14443 	{
14444 		.cmd = NL80211_CMD_SET_NOACK_MAP,
14445 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14446 		.doit = nl80211_set_noack_map,
14447 		.flags = GENL_UNS_ADMIN_PERM,
14448 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14449 				  NL80211_FLAG_NEED_RTNL,
14450 	},
14451 	{
14452 		.cmd = NL80211_CMD_START_P2P_DEVICE,
14453 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14454 		.doit = nl80211_start_p2p_device,
14455 		.flags = GENL_UNS_ADMIN_PERM,
14456 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14457 				  NL80211_FLAG_NEED_RTNL,
14458 	},
14459 	{
14460 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
14461 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14462 		.doit = nl80211_stop_p2p_device,
14463 		.flags = GENL_UNS_ADMIN_PERM,
14464 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14465 				  NL80211_FLAG_NEED_RTNL,
14466 	},
14467 	{
14468 		.cmd = NL80211_CMD_START_NAN,
14469 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14470 		.doit = nl80211_start_nan,
14471 		.flags = GENL_ADMIN_PERM,
14472 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14473 				  NL80211_FLAG_NEED_RTNL,
14474 	},
14475 	{
14476 		.cmd = NL80211_CMD_STOP_NAN,
14477 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14478 		.doit = nl80211_stop_nan,
14479 		.flags = GENL_ADMIN_PERM,
14480 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14481 				  NL80211_FLAG_NEED_RTNL,
14482 	},
14483 	{
14484 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
14485 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14486 		.doit = nl80211_nan_add_func,
14487 		.flags = GENL_ADMIN_PERM,
14488 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14489 				  NL80211_FLAG_NEED_RTNL,
14490 	},
14491 	{
14492 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
14493 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14494 		.doit = nl80211_nan_del_func,
14495 		.flags = GENL_ADMIN_PERM,
14496 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14497 				  NL80211_FLAG_NEED_RTNL,
14498 	},
14499 	{
14500 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
14501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14502 		.doit = nl80211_nan_change_config,
14503 		.flags = GENL_ADMIN_PERM,
14504 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14505 				  NL80211_FLAG_NEED_RTNL,
14506 	},
14507 	{
14508 		.cmd = NL80211_CMD_SET_MCAST_RATE,
14509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14510 		.doit = nl80211_set_mcast_rate,
14511 		.flags = GENL_UNS_ADMIN_PERM,
14512 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14513 				  NL80211_FLAG_NEED_RTNL,
14514 	},
14515 	{
14516 		.cmd = NL80211_CMD_SET_MAC_ACL,
14517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14518 		.doit = nl80211_set_mac_acl,
14519 		.flags = GENL_UNS_ADMIN_PERM,
14520 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14521 				  NL80211_FLAG_NEED_RTNL,
14522 	},
14523 	{
14524 		.cmd = NL80211_CMD_RADAR_DETECT,
14525 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14526 		.doit = nl80211_start_radar_detection,
14527 		.flags = GENL_UNS_ADMIN_PERM,
14528 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14529 				  NL80211_FLAG_NEED_RTNL,
14530 	},
14531 	{
14532 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
14533 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14534 		.doit = nl80211_get_protocol_features,
14535 	},
14536 	{
14537 		.cmd = NL80211_CMD_UPDATE_FT_IES,
14538 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14539 		.doit = nl80211_update_ft_ies,
14540 		.flags = GENL_UNS_ADMIN_PERM,
14541 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14542 				  NL80211_FLAG_NEED_RTNL,
14543 	},
14544 	{
14545 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
14546 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14547 		.doit = nl80211_crit_protocol_start,
14548 		.flags = GENL_UNS_ADMIN_PERM,
14549 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14550 				  NL80211_FLAG_NEED_RTNL,
14551 	},
14552 	{
14553 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14554 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14555 		.doit = nl80211_crit_protocol_stop,
14556 		.flags = GENL_UNS_ADMIN_PERM,
14557 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14558 				  NL80211_FLAG_NEED_RTNL,
14559 	},
14560 	{
14561 		.cmd = NL80211_CMD_GET_COALESCE,
14562 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14563 		.doit = nl80211_get_coalesce,
14564 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14565 				  NL80211_FLAG_NEED_RTNL,
14566 	},
14567 	{
14568 		.cmd = NL80211_CMD_SET_COALESCE,
14569 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14570 		.doit = nl80211_set_coalesce,
14571 		.flags = GENL_UNS_ADMIN_PERM,
14572 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14573 				  NL80211_FLAG_NEED_RTNL,
14574 	},
14575 	{
14576 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
14577 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14578 		.doit = nl80211_channel_switch,
14579 		.flags = GENL_UNS_ADMIN_PERM,
14580 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14581 				  NL80211_FLAG_NEED_RTNL,
14582 	},
14583 	{
14584 		.cmd = NL80211_CMD_VENDOR,
14585 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14586 		.doit = nl80211_vendor_cmd,
14587 		.dumpit = nl80211_vendor_cmd_dump,
14588 		.flags = GENL_UNS_ADMIN_PERM,
14589 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14590 				  NL80211_FLAG_NEED_RTNL |
14591 				  NL80211_FLAG_CLEAR_SKB,
14592 	},
14593 	{
14594 		.cmd = NL80211_CMD_SET_QOS_MAP,
14595 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14596 		.doit = nl80211_set_qos_map,
14597 		.flags = GENL_UNS_ADMIN_PERM,
14598 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14599 				  NL80211_FLAG_NEED_RTNL,
14600 	},
14601 	{
14602 		.cmd = NL80211_CMD_ADD_TX_TS,
14603 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14604 		.doit = nl80211_add_tx_ts,
14605 		.flags = GENL_UNS_ADMIN_PERM,
14606 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14607 				  NL80211_FLAG_NEED_RTNL,
14608 	},
14609 	{
14610 		.cmd = NL80211_CMD_DEL_TX_TS,
14611 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14612 		.doit = nl80211_del_tx_ts,
14613 		.flags = GENL_UNS_ADMIN_PERM,
14614 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14615 				  NL80211_FLAG_NEED_RTNL,
14616 	},
14617 	{
14618 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
14619 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14620 		.doit = nl80211_tdls_channel_switch,
14621 		.flags = GENL_UNS_ADMIN_PERM,
14622 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14623 				  NL80211_FLAG_NEED_RTNL,
14624 	},
14625 	{
14626 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
14627 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14628 		.doit = nl80211_tdls_cancel_channel_switch,
14629 		.flags = GENL_UNS_ADMIN_PERM,
14630 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14631 				  NL80211_FLAG_NEED_RTNL,
14632 	},
14633 	{
14634 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
14635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14636 		.doit = nl80211_set_multicast_to_unicast,
14637 		.flags = GENL_UNS_ADMIN_PERM,
14638 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14639 				  NL80211_FLAG_NEED_RTNL,
14640 	},
14641 	{
14642 		.cmd = NL80211_CMD_SET_PMK,
14643 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14644 		.doit = nl80211_set_pmk,
14645 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14646 				  NL80211_FLAG_NEED_RTNL |
14647 				  NL80211_FLAG_CLEAR_SKB,
14648 	},
14649 	{
14650 		.cmd = NL80211_CMD_DEL_PMK,
14651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14652 		.doit = nl80211_del_pmk,
14653 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14654 				  NL80211_FLAG_NEED_RTNL,
14655 	},
14656 	{
14657 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
14658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14659 		.doit = nl80211_external_auth,
14660 		.flags = GENL_ADMIN_PERM,
14661 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14662 				  NL80211_FLAG_NEED_RTNL,
14663 	},
14664 	{
14665 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
14666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14667 		.doit = nl80211_tx_control_port,
14668 		.flags = GENL_UNS_ADMIN_PERM,
14669 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14670 				  NL80211_FLAG_NEED_RTNL,
14671 	},
14672 	{
14673 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
14674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14675 		.doit = nl80211_get_ftm_responder_stats,
14676 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14677 				  NL80211_FLAG_NEED_RTNL,
14678 	},
14679 	{
14680 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
14681 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14682 		.doit = nl80211_pmsr_start,
14683 		.flags = GENL_UNS_ADMIN_PERM,
14684 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14685 				  NL80211_FLAG_NEED_RTNL,
14686 	},
14687 	{
14688 		.cmd = NL80211_CMD_NOTIFY_RADAR,
14689 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14690 		.doit = nl80211_notify_radar_detection,
14691 		.flags = GENL_UNS_ADMIN_PERM,
