xref: /openbmc/linux/net/wireless/nl80211.c (revision 9b93eb47) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2019 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <net/net_namespace.h>
24 #include <net/genetlink.h>
25 #include <net/cfg80211.h>
26 #include <net/sock.h>
27 #include <net/inet_connection_sock.h>
28 #include "core.h"
29 #include "nl80211.h"
30 #include "reg.h"
31 #include "rdev-ops.h"
32 
33 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
34 				   struct genl_info *info,
35 				   struct cfg80211_crypto_settings *settings,
36 				   int cipher_limit);
37 
38 /* the netlink family */
39 static struct genl_family nl80211_fam;
40 
41 /* multicast groups */
42 enum nl80211_multicast_groups {
43 	NL80211_MCGRP_CONFIG,
44 	NL80211_MCGRP_SCAN,
45 	NL80211_MCGRP_REGULATORY,
46 	NL80211_MCGRP_MLME,
47 	NL80211_MCGRP_VENDOR,
48 	NL80211_MCGRP_NAN,
49 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
50 };
51 
52 static const struct genl_multicast_group nl80211_mcgrps[] = {
53 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
54 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
55 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
56 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
57 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
58 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
59 #ifdef CONFIG_NL80211_TESTMODE
60 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
61 #endif
62 };
63 
64 /* returns ERR_PTR values */
65 static struct wireless_dev *
66 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
67 {
68 	struct cfg80211_registered_device *rdev;
69 	struct wireless_dev *result = NULL;
70 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
71 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
72 	u64 wdev_id;
73 	int wiphy_idx = -1;
74 	int ifidx = -1;
75 
76 	ASSERT_RTNL();
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
89 		struct wireless_dev *wdev;
90 
91 		if (wiphy_net(&rdev->wiphy) != netns)
92 			continue;
93 
94 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
95 			continue;
96 
97 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
98 			if (have_ifidx && wdev->netdev &&
99 			    wdev->netdev->ifindex == ifidx) {
100 				result = wdev;
101 				break;
102 			}
103 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
104 				result = wdev;
105 				break;
106 			}
107 		}
108 
109 		if (result)
110 			break;
111 	}
112 
113 	if (result)
114 		return result;
115 	return ERR_PTR(-ENODEV);
116 }
117 
118 static struct cfg80211_registered_device *
119 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
120 {
121 	struct cfg80211_registered_device *rdev = NULL, *tmp;
122 	struct net_device *netdev;
123 
124 	ASSERT_RTNL();
125 
126 	if (!attrs[NL80211_ATTR_WIPHY] &&
127 	    !attrs[NL80211_ATTR_IFINDEX] &&
128 	    !attrs[NL80211_ATTR_WDEV])
129 		return ERR_PTR(-EINVAL);
130 
131 	if (attrs[NL80211_ATTR_WIPHY])
132 		rdev = cfg80211_rdev_by_wiphy_idx(
133 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
134 
135 	if (attrs[NL80211_ATTR_WDEV]) {
136 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
137 		struct wireless_dev *wdev;
138 		bool found = false;
139 
140 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
141 		if (tmp) {
142 			/* make sure wdev exists */
143 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
144 				if (wdev->identifier != (u32)wdev_id)
145 					continue;
146 				found = true;
147 				break;
148 			}
149 
150 			if (!found)
151 				tmp = NULL;
152 
153 			if (rdev && tmp != rdev)
154 				return ERR_PTR(-EINVAL);
155 			rdev = tmp;
156 		}
157 	}
158 
159 	if (attrs[NL80211_ATTR_IFINDEX]) {
160 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
161 
162 		netdev = __dev_get_by_index(netns, ifindex);
163 		if (netdev) {
164 			if (netdev->ieee80211_ptr)
165 				tmp = wiphy_to_rdev(
166 					netdev->ieee80211_ptr->wiphy);
167 			else
168 				tmp = NULL;
169 
170 			/* not wireless device -- return error */
171 			if (!tmp)
172 				return ERR_PTR(-EINVAL);
173 
174 			/* mismatch -- return error */
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 
178 			rdev = tmp;
179 		}
180 	}
181 
182 	if (!rdev)
183 		return ERR_PTR(-ENODEV);
184 
185 	if (netns != wiphy_net(&rdev->wiphy))
186 		return ERR_PTR(-ENODEV);
187 
188 	return rdev;
189 }
190 
191 /*
192  * This function returns a pointer to the driver
193  * that the genl_info item that is passed refers to.
194  *
195  * The result of this can be a PTR_ERR and hence must
196  * be checked with IS_ERR() for errors.
197  */
198 static struct cfg80211_registered_device *
199 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
200 {
201 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
202 }
203 
204 static int validate_ie_attr(const struct nlattr *attr,
205 			    struct netlink_ext_ack *extack)
206 {
207 	const u8 *data = nla_data(attr);
208 	unsigned int len = nla_len(attr);
209 	const struct element *elem;
210 
211 	for_each_element(elem, data, len) {
212 		/* nothing */
213 	}
214 
215 	if (for_each_element_completed(elem, data, len))
216 		return 0;
217 
218 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
219 	return -EINVAL;
220 }
221 
222 /* policy for the attributes */
223 static const struct nla_policy
224 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
225 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
226 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
227 					.len = U8_MAX },
228 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
229 					     .len = U8_MAX },
230 };
231 
232 static const struct nla_policy
233 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
234 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
235 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
236 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
237 		NLA_POLICY_MAX(NLA_U8, 15),
238 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
239 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
240 		NLA_POLICY_MAX(NLA_U8, 15),
241 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
242 		NLA_POLICY_MAX(NLA_U8, 31),
243 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
244 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
245 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
246 };
247 
248 static const struct nla_policy
249 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
250 	[NL80211_PMSR_TYPE_FTM] =
251 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
252 };
253 
254 static const struct nla_policy
255 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
256 	[NL80211_PMSR_REQ_ATTR_DATA] =
257 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
258 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
259 };
260 
261 static const struct nla_policy
262 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
263 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
264 	/*
265 	 * we could specify this again to be the top-level policy,
266 	 * but that would open us up to recursion problems ...
267 	 */
268 	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
269 	[NL80211_PMSR_PEER_ATTR_REQ] =
270 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
271 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
272 };
273 
274 static const struct nla_policy
275 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
276 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
277 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
278 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
279 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
280 	[NL80211_PMSR_ATTR_PEERS] =
281 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
282 };
283 
284 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
285 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
286 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
287 				      .len = 20-1 },
288 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
289 
290 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
291 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
292 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
293 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
294 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
295 
296 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
297 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
298 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
299 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
300 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
301 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
302 
303 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
304 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
305 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
306 
307 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
308 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
309 
310 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
311 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
312 				    .len = WLAN_MAX_KEY_LEN },
313 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
314 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
315 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
316 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
317 	[NL80211_ATTR_KEY_TYPE] =
318 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
319 
320 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
321 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
322 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
323 				       .len = IEEE80211_MAX_DATA_LEN },
324 	[NL80211_ATTR_BEACON_TAIL] =
325 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
326 				       IEEE80211_MAX_DATA_LEN),
327 	[NL80211_ATTR_STA_AID] =
328 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
329 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
330 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
331 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
332 					       .len = NL80211_MAX_SUPP_RATES },
333 	[NL80211_ATTR_STA_PLINK_ACTION] =
334 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
335 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
336 		NLA_POLICY_RANGE(NLA_U8,
337 				 NL80211_TX_POWER_AUTOMATIC,
338 				 NL80211_TX_POWER_FIXED),
339 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
340 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
341 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
342 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
343 				   .len = IEEE80211_MAX_MESH_ID_LEN },
344 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
345 
346 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
347 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
348 
349 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
350 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
351 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
352 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
353 					   .len = NL80211_MAX_SUPP_RATES },
354 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
355 
356 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
357 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
358 
359 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
360 
361 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
362 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
363 						   validate_ie_attr,
364 						   IEEE80211_MAX_DATA_LEN),
365 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
366 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
367 
368 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
369 				.len = IEEE80211_MAX_SSID_LEN },
370 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
371 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
372 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
373 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
374 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
375 						  NL80211_MFP_NO,
376 						  NL80211_MFP_OPTIONAL),
377 	[NL80211_ATTR_STA_FLAGS2] = {
378 		.len = sizeof(struct nl80211_sta_flag_update),
379 	},
380 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
381 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
382 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
383 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
384 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
385 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
386 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
387 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
388 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
389 	[NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
390 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
391 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
392 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
393 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
394 				 .len = IEEE80211_MAX_DATA_LEN },
395 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
396 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
397 						   NL80211_PS_DISABLED,
398 						   NL80211_PS_ENABLED),
399 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
400 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
401 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
402 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
403 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
404 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
405 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
406 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
407 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
408 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
409 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
410 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
411 	[NL80211_ATTR_STA_PLINK_STATE] =
412 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
413 	[NL80211_ATTR_MESH_PEER_AID] =
414 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
415 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
416 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
417 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
418 	[NL80211_ATTR_HIDDEN_SSID] =
419 		NLA_POLICY_RANGE(NLA_U32,
420 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
421 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
422 	[NL80211_ATTR_IE_PROBE_RESP] =
423 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
424 				       IEEE80211_MAX_DATA_LEN),
425 	[NL80211_ATTR_IE_ASSOC_RESP] =
426 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
427 				       IEEE80211_MAX_DATA_LEN),
428 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
429 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
430 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
431 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
432 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
433 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
434 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
435 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
436 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
437 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
438 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
439 				      .len = IEEE80211_MAX_DATA_LEN },
440 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
441 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
442 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
443 		.len = NL80211_HT_CAPABILITY_LEN
444 	},
445 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
446 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
447 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
448 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
449 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
450 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
451 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
452 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
453 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
454 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
455 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
456 		NLA_POLICY_RANGE(NLA_U32,
457 				 NL80211_MESH_POWER_UNKNOWN + 1,
458 				 NL80211_MESH_POWER_MAX),
459 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
460 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
461 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
462 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
463 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
464 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
465 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
466 		.len = NL80211_VHT_CAPABILITY_LEN,
467 	},
468 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
469 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
470 				  .len = IEEE80211_MAX_DATA_LEN },
471 	[NL80211_ATTR_PEER_AID] =
472 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
473 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
474 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
475 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
476 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
477 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
478 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
479 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
480 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
481 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
482 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
483 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
485 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
486 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
487 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
488 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
489 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
490 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
491 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
492 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
493 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
494 	[NL80211_ATTR_USER_PRIO] =
495 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
496 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
497 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
498 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
499 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
501 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
502 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
503 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
504 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
505 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
506 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
507 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
508 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
509 	},
510 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
511 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
512 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
513 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
514 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
515 				    .len = FILS_MAX_KEK_LEN },
516 	[NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
517 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
518 	[NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
519 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
520 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
521 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
522 	},
523 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
524 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
525 					     .len = FILS_ERP_MAX_USERNAME_LEN },
526 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
527 					  .len = FILS_ERP_MAX_REALM_LEN },
528 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
529 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
530 					.len = FILS_ERP_MAX_RRK_LEN },
531 	[NL80211_ATTR_FILS_CACHE_ID] = { .len = 2 },
532 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
533 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
534 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
535 
536 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
537 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
538 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
539 	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
540 					 .len = NL80211_HE_MAX_CAPABILITY_LEN },
541 
542 	[NL80211_ATTR_FTM_RESPONDER] = {
543 		.type = NLA_NESTED,
544 		.validation_data = nl80211_ftm_responder_policy,
545 	},
546 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
547 	[NL80211_ATTR_PEER_MEASUREMENTS] =
548 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
549 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
550 };
551 
552 /* policy for the key attributes */
553 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
554 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
555 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
556 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
557 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
558 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
559 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
560 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
561 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
562 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
563 };
564 
565 /* policy for the key default flags */
566 static const struct nla_policy
567 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
568 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
569 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
570 };
571 
572 #ifdef CONFIG_PM
573 /* policy for WoWLAN attributes */
574 static const struct nla_policy
575 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
576 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
577 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
578 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
579 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
580 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
581 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
582 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
583 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
584 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
585 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
586 };
587 
588 static const struct nla_policy
589 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
590 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
591 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
592 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
593 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
594 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
595 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
596 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
597 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
598 	},
599 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
600 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
601 	},
602 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
603 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
604 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
605 };
606 #endif /* CONFIG_PM */
607 
608 /* policy for coalesce rule attributes */
609 static const struct nla_policy
610 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
611 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
612 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
613 		NLA_POLICY_RANGE(NLA_U32,
614 				 NL80211_COALESCE_CONDITION_MATCH,
615 				 NL80211_COALESCE_CONDITION_NO_MATCH),
616 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
617 };
618 
619 /* policy for GTK rekey offload attributes */
620 static const struct nla_policy
621 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
622 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
623 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
624 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
625 };
626 
627 static const struct nla_policy
628 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
629 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
630 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
631 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
632 };
633 
634 static const struct nla_policy
635 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
636 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
637 						 .len = IEEE80211_MAX_SSID_LEN },
638 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = { .len = ETH_ALEN },
639 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
640 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
641 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
642 };
643 
644 static const struct nla_policy
645 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
646 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
647 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
648 };
649 
650 static const struct nla_policy
651 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
652 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
653 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
654 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
655 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
656 	},
657 };
658 
659 /* policy for NAN function attributes */
660 static const struct nla_policy
661 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
662 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
663 	[NL80211_NAN_FUNC_SERVICE_ID] = {
664 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
665 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
666 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
667 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
668 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
669 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
670 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
671 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
672 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
673 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
674 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
675 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
676 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
677 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
678 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
679 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
680 };
681 
682 /* policy for Service Response Filter attributes */
683 static const struct nla_policy
684 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
685 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
686 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
687 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
688 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
689 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
690 };
691 
692 /* policy for packet pattern attributes */
693 static const struct nla_policy
694 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
695 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
696 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
697 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
698 };
699 
700 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
701 			      struct cfg80211_registered_device **rdev,
702 			      struct wireless_dev **wdev)
703 {
704 	int err;
705 
706 	if (!cb->args[0]) {
707 		err = nlmsg_parse_deprecated(cb->nlh,
708 					     GENL_HDRLEN + nl80211_fam.hdrsize,
709 					     genl_family_attrbuf(&nl80211_fam),
710 					     nl80211_fam.maxattr,
711 					     nl80211_policy, NULL);
712 		if (err)
713 			return err;
714 
715 		*wdev = __cfg80211_wdev_from_attrs(
716 					sock_net(cb->skb->sk),
717 					genl_family_attrbuf(&nl80211_fam));
718 		if (IS_ERR(*wdev))
719 			return PTR_ERR(*wdev);
720 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
721 		/* 0 is the first index - add 1 to parse only once */
722 		cb->args[0] = (*rdev)->wiphy_idx + 1;
723 		cb->args[1] = (*wdev)->identifier;
724 	} else {
725 		/* subtract the 1 again here */
726 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
727 		struct wireless_dev *tmp;
728 
729 		if (!wiphy)
730 			return -ENODEV;
731 		*rdev = wiphy_to_rdev(wiphy);
732 		*wdev = NULL;
733 
734 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
735 			if (tmp->identifier == cb->args[1]) {
736 				*wdev = tmp;
737 				break;
738 			}
739 		}
740 
741 		if (!*wdev)
742 			return -ENODEV;
743 	}
744 
745 	return 0;
746 }
747 
748 /* message building helper */
749 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
750 		     int flags, u8 cmd)
751 {
752 	/* since there is no private header just add the generic one */
753 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
754 }
755 
756 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
757 				     const struct ieee80211_reg_rule *rule)
758 {
759 	int j;
760 	struct nlattr *nl_wmm_rules =
761 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
762 
763 	if (!nl_wmm_rules)
764 		goto nla_put_failure;
765 
766 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
767 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
768 
769 		if (!nl_wmm_rule)
770 			goto nla_put_failure;
771 
772 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
773 				rule->wmm_rule.client[j].cw_min) ||
774 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
775 				rule->wmm_rule.client[j].cw_max) ||
776 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
777 			       rule->wmm_rule.client[j].aifsn) ||
778 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
779 			        rule->wmm_rule.client[j].cot))
780 			goto nla_put_failure;
781 
782 		nla_nest_end(msg, nl_wmm_rule);
783 	}
784 	nla_nest_end(msg, nl_wmm_rules);
785 
786 	return 0;
787 
788 nla_put_failure:
789 	return -ENOBUFS;
790 }
791 
792 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
793 				   struct ieee80211_channel *chan,
794 				   bool large)
795 {
796 	/* Some channels must be completely excluded from the
797 	 * list to protect old user-space tools from breaking
798 	 */
799 	if (!large && chan->flags &
800 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
801 		return 0;
802 
803 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
804 			chan->center_freq))
805 		goto nla_put_failure;
806 
807 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
808 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
809 		goto nla_put_failure;
810 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
811 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
812 			goto nla_put_failure;
813 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
814 			goto nla_put_failure;
815 	}
816 	if (chan->flags & IEEE80211_CHAN_RADAR) {
817 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
818 			goto nla_put_failure;
819 		if (large) {
820 			u32 time;
821 
822 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
823 
824 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
825 					chan->dfs_state))
826 				goto nla_put_failure;
827 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
828 					time))
829 				goto nla_put_failure;
830 			if (nla_put_u32(msg,
831 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
832 					chan->dfs_cac_ms))
833 				goto nla_put_failure;
834 		}
835 	}
836 
837 	if (large) {
838 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
839 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
840 			goto nla_put_failure;
841 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
842 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
843 			goto nla_put_failure;
844 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
845 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
846 			goto nla_put_failure;
847 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
848 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
849 			goto nla_put_failure;
850 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
851 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
852 			goto nla_put_failure;
853 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
854 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
855 			goto nla_put_failure;
856 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
857 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
858 			goto nla_put_failure;
859 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
860 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
861 			goto nla_put_failure;
862 	}
863 
864 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
865 			DBM_TO_MBM(chan->max_power)))
866 		goto nla_put_failure;
867 
868 	if (large) {
869 		const struct ieee80211_reg_rule *rule =
870 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
871 
872 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
873 			if (nl80211_msg_put_wmm_rules(msg, rule))
874 				goto nla_put_failure;
875 		}
876 	}
877 
878 	return 0;
879 
880  nla_put_failure:
881 	return -ENOBUFS;
882 }
883 
884 static bool nl80211_put_txq_stats(struct sk_buff *msg,
885 				  struct cfg80211_txq_stats *txqstats,
886 				  int attrtype)
887 {
888 	struct nlattr *txqattr;
889 
890 #define PUT_TXQVAL_U32(attr, memb) do {					  \
891 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
892 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
893 		return false;						  \
894 	} while (0)
895 
896 	txqattr = nla_nest_start_noflag(msg, attrtype);
897 	if (!txqattr)
898 		return false;
899 
900 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
901 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
902 	PUT_TXQVAL_U32(FLOWS, flows);
903 	PUT_TXQVAL_U32(DROPS, drops);
904 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
905 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
906 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
907 	PUT_TXQVAL_U32(COLLISIONS, collisions);
908 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
909 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
910 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
911 	nla_nest_end(msg, txqattr);
912 
913 #undef PUT_TXQVAL_U32
914 	return true;
915 }
916 
917 /* netlink command implementations */
918 
919 struct key_parse {
920 	struct key_params p;
921 	int idx;
922 	int type;
923 	bool def, defmgmt;
924 	bool def_uni, def_multi;
925 };
926 
927 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
928 				 struct key_parse *k)
929 {
930 	struct nlattr *tb[NL80211_KEY_MAX + 1];
931 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
932 					      nl80211_key_policy,
933 					      info->extack);
934 	if (err)
935 		return err;
936 
937 	k->def = !!tb[NL80211_KEY_DEFAULT];
938 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
939 
940 	if (k->def) {
941 		k->def_uni = true;
942 		k->def_multi = true;
943 	}
944 	if (k->defmgmt)
945 		k->def_multi = true;
946 
947 	if (tb[NL80211_KEY_IDX])
948 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
949 
950 	if (tb[NL80211_KEY_DATA]) {
951 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
952 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
953 	}
954 
955 	if (tb[NL80211_KEY_SEQ]) {
956 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
957 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
958 	}
959 
960 	if (tb[NL80211_KEY_CIPHER])
961 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
962 
963 	if (tb[NL80211_KEY_TYPE])
964 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
965 
966 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
967 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
968 
969 		err = nla_parse_nested_deprecated(kdt,
970 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
971 						  tb[NL80211_KEY_DEFAULT_TYPES],
972 						  nl80211_key_default_policy,
973 						  info->extack);
974 		if (err)
975 			return err;
976 
977 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
978 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
979 	}
980 
981 	if (tb[NL80211_KEY_MODE])
982 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
983 
984 	return 0;
985 }
986 
987 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
988 {
989 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
990 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
991 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
992 	}
993 
994 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
995 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
996 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
997 	}
998 
999 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1000 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1001 
1002 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1003 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1004 
1005 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1006 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1007 
1008 	if (k->def) {
1009 		k->def_uni = true;
1010 		k->def_multi = true;
1011 	}
1012 	if (k->defmgmt)
1013 		k->def_multi = true;
1014 
1015 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1016 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1017 
1018 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1019 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1020 		int err = nla_parse_nested_deprecated(kdt,
1021 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1022 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1023 						      nl80211_key_default_policy,
1024 						      info->extack);
1025 		if (err)
1026 			return err;
1027 
1028 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1029 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1030 	}
1031 
1032 	return 0;
1033 }
1034 
1035 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1036 {
1037 	int err;
1038 
1039 	memset(k, 0, sizeof(*k));
1040 	k->idx = -1;
1041 	k->type = -1;
1042 
1043 	if (info->attrs[NL80211_ATTR_KEY])
1044 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1045 	else
1046 		err = nl80211_parse_key_old(info, k);
1047 
1048 	if (err)
1049 		return err;
1050 
1051 	if (k->def && k->defmgmt) {
1052 		GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
1053 		return -EINVAL;
1054 	}
1055 
1056 	if (k->defmgmt) {
1057 		if (k->def_uni || !k->def_multi) {
1058 			GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
1059 			return -EINVAL;
1060 		}
1061 	}
1062 
1063 	if (k->idx != -1) {
1064 		if (k->defmgmt) {
1065 			if (k->idx < 4 || k->idx > 5) {
1066 				GENL_SET_ERR_MSG(info,
1067 						 "defmgmt key idx not 4 or 5");
1068 				return -EINVAL;
1069 			}
1070 		} else if (k->def) {
1071 			if (k->idx < 0 || k->idx > 3) {
1072 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1073 				return -EINVAL;
1074 			}
1075 		} else {
1076 			if (k->idx < 0 || k->idx > 5) {
1077 				GENL_SET_ERR_MSG(info, "key idx not 0-5");
1078 				return -EINVAL;
1079 			}
1080 		}
1081 	}
1082 
1083 	return 0;
1084 }
1085 
1086 static struct cfg80211_cached_keys *
1087 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1088 		       struct genl_info *info, bool *no_ht)
1089 {
1090 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1091 	struct key_parse parse;
1092 	struct nlattr *key;
1093 	struct cfg80211_cached_keys *result;
1094 	int rem, err, def = 0;
1095 	bool have_key = false;
1096 
1097 	nla_for_each_nested(key, keys, rem) {
1098 		have_key = true;
1099 		break;
1100 	}
1101 
1102 	if (!have_key)
1103 		return NULL;
1104 
1105 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1106 	if (!result)
1107 		return ERR_PTR(-ENOMEM);
1108 
1109 	result->def = -1;
1110 
1111 	nla_for_each_nested(key, keys, rem) {
1112 		memset(&parse, 0, sizeof(parse));
1113 		parse.idx = -1;
1114 
1115 		err = nl80211_parse_key_new(info, key, &parse);
1116 		if (err)
1117 			goto error;
1118 		err = -EINVAL;
1119 		if (!parse.p.key)
1120 			goto error;
1121 		if (parse.idx < 0 || parse.idx > 3) {
1122 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1123 			goto error;
1124 		}
1125 		if (parse.def) {
1126 			if (def) {
1127 				GENL_SET_ERR_MSG(info,
1128 						 "only one key can be default");
1129 				goto error;
1130 			}
1131 			def = 1;
1132 			result->def = parse.idx;
1133 			if (!parse.def_uni || !parse.def_multi)
1134 				goto error;
1135 		} else if (parse.defmgmt)
1136 			goto error;
1137 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1138 						     parse.idx, false, NULL);
1139 		if (err)
1140 			goto error;
1141 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1142 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1143 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1144 			err = -EINVAL;
1145 			goto error;
1146 		}
1147 		result->params[parse.idx].cipher = parse.p.cipher;
1148 		result->params[parse.idx].key_len = parse.p.key_len;
1149 		result->params[parse.idx].key = result->data[parse.idx];
1150 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1151 
1152 		/* must be WEP key if we got here */
1153 		if (no_ht)
1154 			*no_ht = true;
1155 	}
1156 
1157 	if (result->def < 0) {
1158 		err = -EINVAL;
1159 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1160 		goto error;
1161 	}
1162 
1163 	return result;
1164  error:
1165 	kfree(result);
1166 	return ERR_PTR(err);
1167 }
1168 
1169 static int nl80211_key_allowed(struct wireless_dev *wdev)
1170 {
1171 	ASSERT_WDEV_LOCK(wdev);
1172 
1173 	switch (wdev->iftype) {
1174 	case NL80211_IFTYPE_AP:
1175 	case NL80211_IFTYPE_AP_VLAN:
1176 	case NL80211_IFTYPE_P2P_GO:
1177 	case NL80211_IFTYPE_MESH_POINT:
1178 		break;
1179 	case NL80211_IFTYPE_ADHOC:
1180 	case NL80211_IFTYPE_STATION:
1181 	case NL80211_IFTYPE_P2P_CLIENT:
1182 		if (!wdev->current_bss)
1183 			return -ENOLINK;
1184 		break;
1185 	case NL80211_IFTYPE_UNSPECIFIED:
1186 	case NL80211_IFTYPE_OCB:
1187 	case NL80211_IFTYPE_MONITOR:
1188 	case NL80211_IFTYPE_NAN:
1189 	case NL80211_IFTYPE_P2P_DEVICE:
1190 	case NL80211_IFTYPE_WDS:
1191 	case NUM_NL80211_IFTYPES:
1192 		return -EINVAL;
1193 	}
1194 
1195 	return 0;
1196 }
1197 
1198 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1199 							struct nlattr *tb)
1200 {
1201 	struct ieee80211_channel *chan;
1202 
1203 	if (tb == NULL)
1204 		return NULL;
1205 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1206 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1207 		return NULL;
1208 	return chan;
1209 }
1210 
1211 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1212 {
1213 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1214 	int i;
1215 
1216 	if (!nl_modes)
1217 		goto nla_put_failure;
1218 
1219 	i = 0;
1220 	while (ifmodes) {
1221 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1222 			goto nla_put_failure;
1223 		ifmodes >>= 1;
1224 		i++;
1225 	}
1226 
1227 	nla_nest_end(msg, nl_modes);
1228 	return 0;
1229 
1230 nla_put_failure:
1231 	return -ENOBUFS;
1232 }
1233 
1234 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1235 					  struct sk_buff *msg,
1236 					  bool large)
1237 {
1238 	struct nlattr *nl_combis;
1239 	int i, j;
1240 
1241 	nl_combis = nla_nest_start_noflag(msg,
1242 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1243 	if (!nl_combis)
1244 		goto nla_put_failure;
1245 
1246 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1247 		const struct ieee80211_iface_combination *c;
1248 		struct nlattr *nl_combi, *nl_limits;
1249 
1250 		c = &wiphy->iface_combinations[i];
1251 
1252 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1253 		if (!nl_combi)
1254 			goto nla_put_failure;
1255 
1256 		nl_limits = nla_nest_start_noflag(msg,
1257 						  NL80211_IFACE_COMB_LIMITS);
1258 		if (!nl_limits)
1259 			goto nla_put_failure;
1260 
1261 		for (j = 0; j < c->n_limits; j++) {
1262 			struct nlattr *nl_limit;
1263 
1264 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1265 			if (!nl_limit)
1266 				goto nla_put_failure;
1267 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1268 					c->limits[j].max))
1269 				goto nla_put_failure;
1270 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1271 						c->limits[j].types))
1272 				goto nla_put_failure;
1273 			nla_nest_end(msg, nl_limit);
1274 		}
1275 
1276 		nla_nest_end(msg, nl_limits);
1277 
1278 		if (c->beacon_int_infra_match &&
1279 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1280 			goto nla_put_failure;
1281 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1282 				c->num_different_channels) ||
1283 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1284 				c->max_interfaces))
1285 			goto nla_put_failure;
1286 		if (large &&
1287 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1288 				c->radar_detect_widths) ||
1289 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1290 				c->radar_detect_regions)))
1291 			goto nla_put_failure;
1292 		if (c->beacon_int_min_gcd &&
1293 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1294 				c->beacon_int_min_gcd))
1295 			goto nla_put_failure;
1296 
1297 		nla_nest_end(msg, nl_combi);
1298 	}
1299 
1300 	nla_nest_end(msg, nl_combis);
1301 
1302 	return 0;
1303 nla_put_failure:
1304 	return -ENOBUFS;
1305 }
1306 
1307 #ifdef CONFIG_PM
1308 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1309 					struct sk_buff *msg)
1310 {
1311 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1312 	struct nlattr *nl_tcp;
1313 
1314 	if (!tcp)
1315 		return 0;
1316 
1317 	nl_tcp = nla_nest_start_noflag(msg,
1318 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1319 	if (!nl_tcp)
1320 		return -ENOBUFS;
1321 
1322 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1323 			tcp->data_payload_max))
1324 		return -ENOBUFS;
1325 
1326 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1327 			tcp->data_payload_max))
1328 		return -ENOBUFS;
1329 
1330 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1331 		return -ENOBUFS;
1332 
1333 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1334 				sizeof(*tcp->tok), tcp->tok))
1335 		return -ENOBUFS;
1336 
1337 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1338 			tcp->data_interval_max))
1339 		return -ENOBUFS;
1340 
1341 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1342 			tcp->wake_payload_max))
1343 		return -ENOBUFS;
1344 
1345 	nla_nest_end(msg, nl_tcp);
1346 	return 0;
1347 }
1348 
1349 static int nl80211_send_wowlan(struct sk_buff *msg,
1350 			       struct cfg80211_registered_device *rdev,
1351 			       bool large)
1352 {
1353 	struct nlattr *nl_wowlan;
1354 
1355 	if (!rdev->wiphy.wowlan)
1356 		return 0;
1357 
1358 	nl_wowlan = nla_nest_start_noflag(msg,
1359 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1360 	if (!nl_wowlan)
1361 		return -ENOBUFS;
1362 
1363 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1364 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1365 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1366 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1367 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1368 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1369 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1370 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1371 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1372 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1373 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1374 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1375 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1376 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1377 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1378 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1379 		return -ENOBUFS;
1380 
1381 	if (rdev->wiphy.wowlan->n_patterns) {
1382 		struct nl80211_pattern_support pat = {
1383 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1384 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1385 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1386 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1387 		};
1388 
1389 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1390 			    sizeof(pat), &pat))
1391 			return -ENOBUFS;
1392 	}
1393 
1394 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1395 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1396 			rdev->wiphy.wowlan->max_nd_match_sets))
1397 		return -ENOBUFS;
1398 
1399 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1400 		return -ENOBUFS;
1401 
1402 	nla_nest_end(msg, nl_wowlan);
1403 
1404 	return 0;
1405 }
1406 #endif
1407 
1408 static int nl80211_send_coalesce(struct sk_buff *msg,
1409 				 struct cfg80211_registered_device *rdev)
1410 {
1411 	struct nl80211_coalesce_rule_support rule;
1412 
1413 	if (!rdev->wiphy.coalesce)
1414 		return 0;
1415 
1416 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1417 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1418 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1419 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1420 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1421 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1422 
1423 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1424 		return -ENOBUFS;
1425 
1426 	return 0;
1427 }
1428 
1429 static int
1430 nl80211_send_iftype_data(struct sk_buff *msg,
1431 			 const struct ieee80211_sband_iftype_data *iftdata)
1432 {
1433 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1434 
1435 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1436 				iftdata->types_mask))
1437 		return -ENOBUFS;
1438 
1439 	if (he_cap->has_he) {
1440 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1441 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1442 			    he_cap->he_cap_elem.mac_cap_info) ||
1443 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1444 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1445 			    he_cap->he_cap_elem.phy_cap_info) ||
1446 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1447 			    sizeof(he_cap->he_mcs_nss_supp),
1448 			    &he_cap->he_mcs_nss_supp) ||
1449 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1450 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1451 			return -ENOBUFS;
1452 	}
1453 
1454 	return 0;
1455 }
1456 
1457 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1458 				      struct ieee80211_supported_band *sband)
1459 {
1460 	struct nlattr *nl_rates, *nl_rate;
1461 	struct ieee80211_rate *rate;
1462 	int i;
1463 
1464 	/* add HT info */
1465 	if (sband->ht_cap.ht_supported &&
1466 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1467 		     sizeof(sband->ht_cap.mcs),
1468 		     &sband->ht_cap.mcs) ||
1469 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1470 			 sband->ht_cap.cap) ||
1471 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1472 			sband->ht_cap.ampdu_factor) ||
1473 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1474 			sband->ht_cap.ampdu_density)))
1475 		return -ENOBUFS;
1476 
1477 	/* add VHT info */
1478 	if (sband->vht_cap.vht_supported &&
1479 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1480 		     sizeof(sband->vht_cap.vht_mcs),
1481 		     &sband->vht_cap.vht_mcs) ||
1482 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1483 			 sband->vht_cap.cap)))
1484 		return -ENOBUFS;
1485 
1486 	if (sband->n_iftype_data) {
1487 		struct nlattr *nl_iftype_data =
1488 			nla_nest_start_noflag(msg,
1489 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1490 		int err;
1491 
1492 		if (!nl_iftype_data)
1493 			return -ENOBUFS;
1494 
1495 		for (i = 0; i < sband->n_iftype_data; i++) {
1496 			struct nlattr *iftdata;
1497 
1498 			iftdata = nla_nest_start_noflag(msg, i + 1);
1499 			if (!iftdata)
1500 				return -ENOBUFS;
1501 
1502 			err = nl80211_send_iftype_data(msg,
1503 						       &sband->iftype_data[i]);
1504 			if (err)
1505 				return err;
1506 
1507 			nla_nest_end(msg, iftdata);
1508 		}
1509 
1510 		nla_nest_end(msg, nl_iftype_data);
1511 	}
1512 
1513 	/* add bitrates */
1514 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1515 	if (!nl_rates)
1516 		return -ENOBUFS;
1517 
1518 	for (i = 0; i < sband->n_bitrates; i++) {
1519 		nl_rate = nla_nest_start_noflag(msg, i);
1520 		if (!nl_rate)
1521 			return -ENOBUFS;
1522 
1523 		rate = &sband->bitrates[i];
1524 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1525 				rate->bitrate))
1526 			return -ENOBUFS;
1527 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1528 		    nla_put_flag(msg,
1529 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1530 			return -ENOBUFS;
1531 
1532 		nla_nest_end(msg, nl_rate);
1533 	}
1534 
1535 	nla_nest_end(msg, nl_rates);
1536 
1537 	return 0;
1538 }
1539 
1540 static int
1541 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1542 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1543 {
1544 	u16 stypes;
1545 	struct nlattr *nl_ftypes, *nl_ifs;
1546 	enum nl80211_iftype ift;
1547 	int i;
1548 
1549 	if (!mgmt_stypes)
1550 		return 0;
1551 
1552 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1553 	if (!nl_ifs)
1554 		return -ENOBUFS;
1555 
1556 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1557 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1558 		if (!nl_ftypes)
1559 			return -ENOBUFS;
1560 		i = 0;
1561 		stypes = mgmt_stypes[ift].tx;
1562 		while (stypes) {
1563 			if ((stypes & 1) &&
1564 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1565 					(i << 4) | IEEE80211_FTYPE_MGMT))
1566 				return -ENOBUFS;
1567 			stypes >>= 1;
1568 			i++;
1569 		}
1570 		nla_nest_end(msg, nl_ftypes);
1571 	}
1572 
1573 	nla_nest_end(msg, nl_ifs);
1574 
1575 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1576 	if (!nl_ifs)
1577 		return -ENOBUFS;
1578 
1579 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1580 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1581 		if (!nl_ftypes)
1582 			return -ENOBUFS;
1583 		i = 0;
1584 		stypes = mgmt_stypes[ift].rx;
1585 		while (stypes) {
1586 			if ((stypes & 1) &&
1587 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1588 					(i << 4) | IEEE80211_FTYPE_MGMT))
1589 				return -ENOBUFS;
1590 			stypes >>= 1;
1591 			i++;
1592 		}
1593 		nla_nest_end(msg, nl_ftypes);
1594 	}
1595 	nla_nest_end(msg, nl_ifs);
1596 
1597 	return 0;
1598 }
1599 
1600 #define CMD(op, n)							\
1601 	 do {								\
1602 		if (rdev->ops->op) {					\
1603 			i++;						\
1604 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1605 				goto nla_put_failure;			\
1606 		}							\
1607 	} while (0)
1608 
1609 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1610 					struct sk_buff *msg)
1611 {
1612 	int i = 0;
1613 
1614 	/*
1615 	 * do *NOT* add anything into this function, new things need to be
1616 	 * advertised only to new versions of userspace that can deal with
1617 	 * the split (and they can't possibly care about new features...
