xref: /openbmc/linux/net/wireless/nl80211.c (revision 89aba575) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
466 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
467 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
469 				      .len = 20-1 },
470 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
471 
472 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
473 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
475 						NL80211_EDMG_CHANNELS_MIN,
476 						NL80211_EDMG_CHANNELS_MAX),
477 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
478 						NL80211_EDMG_BW_CONFIG_MIN,
479 						NL80211_EDMG_BW_CONFIG_MAX),
480 
481 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
482 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
483 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
484 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
485 
486 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
487 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
488 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
489 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
490 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
491 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
492 
493 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
494 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
495 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
496 
497 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
498 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
499 
500 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
501 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
502 				    .len = WLAN_MAX_KEY_LEN },
503 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
504 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
505 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
506 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
507 	[NL80211_ATTR_KEY_TYPE] =
508 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
509 
510 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
511 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
512 	[NL80211_ATTR_BEACON_HEAD] =
513 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
514 				       IEEE80211_MAX_DATA_LEN),
515 	[NL80211_ATTR_BEACON_TAIL] =
516 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
517 				       IEEE80211_MAX_DATA_LEN),
518 	[NL80211_ATTR_STA_AID] =
519 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
520 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
521 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
522 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
523 					       .len = NL80211_MAX_SUPP_RATES },
524 	[NL80211_ATTR_STA_PLINK_ACTION] =
525 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
526 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
527 		NLA_POLICY_RANGE(NLA_U8,
528 				 NL80211_TX_POWER_AUTOMATIC,
529 				 NL80211_TX_POWER_FIXED),
530 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
531 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
532 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
533 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
534 				   .len = IEEE80211_MAX_MESH_ID_LEN },
535 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
536 
537 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
538 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
539 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
540 
541 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
542 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
543 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
544 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
545 					   .len = NL80211_MAX_SUPP_RATES },
546 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
547 
548 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
549 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
550 
551 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
552 
553 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
554 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
555 						   validate_ie_attr,
556 						   IEEE80211_MAX_DATA_LEN),
557 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
559 
560 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
561 				.len = IEEE80211_MAX_SSID_LEN },
562 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
563 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
564 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
565 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
566 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
567 						  NL80211_MFP_NO,
568 						  NL80211_MFP_OPTIONAL),
569 	[NL80211_ATTR_STA_FLAGS2] =
570 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
571 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
572 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
576 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
577 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
578 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
579 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
580 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
581 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
582 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
583 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
584 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
585 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
586 				 .len = IEEE80211_MAX_DATA_LEN },
587 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
588 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
589 						   NL80211_PS_DISABLED,
590 						   NL80211_PS_ENABLED),
591 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
592 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
593 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
594 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
595 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
596 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
597 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
598 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
599 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
600 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
601 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
602 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
603 	[NL80211_ATTR_STA_PLINK_STATE] =
604 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
605 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
606 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
607 	[NL80211_ATTR_MESH_PEER_AID] =
608 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
609 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
610 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
611 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
612 	[NL80211_ATTR_HIDDEN_SSID] =
613 		NLA_POLICY_RANGE(NLA_U32,
614 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
615 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
616 	[NL80211_ATTR_IE_PROBE_RESP] =
617 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
618 				       IEEE80211_MAX_DATA_LEN),
619 	[NL80211_ATTR_IE_ASSOC_RESP] =
620 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
621 				       IEEE80211_MAX_DATA_LEN),
622 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
623 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
624 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
627 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
628 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
629 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
630 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
632 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
633 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
634 				      .len = IEEE80211_MAX_DATA_LEN },
635 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
636 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
638 		.len = NL80211_HT_CAPABILITY_LEN
639 	},
640 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
641 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
642 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
643 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
644 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
645 
646 	/* need to include at least Auth Transaction and Status Code */
647 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
648 
649 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
650 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
651 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
652 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
653 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
654 		NLA_POLICY_RANGE(NLA_U32,
655 				 NL80211_MESH_POWER_UNKNOWN + 1,
656 				 NL80211_MESH_POWER_MAX),
657 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
658 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
659 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
660 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
661 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
662 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
663 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
664 		.len = NL80211_VHT_CAPABILITY_LEN,
665 	},
666 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
667 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
668 				  .len = IEEE80211_MAX_DATA_LEN },
669 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
670 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
671 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
672 	[NL80211_ATTR_PEER_AID] =
673 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
674 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
675 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
677 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
678 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
679 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
680 	/*
681 	 * The value of the Length field of the Supported Operating
682 	 * Classes element is between 2 and 253.
683 	 */
684 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
685 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
686 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
687 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
688 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
689 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
690 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
692 						  IEEE80211_QOS_MAP_LEN_MIN,
693 						  IEEE80211_QOS_MAP_LEN_MAX),
694 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
695 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
696 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
697 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
698 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
699 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
701 	[NL80211_ATTR_USER_PRIO] =
702 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
703 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
704 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
705 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
706 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
707 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
708 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
709 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
712 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
714 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
715 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
716 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
717 	},
718 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
719 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
720 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
721 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
723 				    .len = FILS_MAX_KEK_LEN },
724 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
725 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
726 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
727 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
728 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
729 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
730 	},
731 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
732 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
733 					     .len = FILS_ERP_MAX_USERNAME_LEN },
734 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
735 					  .len = FILS_ERP_MAX_REALM_LEN },
736 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
737 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
738 					.len = FILS_ERP_MAX_RRK_LEN },
739 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
740 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
741 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
742 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
744 
745 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
746 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
747 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
748 	[NL80211_ATTR_HE_CAPABILITY] =
749 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
750 				       NL80211_HE_MAX_CAPABILITY_LEN),
751 	[NL80211_ATTR_FTM_RESPONDER] =
752 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
753 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
754 	[NL80211_ATTR_PEER_MEASUREMENTS] =
755 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
756 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
757 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
758 					.len = SAE_PASSWORD_MAX_LEN },
759 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
761 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
762 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
763 	[NL80211_ATTR_TID_CONFIG] =
764 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
765 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
766 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
768 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
769 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
770 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
771 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
773 	[NL80211_ATTR_FILS_DISCOVERY] =
774 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
775 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
776 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
777 	[NL80211_ATTR_S1G_CAPABILITY] =
778 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
779 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
780 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
781 	[NL80211_ATTR_SAE_PWE] =
782 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
783 				 NL80211_SAE_PWE_BOTH),
784 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
785 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
786 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
787 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
788 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
789 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
790 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
791 	[NL80211_ATTR_MBSSID_CONFIG] =
792 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
793 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
794 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
795 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
796 	[NL80211_ATTR_EHT_CAPABILITY] =
797 		NLA_POLICY_RANGE(NLA_BINARY,
798 				 NL80211_EHT_MIN_CAPABILITY_LEN,
799 				 NL80211_EHT_MAX_CAPABILITY_LEN),
800 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_MLO_LINKS] =
802 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
803 	[NL80211_ATTR_MLO_LINK_ID] =
804 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
805 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
806 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
807 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
808 };
809 
810 /* policy for the key attributes */
811 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
812 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
813 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
814 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
815 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
816 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
817 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
818 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
819 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
820 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
821 };
822 
823 /* policy for the key default flags */
824 static const struct nla_policy
825 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
826 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
827 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
828 };
829 
830 #ifdef CONFIG_PM
831 /* policy for WoWLAN attributes */
832 static const struct nla_policy
833 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
834 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
835 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
836 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
837 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
838 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
839 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
840 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
841 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
842 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
843 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
844 };
845 
846 static const struct nla_policy
847 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
848 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
849 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
850 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
851 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
852 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
853 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
854 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
855 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
856 	},
857 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
858 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
859 	},
860 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
861 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
862 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
863 };
864 #endif /* CONFIG_PM */
865 
866 /* policy for coalesce rule attributes */
867 static const struct nla_policy
868 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
869 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
870 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
871 		NLA_POLICY_RANGE(NLA_U32,
872 				 NL80211_COALESCE_CONDITION_MATCH,
873 				 NL80211_COALESCE_CONDITION_NO_MATCH),
874 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
875 };
876 
877 /* policy for GTK rekey offload attributes */
878 static const struct nla_policy
879 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
880 	[NL80211_REKEY_DATA_KEK] = {
881 		.type = NLA_BINARY,
882 		.len = NL80211_KEK_EXT_LEN
883 	},
884 	[NL80211_REKEY_DATA_KCK] = {
885 		.type = NLA_BINARY,
886 		.len = NL80211_KCK_EXT_LEN
887 	},
888 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
889 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
890 };
891 
892 static const struct nla_policy
893 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
894 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
895 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
896 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
897 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
898 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
899 };
900 
901 static const struct nla_policy
902 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
903 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
904 						 .len = IEEE80211_MAX_SSID_LEN },
905 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
906 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
907 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
908 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
909 };
910 
911 static const struct nla_policy
912 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
913 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
914 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
915 };
916 
917 static const struct nla_policy
918 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
919 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
920 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
921 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
922 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
923 	},
924 };
925 
926 /* policy for NAN function attributes */
927 static const struct nla_policy
928 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
929 	[NL80211_NAN_FUNC_TYPE] =
930 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
931 	[NL80211_NAN_FUNC_SERVICE_ID] = {
932 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
933 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
934 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
935 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
936 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
937 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
938 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
939 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
940 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
941 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
942 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
943 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
944 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
945 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
946 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
948 };
949 
950 /* policy for Service Response Filter attributes */
951 static const struct nla_policy
952 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
953 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
954 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
955 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
956 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
957 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
958 };
959 
960 /* policy for packet pattern attributes */
961 static const struct nla_policy
962 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
963 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
964 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
965 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
966 };
967 
968 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
969 				     struct cfg80211_registered_device **rdev,
970 				     struct wireless_dev **wdev,
971 				     struct nlattr **attrbuf)
972 {
973 	int err;
974 
975 	if (!cb->args[0]) {
976 		struct nlattr **attrbuf_free = NULL;
977 
978 		if (!attrbuf) {
979 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
980 					  GFP_KERNEL);
981 			if (!attrbuf)
982 				return -ENOMEM;
983 			attrbuf_free = attrbuf;
984 		}
985 
986 		err = nlmsg_parse_deprecated(cb->nlh,
987 					     GENL_HDRLEN + nl80211_fam.hdrsize,
988 					     attrbuf, nl80211_fam.maxattr,
989 					     nl80211_policy, NULL);
990 		if (err) {
991 			kfree(attrbuf_free);
992 			return err;
993 		}
994 
995 		rtnl_lock();
996 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
997 						   attrbuf);
998 		kfree(attrbuf_free);
999 		if (IS_ERR(*wdev)) {
1000 			rtnl_unlock();
1001 			return PTR_ERR(*wdev);
1002 		}
1003 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1004 		mutex_lock(&(*rdev)->wiphy.mtx);
1005 		rtnl_unlock();
1006 		/* 0 is the first index - add 1 to parse only once */
1007 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1008 		cb->args[1] = (*wdev)->identifier;
1009 	} else {
1010 		/* subtract the 1 again here */
1011 		struct wiphy *wiphy;
1012 		struct wireless_dev *tmp;
1013 
1014 		rtnl_lock();
1015 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1016 		if (!wiphy) {
1017 			rtnl_unlock();
1018 			return -ENODEV;
1019 		}
1020 		*rdev = wiphy_to_rdev(wiphy);
1021 		*wdev = NULL;
1022 
1023 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1024 			if (tmp->identifier == cb->args[1]) {
1025 				*wdev = tmp;
1026 				break;
1027 			}
1028 		}
1029 
1030 		if (!*wdev) {
1031 			rtnl_unlock();
1032 			return -ENODEV;
1033 		}
1034 		mutex_lock(&(*rdev)->wiphy.mtx);
1035 		rtnl_unlock();
1036 	}
1037 
1038 	return 0;
1039 }
1040 
1041 /* message building helper */
1042 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1043 		     int flags, u8 cmd)
1044 {
1045 	/* since there is no private header just add the generic one */
1046 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1047 }
1048 
1049 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1050 				     const struct ieee80211_reg_rule *rule)
1051 {
1052 	int j;
1053 	struct nlattr *nl_wmm_rules =
1054 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1055 
1056 	if (!nl_wmm_rules)
1057 		goto nla_put_failure;
1058 
1059 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1060 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1061 
1062 		if (!nl_wmm_rule)
1063 			goto nla_put_failure;
1064 
1065 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1066 				rule->wmm_rule.client[j].cw_min) ||
1067 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1068 				rule->wmm_rule.client[j].cw_max) ||
1069 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1070 			       rule->wmm_rule.client[j].aifsn) ||
1071 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1072 			        rule->wmm_rule.client[j].cot))
1073 			goto nla_put_failure;
1074 
1075 		nla_nest_end(msg, nl_wmm_rule);
1076 	}
1077 	nla_nest_end(msg, nl_wmm_rules);
1078 
1079 	return 0;
1080 
1081 nla_put_failure:
1082 	return -ENOBUFS;
1083 }
1084 
1085 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1086 				   struct ieee80211_channel *chan,
1087 				   bool large)
1088 {
1089 	/* Some channels must be completely excluded from the
1090 	 * list to protect old user-space tools from breaking
1091 	 */
1092 	if (!large && chan->flags &
1093 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1094 		return 0;
1095 	if (!large && chan->freq_offset)
1096 		return 0;
1097 
1098 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1099 			chan->center_freq))
1100 		goto nla_put_failure;
1101 
1102 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1103 		goto nla_put_failure;
1104 
1105 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1106 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1107 		goto nla_put_failure;
1108 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1109 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1110 			goto nla_put_failure;
1111 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1112 			goto nla_put_failure;
1113 	}
1114 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1115 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1116 			goto nla_put_failure;
1117 		if (large) {
1118 			u32 time;
1119 
1120 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1121 
1122 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1123 					chan->dfs_state))
1124 				goto nla_put_failure;
1125 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1126 					time))
1127 				goto nla_put_failure;
1128 			if (nla_put_u32(msg,
1129 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1130 					chan->dfs_cac_ms))
1131 				goto nla_put_failure;
1132 		}
1133 	}
1134 
1135 	if (large) {
1136 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1137 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1138 			goto nla_put_failure;
1139 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1140 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1141 			goto nla_put_failure;
1142 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1143 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1144 			goto nla_put_failure;
1145 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1146 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1147 			goto nla_put_failure;
1148 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1149 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1150 			goto nla_put_failure;
1151 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1152 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1153 			goto nla_put_failure;
1154 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1155 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1156 			goto nla_put_failure;
1157 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1158 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1159 			goto nla_put_failure;
1160 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1161 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1162 			goto nla_put_failure;
1163 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1164 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1165 			goto nla_put_failure;
1166 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1167 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1168 			goto nla_put_failure;
1169 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1170 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1171 			goto nla_put_failure;
1172 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1173 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1174 			goto nla_put_failure;
1175 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1176 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1177 			goto nla_put_failure;
1178 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1179 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1180 			goto nla_put_failure;
1181 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1182 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1183 			goto nla_put_failure;
1184 	}
1185 
1186 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1187 			DBM_TO_MBM(chan->max_power)))
1188 		goto nla_put_failure;
1189 
1190 	if (large) {
1191 		const struct ieee80211_reg_rule *rule =
1192 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1193 
1194 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1195 			if (nl80211_msg_put_wmm_rules(msg, rule))
1196 				goto nla_put_failure;
1197 		}
1198 	}
1199 
1200 	return 0;
1201 
1202  nla_put_failure:
1203 	return -ENOBUFS;
1204 }
1205 
1206 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1207 				  struct cfg80211_txq_stats *txqstats,
1208 				  int attrtype)
1209 {
1210 	struct nlattr *txqattr;
1211 
1212 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1213 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1214 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1215 		return false;						  \
1216 	} while (0)
1217 
1218 	txqattr = nla_nest_start_noflag(msg, attrtype);
1219 	if (!txqattr)
1220 		return false;
1221 
1222 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1223 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1224 	PUT_TXQVAL_U32(FLOWS, flows);
1225 	PUT_TXQVAL_U32(DROPS, drops);
1226 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1227 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1228 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1229 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1230 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1231 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1232 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1233 	nla_nest_end(msg, txqattr);
1234 
1235 #undef PUT_TXQVAL_U32
1236 	return true;
1237 }
1238 
1239 /* netlink command implementations */
1240 
1241 /**
1242  * nl80211_link_id - return link ID
1243  * @attrs: attributes to look at
1244  *
1245  * Returns: the link ID or 0 if not given
1246  *
1247  * Note this function doesn't do any validation of the link
1248  * ID validity wrt. links that were actually added, so it must
1249  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1250  * or if additional validation is done.
1251  */
1252 static unsigned int nl80211_link_id(struct nlattr **attrs)
1253 {
1254 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1255 
1256 	if (!linkid)
1257 		return 0;
1258 
1259 	return nla_get_u8(linkid);
1260 }
1261 
1262 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1263 {
1264 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1265 
1266 	if (!linkid)
1267 		return -1;
1268 
1269 	return nla_get_u8(linkid);
1270 }
1271 
1272 struct key_parse {
1273 	struct key_params p;
1274 	int idx;
1275 	int type;
1276 	bool def, defmgmt, defbeacon;
1277 	bool def_uni, def_multi;
1278 };
1279 
1280 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1281 				 struct key_parse *k)
1282 {
1283 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1284 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1285 					      nl80211_key_policy,
1286 					      info->extack);
1287 	if (err)
1288 		return err;
1289 
1290 	k->def = !!tb[NL80211_KEY_DEFAULT];
1291 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1292 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1293 
1294 	if (k->def) {
1295 		k->def_uni = true;
1296 		k->def_multi = true;
1297 	}
1298 	if (k->defmgmt || k->defbeacon)
1299 		k->def_multi = true;
1300 
1301 	if (tb[NL80211_KEY_IDX])
1302 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1303 
1304 	if (tb[NL80211_KEY_DATA]) {
1305 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1306 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1307 	}
1308 
1309 	if (tb[NL80211_KEY_SEQ]) {
1310 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1311 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1312 	}
1313 
1314 	if (tb[NL80211_KEY_CIPHER])
1315 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1316 
1317 	if (tb[NL80211_KEY_TYPE])
1318 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1319 
1320 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1321 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1322 
1323 		err = nla_parse_nested_deprecated(kdt,
1324 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1325 						  tb[NL80211_KEY_DEFAULT_TYPES],
1326 						  nl80211_key_default_policy,
1327 						  info->extack);
1328 		if (err)
1329 			return err;
1330 
1331 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1332 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1333 	}
1334 
1335 	if (tb[NL80211_KEY_MODE])
1336 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1337 
1338 	return 0;
1339 }
1340 
1341 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1342 {
1343 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1344 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1345 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1346 	}
1347 
1348 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1349 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1350 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1351 	}
1352 
1353 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1354 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1355 
1356 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1357 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1358 
1359 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1360 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1361 
1362 	if (k->def) {
1363 		k->def_uni = true;
1364 		k->def_multi = true;
1365 	}
1366 	if (k->defmgmt)
1367 		k->def_multi = true;
1368 
1369 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1370 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1371 
1372 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1373 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1374 		int err = nla_parse_nested_deprecated(kdt,
1375 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1376 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1377 						      nl80211_key_default_policy,
1378 						      info->extack);
1379 		if (err)
1380 			return err;
1381 
1382 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1383 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1384 	}
1385 
1386 	return 0;
1387 }
1388 
1389 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1390 {
1391 	int err;
1392 
1393 	memset(k, 0, sizeof(*k));
1394 	k->idx = -1;
1395 	k->type = -1;
1396 
1397 	if (info->attrs[NL80211_ATTR_KEY])
1398 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1399 	else
1400 		err = nl80211_parse_key_old(info, k);
1401 
1402 	if (err)
1403 		return err;
1404 
1405 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1406 	    (k->defbeacon ? 1 : 0) > 1) {
1407 		GENL_SET_ERR_MSG(info,
1408 				 "key with multiple default flags is invalid");
1409 		return -EINVAL;
1410 	}
1411 
1412 	if (k->defmgmt || k->defbeacon) {
1413 		if (k->def_uni || !k->def_multi) {
1414 			GENL_SET_ERR_MSG(info,
1415 					 "defmgmt/defbeacon key must be mcast");
1416 			return -EINVAL;
1417 		}
1418 	}
1419 
1420 	if (k->idx != -1) {
1421 		if (k->defmgmt) {
1422 			if (k->idx < 4 || k->idx > 5) {
1423 				GENL_SET_ERR_MSG(info,
1424 						 "defmgmt key idx not 4 or 5");
1425 				return -EINVAL;
1426 			}
1427 		} else if (k->defbeacon) {
1428 			if (k->idx < 6 || k->idx > 7) {
1429 				GENL_SET_ERR_MSG(info,
1430 						 "defbeacon key idx not 6 or 7");
1431 				return -EINVAL;
1432 			}
1433 		} else if (k->def) {
1434 			if (k->idx < 0 || k->idx > 3) {
1435 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1436 				return -EINVAL;
1437 			}
1438 		} else {
1439 			if (k->idx < 0 || k->idx > 7) {
1440 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1441 				return -EINVAL;
1442 			}
1443 		}
1444 	}
1445 
1446 	return 0;
1447 }
1448 
1449 static struct cfg80211_cached_keys *
1450 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1451 		       struct genl_info *info, bool *no_ht)
1452 {
1453 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1454 	struct key_parse parse;
1455 	struct nlattr *key;
1456 	struct cfg80211_cached_keys *result;
1457 	int rem, err, def = 0;
1458 	bool have_key = false;
1459 
1460 	nla_for_each_nested(key, keys, rem) {
1461 		have_key = true;
1462 		break;
1463 	}
1464 
1465 	if (!have_key)
1466 		return NULL;
1467 
1468 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1469 	if (!result)
1470 		return ERR_PTR(-ENOMEM);
1471 
1472 	result->def = -1;
1473 
1474 	nla_for_each_nested(key, keys, rem) {
1475 		memset(&parse, 0, sizeof(parse));
1476 		parse.idx = -1;
1477 
1478 		err = nl80211_parse_key_new(info, key, &parse);
1479 		if (err)
1480 			goto error;
1481 		err = -EINVAL;
1482 		if (!parse.p.key)
1483 			goto error;
1484 		if (parse.idx < 0 || parse.idx > 3) {
1485 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1486 			goto error;
1487 		}
1488 		if (parse.def) {
1489 			if (def) {
1490 				GENL_SET_ERR_MSG(info,
1491 						 "only one key can be default");
1492 				goto error;
1493 			}
1494 			def = 1;
1495 			result->def = parse.idx;
1496 			if (!parse.def_uni || !parse.def_multi)
1497 				goto error;
1498 		} else if (parse.defmgmt)
1499 			goto error;
1500 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1501 						     parse.idx, false, NULL);
1502 		if (err)
1503 			goto error;
1504 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1505 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1506 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1507 			err = -EINVAL;
1508 			goto error;
1509 		}
1510 		result->params[parse.idx].cipher = parse.p.cipher;
1511 		result->params[parse.idx].key_len = parse.p.key_len;
1512 		result->params[parse.idx].key = result->data[parse.idx];
1513 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1514 
1515 		/* must be WEP key if we got here */
1516 		if (no_ht)
1517 			*no_ht = true;
1518 	}
1519 
1520 	if (result->def < 0) {
1521 		err = -EINVAL;
1522 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1523 		goto error;
1524 	}
1525 
1526 	return result;
1527  error:
1528 	kfree(result);
1529 	return ERR_PTR(err);
1530 }
1531 
1532 static int nl80211_key_allowed(struct wireless_dev *wdev)
1533 {
1534 	ASSERT_WDEV_LOCK(wdev);
1535 
1536 	switch (wdev->iftype) {
1537 	case NL80211_IFTYPE_AP:
1538 	case NL80211_IFTYPE_AP_VLAN:
1539 	case NL80211_IFTYPE_P2P_GO:
1540 	case NL80211_IFTYPE_MESH_POINT:
1541 		break;
1542 	case NL80211_IFTYPE_ADHOC:
1543 		if (wdev->u.ibss.current_bss)
1544 			return 0;
1545 		return -ENOLINK;
1546 	case NL80211_IFTYPE_STATION:
1547 	case NL80211_IFTYPE_P2P_CLIENT:
1548 		/* for MLO, require driver validation of the link ID */
1549 		if (wdev->connected)
1550 			return 0;
1551 		return -ENOLINK;
1552 	case NL80211_IFTYPE_UNSPECIFIED:
1553 	case NL80211_IFTYPE_OCB:
1554 	case NL80211_IFTYPE_MONITOR:
1555 	case NL80211_IFTYPE_NAN:
1556 	case NL80211_IFTYPE_P2P_DEVICE:
1557 	case NL80211_IFTYPE_WDS:
1558 	case NUM_NL80211_IFTYPES:
1559 		return -EINVAL;
1560 	}
1561 
1562 	return 0;
1563 }
1564 
1565 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1566 							u32 freq)
1567 {
1568 	struct ieee80211_channel *chan;
1569 
1570 	chan = ieee80211_get_channel_khz(wiphy, freq);
1571 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1572 		return NULL;
1573 	return chan;
1574 }
1575 
1576 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1577 {
1578 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1579 	int i;
1580 
1581 	if (!nl_modes)
1582 		goto nla_put_failure;
1583 
1584 	i = 0;
1585 	while (ifmodes) {
1586 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1587 			goto nla_put_failure;
1588 		ifmodes >>= 1;
1589 		i++;
1590 	}
1591 
1592 	nla_nest_end(msg, nl_modes);
1593 	return 0;
1594 
1595 nla_put_failure:
1596 	return -ENOBUFS;
1597 }
1598 
1599 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1600 					  struct sk_buff *msg,
1601 					  bool large)
1602 {
1603 	struct nlattr *nl_combis;
1604 	int i, j;
1605 
1606 	nl_combis = nla_nest_start_noflag(msg,
1607 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1608 	if (!nl_combis)
1609 		goto nla_put_failure;
1610 
1611 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1612 		const struct ieee80211_iface_combination *c;
1613 		struct nlattr *nl_combi, *nl_limits;
1614 
1615 		c = &wiphy->iface_combinations[i];
1616 
1617 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1618 		if (!nl_combi)
1619 			goto nla_put_failure;
1620 
1621 		nl_limits = nla_nest_start_noflag(msg,
1622 						  NL80211_IFACE_COMB_LIMITS);
1623 		if (!nl_limits)
1624 			goto nla_put_failure;
1625 
1626 		for (j = 0; j < c->n_limits; j++) {
1627 			struct nlattr *nl_limit;
1628 
1629 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1630 			if (!nl_limit)
1631 				goto nla_put_failure;
1632 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1633 					c->limits[j].max))
1634 				goto nla_put_failure;
1635 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1636 						c->limits[j].types))
1637 				goto nla_put_failure;
1638 			nla_nest_end(msg, nl_limit);
1639 		}
1640 
1641 		nla_nest_end(msg, nl_limits);
1642 
1643 		if (c->beacon_int_infra_match &&
1644 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1645 			goto nla_put_failure;
1646 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1647 				c->num_different_channels) ||
1648 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1649 				c->max_interfaces))
1650 			goto nla_put_failure;
1651 		if (large &&
1652 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1653 				c->radar_detect_widths) ||
1654 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1655 				c->radar_detect_regions)))
1656 			goto nla_put_failure;
1657 		if (c->beacon_int_min_gcd &&
1658 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1659 				c->beacon_int_min_gcd))
1660 			goto nla_put_failure;
1661 
1662 		nla_nest_end(msg, nl_combi);
1663 	}
1664 
1665 	nla_nest_end(msg, nl_combis);
1666 
1667 	return 0;
1668 nla_put_failure:
1669 	return -ENOBUFS;
1670 }
1671 
1672 #ifdef CONFIG_PM
1673 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1674 					struct sk_buff *msg)
1675 {
1676 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1677 	struct nlattr *nl_tcp;
1678 
1679 	if (!tcp)
1680 		return 0;
1681 
1682 	nl_tcp = nla_nest_start_noflag(msg,
1683 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1684 	if (!nl_tcp)
1685 		return -ENOBUFS;
1686 
1687 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1688 			tcp->data_payload_max))
1689 		return -ENOBUFS;
1690 
1691 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1692 			tcp->data_payload_max))
1693 		return -ENOBUFS;
1694 
1695 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1696 		return -ENOBUFS;
1697 
1698 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1699 				sizeof(*tcp->tok), tcp->tok))
1700 		return -ENOBUFS;
1701 
1702 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1703 			tcp->data_interval_max))
1704 		return -ENOBUFS;
1705 
1706 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1707 			tcp->wake_payload_max))
1708 		return -ENOBUFS;
1709 
1710 	nla_nest_end(msg, nl_tcp);
1711 	return 0;
1712 }
1713 
1714 static int nl80211_send_wowlan(struct sk_buff *msg,
1715 			       struct cfg80211_registered_device *rdev,
1716 			       bool large)
1717 {
1718 	struct nlattr *nl_wowlan;
1719 
1720 	if (!rdev->wiphy.wowlan)
1721 		return 0;
1722 
1723 	nl_wowlan = nla_nest_start_noflag(msg,
1724 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1725 	if (!nl_wowlan)
1726 		return -ENOBUFS;
1727 
1728 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1729 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1730 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1731 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1732 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1733 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1734 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1735 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1736 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1737 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1738 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1739 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1740 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1741 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1742 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1743 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1744 		return -ENOBUFS;
1745 
1746 	if (rdev->wiphy.wowlan->n_patterns) {
1747 		struct nl80211_pattern_support pat = {
1748 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1749 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1750 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1751 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1752 		};
1753 
1754 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1755 			    sizeof(pat), &pat))
1756 			return -ENOBUFS;
1757 	}
1758 
1759 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1760 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1761 			rdev->wiphy.wowlan->max_nd_match_sets))
1762 		return -ENOBUFS;
1763 
1764 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1765 		return -ENOBUFS;
1766 
1767 	nla_nest_end(msg, nl_wowlan);
1768 
1769 	return 0;
1770 }
1771 #endif
1772 
1773 static int nl80211_send_coalesce(struct sk_buff *msg,
1774 				 struct cfg80211_registered_device *rdev)
1775 {
1776 	struct nl80211_coalesce_rule_support rule;
1777 
1778 	if (!rdev->wiphy.coalesce)
1779 		return 0;
1780 
1781 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1782 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1783 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1784 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1785 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1786 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1787 
1788 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1789 		return -ENOBUFS;
1790 
1791 	return 0;
1792 }
1793 
1794 static int
1795 nl80211_send_iftype_data(struct sk_buff *msg,
1796 			 const struct ieee80211_supported_band *sband,
1797 			 const struct ieee80211_sband_iftype_data *iftdata)
1798 {
1799 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1800 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1801 
1802 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1803 				iftdata->types_mask))
1804 		return -ENOBUFS;
1805 
1806 	if (he_cap->has_he) {
1807 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1808 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1809 			    he_cap->he_cap_elem.mac_cap_info) ||
1810 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1811 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1812 			    he_cap->he_cap_elem.phy_cap_info) ||
1813 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1814 			    sizeof(he_cap->he_mcs_nss_supp),
1815 			    &he_cap->he_mcs_nss_supp) ||
1816 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1817 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1818 			return -ENOBUFS;
1819 	}
1820 
1821 	if (eht_cap->has_eht && he_cap->has_he) {
1822 		u8 mcs_nss_size, ppe_thresh_size;
1823 		u16 ppe_thres_hdr;
1824 
1825 		mcs_nss_size =
1826 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1827 						   &eht_cap->eht_cap_elem);
1828 
1829 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1830 		ppe_thresh_size =
1831 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1832 					       eht_cap->eht_cap_elem.phy_cap_info);
1833 
1834 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1835 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1836 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1837 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1838 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1839 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1840 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1841 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1842 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1843 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1844 			return -ENOBUFS;
1845 	}
1846 
1847 	if (sband->band == NL80211_BAND_6GHZ &&
1848 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1849 		    sizeof(iftdata->he_6ghz_capa),
1850 		    &iftdata->he_6ghz_capa))
1851 		return -ENOBUFS;
1852 
1853 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1854 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1855 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1856 		return -ENOBUFS;
1857 
1858 	return 0;
1859 }
1860 
1861 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1862 				      struct ieee80211_supported_band *sband,
1863 				      bool large)
1864 {
1865 	struct nlattr *nl_rates, *nl_rate;
1866 	struct ieee80211_rate *rate;
1867 	int i;
1868 
1869 	/* add HT info */
1870 	if (sband->ht_cap.ht_supported &&
1871 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1872 		     sizeof(sband->ht_cap.mcs),
1873 		     &sband->ht_cap.mcs) ||
1874 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1875 			 sband->ht_cap.cap) ||
1876 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1877 			sband->ht_cap.ampdu_factor) ||
1878 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1879 			sband->ht_cap.ampdu_density)))
1880 		return -ENOBUFS;
1881 
1882 	/* add VHT info */
1883 	if (sband->vht_cap.vht_supported &&
1884 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1885 		     sizeof(sband->vht_cap.vht_mcs),
1886 		     &sband->vht_cap.vht_mcs) ||
1887 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1888 			 sband->vht_cap.cap)))
1889 		return -ENOBUFS;
1890 
1891 	if (large && sband->n_iftype_data) {
1892 		struct nlattr *nl_iftype_data =
1893 			nla_nest_start_noflag(msg,
1894 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1895 		int err;
1896 
1897 		if (!nl_iftype_data)
1898 			return -ENOBUFS;
1899 
1900 		for (i = 0; i < sband->n_iftype_data; i++) {
1901 			struct nlattr *iftdata;
1902 
1903 			iftdata = nla_nest_start_noflag(msg, i + 1);
1904 			if (!iftdata)
1905 				return -ENOBUFS;
1906 
1907 			err = nl80211_send_iftype_data(msg, sband,
1908 						       &sband->iftype_data[i]);
1909 			if (err)
1910 				return err;
1911 
1912 			nla_nest_end(msg, iftdata);
1913 		}
1914 
1915 		nla_nest_end(msg, nl_iftype_data);
1916 	}
1917 
1918 	/* add EDMG info */
1919 	if (large && sband->edmg_cap.channels &&
1920 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1921 		       sband->edmg_cap.channels) ||
1922 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1923 		       sband->edmg_cap.bw_config)))
1924 
1925 		return -ENOBUFS;
1926 
1927 	/* add bitrates */
1928 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1929 	if (!nl_rates)
1930 		return -ENOBUFS;
1931 
1932 	for (i = 0; i < sband->n_bitrates; i++) {
1933 		nl_rate = nla_nest_start_noflag(msg, i);
1934 		if (!nl_rate)
1935 			return -ENOBUFS;
1936 
1937 		rate = &sband->bitrates[i];
1938 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1939 				rate->bitrate))
1940 			return -ENOBUFS;
1941 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1942 		    nla_put_flag(msg,
1943 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1944 			return -ENOBUFS;
1945 
1946 		nla_nest_end(msg, nl_rate);
1947 	}
1948 
1949 	nla_nest_end(msg, nl_rates);
1950 
1951 	return 0;
1952 }
1953 
1954 static int
1955 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1956 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1957 {
1958 	u16 stypes;
1959 	struct nlattr *nl_ftypes, *nl_ifs;
1960 	enum nl80211_iftype ift;
1961 	int i;
1962 
1963 	if (!mgmt_stypes)
1964 		return 0;
1965 
1966 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1967 	if (!nl_ifs)
1968 		return -ENOBUFS;
1969 
1970 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1971 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1972 		if (!nl_ftypes)
1973 			return -ENOBUFS;
1974 		i = 0;
1975 		stypes = mgmt_stypes[ift].tx;
1976 		while (stypes) {
1977 			if ((stypes & 1) &&
1978 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1979 					(i << 4) | IEEE80211_FTYPE_MGMT))
1980 				return -ENOBUFS;
1981 			stypes >>= 1;
1982 			i++;
1983 		}
1984 		nla_nest_end(msg, nl_ftypes);
1985 	}
1986 
1987 	nla_nest_end(msg, nl_ifs);
1988 
1989 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1990 	if (!nl_ifs)
1991 		return -ENOBUFS;
1992 
1993 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1994 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1995 		if (!nl_ftypes)
1996 			return -ENOBUFS;
1997 		i = 0;
1998 		stypes = mgmt_stypes[ift].rx;
1999 		while (stypes) {
2000 			if ((stypes & 1) &&
2001 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2002 					(i << 4) | IEEE80211_FTYPE_MGMT))
2003 				return -ENOBUFS;
2004 			stypes >>= 1;
2005 			i++;
2006 		}
2007 		nla_nest_end(msg, nl_ftypes);
2008 	}
2009 	nla_nest_end(msg, nl_ifs);
2010 
2011 	return 0;
2012 }
2013 
2014 #define CMD(op, n)							\
2015 	 do {								\
2016 		if (rdev->ops->op) {					\
2017 			i++;						\
2018 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2019 				goto nla_put_failure;			\
2020 		}							\
2021 	} while (0)
2022 
2023 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2024 					struct sk_buff *msg)
2025 {
2026 	int i = 0;
2027 
2028 	/*
2029 	 * do *NOT* add anything into this function, new things need to be
2030 	 * advertised only to new versions of userspace that can deal with
2031 	 * the split (and they can't possibly care about new features...
2032 	 */
2033 	CMD(add_virtual_intf, NEW_INTERFACE);
2034 	CMD(change_virtual_intf, SET_INTERFACE);
2035 	CMD(add_key, NEW_KEY);
2036 	CMD(start_ap, START_AP);
2037 	CMD(add_station, NEW_STATION);
2038 	CMD(add_mpath, NEW_MPATH);
2039 	CMD(update_mesh_config, SET_MESH_CONFIG);
2040 	CMD(change_bss, SET_BSS);
2041 	CMD(auth, AUTHENTICATE);
2042 	CMD(assoc, ASSOCIATE);
2043 	CMD(deauth, DEAUTHENTICATE);
2044 	CMD(disassoc, DISASSOCIATE);
2045 	CMD(join_ibss, JOIN_IBSS);
2046 	CMD(join_mesh, JOIN_MESH);
2047 	CMD(set_pmksa, SET_PMKSA);
2048 	CMD(del_pmksa, DEL_PMKSA);
2049 	CMD(flush_pmksa, FLUSH_PMKSA);
2050 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2051 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2052 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2053 	CMD(mgmt_tx, FRAME);
2054 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2055 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2056 		i++;
2057 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2058 			goto nla_put_failure;
2059 	}
2060 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2061 	    rdev->ops->join_mesh) {
2062 		i++;
2063 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2064 			goto nla_put_failure;
2065 	}
2066 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2067 		CMD(tdls_mgmt, TDLS_MGMT);
2068 		CMD(tdls_oper, TDLS_OPER);
2069 	}
2070 	if (rdev->wiphy.max_sched_scan_reqs)
2071 		CMD(sched_scan_start, START_SCHED_SCAN);
2072 	CMD(probe_client, PROBE_CLIENT);
2073 	CMD(set_noack_map, SET_NOACK_MAP);
2074 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2075 		i++;
2076 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2077 			goto nla_put_failure;
2078 	}
2079 	CMD(start_p2p_device, START_P2P_DEVICE);
2080 	CMD(set_mcast_rate, SET_MCAST_RATE);
2081 #ifdef CONFIG_NL80211_TESTMODE
2082 	CMD(testmode_cmd, TESTMODE);
2083 #endif
2084 
2085 	if (rdev->ops->connect || rdev->ops->auth) {
2086 		i++;
2087 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2088 			goto nla_put_failure;
2089 	}
2090 
2091 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2092 		i++;
2093 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2094 			goto nla_put_failure;
2095 	}
2096 
2097 	return i;
2098  nla_put_failure:
2099 	return -ENOBUFS;
2100 }
2101 
2102 static int
2103 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2104 			   struct sk_buff *msg)
2105 {
2106 	struct nlattr *ftm;
2107 
2108 	if (!cap->ftm.supported)
2109 		return 0;
2110 
2111 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2112 	if (!ftm)
2113 		return -ENOBUFS;
2114 
2115 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2116 		return -ENOBUFS;
2117 	if (cap->ftm.non_asap &&
2118 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2119 		return -ENOBUFS;
2120 	if (cap->ftm.request_lci &&
2121 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2122 		return -ENOBUFS;
2123 	if (cap->ftm.request_civicloc &&
2124 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2125 		return -ENOBUFS;
2126 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2127 			cap->ftm.preambles))
2128 		return -ENOBUFS;
2129 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2130 			cap->ftm.bandwidths))
2131 		return -ENOBUFS;
2132 	if (cap->ftm.max_bursts_exponent >= 0 &&
2133 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2134 			cap->ftm.max_bursts_exponent))
2135 		return -ENOBUFS;
2136 	if (cap->ftm.max_ftms_per_burst &&
2137 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2138 			cap->ftm.max_ftms_per_burst))
2139 		return -ENOBUFS;
2140 	if (cap->ftm.trigger_based &&
2141 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2142 		return -ENOBUFS;
2143 	if (cap->ftm.non_trigger_based &&
2144 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2145 		return -ENOBUFS;
2146 
2147 	nla_nest_end(msg, ftm);
2148 	return 0;
2149 }
2150 
2151 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2152 				  struct sk_buff *msg)
2153 {
2154 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2155 	struct nlattr *pmsr, *caps;
2156 
2157 	if (!cap)
2158 		return 0;
2159 
2160 	/*
2161 	 * we don't need to clean up anything here since the caller
2162 	 * will genlmsg_cancel() if we fail
2163 	 */
2164 
2165 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2166 	if (!pmsr)
2167 		return -ENOBUFS;
2168 
2169 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2170 		return -ENOBUFS;
2171 
2172 	if (cap->report_ap_tsf &&
2173 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2174 		return -ENOBUFS;
2175 
2176 	if (cap->randomize_mac_addr &&
2177 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2178 		return -ENOBUFS;
2179 
2180 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2181 	if (!caps)
2182 		return -ENOBUFS;
2183 
2184 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2185 		return -ENOBUFS;
2186 
2187 	nla_nest_end(msg, caps);
2188 	nla_nest_end(msg, pmsr);
2189 
2190 	return 0;
2191 }
2192 
2193 static int
2194 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2195 			      struct sk_buff *msg)
2196 {
2197 	int i;
2198 	struct nlattr *nested, *nested_akms;
2199 	const struct wiphy_iftype_akm_suites *iftype_akms;
2200 
2201 	if (!rdev->wiphy.num_iftype_akm_suites ||
2202 	    !rdev->wiphy.iftype_akm_suites)
2203 		return 0;
2204 
2205 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2206 	if (!nested)
2207 		return -ENOBUFS;
2208 
2209 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2210 		nested_akms = nla_nest_start(msg, i + 1);
2211 		if (!nested_akms)
2212 			return -ENOBUFS;
2213 
2214 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2215 
2216 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2217 					iftype_akms->iftypes_mask))
2218 			return -ENOBUFS;
2219 
2220 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2221 			    sizeof(u32) * iftype_akms->n_akm_suites,
2222 			    iftype_akms->akm_suites)) {
2223 			return -ENOBUFS;
2224 		}
2225 		nla_nest_end(msg, nested_akms);
2226 	}
2227 
2228 	nla_nest_end(msg, nested);
2229 
2230 	return 0;
2231 }
2232 
2233 static int
2234 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2235 			       struct sk_buff *msg)
2236 {
2237 	struct nlattr *supp;
2238 
2239 	if (!rdev->wiphy.tid_config_support.vif &&
2240 	    !rdev->wiphy.tid_config_support.peer)
2241 		return 0;
2242 
2243 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2244 	if (!supp)
2245 		return -ENOSPC;
2246 
2247 	if (rdev->wiphy.tid_config_support.vif &&
2248 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2249 			      rdev->wiphy.tid_config_support.vif,
2250 			      NL80211_TID_CONFIG_ATTR_PAD))
2251 		goto fail;
2252 
2253 	if (rdev->wiphy.tid_config_support.peer &&
2254 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2255 			      rdev->wiphy.tid_config_support.peer,
2256 			      NL80211_TID_CONFIG_ATTR_PAD))
2257 		goto fail;
2258 
2259 	/* for now we just use the same value ... makes more sense */
2260 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2261 		       rdev->wiphy.tid_config_support.max_retry))
2262 		goto fail;
2263 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2264 		       rdev->wiphy.tid_config_support.max_retry))
2265 		goto fail;
2266 
2267 	nla_nest_end(msg, supp);
2268 
2269 	return 0;
2270 fail:
2271 	nla_nest_cancel(msg, supp);
2272 	return -ENOBUFS;
2273 }
2274 
2275 static int
2276 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2277 		      struct sk_buff *msg)
2278 {
2279 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2280 	u8 num_freq_ranges;
2281 	int i;
2282 
2283 	if (!rdev->wiphy.sar_capa)
2284 		return 0;
2285 
2286 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2287 
2288 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2289 	if (!sar_capa)
2290 		return -ENOSPC;
2291 
2292 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2293 		goto fail;
2294 
2295 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2296 	if (!specs)
2297 		goto fail;
2298 
2299 	/* report supported freq_ranges */
2300 	for (i = 0; i < num_freq_ranges; i++) {
2301 		sub_freq_range = nla_nest_start(msg, i + 1);
2302 		if (!sub_freq_range)
2303 			goto fail;
2304 
2305 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2306 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2307 			goto fail;
2308 
2309 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2310 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2311 			goto fail;
2312 
2313 		nla_nest_end(msg, sub_freq_range);
2314 	}
2315 
2316 	nla_nest_end(msg, specs);
2317 	nla_nest_end(msg, sar_capa);
2318 
2319 	return 0;
2320 fail:
2321 	nla_nest_cancel(msg, sar_capa);
2322 	return -ENOBUFS;
2323 }
2324 
2325 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2326 {
2327 	struct nlattr *config;
2328 
2329 	if (!wiphy->mbssid_max_interfaces)
2330 		return 0;
2331 
2332 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2333 	if (!config)
2334 		return -ENOBUFS;
2335 
2336 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2337 		       wiphy->mbssid_max_interfaces))
2338 		goto fail;
2339 
2340 	if (wiphy->ema_max_profile_periodicity &&
2341 	    nla_put_u8(msg,
2342 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2343 		       wiphy->ema_max_profile_periodicity))
2344 		goto fail;
2345 
2346 	nla_nest_end(msg, config);
2347 	return 0;
2348 
2349 fail:
2350 	nla_nest_cancel(msg, config);
2351 	return -ENOBUFS;
2352 }
2353 
2354 struct nl80211_dump_wiphy_state {
2355 	s64 filter_wiphy;
2356 	long start;
2357 	long split_start, band_start, chan_start, capa_start;
2358 	bool split;
2359 };
2360 
2361 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2362 			      enum nl80211_commands cmd,
2363 			      struct sk_buff *msg, u32 portid, u32 seq,
2364 			      int flags, struct nl80211_dump_wiphy_state *state)
2365 {
2366 	void *hdr;
2367 	struct nlattr *nl_bands, *nl_band;
2368 	struct nlattr *nl_freqs, *nl_freq;
2369 	struct nlattr *nl_cmds;
2370 	enum nl80211_band band;
2371 	struct ieee80211_channel *chan;
2372 	int i;
2373 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2374 				rdev->wiphy.mgmt_stypes;
2375 	u32 features;
2376 
2377 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2378 	if (!hdr)
2379 		return -ENOBUFS;
2380 
2381 	if (WARN_ON(!state))
2382 		return -EINVAL;
2383 
2384 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2385 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2386 			   wiphy_name(&rdev->wiphy)) ||
2387 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2388 			cfg80211_rdev_list_generation))
2389 		goto nla_put_failure;
2390 
2391 	if (cmd != NL80211_CMD_NEW_WIPHY)
2392 		goto finish;
2393 
2394 	switch (state->split_start) {
2395 	case 0:
2396 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2397 			       rdev->wiphy.retry_short) ||
2398 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2399 			       rdev->wiphy.retry_long) ||
2400 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2401 				rdev->wiphy.frag_threshold) ||
2402 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2403 				rdev->wiphy.rts_threshold) ||
2404 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2405 			       rdev->wiphy.coverage_class) ||
2406 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2407 			       rdev->wiphy.max_scan_ssids) ||
2408 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2409 			       rdev->wiphy.max_sched_scan_ssids) ||
2410 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2411 				rdev->wiphy.max_scan_ie_len) ||
2412 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2413 				rdev->wiphy.max_sched_scan_ie_len) ||
2414 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2415 			       rdev->wiphy.max_match_sets))
2416 			goto nla_put_failure;
2417 
2418 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2419 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2420 			goto nla_put_failure;
2421 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2422 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2423 			goto nla_put_failure;
2424 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2425 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2426 			goto nla_put_failure;
2427 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2428 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2429 			goto nla_put_failure;
2430 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2431 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2432 			goto nla_put_failure;
2433 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2434 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2435 			goto nla_put_failure;
2436 		state->split_start++;
2437 		if (state->split)
2438 			break;
2439 		fallthrough;
2440 	case 1:
2441 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2442 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2443 			    rdev->wiphy.cipher_suites))
2444 			goto nla_put_failure;
2445 
2446 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2447 			       rdev->wiphy.max_num_pmkids))
2448 			goto nla_put_failure;
2449 
2450 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2451 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2452 			goto nla_put_failure;
2453 
2454 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2455 				rdev->wiphy.available_antennas_tx) ||
2456 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2457 				rdev->wiphy.available_antennas_rx))
2458 			goto nla_put_failure;
2459 
2460 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2461 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2462 				rdev->wiphy.probe_resp_offload))
2463 			goto nla_put_failure;
2464 
2465 		if ((rdev->wiphy.available_antennas_tx ||
2466 		     rdev->wiphy.available_antennas_rx) &&
2467 		    rdev->ops->get_antenna) {
2468 			u32 tx_ant = 0, rx_ant = 0;
2469 			int res;
2470 
2471 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2472 			if (!res) {
2473 				if (nla_put_u32(msg,
2474 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2475 						tx_ant) ||
2476 				    nla_put_u32(msg,
2477 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2478 						rx_ant))
2479 					goto nla_put_failure;
2480 			}
2481 		}
2482 
2483 		state->split_start++;
2484 		if (state->split)
2485 			break;
2486 		fallthrough;
2487 	case 2:
2488 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2489 					rdev->wiphy.interface_modes))
2490 				goto nla_put_failure;
2491 		state->split_start++;
2492 		if (state->split)
2493 			break;
2494 		fallthrough;
2495 	case 3:
2496 		nl_bands = nla_nest_start_noflag(msg,
2497 						 NL80211_ATTR_WIPHY_BANDS);
2498 		if (!nl_bands)
2499 			goto nla_put_failure;
2500 
2501 		for (band = state->band_start;
2502 		     band < (state->split ?
2503 				NUM_NL80211_BANDS :
2504 				NL80211_BAND_60GHZ + 1);
2505 		     band++) {
2506 			struct ieee80211_supported_band *sband;
2507 
2508 			/* omit higher bands for ancient software */
2509 			if (band > NL80211_BAND_5GHZ && !state->split)
2510 				break;
2511 
2512 			sband = rdev->wiphy.bands[band];
2513 
2514 			if (!sband)
2515 				continue;
2516 
2517 			nl_band = nla_nest_start_noflag(msg, band);
2518 			if (!nl_band)
2519 				goto nla_put_failure;
2520 
2521 			switch (state->chan_start) {
2522 			case 0:
2523 				if (nl80211_send_band_rateinfo(msg, sband,
2524 							       state->split))
2525 					goto nla_put_failure;
2526 				state->chan_start++;
2527 				if (state->split)
2528 					break;
2529 				fallthrough;
2530 			default:
2531 				/* add frequencies */
2532 				nl_freqs = nla_nest_start_noflag(msg,
2533 								 NL80211_BAND_ATTR_FREQS);
2534 				if (!nl_freqs)
2535 					goto nla_put_failure;
2536 
2537 				for (i = state->chan_start - 1;
2538 				     i < sband->n_channels;
2539 				     i++) {
2540 					nl_freq = nla_nest_start_noflag(msg,
2541 									i);
2542 					if (!nl_freq)
2543 						goto nla_put_failure;
2544 
2545 					chan = &sband->channels[i];
2546 
2547 					if (nl80211_msg_put_channel(
2548 							msg, &rdev->wiphy, chan,
2549 							state->split))
2550 						goto nla_put_failure;
2551 
2552 					nla_nest_end(msg, nl_freq);
2553 					if (state->split)
2554 						break;
2555 				}
2556 				if (i < sband->n_channels)
2557 					state->chan_start = i + 2;
2558 				else
2559 					state->chan_start = 0;
2560 				nla_nest_end(msg, nl_freqs);
2561 			}
2562 
2563 			nla_nest_end(msg, nl_band);
2564 
2565 			if (state->split) {
2566 				/* start again here */
2567 				if (state->chan_start)
2568 					band--;
2569 				break;
2570 			}
2571 		}
2572 		nla_nest_end(msg, nl_bands);
2573 
2574 		if (band < NUM_NL80211_BANDS)
2575 			state->band_start = band + 1;
2576 		else
2577 			state->band_start = 0;
2578 
2579 		/* if bands & channels are done, continue outside */
2580 		if (state->band_start == 0 && state->chan_start == 0)
2581 			state->split_start++;
2582 		if (state->split)
2583 			break;
2584 		fallthrough;
2585 	case 4:
2586 		nl_cmds = nla_nest_start_noflag(msg,
2587 						NL80211_ATTR_SUPPORTED_COMMANDS);
2588 		if (!nl_cmds)
2589 			goto nla_put_failure;
2590 
2591 		i = nl80211_add_commands_unsplit(rdev, msg);
2592 		if (i < 0)
2593 			goto nla_put_failure;
2594 		if (state->split) {
2595 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2596 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2597 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2598 				CMD(channel_switch, CHANNEL_SWITCH);
2599 			CMD(set_qos_map, SET_QOS_MAP);
2600 			if (rdev->wiphy.features &
2601 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2602 				CMD(add_tx_ts, ADD_TX_TS);
2603 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2604 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2605 			CMD(update_ft_ies, UPDATE_FT_IES);
2606 			if (rdev->wiphy.sar_capa)
2607 				CMD(set_sar_specs, SET_SAR_SPECS);
2608 		}
2609 #undef CMD
2610 
2611 		nla_nest_end(msg, nl_cmds);
2612 		state->split_start++;
2613 		if (state->split)
2614 			break;
2615 		fallthrough;
2616 	case 5:
2617 		if (rdev->ops->remain_on_channel &&
2618 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2619 		    nla_put_u32(msg,
2620 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2621 				rdev->wiphy.max_remain_on_channel_duration))
2622 			goto nla_put_failure;
2623 
2624 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2625 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2626 			goto nla_put_failure;
2627 
2628 		state->split_start++;
2629 		if (state->split)
2630 			break;
2631 		fallthrough;
2632 	case 6:
2633 #ifdef CONFIG_PM
2634 		if (nl80211_send_wowlan(msg, rdev, state->split))
2635 			goto nla_put_failure;
2636 		state->split_start++;
2637 		if (state->split)
2638 			break;
2639 #else
2640 		state->split_start++;
2641 #endif
2642 		fallthrough;
2643 	case 7:
2644 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2645 					rdev->wiphy.software_iftypes))
2646 			goto nla_put_failure;
2647 
2648 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2649 						   state->split))
2650 			goto nla_put_failure;
2651 
2652 		state->split_start++;
2653 		if (state->split)
2654 			break;
2655 		fallthrough;
2656 	case 8:
2657 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2658 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2659 				rdev->wiphy.ap_sme_capa))
2660 			goto nla_put_failure;
2661 
2662 		features = rdev->wiphy.features;
2663 		/*
2664 		 * We can only add the per-channel limit information if the
2665 		 * dump is split, otherwise it makes it too big. Therefore
2666 		 * only advertise it in that case.
2667 		 */
2668 		if (state->split)
2669 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2670 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2671 			goto nla_put_failure;
2672 
2673 		if (rdev->wiphy.ht_capa_mod_mask &&
2674 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2675 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2676 			    rdev->wiphy.ht_capa_mod_mask))
2677 			goto nla_put_failure;
2678 
2679 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2680 		    rdev->wiphy.max_acl_mac_addrs &&
2681 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2682 				rdev->wiphy.max_acl_mac_addrs))
2683 			goto nla_put_failure;
2684 
2685 		/*
2686 		 * Any information below this point is only available to
2687 		 * applications that can deal with it being split. This
2688 		 * helps ensure that newly added capabilities don't break
2689 		 * older tools by overrunning their buffers.
2690 		 *
2691 		 * We still increment split_start so that in the split
2692 		 * case we'll continue with more data in the next round,
2693 		 * but break unconditionally so unsplit data stops here.
2694 		 */
2695 		if (state->split)
2696 			state->split_start++;
2697 		else
2698 			state->split_start = 0;
2699 		break;
2700 	case 9:
2701 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2702 			goto nla_put_failure;
2703 
2704 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2705 				rdev->wiphy.max_sched_scan_plans) ||
2706 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2707 				rdev->wiphy.max_sched_scan_plan_interval) ||
2708 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2709 				rdev->wiphy.max_sched_scan_plan_iterations))
2710 			goto nla_put_failure;
2711 
2712 		if (rdev->wiphy.extended_capabilities &&
2713 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2714 			     rdev->wiphy.extended_capabilities_len,
2715 			     rdev->wiphy.extended_capabilities) ||
2716 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2717 			     rdev->wiphy.extended_capabilities_len,
2718 			     rdev->wiphy.extended_capabilities_mask)))
2719 			goto nla_put_failure;
2720 
2721 		if (rdev->wiphy.vht_capa_mod_mask &&
2722 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2723 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2724 			    rdev->wiphy.vht_capa_mod_mask))
2725 			goto nla_put_failure;
2726 
2727 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2728 			    rdev->wiphy.perm_addr))
2729 			goto nla_put_failure;
2730 
2731 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2732 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2733 			    rdev->wiphy.addr_mask))
2734 			goto nla_put_failure;
2735 
2736 		if (rdev->wiphy.n_addresses > 1) {
2737 			void *attr;
2738 
2739 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2740 			if (!attr)
2741 				goto nla_put_failure;
2742 
2743 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2744 				if (nla_put(msg, i + 1, ETH_ALEN,
2745 					    rdev->wiphy.addresses[i].addr))
2746 					goto nla_put_failure;
2747 
2748 			nla_nest_end(msg, attr);
2749 		}
2750 
2751 		state->split_start++;
2752 		break;
2753 	case 10:
2754 		if (nl80211_send_coalesce(msg, rdev))
2755 			goto nla_put_failure;
2756 
2757 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2758 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2759 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2760 			goto nla_put_failure;
2761 
2762 		if (rdev->wiphy.max_ap_assoc_sta &&
2763 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2764 				rdev->wiphy.max_ap_assoc_sta))
2765 			goto nla_put_failure;
2766 
2767 		state->split_start++;
2768 		break;
2769 	case 11:
2770 		if (rdev->wiphy.n_vendor_commands) {
2771 			const struct nl80211_vendor_cmd_info *info;
2772 			struct nlattr *nested;
2773 
2774 			nested = nla_nest_start_noflag(msg,
2775 						       NL80211_ATTR_VENDOR_DATA);
2776 			if (!nested)
2777 				goto nla_put_failure;
2778 
2779 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2780 				info = &rdev->wiphy.vendor_commands[i].info;
2781 				if (nla_put(msg, i + 1, sizeof(*info), info))
2782 					goto nla_put_failure;
2783 			}
2784 			nla_nest_end(msg, nested);
2785 		}
2786 
2787 		if (rdev->wiphy.n_vendor_events) {
2788 			const struct nl80211_vendor_cmd_info *info;
2789 			struct nlattr *nested;
2790 
2791 			nested = nla_nest_start_noflag(msg,
2792 						       NL80211_ATTR_VENDOR_EVENTS);
2793 			if (!nested)
2794 				goto nla_put_failure;
2795 
2796 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2797 				info = &rdev->wiphy.vendor_events[i];
2798 				if (nla_put(msg, i + 1, sizeof(*info), info))
2799 					goto nla_put_failure;
2800 			}
2801 			nla_nest_end(msg, nested);
2802 		}
2803 		state->split_start++;
2804 		break;
2805 	case 12:
2806 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2807 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2808 			       rdev->wiphy.max_num_csa_counters))
2809 			goto nla_put_failure;
2810 
2811 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2812 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2813 			goto nla_put_failure;
2814 
2815 		if (rdev->wiphy.max_sched_scan_reqs &&
2816 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2817 				rdev->wiphy.max_sched_scan_reqs))
2818 			goto nla_put_failure;
2819 
2820 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2821 			    sizeof(rdev->wiphy.ext_features),
2822 			    rdev->wiphy.ext_features))
2823 			goto nla_put_failure;
2824 
2825 		if (rdev->wiphy.bss_select_support) {
2826 			struct nlattr *nested;
2827 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2828 
2829 			nested = nla_nest_start_noflag(msg,
2830 						       NL80211_ATTR_BSS_SELECT);
2831 			if (!nested)
2832 				goto nla_put_failure;
2833 
2834 			i = 0;
2835 			while (bss_select_support) {
2836 				if ((bss_select_support & 1) &&
2837 				    nla_put_flag(msg, i))
2838 					goto nla_put_failure;
2839 				i++;
2840 				bss_select_support >>= 1;
2841 			}
2842 			nla_nest_end(msg, nested);
2843 		}
2844 
2845 		state->split_start++;
2846 		break;
2847 	case 13:
2848 		if (rdev->wiphy.num_iftype_ext_capab &&
2849 		    rdev->wiphy.iftype_ext_capab) {
2850 			struct nlattr *nested_ext_capab, *nested;
2851 
2852 			nested = nla_nest_start_noflag(msg,
2853 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2854 			if (!nested)
2855 				goto nla_put_failure;
2856 
2857 			for (i = state->capa_start;
2858 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2859 				const struct wiphy_iftype_ext_capab *capab;
2860 
2861 				capab = &rdev->wiphy.iftype_ext_capab[i];
2862 
2863 				nested_ext_capab = nla_nest_start_noflag(msg,
2864 									 i);
2865 				if (!nested_ext_capab ||
2866 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2867 						capab->iftype) ||
2868 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2869 					    capab->extended_capabilities_len,
2870 					    capab->extended_capabilities) ||
2871 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2872 					    capab->extended_capabilities_len,
2873 					    capab->extended_capabilities_mask))
2874 					goto nla_put_failure;
2875 
2876 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2877 				    (nla_put_u16(msg,
2878 						 NL80211_ATTR_EML_CAPABILITY,
2879 						 capab->eml_capabilities) ||
2880 				     nla_put_u16(msg,
2881 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2882 						 capab->mld_capa_and_ops)))
2883 					goto nla_put_failure;
2884 
2885 				nla_nest_end(msg, nested_ext_capab);
2886 				if (state->split)
2887 					break;
2888 			}
2889 			nla_nest_end(msg, nested);
2890 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2891 				state->capa_start = i + 1;
2892 				break;
2893 			}
2894 		}
2895 
2896 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2897 				rdev->wiphy.nan_supported_bands))
2898 			goto nla_put_failure;
2899 
2900 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2901 					    NL80211_EXT_FEATURE_TXQS)) {
2902 			struct cfg80211_txq_stats txqstats = {};
2903 			int res;
2904 
2905 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2906 			if (!res &&
2907 			    !nl80211_put_txq_stats(msg, &txqstats,
2908 						   NL80211_ATTR_TXQ_STATS))
2909 				goto nla_put_failure;
2910 
2911 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2912 					rdev->wiphy.txq_limit))
2913 				goto nla_put_failure;
2914 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2915 					rdev->wiphy.txq_memory_limit))
2916 				goto nla_put_failure;
2917 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2918 					rdev->wiphy.txq_quantum))
2919 				goto nla_put_failure;
2920 		}
2921 
2922 		state->split_start++;
2923 		break;
2924 	case 14:
2925 		if (nl80211_send_pmsr_capa(rdev, msg))
2926 			goto nla_put_failure;
2927 
2928 		state->split_start++;
2929 		break;
2930 	case 15:
2931 		if (rdev->wiphy.akm_suites &&
2932 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2933 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2934 			    rdev->wiphy.akm_suites))
2935 			goto nla_put_failure;
2936 
2937 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2938 			goto nla_put_failure;
2939 
2940 		if (nl80211_put_tid_config_support(rdev, msg))
2941 			goto nla_put_failure;
2942 		state->split_start++;
2943 		break;
2944 	case 16:
2945 		if (nl80211_put_sar_specs(rdev, msg))
2946 			goto nla_put_failure;
2947 
2948 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2949 			goto nla_put_failure;
2950 
2951 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2952 				rdev->wiphy.max_num_akm_suites))
2953 			goto nla_put_failure;
2954 
2955 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2956 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2957 
2958 		/* done */
2959 		state->split_start = 0;
2960 		break;
2961 	}
2962  finish:
2963 	genlmsg_end(msg, hdr);
2964 	return 0;
2965 
2966  nla_put_failure:
2967 	genlmsg_cancel(msg, hdr);
2968 	return -EMSGSIZE;
2969 }
2970 
2971 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2972 				    struct netlink_callback *cb,
2973 				    struct nl80211_dump_wiphy_state *state)
2974 {
2975 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2976 	int ret;
2977 
2978 	if (!tb)
2979 		return -ENOMEM;
2980 
2981 	ret = nlmsg_parse_deprecated(cb->nlh,
2982 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2983 				     tb, nl80211_fam.maxattr,
2984 				     nl80211_policy, NULL);
2985 	/* ignore parse errors for backward compatibility */
2986 	if (ret) {
2987 		ret = 0;
2988 		goto out;
2989 	}
2990 
2991 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2992 	if (tb[NL80211_ATTR_WIPHY])
2993 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2994 	if (tb[NL80211_ATTR_WDEV])
2995 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2996 	if (tb[NL80211_ATTR_IFINDEX]) {
2997 		struct net_device *netdev;
2998 		struct cfg80211_registered_device *rdev;
2999 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3000 
3001 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3002 		if (!netdev) {
3003 			ret = -ENODEV;
3004 			goto out;
3005 		}
3006 		if (netdev->ieee80211_ptr) {
3007 			rdev = wiphy_to_rdev(
3008 				netdev->ieee80211_ptr->wiphy);
3009 			state->filter_wiphy = rdev->wiphy_idx;
3010 		}
3011 	}
3012 
3013 	ret = 0;
3014 out:
3015 	kfree(tb);
3016 	return ret;
3017 }
3018 
3019 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3020 {
3021 	int idx = 0, ret;
3022 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3023 	struct cfg80211_registered_device *rdev;
3024 
3025 	rtnl_lock();
3026 	if (!state) {
3027 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3028 		if (!state) {
3029 			rtnl_unlock();
3030 			return -ENOMEM;
3031 		}
3032 		state->filter_wiphy = -1;
3033 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3034 		if (ret) {
3035 			kfree(state);
3036 			rtnl_unlock();
3037 			return ret;
3038 		}
3039 		cb->args[0] = (long)state;
3040 	}
3041 
3042 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3043 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3044 			continue;
3045 		if (++idx <= state->start)
3046 			continue;
3047 		if (state->filter_wiphy != -1 &&
3048 		    state->filter_wiphy != rdev->wiphy_idx)
3049 			continue;
3050 		/* attempt to fit multiple wiphy data chunks into the skb */
3051 		do {
3052 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3053 						 skb,
3054 						 NETLINK_CB(cb->skb).portid,
3055 						 cb->nlh->nlmsg_seq,
3056 						 NLM_F_MULTI, state);
3057 			if (ret < 0) {
3058 				/*
3059 				 * If sending the wiphy data didn't fit (ENOBUFS
3060 				 * or EMSGSIZE returned), this SKB is still
3061 				 * empty (so it's not too big because another
3062 				 * wiphy dataset is already in the skb) and
3063 				 * we've not tried to adjust the dump allocation
3064 				 * yet ... then adjust the alloc size to be
3065 				 * bigger, and return 1 but with the empty skb.