14692 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14693 				  NL80211_FLAG_NEED_RTNL,
14694 	},
14695 	{
14696 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
14697 		.doit = nl80211_update_owe_info,
14698 		.flags = GENL_ADMIN_PERM,
14699 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14700 				  NL80211_FLAG_NEED_RTNL,
14701 	},
14702 	{
14703 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
14704 		.doit = nl80211_probe_mesh_link,
14705 		.flags = GENL_UNS_ADMIN_PERM,
14706 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14707 				  NL80211_FLAG_NEED_RTNL,
14708 	},
14709 };
14710 
14711 static struct genl_family nl80211_fam __ro_after_init = {
14712 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
14713 	.hdrsize = 0,			/* no private header */
14714 	.version = 1,			/* no particular meaning now */
14715 	.maxattr = NL80211_ATTR_MAX,
14716 	.policy = nl80211_policy,
14717 	.netnsok = true,
14718 	.pre_doit = nl80211_pre_doit,
14719 	.post_doit = nl80211_post_doit,
14720 	.module = THIS_MODULE,
14721 	.ops = nl80211_ops,
14722 	.n_ops = ARRAY_SIZE(nl80211_ops),
14723 	.mcgrps = nl80211_mcgrps,
14724 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
14725 	.parallel_ops = true,
14726 };
14727 
14728 /* notification functions */
14729 
14730 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
14731 			  enum nl80211_commands cmd)
14732 {
14733 	struct sk_buff *msg;
14734 	struct nl80211_dump_wiphy_state state = {};
14735 
14736 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
14737 		cmd != NL80211_CMD_DEL_WIPHY);
14738 
14739 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14740 	if (!msg)
14741 		return;
14742 
14743 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
14744 		nlmsg_free(msg);
14745 		return;
14746 	}
14747 
14748 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14749 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14750 }
14751 
14752 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
14753 				struct wireless_dev *wdev,
14754 				enum nl80211_commands cmd)
14755 {
14756 	struct sk_buff *msg;
14757 
14758 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14759 	if (!msg)
14760 		return;
14761 
14762 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
14763 		nlmsg_free(msg);
14764 		return;
14765 	}
14766 
14767 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14768 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14769 }
14770 
14771 static int nl80211_add_scan_req(struct sk_buff *msg,
14772 				struct cfg80211_registered_device *rdev)
14773 {
14774 	struct cfg80211_scan_request *req = rdev->scan_req;
14775 	struct nlattr *nest;
14776 	int i;
14777 
14778 	if (WARN_ON(!req))
14779 		return 0;
14780 
14781 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
14782 	if (!nest)
14783 		goto nla_put_failure;
14784 	for (i = 0; i < req->n_ssids; i++) {
14785 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
14786 			goto nla_put_failure;
14787 	}
14788 	nla_nest_end(msg, nest);
14789 
14790 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14791 	if (!nest)
14792 		goto nla_put_failure;
14793 	for (i = 0; i < req->n_channels; i++) {
14794 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14795 			goto nla_put_failure;
14796 	}
14797 	nla_nest_end(msg, nest);
14798 
14799 	if (req->ie &&
14800 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
14801 		goto nla_put_failure;
14802 
14803 	if (req->flags &&
14804 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
14805 		goto nla_put_failure;
14806 
14807 	if (req->info.scan_start_tsf &&
14808 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
14809 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
14810 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
14811 		     req->info.tsf_bssid)))
14812 		goto nla_put_failure;
14813 
14814 	return 0;
14815  nla_put_failure:
14816 	return -ENOBUFS;
14817 }
14818 
14819 static int nl80211_prep_scan_msg(struct sk_buff *msg,
14820 				 struct cfg80211_registered_device *rdev,
14821 				 struct wireless_dev *wdev,
14822 				 u32 portid, u32 seq, int flags,
14823 				 u32 cmd)
14824 {
14825 	void *hdr;
14826 
14827 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
14828 	if (!hdr)
14829 		return -1;
14830 
14831 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14832 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14833 					 wdev->netdev->ifindex)) ||
14834 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14835 			      NL80211_ATTR_PAD))
14836 		goto nla_put_failure;
14837 
14838 	/* ignore errors and send incomplete event anyway */
14839 	nl80211_add_scan_req(msg, rdev);
14840 
14841 	genlmsg_end(msg, hdr);
14842 	return 0;
14843 
14844  nla_put_failure:
14845 	genlmsg_cancel(msg, hdr);
14846 	return -EMSGSIZE;
14847 }
14848 
14849 static int
14850 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
14851 			    struct cfg80211_sched_scan_request *req, u32 cmd)
14852 {
14853 	void *hdr;
14854 
14855 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14856 	if (!hdr)
14857 		return -1;
14858 
14859 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
14860 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
14861 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
14862 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
14863 			      NL80211_ATTR_PAD))
14864 		goto nla_put_failure;
14865 
14866 	genlmsg_end(msg, hdr);
14867 	return 0;
14868 
14869  nla_put_failure:
14870 	genlmsg_cancel(msg, hdr);
14871 	return -EMSGSIZE;
14872 }
14873 
14874 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
14875 			     struct wireless_dev *wdev)
14876 {
14877 	struct sk_buff *msg;
14878 
14879 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14880 	if (!msg)
14881 		return;
14882 
14883 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14884 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
14885 		nlmsg_free(msg);
14886 		return;
14887 	}
14888 
14889 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14890 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14891 }
14892 
14893 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
14894 				       struct wireless_dev *wdev, bool aborted)
14895 {
14896 	struct sk_buff *msg;
14897 
14898 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14899 	if (!msg)
14900 		return NULL;
14901 
14902 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14903 				  aborted ? NL80211_CMD_SCAN_ABORTED :
14904 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
14905 		nlmsg_free(msg);
14906 		return NULL;
14907 	}
14908 
14909 	return msg;
14910 }
14911 
14912 /* send message created by nl80211_build_scan_msg() */
14913 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
14914 			   struct sk_buff *msg)
14915 {
14916 	if (!msg)
14917 		return;
14918 
14919 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14920 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14921 }
14922 
14923 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
14924 {
14925 	struct sk_buff *msg;
14926 
14927 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14928 	if (!msg)
14929 		return;
14930 
14931 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
14932 		nlmsg_free(msg);
14933 		return;
14934 	}
14935 
14936 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
14937 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14938 }
14939 
14940 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
14941 					  struct regulatory_request *request)
14942 {
14943 	/* Userspace can always count this one always being set */
14944 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
14945 		goto nla_put_failure;
14946 
14947 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
14948 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14949 			       NL80211_REGDOM_TYPE_WORLD))
14950 			goto nla_put_failure;
14951 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
14952 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14953 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
14954 			goto nla_put_failure;
14955 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
14956 		   request->intersect) {
14957 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14958 			       NL80211_REGDOM_TYPE_INTERSECTION))
14959 			goto nla_put_failure;
14960 	} else {
14961 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14962 			       NL80211_REGDOM_TYPE_COUNTRY) ||
14963 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
14964 				   request->alpha2))
14965 			goto nla_put_failure;
14966 	}
14967 
14968 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
14969 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
14970 
14971 		if (wiphy &&
14972 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
14973 			goto nla_put_failure;
14974 
14975 		if (wiphy &&
14976 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
14977 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
14978 			goto nla_put_failure;
14979 	}
14980 
14981 	return true;
14982 
14983 nla_put_failure:
14984 	return false;
14985 }
14986 
14987 /*
14988  * This can happen on global regulatory changes or device specific settings
14989  * based on custom regulatory domains.