1618 	 */
1619 	CMD(add_virtual_intf, NEW_INTERFACE);
1620 	CMD(change_virtual_intf, SET_INTERFACE);
1621 	CMD(add_key, NEW_KEY);
1622 	CMD(start_ap, START_AP);
1623 	CMD(add_station, NEW_STATION);
1624 	CMD(add_mpath, NEW_MPATH);
1625 	CMD(update_mesh_config, SET_MESH_CONFIG);
1626 	CMD(change_bss, SET_BSS);
1627 	CMD(auth, AUTHENTICATE);
1628 	CMD(assoc, ASSOCIATE);
1629 	CMD(deauth, DEAUTHENTICATE);
1630 	CMD(disassoc, DISASSOCIATE);
1631 	CMD(join_ibss, JOIN_IBSS);
1632 	CMD(join_mesh, JOIN_MESH);
1633 	CMD(set_pmksa, SET_PMKSA);
1634 	CMD(del_pmksa, DEL_PMKSA);
1635 	CMD(flush_pmksa, FLUSH_PMKSA);
1636 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1637 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1638 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1639 	CMD(mgmt_tx, FRAME);
1640 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1641 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1642 		i++;
1643 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1644 			goto nla_put_failure;
1645 	}
1646 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1647 	    rdev->ops->join_mesh) {
1648 		i++;
1649 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1650 			goto nla_put_failure;
1651 	}
1652 	CMD(set_wds_peer, SET_WDS_PEER);
1653 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1654 		CMD(tdls_mgmt, TDLS_MGMT);
1655 		CMD(tdls_oper, TDLS_OPER);
1656 	}
1657 	if (rdev->wiphy.max_sched_scan_reqs)
1658 		CMD(sched_scan_start, START_SCHED_SCAN);
1659 	CMD(probe_client, PROBE_CLIENT);
1660 	CMD(set_noack_map, SET_NOACK_MAP);
1661 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1662 		i++;
1663 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1664 			goto nla_put_failure;
1665 	}
1666 	CMD(start_p2p_device, START_P2P_DEVICE);
1667 	CMD(set_mcast_rate, SET_MCAST_RATE);
1668 #ifdef CONFIG_NL80211_TESTMODE
1669 	CMD(testmode_cmd, TESTMODE);
1670 #endif
1671 
1672 	if (rdev->ops->connect || rdev->ops->auth) {
1673 		i++;
1674 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1675 			goto nla_put_failure;
1676 	}
1677 
1678 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1679 		i++;
1680 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1681 			goto nla_put_failure;
1682 	}
1683 
1684 	return i;
1685  nla_put_failure:
1686 	return -ENOBUFS;
1687 }
1688 
1689 static int
1690 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1691 			   struct sk_buff *msg)
1692 {
1693 	struct nlattr *ftm;
1694 
1695 	if (!cap->ftm.supported)
1696 		return 0;
1697 
1698 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1699 	if (!ftm)
1700 		return -ENOBUFS;
1701 
1702 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1703 		return -ENOBUFS;
1704 	if (cap->ftm.non_asap &&
1705 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1706 		return -ENOBUFS;
1707 	if (cap->ftm.request_lci &&
1708 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1709 		return -ENOBUFS;
1710 	if (cap->ftm.request_civicloc &&
1711 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1712 		return -ENOBUFS;
1713 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1714 			cap->ftm.preambles))
1715 		return -ENOBUFS;
1716 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1717 			cap->ftm.bandwidths))
1718 		return -ENOBUFS;
1719 	if (cap->ftm.max_bursts_exponent >= 0 &&
1720 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1721 			cap->ftm.max_bursts_exponent))
1722 		return -ENOBUFS;
1723 	if (cap->ftm.max_ftms_per_burst &&
1724 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1725 			cap->ftm.max_ftms_per_burst))
1726 		return -ENOBUFS;
1727 
1728 	nla_nest_end(msg, ftm);
1729 	return 0;
1730 }
1731 
1732 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1733 				  struct sk_buff *msg)
1734 {
1735 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1736 	struct nlattr *pmsr, *caps;
1737 
1738 	if (!cap)
1739 		return 0;
1740 
1741 	/*
1742 	 * we don't need to clean up anything here since the caller
1743 	 * will genlmsg_cancel() if we fail
1744 	 */
1745 
1746 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1747 	if (!pmsr)
1748 		return -ENOBUFS;
1749 
1750 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1751 		return -ENOBUFS;
1752 
1753 	if (cap->report_ap_tsf &&
1754 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1755 		return -ENOBUFS;
1756 
1757 	if (cap->randomize_mac_addr &&
1758 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1759 		return -ENOBUFS;
1760 
1761 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1762 	if (!caps)
1763 		return -ENOBUFS;
1764 
1765 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1766 		return -ENOBUFS;
1767 
1768 	nla_nest_end(msg, caps);
1769 	nla_nest_end(msg, pmsr);
1770 
1771 	return 0;
1772 }
1773 
1774 struct nl80211_dump_wiphy_state {
1775 	s64 filter_wiphy;
1776 	long start;
1777 	long split_start, band_start, chan_start, capa_start;
1778 	bool split;
1779 };
1780 
1781 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1782 			      enum nl80211_commands cmd,
1783 			      struct sk_buff *msg, u32 portid, u32 seq,
1784 			      int flags, struct nl80211_dump_wiphy_state *state)
1785 {
1786 	void *hdr;
1787 	struct nlattr *nl_bands, *nl_band;
1788 	struct nlattr *nl_freqs, *nl_freq;
1789 	struct nlattr *nl_cmds;
1790 	enum nl80211_band band;
1791 	struct ieee80211_channel *chan;
1792 	int i;
1793 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1794 				rdev->wiphy.mgmt_stypes;
1795 	u32 features;
1796 
1797 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1798 	if (!hdr)
1799 		return -ENOBUFS;
1800 
1801 	if (WARN_ON(!state))
1802 		return -EINVAL;
1803 
1804 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1805 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1806 			   wiphy_name(&rdev->wiphy)) ||
1807 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1808 			cfg80211_rdev_list_generation))
1809 		goto nla_put_failure;
1810 
1811 	if (cmd != NL80211_CMD_NEW_WIPHY)
1812 		goto finish;
1813 
1814 	switch (state->split_start) {
1815 	case 0:
1816 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1817 			       rdev->wiphy.retry_short) ||
1818 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1819 			       rdev->wiphy.retry_long) ||
1820 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1821 				rdev->wiphy.frag_threshold) ||
1822 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1823 				rdev->wiphy.rts_threshold) ||
1824 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1825 			       rdev->wiphy.coverage_class) ||
1826 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1827 			       rdev->wiphy.max_scan_ssids) ||
1828 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1829 			       rdev->wiphy.max_sched_scan_ssids) ||
1830 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1831 				rdev->wiphy.max_scan_ie_len) ||
1832 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1833 				rdev->wiphy.max_sched_scan_ie_len) ||
1834 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1835 			       rdev->wiphy.max_match_sets) ||
1836 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1837 				rdev->wiphy.max_sched_scan_plans) ||
1838 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1839 				rdev->wiphy.max_sched_scan_plan_interval) ||
1840 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1841 				rdev->wiphy.max_sched_scan_plan_iterations))
1842 			goto nla_put_failure;
1843 
1844 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1845 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1846 			goto nla_put_failure;
1847 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1848 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1849 			goto nla_put_failure;
1850 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1851 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1852 			goto nla_put_failure;
1853 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1854 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1855 			goto nla_put_failure;
1856 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1857 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1858 			goto nla_put_failure;
1859 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1860 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1861 			goto nla_put_failure;
1862 		state->split_start++;
1863 		if (state->split)
1864 			break;
1865 		/* fall through */
1866 	case 1:
1867 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1868 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1869 			    rdev->wiphy.cipher_suites))
1870 			goto nla_put_failure;
1871 
1872 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1873 			       rdev->wiphy.max_num_pmkids))
1874 			goto nla_put_failure;
1875 
1876 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1877 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1878 			goto nla_put_failure;
1879 
1880 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1881 				rdev->wiphy.available_antennas_tx) ||
1882 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1883 				rdev->wiphy.available_antennas_rx))
1884 			goto nla_put_failure;
1885 
1886 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1887 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1888 				rdev->wiphy.probe_resp_offload))
1889 			goto nla_put_failure;
1890 
1891 		if ((rdev->wiphy.available_antennas_tx ||
1892 		     rdev->wiphy.available_antennas_rx) &&
1893 		    rdev->ops->get_antenna) {
1894 			u32 tx_ant = 0, rx_ant = 0;
1895 			int res;
1896 
1897 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1898 			if (!res) {
1899 				if (nla_put_u32(msg,
1900 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1901 						tx_ant) ||
1902 				    nla_put_u32(msg,
1903 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1904 						rx_ant))
1905 					goto nla_put_failure;
1906 			}
1907 		}
1908 
1909 		state->split_start++;
1910 		if (state->split)
1911 			break;
1912 		/* fall through */
1913 	case 2:
1914 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1915 					rdev->wiphy.interface_modes))
1916 				goto nla_put_failure;
1917 		state->split_start++;
1918 		if (state->split)
1919 			break;
1920 		/* fall through */
1921 	case 3:
1922 		nl_bands = nla_nest_start_noflag(msg,
1923 						 NL80211_ATTR_WIPHY_BANDS);
1924 		if (!nl_bands)
1925 			goto nla_put_failure;
1926 
1927 		for (band = state->band_start;
1928 		     band < NUM_NL80211_BANDS; band++) {
1929 			struct ieee80211_supported_band *sband;
1930 
1931 			sband = rdev->wiphy.bands[band];
1932 
1933 			if (!sband)
1934 				continue;
1935 
1936 			nl_band = nla_nest_start_noflag(msg, band);
1937 			if (!nl_band)
1938 				goto nla_put_failure;
1939 
1940 			switch (state->chan_start) {
1941 			case 0:
1942 				if (nl80211_send_band_rateinfo(msg, sband))
1943 					goto nla_put_failure;
1944 				state->chan_start++;
1945 				if (state->split)
1946 					break;
1947 				/* fall through */
1948 			default:
1949 				/* add frequencies */
1950 				nl_freqs = nla_nest_start_noflag(msg,
1951 								 NL80211_BAND_ATTR_FREQS);
1952 				if (!nl_freqs)
1953 					goto nla_put_failure;
1954 
1955 				for (i = state->chan_start - 1;
1956 				     i < sband->n_channels;
1957 				     i++) {
1958 					nl_freq = nla_nest_start_noflag(msg,
1959 									i);
1960 					if (!nl_freq)
1961 						goto nla_put_failure;
1962 
1963 					chan = &sband->channels[i];
1964 
1965 					if (nl80211_msg_put_channel(
1966 							msg, &rdev->wiphy, chan,
1967 							state->split))
1968 						goto nla_put_failure;
1969 
1970 					nla_nest_end(msg, nl_freq);
1971 					if (state->split)
1972 						break;
1973 				}
1974 				if (i < sband->n_channels)
1975 					state->chan_start = i + 2;
1976 				else
1977 					state->chan_start = 0;
1978 				nla_nest_end(msg, nl_freqs);
1979 			}
1980 
1981 			nla_nest_end(msg, nl_band);
1982 
1983 			if (state->split) {
1984 				/* start again here */
1985 				if (state->chan_start)
1986 					band--;
1987 				break;
1988 			}
1989 		}
1990 		nla_nest_end(msg, nl_bands);
1991 
1992 		if (band < NUM_NL80211_BANDS)
1993 			state->band_start = band + 1;
1994 		else
1995 			state->band_start = 0;
1996 
1997 		/* if bands & channels are done, continue outside */
1998 		if (state->band_start == 0 && state->chan_start == 0)
1999 			state->split_start++;
2000 		if (state->split)
2001 			break;
2002 		/* fall through */
2003 	case 4:
2004 		nl_cmds = nla_nest_start_noflag(msg,
2005 						NL80211_ATTR_SUPPORTED_COMMANDS);
2006 		if (!nl_cmds)
2007 			goto nla_put_failure;
2008 
2009 		i = nl80211_add_commands_unsplit(rdev, msg);
2010 		if (i < 0)
2011 			goto nla_put_failure;
2012 		if (state->split) {
2013 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2014 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2015 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2016 				CMD(channel_switch, CHANNEL_SWITCH);
2017 			CMD(set_qos_map, SET_QOS_MAP);
2018 			if (rdev->wiphy.features &
2019 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2020 				CMD(add_tx_ts, ADD_TX_TS);
2021 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2022 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2023 		}
2024 #undef CMD
2025 
2026 		nla_nest_end(msg, nl_cmds);
2027 		state->split_start++;
2028 		if (state->split)
2029 			break;
2030 		/* fall through */
2031 	case 5:
2032 		if (rdev->ops->remain_on_channel &&
2033 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2034 		    nla_put_u32(msg,
2035 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2036 				rdev->wiphy.max_remain_on_channel_duration))
2037 			goto nla_put_failure;
2038 
2039 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2040 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2041 			goto nla_put_failure;
2042 
2043 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2044 			goto nla_put_failure;
2045 		state->split_start++;
2046 		if (state->split)
2047 			break;
2048 		/* fall through */
2049 	case 6:
2050 #ifdef CONFIG_PM
2051 		if (nl80211_send_wowlan(msg, rdev, state->split))
2052 			goto nla_put_failure;
2053 		state->split_start++;
2054 		if (state->split)
2055 			break;
2056 #else
2057 		state->split_start++;
2058 #endif
2059 		/* fall through */
2060 	case 7:
2061 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2062 					rdev->wiphy.software_iftypes))
2063 			goto nla_put_failure;
2064 
2065 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2066 						   state->split))
2067 			goto nla_put_failure;
2068 
2069 		state->split_start++;
2070 		if (state->split)
2071 			break;
2072 		/* fall through */
2073 	case 8:
2074 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2075 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2076 				rdev->wiphy.ap_sme_capa))
2077 			goto nla_put_failure;
2078 
2079 		features = rdev->wiphy.features;
2080 		/*
2081 		 * We can only add the per-channel limit information if the
2082 		 * dump is split, otherwise it makes it too big. Therefore
2083 		 * only advertise it in that case.
2084 		 */
2085 		if (state->split)
2086 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2087 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2088 			goto nla_put_failure;
2089 
2090 		if (rdev->wiphy.ht_capa_mod_mask &&
2091 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2092 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2093 			    rdev->wiphy.ht_capa_mod_mask))
2094 			goto nla_put_failure;
2095 
2096 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2097 		    rdev->wiphy.max_acl_mac_addrs &&
2098 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2099 				rdev->wiphy.max_acl_mac_addrs))
2100 			goto nla_put_failure;
2101 
2102 		/*
2103 		 * Any information below this point is only available to
2104 		 * applications that can deal with it being split. This
2105 		 * helps ensure that newly added capabilities don't break
2106 		 * older tools by overrunning their buffers.
2107 		 *
2108 		 * We still increment split_start so that in the split
2109 		 * case we'll continue with more data in the next round,
2110 		 * but break unconditionally so unsplit data stops here.
2111 		 */
2112 		state->split_start++;
2113 		break;
2114 	case 9:
2115 		if (rdev->wiphy.extended_capabilities &&
2116 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2117 			     rdev->wiphy.extended_capabilities_len,
2118 			     rdev->wiphy.extended_capabilities) ||
2119 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2120 			     rdev->wiphy.extended_capabilities_len,
2121 			     rdev->wiphy.extended_capabilities_mask)))
2122 			goto nla_put_failure;
2123 
2124 		if (rdev->wiphy.vht_capa_mod_mask &&
2125 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2126 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2127 			    rdev->wiphy.vht_capa_mod_mask))
2128 			goto nla_put_failure;
2129 
2130 		state->split_start++;
2131 		break;
2132 	case 10:
2133 		if (nl80211_send_coalesce(msg, rdev))
2134 			goto nla_put_failure;
2135 
2136 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2137 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2138 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2139 			goto nla_put_failure;
2140 
2141 		if (rdev->wiphy.max_ap_assoc_sta &&
2142 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2143 				rdev->wiphy.max_ap_assoc_sta))
2144 			goto nla_put_failure;
2145 
2146 		state->split_start++;
2147 		break;
2148 	case 11:
2149 		if (rdev->wiphy.n_vendor_commands) {
2150 			const struct nl80211_vendor_cmd_info *info;
2151 			struct nlattr *nested;
2152 
2153 			nested = nla_nest_start_noflag(msg,
2154 						       NL80211_ATTR_VENDOR_DATA);
2155 			if (!nested)
2156 				goto nla_put_failure;
2157 
2158 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2159 				info = &rdev->wiphy.vendor_commands[i].info;
2160 				if (nla_put(msg, i + 1, sizeof(*info), info))
2161 					goto nla_put_failure;
2162 			}
2163 			nla_nest_end(msg, nested);
2164 		}
2165 
2166 		if (rdev->wiphy.n_vendor_events) {
2167 			const struct nl80211_vendor_cmd_info *info;
2168 			struct nlattr *nested;
2169 
2170 			nested = nla_nest_start_noflag(msg,
2171 						       NL80211_ATTR_VENDOR_EVENTS);
2172 			if (!nested)
2173 				goto nla_put_failure;
2174 
2175 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2176 				info = &rdev->wiphy.vendor_events[i];
2177 				if (nla_put(msg, i + 1, sizeof(*info), info))
2178 					goto nla_put_failure;
2179 			}
2180 			nla_nest_end(msg, nested);
2181 		}
2182 		state->split_start++;
2183 		break;
2184 	case 12:
2185 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2186 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2187 			       rdev->wiphy.max_num_csa_counters))
2188 			goto nla_put_failure;
2189 
2190 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2191 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2192 			goto nla_put_failure;
2193 
2194 		if (rdev->wiphy.max_sched_scan_reqs &&
2195 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2196 				rdev->wiphy.max_sched_scan_reqs))
2197 			goto nla_put_failure;
2198 
2199 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2200 			    sizeof(rdev->wiphy.ext_features),
2201 			    rdev->wiphy.ext_features))
2202 			goto nla_put_failure;
2203 
2204 		if (rdev->wiphy.bss_select_support) {
2205 			struct nlattr *nested;
2206 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2207 
2208 			nested = nla_nest_start_noflag(msg,
2209 						       NL80211_ATTR_BSS_SELECT);
2210 			if (!nested)
2211 				goto nla_put_failure;
2212 
2213 			i = 0;
2214 			while (bss_select_support) {
2215 				if ((bss_select_support & 1) &&
2216 				    nla_put_flag(msg, i))
2217 					goto nla_put_failure;
2218 				i++;
2219 				bss_select_support >>= 1;
2220 			}
2221 			nla_nest_end(msg, nested);
2222 		}
2223 
2224 		state->split_start++;
2225 		break;
2226 	case 13:
2227 		if (rdev->wiphy.num_iftype_ext_capab &&
2228 		    rdev->wiphy.iftype_ext_capab) {
2229 			struct nlattr *nested_ext_capab, *nested;
2230 
2231 			nested = nla_nest_start_noflag(msg,
2232 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2233 			if (!nested)
2234 				goto nla_put_failure;
2235 
2236 			for (i = state->capa_start;
2237 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2238 				const struct wiphy_iftype_ext_capab *capab;
2239 
2240 				capab = &rdev->wiphy.iftype_ext_capab[i];
2241 
2242 				nested_ext_capab = nla_nest_start_noflag(msg,
2243 									 i);
2244 				if (!nested_ext_capab ||
2245 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2246 						capab->iftype) ||
2247 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2248 					    capab->extended_capabilities_len,
2249 					    capab->extended_capabilities) ||
2250 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2251 					    capab->extended_capabilities_len,
2252 					    capab->extended_capabilities_mask))
2253 					goto nla_put_failure;
2254 
2255 				nla_nest_end(msg, nested_ext_capab);
2256 				if (state->split)
2257 					break;
2258 			}
2259 			nla_nest_end(msg, nested);
2260 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2261 				state->capa_start = i + 1;
2262 				break;
2263 			}
2264 		}
2265 
2266 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2267 				rdev->wiphy.nan_supported_bands))
2268 			goto nla_put_failure;
2269 
2270 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2271 					    NL80211_EXT_FEATURE_TXQS)) {
2272 			struct cfg80211_txq_stats txqstats = {};
2273 			int res;
2274 
2275 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2276 			if (!res &&
2277 			    !nl80211_put_txq_stats(msg, &txqstats,
2278 						   NL80211_ATTR_TXQ_STATS))
2279 				goto nla_put_failure;
2280 
2281 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2282 					rdev->wiphy.txq_limit))
2283 				goto nla_put_failure;
2284 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2285 					rdev->wiphy.txq_memory_limit))
2286 				goto nla_put_failure;
2287 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2288 					rdev->wiphy.txq_quantum))
2289 				goto nla_put_failure;
2290 		}
2291 
2292 		state->split_start++;
2293 		break;
2294 	case 14:
2295 		if (nl80211_send_pmsr_capa(rdev, msg))
2296 			goto nla_put_failure;
2297 
2298 		state->split_start++;
2299 		break;
2300 	case 15:
2301 		if (rdev->wiphy.akm_suites &&
2302 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2303 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2304 			    rdev->wiphy.akm_suites))
2305 			goto nla_put_failure;
2306 
2307 		/* done */
2308 		state->split_start = 0;
2309 		break;
2310 	}
2311  finish:
2312 	genlmsg_end(msg, hdr);
2313 	return 0;
2314 
2315  nla_put_failure:
2316 	genlmsg_cancel(msg, hdr);
2317 	return -EMSGSIZE;
2318 }
2319 
2320 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2321 				    struct netlink_callback *cb,
2322 				    struct nl80211_dump_wiphy_state *state)
2323 {
2324 	struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
2325 	int ret = nlmsg_parse_deprecated(cb->nlh,
2326 					 GENL_HDRLEN + nl80211_fam.hdrsize,
2327 					 tb, nl80211_fam.maxattr,
2328 					 nl80211_policy, NULL);
2329 	/* ignore parse errors for backward compatibility */
2330 	if (ret)
2331 		return 0;
2332 
2333 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2334 	if (tb[NL80211_ATTR_WIPHY])
2335 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2336 	if (tb[NL80211_ATTR_WDEV])
2337 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2338 	if (tb[NL80211_ATTR_IFINDEX]) {
2339 		struct net_device *netdev;
2340 		struct cfg80211_registered_device *rdev;
2341 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2342 
2343 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2344 		if (!netdev)
2345 			return -ENODEV;
2346 		if (netdev->ieee80211_ptr) {
2347 			rdev = wiphy_to_rdev(
2348 				netdev->ieee80211_ptr->wiphy);
2349 			state->filter_wiphy = rdev->wiphy_idx;
2350 		}
2351 	}
2352 
2353 	return 0;
2354 }
2355 
2356 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2357 {
2358 	int idx = 0, ret;
2359 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2360 	struct cfg80211_registered_device *rdev;
2361 
2362 	rtnl_lock();
2363 	if (!state) {
2364 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2365 		if (!state) {
2366 			rtnl_unlock();
2367 			return -ENOMEM;
2368 		}
2369 		state->filter_wiphy = -1;
2370 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2371 		if (ret) {
2372 			kfree(state);
2373 			rtnl_unlock();
2374 			return ret;
2375 		}
2376 		cb->args[0] = (long)state;
2377 	}
2378 
2379 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2380 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2381 			continue;
2382 		if (++idx <= state->start)
2383 			continue;
2384 		if (state->filter_wiphy != -1 &&
2385 		    state->filter_wiphy != rdev->wiphy_idx)
2386 			continue;
2387 		/* attempt to fit multiple wiphy data chunks into the skb */
2388 		do {
2389 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2390 						 skb,
2391 						 NETLINK_CB(cb->skb).portid,
2392 						 cb->nlh->nlmsg_seq,
2393 						 NLM_F_MULTI, state);
2394 			if (ret < 0) {
2395 				/*
2396 				 * If sending the wiphy data didn't fit (ENOBUFS
2397 				 * or EMSGSIZE returned), this SKB is still
2398 				 * empty (so it's not too big because another
2399 				 * wiphy dataset is already in the skb) and
2400 				 * we've not tried to adjust the dump allocation
2401 				 * yet ... then adjust the alloc size to be
2402 				 * bigger, and return 1 but with the empty skb.
2403 				 * This results in an empty message being RX'ed
2404 				 * in userspace, but that is ignored.
2405 				 *
2406 				 * We can then retry with the larger buffer.
2407 				 */
2408 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2409 				    !skb->len && !state->split &&
2410 				    cb->min_dump_alloc < 4096) {
2411 					cb->min_dump_alloc = 4096;
2412 					state->split_start = 0;
2413 					rtnl_unlock();
2414 					return 1;
2415 				}
2416 				idx--;
2417 				break;
2418 			}
2419 		} while (state->split_start > 0);
2420 		break;
2421 	}
2422 	rtnl_unlock();
2423 
2424 	state->start = idx;
2425 
2426 	return skb->len;
2427 }
2428 
2429 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2430 {
2431 	kfree((void *)cb->args[0]);
2432 	return 0;
2433 }
2434 
2435 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2436 {
2437 	struct sk_buff *msg;
2438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2439 	struct nl80211_dump_wiphy_state state = {};
2440 
2441 	msg = nlmsg_new(4096, GFP_KERNEL);
2442 	if (!msg)
2443 		return -ENOMEM;
2444 
2445 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2446 			       info->snd_portid, info->snd_seq, 0,
2447 			       &state) < 0) {
2448 		nlmsg_free(msg);
2449 		return -ENOBUFS;
2450 	}
2451 
2452 	return genlmsg_reply(msg, info);
2453 }
2454 
2455 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2456 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2457 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2458 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2459 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2460 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2461 };
2462 
2463 static int parse_txq_params(struct nlattr *tb[],
2464 			    struct ieee80211_txq_params *txq_params)
2465 {
2466 	u8 ac;
2467 
2468 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2469 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2470 	    !tb[NL80211_TXQ_ATTR_AIFS])
2471 		return -EINVAL;
2472 
2473 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2474 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2475 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2476 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2477 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2478 
2479 	if (ac >= NL80211_NUM_ACS)
2480 		return -EINVAL;
2481 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2482 	return 0;
2483 }
2484 
2485 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2486 {
2487 	/*
2488 	 * You can only set the channel explicitly for WDS interfaces,
2489 	 * all others have their channel managed via their respective
2490 	 * "establish a connection" command (connect, join, ...)
2491 	 *
2492 	 * For AP/GO and mesh mode, the channel can be set with the
2493 	 * channel userspace API, but is only stored and passed to the
2494 	 * low-level driver when the AP starts or the mesh is joined.
2495 	 * This is for backward compatibility, userspace can also give
2496 	 * the channel in the start-ap or join-mesh commands instead.
2497 	 *
2498 	 * Monitors are special as they are normally slaved to
2499 	 * whatever else is going on, so they have their own special
2500 	 * operation to set the monitor channel if possible.
2501 	 */
2502 	return !wdev ||
2503 		wdev->iftype == NL80211_IFTYPE_AP ||
2504 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2505 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2506 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2507 }
2508 
2509 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2510 			  struct genl_info *info,
2511 			  struct cfg80211_chan_def *chandef)
2512 {
2513 	struct netlink_ext_ack *extack = info->extack;
2514 	struct nlattr **attrs = info->attrs;
2515 	u32 control_freq;
2516 
2517 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2518 		return -EINVAL;
2519 
2520 	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2521 
2522 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2523 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2524 	chandef->center_freq1 = control_freq;
2525 	chandef->center_freq2 = 0;
2526 
2527 	/* Primary channel not allowed */
2528 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2529 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2530 				    "Channel is disabled");
2531 		return -EINVAL;
2532 	}
2533 
2534 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2535 		enum nl80211_channel_type chantype;
2536 
2537 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2538 
2539 		switch (chantype) {
2540 		case NL80211_CHAN_NO_HT:
2541 		case NL80211_CHAN_HT20:
2542 		case NL80211_CHAN_HT40PLUS:
2543 		case NL80211_CHAN_HT40MINUS:
2544 			cfg80211_chandef_create(chandef, chandef->chan,
2545 						chantype);
2546 			/* user input for center_freq is incorrect */
2547 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2548 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2549 				NL_SET_ERR_MSG_ATTR(extack,
2550 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2551 						    "bad center frequency 1");
2552 				return -EINVAL;
2553 			}
2554 			/* center_freq2 must be zero */
2555 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2556 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2557 				NL_SET_ERR_MSG_ATTR(extack,
2558 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2559 						    "center frequency 2 can't be used");
2560 				return -EINVAL;
2561 			}
2562 			break;
2563 		default:
2564 			NL_SET_ERR_MSG_ATTR(extack,
2565 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2566 					    "invalid channel type");
2567 			return -EINVAL;
2568 		}
2569 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2570 		chandef->width =
2571 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2572 		if (attrs[NL80211_ATTR_CENTER_FREQ1])
2573 			chandef->center_freq1 =
2574 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2575 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2576 			chandef->center_freq2 =
2577 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2578 	}
2579 
2580 	if (!cfg80211_chandef_valid(chandef)) {
2581 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2582 		return -EINVAL;
2583 	}
2584 
2585 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2586 				     IEEE80211_CHAN_DISABLED)) {
2587 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2588 		return -EINVAL;
2589 	}
2590 
2591 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2592 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2593 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2594 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2595 		return -EINVAL;
2596 	}
2597 
2598 	return 0;
2599 }
2600 
2601 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2602 				 struct net_device *dev,
2603 				 struct genl_info *info)
2604 {
2605 	struct cfg80211_chan_def chandef;
2606 	int result;
2607 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2608 	struct wireless_dev *wdev = NULL;
2609 
2610 	if (dev)
2611 		wdev = dev->ieee80211_ptr;
2612 	if (!nl80211_can_set_dev_channel(wdev))
2613 		return -EOPNOTSUPP;
2614 	if (wdev)
2615 		iftype = wdev->iftype;
2616 
2617 	result = nl80211_parse_chandef(rdev, info, &chandef);
2618 	if (result)
2619 		return result;
2620 
2621 	switch (iftype) {
2622 	case NL80211_IFTYPE_AP:
2623 	case NL80211_IFTYPE_P2P_GO:
2624 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2625 						   iftype)) {
2626 			result = -EINVAL;
2627 			break;
2628 		}
2629 		if (wdev->beacon_interval) {
2630 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2631 			    !(rdev->wiphy.features &
2632 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2633 				result = -EBUSY;
2634 				break;
2635 			}
2636 
2637 			/* Only allow dynamic channel width changes */
2638 			if (chandef.chan != wdev->preset_chandef.chan) {
2639 				result = -EBUSY;
2640 				break;
2641 			}
2642 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2643 			if (result)
2644 				break;
2645 		}
2646 		wdev->preset_chandef = chandef;
2647 		result = 0;
2648 		break;
2649 	case NL80211_IFTYPE_MESH_POINT:
2650 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2651 		break;
2652 	case NL80211_IFTYPE_MONITOR:
2653 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2654 		break;
2655 	default:
2656 		result = -EINVAL;
2657 	}
2658 
2659 	return result;
2660 }
2661 
2662 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2663 {
2664 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2665 	struct net_device *netdev = info->user_ptr[1];
2666 
2667 	return __nl80211_set_channel(rdev, netdev, info);
2668 }
2669 
2670 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2671 {
2672 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2673 	struct net_device *dev = info->user_ptr[1];
2674 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2675 	const u8 *bssid;
2676 
2677 	if (!info->attrs[NL80211_ATTR_MAC])
2678 		return -EINVAL;
2679 
2680 	if (netif_running(dev))
2681 		return -EBUSY;
2682 
2683 	if (!rdev->ops->set_wds_peer)
2684 		return -EOPNOTSUPP;
2685 
2686 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2687 		return -EOPNOTSUPP;
2688 
2689 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2690 	return rdev_set_wds_peer(rdev, dev, bssid);
2691 }
2692 
2693 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2694 {
2695 	struct cfg80211_registered_device *rdev;
2696 	struct net_device *netdev = NULL;
2697 	struct wireless_dev *wdev;
2698 	int result = 0, rem_txq_params = 0;
2699 	struct nlattr *nl_txq_params;
2700 	u32 changed;
2701 	u8 retry_short = 0, retry_long = 0;
2702 	u32 frag_threshold = 0, rts_threshold = 0;
2703 	u8 coverage_class = 0;
2704 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2705 
2706 	ASSERT_RTNL();
2707 
2708 	/*
2709 	 * Try to find the wiphy and netdev. Normally this
2710 	 * function shouldn't need the netdev, but this is
2711 	 * done for backward compatibility -- previously
2712 	 * setting the channel was done per wiphy, but now
2713 	 * it is per netdev. Previous userland like hostapd
2714 	 * also passed a netdev to set_wiphy, so that it is
2715 	 * possible to let that go to the right netdev!
2716 	 */
2717 
2718 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2719 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2720 
2721 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2722 		if (netdev && netdev->ieee80211_ptr)
2723 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2724 		else
2725 			netdev = NULL;
2726 	}
2727 
2728 	if (!netdev) {
2729 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2730 						  info->attrs);
2731 		if (IS_ERR(rdev))
2732 			return PTR_ERR(rdev);
2733 		wdev = NULL;
2734 		netdev = NULL;
2735 		result = 0;
2736 	} else
2737 		wdev = netdev->ieee80211_ptr;
2738 
2739 	/*
2740 	 * end workaround code, by now the rdev is available
2741 	 * and locked, and wdev may or may not be NULL.