3066 				 * This results in an empty message being RX'ed
3067 				 * in userspace, but that is ignored.
3068 				 *
3069 				 * We can then retry with the larger buffer.
3070 				 */
3071 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3072 				    !skb->len && !state->split &&
3073 				    cb->min_dump_alloc < 4096) {
3074 					cb->min_dump_alloc = 4096;
3075 					state->split_start = 0;
3076 					rtnl_unlock();
3077 					return 1;
3078 				}
3079 				idx--;
3080 				break;
3081 			}
3082 		} while (state->split_start > 0);
3083 		break;
3084 	}
3085 	rtnl_unlock();
3086 
3087 	state->start = idx;
3088 
3089 	return skb->len;
3090 }
3091 
3092 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3093 {
3094 	kfree((void *)cb->args[0]);
3095 	return 0;
3096 }
3097 
3098 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3099 {
3100 	struct sk_buff *msg;
3101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3102 	struct nl80211_dump_wiphy_state state = {};
3103 
3104 	msg = nlmsg_new(4096, GFP_KERNEL);
3105 	if (!msg)
3106 		return -ENOMEM;
3107 
3108 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3109 			       info->snd_portid, info->snd_seq, 0,
3110 			       &state) < 0) {
3111 		nlmsg_free(msg);
3112 		return -ENOBUFS;
3113 	}
3114 
3115 	return genlmsg_reply(msg, info);
3116 }
3117 
3118 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3119 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3120 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3121 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3122 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3123 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3124 };
3125 
3126 static int parse_txq_params(struct nlattr *tb[],
3127 			    struct ieee80211_txq_params *txq_params)
3128 {
3129 	u8 ac;
3130 
3131 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3132 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3133 	    !tb[NL80211_TXQ_ATTR_AIFS])
3134 		return -EINVAL;
3135 
3136 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3137 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3138 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3139 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3140 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3141 
3142 	if (ac >= NL80211_NUM_ACS)
3143 		return -EINVAL;
3144 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3145 	return 0;
3146 }
3147 
3148 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3149 {
3150 	/*
3151 	 * You can only set the channel explicitly for some interfaces,
3152 	 * most have their channel managed via their respective
3153 	 * "establish a connection" command (connect, join, ...)
3154 	 *
3155 	 * For AP/GO and mesh mode, the channel can be set with the
3156 	 * channel userspace API, but is only stored and passed to the
3157 	 * low-level driver when the AP starts or the mesh is joined.
3158 	 * This is for backward compatibility, userspace can also give
3159 	 * the channel in the start-ap or join-mesh commands instead.
3160 	 *
3161 	 * Monitors are special as they are normally slaved to
3162 	 * whatever else is going on, so they have their own special
3163 	 * operation to set the monitor channel if possible.
3164 	 */
3165 	return !wdev ||
3166 		wdev->iftype == NL80211_IFTYPE_AP ||
3167 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3168 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3169 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3170 }
3171 
3172 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3173 			  struct genl_info *info,
3174 			  struct cfg80211_chan_def *chandef)
3175 {
3176 	struct netlink_ext_ack *extack = info->extack;
3177 	struct nlattr **attrs = info->attrs;
3178 	u32 control_freq;
3179 
3180 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3181 		return -EINVAL;
3182 
3183 	control_freq = MHZ_TO_KHZ(
3184 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3185 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3186 		control_freq +=
3187 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3188 
3189 	memset(chandef, 0, sizeof(*chandef));
3190 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3191 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3192 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3193 	chandef->freq1_offset = control_freq % 1000;
3194 	chandef->center_freq2 = 0;
3195 
3196 	/* Primary channel not allowed */
3197 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3198 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3199 				    "Channel is disabled");
3200 		return -EINVAL;
3201 	}
3202 
3203 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3204 		enum nl80211_channel_type chantype;
3205 
3206 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3207 
3208 		switch (chantype) {
3209 		case NL80211_CHAN_NO_HT:
3210 		case NL80211_CHAN_HT20:
3211 		case NL80211_CHAN_HT40PLUS:
3212 		case NL80211_CHAN_HT40MINUS:
3213 			cfg80211_chandef_create(chandef, chandef->chan,
3214 						chantype);
3215 			/* user input for center_freq is incorrect */
3216 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3217 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3218 				NL_SET_ERR_MSG_ATTR(extack,
3219 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3220 						    "bad center frequency 1");
3221 				return -EINVAL;
3222 			}
3223 			/* center_freq2 must be zero */
3224 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3225 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3226 				NL_SET_ERR_MSG_ATTR(extack,
3227 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3228 						    "center frequency 2 can't be used");
3229 				return -EINVAL;
3230 			}
3231 			break;
3232 		default:
3233 			NL_SET_ERR_MSG_ATTR(extack,
3234 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3235 					    "invalid channel type");
3236 			return -EINVAL;
3237 		}
3238 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3239 		chandef->width =
3240 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3241 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3242 			/* User input error for channel width doesn't match channel  */
3243 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3244 				NL_SET_ERR_MSG_ATTR(extack,
3245 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3246 						    "bad channel width");
3247 				return -EINVAL;
3248 			}
3249 		}
3250 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3251 			chandef->center_freq1 =
3252 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3253 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3254 				chandef->freq1_offset = nla_get_u32(
3255 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3256 			else
3257 				chandef->freq1_offset = 0;
3258 		}
3259 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3260 			chandef->center_freq2 =
3261 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3262 	}
3263 
3264 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3265 		chandef->edmg.channels =
3266 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3267 
3268 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3269 			chandef->edmg.bw_config =
3270 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3271 	} else {
3272 		chandef->edmg.bw_config = 0;
3273 		chandef->edmg.channels = 0;
3274 	}
3275 
3276 	if (!cfg80211_chandef_valid(chandef)) {
3277 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3278 		return -EINVAL;
3279 	}
3280 
3281 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3282 				     IEEE80211_CHAN_DISABLED)) {
3283 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3284 		return -EINVAL;
3285 	}
3286 
3287 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3288 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3289 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3290 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3291 		return -EINVAL;
3292 	}
3293 
3294 	return 0;
3295 }
3296 
3297 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3298 				 struct net_device *dev,
3299 				 struct genl_info *info,
3300 				 int _link_id)
3301 {
3302 	struct cfg80211_chan_def chandef;
3303 	int result;
3304 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3305 	struct wireless_dev *wdev = NULL;
3306 	int link_id = _link_id;
3307 
3308 	if (dev)
3309 		wdev = dev->ieee80211_ptr;
3310 	if (!nl80211_can_set_dev_channel(wdev))
3311 		return -EOPNOTSUPP;
3312 	if (wdev)
3313 		iftype = wdev->iftype;
3314 
3315 	if (link_id < 0) {
3316 		if (wdev && wdev->valid_links)
3317 			return -EINVAL;
3318 		link_id = 0;
3319 	}
3320 
3321 	result = nl80211_parse_chandef(rdev, info, &chandef);
3322 	if (result)
3323 		return result;
3324 
3325 	switch (iftype) {
3326 	case NL80211_IFTYPE_AP:
3327 	case NL80211_IFTYPE_P2P_GO:
3328 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3329 						   iftype))
3330 			return -EINVAL;
3331 		if (wdev->links[link_id].ap.beacon_interval) {
3332 			struct ieee80211_channel *cur_chan;
3333 
3334 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3335 			    !(rdev->wiphy.features &
3336 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3337 				return -EBUSY;
3338 
3339 			/* Only allow dynamic channel width changes */
3340 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3341 			if (chandef.chan != cur_chan)
3342 				return -EBUSY;
3343 
3344 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3345 						       &chandef);
3346 			if (result)
3347 				return result;
3348 			wdev->links[link_id].ap.chandef = chandef;
3349 		} else {
3350 			wdev->u.ap.preset_chandef = chandef;
3351 		}
3352 		return 0;
3353 	case NL80211_IFTYPE_MESH_POINT:
3354 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3355 	case NL80211_IFTYPE_MONITOR:
3356 		return cfg80211_set_monitor_channel(rdev, &chandef);
3357 	default:
3358 		break;
3359 	}
3360 
3361 	return -EINVAL;
3362 }
3363 
3364 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3365 {
3366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3367 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3368 	struct net_device *netdev = info->user_ptr[1];
3369 	int ret;
3370 
3371 	wdev_lock(netdev->ieee80211_ptr);
3372 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3373 	wdev_unlock(netdev->ieee80211_ptr);
3374 
3375 	return ret;
3376 }
3377 
3378 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3379 {
3380 	struct cfg80211_registered_device *rdev = NULL;
3381 	struct net_device *netdev = NULL;
3382 	struct wireless_dev *wdev;
3383 	int result = 0, rem_txq_params = 0;
3384 	struct nlattr *nl_txq_params;
3385 	u32 changed;
3386 	u8 retry_short = 0, retry_long = 0;
3387 	u32 frag_threshold = 0, rts_threshold = 0;
3388 	u8 coverage_class = 0;
3389 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3390 
3391 	rtnl_lock();
3392 	/*
3393 	 * Try to find the wiphy and netdev. Normally this
3394 	 * function shouldn't need the netdev, but this is
3395 	 * done for backward compatibility -- previously
3396 	 * setting the channel was done per wiphy, but now
3397 	 * it is per netdev. Previous userland like hostapd
3398 	 * also passed a netdev to set_wiphy, so that it is
3399 	 * possible to let that go to the right netdev!
3400 	 */
3401 
3402 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3403 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3404 
3405 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3406 		if (netdev && netdev->ieee80211_ptr)
3407 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3408 		else
3409 			netdev = NULL;
3410 	}
3411 
3412 	if (!netdev) {
3413 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3414 						  info->attrs);
3415 		if (IS_ERR(rdev)) {
3416 			rtnl_unlock();
3417 			return PTR_ERR(rdev);
3418 		}
3419 		wdev = NULL;
3420 		netdev = NULL;
3421 		result = 0;
3422 	} else
3423 		wdev = netdev->ieee80211_ptr;
3424 
3425 	wiphy_lock(&rdev->wiphy);
3426 
3427 	/*
3428 	 * end workaround code, by now the rdev is available
3429 	 * and locked, and wdev may or may not be NULL.
3430 	 */
3431 
3432 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3433 		result = cfg80211_dev_rename(
3434 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3435 	rtnl_unlock();
3436 
3437 	if (result)
3438 		goto out;
3439 
3440 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3441 		struct ieee80211_txq_params txq_params;
3442 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3443 
3444 		if (!rdev->ops->set_txq_params) {
3445 			result = -EOPNOTSUPP;
3446 			goto out;
3447 		}
3448 
3449 		if (!netdev) {
3450 			result = -EINVAL;
3451 			goto out;
3452 		}
3453 
3454 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3455 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3456 			result = -EINVAL;
3457 			goto out;
3458 		}
3459 
3460 		if (!netif_running(netdev)) {
3461 			result = -ENETDOWN;
3462 			goto out;
3463 		}
3464 
3465 		nla_for_each_nested(nl_txq_params,
3466 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3467 				    rem_txq_params) {
3468 			result = nla_parse_nested_deprecated(tb,
3469 							     NL80211_TXQ_ATTR_MAX,
3470 							     nl_txq_params,
3471 							     txq_params_policy,
3472 							     info->extack);
3473 			if (result)
3474 				goto out;
3475 			result = parse_txq_params(tb, &txq_params);
3476 			if (result)
3477 				goto out;
3478 
3479 			result = rdev_set_txq_params(rdev, netdev,
3480 						     &txq_params);
3481 			if (result)
3482 				goto out;
3483 		}
3484 	}
3485 
3486 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3487 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3488 
3489 		if (wdev) {
3490 			wdev_lock(wdev);
3491 			result = __nl80211_set_channel(
3492 				rdev,
3493 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3494 				info, link_id);
3495 			wdev_unlock(wdev);
3496 		} else {
3497 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3498 		}
3499 
3500 		if (result)
3501 			goto out;
3502 	}
3503 
3504 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3505 		struct wireless_dev *txp_wdev = wdev;
3506 		enum nl80211_tx_power_setting type;
3507 		int idx, mbm = 0;
3508 
3509 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3510 			txp_wdev = NULL;
3511 
3512 		if (!rdev->ops->set_tx_power) {
3513 			result = -EOPNOTSUPP;
3514 			goto out;
3515 		}
3516 
3517 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3518 		type = nla_get_u32(info->attrs[idx]);
3519 
3520 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3521 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3522 			result = -EINVAL;
3523 			goto out;
3524 		}
3525 
3526 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3527 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3528 			mbm = nla_get_u32(info->attrs[idx]);
3529 		}
3530 
3531 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3532 		if (result)
3533 			goto out;
3534 	}
3535 
3536 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3537 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3538 		u32 tx_ant, rx_ant;
3539 
3540 		if ((!rdev->wiphy.available_antennas_tx &&
3541 		     !rdev->wiphy.available_antennas_rx) ||
3542 		    !rdev->ops->set_antenna) {
3543 			result = -EOPNOTSUPP;
3544 			goto out;
3545 		}
3546 
3547 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3548 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3549 
3550 		/* reject antenna configurations which don't match the
3551 		 * available antenna masks, except for the "all" mask */
3552 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3553 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3554 			result = -EINVAL;
3555 			goto out;
3556 		}
3557 
3558 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3559 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3560 
3561 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3562 		if (result)
3563 			goto out;
3564 	}
3565 
3566 	changed = 0;
3567 
3568 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3569 		retry_short = nla_get_u8(
3570 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3571 
3572 		changed |= WIPHY_PARAM_RETRY_SHORT;
3573 	}
3574 
3575 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3576 		retry_long = nla_get_u8(
3577 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3578 
3579 		changed |= WIPHY_PARAM_RETRY_LONG;
3580 	}
3581 
3582 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3583 		frag_threshold = nla_get_u32(
3584 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3585 		if (frag_threshold < 256) {
3586 			result = -EINVAL;
3587 			goto out;
3588 		}
3589 
3590 		if (frag_threshold != (u32) -1) {
3591 			/*
3592 			 * Fragments (apart from the last one) are required to
3593 			 * have even length. Make the fragmentation code
3594 			 * simpler by stripping LSB should someone try to use
3595 			 * odd threshold value.
3596 			 */
3597 			frag_threshold &= ~0x1;
3598 		}
3599 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3600 	}
3601 
3602 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3603 		rts_threshold = nla_get_u32(
3604 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3605 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3606 	}
3607 
3608 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3609 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3610 			result = -EINVAL;
3611 			goto out;
3612 		}
3613 
3614 		coverage_class = nla_get_u8(
3615 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3616 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3617 	}
3618 
3619 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3620 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3621 			result = -EOPNOTSUPP;
3622 			goto out;
3623 		}
3624 
3625 		changed |= WIPHY_PARAM_DYN_ACK;
3626 	}
3627 
3628 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3629 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3630 					     NL80211_EXT_FEATURE_TXQS)) {
3631 			result = -EOPNOTSUPP;
3632 			goto out;
3633 		}
3634 		txq_limit = nla_get_u32(
3635 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3636 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3637 	}
3638 
3639 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3640 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3641 					     NL80211_EXT_FEATURE_TXQS)) {
3642 			result = -EOPNOTSUPP;
3643 			goto out;
3644 		}
3645 		txq_memory_limit = nla_get_u32(
3646 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3647 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3648 	}
3649 
3650 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3651 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3652 					     NL80211_EXT_FEATURE_TXQS)) {
3653 			result = -EOPNOTSUPP;
3654 			goto out;
3655 		}
3656 		txq_quantum = nla_get_u32(
3657 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3658 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3659 	}
3660 
3661 	if (changed) {
3662 		u8 old_retry_short, old_retry_long;
3663 		u32 old_frag_threshold, old_rts_threshold;
3664 		u8 old_coverage_class;
3665 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3666 
3667 		if (!rdev->ops->set_wiphy_params) {
3668 			result = -EOPNOTSUPP;
3669 			goto out;
3670 		}
3671 
3672 		old_retry_short = rdev->wiphy.retry_short;
3673 		old_retry_long = rdev->wiphy.retry_long;
3674 		old_frag_threshold = rdev->wiphy.frag_threshold;
3675 		old_rts_threshold = rdev->wiphy.rts_threshold;
3676 		old_coverage_class = rdev->wiphy.coverage_class;
3677 		old_txq_limit = rdev->wiphy.txq_limit;
3678 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3679 		old_txq_quantum = rdev->wiphy.txq_quantum;
3680 
3681 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3682 			rdev->wiphy.retry_short = retry_short;
3683 		if (changed & WIPHY_PARAM_RETRY_LONG)
3684 			rdev->wiphy.retry_long = retry_long;
3685 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3686 			rdev->wiphy.frag_threshold = frag_threshold;
3687 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3688 			rdev->wiphy.rts_threshold = rts_threshold;
3689 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3690 			rdev->wiphy.coverage_class = coverage_class;
3691 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3692 			rdev->wiphy.txq_limit = txq_limit;
3693 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3694 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3695 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3696 			rdev->wiphy.txq_quantum = txq_quantum;
3697 
3698 		result = rdev_set_wiphy_params(rdev, changed);
3699 		if (result) {
3700 			rdev->wiphy.retry_short = old_retry_short;
3701 			rdev->wiphy.retry_long = old_retry_long;
3702 			rdev->wiphy.frag_threshold = old_frag_threshold;
3703 			rdev->wiphy.rts_threshold = old_rts_threshold;
3704 			rdev->wiphy.coverage_class = old_coverage_class;
3705 			rdev->wiphy.txq_limit = old_txq_limit;
3706 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3707 			rdev->wiphy.txq_quantum = old_txq_quantum;
3708 			goto out;
3709 		}
3710 	}
3711 
3712 	result = 0;
3713 
3714 out:
3715 	wiphy_unlock(&rdev->wiphy);
3716 	return result;
3717 }
3718 
3719 static int nl80211_send_chandef(struct sk_buff *msg,
3720 				const struct cfg80211_chan_def *chandef)
3721 {
3722 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3723 		return -EINVAL;
3724 
3725 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3726 			chandef->chan->center_freq))
3727 		return -ENOBUFS;
3728 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3729 			chandef->chan->freq_offset))
3730 		return -ENOBUFS;
3731 	switch (chandef->width) {
3732 	case NL80211_CHAN_WIDTH_20_NOHT:
3733 	case NL80211_CHAN_WIDTH_20:
3734 	case NL80211_CHAN_WIDTH_40:
3735 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3736 				cfg80211_get_chandef_type(chandef)))
3737 			return -ENOBUFS;
3738 		break;
3739 	default:
3740 		break;
3741 	}
3742 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3743 		return -ENOBUFS;
3744 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3745 		return -ENOBUFS;
3746 	if (chandef->center_freq2 &&
3747 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3748 		return -ENOBUFS;
3749 	return 0;
3750 }
3751 
3752 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3753 			      struct cfg80211_registered_device *rdev,
3754 			      struct wireless_dev *wdev,
3755 			      enum nl80211_commands cmd)
3756 {
3757 	struct net_device *dev = wdev->netdev;
3758 	void *hdr;
3759 
3760 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3761 		cmd != NL80211_CMD_DEL_INTERFACE &&
3762 		cmd != NL80211_CMD_SET_INTERFACE);
3763 
3764 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3765 	if (!hdr)
3766 		return -1;
3767 
3768 	if (dev &&
3769 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3770 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3771 		goto nla_put_failure;
3772 
3773 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3774 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3775 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3776 			      NL80211_ATTR_PAD) ||
3777 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3778 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3779 			rdev->devlist_generation ^
3780 			(cfg80211_rdev_list_generation << 2)) ||
3781 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3782 		goto nla_put_failure;
3783 
3784 	if (rdev->ops->get_channel && !wdev->valid_links) {
3785 		struct cfg80211_chan_def chandef = {};
3786 		int ret;
3787 
3788 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3789 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3790 			goto nla_put_failure;
3791 	}
3792 
3793 	if (rdev->ops->get_tx_power) {
3794 		int dbm, ret;
3795 
3796 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3797 		if (ret == 0 &&
3798 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3799 				DBM_TO_MBM(dbm)))
3800 			goto nla_put_failure;
3801 	}
3802 
3803 	wdev_lock(wdev);
3804 	switch (wdev->iftype) {
3805 	case NL80211_IFTYPE_AP:
3806 	case NL80211_IFTYPE_P2P_GO:
3807 		if (wdev->u.ap.ssid_len &&
3808 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3809 			    wdev->u.ap.ssid))
3810 			goto nla_put_failure_locked;
3811 		break;
3812 	case NL80211_IFTYPE_STATION:
3813 	case NL80211_IFTYPE_P2P_CLIENT:
3814 		if (wdev->u.client.ssid_len &&
3815 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3816 			    wdev->u.client.ssid))
3817 			goto nla_put_failure_locked;
3818 		break;
3819 	case NL80211_IFTYPE_ADHOC:
3820 		if (wdev->u.ibss.ssid_len &&
3821 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3822 			    wdev->u.ibss.ssid))
3823 			goto nla_put_failure_locked;
3824 		break;
3825 	default:
3826 		/* nothing */
3827 		break;
3828 	}
3829 	wdev_unlock(wdev);
3830 
3831 	if (rdev->ops->get_txq_stats) {
3832 		struct cfg80211_txq_stats txqstats = {};
3833 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3834 
3835 		if (ret == 0 &&
3836 		    !nl80211_put_txq_stats(msg, &txqstats,
3837 					   NL80211_ATTR_TXQ_STATS))
3838 			goto nla_put_failure;
3839 	}
3840 
3841 	if (wdev->valid_links) {
3842 		unsigned int link_id;
3843 		struct nlattr *links = nla_nest_start(msg,
3844 						      NL80211_ATTR_MLO_LINKS);
3845 
3846 		if (!links)
3847 			goto nla_put_failure;
3848 
3849 		for_each_valid_link(wdev, link_id) {
3850 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3851 
3852 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3853 				goto nla_put_failure;
3854 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3855 				    wdev->links[link_id].addr))
3856 				goto nla_put_failure;
3857 			nla_nest_end(msg, link);
3858 		}
3859 
3860 		nla_nest_end(msg, links);
3861 	}
3862 
3863 	genlmsg_end(msg, hdr);
3864 	return 0;
3865 
3866  nla_put_failure_locked:
3867 	wdev_unlock(wdev);
3868  nla_put_failure:
3869 	genlmsg_cancel(msg, hdr);
3870 	return -EMSGSIZE;
3871 }
3872 
3873 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3874 {
3875 	int wp_idx = 0;
3876 	int if_idx = 0;
3877 	int wp_start = cb->args[0];
3878 	int if_start = cb->args[1];
3879 	int filter_wiphy = -1;
3880 	struct cfg80211_registered_device *rdev;
3881 	struct wireless_dev *wdev;
3882 	int ret;
3883 
3884 	rtnl_lock();
3885 	if (!cb->args[2]) {
3886 		struct nl80211_dump_wiphy_state state = {
3887 			.filter_wiphy = -1,
3888 		};
3889 
3890 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3891 		if (ret)
3892 			goto out_unlock;
3893 
3894 		filter_wiphy = state.filter_wiphy;
3895 
3896 		/*
3897 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3898 		 * value needed to determine that parsing is necessary.
3899 		 */
3900 		if (filter_wiphy >= 0)
3901 			cb->args[2] = filter_wiphy + 1;
3902 		else
3903 			cb->args[2] = -1;
3904 	} else if (cb->args[2] > 0) {
3905 		filter_wiphy = cb->args[2] - 1;
3906 	}
3907 
3908 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3909 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3910 			continue;
3911 		if (wp_idx < wp_start) {
3912 			wp_idx++;
3913 			continue;
3914 		}
3915 
3916 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3917 			continue;
3918 
3919 		if_idx = 0;
3920 
3921 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3922 			if (if_idx < if_start) {
3923 				if_idx++;
3924 				continue;
3925 			}
3926 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3927 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3928 					       rdev, wdev,
3929 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3930 				goto out;
3931 			}
3932 			if_idx++;
3933 		}
3934 
3935 		wp_idx++;
3936 	}
3937  out:
3938 	cb->args[0] = wp_idx;
3939 	cb->args[1] = if_idx;
3940 
3941 	ret = skb->len;
3942  out_unlock:
3943 	rtnl_unlock();
3944 
3945 	return ret;
3946 }
3947 
3948 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3949 {
3950 	struct sk_buff *msg;
3951 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3952 	struct wireless_dev *wdev = info->user_ptr[1];
3953 
3954 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3955 	if (!msg)
3956 		return -ENOMEM;
3957 
3958 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3959 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3960 		nlmsg_free(msg);
3961 		return -ENOBUFS;
3962 	}
3963 
3964 	return genlmsg_reply(msg, info);
3965 }
3966 
3967 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3968 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3969 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3970 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3971 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3972 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3973 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3974 };
3975 
3976 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3977 {
3978 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3979 	int flag;
3980 
3981 	*mntrflags = 0;
3982 
3983 	if (!nla)
3984 		return -EINVAL;
3985 
3986 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3987 		return -EINVAL;
3988 
3989 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3990 		if (flags[flag])
3991 			*mntrflags |= (1<<flag);
3992 
3993 	*mntrflags |= MONITOR_FLAG_CHANGED;
3994 
3995 	return 0;
3996 }
3997 
3998 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3999 				     enum nl80211_iftype type,
4000 				     struct genl_info *info,
4001 				     struct vif_params *params)
4002 {
4003 	bool change = false;
4004 	int err;
4005 
4006 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4007 		if (type != NL80211_IFTYPE_MONITOR)
4008 			return -EINVAL;
4009 
4010 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4011 					  &params->flags);
4012 		if (err)
4013 			return err;
4014 
4015 		change = true;
4016 	}
4017 
4018 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4019 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4020 		return -EOPNOTSUPP;
4021 
4022 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4023 		const u8 *mumimo_groups;
4024 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4025 
4026 		if (type != NL80211_IFTYPE_MONITOR)
4027 			return -EINVAL;
4028 
4029 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4030 			return -EOPNOTSUPP;
4031 
4032 		mumimo_groups =
4033 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4034 
4035 		/* bits 0 and 63 are reserved and must be zero */
4036 		if ((mumimo_groups[0] & BIT(0)) ||
4037 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4038 			return -EINVAL;
4039 
4040 		params->vht_mumimo_groups = mumimo_groups;
4041 		change = true;
4042 	}
4043 
4044 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4045 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4046 
4047 		if (type != NL80211_IFTYPE_MONITOR)
4048 			return -EINVAL;
4049 
4050 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4051 			return -EOPNOTSUPP;
4052 
4053 		params->vht_mumimo_follow_addr =
4054 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4055 		change = true;
4056 	}
4057 
4058 	return change ? 1 : 0;
4059 }
4060 
4061 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4062 			       struct net_device *netdev, u8 use_4addr,
4063 			       enum nl80211_iftype iftype)
4064 {
4065 	if (!use_4addr) {
4066 		if (netdev && netif_is_bridge_port(netdev))
4067 			return -EBUSY;
4068 		return 0;
4069 	}
4070 
4071 	switch (iftype) {
4072 	case NL80211_IFTYPE_AP_VLAN:
4073 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4074 			return 0;
4075 		break;
4076 	case NL80211_IFTYPE_STATION:
4077 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4078 			return 0;
4079 		break;
4080 	default:
4081 		break;
4082 	}
4083 
4084 	return -EOPNOTSUPP;
4085 }
4086 
4087 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4088 {
4089 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4090 	struct vif_params params;
4091 	int err;
4092 	enum nl80211_iftype otype, ntype;
4093 	struct net_device *dev = info->user_ptr[1];
4094 	bool change = false;
4095 
4096 	memset(&params, 0, sizeof(params));
4097 
4098 	otype = ntype = dev->ieee80211_ptr->iftype;
4099 
4100 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4101 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4102 		if (otype != ntype)
4103 			change = true;
4104 	}
4105 
4106 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4107 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4108 
4109 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4110 			return -EINVAL;
4111 		if (netif_running(dev))
4112 			return -EBUSY;
4113 
4114 		wdev_lock(wdev);
4115 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4116 			     IEEE80211_MAX_MESH_ID_LEN);
4117 		wdev->u.mesh.id_up_len =
4118 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4119 		memcpy(wdev->u.mesh.id,
4120 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4121 		       wdev->u.mesh.id_up_len);
4122 		wdev_unlock(wdev);
4123 	}
4124 
4125 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4126 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4127 		change = true;
4128 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4129 		if (err)
4130 			return err;
4131 	} else {
4132 		params.use_4addr = -1;
4133 	}
4134 
4135 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4136 	if (err < 0)
4137 		return err;
4138 	if (err > 0)
4139 		change = true;
4140 
4141 	if (change)
4142 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4143 	else
4144 		err = 0;
4145 
4146 	if (!err && params.use_4addr != -1)
4147 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4148 
4149 	if (change && !err) {
4150 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4151 
4152 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4153 	}
4154 
4155 	return err;
4156 }
4157 
4158 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4159 {
4160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4161 	struct vif_params params;
4162 	struct wireless_dev *wdev;
4163 	struct sk_buff *msg;
4164 	int err;
4165 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4166 
4167 	memset(&params, 0, sizeof(params));
4168 
4169 	if (!info->attrs[NL80211_ATTR_IFNAME])
4170 		return -EINVAL;
4171 
4172 	if (info->attrs[NL80211_ATTR_IFTYPE])
4173 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4174 
4175 	if (!rdev->ops->add_virtual_intf)
4176 		return -EOPNOTSUPP;
4177 
4178 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4179 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4180 	    info->attrs[NL80211_ATTR_MAC]) {
4181 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4182 			   ETH_ALEN);
4183 		if (!is_valid_ether_addr(params.macaddr))
4184 			return -EADDRNOTAVAIL;
4185 	}
4186 
4187 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4188 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4189 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4190 		if (err)
4191 			return err;
4192 	}
4193 
4194 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4195 		return -EOPNOTSUPP;
4196 
4197 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4198 	if (err < 0)
4199 		return err;
4200 
4201 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4202 	if (!msg)
4203 		return -ENOMEM;
4204 
4205 	wdev = rdev_add_virtual_intf(rdev,
4206 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4207 				NET_NAME_USER, type, &params);
4208 	if (WARN_ON(!wdev)) {
4209 		nlmsg_free(msg);
4210 		return -EPROTO;
4211 	} else if (IS_ERR(wdev)) {
4212 		nlmsg_free(msg);
4213 		return PTR_ERR(wdev);
4214 	}
4215 
4216 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4217 		wdev->owner_nlportid = info->snd_portid;
4218 
4219 	switch (type) {
4220 	case NL80211_IFTYPE_MESH_POINT:
4221 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4222 			break;
4223 		wdev_lock(wdev);
4224 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4225 			     IEEE80211_MAX_MESH_ID_LEN);
4226 		wdev->u.mesh.id_up_len =
4227 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4228 		memcpy(wdev->u.mesh.id,
4229 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4230 		       wdev->u.mesh.id_up_len);
4231 		wdev_unlock(wdev);
4232 		break;
4233 	case NL80211_IFTYPE_NAN:
4234 	case NL80211_IFTYPE_P2P_DEVICE:
4235 		/*
4236 		 * P2P Device and NAN do not have a netdev, so don't go
4237 		 * through the netdev notifier and must be added here
4238 		 */
4239 		cfg80211_init_wdev(wdev);
4240 		cfg80211_register_wdev(rdev, wdev);
4241 		break;
4242 	default:
4243 		break;
4244 	}
4245 
4246 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4247 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4248 		nlmsg_free(msg);
4249 		return -ENOBUFS;
4250 	}
4251 
4252 	return genlmsg_reply(msg, info);
4253 }
4254 
4255 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4256 {
4257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4258 	int ret;
4259 
4260 	/* to avoid failing a new interface creation due to pending removal */
4261 	cfg80211_destroy_ifaces(rdev);
4262 
4263 	wiphy_lock(&rdev->wiphy);
4264 	ret = _nl80211_new_interface(skb, info);
4265 	wiphy_unlock(&rdev->wiphy);
4266 
4267 	return ret;
4268 }
4269 
4270 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4271 {
4272 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4273 	struct wireless_dev *wdev = info->user_ptr[1];
4274 
4275 	if (!rdev->ops->del_virtual_intf)
4276 		return -EOPNOTSUPP;
4277 
4278 	/*
4279 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4280 	 * reach 0, and thus the rdev cannot be deleted.
4281 	 *
4282 	 * We need to do it for the dev_close(), since that will call
4283 	 * the netdev notifiers, and we need to acquire the mutex there
4284 	 * but don't know if we get there from here or from some other
4285 	 * place (e.g. "ip link set ... down").
4286 	 */
4287 	mutex_unlock(&rdev->wiphy.mtx);
4288 
4289 	/*
4290 	 * If we remove a wireless device without a netdev then clear
4291 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4292 	 * to check if it needs to do dev_put(). Otherwise it crashes
4293 	 * since the wdev has been freed, unlike with a netdev where
4294 	 * we need the dev_put() for the netdev to really be freed.
4295 	 */
4296 	if (!wdev->netdev)
4297 		info->user_ptr[1] = NULL;
4298 	else
4299 		dev_close(wdev->netdev);
4300 
4301 	mutex_lock(&rdev->wiphy.mtx);
4302 
4303 	return cfg80211_remove_virtual_intf(rdev, wdev);
4304 }
4305 
4306 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4307 {
4308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4309 	struct net_device *dev = info->user_ptr[1];
4310 	u16 noack_map;
4311 
4312 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4313 		return -EINVAL;
4314 
4315 	if (!rdev->ops->set_noack_map)
4316 		return -EOPNOTSUPP;
4317 
4318 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4319 
4320 	return rdev_set_noack_map(rdev, dev, noack_map);
4321 }
4322 
4323 struct get_key_cookie {
4324 	struct sk_buff *msg;
4325 	int error;
4326 	int idx;
4327 };
4328 
4329 static void get_key_callback(void *c, struct key_params *params)
4330 {
4331 	struct nlattr *key;
4332 	struct get_key_cookie *cookie = c;
4333 
4334 	if ((params->key &&
4335 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4336 		     params->key_len, params->key)) ||
4337 	    (params->seq &&
4338 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4339 		     params->seq_len, params->seq)) ||
4340 	    (params->cipher &&
4341 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4342 			 params->cipher)))
4343 		goto nla_put_failure;
4344 
4345 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4346 	if (!key)
4347 		goto nla_put_failure;
4348 
4349 	if ((params->key &&
4350 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4351 		     params->key_len, params->key)) ||
4352 	    (params->seq &&
4353 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4354 		     params->seq_len, params->seq)) ||
4355 	    (params->cipher &&
4356 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4357 			 params->cipher)))
4358 		goto nla_put_failure;
4359 
4360 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4361 		goto nla_put_failure;
4362 
4363 	nla_nest_end(cookie->msg, key);
4364 
4365 	return;
4366  nla_put_failure:
4367 	cookie->error = 1;
4368 }
4369 
4370 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4371 {
4372 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4373 	int err;
4374 	struct net_device *dev = info->user_ptr[1];
4375 	u8 key_idx = 0;
4376 	const u8 *mac_addr = NULL;
4377 	bool pairwise;
4378 	struct get_key_cookie cookie = {
4379 		.error = 0,
4380 	};
4381 	void *hdr;
4382 	struct sk_buff *msg;
4383 	bool bigtk_support = false;
4384 
4385 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4386 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4387 		bigtk_support = true;
4388 
4389 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4390 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4391 	    wiphy_ext_feature_isset(&rdev->wiphy,
4392 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4393 		bigtk_support = true;
4394 
4395 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4396 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4397 
4398 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4399 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4400 			return -EINVAL;
4401 		}
4402 	}
4403 
4404 	if (info->attrs[NL80211_ATTR_MAC])
4405 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4406 
4407 	pairwise = !!mac_addr;
4408 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4409 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4410 
4411 		if (kt != NL80211_KEYTYPE_GROUP &&
4412 		    kt != NL80211_KEYTYPE_PAIRWISE)
4413 			return -EINVAL;
4414 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4415 	}
4416 
4417 	if (!rdev->ops->get_key)
4418 		return -EOPNOTSUPP;
4419 
4420 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4421 		return -ENOENT;
4422 
4423 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4424 	if (!msg)
4425 		return -ENOMEM;
4426 
4427 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4428 			     NL80211_CMD_NEW_KEY);
4429 	if (!hdr)
4430 		goto nla_put_failure;
4431 
4432 	cookie.msg = msg;
4433 	cookie.idx = key_idx;
4434 
4435 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4436 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4437 		goto nla_put_failure;
4438 	if (mac_addr &&
4439 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4440 		goto nla_put_failure;
4441 
4442 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4443 			   get_key_callback);
4444 
4445 	if (err)
4446 		goto free_msg;
4447 
4448 	if (cookie.error)
4449 		goto nla_put_failure;
4450 
4451 	genlmsg_end(msg, hdr);
4452 	return genlmsg_reply(msg, info);
4453 
4454  nla_put_failure:
4455 	err = -ENOBUFS;
4456  free_msg:
4457 	nlmsg_free(msg);
4458 	return err;
4459 }
4460 
4461 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4462 {
4463 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4464 	struct key_parse key;
4465 	int err;
4466 	struct net_device *dev = info->user_ptr[1];
4467 
4468 	err = nl80211_parse_key(info, &key);
4469 	if (err)
4470 		return err;
4471 
4472 	if (key.idx < 0)
4473 		return -EINVAL;
4474 
4475 	/* Only support setting default key and
4476 	 * Extended Key ID action NL80211_KEY_SET_TX.
4477 	 */
4478 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4479 	    !(key.p.mode == NL80211_KEY_SET_TX))
4480 		return -EINVAL;
4481 
4482 	wdev_lock(dev->ieee80211_ptr);
4483 
4484 	if (key.def) {
4485 		if (!rdev->ops->set_default_key) {
4486 			err = -EOPNOTSUPP;
4487 			goto out;
4488 		}
4489 
4490 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4491 		if (err)
4492 			goto out;
4493 
4494 		err = rdev_set_default_key(rdev, dev, key.idx,
4495 						 key.def_uni, key.def_multi);
4496 
4497 		if (err)
4498 			goto out;
4499 
4500 #ifdef CONFIG_CFG80211_WEXT
4501 		dev->ieee80211_ptr->wext.default_key = key.idx;
4502 #endif
4503 	} else if (key.defmgmt) {
4504 		if (key.def_uni || !key.def_multi) {
4505 			err = -EINVAL;
4506 			goto out;
4507 		}
4508 
4509 		if (!rdev->ops->set_default_mgmt_key) {
4510 			err = -EOPNOTSUPP;
4511 			goto out;
4512 		}
4513 
4514 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4515 		if (err)
4516 			goto out;
4517 
4518 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4519 		if (err)
4520 			goto out;
4521 
4522 #ifdef CONFIG_CFG80211_WEXT
4523 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4524 #endif
4525 	} else if (key.defbeacon) {
4526 		if (key.def_uni || !key.def_multi) {
4527 			err = -EINVAL;
4528 			goto out;
4529 		}
4530 
4531 		if (!rdev->ops->set_default_beacon_key) {
4532 			err = -EOPNOTSUPP;
4533 			goto out;
4534 		}
4535 
4536 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4537 		if (err)
4538 			goto out;
4539 
4540 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4541 		if (err)
4542 			goto out;
4543 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4544 		   wiphy_ext_feature_isset(&rdev->wiphy,
4545 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4546 		u8 *mac_addr = NULL;
4547 
4548 		if (info->attrs[NL80211_ATTR_MAC])
4549 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4550 
4551 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4552 			err = -EINVAL;
4553 			goto out;
4554 		}
4555 
4556 		err = rdev_add_key(rdev, dev, key.idx,
4557 				   NL80211_KEYTYPE_PAIRWISE,
4558 				   mac_addr, &key.p);
4559 	} else {
4560 		err = -EINVAL;
4561 	}
4562  out:
4563 	wdev_unlock(dev->ieee80211_ptr);
4564 
4565 	return err;
4566 }
4567 
4568 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4569 {
4570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4571 	int err;
4572 	struct net_device *dev = info->user_ptr[1];
4573 	struct key_parse key;
4574 	const u8 *mac_addr = NULL;
4575 
4576 	err = nl80211_parse_key(info, &key);
4577 	if (err)
4578 		return err;
4579 
4580 	if (!key.p.key) {
4581 		GENL_SET_ERR_MSG(info, "no key");
4582 		return -EINVAL;
4583 	}
4584 
4585 	if (info->attrs[NL80211_ATTR_MAC])
4586 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4587 
4588 	if (key.type == -1) {
4589 		if (mac_addr)
4590 			key.type = NL80211_KEYTYPE_PAIRWISE;
4591 		else
4592 			key.type = NL80211_KEYTYPE_GROUP;
4593 	}
4594 
4595 	/* for now */
4596 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4597 	    key.type != NL80211_KEYTYPE_GROUP) {
4598 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4599 		return -EINVAL;
4600 	}
4601 
4602 	if (key.type == NL80211_KEYTYPE_GROUP &&
4603 	    info->attrs[NL80211_ATTR_VLAN_ID])
4604 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4605 
4606 	if (!rdev->ops->add_key)
4607 		return -EOPNOTSUPP;
4608 
4609 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4610 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4611 					   mac_addr)) {
4612 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4613 		return -EINVAL;
4614 	}
4615 
4616 	wdev_lock(dev->ieee80211_ptr);
4617 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4618 	if (err)
4619 		GENL_SET_ERR_MSG(info, "key not allowed");
4620 	if (!err) {
4621 		err = rdev_add_key(rdev, dev, key.idx,
4622 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4623 				    mac_addr, &key.p);
4624 		if (err)
4625 			GENL_SET_ERR_MSG(info, "key addition failed");
4626 	}
4627 	wdev_unlock(dev->ieee80211_ptr);
4628 
4629 	return err;
4630 }
4631 
4632 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4633 {
4634 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4635 	int err;
4636 	struct net_device *dev = info->user_ptr[1];
4637 	u8 *mac_addr = NULL;
4638 	struct key_parse key;
4639 
4640 	err = nl80211_parse_key(info, &key);
4641 	if (err)
4642 		return err;
4643 
4644 	if (info->attrs[NL80211_ATTR_MAC])
4645 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4646 
4647 	if (key.type == -1) {
4648 		if (mac_addr)
4649 			key.type = NL80211_KEYTYPE_PAIRWISE;
4650 		else
4651 			key.type = NL80211_KEYTYPE_GROUP;
4652 	}
4653 
4654 	/* for now */
4655 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4656 	    key.type != NL80211_KEYTYPE_GROUP)
4657 		return -EINVAL;
4658 
4659 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4660 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4661 		return -EINVAL;
4662 
4663 	if (!rdev->ops->del_key)
4664 		return -EOPNOTSUPP;
4665 
4666 	wdev_lock(dev->ieee80211_ptr);
4667 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4668 
4669 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4670 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4671 		err = -ENOENT;
4672 
4673 	if (!err)
4674 		err = rdev_del_key(rdev, dev, key.idx,
4675 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4676 				   mac_addr);
4677 
4678 #ifdef CONFIG_CFG80211_WEXT
4679 	if (!err) {
4680 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4681 			dev->ieee80211_ptr->wext.default_key = -1;
4682 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4683 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4684 	}
4685 #endif
4686 	wdev_unlock(dev->ieee80211_ptr);
4687 
4688 	return err;
4689 }
4690 
4691 /* This function returns an error or the number of nested attributes */
4692 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4693 {
4694 	struct nlattr *attr;
4695 	int n_entries = 0, tmp;
4696 
4697 	nla_for_each_nested(attr, nl_attr, tmp) {
4698 		if (nla_len(attr) != ETH_ALEN)
4699 			return -EINVAL;
4700 
4701 		n_entries++;
4702 	}
4703 
4704 	return n_entries;
4705 }
4706 
4707 /*
4708  * This function parses ACL information and allocates memory for ACL data.
4709  * On successful return, the calling function is responsible to free the
4710  * ACL buffer returned by this function.
4711  */
4712 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4713 						struct genl_info *info)
4714 {
4715 	enum nl80211_acl_policy acl_policy;
4716 	struct nlattr *attr;
4717 	struct cfg80211_acl_data *acl;
4718 	int i = 0, n_entries, tmp;
4719 
4720 	if (!wiphy->max_acl_mac_addrs)
4721 		return ERR_PTR(-EOPNOTSUPP);
4722 
4723 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4724 		return ERR_PTR(-EINVAL);
4725 
4726 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4727 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4728 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4729 		return ERR_PTR(-EINVAL);
4730 
4731 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4732 		return ERR_PTR(-EINVAL);
4733 
4734 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4735 	if (n_entries < 0)
4736 		return ERR_PTR(n_entries);
4737 
4738 	if (n_entries > wiphy->max_acl_mac_addrs)
4739 		return ERR_PTR(-ENOTSUPP);
4740 
4741 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4742 	if (!acl)
4743 		return ERR_PTR(-ENOMEM);
4744 
4745 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4746 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4747 		i++;
4748 	}
4749 
4750 	acl->n_acl_entries = n_entries;
4751 	acl->acl_policy = acl_policy;
4752 
4753 	return acl;
4754 }
4755 
4756 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4757 {
4758 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4759 	struct net_device *dev = info->user_ptr[1];
4760 	struct cfg80211_acl_data *acl;
4761 	int err;
4762 
4763 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4764 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4765 		return -EOPNOTSUPP;
4766 
4767 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4768 		return -EINVAL;
4769 
4770 	acl = parse_acl_data(&rdev->wiphy, info);
4771 	if (IS_ERR(acl))
4772 		return PTR_ERR(acl);
4773 
4774 	err = rdev_set_mac_acl(rdev, dev, acl);
4775 
4776 	kfree(acl);
4777 
4778 	return err;
4779 }
4780 
4781 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4782 			   u8 *rates, u8 rates_len)
4783 {
4784 	u8 i;
4785 	u32 mask = 0;
4786 
4787 	for (i = 0; i < rates_len; i++) {
4788 		int rate = (rates[i] & 0x7f) * 5;
4789 		int ridx;
4790 
4791 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4792 			struct ieee80211_rate *srate =
4793 				&sband->bitrates[ridx];
4794 			if (rate == srate->bitrate) {
4795 				mask |= 1 << ridx;
4796 				break;
4797 			}
4798 		}
4799 		if (ridx == sband->n_bitrates)
4800 			return 0; /* rate not found */
4801 	}
4802 
4803 	return mask;
4804 }
4805 
4806 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4807 			       u8 *rates, u8 rates_len,
4808 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4809 {
4810 	u8 i;
4811 
4812 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4813 
4814 	for (i = 0; i < rates_len; i++) {
4815 		int ridx, rbit;
4816 
4817 		ridx = rates[i] / 8;
4818 		rbit = BIT(rates[i] % 8);
4819 
4820 		/* check validity */
4821 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4822 			return false;
4823 
4824 		/* check availability */
4825 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4826 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4827 			mcs[ridx] |= rbit;
4828 		else
4829 			return false;
4830 	}
4831 
4832 	return true;
4833 }
4834 
4835 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4836 {
4837 	u16 mcs_mask = 0;
4838 
4839 	switch (vht_mcs_map) {
4840 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4841 		break;
4842 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4843 		mcs_mask = 0x00FF;
4844 		break;
4845 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4846 		mcs_mask = 0x01FF;
4847 		break;
4848 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4849 		mcs_mask = 0x03FF;
4850 		break;
4851 	default:
4852 		break;
4853 	}
4854 
4855 	return mcs_mask;
4856 }
4857 
4858 static void vht_build_mcs_mask(u16 vht_mcs_map,
4859 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4860 {
4861 	u8 nss;
4862 
4863 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4864 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4865 		vht_mcs_map >>= 2;
4866 	}
4867 }
4868 
4869 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4870 			     struct nl80211_txrate_vht *txrate,
4871 			     u16 mcs[NL80211_VHT_NSS_MAX])
4872 {
4873 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4874 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4875 	u8 i;
4876 
4877 	if (!sband->vht_cap.vht_supported)
4878 		return false;
4879 
4880 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4881 
4882 	/* Build vht_mcs_mask from VHT capabilities */
4883 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4884 
4885 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4886 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4887 			mcs[i] = txrate->mcs[i];
4888 		else
4889 			return false;
4890 	}
4891 
4892 	return true;
4893 }
4894 
4895 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4896 {
4897 	switch (he_mcs_map) {
4898 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4899 		return 0;
4900 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4901 		return 0x00FF;
4902 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4903 		return 0x03FF;
4904 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4905 		return 0xFFF;
4906 	default:
4907 		break;
4908 	}
4909 	return 0;
4910 }
4911 
4912 static void he_build_mcs_mask(u16 he_mcs_map,
4913 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4914 {
4915 	u8 nss;
4916 
4917 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4918 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4919 		he_mcs_map >>= 2;
4920 	}
4921 }
4922 
4923 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
4924 			   const struct ieee80211_sta_he_cap *he_cap)
4925 {
4926 	struct net_device *dev = info->user_ptr[1];
4927 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4928 	struct cfg80211_chan_def *chandef;
4929 	__le16 tx_mcs;
4930 
4931 	chandef = wdev_chandef(wdev, link_id);
4932 	if (!chandef) {
4933 		/*
4934 		 * This is probably broken, but we never maintained
4935 		 * a chandef in these cases, so it always was.
4936 		 */
4937 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
4938 	}
4939 
4940 	switch (chandef->width) {
4941 	case NL80211_CHAN_WIDTH_80P80:
4942 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4943 		break;
4944 	case NL80211_CHAN_WIDTH_160:
4945 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4946 		break;
4947 	default:
4948 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4949 		break;
4950 	}
4951 
4952 	return le16_to_cpu(tx_mcs);
4953 }
4954 
4955 static bool he_set_mcs_mask(struct genl_info *info,
4956 			    struct wireless_dev *wdev,
4957 			    struct ieee80211_supported_band *sband,
4958 			    struct nl80211_txrate_he *txrate,
4959 			    u16 mcs[NL80211_HE_NSS_MAX],
4960 			    unsigned int link_id)
4961 {
4962 	const struct ieee80211_sta_he_cap *he_cap;
4963 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4964 	u16 tx_mcs_map = 0;
4965 	u8 i;
4966 
4967 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4968 	if (!he_cap)
4969 		return false;
4970 
4971 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4972 
4973 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
4974 
4975 	/* Build he_mcs_mask from HE capabilities */
4976 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4977 
4978 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4979 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4980 			mcs[i] = txrate->mcs[i];
4981 		else
4982 			return false;
4983 	}
4984 
4985 	return true;
4986 }
4987 
4988 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4989 					 struct nlattr *attrs[],
4990 					 enum nl80211_attrs attr,
4991 					 struct cfg80211_bitrate_mask *mask,
4992 					 struct net_device *dev,
4993 					 bool default_all_enabled,
4994 					 unsigned int link_id)
4995 {
4996 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4997 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4998 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4999 	int rem, i;
5000 	struct nlattr *tx_rates;
5001 	struct ieee80211_supported_band *sband;
5002 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5003 
5004 	memset(mask, 0, sizeof(*mask));
5005 	/* Default to all rates enabled */
5006 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5007 		const struct ieee80211_sta_he_cap *he_cap;
5008 
5009 		if (!default_all_enabled)
5010 			break;
5011 
5012 		sband = rdev->wiphy.bands[i];
5013 
5014 		if (!sband)
5015 			continue;
5016 
5017 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5018 		memcpy(mask->control[i].ht_mcs,
5019 		       sband->ht_cap.mcs.rx_mask,
5020 		       sizeof(mask->control[i].ht_mcs));
5021 
5022 		if (sband->vht_cap.vht_supported) {
5023 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5024 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5025 		}
5026 
5027 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5028 		if (!he_cap)
5029 			continue;
5030 
5031 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5032 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5033 
5034 		mask->control[i].he_gi = 0xFF;
5035 		mask->control[i].he_ltf = 0xFF;
5036 	}
5037 
5038 	/* if no rates are given set it back to the defaults */
5039 	if (!attrs[attr])
5040 		goto out;
5041 
5042 	/* The nested attribute uses enum nl80211_band as the index. This maps
5043 	 * directly to the enum nl80211_band values used in cfg80211.
5044 	 */
5045 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5046 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5047 		enum nl80211_band band = nla_type(tx_rates);
5048 		int err;
5049 
5050 		if (band < 0 || band >= NUM_NL80211_BANDS)
5051 			return -EINVAL;
5052 		sband = rdev->wiphy.bands[band];
5053 		if (sband == NULL)
5054 			return -EINVAL;
5055 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5056 						  tx_rates,
5057 						  nl80211_txattr_policy,
5058 						  info->extack);
5059 		if (err)
5060 			return err;
5061 		if (tb[NL80211_TXRATE_LEGACY]) {
5062 			mask->control[band].legacy = rateset_to_mask(
5063 				sband,
5064 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5065 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5066 			if ((mask->control[band].legacy == 0) &&
5067 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5068 				return -EINVAL;
5069 		}
5070 		if (tb[NL80211_TXRATE_HT]) {
5071 			if (!ht_rateset_to_mask(
5072 					sband,
5073 					nla_data(tb[NL80211_TXRATE_HT]),
5074 					nla_len(tb[NL80211_TXRATE_HT]),
5075 					mask->control[band].ht_mcs))
5076 				return -EINVAL;
5077 		}
5078 
5079 		if (tb[NL80211_TXRATE_VHT]) {
5080 			if (!vht_set_mcs_mask(
5081 					sband,
5082 					nla_data(tb[NL80211_TXRATE_VHT]),
5083 					mask->control[band].vht_mcs))
5084 				return -EINVAL;
5085 		}
5086 
5087 		if (tb[NL80211_TXRATE_GI]) {
5088 			mask->control[band].gi =
5089 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5090 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5091 				return -EINVAL;
5092 		}
5093 		if (tb[NL80211_TXRATE_HE] &&
5094 		    !he_set_mcs_mask(info, wdev, sband,
5095 				     nla_data(tb[NL80211_TXRATE_HE]),
5096 				     mask->control[band].he_mcs,
5097 				     link_id))
5098 			return -EINVAL;
5099 
5100 		if (tb[NL80211_TXRATE_HE_GI])
5101 			mask->control[band].he_gi =
5102 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5103 		if (tb[NL80211_TXRATE_HE_LTF])
5104 			mask->control[band].he_ltf =
5105 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5106 
5107 		if (mask->control[band].legacy == 0) {
5108 			/* don't allow empty legacy rates if HT, VHT or HE
5109 			 * are not even supported.