14990  */
14991 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14992 				     struct regulatory_request *request)
14993 {
14994 	struct sk_buff *msg;
14995 	void *hdr;
14996 
14997 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14998 	if (!msg)
14999 		return;
15000 
15001 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
15002 	if (!hdr)
15003 		goto nla_put_failure;
15004 
15005 	if (!nl80211_reg_change_event_fill(msg, request))
15006 		goto nla_put_failure;
15007 
15008 	genlmsg_end(msg, hdr);
15009 
15010 	rcu_read_lock();
15011 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15012 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15013 	rcu_read_unlock();
15014 
15015 	return;
15016 
15017 nla_put_failure:
15018 	nlmsg_free(msg);
15019 }
15020 
15021 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15022 				    struct net_device *netdev,
15023 				    const u8 *buf, size_t len,
15024 				    enum nl80211_commands cmd, gfp_t gfp,
15025 				    int uapsd_queues, const u8 *req_ies,
15026 				    size_t req_ies_len)
15027 {
15028 	struct sk_buff *msg;
15029 	void *hdr;
15030 
15031 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15032 	if (!msg)
15033 		return;
15034 
15035 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15036 	if (!hdr) {
15037 		nlmsg_free(msg);
15038 		return;
15039 	}
15040 
15041 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15042 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15043 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15044 	    (req_ies &&
15045 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15046 		goto nla_put_failure;
15047 
15048 	if (uapsd_queues >= 0) {
15049 		struct nlattr *nla_wmm =
15050 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15051 		if (!nla_wmm)
15052 			goto nla_put_failure;
15053 
15054 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15055 			       uapsd_queues))
15056 			goto nla_put_failure;
15057 
15058 		nla_nest_end(msg, nla_wmm);
15059 	}
15060 
15061 	genlmsg_end(msg, hdr);
15062 
15063 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15064 				NL80211_MCGRP_MLME, gfp);
15065 	return;
15066 
15067  nla_put_failure:
15068 	nlmsg_free(msg);
15069 }
15070 
15071 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15072 			  struct net_device *netdev, const u8 *buf,
15073 			  size_t len, gfp_t gfp)
15074 {
15075 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15076 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15077 }
15078 
15079 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15080 			   struct net_device *netdev, const u8 *buf,
15081 			   size_t len, gfp_t gfp, int uapsd_queues,
15082 			   const u8 *req_ies, size_t req_ies_len)
15083 {
15084 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15085 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15086 				req_ies, req_ies_len);
15087 }
15088 
15089 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15090 			 struct net_device *netdev, const u8 *buf,
15091 			 size_t len, gfp_t gfp)
15092 {
15093 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15094 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15095 }
15096 
15097 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15098 			   struct net_device *netdev, const u8 *buf,
15099 			   size_t len, gfp_t gfp)
15100 {
15101 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15102 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15103 }
15104 
15105 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15106 				  size_t len)
15107 {
15108 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15109 	struct wiphy *wiphy = wdev->wiphy;
15110 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15111 	const struct ieee80211_mgmt *mgmt = (void *)buf;
15112 	u32 cmd;
15113 
15114 	if (WARN_ON(len < 2))
15115 		return;
15116 
15117 	if (ieee80211_is_deauth(mgmt->frame_control))
15118 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15119 	else
15120 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15121 
15122 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
15123 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
15124 				NULL, 0);
15125 }
15126 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
15127 
15128 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
15129 				      struct net_device *netdev, int cmd,
15130 				      const u8 *addr, gfp_t gfp)
15131 {
15132 	struct sk_buff *msg;
15133 	void *hdr;
15134 
15135 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15136 	if (!msg)
15137 		return;
15138 
15139 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15140 	if (!hdr) {
15141 		nlmsg_free(msg);
15142 		return;
15143 	}
15144 
15145 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15146 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15147 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15148 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15149 		goto nla_put_failure;
15150 
15151 	genlmsg_end(msg, hdr);
15152 
15153 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15154 				NL80211_MCGRP_MLME, gfp);
15155 	return;
15156 
15157  nla_put_failure:
15158 	nlmsg_free(msg);
15159 }
15160 
15161 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
15162 			       struct net_device *netdev, const u8 *addr,
15163 			       gfp_t gfp)
15164 {
15165 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
15166 				  addr, gfp);
15167 }
15168 
15169 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
15170 				struct net_device *netdev, const u8 *addr,
15171 				gfp_t gfp)
15172 {
15173 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
15174 				  addr, gfp);
15175 }
15176 
15177 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
15178 				 struct net_device *netdev,
15179 				 struct cfg80211_connect_resp_params *cr,
15180 				 gfp_t gfp)
15181 {
15182 	struct sk_buff *msg;
15183 	void *hdr;
15184 
15185 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
15186 			cr->fils.kek_len + cr->fils.pmk_len +
15187 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15188 	if (!msg)
15189 		return;
15190 
15191 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
15192 	if (!hdr) {
15193 		nlmsg_free(msg);
15194 		return;
15195 	}
15196 
15197 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15198 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15199 	    (cr->bssid &&
15200 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
15201 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
15202 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
15203 			cr->status) ||
15204 	    (cr->status < 0 &&
15205 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15206 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
15207 			  cr->timeout_reason))) ||
15208 	    (cr->req_ie &&
15209 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
15210 	    (cr->resp_ie &&
15211 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
15212 		     cr->resp_ie)) ||
15213 	    (cr->fils.update_erp_next_seq_num &&
15214 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15215 			 cr->fils.erp_next_seq_num)) ||
15216 	    (cr->status == WLAN_STATUS_SUCCESS &&
15217 	     ((cr->fils.kek &&
15218 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
15219 		       cr->fils.kek)) ||
15220 	      (cr->fils.pmk &&
15221 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
15222 	      (cr->fils.pmkid &&
15223 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
15224 		goto nla_put_failure;
15225 
15226 	genlmsg_end(msg, hdr);
15227 
15228 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15229 				NL80211_MCGRP_MLME, gfp);
15230 	return;
15231 
15232  nla_put_failure:
15233 	nlmsg_free(msg);
15234 }
15235 
15236 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
15237 			 struct net_device *netdev,
15238 			 struct cfg80211_roam_info *info, gfp_t gfp)
15239 {
15240 	struct sk_buff *msg;
15241 	void *hdr;
15242 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
15243 
15244 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
15245 			info->fils.kek_len + info->fils.pmk_len +
15246 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15247 	if (!msg)
15248 		return;
15249 
15250 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
15251 	if (!hdr) {
15252 		nlmsg_free(msg);
15253 		return;
15254 	}
15255 
15256 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15257 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15258 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
15259 	    (info->req_ie &&
15260 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
15261 		     info->req_ie)) ||
15262 	    (info->resp_ie &&
15263 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
15264 		     info->resp_ie)) ||
15265 	    (info->fils.update_erp_next_seq_num &&
15266 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15267 			 info->fils.erp_next_seq_num)) ||
15268 	    (info->fils.kek &&
15269 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
15270 		     info->fils.kek)) ||
15271 	    (info->fils.pmk &&
15272 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
15273 	    (info->fils.pmkid &&
15274 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
15275 		goto nla_put_failure;
15276 
15277 	genlmsg_end(msg, hdr);
15278 
15279 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15280 				NL80211_MCGRP_MLME, gfp);
15281 	return;
15282 
15283  nla_put_failure:
15284 	nlmsg_free(msg);
15285 }
15286 
15287 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
15288 				  struct net_device *netdev, const u8 *bssid)
15289 {
15290 	struct sk_buff *msg;
15291 	void *hdr;
15292 
15293 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15294 	if (!msg)
15295 		return;
15296 
15297 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
15298 	if (!hdr) {
15299 		nlmsg_free(msg);
15300 		return;
15301 	}
15302 
15303 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15304 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15305 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15306 		goto nla_put_failure;
15307 