2742 	 */
2743 
2744 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2745 		result = cfg80211_dev_rename(
2746 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2747 
2748 	if (result)
2749 		return result;
2750 
2751 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2752 		struct ieee80211_txq_params txq_params;
2753 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2754 
2755 		if (!rdev->ops->set_txq_params)
2756 			return -EOPNOTSUPP;
2757 
2758 		if (!netdev)
2759 			return -EINVAL;
2760 
2761 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2762 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2763 			return -EINVAL;
2764 
2765 		if (!netif_running(netdev))
2766 			return -ENETDOWN;
2767 
2768 		nla_for_each_nested(nl_txq_params,
2769 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2770 				    rem_txq_params) {
2771 			result = nla_parse_nested_deprecated(tb,
2772 							     NL80211_TXQ_ATTR_MAX,
2773 							     nl_txq_params,
2774 							     txq_params_policy,
2775 							     info->extack);
2776 			if (result)
2777 				return result;
2778 			result = parse_txq_params(tb, &txq_params);
2779 			if (result)
2780 				return result;
2781 
2782 			result = rdev_set_txq_params(rdev, netdev,
2783 						     &txq_params);
2784 			if (result)
2785 				return result;
2786 		}
2787 	}
2788 
2789 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2790 		result = __nl80211_set_channel(
2791 			rdev,
2792 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2793 			info);
2794 		if (result)
2795 			return result;
2796 	}
2797 
2798 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2799 		struct wireless_dev *txp_wdev = wdev;
2800 		enum nl80211_tx_power_setting type;
2801 		int idx, mbm = 0;
2802 
2803 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2804 			txp_wdev = NULL;
2805 
2806 		if (!rdev->ops->set_tx_power)
2807 			return -EOPNOTSUPP;
2808 
2809 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2810 		type = nla_get_u32(info->attrs[idx]);
2811 
2812 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2813 		    (type != NL80211_TX_POWER_AUTOMATIC))
2814 			return -EINVAL;
2815 
2816 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2817 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2818 			mbm = nla_get_u32(info->attrs[idx]);
2819 		}
2820 
2821 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2822 		if (result)
2823 			return result;
2824 	}
2825 
2826 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2827 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2828 		u32 tx_ant, rx_ant;
2829 
2830 		if ((!rdev->wiphy.available_antennas_tx &&
2831 		     !rdev->wiphy.available_antennas_rx) ||
2832 		    !rdev->ops->set_antenna)
2833 			return -EOPNOTSUPP;
2834 
2835 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2836 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2837 
2838 		/* reject antenna configurations which don't match the
2839 		 * available antenna masks, except for the "all" mask */
2840 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2841 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2842 			return -EINVAL;
2843 
2844 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2845 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2846 
2847 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2848 		if (result)
2849 			return result;
2850 	}
2851 
2852 	changed = 0;
2853 
2854 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2855 		retry_short = nla_get_u8(
2856 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2857 
2858 		changed |= WIPHY_PARAM_RETRY_SHORT;
2859 	}
2860 
2861 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2862 		retry_long = nla_get_u8(
2863 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2864 
2865 		changed |= WIPHY_PARAM_RETRY_LONG;
2866 	}
2867 
2868 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2869 		frag_threshold = nla_get_u32(
2870 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2871 		if (frag_threshold < 256)
2872 			return -EINVAL;
2873 
2874 		if (frag_threshold != (u32) -1) {
2875 			/*
2876 			 * Fragments (apart from the last one) are required to
2877 			 * have even length. Make the fragmentation code
2878 			 * simpler by stripping LSB should someone try to use
2879 			 * odd threshold value.
2880 			 */
2881 			frag_threshold &= ~0x1;
2882 		}
2883 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2884 	}
2885 
2886 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2887 		rts_threshold = nla_get_u32(
2888 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2889 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2890 	}
2891 
2892 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2893 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2894 			return -EINVAL;
2895 
2896 		coverage_class = nla_get_u8(
2897 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2898 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2899 	}
2900 
2901 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2902 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2903 			return -EOPNOTSUPP;
2904 
2905 		changed |= WIPHY_PARAM_DYN_ACK;
2906 	}
2907 
2908 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2909 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2910 					     NL80211_EXT_FEATURE_TXQS))
2911 			return -EOPNOTSUPP;
2912 		txq_limit = nla_get_u32(
2913 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2914 		changed |= WIPHY_PARAM_TXQ_LIMIT;
2915 	}
2916 
2917 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2918 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2919 					     NL80211_EXT_FEATURE_TXQS))
2920 			return -EOPNOTSUPP;
2921 		txq_memory_limit = nla_get_u32(
2922 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2923 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2924 	}
2925 
2926 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2927 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2928 					     NL80211_EXT_FEATURE_TXQS))
2929 			return -EOPNOTSUPP;
2930 		txq_quantum = nla_get_u32(
2931 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2932 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
2933 	}
2934 
2935 	if (changed) {
2936 		u8 old_retry_short, old_retry_long;
2937 		u32 old_frag_threshold, old_rts_threshold;
2938 		u8 old_coverage_class;
2939 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2940 
2941 		if (!rdev->ops->set_wiphy_params)
2942 			return -EOPNOTSUPP;
2943 
2944 		old_retry_short = rdev->wiphy.retry_short;
2945 		old_retry_long = rdev->wiphy.retry_long;
2946 		old_frag_threshold = rdev->wiphy.frag_threshold;
2947 		old_rts_threshold = rdev->wiphy.rts_threshold;
2948 		old_coverage_class = rdev->wiphy.coverage_class;
2949 		old_txq_limit = rdev->wiphy.txq_limit;
2950 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2951 		old_txq_quantum = rdev->wiphy.txq_quantum;
2952 
2953 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2954 			rdev->wiphy.retry_short = retry_short;
2955 		if (changed & WIPHY_PARAM_RETRY_LONG)
2956 			rdev->wiphy.retry_long = retry_long;
2957 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2958 			rdev->wiphy.frag_threshold = frag_threshold;
2959 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2960 			rdev->wiphy.rts_threshold = rts_threshold;
2961 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2962 			rdev->wiphy.coverage_class = coverage_class;
2963 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
2964 			rdev->wiphy.txq_limit = txq_limit;
2965 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
2966 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
2967 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
2968 			rdev->wiphy.txq_quantum = txq_quantum;
2969 
2970 		result = rdev_set_wiphy_params(rdev, changed);
2971 		if (result) {
2972 			rdev->wiphy.retry_short = old_retry_short;
2973 			rdev->wiphy.retry_long = old_retry_long;
2974 			rdev->wiphy.frag_threshold = old_frag_threshold;
2975 			rdev->wiphy.rts_threshold = old_rts_threshold;
2976 			rdev->wiphy.coverage_class = old_coverage_class;
2977 			rdev->wiphy.txq_limit = old_txq_limit;
2978 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
2979 			rdev->wiphy.txq_quantum = old_txq_quantum;
2980 			return result;
2981 		}
2982 	}
2983 	return 0;
2984 }
2985 
2986 static int nl80211_send_chandef(struct sk_buff *msg,
2987 				const struct cfg80211_chan_def *chandef)
2988 {
2989 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2990 		return -EINVAL;
2991 
2992 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2993 			chandef->chan->center_freq))
2994 		return -ENOBUFS;
2995 	switch (chandef->width) {
2996 	case NL80211_CHAN_WIDTH_20_NOHT:
2997 	case NL80211_CHAN_WIDTH_20:
2998 	case NL80211_CHAN_WIDTH_40:
2999 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3000 				cfg80211_get_chandef_type(chandef)))
3001 			return -ENOBUFS;
3002 		break;
3003 	default:
3004 		break;
3005 	}
3006 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3007 		return -ENOBUFS;
3008 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3009 		return -ENOBUFS;
3010 	if (chandef->center_freq2 &&
3011 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3012 		return -ENOBUFS;
3013 	return 0;
3014 }
3015 
3016 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3017 			      struct cfg80211_registered_device *rdev,
3018 			      struct wireless_dev *wdev,
3019 			      enum nl80211_commands cmd)
3020 {
3021 	struct net_device *dev = wdev->netdev;
3022 	void *hdr;
3023 
3024 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3025 		cmd != NL80211_CMD_DEL_INTERFACE &&
3026 		cmd != NL80211_CMD_SET_INTERFACE);
3027 
3028 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3029 	if (!hdr)
3030 		return -1;
3031 
3032 	if (dev &&
3033 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3034 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3035 		goto nla_put_failure;
3036 
3037 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3038 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3039 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3040 			      NL80211_ATTR_PAD) ||
3041 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3042 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3043 			rdev->devlist_generation ^
3044 			(cfg80211_rdev_list_generation << 2)) ||
3045 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3046 		goto nla_put_failure;
3047 
3048 	if (rdev->ops->get_channel) {
3049 		int ret;
3050 		struct cfg80211_chan_def chandef;
3051 
3052 		ret = rdev_get_channel(rdev, wdev, &chandef);
3053 		if (ret == 0) {
3054 			if (nl80211_send_chandef(msg, &chandef))
3055 				goto nla_put_failure;
3056 		}
3057 	}
3058 
3059 	if (rdev->ops->get_tx_power) {
3060 		int dbm, ret;
3061 
3062 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3063 		if (ret == 0 &&
3064 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3065 				DBM_TO_MBM(dbm)))
3066 			goto nla_put_failure;
3067 	}
3068 
3069 	wdev_lock(wdev);
3070 	switch (wdev->iftype) {
3071 	case NL80211_IFTYPE_AP:
3072 		if (wdev->ssid_len &&
3073 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3074 			goto nla_put_failure_locked;
3075 		break;
3076 	case NL80211_IFTYPE_STATION:
3077 	case NL80211_IFTYPE_P2P_CLIENT:
3078 	case NL80211_IFTYPE_ADHOC: {
3079 		const u8 *ssid_ie;
3080 		if (!wdev->current_bss)
3081 			break;
3082 		rcu_read_lock();
3083 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3084 					       WLAN_EID_SSID);
3085 		if (ssid_ie &&
3086 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3087 			goto nla_put_failure_rcu_locked;
3088 		rcu_read_unlock();
3089 		break;
3090 		}
3091 	default:
3092 		/* nothing */
3093 		break;
3094 	}
3095 	wdev_unlock(wdev);
3096 
3097 	if (rdev->ops->get_txq_stats) {
3098 		struct cfg80211_txq_stats txqstats = {};
3099 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3100 
3101 		if (ret == 0 &&
3102 		    !nl80211_put_txq_stats(msg, &txqstats,
3103 					   NL80211_ATTR_TXQ_STATS))
3104 			goto nla_put_failure;
3105 	}
3106 
3107 	genlmsg_end(msg, hdr);
3108 	return 0;
3109 
3110  nla_put_failure_rcu_locked:
3111 	rcu_read_unlock();
3112  nla_put_failure_locked:
3113 	wdev_unlock(wdev);
3114  nla_put_failure:
3115 	genlmsg_cancel(msg, hdr);
3116 	return -EMSGSIZE;
3117 }
3118 
3119 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3120 {
3121 	int wp_idx = 0;
3122 	int if_idx = 0;
3123 	int wp_start = cb->args[0];
3124 	int if_start = cb->args[1];
3125 	int filter_wiphy = -1;
3126 	struct cfg80211_registered_device *rdev;
3127 	struct wireless_dev *wdev;
3128 	int ret;
3129 
3130 	rtnl_lock();
3131 	if (!cb->args[2]) {
3132 		struct nl80211_dump_wiphy_state state = {
3133 			.filter_wiphy = -1,
3134 		};
3135 
3136 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3137 		if (ret)
3138 			goto out_unlock;
3139 
3140 		filter_wiphy = state.filter_wiphy;
3141 
3142 		/*
3143 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3144 		 * value needed to determine that parsing is necessary.
3145 		 */
3146 		if (filter_wiphy >= 0)
3147 			cb->args[2] = filter_wiphy + 1;
3148 		else
3149 			cb->args[2] = -1;
3150 	} else if (cb->args[2] > 0) {
3151 		filter_wiphy = cb->args[2] - 1;
3152 	}
3153 
3154 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3155 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3156 			continue;
3157 		if (wp_idx < wp_start) {
3158 			wp_idx++;
3159 			continue;
3160 		}
3161 
3162 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3163 			continue;
3164 
3165 		if_idx = 0;
3166 
3167 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3168 			if (if_idx < if_start) {
3169 				if_idx++;
3170 				continue;
3171 			}
3172 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3173 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3174 					       rdev, wdev,
3175 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3176 				goto out;
3177 			}
3178 			if_idx++;
3179 		}
3180 
3181 		wp_idx++;
3182 	}
3183  out:
3184 	cb->args[0] = wp_idx;
3185 	cb->args[1] = if_idx;
3186 
3187 	ret = skb->len;
3188  out_unlock:
3189 	rtnl_unlock();
3190 
3191 	return ret;
3192 }
3193 
3194 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3195 {
3196 	struct sk_buff *msg;
3197 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3198 	struct wireless_dev *wdev = info->user_ptr[1];
3199 
3200 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3201 	if (!msg)
3202 		return -ENOMEM;
3203 
3204 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3205 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3206 		nlmsg_free(msg);
3207 		return -ENOBUFS;
3208 	}
3209 
3210 	return genlmsg_reply(msg, info);
3211 }
3212 
3213 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3214 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3215 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3216 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3217 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3218 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3219 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3220 };
3221 
3222 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3223 {
3224 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3225 	int flag;
3226 
3227 	*mntrflags = 0;
3228 
3229 	if (!nla)
3230 		return -EINVAL;
3231 
3232 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3233 		return -EINVAL;
3234 
3235 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3236 		if (flags[flag])
3237 			*mntrflags |= (1<<flag);
3238 
3239 	*mntrflags |= MONITOR_FLAG_CHANGED;
3240 
3241 	return 0;
3242 }
3243 
3244 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3245 				     enum nl80211_iftype type,
3246 				     struct genl_info *info,
3247 				     struct vif_params *params)
3248 {
3249 	bool change = false;
3250 	int err;
3251 
3252 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3253 		if (type != NL80211_IFTYPE_MONITOR)
3254 			return -EINVAL;
3255 
3256 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3257 					  &params->flags);
3258 		if (err)
3259 			return err;
3260 
3261 		change = true;
3262 	}
3263 
3264 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3265 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3266 		return -EOPNOTSUPP;
3267 
3268 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3269 		const u8 *mumimo_groups;
3270 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3271 
3272 		if (type != NL80211_IFTYPE_MONITOR)
3273 			return -EINVAL;
3274 
3275 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3276 			return -EOPNOTSUPP;
3277 
3278 		mumimo_groups =
3279 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3280 
3281 		/* bits 0 and 63 are reserved and must be zero */
3282 		if ((mumimo_groups[0] & BIT(0)) ||
3283 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3284 			return -EINVAL;
3285 
3286 		params->vht_mumimo_groups = mumimo_groups;
3287 		change = true;
3288 	}
3289 
3290 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3291 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3292 
3293 		if (type != NL80211_IFTYPE_MONITOR)
3294 			return -EINVAL;
3295 
3296 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3297 			return -EOPNOTSUPP;
3298 
3299 		params->vht_mumimo_follow_addr =
3300 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3301 		change = true;
3302 	}
3303 
3304 	return change ? 1 : 0;
3305 }
3306 
3307 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3308 			       struct net_device *netdev, u8 use_4addr,
3309 			       enum nl80211_iftype iftype)
3310 {
3311 	if (!use_4addr) {
3312 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3313 			return -EBUSY;
3314 		return 0;
3315 	}
3316 
3317 	switch (iftype) {
3318 	case NL80211_IFTYPE_AP_VLAN:
3319 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3320 			return 0;
3321 		break;
3322 	case NL80211_IFTYPE_STATION:
3323 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3324 			return 0;
3325 		break;
3326 	default:
3327 		break;
3328 	}
3329 
3330 	return -EOPNOTSUPP;
3331 }
3332 
3333 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3334 {
3335 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3336 	struct vif_params params;
3337 	int err;
3338 	enum nl80211_iftype otype, ntype;
3339 	struct net_device *dev = info->user_ptr[1];
3340 	bool change = false;
3341 
3342 	memset(&params, 0, sizeof(params));
3343 
3344 	otype = ntype = dev->ieee80211_ptr->iftype;
3345 
3346 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3347 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3348 		if (otype != ntype)
3349 			change = true;
3350 	}
3351 
3352 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3353 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3354 
3355 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3356 			return -EINVAL;
3357 		if (netif_running(dev))
3358 			return -EBUSY;
3359 
3360 		wdev_lock(wdev);
3361 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3362 			     IEEE80211_MAX_MESH_ID_LEN);
3363 		wdev->mesh_id_up_len =
3364 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3365 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3366 		       wdev->mesh_id_up_len);
3367 		wdev_unlock(wdev);
3368 	}
3369 
3370 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3371 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3372 		change = true;
3373 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3374 		if (err)
3375 			return err;
3376 	} else {
3377 		params.use_4addr = -1;
3378 	}
3379 
3380 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3381 	if (err < 0)
3382 		return err;
3383 	if (err > 0)
3384 		change = true;
3385 
3386 	if (change)
3387 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3388 	else
3389 		err = 0;
3390 
3391 	if (!err && params.use_4addr != -1)
3392 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3393 
3394 	if (change && !err) {
3395 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3396 
3397 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3398 	}
3399 
3400 	return err;
3401 }
3402 
3403 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3404 {
3405 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3406 	struct vif_params params;
3407 	struct wireless_dev *wdev;
3408 	struct sk_buff *msg;
3409 	int err;
3410 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3411 
3412 	/* to avoid failing a new interface creation due to pending removal */
3413 	cfg80211_destroy_ifaces(rdev);
3414 
3415 	memset(&params, 0, sizeof(params));
3416 
3417 	if (!info->attrs[NL80211_ATTR_IFNAME])
3418 		return -EINVAL;
3419 
3420 	if (info->attrs[NL80211_ATTR_IFTYPE])
3421 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3422 
3423 	if (!rdev->ops->add_virtual_intf ||
3424 	    !(rdev->wiphy.interface_modes & (1 << type)))
3425 		return -EOPNOTSUPP;
3426 
3427 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3428 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3429 	    info->attrs[NL80211_ATTR_MAC]) {
3430 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3431 			   ETH_ALEN);
3432 		if (!is_valid_ether_addr(params.macaddr))
3433 			return -EADDRNOTAVAIL;
3434 	}
3435 
3436 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3437 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3438 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3439 		if (err)
3440 			return err;
3441 	}
3442 
3443 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3444 	if (err < 0)
3445 		return err;
3446 
3447 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3448 	if (!msg)
3449 		return -ENOMEM;
3450 
3451 	wdev = rdev_add_virtual_intf(rdev,
3452 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3453 				NET_NAME_USER, type, &params);
3454 	if (WARN_ON(!wdev)) {
3455 		nlmsg_free(msg);
3456 		return -EPROTO;
3457 	} else if (IS_ERR(wdev)) {
3458 		nlmsg_free(msg);
3459 		return PTR_ERR(wdev);
3460 	}
3461 
3462 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3463 		wdev->owner_nlportid = info->snd_portid;
3464 
3465 	switch (type) {
3466 	case NL80211_IFTYPE_MESH_POINT:
3467 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3468 			break;
3469 		wdev_lock(wdev);
3470 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3471 			     IEEE80211_MAX_MESH_ID_LEN);
3472 		wdev->mesh_id_up_len =
3473 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3474 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3475 		       wdev->mesh_id_up_len);
3476 		wdev_unlock(wdev);
3477 		break;
3478 	case NL80211_IFTYPE_NAN:
3479 	case NL80211_IFTYPE_P2P_DEVICE:
3480 		/*
3481 		 * P2P Device and NAN do not have a netdev, so don't go
3482 		 * through the netdev notifier and must be added here
3483 		 */
3484 		cfg80211_init_wdev(rdev, wdev);
3485 		break;
3486 	default:
3487 		break;
3488 	}
3489 
3490 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3491 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3492 		nlmsg_free(msg);
3493 		return -ENOBUFS;
3494 	}
3495 
3496 	return genlmsg_reply(msg, info);
3497 }
3498 
3499 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3500 {
3501 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3502 	struct wireless_dev *wdev = info->user_ptr[1];
3503 
3504 	if (!rdev->ops->del_virtual_intf)
3505 		return -EOPNOTSUPP;
3506 
3507 	/*
3508 	 * If we remove a wireless device without a netdev then clear
3509 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3510 	 * to check if it needs to do dev_put(). Otherwise it crashes
3511 	 * since the wdev has been freed, unlike with a netdev where
3512 	 * we need the dev_put() for the netdev to really be freed.
3513 	 */
3514 	if (!wdev->netdev)
3515 		info->user_ptr[1] = NULL;
3516 
3517 	return rdev_del_virtual_intf(rdev, wdev);
3518 }
3519 
3520 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3521 {
3522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3523 	struct net_device *dev = info->user_ptr[1];
3524 	u16 noack_map;
3525 
3526 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3527 		return -EINVAL;
3528 
3529 	if (!rdev->ops->set_noack_map)
3530 		return -EOPNOTSUPP;
3531 
3532 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3533 
3534 	return rdev_set_noack_map(rdev, dev, noack_map);
3535 }
3536 
3537 struct get_key_cookie {
3538 	struct sk_buff *msg;
3539 	int error;
3540 	int idx;
3541 };
3542 
3543 static void get_key_callback(void *c, struct key_params *params)
3544 {
3545 	struct nlattr *key;
3546 	struct get_key_cookie *cookie = c;
3547 
3548 	if ((params->key &&
3549 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3550 		     params->key_len, params->key)) ||
3551 	    (params->seq &&
3552 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3553 		     params->seq_len, params->seq)) ||
3554 	    (params->cipher &&
3555 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3556 			 params->cipher)))
3557 		goto nla_put_failure;
3558 
3559 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3560 	if (!key)
3561 		goto nla_put_failure;
3562 
3563 	if ((params->key &&
3564 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3565 		     params->key_len, params->key)) ||
3566 	    (params->seq &&
3567 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3568 		     params->seq_len, params->seq)) ||
3569 	    (params->cipher &&
3570 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3571 			 params->cipher)))
3572 		goto nla_put_failure;
3573 
3574 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3575 		goto nla_put_failure;
3576 
3577 	nla_nest_end(cookie->msg, key);
3578 
3579 	return;
3580  nla_put_failure:
3581 	cookie->error = 1;
3582 }
3583 
3584 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3585 {
3586 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3587 	int err;
3588 	struct net_device *dev = info->user_ptr[1];
3589 	u8 key_idx = 0;
3590 	const u8 *mac_addr = NULL;
3591 	bool pairwise;
3592 	struct get_key_cookie cookie = {
3593 		.error = 0,
3594 	};
3595 	void *hdr;
3596 	struct sk_buff *msg;
3597 
3598 	if (info->attrs[NL80211_ATTR_KEY_IDX])
3599 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3600 
3601 	if (info->attrs[NL80211_ATTR_MAC])
3602 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3603 
3604 	pairwise = !!mac_addr;
3605 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3606 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3607 
3608 		if (kt != NL80211_KEYTYPE_GROUP &&
3609 		    kt != NL80211_KEYTYPE_PAIRWISE)
3610 			return -EINVAL;
3611 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3612 	}
3613 
3614 	if (!rdev->ops->get_key)
3615 		return -EOPNOTSUPP;
3616 
3617 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3618 		return -ENOENT;
3619 
3620 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3621 	if (!msg)
3622 		return -ENOMEM;
3623 
3624 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3625 			     NL80211_CMD_NEW_KEY);
3626 	if (!hdr)
3627 		goto nla_put_failure;
3628 
3629 	cookie.msg = msg;
3630 	cookie.idx = key_idx;
3631 
3632 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3633 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3634 		goto nla_put_failure;
3635 	if (mac_addr &&
3636 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3637 		goto nla_put_failure;
3638 
3639 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3640 			   get_key_callback);
3641 
3642 	if (err)
3643 		goto free_msg;
3644 
3645 	if (cookie.error)
3646 		goto nla_put_failure;
3647 
3648 	genlmsg_end(msg, hdr);
3649 	return genlmsg_reply(msg, info);
3650 
3651  nla_put_failure:
3652 	err = -ENOBUFS;
3653  free_msg:
3654 	nlmsg_free(msg);
3655 	return err;
3656 }
3657 
3658 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3659 {
3660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3661 	struct key_parse key;
3662 	int err;
3663 	struct net_device *dev = info->user_ptr[1];
3664 
3665 	err = nl80211_parse_key(info, &key);
3666 	if (err)
3667 		return err;
3668 
3669 	if (key.idx < 0)
3670 		return -EINVAL;
3671 
3672 	/* Only support setting default key and
3673 	 * Extended Key ID action NL80211_KEY_SET_TX.
3674 	 */
3675 	if (!key.def && !key.defmgmt &&
3676 	    !(key.p.mode == NL80211_KEY_SET_TX))
3677 		return -EINVAL;
3678 
3679 	wdev_lock(dev->ieee80211_ptr);
3680 
3681 	if (key.def) {
3682 		if (!rdev->ops->set_default_key) {
3683 			err = -EOPNOTSUPP;
3684 			goto out;
3685 		}
3686 
3687 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3688 		if (err)
3689 			goto out;
3690 
3691 		err = rdev_set_default_key(rdev, dev, key.idx,
3692 						 key.def_uni, key.def_multi);
3693 
3694 		if (err)
3695 			goto out;
3696 
3697 #ifdef CONFIG_CFG80211_WEXT
3698 		dev->ieee80211_ptr->wext.default_key = key.idx;
3699 #endif
3700 	} else if (key.defmgmt) {
3701 		if (key.def_uni || !key.def_multi) {
3702 			err = -EINVAL;
3703 			goto out;
3704 		}
3705 
3706 		if (!rdev->ops->set_default_mgmt_key) {
3707 			err = -EOPNOTSUPP;
3708 			goto out;
3709 		}
3710 
3711 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3712 		if (err)
3713 			goto out;
3714 
3715 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3716 		if (err)
3717 			goto out;
3718 
3719 #ifdef CONFIG_CFG80211_WEXT
3720 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3721 #endif
3722 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
3723 		   wiphy_ext_feature_isset(&rdev->wiphy,
3724 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
3725 		u8 *mac_addr = NULL;
3726 
3727 		if (info->attrs[NL80211_ATTR_MAC])
3728 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3729 
3730 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
3731 			err = -EINVAL;
3732 			goto out;
3733 		}
3734 
3735 		err = rdev_add_key(rdev, dev, key.idx,
3736 				   NL80211_KEYTYPE_PAIRWISE,
3737 				   mac_addr, &key.p);
3738 	} else {
3739 		err = -EINVAL;
3740 	}
3741  out:
3742 	wdev_unlock(dev->ieee80211_ptr);
3743 
3744 	return err;
3745 }
3746 
3747 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3748 {
3749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3750 	int err;
3751 	struct net_device *dev = info->user_ptr[1];
3752 	struct key_parse key;
3753 	const u8 *mac_addr = NULL;
3754 
3755 	err = nl80211_parse_key(info, &key);
3756 	if (err)
3757 		return err;
3758 
3759 	if (!key.p.key)
3760 		return -EINVAL;
3761 
3762 	if (info->attrs[NL80211_ATTR_MAC])
3763 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3764 
3765 	if (key.type == -1) {
3766 		if (mac_addr)
3767 			key.type = NL80211_KEYTYPE_PAIRWISE;
3768 		else
3769 			key.type = NL80211_KEYTYPE_GROUP;
3770 	}
3771 
3772 	/* for now */
3773 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3774 	    key.type != NL80211_KEYTYPE_GROUP)
3775 		return -EINVAL;
3776 
3777 	if (!rdev->ops->add_key)
3778 		return -EOPNOTSUPP;
3779 
3780 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3781 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3782 					   mac_addr))
3783 		return -EINVAL;
3784 
3785 	wdev_lock(dev->ieee80211_ptr);
3786 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3787 	if (!err)
3788 		err = rdev_add_key(rdev, dev, key.idx,
3789 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3790 				    mac_addr, &key.p);
3791 	wdev_unlock(dev->ieee80211_ptr);
3792 
3793 	return err;
3794 }
3795 
3796 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3797 {
3798 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3799 	int err;
3800 	struct net_device *dev = info->user_ptr[1];
3801 	u8 *mac_addr = NULL;
3802 	struct key_parse key;
3803 
3804 	err = nl80211_parse_key(info, &key);
3805 	if (err)
3806 		return err;
3807 
3808 	if (info->attrs[NL80211_ATTR_MAC])
3809 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3810 
3811 	if (key.type == -1) {
3812 		if (mac_addr)
3813 			key.type = NL80211_KEYTYPE_PAIRWISE;
3814 		else
3815 			key.type = NL80211_KEYTYPE_GROUP;
3816 	}
3817 
3818 	/* for now */
3819 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3820 	    key.type != NL80211_KEYTYPE_GROUP)
3821 		return -EINVAL;
3822 
3823 	if (!rdev->ops->del_key)
3824 		return -EOPNOTSUPP;
3825 
3826 	wdev_lock(dev->ieee80211_ptr);
3827 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3828 
3829 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3830 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3831 		err = -ENOENT;
3832 
3833 	if (!err)
3834 		err = rdev_del_key(rdev, dev, key.idx,
3835 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3836 				   mac_addr);
3837 
3838 #ifdef CONFIG_CFG80211_WEXT
3839 	if (!err) {
3840 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3841 			dev->ieee80211_ptr->wext.default_key = -1;
3842 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3843 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3844 	}
3845 #endif
3846 	wdev_unlock(dev->ieee80211_ptr);
3847 
3848 	return err;
3849 }
3850 
3851 /* This function returns an error or the number of nested attributes */
3852 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3853 {
3854 	struct nlattr *attr;
3855 	int n_entries = 0, tmp;
3856 
3857 	nla_for_each_nested(attr, nl_attr, tmp) {
3858 		if (nla_len(attr) != ETH_ALEN)
3859 			return -EINVAL;
3860 
3861 		n_entries++;
3862 	}
3863 
3864 	return n_entries;
3865 }
3866 
3867 /*
3868  * This function parses ACL information and allocates memory for ACL data.
3869  * On successful return, the calling function is responsible to free the
3870  * ACL buffer returned by this function.
3871  */
3872 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3873 						struct genl_info *info)
3874 {
3875 	enum nl80211_acl_policy acl_policy;
3876 	struct nlattr *attr;
3877 	struct cfg80211_acl_data *acl;
3878 	int i = 0, n_entries, tmp;
3879 
3880 	if (!wiphy->max_acl_mac_addrs)
3881 		return ERR_PTR(-EOPNOTSUPP);
3882 
3883 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3884 		return ERR_PTR(-EINVAL);
3885 
3886 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3887 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3888 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3889 		return ERR_PTR(-EINVAL);
3890 
3891 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3892 		return ERR_PTR(-EINVAL);
3893 
3894 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3895 	if (n_entries < 0)
3896 		return ERR_PTR(n_entries);
3897 
3898 	if (n_entries > wiphy->max_acl_mac_addrs)
3899 		return ERR_PTR(-ENOTSUPP);
3900 
3901 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
3902 	if (!acl)
3903 		return ERR_PTR(-ENOMEM);
3904 
3905 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3906 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3907 		i++;
3908 	}
3909 
3910 	acl->n_acl_entries = n_entries;
3911 	acl->acl_policy = acl_policy;
3912 
3913 	return acl;
3914 }
3915 
3916 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3917 {
3918 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3919 	struct net_device *dev = info->user_ptr[1];
3920 	struct cfg80211_acl_data *acl;
3921 	int err;
3922 
3923 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3924 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3925 		return -EOPNOTSUPP;
3926 
3927 	if (!dev->ieee80211_ptr->beacon_interval)
3928 		return -EINVAL;
3929 
3930 	acl = parse_acl_data(&rdev->wiphy, info);
3931 	if (IS_ERR(acl))
3932 		return PTR_ERR(acl);
3933 
3934 	err = rdev_set_mac_acl(rdev, dev, acl);
3935 
3936 	kfree(acl);
3937 
3938 	return err;
3939 }
3940 
3941 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3942 			   u8 *rates, u8 rates_len)
3943 {
3944 	u8 i;
3945 	u32 mask = 0;
3946 
3947 	for (i = 0; i < rates_len; i++) {
3948 		int rate = (rates[i] & 0x7f) * 5;
3949 		int ridx;
3950 
3951 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3952 			struct ieee80211_rate *srate =
3953 				&sband->bitrates[ridx];
3954 			if (rate == srate->bitrate) {
3955 				mask |= 1 << ridx;
3956 				break;
3957 			}
3958 		}
3959 		if (ridx == sband->n_bitrates)
3960 			return 0; /* rate not found */
3961 	}
3962 
3963 	return mask;
3964 }
3965 
3966 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
3967 			       u8 *rates, u8 rates_len,
3968 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
3969 {
3970 	u8 i;
3971 
3972 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
3973 
3974 	for (i = 0; i < rates_len; i++) {
3975 		int ridx, rbit;
3976 
3977 		ridx = rates[i] / 8;
3978 		rbit = BIT(rates[i] % 8);
3979 
3980 		/* check validity */
3981 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
3982 			return false;
3983 
3984 		/* check availability */
3985 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
3986 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
3987 			mcs[ridx] |= rbit;
3988 		else
3989 			return false;
3990 	}
3991 
3992 	return true;
3993 }
3994 
3995 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
3996 {
3997 	u16 mcs_mask = 0;
3998 
3999 	switch (vht_mcs_map) {
4000 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4001 		break;
4002 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4003 		mcs_mask = 0x00FF;
4004 		break;
4005 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4006 		mcs_mask = 0x01FF;
4007 		break;
4008 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4009 		mcs_mask = 0x03FF;
4010 		break;
4011 	default:
4012 		break;
4013 	}
4014 
4015 	return mcs_mask;
4016 }
4017 
4018 static void vht_build_mcs_mask(u16 vht_mcs_map,
4019 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4020 {
4021 	u8 nss;
4022 
4023 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4024 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4025 		vht_mcs_map >>= 2;
4026 	}
4027 }
4028 
4029 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4030 			     struct nl80211_txrate_vht *txrate,
4031 			     u16 mcs[NL80211_VHT_NSS_MAX])
4032 {
4033 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4034 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4035 	u8 i;
4036 
4037 	if (!sband->vht_cap.vht_supported)
4038 		return false;
4039 
4040 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4041 
4042 	/* Build vht_mcs_mask from VHT capabilities */
4043 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4044 
4045 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4046 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4047 			mcs[i] = txrate->mcs[i];
4048 		else
4049 			return false;
4050 	}
4051 
4052 	return true;
4053 }
4054 
4055 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4056 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4057 				    .len = NL80211_MAX_SUPP_RATES },
4058 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4059 				.len = NL80211_MAX_SUPP_HT_RATES },
4060 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
4061 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
4062 };
4063 
4064 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4065 					 struct cfg80211_bitrate_mask *mask)
4066 {
4067 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4069 	int rem, i;
4070 	struct nlattr *tx_rates;
4071 	struct ieee80211_supported_band *sband;
4072 	u16 vht_tx_mcs_map;
4073 
4074 	memset(mask, 0, sizeof(*mask));
4075 	/* Default to all rates enabled */
4076 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4077 		sband = rdev->wiphy.bands[i];
4078 
4079 		if (!sband)
4080 			continue;
4081 
4082 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4083 		memcpy(mask->control[i].ht_mcs,
4084 		       sband->ht_cap.mcs.rx_mask,
4085 		       sizeof(mask->control[i].ht_mcs));
4086 
4087 		if (!sband->vht_cap.vht_supported)
4088 			continue;
4089 
4090 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4091 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4092 	}
4093 
4094 	/* if no rates are given set it back to the defaults */
4095 	if (!info->attrs[NL80211_ATTR_TX_RATES])
4096 		goto out;
4097 
4098 	/* The nested attribute uses enum nl80211_band as the index. This maps
4099 	 * directly to the enum nl80211_band values used in cfg80211.