5110 			 */
5111 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5112 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5113 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5114 				return -EINVAL;
5115 
5116 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5117 				if (mask->control[band].ht_mcs[i])
5118 					goto out;
5119 
5120 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5121 				if (mask->control[band].vht_mcs[i])
5122 					goto out;
5123 
5124 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5125 				if (mask->control[band].he_mcs[i])
5126 					goto out;
5127 
5128 			/* legacy and mcs rates may not be both empty */
5129 			return -EINVAL;
5130 		}
5131 	}
5132 
5133 out:
5134 	return 0;
5135 }
5136 
5137 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5138 				   enum nl80211_band band,
5139 				   struct cfg80211_bitrate_mask *beacon_rate)
5140 {
5141 	u32 count_ht, count_vht, count_he, i;
5142 	u32 rate = beacon_rate->control[band].legacy;
5143 
5144 	/* Allow only one rate */
5145 	if (hweight32(rate) > 1)
5146 		return -EINVAL;
5147 
5148 	count_ht = 0;
5149 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5150 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5151 			return -EINVAL;
5152 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5153 			count_ht++;
5154 			if (count_ht > 1)
5155 				return -EINVAL;
5156 		}
5157 		if (count_ht && rate)
5158 			return -EINVAL;
5159 	}
5160 
5161 	count_vht = 0;
5162 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5163 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5164 			return -EINVAL;
5165 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5166 			count_vht++;
5167 			if (count_vht > 1)
5168 				return -EINVAL;
5169 		}
5170 		if (count_vht && rate)
5171 			return -EINVAL;
5172 	}
5173 
5174 	count_he = 0;
5175 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5176 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5177 			return -EINVAL;
5178 		} else if (beacon_rate->control[band].he_mcs[i]) {
5179 			count_he++;
5180 			if (count_he > 1)
5181 				return -EINVAL;
5182 		}
5183 		if (count_he && rate)
5184 			return -EINVAL;
5185 	}
5186 
5187 	if ((count_ht && count_vht && count_he) ||
5188 	    (!rate && !count_ht && !count_vht && !count_he))
5189 		return -EINVAL;
5190 
5191 	if (rate &&
5192 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5193 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5194 		return -EINVAL;
5195 	if (count_ht &&
5196 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5197 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5198 		return -EINVAL;
5199 	if (count_vht &&
5200 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5201 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5202 		return -EINVAL;
5203 	if (count_he &&
5204 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5205 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5206 		return -EINVAL;
5207 
5208 	return 0;
5209 }
5210 
5211 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5212 				       struct net_device *dev,
5213 				       struct nlattr *attrs,
5214 				       struct cfg80211_mbssid_config *config,
5215 				       u8 num_elems)
5216 {
5217 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5218 
5219 	if (!wiphy->mbssid_max_interfaces)
5220 		return -EOPNOTSUPP;
5221 
5222 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5223 			     NULL) ||
5224 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5225 		return -EINVAL;
5226 
5227 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5228 	if (config->ema) {
5229 		if (!wiphy->ema_max_profile_periodicity)
5230 			return -EOPNOTSUPP;
5231 
5232 		if (num_elems > wiphy->ema_max_profile_periodicity)
5233 			return -EINVAL;
5234 	}
5235 
5236 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5237 	if (config->index >= wiphy->mbssid_max_interfaces ||
5238 	    (!config->index && !num_elems))
5239 		return -EINVAL;
5240 
5241 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5242 		u32 tx_ifindex =
5243 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5244 
5245 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5246 		    (config->index && tx_ifindex == dev->ifindex))
5247 			return -EINVAL;
5248 
5249 		if (tx_ifindex != dev->ifindex) {
5250 			struct net_device *tx_netdev =
5251 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5252 
5253 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5254 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5255 			    tx_netdev->ieee80211_ptr->iftype !=
5256 							NL80211_IFTYPE_AP) {
5257 				dev_put(tx_netdev);
5258 				return -EINVAL;
5259 			}
5260 
5261 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5262 		} else {
5263 			config->tx_wdev = dev->ieee80211_ptr;
5264 		}
5265 	} else if (!config->index) {
5266 		config->tx_wdev = dev->ieee80211_ptr;
5267 	} else {
5268 		return -EINVAL;
5269 	}
5270 
5271 	return 0;
5272 }
5273 
5274 static struct cfg80211_mbssid_elems *
5275 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5276 {
5277 	struct nlattr *nl_elems;
5278 	struct cfg80211_mbssid_elems *elems;
5279 	int rem_elems;
5280 	u8 i = 0, num_elems = 0;
5281 
5282 	if (!wiphy->mbssid_max_interfaces)
5283 		return ERR_PTR(-EINVAL);
5284 
5285 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5286 		num_elems++;
5287 
5288 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5289 	if (!elems)
5290 		return ERR_PTR(-ENOMEM);
5291 
5292 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5293 		elems->elem[i].data = nla_data(nl_elems);
5294 		elems->elem[i].len = nla_len(nl_elems);
5295 		i++;
5296 	}
5297 	elems->cnt = num_elems;
5298 	return elems;
5299 }
5300 
5301 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5302 				      struct cfg80211_he_bss_color *he_bss_color)
5303 {
5304 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5305 	int err;
5306 
5307 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5308 			       he_bss_color_policy, NULL);
5309 	if (err)
5310 		return err;
5311 
5312 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5313 		return -EINVAL;
5314 
5315 	he_bss_color->color =
5316 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5317 	he_bss_color->enabled =
5318 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5319 	he_bss_color->partial =
5320 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5321 
5322 	return 0;
5323 }
5324 
5325 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5326 				struct nlattr *attrs[],
5327 				struct cfg80211_beacon_data *bcn)
5328 {
5329 	bool haveinfo = false;
5330 	int err;
5331 
5332 	memset(bcn, 0, sizeof(*bcn));
5333 
5334 	bcn->link_id = nl80211_link_id(attrs);
5335 
5336 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5337 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5338 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5339 		if (!bcn->head_len)
5340 			return -EINVAL;
5341 		haveinfo = true;
5342 	}
5343 
5344 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5345 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5346 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5347 		haveinfo = true;
5348 	}
5349 
5350 	if (!haveinfo)
5351 		return -EINVAL;
5352 
5353 	if (attrs[NL80211_ATTR_IE]) {
5354 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5355 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5356 	}
5357 
5358 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5359 		bcn->proberesp_ies =
5360 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5361 		bcn->proberesp_ies_len =
5362 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5363 	}
5364 
5365 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5366 		bcn->assocresp_ies =
5367 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5368 		bcn->assocresp_ies_len =
5369 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5370 	}
5371 
5372 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5373 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5374 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5375 	}
5376 
5377 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5378 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5379 
5380 		err = nla_parse_nested_deprecated(tb,
5381 						  NL80211_FTM_RESP_ATTR_MAX,
5382 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5383 						  NULL, NULL);
5384 		if (err)
5385 			return err;
5386 
5387 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5388 		    wiphy_ext_feature_isset(&rdev->wiphy,
5389 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5390 			bcn->ftm_responder = 1;
5391 		else
5392 			return -EOPNOTSUPP;
5393 
5394 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5395 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5396 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5397 		}
5398 
5399 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5400 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5401 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5402 		}
5403 	} else {
5404 		bcn->ftm_responder = -1;
5405 	}
5406 
5407 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5408 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5409 						 &bcn->he_bss_color);
5410 		if (err)
5411 			return err;
5412 		bcn->he_bss_color_valid = true;
5413 	}
5414 
5415 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5416 		struct cfg80211_mbssid_elems *mbssid =
5417 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5418 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5419 
5420 		if (IS_ERR(mbssid))
5421 			return PTR_ERR(mbssid);
5422 
5423 		bcn->mbssid_ies = mbssid;
5424 	}
5425 
5426 	return 0;
5427 }
5428 
5429 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5430 				    struct ieee80211_he_obss_pd *he_obss_pd)
5431 {
5432 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5433 	int err;
5434 
5435 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5436 			       he_obss_pd_policy, NULL);
5437 	if (err)
5438 		return err;
5439 
5440 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5441 		return -EINVAL;
5442 
5443 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5444 
5445 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5446 		he_obss_pd->min_offset =
5447 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5448 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5449 		he_obss_pd->max_offset =
5450 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5451 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5452 		he_obss_pd->non_srg_max_offset =
5453 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5454 
5455 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5456 		return -EINVAL;
5457 
5458 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5459 		memcpy(he_obss_pd->bss_color_bitmap,
5460 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5461 		       sizeof(he_obss_pd->bss_color_bitmap));
5462 
5463 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5464 		memcpy(he_obss_pd->partial_bssid_bitmap,
5465 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5466 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5467 
5468 	he_obss_pd->enable = true;
5469 
5470 	return 0;
5471 }
5472 
5473 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5474 					struct nlattr *attrs,
5475 					struct cfg80211_ap_settings *params)
5476 {
5477 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5478 	int ret;
5479 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5480 
5481 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5482 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5483 		return -EINVAL;
5484 
5485 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5486 			       NULL, NULL);
5487 	if (ret)
5488 		return ret;
5489 
5490 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5491 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5492 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5493 		return -EINVAL;
5494 
5495 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5496 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5497 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5498 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5499 
5500 	return 0;
5501 }
5502 
5503 static int
5504 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5505 				     struct nlattr *attrs,
5506 				     struct cfg80211_ap_settings *params)
5507 {
5508 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5509 	int ret;
5510 	struct cfg80211_unsol_bcast_probe_resp *presp =
5511 					&params->unsol_bcast_probe_resp;
5512 
5513 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5514 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5515 		return -EINVAL;
5516 
5517 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5518 			       attrs, NULL, NULL);
5519 	if (ret)
5520 		return ret;
5521 
5522 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5523 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5524 		return -EINVAL;
5525 
5526 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5527 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5528 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5529 	return 0;
5530 }
5531 
5532 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5533 					    const struct element *rates)
5534 {
5535 	int i;
5536 
5537 	if (!rates)
5538 		return;
5539 
5540 	for (i = 0; i < rates->datalen; i++) {
5541 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5542 			params->ht_required = true;
5543 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5544 			params->vht_required = true;
5545 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5546 			params->he_required = true;
5547 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5548 			params->sae_h2e_required = true;
5549 	}
5550 }
5551 
5552 /*
5553  * Since the nl80211 API didn't include, from the beginning, attributes about
5554  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5555  * benefit of drivers that rebuild IEs in the firmware.
5556  */
5557 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5558 {
5559 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5560 	size_t ies_len = bcn->tail_len;
5561 	const u8 *ies = bcn->tail;
5562 	const struct element *rates;
5563 	const struct element *cap;
5564 
5565 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5566 	nl80211_check_ap_rate_selectors(params, rates);
5567 
5568 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5569 	nl80211_check_ap_rate_selectors(params, rates);
5570 
5571 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5572 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5573 		params->ht_cap = (void *)cap->data;
5574 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5575 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5576 		params->vht_cap = (void *)cap->data;
5577 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5578 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5579 		params->he_cap = (void *)(cap->data + 1);
5580 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5581 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5582 		params->he_oper = (void *)(cap->data + 1);
5583 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5584 	if (cap) {
5585 		if (!cap->datalen)
5586 			return -EINVAL;
5587 		params->eht_cap = (void *)(cap->data + 1);
5588 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5589 						(const u8 *)params->eht_cap,
5590 						cap->datalen - 1))
5591 			return -EINVAL;
5592 	}
5593 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5594 	if (cap) {
5595 		if (!cap->datalen)
5596 			return -EINVAL;
5597 		params->eht_oper = (void *)(cap->data + 1);
5598 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5599 						cap->datalen - 1))
5600 			return -EINVAL;
5601 	}
5602 	return 0;
5603 }
5604 
5605 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5606 				   struct cfg80211_ap_settings *params)
5607 {
5608 	struct wireless_dev *wdev;
5609 
5610 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5611 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5612 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5613 			continue;
5614 
5615 		if (!wdev->u.ap.preset_chandef.chan)
5616 			continue;
5617 
5618 		params->chandef = wdev->u.ap.preset_chandef;
5619 		return true;
5620 	}
5621 
5622 	return false;
5623 }
5624 
5625 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5626 				    enum nl80211_auth_type auth_type,
5627 				    enum nl80211_commands cmd)
5628 {
5629 	if (auth_type > NL80211_AUTHTYPE_MAX)
5630 		return false;
5631 
5632 	switch (cmd) {
5633 	case NL80211_CMD_AUTHENTICATE:
5634 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5635 		    auth_type == NL80211_AUTHTYPE_SAE)
5636 			return false;
5637 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5638 					     NL80211_EXT_FEATURE_FILS_STA) &&
5639 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5640 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5641 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5642 			return false;
5643 		return true;
5644 	case NL80211_CMD_CONNECT:
5645 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5646 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5647 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5648 		    auth_type == NL80211_AUTHTYPE_SAE)
5649 			return false;
5650 
5651 		/* FILS with SK PFS or PK not supported yet */
5652 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5653 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5654 			return false;
5655 		if (!wiphy_ext_feature_isset(
5656 			    &rdev->wiphy,
5657 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5658 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5659 			return false;
5660 		return true;
5661 	case NL80211_CMD_START_AP:
5662 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5663 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5664 		    auth_type == NL80211_AUTHTYPE_SAE)
5665 			return false;
5666 		/* FILS not supported yet */
5667 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5668 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5669 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5670 			return false;
5671 		return true;
5672 	default:
5673 		return false;
5674 	}
5675 }
5676 
5677 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5678 {
5679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5680 	unsigned int link_id = nl80211_link_id(info->attrs);
5681 	struct net_device *dev = info->user_ptr[1];
5682 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5683 	struct cfg80211_ap_settings *params;
5684 	int err;
5685 
5686 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5687 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5688 		return -EOPNOTSUPP;
5689 
5690 	if (!rdev->ops->start_ap)
5691 		return -EOPNOTSUPP;
5692 
5693 	if (wdev->links[link_id].ap.beacon_interval)
5694 		return -EALREADY;
5695 
5696 	/* these are required for START_AP */
5697 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5698 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5699 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5700 		return -EINVAL;
5701 
5702 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5703 	if (!params)
5704 		return -ENOMEM;
5705 
5706 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5707 	if (err)
5708 		goto out;
5709 
5710 	params->beacon_interval =
5711 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5712 	params->dtim_period =
5713 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5714 
5715 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5716 					   params->beacon_interval);
5717 	if (err)
5718 		goto out;
5719 
5720 	/*
5721 	 * In theory, some of these attributes should be required here
5722 	 * but since they were not used when the command was originally
5723 	 * added, keep them optional for old user space programs to let
5724 	 * them continue to work with drivers that do not need the
5725 	 * additional information -- drivers must check!
5726 	 */
5727 	if (info->attrs[NL80211_ATTR_SSID]) {
5728 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5729 		params->ssid_len =
5730 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5731 		if (params->ssid_len == 0) {
5732 			err = -EINVAL;
5733 			goto out;
5734 		}
5735 
5736 		if (wdev->u.ap.ssid_len &&
5737 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5738 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5739 			/* require identical SSID for MLO */
5740 			err = -EINVAL;
5741 			goto out;
5742 		}
5743 	} else if (wdev->valid_links) {
5744 		/* require SSID for MLO */
5745 		err = -EINVAL;
5746 		goto out;
5747 	}
5748 
5749 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5750 		params->hidden_ssid = nla_get_u32(
5751 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5752 
5753 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5754 
5755 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5756 		params->auth_type = nla_get_u32(
5757 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5758 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5759 					     NL80211_CMD_START_AP)) {
5760 			err = -EINVAL;
5761 			goto out;
5762 		}
5763 	} else
5764 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5765 
5766 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5767 				      NL80211_MAX_NR_CIPHER_SUITES);
5768 	if (err)
5769 		goto out;
5770 
5771 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5772 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5773 			err = -EOPNOTSUPP;
5774 			goto out;
5775 		}
5776 		params->inactivity_timeout = nla_get_u16(
5777 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5778 	}
5779 
5780 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5781 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5782 			err = -EINVAL;
5783 			goto out;
5784 		}
5785 		params->p2p_ctwindow =
5786 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5787 		if (params->p2p_ctwindow != 0 &&
5788 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5789 			err = -EINVAL;
5790 			goto out;
5791 		}
5792 	}
5793 
5794 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5795 		u8 tmp;
5796 
5797 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5798 			err = -EINVAL;
5799 			goto out;
5800 		}
5801 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5802 		params->p2p_opp_ps = tmp;
5803 		if (params->p2p_opp_ps != 0 &&
5804 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5805 			err = -EINVAL;
5806 			goto out;
5807 		}
5808 	}
5809 
5810 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5811 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5812 		if (err)
5813 			goto out;
5814 	} else if (wdev->valid_links) {
5815 		/* with MLD need to specify the channel configuration */
5816 		err = -EINVAL;
5817 		goto out;
5818 	} else if (wdev->u.ap.preset_chandef.chan) {
5819 		params->chandef = wdev->u.ap.preset_chandef;
5820 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5821 		err = -EINVAL;
5822 		goto out;
5823 	}
5824 
5825 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5826 					   wdev->iftype)) {
5827 		err = -EINVAL;
5828 		goto out;
5829 	}
5830 
5831 	wdev_lock(wdev);
5832 
5833 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5834 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5835 						    NL80211_ATTR_TX_RATES,
5836 						    &params->beacon_rate,
5837 						    dev, false, link_id);
5838 		if (err)
5839 			goto out_unlock;
5840 
5841 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5842 					      &params->beacon_rate);
5843 		if (err)
5844 			goto out_unlock;
5845 	}
5846 
5847 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5848 		params->smps_mode =
5849 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5850 		switch (params->smps_mode) {
5851 		case NL80211_SMPS_OFF:
5852 			break;
5853 		case NL80211_SMPS_STATIC:
5854 			if (!(rdev->wiphy.features &
5855 			      NL80211_FEATURE_STATIC_SMPS)) {
5856 				err = -EINVAL;
5857 				goto out_unlock;
5858 			}
5859 			break;
5860 		case NL80211_SMPS_DYNAMIC:
5861 			if (!(rdev->wiphy.features &
5862 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5863 				err = -EINVAL;
5864 				goto out_unlock;
5865 			}
5866 			break;
5867 		default:
5868 			err = -EINVAL;
5869 			goto out_unlock;
5870 		}
5871 	} else {
5872 		params->smps_mode = NL80211_SMPS_OFF;
5873 	}
5874 
5875 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5876 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5877 		err = -EOPNOTSUPP;
5878 		goto out_unlock;
5879 	}
5880 
5881 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5882 		params->acl = parse_acl_data(&rdev->wiphy, info);
5883 		if (IS_ERR(params->acl)) {
5884 			err = PTR_ERR(params->acl);
5885 			params->acl = NULL;
5886 			goto out_unlock;
5887 		}
5888 	}
5889 
5890 	params->twt_responder =
5891 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5892 
5893 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5894 		err = nl80211_parse_he_obss_pd(
5895 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5896 					&params->he_obss_pd);
5897 		if (err)
5898 			goto out_unlock;
5899 	}
5900 
5901 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5902 		err = nl80211_parse_fils_discovery(rdev,
5903 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5904 						   params);
5905 		if (err)
5906 			goto out_unlock;
5907 	}
5908 
5909 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5910 		err = nl80211_parse_unsol_bcast_probe_resp(
5911 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5912 			params);
5913 		if (err)
5914 			goto out_unlock;
5915 	}
5916 
5917 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5918 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5919 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5920 						  &params->mbssid_config,
5921 						  params->beacon.mbssid_ies ?
5922 							params->beacon.mbssid_ies->cnt :
5923 							0);
5924 		if (err)
5925 			goto out_unlock;
5926 	}
5927 
5928 	err = nl80211_calculate_ap_params(params);
5929 	if (err)
5930 		goto out_unlock;
5931 
5932 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5933 		params->flags = nla_get_u32(
5934 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5935 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5936 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5937 
5938 	if (wdev->conn_owner_nlportid &&
5939 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
5940 	    wdev->conn_owner_nlportid != info->snd_portid) {
5941 		err = -EINVAL;
5942 		goto out_unlock;
5943 	}
5944 
5945 	/* FIXME: validate MLO/link-id against driver capabilities */
5946 
5947 	err = rdev_start_ap(rdev, dev, params);
5948 	if (!err) {
5949 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
5950 		wdev->links[link_id].ap.chandef = params->chandef;
5951 		wdev->u.ap.ssid_len = params->ssid_len;
5952 		memcpy(wdev->u.ap.ssid, params->ssid,
5953 		       params->ssid_len);
5954 
5955 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5956 			wdev->conn_owner_nlportid = info->snd_portid;
5957 	}
5958 out_unlock:
5959 	wdev_unlock(wdev);
5960 out:
5961 	kfree(params->acl);
5962 	kfree(params->beacon.mbssid_ies);
5963 	if (params->mbssid_config.tx_wdev &&
5964 	    params->mbssid_config.tx_wdev->netdev &&
5965 	    params->mbssid_config.tx_wdev->netdev != dev)
5966 		dev_put(params->mbssid_config.tx_wdev->netdev);
5967 	kfree(params);
5968 
5969 	return err;
5970 }
5971 
5972 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5973 {
5974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5975 	unsigned int link_id = nl80211_link_id(info->attrs);
5976 	struct net_device *dev = info->user_ptr[1];
5977 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5978 	struct cfg80211_beacon_data params;
5979 	int err;
5980 
5981 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5982 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5983 		return -EOPNOTSUPP;
5984 
5985 	if (!rdev->ops->change_beacon)
5986 		return -EOPNOTSUPP;
5987 
5988 	if (!wdev->links[link_id].ap.beacon_interval)
5989 		return -EINVAL;
5990 
5991 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5992 	if (err)
5993 		goto out;
5994 
5995 	wdev_lock(wdev);
5996 	err = rdev_change_beacon(rdev, dev, &params);
5997 	wdev_unlock(wdev);
5998 
5999 out:
6000 	kfree(params.mbssid_ies);
6001 	return err;
6002 }
6003 
6004 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6005 {
6006 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6007 	unsigned int link_id = nl80211_link_id(info->attrs);
6008 	struct net_device *dev = info->user_ptr[1];
6009 
6010 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6011 }
6012 
6013 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6014 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6015 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6016 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6017 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6018 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6019 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6020 };
6021 
6022 static int parse_station_flags(struct genl_info *info,
6023 			       enum nl80211_iftype iftype,
6024 			       struct station_parameters *params)
6025 {
6026 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6027 	struct nlattr *nla;
6028 	int flag;
6029 
6030 	/*
6031 	 * Try parsing the new attribute first so userspace
6032 	 * can specify both for older kernels.
6033 	 */
6034 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6035 	if (nla) {
6036 		struct nl80211_sta_flag_update *sta_flags;
6037 
6038 		sta_flags = nla_data(nla);
6039 		params->sta_flags_mask = sta_flags->mask;
6040 		params->sta_flags_set = sta_flags->set;
6041 		params->sta_flags_set &= params->sta_flags_mask;
6042 		if ((params->sta_flags_mask |
6043 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6044 			return -EINVAL;
6045 		return 0;
6046 	}
6047 
6048 	/* if present, parse the old attribute */
6049 
6050 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6051 	if (!nla)
6052 		return 0;
6053 
6054 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6055 		return -EINVAL;
6056 
6057 	/*
6058 	 * Only allow certain flags for interface types so that
6059 	 * other attributes are silently ignored. Remember that
6060 	 * this is backward compatibility code with old userspace
6061 	 * and shouldn't be hit in other cases anyway.
6062 	 */
6063 	switch (iftype) {
6064 	case NL80211_IFTYPE_AP:
6065 	case NL80211_IFTYPE_AP_VLAN:
6066 	case NL80211_IFTYPE_P2P_GO:
6067 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6068 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6069 					 BIT(NL80211_STA_FLAG_WME) |
6070 					 BIT(NL80211_STA_FLAG_MFP);
6071 		break;
6072 	case NL80211_IFTYPE_P2P_CLIENT:
6073 	case NL80211_IFTYPE_STATION:
6074 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6075 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6076 		break;
6077 	case NL80211_IFTYPE_MESH_POINT:
6078 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6079 					 BIT(NL80211_STA_FLAG_MFP) |
6080 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6081 		break;
6082 	default:
6083 		return -EINVAL;
6084 	}
6085 
6086 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6087 		if (flags[flag]) {
6088 			params->sta_flags_set |= (1<<flag);
6089 
6090 			/* no longer support new API additions in old API */
6091 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6092 				return -EINVAL;
6093 		}
6094 	}
6095 
6096 	return 0;
6097 }
6098 
6099 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6100 {
6101 	struct nlattr *rate;
6102 	u32 bitrate;
6103 	u16 bitrate_compat;
6104 	enum nl80211_rate_info rate_flg;
6105 
6106 	rate = nla_nest_start_noflag(msg, attr);
6107 	if (!rate)
6108 		return false;
6109 
6110 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6111 	bitrate = cfg80211_calculate_bitrate(info);
6112 	/* report 16-bit bitrate only if we can */
6113 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6114 	if (bitrate > 0 &&
6115 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6116 		return false;
6117 	if (bitrate_compat > 0 &&
6118 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6119 		return false;
6120 
6121 	switch (info->bw) {
6122 	case RATE_INFO_BW_5:
6123 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6124 		break;
6125 	case RATE_INFO_BW_10:
6126 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6127 		break;
6128 	default:
6129 		WARN_ON(1);
6130 		fallthrough;
6131 	case RATE_INFO_BW_20:
6132 		rate_flg = 0;
6133 		break;
6134 	case RATE_INFO_BW_40:
6135 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6136 		break;
6137 	case RATE_INFO_BW_80:
6138 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6139 		break;
6140 	case RATE_INFO_BW_160:
6141 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6142 		break;
6143 	case RATE_INFO_BW_HE_RU:
6144 		rate_flg = 0;
6145 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6146 		break;
6147 	case RATE_INFO_BW_320:
6148 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6149 		break;
6150 	case RATE_INFO_BW_EHT_RU:
6151 		rate_flg = 0;
6152 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6153 		break;
6154 	}
6155 
6156 	if (rate_flg && nla_put_flag(msg, rate_flg))
6157 		return false;
6158 
6159 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6160 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6161 			return false;
6162 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6163 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6164 			return false;
6165 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6166 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6167 			return false;
6168 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6169 			return false;
6170 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6171 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6172 			return false;
6173 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6174 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6175 			return false;
6176 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6177 			return false;
6178 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6179 			return false;
6180 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6181 			return false;
6182 		if (info->bw == RATE_INFO_BW_HE_RU &&
6183 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6184 			       info->he_ru_alloc))
6185 			return false;
6186 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6187 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6188 			return false;
6189 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6190 			return false;
6191 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6192 			return false;
6193 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6194 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6195 			       info->eht_ru_alloc))
6196 			return false;
6197 	}
6198 
6199 	nla_nest_end(msg, rate);
6200 	return true;
6201 }
6202 
6203 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6204 			       int id)
6205 {
6206 	void *attr;
6207 	int i = 0;
6208 
6209 	if (!mask)
6210 		return true;
6211 
6212 	attr = nla_nest_start_noflag(msg, id);
6213 	if (!attr)
6214 		return false;
6215 
6216 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6217 		if (!(mask & BIT(i)))
6218 			continue;
6219 
6220 		if (nla_put_u8(msg, i, signal[i]))
6221 			return false;
6222 	}
6223 
6224 	nla_nest_end(msg, attr);
6225 
6226 	return true;
6227 }
6228 
6229 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6230 				u32 seq, int flags,
6231 				struct cfg80211_registered_device *rdev,
6232 				struct net_device *dev,
6233 				const u8 *mac_addr, struct station_info *sinfo)
6234 {
6235 	void *hdr;
6236 	struct nlattr *sinfoattr, *bss_param;
6237 
6238 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6239 	if (!hdr) {
6240 		cfg80211_sinfo_release_content(sinfo);
6241 		return -1;
6242 	}
6243 
6244 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6245 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6246 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6247 		goto nla_put_failure;
6248 
6249 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6250 	if (!sinfoattr)
6251 		goto nla_put_failure;
6252 
6253 #define PUT_SINFO(attr, memb, type) do {				\
6254 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6255 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6256 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6257 			     sinfo->memb))				\
6258 		goto nla_put_failure;					\
6259 	} while (0)
6260 #define PUT_SINFO_U64(attr, memb) do {					\
6261 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6262 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6263 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6264 		goto nla_put_failure;					\
6265 	} while (0)
6266 
6267 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6268 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6269 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6270 
6271 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6272 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6273 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6274 			(u32)sinfo->rx_bytes))
6275 		goto nla_put_failure;
6276 
6277 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6278 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6279 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6280 			(u32)sinfo->tx_bytes))
6281 		goto nla_put_failure;
6282 
6283 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6284 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6285 	PUT_SINFO(LLID, llid, u16);
6286 	PUT_SINFO(PLID, plid, u16);
6287 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6288 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6289 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6290 
6291 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6292 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6293 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6294 
6295 	switch (rdev->wiphy.signal_type) {
6296 	case CFG80211_SIGNAL_TYPE_MBM:
6297 		PUT_SINFO(SIGNAL, signal, u8);
6298 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6299 		break;
6300 	default:
6301 		break;
6302 	}
6303 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6304 		if (!nl80211_put_signal(msg, sinfo->chains,
6305 					sinfo->chain_signal,
6306 					NL80211_STA_INFO_CHAIN_SIGNAL))
6307 			goto nla_put_failure;
6308 	}
6309 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6310 		if (!nl80211_put_signal(msg, sinfo->chains,
6311 					sinfo->chain_signal_avg,
6312 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6313 			goto nla_put_failure;
6314 	}
6315 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6316 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6317 					  NL80211_STA_INFO_TX_BITRATE))
6318 			goto nla_put_failure;
6319 	}
6320 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6321 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6322 					  NL80211_STA_INFO_RX_BITRATE))
6323 			goto nla_put_failure;
6324 	}
6325 
6326 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6327 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6328 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6329 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6330 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6331 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6332 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6333 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6334 	PUT_SINFO(PEER_PM, peer_pm, u32);
6335 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6336 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6337 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6338 
6339 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6340 		bss_param = nla_nest_start_noflag(msg,
6341 						  NL80211_STA_INFO_BSS_PARAM);
6342 		if (!bss_param)
6343 			goto nla_put_failure;
6344 
6345 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6346 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6347 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6348 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6349 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6350 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6351 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6352 			       sinfo->bss_param.dtim_period) ||
6353 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6354 				sinfo->bss_param.beacon_interval))
6355 			goto nla_put_failure;
6356 
6357 		nla_nest_end(msg, bss_param);
6358 	}
6359 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6360 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6361 		    sizeof(struct nl80211_sta_flag_update),
6362 		    &sinfo->sta_flags))
6363 		goto nla_put_failure;
6364 
6365 	PUT_SINFO_U64(T_OFFSET, t_offset);
6366 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6367 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6368 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6369 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6370 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6371 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6372 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6373 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6374 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6375 	}
6376 
6377 #undef PUT_SINFO
6378 #undef PUT_SINFO_U64
6379 
6380 	if (sinfo->pertid) {
6381 		struct nlattr *tidsattr;
6382 		int tid;
6383 
6384 		tidsattr = nla_nest_start_noflag(msg,
6385 						 NL80211_STA_INFO_TID_STATS);
6386 		if (!tidsattr)
6387 			goto nla_put_failure;
6388 
6389 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6390 			struct cfg80211_tid_stats *tidstats;
6391 			struct nlattr *tidattr;
6392 
6393 			tidstats = &sinfo->pertid[tid];
6394 
6395 			if (!tidstats->filled)
6396 				continue;
6397 
6398 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6399 			if (!tidattr)
6400 				goto nla_put_failure;
6401 
6402 #define PUT_TIDVAL_U64(attr, memb) do {					\
6403 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6404 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6405 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6406 		goto nla_put_failure;					\
6407 	} while (0)
6408 
6409 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6410 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6411 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6412 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6413 
6414 #undef PUT_TIDVAL_U64
6415 			if ((tidstats->filled &
6416 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6417 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6418 						   NL80211_TID_STATS_TXQ_STATS))
6419 				goto nla_put_failure;
6420 
6421 			nla_nest_end(msg, tidattr);
6422 		}
6423 
6424 		nla_nest_end(msg, tidsattr);
6425 	}
6426 
6427 	nla_nest_end(msg, sinfoattr);
6428 
6429 	if (sinfo->assoc_req_ies_len &&
6430 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6431 		    sinfo->assoc_req_ies))
6432 		goto nla_put_failure;
6433 
6434 	cfg80211_sinfo_release_content(sinfo);
6435 	genlmsg_end(msg, hdr);
6436 	return 0;
6437 
6438  nla_put_failure:
6439 	cfg80211_sinfo_release_content(sinfo);
6440 	genlmsg_cancel(msg, hdr);
6441 	return -EMSGSIZE;
6442 }
6443 
6444 static int nl80211_dump_station(struct sk_buff *skb,
6445 				struct netlink_callback *cb)
6446 {
6447 	struct station_info sinfo;
6448 	struct cfg80211_registered_device *rdev;
6449 	struct wireless_dev *wdev;
6450 	u8 mac_addr[ETH_ALEN];
6451 	int sta_idx = cb->args[2];
6452 	int err;
6453 
6454 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6455 	if (err)
6456 		return err;
6457 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6458 	__acquire(&rdev->wiphy.mtx);
6459 
6460 	if (!wdev->netdev) {
6461 		err = -EINVAL;
6462 		goto out_err;
6463 	}
6464 
6465 	if (!rdev->ops->dump_station) {
6466 		err = -EOPNOTSUPP;
6467 		goto out_err;
6468 	}
6469 
6470 	while (1) {
6471 		memset(&sinfo, 0, sizeof(sinfo));
6472 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6473 					mac_addr, &sinfo);
6474 		if (err == -ENOENT)
6475 			break;
6476 		if (err)
6477 			goto out_err;
6478 
6479 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6480 				NETLINK_CB(cb->skb).portid,
6481 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6482 				rdev, wdev->netdev, mac_addr,
6483 				&sinfo) < 0)
6484 			goto out;
6485 
6486 		sta_idx++;
6487 	}
6488 
6489  out:
6490 	cb->args[2] = sta_idx;
6491 	err = skb->len;
6492  out_err:
6493 	wiphy_unlock(&rdev->wiphy);
6494 
6495 	return err;
6496 }
6497 
6498 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6499 {
6500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6501 	struct net_device *dev = info->user_ptr[1];
6502 	struct station_info sinfo;
6503 	struct sk_buff *msg;
6504 	u8 *mac_addr = NULL;
6505 	int err;
6506 
6507 	memset(&sinfo, 0, sizeof(sinfo));
6508 
6509 	if (!info->attrs[NL80211_ATTR_MAC])
6510 		return -EINVAL;
6511 
6512 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6513 
6514 	if (!rdev->ops->get_station)
6515 		return -EOPNOTSUPP;
6516 
6517 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6518 	if (err)
6519 		return err;
6520 
6521 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6522 	if (!msg) {
6523 		cfg80211_sinfo_release_content(&sinfo);
6524 		return -ENOMEM;
6525 	}
6526 
6527 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6528 				 info->snd_portid, info->snd_seq, 0,
6529 				 rdev, dev, mac_addr, &sinfo) < 0) {
6530 		nlmsg_free(msg);
6531 		return -ENOBUFS;
6532 	}
6533 
6534 	return genlmsg_reply(msg, info);
6535 }
6536 
6537 int cfg80211_check_station_change(struct wiphy *wiphy,
6538 				  struct station_parameters *params,
6539 				  enum cfg80211_station_type statype)
6540 {
6541 	if (params->listen_interval != -1 &&
6542 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6543 		return -EINVAL;
6544 
6545 	if (params->support_p2p_ps != -1 &&
6546 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6547 		return -EINVAL;
6548 
6549 	if (params->aid &&
6550 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6551 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6552 		return -EINVAL;
6553 
6554 	/* When you run into this, adjust the code below for the new flag */
6555 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6556 
6557 	switch (statype) {
6558 	case CFG80211_STA_MESH_PEER_KERNEL:
6559 	case CFG80211_STA_MESH_PEER_USER:
6560 		/*
6561 		 * No ignoring the TDLS flag here -- the userspace mesh
6562 		 * code doesn't have the bug of including TDLS in the
6563 		 * mask everywhere.
6564 		 */
6565 		if (params->sta_flags_mask &
6566 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6567 				  BIT(NL80211_STA_FLAG_MFP) |
6568 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6569 			return -EINVAL;
6570 		break;
6571 	case CFG80211_STA_TDLS_PEER_SETUP:
6572 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6573 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6574 			return -EINVAL;
6575 		/* ignore since it can't change */
6576 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6577 		break;
6578 	default:
6579 		/* disallow mesh-specific things */
6580 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6581 			return -EINVAL;
6582 		if (params->local_pm)
6583 			return -EINVAL;
6584 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6585 			return -EINVAL;
6586 	}
6587 
6588 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6589 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6590 		/* TDLS can't be set, ... */
6591 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6592 			return -EINVAL;
6593 		/*
6594 		 * ... but don't bother the driver with it. This works around
6595 		 * a hostapd/wpa_supplicant issue -- it always includes the
6596 		 * TLDS_PEER flag in the mask even for AP mode.
6597 		 */
6598 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6599 	}
6600 
6601 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6602 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6603 		/* reject other things that can't change */
6604 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6605 			return -EINVAL;
6606 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6607 			return -EINVAL;
6608 		if (params->link_sta_params.supported_rates)
6609 			return -EINVAL;
6610 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6611 		    params->link_sta_params.vht_capa ||
6612 		    params->link_sta_params.he_capa ||
6613 		    params->link_sta_params.eht_capa)
6614 			return -EINVAL;
6615 	}
6616 
6617 	if (statype != CFG80211_STA_AP_CLIENT &&
6618 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6619 		if (params->vlan)
6620 			return -EINVAL;
6621 	}
6622 
6623 	switch (statype) {
6624 	case CFG80211_STA_AP_MLME_CLIENT:
6625 		/* Use this only for authorizing/unauthorizing a station */
6626 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6627 			return -EOPNOTSUPP;
6628 		break;
6629 	case CFG80211_STA_AP_CLIENT:
6630 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6631 		/* accept only the listed bits */
6632 		if (params->sta_flags_mask &
6633 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6634 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6635 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6636 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6637 				  BIT(NL80211_STA_FLAG_WME) |
6638 				  BIT(NL80211_STA_FLAG_MFP)))
6639 			return -EINVAL;
6640 
6641 		/* but authenticated/associated only if driver handles it */
6642 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6643 		    params->sta_flags_mask &
6644 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6645 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6646 			return -EINVAL;
6647 		break;
6648 	case CFG80211_STA_IBSS:
6649 	case CFG80211_STA_AP_STA:
6650 		/* reject any changes other than AUTHORIZED */
6651 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6652 			return -EINVAL;
6653 		break;
6654 	case CFG80211_STA_TDLS_PEER_SETUP:
6655 		/* reject any changes other than AUTHORIZED or WME */
6656 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6657 					       BIT(NL80211_STA_FLAG_WME)))
6658 			return -EINVAL;
6659 		/* force (at least) rates when authorizing */
6660 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6661 		    !params->link_sta_params.supported_rates)
6662 			return -EINVAL;
6663 		break;
6664 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6665 		/* reject any changes */
6666 		return -EINVAL;
6667 	case CFG80211_STA_MESH_PEER_KERNEL:
6668 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6669 			return -EINVAL;
6670 		break;
6671 	case CFG80211_STA_MESH_PEER_USER:
6672 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6673 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6674 			return -EINVAL;
6675 		break;
6676 	}
6677 
6678 	/*
6679 	 * Older kernel versions ignored this attribute entirely, so don't
6680 	 * reject attempts to update it but mark it as unused instead so the
6681 	 * driver won't look at the data.
6682 	 */
6683 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6684 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6685 		params->link_sta_params.opmode_notif_used = false;
6686 
6687 	return 0;
6688 }
6689 EXPORT_SYMBOL(cfg80211_check_station_change);
6690 
6691 /*
6692  * Get vlan interface making sure it is running and on the right wiphy.
6693  */
6694 static struct net_device *get_vlan(struct genl_info *info,
6695 				   struct cfg80211_registered_device *rdev)
6696 {
6697 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6698 	struct net_device *v;
6699 	int ret;
6700 
6701 	if (!vlanattr)
6702 		return NULL;
6703 
6704 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6705 	if (!v)
6706 		return ERR_PTR(-ENODEV);
6707 
6708 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6709 		ret = -EINVAL;
6710 		goto error;
6711 	}
6712 
6713 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6714 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6715 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6716 		ret = -EINVAL;
6717 		goto error;
6718 	}
6719 
6720 	if (!netif_running(v)) {
6721 		ret = -ENETDOWN;
6722 		goto error;
6723 	}
6724 
6725 	return v;
6726  error:
6727 	dev_put(v);
6728 	return ERR_PTR(ret);
6729 }
6730 
6731 static int nl80211_parse_sta_wme(struct genl_info *info,
6732 				 struct station_parameters *params)
6733 {
6734 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6735 	struct nlattr *nla;
6736 	int err;
6737 
6738 	/* parse WME attributes if present */
6739 	if (!info->attrs[NL80211_ATTR_STA_WME])
6740 		return 0;
6741 
6742 	nla = info->attrs[NL80211_ATTR_STA_WME];
6743 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6744 					  nl80211_sta_wme_policy,
6745 					  info->extack);
6746 	if (err)
6747 		return err;
6748 
6749 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6750 		params->uapsd_queues = nla_get_u8(
6751 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6752 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6753 		return -EINVAL;
6754 
6755 	if (tb[NL80211_STA_WME_MAX_SP])
6756 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6757 
6758 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6759 		return -EINVAL;
6760 
6761 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6762 
6763 	return 0;
6764 }
6765 
6766 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6767 				      struct station_parameters *params)
6768 {
6769 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6770 		params->supported_channels =
6771 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6772 		params->supported_channels_len =
6773 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6774 		/*
6775 		 * Need to include at least one (first channel, number of
6776 		 * channels) tuple for each subband (checked in policy),
6777 		 * and must have proper tuples for the rest of the data as well.
6778 		 */
6779 		if (params->supported_channels_len % 2)
6780 			return -EINVAL;
6781 	}
6782 
6783 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6784 		params->supported_oper_classes =
6785 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6786 		params->supported_oper_classes_len =
6787 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6788 	}
6789 	return 0;
6790 }
6791 
6792 static int nl80211_set_station_tdls(struct genl_info *info,
6793 				    struct station_parameters *params)
6794 {
6795 	int err;
6796 	/* Dummy STA entry gets updated once the peer capabilities are known */
6797 	if (info->attrs[NL80211_ATTR_PEER_AID])
6798 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6799 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6800 		params->link_sta_params.ht_capa =
6801 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6802 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6803 		params->link_sta_params.vht_capa =
6804 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6805 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6806 		params->link_sta_params.he_capa =
6807 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6808 		params->link_sta_params.he_capa_len =
6809 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6810 
6811 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6812 			params->link_sta_params.eht_capa =
6813 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6814 			params->link_sta_params.eht_capa_len =
6815 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6816 
6817 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
6818 							(const u8 *)params->link_sta_params.eht_capa,
6819 							params->link_sta_params.eht_capa_len))
6820 				return -EINVAL;
6821 		}
6822 	}
6823 
6824 	err = nl80211_parse_sta_channel_info(info, params);
6825 	if (err)
6826 		return err;
6827 
6828 	return nl80211_parse_sta_wme(info, params);
6829 }
6830 
6831 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6832 					     struct sta_txpwr *txpwr,
6833 					     bool *txpwr_set)
6834 {
6835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6836 	int idx;
6837 
6838 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6839 		if (!rdev->ops->set_tx_power ||
6840 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6841 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6842 			return -EOPNOTSUPP;
6843 
6844 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6845 		txpwr->type = nla_get_u8(info->attrs[idx]);
6846 
6847 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
6848 			idx = NL80211_ATTR_STA_TX_POWER;
6849 
6850 			if (info->attrs[idx])
6851 				txpwr->power = nla_get_s16(info->attrs[idx]);
6852 			else
6853 				return -EINVAL;
6854 		}
6855 
6856 		*txpwr_set = true;
6857 	} else {
6858 		*txpwr_set = false;
6859 	}
6860 
6861 	return 0;
6862 }
6863 
6864 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6865 {
6866 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6867 	struct net_device *dev = info->user_ptr[1];
6868 	struct station_parameters params;
6869 	u8 *mac_addr;
6870 	int err;
6871 
6872 	memset(&params, 0, sizeof(params));
6873 
6874 	if (!rdev->ops->change_station)
6875 		return -EOPNOTSUPP;
6876 
6877 	/*
6878 	 * AID and listen_interval properties can be set only for unassociated
6879 	 * station. Include these parameters here and will check them in
6880 	 * cfg80211_check_station_change().
6881 	 */
6882 	if (info->attrs[NL80211_ATTR_STA_AID])
6883 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6884 
6885 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6886 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6887 
6888 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6889 		params.listen_interval =
6890 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6891 	else
6892 		params.listen_interval = -1;
6893 
6894 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6895 		params.support_p2p_ps =
6896 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6897 	else
6898 		params.support_p2p_ps = -1;
6899 
6900 	if (!info->attrs[NL80211_ATTR_MAC])
6901 		return -EINVAL;
6902 
6903 	params.link_sta_params.link_id =
6904 		nl80211_link_id_or_invalid(info->attrs);
6905 
6906 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
6907 		/* If MLD_ADDR attribute is set then this is an MLD station
6908 		 * and the MLD_ADDR attribute holds the MLD address and the
6909 		 * MAC attribute holds for the LINK address.
6910 		 * In that case, the link_id is also expected to be valid.
6911 		 */
6912 		if (params.link_sta_params.link_id < 0)
6913 			return -EINVAL;
6914 
6915 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
6916 		params.link_sta_params.mld_mac = mac_addr;
6917 		params.link_sta_params.link_mac =
6918 			nla_data(info->attrs[NL80211_ATTR_MAC]);
6919 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
6920 			return -EINVAL;
6921 	} else {
6922 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6923 	}
6924 
6925 
6926 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6927 		params.link_sta_params.supported_rates =
6928 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6929 		params.link_sta_params.supported_rates_len =
6930 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6931 	}
6932 
6933 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6934 		params.capability =
6935 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6936 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6937 	}
6938 
6939 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6940 		params.ext_capab =
6941 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6942 		params.ext_capab_len =
6943 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6944 	}
6945 
6946 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6947 		return -EINVAL;
6948 
6949 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6950 		params.plink_action =
6951 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6952 
6953 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6954 		params.plink_state =
6955 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6956 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6957 			params.peer_aid = nla_get_u16(
6958 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6959 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6960 	}
6961 
6962 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6963 		params.local_pm = nla_get_u32(
6964 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6965 
6966 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6967 		params.link_sta_params.opmode_notif_used = true;
6968 		params.link_sta_params.opmode_notif =
6969 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6970 	}
6971 
6972 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6973 		params.link_sta_params.he_6ghz_capa =
6974 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6975 
6976 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6977 		params.airtime_weight =
6978 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6979 
6980 	if (params.airtime_weight &&
6981 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6982 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6983 		return -EOPNOTSUPP;
6984 
6985 	err = nl80211_parse_sta_txpower_setting(info,
6986 						&params.link_sta_params.txpwr,
6987 						&params.link_sta_params.txpwr_set);
6988 	if (err)
6989 		return err;
6990 
6991 	/* Include parameters for TDLS peer (will check later) */
6992 	err = nl80211_set_station_tdls(info, &params);
6993 	if (err)
6994 		return err;
6995 
6996 	params.vlan = get_vlan(info, rdev);
6997 	if (IS_ERR(params.vlan))
6998 		return PTR_ERR(params.vlan);
6999 
7000 	switch (dev->ieee80211_ptr->iftype) {
7001 	case NL80211_IFTYPE_AP:
7002 	case NL80211_IFTYPE_AP_VLAN:
7003 	case NL80211_IFTYPE_P2P_GO:
7004 	case NL80211_IFTYPE_P2P_CLIENT:
7005 	case NL80211_IFTYPE_STATION:
7006 	case NL80211_IFTYPE_ADHOC:
7007 	case NL80211_IFTYPE_MESH_POINT:
7008 		break;
7009 	default:
7010 		err = -EOPNOTSUPP;
7011 		goto out_put_vlan;
7012 	}
7013 
7014 	/* driver will call cfg80211_check_station_change() */
7015 	wdev_lock(dev->ieee80211_ptr);
7016 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7017 	wdev_unlock(dev->ieee80211_ptr);
7018 
7019  out_put_vlan:
7020 	dev_put(params.vlan);
7021 
7022 	return err;
7023 }
7024 
7025 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7026 {
7027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7028 	int err;
7029 	struct net_device *dev = info->user_ptr[1];
7030 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7031 	struct station_parameters params;
7032 	u8 *mac_addr = NULL;
7033 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7034 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7035 
7036 	memset(&params, 0, sizeof(params));
7037 
7038 	if (!rdev->ops->add_station)
7039 		return -EOPNOTSUPP;
7040 
7041 	if (!info->attrs[NL80211_ATTR_MAC])
7042 		return -EINVAL;
7043 
7044 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7045 		return -EINVAL;
7046 
7047 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7048 		return -EINVAL;
7049 
7050 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7051 	    !info->attrs[NL80211_ATTR_PEER_AID])
7052 		return -EINVAL;
7053 
7054 	params.link_sta_params.link_id =
7055 		nl80211_link_id_or_invalid(info->attrs);
7056 
7057 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7058 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7059 		params.link_sta_params.mld_mac = mac_addr;
7060 		params.link_sta_params.link_mac =
7061 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7062 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7063 			return -EINVAL;
7064 	} else {
7065 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7066 	}
7067 
7068 	params.link_sta_params.supported_rates =
7069 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7070 	params.link_sta_params.supported_rates_len =
7071 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7072 	params.listen_interval =
7073 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7074 
7075 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7076 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7077 
7078 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7079 		params.support_p2p_ps =
7080 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7081 	} else {
7082 		/*
7083 		 * if not specified, assume it's supported for P2P GO interface,
7084 		 * and is NOT supported for AP interface
7085 		 */
7086 		params.support_p2p_ps =
7087 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7088 	}
7089 
7090 	if (info->attrs[NL80211_ATTR_PEER_AID])
7091 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7092 	else
7093 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7094 
7095 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7096 		params.capability =
7097 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7098 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7099 	}
7100 
7101 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7102 		params.ext_capab =
7103 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7104 		params.ext_capab_len =
7105 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7106 	}
7107 
7108 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7109 		params.link_sta_params.ht_capa =
7110 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7111 
7112 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7113 		params.link_sta_params.vht_capa =
7114 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7115 
7116 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7117 		params.link_sta_params.he_capa =
7118 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7119 		params.link_sta_params.he_capa_len =
7120 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7121 
7122 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7123 			params.link_sta_params.eht_capa =
7124 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7125 			params.link_sta_params.eht_capa_len =
7126 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7127 
7128 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7129 							(const u8 *)params.link_sta_params.eht_capa,
7130 							params.link_sta_params.eht_capa_len))
7131 				return -EINVAL;
7132 		}
7133 	}
7134 
7135 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7136 		params.link_sta_params.he_6ghz_capa =
7137 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7138 
7139 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7140 		params.link_sta_params.opmode_notif_used = true;
7141 		params.link_sta_params.opmode_notif =
7142 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7143 	}
7144 
7145 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7146 		params.plink_action =
7147 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7148 
7149 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7150 		params.airtime_weight =
7151 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7152 
7153 	if (params.airtime_weight &&
7154 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7155 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7156 		return -EOPNOTSUPP;
7157 
7158 	err = nl80211_parse_sta_txpower_setting(info,
7159 						&params.link_sta_params.txpwr,
7160 						&params.link_sta_params.txpwr_set);
7161 	if (err)
7162 		return err;
7163 
7164 	err = nl80211_parse_sta_channel_info(info, &params);
7165 	if (err)
7166 		return err;
7167 
7168 	err = nl80211_parse_sta_wme(info, &params);
7169 	if (err)
7170 		return err;
7171 
7172 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7173 		return -EINVAL;
7174 
7175 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7176 	 * as userspace might just pass through the capabilities from the IEs
7177 	 * directly, rather than enforcing this restriction and returning an
7178 	 * error in this case.
7179 	 */
7180 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7181 		params.link_sta_params.ht_capa = NULL;
7182 		params.link_sta_params.vht_capa = NULL;
7183 
7184 		/* HE and EHT require WME */
7185 		if (params.link_sta_params.he_capa_len ||
7186 		    params.link_sta_params.he_6ghz_capa ||
7187 		    params.link_sta_params.eht_capa_len)
7188 			return -EINVAL;
7189 	}
7190 
7191 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7192 	if (params.link_sta_params.he_6ghz_capa &&
7193 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7194 		return -EINVAL;
7195 
7196 	/* When you run into this, adjust the code below for the new flag */
7197 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7198 
7199 	switch (dev->ieee80211_ptr->iftype) {
7200 	case NL80211_IFTYPE_AP:
7201 	case NL80211_IFTYPE_AP_VLAN:
7202 	case NL80211_IFTYPE_P2P_GO:
7203 		/* ignore WME attributes if iface/sta is not capable */
7204 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7205 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7206 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7207 
7208 		/* TDLS peers cannot be added */
7209 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7210 		    info->attrs[NL80211_ATTR_PEER_AID])
7211 			return -EINVAL;
7212 		/* but don't bother the driver with it */
7213 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7214 
7215 		/* allow authenticated/associated only if driver handles it */
7216 		if (!(rdev->wiphy.features &
7217 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7218 		    params.sta_flags_mask & auth_assoc)
7219 			return -EINVAL;
7220 
7221 		/* Older userspace, or userspace wanting to be compatible with
7222 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7223 		 * and assoc flags in the mask, but assumes the station will be
7224 		 * added as associated anyway since this was the required driver
7225 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7226 		 * introduced.
7227 		 * In order to not bother drivers with this quirk in the API
7228 		 * set the flags in both the mask and set for new stations in
7229 		 * this case.
7230 		 */
7231 		if (!(params.sta_flags_mask & auth_assoc)) {
7232 			params.sta_flags_mask |= auth_assoc;
7233 			params.sta_flags_set |= auth_assoc;
7234 		}
7235 
7236 		/* must be last in here for error handling */
7237 		params.vlan = get_vlan(info, rdev);
7238 		if (IS_ERR(params.vlan))
7239 			return PTR_ERR(params.vlan);
7240 		break;
7241 	case NL80211_IFTYPE_MESH_POINT:
7242 		/* ignore uAPSD data */
7243 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7244 
7245 		/* associated is disallowed */
7246 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7247 			return -EINVAL;
7248 		/* TDLS peers cannot be added */
7249 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7250 		    info->attrs[NL80211_ATTR_PEER_AID])
7251 			return -EINVAL;
7252 		break;
7253 	case NL80211_IFTYPE_STATION:
7254 	case NL80211_IFTYPE_P2P_CLIENT:
7255 		/* ignore uAPSD data */
7256 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7257 
7258 		/* these are disallowed */
7259 		if (params.sta_flags_mask &
7260 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7261 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7262 			return -EINVAL;
7263 		/* Only TDLS peers can be added */
7264 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7265 			return -EINVAL;
7266 		/* Can only add if TDLS ... */
7267 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7268 			return -EOPNOTSUPP;
7269 		/* ... with external setup is supported */
7270 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7271 			return -EOPNOTSUPP;
7272 		/*
7273 		 * Older wpa_supplicant versions always mark the TDLS peer
7274 		 * as authorized, but it shouldn't yet be.
7275 		 */
7276 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7277 		break;
7278 	default:
7279 		return -EOPNOTSUPP;
7280 	}
7281 
7282 	/* be aware of params.vlan when changing code here */
7283 
7284 	wdev_lock(dev->ieee80211_ptr);
7285 	if (wdev->valid_links) {
7286 		if (params.link_sta_params.link_id < 0) {
7287 			err = -EINVAL;
7288 			goto out;
7289 		}
7290 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7291 			err = -ENOLINK;
7292 			goto out;
7293 		}
7294 	} else {
7295 		if (params.link_sta_params.link_id >= 0) {
7296 			err = -EINVAL;
7297 			goto out;
7298 		}
7299 	}
7300 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7301 out:
7302 	wdev_unlock(dev->ieee80211_ptr);
7303 	dev_put(params.vlan);
7304 	return err;
7305 }
7306 
7307 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7308 {
7309 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7310 	struct net_device *dev = info->user_ptr[1];
7311 	struct station_del_parameters params;
7312 	int ret;
7313 
7314 	memset(&params, 0, sizeof(params));
7315 
7316 	if (info->attrs[NL80211_ATTR_MAC])
7317 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7318 
7319 	switch (dev->ieee80211_ptr->iftype) {
7320 	case NL80211_IFTYPE_AP:
7321 	case NL80211_IFTYPE_AP_VLAN:
7322 	case NL80211_IFTYPE_MESH_POINT:
7323 	case NL80211_IFTYPE_P2P_GO:
7324 		/* always accept these */
7325 		break;
7326 	case NL80211_IFTYPE_ADHOC:
7327 		/* conditionally accept */
7328 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7329 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7330 			break;
7331 		return -EINVAL;
7332 	default:
7333 		return -EINVAL;
7334 	}
7335 
7336 	if (!rdev->ops->del_station)
7337 		return -EOPNOTSUPP;
7338 
7339 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7340 		params.subtype =
7341 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7342 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7343 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7344 			return -EINVAL;
7345 	} else {
7346 		/* Default to Deauthentication frame */
7347 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7348 	}
7349 
7350 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7351 		params.reason_code =
7352 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7353 		if (params.reason_code == 0)
7354 			return -EINVAL; /* 0 is reserved */
7355 	} else {
7356 		/* Default to reason code 2 */
7357 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7358 	}
7359 
7360 	wdev_lock(dev->ieee80211_ptr);
7361 	ret = rdev_del_station(rdev, dev, &params);
7362 	wdev_unlock(dev->ieee80211_ptr);
7363 
7364 	return ret;
7365 }
7366 
7367 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7368 				int flags, struct net_device *dev,
7369 				u8 *dst, u8 *next_hop,
7370 				struct mpath_info *pinfo)
7371 {
7372 	void *hdr;
7373 	struct nlattr *pinfoattr;
7374 
7375 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7376 	if (!hdr)
7377 		return -1;
7378 
7379 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7380 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7381 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7382 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7383 		goto nla_put_failure;
7384 
7385 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7386 	if (!pinfoattr)
7387 		goto nla_put_failure;
7388 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7389 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7390 			pinfo->frame_qlen))
7391 		goto nla_put_failure;
7392 	if (((pinfo->filled & MPATH_INFO_SN) &&
7393 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7394 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7395 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7396 			 pinfo->metric)) ||
7397 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7398 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7399 			 pinfo->exptime)) ||
7400 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7401 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7402 			pinfo->flags)) ||
7403 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7404 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7405 			 pinfo->discovery_timeout)) ||
7406 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7407 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7408 			pinfo->discovery_retries)) ||
7409 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7410 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7411 			pinfo->hop_count)) ||
7412 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7413 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7414 			 pinfo->path_change_count)))
7415 		goto nla_put_failure;
7416 
7417 	nla_nest_end(msg, pinfoattr);
7418 
7419 	genlmsg_end(msg, hdr);
7420 	return 0;
7421 
7422  nla_put_failure:
7423 	genlmsg_cancel(msg, hdr);
7424 	return -EMSGSIZE;
7425 }
7426 
7427 static int nl80211_dump_mpath(struct sk_buff *skb,
7428 			      struct netlink_callback *cb)
7429 {
7430 	struct mpath_info pinfo;
7431 	struct cfg80211_registered_device *rdev;
7432 	struct wireless_dev *wdev;
7433 	u8 dst[ETH_ALEN];
7434 	u8 next_hop[ETH_ALEN];
7435 	int path_idx = cb->args[2];
7436 	int err;
7437 
7438 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7439 	if (err)
7440 		return err;
7441 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7442 	__acquire(&rdev->wiphy.mtx);
7443 
7444 	if (!rdev->ops->dump_mpath) {
7445 		err = -EOPNOTSUPP;
7446 		goto out_err;
7447 	}
7448 
7449 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7450 		err = -EOPNOTSUPP;
7451 		goto out_err;
7452 	}
7453 
7454 	while (1) {
7455 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7456 				      next_hop, &pinfo);
7457 		if (err == -ENOENT)
7458 			break;
7459 		if (err)
7460 			goto out_err;
7461 
7462 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7463 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7464 				       wdev->netdev, dst, next_hop,
7465 				       &pinfo) < 0)
7466 			goto out;
7467 
7468 		path_idx++;
7469 	}
7470 
7471  out:
7472 	cb->args[2] = path_idx;
7473 	err = skb->len;
7474  out_err:
7475 	wiphy_unlock(&rdev->wiphy);
7476 	return err;
7477 }
7478 
7479 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7480 {
7481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7482 	int err;
7483 	struct net_device *dev = info->user_ptr[1];
7484 	struct mpath_info pinfo;
7485 	struct sk_buff *msg;
7486 	u8 *dst = NULL;
7487 	u8 next_hop[ETH_ALEN];
7488 
7489 	memset(&pinfo, 0, sizeof(pinfo));
7490 
7491 	if (!info->attrs[NL80211_ATTR_MAC])
7492 		return -EINVAL;
7493 
7494 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7495 
7496 	if (!rdev->ops->get_mpath)
7497 		return -EOPNOTSUPP;
7498 
7499 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7500 		return -EOPNOTSUPP;
7501 
7502 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7503 	if (err)
7504 		return err;
7505 
7506 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7507 	if (!msg)
7508 		return -ENOMEM;
7509 
7510 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7511 				 dev, dst, next_hop, &pinfo) < 0) {
7512 		nlmsg_free(msg);
7513 		return -ENOBUFS;
7514 	}
7515 
7516 	return genlmsg_reply(msg, info);
7517 }
7518 
7519 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7520 {
7521 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7522 	struct net_device *dev = info->user_ptr[1];
7523 	u8 *dst = NULL;
7524 	u8 *next_hop = NULL;
7525 
7526 	if (!info->attrs[NL80211_ATTR_MAC])
7527 		return -EINVAL;
7528 
7529 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7530 		return -EINVAL;
7531 
7532 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7533 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7534 
7535 	if (!rdev->ops->change_mpath)
7536 		return -EOPNOTSUPP;
7537 
7538 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7539 		return -EOPNOTSUPP;
7540 
7541 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7542 }
7543 
7544 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7545 {
7546 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7547 	struct net_device *dev = info->user_ptr[1];
7548 	u8 *dst = NULL;
7549 	u8 *next_hop = NULL;
7550 
7551 	if (!info->attrs[NL80211_ATTR_MAC])
7552 		return -EINVAL;
7553 
7554 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7555 		return -EINVAL;
7556 
7557 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7558 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7559 
7560 	if (!rdev->ops->add_mpath)
7561 		return -EOPNOTSUPP;
7562 
7563 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7564 		return -EOPNOTSUPP;
7565 
7566 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7567 }
7568 
7569 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7570 {
7571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7572 	struct net_device *dev = info->user_ptr[1];
7573 	u8 *dst = NULL;
7574 
7575 	if (info->attrs[NL80211_ATTR_MAC])
7576 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7577 
7578 	if (!rdev->ops->del_mpath)
7579 		return -EOPNOTSUPP;
7580 
7581 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7582 		return -EOPNOTSUPP;
7583 
7584 	return rdev_del_mpath(rdev, dev, dst);
7585 }
7586 
7587 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7588 {
7589 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7590 	int err;
7591 	struct net_device *dev = info->user_ptr[1];
7592 	struct mpath_info pinfo;
7593 	struct sk_buff *msg;
7594 	u8 *dst = NULL;
7595 	u8 mpp[ETH_ALEN];
7596 
7597 	memset(&pinfo, 0, sizeof(pinfo));
7598 
7599 	if (!info->attrs[NL80211_ATTR_MAC])
7600 		return -EINVAL;
7601 
7602 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7603 
7604 	if (!rdev->ops->get_mpp)
7605 		return -EOPNOTSUPP;
7606 
7607 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7608 		return -EOPNOTSUPP;
7609 
7610 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7611 	if (err)
7612 		return err;
7613 
7614 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7615 	if (!msg)
7616 		return -ENOMEM;
7617 
7618 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7619 			       dev, dst, mpp, &pinfo) < 0) {
7620 		nlmsg_free(msg);
7621 		return -ENOBUFS;
7622 	}
7623 
7624 	return genlmsg_reply(msg, info);
7625 }
7626 
7627 static int nl80211_dump_mpp(struct sk_buff *skb,
7628 			    struct netlink_callback *cb)
7629 {
7630 	struct mpath_info pinfo;
7631 	struct cfg80211_registered_device *rdev;
7632 	struct wireless_dev *wdev;
7633 	u8 dst[ETH_ALEN];
7634 	u8 mpp[ETH_ALEN];
7635 	int path_idx = cb->args[2];
7636 	int err;
7637 
7638 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7639 	if (err)
7640 		return err;
7641 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7642 	__acquire(&rdev->wiphy.mtx);
7643 
7644 	if (!rdev->ops->dump_mpp) {
7645 		err = -EOPNOTSUPP;
7646 		goto out_err;
7647 	}
7648 
7649 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7650 		err = -EOPNOTSUPP;
7651 		goto out_err;
7652 	}
7653 
7654 	while (1) {
7655 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7656 				    mpp, &pinfo);
7657 		if (err == -ENOENT)
7658 			break;
7659 		if (err)
7660 			goto out_err;
7661 
7662 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7663 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7664 				       wdev->netdev, dst, mpp,
7665 				       &pinfo) < 0)
7666 			goto out;
7667 
7668 		path_idx++;
7669 	}
7670 
7671  out:
7672 	cb->args[2] = path_idx;
7673 	err = skb->len;
7674  out_err:
7675 	wiphy_unlock(&rdev->wiphy);
7676 	return err;
7677 }
7678 
7679 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7680 {
7681 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7682 	struct net_device *dev = info->user_ptr[1];
7683 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7684 	struct bss_parameters params;
7685 	int err;
7686 
7687 	memset(&params, 0, sizeof(params));
7688 	/* default to not changing parameters */
7689 	params.use_cts_prot = -1;
7690 	params.use_short_preamble = -1;
7691 	params.use_short_slot_time = -1;
7692 	params.ap_isolate = -1;
7693 	params.ht_opmode = -1;
7694 	params.p2p_ctwindow = -1;
7695 	params.p2p_opp_ps = -1;
7696 
7697 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7698 		params.use_cts_prot =
7699 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7700 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7701 		params.use_short_preamble =
7702 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7703 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7704 		params.use_short_slot_time =
7705 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7706 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7707 		params.basic_rates =
7708 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7709 		params.basic_rates_len =
7710 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7711 	}
7712 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7713 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7714 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7715 		params.ht_opmode =
7716 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7717 
7718 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7719 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7720 			return -EINVAL;
7721 		params.p2p_ctwindow =
7722 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7723 		if (params.p2p_ctwindow != 0 &&
7724 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7725 			return -EINVAL;
7726 	}
7727 
7728 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7729 		u8 tmp;
7730 
7731 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7732 			return -EINVAL;
7733 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7734 		params.p2p_opp_ps = tmp;
7735 		if (params.p2p_opp_ps &&
7736 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7737 			return -EINVAL;
7738 	}
7739 
7740 	if (!rdev->ops->change_bss)
7741 		return -EOPNOTSUPP;
7742 
7743 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7744 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7745 		return -EOPNOTSUPP;
7746 
7747 	wdev_lock(wdev);
7748 	err = rdev_change_bss(rdev, dev, &params);
7749 	wdev_unlock(wdev);
7750 
7751 	return err;
7752 }
7753 
7754 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7755 {
7756 	char *data = NULL;
7757 	bool is_indoor;
7758 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7759 	u32 owner_nlportid;
7760 
7761 	/*
7762 	 * You should only get this when cfg80211 hasn't yet initialized
7763 	 * completely when built-in to the kernel right between the time
7764 	 * window between nl80211_init() and regulatory_init(), if that is
7765 	 * even possible.