15308 	genlmsg_end(msg, hdr);
15309 
15310 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15311 				NL80211_MCGRP_MLME, GFP_KERNEL);
15312 	return;
15313 
15314  nla_put_failure:
15315 	nlmsg_free(msg);
15316 }
15317 
15318 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
15319 			       struct net_device *netdev, u16 reason,
15320 			       const u8 *ie, size_t ie_len, bool from_ap)
15321 {
15322 	struct sk_buff *msg;
15323 	void *hdr;
15324 
15325 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
15326 	if (!msg)
15327 		return;
15328 
15329 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
15330 	if (!hdr) {
15331 		nlmsg_free(msg);
15332 		return;
15333 	}
15334 
15335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15336 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15337 	    (reason &&
15338 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
15339 	    (from_ap &&
15340 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
15341 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
15342 		goto nla_put_failure;
15343 
15344 	genlmsg_end(msg, hdr);
15345 
15346 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15347 				NL80211_MCGRP_MLME, GFP_KERNEL);
15348 	return;
15349 
15350  nla_put_failure:
15351 	nlmsg_free(msg);
15352 }
15353 
15354 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
15355 			     struct net_device *netdev, const u8 *bssid,
15356 			     gfp_t gfp)
15357 {
15358 	struct sk_buff *msg;
15359 	void *hdr;
15360 
15361 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15362 	if (!msg)
15363 		return;
15364 
15365 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
15366 	if (!hdr) {
15367 		nlmsg_free(msg);
15368 		return;
15369 	}
15370 
15371 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15372 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15373 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15374 		goto nla_put_failure;
15375 
15376 	genlmsg_end(msg, hdr);
15377 
15378 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15379 				NL80211_MCGRP_MLME, gfp);
15380 	return;
15381 
15382  nla_put_failure:
15383 	nlmsg_free(msg);
15384 }
15385 
15386 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
15387 					const u8 *ie, u8 ie_len,
15388 					int sig_dbm, gfp_t gfp)
15389 {
15390 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15391 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15392 	struct sk_buff *msg;
15393 	void *hdr;
15394 
15395 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
15396 		return;
15397 
15398 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
15399 
15400 	msg = nlmsg_new(100 + ie_len, gfp);
15401 	if (!msg)
15402 		return;
15403 
15404 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
15405 	if (!hdr) {
15406 		nlmsg_free(msg);
15407 		return;
15408 	}
15409 
15410 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15411 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15412 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15413 	    (ie_len && ie &&
15414 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
15415 	    (sig_dbm &&
15416 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
15417 		goto nla_put_failure;
15418 
15419 	genlmsg_end(msg, hdr);
15420 
15421 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15422 				NL80211_MCGRP_MLME, gfp);
15423 	return;
15424 
15425  nla_put_failure:
15426 	nlmsg_free(msg);
15427 }
15428 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
15429 
15430 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
15431 				 struct net_device *netdev, const u8 *addr,
15432 				 enum nl80211_key_type key_type, int key_id,
15433 				 const u8 *tsc, gfp_t gfp)
15434 {
15435 	struct sk_buff *msg;
15436 	void *hdr;
15437 
15438 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15439 	if (!msg)
15440 		return;
15441 
15442 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
15443 	if (!hdr) {
15444 		nlmsg_free(msg);
15445 		return;
15446 	}
15447 
15448 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15449 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15450 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
15451 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
15452 	    (key_id != -1 &&
15453 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
15454 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
15455 		goto nla_put_failure;
15456 
15457 	genlmsg_end(msg, hdr);
15458 
15459 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15460 				NL80211_MCGRP_MLME, gfp);
15461 	return;
15462 
15463  nla_put_failure:
15464 	nlmsg_free(msg);
15465 }
15466 
15467 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
15468 				    struct ieee80211_channel *channel_before,
15469 				    struct ieee80211_channel *channel_after)
15470 {
15471 	struct sk_buff *msg;
15472 	void *hdr;
15473 	struct nlattr *nl_freq;
15474 
15475 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
15476 	if (!msg)
15477 		return;
15478 
15479 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
15480 	if (!hdr) {
15481 		nlmsg_free(msg);
15482 		return;
15483 	}
15484 
15485 	/*
15486 	 * Since we are applying the beacon hint to a wiphy we know its
15487 	 * wiphy_idx is valid
15488 	 */
15489 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
15490 		goto nla_put_failure;
15491 
15492 	/* Before */
15493 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
15494 	if (!nl_freq)
15495 		goto nla_put_failure;
15496 
15497 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
15498 		goto nla_put_failure;
15499 	nla_nest_end(msg, nl_freq);
15500 
15501 	/* After */
15502 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
15503 	if (!nl_freq)
15504 		goto nla_put_failure;
15505 
15506 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
15507 		goto nla_put_failure;
15508 	nla_nest_end(msg, nl_freq);
15509 
15510 	genlmsg_end(msg, hdr);
15511 
15512 	rcu_read_lock();
15513 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15514 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15515 	rcu_read_unlock();
15516 
15517 	return;
15518 
15519 nla_put_failure:
15520 	nlmsg_free(msg);
15521 }
15522 
15523 static void nl80211_send_remain_on_chan_event(
15524 	int cmd, struct cfg80211_registered_device *rdev,
15525 	struct wireless_dev *wdev, u64 cookie,
15526 	struct ieee80211_channel *chan,
15527 	unsigned int duration, gfp_t gfp)
15528 {
15529 	struct sk_buff *msg;
15530 	void *hdr;
15531 
15532 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15533 	if (!msg)
15534 		return;
15535 
15536 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15537 	if (!hdr) {
15538 		nlmsg_free(msg);
15539 		return;
15540 	}
15541 
15542 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15543 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15544 					 wdev->netdev->ifindex)) ||
15545 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15546 			      NL80211_ATTR_PAD) ||
15547 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
15548 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
15549 			NL80211_CHAN_NO_HT) ||
15550 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15551 			      NL80211_ATTR_PAD))
15552 		goto nla_put_failure;
15553 
15554 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
15555 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
15556 		goto nla_put_failure;
15557 
15558 	genlmsg_end(msg, hdr);
15559 
15560 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15561 				NL80211_MCGRP_MLME, gfp);
15562 	return;
15563 
15564  nla_put_failure:
15565 	nlmsg_free(msg);
15566 }
15567 
15568 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
15569 			       struct ieee80211_channel *chan,
15570 			       unsigned int duration, gfp_t gfp)
15571 {
15572 	struct wiphy *wiphy = wdev->wiphy;
15573 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15574 
15575 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
15576 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
15577 					  rdev, wdev, cookie, chan,
15578 					  duration, gfp);
15579 }
15580 EXPORT_SYMBOL(cfg80211_ready_on_channel);
15581 
15582 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
15583 					struct ieee80211_channel *chan,
15584 					gfp_t gfp)
15585 {
15586 	struct wiphy *wiphy = wdev->wiphy;
15587 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15588 
15589 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
15590 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15591 					  rdev, wdev, cookie, chan, 0, gfp);
15592 }
15593 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
15594 
15595 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
15596 					struct ieee80211_channel *chan,
15597 					gfp_t gfp)
15598 {
15599 	struct wiphy *wiphy = wdev->wiphy;
15600 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15601 
15602 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
15603 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
15604 					  rdev, wdev, cookie, chan, 0, gfp);
15605 }
15606 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
15607 
15608 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
15609 		      struct station_info *sinfo, gfp_t gfp)
15610 {
15611 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15612 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15613 	struct sk_buff *msg;
15614 
15615 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
15616 
15617 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15618 	if (!msg)
15619 		return;
15620 
15621 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
15622 				 rdev, dev, mac_addr, sinfo) < 0) {
15623 		nlmsg_free(msg);
15624 		return;
15625 	}
15626 
15627 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15628 				NL80211_MCGRP_MLME, gfp);
15629 }
15630 EXPORT_SYMBOL(cfg80211_new_sta);
15631 
15632 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
15633 			    struct station_info *sinfo, gfp_t gfp)
15634 {
15635 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15636 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15637 	struct sk_buff *msg;