4100 	 */
4101 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4102 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4103 		enum nl80211_band band = nla_type(tx_rates);
4104 		int err;
4105 
4106 		if (band < 0 || band >= NUM_NL80211_BANDS)
4107 			return -EINVAL;
4108 		sband = rdev->wiphy.bands[band];
4109 		if (sband == NULL)
4110 			return -EINVAL;
4111 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4112 						  tx_rates,
4113 						  nl80211_txattr_policy,
4114 						  info->extack);
4115 		if (err)
4116 			return err;
4117 		if (tb[NL80211_TXRATE_LEGACY]) {
4118 			mask->control[band].legacy = rateset_to_mask(
4119 				sband,
4120 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4121 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4122 			if ((mask->control[band].legacy == 0) &&
4123 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4124 				return -EINVAL;
4125 		}
4126 		if (tb[NL80211_TXRATE_HT]) {
4127 			if (!ht_rateset_to_mask(
4128 					sband,
4129 					nla_data(tb[NL80211_TXRATE_HT]),
4130 					nla_len(tb[NL80211_TXRATE_HT]),
4131 					mask->control[band].ht_mcs))
4132 				return -EINVAL;
4133 		}
4134 		if (tb[NL80211_TXRATE_VHT]) {
4135 			if (!vht_set_mcs_mask(
4136 					sband,
4137 					nla_data(tb[NL80211_TXRATE_VHT]),
4138 					mask->control[band].vht_mcs))
4139 				return -EINVAL;
4140 		}
4141 		if (tb[NL80211_TXRATE_GI]) {
4142 			mask->control[band].gi =
4143 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4144 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4145 				return -EINVAL;
4146 		}
4147 
4148 		if (mask->control[band].legacy == 0) {
4149 			/* don't allow empty legacy rates if HT or VHT
4150 			 * are not even supported.
4151 			 */
4152 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4153 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
4154 				return -EINVAL;
4155 
4156 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4157 				if (mask->control[band].ht_mcs[i])
4158 					goto out;
4159 
4160 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4161 				if (mask->control[band].vht_mcs[i])
4162 					goto out;
4163 
4164 			/* legacy and mcs rates may not be both empty */
4165 			return -EINVAL;
4166 		}
4167 	}
4168 
4169 out:
4170 	return 0;
4171 }
4172 
4173 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4174 				   enum nl80211_band band,
4175 				   struct cfg80211_bitrate_mask *beacon_rate)
4176 {
4177 	u32 count_ht, count_vht, i;
4178 	u32 rate = beacon_rate->control[band].legacy;
4179 
4180 	/* Allow only one rate */
4181 	if (hweight32(rate) > 1)
4182 		return -EINVAL;
4183 
4184 	count_ht = 0;
4185 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4186 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4187 			return -EINVAL;
4188 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4189 			count_ht++;
4190 			if (count_ht > 1)
4191 				return -EINVAL;
4192 		}
4193 		if (count_ht && rate)
4194 			return -EINVAL;
4195 	}
4196 
4197 	count_vht = 0;
4198 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4199 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4200 			return -EINVAL;
4201 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4202 			count_vht++;
4203 			if (count_vht > 1)
4204 				return -EINVAL;
4205 		}
4206 		if (count_vht && rate)
4207 			return -EINVAL;
4208 	}
4209 
4210 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4211 		return -EINVAL;
4212 
4213 	if (rate &&
4214 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4215 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4216 		return -EINVAL;
4217 	if (count_ht &&
4218 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4219 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4220 		return -EINVAL;
4221 	if (count_vht &&
4222 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4223 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4224 		return -EINVAL;
4225 
4226 	return 0;
4227 }
4228 
4229 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4230 				struct nlattr *attrs[],
4231 				struct cfg80211_beacon_data *bcn)
4232 {
4233 	bool haveinfo = false;
4234 	int err;
4235 
4236 	memset(bcn, 0, sizeof(*bcn));
4237 
4238 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4239 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4240 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4241 		if (!bcn->head_len)
4242 			return -EINVAL;
4243 		haveinfo = true;
4244 	}
4245 
4246 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4247 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4248 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4249 		haveinfo = true;
4250 	}
4251 
4252 	if (!haveinfo)
4253 		return -EINVAL;
4254 
4255 	if (attrs[NL80211_ATTR_IE]) {
4256 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4257 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4258 	}
4259 
4260 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4261 		bcn->proberesp_ies =
4262 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4263 		bcn->proberesp_ies_len =
4264 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4265 	}
4266 
4267 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4268 		bcn->assocresp_ies =
4269 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4270 		bcn->assocresp_ies_len =
4271 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4272 	}
4273 
4274 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4275 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4276 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4277 	}
4278 
4279 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4280 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4281 
4282 		err = nla_parse_nested_deprecated(tb,
4283 						  NL80211_FTM_RESP_ATTR_MAX,
4284 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4285 						  NULL, NULL);
4286 		if (err)
4287 			return err;
4288 
4289 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4290 		    wiphy_ext_feature_isset(&rdev->wiphy,
4291 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4292 			bcn->ftm_responder = 1;
4293 		else
4294 			return -EOPNOTSUPP;
4295 
4296 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4297 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4298 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4299 		}
4300 
4301 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4302 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4303 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4304 		}
4305 	} else {
4306 		bcn->ftm_responder = -1;
4307 	}
4308 
4309 	return 0;
4310 }
4311 
4312 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4313 					    const u8 *rates)
4314 {
4315 	int i;
4316 
4317 	if (!rates)
4318 		return;
4319 
4320 	for (i = 0; i < rates[1]; i++) {
4321 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4322 			params->ht_required = true;
4323 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4324 			params->vht_required = true;
4325 	}
4326 }
4327 
4328 /*
4329  * Since the nl80211 API didn't include, from the beginning, attributes about
4330  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4331  * benefit of drivers that rebuild IEs in the firmware.
4332  */
4333 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4334 {
4335 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4336 	size_t ies_len = bcn->tail_len;
4337 	const u8 *ies = bcn->tail;
4338 	const u8 *rates;
4339 	const u8 *cap;
4340 
4341 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4342 	nl80211_check_ap_rate_selectors(params, rates);
4343 
4344 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4345 	nl80211_check_ap_rate_selectors(params, rates);
4346 
4347 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4348 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4349 		params->ht_cap = (void *)(cap + 2);
4350 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4351 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4352 		params->vht_cap = (void *)(cap + 2);
4353 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4354 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4355 		params->he_cap = (void *)(cap + 3);
4356 }
4357 
4358 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4359 				   struct cfg80211_ap_settings *params)
4360 {
4361 	struct wireless_dev *wdev;
4362 	bool ret = false;
4363 
4364 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4365 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4366 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4367 			continue;
4368 
4369 		if (!wdev->preset_chandef.chan)
4370 			continue;
4371 
4372 		params->chandef = wdev->preset_chandef;
4373 		ret = true;
4374 		break;
4375 	}
4376 
4377 	return ret;
4378 }
4379 
4380 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4381 				    enum nl80211_auth_type auth_type,
4382 				    enum nl80211_commands cmd)
4383 {
4384 	if (auth_type > NL80211_AUTHTYPE_MAX)
4385 		return false;
4386 
4387 	switch (cmd) {
4388 	case NL80211_CMD_AUTHENTICATE:
4389 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4390 		    auth_type == NL80211_AUTHTYPE_SAE)
4391 			return false;
4392 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4393 					     NL80211_EXT_FEATURE_FILS_STA) &&
4394 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4395 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4396 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4397 			return false;
4398 		return true;
4399 	case NL80211_CMD_CONNECT:
4400 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4401 		    auth_type == NL80211_AUTHTYPE_SAE)
4402 			return false;
4403 
4404 		/* FILS with SK PFS or PK not supported yet */
4405 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4406 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4407 			return false;
4408 		if (!wiphy_ext_feature_isset(
4409 			    &rdev->wiphy,
4410 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4411 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4412 			return false;
4413 		return true;
4414 	case NL80211_CMD_START_AP:
4415 		/* SAE not supported yet */
4416 		if (auth_type == NL80211_AUTHTYPE_SAE)
4417 			return false;
4418 		/* FILS not supported yet */
4419 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4420 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4421 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4422 			return false;
4423 		return true;
4424 	default:
4425 		return false;
4426 	}
4427 }
4428 
4429 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4430 {
4431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4432 	struct net_device *dev = info->user_ptr[1];
4433 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4434 	struct cfg80211_ap_settings params;
4435 	int err;
4436 
4437 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4438 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4439 		return -EOPNOTSUPP;
4440 
4441 	if (!rdev->ops->start_ap)
4442 		return -EOPNOTSUPP;
4443 
4444 	if (wdev->beacon_interval)
4445 		return -EALREADY;
4446 
4447 	memset(&params, 0, sizeof(params));
4448 
4449 	/* these are required for START_AP */
4450 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4451 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4452 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4453 		return -EINVAL;
4454 
4455 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4456 	if (err)
4457 		return err;
4458 
4459 	params.beacon_interval =
4460 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4461 	params.dtim_period =
4462 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4463 
4464 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4465 					   params.beacon_interval);
4466 	if (err)
4467 		return err;
4468 
4469 	/*
4470 	 * In theory, some of these attributes should be required here
4471 	 * but since they were not used when the command was originally
4472 	 * added, keep them optional for old user space programs to let
4473 	 * them continue to work with drivers that do not need the
4474 	 * additional information -- drivers must check!
4475 	 */
4476 	if (info->attrs[NL80211_ATTR_SSID]) {
4477 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4478 		params.ssid_len =
4479 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4480 		if (params.ssid_len == 0 ||
4481 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4482 			return -EINVAL;
4483 	}
4484 
4485 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4486 		params.hidden_ssid = nla_get_u32(
4487 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4488 
4489 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4490 
4491 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4492 		params.auth_type = nla_get_u32(
4493 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4494 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4495 					     NL80211_CMD_START_AP))
4496 			return -EINVAL;
4497 	} else
4498 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4499 
4500 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4501 				      NL80211_MAX_NR_CIPHER_SUITES);
4502 	if (err)
4503 		return err;
4504 
4505 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4506 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4507 			return -EOPNOTSUPP;
4508 		params.inactivity_timeout = nla_get_u16(
4509 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4510 	}
4511 
4512 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4513 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4514 			return -EINVAL;
4515 		params.p2p_ctwindow =
4516 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4517 		if (params.p2p_ctwindow != 0 &&
4518 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4519 			return -EINVAL;
4520 	}
4521 
4522 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4523 		u8 tmp;
4524 
4525 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4526 			return -EINVAL;
4527 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4528 		params.p2p_opp_ps = tmp;
4529 		if (params.p2p_opp_ps != 0 &&
4530 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4531 			return -EINVAL;
4532 	}
4533 
4534 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4535 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4536 		if (err)
4537 			return err;
4538 	} else if (wdev->preset_chandef.chan) {
4539 		params.chandef = wdev->preset_chandef;
4540 	} else if (!nl80211_get_ap_channel(rdev, &params))
4541 		return -EINVAL;
4542 
4543 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4544 					   wdev->iftype))
4545 		return -EINVAL;
4546 
4547 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4548 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4549 		if (err)
4550 			return err;
4551 
4552 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4553 					      &params.beacon_rate);
4554 		if (err)
4555 			return err;
4556 	}
4557 
4558 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4559 		params.smps_mode =
4560 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4561 		switch (params.smps_mode) {
4562 		case NL80211_SMPS_OFF:
4563 			break;
4564 		case NL80211_SMPS_STATIC:
4565 			if (!(rdev->wiphy.features &
4566 			      NL80211_FEATURE_STATIC_SMPS))
4567 				return -EINVAL;
4568 			break;
4569 		case NL80211_SMPS_DYNAMIC:
4570 			if (!(rdev->wiphy.features &
4571 			      NL80211_FEATURE_DYNAMIC_SMPS))
4572 				return -EINVAL;
4573 			break;
4574 		default:
4575 			return -EINVAL;
4576 		}
4577 	} else {
4578 		params.smps_mode = NL80211_SMPS_OFF;
4579 	}
4580 
4581 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4582 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4583 		return -EOPNOTSUPP;
4584 
4585 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4586 		params.acl = parse_acl_data(&rdev->wiphy, info);
4587 		if (IS_ERR(params.acl))
4588 			return PTR_ERR(params.acl);
4589 	}
4590 
4591 	nl80211_calculate_ap_params(&params);
4592 
4593 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
4594 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
4595 
4596 	wdev_lock(wdev);
4597 	err = rdev_start_ap(rdev, dev, &params);
4598 	if (!err) {
4599 		wdev->preset_chandef = params.chandef;
4600 		wdev->beacon_interval = params.beacon_interval;
4601 		wdev->chandef = params.chandef;
4602 		wdev->ssid_len = params.ssid_len;
4603 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4604 
4605 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4606 			wdev->conn_owner_nlportid = info->snd_portid;
4607 	}
4608 	wdev_unlock(wdev);
4609 
4610 	kfree(params.acl);
4611 
4612 	return err;
4613 }
4614 
4615 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4616 {
4617 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4618 	struct net_device *dev = info->user_ptr[1];
4619 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4620 	struct cfg80211_beacon_data params;
4621 	int err;
4622 
4623 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4624 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4625 		return -EOPNOTSUPP;
4626 
4627 	if (!rdev->ops->change_beacon)
4628 		return -EOPNOTSUPP;
4629 
4630 	if (!wdev->beacon_interval)
4631 		return -EINVAL;
4632 
4633 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
4634 	if (err)
4635 		return err;
4636 
4637 	wdev_lock(wdev);
4638 	err = rdev_change_beacon(rdev, dev, &params);
4639 	wdev_unlock(wdev);
4640 
4641 	return err;
4642 }
4643 
4644 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4645 {
4646 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4647 	struct net_device *dev = info->user_ptr[1];
4648 
4649 	return cfg80211_stop_ap(rdev, dev, false);
4650 }
4651 
4652 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4653 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4654 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4655 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4656 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4657 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4658 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4659 };
4660 
4661 static int parse_station_flags(struct genl_info *info,
4662 			       enum nl80211_iftype iftype,
4663 			       struct station_parameters *params)
4664 {
4665 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4666 	struct nlattr *nla;
4667 	int flag;
4668 
4669 	/*
4670 	 * Try parsing the new attribute first so userspace
4671 	 * can specify both for older kernels.
4672 	 */
4673 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4674 	if (nla) {
4675 		struct nl80211_sta_flag_update *sta_flags;
4676 
4677 		sta_flags = nla_data(nla);
4678 		params->sta_flags_mask = sta_flags->mask;
4679 		params->sta_flags_set = sta_flags->set;
4680 		params->sta_flags_set &= params->sta_flags_mask;
4681 		if ((params->sta_flags_mask |
4682 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4683 			return -EINVAL;
4684 		return 0;
4685 	}
4686 
4687 	/* if present, parse the old attribute */
4688 
4689 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4690 	if (!nla)
4691 		return 0;
4692 
4693 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
4694 		return -EINVAL;
4695 
4696 	/*
4697 	 * Only allow certain flags for interface types so that
4698 	 * other attributes are silently ignored. Remember that
4699 	 * this is backward compatibility code with old userspace
4700 	 * and shouldn't be hit in other cases anyway.
4701 	 */
4702 	switch (iftype) {
4703 	case NL80211_IFTYPE_AP:
4704 	case NL80211_IFTYPE_AP_VLAN:
4705 	case NL80211_IFTYPE_P2P_GO:
4706 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4707 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4708 					 BIT(NL80211_STA_FLAG_WME) |
4709 					 BIT(NL80211_STA_FLAG_MFP);
4710 		break;
4711 	case NL80211_IFTYPE_P2P_CLIENT:
4712 	case NL80211_IFTYPE_STATION:
4713 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4714 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
4715 		break;
4716 	case NL80211_IFTYPE_MESH_POINT:
4717 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4718 					 BIT(NL80211_STA_FLAG_MFP) |
4719 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
4720 		break;
4721 	default:
4722 		return -EINVAL;
4723 	}
4724 
4725 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4726 		if (flags[flag]) {
4727 			params->sta_flags_set |= (1<<flag);
4728 
4729 			/* no longer support new API additions in old API */
4730 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4731 				return -EINVAL;
4732 		}
4733 	}
4734 
4735 	return 0;
4736 }
4737 
4738 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
4739 {
4740 	struct nlattr *rate;
4741 	u32 bitrate;
4742 	u16 bitrate_compat;
4743 	enum nl80211_rate_info rate_flg;
4744 
4745 	rate = nla_nest_start_noflag(msg, attr);
4746 	if (!rate)
4747 		return false;
4748 
4749 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4750 	bitrate = cfg80211_calculate_bitrate(info);
4751 	/* report 16-bit bitrate only if we can */
4752 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4753 	if (bitrate > 0 &&
4754 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4755 		return false;
4756 	if (bitrate_compat > 0 &&
4757 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4758 		return false;
4759 
4760 	switch (info->bw) {
4761 	case RATE_INFO_BW_5:
4762 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4763 		break;
4764 	case RATE_INFO_BW_10:
4765 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4766 		break;
4767 	default:
4768 		WARN_ON(1);
4769 		/* fall through */
4770 	case RATE_INFO_BW_20:
4771 		rate_flg = 0;
4772 		break;
4773 	case RATE_INFO_BW_40:
4774 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4775 		break;
4776 	case RATE_INFO_BW_80:
4777 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4778 		break;
4779 	case RATE_INFO_BW_160:
4780 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4781 		break;
4782 	case RATE_INFO_BW_HE_RU:
4783 		rate_flg = 0;
4784 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
4785 	}
4786 
4787 	if (rate_flg && nla_put_flag(msg, rate_flg))
4788 		return false;
4789 
4790 	if (info->flags & RATE_INFO_FLAGS_MCS) {
4791 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4792 			return false;
4793 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4794 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4795 			return false;
4796 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4797 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4798 			return false;
4799 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4800 			return false;
4801 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4802 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4803 			return false;
4804 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
4805 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
4806 			return false;
4807 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
4808 			return false;
4809 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
4810 			return false;
4811 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
4812 			return false;
4813 		if (info->bw == RATE_INFO_BW_HE_RU &&
4814 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
4815 			       info->he_ru_alloc))
4816 			return false;
4817 	}
4818 
4819 	nla_nest_end(msg, rate);
4820 	return true;
4821 }
4822 
4823 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4824 			       int id)
4825 {
4826 	void *attr;
4827 	int i = 0;
4828 
4829 	if (!mask)
4830 		return true;
4831 
4832 	attr = nla_nest_start_noflag(msg, id);
4833 	if (!attr)
4834 		return false;
4835 
4836 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4837 		if (!(mask & BIT(i)))
4838 			continue;
4839 
4840 		if (nla_put_u8(msg, i, signal[i]))
4841 			return false;
4842 	}
4843 
4844 	nla_nest_end(msg, attr);
4845 
4846 	return true;
4847 }
4848 
4849 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4850 				u32 seq, int flags,
4851 				struct cfg80211_registered_device *rdev,
4852 				struct net_device *dev,
4853 				const u8 *mac_addr, struct station_info *sinfo)
4854 {
4855 	void *hdr;
4856 	struct nlattr *sinfoattr, *bss_param;
4857 
4858 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4859 	if (!hdr)
4860 		return -1;
4861 
4862 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4863 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4864 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4865 		goto nla_put_failure;
4866 
4867 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
4868 	if (!sinfoattr)
4869 		goto nla_put_failure;
4870 
4871 #define PUT_SINFO(attr, memb, type) do {				\
4872 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
4873 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
4874 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
4875 			     sinfo->memb))				\
4876 		goto nla_put_failure;					\
4877 	} while (0)
4878 #define PUT_SINFO_U64(attr, memb) do {					\
4879 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
4880 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
4881 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
4882 		goto nla_put_failure;					\
4883 	} while (0)
4884 
4885 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4886 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4887 
4888 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
4889 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
4890 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4891 			(u32)sinfo->rx_bytes))
4892 		goto nla_put_failure;
4893 
4894 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
4895 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
4896 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4897 			(u32)sinfo->tx_bytes))
4898 		goto nla_put_failure;
4899 
4900 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4901 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4902 	PUT_SINFO(LLID, llid, u16);
4903 	PUT_SINFO(PLID, plid, u16);
4904 	PUT_SINFO(PLINK_STATE, plink_state, u8);
4905 	PUT_SINFO_U64(RX_DURATION, rx_duration);
4906 	PUT_SINFO_U64(TX_DURATION, tx_duration);
4907 
4908 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4909 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
4910 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
4911 
4912 	switch (rdev->wiphy.signal_type) {
4913 	case CFG80211_SIGNAL_TYPE_MBM:
4914 		PUT_SINFO(SIGNAL, signal, u8);
4915 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4916 		break;
4917 	default:
4918 		break;
4919 	}
4920 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4921 		if (!nl80211_put_signal(msg, sinfo->chains,
4922 					sinfo->chain_signal,
4923 					NL80211_STA_INFO_CHAIN_SIGNAL))
4924 			goto nla_put_failure;
4925 	}
4926 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4927 		if (!nl80211_put_signal(msg, sinfo->chains,
4928 					sinfo->chain_signal_avg,
4929 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4930 			goto nla_put_failure;
4931 	}
4932 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
4933 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4934 					  NL80211_STA_INFO_TX_BITRATE))
4935 			goto nla_put_failure;
4936 	}
4937 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
4938 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4939 					  NL80211_STA_INFO_RX_BITRATE))
4940 			goto nla_put_failure;
4941 	}
4942 
4943 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
4944 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
4945 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
4946 	PUT_SINFO(TX_FAILED, tx_failed, u32);
4947 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4948 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
4949 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4950 	PUT_SINFO(LOCAL_PM, local_pm, u32);
4951 	PUT_SINFO(PEER_PM, peer_pm, u32);
4952 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
4953 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
4954 
4955 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
4956 		bss_param = nla_nest_start_noflag(msg,
4957 						  NL80211_STA_INFO_BSS_PARAM);
4958 		if (!bss_param)
4959 			goto nla_put_failure;
4960 
4961 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
4962 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
4963 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
4964 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
4965 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
4966 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
4967 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
4968 			       sinfo->bss_param.dtim_period) ||
4969 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
4970 				sinfo->bss_param.beacon_interval))
4971 			goto nla_put_failure;
4972 
4973 		nla_nest_end(msg, bss_param);
4974 	}
4975 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
4976 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
4977 		    sizeof(struct nl80211_sta_flag_update),
4978 		    &sinfo->sta_flags))
4979 		goto nla_put_failure;
4980 
4981 	PUT_SINFO_U64(T_OFFSET, t_offset);
4982 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
4983 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
4984 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
4985 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
4986 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
4987 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4988 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
4989 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
4990 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
4991 	}
4992 
4993 #undef PUT_SINFO
4994 #undef PUT_SINFO_U64
4995 
4996 	if (sinfo->pertid) {
4997 		struct nlattr *tidsattr;
4998 		int tid;
4999 
5000 		tidsattr = nla_nest_start_noflag(msg,
5001 						 NL80211_STA_INFO_TID_STATS);
5002 		if (!tidsattr)
5003 			goto nla_put_failure;
5004 
5005 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5006 			struct cfg80211_tid_stats *tidstats;
5007 			struct nlattr *tidattr;
5008 
5009 			tidstats = &sinfo->pertid[tid];
5010 
5011 			if (!tidstats->filled)
5012 				continue;
5013 
5014 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5015 			if (!tidattr)
5016 				goto nla_put_failure;
5017 
5018 #define PUT_TIDVAL_U64(attr, memb) do {					\
5019 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5020 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5021 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5022 		goto nla_put_failure;					\
5023 	} while (0)
5024 
5025 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5026 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5027 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5028 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5029 
5030 #undef PUT_TIDVAL_U64
5031 			if ((tidstats->filled &
5032 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5033 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5034 						   NL80211_TID_STATS_TXQ_STATS))
5035 				goto nla_put_failure;
5036 
5037 			nla_nest_end(msg, tidattr);
5038 		}
5039 
5040 		nla_nest_end(msg, tidsattr);
5041 	}
5042 
5043 	nla_nest_end(msg, sinfoattr);
5044 
5045 	if (sinfo->assoc_req_ies_len &&
5046 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5047 		    sinfo->assoc_req_ies))
5048 		goto nla_put_failure;
5049 
5050 	cfg80211_sinfo_release_content(sinfo);
5051 	genlmsg_end(msg, hdr);
5052 	return 0;
5053 
5054  nla_put_failure:
5055 	cfg80211_sinfo_release_content(sinfo);
5056 	genlmsg_cancel(msg, hdr);
5057 	return -EMSGSIZE;
5058 }
5059 
5060 static int nl80211_dump_station(struct sk_buff *skb,
5061 				struct netlink_callback *cb)
5062 {
5063 	struct station_info sinfo;
5064 	struct cfg80211_registered_device *rdev;
5065 	struct wireless_dev *wdev;
5066 	u8 mac_addr[ETH_ALEN];
5067 	int sta_idx = cb->args[2];
5068 	int err;
5069 
5070 	rtnl_lock();
5071 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5072 	if (err)
5073 		goto out_err;
5074 
5075 	if (!wdev->netdev) {
5076 		err = -EINVAL;
5077 		goto out_err;
5078 	}
5079 
5080 	if (!rdev->ops->dump_station) {
5081 		err = -EOPNOTSUPP;
5082 		goto out_err;
5083 	}
5084 
5085 	while (1) {
5086 		memset(&sinfo, 0, sizeof(sinfo));
5087 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5088 					mac_addr, &sinfo);
5089 		if (err == -ENOENT)
5090 			break;
5091 		if (err)
5092 			goto out_err;
5093 
5094 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5095 				NETLINK_CB(cb->skb).portid,
5096 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5097 				rdev, wdev->netdev, mac_addr,
5098 				&sinfo) < 0)
5099 			goto out;
5100 
5101 		sta_idx++;
5102 	}
5103 
5104  out:
5105 	cb->args[2] = sta_idx;
5106 	err = skb->len;
5107  out_err:
5108 	rtnl_unlock();
5109 
5110 	return err;
5111 }
5112 
5113 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5114 {
5115 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5116 	struct net_device *dev = info->user_ptr[1];
5117 	struct station_info sinfo;
5118 	struct sk_buff *msg;
5119 	u8 *mac_addr = NULL;
5120 	int err;
5121 
5122 	memset(&sinfo, 0, sizeof(sinfo));
5123 
5124 	if (!info->attrs[NL80211_ATTR_MAC])
5125 		return -EINVAL;
5126 
5127 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5128 
5129 	if (!rdev->ops->get_station)
5130 		return -EOPNOTSUPP;
5131 
5132 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5133 	if (err)
5134 		return err;
5135 
5136 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5137 	if (!msg) {
5138 		cfg80211_sinfo_release_content(&sinfo);
5139 		return -ENOMEM;
5140 	}
5141 
5142 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5143 				 info->snd_portid, info->snd_seq, 0,
5144 				 rdev, dev, mac_addr, &sinfo) < 0) {
5145 		nlmsg_free(msg);
5146 		return -ENOBUFS;
5147 	}
5148 
5149 	return genlmsg_reply(msg, info);
5150 }
5151 
5152 int cfg80211_check_station_change(struct wiphy *wiphy,
5153 				  struct station_parameters *params,
5154 				  enum cfg80211_station_type statype)
5155 {
5156 	if (params->listen_interval != -1 &&
5157 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5158 		return -EINVAL;
5159 
5160 	if (params->support_p2p_ps != -1 &&
5161 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5162 		return -EINVAL;
5163 
5164 	if (params->aid &&
5165 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5166 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5167 		return -EINVAL;
5168 
5169 	/* When you run into this, adjust the code below for the new flag */
5170 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5171 
5172 	switch (statype) {
5173 	case CFG80211_STA_MESH_PEER_KERNEL:
5174 	case CFG80211_STA_MESH_PEER_USER:
5175 		/*
5176 		 * No ignoring the TDLS flag here -- the userspace mesh
5177 		 * code doesn't have the bug of including TDLS in the
5178 		 * mask everywhere.
5179 		 */
5180 		if (params->sta_flags_mask &
5181 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5182 				  BIT(NL80211_STA_FLAG_MFP) |
5183 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5184 			return -EINVAL;
5185 		break;
5186 	case CFG80211_STA_TDLS_PEER_SETUP:
5187 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5188 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5189 			return -EINVAL;
5190 		/* ignore since it can't change */
5191 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5192 		break;
5193 	default:
5194 		/* disallow mesh-specific things */
5195 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5196 			return -EINVAL;
5197 		if (params->local_pm)
5198 			return -EINVAL;
5199 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5200 			return -EINVAL;
5201 	}
5202 
5203 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5204 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5205 		/* TDLS can't be set, ... */
5206 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5207 			return -EINVAL;
5208 		/*
5209 		 * ... but don't bother the driver with it. This works around
5210 		 * a hostapd/wpa_supplicant issue -- it always includes the
5211 		 * TLDS_PEER flag in the mask even for AP mode.
5212 		 */
5213 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5214 	}
5215 
5216 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5217 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5218 		/* reject other things that can't change */
5219 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5220 			return -EINVAL;
5221 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5222 			return -EINVAL;
5223 		if (params->supported_rates)
5224 			return -EINVAL;
5225 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5226 		    params->he_capa)
5227 			return -EINVAL;
5228 	}
5229 
5230 	if (statype != CFG80211_STA_AP_CLIENT &&
5231 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5232 		if (params->vlan)
5233 			return -EINVAL;
5234 	}
5235 
5236 	switch (statype) {
5237 	case CFG80211_STA_AP_MLME_CLIENT:
5238 		/* Use this only for authorizing/unauthorizing a station */
5239 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5240 			return -EOPNOTSUPP;
5241 		break;
5242 	case CFG80211_STA_AP_CLIENT:
5243 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5244 		/* accept only the listed bits */
5245 		if (params->sta_flags_mask &
5246 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5247 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5248 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5249 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5250 				  BIT(NL80211_STA_FLAG_WME) |
5251 				  BIT(NL80211_STA_FLAG_MFP)))
5252 			return -EINVAL;
5253 
5254 		/* but authenticated/associated only if driver handles it */
5255 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5256 		    params->sta_flags_mask &
5257 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5258 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5259 			return -EINVAL;
5260 		break;
5261 	case CFG80211_STA_IBSS:
5262 	case CFG80211_STA_AP_STA:
5263 		/* reject any changes other than AUTHORIZED */
5264 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5265 			return -EINVAL;
5266 		break;
5267 	case CFG80211_STA_TDLS_PEER_SETUP:
5268 		/* reject any changes other than AUTHORIZED or WME */
5269 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5270 					       BIT(NL80211_STA_FLAG_WME)))
5271 			return -EINVAL;
5272 		/* force (at least) rates when authorizing */
5273 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5274 		    !params->supported_rates)
5275 			return -EINVAL;
5276 		break;
5277 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5278 		/* reject any changes */
5279 		return -EINVAL;
5280 	case CFG80211_STA_MESH_PEER_KERNEL:
5281 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5282 			return -EINVAL;
5283 		break;
5284 	case CFG80211_STA_MESH_PEER_USER:
5285 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5286 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5287 			return -EINVAL;
5288 		break;
5289 	}
5290 
5291 	/*
5292 	 * Older kernel versions ignored this attribute entirely, so don't
5293 	 * reject attempts to update it but mark it as unused instead so the
5294 	 * driver won't look at the data.
5295 	 */
5296 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5297 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5298 		params->opmode_notif_used = false;
5299 
5300 	return 0;
5301 }
5302 EXPORT_SYMBOL(cfg80211_check_station_change);
5303 
5304 /*
5305  * Get vlan interface making sure it is running and on the right wiphy.
5306  */
5307 static struct net_device *get_vlan(struct genl_info *info,
5308 				   struct cfg80211_registered_device *rdev)
5309 {
5310 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5311 	struct net_device *v;
5312 	int ret;
5313 
5314 	if (!vlanattr)
5315 		return NULL;
5316 
5317 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5318 	if (!v)
5319 		return ERR_PTR(-ENODEV);
5320 
5321 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5322 		ret = -EINVAL;
5323 		goto error;
5324 	}
5325 
5326 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5327 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5328 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5329 		ret = -EINVAL;
5330 		goto error;
5331 	}
5332 
5333 	if (!netif_running(v)) {
5334 		ret = -ENETDOWN;
5335 		goto error;
5336 	}
5337 
5338 	return v;
5339  error:
5340 	dev_put(v);
5341 	return ERR_PTR(ret);
5342 }
5343 
5344 static const struct nla_policy
5345 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5346 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5347 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5348 };
5349 
5350 static int nl80211_parse_sta_wme(struct genl_info *info,
5351 				 struct station_parameters *params)
5352 {
5353 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5354 	struct nlattr *nla;
5355 	int err;
5356 
5357 	/* parse WME attributes if present */
5358 	if (!info->attrs[NL80211_ATTR_STA_WME])
5359 		return 0;
5360 
5361 	nla = info->attrs[NL80211_ATTR_STA_WME];
5362 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5363 					  nl80211_sta_wme_policy,
5364 					  info->extack);
5365 	if (err)
5366 		return err;
5367 
5368 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5369 		params->uapsd_queues = nla_get_u8(
5370 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5371 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5372 		return -EINVAL;
5373 
5374 	if (tb[NL80211_STA_WME_MAX_SP])
5375 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5376 
5377 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5378 		return -EINVAL;
5379 
5380 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5381 
5382 	return 0;
5383 }
5384 
5385 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5386 				      struct station_parameters *params)
5387 {
5388 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5389 		params->supported_channels =
5390 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5391 		params->supported_channels_len =
5392 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5393 		/*
5394 		 * Need to include at least one (first channel, number of
5395 		 * channels) tuple for each subband, and must have proper
5396 		 * tuples for the rest of the data as well.
5397 		 */
5398 		if (params->supported_channels_len < 2)
5399 			return -EINVAL;
5400 		if (params->supported_channels_len % 2)
5401 			return -EINVAL;
5402 	}
5403 
5404 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5405 		params->supported_oper_classes =
5406 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5407 		params->supported_oper_classes_len =
5408 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5409 		/*
5410 		 * The value of the Length field of the Supported Operating
5411 		 * Classes element is between 2 and 253.
5412 		 */
5413 		if (params->supported_oper_classes_len < 2 ||
5414 		    params->supported_oper_classes_len > 253)
5415 			return -EINVAL;
5416 	}
5417 	return 0;
5418 }
5419 
5420 static int nl80211_set_station_tdls(struct genl_info *info,
5421 				    struct station_parameters *params)
5422 {
5423 	int err;
5424 	/* Dummy STA entry gets updated once the peer capabilities are known */
5425 	if (info->attrs[NL80211_ATTR_PEER_AID])
5426 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5427 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5428 		params->ht_capa =
5429 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5430 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5431 		params->vht_capa =
5432 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5433 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5434 		params->he_capa =
5435 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5436 		params->he_capa_len =
5437 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5438 
5439 		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5440 			return -EINVAL;
5441 	}
5442 
5443 	err = nl80211_parse_sta_channel_info(info, params);
5444 	if (err)
5445 		return err;
5446 
5447 	return nl80211_parse_sta_wme(info, params);
5448 }
5449 
5450 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
5451 					     struct station_parameters *params)
5452 {
5453 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5454 	int idx;
5455 
5456 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
5457 		if (!rdev->ops->set_tx_power ||
5458 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5459 					 NL80211_EXT_FEATURE_STA_TX_PWR))
5460 			return -EOPNOTSUPP;
5461 
5462 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
5463 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
5464 
5465 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
5466 			idx = NL80211_ATTR_STA_TX_POWER;
5467 
5468 			if (info->attrs[idx])
5469 				params->txpwr.power =
5470 					nla_get_s16(info->attrs[idx]);
5471 			else
5472 				return -EINVAL;
5473 		}
5474 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
5475 	}
5476 
5477 	return 0;
5478 }
5479 
5480 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5481 {
5482 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5483 	struct net_device *dev = info->user_ptr[1];
5484 	struct station_parameters params;
5485 	u8 *mac_addr;
5486 	int err;
5487 
5488 	memset(&params, 0, sizeof(params));
5489 
5490 	if (!rdev->ops->change_station)
5491 		return -EOPNOTSUPP;
5492 
5493 	/*
5494 	 * AID and listen_interval properties can be set only for unassociated
5495 	 * station. Include these parameters here and will check them in
5496 	 * cfg80211_check_station_change().