7766 	 */
7767 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7768 		return -EINPROGRESS;
7769 
7770 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7771 		user_reg_hint_type =
7772 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7773 	else
7774 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7775 
7776 	switch (user_reg_hint_type) {
7777 	case NL80211_USER_REG_HINT_USER:
7778 	case NL80211_USER_REG_HINT_CELL_BASE:
7779 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7780 			return -EINVAL;
7781 
7782 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7783 		return regulatory_hint_user(data, user_reg_hint_type);
7784 	case NL80211_USER_REG_HINT_INDOOR:
7785 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7786 			owner_nlportid = info->snd_portid;
7787 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7788 		} else {
7789 			owner_nlportid = 0;
7790 			is_indoor = true;
7791 		}
7792 
7793 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7794 	default:
7795 		return -EINVAL;
7796 	}
7797 }
7798 
7799 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7800 {
7801 	return reg_reload_regdb();
7802 }
7803 
7804 static int nl80211_get_mesh_config(struct sk_buff *skb,
7805 				   struct genl_info *info)
7806 {
7807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7808 	struct net_device *dev = info->user_ptr[1];
7809 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7810 	struct mesh_config cur_params;
7811 	int err = 0;
7812 	void *hdr;
7813 	struct nlattr *pinfoattr;
7814 	struct sk_buff *msg;
7815 
7816 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7817 		return -EOPNOTSUPP;
7818 
7819 	if (!rdev->ops->get_mesh_config)
7820 		return -EOPNOTSUPP;
7821 
7822 	wdev_lock(wdev);
7823 	/* If not connected, get default parameters */
7824 	if (!wdev->u.mesh.id_len)
7825 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7826 	else
7827 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7828 	wdev_unlock(wdev);
7829 
7830 	if (err)
7831 		return err;
7832 
7833 	/* Draw up a netlink message to send back */
7834 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7835 	if (!msg)
7836 		return -ENOMEM;
7837 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7838 			     NL80211_CMD_GET_MESH_CONFIG);
7839 	if (!hdr)
7840 		goto out;
7841 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7842 	if (!pinfoattr)
7843 		goto nla_put_failure;
7844 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7845 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7846 			cur_params.dot11MeshRetryTimeout) ||
7847 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7848 			cur_params.dot11MeshConfirmTimeout) ||
7849 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7850 			cur_params.dot11MeshHoldingTimeout) ||
7851 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7852 			cur_params.dot11MeshMaxPeerLinks) ||
7853 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7854 		       cur_params.dot11MeshMaxRetries) ||
7855 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7856 		       cur_params.dot11MeshTTL) ||
7857 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7858 		       cur_params.element_ttl) ||
7859 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7860 		       cur_params.auto_open_plinks) ||
7861 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7862 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7863 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7864 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7865 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7866 			cur_params.path_refresh_time) ||
7867 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7868 			cur_params.min_discovery_timeout) ||
7869 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7870 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7871 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7872 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7873 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7874 			cur_params.dot11MeshHWMPperrMinInterval) ||
7875 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7876 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7877 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7878 		       cur_params.dot11MeshHWMPRootMode) ||
7879 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7880 			cur_params.dot11MeshHWMPRannInterval) ||
7881 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7882 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7883 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7884 		       cur_params.dot11MeshForwarding) ||
7885 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7886 			cur_params.rssi_threshold) ||
7887 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7888 			cur_params.ht_opmode) ||
7889 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7890 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7891 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7892 			cur_params.dot11MeshHWMProotInterval) ||
7893 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7894 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7895 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7896 			cur_params.power_mode) ||
7897 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7898 			cur_params.dot11MeshAwakeWindowDuration) ||
7899 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7900 			cur_params.plink_timeout) ||
7901 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7902 		       cur_params.dot11MeshConnectedToMeshGate) ||
7903 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7904 		       cur_params.dot11MeshNolearn) ||
7905 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7906 		       cur_params.dot11MeshConnectedToAuthServer))
7907 		goto nla_put_failure;
7908 	nla_nest_end(msg, pinfoattr);
7909 	genlmsg_end(msg, hdr);
7910 	return genlmsg_reply(msg, info);
7911 
7912  nla_put_failure:
7913  out:
7914 	nlmsg_free(msg);
7915 	return -ENOBUFS;
7916 }
7917 
7918 static const struct nla_policy
7919 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7920 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7921 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7922 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7923 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7924 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7925 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7926 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7927 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7928 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7929 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7930 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7931 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7932 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7933 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7934 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7935 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7936 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7937 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7938 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7939 		NLA_POLICY_MIN(NLA_U16, 1),
7940 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7941 		NLA_POLICY_MIN(NLA_U16, 1),
7942 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7943 		NLA_POLICY_MIN(NLA_U16, 1),
7944 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7945 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7946 		NLA_POLICY_MIN(NLA_U16, 1),
7947 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7948 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7949 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7950 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7951 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7952 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7953 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7954 		NLA_POLICY_MIN(NLA_U16, 1),
7955 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7956 		NLA_POLICY_MIN(NLA_U16, 1),
7957 	[NL80211_MESHCONF_POWER_MODE] =
7958 		NLA_POLICY_RANGE(NLA_U32,
7959 				 NL80211_MESH_POWER_ACTIVE,
7960 				 NL80211_MESH_POWER_MAX),
7961 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7962 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7963 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7964 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7965 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7966 };
7967 
7968 static const struct nla_policy
7969 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7970 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7971 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7972 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7973 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7974 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7975 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7976 	[NL80211_MESH_SETUP_IE] =
7977 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7978 				       IEEE80211_MAX_DATA_LEN),
7979 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7980 };
7981 
7982 static int nl80211_parse_mesh_config(struct genl_info *info,
7983 				     struct mesh_config *cfg,
7984 				     u32 *mask_out)
7985 {
7986 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7987 	u32 mask = 0;
7988 	u16 ht_opmode;
7989 
7990 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7991 do {									\
7992 	if (tb[attr]) {							\
7993 		cfg->param = fn(tb[attr]);				\
7994 		mask |= BIT((attr) - 1);				\
7995 	}								\
7996 } while (0)
7997 
7998 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7999 		return -EINVAL;
8000 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8001 		return -EINVAL;
8002 
8003 	/* This makes sure that there aren't more than 32 mesh config
8004 	 * parameters (otherwise our bitfield scheme would not work.) */
8005 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8006 
8007 	/* Fill in the params struct */
8008 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8009 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8010 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8011 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8012 				  nla_get_u16);
8013 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8014 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8015 				  nla_get_u16);
8016 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8017 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8018 				  nla_get_u16);
8019 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8020 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8021 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8022 				  NL80211_MESHCONF_TTL, nla_get_u8);
8023 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8024 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8025 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8026 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8027 				  nla_get_u8);
8028 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8029 				  mask,
8030 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8031 				  nla_get_u32);
8032 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8033 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8034 				  nla_get_u8);
8035 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8036 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8037 				  nla_get_u32);
8038 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8039 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8040 		return -EINVAL;
8041 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8042 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8043 				  nla_get_u16);
8044 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8045 				  mask,
8046 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8047 				  nla_get_u32);
8048 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8049 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8050 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8051 		return -EINVAL;
8052 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8053 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8054 				  nla_get_u16);
8055 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8056 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8057 				  nla_get_u16);
8058 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8059 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8060 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8061 				  nla_get_u16);
8062 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8063 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8064 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8065 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8066 				  nla_get_u16);
8067 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8068 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8069 				  nla_get_u8);
8070 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8071 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8072 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8073 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8074 				  nla_get_s32);
8075 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8076 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8077 				  nla_get_u8);
8078 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8079 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8080 				  nla_get_u8);
8081 	/*
8082 	 * Check HT operation mode based on
8083 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8084 	 */
8085 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8086 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8087 
8088 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8089 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8090 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8091 			return -EINVAL;
8092 
8093 		/* NON_HT_STA bit is reserved, but some programs set it */
8094 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8095 
8096 		cfg->ht_opmode = ht_opmode;
8097 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8098 	}
8099 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8100 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8101 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8102 				  nla_get_u32);
8103 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8104 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8105 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8106 		return -EINVAL;
8107 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8108 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8109 				  nla_get_u16);
8110 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8111 				  mask,
8112 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8113 				  nla_get_u16);
8114 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8115 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8116 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8117 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8118 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8119 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8120 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8121 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8122 	if (mask_out)
8123 		*mask_out = mask;
8124 
8125 	return 0;
8126 
8127 #undef FILL_IN_MESH_PARAM_IF_SET
8128 }
8129 
8130 static int nl80211_parse_mesh_setup(struct genl_info *info,
8131 				     struct mesh_setup *setup)
8132 {
8133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8134 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8135 
8136 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8137 		return -EINVAL;
8138 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8139 		return -EINVAL;
8140 
8141 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8142 		setup->sync_method =
8143 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8144 		 IEEE80211_SYNC_METHOD_VENDOR :
8145 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8146 
8147 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8148 		setup->path_sel_proto =
8149 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8150 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8151 		 IEEE80211_PATH_PROTOCOL_HWMP;
8152 
8153 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8154 		setup->path_metric =
8155 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8156 		 IEEE80211_PATH_METRIC_VENDOR :
8157 		 IEEE80211_PATH_METRIC_AIRTIME;
8158 
8159 	if (tb[NL80211_MESH_SETUP_IE]) {
8160 		struct nlattr *ieattr =
8161 			tb[NL80211_MESH_SETUP_IE];
8162 		setup->ie = nla_data(ieattr);
8163 		setup->ie_len = nla_len(ieattr);
8164 	}
8165 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8166 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8167 		return -EINVAL;
8168 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8169 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8170 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8171 	if (setup->is_secure)
8172 		setup->user_mpm = true;
8173 
8174 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8175 		if (!setup->user_mpm)
8176 			return -EINVAL;
8177 		setup->auth_id =
8178 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8179 	}
8180 
8181 	return 0;
8182 }
8183 
8184 static int nl80211_update_mesh_config(struct sk_buff *skb,
8185 				      struct genl_info *info)
8186 {
8187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8188 	struct net_device *dev = info->user_ptr[1];
8189 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8190 	struct mesh_config cfg;
8191 	u32 mask;
8192 	int err;
8193 
8194 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8195 		return -EOPNOTSUPP;
8196 
8197 	if (!rdev->ops->update_mesh_config)
8198 		return -EOPNOTSUPP;
8199 
8200 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8201 	if (err)
8202 		return err;
8203 
8204 	wdev_lock(wdev);
8205 	if (!wdev->u.mesh.id_len)
8206 		err = -ENOLINK;
8207 
8208 	if (!err)
8209 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8210 
8211 	wdev_unlock(wdev);
8212 
8213 	return err;
8214 }
8215 
8216 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8217 			      struct sk_buff *msg)
8218 {
8219 	struct nlattr *nl_reg_rules;
8220 	unsigned int i;
8221 
8222 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8223 	    (regdom->dfs_region &&
8224 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8225 		goto nla_put_failure;
8226 
8227 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8228 	if (!nl_reg_rules)
8229 		goto nla_put_failure;
8230 
8231 	for (i = 0; i < regdom->n_reg_rules; i++) {
8232 		struct nlattr *nl_reg_rule;
8233 		const struct ieee80211_reg_rule *reg_rule;
8234 		const struct ieee80211_freq_range *freq_range;
8235 		const struct ieee80211_power_rule *power_rule;
8236 		unsigned int max_bandwidth_khz;
8237 
8238 		reg_rule = &regdom->reg_rules[i];
8239 		freq_range = &reg_rule->freq_range;
8240 		power_rule = &reg_rule->power_rule;
8241 
8242 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8243 		if (!nl_reg_rule)
8244 			goto nla_put_failure;
8245 
8246 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8247 		if (!max_bandwidth_khz)
8248 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8249 								  reg_rule);
8250 
8251 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8252 				reg_rule->flags) ||
8253 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8254 				freq_range->start_freq_khz) ||
8255 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8256 				freq_range->end_freq_khz) ||
8257 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8258 				max_bandwidth_khz) ||
8259 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8260 				power_rule->max_antenna_gain) ||
8261 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8262 				power_rule->max_eirp) ||
8263 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8264 				reg_rule->dfs_cac_ms))
8265 			goto nla_put_failure;
8266 
8267 		nla_nest_end(msg, nl_reg_rule);
8268 	}
8269 
8270 	nla_nest_end(msg, nl_reg_rules);
8271 	return 0;
8272 
8273 nla_put_failure:
8274 	return -EMSGSIZE;
8275 }
8276 
8277 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8278 {
8279 	const struct ieee80211_regdomain *regdom = NULL;
8280 	struct cfg80211_registered_device *rdev;
8281 	struct wiphy *wiphy = NULL;
8282 	struct sk_buff *msg;
8283 	int err = -EMSGSIZE;
8284 	void *hdr;
8285 
8286 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8287 	if (!msg)
8288 		return -ENOBUFS;
8289 
8290 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8291 			     NL80211_CMD_GET_REG);
8292 	if (!hdr)
8293 		goto put_failure;
8294 
8295 	rtnl_lock();
8296 
8297 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8298 		bool self_managed;
8299 
8300 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8301 		if (IS_ERR(rdev)) {
8302 			err = PTR_ERR(rdev);
8303 			goto nla_put_failure;
8304 		}
8305 
8306 		wiphy = &rdev->wiphy;
8307 		self_managed = wiphy->regulatory_flags &
8308 			       REGULATORY_WIPHY_SELF_MANAGED;
8309 
8310 		rcu_read_lock();
8311 
8312 		regdom = get_wiphy_regdom(wiphy);
8313 
8314 		/* a self-managed-reg device must have a private regdom */
8315 		if (WARN_ON(!regdom && self_managed)) {
8316 			err = -EINVAL;
8317 			goto nla_put_failure_rcu;
8318 		}
8319 
8320 		if (regdom &&
8321 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8322 			goto nla_put_failure_rcu;
8323 	} else {
8324 		rcu_read_lock();
8325 	}
8326 
8327 	if (!wiphy && reg_last_request_cell_base() &&
8328 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8329 			NL80211_USER_REG_HINT_CELL_BASE))
8330 		goto nla_put_failure_rcu;
8331 
8332 	if (!regdom)
8333 		regdom = rcu_dereference(cfg80211_regdomain);
8334 
8335 	if (nl80211_put_regdom(regdom, msg))
8336 		goto nla_put_failure_rcu;
8337 
8338 	rcu_read_unlock();
8339 
8340 	genlmsg_end(msg, hdr);
8341 	rtnl_unlock();
8342 	return genlmsg_reply(msg, info);
8343 
8344 nla_put_failure_rcu:
8345 	rcu_read_unlock();
8346 nla_put_failure:
8347 	rtnl_unlock();
8348 put_failure:
8349 	nlmsg_free(msg);
8350 	return err;
8351 }
8352 
8353 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8354 			       u32 seq, int flags, struct wiphy *wiphy,
8355 			       const struct ieee80211_regdomain *regdom)
8356 {
8357 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8358 				   NL80211_CMD_GET_REG);
8359 
8360 	if (!hdr)
8361 		return -1;
8362 
8363 	genl_dump_check_consistent(cb, hdr);
8364 
8365 	if (nl80211_put_regdom(regdom, msg))
8366 		goto nla_put_failure;
8367 
8368 	if (!wiphy && reg_last_request_cell_base() &&
8369 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8370 			NL80211_USER_REG_HINT_CELL_BASE))
8371 		goto nla_put_failure;
8372 
8373 	if (wiphy &&
8374 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8375 		goto nla_put_failure;
8376 
8377 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8378 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8379 		goto nla_put_failure;
8380 
8381 	genlmsg_end(msg, hdr);
8382 	return 0;
8383 
8384 nla_put_failure:
8385 	genlmsg_cancel(msg, hdr);
8386 	return -EMSGSIZE;
8387 }
8388 
8389 static int nl80211_get_reg_dump(struct sk_buff *skb,
8390 				struct netlink_callback *cb)
8391 {
8392 	const struct ieee80211_regdomain *regdom = NULL;
8393 	struct cfg80211_registered_device *rdev;
8394 	int err, reg_idx, start = cb->args[2];
8395 
8396 	rcu_read_lock();
8397 
8398 	if (cfg80211_regdomain && start == 0) {
8399 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8400 					  NLM_F_MULTI, NULL,
8401 					  rcu_dereference(cfg80211_regdomain));
8402 		if (err < 0)
8403 			goto out_err;
8404 	}
8405 
8406 	/* the global regdom is idx 0 */
8407 	reg_idx = 1;
8408 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8409 		regdom = get_wiphy_regdom(&rdev->wiphy);
8410 		if (!regdom)
8411 			continue;
8412 
8413 		if (++reg_idx <= start)
8414 			continue;
8415 
8416 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8417 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8418 		if (err < 0) {
8419 			reg_idx--;
8420 			break;
8421 		}
8422 	}
8423 
8424 	cb->args[2] = reg_idx;
8425 	err = skb->len;
8426 out_err:
8427 	rcu_read_unlock();
8428 	return err;
8429 }
8430 
8431 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8432 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8433 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8434 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8435 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8436 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8437 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8438 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8439 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8440 };
8441 
8442 static int parse_reg_rule(struct nlattr *tb[],
8443 	struct ieee80211_reg_rule *reg_rule)
8444 {
8445 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8446 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8447 
8448 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8449 		return -EINVAL;
8450 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8451 		return -EINVAL;
8452 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8453 		return -EINVAL;
8454 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8455 		return -EINVAL;
8456 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8457 		return -EINVAL;
8458 
8459 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8460 
8461 	freq_range->start_freq_khz =
8462 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8463 	freq_range->end_freq_khz =
8464 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8465 	freq_range->max_bandwidth_khz =
8466 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8467 
8468 	power_rule->max_eirp =
8469 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8470 
8471 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8472 		power_rule->max_antenna_gain =
8473 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8474 
8475 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8476 		reg_rule->dfs_cac_ms =
8477 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8478 
8479 	return 0;
8480 }
8481 
8482 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8483 {
8484 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8485 	struct nlattr *nl_reg_rule;
8486 	char *alpha2;
8487 	int rem_reg_rules, r;
8488 	u32 num_rules = 0, rule_idx = 0;
8489 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8490 	struct ieee80211_regdomain *rd;
8491 
8492 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8493 		return -EINVAL;
8494 
8495 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8496 		return -EINVAL;
8497 
8498 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8499 
8500 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8501 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8502 
8503 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8504 			    rem_reg_rules) {
8505 		num_rules++;
8506 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8507 			return -EINVAL;
8508 	}
8509 
8510 	rtnl_lock();
8511 	if (!reg_is_valid_request(alpha2)) {
8512 		r = -EINVAL;
8513 		goto out;
8514 	}
8515 
8516 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8517 	if (!rd) {
8518 		r = -ENOMEM;
8519 		goto out;
8520 	}
8521 
8522 	rd->n_reg_rules = num_rules;
8523 	rd->alpha2[0] = alpha2[0];
8524 	rd->alpha2[1] = alpha2[1];
8525 
8526 	/*
8527 	 * Disable DFS master mode if the DFS region was
8528 	 * not supported or known on this kernel.
8529 	 */
8530 	if (reg_supported_dfs_region(dfs_region))
8531 		rd->dfs_region = dfs_region;
8532 
8533 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8534 			    rem_reg_rules) {
8535 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8536 						nl_reg_rule, reg_rule_policy,
8537 						info->extack);
8538 		if (r)
8539 			goto bad_reg;
8540 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8541 		if (r)
8542 			goto bad_reg;
8543 
8544 		rule_idx++;
8545 
8546 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8547 			r = -EINVAL;
8548 			goto bad_reg;
8549 		}
8550 	}
8551 
8552 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8553 	/* set_regdom takes ownership of rd */
8554 	rd = NULL;
8555  bad_reg:
8556 	kfree(rd);
8557  out:
8558 	rtnl_unlock();
8559 	return r;
8560 }
8561 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8562 
8563 static int validate_scan_freqs(struct nlattr *freqs)
8564 {
8565 	struct nlattr *attr1, *attr2;
8566 	int n_channels = 0, tmp1, tmp2;
8567 
8568 	nla_for_each_nested(attr1, freqs, tmp1)
8569 		if (nla_len(attr1) != sizeof(u32))
8570 			return 0;
8571 
8572 	nla_for_each_nested(attr1, freqs, tmp1) {
8573 		n_channels++;
8574 		/*
8575 		 * Some hardware has a limited channel list for
8576 		 * scanning, and it is pretty much nonsensical
8577 		 * to scan for a channel twice, so disallow that
8578 		 * and don't require drivers to check that the
8579 		 * channel list they get isn't longer than what
8580 		 * they can scan, as long as they can scan all
8581 		 * the channels they registered at once.
8582 		 */
8583 		nla_for_each_nested(attr2, freqs, tmp2)
8584 			if (attr1 != attr2 &&
8585 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8586 				return 0;
8587 	}
8588 
8589 	return n_channels;
8590 }
8591 
8592 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8593 {
8594 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8595 }
8596 
8597 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8598 			    struct cfg80211_bss_selection *bss_select)
8599 {
8600 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8601 	struct nlattr *nest;
8602 	int err;
8603 	bool found = false;
8604 	int i;
8605 
8606 	/* only process one nested attribute */
8607 	nest = nla_data(nla);
8608 	if (!nla_ok(nest, nla_len(nest)))
8609 		return -EINVAL;
8610 
8611 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8612 					  nest, nl80211_bss_select_policy,
8613 					  NULL);
8614 	if (err)
8615 		return err;
8616 
8617 	/* only one attribute may be given */
8618 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8619 		if (attr[i]) {
8620 			if (found)
8621 				return -EINVAL;
8622 			found = true;
8623 		}
8624 	}
8625 
8626 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8627 
8628 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8629 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8630 
8631 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8632 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8633 		bss_select->param.band_pref =
8634 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8635 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8636 			return -EINVAL;
8637 	}
8638 
8639 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8640 		struct nl80211_bss_select_rssi_adjust *adj_param;
8641 
8642 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8643 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8644 		bss_select->param.adjust.band = adj_param->band;
8645 		bss_select->param.adjust.delta = adj_param->delta;
8646 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8647 			return -EINVAL;
8648 	}
8649 
8650 	/* user-space did not provide behaviour attribute */
8651 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8652 		return -EINVAL;
8653 
8654 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8655 		return -EINVAL;
8656 
8657 	return 0;
8658 }
8659 
8660 int nl80211_parse_random_mac(struct nlattr **attrs,
8661 			     u8 *mac_addr, u8 *mac_addr_mask)
8662 {
8663 	int i;
8664 
8665 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8666 		eth_zero_addr(mac_addr);
8667 		eth_zero_addr(mac_addr_mask);
8668 		mac_addr[0] = 0x2;
8669 		mac_addr_mask[0] = 0x3;
8670 
8671 		return 0;
8672 	}
8673 
8674 	/* need both or none */
8675 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8676 		return -EINVAL;
8677 
8678 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8679 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8680 
8681 	/* don't allow or configure an mcast address */
8682 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8683 	    is_multicast_ether_addr(mac_addr))
8684 		return -EINVAL;
8685 
8686 	/*
8687 	 * allow users to pass a MAC address that has bits set outside
8688 	 * of the mask, but don't bother drivers with having to deal
8689 	 * with such bits
8690 	 */
8691 	for (i = 0; i < ETH_ALEN; i++)
8692 		mac_addr[i] &= mac_addr_mask[i];
8693 
8694 	return 0;
8695 }
8696 
8697 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
8698 					      struct ieee80211_channel *chan)
8699 {
8700 	unsigned int link_id;
8701 	bool all_ok = true;
8702 
8703 	ASSERT_WDEV_LOCK(wdev);
8704 
8705 	if (!cfg80211_beaconing_iface_active(wdev))
8706 		return true;
8707 
8708 	/*
8709 	 * FIXME: check if we have a free HW resource/link for chan
8710 	 *
8711 	 * This, as well as the FIXME below, requires knowing the link
8712 	 * capabilities of the hardware.
8713 	 */
8714 
8715 	/* we cannot leave radar channels */
8716 	for_each_valid_link(wdev, link_id) {
8717 		struct cfg80211_chan_def *chandef;
8718 
8719 		chandef = wdev_chandef(wdev, link_id);
8720 		if (!chandef)
8721 			continue;
8722 
8723 		/*
8724 		 * FIXME: don't require all_ok, but rather check only the
8725 		 *	  correct HW resource/link onto which 'chan' falls,
8726 		 *	  as only that link leaves the channel for doing
8727 		 *	  the off-channel operation.
8728 		 */
8729 
8730 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
8731 			all_ok = false;
8732 	}
8733 
8734 	if (all_ok)
8735 		return true;
8736 
8737 	return regulatory_pre_cac_allowed(wdev->wiphy);
8738 }
8739 
8740 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8741 				    enum nl80211_ext_feature_index feat)
8742 {
8743 	if (!(flags & flag))
8744 		return true;
8745 	if (wiphy_ext_feature_isset(wiphy, feat))
8746 		return true;
8747 	return false;
8748 }
8749 
8750 static int
8751 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8752 			 void *request, struct nlattr **attrs,
8753 			 bool is_sched_scan)
8754 {
8755 	u8 *mac_addr, *mac_addr_mask;
8756 	u32 *flags;
8757 	enum nl80211_feature_flags randomness_flag;
8758 
8759 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8760 		return 0;
8761 
8762 	if (is_sched_scan) {
8763 		struct cfg80211_sched_scan_request *req = request;
8764 
8765 		randomness_flag = wdev ?
8766 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8767 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8768 		flags = &req->flags;
8769 		mac_addr = req->mac_addr;
8770 		mac_addr_mask = req->mac_addr_mask;
8771 	} else {
8772 		struct cfg80211_scan_request *req = request;
8773 
8774 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8775 		flags = &req->flags;
8776 		mac_addr = req->mac_addr;
8777 		mac_addr_mask = req->mac_addr_mask;
8778 	}
8779 
8780 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8781 
8782 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8783 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8784 	    !nl80211_check_scan_feat(wiphy, *flags,
8785 				     NL80211_SCAN_FLAG_LOW_SPAN,
8786 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8787 	    !nl80211_check_scan_feat(wiphy, *flags,
8788 				     NL80211_SCAN_FLAG_LOW_POWER,
8789 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8790 	    !nl80211_check_scan_feat(wiphy, *flags,
8791 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8792 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8793 	    !nl80211_check_scan_feat(wiphy, *flags,
8794 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8795 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8796 	    !nl80211_check_scan_feat(wiphy, *flags,
8797 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8798 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8799 	    !nl80211_check_scan_feat(wiphy, *flags,
8800 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8801 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8802 	    !nl80211_check_scan_feat(wiphy, *flags,
8803 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8804 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8805 	    !nl80211_check_scan_feat(wiphy, *flags,
8806 				     NL80211_SCAN_FLAG_RANDOM_SN,
8807 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8808 	    !nl80211_check_scan_feat(wiphy, *flags,
8809 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8810 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8811 		return -EOPNOTSUPP;
8812 
8813 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8814 		int err;
8815 
8816 		if (!(wiphy->features & randomness_flag) ||
8817 		    (wdev && wdev->connected))
8818 			return -EOPNOTSUPP;
8819 
8820 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8821 		if (err)
8822 			return err;
8823 	}
8824 
8825 	return 0;
8826 }
8827 
8828 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8829 {
8830 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8831 	struct wireless_dev *wdev = info->user_ptr[1];
8832 	struct cfg80211_scan_request *request;
8833 	struct nlattr *scan_freqs = NULL;
8834 	bool scan_freqs_khz = false;
8835 	struct nlattr *attr;
8836 	struct wiphy *wiphy;
8837 	int err, tmp, n_ssids = 0, n_channels, i;
8838 	size_t ie_len;
8839 
8840 	wiphy = &rdev->wiphy;
8841 
8842 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8843 		return -EOPNOTSUPP;
8844 
8845 	if (!rdev->ops->scan)
8846 		return -EOPNOTSUPP;
8847 
8848 	if (rdev->scan_req || rdev->scan_msg)
8849 		return -EBUSY;
8850 
8851 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8852 		if (!wiphy_ext_feature_isset(wiphy,
8853 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8854 			return -EOPNOTSUPP;
8855 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8856 		scan_freqs_khz = true;
8857 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8858 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8859 
8860 	if (scan_freqs) {
8861 		n_channels = validate_scan_freqs(scan_freqs);
8862 		if (!n_channels)
8863 			return -EINVAL;
8864 	} else {
8865 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8866 	}
8867 
8868 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8869 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8870 			n_ssids++;
8871 
8872 	if (n_ssids > wiphy->max_scan_ssids)
8873 		return -EINVAL;
8874 
8875 	if (info->attrs[NL80211_ATTR_IE])
8876 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8877 	else
8878 		ie_len = 0;
8879 
8880 	if (ie_len > wiphy->max_scan_ie_len)
8881 		return -EINVAL;
8882 
8883 	request = kzalloc(sizeof(*request)
8884 			+ sizeof(*request->ssids) * n_ssids
8885 			+ sizeof(*request->channels) * n_channels
8886 			+ ie_len, GFP_KERNEL);
8887 	if (!request)
8888 		return -ENOMEM;
8889 
8890 	if (n_ssids)
8891 		request->ssids = (void *)&request->channels[n_channels];
8892 	request->n_ssids = n_ssids;
8893 	if (ie_len) {
8894 		if (n_ssids)
8895 			request->ie = (void *)(request->ssids + n_ssids);
8896 		else
8897 			request->ie = (void *)(request->channels + n_channels);
8898 	}
8899 
8900 	i = 0;
8901 	if (scan_freqs) {
8902 		/* user specified, bail out if channel not found */
8903 		nla_for_each_nested(attr, scan_freqs, tmp) {
8904 			struct ieee80211_channel *chan;
8905 			int freq = nla_get_u32(attr);
8906 
8907 			if (!scan_freqs_khz)
8908 				freq = MHZ_TO_KHZ(freq);
8909 
8910 			chan = ieee80211_get_channel_khz(wiphy, freq);
8911 			if (!chan) {
8912 				err = -EINVAL;
8913 				goto out_free;
8914 			}
8915 
8916 			/* ignore disabled channels */
8917 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8918 				continue;
8919 
8920 			request->channels[i] = chan;
8921 			i++;
8922 		}
8923 	} else {
8924 		enum nl80211_band band;
8925 
8926 		/* all channels */
8927 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8928 			int j;
8929 
8930 			if (!wiphy->bands[band])
8931 				continue;
8932 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8933 				struct ieee80211_channel *chan;
8934 
8935 				chan = &wiphy->bands[band]->channels[j];
8936 
8937 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8938 					continue;
8939 
8940 				request->channels[i] = chan;
8941 				i++;
8942 			}
8943 		}
8944 	}
8945 
8946 	if (!i) {
8947 		err = -EINVAL;
8948 		goto out_free;
8949 	}
8950 
8951 	request->n_channels = i;
8952 
8953 	wdev_lock(wdev);
8954 	for (i = 0; i < request->n_channels; i++) {
8955 		struct ieee80211_channel *chan = request->channels[i];
8956 
8957 		/* if we can go off-channel to the target channel we're good */
8958 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
8959 			continue;
8960 
8961 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
8962 			wdev_unlock(wdev);
8963 			err = -EBUSY;
8964 			goto out_free;
8965 		}
8966 	}
8967 	wdev_unlock(wdev);
8968 
8969 	i = 0;
8970 	if (n_ssids) {
8971 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8972 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8973 				err = -EINVAL;
8974 				goto out_free;
8975 			}
8976 			request->ssids[i].ssid_len = nla_len(attr);
8977 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8978 			i++;
8979 		}
8980 	}
8981 
8982 	if (info->attrs[NL80211_ATTR_IE]) {
8983 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8984 		memcpy((void *)request->ie,
8985 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8986 		       request->ie_len);
8987 	}
8988 
8989 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8990 		if (wiphy->bands[i])
8991 			request->rates[i] =
8992 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8993 
8994 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8995 		nla_for_each_nested(attr,
8996 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8997 				    tmp) {
8998 			enum nl80211_band band = nla_type(attr);
8999 
9000 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9001 				err = -EINVAL;
9002 				goto out_free;
9003 			}
9004 
9005 			if (!wiphy->bands[band])
9006 				continue;
9007 
9008 			err = ieee80211_get_ratemask(wiphy->bands[band],
9009 						     nla_data(attr),
9010 						     nla_len(attr),
9011 						     &request->rates[band]);
9012 			if (err)
9013 				goto out_free;
9014 		}
9015 	}
9016 
9017 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9018 		request->duration =
9019 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9020 		request->duration_mandatory =
9021 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9022 	}
9023 
9024 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9025 				       false);
9026 	if (err)
9027 		goto out_free;
9028 
9029 	request->no_cck =
9030 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9031 
9032 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9033 	 * BSSID to scan for. This was problematic because that same attribute
9034 	 * was already used for another purpose (local random MAC address). The
9035 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9036 	 * compatibility with older userspace components, also use the
9037 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9038 	 * the specific BSSID use case instead of the random MAC address
9039 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9040 	 */
9041 	if (info->attrs[NL80211_ATTR_BSSID])
9042 		memcpy(request->bssid,
9043 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9044 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9045 		 info->attrs[NL80211_ATTR_MAC])
9046 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9047 		       ETH_ALEN);
9048 	else
9049 		eth_broadcast_addr(request->bssid);
9050 
9051 	request->wdev = wdev;
9052 	request->wiphy = &rdev->wiphy;
9053 	request->scan_start = jiffies;
9054 
9055 	rdev->scan_req = request;
9056 	err = cfg80211_scan(rdev);
9057 
9058 	if (err)
9059 		goto out_free;
9060 
9061 	nl80211_send_scan_start(rdev, wdev);
9062 	dev_hold(wdev->netdev);
9063 
9064 	return 0;
9065 
9066  out_free:
9067 	rdev->scan_req = NULL;
9068 	kfree(request);
9069 
9070 	return err;
9071 }
9072 
9073 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9074 {
9075 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9076 	struct wireless_dev *wdev = info->user_ptr[1];
9077 
9078 	if (!rdev->ops->abort_scan)
9079 		return -EOPNOTSUPP;
9080 
9081 	if (rdev->scan_msg)
9082 		return 0;
9083 
9084 	if (!rdev->scan_req)
9085 		return -ENOENT;
9086 
9087 	rdev_abort_scan(rdev, wdev);
9088 	return 0;
9089 }
9090 
9091 static int
9092 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9093 			       struct cfg80211_sched_scan_request *request,
9094 			       struct nlattr **attrs)
9095 {
9096 	int tmp, err, i = 0;
9097 	struct nlattr *attr;
9098 
9099 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9100 		u32 interval;
9101 
9102 		/*
9103 		 * If scan plans are not specified,
9104 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9105 		 * case one scan plan will be set with the specified scan
9106 		 * interval and infinite number of iterations.
9107 		 */
9108 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9109 		if (!interval)
9110 			return -EINVAL;
9111 
9112 		request->scan_plans[0].interval =
9113 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9114 		if (!request->scan_plans[0].interval)
9115 			return -EINVAL;
9116 
9117 		if (request->scan_plans[0].interval >
9118 		    wiphy->max_sched_scan_plan_interval)
9119 			request->scan_plans[0].interval =
9120 				wiphy->max_sched_scan_plan_interval;
9121 
9122 		return 0;
9123 	}
9124 
9125 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9126 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9127 
9128 		if (WARN_ON(i >= n_plans))
9129 			return -EINVAL;
9130 
9131 		err = nla_parse_nested_deprecated(plan,
9132 						  NL80211_SCHED_SCAN_PLAN_MAX,
9133 						  attr, nl80211_plan_policy,
9134 						  NULL);
9135 		if (err)
9136 			return err;
9137 
9138 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9139 			return -EINVAL;
9140 
9141 		request->scan_plans[i].interval =
9142 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9143 		if (!request->scan_plans[i].interval ||
9144 		    request->scan_plans[i].interval >
9145 		    wiphy->max_sched_scan_plan_interval)
9146 			return -EINVAL;
9147 
9148 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9149 			request->scan_plans[i].iterations =
9150 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9151 			if (!request->scan_plans[i].iterations ||
9152 			    (request->scan_plans[i].iterations >
9153 			     wiphy->max_sched_scan_plan_iterations))
9154 				return -EINVAL;
9155 		} else if (i < n_plans - 1) {
9156 			/*
9157 			 * All scan plans but the last one must specify
9158 			 * a finite number of iterations
9159 			 */
9160 			return -EINVAL;
9161 		}
9162 
9163 		i++;
9164 	}
9165 
9166 	/*
9167 	 * The last scan plan must not specify the number of
9168 	 * iterations, it is supposed to run infinitely
9169 	 */
9170 	if (request->scan_plans[n_plans - 1].iterations)
9171 		return  -EINVAL;
9172 
9173 	return 0;
9174 }
9175 
9176 static int
9177 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9178 				       struct cfg80211_match_set *match_sets,
9179 				       struct nlattr *tb_band_rssi,
9180 				       s32 rssi_thold)
9181 {
9182 	struct nlattr *attr;
9183 	int i, tmp, ret = 0;
9184 
9185 	if (!wiphy_ext_feature_isset(wiphy,
9186 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9187 		if (tb_band_rssi)
9188 			ret = -EOPNOTSUPP;
9189 		else
9190 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9191 				match_sets->per_band_rssi_thold[i] =
9192 					NL80211_SCAN_RSSI_THOLD_OFF;
9193 		return ret;
9194 	}
9195 
9196 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9197 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9198 
9199 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9200 		enum nl80211_band band = nla_type(attr);
9201 
9202 		if (band < 0 || band >= NUM_NL80211_BANDS)
9203 			return -EINVAL;
9204 
9205 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9206 	}
9207 
9208 	return 0;
9209 }
9210 
9211 static struct cfg80211_sched_scan_request *
9212 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9213 			 struct nlattr **attrs, int max_match_sets)
9214 {
9215 	struct cfg80211_sched_scan_request *request;
9216 	struct nlattr *attr;
9217 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9218 	enum nl80211_band band;
9219 	size_t ie_len;
9220 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9221 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9222 
9223 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9224 		n_channels = validate_scan_freqs(
9225 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9226 		if (!n_channels)
9227 			return ERR_PTR(-EINVAL);
9228 	} else {
9229 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9230 	}
9231 
9232 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9233 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9234 				    tmp)
9235 			n_ssids++;
9236 
9237 	if (n_ssids > wiphy->max_sched_scan_ssids)
9238 		return ERR_PTR(-EINVAL);
9239 
9240 	/*
9241 	 * First, count the number of 'real' matchsets. Due to an issue with
9242 	 * the old implementation, matchsets containing only the RSSI attribute
9243 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9244 	 * RSSI for all matchsets, rather than their own matchset for reporting
9245 	 * all APs with a strong RSSI. This is needed to be compatible with
9246 	 * older userspace that treated a matchset with only the RSSI as the
9247 	 * global RSSI for all other matchsets - if there are other matchsets.
9248 	 */
9249 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9250 		nla_for_each_nested(attr,
9251 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9252 				    tmp) {
9253 			struct nlattr *rssi;
9254 
9255 			err = nla_parse_nested_deprecated(tb,
9256 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9257 							  attr,
9258 							  nl80211_match_policy,
9259 							  NULL);
9260 			if (err)
9261 				return ERR_PTR(err);
9262 
9263 			/* SSID and BSSID are mutually exclusive */
9264 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9265 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9266 				return ERR_PTR(-EINVAL);
9267 
9268 			/* add other standalone attributes here */
9269 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9270 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9271 				n_match_sets++;
9272 				continue;
9273 			}
9274 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9275 			if (rssi)
9276 				default_match_rssi = nla_get_s32(rssi);
9277 		}
9278 	}
9279 
9280 	/* However, if there's no other matchset, add the RSSI one */
9281 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9282 		n_match_sets = 1;
9283 
9284 	if (n_match_sets > max_match_sets)
9285 		return ERR_PTR(-EINVAL);
9286 
9287 	if (attrs[NL80211_ATTR_IE])
9288 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9289 	else
9290 		ie_len = 0;
9291 
9292 	if (ie_len > wiphy->max_sched_scan_ie_len)
9293 		return ERR_PTR(-EINVAL);
9294 
9295 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9296 		/*
9297 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9298 		 * each scan plan already specifies its own interval
9299 		 */
9300 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9301 			return ERR_PTR(-EINVAL);
9302 
9303 		nla_for_each_nested(attr,
9304 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9305 			n_plans++;
9306 	} else {
9307 		/*
9308 		 * The scan interval attribute is kept for backward
9309 		 * compatibility. If no scan plans are specified and sched scan
9310 		 * interval is specified, one scan plan will be set with this
9311 		 * scan interval and infinite number of iterations.
9312 		 */
9313 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9314 			return ERR_PTR(-EINVAL);
9315 
9316 		n_plans = 1;
9317 	}
9318 
9319 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9320 		return ERR_PTR(-EINVAL);
9321 
9322 	if (!wiphy_ext_feature_isset(
9323 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9324 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9325 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9326 		return ERR_PTR(-EINVAL);
9327 
9328 	request = kzalloc(sizeof(*request)
9329 			+ sizeof(*request->ssids) * n_ssids
9330 			+ sizeof(*request->match_sets) * n_match_sets
9331 			+ sizeof(*request->scan_plans) * n_plans
9332 			+ sizeof(*request->channels) * n_channels
9333 			+ ie_len, GFP_KERNEL);
9334 	if (!request)
9335 		return ERR_PTR(-ENOMEM);
9336 
9337 	if (n_ssids)
9338 		request->ssids = (void *)&request->channels[n_channels];
9339 	request->n_ssids = n_ssids;
9340 	if (ie_len) {
9341 		if (n_ssids)
9342 			request->ie = (void *)(request->ssids + n_ssids);
9343 		else
9344 			request->ie = (void *)(request->channels + n_channels);
9345 	}
9346 
9347 	if (n_match_sets) {
9348 		if (request->ie)
9349 			request->match_sets = (void *)(request->ie + ie_len);
9350 		else if (n_ssids)
9351 			request->match_sets =
9352 				(void *)(request->ssids + n_ssids);
9353 		else
9354 			request->match_sets =
9355 				(void *)(request->channels + n_channels);
9356 	}
9357 	request->n_match_sets = n_match_sets;
9358 
9359 	if (n_match_sets)
9360 		request->scan_plans = (void *)(request->match_sets +
9361 					       n_match_sets);
9362 	else if (request->ie)
9363 		request->scan_plans = (void *)(request->ie + ie_len);
9364 	else if (n_ssids)
9365 		request->scan_plans = (void *)(request->ssids + n_ssids);
9366 	else
9367 		request->scan_plans = (void *)(request->channels + n_channels);
9368 
9369 	request->n_scan_plans = n_plans;
9370 
9371 	i = 0;
9372 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9373 		/* user specified, bail out if channel not found */
9374 		nla_for_each_nested(attr,
9375 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9376 				    tmp) {
9377 			struct ieee80211_channel *chan;
9378 
9379 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9380 
9381 			if (!chan) {
9382 				err = -EINVAL;
9383 				goto out_free;
9384 			}
9385 
9386 			/* ignore disabled channels */
9387 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9388 				continue;
9389 
9390 			request->channels[i] = chan;
9391 			i++;
9392 		}
9393 	} else {
9394 		/* all channels */
9395 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9396 			int j;
9397 
9398 			if (!wiphy->bands[band])
9399 				continue;
9400 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9401 				struct ieee80211_channel *chan;
9402 
9403 				chan = &wiphy->bands[band]->channels[j];
9404 
9405 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9406 					continue;
9407 
9408 				request->channels[i] = chan;
9409 				i++;
9410 			}
9411 		}
9412 	}
9413 
9414 	if (!i) {
9415 		err = -EINVAL;
9416 		goto out_free;
9417 	}
9418 
9419 	request->n_channels = i;
9420 
9421 	i = 0;
9422 	if (n_ssids) {
9423 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9424 				    tmp) {
9425 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9426 				err = -EINVAL;
9427 				goto out_free;
9428 			}
9429 			request->ssids[i].ssid_len = nla_len(attr);
9430 			memcpy(request->ssids[i].ssid, nla_data(attr),
9431 			       nla_len(attr));
9432 			i++;
9433 		}
9434 	}
9435 
9436 	i = 0;
9437 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9438 		nla_for_each_nested(attr,
9439 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9440 				    tmp) {
9441 			struct nlattr *ssid, *bssid, *rssi;
9442 
9443 			err = nla_parse_nested_deprecated(tb,
9444 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9445 							  attr,
9446 							  nl80211_match_policy,
9447 							  NULL);
9448 			if (err)
9449 				goto out_free;
9450 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9451 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9452 
9453 			if (!ssid && !bssid) {
9454 				i++;
9455 				continue;
9456 			}
9457 
9458 			if (WARN_ON(i >= n_match_sets)) {
9459 				/* this indicates a programming error,
9460 				 * the loop above should have verified
9461 				 * things properly
9462 				 */
9463 				err = -EINVAL;
9464 				goto out_free;
9465 			}
9466 
9467 			if (ssid) {
9468 				memcpy(request->match_sets[i].ssid.ssid,
9469 				       nla_data(ssid), nla_len(ssid));
9470 				request->match_sets[i].ssid.ssid_len =
9471 					nla_len(ssid);
9472 			}
9473 			if (bssid)
9474 				memcpy(request->match_sets[i].bssid,
9475 				       nla_data(bssid), ETH_ALEN);
9476 
9477 			/* special attribute - old implementation w/a */
9478 			request->match_sets[i].rssi_thold = default_match_rssi;
9479 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9480 			if (rssi)
9481 				request->match_sets[i].rssi_thold =
9482 					nla_get_s32(rssi);
9483 
9484 			/* Parse per band RSSI attribute */
9485 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9486 				&request->match_sets[i],
9487 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9488 				request->match_sets[i].rssi_thold);
9489 			if (err)
9490 				goto out_free;
9491 
9492 			i++;
9493 		}
9494 
9495 		/* there was no other matchset, so the RSSI one is alone */
9496 		if (i == 0 && n_match_sets)
9497 			request->match_sets[0].rssi_thold = default_match_rssi;
9498 
9499 		request->min_rssi_thold = INT_MAX;
9500 		for (i = 0; i < n_match_sets; i++)
9501 			request->min_rssi_thold =
9502 				min(request->match_sets[i].rssi_thold,
9503 				    request->min_rssi_thold);
9504 	} else {
9505 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9506 	}
9507 
9508 	if (ie_len) {
9509 		request->ie_len = ie_len;
9510 		memcpy((void *)request->ie,
9511 		       nla_data(attrs[NL80211_ATTR_IE]),
9512 		       request->ie_len);
9513 	}
9514 
9515 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9516 	if (err)
9517 		goto out_free;
9518 
9519 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9520 		request->delay =
9521 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9522 
9523 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9524 		request->relative_rssi = nla_get_s8(
9525 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9526 		request->relative_rssi_set = true;
9527 	}
9528 
9529 	if (request->relative_rssi_set &&
9530 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9531 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9532 
9533 		rssi_adjust = nla_data(
9534 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9535 		request->rssi_adjust.band = rssi_adjust->band;
9536 		request->rssi_adjust.delta = rssi_adjust->delta;
9537 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9538 			err = -EINVAL;
9539 			goto out_free;
9540 		}
9541 	}
9542 
9543 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9544 	if (err)
9545 		goto out_free;
9546 
9547 	request->scan_start = jiffies;
9548 
9549 	return request;
9550 
9551 out_free:
9552 	kfree(request);
9553 	return ERR_PTR(err);
9554 }
9555 
9556 static int nl80211_start_sched_scan(struct sk_buff *skb,
9557 				    struct genl_info *info)
9558 {
9559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9560 	struct net_device *dev = info->user_ptr[1];
9561 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9562 	struct cfg80211_sched_scan_request *sched_scan_req;
9563 	bool want_multi;
9564 	int err;
9565 
9566 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9567 		return -EOPNOTSUPP;
9568 
9569 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9570 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9571 	if (err)
9572 		return err;
9573 
9574 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9575 						  info->attrs,
9576 						  rdev->wiphy.max_match_sets);
9577 
9578 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9579 	if (err)
9580 		goto out_err;
9581 
9582 	/* leave request id zero for legacy request
9583 	 * or if driver does not support multi-scheduled scan
9584 	 */
9585 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9586 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9587 
9588 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9589 	if (err)
9590 		goto out_free;
9591 
9592 	sched_scan_req->dev = dev;
9593 	sched_scan_req->wiphy = &rdev->wiphy;
9594 
9595 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9596 		sched_scan_req->owner_nlportid = info->snd_portid;
9597 
9598 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9599 
9600 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9601 	return 0;
9602 
9603 out_free:
9604 	kfree(sched_scan_req);
9605 out_err:
9606 	return err;
9607 }
9608 
9609 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9610 				   struct genl_info *info)
9611 {
9612 	struct cfg80211_sched_scan_request *req;
9613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9614 	u64 cookie;
9615 
9616 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9617 		return -EOPNOTSUPP;
9618 
9619 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9620 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9621 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9622 	}
9623 
9624 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9625 				     struct cfg80211_sched_scan_request,
9626 				     list);
9627 	if (!req || req->reqid ||
9628 	    (req->owner_nlportid &&
9629 	     req->owner_nlportid != info->snd_portid))
9630 		return -ENOENT;
9631 
9632 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9633 }
9634 
9635 static int nl80211_start_radar_detection(struct sk_buff *skb,
9636 					 struct genl_info *info)
9637 {
9638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9639 	struct net_device *dev = info->user_ptr[1];
9640 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9641 	struct wiphy *wiphy = wdev->wiphy;
9642 	struct cfg80211_chan_def chandef;
9643 	enum nl80211_dfs_regions dfs_region;
9644 	unsigned int cac_time_ms;
9645 	int err = -EINVAL;
9646 
9647 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9648 
9649 	wiphy_lock(wiphy);
9650 
9651 	dfs_region = reg_get_dfs_region(wiphy);
9652 	if (dfs_region == NL80211_DFS_UNSET)
9653 		goto unlock;
9654 
9655 	err = nl80211_parse_chandef(rdev, info, &chandef);
9656 	if (err)
9657 		goto unlock;
9658 
9659 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9660 	if (err < 0)
9661 		goto unlock;
9662 
9663 	if (err == 0) {
9664 		err = -EINVAL;
9665 		goto unlock;
9666 	}
9667 
9668 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9669 		err = -EINVAL;
9670 		goto unlock;
9671 	}
9672 
9673 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9674 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9675 								&chandef);
9676 		goto unlock;
9677 	}
9678 
9679 	if (netif_carrier_ok(dev)) {
9680 		err = -EBUSY;
9681 		goto unlock;
9682 	}
9683 
9684 	if (wdev->cac_started) {
9685 		err = -EBUSY;
9686 		goto unlock;
9687 	}
9688 
9689 	/* CAC start is offloaded to HW and can't be started manually */
9690 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9691 		err = -EOPNOTSUPP;
9692 		goto unlock;
9693 	}
9694 
9695 	if (!rdev->ops->start_radar_detection) {
9696 		err = -EOPNOTSUPP;
9697 		goto unlock;
9698 	}
9699 
9700 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9701 	if (WARN_ON(!cac_time_ms))
9702 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9703 
9704 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9705 	if (!err) {
9706 		wdev->links[0].ap.chandef = chandef;
9707 		wdev->cac_started = true;
9708 		wdev->cac_start_time = jiffies;
9709 		wdev->cac_time_ms = cac_time_ms;
9710 	}
9711 unlock:
9712 	wiphy_unlock(wiphy);
9713 
9714 	return err;
9715 }
9716 
9717 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9718 					  struct genl_info *info)
9719 {
9720 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9721 	struct net_device *dev = info->user_ptr[1];
9722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9723 	struct wiphy *wiphy = wdev->wiphy;
9724 	struct cfg80211_chan_def chandef;
9725 	enum nl80211_dfs_regions dfs_region;
9726 	int err;
9727 
9728 	dfs_region = reg_get_dfs_region(wiphy);
9729 	if (dfs_region == NL80211_DFS_UNSET) {
9730 		GENL_SET_ERR_MSG(info,
9731 				 "DFS Region is not set. Unexpected Radar indication");
9732 		return -EINVAL;
9733 	}
9734 
9735 	err = nl80211_parse_chandef(rdev, info, &chandef);
9736 	if (err) {
9737 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9738 		return err;
9739 	}
9740 
9741 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9742 	if (err < 0) {
9743 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9744 		return err;
9745 	}
9746 
9747 	if (err == 0) {
9748 		GENL_SET_ERR_MSG(info,
9749 				 "Unexpected Radar indication for chandef/iftype");
9750 		return -EINVAL;
9751 	}
9752 
9753 	/* Do not process this notification if radar is already detected
9754 	 * by kernel on this channel, and return success.
9755 	 */
9756 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9757 		return 0;
9758 
9759 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9760 
9761 	cfg80211_sched_dfs_chan_update(rdev);
9762 
9763 	rdev->radar_chandef = chandef;
9764 
9765 	/* Propagate this notification to other radios as well */
9766 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9767 
9768 	return 0;
9769 }
9770 
9771 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9772 {
9773 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9774 	unsigned int link_id = nl80211_link_id(info->attrs);
9775 	struct net_device *dev = info->user_ptr[1];
9776 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9777 	struct cfg80211_csa_settings params;
9778 	struct nlattr **csa_attrs = NULL;
9779 	int err;
9780 	bool need_new_beacon = false;
9781 	bool need_handle_dfs_flag = true;
9782 	int len, i;
9783 	u32 cs_count;
9784 
9785 	if (!rdev->ops->channel_switch ||
9786 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9787 		return -EOPNOTSUPP;
9788 
9789 	switch (dev->ieee80211_ptr->iftype) {
9790 	case NL80211_IFTYPE_AP:
9791 	case NL80211_IFTYPE_P2P_GO:
9792 		need_new_beacon = true;
9793 		/* For all modes except AP the handle_dfs flag needs to be
9794 		 * supplied to tell the kernel that userspace will handle radar
9795 		 * events when they happen. Otherwise a switch to a channel
9796 		 * requiring DFS will be rejected.
9797 		 */
9798 		need_handle_dfs_flag = false;
9799 
9800 		/* useless if AP is not running */
9801 		if (!wdev->links[link_id].ap.beacon_interval)
9802 			return -ENOTCONN;
9803 		break;
9804 	case NL80211_IFTYPE_ADHOC:
9805 		if (!wdev->u.ibss.ssid_len)
9806 			return -ENOTCONN;
9807 		break;
9808 	case NL80211_IFTYPE_MESH_POINT:
9809 		if (!wdev->u.mesh.id_len)
9810 			return -ENOTCONN;
9811 		break;
9812 	default:
9813 		return -EOPNOTSUPP;
9814 	}
9815 
9816 	memset(&params, 0, sizeof(params));
9817 	params.beacon_csa.ftm_responder = -1;
9818 
9819 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9820 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9821 		return -EINVAL;
9822 
9823 	/* only important for AP, IBSS and mesh create IEs internally */
9824 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9825 		return -EINVAL;
9826 
9827 	/* Even though the attribute is u32, the specification says
9828 	 * u8, so let's make sure we don't overflow.
9829 	 */
9830 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9831 	if (cs_count > 255)
9832 		return -EINVAL;
9833 
9834 	params.count = cs_count;
9835 
9836 	if (!need_new_beacon)
9837 		goto skip_beacons;
9838 
9839 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9840 	if (err)
9841 		goto free;
9842 
9843 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9844 			    GFP_KERNEL);
9845 	if (!csa_attrs) {
9846 		err = -ENOMEM;
9847 		goto free;
9848 	}
9849 
9850 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9851 					  info->attrs[NL80211_ATTR_CSA_IES],
9852 					  nl80211_policy, info->extack);
9853 	if (err)
9854 		goto free;
9855 
9856 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9857 	if (err)
9858 		goto free;
9859 
9860 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9861 		err = -EINVAL;
9862 		goto free;
9863 	}
9864 
9865 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9866 	if (!len || (len % sizeof(u16))) {
9867 		err = -EINVAL;
9868 		goto free;
9869 	}
9870 
9871 	params.n_counter_offsets_beacon = len / sizeof(u16);
9872 	if (rdev->wiphy.max_num_csa_counters &&
9873 	    (params.n_counter_offsets_beacon >
9874 	     rdev->wiphy.max_num_csa_counters)) {
9875 		err = -EINVAL;
9876 		goto free;
9877 	}
9878 
9879 	params.counter_offsets_beacon =
9880 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9881 
9882 	/* sanity checks - counters should fit and be the same */
9883 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9884 		u16 offset = params.counter_offsets_beacon[i];
9885 
9886 		if (offset >= params.beacon_csa.tail_len) {
9887 			err = -EINVAL;
9888 			goto free;
9889 		}
9890 
9891 		if (params.beacon_csa.tail[offset] != params.count) {
9892 			err = -EINVAL;
9893 			goto free;
9894 		}
9895 	}
9896 
9897 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9898 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9899 		if (!len || (len % sizeof(u16))) {
9900 			err = -EINVAL;
9901 			goto free;
9902 		}
9903 
9904 		params.n_counter_offsets_presp = len / sizeof(u16);
9905 		if (rdev->wiphy.max_num_csa_counters &&
9906 		    (params.n_counter_offsets_presp >
9907 		     rdev->wiphy.max_num_csa_counters)) {
9908 			err = -EINVAL;
9909 			goto free;
9910 		}
9911 
9912 		params.counter_offsets_presp =
9913 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9914 
9915 		/* sanity checks - counters should fit and be the same */
9916 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9917 			u16 offset = params.counter_offsets_presp[i];
9918 
9919 			if (offset >= params.beacon_csa.probe_resp_len) {
9920 				err = -EINVAL;
9921 				goto free;
9922 			}
9923 
9924 			if (params.beacon_csa.probe_resp[offset] !=
9925 			    params.count) {
9926 				err = -EINVAL;
9927 				goto free;
9928 			}
9929 		}
9930 	}
9931 
9932 skip_beacons:
9933 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9934 	if (err)
9935 		goto free;
9936 
9937 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9938 					   wdev->iftype)) {
9939 		err = -EINVAL;
9940 		goto free;
9941 	}
9942 
9943 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9944 					    &params.chandef,
9945 					    wdev->iftype);
9946 	if (err < 0)
9947 		goto free;
9948 
9949 	if (err > 0) {
9950 		params.radar_required = true;
9951 		if (need_handle_dfs_flag &&
9952 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9953 			err = -EINVAL;
9954 			goto free;
9955 		}
9956 	}
9957 
9958 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9959 		params.block_tx = true;
9960 
9961 	wdev_lock(wdev);
9962 	err = rdev_channel_switch(rdev, dev, &params);
9963 	wdev_unlock(wdev);
9964 
9965 free:
9966 	kfree(params.beacon_after.mbssid_ies);
9967 	kfree(params.beacon_csa.mbssid_ies);
9968 	kfree(csa_attrs);
9969 	return err;
9970 }
9971 
9972 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9973 			    u32 seq, int flags,
9974 			    struct cfg80211_registered_device *rdev,
9975 			    struct wireless_dev *wdev,
9976 			    struct cfg80211_internal_bss *intbss)
9977 {
9978 	struct cfg80211_bss *res = &intbss->pub;
9979 	const struct cfg80211_bss_ies *ies;
9980 	unsigned int link_id;
9981 	void *hdr;
9982 	struct nlattr *bss;
9983 
9984 	ASSERT_WDEV_LOCK(wdev);
9985 
9986 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9987 			     NL80211_CMD_NEW_SCAN_RESULTS);
9988 	if (!hdr)
9989 		return -1;
9990 
9991 	genl_dump_check_consistent(cb, hdr);
9992 
9993 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9994 		goto nla_put_failure;
9995 	if (wdev->netdev &&
9996 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9997 		goto nla_put_failure;
9998 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9999 			      NL80211_ATTR_PAD))
10000 		goto nla_put_failure;
10001 
10002 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10003 	if (!bss)
10004 		goto nla_put_failure;
10005 	if ((!is_zero_ether_addr(res->bssid) &&
10006 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10007 		goto nla_put_failure;
10008 
10009 	rcu_read_lock();
10010 	/* indicate whether we have probe response data or not */
10011 	if (rcu_access_pointer(res->proberesp_ies) &&
10012 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10013 		goto fail_unlock_rcu;
10014 
10015 	/* this pointer prefers to be pointed to probe response data
10016 	 * but is always valid
10017 	 */
10018 	ies = rcu_dereference(res->ies);
10019 	if (ies) {
10020 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10021 				      NL80211_BSS_PAD))
10022 			goto fail_unlock_rcu;
10023 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10024 					ies->len, ies->data))
10025 			goto fail_unlock_rcu;
10026 	}
10027 
10028 	/* and this pointer is always (unless driver didn't know) beacon data */
10029 	ies = rcu_dereference(res->beacon_ies);
10030 	if (ies && ies->from_beacon) {
10031 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10032 				      NL80211_BSS_PAD))
10033 			goto fail_unlock_rcu;
10034 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10035 					ies->len, ies->data))
10036 			goto fail_unlock_rcu;
10037 	}
10038 	rcu_read_unlock();
10039 
10040 	if (res->beacon_interval &&
10041 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10042 		goto nla_put_failure;
10043 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10044 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10045 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10046 			res->channel->freq_offset) ||
10047 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10048 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10049 			jiffies_to_msecs(jiffies - intbss->ts)))
10050 		goto nla_put_failure;
10051 
10052 	if (intbss->parent_tsf &&
10053 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10054 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10055 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10056 		     intbss->parent_bssid)))
10057 		goto nla_put_failure;
10058 
10059 	if (intbss->ts_boottime &&
10060 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10061 			      intbss->ts_boottime, NL80211_BSS_PAD))
10062 		goto nla_put_failure;
10063 
10064 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10065 				intbss->pub.chain_signal,
10066 				NL80211_BSS_CHAIN_SIGNAL))
10067 		goto nla_put_failure;
10068 
10069 	switch (rdev->wiphy.signal_type) {
10070 	case CFG80211_SIGNAL_TYPE_MBM:
10071 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10072 			goto nla_put_failure;
10073 		break;
10074 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10075 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10076 			goto nla_put_failure;
10077 		break;
10078 	default:
10079 		break;
10080 	}
10081 
10082 	switch (wdev->iftype) {
10083 	case NL80211_IFTYPE_P2P_CLIENT:
10084 	case NL80211_IFTYPE_STATION:
10085 		for_each_valid_link(wdev, link_id) {
10086 			if (intbss == wdev->links[link_id].client.current_bss &&
10087 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10088 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10089 			     (wdev->valid_links &&
10090 			      nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10091 					 link_id))))
10092 				goto nla_put_failure;
10093 		}
10094 		break;
10095 	case NL80211_IFTYPE_ADHOC:
10096 		if (intbss == wdev->u.ibss.current_bss &&
10097 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10098 				NL80211_BSS_STATUS_IBSS_JOINED))
10099 			goto nla_put_failure;
10100 		break;
10101 	default:
10102 		break;
10103 	}
10104 
10105 	nla_nest_end(msg, bss);
10106 
10107 	genlmsg_end(msg, hdr);
10108 	return 0;
10109 
10110  fail_unlock_rcu:
10111 	rcu_read_unlock();
10112  nla_put_failure:
10113 	genlmsg_cancel(msg, hdr);
10114 	return -EMSGSIZE;
10115 }
10116 
10117 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10118 {
10119 	struct cfg80211_registered_device *rdev;
10120 	struct cfg80211_internal_bss *scan;
10121 	struct wireless_dev *wdev;
10122 	int start = cb->args[2], idx = 0;
10123 	int err;
10124 
10125 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10126 	if (err)
10127 		return err;
10128 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10129 	__acquire(&rdev->wiphy.mtx);
10130 
10131 	wdev_lock(wdev);
10132 	spin_lock_bh(&rdev->bss_lock);
10133 
10134 	/*
10135 	 * dump_scan will be called multiple times to break up the scan results
10136 	 * into multiple messages.  It is unlikely that any more bss-es will be
10137 	 * expired after the first call, so only call only call this on the
10138 	 * first dump_scan invocation.