15638 	struct station_info empty_sinfo = {};
15639 
15640 	if (!sinfo)
15641 		sinfo = &empty_sinfo;
15642 
15643 	trace_cfg80211_del_sta(dev, mac_addr);
15644 
15645 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15646 	if (!msg) {
15647 		cfg80211_sinfo_release_content(sinfo);
15648 		return;
15649 	}
15650 
15651 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
15652 				 rdev, dev, mac_addr, sinfo) < 0) {
15653 		nlmsg_free(msg);
15654 		return;
15655 	}
15656 
15657 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15658 				NL80211_MCGRP_MLME, gfp);
15659 }
15660 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
15661 
15662 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
15663 			  enum nl80211_connect_failed_reason reason,
15664 			  gfp_t gfp)
15665 {
15666 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15667 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15668 	struct sk_buff *msg;
15669 	void *hdr;
15670 
15671 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
15672 	if (!msg)
15673 		return;
15674 
15675 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
15676 	if (!hdr) {
15677 		nlmsg_free(msg);
15678 		return;
15679 	}
15680 
15681 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15682 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
15683 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
15684 		goto nla_put_failure;
15685 
15686 	genlmsg_end(msg, hdr);
15687 
15688 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15689 				NL80211_MCGRP_MLME, gfp);
15690 	return;
15691 
15692  nla_put_failure:
15693 	nlmsg_free(msg);
15694 }
15695 EXPORT_SYMBOL(cfg80211_conn_failed);
15696 
15697 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
15698 				       const u8 *addr, gfp_t gfp)
15699 {
15700 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15701 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15702 	struct sk_buff *msg;
15703 	void *hdr;
15704 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
15705 
15706 	if (!nlportid)
15707 		return false;
15708 
15709 	msg = nlmsg_new(100, gfp);
15710 	if (!msg)
15711 		return true;
15712 
15713 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15714 	if (!hdr) {
15715 		nlmsg_free(msg);
15716 		return true;
15717 	}
15718 
15719 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15720 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15721 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15722 		goto nla_put_failure;
15723 
15724 	genlmsg_end(msg, hdr);
15725 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15726 	return true;
15727 
15728  nla_put_failure:
15729 	nlmsg_free(msg);
15730 	return true;
15731 }
15732 
15733 bool cfg80211_rx_spurious_frame(struct net_device *dev,
15734 				const u8 *addr, gfp_t gfp)
15735 {
15736 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15737 	bool ret;
15738 
15739 	trace_cfg80211_rx_spurious_frame(dev, addr);
15740 
15741 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15742 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
15743 		trace_cfg80211_return_bool(false);
15744 		return false;
15745 	}
15746 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
15747 					 addr, gfp);
15748 	trace_cfg80211_return_bool(ret);
15749 	return ret;
15750 }
15751 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
15752 
15753 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
15754 					const u8 *addr, gfp_t gfp)
15755 {
15756 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15757 	bool ret;
15758 
15759 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
15760 
15761 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15762 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15763 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
15764 		trace_cfg80211_return_bool(false);
15765 		return false;
15766 	}
15767 	ret = __nl80211_unexpected_frame(dev,
15768 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
15769 					 addr, gfp);
15770 	trace_cfg80211_return_bool(ret);
15771 	return ret;
15772 }
15773 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
15774 
15775 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
15776 		      struct wireless_dev *wdev, u32 nlportid,
15777 		      int freq, int sig_dbm,
15778 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
15779 {
15780 	struct net_device *netdev = wdev->netdev;
15781 	struct sk_buff *msg;
15782 	void *hdr;
15783 
15784 	msg = nlmsg_new(100 + len, gfp);
15785 	if (!msg)
15786 		return -ENOMEM;
15787 
15788 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15789 	if (!hdr) {
15790 		nlmsg_free(msg);
15791 		return -ENOMEM;
15792 	}
15793 
15794 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15795 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15796 					netdev->ifindex)) ||
15797 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15798 			      NL80211_ATTR_PAD) ||
15799 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
15800 	    (sig_dbm &&
15801 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15802 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15803 	    (flags &&
15804 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
15805 		goto nla_put_failure;
15806 
15807 	genlmsg_end(msg, hdr);
15808 
15809 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15810 
15811  nla_put_failure:
15812 	nlmsg_free(msg);
15813 	return -ENOBUFS;
15814 }
15815 
15816 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
15817 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
15818 {
15819 	struct wiphy *wiphy = wdev->wiphy;
15820 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15821 	struct net_device *netdev = wdev->netdev;
15822 	struct sk_buff *msg;
15823 	void *hdr;
15824 
15825 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
15826 
15827 	msg = nlmsg_new(100 + len, gfp);
15828 	if (!msg)
15829 		return;
15830 
15831 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
15832 	if (!hdr) {
15833 		nlmsg_free(msg);
15834 		return;
15835 	}
15836 
15837 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15838 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15839 				   netdev->ifindex)) ||
15840 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15841 			      NL80211_ATTR_PAD) ||
15842 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15843 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15844 			      NL80211_ATTR_PAD) ||
15845 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
15846 		goto nla_put_failure;
15847 
15848 	genlmsg_end(msg, hdr);
15849 
15850 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15851 				NL80211_MCGRP_MLME, gfp);
15852 	return;
15853 
15854  nla_put_failure:
15855 	nlmsg_free(msg);
15856 }
15857 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
15858 
15859 static int __nl80211_rx_control_port(struct net_device *dev,
15860 				     struct sk_buff *skb,
15861 				     bool unencrypted, gfp_t gfp)
15862 {
15863 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15864 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15865 	struct ethhdr *ehdr = eth_hdr(skb);
15866 	const u8 *addr = ehdr->h_source;
15867 	u16 proto = be16_to_cpu(skb->protocol);
15868 	struct sk_buff *msg;
15869 	void *hdr;
15870 	struct nlattr *frame;
15871 
15872 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
15873 
15874 	if (!nlportid)
15875 		return -ENOENT;
15876 
15877 	msg = nlmsg_new(100 + skb->len, gfp);
15878 	if (!msg)
15879 		return -ENOMEM;
15880 
15881 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
15882 	if (!hdr) {
15883 		nlmsg_free(msg);
15884 		return -ENOBUFS;
15885 	}
15886 
15887 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15888 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15889 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15890 			      NL80211_ATTR_PAD) ||
15891 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15892 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
15893 	    (unencrypted && nla_put_flag(msg,
15894 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
15895 		goto nla_put_failure;
15896 
15897 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
15898 	if (!frame)
15899 		goto nla_put_failure;
15900 
15901 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
15902 	genlmsg_end(msg, hdr);
15903 
15904 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15905 
15906  nla_put_failure:
15907 	nlmsg_free(msg);
15908 	return -ENOBUFS;
15909 }
15910 
15911 bool cfg80211_rx_control_port(struct net_device *dev,
15912 			      struct sk_buff *skb, bool unencrypted)
15913 {
15914 	int ret;
15915 
15916 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
15917 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
15918 	trace_cfg80211_return_bool(ret == 0);
15919 	return ret == 0;
15920 }
15921 EXPORT_SYMBOL(cfg80211_rx_control_port);
15922 
15923 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
15924 					    const char *mac, gfp_t gfp)
15925 {
15926 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15927 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15928 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15929 	void **cb;
15930 
15931 	if (!msg)
15932 		return NULL;
15933 
15934 	cb = (void **)msg->cb;
15935 
15936 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
15937 	if (!cb[0]) {
15938 		nlmsg_free(msg);
15939 		return NULL;
15940 	}
15941 
15942 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15943 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15944 		goto nla_put_failure;
15945 
15946 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15947 		goto nla_put_failure;
15948 
15949 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
15950 	if (!cb[1])
15951 		goto nla_put_failure;
15952 
15953 	cb[2] = rdev;
15954 
15955 	return msg;
15956  nla_put_failure:
15957 	nlmsg_free(msg);
15958 	return NULL;
15959 }
15960 
15961 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
15962 {
15963 	void **cb = (void **)msg->cb;
15964 	struct cfg80211_registered_device *rdev = cb[2];
15965 
15966 	nla_nest_end(msg, cb[1]);
15967 	genlmsg_end(msg, cb[0]);