5497 	 */
5498 	if (info->attrs[NL80211_ATTR_STA_AID])
5499 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5500 
5501 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5502 		params.listen_interval =
5503 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5504 	else
5505 		params.listen_interval = -1;
5506 
5507 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5508 		params.support_p2p_ps =
5509 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5510 	else
5511 		params.support_p2p_ps = -1;
5512 
5513 	if (!info->attrs[NL80211_ATTR_MAC])
5514 		return -EINVAL;
5515 
5516 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5517 
5518 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5519 		params.supported_rates =
5520 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5521 		params.supported_rates_len =
5522 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5523 	}
5524 
5525 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5526 		params.capability =
5527 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5528 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5529 	}
5530 
5531 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5532 		params.ext_capab =
5533 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5534 		params.ext_capab_len =
5535 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5536 	}
5537 
5538 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5539 		return -EINVAL;
5540 
5541 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5542 		params.plink_action =
5543 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5544 
5545 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5546 		params.plink_state =
5547 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5548 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5549 			params.peer_aid = nla_get_u16(
5550 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5551 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5552 	}
5553 
5554 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5555 		params.local_pm = nla_get_u32(
5556 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5557 
5558 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5559 		params.opmode_notif_used = true;
5560 		params.opmode_notif =
5561 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5562 	}
5563 
5564 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5565 		params.airtime_weight =
5566 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5567 
5568 	if (params.airtime_weight &&
5569 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5570 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5571 		return -EOPNOTSUPP;
5572 
5573 	err = nl80211_parse_sta_txpower_setting(info, &params);
5574 	if (err)
5575 		return err;
5576 
5577 	/* Include parameters for TDLS peer (will check later) */
5578 	err = nl80211_set_station_tdls(info, &params);
5579 	if (err)
5580 		return err;
5581 
5582 	params.vlan = get_vlan(info, rdev);
5583 	if (IS_ERR(params.vlan))
5584 		return PTR_ERR(params.vlan);
5585 
5586 	switch (dev->ieee80211_ptr->iftype) {
5587 	case NL80211_IFTYPE_AP:
5588 	case NL80211_IFTYPE_AP_VLAN:
5589 	case NL80211_IFTYPE_P2P_GO:
5590 	case NL80211_IFTYPE_P2P_CLIENT:
5591 	case NL80211_IFTYPE_STATION:
5592 	case NL80211_IFTYPE_ADHOC:
5593 	case NL80211_IFTYPE_MESH_POINT:
5594 		break;
5595 	default:
5596 		err = -EOPNOTSUPP;
5597 		goto out_put_vlan;
5598 	}
5599 
5600 	/* driver will call cfg80211_check_station_change() */
5601 	err = rdev_change_station(rdev, dev, mac_addr, &params);
5602 
5603  out_put_vlan:
5604 	if (params.vlan)
5605 		dev_put(params.vlan);
5606 
5607 	return err;
5608 }
5609 
5610 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5611 {
5612 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5613 	int err;
5614 	struct net_device *dev = info->user_ptr[1];
5615 	struct station_parameters params;
5616 	u8 *mac_addr = NULL;
5617 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5618 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
5619 
5620 	memset(&params, 0, sizeof(params));
5621 
5622 	if (!rdev->ops->add_station)
5623 		return -EOPNOTSUPP;
5624 
5625 	if (!info->attrs[NL80211_ATTR_MAC])
5626 		return -EINVAL;
5627 
5628 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5629 		return -EINVAL;
5630 
5631 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5632 		return -EINVAL;
5633 
5634 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
5635 	    !info->attrs[NL80211_ATTR_PEER_AID])
5636 		return -EINVAL;
5637 
5638 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5639 	params.supported_rates =
5640 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5641 	params.supported_rates_len =
5642 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5643 	params.listen_interval =
5644 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5645 
5646 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5647 		params.support_p2p_ps =
5648 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5649 	} else {
5650 		/*
5651 		 * if not specified, assume it's supported for P2P GO interface,
5652 		 * and is NOT supported for AP interface
5653 		 */
5654 		params.support_p2p_ps =
5655 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5656 	}
5657 
5658 	if (info->attrs[NL80211_ATTR_PEER_AID])
5659 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5660 	else
5661 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5662 
5663 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5664 		params.capability =
5665 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5666 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5667 	}
5668 
5669 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5670 		params.ext_capab =
5671 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5672 		params.ext_capab_len =
5673 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5674 	}
5675 
5676 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5677 		params.ht_capa =
5678 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5679 
5680 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5681 		params.vht_capa =
5682 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5683 
5684 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5685 		params.he_capa =
5686 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5687 		params.he_capa_len =
5688 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5689 
5690 		/* max len is validated in nla policy */
5691 		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5692 			return -EINVAL;
5693 	}
5694 
5695 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5696 		params.opmode_notif_used = true;
5697 		params.opmode_notif =
5698 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5699 	}
5700 
5701 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5702 		params.plink_action =
5703 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5704 
5705 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
5706 		params.airtime_weight =
5707 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
5708 
5709 	if (params.airtime_weight &&
5710 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5711 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5712 		return -EOPNOTSUPP;
5713 
5714 	err = nl80211_parse_sta_txpower_setting(info, &params);
5715 	if (err)
5716 		return err;
5717 
5718 	err = nl80211_parse_sta_channel_info(info, &params);
5719 	if (err)
5720 		return err;
5721 
5722 	err = nl80211_parse_sta_wme(info, &params);
5723 	if (err)
5724 		return err;
5725 
5726 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5727 		return -EINVAL;
5728 
5729 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5730 	 * as userspace might just pass through the capabilities from the IEs
5731 	 * directly, rather than enforcing this restriction and returning an
5732 	 * error in this case.
5733 	 */
5734 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5735 		params.ht_capa = NULL;
5736 		params.vht_capa = NULL;
5737 
5738 		/* HE requires WME */
5739 		if (params.he_capa_len)
5740 			return -EINVAL;
5741 	}
5742 
5743 	/* When you run into this, adjust the code below for the new flag */
5744 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5745 
5746 	switch (dev->ieee80211_ptr->iftype) {
5747 	case NL80211_IFTYPE_AP:
5748 	case NL80211_IFTYPE_AP_VLAN:
5749 	case NL80211_IFTYPE_P2P_GO:
5750 		/* ignore WME attributes if iface/sta is not capable */
5751 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5752 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5753 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5754 
5755 		/* TDLS peers cannot be added */
5756 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5757 		    info->attrs[NL80211_ATTR_PEER_AID])
5758 			return -EINVAL;
5759 		/* but don't bother the driver with it */
5760 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5761 
5762 		/* allow authenticated/associated only if driver handles it */
5763 		if (!(rdev->wiphy.features &
5764 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5765 		    params.sta_flags_mask & auth_assoc)
5766 			return -EINVAL;
5767 
5768 		/* Older userspace, or userspace wanting to be compatible with
5769 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5770 		 * and assoc flags in the mask, but assumes the station will be
5771 		 * added as associated anyway since this was the required driver
5772 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5773 		 * introduced.
5774 		 * In order to not bother drivers with this quirk in the API
5775 		 * set the flags in both the mask and set for new stations in
5776 		 * this case.
5777 		 */
5778 		if (!(params.sta_flags_mask & auth_assoc)) {
5779 			params.sta_flags_mask |= auth_assoc;
5780 			params.sta_flags_set |= auth_assoc;
5781 		}
5782 
5783 		/* must be last in here for error handling */
5784 		params.vlan = get_vlan(info, rdev);
5785 		if (IS_ERR(params.vlan))
5786 			return PTR_ERR(params.vlan);
5787 		break;
5788 	case NL80211_IFTYPE_MESH_POINT:
5789 		/* ignore uAPSD data */
5790 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5791 
5792 		/* associated is disallowed */
5793 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5794 			return -EINVAL;
5795 		/* TDLS peers cannot be added */
5796 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5797 		    info->attrs[NL80211_ATTR_PEER_AID])
5798 			return -EINVAL;
5799 		break;
5800 	case NL80211_IFTYPE_STATION:
5801 	case NL80211_IFTYPE_P2P_CLIENT:
5802 		/* ignore uAPSD data */
5803 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5804 
5805 		/* these are disallowed */
5806 		if (params.sta_flags_mask &
5807 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
5808 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5809 			return -EINVAL;
5810 		/* Only TDLS peers can be added */
5811 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5812 			return -EINVAL;
5813 		/* Can only add if TDLS ... */
5814 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5815 			return -EOPNOTSUPP;
5816 		/* ... with external setup is supported */
5817 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5818 			return -EOPNOTSUPP;
5819 		/*
5820 		 * Older wpa_supplicant versions always mark the TDLS peer
5821 		 * as authorized, but it shouldn't yet be.
5822 		 */
5823 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
5824 		break;
5825 	default:
5826 		return -EOPNOTSUPP;
5827 	}
5828 
5829 	/* be aware of params.vlan when changing code here */
5830 
5831 	err = rdev_add_station(rdev, dev, mac_addr, &params);
5832 
5833 	if (params.vlan)
5834 		dev_put(params.vlan);
5835 	return err;
5836 }
5837 
5838 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
5839 {
5840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5841 	struct net_device *dev = info->user_ptr[1];
5842 	struct station_del_parameters params;
5843 
5844 	memset(&params, 0, sizeof(params));
5845 
5846 	if (info->attrs[NL80211_ATTR_MAC])
5847 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
5848 
5849 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5850 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5851 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5852 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5853 		return -EINVAL;
5854 
5855 	if (!rdev->ops->del_station)
5856 		return -EOPNOTSUPP;
5857 
5858 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
5859 		params.subtype =
5860 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
5861 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
5862 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
5863 			return -EINVAL;
5864 	} else {
5865 		/* Default to Deauthentication frame */
5866 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
5867 	}
5868 
5869 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
5870 		params.reason_code =
5871 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5872 		if (params.reason_code == 0)
5873 			return -EINVAL; /* 0 is reserved */
5874 	} else {
5875 		/* Default to reason code 2 */
5876 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
5877 	}
5878 
5879 	return rdev_del_station(rdev, dev, &params);
5880 }
5881 
5882 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
5883 				int flags, struct net_device *dev,
5884 				u8 *dst, u8 *next_hop,
5885 				struct mpath_info *pinfo)
5886 {
5887 	void *hdr;
5888 	struct nlattr *pinfoattr;
5889 
5890 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
5891 	if (!hdr)
5892 		return -1;
5893 
5894 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5895 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
5896 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
5897 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
5898 		goto nla_put_failure;
5899 
5900 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
5901 	if (!pinfoattr)
5902 		goto nla_put_failure;
5903 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
5904 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
5905 			pinfo->frame_qlen))
5906 		goto nla_put_failure;
5907 	if (((pinfo->filled & MPATH_INFO_SN) &&
5908 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
5909 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
5910 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
5911 			 pinfo->metric)) ||
5912 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
5913 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
5914 			 pinfo->exptime)) ||
5915 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
5916 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
5917 			pinfo->flags)) ||
5918 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
5919 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
5920 			 pinfo->discovery_timeout)) ||
5921 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
5922 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
5923 			pinfo->discovery_retries)) ||
5924 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
5925 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
5926 			pinfo->hop_count)) ||
5927 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
5928 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
5929 			 pinfo->path_change_count)))
5930 		goto nla_put_failure;
5931 
5932 	nla_nest_end(msg, pinfoattr);
5933 
5934 	genlmsg_end(msg, hdr);
5935 	return 0;
5936 
5937  nla_put_failure:
5938 	genlmsg_cancel(msg, hdr);
5939 	return -EMSGSIZE;
5940 }
5941 
5942 static int nl80211_dump_mpath(struct sk_buff *skb,
5943 			      struct netlink_callback *cb)
5944 {
5945 	struct mpath_info pinfo;
5946 	struct cfg80211_registered_device *rdev;
5947 	struct wireless_dev *wdev;
5948 	u8 dst[ETH_ALEN];
5949 	u8 next_hop[ETH_ALEN];
5950 	int path_idx = cb->args[2];
5951 	int err;
5952 
5953 	rtnl_lock();
5954 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5955 	if (err)
5956 		goto out_err;
5957 
5958 	if (!rdev->ops->dump_mpath) {
5959 		err = -EOPNOTSUPP;
5960 		goto out_err;
5961 	}
5962 
5963 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5964 		err = -EOPNOTSUPP;
5965 		goto out_err;
5966 	}
5967 
5968 	while (1) {
5969 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
5970 				      next_hop, &pinfo);
5971 		if (err == -ENOENT)
5972 			break;
5973 		if (err)
5974 			goto out_err;
5975 
5976 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5977 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
5978 				       wdev->netdev, dst, next_hop,
5979 				       &pinfo) < 0)
5980 			goto out;
5981 
5982 		path_idx++;
5983 	}
5984 
5985  out:
5986 	cb->args[2] = path_idx;
5987 	err = skb->len;
5988  out_err:
5989 	rtnl_unlock();
5990 	return err;
5991 }
5992 
5993 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
5994 {
5995 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5996 	int err;
5997 	struct net_device *dev = info->user_ptr[1];
5998 	struct mpath_info pinfo;
5999 	struct sk_buff *msg;
6000 	u8 *dst = NULL;
6001 	u8 next_hop[ETH_ALEN];
6002 
6003 	memset(&pinfo, 0, sizeof(pinfo));
6004 
6005 	if (!info->attrs[NL80211_ATTR_MAC])
6006 		return -EINVAL;
6007 
6008 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6009 
6010 	if (!rdev->ops->get_mpath)
6011 		return -EOPNOTSUPP;
6012 
6013 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6014 		return -EOPNOTSUPP;
6015 
6016 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6017 	if (err)
6018 		return err;
6019 
6020 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6021 	if (!msg)
6022 		return -ENOMEM;
6023 
6024 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6025 				 dev, dst, next_hop, &pinfo) < 0) {
6026 		nlmsg_free(msg);
6027 		return -ENOBUFS;
6028 	}
6029 
6030 	return genlmsg_reply(msg, info);
6031 }
6032 
6033 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6034 {
6035 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6036 	struct net_device *dev = info->user_ptr[1];
6037 	u8 *dst = NULL;
6038 	u8 *next_hop = NULL;
6039 
6040 	if (!info->attrs[NL80211_ATTR_MAC])
6041 		return -EINVAL;
6042 
6043 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6044 		return -EINVAL;
6045 
6046 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6047 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6048 
6049 	if (!rdev->ops->change_mpath)
6050 		return -EOPNOTSUPP;
6051 
6052 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6053 		return -EOPNOTSUPP;
6054 
6055 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6056 }
6057 
6058 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6059 {
6060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6061 	struct net_device *dev = info->user_ptr[1];
6062 	u8 *dst = NULL;
6063 	u8 *next_hop = NULL;
6064 
6065 	if (!info->attrs[NL80211_ATTR_MAC])
6066 		return -EINVAL;
6067 
6068 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6069 		return -EINVAL;
6070 
6071 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6072 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6073 
6074 	if (!rdev->ops->add_mpath)
6075 		return -EOPNOTSUPP;
6076 
6077 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6078 		return -EOPNOTSUPP;
6079 
6080 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6081 }
6082 
6083 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6084 {
6085 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6086 	struct net_device *dev = info->user_ptr[1];
6087 	u8 *dst = NULL;
6088 
6089 	if (info->attrs[NL80211_ATTR_MAC])
6090 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6091 
6092 	if (!rdev->ops->del_mpath)
6093 		return -EOPNOTSUPP;
6094 
6095 	return rdev_del_mpath(rdev, dev, dst);
6096 }
6097 
6098 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6099 {
6100 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6101 	int err;
6102 	struct net_device *dev = info->user_ptr[1];
6103 	struct mpath_info pinfo;
6104 	struct sk_buff *msg;
6105 	u8 *dst = NULL;
6106 	u8 mpp[ETH_ALEN];
6107 
6108 	memset(&pinfo, 0, sizeof(pinfo));
6109 
6110 	if (!info->attrs[NL80211_ATTR_MAC])
6111 		return -EINVAL;
6112 
6113 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6114 
6115 	if (!rdev->ops->get_mpp)
6116 		return -EOPNOTSUPP;
6117 
6118 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6119 		return -EOPNOTSUPP;
6120 
6121 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6122 	if (err)
6123 		return err;
6124 
6125 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6126 	if (!msg)
6127 		return -ENOMEM;
6128 
6129 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6130 			       dev, dst, mpp, &pinfo) < 0) {
6131 		nlmsg_free(msg);
6132 		return -ENOBUFS;
6133 	}
6134 
6135 	return genlmsg_reply(msg, info);
6136 }
6137 
6138 static int nl80211_dump_mpp(struct sk_buff *skb,
6139 			    struct netlink_callback *cb)
6140 {
6141 	struct mpath_info pinfo;
6142 	struct cfg80211_registered_device *rdev;
6143 	struct wireless_dev *wdev;
6144 	u8 dst[ETH_ALEN];
6145 	u8 mpp[ETH_ALEN];
6146 	int path_idx = cb->args[2];
6147 	int err;
6148 
6149 	rtnl_lock();
6150 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6151 	if (err)
6152 		goto out_err;
6153 
6154 	if (!rdev->ops->dump_mpp) {
6155 		err = -EOPNOTSUPP;
6156 		goto out_err;
6157 	}
6158 
6159 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6160 		err = -EOPNOTSUPP;
6161 		goto out_err;
6162 	}
6163 
6164 	while (1) {
6165 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6166 				    mpp, &pinfo);
6167 		if (err == -ENOENT)
6168 			break;
6169 		if (err)
6170 			goto out_err;
6171 
6172 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6173 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6174 				       wdev->netdev, dst, mpp,
6175 				       &pinfo) < 0)
6176 			goto out;
6177 
6178 		path_idx++;
6179 	}
6180 
6181  out:
6182 	cb->args[2] = path_idx;
6183 	err = skb->len;
6184  out_err:
6185 	rtnl_unlock();
6186 	return err;
6187 }
6188 
6189 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6190 {
6191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6192 	struct net_device *dev = info->user_ptr[1];
6193 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6194 	struct bss_parameters params;
6195 	int err;
6196 
6197 	memset(&params, 0, sizeof(params));
6198 	/* default to not changing parameters */
6199 	params.use_cts_prot = -1;
6200 	params.use_short_preamble = -1;
6201 	params.use_short_slot_time = -1;
6202 	params.ap_isolate = -1;
6203 	params.ht_opmode = -1;
6204 	params.p2p_ctwindow = -1;
6205 	params.p2p_opp_ps = -1;
6206 
6207 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6208 		params.use_cts_prot =
6209 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6210 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6211 		params.use_short_preamble =
6212 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6213 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6214 		params.use_short_slot_time =
6215 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6216 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6217 		params.basic_rates =
6218 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6219 		params.basic_rates_len =
6220 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6221 	}
6222 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6223 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6224 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6225 		params.ht_opmode =
6226 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6227 
6228 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6229 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6230 			return -EINVAL;
6231 		params.p2p_ctwindow =
6232 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6233 		if (params.p2p_ctwindow != 0 &&
6234 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6235 			return -EINVAL;
6236 	}
6237 
6238 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6239 		u8 tmp;
6240 
6241 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6242 			return -EINVAL;
6243 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6244 		params.p2p_opp_ps = tmp;
6245 		if (params.p2p_opp_ps &&
6246 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6247 			return -EINVAL;
6248 	}
6249 
6250 	if (!rdev->ops->change_bss)
6251 		return -EOPNOTSUPP;
6252 
6253 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6254 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6255 		return -EOPNOTSUPP;
6256 
6257 	wdev_lock(wdev);
6258 	err = rdev_change_bss(rdev, dev, &params);
6259 	wdev_unlock(wdev);
6260 
6261 	return err;
6262 }
6263 
6264 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6265 {
6266 	char *data = NULL;
6267 	bool is_indoor;
6268 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6269 	u32 owner_nlportid;
6270 
6271 	/*
6272 	 * You should only get this when cfg80211 hasn't yet initialized
6273 	 * completely when built-in to the kernel right between the time
6274 	 * window between nl80211_init() and regulatory_init(), if that is
6275 	 * even possible.
6276 	 */
6277 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6278 		return -EINPROGRESS;
6279 
6280 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6281 		user_reg_hint_type =
6282 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6283 	else
6284 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6285 
6286 	switch (user_reg_hint_type) {
6287 	case NL80211_USER_REG_HINT_USER:
6288 	case NL80211_USER_REG_HINT_CELL_BASE:
6289 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6290 			return -EINVAL;
6291 
6292 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6293 		return regulatory_hint_user(data, user_reg_hint_type);
6294 	case NL80211_USER_REG_HINT_INDOOR:
6295 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6296 			owner_nlportid = info->snd_portid;
6297 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6298 		} else {
6299 			owner_nlportid = 0;
6300 			is_indoor = true;
6301 		}
6302 
6303 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6304 	default:
6305 		return -EINVAL;
6306 	}
6307 }
6308 
6309 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6310 {
6311 	return reg_reload_regdb();
6312 }
6313 
6314 static int nl80211_get_mesh_config(struct sk_buff *skb,
6315 				   struct genl_info *info)
6316 {
6317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6318 	struct net_device *dev = info->user_ptr[1];
6319 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6320 	struct mesh_config cur_params;
6321 	int err = 0;
6322 	void *hdr;
6323 	struct nlattr *pinfoattr;
6324 	struct sk_buff *msg;
6325 
6326 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6327 		return -EOPNOTSUPP;
6328 
6329 	if (!rdev->ops->get_mesh_config)
6330 		return -EOPNOTSUPP;
6331 
6332 	wdev_lock(wdev);
6333 	/* If not connected, get default parameters */
6334 	if (!wdev->mesh_id_len)
6335 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6336 	else
6337 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6338 	wdev_unlock(wdev);
6339 
6340 	if (err)
6341 		return err;
6342 
6343 	/* Draw up a netlink message to send back */
6344 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6345 	if (!msg)
6346 		return -ENOMEM;
6347 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6348 			     NL80211_CMD_GET_MESH_CONFIG);
6349 	if (!hdr)
6350 		goto out;
6351 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
6352 	if (!pinfoattr)
6353 		goto nla_put_failure;
6354 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6355 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6356 			cur_params.dot11MeshRetryTimeout) ||
6357 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6358 			cur_params.dot11MeshConfirmTimeout) ||
6359 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6360 			cur_params.dot11MeshHoldingTimeout) ||
6361 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6362 			cur_params.dot11MeshMaxPeerLinks) ||
6363 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6364 		       cur_params.dot11MeshMaxRetries) ||
6365 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6366 		       cur_params.dot11MeshTTL) ||
6367 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6368 		       cur_params.element_ttl) ||
6369 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6370 		       cur_params.auto_open_plinks) ||
6371 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6372 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6373 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6374 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6375 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6376 			cur_params.path_refresh_time) ||
6377 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6378 			cur_params.min_discovery_timeout) ||
6379 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6380 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6381 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6382 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6383 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6384 			cur_params.dot11MeshHWMPperrMinInterval) ||
6385 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6386 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6387 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6388 		       cur_params.dot11MeshHWMPRootMode) ||
6389 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6390 			cur_params.dot11MeshHWMPRannInterval) ||
6391 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6392 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6393 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6394 		       cur_params.dot11MeshForwarding) ||
6395 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6396 			cur_params.rssi_threshold) ||
6397 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6398 			cur_params.ht_opmode) ||
6399 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6400 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6401 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6402 			cur_params.dot11MeshHWMProotInterval) ||
6403 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6404 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6405 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6406 			cur_params.power_mode) ||
6407 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6408 			cur_params.dot11MeshAwakeWindowDuration) ||
6409 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6410 			cur_params.plink_timeout) ||
6411 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
6412 		       cur_params.dot11MeshConnectedToMeshGate))
6413 		goto nla_put_failure;
6414 	nla_nest_end(msg, pinfoattr);
6415 	genlmsg_end(msg, hdr);
6416 	return genlmsg_reply(msg, info);
6417 
6418  nla_put_failure:
6419  out:
6420 	nlmsg_free(msg);
6421 	return -ENOBUFS;
6422 }
6423 
6424 static const struct nla_policy
6425 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6426 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
6427 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6428 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6429 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6430 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
6431 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6432 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
6433 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
6434 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6435 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6436 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6437 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6438 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6439 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
6440 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6441 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6442 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6443 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6444 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6445 		NLA_POLICY_MIN(NLA_U16, 1),
6446 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6447 		NLA_POLICY_MIN(NLA_U16, 1),
6448 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6449 		NLA_POLICY_MIN(NLA_U16, 1),
6450 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6451 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6452 		NLA_POLICY_MIN(NLA_U16, 1),
6453 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6454 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6455 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
6456 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
6457 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6458 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6459 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6460 		NLA_POLICY_MIN(NLA_U16, 1),
6461 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6462 		NLA_POLICY_MIN(NLA_U16, 1),
6463 	[NL80211_MESHCONF_POWER_MODE] =
6464 		NLA_POLICY_RANGE(NLA_U32,
6465 				 NL80211_MESH_POWER_ACTIVE,
6466 				 NL80211_MESH_POWER_MAX),
6467 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6468 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6469 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
6470 };
6471 
6472 static const struct nla_policy
6473 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6474 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6475 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6476 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6477 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6478 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6479 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6480 	[NL80211_MESH_SETUP_IE] =
6481 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6482 				       IEEE80211_MAX_DATA_LEN),
6483 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6484 };
6485 
6486 static int nl80211_parse_mesh_config(struct genl_info *info,
6487 				     struct mesh_config *cfg,
6488 				     u32 *mask_out)
6489 {
6490 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6491 	u32 mask = 0;
6492 	u16 ht_opmode;
6493 
6494 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
6495 do {									\
6496 	if (tb[attr]) {							\
6497 		cfg->param = fn(tb[attr]);				\
6498 		mask |= BIT((attr) - 1);				\
6499 	}								\
6500 } while (0)
6501 
6502 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6503 		return -EINVAL;
6504 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
6505 		return -EINVAL;
6506 
6507 	/* This makes sure that there aren't more than 32 mesh config
6508 	 * parameters (otherwise our bitfield scheme would not work.) */
6509 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6510 
6511 	/* Fill in the params struct */
6512 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6513 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6514 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6515 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
6516 				  nla_get_u16);
6517 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6518 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
6519 				  nla_get_u16);
6520 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6521 				  NL80211_MESHCONF_MAX_PEER_LINKS,
6522 				  nla_get_u16);
6523 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6524 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6525 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6526 				  NL80211_MESHCONF_TTL, nla_get_u8);
6527 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6528 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6529 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6530 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6531 				  nla_get_u8);
6532 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6533 				  mask,
6534 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6535 				  nla_get_u32);
6536 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6537 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6538 				  nla_get_u8);
6539 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6540 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
6541 				  nla_get_u32);
6542 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6543 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6544 		return -EINVAL;
6545 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6546 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6547 				  nla_get_u16);
6548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6549 				  mask,
6550 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6551 				  nla_get_u32);
6552 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
6553 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
6554 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
6555 		return -EINVAL;
6556 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
6557 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6558 				  nla_get_u16);
6559 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
6560 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6561 				  nla_get_u16);
6562 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6563 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
6564 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6565 				  nla_get_u16);
6566 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
6567 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
6568 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
6569 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6570 				  nla_get_u16);
6571 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
6572 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6573 				  nla_get_u8);
6574 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
6575 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
6576 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
6577 				  NL80211_MESHCONF_RSSI_THRESHOLD,
6578 				  nla_get_s32);
6579 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
6580 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
6581 				  nla_get_u8);
6582 	/*
6583 	 * Check HT operation mode based on
6584 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6585 	 */
6586 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6587 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6588 
6589 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6590 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6591 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6592 			return -EINVAL;
6593 
6594 		/* NON_HT_STA bit is reserved, but some programs set it */
6595 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6596 
6597 		cfg->ht_opmode = ht_opmode;
6598 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6599 	}
6600 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6601 				  dot11MeshHWMPactivePathToRootTimeout, mask,
6602 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6603 				  nla_get_u32);
6604 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
6605 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
6606 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
6607 		return -EINVAL;
6608 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
6609 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6610 				  nla_get_u16);
6611 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
6612 				  mask,
6613 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6614 				  nla_get_u16);
6615 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
6616 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
6617 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
6618 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
6619 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
6620 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
6621 	if (mask_out)
6622 		*mask_out = mask;
6623 
6624 	return 0;
6625 
6626 #undef FILL_IN_MESH_PARAM_IF_SET
6627 }
6628 
6629 static int nl80211_parse_mesh_setup(struct genl_info *info,
6630 				     struct mesh_setup *setup)
6631 {
6632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6633 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6634 
6635 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6636 		return -EINVAL;
6637 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
6638 		return -EINVAL;
6639 
6640 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6641 		setup->sync_method =
6642 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6643 		 IEEE80211_SYNC_METHOD_VENDOR :
6644 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6645 
6646 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6647 		setup->path_sel_proto =
6648 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6649 		 IEEE80211_PATH_PROTOCOL_VENDOR :
6650 		 IEEE80211_PATH_PROTOCOL_HWMP;
6651 
6652 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6653 		setup->path_metric =
6654 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6655 		 IEEE80211_PATH_METRIC_VENDOR :
6656 		 IEEE80211_PATH_METRIC_AIRTIME;
6657 
6658 	if (tb[NL80211_MESH_SETUP_IE]) {
6659 		struct nlattr *ieattr =
6660 			tb[NL80211_MESH_SETUP_IE];
6661 		setup->ie = nla_data(ieattr);
6662 		setup->ie_len = nla_len(ieattr);
6663 	}
6664 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6665 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6666 		return -EINVAL;
6667 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6668 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6669 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6670 	if (setup->is_secure)
6671 		setup->user_mpm = true;
6672 
6673 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6674 		if (!setup->user_mpm)
6675 			return -EINVAL;
6676 		setup->auth_id =
6677 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6678 	}
6679 
6680 	return 0;
6681 }
6682 
6683 static int nl80211_update_mesh_config(struct sk_buff *skb,
6684 				      struct genl_info *info)
6685 {
6686 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6687 	struct net_device *dev = info->user_ptr[1];
6688 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6689 	struct mesh_config cfg;
6690 	u32 mask;
6691 	int err;
6692 
6693 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6694 		return -EOPNOTSUPP;
6695 
6696 	if (!rdev->ops->update_mesh_config)
6697 		return -EOPNOTSUPP;
6698 
6699 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6700 	if (err)
6701 		return err;
6702 
6703 	wdev_lock(wdev);
6704 	if (!wdev->mesh_id_len)
6705 		err = -ENOLINK;
6706 
6707 	if (!err)
6708 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6709 
6710 	wdev_unlock(wdev);
6711 
6712 	return err;
6713 }
6714 
6715 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6716 			      struct sk_buff *msg)
6717 {
6718 	struct nlattr *nl_reg_rules;
6719 	unsigned int i;
6720 
6721 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6722 	    (regdom->dfs_region &&
6723 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6724 		goto nla_put_failure;
6725 
6726 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
6727 	if (!nl_reg_rules)
6728 		goto nla_put_failure;
6729 
6730 	for (i = 0; i < regdom->n_reg_rules; i++) {
6731 		struct nlattr *nl_reg_rule;
6732 		const struct ieee80211_reg_rule *reg_rule;
6733 		const struct ieee80211_freq_range *freq_range;
6734 		const struct ieee80211_power_rule *power_rule;
6735 		unsigned int max_bandwidth_khz;
6736 
6737 		reg_rule = &regdom->reg_rules[i];
6738 		freq_range = &reg_rule->freq_range;
6739 		power_rule = &reg_rule->power_rule;
6740 
6741 		nl_reg_rule = nla_nest_start_noflag(msg, i);
6742 		if (!nl_reg_rule)
6743 			goto nla_put_failure;
6744 
6745 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6746 		if (!max_bandwidth_khz)
6747 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6748 								  reg_rule);
6749 
6750 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6751 				reg_rule->flags) ||
6752 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6753 				freq_range->start_freq_khz) ||
6754 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6755 				freq_range->end_freq_khz) ||
6756 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6757 				max_bandwidth_khz) ||
6758 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6759 				power_rule->max_antenna_gain) ||
6760 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6761 				power_rule->max_eirp) ||
6762 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6763 				reg_rule->dfs_cac_ms))
6764 			goto nla_put_failure;
6765 
6766 		nla_nest_end(msg, nl_reg_rule);
6767 	}
6768 
6769 	nla_nest_end(msg, nl_reg_rules);
6770 	return 0;
6771 
6772 nla_put_failure:
6773 	return -EMSGSIZE;
6774 }
6775 
6776 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6777 {
6778 	const struct ieee80211_regdomain *regdom = NULL;
6779 	struct cfg80211_registered_device *rdev;
6780 	struct wiphy *wiphy = NULL;
6781 	struct sk_buff *msg;
6782 	void *hdr;
6783 
6784 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6785 	if (!msg)
6786 		return -ENOBUFS;
6787 
6788 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6789 			     NL80211_CMD_GET_REG);
6790 	if (!hdr)
6791 		goto put_failure;
6792 
6793 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6794 		bool self_managed;
6795 
6796 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6797 		if (IS_ERR(rdev)) {
6798 			nlmsg_free(msg);
6799 			return PTR_ERR(rdev);
6800 		}
6801 
6802 		wiphy = &rdev->wiphy;
6803 		self_managed = wiphy->regulatory_flags &
6804 			       REGULATORY_WIPHY_SELF_MANAGED;
6805 		regdom = get_wiphy_regdom(wiphy);
6806 
6807 		/* a self-managed-reg device must have a private regdom */
6808 		if (WARN_ON(!regdom && self_managed)) {
6809 			nlmsg_free(msg);
6810 			return -EINVAL;
6811 		}
6812 
6813 		if (regdom &&
6814 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6815 			goto nla_put_failure;
6816 	}
6817 
6818 	if (!wiphy && reg_last_request_cell_base() &&
6819 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6820 			NL80211_USER_REG_HINT_CELL_BASE))
6821 		goto nla_put_failure;
6822 
6823 	rcu_read_lock();
6824 
6825 	if (!regdom)
6826 		regdom = rcu_dereference(cfg80211_regdomain);
6827 
6828 	if (nl80211_put_regdom(regdom, msg))
6829 		goto nla_put_failure_rcu;
6830 
6831 	rcu_read_unlock();
6832 
6833 	genlmsg_end(msg, hdr);
6834 	return genlmsg_reply(msg, info);
6835 
6836 nla_put_failure_rcu:
6837 	rcu_read_unlock();
6838 nla_put_failure:
6839 put_failure:
6840 	nlmsg_free(msg);
6841 	return -EMSGSIZE;
6842 }
6843 
6844 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6845 			       u32 seq, int flags, struct wiphy *wiphy,
6846 			       const struct ieee80211_regdomain *regdom)
6847 {
6848 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6849 				   NL80211_CMD_GET_REG);
6850 
6851 	if (!hdr)
6852 		return -1;
6853 
6854 	genl_dump_check_consistent(cb, hdr);
6855 
6856 	if (nl80211_put_regdom(regdom, msg))
6857 		goto nla_put_failure;
6858 
6859 	if (!wiphy && reg_last_request_cell_base() &&
6860 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6861 			NL80211_USER_REG_HINT_CELL_BASE))
6862 		goto nla_put_failure;
6863 
6864 	if (wiphy &&
6865 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6866 		goto nla_put_failure;
6867 
6868 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6869 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6870 		goto nla_put_failure;
6871 
6872 	genlmsg_end(msg, hdr);
6873 	return 0;
6874 
6875 nla_put_failure:
6876 	genlmsg_cancel(msg, hdr);
6877 	return -EMSGSIZE;
6878 }
6879 
6880 static int nl80211_get_reg_dump(struct sk_buff *skb,
6881 				struct netlink_callback *cb)
6882 {
6883 	const struct ieee80211_regdomain *regdom = NULL;
6884 	struct cfg80211_registered_device *rdev;
6885 	int err, reg_idx, start = cb->args[2];
6886 
6887 	rtnl_lock();
6888 
6889 	if (cfg80211_regdomain && start == 0) {
6890 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6891 					  NLM_F_MULTI, NULL,
6892 					  rtnl_dereference(cfg80211_regdomain));
6893 		if (err < 0)
6894 			goto out_err;
6895 	}
6896 
6897 	/* the global regdom is idx 0 */
6898 	reg_idx = 1;
6899 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6900 		regdom = get_wiphy_regdom(&rdev->wiphy);
6901 		if (!regdom)
6902 			continue;
6903 
6904 		if (++reg_idx <= start)
6905 			continue;
6906 
6907 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6908 					  NLM_F_MULTI, &rdev->wiphy, regdom);
6909 		if (err < 0) {
6910 			reg_idx--;
6911 			break;
6912 		}
6913 	}
6914 
6915 	cb->args[2] = reg_idx;
6916 	err = skb->len;
6917 out_err:
6918 	rtnl_unlock();
6919 	return err;
6920 }
6921 
6922 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
6923 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6924 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
6925 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
6926 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
6927 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
6928 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
6929 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
6930 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
6931 };
6932 
6933 static int parse_reg_rule(struct nlattr *tb[],
6934 	struct ieee80211_reg_rule *reg_rule)
6935 {
6936 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
6937 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
6938 
6939 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
6940 		return -EINVAL;
6941 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
6942 		return -EINVAL;
6943 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
6944 		return -EINVAL;
6945 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
6946 		return -EINVAL;
6947 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
6948 		return -EINVAL;
6949 
6950 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
6951 
6952 	freq_range->start_freq_khz =
6953 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
6954 	freq_range->end_freq_khz =
6955 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
6956 	freq_range->max_bandwidth_khz =
6957 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
6958 
6959 	power_rule->max_eirp =
6960 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
6961 
6962 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
6963 		power_rule->max_antenna_gain =
6964 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
6965 
6966 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
6967 		reg_rule->dfs_cac_ms =
6968 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
6969 
6970 	return 0;
6971 }
6972 
6973 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6974 {
6975 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6976 	struct nlattr *nl_reg_rule;
6977 	char *alpha2;
6978 	int rem_reg_rules, r;
6979 	u32 num_rules = 0, rule_idx = 0;
6980 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6981 	struct ieee80211_regdomain *rd;
6982 
6983 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6984 		return -EINVAL;
6985 
6986 	if (!info->attrs[NL80211_ATTR_REG_RULES])
6987 		return -EINVAL;
6988 
6989 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6990 
6991 	if (info->attrs[NL80211_ATTR_DFS_REGION])
6992 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6993 
6994 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6995 			    rem_reg_rules) {
6996 		num_rules++;
6997 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6998 			return -EINVAL;
6999 	}
7000 
7001 	if (!reg_is_valid_request(alpha2))
7002 		return -EINVAL;
7003 
7004 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7005 	if (!rd)
7006 		return -ENOMEM;
7007 
7008 	rd->n_reg_rules = num_rules;
7009 	rd->alpha2[0] = alpha2[0];
7010 	rd->alpha2[1] = alpha2[1];
7011 
7012 	/*
7013 	 * Disable DFS master mode if the DFS region was
7014 	 * not supported or known on this kernel.