10139 	 */
10140 	if (start == 0)
10141 		cfg80211_bss_expire(rdev);
10142 
10143 	cb->seq = rdev->bss_generation;
10144 
10145 	list_for_each_entry(scan, &rdev->bss_list, list) {
10146 		if (++idx <= start)
10147 			continue;
10148 		if (nl80211_send_bss(skb, cb,
10149 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10150 				rdev, wdev, scan) < 0) {
10151 			idx--;
10152 			break;
10153 		}
10154 	}
10155 
10156 	spin_unlock_bh(&rdev->bss_lock);
10157 	wdev_unlock(wdev);
10158 
10159 	cb->args[2] = idx;
10160 	wiphy_unlock(&rdev->wiphy);
10161 
10162 	return skb->len;
10163 }
10164 
10165 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10166 			       int flags, struct net_device *dev,
10167 			       bool allow_radio_stats,
10168 			       struct survey_info *survey)
10169 {
10170 	void *hdr;
10171 	struct nlattr *infoattr;
10172 
10173 	/* skip radio stats if userspace didn't request them */
10174 	if (!survey->channel && !allow_radio_stats)
10175 		return 0;
10176 
10177 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10178 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10179 	if (!hdr)
10180 		return -ENOMEM;
10181 
10182 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10183 		goto nla_put_failure;
10184 
10185 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10186 	if (!infoattr)
10187 		goto nla_put_failure;
10188 
10189 	if (survey->channel &&
10190 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10191 			survey->channel->center_freq))
10192 		goto nla_put_failure;
10193 
10194 	if (survey->channel && survey->channel->freq_offset &&
10195 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10196 			survey->channel->freq_offset))
10197 		goto nla_put_failure;
10198 
10199 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10200 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10201 		goto nla_put_failure;
10202 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10203 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10204 		goto nla_put_failure;
10205 	if ((survey->filled & SURVEY_INFO_TIME) &&
10206 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10207 			survey->time, NL80211_SURVEY_INFO_PAD))
10208 		goto nla_put_failure;
10209 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10210 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10211 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10212 		goto nla_put_failure;
10213 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10214 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10215 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10216 		goto nla_put_failure;
10217 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10218 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10219 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10220 		goto nla_put_failure;
10221 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10222 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10223 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10224 		goto nla_put_failure;
10225 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10226 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10227 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10228 		goto nla_put_failure;
10229 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10230 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10231 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10232 		goto nla_put_failure;
10233 
10234 	nla_nest_end(msg, infoattr);
10235 
10236 	genlmsg_end(msg, hdr);
10237 	return 0;
10238 
10239  nla_put_failure:
10240 	genlmsg_cancel(msg, hdr);
10241 	return -EMSGSIZE;
10242 }
10243 
10244 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10245 {
10246 	struct nlattr **attrbuf;
10247 	struct survey_info survey;
10248 	struct cfg80211_registered_device *rdev;
10249 	struct wireless_dev *wdev;
10250 	int survey_idx = cb->args[2];
10251 	int res;
10252 	bool radio_stats;
10253 
10254 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10255 	if (!attrbuf)
10256 		return -ENOMEM;
10257 
10258 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10259 	if (res) {
10260 		kfree(attrbuf);
10261 		return res;
10262 	}
10263 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10264 	__acquire(&rdev->wiphy.mtx);
10265 
10266 	/* prepare_wdev_dump parsed the attributes */
10267 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10268 
10269 	if (!wdev->netdev) {
10270 		res = -EINVAL;
10271 		goto out_err;
10272 	}
10273 
10274 	if (!rdev->ops->dump_survey) {
10275 		res = -EOPNOTSUPP;
10276 		goto out_err;
10277 	}
10278 
10279 	while (1) {
10280 		wdev_lock(wdev);
10281 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10282 		wdev_unlock(wdev);
10283 		if (res == -ENOENT)
10284 			break;
10285 		if (res)
10286 			goto out_err;
10287 
10288 		/* don't send disabled channels, but do send non-channel data */
10289 		if (survey.channel &&
10290 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10291 			survey_idx++;
10292 			continue;
10293 		}
10294 
10295 		if (nl80211_send_survey(skb,
10296 				NETLINK_CB(cb->skb).portid,
10297 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10298 				wdev->netdev, radio_stats, &survey) < 0)
10299 			goto out;
10300 		survey_idx++;
10301 	}
10302 
10303  out:
10304 	cb->args[2] = survey_idx;
10305 	res = skb->len;
10306  out_err:
10307 	kfree(attrbuf);
10308 	wiphy_unlock(&rdev->wiphy);
10309 	return res;
10310 }
10311 
10312 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10313 {
10314 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10315 				  NL80211_WPA_VERSION_2 |
10316 				  NL80211_WPA_VERSION_3));
10317 }
10318 
10319 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10320 {
10321 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10322 	struct net_device *dev = info->user_ptr[1];
10323 	struct ieee80211_channel *chan;
10324 	const u8 *bssid, *ssid;
10325 	int err, ssid_len;
10326 	enum nl80211_auth_type auth_type;
10327 	struct key_parse key;
10328 	bool local_state_change;
10329 	struct cfg80211_auth_request req = {};
10330 	u32 freq;
10331 
10332 	if (!info->attrs[NL80211_ATTR_MAC])
10333 		return -EINVAL;
10334 
10335 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10336 		return -EINVAL;
10337 
10338 	if (!info->attrs[NL80211_ATTR_SSID])
10339 		return -EINVAL;
10340 
10341 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10342 		return -EINVAL;
10343 
10344 	err = nl80211_parse_key(info, &key);
10345 	if (err)
10346 		return err;
10347 
10348 	if (key.idx >= 0) {
10349 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10350 			return -EINVAL;
10351 		if (!key.p.key || !key.p.key_len)
10352 			return -EINVAL;
10353 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10354 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10355 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10356 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10357 			return -EINVAL;
10358 		if (key.idx > 3)
10359 			return -EINVAL;
10360 	} else {
10361 		key.p.key_len = 0;
10362 		key.p.key = NULL;
10363 	}
10364 
10365 	if (key.idx >= 0) {
10366 		int i;
10367 		bool ok = false;
10368 
10369 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10370 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10371 				ok = true;
10372 				break;
10373 			}
10374 		}
10375 		if (!ok)
10376 			return -EINVAL;
10377 	}
10378 
10379 	if (!rdev->ops->auth)
10380 		return -EOPNOTSUPP;
10381 
10382 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10383 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10384 		return -EOPNOTSUPP;
10385 
10386 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10387 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10388 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10389 		freq +=
10390 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10391 
10392 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10393 	if (!chan)
10394 		return -EINVAL;
10395 
10396 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10397 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10398 
10399 	if (info->attrs[NL80211_ATTR_IE]) {
10400 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10401 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10402 	}
10403 
10404 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10405 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10406 		return -EINVAL;
10407 
10408 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10409 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10410 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10411 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10412 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10413 		return -EINVAL;
10414 
10415 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10416 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10417 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10418 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10419 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10420 			return -EINVAL;
10421 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10422 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10423 	}
10424 
10425 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10426 
10427 	/*
10428 	 * Since we no longer track auth state, ignore
10429 	 * requests to only change local state.
10430 	 */
10431 	if (local_state_change)
10432 		return 0;
10433 
10434 	req.auth_type = auth_type;
10435 	req.key = key.p.key;
10436 	req.key_len = key.p.key_len;
10437 	req.key_idx = key.idx;
10438 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10439 	if (req.link_id >= 0) {
10440 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10441 			return -EINVAL;
10442 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10443 			return -EINVAL;
10444 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10445 	}
10446 
10447 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10448 				   IEEE80211_BSS_TYPE_ESS,
10449 				   IEEE80211_PRIVACY_ANY);
10450 	if (!req.bss)
10451 		return -ENOENT;
10452 
10453 	wdev_lock(dev->ieee80211_ptr);
10454 	err = cfg80211_mlme_auth(rdev, dev, &req);
10455 	wdev_unlock(dev->ieee80211_ptr);
10456 
10457 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10458 
10459 	return err;
10460 }
10461 
10462 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10463 				     struct genl_info *info)
10464 {
10465 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10466 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10467 		return -EINVAL;
10468 	}
10469 
10470 	if (!rdev->ops->tx_control_port ||
10471 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10472 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10473 		return -EOPNOTSUPP;
10474 
10475 	return 0;
10476 }
10477 
10478 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10479 				   struct genl_info *info,
10480 				   struct cfg80211_crypto_settings *settings,
10481 				   int cipher_limit)
10482 {
10483 	memset(settings, 0, sizeof(*settings));
10484 
10485 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10486 
10487 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10488 		u16 proto;
10489 
10490 		proto = nla_get_u16(
10491 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10492 		settings->control_port_ethertype = cpu_to_be16(proto);
10493 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10494 		    proto != ETH_P_PAE)
10495 			return -EINVAL;
10496 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10497 			settings->control_port_no_encrypt = true;
10498 	} else
10499 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10500 
10501 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10502 		int r = validate_pae_over_nl80211(rdev, info);
10503 
10504 		if (r < 0)
10505 			return r;
10506 
10507 		settings->control_port_over_nl80211 = true;
10508 
10509 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10510 			settings->control_port_no_preauth = true;
10511 	}
10512 
10513 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10514 		void *data;
10515 		int len, i;
10516 
10517 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10518 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10519 		settings->n_ciphers_pairwise = len / sizeof(u32);
10520 
10521 		if (len % sizeof(u32))
10522 			return -EINVAL;
10523 
10524 		if (settings->n_ciphers_pairwise > cipher_limit)
10525 			return -EINVAL;
10526 
10527 		memcpy(settings->ciphers_pairwise, data, len);
10528 
10529 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10530 			if (!cfg80211_supported_cipher_suite(
10531 					&rdev->wiphy,
10532 					settings->ciphers_pairwise[i]))
10533 				return -EINVAL;
10534 	}
10535 
10536 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10537 		settings->cipher_group =
10538 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10539 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10540 						     settings->cipher_group))
10541 			return -EINVAL;
10542 	}
10543 
10544 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10545 		settings->wpa_versions =
10546 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10547 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10548 			return -EINVAL;
10549 	}
10550 
10551 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10552 		void *data;
10553 		int len;
10554 
10555 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10556 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10557 		settings->n_akm_suites = len / sizeof(u32);
10558 
10559 		if (len % sizeof(u32))
10560 			return -EINVAL;
10561 
10562 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10563 			return -EINVAL;
10564 
10565 		memcpy(settings->akm_suites, data, len);
10566 	}
10567 
10568 	if (info->attrs[NL80211_ATTR_PMK]) {
10569 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10570 			return -EINVAL;
10571 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10572 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10573 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10574 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10575 			return -EINVAL;
10576 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10577 	}
10578 
10579 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10580 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10581 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10582 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10583 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10584 			return -EINVAL;
10585 		settings->sae_pwd =
10586 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10587 		settings->sae_pwd_len =
10588 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10589 	}
10590 
10591 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10592 		settings->sae_pwe =
10593 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10594 	else
10595 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10596 
10597 	return 0;
10598 }
10599 
10600 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10601 					      const u8 *ssid, int ssid_len,
10602 					      struct nlattr **attrs,
10603 					      const u8 **bssid_out)
10604 {
10605 	struct ieee80211_channel *chan;
10606 	struct cfg80211_bss *bss;
10607 	const u8 *bssid;
10608 	u32 freq;
10609 
10610 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10611 		return ERR_PTR(-EINVAL);
10612 
10613 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10614 
10615 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10616 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10617 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10618 
10619 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10620 	if (!chan)
10621 		return ERR_PTR(-EINVAL);
10622 
10623 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10624 			       ssid, ssid_len,
10625 			       IEEE80211_BSS_TYPE_ESS,
10626 			       IEEE80211_PRIVACY_ANY);
10627 	if (!bss)
10628 		return ERR_PTR(-ENOENT);
10629 
10630 	*bssid_out = bssid;
10631 	return bss;
10632 }
10633 
10634 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10635 {
10636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10637 	struct net_device *dev = info->user_ptr[1];
10638 	struct cfg80211_assoc_request req = {};
10639 	struct nlattr **attrs = NULL;
10640 	const u8 *bssid, *ssid;
10641 	unsigned int link_id;
10642 	int err, ssid_len;
10643 
10644 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10645 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10646 		return -EPERM;
10647 
10648 	if (!info->attrs[NL80211_ATTR_SSID])
10649 		return -EINVAL;
10650 
10651 	if (!rdev->ops->assoc)
10652 		return -EOPNOTSUPP;
10653 
10654 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10655 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10656 		return -EOPNOTSUPP;
10657 
10658 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10659 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10660 
10661 	if (info->attrs[NL80211_ATTR_IE]) {
10662 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10663 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10664 
10665 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10666 					   req.ie, req.ie_len)) {
10667 			GENL_SET_ERR_MSG(info,
10668 					 "non-inheritance makes no sense");
10669 			return -EINVAL;
10670 		}
10671 	}
10672 
10673 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10674 		enum nl80211_mfp mfp =
10675 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10676 		if (mfp == NL80211_MFP_REQUIRED)
10677 			req.use_mfp = true;
10678 		else if (mfp != NL80211_MFP_NO)
10679 			return -EINVAL;
10680 	}
10681 
10682 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10683 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10684 
10685 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10686 		req.flags |= ASSOC_REQ_DISABLE_HT;
10687 
10688 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10689 		memcpy(&req.ht_capa_mask,
10690 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10691 		       sizeof(req.ht_capa_mask));
10692 
10693 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10694 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10695 			return -EINVAL;
10696 		memcpy(&req.ht_capa,
10697 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10698 		       sizeof(req.ht_capa));
10699 	}
10700 
10701 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10702 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10703 
10704 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10705 		req.flags |= ASSOC_REQ_DISABLE_HE;
10706 
10707 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
10708 		req.flags |= ASSOC_REQ_DISABLE_EHT;
10709 
10710 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10711 		memcpy(&req.vht_capa_mask,
10712 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10713 		       sizeof(req.vht_capa_mask));
10714 
10715 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10716 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10717 			return -EINVAL;
10718 		memcpy(&req.vht_capa,
10719 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10720 		       sizeof(req.vht_capa));
10721 	}
10722 
10723 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10724 		if (!((rdev->wiphy.features &
10725 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10726 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10727 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10728 					     NL80211_EXT_FEATURE_RRM))
10729 			return -EINVAL;
10730 		req.flags |= ASSOC_REQ_USE_RRM;
10731 	}
10732 
10733 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10734 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10735 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10736 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10737 			return -EINVAL;
10738 		req.fils_nonces =
10739 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10740 	}
10741 
10742 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10743 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10744 			return -EINVAL;
10745 		memcpy(&req.s1g_capa_mask,
10746 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10747 		       sizeof(req.s1g_capa_mask));
10748 	}
10749 
10750 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10751 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10752 			return -EINVAL;
10753 		memcpy(&req.s1g_capa,
10754 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10755 		       sizeof(req.s1g_capa));
10756 	}
10757 
10758 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10759 
10760 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
10761 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
10762 		struct nlattr *link;
10763 		int rem = 0;
10764 
10765 		if (req.link_id < 0)
10766 			return -EINVAL;
10767 
10768 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10769 			return -EINVAL;
10770 
10771 		if (info->attrs[NL80211_ATTR_MAC] ||
10772 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10773 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
10774 			return -EINVAL;
10775 
10776 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10777 
10778 		attrs = kzalloc(attrsize, GFP_KERNEL);
10779 		if (!attrs)
10780 			return -ENOMEM;
10781 
10782 		nla_for_each_nested(link,
10783 				    info->attrs[NL80211_ATTR_MLO_LINKS],
10784 				    rem) {
10785 			memset(attrs, 0, attrsize);
10786 
10787 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
10788 					 link, NULL, NULL);
10789 
10790 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
10791 				err = -EINVAL;
10792 				goto free;
10793 			}
10794 
10795 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
10796 			/* cannot use the same link ID again */
10797 			if (req.links[link_id].bss) {
10798 				err = -EINVAL;
10799 				goto free;
10800 			}
10801 			req.links[link_id].bss =
10802 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
10803 						  &bssid);
10804 			if (IS_ERR(req.links[link_id].bss)) {
10805 				err = PTR_ERR(req.links[link_id].bss);
10806 				req.links[link_id].bss = NULL;
10807 				goto free;
10808 			}
10809 
10810 			if (attrs[NL80211_ATTR_IE]) {
10811 				req.links[link_id].elems =
10812 					nla_data(attrs[NL80211_ATTR_IE]);
10813 				req.links[link_id].elems_len =
10814 					nla_len(attrs[NL80211_ATTR_IE]);
10815 
10816 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
10817 						       req.links[link_id].elems,
10818 						       req.links[link_id].elems_len)) {
10819 					GENL_SET_ERR_MSG(info,
10820 							 "cannot deal with fragmentation");
10821 					err = -EINVAL;
10822 					goto free;
10823 				}
10824 
10825 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10826 							   req.links[link_id].elems,
10827 							   req.links[link_id].elems_len)) {
10828 					GENL_SET_ERR_MSG(info,
10829 							 "cannot deal with non-inheritance");
10830 					err = -EINVAL;
10831 					goto free;
10832 				}
10833 			}
10834 		}
10835 
10836 		if (!req.links[req.link_id].bss) {
10837 			err = -EINVAL;
10838 			goto free;
10839 		}
10840 
10841 		if (req.links[req.link_id].elems_len) {
10842 			GENL_SET_ERR_MSG(info,
10843 					 "cannot have per-link elems on assoc link");
10844 			err = -EINVAL;
10845 			goto free;
10846 		}
10847 
10848 		kfree(attrs);
10849 		attrs = NULL;
10850 	} else {
10851 		if (req.link_id >= 0)
10852 			return -EINVAL;
10853 
10854 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
10855 					    &bssid);
10856 		if (IS_ERR(req.bss))
10857 			return PTR_ERR(req.bss);
10858 	}
10859 
10860 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10861 	if (!err) {
10862 		wdev_lock(dev->ieee80211_ptr);
10863 
10864 		err = cfg80211_mlme_assoc(rdev, dev, &req);
10865 
10866 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10867 			dev->ieee80211_ptr->conn_owner_nlportid =
10868 				info->snd_portid;
10869 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10870 			       bssid, ETH_ALEN);
10871 		}
10872 
10873 		wdev_unlock(dev->ieee80211_ptr);
10874 	}
10875 
10876 free:
10877 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
10878 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
10879 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10880 	kfree(attrs);
10881 
10882 	return err;
10883 }
10884 
10885 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10886 {
10887 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10888 	struct net_device *dev = info->user_ptr[1];
10889 	const u8 *ie = NULL, *bssid;
10890 	int ie_len = 0, err;
10891 	u16 reason_code;
10892 	bool local_state_change;
10893 
10894 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10895 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10896 		return -EPERM;
10897 
10898 	if (!info->attrs[NL80211_ATTR_MAC])
10899 		return -EINVAL;
10900 
10901 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10902 		return -EINVAL;
10903 
10904 	if (!rdev->ops->deauth)
10905 		return -EOPNOTSUPP;
10906 
10907 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10908 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10909 		return -EOPNOTSUPP;
10910 
10911 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10912 
10913 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10914 	if (reason_code == 0) {
10915 		/* Reason Code 0 is reserved */
10916 		return -EINVAL;
10917 	}
10918 
10919 	if (info->attrs[NL80211_ATTR_IE]) {
10920 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10921 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10922 	}
10923 
10924 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10925 
10926 	wdev_lock(dev->ieee80211_ptr);
10927 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10928 				   local_state_change);
10929 	wdev_unlock(dev->ieee80211_ptr);
10930 	return err;
10931 }
10932 
10933 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10934 {
10935 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10936 	struct net_device *dev = info->user_ptr[1];
10937 	const u8 *ie = NULL, *bssid;
10938 	int ie_len = 0, err;
10939 	u16 reason_code;
10940 	bool local_state_change;
10941 
10942 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10943 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10944 		return -EPERM;
10945 
10946 	if (!info->attrs[NL80211_ATTR_MAC])
10947 		return -EINVAL;
10948 
10949 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10950 		return -EINVAL;
10951 
10952 	if (!rdev->ops->disassoc)
10953 		return -EOPNOTSUPP;
10954 
10955 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10956 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10957 		return -EOPNOTSUPP;
10958 
10959 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10960 
10961 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10962 	if (reason_code == 0) {
10963 		/* Reason Code 0 is reserved */
10964 		return -EINVAL;
10965 	}
10966 
10967 	if (info->attrs[NL80211_ATTR_IE]) {
10968 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10969 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10970 	}
10971 
10972 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10973 
10974 	wdev_lock(dev->ieee80211_ptr);
10975 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10976 				     local_state_change);
10977 	wdev_unlock(dev->ieee80211_ptr);
10978 	return err;
10979 }
10980 
10981 static bool
10982 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10983 			 int mcast_rate[NUM_NL80211_BANDS],
10984 			 int rateval)
10985 {
10986 	struct wiphy *wiphy = &rdev->wiphy;
10987 	bool found = false;
10988 	int band, i;
10989 
10990 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10991 		struct ieee80211_supported_band *sband;
10992 
10993 		sband = wiphy->bands[band];
10994 		if (!sband)
10995 			continue;
10996 
10997 		for (i = 0; i < sband->n_bitrates; i++) {
10998 			if (sband->bitrates[i].bitrate == rateval) {
10999 				mcast_rate[band] = i + 1;
11000 				found = true;
11001 				break;
11002 			}
11003 		}
11004 	}
11005 
11006 	return found;
11007 }
11008 
11009 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11010 {
11011 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11012 	struct net_device *dev = info->user_ptr[1];
11013 	struct cfg80211_ibss_params ibss;
11014 	struct wiphy *wiphy;
11015 	struct cfg80211_cached_keys *connkeys = NULL;
11016 	int err;
11017 
11018 	memset(&ibss, 0, sizeof(ibss));
11019 
11020 	if (!info->attrs[NL80211_ATTR_SSID] ||
11021 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11022 		return -EINVAL;
11023 
11024 	ibss.beacon_interval = 100;
11025 
11026 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11027 		ibss.beacon_interval =
11028 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11029 
11030 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11031 					   ibss.beacon_interval);
11032 	if (err)
11033 		return err;
11034 
11035 	if (!rdev->ops->join_ibss)
11036 		return -EOPNOTSUPP;
11037 
11038 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11039 		return -EOPNOTSUPP;
11040 
11041 	wiphy = &rdev->wiphy;
11042 
11043 	if (info->attrs[NL80211_ATTR_MAC]) {
11044 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11045 
11046 		if (!is_valid_ether_addr(ibss.bssid))
11047 			return -EINVAL;
11048 	}
11049 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11050 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11051 
11052 	if (info->attrs[NL80211_ATTR_IE]) {
11053 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11054 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11055 	}
11056 
11057 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11058 	if (err)
11059 		return err;
11060 
11061 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11062 				     NL80211_IFTYPE_ADHOC))
11063 		return -EINVAL;
11064 
11065 	switch (ibss.chandef.width) {
11066 	case NL80211_CHAN_WIDTH_5:
11067 	case NL80211_CHAN_WIDTH_10:
11068 	case NL80211_CHAN_WIDTH_20_NOHT:
11069 		break;
11070 	case NL80211_CHAN_WIDTH_20:
11071 	case NL80211_CHAN_WIDTH_40:
11072 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11073 			return -EINVAL;
11074 		break;
11075 	case NL80211_CHAN_WIDTH_80:
11076 	case NL80211_CHAN_WIDTH_80P80:
11077 	case NL80211_CHAN_WIDTH_160:
11078 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11079 			return -EINVAL;
11080 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11081 					     NL80211_EXT_FEATURE_VHT_IBSS))
11082 			return -EINVAL;
11083 		break;
11084 	case NL80211_CHAN_WIDTH_320:
11085 		return -EINVAL;
11086 	default:
11087 		return -EINVAL;
11088 	}
11089 
11090 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11091 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11092 
11093 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11094 		u8 *rates =
11095 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11096 		int n_rates =
11097 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11098 		struct ieee80211_supported_band *sband =
11099 			wiphy->bands[ibss.chandef.chan->band];
11100 
11101 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11102 					     &ibss.basic_rates);
11103 		if (err)
11104 			return err;
11105 	}
11106 
11107 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11108 		memcpy(&ibss.ht_capa_mask,
11109 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11110 		       sizeof(ibss.ht_capa_mask));
11111 
11112 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11113 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11114 			return -EINVAL;
11115 		memcpy(&ibss.ht_capa,
11116 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11117 		       sizeof(ibss.ht_capa));
11118 	}
11119 
11120 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11121 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11122 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11123 		return -EINVAL;
11124 
11125 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11126 		bool no_ht = false;
11127 
11128 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11129 		if (IS_ERR(connkeys))
11130 			return PTR_ERR(connkeys);
11131 
11132 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11133 		    no_ht) {
11134 			kfree_sensitive(connkeys);
11135 			return -EINVAL;
11136 		}
11137 	}
11138 
11139 	ibss.control_port =
11140 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11141 
11142 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11143 		int r = validate_pae_over_nl80211(rdev, info);
11144 
11145 		if (r < 0) {
11146 			kfree_sensitive(connkeys);
11147 			return r;
11148 		}
11149 
11150 		ibss.control_port_over_nl80211 = true;
11151 	}
11152 
11153 	ibss.userspace_handles_dfs =
11154 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11155 
11156 	wdev_lock(dev->ieee80211_ptr);
11157 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11158 	if (err)
11159 		kfree_sensitive(connkeys);
11160 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11161 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11162 	wdev_unlock(dev->ieee80211_ptr);
11163 
11164 	return err;
11165 }
11166 
11167 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11168 {
11169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11170 	struct net_device *dev = info->user_ptr[1];
11171 
11172 	if (!rdev->ops->leave_ibss)
11173 		return -EOPNOTSUPP;
11174 
11175 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11176 		return -EOPNOTSUPP;
11177 
11178 	return cfg80211_leave_ibss(rdev, dev, false);
11179 }
11180 
11181 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11182 {
11183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11184 	struct net_device *dev = info->user_ptr[1];
11185 	int mcast_rate[NUM_NL80211_BANDS];
11186 	u32 nla_rate;
11187 	int err;
11188 
11189 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11190 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11191 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11192 		return -EOPNOTSUPP;
11193 
11194 	if (!rdev->ops->set_mcast_rate)
11195 		return -EOPNOTSUPP;
11196 
11197 	memset(mcast_rate, 0, sizeof(mcast_rate));
11198 
11199 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11200 		return -EINVAL;
11201 
11202 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11203 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11204 		return -EINVAL;
11205 
11206 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
11207 
11208 	return err;
11209 }
11210 
11211 static struct sk_buff *
11212 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11213 			    struct wireless_dev *wdev, int approxlen,
11214 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11215 			    enum nl80211_attrs attr,
11216 			    const struct nl80211_vendor_cmd_info *info,
11217 			    gfp_t gfp)
11218 {
11219 	struct sk_buff *skb;
11220 	void *hdr;
11221 	struct nlattr *data;
11222 
11223 	skb = nlmsg_new(approxlen + 100, gfp);
11224 	if (!skb)
11225 		return NULL;
11226 
11227 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11228 	if (!hdr) {
11229 		kfree_skb(skb);
11230 		return NULL;
11231 	}
11232 
11233 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11234 		goto nla_put_failure;
11235 
11236 	if (info) {
11237 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11238 				info->vendor_id))
11239 			goto nla_put_failure;
11240 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11241 				info->subcmd))
11242 			goto nla_put_failure;
11243 	}
11244 
11245 	if (wdev) {
11246 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11247 				      wdev_id(wdev), NL80211_ATTR_PAD))
11248 			goto nla_put_failure;
11249 		if (wdev->netdev &&
11250 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11251 				wdev->netdev->ifindex))
11252 			goto nla_put_failure;
11253 	}
11254 
11255 	data = nla_nest_start_noflag(skb, attr);
11256 	if (!data)
11257 		goto nla_put_failure;
11258 
11259 	((void **)skb->cb)[0] = rdev;
11260 	((void **)skb->cb)[1] = hdr;
11261 	((void **)skb->cb)[2] = data;
11262 
11263 	return skb;
11264 
11265  nla_put_failure:
11266 	kfree_skb(skb);
11267 	return NULL;
11268 }
11269 
11270 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11271 					   struct wireless_dev *wdev,
11272 					   enum nl80211_commands cmd,
11273 					   enum nl80211_attrs attr,
11274 					   unsigned int portid,
11275 					   int vendor_event_idx,
11276 					   int approxlen, gfp_t gfp)
11277 {
11278 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11279 	const struct nl80211_vendor_cmd_info *info;
11280 
11281 	switch (cmd) {
11282 	case NL80211_CMD_TESTMODE:
11283 		if (WARN_ON(vendor_event_idx != -1))
11284 			return NULL;
11285 		info = NULL;
11286 		break;
11287 	case NL80211_CMD_VENDOR:
11288 		if (WARN_ON(vendor_event_idx < 0 ||
11289 			    vendor_event_idx >= wiphy->n_vendor_events))
11290 			return NULL;
11291 		info = &wiphy->vendor_events[vendor_event_idx];
11292 		break;
11293 	default:
11294 		WARN_ON(1);
11295 		return NULL;
11296 	}
11297 
11298 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11299 					   cmd, attr, info, gfp);
11300 }
11301 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11302 
11303 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11304 {
11305 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11306 	void *hdr = ((void **)skb->cb)[1];
11307 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11308 	struct nlattr *data = ((void **)skb->cb)[2];
11309 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11310 
11311 	/* clear CB data for netlink core to own from now on */
11312 	memset(skb->cb, 0, sizeof(skb->cb));
11313 
11314 	nla_nest_end(skb, data);
11315 	genlmsg_end(skb, hdr);
11316 
11317 	if (nlhdr->nlmsg_pid) {
11318 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11319 				nlhdr->nlmsg_pid);
11320 	} else {
11321 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11322 			mcgrp = NL80211_MCGRP_VENDOR;
11323 
11324 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11325 					skb, 0, mcgrp, gfp);
11326 	}
11327 }
11328 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11329 
11330 #ifdef CONFIG_NL80211_TESTMODE
11331 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11332 {
11333 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11334 	struct wireless_dev *wdev;
11335 	int err;
11336 
11337 	lockdep_assert_held(&rdev->wiphy.mtx);
11338 
11339 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11340 					  info->attrs);
11341 
11342 	if (!rdev->ops->testmode_cmd)
11343 		return -EOPNOTSUPP;
11344 
11345 	if (IS_ERR(wdev)) {
11346 		err = PTR_ERR(wdev);
11347 		if (err != -EINVAL)
11348 			return err;
11349 		wdev = NULL;
11350 	} else if (wdev->wiphy != &rdev->wiphy) {
11351 		return -EINVAL;
11352 	}
11353 
11354 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11355 		return -EINVAL;
11356 
11357 	rdev->cur_cmd_info = info;
11358 	err = rdev_testmode_cmd(rdev, wdev,
11359 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11360 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11361 	rdev->cur_cmd_info = NULL;
11362 
11363 	return err;
11364 }
11365 
11366 static int nl80211_testmode_dump(struct sk_buff *skb,
11367 				 struct netlink_callback *cb)
11368 {
11369 	struct cfg80211_registered_device *rdev;
11370 	struct nlattr **attrbuf = NULL;
11371 	int err;
11372 	long phy_idx;
11373 	void *data = NULL;
11374 	int data_len = 0;
11375 
11376 	rtnl_lock();
11377 
11378 	if (cb->args[0]) {
11379 		/*
11380 		 * 0 is a valid index, but not valid for args[0],
11381 		 * so we need to offset by 1.
11382 		 */
11383 		phy_idx = cb->args[0] - 1;
11384 
11385 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11386 		if (!rdev) {
11387 			err = -ENOENT;
11388 			goto out_err;
11389 		}
11390 	} else {
11391 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11392 				  GFP_KERNEL);
11393 		if (!attrbuf) {
11394 			err = -ENOMEM;
11395 			goto out_err;
11396 		}
11397 
11398 		err = nlmsg_parse_deprecated(cb->nlh,
11399 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11400 					     attrbuf, nl80211_fam.maxattr,
11401 					     nl80211_policy, NULL);
11402 		if (err)
11403 			goto out_err;
11404 
11405 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11406 		if (IS_ERR(rdev)) {
11407 			err = PTR_ERR(rdev);
11408 			goto out_err;
11409 		}
11410 		phy_idx = rdev->wiphy_idx;
11411 
11412 		if (attrbuf[NL80211_ATTR_TESTDATA])
11413 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11414 	}
11415 
11416 	if (cb->args[1]) {
11417 		data = nla_data((void *)cb->args[1]);
11418 		data_len = nla_len((void *)cb->args[1]);
11419 	}
11420 
11421 	if (!rdev->ops->testmode_dump) {
11422 		err = -EOPNOTSUPP;
11423 		goto out_err;
11424 	}
11425 
11426 	while (1) {
11427 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11428 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11429 					   NL80211_CMD_TESTMODE);
11430 		struct nlattr *tmdata;
11431 
11432 		if (!hdr)
11433 			break;
11434 
11435 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11436 			genlmsg_cancel(skb, hdr);
11437 			break;
11438 		}
11439 
11440 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11441 		if (!tmdata) {
11442 			genlmsg_cancel(skb, hdr);
11443 			break;
11444 		}
11445 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11446 		nla_nest_end(skb, tmdata);
11447 
11448 		if (err == -ENOBUFS || err == -ENOENT) {
11449 			genlmsg_cancel(skb, hdr);
11450 			break;
11451 		} else if (err) {
11452 			genlmsg_cancel(skb, hdr);
11453 			goto out_err;
11454 		}
11455 
11456 		genlmsg_end(skb, hdr);
11457 	}
11458 
11459 	err = skb->len;
11460 	/* see above */
11461 	cb->args[0] = phy_idx + 1;
11462  out_err:
11463 	kfree(attrbuf);
11464 	rtnl_unlock();
11465 	return err;
11466 }
11467 #endif
11468 
11469 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11470 {
11471 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11472 	struct net_device *dev = info->user_ptr[1];
11473 	struct cfg80211_connect_params connect;
11474 	struct wiphy *wiphy;
11475 	struct cfg80211_cached_keys *connkeys = NULL;
11476 	u32 freq = 0;
11477 	int err;
11478 
11479 	memset(&connect, 0, sizeof(connect));
11480 
11481 	if (!info->attrs[NL80211_ATTR_SSID] ||
11482 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11483 		return -EINVAL;
11484 
11485 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11486 		connect.auth_type =
11487 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11488 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11489 					     NL80211_CMD_CONNECT))
11490 			return -EINVAL;
11491 	} else
11492 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11493 
11494 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11495 
11496 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11497 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11498 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11499 		return -EINVAL;
11500 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11501 
11502 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11503 				      NL80211_MAX_NR_CIPHER_SUITES);
11504 	if (err)
11505 		return err;
11506 
11507 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11508 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11509 		return -EOPNOTSUPP;
11510 
11511 	wiphy = &rdev->wiphy;
11512 
11513 	connect.bg_scan_period = -1;
11514 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11515 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11516 		connect.bg_scan_period =
11517 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11518 	}
11519 
11520 	if (info->attrs[NL80211_ATTR_MAC])
11521 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11522 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11523 		connect.bssid_hint =
11524 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11525 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11526 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11527 
11528 	if (info->attrs[NL80211_ATTR_IE]) {
11529 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11530 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11531 	}
11532 
11533 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11534 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11535 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11536 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11537 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11538 			return -EOPNOTSUPP;
11539 	} else {
11540 		connect.mfp = NL80211_MFP_NO;
11541 	}
11542 
11543 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11544 		connect.prev_bssid =
11545 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11546 
11547 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11548 		freq = MHZ_TO_KHZ(nla_get_u32(
11549 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11550 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11551 		freq +=
11552 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11553 
11554 	if (freq) {
11555 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11556 		if (!connect.channel)
11557 			return -EINVAL;
11558 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11559 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11560 		freq = MHZ_TO_KHZ(freq);
11561 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11562 		if (!connect.channel_hint)
11563 			return -EINVAL;
11564 	}
11565 
11566 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11567 		connect.edmg.channels =
11568 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11569 
11570 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11571 			connect.edmg.bw_config =
11572 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11573 	}
11574 
11575 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11576 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11577 		if (IS_ERR(connkeys))
11578 			return PTR_ERR(connkeys);
11579 	}
11580 
11581 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11582 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11583 
11584 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11585 		memcpy(&connect.ht_capa_mask,
11586 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11587 		       sizeof(connect.ht_capa_mask));
11588 
11589 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11590 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11591 			kfree_sensitive(connkeys);
11592 			return -EINVAL;
11593 		}
11594 		memcpy(&connect.ht_capa,
11595 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11596 		       sizeof(connect.ht_capa));
11597 	}
11598 
11599 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11600 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11601 
11602 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11603 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11604 
11605 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11606 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11607 
11608 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11609 		memcpy(&connect.vht_capa_mask,
11610 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11611 		       sizeof(connect.vht_capa_mask));
11612 
11613 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11614 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11615 			kfree_sensitive(connkeys);
11616 			return -EINVAL;
11617 		}
11618 		memcpy(&connect.vht_capa,
11619 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11620 		       sizeof(connect.vht_capa));
11621 	}
11622 
11623 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11624 		if (!((rdev->wiphy.features &
11625 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11626 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11627 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11628 					     NL80211_EXT_FEATURE_RRM)) {
11629 			kfree_sensitive(connkeys);
11630 			return -EINVAL;
11631 		}
11632 		connect.flags |= ASSOC_REQ_USE_RRM;
11633 	}
11634 
11635 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11636 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11637 		kfree_sensitive(connkeys);
11638 		return -EOPNOTSUPP;
11639 	}
11640 
11641 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11642 		/* bss selection makes no sense if bssid is set */
11643 		if (connect.bssid) {
11644 			kfree_sensitive(connkeys);
11645 			return -EINVAL;
11646 		}
11647 
11648 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11649 				       wiphy, &connect.bss_select);
11650 		if (err) {
11651 			kfree_sensitive(connkeys);
11652 			return err;
11653 		}
11654 	}
11655 
11656 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11657 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11658 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11659 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11660 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11661 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11662 		connect.fils_erp_username =
11663 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11664 		connect.fils_erp_username_len =
11665 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11666 		connect.fils_erp_realm =
11667 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11668 		connect.fils_erp_realm_len =
11669 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11670 		connect.fils_erp_next_seq_num =
11671 			nla_get_u16(
11672 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11673 		connect.fils_erp_rrk =
11674 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11675 		connect.fils_erp_rrk_len =
11676 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11677 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11678 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11679 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11680 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11681 		kfree_sensitive(connkeys);
11682 		return -EINVAL;
11683 	}
11684 
11685 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11686 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11687 			kfree_sensitive(connkeys);
11688 			GENL_SET_ERR_MSG(info,
11689 					 "external auth requires connection ownership");
11690 			return -EINVAL;
11691 		}
11692 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11693 	}
11694 
11695 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
11696 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
11697 
11698 	wdev_lock(dev->ieee80211_ptr);
11699 
11700 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11701 			       connect.prev_bssid);
11702 	if (err)
11703 		kfree_sensitive(connkeys);
11704 
11705 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11706 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11707 		if (connect.bssid)
11708 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11709 			       connect.bssid, ETH_ALEN);
11710 		else
11711 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11712 	}
11713 
11714 	wdev_unlock(dev->ieee80211_ptr);
11715 
11716 	return err;
11717 }
11718 
11719 static int nl80211_update_connect_params(struct sk_buff *skb,
11720 					 struct genl_info *info)
11721 {
11722 	struct cfg80211_connect_params connect = {};
11723 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11724 	struct net_device *dev = info->user_ptr[1];
11725 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11726 	bool fils_sk_offload;
11727 	u32 auth_type;
11728 	u32 changed = 0;
11729 	int ret;
11730 
11731 	if (!rdev->ops->update_connect_params)
11732 		return -EOPNOTSUPP;
11733 
11734 	if (info->attrs[NL80211_ATTR_IE]) {
11735 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11736 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11737 		changed |= UPDATE_ASSOC_IES;
11738 	}
11739 
11740 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11741 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11742 
11743 	/*
11744 	 * when driver supports fils-sk offload all attributes must be
11745 	 * provided. So the else covers "fils-sk-not-all" and
11746 	 * "no-fils-sk-any".
11747 	 */
11748 	if (fils_sk_offload &&
11749 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11750 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11751 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11752 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11753 		connect.fils_erp_username =
11754 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11755 		connect.fils_erp_username_len =
11756 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11757 		connect.fils_erp_realm =
11758 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11759 		connect.fils_erp_realm_len =
11760 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11761 		connect.fils_erp_next_seq_num =
11762 			nla_get_u16(
11763 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11764 		connect.fils_erp_rrk =
11765 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11766 		connect.fils_erp_rrk_len =
11767 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11768 		changed |= UPDATE_FILS_ERP_INFO;
11769 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11770 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11771 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11772 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11773 		return -EINVAL;
11774 	}
11775 
11776 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11777 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11778 		if (!nl80211_valid_auth_type(rdev, auth_type,
11779 					     NL80211_CMD_CONNECT))
11780 			return -EINVAL;
11781 
11782 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11783 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11784 			return -EINVAL;
11785 
11786 		connect.auth_type = auth_type;
11787 		changed |= UPDATE_AUTH_TYPE;
11788 	}
11789 
11790 	wdev_lock(dev->ieee80211_ptr);
11791 	if (!wdev->connected)
11792 		ret = -ENOLINK;
11793 	else
11794 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11795 	wdev_unlock(dev->ieee80211_ptr);
11796 
11797 	return ret;
11798 }
11799 
11800 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11801 {
11802 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11803 	struct net_device *dev = info->user_ptr[1];
11804 	u16 reason;
11805 	int ret;
11806 
11807 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11808 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11809 		return -EPERM;
11810 
11811 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11812 		reason = WLAN_REASON_DEAUTH_LEAVING;
11813 	else
11814 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11815 
11816 	if (reason == 0)
11817 		return -EINVAL;
11818 
11819 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11820 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11821 		return -EOPNOTSUPP;
11822 
11823 	wdev_lock(dev->ieee80211_ptr);
11824 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11825 	wdev_unlock(dev->ieee80211_ptr);
11826 	return ret;
11827 }
11828 
11829 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11830 {
11831 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11832 	struct net *net;
11833 	int err;
11834 
11835 	if (info->attrs[NL80211_ATTR_PID]) {
11836 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11837 
11838 		net = get_net_ns_by_pid(pid);
11839 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11840 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11841 
11842 		net = get_net_ns_by_fd(fd);
11843 	} else {
11844 		return -EINVAL;
11845 	}
11846 
11847 	if (IS_ERR(net))
11848 		return PTR_ERR(net);
11849 
11850 	err = 0;
11851 
11852 	/* check if anything to do */
11853 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11854 		err = cfg80211_switch_netns(rdev, net);
11855 
11856 	put_net(net);
11857 	return err;
11858 }
11859 
11860 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11861 {
11862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11863 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11864 			struct cfg80211_pmksa *pmksa) = NULL;
11865 	struct net_device *dev = info->user_ptr[1];
11866 	struct cfg80211_pmksa pmksa;
11867 
11868 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11869 
11870 	if (!info->attrs[NL80211_ATTR_PMKID])
11871 		return -EINVAL;
11872 
11873 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11874 
11875 	if (info->attrs[NL80211_ATTR_MAC]) {
11876 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11877 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11878 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11879 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11880 		    info->attrs[NL80211_ATTR_PMK])) {
11881 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11882 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11883 		pmksa.cache_id =
11884 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11885 	} else {
11886 		return -EINVAL;
11887 	}
11888 	if (info->attrs[NL80211_ATTR_PMK]) {
11889 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11890 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11891 	}
11892 
11893 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11894 		pmksa.pmk_lifetime =
11895 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11896 
11897 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11898 		pmksa.pmk_reauth_threshold =
11899 			nla_get_u8(
11900 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11901 
11902 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11903 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11904 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11905 	      wiphy_ext_feature_isset(&rdev->wiphy,
11906 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11907 		return -EOPNOTSUPP;
11908 
11909 	switch (info->genlhdr->cmd) {
11910 	case NL80211_CMD_SET_PMKSA:
11911 		rdev_ops = rdev->ops->set_pmksa;
11912 		break;
11913 	case NL80211_CMD_DEL_PMKSA:
11914 		rdev_ops = rdev->ops->del_pmksa;
11915 		break;
11916 	default:
11917 		WARN_ON(1);
11918 		break;
11919 	}
11920 
11921 	if (!rdev_ops)
11922 		return -EOPNOTSUPP;
11923 
11924 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11925 }
11926 
11927 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11928 {
11929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11930 	struct net_device *dev = info->user_ptr[1];
11931 
11932 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11933 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11934 		return -EOPNOTSUPP;
11935 
11936 	if (!rdev->ops->flush_pmksa)
11937 		return -EOPNOTSUPP;
11938 
11939 	return rdev_flush_pmksa(rdev, dev);
11940 }
11941 
11942 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11943 {
11944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11945 	struct net_device *dev = info->user_ptr[1];
11946 	u8 action_code, dialog_token;
11947 	u32 peer_capability = 0;
11948 	u16 status_code;
11949 	u8 *peer;
11950 	bool initiator;
11951 
11952 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11953 	    !rdev->ops->tdls_mgmt)
11954 		return -EOPNOTSUPP;
11955 
11956 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11957 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11958 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11959 	    !info->attrs[NL80211_ATTR_IE] ||
11960 	    !info->attrs[NL80211_ATTR_MAC])
11961 		return -EINVAL;
11962 
11963 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11964 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11965 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11966 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11967 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11968 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11969 		peer_capability =
11970 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11971 
11972 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11973 			      dialog_token, status_code, peer_capability,
11974 			      initiator,
11975 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11976 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11977 }
11978 
11979 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11980 {
11981 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11982 	struct net_device *dev = info->user_ptr[1];
11983 	enum nl80211_tdls_operation operation;
11984 	u8 *peer;
11985 
11986 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11987 	    !rdev->ops->tdls_oper)
11988 		return -EOPNOTSUPP;
11989 
11990 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11991 	    !info->attrs[NL80211_ATTR_MAC])
11992 		return -EINVAL;
11993 
11994 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11995 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11996 
11997 	return rdev_tdls_oper(rdev, dev, peer, operation);
11998 }
11999 
12000 static int nl80211_remain_on_channel(struct sk_buff *skb,
12001 				     struct genl_info *info)
12002 {
12003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12004 	unsigned int link_id = nl80211_link_id(info->attrs);
12005 	struct wireless_dev *wdev = info->user_ptr[1];
12006 	struct cfg80211_chan_def chandef;
12007 	struct sk_buff *msg;
12008 	void *hdr;
12009 	u64 cookie;
12010 	u32 duration;
12011 	int err;
12012 
12013 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12014 	    !info->attrs[NL80211_ATTR_DURATION])
12015 		return -EINVAL;
12016 
12017 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12018 
12019 	if (!rdev->ops->remain_on_channel ||
12020 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12021 		return -EOPNOTSUPP;
12022 
12023 	/*
12024 	 * We should be on that channel for at least a minimum amount of
12025 	 * time (10ms) but no longer than the driver supports.
12026 	 */
12027 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12028 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12029 		return -EINVAL;
12030 
12031 	err = nl80211_parse_chandef(rdev, info, &chandef);
12032 	if (err)
12033 		return err;
12034 
12035 	wdev_lock(wdev);
12036 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12037 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12038 
12039 		oper_chandef = wdev_chandef(wdev, link_id);
12040 
12041 		if (WARN_ON(!oper_chandef)) {
12042 			/* cannot happen since we must beacon to get here */
12043 			WARN_ON(1);
12044 			wdev_unlock(wdev);
12045 			return -EBUSY;
12046 		}
12047 
12048 		/* note: returns first one if identical chandefs */
12049 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12050 							     oper_chandef);
12051 
12052 		if (compat_chandef != &chandef) {
12053 			wdev_unlock(wdev);
12054 			return -EBUSY;
12055 		}
12056 	}
12057 	wdev_unlock(wdev);
12058 
12059 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12060 	if (!msg)
12061 		return -ENOMEM;
12062 
12063 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12064 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12065 	if (!hdr) {
12066 		err = -ENOBUFS;
12067 		goto free_msg;
12068 	}
12069 
12070 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12071 				     duration, &cookie);
12072 
12073 	if (err)
12074 		goto free_msg;
12075 
12076 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12077 			      NL80211_ATTR_PAD))
12078 		goto nla_put_failure;
12079 
12080 	genlmsg_end(msg, hdr);
12081 
12082 	return genlmsg_reply(msg, info);
12083 
12084  nla_put_failure:
12085 	err = -ENOBUFS;
12086  free_msg:
12087 	nlmsg_free(msg);
12088 	return err;
12089 }
12090 
12091 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12092 					    struct genl_info *info)
12093 {
12094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12095 	struct wireless_dev *wdev = info->user_ptr[1];
12096 	u64 cookie;
12097 
12098 	if (!info->attrs[NL80211_ATTR_COOKIE])
12099 		return -EINVAL;
12100 
12101 	if (!rdev->ops->cancel_remain_on_channel)
12102 		return -EOPNOTSUPP;
12103 
12104 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12105 
12106 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12107 }
12108 
12109 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12110 				       struct genl_info *info)
12111 {
12112 	struct cfg80211_bitrate_mask mask;
12113 	unsigned int link_id = nl80211_link_id(info->attrs);
12114 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12115 	struct net_device *dev = info->user_ptr[1];
12116 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12117 	int err;
12118 
12119 	if (!rdev->ops->set_bitrate_mask)
12120 		return -EOPNOTSUPP;
12121 
12122 	wdev_lock(wdev);
12123 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12124 					    NL80211_ATTR_TX_RATES, &mask,
12125 					    dev, true, link_id);
12126 	if (err)
12127 		goto out;
12128 
12129 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12130 out:
12131 	wdev_unlock(wdev);
12132 	return err;
12133 }
12134 
12135 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12136 {
12137 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12138 	struct wireless_dev *wdev = info->user_ptr[1];
12139 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12140 
12141 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12142 		return -EINVAL;
12143 
12144 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12145 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12146 
12147 	switch (wdev->iftype) {
12148 	case NL80211_IFTYPE_STATION:
12149 	case NL80211_IFTYPE_ADHOC:
12150 	case NL80211_IFTYPE_P2P_CLIENT:
12151 	case NL80211_IFTYPE_AP:
12152 	case NL80211_IFTYPE_AP_VLAN:
12153 	case NL80211_IFTYPE_MESH_POINT:
12154 	case NL80211_IFTYPE_P2P_GO:
12155 	case NL80211_IFTYPE_P2P_DEVICE:
12156 		break;
12157 	case NL80211_IFTYPE_NAN:
12158 	default:
12159 		return -EOPNOTSUPP;
12160 	}
12161 
12162 	/* not much point in registering if we can't reply */
12163 	if (!rdev->ops->mgmt_tx)
12164 		return -EOPNOTSUPP;
12165 
12166 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12167 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12168 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12169 		GENL_SET_ERR_MSG(info,
12170 				 "multicast RX registrations are not supported");
12171 		return -EOPNOTSUPP;
12172 	}
12173 
12174 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12175 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12176 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12177 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12178 					   info->extack);
12179 }
12180 
12181 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12182 {
12183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12184 	struct wireless_dev *wdev = info->user_ptr[1];
12185 	struct cfg80211_chan_def chandef;
12186 	int err;
12187 	void *hdr = NULL;
12188 	u64 cookie;
12189 	struct sk_buff *msg = NULL;
12190 	struct cfg80211_mgmt_tx_params params = {
12191 		.dont_wait_for_ack =
12192 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12193 	};
12194 
12195 	if (!info->attrs[NL80211_ATTR_FRAME])
12196 		return -EINVAL;
12197 
12198 	if (!rdev->ops->mgmt_tx)
12199 		return -EOPNOTSUPP;
12200 
12201 	switch (wdev->iftype) {
12202 	case NL80211_IFTYPE_P2P_DEVICE:
12203 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12204 			return -EINVAL;
12205 		break;
12206 	case NL80211_IFTYPE_STATION:
12207 	case NL80211_IFTYPE_ADHOC:
12208 	case NL80211_IFTYPE_P2P_CLIENT:
12209 	case NL80211_IFTYPE_AP:
12210 	case NL80211_IFTYPE_AP_VLAN:
12211 	case NL80211_IFTYPE_MESH_POINT:
12212 	case NL80211_IFTYPE_P2P_GO:
12213 		break;
12214 	case NL80211_IFTYPE_NAN:
12215 	default:
12216 		return -EOPNOTSUPP;
12217 	}
12218 
12219 	if (info->attrs[NL80211_ATTR_DURATION]) {
12220 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12221 			return -EINVAL;
12222 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12223 
12224 		/*
12225 		 * We should wait on the channel for at least a minimum amount
12226 		 * of time (10ms) but no longer than the driver supports.
12227 		 */
12228 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12229 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12230 			return -EINVAL;
12231 	}
12232 
12233 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12234 
12235 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12236 		return -EINVAL;
12237 
12238 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12239 
12240 	/* get the channel if any has been specified, otherwise pass NULL to
12241 	 * the driver. The latter will use the current one
12242 	 */
12243 	chandef.chan = NULL;
12244 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12245 		err = nl80211_parse_chandef(rdev, info, &chandef);
12246 		if (err)
12247 			return err;
12248 	}
12249 
12250 	if (!chandef.chan && params.offchan)
12251 		return -EINVAL;
12252 
12253 	wdev_lock(wdev);
12254 	if (params.offchan &&
12255 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12256 		wdev_unlock(wdev);
12257 		return -EBUSY;
12258 	}
12259 
12260 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12261 	/*
12262 	 * This now races due to the unlock, but we cannot check
12263 	 * the valid links for the _station_ anyway, so that's up
12264 	 * to the driver.
12265 	 */
12266 	if (params.link_id >= 0 &&
12267 	    !(wdev->valid_links & BIT(params.link_id))) {
12268 		wdev_unlock(wdev);
12269 		return -EINVAL;
12270 	}
12271 	wdev_unlock(wdev);
12272 
12273 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12274 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12275 
12276 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12277 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12278 		int i;
12279 
12280 		if (len % sizeof(u16))
12281 			return -EINVAL;
12282 
12283 		params.n_csa_offsets = len / sizeof(u16);
12284 		params.csa_offsets =
12285 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12286 
12287 		/* check that all the offsets fit the frame */
12288 		for (i = 0; i < params.n_csa_offsets; i++) {
12289 			if (params.csa_offsets[i] >= params.len)
12290 				return -EINVAL;
12291 		}
12292 	}
12293 
12294 	if (!params.dont_wait_for_ack) {
12295 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12296 		if (!msg)
12297 			return -ENOMEM;
12298 
12299 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12300 				     NL80211_CMD_FRAME);
12301 		if (!hdr) {
12302 			err = -ENOBUFS;
12303 			goto free_msg;
12304 		}
12305 	}
12306 
12307 	params.chan = chandef.chan;
12308 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12309 	if (err)
12310 		goto free_msg;
12311 
12312 	if (msg) {
12313 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12314 				      NL80211_ATTR_PAD))
12315 			goto nla_put_failure;
12316 
12317 		genlmsg_end(msg, hdr);
12318 		return genlmsg_reply(msg, info);
12319 	}
12320 
12321 	return 0;
12322 
12323  nla_put_failure:
12324 	err = -ENOBUFS;
12325  free_msg:
12326 	nlmsg_free(msg);
12327 	return err;
12328 }
12329 
12330 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12331 {
12332 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12333 	struct wireless_dev *wdev = info->user_ptr[1];
12334 	u64 cookie;
12335 
12336 	if (!info->attrs[NL80211_ATTR_COOKIE])
12337 		return -EINVAL;
12338 
12339 	if (!rdev->ops->mgmt_tx_cancel_wait)
12340 		return -EOPNOTSUPP;
12341 
12342 	switch (wdev->iftype) {
12343 	case NL80211_IFTYPE_STATION:
12344 	case NL80211_IFTYPE_ADHOC:
12345 	case NL80211_IFTYPE_P2P_CLIENT:
12346 	case NL80211_IFTYPE_AP:
12347 	case NL80211_IFTYPE_AP_VLAN:
12348 	case NL80211_IFTYPE_P2P_GO:
12349 	case NL80211_IFTYPE_P2P_DEVICE:
12350 		break;
12351 	case NL80211_IFTYPE_NAN:
12352 	default:
12353 		return -EOPNOTSUPP;
12354 	}
12355 
12356 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12357 
12358 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12359 }
12360 
12361 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12362 {
12363 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12364 	struct wireless_dev *wdev;
12365 	struct net_device *dev = info->user_ptr[1];
12366 	u8 ps_state;
12367 	bool state;
12368 	int err;
12369 
12370 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12371 		return -EINVAL;
12372 
12373 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12374 
12375 	wdev = dev->ieee80211_ptr;
12376 
12377 	if (!rdev->ops->set_power_mgmt)
12378 		return -EOPNOTSUPP;
12379 
12380 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12381 
12382 	if (state == wdev->ps)
12383 		return 0;
12384 
12385 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12386 	if (!err)
12387 		wdev->ps = state;
12388 	return err;
12389 }
12390 
12391 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12392 {
12393 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12394 	enum nl80211_ps_state ps_state;
12395 	struct wireless_dev *wdev;
12396 	struct net_device *dev = info->user_ptr[1];
12397 	struct sk_buff *msg;
12398 	void *hdr;
12399 	int err;
12400 
12401 	wdev = dev->ieee80211_ptr;
12402 
12403 	if (!rdev->ops->set_power_mgmt)
12404 		return -EOPNOTSUPP;
12405 
12406 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12407 	if (!msg)
12408 		return -ENOMEM;
12409 
12410 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12411 			     NL80211_CMD_GET_POWER_SAVE);
12412 	if (!hdr) {
12413 		err = -ENOBUFS;
12414 		goto free_msg;
12415 	}
12416 
12417 	if (wdev->ps)
12418 		ps_state = NL80211_PS_ENABLED;
12419 	else
12420 		ps_state = NL80211_PS_DISABLED;
12421 
12422 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12423 		goto nla_put_failure;
12424 
12425 	genlmsg_end(msg, hdr);
12426 	return genlmsg_reply(msg, info);
12427 
12428  nla_put_failure:
12429 	err = -ENOBUFS;
12430  free_msg:
12431 	nlmsg_free(msg);
12432 	return err;
12433 }
12434 
12435 static const struct nla_policy
12436 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12437 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12438 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12439 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12440 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12441 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12442 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12443 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12444 };
12445 
12446 static int nl80211_set_cqm_txe(struct genl_info *info,
12447 			       u32 rate, u32 pkts, u32 intvl)
12448 {
12449 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12450 	struct net_device *dev = info->user_ptr[1];
12451 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12452 
12453 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12454 		return -EINVAL;
12455 
12456 	if (!rdev->ops->set_cqm_txe_config)
12457 		return -EOPNOTSUPP;
12458 
12459 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12460 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12461 		return -EOPNOTSUPP;
12462 
12463 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12464 }
12465 
12466 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12467 				    struct net_device *dev)
12468 {
12469 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12470 	s32 last, low, high;
12471 	u32 hyst;
12472 	int i, n, low_index;
12473 	int err;
12474 
12475 	/* RSSI reporting disabled? */
12476 	if (!wdev->cqm_config)
12477 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12478 
12479 	/*
12480 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12481 	 * event has been received yet, we should receive an event after a
12482 	 * connection is established and enough beacons received to calculate
12483 	 * the average.