15968 
15969 	memset(msg->cb, 0, sizeof(msg->cb));
15970 
15971 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15972 				NL80211_MCGRP_MLME, gfp);
15973 }
15974 
15975 void cfg80211_cqm_rssi_notify(struct net_device *dev,
15976 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
15977 			      s32 rssi_level, gfp_t gfp)
15978 {
15979 	struct sk_buff *msg;
15980 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15981 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15982 
15983 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
15984 
15985 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
15986 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
15987 		return;
15988 
15989 	if (wdev->cqm_config) {
15990 		wdev->cqm_config->last_rssi_event_value = rssi_level;
15991 
15992 		cfg80211_cqm_rssi_update(rdev, dev);
15993 
15994 		if (rssi_level == 0)
15995 			rssi_level = wdev->cqm_config->last_rssi_event_value;
15996 	}
15997 
15998 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15999 	if (!msg)
16000 		return;
16001 
16002 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
16003 			rssi_event))
16004 		goto nla_put_failure;
16005 
16006 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16007 				      rssi_level))
16008 		goto nla_put_failure;
16009 
16010 	cfg80211_send_cqm(msg, gfp);
16011 
16012 	return;
16013 
16014  nla_put_failure:
16015 	nlmsg_free(msg);
16016 }
16017 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16018 
16019 void cfg80211_cqm_txe_notify(struct net_device *dev,
16020 			     const u8 *peer, u32 num_packets,
16021 			     u32 rate, u32 intvl, gfp_t gfp)
16022 {
16023 	struct sk_buff *msg;
16024 
16025 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16026 	if (!msg)
16027 		return;
16028 
16029 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16030 		goto nla_put_failure;
16031 
16032 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16033 		goto nla_put_failure;
16034 
16035 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16036 		goto nla_put_failure;
16037 
16038 	cfg80211_send_cqm(msg, gfp);
16039 	return;
16040 
16041  nla_put_failure:
16042 	nlmsg_free(msg);
16043 }
16044 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16045 
16046 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16047 				 const u8 *peer, u32 num_packets, gfp_t gfp)
16048 {
16049 	struct sk_buff *msg;
16050 
16051 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16052 
16053 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16054 	if (!msg)
16055 		return;
16056 
16057 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16058 		goto nla_put_failure;
16059 
16060 	cfg80211_send_cqm(msg, gfp);
16061 	return;
16062 
16063  nla_put_failure:
16064 	nlmsg_free(msg);
16065 }
16066 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16067 
16068 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16069 {
16070 	struct sk_buff *msg;
16071 
16072 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16073 	if (!msg)
16074 		return;
16075 
16076 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16077 		goto nla_put_failure;
16078 
16079 	cfg80211_send_cqm(msg, gfp);
16080 	return;
16081 
16082  nla_put_failure:
16083 	nlmsg_free(msg);
16084 }
16085 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16086 
16087 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16088 				     struct net_device *netdev, const u8 *bssid,
16089 				     const u8 *replay_ctr, gfp_t gfp)
16090 {
16091 	struct sk_buff *msg;
16092 	struct nlattr *rekey_attr;
16093 	void *hdr;
16094 
16095 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16096 	if (!msg)
16097 		return;
16098 
16099 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
16100 	if (!hdr) {
16101 		nlmsg_free(msg);
16102 		return;
16103 	}
16104 
16105 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16106 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16107 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16108 		goto nla_put_failure;
16109 
16110 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
16111 	if (!rekey_attr)
16112 		goto nla_put_failure;
16113 
16114 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
16115 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
16116 		goto nla_put_failure;
16117 
16118 	nla_nest_end(msg, rekey_attr);
16119 
16120 	genlmsg_end(msg, hdr);
16121 
16122 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16123 				NL80211_MCGRP_MLME, gfp);
16124 	return;
16125 
16126  nla_put_failure:
16127 	nlmsg_free(msg);
16128 }
16129 
16130 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
16131 			       const u8 *replay_ctr, gfp_t gfp)
16132 {
16133 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16134 	struct wiphy *wiphy = wdev->wiphy;
16135 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16136 
16137 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
16138 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
16139 }
16140 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
16141 
16142 static void
16143 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
16144 			       struct net_device *netdev, int index,
16145 			       const u8 *bssid, bool preauth, gfp_t gfp)
16146 {
16147 	struct sk_buff *msg;
16148 	struct nlattr *attr;
16149 	void *hdr;
16150 
16151 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16152 	if (!msg)
16153 		return;
16154 
16155 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
16156 	if (!hdr) {
16157 		nlmsg_free(msg);
16158 		return;
16159 	}
16160 
16161 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16162 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16163 		goto nla_put_failure;
16164 
16165 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
16166 	if (!attr)
16167 		goto nla_put_failure;
16168 
16169 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
16170 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
16171 	    (preauth &&
16172 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
16173 		goto nla_put_failure;
16174 
16175 	nla_nest_end(msg, attr);
16176 
16177 	genlmsg_end(msg, hdr);
16178 
16179 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16180 				NL80211_MCGRP_MLME, gfp);
16181 	return;
16182 
16183  nla_put_failure:
16184 	nlmsg_free(msg);
16185 }
16186 
16187 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
16188 				     const u8 *bssid, bool preauth, gfp_t gfp)
16189 {
16190 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16191 	struct wiphy *wiphy = wdev->wiphy;
16192 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16193 
16194 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
16195 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
16196 }
16197 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
16198 
16199 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
16200 				     struct net_device *netdev,
16201 				     struct cfg80211_chan_def *chandef,
16202 				     gfp_t gfp,
16203 				     enum nl80211_commands notif,
16204 				     u8 count)
16205 {
16206 	struct sk_buff *msg;
16207 	void *hdr;
16208 
16209 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16210 	if (!msg)
16211 		return;
16212 
16213 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
16214 	if (!hdr) {
16215 		nlmsg_free(msg);
16216 		return;
16217 	}
16218 
16219 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16220 		goto nla_put_failure;
16221 
16222 	if (nl80211_send_chandef(msg, chandef))
16223 		goto nla_put_failure;
16224 
16225 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
16226 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
16227 			goto nla_put_failure;
16228 
16229 	genlmsg_end(msg, hdr);
16230 
16231 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16232 				NL80211_MCGRP_MLME, gfp);
16233 	return;
16234 
16235  nla_put_failure:
16236 	nlmsg_free(msg);
16237 }
16238 
16239 void cfg80211_ch_switch_notify(struct net_device *dev,
16240 			       struct cfg80211_chan_def *chandef)
16241 {
16242 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16243 	struct wiphy *wiphy = wdev->wiphy;
16244 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16245 
16246 	ASSERT_WDEV_LOCK(wdev);
16247 
16248 	trace_cfg80211_ch_switch_notify(dev, chandef);
16249 
16250 	wdev->chandef = *chandef;
16251 	wdev->preset_chandef = *chandef;
16252 
16253 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
16254 	    !WARN_ON(!wdev->current_bss))
16255 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
16256 
16257 	cfg80211_sched_dfs_chan_update(rdev);
16258 
16259 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16260 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
16261 }
16262 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
16263 
16264 void cfg80211_ch_switch_started_notify(struct net_device *dev,
16265 				       struct cfg80211_chan_def *chandef,
16266 				       u8 count)
16267 {
16268 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16269 	struct wiphy *wiphy = wdev->wiphy;
16270 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16271 
16272 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
16273 
16274 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16275 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
16276 }
16277 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
16278 
16279 void
16280 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
16281 		     const struct cfg80211_chan_def *chandef,
16282 		     enum nl80211_radar_event event,
16283 		     struct net_device *netdev, gfp_t gfp)
16284 {
16285 	struct sk_buff *msg;
16286 	void *hdr;
16287 
16288 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16289 	if (!msg)
16290 		return;
16291 
16292 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
16293 	if (!hdr) {
16294 		nlmsg_free(msg);
16295 		return;
16296 	}
16297 
16298 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16299 		goto nla_put_failure;
16300 
16301 	/* NOP and radar events don't need a netdev parameter */
16302 	if (netdev) {
16303 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