7015 	 */
7016 	if (reg_supported_dfs_region(dfs_region))
7017 		rd->dfs_region = dfs_region;
7018 
7019 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7020 			    rem_reg_rules) {
7021 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7022 						nl_reg_rule, reg_rule_policy,
7023 						info->extack);
7024 		if (r)
7025 			goto bad_reg;
7026 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7027 		if (r)
7028 			goto bad_reg;
7029 
7030 		rule_idx++;
7031 
7032 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7033 			r = -EINVAL;
7034 			goto bad_reg;
7035 		}
7036 	}
7037 
7038 	/* set_regdom takes ownership of rd */
7039 	return set_regdom(rd, REGD_SOURCE_CRDA);
7040  bad_reg:
7041 	kfree(rd);
7042 	return r;
7043 }
7044 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7045 
7046 static int validate_scan_freqs(struct nlattr *freqs)
7047 {
7048 	struct nlattr *attr1, *attr2;
7049 	int n_channels = 0, tmp1, tmp2;
7050 
7051 	nla_for_each_nested(attr1, freqs, tmp1)
7052 		if (nla_len(attr1) != sizeof(u32))
7053 			return 0;
7054 
7055 	nla_for_each_nested(attr1, freqs, tmp1) {
7056 		n_channels++;
7057 		/*
7058 		 * Some hardware has a limited channel list for
7059 		 * scanning, and it is pretty much nonsensical
7060 		 * to scan for a channel twice, so disallow that
7061 		 * and don't require drivers to check that the
7062 		 * channel list they get isn't longer than what
7063 		 * they can scan, as long as they can scan all
7064 		 * the channels they registered at once.
7065 		 */
7066 		nla_for_each_nested(attr2, freqs, tmp2)
7067 			if (attr1 != attr2 &&
7068 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7069 				return 0;
7070 	}
7071 
7072 	return n_channels;
7073 }
7074 
7075 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7076 {
7077 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7078 }
7079 
7080 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7081 			    struct cfg80211_bss_selection *bss_select)
7082 {
7083 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7084 	struct nlattr *nest;
7085 	int err;
7086 	bool found = false;
7087 	int i;
7088 
7089 	/* only process one nested attribute */
7090 	nest = nla_data(nla);
7091 	if (!nla_ok(nest, nla_len(nest)))
7092 		return -EINVAL;
7093 
7094 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7095 					  nest, nl80211_bss_select_policy,
7096 					  NULL);
7097 	if (err)
7098 		return err;
7099 
7100 	/* only one attribute may be given */
7101 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7102 		if (attr[i]) {
7103 			if (found)
7104 				return -EINVAL;
7105 			found = true;
7106 		}
7107 	}
7108 
7109 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7110 
7111 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7112 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7113 
7114 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7115 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7116 		bss_select->param.band_pref =
7117 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7118 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7119 			return -EINVAL;
7120 	}
7121 
7122 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7123 		struct nl80211_bss_select_rssi_adjust *adj_param;
7124 
7125 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7126 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7127 		bss_select->param.adjust.band = adj_param->band;
7128 		bss_select->param.adjust.delta = adj_param->delta;
7129 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7130 			return -EINVAL;
7131 	}
7132 
7133 	/* user-space did not provide behaviour attribute */
7134 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7135 		return -EINVAL;
7136 
7137 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7138 		return -EINVAL;
7139 
7140 	return 0;
7141 }
7142 
7143 int nl80211_parse_random_mac(struct nlattr **attrs,
7144 			     u8 *mac_addr, u8 *mac_addr_mask)
7145 {
7146 	int i;
7147 
7148 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7149 		eth_zero_addr(mac_addr);
7150 		eth_zero_addr(mac_addr_mask);
7151 		mac_addr[0] = 0x2;
7152 		mac_addr_mask[0] = 0x3;
7153 
7154 		return 0;
7155 	}
7156 
7157 	/* need both or none */
7158 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7159 		return -EINVAL;
7160 
7161 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7162 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7163 
7164 	/* don't allow or configure an mcast address */
7165 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7166 	    is_multicast_ether_addr(mac_addr))
7167 		return -EINVAL;
7168 
7169 	/*
7170 	 * allow users to pass a MAC address that has bits set outside
7171 	 * of the mask, but don't bother drivers with having to deal
7172 	 * with such bits
7173 	 */
7174 	for (i = 0; i < ETH_ALEN; i++)
7175 		mac_addr[i] &= mac_addr_mask[i];
7176 
7177 	return 0;
7178 }
7179 
7180 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7181 {
7182 	ASSERT_WDEV_LOCK(wdev);
7183 
7184 	if (!cfg80211_beaconing_iface_active(wdev))
7185 		return true;
7186 
7187 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7188 		return true;
7189 
7190 	return regulatory_pre_cac_allowed(wdev->wiphy);
7191 }
7192 
7193 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7194 				    enum nl80211_ext_feature_index feat)
7195 {
7196 	if (!(flags & flag))
7197 		return true;
7198 	if (wiphy_ext_feature_isset(wiphy, feat))
7199 		return true;
7200 	return false;
7201 }
7202 
7203 static int
7204 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7205 			 void *request, struct nlattr **attrs,
7206 			 bool is_sched_scan)
7207 {
7208 	u8 *mac_addr, *mac_addr_mask;
7209 	u32 *flags;
7210 	enum nl80211_feature_flags randomness_flag;
7211 
7212 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7213 		return 0;
7214 
7215 	if (is_sched_scan) {
7216 		struct cfg80211_sched_scan_request *req = request;
7217 
7218 		randomness_flag = wdev ?
7219 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7220 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7221 		flags = &req->flags;
7222 		mac_addr = req->mac_addr;
7223 		mac_addr_mask = req->mac_addr_mask;
7224 	} else {
7225 		struct cfg80211_scan_request *req = request;
7226 
7227 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7228 		flags = &req->flags;
7229 		mac_addr = req->mac_addr;
7230 		mac_addr_mask = req->mac_addr_mask;
7231 	}
7232 
7233 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7234 
7235 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7236 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7237 	    !nl80211_check_scan_feat(wiphy, *flags,
7238 				     NL80211_SCAN_FLAG_LOW_SPAN,
7239 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7240 	    !nl80211_check_scan_feat(wiphy, *flags,
7241 				     NL80211_SCAN_FLAG_LOW_POWER,
7242 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7243 	    !nl80211_check_scan_feat(wiphy, *flags,
7244 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7245 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7246 	    !nl80211_check_scan_feat(wiphy, *flags,
7247 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7248 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7249 	    !nl80211_check_scan_feat(wiphy, *flags,
7250 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7251 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7252 	    !nl80211_check_scan_feat(wiphy, *flags,
7253 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7254 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7255 	    !nl80211_check_scan_feat(wiphy, *flags,
7256 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7257 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7258 	    !nl80211_check_scan_feat(wiphy, *flags,
7259 				     NL80211_SCAN_FLAG_RANDOM_SN,
7260 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7261 	    !nl80211_check_scan_feat(wiphy, *flags,
7262 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7263 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7264 		return -EOPNOTSUPP;
7265 
7266 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7267 		int err;
7268 
7269 		if (!(wiphy->features & randomness_flag) ||
7270 		    (wdev && wdev->current_bss))
7271 			return -EOPNOTSUPP;
7272 
7273 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7274 		if (err)
7275 			return err;
7276 	}
7277 
7278 	return 0;
7279 }
7280 
7281 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7282 {
7283 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7284 	struct wireless_dev *wdev = info->user_ptr[1];
7285 	struct cfg80211_scan_request *request;
7286 	struct nlattr *attr;
7287 	struct wiphy *wiphy;
7288 	int err, tmp, n_ssids = 0, n_channels, i;
7289 	size_t ie_len;
7290 
7291 	wiphy = &rdev->wiphy;
7292 
7293 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7294 		return -EOPNOTSUPP;
7295 
7296 	if (!rdev->ops->scan)
7297 		return -EOPNOTSUPP;
7298 
7299 	if (rdev->scan_req || rdev->scan_msg) {
7300 		err = -EBUSY;
7301 		goto unlock;
7302 	}
7303 
7304 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7305 		n_channels = validate_scan_freqs(
7306 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7307 		if (!n_channels) {
7308 			err = -EINVAL;
7309 			goto unlock;
7310 		}
7311 	} else {
7312 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7313 	}
7314 
7315 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7316 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7317 			n_ssids++;
7318 
7319 	if (n_ssids > wiphy->max_scan_ssids) {
7320 		err = -EINVAL;
7321 		goto unlock;
7322 	}
7323 
7324 	if (info->attrs[NL80211_ATTR_IE])
7325 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7326 	else
7327 		ie_len = 0;
7328 
7329 	if (ie_len > wiphy->max_scan_ie_len) {
7330 		err = -EINVAL;
7331 		goto unlock;
7332 	}
7333 
7334 	request = kzalloc(sizeof(*request)
7335 			+ sizeof(*request->ssids) * n_ssids
7336 			+ sizeof(*request->channels) * n_channels
7337 			+ ie_len, GFP_KERNEL);
7338 	if (!request) {
7339 		err = -ENOMEM;
7340 		goto unlock;
7341 	}
7342 
7343 	if (n_ssids)
7344 		request->ssids = (void *)&request->channels[n_channels];
7345 	request->n_ssids = n_ssids;
7346 	if (ie_len) {
7347 		if (n_ssids)
7348 			request->ie = (void *)(request->ssids + n_ssids);
7349 		else
7350 			request->ie = (void *)(request->channels + n_channels);
7351 	}
7352 
7353 	i = 0;
7354 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7355 		/* user specified, bail out if channel not found */
7356 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7357 			struct ieee80211_channel *chan;
7358 
7359 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7360 
7361 			if (!chan) {
7362 				err = -EINVAL;
7363 				goto out_free;
7364 			}
7365 
7366 			/* ignore disabled channels */
7367 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7368 				continue;
7369 
7370 			request->channels[i] = chan;
7371 			i++;
7372 		}
7373 	} else {
7374 		enum nl80211_band band;
7375 
7376 		/* all channels */
7377 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7378 			int j;
7379 
7380 			if (!wiphy->bands[band])
7381 				continue;
7382 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7383 				struct ieee80211_channel *chan;
7384 
7385 				chan = &wiphy->bands[band]->channels[j];
7386 
7387 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7388 					continue;
7389 
7390 				request->channels[i] = chan;
7391 				i++;
7392 			}
7393 		}
7394 	}
7395 
7396 	if (!i) {
7397 		err = -EINVAL;
7398 		goto out_free;
7399 	}
7400 
7401 	request->n_channels = i;
7402 
7403 	wdev_lock(wdev);
7404 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7405 		struct ieee80211_channel *chan;
7406 
7407 		if (request->n_channels != 1) {
7408 			wdev_unlock(wdev);
7409 			err = -EBUSY;
7410 			goto out_free;
7411 		}
7412 
7413 		chan = request->channels[0];
7414 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7415 			wdev_unlock(wdev);
7416 			err = -EBUSY;
7417 			goto out_free;
7418 		}
7419 	}
7420 	wdev_unlock(wdev);
7421 
7422 	i = 0;
7423 	if (n_ssids) {
7424 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7425 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7426 				err = -EINVAL;
7427 				goto out_free;
7428 			}
7429 			request->ssids[i].ssid_len = nla_len(attr);
7430 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7431 			i++;
7432 		}
7433 	}
7434 
7435 	if (info->attrs[NL80211_ATTR_IE]) {
7436 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7437 		memcpy((void *)request->ie,
7438 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7439 		       request->ie_len);
7440 	}
7441 
7442 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7443 		if (wiphy->bands[i])
7444 			request->rates[i] =
7445 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7446 
7447 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7448 		nla_for_each_nested(attr,
7449 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7450 				    tmp) {
7451 			enum nl80211_band band = nla_type(attr);
7452 
7453 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7454 				err = -EINVAL;
7455 				goto out_free;
7456 			}
7457 
7458 			if (!wiphy->bands[band])
7459 				continue;
7460 
7461 			err = ieee80211_get_ratemask(wiphy->bands[band],
7462 						     nla_data(attr),
7463 						     nla_len(attr),
7464 						     &request->rates[band]);
7465 			if (err)
7466 				goto out_free;
7467 		}
7468 	}
7469 
7470 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7471 		if (!wiphy_ext_feature_isset(wiphy,
7472 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7473 			err = -EOPNOTSUPP;
7474 			goto out_free;
7475 		}
7476 
7477 		request->duration =
7478 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7479 		request->duration_mandatory =
7480 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7481 	}
7482 
7483 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7484 				       false);
7485 	if (err)
7486 		goto out_free;
7487 
7488 	request->no_cck =
7489 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7490 
7491 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7492 	 * BSSID to scan for. This was problematic because that same attribute
7493 	 * was already used for another purpose (local random MAC address). The
7494 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7495 	 * compatibility with older userspace components, also use the
7496 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7497 	 * the specific BSSID use case instead of the random MAC address
7498 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7499 	 */
7500 	if (info->attrs[NL80211_ATTR_BSSID])
7501 		memcpy(request->bssid,
7502 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7503 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7504 		 info->attrs[NL80211_ATTR_MAC])
7505 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7506 		       ETH_ALEN);
7507 	else
7508 		eth_broadcast_addr(request->bssid);
7509 
7510 	request->wdev = wdev;
7511 	request->wiphy = &rdev->wiphy;
7512 	request->scan_start = jiffies;
7513 
7514 	rdev->scan_req = request;
7515 	err = rdev_scan(rdev, request);
7516 
7517 	if (!err) {
7518 		nl80211_send_scan_start(rdev, wdev);
7519 		if (wdev->netdev)
7520 			dev_hold(wdev->netdev);
7521 	} else {
7522  out_free:
7523 		rdev->scan_req = NULL;
7524 		kfree(request);
7525 	}
7526 
7527  unlock:
7528 	return err;
7529 }
7530 
7531 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7532 {
7533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7534 	struct wireless_dev *wdev = info->user_ptr[1];
7535 
7536 	if (!rdev->ops->abort_scan)
7537 		return -EOPNOTSUPP;
7538 
7539 	if (rdev->scan_msg)
7540 		return 0;
7541 
7542 	if (!rdev->scan_req)
7543 		return -ENOENT;
7544 
7545 	rdev_abort_scan(rdev, wdev);
7546 	return 0;
7547 }
7548 
7549 static int
7550 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7551 			       struct cfg80211_sched_scan_request *request,
7552 			       struct nlattr **attrs)
7553 {
7554 	int tmp, err, i = 0;
7555 	struct nlattr *attr;
7556 
7557 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7558 		u32 interval;
7559 
7560 		/*
7561 		 * If scan plans are not specified,
7562 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7563 		 * case one scan plan will be set with the specified scan
7564 		 * interval and infinite number of iterations.
7565 		 */
7566 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7567 		if (!interval)
7568 			return -EINVAL;
7569 
7570 		request->scan_plans[0].interval =
7571 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
7572 		if (!request->scan_plans[0].interval)
7573 			return -EINVAL;
7574 
7575 		if (request->scan_plans[0].interval >
7576 		    wiphy->max_sched_scan_plan_interval)
7577 			request->scan_plans[0].interval =
7578 				wiphy->max_sched_scan_plan_interval;
7579 
7580 		return 0;
7581 	}
7582 
7583 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7584 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7585 
7586 		if (WARN_ON(i >= n_plans))
7587 			return -EINVAL;
7588 
7589 		err = nla_parse_nested_deprecated(plan,
7590 						  NL80211_SCHED_SCAN_PLAN_MAX,
7591 						  attr, nl80211_plan_policy,
7592 						  NULL);
7593 		if (err)
7594 			return err;
7595 
7596 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7597 			return -EINVAL;
7598 
7599 		request->scan_plans[i].interval =
7600 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7601 		if (!request->scan_plans[i].interval ||
7602 		    request->scan_plans[i].interval >
7603 		    wiphy->max_sched_scan_plan_interval)
7604 			return -EINVAL;
7605 
7606 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7607 			request->scan_plans[i].iterations =
7608 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7609 			if (!request->scan_plans[i].iterations ||
7610 			    (request->scan_plans[i].iterations >
7611 			     wiphy->max_sched_scan_plan_iterations))
7612 				return -EINVAL;
7613 		} else if (i < n_plans - 1) {
7614 			/*
7615 			 * All scan plans but the last one must specify
7616 			 * a finite number of iterations
7617 			 */
7618 			return -EINVAL;
7619 		}
7620 
7621 		i++;
7622 	}
7623 
7624 	/*
7625 	 * The last scan plan must not specify the number of
7626 	 * iterations, it is supposed to run infinitely
7627 	 */
7628 	if (request->scan_plans[n_plans - 1].iterations)
7629 		return  -EINVAL;
7630 
7631 	return 0;
7632 }
7633 
7634 static int
7635 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
7636 				       struct cfg80211_match_set *match_sets,
7637 				       struct nlattr *tb_band_rssi,
7638 				       s32 rssi_thold)
7639 {
7640 	struct nlattr *attr;
7641 	int i, tmp, ret = 0;
7642 
7643 	if (!wiphy_ext_feature_isset(wiphy,
7644 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
7645 		if (tb_band_rssi)
7646 			ret = -EOPNOTSUPP;
7647 		else
7648 			for (i = 0; i < NUM_NL80211_BANDS; i++)
7649 				match_sets->per_band_rssi_thold[i] =
7650 					NL80211_SCAN_RSSI_THOLD_OFF;
7651 		return ret;
7652 	}
7653 
7654 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7655 		match_sets->per_band_rssi_thold[i] = rssi_thold;
7656 
7657 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
7658 		enum nl80211_band band = nla_type(attr);
7659 
7660 		if (band < 0 || band >= NUM_NL80211_BANDS)
7661 			return -EINVAL;
7662 
7663 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
7664 	}
7665 
7666 	return 0;
7667 }
7668 
7669 static struct cfg80211_sched_scan_request *
7670 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7671 			 struct nlattr **attrs, int max_match_sets)
7672 {
7673 	struct cfg80211_sched_scan_request *request;
7674 	struct nlattr *attr;
7675 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7676 	enum nl80211_band band;
7677 	size_t ie_len;
7678 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7679 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7680 
7681 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7682 		n_channels = validate_scan_freqs(
7683 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7684 		if (!n_channels)
7685 			return ERR_PTR(-EINVAL);
7686 	} else {
7687 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7688 	}
7689 
7690 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
7691 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7692 				    tmp)
7693 			n_ssids++;
7694 
7695 	if (n_ssids > wiphy->max_sched_scan_ssids)
7696 		return ERR_PTR(-EINVAL);
7697 
7698 	/*
7699 	 * First, count the number of 'real' matchsets. Due to an issue with
7700 	 * the old implementation, matchsets containing only the RSSI attribute
7701 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7702 	 * RSSI for all matchsets, rather than their own matchset for reporting
7703 	 * all APs with a strong RSSI. This is needed to be compatible with
7704 	 * older userspace that treated a matchset with only the RSSI as the
7705 	 * global RSSI for all other matchsets - if there are other matchsets.
7706 	 */
7707 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7708 		nla_for_each_nested(attr,
7709 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7710 				    tmp) {
7711 			struct nlattr *rssi;
7712 
7713 			err = nla_parse_nested_deprecated(tb,
7714 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7715 							  attr,
7716 							  nl80211_match_policy,
7717 							  NULL);
7718 			if (err)
7719 				return ERR_PTR(err);
7720 
7721 			/* SSID and BSSID are mutually exclusive */
7722 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7723 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7724 				return ERR_PTR(-EINVAL);
7725 
7726 			/* add other standalone attributes here */
7727 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7728 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7729 				n_match_sets++;
7730 				continue;
7731 			}
7732 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7733 			if (rssi)
7734 				default_match_rssi = nla_get_s32(rssi);
7735 		}
7736 	}
7737 
7738 	/* However, if there's no other matchset, add the RSSI one */
7739 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7740 		n_match_sets = 1;
7741 
7742 	if (n_match_sets > max_match_sets)
7743 		return ERR_PTR(-EINVAL);
7744 
7745 	if (attrs[NL80211_ATTR_IE])
7746 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7747 	else
7748 		ie_len = 0;
7749 
7750 	if (ie_len > wiphy->max_sched_scan_ie_len)
7751 		return ERR_PTR(-EINVAL);
7752 
7753 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7754 		/*
7755 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7756 		 * each scan plan already specifies its own interval
7757 		 */
7758 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7759 			return ERR_PTR(-EINVAL);
7760 
7761 		nla_for_each_nested(attr,
7762 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7763 			n_plans++;
7764 	} else {
7765 		/*
7766 		 * The scan interval attribute is kept for backward
7767 		 * compatibility. If no scan plans are specified and sched scan
7768 		 * interval is specified, one scan plan will be set with this
7769 		 * scan interval and infinite number of iterations.
7770 		 */
7771 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7772 			return ERR_PTR(-EINVAL);
7773 
7774 		n_plans = 1;
7775 	}
7776 
7777 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7778 		return ERR_PTR(-EINVAL);
7779 
7780 	if (!wiphy_ext_feature_isset(
7781 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7782 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7783 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7784 		return ERR_PTR(-EINVAL);
7785 
7786 	request = kzalloc(sizeof(*request)
7787 			+ sizeof(*request->ssids) * n_ssids
7788 			+ sizeof(*request->match_sets) * n_match_sets
7789 			+ sizeof(*request->scan_plans) * n_plans
7790 			+ sizeof(*request->channels) * n_channels
7791 			+ ie_len, GFP_KERNEL);
7792 	if (!request)
7793 		return ERR_PTR(-ENOMEM);
7794 
7795 	if (n_ssids)
7796 		request->ssids = (void *)&request->channels[n_channels];
7797 	request->n_ssids = n_ssids;
7798 	if (ie_len) {
7799 		if (n_ssids)
7800 			request->ie = (void *)(request->ssids + n_ssids);
7801 		else
7802 			request->ie = (void *)(request->channels + n_channels);
7803 	}
7804 
7805 	if (n_match_sets) {
7806 		if (request->ie)
7807 			request->match_sets = (void *)(request->ie + ie_len);
7808 		else if (n_ssids)
7809 			request->match_sets =
7810 				(void *)(request->ssids + n_ssids);
7811 		else
7812 			request->match_sets =
7813 				(void *)(request->channels + n_channels);
7814 	}
7815 	request->n_match_sets = n_match_sets;
7816 
7817 	if (n_match_sets)
7818 		request->scan_plans = (void *)(request->match_sets +
7819 					       n_match_sets);
7820 	else if (request->ie)
7821 		request->scan_plans = (void *)(request->ie + ie_len);
7822 	else if (n_ssids)
7823 		request->scan_plans = (void *)(request->ssids + n_ssids);
7824 	else
7825 		request->scan_plans = (void *)(request->channels + n_channels);
7826 
7827 	request->n_scan_plans = n_plans;
7828 
7829 	i = 0;
7830 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7831 		/* user specified, bail out if channel not found */
7832 		nla_for_each_nested(attr,
7833 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
7834 				    tmp) {
7835 			struct ieee80211_channel *chan;
7836 
7837 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7838 
7839 			if (!chan) {
7840 				err = -EINVAL;
7841 				goto out_free;
7842 			}
7843 
7844 			/* ignore disabled channels */
7845 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7846 				continue;
7847 
7848 			request->channels[i] = chan;
7849 			i++;
7850 		}
7851 	} else {
7852 		/* all channels */
7853 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7854 			int j;
7855 
7856 			if (!wiphy->bands[band])
7857 				continue;
7858 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7859 				struct ieee80211_channel *chan;
7860 
7861 				chan = &wiphy->bands[band]->channels[j];
7862 
7863 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7864 					continue;
7865 
7866 				request->channels[i] = chan;
7867 				i++;
7868 			}
7869 		}
7870 	}
7871 
7872 	if (!i) {
7873 		err = -EINVAL;
7874 		goto out_free;
7875 	}
7876 
7877 	request->n_channels = i;
7878 
7879 	i = 0;
7880 	if (n_ssids) {
7881 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7882 				    tmp) {
7883 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7884 				err = -EINVAL;
7885 				goto out_free;
7886 			}
7887 			request->ssids[i].ssid_len = nla_len(attr);
7888 			memcpy(request->ssids[i].ssid, nla_data(attr),
7889 			       nla_len(attr));
7890 			i++;
7891 		}
7892 	}
7893 
7894 	i = 0;
7895 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7896 		nla_for_each_nested(attr,
7897 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7898 				    tmp) {
7899 			struct nlattr *ssid, *bssid, *rssi;
7900 
7901 			err = nla_parse_nested_deprecated(tb,
7902 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7903 							  attr,
7904 							  nl80211_match_policy,
7905 							  NULL);
7906 			if (err)
7907 				goto out_free;
7908 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
7909 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
7910 
7911 			if (!ssid && !bssid) {
7912 				i++;
7913 				continue;
7914 			}
7915 
7916 			if (WARN_ON(i >= n_match_sets)) {
7917 				/* this indicates a programming error,
7918 				 * the loop above should have verified
7919 				 * things properly
7920 				 */
7921 				err = -EINVAL;
7922 				goto out_free;
7923 			}
7924 
7925 			if (ssid) {
7926 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
7927 					err = -EINVAL;
7928 					goto out_free;
7929 				}
7930 				memcpy(request->match_sets[i].ssid.ssid,
7931 				       nla_data(ssid), nla_len(ssid));
7932 				request->match_sets[i].ssid.ssid_len =
7933 					nla_len(ssid);
7934 			}
7935 			if (bssid) {
7936 				if (nla_len(bssid) != ETH_ALEN) {
7937 					err = -EINVAL;
7938 					goto out_free;
7939 				}
7940 				memcpy(request->match_sets[i].bssid,
7941 				       nla_data(bssid), ETH_ALEN);
7942 			}
7943 
7944 			/* special attribute - old implementation w/a */
7945 			request->match_sets[i].rssi_thold = default_match_rssi;
7946 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7947 			if (rssi)
7948 				request->match_sets[i].rssi_thold =
7949 					nla_get_s32(rssi);
7950 
7951 			/* Parse per band RSSI attribute */
7952 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
7953 				&request->match_sets[i],
7954 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
7955 				request->match_sets[i].rssi_thold);
7956 			if (err)
7957 				goto out_free;
7958 
7959 			i++;
7960 		}
7961 
7962 		/* there was no other matchset, so the RSSI one is alone */
7963 		if (i == 0 && n_match_sets)
7964 			request->match_sets[0].rssi_thold = default_match_rssi;
7965 
7966 		request->min_rssi_thold = INT_MAX;
7967 		for (i = 0; i < n_match_sets; i++)
7968 			request->min_rssi_thold =
7969 				min(request->match_sets[i].rssi_thold,
7970 				    request->min_rssi_thold);
7971 	} else {
7972 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
7973 	}
7974 
7975 	if (ie_len) {
7976 		request->ie_len = ie_len;
7977 		memcpy((void *)request->ie,
7978 		       nla_data(attrs[NL80211_ATTR_IE]),
7979 		       request->ie_len);
7980 	}
7981 
7982 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
7983 	if (err)
7984 		goto out_free;
7985 
7986 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
7987 		request->delay =
7988 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
7989 
7990 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
7991 		request->relative_rssi = nla_get_s8(
7992 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
7993 		request->relative_rssi_set = true;
7994 	}
7995 
7996 	if (request->relative_rssi_set &&
7997 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
7998 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
7999 
8000 		rssi_adjust = nla_data(
8001 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8002 		request->rssi_adjust.band = rssi_adjust->band;
8003 		request->rssi_adjust.delta = rssi_adjust->delta;
8004 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8005 			err = -EINVAL;
8006 			goto out_free;
8007 		}
8008 	}
8009 
8010 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8011 	if (err)
8012 		goto out_free;
8013 
8014 	request->scan_start = jiffies;
8015 
8016 	return request;
8017 
8018 out_free:
8019 	kfree(request);
8020 	return ERR_PTR(err);
8021 }
8022 
8023 static int nl80211_start_sched_scan(struct sk_buff *skb,
8024 				    struct genl_info *info)
8025 {
8026 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8027 	struct net_device *dev = info->user_ptr[1];
8028 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8029 	struct cfg80211_sched_scan_request *sched_scan_req;
8030 	bool want_multi;
8031 	int err;
8032 
8033 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8034 		return -EOPNOTSUPP;
8035 
8036 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8037 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8038 	if (err)
8039 		return err;
8040 
8041 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8042 						  info->attrs,
8043 						  rdev->wiphy.max_match_sets);
8044 
8045 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8046 	if (err)
8047 		goto out_err;
8048 
8049 	/* leave request id zero for legacy request
8050 	 * or if driver does not support multi-scheduled scan
8051 	 */
8052 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1) {
8053 		while (!sched_scan_req->reqid)
8054 			sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8055 	}
8056 
8057 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8058 	if (err)
8059 		goto out_free;
8060 
8061 	sched_scan_req->dev = dev;
8062 	sched_scan_req->wiphy = &rdev->wiphy;
8063 
8064 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8065 		sched_scan_req->owner_nlportid = info->snd_portid;
8066 
8067 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8068 
8069 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8070 	return 0;
8071 
8072 out_free:
8073 	kfree(sched_scan_req);
8074 out_err:
8075 	return err;
8076 }
8077 
8078 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8079 				   struct genl_info *info)
8080 {
8081 	struct cfg80211_sched_scan_request *req;
8082 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8083 	u64 cookie;
8084 
8085 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8086 		return -EOPNOTSUPP;
8087 
8088 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8089 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8090 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8091 	}
8092 
8093 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8094 				     struct cfg80211_sched_scan_request,
8095 				     list);
8096 	if (!req || req->reqid ||
8097 	    (req->owner_nlportid &&
8098 	     req->owner_nlportid != info->snd_portid))
8099 		return -ENOENT;
8100 
8101 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8102 }
8103 
8104 static int nl80211_start_radar_detection(struct sk_buff *skb,
8105 					 struct genl_info *info)
8106 {
8107 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8108 	struct net_device *dev = info->user_ptr[1];
8109 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8110 	struct wiphy *wiphy = wdev->wiphy;
8111 	struct cfg80211_chan_def chandef;
8112 	enum nl80211_dfs_regions dfs_region;
8113 	unsigned int cac_time_ms;
8114 	int err;
8115 
8116 	dfs_region = reg_get_dfs_region(wiphy);
8117 	if (dfs_region == NL80211_DFS_UNSET)
8118 		return -EINVAL;
8119 
8120 	err = nl80211_parse_chandef(rdev, info, &chandef);
8121 	if (err)
8122 		return err;
8123 
8124 	if (netif_carrier_ok(dev))
8125 		return -EBUSY;
8126 
8127 	if (wdev->cac_started)
8128 		return -EBUSY;
8129 
8130 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8131 	if (err < 0)
8132 		return err;
8133 
8134 	if (err == 0)
8135 		return -EINVAL;
8136 
8137 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8138 		return -EINVAL;
8139 
8140 	/* CAC start is offloaded to HW and can't be started manually */
8141 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8142 		return -EOPNOTSUPP;
8143 
8144 	if (!rdev->ops->start_radar_detection)
8145 		return -EOPNOTSUPP;
8146 
8147 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8148 	if (WARN_ON(!cac_time_ms))
8149 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8150 
8151 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8152 	if (!err) {
8153 		wdev->chandef = chandef;
8154 		wdev->cac_started = true;
8155 		wdev->cac_start_time = jiffies;
8156 		wdev->cac_time_ms = cac_time_ms;
8157 	}
8158 	return err;
8159 }
8160 
8161 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8162 					  struct genl_info *info)
8163 {
8164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8165 	struct net_device *dev = info->user_ptr[1];
8166 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8167 	struct wiphy *wiphy = wdev->wiphy;
8168 	struct cfg80211_chan_def chandef;
8169 	enum nl80211_dfs_regions dfs_region;
8170 	int err;
8171 
8172 	dfs_region = reg_get_dfs_region(wiphy);
8173 	if (dfs_region == NL80211_DFS_UNSET) {
8174 		GENL_SET_ERR_MSG(info,
8175 				 "DFS Region is not set. Unexpected Radar indication");
8176 		return -EINVAL;
8177 	}
8178 
8179 	err = nl80211_parse_chandef(rdev, info, &chandef);
8180 	if (err) {
8181 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8182 		return err;
8183 	}
8184 
8185 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8186 	if (err < 0) {
8187 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8188 		return err;
8189 	}
8190 
8191 	if (err == 0) {
8192 		GENL_SET_ERR_MSG(info,
8193 				 "Unexpected Radar indication for chandef/iftype");
8194 		return -EINVAL;
8195 	}
8196 
8197 	/* Do not process this notification if radar is already detected
8198 	 * by kernel on this channel, and return success.