12484 	 */
12485 	if (!wdev->cqm_config->last_rssi_event_value &&
12486 	    wdev->links[0].client.current_bss &&
12487 	    rdev->ops->get_station) {
12488 		struct station_info sinfo = {};
12489 		u8 *mac_addr;
12490 
12491 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12492 
12493 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12494 		if (err)
12495 			return err;
12496 
12497 		cfg80211_sinfo_release_content(&sinfo);
12498 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12499 			wdev->cqm_config->last_rssi_event_value =
12500 				(s8) sinfo.rx_beacon_signal_avg;
12501 	}
12502 
12503 	last = wdev->cqm_config->last_rssi_event_value;
12504 	hyst = wdev->cqm_config->rssi_hyst;
12505 	n = wdev->cqm_config->n_rssi_thresholds;
12506 
12507 	for (i = 0; i < n; i++) {
12508 		i = array_index_nospec(i, n);
12509 		if (last < wdev->cqm_config->rssi_thresholds[i])
12510 			break;
12511 	}
12512 
12513 	low_index = i - 1;
12514 	if (low_index >= 0) {
12515 		low_index = array_index_nospec(low_index, n);
12516 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12517 	} else {
12518 		low = S32_MIN;
12519 	}
12520 	if (i < n) {
12521 		i = array_index_nospec(i, n);
12522 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12523 	} else {
12524 		high = S32_MAX;
12525 	}
12526 
12527 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12528 }
12529 
12530 static int nl80211_set_cqm_rssi(struct genl_info *info,
12531 				const s32 *thresholds, int n_thresholds,
12532 				u32 hysteresis)
12533 {
12534 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12535 	struct net_device *dev = info->user_ptr[1];
12536 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12537 	int i, err;
12538 	s32 prev = S32_MIN;
12539 
12540 	/* Check all values negative and sorted */
12541 	for (i = 0; i < n_thresholds; i++) {
12542 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12543 			return -EINVAL;
12544 
12545 		prev = thresholds[i];
12546 	}
12547 
12548 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12549 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12550 		return -EOPNOTSUPP;
12551 
12552 	wdev_lock(wdev);
12553 	cfg80211_cqm_config_free(wdev);
12554 	wdev_unlock(wdev);
12555 
12556 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12557 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12558 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12559 
12560 		return rdev_set_cqm_rssi_config(rdev, dev,
12561 						thresholds[0], hysteresis);
12562 	}
12563 
12564 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12565 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12566 		return -EOPNOTSUPP;
12567 
12568 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12569 		n_thresholds = 0;
12570 
12571 	wdev_lock(wdev);
12572 	if (n_thresholds) {
12573 		struct cfg80211_cqm_config *cqm_config;
12574 
12575 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12576 						 n_thresholds),
12577 				     GFP_KERNEL);
12578 		if (!cqm_config) {
12579 			err = -ENOMEM;
12580 			goto unlock;
12581 		}
12582 
12583 		cqm_config->rssi_hyst = hysteresis;
12584 		cqm_config->n_rssi_thresholds = n_thresholds;
12585 		memcpy(cqm_config->rssi_thresholds, thresholds,
12586 		       flex_array_size(cqm_config, rssi_thresholds,
12587 				       n_thresholds));
12588 
12589 		wdev->cqm_config = cqm_config;
12590 	}
12591 
12592 	err = cfg80211_cqm_rssi_update(rdev, dev);
12593 
12594 unlock:
12595 	wdev_unlock(wdev);
12596 
12597 	return err;
12598 }
12599 
12600 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12601 {
12602 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12603 	struct nlattr *cqm;
12604 	int err;
12605 
12606 	cqm = info->attrs[NL80211_ATTR_CQM];
12607 	if (!cqm)
12608 		return -EINVAL;
12609 
12610 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12611 					  nl80211_attr_cqm_policy,
12612 					  info->extack);
12613 	if (err)
12614 		return err;
12615 
12616 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12617 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12618 		const s32 *thresholds =
12619 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12620 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12621 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12622 
12623 		if (len % 4)
12624 			return -EINVAL;
12625 
12626 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12627 					    hysteresis);
12628 	}
12629 
12630 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12631 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12632 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12633 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12634 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12635 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12636 
12637 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12638 	}
12639 
12640 	return -EINVAL;
12641 }
12642 
12643 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12644 {
12645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12646 	struct net_device *dev = info->user_ptr[1];
12647 	struct ocb_setup setup = {};
12648 	int err;
12649 
12650 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12651 	if (err)
12652 		return err;
12653 
12654 	return cfg80211_join_ocb(rdev, dev, &setup);
12655 }
12656 
12657 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12658 {
12659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12660 	struct net_device *dev = info->user_ptr[1];
12661 
12662 	return cfg80211_leave_ocb(rdev, dev);
12663 }
12664 
12665 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12666 {
12667 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12668 	struct net_device *dev = info->user_ptr[1];
12669 	struct mesh_config cfg;
12670 	struct mesh_setup setup;
12671 	int err;
12672 
12673 	/* start with default */
12674 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12675 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12676 
12677 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12678 		/* and parse parameters if given */
12679 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12680 		if (err)
12681 			return err;
12682 	}
12683 
12684 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12685 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12686 		return -EINVAL;
12687 
12688 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12689 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12690 
12691 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12692 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12693 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12694 			return -EINVAL;
12695 
12696 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12697 		setup.beacon_interval =
12698 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12699 
12700 		err = cfg80211_validate_beacon_int(rdev,
12701 						   NL80211_IFTYPE_MESH_POINT,
12702 						   setup.beacon_interval);
12703 		if (err)
12704 			return err;
12705 	}
12706 
12707 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12708 		setup.dtim_period =
12709 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12710 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12711 			return -EINVAL;
12712 	}
12713 
12714 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12715 		/* parse additional setup parameters if given */
12716 		err = nl80211_parse_mesh_setup(info, &setup);
12717 		if (err)
12718 			return err;
12719 	}
12720 
12721 	if (setup.user_mpm)
12722 		cfg.auto_open_plinks = false;
12723 
12724 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12725 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12726 		if (err)
12727 			return err;
12728 	} else {
12729 		/* __cfg80211_join_mesh() will sort it out */
12730 		setup.chandef.chan = NULL;
12731 	}
12732 
12733 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12734 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12735 		int n_rates =
12736 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12737 		struct ieee80211_supported_band *sband;
12738 
12739 		if (!setup.chandef.chan)
12740 			return -EINVAL;
12741 
12742 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12743 
12744 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12745 					     &setup.basic_rates);
12746 		if (err)
12747 			return err;
12748 	}
12749 
12750 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12751 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12752 						    NL80211_ATTR_TX_RATES,
12753 						    &setup.beacon_rate,
12754 						    dev, false, 0);
12755 		if (err)
12756 			return err;
12757 
12758 		if (!setup.chandef.chan)
12759 			return -EINVAL;
12760 
12761 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12762 					      &setup.beacon_rate);
12763 		if (err)
12764 			return err;
12765 	}
12766 
12767 	setup.userspace_handles_dfs =
12768 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12769 
12770 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12771 		int r = validate_pae_over_nl80211(rdev, info);
12772 
12773 		if (r < 0)
12774 			return r;
12775 
12776 		setup.control_port_over_nl80211 = true;
12777 	}
12778 
12779 	wdev_lock(dev->ieee80211_ptr);
12780 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12781 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12782 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12783 	wdev_unlock(dev->ieee80211_ptr);
12784 
12785 	return err;
12786 }
12787 
12788 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12789 {
12790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12791 	struct net_device *dev = info->user_ptr[1];
12792 
12793 	return cfg80211_leave_mesh(rdev, dev);
12794 }
12795 
12796 #ifdef CONFIG_PM
12797 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12798 					struct cfg80211_registered_device *rdev)
12799 {
12800 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12801 	struct nlattr *nl_pats, *nl_pat;
12802 	int i, pat_len;
12803 
12804 	if (!wowlan->n_patterns)
12805 		return 0;
12806 
12807 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12808 	if (!nl_pats)
12809 		return -ENOBUFS;
12810 
12811 	for (i = 0; i < wowlan->n_patterns; i++) {
12812 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12813 		if (!nl_pat)
12814 			return -ENOBUFS;
12815 		pat_len = wowlan->patterns[i].pattern_len;
12816 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12817 			    wowlan->patterns[i].mask) ||
12818 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12819 			    wowlan->patterns[i].pattern) ||
12820 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12821 				wowlan->patterns[i].pkt_offset))
12822 			return -ENOBUFS;
12823 		nla_nest_end(msg, nl_pat);
12824 	}
12825 	nla_nest_end(msg, nl_pats);
12826 
12827 	return 0;
12828 }
12829 
12830 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12831 				   struct cfg80211_wowlan_tcp *tcp)
12832 {
12833 	struct nlattr *nl_tcp;
12834 
12835 	if (!tcp)
12836 		return 0;
12837 
12838 	nl_tcp = nla_nest_start_noflag(msg,
12839 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12840 	if (!nl_tcp)
12841 		return -ENOBUFS;
12842 
12843 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12844 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12845 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12846 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12847 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12848 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12849 		    tcp->payload_len, tcp->payload) ||
12850 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12851 			tcp->data_interval) ||
12852 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12853 		    tcp->wake_len, tcp->wake_data) ||
12854 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12855 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12856 		return -ENOBUFS;
12857 
12858 	if (tcp->payload_seq.len &&
12859 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12860 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12861 		return -ENOBUFS;
12862 
12863 	if (tcp->payload_tok.len &&
12864 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12865 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12866 		    &tcp->payload_tok))
12867 		return -ENOBUFS;
12868 
12869 	nla_nest_end(msg, nl_tcp);
12870 
12871 	return 0;
12872 }
12873 
12874 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12875 				  struct cfg80211_sched_scan_request *req)
12876 {
12877 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12878 	int i;
12879 
12880 	if (!req)
12881 		return 0;
12882 
12883 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12884 	if (!nd)
12885 		return -ENOBUFS;
12886 
12887 	if (req->n_scan_plans == 1 &&
12888 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12889 			req->scan_plans[0].interval * 1000))
12890 		return -ENOBUFS;
12891 
12892 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12893 		return -ENOBUFS;
12894 
12895 	if (req->relative_rssi_set) {
12896 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12897 
12898 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12899 			       req->relative_rssi))
12900 			return -ENOBUFS;
12901 
12902 		rssi_adjust.band = req->rssi_adjust.band;
12903 		rssi_adjust.delta = req->rssi_adjust.delta;
12904 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12905 			    sizeof(rssi_adjust), &rssi_adjust))
12906 			return -ENOBUFS;
12907 	}
12908 
12909 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12910 	if (!freqs)
12911 		return -ENOBUFS;
12912 
12913 	for (i = 0; i < req->n_channels; i++) {
12914 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12915 			return -ENOBUFS;
12916 	}
12917 
12918 	nla_nest_end(msg, freqs);
12919 
12920 	if (req->n_match_sets) {
12921 		matches = nla_nest_start_noflag(msg,
12922 						NL80211_ATTR_SCHED_SCAN_MATCH);
12923 		if (!matches)
12924 			return -ENOBUFS;
12925 
12926 		for (i = 0; i < req->n_match_sets; i++) {
12927 			match = nla_nest_start_noflag(msg, i);
12928 			if (!match)
12929 				return -ENOBUFS;
12930 
12931 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12932 				    req->match_sets[i].ssid.ssid_len,
12933 				    req->match_sets[i].ssid.ssid))
12934 				return -ENOBUFS;
12935 			nla_nest_end(msg, match);
12936 		}
12937 		nla_nest_end(msg, matches);
12938 	}
12939 
12940 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12941 	if (!scan_plans)
12942 		return -ENOBUFS;
12943 
12944 	for (i = 0; i < req->n_scan_plans; i++) {
12945 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12946 		if (!scan_plan)
12947 			return -ENOBUFS;
12948 
12949 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12950 				req->scan_plans[i].interval) ||
12951 		    (req->scan_plans[i].iterations &&
12952 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12953 				 req->scan_plans[i].iterations)))
12954 			return -ENOBUFS;
12955 		nla_nest_end(msg, scan_plan);
12956 	}
12957 	nla_nest_end(msg, scan_plans);
12958 
12959 	nla_nest_end(msg, nd);
12960 
12961 	return 0;
12962 }
12963 
12964 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12965 {
12966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12967 	struct sk_buff *msg;
12968 	void *hdr;
12969 	u32 size = NLMSG_DEFAULT_SIZE;
12970 
12971 	if (!rdev->wiphy.wowlan)
12972 		return -EOPNOTSUPP;
12973 
12974 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12975 		/* adjust size to have room for all the data */
12976 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12977 			rdev->wiphy.wowlan_config->tcp->payload_len +
12978 			rdev->wiphy.wowlan_config->tcp->wake_len +
12979 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12980 	}
12981 
12982 	msg = nlmsg_new(size, GFP_KERNEL);
12983 	if (!msg)
12984 		return -ENOMEM;
12985 
12986 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12987 			     NL80211_CMD_GET_WOWLAN);
12988 	if (!hdr)
12989 		goto nla_put_failure;
12990 
12991 	if (rdev->wiphy.wowlan_config) {
12992 		struct nlattr *nl_wowlan;
12993 
12994 		nl_wowlan = nla_nest_start_noflag(msg,
12995 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12996 		if (!nl_wowlan)
12997 			goto nla_put_failure;
12998 
12999 		if ((rdev->wiphy.wowlan_config->any &&
13000 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13001 		    (rdev->wiphy.wowlan_config->disconnect &&
13002 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13003 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13004 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13005 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13006 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13007 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13008 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13009 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13010 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13011 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13012 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13013 			goto nla_put_failure;
13014 
13015 		if (nl80211_send_wowlan_patterns(msg, rdev))
13016 			goto nla_put_failure;
13017 
13018 		if (nl80211_send_wowlan_tcp(msg,
13019 					    rdev->wiphy.wowlan_config->tcp))
13020 			goto nla_put_failure;
13021 
13022 		if (nl80211_send_wowlan_nd(
13023 			    msg,
13024 			    rdev->wiphy.wowlan_config->nd_config))
13025 			goto nla_put_failure;
13026 
13027 		nla_nest_end(msg, nl_wowlan);
13028 	}
13029 
13030 	genlmsg_end(msg, hdr);
13031 	return genlmsg_reply(msg, info);
13032 
13033 nla_put_failure:
13034 	nlmsg_free(msg);
13035 	return -ENOBUFS;
13036 }
13037 
13038 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13039 				    struct nlattr *attr,
13040 				    struct cfg80211_wowlan *trig)
13041 {
13042 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13043 	struct cfg80211_wowlan_tcp *cfg;
13044 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13045 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13046 	u32 size;
13047 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13048 	int err, port;
13049 
13050 	if (!rdev->wiphy.wowlan->tcp)
13051 		return -EINVAL;
13052 
13053 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13054 					  nl80211_wowlan_tcp_policy, NULL);
13055 	if (err)
13056 		return err;
13057 
13058 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13059 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13060 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13061 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13062 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13063 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13064 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13065 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13066 		return -EINVAL;
13067 
13068 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13069 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13070 		return -EINVAL;
13071 
13072 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13073 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13074 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13075 		return -EINVAL;
13076 
13077 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13078 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13079 		return -EINVAL;
13080 
13081 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13082 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13083 		return -EINVAL;
13084 
13085 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13086 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13087 
13088 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13089 		tokens_size = tokln - sizeof(*tok);
13090 
13091 		if (!tok->len || tokens_size % tok->len)
13092 			return -EINVAL;
13093 		if (!rdev->wiphy.wowlan->tcp->tok)
13094 			return -EINVAL;
13095 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13096 			return -EINVAL;
13097 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13098 			return -EINVAL;
13099 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13100 			return -EINVAL;
13101 		if (tok->offset + tok->len > data_size)
13102 			return -EINVAL;
13103 	}
13104 
13105 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13106 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13107 		if (!rdev->wiphy.wowlan->tcp->seq)
13108 			return -EINVAL;
13109 		if (seq->len == 0 || seq->len > 4)
13110 			return -EINVAL;
13111 		if (seq->len + seq->offset > data_size)
13112 			return -EINVAL;
13113 	}
13114 
13115 	size = sizeof(*cfg);
13116 	size += data_size;
13117 	size += wake_size + wake_mask_size;
13118 	size += tokens_size;
13119 
13120 	cfg = kzalloc(size, GFP_KERNEL);
13121 	if (!cfg)
13122 		return -ENOMEM;
13123 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13124 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13125 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13126 	       ETH_ALEN);
13127 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13128 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13129 	else
13130 		port = 0;
13131 #ifdef CONFIG_INET
13132 	/* allocate a socket and port for it and use it */
13133 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13134 			    IPPROTO_TCP, &cfg->sock, 1);
13135 	if (err) {
13136 		kfree(cfg);
13137 		return err;
13138 	}
13139 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13140 		sock_release(cfg->sock);
13141 		kfree(cfg);
13142 		return -EADDRINUSE;
13143 	}
13144 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13145 #else
13146 	if (!port) {
13147 		kfree(cfg);
13148 		return -EINVAL;
13149 	}
13150 	cfg->src_port = port;
13151 #endif
13152 
13153 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13154 	cfg->payload_len = data_size;
13155 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13156 	memcpy((void *)cfg->payload,
13157 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13158 	       data_size);
13159 	if (seq)
13160 		cfg->payload_seq = *seq;
13161 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13162 	cfg->wake_len = wake_size;
13163 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13164 	memcpy((void *)cfg->wake_data,
13165 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13166 	       wake_size);
13167 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13168 			 data_size + wake_size;
13169 	memcpy((void *)cfg->wake_mask,
13170 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13171 	       wake_mask_size);
13172 	if (tok) {
13173 		cfg->tokens_size = tokens_size;
13174 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
13175 	}
13176 
13177 	trig->tcp = cfg;
13178 
13179 	return 0;
13180 }
13181 
13182 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13183 				   const struct wiphy_wowlan_support *wowlan,
13184 				   struct nlattr *attr,
13185 				   struct cfg80211_wowlan *trig)
13186 {
13187 	struct nlattr **tb;
13188 	int err;
13189 
13190 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13191 	if (!tb)
13192 		return -ENOMEM;
13193 
13194 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13195 		err = -EOPNOTSUPP;
13196 		goto out;
13197 	}
13198 
13199 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13200 					  nl80211_policy, NULL);
13201 	if (err)
13202 		goto out;
13203 
13204 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13205 						   wowlan->max_nd_match_sets);
13206 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13207 	if (err)
13208 		trig->nd_config = NULL;
13209 
13210 out:
13211 	kfree(tb);
13212 	return err;
13213 }
13214 
13215 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13216 {
13217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13218 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13219 	struct cfg80211_wowlan new_triggers = {};
13220 	struct cfg80211_wowlan *ntrig;
13221 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13222 	int err, i;
13223 	bool prev_enabled = rdev->wiphy.wowlan_config;
13224 	bool regular = false;
13225 
13226 	if (!wowlan)
13227 		return -EOPNOTSUPP;
13228 
13229 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13230 		cfg80211_rdev_free_wowlan(rdev);
13231 		rdev->wiphy.wowlan_config = NULL;
13232 		goto set_wakeup;
13233 	}
13234 
13235 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13236 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13237 					  nl80211_wowlan_policy, info->extack);
13238 	if (err)
13239 		return err;
13240 
13241 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13242 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13243 			return -EINVAL;
13244 		new_triggers.any = true;
13245 	}
13246 
13247 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13248 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13249 			return -EINVAL;
13250 		new_triggers.disconnect = true;
13251 		regular = true;
13252 	}
13253 
13254 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13255 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13256 			return -EINVAL;
13257 		new_triggers.magic_pkt = true;
13258 		regular = true;
13259 	}
13260 
13261 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13262 		return -EINVAL;
13263 
13264 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13265 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13266 			return -EINVAL;
13267 		new_triggers.gtk_rekey_failure = true;
13268 		regular = true;
13269 	}
13270 
13271 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13272 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13273 			return -EINVAL;
13274 		new_triggers.eap_identity_req = true;
13275 		regular = true;
13276 	}
13277 
13278 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13279 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13280 			return -EINVAL;
13281 		new_triggers.four_way_handshake = true;
13282 		regular = true;
13283 	}
13284 
13285 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13286 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13287 			return -EINVAL;
13288 		new_triggers.rfkill_release = true;
13289 		regular = true;
13290 	}
13291 
13292 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13293 		struct nlattr *pat;
13294 		int n_patterns = 0;
13295 		int rem, pat_len, mask_len, pkt_offset;
13296 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13297 
13298 		regular = true;
13299 
13300 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13301 				    rem)
13302 			n_patterns++;
13303 		if (n_patterns > wowlan->n_patterns)
13304 			return -EINVAL;
13305 
13306 		new_triggers.patterns = kcalloc(n_patterns,
13307 						sizeof(new_triggers.patterns[0]),
13308 						GFP_KERNEL);
13309 		if (!new_triggers.patterns)
13310 			return -ENOMEM;
13311 
13312 		new_triggers.n_patterns = n_patterns;
13313 		i = 0;
13314 
13315 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13316 				    rem) {
13317 			u8 *mask_pat;
13318 
13319 			err = nla_parse_nested_deprecated(pat_tb,
13320 							  MAX_NL80211_PKTPAT,
13321 							  pat,
13322 							  nl80211_packet_pattern_policy,
13323 							  info->extack);
13324 			if (err)
13325 				goto error;
13326 
13327 			err = -EINVAL;
13328 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13329 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13330 				goto error;
13331 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13332 			mask_len = DIV_ROUND_UP(pat_len, 8);
13333 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13334 				goto error;
13335 			if (pat_len > wowlan->pattern_max_len ||
13336 			    pat_len < wowlan->pattern_min_len)
13337 				goto error;
13338 
13339 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13340 				pkt_offset = 0;
13341 			else
13342 				pkt_offset = nla_get_u32(
13343 					pat_tb[NL80211_PKTPAT_OFFSET]);
13344 			if (pkt_offset > wowlan->max_pkt_offset)
13345 				goto error;
13346 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13347 
13348 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13349 			if (!mask_pat) {
13350 				err = -ENOMEM;
13351 				goto error;
13352 			}
13353 			new_triggers.patterns[i].mask = mask_pat;
13354 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13355 			       mask_len);
13356 			mask_pat += mask_len;
13357 			new_triggers.patterns[i].pattern = mask_pat;
13358 			new_triggers.patterns[i].pattern_len = pat_len;
13359 			memcpy(mask_pat,
13360 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13361 			       pat_len);
13362 			i++;
13363 		}
13364 	}
13365 
13366 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13367 		regular = true;
13368 		err = nl80211_parse_wowlan_tcp(
13369 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13370 			&new_triggers);
13371 		if (err)
13372 			goto error;
13373 	}
13374 
13375 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13376 		regular = true;
13377 		err = nl80211_parse_wowlan_nd(
13378 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13379 			&new_triggers);
13380 		if (err)
13381 			goto error;
13382 	}
13383 
13384 	/* The 'any' trigger means the device continues operating more or less
13385 	 * as in its normal operation mode and wakes up the host on most of the
13386 	 * normal interrupts (like packet RX, ...)
13387 	 * It therefore makes little sense to combine with the more constrained
13388 	 * wakeup trigger modes.
13389 	 */
13390 	if (new_triggers.any && regular) {
13391 		err = -EINVAL;
13392 		goto error;
13393 	}
13394 
13395 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13396 	if (!ntrig) {
13397 		err = -ENOMEM;
13398 		goto error;
13399 	}
13400 	cfg80211_rdev_free_wowlan(rdev);
13401 	rdev->wiphy.wowlan_config = ntrig;
13402 
13403  set_wakeup:
13404 	if (rdev->ops->set_wakeup &&
13405 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13406 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13407 
13408 	return 0;
13409  error:
13410 	for (i = 0; i < new_triggers.n_patterns; i++)
13411 		kfree(new_triggers.patterns[i].mask);
13412 	kfree(new_triggers.patterns);
13413 	if (new_triggers.tcp && new_triggers.tcp->sock)
13414 		sock_release(new_triggers.tcp->sock);
13415 	kfree(new_triggers.tcp);
13416 	kfree(new_triggers.nd_config);
13417 	return err;
13418 }
13419 #endif
13420 
13421 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13422 				       struct cfg80211_registered_device *rdev)
13423 {
13424 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13425 	int i, j, pat_len;
13426 	struct cfg80211_coalesce_rules *rule;
13427 
13428 	if (!rdev->coalesce->n_rules)
13429 		return 0;
13430 
13431 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13432 	if (!nl_rules)
13433 		return -ENOBUFS;
13434 
13435 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13436 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13437 		if (!nl_rule)
13438 			return -ENOBUFS;
13439 
13440 		rule = &rdev->coalesce->rules[i];
13441 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13442 				rule->delay))
13443 			return -ENOBUFS;
13444 
13445 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13446 				rule->condition))
13447 			return -ENOBUFS;
13448 
13449 		nl_pats = nla_nest_start_noflag(msg,
13450 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13451 		if (!nl_pats)
13452 			return -ENOBUFS;
13453 
13454 		for (j = 0; j < rule->n_patterns; j++) {
13455 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13456 			if (!nl_pat)
13457 				return -ENOBUFS;
13458 			pat_len = rule->patterns[j].pattern_len;
13459 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13460 				    DIV_ROUND_UP(pat_len, 8),
13461 				    rule->patterns[j].mask) ||
13462 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13463 				    rule->patterns[j].pattern) ||
13464 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13465 					rule->patterns[j].pkt_offset))
13466 				return -ENOBUFS;
13467 			nla_nest_end(msg, nl_pat);
13468 		}
13469 		nla_nest_end(msg, nl_pats);
13470 		nla_nest_end(msg, nl_rule);
13471 	}
13472 	nla_nest_end(msg, nl_rules);
13473 
13474 	return 0;
13475 }
13476 
13477 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13478 {
13479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13480 	struct sk_buff *msg;
13481 	void *hdr;
13482 
13483 	if (!rdev->wiphy.coalesce)
13484 		return -EOPNOTSUPP;
13485 
13486 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13487 	if (!msg)
13488 		return -ENOMEM;
13489 
13490 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13491 			     NL80211_CMD_GET_COALESCE);
13492 	if (!hdr)
13493 		goto nla_put_failure;
13494 
13495 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13496 		goto nla_put_failure;
13497 
13498 	genlmsg_end(msg, hdr);
13499 	return genlmsg_reply(msg, info);
13500 
13501 nla_put_failure:
13502 	nlmsg_free(msg);
13503 	return -ENOBUFS;
13504 }
13505 
13506 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13507 {
13508 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13509 	int i, j;
13510 	struct cfg80211_coalesce_rules *rule;
13511 
13512 	if (!coalesce)
13513 		return;
13514 
13515 	for (i = 0; i < coalesce->n_rules; i++) {
13516 		rule = &coalesce->rules[i];
13517 		for (j = 0; j < rule->n_patterns; j++)
13518 			kfree(rule->patterns[j].mask);
13519 		kfree(rule->patterns);
13520 	}
13521 	kfree(coalesce->rules);
13522 	kfree(coalesce);
13523 	rdev->coalesce = NULL;
13524 }
13525 
13526 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13527 				       struct nlattr *rule,
13528 				       struct cfg80211_coalesce_rules *new_rule)
13529 {
13530 	int err, i;
13531 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13532 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13533 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13534 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13535 
13536 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13537 					  rule, nl80211_coalesce_policy, NULL);
13538 	if (err)
13539 		return err;
13540 
13541 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13542 		new_rule->delay =
13543 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13544 	if (new_rule->delay > coalesce->max_delay)
13545 		return -EINVAL;
13546 
13547 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13548 		new_rule->condition =
13549 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13550 
13551 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13552 		return -EINVAL;
13553 
13554 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13555 			    rem)
13556 		n_patterns++;
13557 	if (n_patterns > coalesce->n_patterns)
13558 		return -EINVAL;
13559 
13560 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13561 				     GFP_KERNEL);
13562 	if (!new_rule->patterns)
13563 		return -ENOMEM;
13564 
13565 	new_rule->n_patterns = n_patterns;
13566 	i = 0;
13567 
13568 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13569 			    rem) {
13570 		u8 *mask_pat;
13571 
13572 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13573 						  pat,
13574 						  nl80211_packet_pattern_policy,
13575 						  NULL);
13576 		if (err)
13577 			return err;
13578 
13579 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13580 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13581 			return -EINVAL;
13582 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13583 		mask_len = DIV_ROUND_UP(pat_len, 8);
13584 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13585 			return -EINVAL;
13586 		if (pat_len > coalesce->pattern_max_len ||
13587 		    pat_len < coalesce->pattern_min_len)
13588 			return -EINVAL;
13589 
13590 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13591 			pkt_offset = 0;
13592 		else
13593 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13594 		if (pkt_offset > coalesce->max_pkt_offset)
13595 			return -EINVAL;
13596 		new_rule->patterns[i].pkt_offset = pkt_offset;
13597 
13598 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13599 		if (!mask_pat)
13600 			return -ENOMEM;
13601 
13602 		new_rule->patterns[i].mask = mask_pat;
13603 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13604 		       mask_len);
13605 
13606 		mask_pat += mask_len;
13607 		new_rule->patterns[i].pattern = mask_pat;
13608 		new_rule->patterns[i].pattern_len = pat_len;
13609 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13610 		       pat_len);
13611 		i++;
13612 	}
13613 
13614 	return 0;
13615 }
13616 
13617 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13618 {
13619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13620 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13621 	struct cfg80211_coalesce new_coalesce = {};
13622 	struct cfg80211_coalesce *n_coalesce;
13623 	int err, rem_rule, n_rules = 0, i, j;
13624 	struct nlattr *rule;
13625 	struct cfg80211_coalesce_rules *tmp_rule;
13626 
13627 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13628 		return -EOPNOTSUPP;
13629 
13630 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13631 		cfg80211_rdev_free_coalesce(rdev);
13632 		rdev_set_coalesce(rdev, NULL);
13633 		return 0;
13634 	}
13635 
13636 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13637 			    rem_rule)
13638 		n_rules++;
13639 	if (n_rules > coalesce->n_rules)
13640 		return -EINVAL;
13641 
13642 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13643 				     GFP_KERNEL);
13644 	if (!new_coalesce.rules)
13645 		return -ENOMEM;
13646 
13647 	new_coalesce.n_rules = n_rules;
13648 	i = 0;
13649 
13650 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13651 			    rem_rule) {
13652 		err = nl80211_parse_coalesce_rule(rdev, rule,
13653 						  &new_coalesce.rules[i]);
13654 		if (err)
13655 			goto error;
13656 
13657 		i++;
13658 	}
13659 
13660 	err = rdev_set_coalesce(rdev, &new_coalesce);
13661 	if (err)
13662 		goto error;
13663 
13664 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13665 	if (!n_coalesce) {
13666 		err = -ENOMEM;
13667 		goto error;
13668 	}
13669 	cfg80211_rdev_free_coalesce(rdev);
13670 	rdev->coalesce = n_coalesce;
13671 
13672 	return 0;
13673 error:
13674 	for (i = 0; i < new_coalesce.n_rules; i++) {
13675 		tmp_rule = &new_coalesce.rules[i];
13676 		for (j = 0; j < tmp_rule->n_patterns; j++)
13677 			kfree(tmp_rule->patterns[j].mask);
13678 		kfree(tmp_rule->patterns);
13679 	}
13680 	kfree(new_coalesce.rules);
13681 
13682 	return err;
13683 }
13684 
13685 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13686 {
13687 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13688 	struct net_device *dev = info->user_ptr[1];
13689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13690 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13691 	struct cfg80211_gtk_rekey_data rekey_data = {};
13692 	int err;
13693 
13694 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13695 		return -EINVAL;
13696 
13697 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13698 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13699 					  nl80211_rekey_policy, info->extack);
13700 	if (err)
13701 		return err;
13702 
13703 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13704 	    !tb[NL80211_REKEY_DATA_KCK])
13705 		return -EINVAL;
13706 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13707 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13708 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13709 		return -ERANGE;
13710 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13711 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13712 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13713 		return -ERANGE;
13714 
13715 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13716 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13717 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13718 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13719 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13720 	if (tb[NL80211_REKEY_DATA_AKM])
13721 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13722 
13723 	wdev_lock(wdev);
13724 	if (!wdev->connected) {
13725 		err = -ENOTCONN;
13726 		goto out;
13727 	}
13728 
13729 	if (!rdev->ops->set_rekey_data) {
13730 		err = -EOPNOTSUPP;
13731 		goto out;
13732 	}
13733 
13734 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13735  out:
13736 	wdev_unlock(wdev);
13737 	return err;
13738 }
13739 
13740 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13741 					     struct genl_info *info)
13742 {
13743 	struct net_device *dev = info->user_ptr[1];
13744 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13745 
13746 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13747 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13748 		return -EINVAL;
13749 
13750 	if (wdev->ap_unexpected_nlportid)
13751 		return -EBUSY;
13752 
13753 	wdev->ap_unexpected_nlportid = info->snd_portid;
13754 	return 0;
13755 }
13756 
13757 static int nl80211_probe_client(struct sk_buff *skb,
13758 				struct genl_info *info)
13759 {
13760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13761 	struct net_device *dev = info->user_ptr[1];
13762 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13763 	struct sk_buff *msg;
13764 	void *hdr;
13765 	const u8 *addr;
13766 	u64 cookie;
13767 	int err;
13768 
13769 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13770 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13771 		return -EOPNOTSUPP;
13772 
13773 	if (!info->attrs[NL80211_ATTR_MAC])
13774 		return -EINVAL;
13775 
13776 	if (!rdev->ops->probe_client)
13777 		return -EOPNOTSUPP;
13778 
13779 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13780 	if (!msg)
13781 		return -ENOMEM;
13782 
13783 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13784 			     NL80211_CMD_PROBE_CLIENT);
13785 	if (!hdr) {
13786 		err = -ENOBUFS;
13787 		goto free_msg;
13788 	}
13789 
13790 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13791 
13792 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13793 	if (err)
13794 		goto free_msg;
13795 
13796 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13797 			      NL80211_ATTR_PAD))
13798 		goto nla_put_failure;
13799 
13800 	genlmsg_end(msg, hdr);
13801 
13802 	return genlmsg_reply(msg, info);
13803 
13804  nla_put_failure:
13805 	err = -ENOBUFS;
13806  free_msg:
13807 	nlmsg_free(msg);
13808 	return err;
13809 }
13810 
13811 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13812 {
13813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13814 	struct cfg80211_beacon_registration *reg, *nreg;
13815 	int rv;
13816 
13817 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13818 		return -EOPNOTSUPP;
13819 
13820 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13821 	if (!nreg)
13822 		return -ENOMEM;
13823 
13824 	/* First, check if already registered. */
13825 	spin_lock_bh(&rdev->beacon_registrations_lock);
13826 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13827 		if (reg->nlportid == info->snd_portid) {
13828 			rv = -EALREADY;
13829 			goto out_err;
13830 		}
13831 	}
13832 	/* Add it to the list */
13833 	nreg->nlportid = info->snd_portid;
13834 	list_add(&nreg->list, &rdev->beacon_registrations);
13835 
13836 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13837 
13838 	return 0;
13839 out_err:
13840 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13841 	kfree(nreg);
13842 	return rv;
13843 }
13844 
13845 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13846 {
13847 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13848 	struct wireless_dev *wdev = info->user_ptr[1];
13849 	int err;
13850 
13851 	if (!rdev->ops->start_p2p_device)
13852 		return -EOPNOTSUPP;
13853 
13854 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13855 		return -EOPNOTSUPP;
13856 
13857 	if (wdev_running(wdev))
13858 		return 0;
13859 
13860 	if (rfkill_blocked(rdev->wiphy.rfkill))
13861 		return -ERFKILL;
13862 
13863 	err = rdev_start_p2p_device(rdev, wdev);
13864 	if (err)
13865 		return err;
13866 
13867 	wdev->is_running = true;
13868 	rdev->opencount++;
13869 
13870 	return 0;
13871 }
13872 
13873 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13874 {
13875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13876 	struct wireless_dev *wdev = info->user_ptr[1];
13877 
13878 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13879 		return -EOPNOTSUPP;
13880 
13881 	if (!rdev->ops->stop_p2p_device)
13882 		return -EOPNOTSUPP;
13883 
13884 	cfg80211_stop_p2p_device(rdev, wdev);
13885 
13886 	return 0;
13887 }
13888 
13889 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13890 {
13891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13892 	struct wireless_dev *wdev = info->user_ptr[1];
13893 	struct cfg80211_nan_conf conf = {};
13894 	int err;
13895 
13896 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13897 		return -EOPNOTSUPP;
13898 
13899 	if (wdev_running(wdev))
13900 		return -EEXIST;
13901 
13902 	if (rfkill_blocked(rdev->wiphy.rfkill))
13903 		return -ERFKILL;
13904 
13905 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13906 		return -EINVAL;
13907 
13908 	conf.master_pref =
13909 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13910 
13911 	if (info->attrs[NL80211_ATTR_BANDS]) {
13912 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13913 
13914 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13915 			return -EOPNOTSUPP;
13916 
13917 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13918 			return -EINVAL;
13919 
13920 		conf.bands = bands;
13921 	}
13922 
13923 	err = rdev_start_nan(rdev, wdev, &conf);
13924 	if (err)
13925 		return err;
13926 
13927 	wdev->is_running = true;
13928 	rdev->opencount++;
13929 
13930 	return 0;
13931 }
13932 
13933 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13934 {
13935 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13936 	struct wireless_dev *wdev = info->user_ptr[1];
13937 
13938 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13939 		return -EOPNOTSUPP;
13940 
13941 	cfg80211_stop_nan(rdev, wdev);
13942 
13943 	return 0;
13944 }
13945 
13946 static int validate_nan_filter(struct nlattr *filter_attr)
13947 {
13948 	struct nlattr *attr;
13949 	int len = 0, n_entries = 0, rem;
13950 
13951 	nla_for_each_nested(attr, filter_attr, rem) {
13952 		len += nla_len(attr);
13953 		n_entries++;
13954 	}
13955 
13956 	if (len >= U8_MAX)
13957 		return -EINVAL;
13958 
13959 	return n_entries;
13960 }
13961 
13962 static int handle_nan_filter(struct nlattr *attr_filter,
13963 			     struct cfg80211_nan_func *func,
13964 			     bool tx)
13965 {
13966 	struct nlattr *attr;
13967 	int n_entries, rem, i;
13968 	struct cfg80211_nan_func_filter *filter;
13969 
13970 	n_entries = validate_nan_filter(attr_filter);
13971 	if (n_entries < 0)
13972 		return n_entries;
13973 
13974 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13975 
13976 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13977 	if (!filter)
13978 		return -ENOMEM;
13979 
13980 	i = 0;
13981 	nla_for_each_nested(attr, attr_filter, rem) {
13982 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13983 		if (!filter[i].filter)
13984 			goto err;
13985 
13986 		filter[i].len = nla_len(attr);
13987 		i++;
13988 	}
13989 	if (tx) {
13990 		func->num_tx_filters = n_entries;
13991 		func->tx_filters = filter;
13992 	} else {
13993 		func->num_rx_filters = n_entries;
13994 		func->rx_filters = filter;
13995 	}
13996 
13997 	return 0;
13998 
13999 err:
14000 	i = 0;
14001 	nla_for_each_nested(attr, attr_filter, rem) {
14002 		kfree(filter[i].filter);
14003 		i++;
14004 	}
14005 	kfree(filter);
14006 	return -ENOMEM;
14007 }
14008 
14009 static int nl80211_nan_add_func(struct sk_buff *skb,
14010 				struct genl_info *info)
14011 {
14012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14013 	struct wireless_dev *wdev = info->user_ptr[1];
14014 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14015 	struct cfg80211_nan_func *func;
14016 	struct sk_buff *msg = NULL;
14017 	void *hdr = NULL;
14018 	int err = 0;
14019 
14020 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14021 		return -EOPNOTSUPP;
14022 
14023 	if (!wdev_running(wdev))
14024 		return -ENOTCONN;
14025 
14026 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14027 		return -EINVAL;
14028 
14029 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14030 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14031 					  nl80211_nan_func_policy,
14032 					  info->extack);
14033 	if (err)
14034 		return err;
14035 
14036 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14037 	if (!func)
14038 		return -ENOMEM;
14039 
14040 	func->cookie = cfg80211_assign_cookie(rdev);
14041 
14042 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14043 		err = -EINVAL;
14044 		goto out;
14045 	}
14046 
14047 
14048 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14049 
14050 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14051 		err = -EINVAL;
14052 		goto out;
14053 	}
14054 
14055 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14056 	       sizeof(func->service_id));
14057 
14058 	func->close_range =
14059 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14060 
14061 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14062 		func->serv_spec_info_len =
14063 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14064 		func->serv_spec_info =
14065 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14066 				func->serv_spec_info_len,
14067 				GFP_KERNEL);
14068 		if (!func->serv_spec_info) {
14069 			err = -ENOMEM;
14070 			goto out;
14071 		}
14072 	}
14073 
14074 	if (tb[NL80211_NAN_FUNC_TTL])
14075 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14076 
14077 	switch (func->type) {
14078 	case NL80211_NAN_FUNC_PUBLISH:
14079 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14080 			err = -EINVAL;
14081 			goto out;
14082 		}
14083 
14084 		func->publish_type =
14085 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14086 		func->publish_bcast =
14087 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14088 
14089 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14090 			func->publish_bcast) {
14091 			err = -EINVAL;
14092 			goto out;
14093 		}
14094 		break;
14095 	case NL80211_NAN_FUNC_SUBSCRIBE:
14096 		func->subscribe_active =
14097 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14098 		break;
14099 	case NL80211_NAN_FUNC_FOLLOW_UP:
14100 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14101 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14102 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14103 			err = -EINVAL;
14104 			goto out;
14105 		}
14106 
14107 		func->followup_id =
14108 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14109 		func->followup_reqid =
14110 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14111 		memcpy(func->followup_dest.addr,
14112 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14113 		       sizeof(func->followup_dest.addr));
14114 		if (func->ttl) {
14115 			err = -EINVAL;
14116 			goto out;
14117 		}
14118 		break;
14119 	default:
14120 		err = -EINVAL;
14121 		goto out;
14122 	}
14123 
14124 	if (tb[NL80211_NAN_FUNC_SRF]) {
14125 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14126 
14127 		err = nla_parse_nested_deprecated(srf_tb,
14128 						  NL80211_NAN_SRF_ATTR_MAX,
14129 						  tb[NL80211_NAN_FUNC_SRF],
14130 						  nl80211_nan_srf_policy,
14131 						  info->extack);
14132 		if (err)
14133 			goto out;
14134 
14135 		func->srf_include =
14136 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14137 
14138 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14139 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14140 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14141 				err = -EINVAL;
14142 				goto out;
14143 			}
14144 
14145 			func->srf_bf_len =
14146 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14147 			func->srf_bf =
14148 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14149 					func->srf_bf_len, GFP_KERNEL);
14150 			if (!func->srf_bf) {
14151 				err = -ENOMEM;
14152 				goto out;
14153 			}
14154 
14155 			func->srf_bf_idx =
14156 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14157 		} else {
14158 			struct nlattr *attr, *mac_attr =
14159 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14160 			int n_entries, rem, i = 0;
14161 
14162 			if (!mac_attr) {
14163 				err = -EINVAL;
14164 				goto out;
14165 			}
14166 
14167 			n_entries = validate_acl_mac_addrs(mac_attr);
14168 			if (n_entries <= 0) {
14169 				err = -EINVAL;
14170 				goto out;
14171 			}
14172 
14173 			func->srf_num_macs = n_entries;
14174 			func->srf_macs =
14175 				kcalloc(n_entries, sizeof(*func->srf_macs),
14176 					GFP_KERNEL);
14177 			if (!func->srf_macs) {
14178 				err = -ENOMEM;
14179 				goto out;
14180 			}
14181 
14182 			nla_for_each_nested(attr, mac_attr, rem)
14183 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14184 				       sizeof(*func->srf_macs));
14185 		}
14186 	}
14187 
14188 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14189 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14190 					func, true);
14191 		if (err)
14192 			goto out;
14193 	}
14194 
14195 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14196 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14197 					func, false);
14198 		if (err)
14199 			goto out;
14200 	}
14201 
14202 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14203 	if (!msg) {
14204 		err = -ENOMEM;
14205 		goto out;
14206 	}
14207 
14208 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14209 			     NL80211_CMD_ADD_NAN_FUNCTION);
14210 	/* This can't really happen - we just allocated 4KB */
14211 	if (WARN_ON(!hdr)) {
14212 		err = -ENOMEM;
14213 		goto out;
14214 	}
14215 
14216 	err = rdev_add_nan_func(rdev, wdev, func);
14217 out:
14218 	if (err < 0) {
14219 		cfg80211_free_nan_func(func);
14220 		nlmsg_free(msg);
14221 		return err;
14222 	}
14223 
14224 	/* propagate the instance id and cookie to userspace  */
14225 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14226 			      NL80211_ATTR_PAD))
14227 		goto nla_put_failure;
14228 
14229 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14230 	if (!func_attr)
14231 		goto nla_put_failure;
14232 
14233 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14234 		       func->instance_id))
14235 		goto nla_put_failure;
14236 
14237 	nla_nest_end(msg, func_attr);
14238 
14239 	genlmsg_end(msg, hdr);
14240 	return genlmsg_reply(msg, info);
14241 
14242 nla_put_failure:
14243 	nlmsg_free(msg);
14244 	return -ENOBUFS;
14245 }
14246 
14247 static int nl80211_nan_del_func(struct sk_buff *skb,
14248 			       struct genl_info *info)
14249 {
14250 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14251 	struct wireless_dev *wdev = info->user_ptr[1];
14252 	u64 cookie;
14253 
14254 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14255 		return -EOPNOTSUPP;
14256 
14257 	if (!wdev_running(wdev))
14258 		return -ENOTCONN;
14259 
14260 	if (!info->attrs[NL80211_ATTR_COOKIE])
14261 		return -EINVAL;
14262 
14263 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14264 
14265 	rdev_del_nan_func(rdev, wdev, cookie);
14266 
14267 	return 0;
14268 }
14269 
14270 static int nl80211_nan_change_config(struct sk_buff *skb,
14271 				     struct genl_info *info)
14272 {
14273 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14274 	struct wireless_dev *wdev = info->user_ptr[1];
14275 	struct cfg80211_nan_conf conf = {};
14276 	u32 changed = 0;
14277 
14278 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14279 		return -EOPNOTSUPP;
14280 
14281 	if (!wdev_running(wdev))
14282 		return -ENOTCONN;
14283 
14284 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14285 		conf.master_pref =
14286 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14287 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14288 			return -EINVAL;
14289 
14290 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14291 	}
14292 
14293 	if (info->attrs[NL80211_ATTR_BANDS]) {
14294 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14295 
14296 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14297 			return -EOPNOTSUPP;
14298 
14299 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14300 			return -EINVAL;
14301 
14302 		conf.bands = bands;
14303 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14304 	}
14305 
14306 	if (!changed)
14307 		return -EINVAL;
14308 
14309 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14310 }
14311 
14312 void cfg80211_nan_match(struct wireless_dev *wdev,
14313 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14314 {
14315 	struct wiphy *wiphy = wdev->wiphy;
14316 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14317 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14318 	struct sk_buff *msg;
14319 	void *hdr;
14320 
14321 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14322 		return;
14323 
14324 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14325 	if (!msg)
14326 		return;
14327 
14328 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14329 	if (!hdr) {
14330 		nlmsg_free(msg);
14331 		return;
14332 	}
14333 
14334 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14335 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14336 					 wdev->netdev->ifindex)) ||
14337 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14338 			      NL80211_ATTR_PAD))
14339 		goto nla_put_failure;
14340 
14341 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14342 			      NL80211_ATTR_PAD) ||
14343 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14344 		goto nla_put_failure;
14345 
14346 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14347 	if (!match_attr)
14348 		goto nla_put_failure;
14349 
14350 	local_func_attr = nla_nest_start_noflag(msg,
14351 						NL80211_NAN_MATCH_FUNC_LOCAL);
14352 	if (!local_func_attr)
14353 		goto nla_put_failure;
14354 
14355 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14356 		goto nla_put_failure;
14357 
14358 	nla_nest_end(msg, local_func_attr);
14359 
14360 	peer_func_attr = nla_nest_start_noflag(msg,
14361 					       NL80211_NAN_MATCH_FUNC_PEER);
14362 	if (!peer_func_attr)
14363 		goto nla_put_failure;
14364 
14365 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14366 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14367 		goto nla_put_failure;
14368 
14369 	if (match->info && match->info_len &&
14370 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14371 		    match->info))
14372 		goto nla_put_failure;
14373 
14374 	nla_nest_end(msg, peer_func_attr);
14375 	nla_nest_end(msg, match_attr);
14376 	genlmsg_end(msg, hdr);
14377 
14378 	if (!wdev->owner_nlportid)
14379 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14380 					msg, 0, NL80211_MCGRP_NAN, gfp);
14381 	else
14382 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14383 				wdev->owner_nlportid);
14384 
14385 	return;
14386 
14387 nla_put_failure:
14388 	nlmsg_free(msg);
14389 }
14390 EXPORT_SYMBOL(cfg80211_nan_match);
14391 
14392 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14393 				  u8 inst_id,
14394 				  enum nl80211_nan_func_term_reason reason,
14395 				  u64 cookie, gfp_t gfp)
14396 {
14397 	struct wiphy *wiphy = wdev->wiphy;
14398 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14399 	struct sk_buff *msg;
14400 	struct nlattr *func_attr;
14401 	void *hdr;
14402 
14403 	if (WARN_ON(!inst_id))
14404 		return;
14405 
14406 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14407 	if (!msg)
14408 		return;
14409 
14410 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14411 	if (!hdr) {
14412 		nlmsg_free(msg);
14413 		return;
14414 	}
14415 
14416 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14417 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14418 					 wdev->netdev->ifindex)) ||
14419 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14420 			      NL80211_ATTR_PAD))
14421 		goto nla_put_failure;
14422 
14423 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14424 			      NL80211_ATTR_PAD))
14425 		goto nla_put_failure;
14426 
14427 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14428 	if (!func_attr)
14429 		goto nla_put_failure;
14430 
14431 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14432 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14433 		goto nla_put_failure;
14434 
14435 	nla_nest_end(msg, func_attr);
14436 	genlmsg_end(msg, hdr);
14437 
14438 	if (!wdev->owner_nlportid)
14439 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14440 					msg, 0, NL80211_MCGRP_NAN, gfp);
14441 	else
14442 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14443 				wdev->owner_nlportid);
14444 
14445 	return;
14446 
14447 nla_put_failure:
14448 	nlmsg_free(msg);
14449 }
14450 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14451 
14452 static int nl80211_get_protocol_features(struct sk_buff *skb,
14453 					 struct genl_info *info)
14454 {
14455 	void *hdr;
14456 	struct sk_buff *msg;
14457 
14458 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14459 	if (!msg)
14460 		return -ENOMEM;
14461 
14462 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14463 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14464 	if (!hdr)
14465 		goto nla_put_failure;
14466 
14467 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14468 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14469 		goto nla_put_failure;
14470 
14471 	genlmsg_end(msg, hdr);
14472 	return genlmsg_reply(msg, info);
14473 
14474  nla_put_failure:
14475 	kfree_skb(msg);
14476 	return -ENOBUFS;
14477 }
14478 
14479 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14480 {
14481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14482 	struct cfg80211_update_ft_ies_params ft_params;
14483 	struct net_device *dev = info->user_ptr[1];
14484 
14485 	if (!rdev->ops->update_ft_ies)
14486 		return -EOPNOTSUPP;
14487 
14488 	if (!info->attrs[NL80211_ATTR_MDID] ||
14489 	    !info->attrs[NL80211_ATTR_IE])
14490 		return -EINVAL;
14491 
14492 	memset(&ft_params, 0, sizeof(ft_params));
14493 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14494 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14495 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14496 
14497 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14498 }
14499 
14500 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14501 				       struct genl_info *info)
14502 {
14503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14504 	struct wireless_dev *wdev = info->user_ptr[1];
14505 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14506 	u16 duration;
14507 	int ret;
14508 
14509 	if (!rdev->ops->crit_proto_start)
14510 		return -EOPNOTSUPP;
14511 
14512 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14513 		return -EINVAL;
14514 
14515 	if (rdev->crit_proto_nlportid)
14516 		return -EBUSY;
14517 
14518 	/* determine protocol if provided */
14519 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14520 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14521 
14522 	if (proto >= NUM_NL80211_CRIT_PROTO)
14523 		return -EINVAL;
14524 
14525 	/* timeout must be provided */
14526 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14527 		return -EINVAL;
14528 
14529 	duration =
14530 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14531 
14532 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14533 	if (!ret)
14534 		rdev->crit_proto_nlportid = info->snd_portid;
14535 
14536 	return ret;
14537 }
14538 
14539 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14540 				      struct genl_info *info)
14541 {
14542 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14543 	struct wireless_dev *wdev = info->user_ptr[1];
14544 
14545 	if (!rdev->ops->crit_proto_stop)
14546 		return -EOPNOTSUPP;
14547 
14548 	if (rdev->crit_proto_nlportid) {
14549 		rdev->crit_proto_nlportid = 0;
14550 		rdev_crit_proto_stop(rdev, wdev);
14551 	}
14552 	return 0;
14553 }
14554 
14555 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14556 				       struct nlattr *attr,
14557 				       struct netlink_ext_ack *extack)
14558 {
14559 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14560 		if (attr->nla_type & NLA_F_NESTED) {
14561 			NL_SET_ERR_MSG_ATTR(extack, attr,
14562 					    "unexpected nested data");
14563 			return -EINVAL;
14564 		}
14565 
14566 		return 0;
14567 	}
14568 
14569 	if (!(attr->nla_type & NLA_F_NESTED)) {
14570 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14571 		return -EINVAL;
14572 	}
14573 
14574 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14575 }
14576 
14577 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14578 {
14579 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14580 	struct wireless_dev *wdev =
14581 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14582 					   info->attrs);
14583 	int i, err;
14584 	u32 vid, subcmd;
14585 
14586 	if (!rdev->wiphy.vendor_commands)
14587 		return -EOPNOTSUPP;
14588 
14589 	if (IS_ERR(wdev)) {
14590 		err = PTR_ERR(wdev);
14591 		if (err != -EINVAL)
14592 			return err;
14593 		wdev = NULL;
14594 	} else if (wdev->wiphy != &rdev->wiphy) {
14595 		return -EINVAL;
14596 	}
14597 
14598 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14599 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14600 		return -EINVAL;
14601 
14602 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14603 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14604 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14605 		const struct wiphy_vendor_command *vcmd;
14606 		void *data = NULL;
14607 		int len = 0;
14608 
14609 		vcmd = &rdev->wiphy.vendor_commands[i];
14610 
14611 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14612 			continue;
14613 
14614 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14615 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14616 			if (!wdev)
14617 				return -EINVAL;
14618 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14619 			    !wdev->netdev)
14620 				return -EINVAL;
14621 
14622 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14623 				if (!wdev_running(wdev))
14624 					return -ENETDOWN;
14625 			}
14626 		} else {
14627 			wdev = NULL;
14628 		}
14629 
14630 		if (!vcmd->doit)
14631 			return -EOPNOTSUPP;
14632 
14633 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14634 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14635 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14636 
14637 			err = nl80211_vendor_check_policy(vcmd,
14638 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14639 					info->extack);
14640 			if (err)
14641 				return err;
14642 		}
14643 
14644 		rdev->cur_cmd_info = info;
14645 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14646 		rdev->cur_cmd_info = NULL;
14647 		return err;
14648 	}
14649 
14650 	return -EOPNOTSUPP;
14651 }
14652 
14653 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14654 				       struct netlink_callback *cb,
14655 				       struct cfg80211_registered_device **rdev,
14656 				       struct wireless_dev **wdev)
14657 {
14658 	struct nlattr **attrbuf;
14659 	u32 vid, subcmd;
14660 	unsigned int i;
14661 	int vcmd_idx = -1;
14662 	int err;
14663 	void *data = NULL;
14664 	unsigned int data_len = 0;
14665 
14666 	if (cb->args[0]) {
14667 		/* subtract the 1 again here */
14668 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14669 		struct wireless_dev *tmp;
14670 
14671 		if (!wiphy)
14672 			return -ENODEV;
14673 		*rdev = wiphy_to_rdev(wiphy);
14674 		*wdev = NULL;
14675 
14676 		if (cb->args[1]) {
14677 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14678 				if (tmp->identifier == cb->args[1] - 1) {
14679 					*wdev = tmp;
14680 					break;
14681 				}
14682 			}
14683 		}
14684 
14685 		/* keep rtnl locked in successful case */
14686 		return 0;
14687 	}
14688 
14689 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14690 	if (!attrbuf)
14691 		return -ENOMEM;
14692 
14693 	err = nlmsg_parse_deprecated(cb->nlh,
14694 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14695 				     attrbuf, nl80211_fam.maxattr,
14696 				     nl80211_policy, NULL);
14697 	if (err)
14698 		goto out;
14699 
14700 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14701 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14702 		err = -EINVAL;
14703 		goto out;
14704 	}
14705 
14706 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14707 	if (IS_ERR(*wdev))
14708 		*wdev = NULL;
14709 
14710 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14711 	if (IS_ERR(*rdev)) {
14712 		err = PTR_ERR(*rdev);
14713 		goto out;
14714 	}
14715 
14716 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14717 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14718 
14719 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14720 		const struct wiphy_vendor_command *vcmd;
14721 
14722 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14723 
14724 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14725 			continue;
14726 
14727 		if (!vcmd->dumpit) {
14728 			err = -EOPNOTSUPP;
14729 			goto out;
14730 		}
14731 
14732 		vcmd_idx = i;
14733 		break;
14734 	}
14735 
14736 	if (vcmd_idx < 0) {
14737 		err = -EOPNOTSUPP;
14738 		goto out;
14739 	}
14740 
14741 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14742 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14743 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14744 
14745 		err = nl80211_vendor_check_policy(
14746 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14747 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14748 				cb->extack);
14749 		if (err)
14750 			goto out;
14751 	}
14752 
14753 	/* 0 is the first index - add 1 to parse only once */
14754 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14755 	/* add 1 to know if it was NULL */
14756 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14757 	cb->args[2] = vcmd_idx;
14758 	cb->args[3] = (unsigned long)data;
14759 	cb->args[4] = data_len;
14760 
14761 	/* keep rtnl locked in successful case */
14762 	err = 0;
14763 out:
14764 	kfree(attrbuf);
14765 	return err;
14766 }
14767 
14768 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14769 				   struct netlink_callback *cb)
14770 {
14771 	struct cfg80211_registered_device *rdev;
14772 	struct wireless_dev *wdev;
14773 	unsigned int vcmd_idx;
14774 	const struct wiphy_vendor_command *vcmd;
14775 	void *data;
14776 	int data_len;
14777 	int err;
14778 	struct nlattr *vendor_data;
14779 
14780 	rtnl_lock();
14781 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14782 	if (err)
14783 		goto out;
14784 
14785 	vcmd_idx = cb->args[2];
14786 	data = (void *)cb->args[3];
14787 	data_len = cb->args[4];
14788 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14789 
14790 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14791 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14792 		if (!wdev) {
14793 			err = -EINVAL;
14794 			goto out;
14795 		}
14796 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14797 		    !wdev->netdev) {
14798 			err = -EINVAL;
14799 			goto out;
14800 		}
14801 
14802 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14803 			if (!wdev_running(wdev)) {
14804 				err = -ENETDOWN;
14805 				goto out;
14806 			}
14807 		}
14808 	}
14809 
14810 	while (1) {
14811 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14812 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14813 					   NL80211_CMD_VENDOR);
14814 		if (!hdr)
14815 			break;
14816 
14817 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14818 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14819 					       wdev_id(wdev),
14820 					       NL80211_ATTR_PAD))) {
14821 			genlmsg_cancel(skb, hdr);
14822 			break;
14823 		}
14824 
14825 		vendor_data = nla_nest_start_noflag(skb,
14826 						    NL80211_ATTR_VENDOR_DATA);
14827 		if (!vendor_data) {
14828 			genlmsg_cancel(skb, hdr);
14829 			break;
14830 		}
14831 
14832 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14833 				   (unsigned long *)&cb->args[5]);
14834 		nla_nest_end(skb, vendor_data);
14835 
14836 		if (err == -ENOBUFS || err == -ENOENT) {
14837 			genlmsg_cancel(skb, hdr);
14838 			break;
14839 		} else if (err <= 0) {
14840 			genlmsg_cancel(skb, hdr);
14841 			goto out;
14842 		}
14843 
14844 		genlmsg_end(skb, hdr);
14845 	}
14846 
14847 	err = skb->len;
14848  out:
14849 	rtnl_unlock();
14850 	return err;
14851 }
14852 
14853 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14854 					   enum nl80211_commands cmd,
14855 					   enum nl80211_attrs attr,
14856 					   int approxlen)
14857 {
14858 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14859 
14860 	if (WARN_ON(!rdev->cur_cmd_info))
14861 		return NULL;
14862 
14863 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14864 					   rdev->cur_cmd_info->snd_portid,
14865 					   rdev->cur_cmd_info->snd_seq,
14866 					   cmd, attr, NULL, GFP_KERNEL);
14867 }
14868 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14869 
14870 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14871 {
14872 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14873 	void *hdr = ((void **)skb->cb)[1];
14874 	struct nlattr *data = ((void **)skb->cb)[2];
14875 
14876 	/* clear CB data for netlink core to own from now on */
14877 	memset(skb->cb, 0, sizeof(skb->cb));
14878 
14879 	if (WARN_ON(!rdev->cur_cmd_info)) {
14880 		kfree_skb(skb);
14881 		return -EINVAL;
14882 	}
14883 
14884 	nla_nest_end(skb, data);
14885 	genlmsg_end(skb, hdr);
14886 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14887 }
14888 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14889 
14890 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14891 {
14892 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14893 
14894 	if (WARN_ON(!rdev->cur_cmd_info))
14895 		return 0;
14896 
14897 	return rdev->cur_cmd_info->snd_portid;
14898 }
14899 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14900 
14901 static int nl80211_set_qos_map(struct sk_buff *skb,
14902 			       struct genl_info *info)
14903 {
14904 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14905 	struct cfg80211_qos_map *qos_map = NULL;
14906 	struct net_device *dev = info->user_ptr[1];
14907 	u8 *pos, len, num_des, des_len, des;
14908 	int ret;
14909 
14910 	if (!rdev->ops->set_qos_map)
14911 		return -EOPNOTSUPP;
14912 
14913 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14914 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14915 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14916 
14917 		if (len % 2)
14918 			return -EINVAL;
14919 
14920 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14921 		if (!qos_map)
14922 			return -ENOMEM;
14923 
14924 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14925 		if (num_des) {
14926 			des_len = num_des *
14927 				sizeof(struct cfg80211_dscp_exception);
14928 			memcpy(qos_map->dscp_exception, pos, des_len);
14929 			qos_map->num_des = num_des;
14930 			for (des = 0; des < num_des; des++) {
14931 				if (qos_map->dscp_exception[des].up > 7) {
14932 					kfree(qos_map);
14933 					return -EINVAL;
14934 				}
14935 			}
14936 			pos += des_len;
14937 		}
14938 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14939 	}
14940 
14941 	wdev_lock(dev->ieee80211_ptr);
14942 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14943 	if (!ret)
14944 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14945 	wdev_unlock(dev->ieee80211_ptr);
14946 
14947 	kfree(qos_map);
14948 	return ret;
14949 }
14950 
14951 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14952 {
14953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14954 	struct net_device *dev = info->user_ptr[1];
14955 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14956 	const u8 *peer;
14957 	u8 tsid, up;
14958 	u16 admitted_time = 0;
14959 	int err;
14960 
14961 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14962 		return -EOPNOTSUPP;
14963 
14964 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14965 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14966 		return -EINVAL;
14967 
14968 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14969 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14970 
14971 	/* WMM uses TIDs 0-7 even for TSPEC */
14972 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14973 		/* TODO: handle 802.11 TSPEC/admission control
14974 		 * need more attributes for that (e.g. BA session requirement);
14975 		 * change the WMM adminssion test above to allow both then
14976 		 */
14977 		return -EINVAL;
14978 	}
14979 
14980 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14981 
14982 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14983 		admitted_time =
14984 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14985 		if (!admitted_time)
14986 			return -EINVAL;
14987 	}
14988 
14989 	wdev_lock(wdev);
14990 	switch (wdev->iftype) {
14991 	case NL80211_IFTYPE_STATION:
14992 	case NL80211_IFTYPE_P2P_CLIENT:
14993 		if (wdev->connected)
14994 			break;
14995 		err = -ENOTCONN;
14996 		goto out;
14997 	default:
14998 		err = -EOPNOTSUPP;
14999 		goto out;
15000 	}
15001 
15002 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15003 
15004  out:
15005 	wdev_unlock(wdev);
15006 	return err;
15007 }
15008 
15009 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15010 {
15011 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15012 	struct net_device *dev = info->user_ptr[1];
15013 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15014 	const u8 *peer;
15015 	u8 tsid;
15016 	int err;
15017 
15018 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15019 		return -EINVAL;
15020 
15021 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15022 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15023 
15024 	wdev_lock(wdev);
15025 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15026 	wdev_unlock(wdev);
15027 
15028 	return err;
15029 }
15030 
15031 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15032 				       struct genl_info *info)
15033 {
15034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15035 	struct net_device *dev = info->user_ptr[1];
15036 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15037 	struct cfg80211_chan_def chandef = {};
15038 	const u8 *addr;
15039 	u8 oper_class;
15040 	int err;
15041 
15042 	if (!rdev->ops->tdls_channel_switch ||
15043 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15044 		return -EOPNOTSUPP;
15045 
15046 	switch (dev->ieee80211_ptr->iftype) {
15047 	case NL80211_IFTYPE_STATION:
15048 	case NL80211_IFTYPE_P2P_CLIENT:
15049 		break;
15050 	default:
15051 		return -EOPNOTSUPP;
15052 	}
15053 
15054 	if (!info->attrs[NL80211_ATTR_MAC] ||
15055 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15056 		return -EINVAL;
15057 
15058 	err = nl80211_parse_chandef(rdev, info, &chandef);
15059 	if (err)
15060 		return err;
15061 
15062 	/*
15063 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15064 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15065 	 * specification is not defined for them.