16304 
16305 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16306 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16307 				      NL80211_ATTR_PAD))
16308 			goto nla_put_failure;
16309 	}
16310 
16311 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
16312 		goto nla_put_failure;
16313 
16314 	if (nl80211_send_chandef(msg, chandef))
16315 		goto nla_put_failure;
16316 
16317 	genlmsg_end(msg, hdr);
16318 
16319 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16320 				NL80211_MCGRP_MLME, gfp);
16321 	return;
16322 
16323  nla_put_failure:
16324 	nlmsg_free(msg);
16325 }
16326 
16327 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
16328 				       struct sta_opmode_info *sta_opmode,
16329 				       gfp_t gfp)
16330 {
16331 	struct sk_buff *msg;
16332 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16333 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16334 	void *hdr;
16335 
16336 	if (WARN_ON(!mac))
16337 		return;
16338 
16339 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16340 	if (!msg)
16341 		return;
16342 
16343 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
16344 	if (!hdr) {
16345 		nlmsg_free(msg);
16346 		return;
16347 	}
16348 
16349 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16350 		goto nla_put_failure;
16351 
16352 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16353 		goto nla_put_failure;
16354 
16355 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16356 		goto nla_put_failure;
16357 
16358 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
16359 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
16360 		goto nla_put_failure;
16361 
16362 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
16363 	    nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
16364 		goto nla_put_failure;
16365 
16366 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
16367 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
16368 		goto nla_put_failure;
16369 
16370 	genlmsg_end(msg, hdr);
16371 
16372 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16373 				NL80211_MCGRP_MLME, gfp);
16374 
16375 	return;
16376 
16377 nla_put_failure:
16378 	nlmsg_free(msg);
16379 }
16380 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
16381 
16382 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
16383 			   u64 cookie, bool acked, s32 ack_signal,
16384 			   bool is_valid_ack_signal, gfp_t gfp)
16385 {
16386 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16387 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16388 	struct sk_buff *msg;
16389 	void *hdr;
16390 
16391 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
16392 
16393 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16394 
16395 	if (!msg)
16396 		return;
16397 
16398 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
16399 	if (!hdr) {
16400 		nlmsg_free(msg);
16401 		return;
16402 	}
16403 
16404 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16405 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16406 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16407 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16408 			      NL80211_ATTR_PAD) ||
16409 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
16410 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
16411 						ack_signal)))
16412 		goto nla_put_failure;
16413 
16414 	genlmsg_end(msg, hdr);
16415 
16416 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16417 				NL80211_MCGRP_MLME, gfp);
16418 	return;
16419 
16420  nla_put_failure:
16421 	nlmsg_free(msg);
16422 }
16423 EXPORT_SYMBOL(cfg80211_probe_status);
16424 
16425 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
16426 				 const u8 *frame, size_t len,
16427 				 int freq, int sig_dbm)
16428 {
16429 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16430 	struct sk_buff *msg;
16431 	void *hdr;
16432 	struct cfg80211_beacon_registration *reg;
16433 
16434 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
16435 
16436 	spin_lock_bh(&rdev->beacon_registrations_lock);
16437 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
16438 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
16439 		if (!msg) {
16440 			spin_unlock_bh(&rdev->beacon_registrations_lock);
16441 			return;
16442 		}
16443 
16444 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16445 		if (!hdr)
16446 			goto nla_put_failure;
16447 
16448 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16449 		    (freq &&
16450 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
16451 		    (sig_dbm &&
16452 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16453 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
16454 			goto nla_put_failure;
16455 
16456 		genlmsg_end(msg, hdr);
16457 
16458 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
16459 	}
16460 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16461 	return;
16462 
16463  nla_put_failure:
16464 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16465 	nlmsg_free(msg);
16466 }
16467 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
16468 
16469 #ifdef CONFIG_PM
16470 static int cfg80211_net_detect_results(struct sk_buff *msg,
16471 				       struct cfg80211_wowlan_wakeup *wakeup)
16472 {
16473 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
16474 	struct nlattr *nl_results, *nl_match, *nl_freqs;
16475 	int i, j;
16476 
16477 	nl_results = nla_nest_start_noflag(msg,
16478 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
16479 	if (!nl_results)
16480 		return -EMSGSIZE;
16481 
16482 	for (i = 0; i < nd->n_matches; i++) {
16483 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
16484 
16485 		nl_match = nla_nest_start_noflag(msg, i);
16486 		if (!nl_match)
16487 			break;
16488 
16489 		/* The SSID attribute is optional in nl80211, but for
16490 		 * simplicity reasons it's always present in the
16491 		 * cfg80211 structure.  If a driver can't pass the
16492 		 * SSID, that needs to be changed.  A zero length SSID
16493 		 * is still a valid SSID (wildcard), so it cannot be
16494 		 * used for this purpose.
16495 		 */
16496 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
16497 			    match->ssid.ssid)) {
16498 			nla_nest_cancel(msg, nl_match);
16499 			goto out;
16500 		}
16501 
16502 		if (match->n_channels) {
16503 			nl_freqs = nla_nest_start_noflag(msg,
16504 							 NL80211_ATTR_SCAN_FREQUENCIES);
16505 			if (!nl_freqs) {
16506 				nla_nest_cancel(msg, nl_match);
16507 				goto out;
16508 			}
16509 
16510 			for (j = 0; j < match->n_channels; j++) {
16511 				if (nla_put_u32(msg, j, match->channels[j])) {
16512 					nla_nest_cancel(msg, nl_freqs);
16513 					nla_nest_cancel(msg, nl_match);
16514 					goto out;
16515 				}
16516 			}
16517 
16518 			nla_nest_end(msg, nl_freqs);
16519 		}
16520 
16521 		nla_nest_end(msg, nl_match);
16522 	}
16523 
16524 out:
16525 	nla_nest_end(msg, nl_results);
16526 	return 0;
16527 }
16528 
16529 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
16530 				   struct cfg80211_wowlan_wakeup *wakeup,
16531 				   gfp_t gfp)
16532 {
16533 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16534 	struct sk_buff *msg;
16535 	void *hdr;
16536 	int size = 200;
16537 
16538 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
16539 
16540 	if (wakeup)
16541 		size += wakeup->packet_present_len;
16542 
16543 	msg = nlmsg_new(size, gfp);
16544 	if (!msg)
16545 		return;
16546 
16547 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
16548 	if (!hdr)
16549 		goto free_msg;
16550 
16551 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16552 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16553 			      NL80211_ATTR_PAD))
16554 		goto free_msg;
16555 
16556 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16557 					wdev->netdev->ifindex))
16558 		goto free_msg;
16559 
16560 	if (wakeup) {
16561 		struct nlattr *reasons;
16562 
16563 		reasons = nla_nest_start_noflag(msg,
16564 						NL80211_ATTR_WOWLAN_TRIGGERS);
16565 		if (!reasons)
16566 			goto free_msg;
16567 
16568 		if (wakeup->disconnect &&
16569 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
16570 			goto free_msg;
16571 		if (wakeup->magic_pkt &&
16572 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
16573 			goto free_msg;
16574 		if (wakeup->gtk_rekey_failure &&
16575 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
16576 			goto free_msg;
16577 		if (wakeup->eap_identity_req &&
16578 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
16579 			goto free_msg;
16580 		if (wakeup->four_way_handshake &&
16581 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
16582 			goto free_msg;
16583 		if (wakeup->rfkill_release &&
16584 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
16585 			goto free_msg;
16586 
16587 		if (wakeup->pattern_idx >= 0 &&
16588 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
16589 				wakeup->pattern_idx))
16590 			goto free_msg;
16591 
16592 		if (wakeup->tcp_match &&
16593 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
16594 			goto free_msg;
16595 
16596 		if (wakeup->tcp_connlost &&
16597 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
16598 			goto free_msg;
16599 
16600 		if (wakeup->tcp_nomoretokens &&
16601 		    nla_put_flag(msg,
16602 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
16603 			goto free_msg;
16604 
16605 		if (wakeup->packet) {
16606 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
16607 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
16608 
16609 			if (!wakeup->packet_80211) {
16610 				pkt_attr =
16611 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
16612 				len_attr =
16613 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
16614 			}
16615 
16616 			if (wakeup->packet_len &&
16617 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
16618 				goto free_msg;
16619 
16620 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
16621 				    wakeup->packet))
16622 				goto free_msg;
16623 		}
16624 
16625 		if (wakeup->net_detect &&
16626 		    cfg80211_net_detect_results(msg, wakeup))
16627 				goto free_msg;
16628 
16629 		nla_nest_end(msg, reasons);
16630 	}