8199 	 */
8200 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8201 		return 0;
8202 
8203 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8204 
8205 	cfg80211_sched_dfs_chan_update(rdev);
8206 
8207 	rdev->radar_chandef = chandef;
8208 
8209 	/* Propagate this notification to other radios as well */
8210 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8211 
8212 	return 0;
8213 }
8214 
8215 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8216 {
8217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8218 	struct net_device *dev = info->user_ptr[1];
8219 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8220 	struct cfg80211_csa_settings params;
8221 	/* csa_attrs is defined static to avoid waste of stack size - this
8222 	 * function is called under RTNL lock, so this should not be a problem.
8223 	 */
8224 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8225 	int err;
8226 	bool need_new_beacon = false;
8227 	bool need_handle_dfs_flag = true;
8228 	int len, i;
8229 	u32 cs_count;
8230 
8231 	if (!rdev->ops->channel_switch ||
8232 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8233 		return -EOPNOTSUPP;
8234 
8235 	switch (dev->ieee80211_ptr->iftype) {
8236 	case NL80211_IFTYPE_AP:
8237 	case NL80211_IFTYPE_P2P_GO:
8238 		need_new_beacon = true;
8239 		/* For all modes except AP the handle_dfs flag needs to be
8240 		 * supplied to tell the kernel that userspace will handle radar
8241 		 * events when they happen. Otherwise a switch to a channel
8242 		 * requiring DFS will be rejected.
8243 		 */
8244 		need_handle_dfs_flag = false;
8245 
8246 		/* useless if AP is not running */
8247 		if (!wdev->beacon_interval)
8248 			return -ENOTCONN;
8249 		break;
8250 	case NL80211_IFTYPE_ADHOC:
8251 		if (!wdev->ssid_len)
8252 			return -ENOTCONN;
8253 		break;
8254 	case NL80211_IFTYPE_MESH_POINT:
8255 		if (!wdev->mesh_id_len)
8256 			return -ENOTCONN;
8257 		break;
8258 	default:
8259 		return -EOPNOTSUPP;
8260 	}
8261 
8262 	memset(&params, 0, sizeof(params));
8263 	params.beacon_csa.ftm_responder = -1;
8264 
8265 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8266 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8267 		return -EINVAL;
8268 
8269 	/* only important for AP, IBSS and mesh create IEs internally */
8270 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8271 		return -EINVAL;
8272 
8273 	/* Even though the attribute is u32, the specification says
8274 	 * u8, so let's make sure we don't overflow.
8275 	 */
8276 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8277 	if (cs_count > 255)
8278 		return -EINVAL;
8279 
8280 	params.count = cs_count;
8281 
8282 	if (!need_new_beacon)
8283 		goto skip_beacons;
8284 
8285 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8286 	if (err)
8287 		return err;
8288 
8289 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
8290 					  info->attrs[NL80211_ATTR_CSA_IES],
8291 					  nl80211_policy, info->extack);
8292 	if (err)
8293 		return err;
8294 
8295 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8296 	if (err)
8297 		return err;
8298 
8299 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8300 		return -EINVAL;
8301 
8302 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8303 	if (!len || (len % sizeof(u16)))
8304 		return -EINVAL;
8305 
8306 	params.n_counter_offsets_beacon = len / sizeof(u16);
8307 	if (rdev->wiphy.max_num_csa_counters &&
8308 	    (params.n_counter_offsets_beacon >
8309 	     rdev->wiphy.max_num_csa_counters))
8310 		return -EINVAL;
8311 
8312 	params.counter_offsets_beacon =
8313 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8314 
8315 	/* sanity checks - counters should fit and be the same */
8316 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8317 		u16 offset = params.counter_offsets_beacon[i];
8318 
8319 		if (offset >= params.beacon_csa.tail_len)
8320 			return -EINVAL;
8321 
8322 		if (params.beacon_csa.tail[offset] != params.count)
8323 			return -EINVAL;
8324 	}
8325 
8326 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8327 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8328 		if (!len || (len % sizeof(u16)))
8329 			return -EINVAL;
8330 
8331 		params.n_counter_offsets_presp = len / sizeof(u16);
8332 		if (rdev->wiphy.max_num_csa_counters &&
8333 		    (params.n_counter_offsets_presp >
8334 		     rdev->wiphy.max_num_csa_counters))
8335 			return -EINVAL;
8336 
8337 		params.counter_offsets_presp =
8338 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8339 
8340 		/* sanity checks - counters should fit and be the same */
8341 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8342 			u16 offset = params.counter_offsets_presp[i];
8343 
8344 			if (offset >= params.beacon_csa.probe_resp_len)
8345 				return -EINVAL;
8346 
8347 			if (params.beacon_csa.probe_resp[offset] !=
8348 			    params.count)
8349 				return -EINVAL;
8350 		}
8351 	}
8352 
8353 skip_beacons:
8354 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8355 	if (err)
8356 		return err;
8357 
8358 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8359 					   wdev->iftype))
8360 		return -EINVAL;
8361 
8362 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8363 					    &params.chandef,
8364 					    wdev->iftype);
8365 	if (err < 0)
8366 		return err;
8367 
8368 	if (err > 0) {
8369 		params.radar_required = true;
8370 		if (need_handle_dfs_flag &&
8371 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8372 			return -EINVAL;
8373 		}
8374 	}
8375 
8376 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8377 		params.block_tx = true;
8378 
8379 	wdev_lock(wdev);
8380 	err = rdev_channel_switch(rdev, dev, &params);
8381 	wdev_unlock(wdev);
8382 
8383 	return err;
8384 }
8385 
8386 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8387 			    u32 seq, int flags,
8388 			    struct cfg80211_registered_device *rdev,
8389 			    struct wireless_dev *wdev,
8390 			    struct cfg80211_internal_bss *intbss)
8391 {
8392 	struct cfg80211_bss *res = &intbss->pub;
8393 	const struct cfg80211_bss_ies *ies;
8394 	void *hdr;
8395 	struct nlattr *bss;
8396 
8397 	ASSERT_WDEV_LOCK(wdev);
8398 
8399 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8400 			     NL80211_CMD_NEW_SCAN_RESULTS);
8401 	if (!hdr)
8402 		return -1;
8403 
8404 	genl_dump_check_consistent(cb, hdr);
8405 
8406 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8407 		goto nla_put_failure;
8408 	if (wdev->netdev &&
8409 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8410 		goto nla_put_failure;
8411 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8412 			      NL80211_ATTR_PAD))
8413 		goto nla_put_failure;
8414 
8415 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
8416 	if (!bss)
8417 		goto nla_put_failure;
8418 	if ((!is_zero_ether_addr(res->bssid) &&
8419 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8420 		goto nla_put_failure;
8421 
8422 	rcu_read_lock();
8423 	/* indicate whether we have probe response data or not */
8424 	if (rcu_access_pointer(res->proberesp_ies) &&
8425 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8426 		goto fail_unlock_rcu;
8427 
8428 	/* this pointer prefers to be pointed to probe response data
8429 	 * but is always valid
8430 	 */
8431 	ies = rcu_dereference(res->ies);
8432 	if (ies) {
8433 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8434 				      NL80211_BSS_PAD))
8435 			goto fail_unlock_rcu;
8436 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8437 					ies->len, ies->data))
8438 			goto fail_unlock_rcu;
8439 	}
8440 
8441 	/* and this pointer is always (unless driver didn't know) beacon data */
8442 	ies = rcu_dereference(res->beacon_ies);
8443 	if (ies && ies->from_beacon) {
8444 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8445 				      NL80211_BSS_PAD))
8446 			goto fail_unlock_rcu;
8447 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8448 					ies->len, ies->data))
8449 			goto fail_unlock_rcu;
8450 	}
8451 	rcu_read_unlock();
8452 
8453 	if (res->beacon_interval &&
8454 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8455 		goto nla_put_failure;
8456 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8457 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8458 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8459 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8460 			jiffies_to_msecs(jiffies - intbss->ts)))
8461 		goto nla_put_failure;
8462 
8463 	if (intbss->parent_tsf &&
8464 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8465 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8466 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8467 		     intbss->parent_bssid)))
8468 		goto nla_put_failure;
8469 
8470 	if (intbss->ts_boottime &&
8471 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8472 			      intbss->ts_boottime, NL80211_BSS_PAD))
8473 		goto nla_put_failure;
8474 
8475 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8476 				intbss->pub.chain_signal,
8477 				NL80211_BSS_CHAIN_SIGNAL))
8478 		goto nla_put_failure;
8479 
8480 	switch (rdev->wiphy.signal_type) {
8481 	case CFG80211_SIGNAL_TYPE_MBM:
8482 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8483 			goto nla_put_failure;
8484 		break;
8485 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8486 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8487 			goto nla_put_failure;
8488 		break;
8489 	default:
8490 		break;
8491 	}
8492 
8493 	switch (wdev->iftype) {
8494 	case NL80211_IFTYPE_P2P_CLIENT:
8495 	case NL80211_IFTYPE_STATION:
8496 		if (intbss == wdev->current_bss &&
8497 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8498 				NL80211_BSS_STATUS_ASSOCIATED))
8499 			goto nla_put_failure;
8500 		break;
8501 	case NL80211_IFTYPE_ADHOC:
8502 		if (intbss == wdev->current_bss &&
8503 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8504 				NL80211_BSS_STATUS_IBSS_JOINED))
8505 			goto nla_put_failure;
8506 		break;
8507 	default:
8508 		break;
8509 	}
8510 
8511 	nla_nest_end(msg, bss);
8512 
8513 	genlmsg_end(msg, hdr);
8514 	return 0;
8515 
8516  fail_unlock_rcu:
8517 	rcu_read_unlock();
8518  nla_put_failure:
8519 	genlmsg_cancel(msg, hdr);
8520 	return -EMSGSIZE;
8521 }
8522 
8523 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8524 {
8525 	struct cfg80211_registered_device *rdev;
8526 	struct cfg80211_internal_bss *scan;
8527 	struct wireless_dev *wdev;
8528 	int start = cb->args[2], idx = 0;
8529 	int err;
8530 
8531 	rtnl_lock();
8532 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8533 	if (err) {
8534 		rtnl_unlock();
8535 		return err;
8536 	}
8537 
8538 	wdev_lock(wdev);
8539 	spin_lock_bh(&rdev->bss_lock);
8540 
8541 	/*
8542 	 * dump_scan will be called multiple times to break up the scan results
8543 	 * into multiple messages.  It is unlikely that any more bss-es will be
8544 	 * expired after the first call, so only call only call this on the
8545 	 * first dump_scan invocation.
8546 	 */
8547 	if (start == 0)
8548 		cfg80211_bss_expire(rdev);
8549 
8550 	cb->seq = rdev->bss_generation;
8551 
8552 	list_for_each_entry(scan, &rdev->bss_list, list) {
8553 		if (++idx <= start)
8554 			continue;
8555 		if (nl80211_send_bss(skb, cb,
8556 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8557 				rdev, wdev, scan) < 0) {
8558 			idx--;
8559 			break;
8560 		}
8561 	}
8562 
8563 	spin_unlock_bh(&rdev->bss_lock);
8564 	wdev_unlock(wdev);
8565 
8566 	cb->args[2] = idx;
8567 	rtnl_unlock();
8568 
8569 	return skb->len;
8570 }
8571 
8572 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
8573 			       int flags, struct net_device *dev,
8574 			       bool allow_radio_stats,
8575 			       struct survey_info *survey)
8576 {
8577 	void *hdr;
8578 	struct nlattr *infoattr;
8579 
8580 	/* skip radio stats if userspace didn't request them */
8581 	if (!survey->channel && !allow_radio_stats)
8582 		return 0;
8583 
8584 	hdr = nl80211hdr_put(msg, portid, seq, flags,
8585 			     NL80211_CMD_NEW_SURVEY_RESULTS);
8586 	if (!hdr)
8587 		return -ENOMEM;
8588 
8589 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
8590 		goto nla_put_failure;
8591 
8592 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
8593 	if (!infoattr)
8594 		goto nla_put_failure;
8595 
8596 	if (survey->channel &&
8597 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
8598 			survey->channel->center_freq))
8599 		goto nla_put_failure;
8600 
8601 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
8602 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
8603 		goto nla_put_failure;
8604 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
8605 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
8606 		goto nla_put_failure;
8607 	if ((survey->filled & SURVEY_INFO_TIME) &&
8608 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
8609 			survey->time, NL80211_SURVEY_INFO_PAD))
8610 		goto nla_put_failure;
8611 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
8612 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
8613 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
8614 		goto nla_put_failure;
8615 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
8616 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
8617 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
8618 		goto nla_put_failure;
8619 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
8620 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
8621 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
8622 		goto nla_put_failure;
8623 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
8624 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
8625 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
8626 		goto nla_put_failure;
8627 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
8628 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
8629 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
8630 		goto nla_put_failure;
8631 
8632 	nla_nest_end(msg, infoattr);
8633 
8634 	genlmsg_end(msg, hdr);
8635 	return 0;
8636 
8637  nla_put_failure:
8638 	genlmsg_cancel(msg, hdr);
8639 	return -EMSGSIZE;
8640 }
8641 
8642 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
8643 {
8644 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
8645 	struct survey_info survey;
8646 	struct cfg80211_registered_device *rdev;
8647 	struct wireless_dev *wdev;
8648 	int survey_idx = cb->args[2];
8649 	int res;
8650 	bool radio_stats;
8651 
8652 	rtnl_lock();
8653 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8654 	if (res)
8655 		goto out_err;
8656 
8657 	/* prepare_wdev_dump parsed the attributes */
8658 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
8659 
8660 	if (!wdev->netdev) {
8661 		res = -EINVAL;
8662 		goto out_err;
8663 	}
8664 
8665 	if (!rdev->ops->dump_survey) {
8666 		res = -EOPNOTSUPP;
8667 		goto out_err;
8668 	}
8669 
8670 	while (1) {
8671 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
8672 		if (res == -ENOENT)
8673 			break;
8674 		if (res)
8675 			goto out_err;
8676 
8677 		/* don't send disabled channels, but do send non-channel data */
8678 		if (survey.channel &&
8679 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
8680 			survey_idx++;
8681 			continue;
8682 		}
8683 
8684 		if (nl80211_send_survey(skb,
8685 				NETLINK_CB(cb->skb).portid,
8686 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8687 				wdev->netdev, radio_stats, &survey) < 0)
8688 			goto out;
8689 		survey_idx++;
8690 	}
8691 
8692  out:
8693 	cb->args[2] = survey_idx;
8694 	res = skb->len;
8695  out_err:
8696 	rtnl_unlock();
8697 	return res;
8698 }
8699 
8700 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
8701 {
8702 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
8703 				  NL80211_WPA_VERSION_2));
8704 }
8705 
8706 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
8707 {
8708 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8709 	struct net_device *dev = info->user_ptr[1];
8710 	struct ieee80211_channel *chan;
8711 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
8712 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
8713 	enum nl80211_auth_type auth_type;
8714 	struct key_parse key;
8715 	bool local_state_change;
8716 
8717 	if (!info->attrs[NL80211_ATTR_MAC])
8718 		return -EINVAL;
8719 
8720 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
8721 		return -EINVAL;
8722 
8723 	if (!info->attrs[NL80211_ATTR_SSID])
8724 		return -EINVAL;
8725 
8726 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8727 		return -EINVAL;
8728 
8729 	err = nl80211_parse_key(info, &key);
8730 	if (err)
8731 		return err;
8732 
8733 	if (key.idx >= 0) {
8734 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
8735 			return -EINVAL;
8736 		if (!key.p.key || !key.p.key_len)
8737 			return -EINVAL;
8738 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
8739 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
8740 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
8741 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
8742 			return -EINVAL;
8743 		if (key.idx > 3)
8744 			return -EINVAL;
8745 	} else {
8746 		key.p.key_len = 0;
8747 		key.p.key = NULL;
8748 	}
8749 
8750 	if (key.idx >= 0) {
8751 		int i;
8752 		bool ok = false;
8753 
8754 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
8755 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
8756 				ok = true;
8757 				break;
8758 			}
8759 		}
8760 		if (!ok)
8761 			return -EINVAL;
8762 	}
8763 
8764 	if (!rdev->ops->auth)
8765 		return -EOPNOTSUPP;
8766 
8767 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8768 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8769 		return -EOPNOTSUPP;
8770 
8771 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8772 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8773 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8774 	if (!chan)
8775 		return -EINVAL;
8776 
8777 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8778 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8779 
8780 	if (info->attrs[NL80211_ATTR_IE]) {
8781 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8782 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8783 	}
8784 
8785 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8786 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
8787 		return -EINVAL;
8788 
8789 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
8790 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
8791 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
8792 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
8793 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
8794 		return -EINVAL;
8795 
8796 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
8797 		if (auth_type != NL80211_AUTHTYPE_SAE &&
8798 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
8799 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
8800 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
8801 			return -EINVAL;
8802 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
8803 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
8804 		/* need to include at least Auth Transaction and Status Code */
8805 		if (auth_data_len < 4)
8806 			return -EINVAL;
8807 	}
8808 
8809 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8810 
8811 	/*
8812 	 * Since we no longer track auth state, ignore
8813 	 * requests to only change local state.
8814 	 */
8815 	if (local_state_change)
8816 		return 0;
8817 
8818 	wdev_lock(dev->ieee80211_ptr);
8819 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
8820 				 ssid, ssid_len, ie, ie_len,
8821 				 key.p.key, key.p.key_len, key.idx,
8822 				 auth_data, auth_data_len);
8823 	wdev_unlock(dev->ieee80211_ptr);
8824 	return err;
8825 }
8826 
8827 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
8828 				     struct genl_info *info)
8829 {
8830 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8831 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
8832 		return -EINVAL;
8833 	}
8834 
8835 	if (!rdev->ops->tx_control_port ||
8836 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8837 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
8838 		return -EOPNOTSUPP;
8839 
8840 	return 0;
8841 }
8842 
8843 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
8844 				   struct genl_info *info,
8845 				   struct cfg80211_crypto_settings *settings,
8846 				   int cipher_limit)
8847 {
8848 	memset(settings, 0, sizeof(*settings));
8849 
8850 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
8851 
8852 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
8853 		u16 proto;
8854 
8855 		proto = nla_get_u16(
8856 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
8857 		settings->control_port_ethertype = cpu_to_be16(proto);
8858 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
8859 		    proto != ETH_P_PAE)
8860 			return -EINVAL;
8861 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
8862 			settings->control_port_no_encrypt = true;
8863 	} else
8864 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
8865 
8866 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
8867 		int r = validate_pae_over_nl80211(rdev, info);
8868 
8869 		if (r < 0)
8870 			return r;
8871 
8872 		settings->control_port_over_nl80211 = true;
8873 	}
8874 
8875 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
8876 		void *data;
8877 		int len, i;
8878 
8879 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8880 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8881 		settings->n_ciphers_pairwise = len / sizeof(u32);
8882 
8883 		if (len % sizeof(u32))
8884 			return -EINVAL;
8885 
8886 		if (settings->n_ciphers_pairwise > cipher_limit)
8887 			return -EINVAL;
8888 
8889 		memcpy(settings->ciphers_pairwise, data, len);
8890 
8891 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
8892 			if (!cfg80211_supported_cipher_suite(
8893 					&rdev->wiphy,
8894 					settings->ciphers_pairwise[i]))
8895 				return -EINVAL;
8896 	}
8897 
8898 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
8899 		settings->cipher_group =
8900 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
8901 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
8902 						     settings->cipher_group))
8903 			return -EINVAL;
8904 	}
8905 
8906 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
8907 		settings->wpa_versions =
8908 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
8909 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
8910 			return -EINVAL;
8911 	}
8912 
8913 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
8914 		void *data;
8915 		int len;
8916 
8917 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
8918 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
8919 		settings->n_akm_suites = len / sizeof(u32);
8920 
8921 		if (len % sizeof(u32))
8922 			return -EINVAL;
8923 
8924 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
8925 			return -EINVAL;
8926 
8927 		memcpy(settings->akm_suites, data, len);
8928 	}
8929 
8930 	if (info->attrs[NL80211_ATTR_PMK]) {
8931 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
8932 			return -EINVAL;
8933 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8934 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
8935 			return -EINVAL;
8936 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
8937 	}
8938 
8939 	return 0;
8940 }
8941 
8942 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
8943 {
8944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8945 	struct net_device *dev = info->user_ptr[1];
8946 	struct ieee80211_channel *chan;
8947 	struct cfg80211_assoc_request req = {};
8948 	const u8 *bssid, *ssid;
8949 	int err, ssid_len = 0;
8950 
8951 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8952 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8953 		return -EPERM;
8954 
8955 	if (!info->attrs[NL80211_ATTR_MAC] ||
8956 	    !info->attrs[NL80211_ATTR_SSID] ||
8957 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
8958 		return -EINVAL;
8959 
8960 	if (!rdev->ops->assoc)
8961 		return -EOPNOTSUPP;
8962 
8963 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8964 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8965 		return -EOPNOTSUPP;
8966 
8967 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8968 
8969 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8970 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8971 	if (!chan)
8972 		return -EINVAL;
8973 
8974 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8975 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8976 
8977 	if (info->attrs[NL80211_ATTR_IE]) {
8978 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8979 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8980 	}
8981 
8982 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8983 		enum nl80211_mfp mfp =
8984 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8985 		if (mfp == NL80211_MFP_REQUIRED)
8986 			req.use_mfp = true;
8987 		else if (mfp != NL80211_MFP_NO)
8988 			return -EINVAL;
8989 	}
8990 
8991 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8992 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8993 
8994 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8995 		req.flags |= ASSOC_REQ_DISABLE_HT;
8996 
8997 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8998 		memcpy(&req.ht_capa_mask,
8999 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9000 		       sizeof(req.ht_capa_mask));
9001 
9002 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9003 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9004 			return -EINVAL;
9005 		memcpy(&req.ht_capa,
9006 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9007 		       sizeof(req.ht_capa));
9008 	}
9009 
9010 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9011 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9012 
9013 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9014 		memcpy(&req.vht_capa_mask,
9015 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9016 		       sizeof(req.vht_capa_mask));
9017 
9018 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9019 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9020 			return -EINVAL;
9021 		memcpy(&req.vht_capa,
9022 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9023 		       sizeof(req.vht_capa));
9024 	}
9025 
9026 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9027 		if (!((rdev->wiphy.features &
9028 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9029 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9030 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9031 					     NL80211_EXT_FEATURE_RRM))
9032 			return -EINVAL;
9033 		req.flags |= ASSOC_REQ_USE_RRM;
9034 	}
9035 
9036 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9037 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9038 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9039 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9040 			return -EINVAL;
9041 		req.fils_nonces =
9042 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9043 	}
9044 
9045 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9046 	if (!err) {
9047 		wdev_lock(dev->ieee80211_ptr);
9048 
9049 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9050 					  ssid, ssid_len, &req);
9051 
9052 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9053 			dev->ieee80211_ptr->conn_owner_nlportid =
9054 				info->snd_portid;
9055 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9056 			       bssid, ETH_ALEN);
9057 		}
9058 
9059 		wdev_unlock(dev->ieee80211_ptr);
9060 	}
9061 
9062 	return err;
9063 }
9064 
9065 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9066 {
9067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9068 	struct net_device *dev = info->user_ptr[1];
9069 	const u8 *ie = NULL, *bssid;
9070 	int ie_len = 0, err;
9071 	u16 reason_code;
9072 	bool local_state_change;
9073 
9074 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9075 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9076 		return -EPERM;
9077 
9078 	if (!info->attrs[NL80211_ATTR_MAC])
9079 		return -EINVAL;
9080 
9081 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9082 		return -EINVAL;
9083 
9084 	if (!rdev->ops->deauth)
9085 		return -EOPNOTSUPP;
9086 
9087 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9088 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9089 		return -EOPNOTSUPP;
9090 
9091 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9092 
9093 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9094 	if (reason_code == 0) {
9095 		/* Reason Code 0 is reserved */
9096 		return -EINVAL;
9097 	}
9098 
9099 	if (info->attrs[NL80211_ATTR_IE]) {
9100 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9101 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9102 	}
9103 
9104 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9105 
9106 	wdev_lock(dev->ieee80211_ptr);
9107 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9108 				   local_state_change);
9109 	wdev_unlock(dev->ieee80211_ptr);
9110 	return err;
9111 }
9112 
9113 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9114 {
9115 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9116 	struct net_device *dev = info->user_ptr[1];
9117 	const u8 *ie = NULL, *bssid;
9118 	int ie_len = 0, err;
9119 	u16 reason_code;
9120 	bool local_state_change;
9121 
9122 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9123 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9124 		return -EPERM;
9125 
9126 	if (!info->attrs[NL80211_ATTR_MAC])
9127 		return -EINVAL;
9128 
9129 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9130 		return -EINVAL;
9131 
9132 	if (!rdev->ops->disassoc)
9133 		return -EOPNOTSUPP;
9134 
9135 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9136 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9137 		return -EOPNOTSUPP;
9138 
9139 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9140 
9141 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9142 	if (reason_code == 0) {
9143 		/* Reason Code 0 is reserved */
9144 		return -EINVAL;
9145 	}
9146 
9147 	if (info->attrs[NL80211_ATTR_IE]) {
9148 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9149 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9150 	}
9151 
9152 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9153 
9154 	wdev_lock(dev->ieee80211_ptr);
9155 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9156 				     local_state_change);
9157 	wdev_unlock(dev->ieee80211_ptr);
9158 	return err;
9159 }
9160 
9161 static bool
9162 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9163 			 int mcast_rate[NUM_NL80211_BANDS],
9164 			 int rateval)
9165 {
9166 	struct wiphy *wiphy = &rdev->wiphy;
9167 	bool found = false;
9168 	int band, i;
9169 
9170 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9171 		struct ieee80211_supported_band *sband;
9172 
9173 		sband = wiphy->bands[band];
9174 		if (!sband)
9175 			continue;
9176 
9177 		for (i = 0; i < sband->n_bitrates; i++) {
9178 			if (sband->bitrates[i].bitrate == rateval) {
9179 				mcast_rate[band] = i + 1;
9180 				found = true;
9181 				break;
9182 			}
9183 		}
9184 	}
9185 
9186 	return found;
9187 }
9188 
9189 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9190 {
9191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9192 	struct net_device *dev = info->user_ptr[1];
9193 	struct cfg80211_ibss_params ibss;
9194 	struct wiphy *wiphy;
9195 	struct cfg80211_cached_keys *connkeys = NULL;
9196 	int err;
9197 
9198 	memset(&ibss, 0, sizeof(ibss));
9199 
9200 	if (!info->attrs[NL80211_ATTR_SSID] ||
9201 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9202 		return -EINVAL;
9203 
9204 	ibss.beacon_interval = 100;
9205 
9206 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9207 		ibss.beacon_interval =
9208 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9209 
9210 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9211 					   ibss.beacon_interval);
9212 	if (err)
9213 		return err;
9214 
9215 	if (!rdev->ops->join_ibss)
9216 		return -EOPNOTSUPP;
9217 
9218 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9219 		return -EOPNOTSUPP;
9220 
9221 	wiphy = &rdev->wiphy;
9222 
9223 	if (info->attrs[NL80211_ATTR_MAC]) {
9224 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9225 
9226 		if (!is_valid_ether_addr(ibss.bssid))
9227 			return -EINVAL;
9228 	}
9229 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9230 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9231 
9232 	if (info->attrs[NL80211_ATTR_IE]) {
9233 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9234 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9235 	}
9236 
9237 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9238 	if (err)
9239 		return err;
9240 
9241 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9242 				     NL80211_IFTYPE_ADHOC))
9243 		return -EINVAL;
9244 
9245 	switch (ibss.chandef.width) {
9246 	case NL80211_CHAN_WIDTH_5:
9247 	case NL80211_CHAN_WIDTH_10:
9248 	case NL80211_CHAN_WIDTH_20_NOHT:
9249 		break;
9250 	case NL80211_CHAN_WIDTH_20:
9251 	case NL80211_CHAN_WIDTH_40:
9252 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9253 			return -EINVAL;
9254 		break;
9255 	case NL80211_CHAN_WIDTH_80:
9256 	case NL80211_CHAN_WIDTH_80P80:
9257 	case NL80211_CHAN_WIDTH_160:
9258 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9259 			return -EINVAL;
9260 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9261 					     NL80211_EXT_FEATURE_VHT_IBSS))
9262 			return -EINVAL;
9263 		break;
9264 	default:
9265 		return -EINVAL;
9266 	}
9267 
9268 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9269 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9270 
9271 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9272 		u8 *rates =
9273 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9274 		int n_rates =
9275 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9276 		struct ieee80211_supported_band *sband =
9277 			wiphy->bands[ibss.chandef.chan->band];
9278 
9279 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9280 					     &ibss.basic_rates);
9281 		if (err)
9282 			return err;
9283 	}
9284 
9285 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9286 		memcpy(&ibss.ht_capa_mask,
9287 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9288 		       sizeof(ibss.ht_capa_mask));
9289 
9290 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9291 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9292 			return -EINVAL;
9293 		memcpy(&ibss.ht_capa,
9294 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9295 		       sizeof(ibss.ht_capa));
9296 	}
9297 
9298 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9299 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9300 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9301 		return -EINVAL;
9302 
9303 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9304 		bool no_ht = false;
9305 
9306 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9307 		if (IS_ERR(connkeys))
9308 			return PTR_ERR(connkeys);
9309 
9310 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9311 		    no_ht) {
9312 			kzfree(connkeys);
9313 			return -EINVAL;
9314 		}
9315 	}
9316 
9317 	ibss.control_port =
9318 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9319 
9320 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9321 		int r = validate_pae_over_nl80211(rdev, info);
9322 
9323 		if (r < 0) {
9324 			kzfree(connkeys);
9325 			return r;
9326 		}
9327 
9328 		ibss.control_port_over_nl80211 = true;
9329 	}
9330 
9331 	ibss.userspace_handles_dfs =
9332 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9333 
9334 	wdev_lock(dev->ieee80211_ptr);
9335 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9336 	if (err)
9337 		kzfree(connkeys);
9338 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9339 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9340 	wdev_unlock(dev->ieee80211_ptr);
9341 
9342 	return err;
9343 }
9344 
9345 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9346 {
9347 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9348 	struct net_device *dev = info->user_ptr[1];
9349 
9350 	if (!rdev->ops->leave_ibss)
9351 		return -EOPNOTSUPP;
9352 
9353 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9354 		return -EOPNOTSUPP;
9355 
9356 	return cfg80211_leave_ibss(rdev, dev, false);
9357 }
9358 
9359 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9360 {
9361 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9362 	struct net_device *dev = info->user_ptr[1];
9363 	int mcast_rate[NUM_NL80211_BANDS];
9364 	u32 nla_rate;
9365 	int err;
9366 
9367 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9368 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9369 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9370 		return -EOPNOTSUPP;
9371 
9372 	if (!rdev->ops->set_mcast_rate)
9373 		return -EOPNOTSUPP;
9374 
9375 	memset(mcast_rate, 0, sizeof(mcast_rate));
9376 
9377 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9378 		return -EINVAL;
9379 
9380 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9381 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9382 		return -EINVAL;
9383 
9384 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9385 
9386 	return err;
9387 }
9388 
9389 static struct sk_buff *
9390 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9391 			    struct wireless_dev *wdev, int approxlen,
9392 			    u32 portid, u32 seq, enum nl80211_commands cmd,
9393 			    enum nl80211_attrs attr,
9394 			    const struct nl80211_vendor_cmd_info *info,
9395 			    gfp_t gfp)
9396 {
9397 	struct sk_buff *skb;
9398 	void *hdr;
9399 	struct nlattr *data;
9400 
9401 	skb = nlmsg_new(approxlen + 100, gfp);
9402 	if (!skb)
9403 		return NULL;
9404 
9405 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9406 	if (!hdr) {
9407 		kfree_skb(skb);
9408 		return NULL;
9409 	}
9410 
9411 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9412 		goto nla_put_failure;
9413 
9414 	if (info) {
9415 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9416 				info->vendor_id))
9417 			goto nla_put_failure;
9418 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9419 				info->subcmd))
9420 			goto nla_put_failure;
9421 	}
9422 
9423 	if (wdev) {
9424 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9425 				      wdev_id(wdev), NL80211_ATTR_PAD))
9426 			goto nla_put_failure;
9427 		if (wdev->netdev &&
9428 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9429 				wdev->netdev->ifindex))
9430 			goto nla_put_failure;
9431 	}
9432 
9433 	data = nla_nest_start_noflag(skb, attr);
9434 	if (!data)
9435 		goto nla_put_failure;
9436 
9437 	((void **)skb->cb)[0] = rdev;
9438 	((void **)skb->cb)[1] = hdr;
9439 	((void **)skb->cb)[2] = data;
9440 
9441 	return skb;
9442 
9443  nla_put_failure:
9444 	kfree_skb(skb);
9445 	return NULL;
9446 }
9447 
9448 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9449 					   struct wireless_dev *wdev,
9450 					   enum nl80211_commands cmd,
9451 					   enum nl80211_attrs attr,
9452 					   unsigned int portid,
9453 					   int vendor_event_idx,
9454 					   int approxlen, gfp_t gfp)
9455 {
9456 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9457 	const struct nl80211_vendor_cmd_info *info;
9458 
9459 	switch (cmd) {
9460 	case NL80211_CMD_TESTMODE:
9461 		if (WARN_ON(vendor_event_idx != -1))
9462 			return NULL;
9463 		info = NULL;
9464 		break;
9465 	case NL80211_CMD_VENDOR:
9466 		if (WARN_ON(vendor_event_idx < 0 ||
9467 			    vendor_event_idx >= wiphy->n_vendor_events))
9468 			return NULL;
9469 		info = &wiphy->vendor_events[vendor_event_idx];
9470 		break;
9471 	default:
9472 		WARN_ON(1);
9473 		return NULL;
9474 	}
9475 
9476 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
9477 					   cmd, attr, info, gfp);
9478 }
9479 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9480 
9481 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9482 {
9483 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9484 	void *hdr = ((void **)skb->cb)[1];
9485 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
9486 	struct nlattr *data = ((void **)skb->cb)[2];
9487 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9488 
9489 	/* clear CB data for netlink core to own from now on */
9490 	memset(skb->cb, 0, sizeof(skb->cb));
9491 
9492 	nla_nest_end(skb, data);
9493 	genlmsg_end(skb, hdr);
9494 
9495 	if (nlhdr->nlmsg_pid) {
9496 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
9497 				nlhdr->nlmsg_pid);
9498 	} else {
9499 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9500 			mcgrp = NL80211_MCGRP_VENDOR;
9501 
9502 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
9503 					skb, 0, mcgrp, gfp);
9504 	}
9505 }
9506 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9507 
9508 #ifdef CONFIG_NL80211_TESTMODE
9509 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9510 {
9511 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9512 	struct wireless_dev *wdev =
9513 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9514 	int err;
9515 
9516 	if (!rdev->ops->testmode_cmd)
9517 		return -EOPNOTSUPP;
9518 
9519 	if (IS_ERR(wdev)) {
9520 		err = PTR_ERR(wdev);
9521 		if (err != -EINVAL)
9522 			return err;
9523 		wdev = NULL;
9524 	} else if (wdev->wiphy != &rdev->wiphy) {
9525 		return -EINVAL;
9526 	}
9527 
9528 	if (!info->attrs[NL80211_ATTR_TESTDATA])
9529 		return -EINVAL;
9530 
9531 	rdev->cur_cmd_info = info;
9532 	err = rdev_testmode_cmd(rdev, wdev,
9533 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
9534 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
9535 	rdev->cur_cmd_info = NULL;
9536 
9537 	return err;
9538 }
9539 
9540 static int nl80211_testmode_dump(struct sk_buff *skb,
9541 				 struct netlink_callback *cb)
9542 {
9543 	struct cfg80211_registered_device *rdev;
9544 	int err;
9545 	long phy_idx;
9546 	void *data = NULL;
9547 	int data_len = 0;
9548 
9549 	rtnl_lock();
9550 
9551 	if (cb->args[0]) {
9552 		/*
9553 		 * 0 is a valid index, but not valid for args[0],
9554 		 * so we need to offset by 1.