15066 	 */
15067 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15068 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15069 	    chandef.width != NL80211_CHAN_WIDTH_20)
15070 		return -EINVAL;
15071 
15072 	/* we will be active on the TDLS link */
15073 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15074 					   wdev->iftype))
15075 		return -EINVAL;
15076 
15077 	/* don't allow switching to DFS channels */
15078 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15079 		return -EINVAL;
15080 
15081 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15082 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15083 
15084 	wdev_lock(wdev);
15085 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15086 	wdev_unlock(wdev);
15087 
15088 	return err;
15089 }
15090 
15091 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15092 					      struct genl_info *info)
15093 {
15094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15095 	struct net_device *dev = info->user_ptr[1];
15096 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15097 	const u8 *addr;
15098 
15099 	if (!rdev->ops->tdls_channel_switch ||
15100 	    !rdev->ops->tdls_cancel_channel_switch ||
15101 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15102 		return -EOPNOTSUPP;
15103 
15104 	switch (dev->ieee80211_ptr->iftype) {
15105 	case NL80211_IFTYPE_STATION:
15106 	case NL80211_IFTYPE_P2P_CLIENT:
15107 		break;
15108 	default:
15109 		return -EOPNOTSUPP;
15110 	}
15111 
15112 	if (!info->attrs[NL80211_ATTR_MAC])
15113 		return -EINVAL;
15114 
15115 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15116 
15117 	wdev_lock(wdev);
15118 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15119 	wdev_unlock(wdev);
15120 
15121 	return 0;
15122 }
15123 
15124 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15125 					    struct genl_info *info)
15126 {
15127 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15128 	struct net_device *dev = info->user_ptr[1];
15129 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15130 	const struct nlattr *nla;
15131 	bool enabled;
15132 
15133 	if (!rdev->ops->set_multicast_to_unicast)
15134 		return -EOPNOTSUPP;
15135 
15136 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15137 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15138 		return -EOPNOTSUPP;
15139 
15140 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15141 	enabled = nla_get_flag(nla);
15142 
15143 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15144 }
15145 
15146 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15147 {
15148 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15149 	struct net_device *dev = info->user_ptr[1];
15150 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15151 	struct cfg80211_pmk_conf pmk_conf = {};
15152 	int ret;
15153 
15154 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15155 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15156 		return -EOPNOTSUPP;
15157 
15158 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15159 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15160 		return -EOPNOTSUPP;
15161 
15162 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15163 		return -EINVAL;
15164 
15165 	wdev_lock(wdev);
15166 	if (!wdev->connected) {
15167 		ret = -ENOTCONN;
15168 		goto out;
15169 	}
15170 
15171 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15172 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15173 		ret = -EINVAL;
15174 		goto out;
15175 	}
15176 
15177 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15178 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15179 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15180 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15181 		ret = -EINVAL;
15182 		goto out;
15183 	}
15184 
15185 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15186 		pmk_conf.pmk_r0_name =
15187 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15188 
15189 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15190 out:
15191 	wdev_unlock(wdev);
15192 	return ret;
15193 }
15194 
15195 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15196 {
15197 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15198 	struct net_device *dev = info->user_ptr[1];
15199 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15200 	const u8 *aa;
15201 	int ret;
15202 
15203 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15204 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15205 		return -EOPNOTSUPP;
15206 
15207 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15208 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15209 		return -EOPNOTSUPP;
15210 
15211 	if (!info->attrs[NL80211_ATTR_MAC])
15212 		return -EINVAL;
15213 
15214 	wdev_lock(wdev);
15215 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15216 	ret = rdev_del_pmk(rdev, dev, aa);
15217 	wdev_unlock(wdev);
15218 
15219 	return ret;
15220 }
15221 
15222 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15223 {
15224 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15225 	struct net_device *dev = info->user_ptr[1];
15226 	struct cfg80211_external_auth_params params;
15227 
15228 	if (!rdev->ops->external_auth)
15229 		return -EOPNOTSUPP;
15230 
15231 	if (!info->attrs[NL80211_ATTR_SSID] &&
15232 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15233 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15234 		return -EINVAL;
15235 
15236 	if (!info->attrs[NL80211_ATTR_BSSID])
15237 		return -EINVAL;
15238 
15239 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15240 		return -EINVAL;
15241 
15242 	memset(&params, 0, sizeof(params));
15243 
15244 	if (info->attrs[NL80211_ATTR_SSID]) {
15245 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15246 		if (params.ssid.ssid_len == 0)
15247 			return -EINVAL;
15248 		memcpy(params.ssid.ssid,
15249 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15250 		       params.ssid.ssid_len);
15251 	}
15252 
15253 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15254 	       ETH_ALEN);
15255 
15256 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15257 
15258 	if (info->attrs[NL80211_ATTR_PMKID])
15259 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15260 
15261 	return rdev_external_auth(rdev, dev, &params);
15262 }
15263 
15264 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15265 {
15266 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15267 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15268 	struct net_device *dev = info->user_ptr[1];
15269 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15270 	const u8 *buf;
15271 	size_t len;
15272 	u8 *dest;
15273 	u16 proto;
15274 	bool noencrypt;
15275 	u64 cookie = 0;
15276 	int link_id;
15277 	int err;
15278 
15279 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15280 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15281 		return -EOPNOTSUPP;
15282 
15283 	if (!rdev->ops->tx_control_port)
15284 		return -EOPNOTSUPP;
15285 
15286 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15287 	    !info->attrs[NL80211_ATTR_MAC] ||
15288 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15289 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15290 		return -EINVAL;
15291 	}
15292 
15293 	wdev_lock(wdev);
15294 
15295 	switch (wdev->iftype) {
15296 	case NL80211_IFTYPE_AP:
15297 	case NL80211_IFTYPE_P2P_GO:
15298 	case NL80211_IFTYPE_MESH_POINT:
15299 		break;
15300 	case NL80211_IFTYPE_ADHOC:
15301 		if (wdev->u.ibss.current_bss)
15302 			break;
15303 		err = -ENOTCONN;
15304 		goto out;
15305 	case NL80211_IFTYPE_STATION:
15306 	case NL80211_IFTYPE_P2P_CLIENT:
15307 		if (wdev->connected)
15308 			break;
15309 		err = -ENOTCONN;
15310 		goto out;
15311 	default:
15312 		err = -EOPNOTSUPP;
15313 		goto out;
15314 	}
15315 
15316 	wdev_unlock(wdev);
15317 
15318 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15319 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15320 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15321 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15322 	noencrypt =
15323 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15324 
15325 	link_id = nl80211_link_id_or_invalid(info->attrs);
15326 
15327 	err = rdev_tx_control_port(rdev, dev, buf, len,
15328 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15329 				   dont_wait_for_ack ? NULL : &cookie);
15330 	if (!err && !dont_wait_for_ack)
15331 		nl_set_extack_cookie_u64(info->extack, cookie);
15332 	return err;
15333  out:
15334 	wdev_unlock(wdev);
15335 	return err;
15336 }
15337 
15338 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15339 					   struct genl_info *info)
15340 {
15341 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15342 	struct net_device *dev = info->user_ptr[1];
15343 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15344 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15345 	unsigned int link_id = nl80211_link_id(info->attrs);
15346 	struct sk_buff *msg;
15347 	void *hdr;
15348 	struct nlattr *ftm_stats_attr;
15349 	int err;
15350 
15351 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15352 	    !wdev->links[link_id].ap.beacon_interval)
15353 		return -EOPNOTSUPP;
15354 
15355 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15356 	if (err)
15357 		return err;
15358 
15359 	if (!ftm_stats.filled)
15360 		return -ENODATA;
15361 
15362 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15363 	if (!msg)
15364 		return -ENOMEM;
15365 
15366 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15367 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15368 	if (!hdr)
15369 		goto nla_put_failure;
15370 
15371 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15372 		goto nla_put_failure;
15373 
15374 	ftm_stats_attr = nla_nest_start_noflag(msg,
15375 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15376 	if (!ftm_stats_attr)
15377 		goto nla_put_failure;
15378 
15379 #define SET_FTM(field, name, type)					 \
15380 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15381 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15382 			     ftm_stats.field))				 \
15383 		goto nla_put_failure; } while (0)
15384 #define SET_FTM_U64(field, name)					 \
15385 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15386 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15387 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15388 		goto nla_put_failure; } while (0)
15389 
15390 	SET_FTM(success_num, SUCCESS_NUM, u32);
15391 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15392 	SET_FTM(failed_num, FAILED_NUM, u32);
15393 	SET_FTM(asap_num, ASAP_NUM, u32);
15394 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15395 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15396 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15397 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15398 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15399 #undef SET_FTM
15400 
15401 	nla_nest_end(msg, ftm_stats_attr);
15402 
15403 	genlmsg_end(msg, hdr);
15404 	return genlmsg_reply(msg, info);
15405 
15406 nla_put_failure:
15407 	nlmsg_free(msg);
15408 	return -ENOBUFS;
15409 }
15410 
15411 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15412 {
15413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15414 	struct cfg80211_update_owe_info owe_info;
15415 	struct net_device *dev = info->user_ptr[1];
15416 
15417 	if (!rdev->ops->update_owe_info)
15418 		return -EOPNOTSUPP;
15419 
15420 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15421 	    !info->attrs[NL80211_ATTR_MAC])
15422 		return -EINVAL;
15423 
15424 	memset(&owe_info, 0, sizeof(owe_info));
15425 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15426 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15427 
15428 	if (info->attrs[NL80211_ATTR_IE]) {
15429 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15430 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15431 	}
15432 
15433 	return rdev_update_owe_info(rdev, dev, &owe_info);
15434 }
15435 
15436 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15437 {
15438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15439 	struct net_device *dev = info->user_ptr[1];
15440 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15441 	struct station_info sinfo = {};
15442 	const u8 *buf;
15443 	size_t len;
15444 	u8 *dest;
15445 	int err;
15446 
15447 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15448 		return -EOPNOTSUPP;
15449 
15450 	if (!info->attrs[NL80211_ATTR_MAC] ||
15451 	    !info->attrs[NL80211_ATTR_FRAME]) {
15452 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15453 		return -EINVAL;
15454 	}
15455 
15456 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15457 		return -EOPNOTSUPP;
15458 
15459 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15460 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15461 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15462 
15463 	if (len < sizeof(struct ethhdr))
15464 		return -EINVAL;
15465 
15466 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15467 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15468 		return -EINVAL;
15469 
15470 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15471 	if (err)
15472 		return err;
15473 
15474 	cfg80211_sinfo_release_content(&sinfo);
15475 
15476 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15477 }
15478 
15479 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15480 			  struct nlattr *attrs[], struct net_device *dev,
15481 			  struct cfg80211_tid_cfg *tid_conf,
15482 			  struct genl_info *info, const u8 *peer,
15483 			  unsigned int link_id)
15484 {
15485 	struct netlink_ext_ack *extack = info->extack;
15486 	u64 mask;
15487 	int err;
15488 
15489 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15490 		return -EINVAL;
15491 
15492 	tid_conf->config_override =
15493 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15494 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15495 
15496 	if (tid_conf->config_override) {
15497 		if (rdev->ops->reset_tid_config) {
15498 			err = rdev_reset_tid_config(rdev, dev, peer,
15499 						    tid_conf->tids);
15500 			if (err)
15501 				return err;
15502 		} else {
15503 			return -EINVAL;
15504 		}
15505 	}
15506 
15507 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15508 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15509 		tid_conf->noack =
15510 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15511 	}
15512 
15513 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15514 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15515 		tid_conf->retry_short =
15516 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15517 
15518 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15519 			return -EINVAL;
15520 	}
15521 
15522 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15523 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15524 		tid_conf->retry_long =
15525 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15526 
15527 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15528 			return -EINVAL;
15529 	}
15530 
15531 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15532 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15533 		tid_conf->ampdu =
15534 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15535 	}
15536 
15537 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15538 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15539 		tid_conf->rtscts =
15540 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15541 	}
15542 
15543 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15544 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15545 		tid_conf->amsdu =
15546 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15547 	}
15548 
15549 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15550 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15551 
15552 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15553 
15554 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15555 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15556 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15557 						    &tid_conf->txrate_mask, dev,
15558 						    true, link_id);
15559 			if (err)
15560 				return err;
15561 
15562 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15563 		}
15564 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15565 	}
15566 
15567 	if (peer)
15568 		mask = rdev->wiphy.tid_config_support.peer;
15569 	else
15570 		mask = rdev->wiphy.tid_config_support.vif;
15571 
15572 	if (tid_conf->mask & ~mask) {
15573 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15574 		return -ENOTSUPP;
15575 	}
15576 
15577 	return 0;
15578 }
15579 
15580 static int nl80211_set_tid_config(struct sk_buff *skb,
15581 				  struct genl_info *info)
15582 {
15583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15584 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15585 	unsigned int link_id = nl80211_link_id(info->attrs);
15586 	struct net_device *dev = info->user_ptr[1];
15587 	struct cfg80211_tid_config *tid_config;
15588 	struct nlattr *tid;
15589 	int conf_idx = 0, rem_conf;
15590 	int ret = -EINVAL;
15591 	u32 num_conf = 0;
15592 
15593 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15594 		return -EINVAL;
15595 
15596 	if (!rdev->ops->set_tid_config)
15597 		return -EOPNOTSUPP;
15598 
15599 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15600 			    rem_conf)
15601 		num_conf++;
15602 
15603 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15604 			     GFP_KERNEL);
15605 	if (!tid_config)
15606 		return -ENOMEM;
15607 
15608 	tid_config->n_tid_conf = num_conf;
15609 
15610 	if (info->attrs[NL80211_ATTR_MAC])
15611 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15612 
15613 	wdev_lock(dev->ieee80211_ptr);
15614 
15615 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15616 			    rem_conf) {
15617 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15618 				       tid, NULL, NULL);
15619 
15620 		if (ret)
15621 			goto bad_tid_conf;
15622 
15623 		ret = parse_tid_conf(rdev, attrs, dev,
15624 				     &tid_config->tid_conf[conf_idx],
15625 				     info, tid_config->peer, link_id);
15626 		if (ret)
15627 			goto bad_tid_conf;
15628 
15629 		conf_idx++;
15630 	}
15631 
15632 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15633 
15634 bad_tid_conf:
15635 	kfree(tid_config);
15636 	wdev_unlock(dev->ieee80211_ptr);
15637 	return ret;
15638 }
15639 
15640 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15641 {
15642 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15643 	struct cfg80211_color_change_settings params = {};
15644 	struct net_device *dev = info->user_ptr[1];
15645 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15646 	struct nlattr **tb;
15647 	u16 offset;
15648 	int err;
15649 
15650 	if (!rdev->ops->color_change)
15651 		return -EOPNOTSUPP;
15652 
15653 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15654 				     NL80211_EXT_FEATURE_BSS_COLOR))
15655 		return -EOPNOTSUPP;
15656 
15657 	if (wdev->iftype != NL80211_IFTYPE_AP)
15658 		return -EOPNOTSUPP;
15659 
15660 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15661 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15662 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15663 		return -EINVAL;
15664 
15665 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15666 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15667 
15668 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15669 	if (err)
15670 		return err;
15671 
15672 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15673 	if (!tb)
15674 		return -ENOMEM;
15675 
15676 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15677 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15678 			       nl80211_policy, info->extack);
15679 	if (err)
15680 		goto out;
15681 
15682 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15683 	if (err)
15684 		goto out;
15685 
15686 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15687 		err = -EINVAL;
15688 		goto out;
15689 	}
15690 
15691 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15692 		err = -EINVAL;
15693 		goto out;
15694 	}
15695 
15696 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15697 	if (offset >= params.beacon_color_change.tail_len) {
15698 		err = -EINVAL;
15699 		goto out;
15700 	}
15701 
15702 	if (params.beacon_color_change.tail[offset] != params.count) {
15703 		err = -EINVAL;
15704 		goto out;
15705 	}
15706 
15707 	params.counter_offset_beacon = offset;
15708 
15709 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15710 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15711 		    sizeof(u16)) {
15712 			err = -EINVAL;
15713 			goto out;
15714 		}
15715 
15716 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15717 		if (offset >= params.beacon_color_change.probe_resp_len) {
15718 			err = -EINVAL;
15719 			goto out;
15720 		}
15721 
15722 		if (params.beacon_color_change.probe_resp[offset] !=
15723 		    params.count) {
15724 			err = -EINVAL;
15725 			goto out;
15726 		}
15727 
15728 		params.counter_offset_presp = offset;
15729 	}
15730 
15731 	wdev_lock(wdev);
15732 	err = rdev_color_change(rdev, dev, &params);
15733 	wdev_unlock(wdev);
15734 
15735 out:
15736 	kfree(params.beacon_next.mbssid_ies);
15737 	kfree(params.beacon_color_change.mbssid_ies);
15738 	kfree(tb);
15739 	return err;
15740 }
15741 
15742 static int nl80211_set_fils_aad(struct sk_buff *skb,
15743 				struct genl_info *info)
15744 {
15745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15746 	struct net_device *dev = info->user_ptr[1];
15747 	struct cfg80211_fils_aad fils_aad = {};
15748 	u8 *nonces;
15749 
15750 	if (!info->attrs[NL80211_ATTR_MAC] ||
15751 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15752 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15753 		return -EINVAL;
15754 
15755 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15756 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15757 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15758 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15759 	fils_aad.snonce = nonces;
15760 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15761 
15762 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15763 }
15764 
15765 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
15766 {
15767 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15768 	unsigned int link_id = nl80211_link_id(info->attrs);
15769 	struct net_device *dev = info->user_ptr[1];
15770 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15771 	int ret;
15772 
15773 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
15774 		return -EINVAL;
15775 
15776 	switch (wdev->iftype) {
15777 	case NL80211_IFTYPE_AP:
15778 		break;
15779 	default:
15780 		return -EINVAL;
15781 	}
15782 
15783 	if (!info->attrs[NL80211_ATTR_MAC] ||
15784 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
15785 		return -EINVAL;
15786 
15787 	wdev_lock(wdev);
15788 	wdev->valid_links |= BIT(link_id);
15789 	ether_addr_copy(wdev->links[link_id].addr,
15790 			nla_data(info->attrs[NL80211_ATTR_MAC]));
15791 
15792 	ret = rdev_add_intf_link(rdev, wdev, link_id);
15793 	if (ret) {
15794 		wdev->valid_links &= ~BIT(link_id);
15795 		eth_zero_addr(wdev->links[link_id].addr);
15796 	}
15797 	wdev_unlock(wdev);
15798 
15799 	return ret;
15800 }
15801 
15802 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
15803 {
15804 	unsigned int link_id = nl80211_link_id(info->attrs);
15805 	struct net_device *dev = info->user_ptr[1];
15806 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15807 
15808 	/* cannot remove if there's no link */
15809 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
15810 		return -EINVAL;
15811 
15812 	switch (wdev->iftype) {
15813 	case NL80211_IFTYPE_AP:
15814 		break;
15815 	default:
15816 		return -EINVAL;
15817 	}
15818 
15819 	wdev_lock(wdev);
15820 	cfg80211_remove_link(wdev, link_id);
15821 	wdev_unlock(wdev);
15822 
15823 	return 0;
15824 }
15825 
15826 static int
15827 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
15828 			     bool add)
15829 {
15830 	struct link_station_parameters params = {};
15831 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15832 	struct net_device *dev = info->user_ptr[1];
15833 	int err;
15834 
15835 	if ((add && !rdev->ops->add_link_station) ||
15836 	    (!add && !rdev->ops->mod_link_station))
15837 		return -EOPNOTSUPP;
15838 
15839 	if (add && !info->attrs[NL80211_ATTR_MAC])
15840 		return -EINVAL;
15841 
15842 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
15843 		return -EINVAL;
15844 
15845 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
15846 		return -EINVAL;
15847 
15848 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
15849 
15850 	if (info->attrs[NL80211_ATTR_MAC]) {
15851 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
15852 		if (!is_valid_ether_addr(params.link_mac))
15853 			return -EINVAL;
15854 	}
15855 
15856 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
15857 		return -EINVAL;
15858 
15859 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
15860 
15861 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
15862 		params.supported_rates =
15863 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
15864 		params.supported_rates_len =
15865 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
15866 	}
15867 
15868 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
15869 		params.ht_capa =
15870 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
15871 
15872 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
15873 		params.vht_capa =
15874 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
15875 
15876 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
15877 		params.he_capa =
15878 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
15879 		params.he_capa_len =
15880 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
15881 
15882 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
15883 			params.eht_capa =
15884 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
15885 			params.eht_capa_len =
15886 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
15887 
15888 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
15889 							(const u8 *)params.eht_capa,
15890 							params.eht_capa_len))
15891 				return -EINVAL;
15892 		}
15893 	}
15894 
15895 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
15896 		params.he_6ghz_capa =
15897 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
15898 
15899 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
15900 		params.opmode_notif_used = true;
15901 		params.opmode_notif =
15902 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
15903 	}
15904 
15905 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
15906 						&params.txpwr_set);
15907 	if (err)
15908 		return err;
15909 
15910 	wdev_lock(dev->ieee80211_ptr);
15911 	if (add)
15912 		err = rdev_add_link_station(rdev, dev, &params);
15913 	else
15914 		err = rdev_mod_link_station(rdev, dev, &params);
15915 	wdev_unlock(dev->ieee80211_ptr);
15916 
15917 	return err;
15918 }
15919 
15920 static int
15921 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
15922 {
15923 	return nl80211_add_mod_link_station(skb, info, true);
15924 }
15925 
15926 static int
15927 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
15928 {
15929 	return nl80211_add_mod_link_station(skb, info, false);
15930 }
15931 
15932 static int
15933 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
15934 {
15935 	struct link_station_del_parameters params = {};
15936 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15937 	struct net_device *dev = info->user_ptr[1];
15938 	int ret;
15939 
15940 	if (!rdev->ops->del_link_station)
15941 		return -EOPNOTSUPP;
15942 
15943 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
15944 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
15945 		return -EINVAL;
15946 
15947 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
15948 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
15949 
15950 	wdev_lock(dev->ieee80211_ptr);
15951 	ret = rdev_del_link_station(rdev, dev, &params);
15952 	wdev_unlock(dev->ieee80211_ptr);
15953 
15954 	return ret;
15955 }
15956 
15957 #define NL80211_FLAG_NEED_WIPHY		0x01
15958 #define NL80211_FLAG_NEED_NETDEV	0x02
15959 #define NL80211_FLAG_NEED_RTNL		0x04
15960 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15961 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15962 					 NL80211_FLAG_CHECK_NETDEV_UP)
15963 #define NL80211_FLAG_NEED_WDEV		0x10
15964 /* If a netdev is associated, it must be UP, P2P must be started */
15965 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15966 					 NL80211_FLAG_CHECK_NETDEV_UP)
15967 #define NL80211_FLAG_CLEAR_SKB		0x20
15968 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15969 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
15970 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
15971 
15972 #define INTERNAL_FLAG_SELECTORS(__sel)			\
15973 	SELECTOR(__sel, NONE, 0) /* must be first */	\
15974 	SELECTOR(__sel, WIPHY,				\
15975 		 NL80211_FLAG_NEED_WIPHY)		\
15976 	SELECTOR(__sel, WDEV,				\
15977 		 NL80211_FLAG_NEED_WDEV)		\
15978 	SELECTOR(__sel, NETDEV,				\
15979 		 NL80211_FLAG_NEED_NETDEV)		\
15980 	SELECTOR(__sel, NETDEV_LINK,			\
15981 		 NL80211_FLAG_NEED_NETDEV |		\
15982 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
15983 	SELECTOR(__sel, NETDEV_NO_MLO,			\
15984 		 NL80211_FLAG_NEED_NETDEV |		\
15985 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
15986 	SELECTOR(__sel, WIPHY_RTNL,			\
15987 		 NL80211_FLAG_NEED_WIPHY |		\
15988 		 NL80211_FLAG_NEED_RTNL)		\
15989 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
15990 		 NL80211_FLAG_NEED_WIPHY |		\
15991 		 NL80211_FLAG_NEED_RTNL |		\
15992 		 NL80211_FLAG_NO_WIPHY_MTX)		\
15993 	SELECTOR(__sel, WDEV_RTNL,			\
15994 		 NL80211_FLAG_NEED_WDEV |		\
15995 		 NL80211_FLAG_NEED_RTNL)		\
15996 	SELECTOR(__sel, NETDEV_RTNL,			\
15997 		 NL80211_FLAG_NEED_NETDEV |		\
15998 		 NL80211_FLAG_NEED_RTNL)		\
15999 	SELECTOR(__sel, NETDEV_UP,			\
16000 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16001 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16002 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16003 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16004 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16005 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16006 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16007 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16008 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16009 		 NL80211_FLAG_CLEAR_SKB |		\
16010 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16011 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16012 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16013 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16014 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16015 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16016 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16017 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16018 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16019 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16020 		 NL80211_FLAG_CLEAR_SKB)		\
16021 	SELECTOR(__sel, WDEV_UP,			\
16022 		 NL80211_FLAG_NEED_WDEV_UP)		\
16023 	SELECTOR(__sel, WDEV_UP_LINK,			\
16024 		 NL80211_FLAG_NEED_WDEV_UP |		\
16025 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16026 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16027 		 NL80211_FLAG_NEED_WDEV_UP |		\
16028 		 NL80211_FLAG_NEED_RTNL)		\
16029 	SELECTOR(__sel, WIPHY_CLEAR,			\
16030 		 NL80211_FLAG_NEED_WIPHY |		\
16031 		 NL80211_FLAG_CLEAR_SKB)
16032 
16033 enum nl80211_internal_flags_selector {
16034 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16035 	INTERNAL_FLAG_SELECTORS(_)
16036 #undef SELECTOR
16037 };
16038 
16039 static u32 nl80211_internal_flags[] = {
16040 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16041 	INTERNAL_FLAG_SELECTORS(_)
16042 #undef SELECTOR
16043 };
16044 
16045 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
16046 			    struct genl_info *info)
16047 {
16048 	struct cfg80211_registered_device *rdev = NULL;
16049 	struct wireless_dev *wdev = NULL;
16050 	struct net_device *dev = NULL;
16051 	u32 internal_flags;
16052 	int err;
16053 
16054 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16055 		return -EINVAL;
16056 
16057 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16058 
16059 	rtnl_lock();
16060 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16061 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16062 		if (IS_ERR(rdev)) {
16063 			err = PTR_ERR(rdev);
16064 			goto out_unlock;
16065 		}
16066 		info->user_ptr[0] = rdev;
16067 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16068 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16069 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16070 						  info->attrs);
16071 		if (IS_ERR(wdev)) {
16072 			err = PTR_ERR(wdev);
16073 			goto out_unlock;
16074 		}
16075 
16076 		dev = wdev->netdev;
16077 		dev_hold(dev);
16078 		rdev = wiphy_to_rdev(wdev->wiphy);
16079 
16080 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16081 			if (!dev) {
16082 				err = -EINVAL;
16083 				goto out_unlock;
16084 			}
16085 
16086 			info->user_ptr[1] = dev;
16087 		} else {
16088 			info->user_ptr[1] = wdev;
16089 		}
16090 
16091 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16092 		    !wdev_running(wdev)) {
16093 			err = -ENETDOWN;
16094 			goto out_unlock;
16095 		}
16096 
16097 		info->user_ptr[0] = rdev;
16098 	}
16099 
16100 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16101 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16102 
16103 		if (!wdev) {
16104 			err = -EINVAL;
16105 			goto out_unlock;
16106 		}
16107 
16108 		/* MLO -> require valid link ID */
16109 		if (wdev->valid_links &&
16110 		    (!link_id ||
16111 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16112 			err = -EINVAL;
16113 			goto out_unlock;
16114 		}
16115 
16116 		/* non-MLO -> no link ID attribute accepted */
16117 		if (!wdev->valid_links && link_id) {
16118 			err = -EINVAL;
16119 			goto out_unlock;
16120 		}
16121 	}
16122 
16123 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16124 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16125 		    (wdev && wdev->valid_links)) {
16126 			err = -EINVAL;
16127 			goto out_unlock;
16128 		}
16129 	}
16130 
16131 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16132 		wiphy_lock(&rdev->wiphy);
16133 		/* we keep the mutex locked until post_doit */
16134 		__release(&rdev->wiphy.mtx);
16135 	}
16136 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16137 		rtnl_unlock();
16138 
16139 	return 0;
16140 out_unlock:
16141 	rtnl_unlock();
16142 	dev_put(dev);
16143 	return err;
16144 }
16145 
16146 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
16147 			      struct genl_info *info)
16148 {
16149 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16150 
16151 	if (info->user_ptr[1]) {
16152 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16153 			struct wireless_dev *wdev = info->user_ptr[1];
16154 
16155 			dev_put(wdev->netdev);
16156 		} else {
16157 			dev_put(info->user_ptr[1]);
16158 		}
16159 	}
16160 
16161 	if (info->user_ptr[0] &&
16162 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16163 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16164 
16165 		/* we kept the mutex locked since pre_doit */
16166 		__acquire(&rdev->wiphy.mtx);
16167 		wiphy_unlock(&rdev->wiphy);
16168 	}
16169 
16170 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16171 		rtnl_unlock();
16172 
16173 	/* If needed, clear the netlink message payload from the SKB
16174 	 * as it might contain key data that shouldn't stick around on
16175 	 * the heap after the SKB is freed. The netlink message header
16176 	 * is still needed for further processing, so leave it intact.
16177 	 */
16178 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16179 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16180 
16181 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16182 	}
16183 }
16184 
16185 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16186 				     struct cfg80211_sar_specs *sar_specs,
16187 				     struct nlattr *spec[], int index)
16188 {
16189 	u32 range_index, i;
16190 
16191 	if (!sar_specs || !spec)
16192 		return -EINVAL;
16193 
16194 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16195 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16196 		return -EINVAL;
16197 
16198 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16199 
16200 	/* check if range_index exceeds num_freq_ranges */
16201 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16202 		return -EINVAL;
16203 
16204 	/* check if range_index duplicates */
16205 	for (i = 0; i < index; i++) {
16206 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16207 			return -EINVAL;
16208 	}
16209 
16210 	sar_specs->sub_specs[index].power =
16211 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16212 
16213 	sar_specs->sub_specs[index].freq_range_index = range_index;
16214 
16215 	return 0;
16216 }
16217 
16218 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16219 {
16220 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16221 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16222 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16223 	struct cfg80211_sar_specs *sar_spec;
16224 	enum nl80211_sar_type type;
16225 	struct nlattr *spec_list;
16226 	u32 specs;
16227 	int rem, err;
16228 
16229 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16230 		return -EOPNOTSUPP;
16231 
16232 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16233 		return -EINVAL;
16234 
16235 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16236 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16237 			 NULL, NULL);
16238 
16239 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16240 		return -EINVAL;
16241 
16242 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16243 	if (type != rdev->wiphy.sar_capa->type)
16244 		return -EINVAL;
16245 
16246 	specs = 0;
16247 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16248 		specs++;
16249 
16250 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16251 		return -EINVAL;
16252 
16253 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16254 	if (!sar_spec)
16255 		return -ENOMEM;
16256 
16257 	sar_spec->type = type;
16258 	specs = 0;
16259 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16260 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16261 				 spec_list, NULL, NULL);
16262 
16263 		switch (type) {
16264 		case NL80211_SAR_TYPE_POWER:
16265 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16266 						      spec, specs)) {
16267 				err = -EINVAL;
16268 				goto error;
16269 			}
16270 			break;
16271 		default:
16272 			err = -EINVAL;
16273 			goto error;
16274 		}
16275 		specs++;
16276 	}
16277 
16278 	sar_spec->num_sub_specs = specs;
16279 
16280 	rdev->cur_cmd_info = info;
16281 	err = rdev_set_sar_specs(rdev, sar_spec);
16282 	rdev->cur_cmd_info = NULL;
16283 error:
16284 	kfree(sar_spec);
16285 	return err;
16286 }
16287 
16288 #define SELECTOR(__sel, name, value) \
16289 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16290 int __missing_selector(void);
16291 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16292 
16293 static const struct genl_ops nl80211_ops[] = {
16294 	{
16295 		.cmd = NL80211_CMD_GET_WIPHY,
16296 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16297 		.doit = nl80211_get_wiphy,
16298 		.dumpit = nl80211_dump_wiphy,
16299 		.done = nl80211_dump_wiphy_done,
16300 		/* can be retrieved by unprivileged users */
16301 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16302 	},
16303 };
16304 
16305 static const struct genl_small_ops nl80211_small_ops[] = {
16306 	{
16307 		.cmd = NL80211_CMD_SET_WIPHY,
16308 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16309 		.doit = nl80211_set_wiphy,
16310 		.flags = GENL_UNS_ADMIN_PERM,
16311 	},
16312 	{
16313 		.cmd = NL80211_CMD_GET_INTERFACE,
16314 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16315 		.doit = nl80211_get_interface,
16316 		.dumpit = nl80211_dump_interface,
16317 		/* can be retrieved by unprivileged users */
16318 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16319 	},
16320 	{
16321 		.cmd = NL80211_CMD_SET_INTERFACE,
16322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16323 		.doit = nl80211_set_interface,
16324 		.flags = GENL_UNS_ADMIN_PERM,
16325 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16326 					 NL80211_FLAG_NEED_RTNL),
16327 	},
16328 	{
16329 		.cmd = NL80211_CMD_NEW_INTERFACE,
16330 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16331 		.doit = nl80211_new_interface,
16332 		.flags = GENL_UNS_ADMIN_PERM,
16333 		.internal_flags =
16334 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16335 			       NL80211_FLAG_NEED_RTNL |
16336 			       /* we take the wiphy mutex later ourselves */
16337 			       NL80211_FLAG_NO_WIPHY_MTX),
16338 	},
16339 	{
16340 		.cmd = NL80211_CMD_DEL_INTERFACE,
16341 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16342 		.doit = nl80211_del_interface,
16343 		.flags = GENL_UNS_ADMIN_PERM,
16344 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16345 					 NL80211_FLAG_NEED_RTNL),
16346 	},
16347 	{
16348 		.cmd = NL80211_CMD_GET_KEY,
16349 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16350 		.doit = nl80211_get_key,
16351 		.flags = GENL_UNS_ADMIN_PERM,
16352 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16353 	},
16354 	{
16355 		.cmd = NL80211_CMD_SET_KEY,
16356 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16357 		.doit = nl80211_set_key,
16358 		.flags = GENL_UNS_ADMIN_PERM,
16359 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16360 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16361 					 NL80211_FLAG_CLEAR_SKB),
16362 	},
16363 	{
16364 		.cmd = NL80211_CMD_NEW_KEY,
16365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16366 		.doit = nl80211_new_key,
16367 		.flags = GENL_UNS_ADMIN_PERM,
16368 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16369 					 NL80211_FLAG_CLEAR_SKB),
16370 	},
16371 	{
16372 		.cmd = NL80211_CMD_DEL_KEY,
16373 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16374 		.doit = nl80211_del_key,
16375 		.flags = GENL_UNS_ADMIN_PERM,
16376 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16377 	},
16378 	{
16379 		.cmd = NL80211_CMD_SET_BEACON,
16380 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16381 		.flags = GENL_UNS_ADMIN_PERM,
16382 		.doit = nl80211_set_beacon,
16383 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16384 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16385 	},
16386 	{
16387 		.cmd = NL80211_CMD_START_AP,
16388 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16389 		.flags = GENL_UNS_ADMIN_PERM,
16390 		.doit = nl80211_start_ap,
16391 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16392 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16393 	},
16394 	{
16395 		.cmd = NL80211_CMD_STOP_AP,
16396 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16397 		.flags = GENL_UNS_ADMIN_PERM,
16398 		.doit = nl80211_stop_ap,
16399 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16400 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16401 	},
16402 	{
16403 		.cmd = NL80211_CMD_GET_STATION,
16404 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16405 		.doit = nl80211_get_station,
16406 		.dumpit = nl80211_dump_station,
16407 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16408 	},
16409 	{
16410 		.cmd = NL80211_CMD_SET_STATION,
16411 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16412 		.doit = nl80211_set_station,
16413 		.flags = GENL_UNS_ADMIN_PERM,
16414 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16415 	},
16416 	{
16417 		.cmd = NL80211_CMD_NEW_STATION,
16418 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16419 		.doit = nl80211_new_station,
16420 		.flags = GENL_UNS_ADMIN_PERM,
16421 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16422 	},
16423 	{
16424 		.cmd = NL80211_CMD_DEL_STATION,
16425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16426 		.doit = nl80211_del_station,
16427 		.flags = GENL_UNS_ADMIN_PERM,
16428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16429 	},
16430 	{
16431 		.cmd = NL80211_CMD_GET_MPATH,
16432 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16433 		.doit = nl80211_get_mpath,
16434 		.dumpit = nl80211_dump_mpath,
16435 		.flags = GENL_UNS_ADMIN_PERM,
16436 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16437 	},
16438 	{
16439 		.cmd = NL80211_CMD_GET_MPP,
16440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16441 		.doit = nl80211_get_mpp,
16442 		.dumpit = nl80211_dump_mpp,
16443 		.flags = GENL_UNS_ADMIN_PERM,
16444 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16445 	},
16446 	{
16447 		.cmd = NL80211_CMD_SET_MPATH,
16448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16449 		.doit = nl80211_set_mpath,
16450 		.flags = GENL_UNS_ADMIN_PERM,
16451 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16452 	},
16453 	{
16454 		.cmd = NL80211_CMD_NEW_MPATH,
16455 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16456 		.doit = nl80211_new_mpath,
16457 		.flags = GENL_UNS_ADMIN_PERM,
16458 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16459 	},
16460 	{
16461 		.cmd = NL80211_CMD_DEL_MPATH,
16462 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16463 		.doit = nl80211_del_mpath,
16464 		.flags = GENL_UNS_ADMIN_PERM,
16465 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16466 	},
16467 	{
16468 		.cmd = NL80211_CMD_SET_BSS,
16469 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16470 		.doit = nl80211_set_bss,
16471 		.flags = GENL_UNS_ADMIN_PERM,
16472 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16473 	},
16474 	{
16475 		.cmd = NL80211_CMD_GET_REG,
16476 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16477 		.doit = nl80211_get_reg_do,
16478 		.dumpit = nl80211_get_reg_dump,
16479 		/* can be retrieved by unprivileged users */
16480 	},
16481 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16482 	{
16483 		.cmd = NL80211_CMD_SET_REG,
16484 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16485 		.doit = nl80211_set_reg,
16486 		.flags = GENL_ADMIN_PERM,
16487 	},
16488 #endif
16489 	{
16490 		.cmd = NL80211_CMD_REQ_SET_REG,
16491 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16492 		.doit = nl80211_req_set_reg,
16493 		.flags = GENL_ADMIN_PERM,
16494 	},
16495 	{
16496 		.cmd = NL80211_CMD_RELOAD_REGDB,
16497 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16498 		.doit = nl80211_reload_regdb,
16499 		.flags = GENL_ADMIN_PERM,
16500 	},
16501 	{
16502 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16503 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16504 		.doit = nl80211_get_mesh_config,
16505 		/* can be retrieved by unprivileged users */
16506 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16507 	},
16508 	{
16509 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16510 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16511 		.doit = nl80211_update_mesh_config,
16512 		.flags = GENL_UNS_ADMIN_PERM,
16513 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16514 	},
16515 	{
16516 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16517 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16518 		.doit = nl80211_trigger_scan,
16519 		.flags = GENL_UNS_ADMIN_PERM,
16520 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16521 	},
16522 	{
16523 		.cmd = NL80211_CMD_ABORT_SCAN,
16524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16525 		.doit = nl80211_abort_scan,
16526 		.flags = GENL_UNS_ADMIN_PERM,
16527 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16528 	},
16529 	{
16530 		.cmd = NL80211_CMD_GET_SCAN,
16531 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16532 		.dumpit = nl80211_dump_scan,
16533 	},
16534 	{
16535 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16536 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16537 		.doit = nl80211_start_sched_scan,
16538 		.flags = GENL_UNS_ADMIN_PERM,
16539 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16540 	},
16541 	{
16542 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16543 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16544 		.doit = nl80211_stop_sched_scan,
16545 		.flags = GENL_UNS_ADMIN_PERM,
16546 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16547 	},
16548 	{
16549 		.cmd = NL80211_CMD_AUTHENTICATE,
16550 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16551 		.doit = nl80211_authenticate,
16552 		.flags = GENL_UNS_ADMIN_PERM,
16553 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16554 					 NL80211_FLAG_CLEAR_SKB),
16555 	},
16556 	{
16557 		.cmd = NL80211_CMD_ASSOCIATE,
16558 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16559 		.doit = nl80211_associate,
16560 		.flags = GENL_UNS_ADMIN_PERM,
16561 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16562 					 NL80211_FLAG_CLEAR_SKB),
16563 	},
16564 	{
16565 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16566 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16567 		.doit = nl80211_deauthenticate,
16568 		.flags = GENL_UNS_ADMIN_PERM,
16569 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16570 	},
16571 	{
16572 		.cmd = NL80211_CMD_DISASSOCIATE,
16573 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16574 		.doit = nl80211_disassociate,
16575 		.flags = GENL_UNS_ADMIN_PERM,
16576 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16577 	},
16578 	{
16579 		.cmd = NL80211_CMD_JOIN_IBSS,
16580 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16581 		.doit = nl80211_join_ibss,
16582 		.flags = GENL_UNS_ADMIN_PERM,
16583 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16584 	},
16585 	{
16586 		.cmd = NL80211_CMD_LEAVE_IBSS,
16587 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16588 		.doit = nl80211_leave_ibss,
16589 		.flags = GENL_UNS_ADMIN_PERM,
16590 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16591 	},
16592 #ifdef CONFIG_NL80211_TESTMODE
16593 	{
16594 		.cmd = NL80211_CMD_TESTMODE,
16595 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16596 		.doit = nl80211_testmode_do,
16597 		.dumpit = nl80211_testmode_dump,
16598 		.flags = GENL_UNS_ADMIN_PERM,
16599 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16600 	},
16601 #endif
16602 	{
16603 		.cmd = NL80211_CMD_CONNECT,
16604 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16605 		.doit = nl80211_connect,
16606 		.flags = GENL_UNS_ADMIN_PERM,
16607 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16608 					 NL80211_FLAG_CLEAR_SKB),
16609 	},
16610 	{
16611 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
16612 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16613 		.doit = nl80211_update_connect_params,
16614 		.flags = GENL_ADMIN_PERM,
16615 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16616 					 NL80211_FLAG_CLEAR_SKB),
16617 	},
16618 	{
16619 		.cmd = NL80211_CMD_DISCONNECT,
16620 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16621 		.doit = nl80211_disconnect,
16622 		.flags = GENL_UNS_ADMIN_PERM,
16623 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16624 	},
16625 	{
16626 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
16627 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16628 		.doit = nl80211_wiphy_netns,
16629 		.flags = GENL_UNS_ADMIN_PERM,
16630 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16631 					 NL80211_FLAG_NEED_RTNL |
16632 					 NL80211_FLAG_NO_WIPHY_MTX),
16633 	},
16634 	{
16635 		.cmd = NL80211_CMD_GET_SURVEY,
16636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16637 		.dumpit = nl80211_dump_survey,
16638 	},
16639 	{
16640 		.cmd = NL80211_CMD_SET_PMKSA,
16641 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16642 		.doit = nl80211_setdel_pmksa,
16643 		.flags = GENL_UNS_ADMIN_PERM,
16644 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16645 					 NL80211_FLAG_CLEAR_SKB),
16646 	},
16647 	{
16648 		.cmd = NL80211_CMD_DEL_PMKSA,
16649 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16650 		.doit = nl80211_setdel_pmksa,
16651 		.flags = GENL_UNS_ADMIN_PERM,
16652 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16653 	},
16654 	{
16655 		.cmd = NL80211_CMD_FLUSH_PMKSA,
16656 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16657 		.doit = nl80211_flush_pmksa,
16658 		.flags = GENL_UNS_ADMIN_PERM,
16659 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16660 	},
16661 	{
16662 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
16663 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16664 		.doit = nl80211_remain_on_channel,
16665 		.flags = GENL_UNS_ADMIN_PERM,
16666 		/* FIXME: requiring a link ID here is probably not good */
16667 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16668 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16669 	},
16670 	{
16671 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16672 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16673 		.doit = nl80211_cancel_remain_on_channel,
16674 		.flags = GENL_UNS_ADMIN_PERM,
16675 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16676 	},
16677 	{
16678 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
16679 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16680 		.doit = nl80211_set_tx_bitrate_mask,
16681 		.flags = GENL_UNS_ADMIN_PERM,
16682 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16683 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16684 	},
16685 	{
16686 		.cmd = NL80211_CMD_REGISTER_FRAME,
16687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16688 		.doit = nl80211_register_mgmt,
16689 		.flags = GENL_UNS_ADMIN_PERM,
16690 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16691 	},
16692 	{
16693 		.cmd = NL80211_CMD_FRAME,
16694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16695 		.doit = nl80211_tx_mgmt,
16696 		.flags = GENL_UNS_ADMIN_PERM,
16697 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16698 	},
16699 	{
16700 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
16701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16702 		.doit = nl80211_tx_mgmt_cancel_wait,
16703 		.flags = GENL_UNS_ADMIN_PERM,
16704 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16705 	},
16706 	{
16707 		.cmd = NL80211_CMD_SET_POWER_SAVE,
16708 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16709 		.doit = nl80211_set_power_save,
16710 		.flags = GENL_UNS_ADMIN_PERM,
16711 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16712 	},
16713 	{
16714 		.cmd = NL80211_CMD_GET_POWER_SAVE,
16715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16716 		.doit = nl80211_get_power_save,
16717 		/* can be retrieved by unprivileged users */
16718 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16719 	},
16720 	{
16721 		.cmd = NL80211_CMD_SET_CQM,
16722 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16723 		.doit = nl80211_set_cqm,
16724 		.flags = GENL_UNS_ADMIN_PERM,
16725 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16726 	},
16727 	{
16728 		.cmd = NL80211_CMD_SET_CHANNEL,
16729 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16730 		.doit = nl80211_set_channel,
16731 		.flags = GENL_UNS_ADMIN_PERM,
16732 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16733 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16734 	},
16735 	{
16736 		.cmd = NL80211_CMD_JOIN_MESH,
16737 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16738 		.doit = nl80211_join_mesh,
16739 		.flags = GENL_UNS_ADMIN_PERM,
16740 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16741 	},
16742 	{
16743 		.cmd = NL80211_CMD_LEAVE_MESH,
16744 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16745 		.doit = nl80211_leave_mesh,
16746 		.flags = GENL_UNS_ADMIN_PERM,
16747 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16748 	},
16749 	{
16750 		.cmd = NL80211_CMD_JOIN_OCB,
16751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16752 		.doit = nl80211_join_ocb,
16753 		.flags = GENL_UNS_ADMIN_PERM,
16754 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16755 	},
16756 	{
16757 		.cmd = NL80211_CMD_LEAVE_OCB,
16758 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16759 		.doit = nl80211_leave_ocb,
16760 		.flags = GENL_UNS_ADMIN_PERM,
16761 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16762 	},
16763 #ifdef CONFIG_PM
16764 	{
16765 		.cmd = NL80211_CMD_GET_WOWLAN,
16766 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16767 		.doit = nl80211_get_wowlan,
16768 		/* can be retrieved by unprivileged users */
16769 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16770 	},
16771 	{
16772 		.cmd = NL80211_CMD_SET_WOWLAN,
16773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16774 		.doit = nl80211_set_wowlan,
16775 		.flags = GENL_UNS_ADMIN_PERM,
16776 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16777 	},
16778 #endif
16779 	{
16780 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
16781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16782 		.doit = nl80211_set_rekey_data,
16783 		.flags = GENL_UNS_ADMIN_PERM,
16784 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16785 					 NL80211_FLAG_CLEAR_SKB),
16786 	},
16787 	{
16788 		.cmd = NL80211_CMD_TDLS_MGMT,
16789 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16790 		.doit = nl80211_tdls_mgmt,
16791 		.flags = GENL_UNS_ADMIN_PERM,
16792 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16793 	},
16794 	{
16795 		.cmd = NL80211_CMD_TDLS_OPER,
16796 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16797 		.doit = nl80211_tdls_oper,
16798 		.flags = GENL_UNS_ADMIN_PERM,
16799 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16800 	},
16801 	{
16802 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
16803 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16804 		.doit = nl80211_register_unexpected_frame,
16805 		.flags = GENL_UNS_ADMIN_PERM,
16806 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16807 	},
16808 	{
16809 		.cmd = NL80211_CMD_PROBE_CLIENT,
16810 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16811 		.doit = nl80211_probe_client,
16812 		.flags = GENL_UNS_ADMIN_PERM,
16813 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16814 	},
16815 	{
16816 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16817 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16818 		.doit = nl80211_register_beacons,
16819 		.flags = GENL_UNS_ADMIN_PERM,
16820 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16821 	},
16822 	{
16823 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16824 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16825 		.doit = nl80211_set_noack_map,
16826 		.flags = GENL_UNS_ADMIN_PERM,
16827 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16828 	},
16829 	{
16830 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16831 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16832 		.doit = nl80211_start_p2p_device,
16833 		.flags = GENL_UNS_ADMIN_PERM,
16834 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16835 					 NL80211_FLAG_NEED_RTNL),
16836 	},
16837 	{
16838 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16839 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16840 		.doit = nl80211_stop_p2p_device,
16841 		.flags = GENL_UNS_ADMIN_PERM,
16842 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16843 					 NL80211_FLAG_NEED_RTNL),
16844 	},
16845 	{
16846 		.cmd = NL80211_CMD_START_NAN,
16847 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16848 		.doit = nl80211_start_nan,
16849 		.flags = GENL_ADMIN_PERM,
16850 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16851 					 NL80211_FLAG_NEED_RTNL),
16852 	},
16853 	{
16854 		.cmd = NL80211_CMD_STOP_NAN,
16855 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16856 		.doit = nl80211_stop_nan,
16857 		.flags = GENL_ADMIN_PERM,
16858 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16859 					 NL80211_FLAG_NEED_RTNL),
16860 	},
16861 	{
16862 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16863 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16864 		.doit = nl80211_nan_add_func,
16865 		.flags = GENL_ADMIN_PERM,
16866 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16867 	},
16868 	{
16869 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16870 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16871 		.doit = nl80211_nan_del_func,
16872 		.flags = GENL_ADMIN_PERM,
16873 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16874 	},
16875 	{
16876 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16877 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16878 		.doit = nl80211_nan_change_config,
16879 		.flags = GENL_ADMIN_PERM,
16880 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16881 	},
16882 	{
16883 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16884 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16885 		.doit = nl80211_set_mcast_rate,
16886 		.flags = GENL_UNS_ADMIN_PERM,
16887 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16888 	},
16889 	{
16890 		.cmd = NL80211_CMD_SET_MAC_ACL,
16891 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16892 		.doit = nl80211_set_mac_acl,
16893 		.flags = GENL_UNS_ADMIN_PERM,
16894 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16895 					 NL80211_FLAG_MLO_UNSUPPORTED),
16896 	},
16897 	{
16898 		.cmd = NL80211_CMD_RADAR_DETECT,
16899 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16900 		.doit = nl80211_start_radar_detection,
16901 		.flags = GENL_UNS_ADMIN_PERM,
16902 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16903 					 NL80211_FLAG_NO_WIPHY_MTX |
16904 					 NL80211_FLAG_MLO_UNSUPPORTED),
16905 	},
16906 	{
16907 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16909 		.doit = nl80211_get_protocol_features,
16910 	},
16911 	{
16912 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16913 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16914 		.doit = nl80211_update_ft_ies,
16915 		.flags = GENL_UNS_ADMIN_PERM,
16916 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16917 	},
16918 	{
16919 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16920 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16921 		.doit = nl80211_crit_protocol_start,
16922 		.flags = GENL_UNS_ADMIN_PERM,
16923 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16924 	},
16925 	{
16926 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16927 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16928 		.doit = nl80211_crit_protocol_stop,
16929 		.flags = GENL_UNS_ADMIN_PERM,
16930 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16931 	},
16932 	{
16933 		.cmd = NL80211_CMD_GET_COALESCE,
16934 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16935 		.doit = nl80211_get_coalesce,
16936 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16937 	},
16938 	{
16939 		.cmd = NL80211_CMD_SET_COALESCE,
16940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16941 		.doit = nl80211_set_coalesce,
16942 		.flags = GENL_UNS_ADMIN_PERM,
16943 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16944 	},
16945 	{
16946 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16948 		.doit = nl80211_channel_switch,
16949 		.flags = GENL_UNS_ADMIN_PERM,
16950 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16951 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16952 	},
16953 	{
16954 		.cmd = NL80211_CMD_VENDOR,
16955 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16956 		.doit = nl80211_vendor_cmd,
16957 		.dumpit = nl80211_vendor_cmd_dump,
16958 		.flags = GENL_UNS_ADMIN_PERM,
16959 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16960 					 NL80211_FLAG_CLEAR_SKB),
16961 	},
16962 	{
16963 		.cmd = NL80211_CMD_SET_QOS_MAP,
16964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16965 		.doit = nl80211_set_qos_map,
16966 		.flags = GENL_UNS_ADMIN_PERM,
16967 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16968 	},
16969 	{
16970 		.cmd = NL80211_CMD_ADD_TX_TS,
16971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16972 		.doit = nl80211_add_tx_ts,
16973 		.flags = GENL_UNS_ADMIN_PERM,
16974 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16975 					 NL80211_FLAG_MLO_UNSUPPORTED),
16976 	},
16977 	{
16978 		.cmd = NL80211_CMD_DEL_TX_TS,
16979 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16980 		.doit = nl80211_del_tx_ts,
16981 		.flags = GENL_UNS_ADMIN_PERM,
16982 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16983 	},
16984 	{
16985 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16986 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16987 		.doit = nl80211_tdls_channel_switch,
16988 		.flags = GENL_UNS_ADMIN_PERM,
16989 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16990 	},
16991 	{
16992 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16994 		.doit = nl80211_tdls_cancel_channel_switch,
16995 		.flags = GENL_UNS_ADMIN_PERM,
16996 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16997 	},
16998 	{
16999 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17001 		.doit = nl80211_set_multicast_to_unicast,
17002 		.flags = GENL_UNS_ADMIN_PERM,
17003 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17004 	},
17005 	{
17006 		.cmd = NL80211_CMD_SET_PMK,
17007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008 		.doit = nl80211_set_pmk,
17009 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17010 					 NL80211_FLAG_CLEAR_SKB),
17011 	},
17012 	{
17013 		.cmd = NL80211_CMD_DEL_PMK,
17014 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17015 		.doit = nl80211_del_pmk,
17016 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17017 	},
17018 	{
17019 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17021 		.doit = nl80211_external_auth,
17022 		.flags = GENL_ADMIN_PERM,
17023 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17024 	},
17025 	{
17026 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17028 		.doit = nl80211_tx_control_port,
17029 		.flags = GENL_UNS_ADMIN_PERM,
17030 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17031 	},
17032 	{
17033 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17035 		.doit = nl80211_get_ftm_responder_stats,
17036 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17037 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17038 	},
17039 	{
17040 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17041 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17042 		.doit = nl80211_pmsr_start,
17043 		.flags = GENL_UNS_ADMIN_PERM,
17044 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17045 	},
17046 	{
17047 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17049 		.doit = nl80211_notify_radar_detection,
17050 		.flags = GENL_UNS_ADMIN_PERM,
17051 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17052 	},
17053 	{
17054 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17055 		.doit = nl80211_update_owe_info,
17056 		.flags = GENL_ADMIN_PERM,
17057 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17058 	},
17059 	{
17060 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17061 		.doit = nl80211_probe_mesh_link,
17062 		.flags = GENL_UNS_ADMIN_PERM,
17063 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17064 	},
17065 	{
17066 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17067 		.doit = nl80211_set_tid_config,
17068 		.flags = GENL_UNS_ADMIN_PERM,
17069 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17070 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17071 	},
17072 	{
17073 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17074 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17075 		.doit = nl80211_set_sar_specs,
17076 		.flags = GENL_UNS_ADMIN_PERM,
17077 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17078 					 NL80211_FLAG_NEED_RTNL),
17079 	},
17080 	{
17081 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17082 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17083 		.doit = nl80211_color_change,
17084 		.flags = GENL_UNS_ADMIN_PERM,
17085 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17086 	},
17087 	{
17088 		.cmd = NL80211_CMD_SET_FILS_AAD,
17089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17090 		.doit = nl80211_set_fils_aad,
17091 		.flags = GENL_UNS_ADMIN_PERM,
17092 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17093 	},
17094 	{
17095 		.cmd = NL80211_CMD_ADD_LINK,
17096 		.doit = nl80211_add_link,
17097 		.flags = GENL_UNS_ADMIN_PERM,
17098 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17099 	},
17100 	{
17101 		.cmd = NL80211_CMD_REMOVE_LINK,
17102 		.doit = nl80211_remove_link,
17103 		.flags = GENL_UNS_ADMIN_PERM,
17104 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17105 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17106 	},
17107 	{
17108 		.cmd = NL80211_CMD_ADD_LINK_STA,
17109 		.doit = nl80211_add_link_station,
17110 		.flags = GENL_UNS_ADMIN_PERM,
17111 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17112 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17113 	},
17114 	{
17115 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17116 		.doit = nl80211_modify_link_station,
17117 		.flags = GENL_UNS_ADMIN_PERM,
17118 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17119 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17120 	},
17121 	{
17122 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17123 		.doit = nl80211_remove_link_station,
17124 		.flags = GENL_UNS_ADMIN_PERM,
17125 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17126 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17127 	},
17128 };
17129 
17130 static struct genl_family nl80211_fam __ro_after_init = {
17131 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17132 	.hdrsize = 0,			/* no private header */
17133 	.version = 1,			/* no particular meaning now */
17134 	.maxattr = NL80211_ATTR_MAX,
17135 	.policy = nl80211_policy,
17136 	.netnsok = true,
17137 	.pre_doit = nl80211_pre_doit,
17138 	.post_doit = nl80211_post_doit,
17139 	.module = THIS_MODULE,
17140 	.ops = nl80211_ops,
17141 	.n_ops = ARRAY_SIZE(nl80211_ops),
17142 	.small_ops = nl80211_small_ops,
17143 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17144 	.mcgrps = nl80211_mcgrps,
17145 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17146 	.parallel_ops = true,
17147 };
17148 
17149 /* notification functions */
17150 
17151 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17152 			  enum nl80211_commands cmd)
17153 {
17154 	struct sk_buff *msg;
17155 	struct nl80211_dump_wiphy_state state = {};
17156 
17157 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17158 		cmd != NL80211_CMD_DEL_WIPHY);
17159 
17160 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17161 	if (!msg)
17162 		return;
17163 
17164 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17165 		nlmsg_free(msg);
17166 		return;
17167 	}
17168 
17169 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17170 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17171 }
17172 
17173 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17174 				struct wireless_dev *wdev,
17175 				enum nl80211_commands cmd)
17176 {
17177 	struct sk_buff *msg;
17178 
17179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17180 	if (!msg)
17181 		return;
17182 
17183 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17184 		nlmsg_free(msg);
17185 		return;
17186 	}
17187 
17188 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17189 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17190 }
17191 
17192 static int nl80211_add_scan_req(struct sk_buff *msg,
17193 				struct cfg80211_registered_device *rdev)
17194 {
17195 	struct cfg80211_scan_request *req = rdev->scan_req;
17196 	struct nlattr *nest;
17197 	int i;
17198 	struct cfg80211_scan_info *info;
17199 
17200 	if (WARN_ON(!req))
17201 		return 0;
17202 
17203 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17204 	if (!nest)
17205 		goto nla_put_failure;
17206 	for (i = 0; i < req->n_ssids; i++) {
17207 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17208 			goto nla_put_failure;
17209 	}
17210 	nla_nest_end(msg, nest);
17211 
17212 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17213 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17214 		if (!nest)
17215 			goto nla_put_failure;
17216 		for (i = 0; i < req->n_channels; i++) {
17217 			if (nla_put_u32(msg, i,
17218 				   ieee80211_channel_to_khz(req->channels[i])))
17219 				goto nla_put_failure;
17220 		}
17221 		nla_nest_end(msg, nest);
17222 	} else {
17223 		nest = nla_nest_start_noflag(msg,
17224 					     NL80211_ATTR_SCAN_FREQUENCIES);
17225 		if (!nest)
17226 			goto nla_put_failure;
17227 		for (i = 0; i < req->n_channels; i++) {
17228 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17229 				goto nla_put_failure;
17230 		}
17231 		nla_nest_end(msg, nest);
17232 	}
17233 
17234 	if (req->ie &&
17235 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17236 		goto nla_put_failure;
17237 
17238 	if (req->flags &&
17239 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17240 		goto nla_put_failure;
17241 
17242 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17243 		&rdev->scan_req->info;
17244 	if (info->scan_start_tsf &&
17245 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17246 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17247 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17248 		     info->tsf_bssid)))
17249 		goto nla_put_failure;
17250 
17251 	return 0;
17252  nla_put_failure:
17253 	return -ENOBUFS;
17254 }
17255 
17256 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17257 				 struct cfg80211_registered_device *rdev,
17258 				 struct wireless_dev *wdev,
17259 				 u32 portid, u32 seq, int flags,
17260 				 u32 cmd)
17261 {
17262 	void *hdr;
17263 
17264 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17265 	if (!hdr)
17266 		return -1;
17267 
17268 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17269 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17270 					 wdev->netdev->ifindex)) ||
17271 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17272 			      NL80211_ATTR_PAD))
17273 		goto nla_put_failure;
17274 
17275 	/* ignore errors and send incomplete event anyway */
17276 	nl80211_add_scan_req(msg, rdev);
17277 
17278 	genlmsg_end(msg, hdr);
17279 	return 0;
17280 
17281  nla_put_failure:
17282 	genlmsg_cancel(msg, hdr);
17283 	return -EMSGSIZE;
17284 }
17285 
17286 static int
17287 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17288 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17289 {
17290 	void *hdr;
17291 
17292 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17293 	if (!hdr)
17294 		return -1;
17295 
17296 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17297 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17298 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17299 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17300 			      NL80211_ATTR_PAD))
17301 		goto nla_put_failure;
17302 
17303 	genlmsg_end(msg, hdr);
17304 	return 0;
17305 
17306  nla_put_failure:
17307 	genlmsg_cancel(msg, hdr);
17308 	return -EMSGSIZE;
17309 }
17310 
17311 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17312 			     struct wireless_dev *wdev)
17313 {
17314 	struct sk_buff *msg;
17315 
17316 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17317 	if (!msg)
17318 		return;
17319 
17320 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17321 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17322 		nlmsg_free(msg);
17323 		return;
17324 	}
17325 
17326 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17327 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17328 }
17329 
17330 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17331 				       struct wireless_dev *wdev, bool aborted)
17332 {
17333 	struct sk_buff *msg;
17334 
17335 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17336 	if (!msg)
17337 		return NULL;
17338 
17339 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17340 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17341 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17342 		nlmsg_free(msg);
17343 		return NULL;
17344 	}
17345 
17346 	return msg;
17347 }
17348 
17349 /* send message created by nl80211_build_scan_msg() */
17350 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17351 			   struct sk_buff *msg)
17352 {
17353 	if (!msg)
17354 		return;
17355 
17356 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17357 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17358 }
17359 
17360 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17361 {
17362 	struct sk_buff *msg;
17363 
17364 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17365 	if (!msg)
17366 		return;
17367 
17368 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17369 		nlmsg_free(msg);
17370 		return;
17371 	}
17372 
17373 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17374 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17375 }
17376 
17377 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17378 					  struct regulatory_request *request)
17379 {
17380 	/* Userspace can always count this one always being set */
17381 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17382 		goto nla_put_failure;
17383 
17384 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17385 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17386 			       NL80211_REGDOM_TYPE_WORLD))
17387 			goto nla_put_failure;
17388 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17389 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17390 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17391 			goto nla_put_failure;
17392 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17393 		   request->intersect) {
17394 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17395 			       NL80211_REGDOM_TYPE_INTERSECTION))
17396 			goto nla_put_failure;
17397 	} else {
17398 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17399 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17400 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17401 				   request->alpha2))
17402 			goto nla_put_failure;
17403 	}
17404 
17405 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17406 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17407 
17408 		if (wiphy &&
17409 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17410 			goto nla_put_failure;
17411 
17412 		if (wiphy &&
17413 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17414 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17415 			goto nla_put_failure;
17416 	}
17417 
17418 	return true;
17419 
17420 nla_put_failure:
17421 	return false;
17422 }
17423 
17424 /*
17425  * This can happen on global regulatory changes or device specific settings
17426  * based on custom regulatory domains.