16631 
16632 	genlmsg_end(msg, hdr);
16633 
16634 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16635 				NL80211_MCGRP_MLME, gfp);
16636 	return;
16637 
16638  free_msg:
16639 	nlmsg_free(msg);
16640 }
16641 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
16642 #endif
16643 
16644 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
16645 				enum nl80211_tdls_operation oper,
16646 				u16 reason_code, gfp_t gfp)
16647 {
16648 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16649 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16650 	struct sk_buff *msg;
16651 	void *hdr;
16652 
16653 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
16654 					 reason_code);
16655 
16656 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16657 	if (!msg)
16658 		return;
16659 
16660 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
16661 	if (!hdr) {
16662 		nlmsg_free(msg);
16663 		return;
16664 	}
16665 
16666 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16667 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16668 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
16669 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
16670 	    (reason_code > 0 &&
16671 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
16672 		goto nla_put_failure;
16673 
16674 	genlmsg_end(msg, hdr);
16675 
16676 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16677 				NL80211_MCGRP_MLME, gfp);
16678 	return;
16679 
16680  nla_put_failure:
16681 	nlmsg_free(msg);
16682 }
16683 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
16684 
16685 static int nl80211_netlink_notify(struct notifier_block * nb,
16686 				  unsigned long state,
16687 				  void *_notify)
16688 {
16689 	struct netlink_notify *notify = _notify;
16690 	struct cfg80211_registered_device *rdev;
16691 	struct wireless_dev *wdev;
16692 	struct cfg80211_beacon_registration *reg, *tmp;
16693 
16694 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
16695 		return NOTIFY_DONE;
16696 
16697 	rcu_read_lock();
16698 
16699 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
16700 		struct cfg80211_sched_scan_request *sched_scan_req;
16701 
16702 		list_for_each_entry_rcu(sched_scan_req,
16703 					&rdev->sched_scan_req_list,
16704 					list) {
16705 			if (sched_scan_req->owner_nlportid == notify->portid) {
16706 				sched_scan_req->nl_owner_dead = true;
16707 				schedule_work(&rdev->sched_scan_stop_wk);
16708 			}
16709 		}
16710 
16711 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
16712 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
16713 
16714 			if (wdev->owner_nlportid == notify->portid) {
16715 				wdev->nl_owner_dead = true;
16716 				schedule_work(&rdev->destroy_work);
16717 			} else if (wdev->conn_owner_nlportid == notify->portid) {
16718 				schedule_work(&wdev->disconnect_wk);
16719 			}
16720 
16721 			cfg80211_release_pmsr(wdev, notify->portid);
16722 		}
16723 
16724 		spin_lock_bh(&rdev->beacon_registrations_lock);
16725 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
16726 					 list) {
16727 			if (reg->nlportid == notify->portid) {
16728 				list_del(&reg->list);
16729 				kfree(reg);
16730 				break;
16731 			}
16732 		}
16733 		spin_unlock_bh(&rdev->beacon_registrations_lock);
16734 	}
16735 
16736 	rcu_read_unlock();
16737 
16738 	/*
16739 	 * It is possible that the user space process that is controlling the
16740 	 * indoor setting disappeared, so notify the regulatory core.
16741 	 */
16742 	regulatory_netlink_notify(notify->portid);
16743 	return NOTIFY_OK;
16744 }
16745 
16746 static struct notifier_block nl80211_netlink_notifier = {
16747 	.notifier_call = nl80211_netlink_notify,
16748 };
16749 
16750 void cfg80211_ft_event(struct net_device *netdev,
16751 		       struct cfg80211_ft_event_params *ft_event)
16752 {
16753 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16754 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16755 	struct sk_buff *msg;
16756 	void *hdr;
16757 
16758 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
16759 
16760 	if (!ft_event->target_ap)
16761 		return;
16762 
16763 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
16764 			GFP_KERNEL);
16765 	if (!msg)
16766 		return;
16767 
16768 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
16769 	if (!hdr)
16770 		goto out;
16771 
16772 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16773 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16774 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
16775 		goto out;
16776 
16777 	if (ft_event->ies &&
16778 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
16779 		goto out;
16780 	if (ft_event->ric_ies &&
16781 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
16782 		    ft_event->ric_ies))
16783 		goto out;
16784 
16785 	genlmsg_end(msg, hdr);
16786 
16787 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16788 				NL80211_MCGRP_MLME, GFP_KERNEL);
16789 	return;
16790  out:
16791 	nlmsg_free(msg);
16792 }
16793 EXPORT_SYMBOL(cfg80211_ft_event);
16794 
16795 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
16796 {
16797 	struct cfg80211_registered_device *rdev;
16798 	struct sk_buff *msg;
16799 	void *hdr;
16800 	u32 nlportid;
16801 
16802 	rdev = wiphy_to_rdev(wdev->wiphy);
16803 	if (!rdev->crit_proto_nlportid)
16804 		return;
16805 
16806 	nlportid = rdev->crit_proto_nlportid;
16807 	rdev->crit_proto_nlportid = 0;
16808 
16809 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16810 	if (!msg)
16811 		return;
16812 
16813 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
16814 	if (!hdr)
16815 		goto nla_put_failure;
16816 
16817 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16818 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16819 			      NL80211_ATTR_PAD))
16820 		goto nla_put_failure;
16821 
16822 	genlmsg_end(msg, hdr);
16823 
16824 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16825 	return;
16826 
16827  nla_put_failure:
16828 	nlmsg_free(msg);
16829 }
16830 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
16831 
16832 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
16833 {
16834 	struct wiphy *wiphy = wdev->wiphy;
16835 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16836 	struct sk_buff *msg;
16837 	void *hdr;
16838 
16839 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16840 	if (!msg)
16841 		return;
16842 
16843 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
16844 	if (!hdr)
16845 		goto out;
16846 
16847 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16848 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
16849 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16850 			      NL80211_ATTR_PAD))
16851 		goto out;
16852 
16853 	genlmsg_end(msg, hdr);
16854 
16855 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
16856 				NL80211_MCGRP_MLME, GFP_KERNEL);
16857 	return;
16858  out:
16859 	nlmsg_free(msg);
16860 }
16861 
16862 int cfg80211_external_auth_request(struct net_device *dev,
16863 				   struct cfg80211_external_auth_params *params,
16864 				   gfp_t gfp)
16865 {
16866 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16867 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16868 	struct sk_buff *msg;
16869 	void *hdr;
16870 
16871 	if (!wdev->conn_owner_nlportid)
16872 		return -EINVAL;
16873 
16874 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16875 	if (!msg)
16876 		return -ENOMEM;
16877 
16878 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
16879 	if (!hdr)
16880 		goto nla_put_failure;
16881 
16882 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16883 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16884 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
16885 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
16886 			params->action) ||
16887 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
16888 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
16889 		    params->ssid.ssid))
16890 		goto nla_put_failure;
16891 
16892 	genlmsg_end(msg, hdr);
16893 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16894 			wdev->conn_owner_nlportid);
16895 	return 0;
16896 
16897  nla_put_failure:
16898 	nlmsg_free(msg);
16899 	return -ENOBUFS;
16900 }
16901 EXPORT_SYMBOL(cfg80211_external_auth_request);
16902 
16903 void cfg80211_update_owe_info_event(struct net_device *netdev,
16904 				    struct cfg80211_update_owe_info *owe_info,
16905 				    gfp_t gfp)
16906 {
16907 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16908 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16909 	struct sk_buff *msg;
16910 	void *hdr;
16911 
16912 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
16913 
16914 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16915 	if (!msg)
16916 		return;
16917 
16918 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
16919 	if (!hdr)
16920 		goto nla_put_failure;
16921 
16922 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16923 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16924 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
16925 		goto nla_put_failure;
16926 
16927 	if (!owe_info->ie_len ||
16928 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
16929 		goto nla_put_failure;
16930 
16931 	genlmsg_end(msg, hdr);
16932 
16933 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16934 				NL80211_MCGRP_MLME, gfp);
16935 	return;
16936 
16937 nla_put_failure:
16938 	genlmsg_cancel(msg, hdr);
16939 	nlmsg_free(msg);
16940 }
16941 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
16942 
16943 /* initialisation/exit functions */
16944 
16945 int __init nl80211_init(void)
16946 {
16947 	int err;
16948 
16949 	err = genl_register_family(&nl80211_fam);
16950 	if (err)
16951 		return err;
16952 
16953 	err = netlink_register_notifier(&nl80211_netlink_notifier);
16954 	if (err)
16955 		goto err_out;
16956 
16957 	return 0;
16958  err_out:
16959 	genl_unregister_family(&nl80211_fam);
16960 	return err;
16961 }
16962 
16963 void nl80211_exit(void)
16964 {
16965 	netlink_unregister_notifier(&nl80211_netlink_notifier);
16966 	genl_unregister_family(&nl80211_fam);
16967 }
16968