17427  */
17428 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17429 				     struct regulatory_request *request)
17430 {
17431 	struct sk_buff *msg;
17432 	void *hdr;
17433 
17434 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17435 	if (!msg)
17436 		return;
17437 
17438 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17439 	if (!hdr)
17440 		goto nla_put_failure;
17441 
17442 	if (!nl80211_reg_change_event_fill(msg, request))
17443 		goto nla_put_failure;
17444 
17445 	genlmsg_end(msg, hdr);
17446 
17447 	rcu_read_lock();
17448 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17449 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17450 	rcu_read_unlock();
17451 
17452 	return;
17453 
17454 nla_put_failure:
17455 	nlmsg_free(msg);
17456 }
17457 
17458 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17459 				    struct net_device *netdev,
17460 				    const u8 *buf, size_t len,
17461 				    enum nl80211_commands cmd, gfp_t gfp,
17462 				    int uapsd_queues, const u8 *req_ies,
17463 				    size_t req_ies_len, bool reconnect)
17464 {
17465 	struct sk_buff *msg;
17466 	void *hdr;
17467 
17468 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17469 	if (!msg)
17470 		return;
17471 
17472 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17473 	if (!hdr) {
17474 		nlmsg_free(msg);
17475 		return;
17476 	}
17477 
17478 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17479 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17480 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17481 	    (req_ies &&
17482 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17483 		goto nla_put_failure;
17484 
17485 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17486 		goto nla_put_failure;
17487 
17488 	if (uapsd_queues >= 0) {
17489 		struct nlattr *nla_wmm =
17490 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17491 		if (!nla_wmm)
17492 			goto nla_put_failure;
17493 
17494 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17495 			       uapsd_queues))
17496 			goto nla_put_failure;
17497 
17498 		nla_nest_end(msg, nla_wmm);
17499 	}
17500 
17501 	genlmsg_end(msg, hdr);
17502 
17503 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17504 				NL80211_MCGRP_MLME, gfp);
17505 	return;
17506 
17507  nla_put_failure:
17508 	nlmsg_free(msg);
17509 }
17510 
17511 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17512 			  struct net_device *netdev, const u8 *buf,
17513 			  size_t len, gfp_t gfp)
17514 {
17515 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17516 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17517 				false);
17518 }
17519 
17520 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17521 			   struct net_device *netdev,
17522 			   struct cfg80211_rx_assoc_resp *data)
17523 {
17524 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17525 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17526 				data->uapsd_queues,
17527 				data->req_ies, data->req_ies_len, false);
17528 }
17529 
17530 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17531 			 struct net_device *netdev, const u8 *buf,
17532 			 size_t len, bool reconnect, gfp_t gfp)
17533 {
17534 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17535 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17536 				reconnect);
17537 }
17538 
17539 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17540 			   struct net_device *netdev, const u8 *buf,
17541 			   size_t len, bool reconnect, gfp_t gfp)
17542 {
17543 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17544 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17545 				reconnect);
17546 }
17547 
17548 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17549 				  size_t len)
17550 {
17551 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17552 	struct wiphy *wiphy = wdev->wiphy;
17553 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17554 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17555 	u32 cmd;
17556 
17557 	if (WARN_ON(len < 2))
17558 		return;
17559 
17560 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17561 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17562 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17563 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17564 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17565 		if (wdev->unprot_beacon_reported &&
17566 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17567 			return;
17568 		cmd = NL80211_CMD_UNPROT_BEACON;
17569 		wdev->unprot_beacon_reported = jiffies;
17570 	} else {
17571 		return;
17572 	}
17573 
17574 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17575 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17576 				NULL, 0, false);
17577 }
17578 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17579 
17580 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
17581 				      struct net_device *netdev, int cmd,
17582 				      const u8 *addr, gfp_t gfp)
17583 {
17584 	struct sk_buff *msg;
17585 	void *hdr;
17586 
17587 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17588 	if (!msg)
17589 		return;
17590 
17591 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17592 	if (!hdr) {
17593 		nlmsg_free(msg);
17594 		return;
17595 	}
17596 
17597 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17598 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17599 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17600 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17601 		goto nla_put_failure;
17602 
17603 	genlmsg_end(msg, hdr);
17604 
17605 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17606 				NL80211_MCGRP_MLME, gfp);
17607 	return;
17608 
17609  nla_put_failure:
17610 	nlmsg_free(msg);
17611 }
17612 
17613 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
17614 			       struct net_device *netdev, const u8 *addr,
17615 			       gfp_t gfp)
17616 {
17617 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
17618 				  addr, gfp);
17619 }
17620 
17621 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
17622 				struct net_device *netdev, const u8 *addr,
17623 				gfp_t gfp)
17624 {
17625 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
17626 				  addr, gfp);
17627 }
17628 
17629 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
17630 				 struct net_device *netdev,
17631 				 struct cfg80211_connect_resp_params *cr,
17632 				 gfp_t gfp)
17633 {
17634 	struct sk_buff *msg;
17635 	void *hdr;
17636 	unsigned int link;
17637 	size_t link_info_size = 0;
17638 	const u8 *connected_addr = cr->valid_links ?
17639 				   cr->ap_mld_addr : cr->links[0].bssid;
17640 
17641 	if (cr->valid_links) {
17642 		for_each_valid_link(cr, link) {
17643 			/* Nested attribute header */
17644 			link_info_size += NLA_HDRLEN;
17645 			/* Link ID */
17646 			link_info_size += nla_total_size(sizeof(u8));
17647 			link_info_size += cr->links[link].addr ?
17648 					  nla_total_size(ETH_ALEN) : 0;
17649 			link_info_size += (cr->links[link].bssid ||
17650 					   cr->links[link].bss) ?
17651 					  nla_total_size(ETH_ALEN) : 0;
17652 		}
17653 	}
17654 
17655 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
17656 			cr->fils.kek_len + cr->fils.pmk_len +
17657 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
17658 			gfp);
17659 	if (!msg)
17660 		return;
17661 
17662 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
17663 	if (!hdr) {
17664 		nlmsg_free(msg);
17665 		return;
17666 	}
17667 
17668 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17669 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17670 	    (connected_addr &&
17671 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
17672 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
17673 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
17674 			cr->status) ||
17675 	    (cr->status < 0 &&
17676 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17677 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
17678 			  cr->timeout_reason))) ||
17679 	    (cr->req_ie &&
17680 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
17681 	    (cr->resp_ie &&
17682 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
17683 		     cr->resp_ie)) ||
17684 	    (cr->fils.update_erp_next_seq_num &&
17685 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17686 			 cr->fils.erp_next_seq_num)) ||
17687 	    (cr->status == WLAN_STATUS_SUCCESS &&
17688 	     ((cr->fils.kek &&
17689 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
17690 		       cr->fils.kek)) ||
17691 	      (cr->fils.pmk &&
17692 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
17693 	      (cr->fils.pmkid &&
17694 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
17695 		goto nla_put_failure;
17696 
17697 	if (cr->valid_links) {
17698 		int i = 1;
17699 		struct nlattr *nested;
17700 
17701 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17702 		if (!nested)
17703 			goto nla_put_failure;
17704 
17705 		for_each_valid_link(cr, link) {
17706 			struct nlattr *nested_mlo_links;
17707 			const u8 *bssid = cr->links[link].bss ?
17708 					  cr->links[link].bss->bssid :
17709 					  cr->links[link].bssid;
17710 
17711 			nested_mlo_links = nla_nest_start(msg, i);
17712 			if (!nested_mlo_links)
17713 				goto nla_put_failure;
17714 
17715 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17716 			    (bssid &&
17717 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17718 			    (cr->links[link].addr &&
17719 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17720 				     cr->links[link].addr)))
17721 				goto nla_put_failure;
17722 
17723 			nla_nest_end(msg, nested_mlo_links);
17724 			i++;
17725 		}
17726 		nla_nest_end(msg, nested);
17727 	}
17728 
17729 	genlmsg_end(msg, hdr);
17730 
17731 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17732 				NL80211_MCGRP_MLME, gfp);
17733 	return;
17734 
17735  nla_put_failure:
17736 	nlmsg_free(msg);
17737 }
17738 
17739 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
17740 			 struct net_device *netdev,
17741 			 struct cfg80211_roam_info *info, gfp_t gfp)
17742 {
17743 	struct sk_buff *msg;
17744 	void *hdr;
17745 	size_t link_info_size = 0;
17746 	unsigned int link;
17747 	const u8 *connected_addr = info->ap_mld_addr ?
17748 				   info->ap_mld_addr :
17749 				   (info->links[0].bss ?
17750 				    info->links[0].bss->bssid :
17751 				    info->links[0].bssid);
17752 
17753 	if (info->valid_links) {
17754 		for_each_valid_link(info, link) {
17755 			/* Nested attribute header */
17756 			link_info_size += NLA_HDRLEN;
17757 			/* Link ID */
17758 			link_info_size += nla_total_size(sizeof(u8));
17759 			link_info_size += info->links[link].addr ?
17760 					  nla_total_size(ETH_ALEN) : 0;
17761 			link_info_size += (info->links[link].bssid ||
17762 					   info->links[link].bss) ?
17763 					  nla_total_size(ETH_ALEN) : 0;
17764 		}
17765 	}
17766 
17767 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
17768 			info->fils.kek_len + info->fils.pmk_len +
17769 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
17770 			link_info_size, gfp);
17771 	if (!msg)
17772 		return;
17773 
17774 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
17775 	if (!hdr) {
17776 		nlmsg_free(msg);
17777 		return;
17778 	}
17779 
17780 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17781 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17782 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
17783 	    (info->req_ie &&
17784 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
17785 		     info->req_ie)) ||
17786 	    (info->resp_ie &&
17787 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
17788 		     info->resp_ie)) ||
17789 	    (info->fils.update_erp_next_seq_num &&
17790 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17791 			 info->fils.erp_next_seq_num)) ||
17792 	    (info->fils.kek &&
17793 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
17794 		     info->fils.kek)) ||
17795 	    (info->fils.pmk &&
17796 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
17797 	    (info->fils.pmkid &&
17798 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
17799 		goto nla_put_failure;
17800 
17801 	if (info->valid_links) {
17802 		int i = 1;
17803 		struct nlattr *nested;
17804 
17805 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17806 		if (!nested)
17807 			goto nla_put_failure;
17808 
17809 		for_each_valid_link(info, link) {
17810 			struct nlattr *nested_mlo_links;
17811 			const u8 *bssid = info->links[link].bss ?
17812 					  info->links[link].bss->bssid :
17813 					  info->links[link].bssid;
17814 
17815 			nested_mlo_links = nla_nest_start(msg, i);
17816 			if (!nested_mlo_links)
17817 				goto nla_put_failure;
17818 
17819 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17820 			    (bssid &&
17821 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17822 			    (info->links[link].addr &&
17823 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17824 				     info->links[link].addr)))
17825 				goto nla_put_failure;
17826 
17827 			nla_nest_end(msg, nested_mlo_links);
17828 			i++;
17829 		}
17830 		nla_nest_end(msg, nested);
17831 	}
17832 
17833 	genlmsg_end(msg, hdr);
17834 
17835 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17836 				NL80211_MCGRP_MLME, gfp);
17837 	return;
17838 
17839  nla_put_failure:
17840 	nlmsg_free(msg);
17841 }
17842 
17843 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
17844 				  struct net_device *netdev, const u8 *bssid)
17845 {
17846 	struct sk_buff *msg;
17847 	void *hdr;
17848 
17849 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17850 	if (!msg)
17851 		return;
17852 
17853 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
17854 	if (!hdr) {
17855 		nlmsg_free(msg);
17856 		return;
17857 	}
17858 
17859 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17860 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17861 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17862 		goto nla_put_failure;
17863 
17864 	genlmsg_end(msg, hdr);
17865 
17866 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17867 				NL80211_MCGRP_MLME, GFP_KERNEL);
17868 	return;
17869 
17870  nla_put_failure:
17871 	nlmsg_free(msg);
17872 }
17873 
17874 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
17875 			       struct net_device *netdev, u16 reason,
17876 			       const u8 *ie, size_t ie_len, bool from_ap)
17877 {
17878 	struct sk_buff *msg;
17879 	void *hdr;
17880 
17881 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
17882 	if (!msg)
17883 		return;
17884 
17885 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
17886 	if (!hdr) {
17887 		nlmsg_free(msg);
17888 		return;
17889 	}
17890 
17891 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17892 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17893 	    (reason &&
17894 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
17895 	    (from_ap &&
17896 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
17897 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
17898 		goto nla_put_failure;
17899 
17900 	genlmsg_end(msg, hdr);
17901 
17902 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17903 				NL80211_MCGRP_MLME, GFP_KERNEL);
17904 	return;
17905 
17906  nla_put_failure:
17907 	nlmsg_free(msg);
17908 }
17909 
17910 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
17911 			     struct net_device *netdev, const u8 *bssid,
17912 			     gfp_t gfp)
17913 {
17914 	struct sk_buff *msg;
17915 	void *hdr;
17916 
17917 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17918 	if (!msg)
17919 		return;
17920 
17921 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
17922 	if (!hdr) {
17923 		nlmsg_free(msg);
17924 		return;
17925 	}
17926 
17927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17928 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17929 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17930 		goto nla_put_failure;
17931 
17932 	genlmsg_end(msg, hdr);
17933 
17934 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17935 				NL80211_MCGRP_MLME, gfp);
17936 	return;
17937 
17938  nla_put_failure:
17939 	nlmsg_free(msg);
17940 }
17941 
17942 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
17943 					const u8 *ie, u8 ie_len,
17944 					int sig_dbm, gfp_t gfp)
17945 {
17946 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17947 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17948 	struct sk_buff *msg;
17949 	void *hdr;
17950 
17951 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17952 		return;
17953 
17954 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17955 
17956 	msg = nlmsg_new(100 + ie_len, gfp);
17957 	if (!msg)
17958 		return;
17959 
17960 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17961 	if (!hdr) {
17962 		nlmsg_free(msg);
17963 		return;
17964 	}
17965 
17966 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17967 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17968 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17969 	    (ie_len && ie &&
17970 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17971 	    (sig_dbm &&
17972 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17973 		goto nla_put_failure;
17974 
17975 	genlmsg_end(msg, hdr);
17976 
17977 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17978 				NL80211_MCGRP_MLME, gfp);
17979 	return;
17980 
17981  nla_put_failure:
17982 	nlmsg_free(msg);
17983 }
17984 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17985 
17986 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17987 				 struct net_device *netdev, const u8 *addr,
17988 				 enum nl80211_key_type key_type, int key_id,
17989 				 const u8 *tsc, gfp_t gfp)
17990 {
17991 	struct sk_buff *msg;
17992 	void *hdr;
17993 
17994 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17995 	if (!msg)
17996 		return;
17997 
17998 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17999 	if (!hdr) {
18000 		nlmsg_free(msg);
18001 		return;
18002 	}
18003 
18004 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18005 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18006 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18007 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18008 	    (key_id != -1 &&
18009 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18010 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18011 		goto nla_put_failure;
18012 
18013 	genlmsg_end(msg, hdr);
18014 
18015 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18016 				NL80211_MCGRP_MLME, gfp);
18017 	return;
18018 
18019  nla_put_failure:
18020 	nlmsg_free(msg);
18021 }
18022 
18023 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18024 				    struct ieee80211_channel *channel_before,
18025 				    struct ieee80211_channel *channel_after)
18026 {
18027 	struct sk_buff *msg;
18028 	void *hdr;
18029 	struct nlattr *nl_freq;
18030 
18031 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18032 	if (!msg)
18033 		return;
18034 
18035 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18036 	if (!hdr) {
18037 		nlmsg_free(msg);
18038 		return;
18039 	}
18040 
18041 	/*
18042 	 * Since we are applying the beacon hint to a wiphy we know its
18043 	 * wiphy_idx is valid
18044 	 */
18045 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18046 		goto nla_put_failure;
18047 
18048 	/* Before */
18049 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18050 	if (!nl_freq)
18051 		goto nla_put_failure;
18052 
18053 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18054 		goto nla_put_failure;
18055 	nla_nest_end(msg, nl_freq);
18056 
18057 	/* After */
18058 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18059 	if (!nl_freq)
18060 		goto nla_put_failure;
18061 
18062 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18063 		goto nla_put_failure;
18064 	nla_nest_end(msg, nl_freq);
18065 
18066 	genlmsg_end(msg, hdr);
18067 
18068 	rcu_read_lock();
18069 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18070 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18071 	rcu_read_unlock();
18072 
18073 	return;
18074 
18075 nla_put_failure:
18076 	nlmsg_free(msg);
18077 }
18078 
18079 static void nl80211_send_remain_on_chan_event(
18080 	int cmd, struct cfg80211_registered_device *rdev,
18081 	struct wireless_dev *wdev, u64 cookie,
18082 	struct ieee80211_channel *chan,
18083 	unsigned int duration, gfp_t gfp)
18084 {
18085 	struct sk_buff *msg;
18086 	void *hdr;
18087 
18088 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18089 	if (!msg)
18090 		return;
18091 
18092 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18093 	if (!hdr) {
18094 		nlmsg_free(msg);
18095 		return;
18096 	}
18097 
18098 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18099 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18100 					 wdev->netdev->ifindex)) ||
18101 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18102 			      NL80211_ATTR_PAD) ||
18103 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18104 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18105 			NL80211_CHAN_NO_HT) ||
18106 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18107 			      NL80211_ATTR_PAD))
18108 		goto nla_put_failure;
18109 
18110 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18111 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18112 		goto nla_put_failure;
18113 
18114 	genlmsg_end(msg, hdr);
18115 
18116 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18117 				NL80211_MCGRP_MLME, gfp);
18118 	return;
18119 
18120  nla_put_failure:
18121 	nlmsg_free(msg);
18122 }
18123 
18124 void cfg80211_assoc_comeback(struct net_device *netdev,
18125 			     const u8 *ap_addr, u32 timeout)
18126 {
18127 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18128 	struct wiphy *wiphy = wdev->wiphy;
18129 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18130 	struct sk_buff *msg;
18131 	void *hdr;
18132 
18133 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18134 
18135 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18136 	if (!msg)
18137 		return;
18138 
18139 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18140 	if (!hdr) {
18141 		nlmsg_free(msg);
18142 		return;
18143 	}
18144 
18145 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18146 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18147 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18148 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18149 		goto nla_put_failure;
18150 
18151 	genlmsg_end(msg, hdr);
18152 
18153 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18154 				NL80211_MCGRP_MLME, GFP_KERNEL);
18155 	return;
18156 
18157  nla_put_failure:
18158 	nlmsg_free(msg);
18159 }
18160 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18161 
18162 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18163 			       struct ieee80211_channel *chan,
18164 			       unsigned int duration, gfp_t gfp)
18165 {
18166 	struct wiphy *wiphy = wdev->wiphy;
18167 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18168 
18169 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18170 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18171 					  rdev, wdev, cookie, chan,
18172 					  duration, gfp);
18173 }
18174 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18175 
18176 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18177 					struct ieee80211_channel *chan,
18178 					gfp_t gfp)
18179 {
18180 	struct wiphy *wiphy = wdev->wiphy;
18181 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18182 
18183 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18184 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18185 					  rdev, wdev, cookie, chan, 0, gfp);
18186 }
18187 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18188 
18189 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18190 					struct ieee80211_channel *chan,
18191 					gfp_t gfp)
18192 {
18193 	struct wiphy *wiphy = wdev->wiphy;
18194 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18195 
18196 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18197 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18198 					  rdev, wdev, cookie, chan, 0, gfp);
18199 }
18200 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18201 
18202 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18203 		      struct station_info *sinfo, gfp_t gfp)
18204 {
18205 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18206 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18207 	struct sk_buff *msg;
18208 
18209 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18210 
18211 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18212 	if (!msg)
18213 		return;
18214 
18215 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18216 				 rdev, dev, mac_addr, sinfo) < 0) {
18217 		nlmsg_free(msg);
18218 		return;
18219 	}
18220 
18221 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18222 				NL80211_MCGRP_MLME, gfp);
18223 }
18224 EXPORT_SYMBOL(cfg80211_new_sta);
18225 
18226 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18227 			    struct station_info *sinfo, gfp_t gfp)
18228 {
18229 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18230 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18231 	struct sk_buff *msg;
18232 	struct station_info empty_sinfo = {};
18233 
18234 	if (!sinfo)
18235 		sinfo = &empty_sinfo;
18236 
18237 	trace_cfg80211_del_sta(dev, mac_addr);
18238 
18239 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18240 	if (!msg) {
18241 		cfg80211_sinfo_release_content(sinfo);
18242 		return;
18243 	}
18244 
18245 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18246 				 rdev, dev, mac_addr, sinfo) < 0) {
18247 		nlmsg_free(msg);
18248 		return;
18249 	}
18250 
18251 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18252 				NL80211_MCGRP_MLME, gfp);
18253 }
18254 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18255 
18256 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18257 			  enum nl80211_connect_failed_reason reason,
18258 			  gfp_t gfp)
18259 {
18260 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18261 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18262 	struct sk_buff *msg;
18263 	void *hdr;
18264 
18265 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18266 	if (!msg)
18267 		return;
18268 
18269 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18270 	if (!hdr) {
18271 		nlmsg_free(msg);
18272 		return;
18273 	}
18274 
18275 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18276 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18277 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18278 		goto nla_put_failure;
18279 
18280 	genlmsg_end(msg, hdr);
18281 
18282 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18283 				NL80211_MCGRP_MLME, gfp);
18284 	return;
18285 
18286  nla_put_failure:
18287 	nlmsg_free(msg);
18288 }
18289 EXPORT_SYMBOL(cfg80211_conn_failed);
18290 
18291 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18292 				       const u8 *addr, gfp_t gfp)
18293 {
18294 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18295 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18296 	struct sk_buff *msg;
18297 	void *hdr;
18298 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18299 
18300 	if (!nlportid)
18301 		return false;
18302 
18303 	msg = nlmsg_new(100, gfp);
18304 	if (!msg)
18305 		return true;
18306 
18307 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18308 	if (!hdr) {
18309 		nlmsg_free(msg);
18310 		return true;
18311 	}
18312 
18313 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18314 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18315 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18316 		goto nla_put_failure;
18317 
18318 	genlmsg_end(msg, hdr);
18319 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18320 	return true;
18321 
18322  nla_put_failure:
18323 	nlmsg_free(msg);
18324 	return true;
18325 }
18326 
18327 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18328 				const u8 *addr, gfp_t gfp)
18329 {
18330 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18331 	bool ret;
18332 
18333 	trace_cfg80211_rx_spurious_frame(dev, addr);
18334 
18335 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18336 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18337 		trace_cfg80211_return_bool(false);
18338 		return false;
18339 	}
18340 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18341 					 addr, gfp);
18342 	trace_cfg80211_return_bool(ret);
18343 	return ret;
18344 }
18345 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18346 
18347 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18348 					const u8 *addr, gfp_t gfp)
18349 {
18350 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18351 	bool ret;
18352 
18353 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18354 
18355 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18356 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18357 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18358 		trace_cfg80211_return_bool(false);
18359 		return false;
18360 	}
18361 	ret = __nl80211_unexpected_frame(dev,
18362 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18363 					 addr, gfp);
18364 	trace_cfg80211_return_bool(ret);
18365 	return ret;
18366 }
18367 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18368 
18369 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18370 		      struct wireless_dev *wdev, u32 nlportid,
18371 		      struct cfg80211_rx_info *info, gfp_t gfp)
18372 {
18373 	struct net_device *netdev = wdev->netdev;
18374 	struct sk_buff *msg;
18375 	void *hdr;
18376 
18377 	msg = nlmsg_new(100 + info->len, gfp);
18378 	if (!msg)
18379 		return -ENOMEM;
18380 
18381 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18382 	if (!hdr) {
18383 		nlmsg_free(msg);
18384 		return -ENOMEM;
18385 	}
18386 
18387 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18388 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18389 					netdev->ifindex)) ||
18390 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18391 			      NL80211_ATTR_PAD) ||
18392 	    (info->have_link_id &&
18393 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18394 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18395 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18396 	    (info->sig_dbm &&
18397 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18398 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18399 	    (info->flags &&
18400 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18401 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18402 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18403 						  info->rx_tstamp,
18404 						  NL80211_ATTR_PAD)) ||
18405 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18406 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18407 						   info->ack_tstamp,
18408 						   NL80211_ATTR_PAD)))
18409 		goto nla_put_failure;
18410 
18411 	genlmsg_end(msg, hdr);
18412 
18413 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18414 
18415  nla_put_failure:
18416 	nlmsg_free(msg);
18417 	return -ENOBUFS;
18418 }
18419 
18420 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18421 				    struct cfg80211_tx_status *status,
18422 				    gfp_t gfp, enum nl80211_commands command)
18423 {
18424 	struct wiphy *wiphy = wdev->wiphy;
18425 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18426 	struct net_device *netdev = wdev->netdev;
18427 	struct sk_buff *msg;
18428 	void *hdr;
18429 
18430 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18431 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18432 					      status->ack);
18433 	else
18434 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18435 						      status->ack);
18436 
18437 	msg = nlmsg_new(100 + status->len, gfp);
18438 	if (!msg)
18439 		return;
18440 
18441 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18442 	if (!hdr) {
18443 		nlmsg_free(msg);
18444 		return;
18445 	}
18446 
18447 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18448 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18449 				   netdev->ifindex)) ||
18450 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18451 			      NL80211_ATTR_PAD) ||
18452 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18453 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18454 			      NL80211_ATTR_PAD) ||
18455 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18456 	    (status->tx_tstamp &&
18457 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18458 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18459 	    (status->ack_tstamp &&
18460 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18461 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18462 		goto nla_put_failure;
18463 
18464 	genlmsg_end(msg, hdr);
18465 
18466 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18467 				NL80211_MCGRP_MLME, gfp);
18468 	return;
18469 
18470 nla_put_failure:
18471 	nlmsg_free(msg);
18472 }
18473 
18474 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18475 				     const u8 *buf, size_t len, bool ack,
18476 				     gfp_t gfp)
18477 {
18478 	struct cfg80211_tx_status status = {
18479 		.cookie = cookie,
18480 		.buf = buf,
18481 		.len = len,
18482 		.ack = ack
18483 	};
18484 
18485 	nl80211_frame_tx_status(wdev, &status, gfp,
18486 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18487 }
18488 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18489 
18490 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18491 				 struct cfg80211_tx_status *status, gfp_t gfp)
18492 {
18493 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18494 }
18495 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18496 
18497 static int __nl80211_rx_control_port(struct net_device *dev,
18498 				     struct sk_buff *skb,
18499 				     bool unencrypted, gfp_t gfp)
18500 {
18501 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18502 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18503 	struct ethhdr *ehdr = eth_hdr(skb);
18504 	const u8 *addr = ehdr->h_source;
18505 	u16 proto = be16_to_cpu(skb->protocol);
18506 	struct sk_buff *msg;
18507 	void *hdr;
18508 	struct nlattr *frame;
18509 
18510 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
18511 
18512 	if (!nlportid)
18513 		return -ENOENT;
18514 
18515 	msg = nlmsg_new(100 + skb->len, gfp);
18516 	if (!msg)
18517 		return -ENOMEM;
18518 
18519 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
18520 	if (!hdr) {
18521 		nlmsg_free(msg);
18522 		return -ENOBUFS;
18523 	}
18524 
18525 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18526 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18527 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18528 			      NL80211_ATTR_PAD) ||
18529 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18530 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
18531 	    (unencrypted && nla_put_flag(msg,
18532 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
18533 		goto nla_put_failure;
18534 
18535 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
18536 	if (!frame)
18537 		goto nla_put_failure;
18538 
18539 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
18540 	genlmsg_end(msg, hdr);
18541 
18542 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18543 
18544  nla_put_failure:
18545 	nlmsg_free(msg);
18546 	return -ENOBUFS;
18547 }
18548 
18549 bool cfg80211_rx_control_port(struct net_device *dev,
18550 			      struct sk_buff *skb, bool unencrypted)
18551 {
18552 	int ret;
18553 
18554 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
18555 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
18556 	trace_cfg80211_return_bool(ret == 0);
18557 	return ret == 0;
18558 }
18559 EXPORT_SYMBOL(cfg80211_rx_control_port);
18560 
18561 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
18562 					    const char *mac, gfp_t gfp)
18563 {
18564 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18565 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18566 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18567 	void **cb;
18568 
18569 	if (!msg)
18570 		return NULL;
18571 
18572 	cb = (void **)msg->cb;
18573 
18574 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
18575 	if (!cb[0]) {
18576 		nlmsg_free(msg);
18577 		return NULL;
18578 	}
18579 
18580 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18581 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18582 		goto nla_put_failure;
18583 
18584 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18585 		goto nla_put_failure;
18586 
18587 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
18588 	if (!cb[1])
18589 		goto nla_put_failure;
18590 
18591 	cb[2] = rdev;
18592 
18593 	return msg;
18594  nla_put_failure:
18595 	nlmsg_free(msg);
18596 	return NULL;
18597 }
18598 
18599 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
18600 {
18601 	void **cb = (void **)msg->cb;
18602 	struct cfg80211_registered_device *rdev = cb[2];
18603 
18604 	nla_nest_end(msg, cb[1]);
18605 	genlmsg_end(msg, cb[0]);
18606 
18607 	memset(msg->cb, 0, sizeof(msg->cb));
18608 
18609 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18610 				NL80211_MCGRP_MLME, gfp);
18611 }
18612 
18613 void cfg80211_cqm_rssi_notify(struct net_device *dev,
18614 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
18615 			      s32 rssi_level, gfp_t gfp)
18616 {
18617 	struct sk_buff *msg;
18618 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18619 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18620 
18621 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
18622 
18623 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
18624 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
18625 		return;
18626 
18627 	if (wdev->cqm_config) {
18628 		wdev->cqm_config->last_rssi_event_value = rssi_level;
18629 
18630 		cfg80211_cqm_rssi_update(rdev, dev);
18631 
18632 		if (rssi_level == 0)
18633 			rssi_level = wdev->cqm_config->last_rssi_event_value;
18634 	}
18635 
18636 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18637 	if (!msg)
18638 		return;
18639 
18640 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
18641 			rssi_event))
18642 		goto nla_put_failure;
18643 
18644 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
18645 				      rssi_level))
18646 		goto nla_put_failure;
18647 
18648 	cfg80211_send_cqm(msg, gfp);
18649 
18650 	return;
18651 
18652  nla_put_failure:
18653 	nlmsg_free(msg);
18654 }
18655 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
18656 
18657 void cfg80211_cqm_txe_notify(struct net_device *dev,
18658 			     const u8 *peer, u32 num_packets,
18659 			     u32 rate, u32 intvl, gfp_t gfp)
18660 {
18661 	struct sk_buff *msg;
18662 
18663 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18664 	if (!msg)
18665 		return;
18666 
18667 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
18668 		goto nla_put_failure;
18669 
18670 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
18671 		goto nla_put_failure;
18672 
18673 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
18674 		goto nla_put_failure;
18675 
18676 	cfg80211_send_cqm(msg, gfp);
18677 	return;
18678 
18679  nla_put_failure:
18680 	nlmsg_free(msg);
18681 }
18682 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
18683 
18684 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
18685 				 const u8 *peer, u32 num_packets, gfp_t gfp)
18686 {
18687 	struct sk_buff *msg;
18688 
18689 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
18690 
18691 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18692 	if (!msg)
18693 		return;
18694 
18695 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
18696 		goto nla_put_failure;
18697 
18698 	cfg80211_send_cqm(msg, gfp);
18699 	return;
18700 
18701  nla_put_failure:
18702 	nlmsg_free(msg);
18703 }
18704 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
18705 
18706 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
18707 {
18708 	struct sk_buff *msg;
18709 
18710 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18711 	if (!msg)
18712 		return;
18713 
18714 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
18715 		goto nla_put_failure;
18716 
18717 	cfg80211_send_cqm(msg, gfp);
18718 	return;
18719 
18720  nla_put_failure:
18721 	nlmsg_free(msg);
18722 }
18723 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
18724 
18725 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
18726 				     struct net_device *netdev, const u8 *bssid,
18727 				     const u8 *replay_ctr, gfp_t gfp)
18728 {
18729 	struct sk_buff *msg;
18730 	struct nlattr *rekey_attr;
18731 	void *hdr;
18732 
18733 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18734 	if (!msg)
18735 		return;
18736 
18737 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
18738 	if (!hdr) {
18739 		nlmsg_free(msg);
18740 		return;
18741 	}
18742 
18743 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18744 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18745 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18746 		goto nla_put_failure;
18747 
18748 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
18749 	if (!rekey_attr)
18750 		goto nla_put_failure;
18751 
18752 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
18753 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
18754 		goto nla_put_failure;
18755 
18756 	nla_nest_end(msg, rekey_attr);
18757 
18758 	genlmsg_end(msg, hdr);
18759 
18760 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18761 				NL80211_MCGRP_MLME, gfp);
18762 	return;
18763 
18764  nla_put_failure:
18765 	nlmsg_free(msg);
18766 }
18767 
18768 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
18769 			       const u8 *replay_ctr, gfp_t gfp)
18770 {
18771 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18772 	struct wiphy *wiphy = wdev->wiphy;
18773 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18774 
18775 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
18776 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
18777 }
18778 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
18779 
18780 static void
18781 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
18782 			       struct net_device *netdev, int index,
18783 			       const u8 *bssid, bool preauth, gfp_t gfp)
18784 {
18785 	struct sk_buff *msg;
18786 	struct nlattr *attr;
18787 	void *hdr;
18788 
18789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18790 	if (!msg)
18791 		return;
18792 
18793 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
18794 	if (!hdr) {
18795 		nlmsg_free(msg);
18796 		return;
18797 	}
18798 
18799 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18800 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
18801 		goto nla_put_failure;
18802 
18803 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
18804 	if (!attr)
18805 		goto nla_put_failure;
18806 
18807 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
18808 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
18809 	    (preauth &&
18810 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
18811 		goto nla_put_failure;
18812 
18813 	nla_nest_end(msg, attr);
18814 
18815 	genlmsg_end(msg, hdr);
18816 
18817 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18818 				NL80211_MCGRP_MLME, gfp);
18819 	return;
18820 
18821  nla_put_failure:
18822 	nlmsg_free(msg);
18823 }
18824 
18825 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
18826 				     const u8 *bssid, bool preauth, gfp_t gfp)
18827 {
18828 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18829 	struct wiphy *wiphy = wdev->wiphy;
18830 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18831 
18832 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
18833 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
18834 }
18835 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
18836 
18837 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
18838 				     struct net_device *netdev,
18839 				     struct cfg80211_chan_def *chandef,
18840 				     gfp_t gfp,
18841 				     enum nl80211_commands notif,
18842 				     u8 count, bool quiet)
18843 {
18844 	struct sk_buff *msg;
18845 	void *hdr;
18846 
18847 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18848 	if (!msg)
18849 		return;
18850 
18851 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
18852 	if (!hdr) {
18853 		nlmsg_free(msg);
18854 		return;
18855 	}
18856 
18857 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
18858 		goto nla_put_failure;
18859 
18860 	if (nl80211_send_chandef(msg, chandef))
18861 		goto nla_put_failure;
18862 
18863 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
18864 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
18865 			goto nla_put_failure;
18866 		if (quiet &&
18867 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
18868 			goto nla_put_failure;
18869 	}
18870 
18871 	genlmsg_end(msg, hdr);
18872 
18873 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18874 				NL80211_MCGRP_MLME, gfp);
18875 	return;
18876 
18877  nla_put_failure:
18878 	nlmsg_free(msg);
18879 }
18880 
18881 void cfg80211_ch_switch_notify(struct net_device *dev,
18882 			       struct cfg80211_chan_def *chandef,
18883 			       unsigned int link_id)
18884 {
18885 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18886 	struct wiphy *wiphy = wdev->wiphy;
18887 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18888 
18889 	ASSERT_WDEV_LOCK(wdev);
18890 	WARN_INVALID_LINK_ID(wdev, link_id);
18891 
18892 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
18893 
18894 	switch (wdev->iftype) {
18895 	case NL80211_IFTYPE_STATION:
18896 	case NL80211_IFTYPE_P2P_CLIENT:
18897 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
18898 			cfg80211_update_assoc_bss_entry(wdev, link_id,
18899 							chandef->chan);
18900 		break;
18901 	case NL80211_IFTYPE_MESH_POINT:
18902 		wdev->u.mesh.chandef = *chandef;
18903 		wdev->u.mesh.preset_chandef = *chandef;
18904 		break;
18905 	case NL80211_IFTYPE_AP:
18906 	case NL80211_IFTYPE_P2P_GO:
18907 		wdev->links[link_id].ap.chandef = *chandef;
18908 		break;
18909 	case NL80211_IFTYPE_ADHOC:
18910 		wdev->u.ibss.chandef = *chandef;
18911 		break;
18912 	default:
18913 		WARN_ON(1);
18914 		break;
18915 	}
18916 
18917 	cfg80211_sched_dfs_chan_update(rdev);
18918 
18919 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
18920 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
18921 }
18922 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
18923 
18924 void cfg80211_ch_switch_started_notify(struct net_device *dev,
18925 				       struct cfg80211_chan_def *chandef,
18926 				       u8 count, bool quiet)
18927 {
18928 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18929 	struct wiphy *wiphy = wdev->wiphy;
18930 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18931 
18932 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
18933 
18934 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
18935 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
18936 				 count, quiet);
18937 }
18938 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
18939 
18940 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
18941 			      enum nl80211_commands cmd, u8 count,
18942 			      u64 color_bitmap)
18943 {
18944 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18945 	struct wiphy *wiphy = wdev->wiphy;
18946 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18947 	struct sk_buff *msg;
18948 	void *hdr;
18949 
18950 	ASSERT_WDEV_LOCK(wdev);
18951 
18952 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
18953 
18954 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18955 	if (!msg)
18956 		return -ENOMEM;
18957 
18958 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18959 	if (!hdr)
18960 		goto nla_put_failure;
18961 
18962 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18963 		goto nla_put_failure;
18964 
18965 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
18966 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
18967 		goto nla_put_failure;
18968 
18969 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
18970 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
18971 			      color_bitmap, NL80211_ATTR_PAD))
18972 		goto nla_put_failure;
18973 
18974 	genlmsg_end(msg, hdr);
18975 
18976 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
18977 				       msg, 0, NL80211_MCGRP_MLME, gfp);
18978 
18979 nla_put_failure:
18980 	nlmsg_free(msg);
18981 	return -EINVAL;
18982 }
18983 EXPORT_SYMBOL(cfg80211_bss_color_notify);
18984 
18985 void
18986 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
18987 		     const struct cfg80211_chan_def *chandef,
18988 		     enum nl80211_radar_event event,
18989 		     struct net_device *netdev, gfp_t gfp)
18990 {
18991 	struct sk_buff *msg;
18992 	void *hdr;
18993 
18994 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18995 	if (!msg)
18996 		return;
18997 
18998 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18999 	if (!hdr) {
19000 		nlmsg_free(msg);
19001 		return;
19002 	}
19003 
19004 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19005 		goto nla_put_failure;
19006 
19007 	/* NOP and radar events don't need a netdev parameter */
19008 	if (netdev) {
19009 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19010 
19011 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19012 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19013 				      NL80211_ATTR_PAD))
19014 			goto nla_put_failure;
19015 	}
19016 
19017 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19018 		goto nla_put_failure;
19019 
19020 	if (nl80211_send_chandef(msg, chandef))
19021 		goto nla_put_failure;
19022 
19023 	genlmsg_end(msg, hdr);
19024 
19025 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19026 				NL80211_MCGRP_MLME, gfp);
19027 	return;
19028 
19029  nla_put_failure:
19030 	nlmsg_free(msg);
19031 }
19032 
19033 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19034 				       struct sta_opmode_info *sta_opmode,
19035 				       gfp_t gfp)
19036 {
19037 	struct sk_buff *msg;
19038 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19039 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19040 	void *hdr;
19041 
19042 	if (WARN_ON(!mac))
19043 		return;
19044 
19045 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19046 	if (!msg)
19047 		return;
19048 
19049 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19050 	if (!hdr) {
19051 		nlmsg_free(msg);
19052 		return;
19053 	}
19054 
19055 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19056 		goto nla_put_failure;
19057 
19058 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19059 		goto nla_put_failure;
19060 
19061 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19062 		goto nla_put_failure;
19063 
19064 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19065 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19066 		goto nla_put_failure;
19067 
19068 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19069 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19070 		goto nla_put_failure;
19071 
19072 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19073 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19074 		goto nla_put_failure;
19075 
19076 	genlmsg_end(msg, hdr);
19077 
19078 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19079 				NL80211_MCGRP_MLME, gfp);
19080 
19081 	return;
19082 
19083 nla_put_failure:
19084 	nlmsg_free(msg);
19085 }
19086 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19087 
19088 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19089 			   u64 cookie, bool acked, s32 ack_signal,
19090 			   bool is_valid_ack_signal, gfp_t gfp)
19091 {
19092 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19093 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19094 	struct sk_buff *msg;
19095 	void *hdr;
19096 
19097 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19098 
19099 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19100 
19101 	if (!msg)
19102 		return;
19103 
19104 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19105 	if (!hdr) {
19106 		nlmsg_free(msg);
19107 		return;
19108 	}
19109 
19110 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19111 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19112 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19113 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19114 			      NL80211_ATTR_PAD) ||
19115 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19116 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19117 						ack_signal)))
19118 		goto nla_put_failure;
19119 
19120 	genlmsg_end(msg, hdr);
19121 
19122 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19123 				NL80211_MCGRP_MLME, gfp);
19124 	return;
19125 
19126  nla_put_failure:
19127 	nlmsg_free(msg);
19128 }
19129 EXPORT_SYMBOL(cfg80211_probe_status);
19130 
19131 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19132 				     size_t len, int freq, int sig_dbm)
19133 {
19134 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19135 	struct sk_buff *msg;
19136 	void *hdr;
19137 	struct cfg80211_beacon_registration *reg;
19138 
19139 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19140 
19141 	spin_lock_bh(&rdev->beacon_registrations_lock);
19142 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19143 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19144 		if (!msg) {
19145 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19146 			return;
19147 		}
19148 
19149 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19150 		if (!hdr)
19151 			goto nla_put_failure;
19152 
19153 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19154 		    (freq &&
19155 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19156 				  KHZ_TO_MHZ(freq)) ||
19157 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19158 				  freq % 1000))) ||
19159 		    (sig_dbm &&
19160 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19161 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19162 			goto nla_put_failure;
19163 
19164 		genlmsg_end(msg, hdr);
19165 
19166 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19167 	}
19168 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19169 	return;
19170 
19171  nla_put_failure:
19172 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19173 	nlmsg_free(msg);
19174 }
19175 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19176 
19177 #ifdef CONFIG_PM
19178 static int cfg80211_net_detect_results(struct sk_buff *msg,
19179 				       struct cfg80211_wowlan_wakeup *wakeup)
19180 {
19181 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19182 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19183 	int i, j;
19184 
19185 	nl_results = nla_nest_start_noflag(msg,
19186 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19187 	if (!nl_results)
19188 		return -EMSGSIZE;
19189 
19190 	for (i = 0; i < nd->n_matches; i++) {
19191 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19192 
19193 		nl_match = nla_nest_start_noflag(msg, i);
19194 		if (!nl_match)
19195 			break;
19196 
19197 		/* The SSID attribute is optional in nl80211, but for
19198 		 * simplicity reasons it's always present in the
19199 		 * cfg80211 structure.  If a driver can't pass the
19200 		 * SSID, that needs to be changed.  A zero length SSID
19201 		 * is still a valid SSID (wildcard), so it cannot be
19202 		 * used for this purpose.
19203 		 */
19204 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19205 			    match->ssid.ssid)) {
19206 			nla_nest_cancel(msg, nl_match);
19207 			goto out;
19208 		}
19209 
19210 		if (match->n_channels) {
19211 			nl_freqs = nla_nest_start_noflag(msg,
19212 							 NL80211_ATTR_SCAN_FREQUENCIES);
19213 			if (!nl_freqs) {
19214 				nla_nest_cancel(msg, nl_match);
19215 				goto out;
19216 			}
19217 
19218 			for (j = 0; j < match->n_channels; j++) {
19219 				if (nla_put_u32(msg, j, match->channels[j])) {
19220 					nla_nest_cancel(msg, nl_freqs);
19221 					nla_nest_cancel(msg, nl_match);
19222 					goto out;
19223 				}
19224 			}
19225 
19226 			nla_nest_end(msg, nl_freqs);
19227 		}
19228 
19229 		nla_nest_end(msg, nl_match);
19230 	}
19231 
19232 out:
19233 	nla_nest_end(msg, nl_results);
19234 	return 0;
19235 }
19236 
19237 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19238 				   struct cfg80211_wowlan_wakeup *wakeup,
19239 				   gfp_t gfp)
19240 {
19241 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19242 	struct sk_buff *msg;
19243 	void *hdr;
19244 	int size = 200;
19245 
19246 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19247 
19248 	if (wakeup)
19249 		size += wakeup->packet_present_len;
19250 
19251 	msg = nlmsg_new(size, gfp);
19252 	if (!msg)
19253 		return;
19254 
19255 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19256 	if (!hdr)
19257 		goto free_msg;
19258 
19259 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19260 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19261 			      NL80211_ATTR_PAD))
19262 		goto free_msg;
19263 
19264 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19265 					wdev->netdev->ifindex))
19266 		goto free_msg;
19267 
19268 	if (wakeup) {
19269 		struct nlattr *reasons;
19270 
19271 		reasons = nla_nest_start_noflag(msg,
19272 						NL80211_ATTR_WOWLAN_TRIGGERS);
19273 		if (!reasons)
19274 			goto free_msg;
19275 
19276 		if (wakeup->disconnect &&
19277 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19278 			goto free_msg;
19279 		if (wakeup->magic_pkt &&
19280 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19281 			goto free_msg;
19282 		if (wakeup->gtk_rekey_failure &&
19283 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19284 			goto free_msg;
19285 		if (wakeup->eap_identity_req &&
19286 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19287 			goto free_msg;
19288 		if (wakeup->four_way_handshake &&
19289 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19290 			goto free_msg;
19291 		if (wakeup->rfkill_release &&
19292 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19293 			goto free_msg;
19294 
19295 		if (wakeup->pattern_idx >= 0 &&
19296 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19297 				wakeup->pattern_idx))
19298 			goto free_msg;
19299 
19300 		if (wakeup->tcp_match &&
19301 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19302 			goto free_msg;
19303 
19304 		if (wakeup->tcp_connlost &&
19305 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19306 			goto free_msg;
19307 
19308 		if (wakeup->tcp_nomoretokens &&
19309 		    nla_put_flag(msg,
19310 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19311 			goto free_msg;
19312 
19313 		if (wakeup->packet) {
19314 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19315 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19316 
19317 			if (!wakeup->packet_80211) {
19318 				pkt_attr =
19319 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19320 				len_attr =
19321 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19322 			}
19323 
19324 			if (wakeup->packet_len &&
19325 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19326 				goto free_msg;
19327 
19328 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19329 				    wakeup->packet))
19330 				goto free_msg;
19331 		}
19332 
19333 		if (wakeup->net_detect &&
19334 		    cfg80211_net_detect_results(msg, wakeup))
19335 				goto free_msg;
19336 
19337 		nla_nest_end(msg, reasons);
19338 	}
19339 
19340 	genlmsg_end(msg, hdr);
19341 
19342 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19343 				NL80211_MCGRP_MLME, gfp);
19344 	return;
19345 
19346  free_msg:
19347 	nlmsg_free(msg);
19348 }
19349 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19350 #endif
19351 
19352 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19353 				enum nl80211_tdls_operation oper,
19354 				u16 reason_code, gfp_t gfp)
19355 {
19356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19357 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19358 	struct sk_buff *msg;
19359 	void *hdr;
19360 
19361 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19362 					 reason_code);
19363 
19364 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19365 	if (!msg)
19366 		return;
19367 
19368 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19369 	if (!hdr) {
19370 		nlmsg_free(msg);
19371 		return;
19372 	}
19373 
19374 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19375 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19376 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19377 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19378 	    (reason_code > 0 &&
19379 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19380 		goto nla_put_failure;
19381 
19382 	genlmsg_end(msg, hdr);
19383 
19384 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19385 				NL80211_MCGRP_MLME, gfp);
19386 	return;
19387 
19388  nla_put_failure:
19389 	nlmsg_free(msg);
19390 }
19391 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19392 
19393 static int nl80211_netlink_notify(struct notifier_block * nb,
19394 				  unsigned long state,
19395 				  void *_notify)
19396 {
19397 	struct netlink_notify *notify = _notify;
19398 	struct cfg80211_registered_device *rdev;
19399 	struct wireless_dev *wdev;
19400 	struct cfg80211_beacon_registration *reg, *tmp;
19401 
19402 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19403 		return NOTIFY_DONE;
19404 
19405 	rcu_read_lock();
19406 
19407 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19408 		struct cfg80211_sched_scan_request *sched_scan_req;
19409 
19410 		list_for_each_entry_rcu(sched_scan_req,
19411 					&rdev->sched_scan_req_list,
19412 					list) {
19413 			if (sched_scan_req->owner_nlportid == notify->portid) {
19414 				sched_scan_req->nl_owner_dead = true;
19415 				schedule_work(&rdev->sched_scan_stop_wk);
19416 			}
19417 		}
19418 
19419 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19420 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19421 
19422 			if (wdev->owner_nlportid == notify->portid) {
19423 				wdev->nl_owner_dead = true;
19424 				schedule_work(&rdev->destroy_work);
19425 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19426 				schedule_work(&wdev->disconnect_wk);
19427 			}
19428 
19429 			cfg80211_release_pmsr(wdev, notify->portid);
19430 		}
19431 
19432 		spin_lock_bh(&rdev->beacon_registrations_lock);
19433 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19434 					 list) {
19435 			if (reg->nlportid == notify->portid) {
19436 				list_del(&reg->list);
19437 				kfree(reg);
19438 				break;
19439 			}
19440 		}
19441 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19442 	}
19443 
19444 	rcu_read_unlock();
19445 
19446 	/*
19447 	 * It is possible that the user space process that is controlling the
19448 	 * indoor setting disappeared, so notify the regulatory core.
19449 	 */
19450 	regulatory_netlink_notify(notify->portid);
19451 	return NOTIFY_OK;
19452 }
19453 
19454 static struct notifier_block nl80211_netlink_notifier = {
19455 	.notifier_call = nl80211_netlink_notify,
19456 };
19457 
19458 void cfg80211_ft_event(struct net_device *netdev,
19459 		       struct cfg80211_ft_event_params *ft_event)
19460 {
19461 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19462 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19463 	struct sk_buff *msg;
19464 	void *hdr;
19465 
19466 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
19467 
19468 	if (!ft_event->target_ap)
19469 		return;
19470 
19471 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
19472 			GFP_KERNEL);
19473 	if (!msg)
19474 		return;
19475 
19476 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
19477 	if (!hdr)
19478 		goto out;
19479 
19480 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19481 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19482 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
19483 		goto out;
19484 
19485 	if (ft_event->ies &&
19486 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
19487 		goto out;
19488 	if (ft_event->ric_ies &&
19489 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
19490 		    ft_event->ric_ies))
19491 		goto out;
19492 
19493 	genlmsg_end(msg, hdr);
19494 
19495 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19496 				NL80211_MCGRP_MLME, GFP_KERNEL);
19497 	return;
19498  out:
19499 	nlmsg_free(msg);
19500 }
19501 EXPORT_SYMBOL(cfg80211_ft_event);
19502 
19503 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
19504 {
19505 	struct cfg80211_registered_device *rdev;
19506 	struct sk_buff *msg;
19507 	void *hdr;
19508 	u32 nlportid;
19509 
19510 	rdev = wiphy_to_rdev(wdev->wiphy);
19511 	if (!rdev->crit_proto_nlportid)
19512 		return;
19513 
19514 	nlportid = rdev->crit_proto_nlportid;
19515 	rdev->crit_proto_nlportid = 0;
19516 
19517 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19518 	if (!msg)
19519 		return;
19520 
19521 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
19522 	if (!hdr)
19523 		goto nla_put_failure;
19524 
19525 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19526 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19527 			      NL80211_ATTR_PAD))
19528 		goto nla_put_failure;
19529 
19530 	genlmsg_end(msg, hdr);
19531 
19532 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19533 	return;
19534 
19535  nla_put_failure:
19536 	nlmsg_free(msg);
19537 }
19538 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
19539 
19540 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
19541 {
19542 	struct wiphy *wiphy = wdev->wiphy;
19543 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19544 	struct sk_buff *msg;
19545 	void *hdr;
19546 
19547 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19548 	if (!msg)
19549 		return;
19550 
19551 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
19552 	if (!hdr)
19553 		goto out;
19554 
19555 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19556 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
19557 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19558 			      NL80211_ATTR_PAD))
19559 		goto out;
19560 
19561 	genlmsg_end(msg, hdr);
19562 
19563 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
19564 				NL80211_MCGRP_MLME, GFP_KERNEL);
19565 	return;
19566  out:
19567 	nlmsg_free(msg);
19568 }
19569 
19570 int cfg80211_external_auth_request(struct net_device *dev,
19571 				   struct cfg80211_external_auth_params *params,
19572 				   gfp_t gfp)
19573 {
19574 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19575 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19576 	struct sk_buff *msg;
19577 	void *hdr;
19578 
19579 	if (!wdev->conn_owner_nlportid)
19580 		return -EINVAL;
19581 
19582 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19583 	if (!msg)
19584 		return -ENOMEM;
19585 
19586 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
19587 	if (!hdr)
19588 		goto nla_put_failure;
19589 
19590 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19591 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19592 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
19593 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
19594 			params->action) ||
19595 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
19596 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
19597 		    params->ssid.ssid))
19598 		goto nla_put_failure;
19599 
19600 	genlmsg_end(msg, hdr);
19601 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
19602 			wdev->conn_owner_nlportid);
19603 	return 0;
19604 
19605  nla_put_failure:
19606 	nlmsg_free(msg);
19607 	return -ENOBUFS;
19608 }
19609 EXPORT_SYMBOL(cfg80211_external_auth_request);
19610 
19611 void cfg80211_update_owe_info_event(struct net_device *netdev,
19612 				    struct cfg80211_update_owe_info *owe_info,
19613 				    gfp_t gfp)
19614 {
19615 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19616 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19617 	struct sk_buff *msg;
19618 	void *hdr;
19619 
19620 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
19621 
19622 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19623 	if (!msg)
19624 		return;
19625 
19626 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
19627 	if (!hdr)
19628 		goto nla_put_failure;
19629 
19630 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19631 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19632 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
19633 		goto nla_put_failure;
19634 
19635 	if (!owe_info->ie_len ||
19636 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
19637 		goto nla_put_failure;
19638 
19639 	genlmsg_end(msg, hdr);
19640 
19641 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19642 				NL80211_MCGRP_MLME, gfp);
19643 	return;
19644 
19645 nla_put_failure:
19646 	genlmsg_cancel(msg, hdr);
19647 	nlmsg_free(msg);
19648 }
19649 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
19650 
19651 /* initialisation/exit functions */
19652 
19653 int __init nl80211_init(void)
19654 {
19655 	int err;
19656 
19657 	err = genl_register_family(&nl80211_fam);
19658 	if (err)
19659 		return err;
19660 
19661 	err = netlink_register_notifier(&nl80211_netlink_notifier);
19662 	if (err)
19663 		goto err_out;
19664 
19665 	return 0;
19666  err_out:
19667 	genl_unregister_family(&nl80211_fam);
19668 	return err;
19669 }
19670 
19671 void nl80211_exit(void)
19672 {
19673 	netlink_unregister_notifier(&nl80211_netlink_notifier);
19674 	genl_unregister_family(&nl80211_fam);
19675 }
19676