9555 		 */
9556 		phy_idx = cb->args[0] - 1;
9557 
9558 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
9559 		if (!rdev) {
9560 			err = -ENOENT;
9561 			goto out_err;
9562 		}
9563 	} else {
9564 		struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
9565 
9566 		err = nlmsg_parse_deprecated(cb->nlh,
9567 					     GENL_HDRLEN + nl80211_fam.hdrsize,
9568 					     attrbuf, nl80211_fam.maxattr,
9569 					     nl80211_policy, NULL);
9570 		if (err)
9571 			goto out_err;
9572 
9573 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
9574 		if (IS_ERR(rdev)) {
9575 			err = PTR_ERR(rdev);
9576 			goto out_err;
9577 		}
9578 		phy_idx = rdev->wiphy_idx;
9579 
9580 		if (attrbuf[NL80211_ATTR_TESTDATA])
9581 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
9582 	}
9583 
9584 	if (cb->args[1]) {
9585 		data = nla_data((void *)cb->args[1]);
9586 		data_len = nla_len((void *)cb->args[1]);
9587 	}
9588 
9589 	if (!rdev->ops->testmode_dump) {
9590 		err = -EOPNOTSUPP;
9591 		goto out_err;
9592 	}
9593 
9594 	while (1) {
9595 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
9596 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
9597 					   NL80211_CMD_TESTMODE);
9598 		struct nlattr *tmdata;
9599 
9600 		if (!hdr)
9601 			break;
9602 
9603 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
9604 			genlmsg_cancel(skb, hdr);
9605 			break;
9606 		}
9607 
9608 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
9609 		if (!tmdata) {
9610 			genlmsg_cancel(skb, hdr);
9611 			break;
9612 		}
9613 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
9614 		nla_nest_end(skb, tmdata);
9615 
9616 		if (err == -ENOBUFS || err == -ENOENT) {
9617 			genlmsg_cancel(skb, hdr);
9618 			break;
9619 		} else if (err) {
9620 			genlmsg_cancel(skb, hdr);
9621 			goto out_err;
9622 		}
9623 
9624 		genlmsg_end(skb, hdr);
9625 	}
9626 
9627 	err = skb->len;
9628 	/* see above */
9629 	cb->args[0] = phy_idx + 1;
9630  out_err:
9631 	rtnl_unlock();
9632 	return err;
9633 }
9634 #endif
9635 
9636 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9637 {
9638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9639 	struct net_device *dev = info->user_ptr[1];
9640 	struct cfg80211_connect_params connect;
9641 	struct wiphy *wiphy;
9642 	struct cfg80211_cached_keys *connkeys = NULL;
9643 	int err;
9644 
9645 	memset(&connect, 0, sizeof(connect));
9646 
9647 	if (!info->attrs[NL80211_ATTR_SSID] ||
9648 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9649 		return -EINVAL;
9650 
9651 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9652 		connect.auth_type =
9653 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9654 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9655 					     NL80211_CMD_CONNECT))
9656 			return -EINVAL;
9657 	} else
9658 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9659 
9660 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9661 
9662 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9663 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9664 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9665 		return -EINVAL;
9666 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9667 
9668 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9669 				      NL80211_MAX_NR_CIPHER_SUITES);
9670 	if (err)
9671 		return err;
9672 
9673 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9674 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9675 		return -EOPNOTSUPP;
9676 
9677 	wiphy = &rdev->wiphy;
9678 
9679 	connect.bg_scan_period = -1;
9680 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9681 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9682 		connect.bg_scan_period =
9683 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9684 	}
9685 
9686 	if (info->attrs[NL80211_ATTR_MAC])
9687 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9688 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
9689 		connect.bssid_hint =
9690 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9691 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9692 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9693 
9694 	if (info->attrs[NL80211_ATTR_IE]) {
9695 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9696 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9697 	}
9698 
9699 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9700 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9701 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
9702 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9703 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
9704 			return -EOPNOTSUPP;
9705 	} else {
9706 		connect.mfp = NL80211_MFP_NO;
9707 	}
9708 
9709 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9710 		connect.prev_bssid =
9711 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9712 
9713 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9714 		connect.channel = nl80211_get_valid_chan(
9715 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9716 		if (!connect.channel)
9717 			return -EINVAL;
9718 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9719 		connect.channel_hint = nl80211_get_valid_chan(
9720 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9721 		if (!connect.channel_hint)
9722 			return -EINVAL;
9723 	}
9724 
9725 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9726 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9727 		if (IS_ERR(connkeys))
9728 			return PTR_ERR(connkeys);
9729 	}
9730 
9731 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9732 		connect.flags |= ASSOC_REQ_DISABLE_HT;
9733 
9734 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9735 		memcpy(&connect.ht_capa_mask,
9736 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9737 		       sizeof(connect.ht_capa_mask));
9738 
9739 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9740 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9741 			kzfree(connkeys);
9742 			return -EINVAL;
9743 		}
9744 		memcpy(&connect.ht_capa,
9745 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9746 		       sizeof(connect.ht_capa));
9747 	}
9748 
9749 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9750 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
9751 
9752 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9753 		memcpy(&connect.vht_capa_mask,
9754 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9755 		       sizeof(connect.vht_capa_mask));
9756 
9757 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9758 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9759 			kzfree(connkeys);
9760 			return -EINVAL;
9761 		}
9762 		memcpy(&connect.vht_capa,
9763 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9764 		       sizeof(connect.vht_capa));
9765 	}
9766 
9767 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9768 		if (!((rdev->wiphy.features &
9769 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9770 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9771 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9772 					     NL80211_EXT_FEATURE_RRM)) {
9773 			kzfree(connkeys);
9774 			return -EINVAL;
9775 		}
9776 		connect.flags |= ASSOC_REQ_USE_RRM;
9777 	}
9778 
9779 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9780 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9781 		kzfree(connkeys);
9782 		return -EOPNOTSUPP;
9783 	}
9784 
9785 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
9786 		/* bss selection makes no sense if bssid is set */
9787 		if (connect.bssid) {
9788 			kzfree(connkeys);
9789 			return -EINVAL;
9790 		}
9791 
9792 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
9793 				       wiphy, &connect.bss_select);
9794 		if (err) {
9795 			kzfree(connkeys);
9796 			return err;
9797 		}
9798 	}
9799 
9800 	if (wiphy_ext_feature_isset(&rdev->wiphy,
9801 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
9802 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9803 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9804 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9805 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9806 		connect.fils_erp_username =
9807 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9808 		connect.fils_erp_username_len =
9809 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9810 		connect.fils_erp_realm =
9811 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9812 		connect.fils_erp_realm_len =
9813 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9814 		connect.fils_erp_next_seq_num =
9815 			nla_get_u16(
9816 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9817 		connect.fils_erp_rrk =
9818 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9819 		connect.fils_erp_rrk_len =
9820 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9821 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9822 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9823 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9824 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9825 		kzfree(connkeys);
9826 		return -EINVAL;
9827 	}
9828 
9829 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
9830 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9831 			kzfree(connkeys);
9832 			GENL_SET_ERR_MSG(info,
9833 					 "external auth requires connection ownership");
9834 			return -EINVAL;
9835 		}
9836 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
9837 	}
9838 
9839 	wdev_lock(dev->ieee80211_ptr);
9840 
9841 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
9842 			       connect.prev_bssid);
9843 	if (err)
9844 		kzfree(connkeys);
9845 
9846 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9847 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9848 		if (connect.bssid)
9849 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9850 			       connect.bssid, ETH_ALEN);
9851 		else
9852 			memset(dev->ieee80211_ptr->disconnect_bssid,
9853 			       0, ETH_ALEN);
9854 	}
9855 
9856 	wdev_unlock(dev->ieee80211_ptr);
9857 
9858 	return err;
9859 }
9860 
9861 static int nl80211_update_connect_params(struct sk_buff *skb,
9862 					 struct genl_info *info)
9863 {
9864 	struct cfg80211_connect_params connect = {};
9865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9866 	struct net_device *dev = info->user_ptr[1];
9867 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9868 	bool fils_sk_offload;
9869 	u32 auth_type;
9870 	u32 changed = 0;
9871 	int ret;
9872 
9873 	if (!rdev->ops->update_connect_params)
9874 		return -EOPNOTSUPP;
9875 
9876 	if (info->attrs[NL80211_ATTR_IE]) {
9877 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9878 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9879 		changed |= UPDATE_ASSOC_IES;
9880 	}
9881 
9882 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
9883 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
9884 
9885 	/*
9886 	 * when driver supports fils-sk offload all attributes must be
9887 	 * provided. So the else covers "fils-sk-not-all" and
9888 	 * "no-fils-sk-any".
9889 	 */
9890 	if (fils_sk_offload &&
9891 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9892 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9893 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9894 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9895 		connect.fils_erp_username =
9896 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9897 		connect.fils_erp_username_len =
9898 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9899 		connect.fils_erp_realm =
9900 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9901 		connect.fils_erp_realm_len =
9902 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9903 		connect.fils_erp_next_seq_num =
9904 			nla_get_u16(
9905 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9906 		connect.fils_erp_rrk =
9907 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9908 		connect.fils_erp_rrk_len =
9909 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9910 		changed |= UPDATE_FILS_ERP_INFO;
9911 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9912 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9913 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9914 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9915 		return -EINVAL;
9916 	}
9917 
9918 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9919 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9920 		if (!nl80211_valid_auth_type(rdev, auth_type,
9921 					     NL80211_CMD_CONNECT))
9922 			return -EINVAL;
9923 
9924 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
9925 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
9926 			return -EINVAL;
9927 
9928 		connect.auth_type = auth_type;
9929 		changed |= UPDATE_AUTH_TYPE;
9930 	}
9931 
9932 	wdev_lock(dev->ieee80211_ptr);
9933 	if (!wdev->current_bss)
9934 		ret = -ENOLINK;
9935 	else
9936 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
9937 	wdev_unlock(dev->ieee80211_ptr);
9938 
9939 	return ret;
9940 }
9941 
9942 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
9943 {
9944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9945 	struct net_device *dev = info->user_ptr[1];
9946 	u16 reason;
9947 	int ret;
9948 
9949 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9950 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9951 		return -EPERM;
9952 
9953 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9954 		reason = WLAN_REASON_DEAUTH_LEAVING;
9955 	else
9956 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9957 
9958 	if (reason == 0)
9959 		return -EINVAL;
9960 
9961 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9962 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9963 		return -EOPNOTSUPP;
9964 
9965 	wdev_lock(dev->ieee80211_ptr);
9966 	ret = cfg80211_disconnect(rdev, dev, reason, true);
9967 	wdev_unlock(dev->ieee80211_ptr);
9968 	return ret;
9969 }
9970 
9971 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
9972 {
9973 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9974 	struct net *net;
9975 	int err;
9976 
9977 	if (info->attrs[NL80211_ATTR_PID]) {
9978 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
9979 
9980 		net = get_net_ns_by_pid(pid);
9981 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
9982 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
9983 
9984 		net = get_net_ns_by_fd(fd);
9985 	} else {
9986 		return -EINVAL;
9987 	}
9988 
9989 	if (IS_ERR(net))
9990 		return PTR_ERR(net);
9991 
9992 	err = 0;
9993 
9994 	/* check if anything to do */
9995 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
9996 		err = cfg80211_switch_netns(rdev, net);
9997 
9998 	put_net(net);
9999 	return err;
10000 }
10001 
10002 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10003 {
10004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10005 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10006 			struct cfg80211_pmksa *pmksa) = NULL;
10007 	struct net_device *dev = info->user_ptr[1];
10008 	struct cfg80211_pmksa pmksa;
10009 
10010 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10011 
10012 	if (!info->attrs[NL80211_ATTR_PMKID])
10013 		return -EINVAL;
10014 
10015 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10016 
10017 	if (info->attrs[NL80211_ATTR_MAC]) {
10018 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10019 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10020 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10021 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10022 		    info->attrs[NL80211_ATTR_PMK])) {
10023 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10024 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10025 		pmksa.cache_id =
10026 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10027 	} else {
10028 		return -EINVAL;
10029 	}
10030 	if (info->attrs[NL80211_ATTR_PMK]) {
10031 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10032 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10033 	}
10034 
10035 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10036 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10037 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10038 	      wiphy_ext_feature_isset(&rdev->wiphy,
10039 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10040 		return -EOPNOTSUPP;
10041 
10042 	switch (info->genlhdr->cmd) {
10043 	case NL80211_CMD_SET_PMKSA:
10044 		rdev_ops = rdev->ops->set_pmksa;
10045 		break;
10046 	case NL80211_CMD_DEL_PMKSA:
10047 		rdev_ops = rdev->ops->del_pmksa;
10048 		break;
10049 	default:
10050 		WARN_ON(1);
10051 		break;
10052 	}
10053 
10054 	if (!rdev_ops)
10055 		return -EOPNOTSUPP;
10056 
10057 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10058 }
10059 
10060 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10061 {
10062 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10063 	struct net_device *dev = info->user_ptr[1];
10064 
10065 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10066 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10067 		return -EOPNOTSUPP;
10068 
10069 	if (!rdev->ops->flush_pmksa)
10070 		return -EOPNOTSUPP;
10071 
10072 	return rdev_flush_pmksa(rdev, dev);
10073 }
10074 
10075 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10076 {
10077 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10078 	struct net_device *dev = info->user_ptr[1];
10079 	u8 action_code, dialog_token;
10080 	u32 peer_capability = 0;
10081 	u16 status_code;
10082 	u8 *peer;
10083 	bool initiator;
10084 
10085 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10086 	    !rdev->ops->tdls_mgmt)
10087 		return -EOPNOTSUPP;
10088 
10089 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10090 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10091 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10092 	    !info->attrs[NL80211_ATTR_IE] ||
10093 	    !info->attrs[NL80211_ATTR_MAC])
10094 		return -EINVAL;
10095 
10096 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10097 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10098 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10099 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10100 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10101 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10102 		peer_capability =
10103 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10104 
10105 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10106 			      dialog_token, status_code, peer_capability,
10107 			      initiator,
10108 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10109 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10110 }
10111 
10112 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10113 {
10114 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10115 	struct net_device *dev = info->user_ptr[1];
10116 	enum nl80211_tdls_operation operation;
10117 	u8 *peer;
10118 
10119 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10120 	    !rdev->ops->tdls_oper)
10121 		return -EOPNOTSUPP;
10122 
10123 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10124 	    !info->attrs[NL80211_ATTR_MAC])
10125 		return -EINVAL;
10126 
10127 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10128 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10129 
10130 	return rdev_tdls_oper(rdev, dev, peer, operation);
10131 }
10132 
10133 static int nl80211_remain_on_channel(struct sk_buff *skb,
10134 				     struct genl_info *info)
10135 {
10136 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10137 	struct wireless_dev *wdev = info->user_ptr[1];
10138 	struct cfg80211_chan_def chandef;
10139 	const struct cfg80211_chan_def *compat_chandef;
10140 	struct sk_buff *msg;
10141 	void *hdr;
10142 	u64 cookie;
10143 	u32 duration;
10144 	int err;
10145 
10146 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10147 	    !info->attrs[NL80211_ATTR_DURATION])
10148 		return -EINVAL;
10149 
10150 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10151 
10152 	if (!rdev->ops->remain_on_channel ||
10153 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
10154 		return -EOPNOTSUPP;
10155 
10156 	/*
10157 	 * We should be on that channel for at least a minimum amount of
10158 	 * time (10ms) but no longer than the driver supports.
10159 	 */
10160 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10161 	    duration > rdev->wiphy.max_remain_on_channel_duration)
10162 		return -EINVAL;
10163 
10164 	err = nl80211_parse_chandef(rdev, info, &chandef);
10165 	if (err)
10166 		return err;
10167 
10168 	wdev_lock(wdev);
10169 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
10170 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
10171 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
10172 							     &chandef);
10173 		if (compat_chandef != &chandef) {
10174 			wdev_unlock(wdev);
10175 			return -EBUSY;
10176 		}
10177 	}
10178 	wdev_unlock(wdev);
10179 
10180 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10181 	if (!msg)
10182 		return -ENOMEM;
10183 
10184 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10185 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10186 	if (!hdr) {
10187 		err = -ENOBUFS;
10188 		goto free_msg;
10189 	}
10190 
10191 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10192 				     duration, &cookie);
10193 
10194 	if (err)
10195 		goto free_msg;
10196 
10197 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10198 			      NL80211_ATTR_PAD))
10199 		goto nla_put_failure;
10200 
10201 	genlmsg_end(msg, hdr);
10202 
10203 	return genlmsg_reply(msg, info);
10204 
10205  nla_put_failure:
10206 	err = -ENOBUFS;
10207  free_msg:
10208 	nlmsg_free(msg);
10209 	return err;
10210 }
10211 
10212 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10213 					    struct genl_info *info)
10214 {
10215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10216 	struct wireless_dev *wdev = info->user_ptr[1];
10217 	u64 cookie;
10218 
10219 	if (!info->attrs[NL80211_ATTR_COOKIE])
10220 		return -EINVAL;
10221 
10222 	if (!rdev->ops->cancel_remain_on_channel)
10223 		return -EOPNOTSUPP;
10224 
10225 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10226 
10227 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10228 }
10229 
10230 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10231 				       struct genl_info *info)
10232 {
10233 	struct cfg80211_bitrate_mask mask;
10234 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10235 	struct net_device *dev = info->user_ptr[1];
10236 	int err;
10237 
10238 	if (!rdev->ops->set_bitrate_mask)
10239 		return -EOPNOTSUPP;
10240 
10241 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
10242 	if (err)
10243 		return err;
10244 
10245 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10246 }
10247 
10248 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10249 {
10250 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10251 	struct wireless_dev *wdev = info->user_ptr[1];
10252 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10253 
10254 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10255 		return -EINVAL;
10256 
10257 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10258 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10259 
10260 	switch (wdev->iftype) {
10261 	case NL80211_IFTYPE_STATION:
10262 	case NL80211_IFTYPE_ADHOC:
10263 	case NL80211_IFTYPE_P2P_CLIENT:
10264 	case NL80211_IFTYPE_AP:
10265 	case NL80211_IFTYPE_AP_VLAN:
10266 	case NL80211_IFTYPE_MESH_POINT:
10267 	case NL80211_IFTYPE_P2P_GO:
10268 	case NL80211_IFTYPE_P2P_DEVICE:
10269 		break;
10270 	case NL80211_IFTYPE_NAN:
10271 	default:
10272 		return -EOPNOTSUPP;
10273 	}
10274 
10275 	/* not much point in registering if we can't reply */
10276 	if (!rdev->ops->mgmt_tx)
10277 		return -EOPNOTSUPP;
10278 
10279 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10280 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10281 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
10282 }
10283 
10284 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10285 {
10286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10287 	struct wireless_dev *wdev = info->user_ptr[1];
10288 	struct cfg80211_chan_def chandef;
10289 	int err;
10290 	void *hdr = NULL;
10291 	u64 cookie;
10292 	struct sk_buff *msg = NULL;
10293 	struct cfg80211_mgmt_tx_params params = {
10294 		.dont_wait_for_ack =
10295 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10296 	};
10297 
10298 	if (!info->attrs[NL80211_ATTR_FRAME])
10299 		return -EINVAL;
10300 
10301 	if (!rdev->ops->mgmt_tx)
10302 		return -EOPNOTSUPP;
10303 
10304 	switch (wdev->iftype) {
10305 	case NL80211_IFTYPE_P2P_DEVICE:
10306 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10307 			return -EINVAL;
10308 	case NL80211_IFTYPE_STATION:
10309 	case NL80211_IFTYPE_ADHOC:
10310 	case NL80211_IFTYPE_P2P_CLIENT:
10311 	case NL80211_IFTYPE_AP:
10312 	case NL80211_IFTYPE_AP_VLAN:
10313 	case NL80211_IFTYPE_MESH_POINT:
10314 	case NL80211_IFTYPE_P2P_GO:
10315 		break;
10316 	case NL80211_IFTYPE_NAN:
10317 	default:
10318 		return -EOPNOTSUPP;
10319 	}
10320 
10321 	if (info->attrs[NL80211_ATTR_DURATION]) {
10322 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10323 			return -EINVAL;
10324 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10325 
10326 		/*
10327 		 * We should wait on the channel for at least a minimum amount
10328 		 * of time (10ms) but no longer than the driver supports.
10329 		 */
10330 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10331 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
10332 			return -EINVAL;
10333 	}
10334 
10335 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10336 
10337 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10338 		return -EINVAL;
10339 
10340 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10341 
10342 	/* get the channel if any has been specified, otherwise pass NULL to
10343 	 * the driver. The latter will use the current one
10344 	 */
10345 	chandef.chan = NULL;
10346 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10347 		err = nl80211_parse_chandef(rdev, info, &chandef);
10348 		if (err)
10349 			return err;
10350 	}
10351 
10352 	if (!chandef.chan && params.offchan)
10353 		return -EINVAL;
10354 
10355 	wdev_lock(wdev);
10356 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10357 		wdev_unlock(wdev);
10358 		return -EBUSY;
10359 	}
10360 	wdev_unlock(wdev);
10361 
10362 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10363 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10364 
10365 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10366 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10367 		int i;
10368 
10369 		if (len % sizeof(u16))
10370 			return -EINVAL;
10371 
10372 		params.n_csa_offsets = len / sizeof(u16);
10373 		params.csa_offsets =
10374 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10375 
10376 		/* check that all the offsets fit the frame */
10377 		for (i = 0; i < params.n_csa_offsets; i++) {
10378 			if (params.csa_offsets[i] >= params.len)
10379 				return -EINVAL;
10380 		}
10381 	}
10382 
10383 	if (!params.dont_wait_for_ack) {
10384 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10385 		if (!msg)
10386 			return -ENOMEM;
10387 
10388 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10389 				     NL80211_CMD_FRAME);
10390 		if (!hdr) {
10391 			err = -ENOBUFS;
10392 			goto free_msg;
10393 		}
10394 	}
10395 
10396 	params.chan = chandef.chan;
10397 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10398 	if (err)
10399 		goto free_msg;
10400 
10401 	if (msg) {
10402 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10403 				      NL80211_ATTR_PAD))
10404 			goto nla_put_failure;
10405 
10406 		genlmsg_end(msg, hdr);
10407 		return genlmsg_reply(msg, info);
10408 	}
10409 
10410 	return 0;
10411 
10412  nla_put_failure:
10413 	err = -ENOBUFS;
10414  free_msg:
10415 	nlmsg_free(msg);
10416 	return err;
10417 }
10418 
10419 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10420 {
10421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10422 	struct wireless_dev *wdev = info->user_ptr[1];
10423 	u64 cookie;
10424 
10425 	if (!info->attrs[NL80211_ATTR_COOKIE])
10426 		return -EINVAL;
10427 
10428 	if (!rdev->ops->mgmt_tx_cancel_wait)
10429 		return -EOPNOTSUPP;
10430 
10431 	switch (wdev->iftype) {
10432 	case NL80211_IFTYPE_STATION:
10433 	case NL80211_IFTYPE_ADHOC:
10434 	case NL80211_IFTYPE_P2P_CLIENT:
10435 	case NL80211_IFTYPE_AP:
10436 	case NL80211_IFTYPE_AP_VLAN:
10437 	case NL80211_IFTYPE_P2P_GO:
10438 	case NL80211_IFTYPE_P2P_DEVICE:
10439 		break;
10440 	case NL80211_IFTYPE_NAN:
10441 	default:
10442 		return -EOPNOTSUPP;
10443 	}
10444 
10445 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10446 
10447 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10448 }
10449 
10450 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10451 {
10452 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10453 	struct wireless_dev *wdev;
10454 	struct net_device *dev = info->user_ptr[1];
10455 	u8 ps_state;
10456 	bool state;
10457 	int err;
10458 
10459 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10460 		return -EINVAL;
10461 
10462 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10463 
10464 	wdev = dev->ieee80211_ptr;
10465 
10466 	if (!rdev->ops->set_power_mgmt)
10467 		return -EOPNOTSUPP;
10468 
10469 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10470 
10471 	if (state == wdev->ps)
10472 		return 0;
10473 
10474 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10475 	if (!err)
10476 		wdev->ps = state;
10477 	return err;
10478 }
10479 
10480 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10481 {
10482 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10483 	enum nl80211_ps_state ps_state;
10484 	struct wireless_dev *wdev;
10485 	struct net_device *dev = info->user_ptr[1];
10486 	struct sk_buff *msg;
10487 	void *hdr;
10488 	int err;
10489 
10490 	wdev = dev->ieee80211_ptr;
10491 
10492 	if (!rdev->ops->set_power_mgmt)
10493 		return -EOPNOTSUPP;
10494 
10495 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10496 	if (!msg)
10497 		return -ENOMEM;
10498 
10499 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10500 			     NL80211_CMD_GET_POWER_SAVE);
10501 	if (!hdr) {
10502 		err = -ENOBUFS;
10503 		goto free_msg;
10504 	}
10505 
10506 	if (wdev->ps)
10507 		ps_state = NL80211_PS_ENABLED;
10508 	else
10509 		ps_state = NL80211_PS_DISABLED;
10510 
10511 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
10512 		goto nla_put_failure;
10513 
10514 	genlmsg_end(msg, hdr);
10515 	return genlmsg_reply(msg, info);
10516 
10517  nla_put_failure:
10518 	err = -ENOBUFS;
10519  free_msg:
10520 	nlmsg_free(msg);
10521 	return err;
10522 }
10523 
10524 static const struct nla_policy
10525 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
10526 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
10527 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
10528 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
10529 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
10530 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
10531 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
10532 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
10533 };
10534 
10535 static int nl80211_set_cqm_txe(struct genl_info *info,
10536 			       u32 rate, u32 pkts, u32 intvl)
10537 {
10538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10539 	struct net_device *dev = info->user_ptr[1];
10540 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10541 
10542 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
10543 		return -EINVAL;
10544 
10545 	if (!rdev->ops->set_cqm_txe_config)
10546 		return -EOPNOTSUPP;
10547 
10548 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10549 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10550 		return -EOPNOTSUPP;
10551 
10552 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
10553 }
10554 
10555 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
10556 				    struct net_device *dev)
10557 {
10558 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10559 	s32 last, low, high;
10560 	u32 hyst;
10561 	int i, n, low_index;
10562 	int err;
10563 
10564 	/* RSSI reporting disabled? */
10565 	if (!wdev->cqm_config)
10566 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
10567 
10568 	/*
10569 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
10570 	 * event has been received yet, we should receive an event after a
10571 	 * connection is established and enough beacons received to calculate
10572 	 * the average.
10573 	 */
10574 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
10575 	    rdev->ops->get_station) {
10576 		struct station_info sinfo = {};
10577 		u8 *mac_addr;
10578 
10579 		mac_addr = wdev->current_bss->pub.bssid;
10580 
10581 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
10582 		if (err)
10583 			return err;
10584 
10585 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
10586 			wdev->cqm_config->last_rssi_event_value =
10587 				(s8) sinfo.rx_beacon_signal_avg;
10588 	}
10589 
10590 	last = wdev->cqm_config->last_rssi_event_value;
10591 	hyst = wdev->cqm_config->rssi_hyst;
10592 	n = wdev->cqm_config->n_rssi_thresholds;
10593 
10594 	for (i = 0; i < n; i++)
10595 		if (last < wdev->cqm_config->rssi_thresholds[i])
10596 			break;
10597 
10598 	low_index = i - 1;
10599 	if (low_index >= 0) {
10600 		low_index = array_index_nospec(low_index, n);
10601 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
10602 	} else {
10603 		low = S32_MIN;
10604 	}
10605 	if (i < n) {
10606 		i = array_index_nospec(i, n);
10607 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
10608 	} else {
10609 		high = S32_MAX;
10610 	}
10611 
10612 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
10613 }
10614 
10615 static int nl80211_set_cqm_rssi(struct genl_info *info,
10616 				const s32 *thresholds, int n_thresholds,
10617 				u32 hysteresis)
10618 {
10619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10620 	struct net_device *dev = info->user_ptr[1];
10621 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10622 	int i, err;
10623 	s32 prev = S32_MIN;
10624 
10625 	/* Check all values negative and sorted */
10626 	for (i = 0; i < n_thresholds; i++) {
10627 		if (thresholds[i] > 0 || thresholds[i] <= prev)
10628 			return -EINVAL;
10629 
10630 		prev = thresholds[i];
10631 	}
10632 
10633 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10634 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10635 		return -EOPNOTSUPP;
10636 
10637 	wdev_lock(wdev);
10638 	cfg80211_cqm_config_free(wdev);
10639 	wdev_unlock(wdev);
10640 
10641 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
10642 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
10643 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
10644 
10645 		return rdev_set_cqm_rssi_config(rdev, dev,
10646 						thresholds[0], hysteresis);
10647 	}
10648 
10649 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
10650 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
10651 		return -EOPNOTSUPP;
10652 
10653 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
10654 		n_thresholds = 0;
10655 
10656 	wdev_lock(wdev);
10657 	if (n_thresholds) {
10658 		struct cfg80211_cqm_config *cqm_config;
10659 
10660 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
10661 				     n_thresholds * sizeof(s32), GFP_KERNEL);
10662 		if (!cqm_config) {
10663 			err = -ENOMEM;
10664 			goto unlock;
10665 		}
10666 
10667 		cqm_config->rssi_hyst = hysteresis;
10668 		cqm_config->n_rssi_thresholds = n_thresholds;
10669 		memcpy(cqm_config->rssi_thresholds, thresholds,
10670 		       n_thresholds * sizeof(s32));
10671 
10672 		wdev->cqm_config = cqm_config;
10673 	}
10674 
10675 	err = cfg80211_cqm_rssi_update(rdev, dev);
10676 
10677 unlock:
10678 	wdev_unlock(wdev);
10679 
10680 	return err;
10681 }
10682 
10683 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
10684 {
10685 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
10686 	struct nlattr *cqm;
10687 	int err;
10688 
10689 	cqm = info->attrs[NL80211_ATTR_CQM];
10690 	if (!cqm)
10691 		return -EINVAL;
10692 
10693 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
10694 					  nl80211_attr_cqm_policy,
10695 					  info->extack);
10696 	if (err)
10697 		return err;
10698 
10699 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
10700 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
10701 		const s32 *thresholds =
10702 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10703 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10704 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
10705 
10706 		if (len % 4)
10707 			return -EINVAL;
10708 
10709 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
10710 					    hysteresis);
10711 	}
10712 
10713 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
10714 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
10715 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
10716 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
10717 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
10718 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
10719 
10720 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
10721 	}
10722 
10723 	return -EINVAL;
10724 }
10725 
10726 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
10727 {
10728 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10729 	struct net_device *dev = info->user_ptr[1];
10730 	struct ocb_setup setup = {};
10731 	int err;
10732 
10733 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10734 	if (err)
10735 		return err;
10736 
10737 	return cfg80211_join_ocb(rdev, dev, &setup);
10738 }
10739 
10740 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
10741 {
10742 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10743 	struct net_device *dev = info->user_ptr[1];
10744 
10745 	return cfg80211_leave_ocb(rdev, dev);
10746 }
10747 
10748 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
10749 {
10750 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10751 	struct net_device *dev = info->user_ptr[1];
10752 	struct mesh_config cfg;
10753 	struct mesh_setup setup;
10754 	int err;
10755 
10756 	/* start with default */
10757 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
10758 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
10759 
10760 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
10761 		/* and parse parameters if given */
10762 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
10763 		if (err)
10764 			return err;
10765 	}
10766 
10767 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
10768 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
10769 		return -EINVAL;
10770 
10771 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
10772 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
10773 
10774 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10775 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
10776 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10777 			return -EINVAL;
10778 
10779 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
10780 		setup.beacon_interval =
10781 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10782 
10783 		err = cfg80211_validate_beacon_int(rdev,
10784 						   NL80211_IFTYPE_MESH_POINT,
10785 						   setup.beacon_interval);
10786 		if (err)
10787 			return err;
10788 	}
10789 
10790 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
10791 		setup.dtim_period =
10792 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
10793 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
10794 			return -EINVAL;
10795 	}
10796 
10797 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
10798 		/* parse additional setup parameters if given */
10799 		err = nl80211_parse_mesh_setup(info, &setup);
10800 		if (err)
10801 			return err;
10802 	}
10803 
10804 	if (setup.user_mpm)
10805 		cfg.auto_open_plinks = false;
10806 
10807 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10808 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10809 		if (err)
10810 			return err;
10811 	} else {
10812 		/* __cfg80211_join_mesh() will sort it out */
10813 		setup.chandef.chan = NULL;
10814 	}
10815 
10816 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10817 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10818 		int n_rates =
10819 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10820 		struct ieee80211_supported_band *sband;
10821 
10822 		if (!setup.chandef.chan)
10823 			return -EINVAL;
10824 
10825 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
10826 
10827 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10828 					     &setup.basic_rates);
10829 		if (err)
10830 			return err;
10831 	}
10832 
10833 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
10834 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
10835 		if (err)
10836 			return err;
10837 
10838 		if (!setup.chandef.chan)
10839 			return -EINVAL;
10840 
10841 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
10842 					      &setup.beacon_rate);
10843 		if (err)
10844 			return err;
10845 	}
10846 
10847 	setup.userspace_handles_dfs =
10848 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10849 
10850 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10851 		int r = validate_pae_over_nl80211(rdev, info);
10852 
10853 		if (r < 0)
10854 			return r;
10855 
10856 		setup.control_port_over_nl80211 = true;
10857 	}
10858 
10859 	wdev_lock(dev->ieee80211_ptr);
10860 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
10861 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
10862 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10863 	wdev_unlock(dev->ieee80211_ptr);
10864 
10865 	return err;
10866 }
10867 
10868 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
10869 {
10870 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10871 	struct net_device *dev = info->user_ptr[1];
10872 
10873 	return cfg80211_leave_mesh(rdev, dev);
10874 }
10875 
10876 #ifdef CONFIG_PM
10877 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
10878 					struct cfg80211_registered_device *rdev)
10879 {
10880 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
10881 	struct nlattr *nl_pats, *nl_pat;
10882 	int i, pat_len;
10883 
10884 	if (!wowlan->n_patterns)
10885 		return 0;
10886 
10887 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
10888 	if (!nl_pats)
10889 		return -ENOBUFS;
10890 
10891 	for (i = 0; i < wowlan->n_patterns; i++) {
10892 		nl_pat = nla_nest_start_noflag(msg, i + 1);
10893 		if (!nl_pat)
10894 			return -ENOBUFS;
10895 		pat_len = wowlan->patterns[i].pattern_len;
10896 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
10897 			    wowlan->patterns[i].mask) ||
10898 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
10899 			    wowlan->patterns[i].pattern) ||
10900 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
10901 				wowlan->patterns[i].pkt_offset))
10902 			return -ENOBUFS;
10903 		nla_nest_end(msg, nl_pat);
10904 	}
10905 	nla_nest_end(msg, nl_pats);
10906 
10907 	return 0;
10908 }
10909 
10910 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
10911 				   struct cfg80211_wowlan_tcp *tcp)
10912 {
10913 	struct nlattr *nl_tcp;
10914 
10915 	if (!tcp)
10916 		return 0;
10917 
10918 	nl_tcp = nla_nest_start_noflag(msg,
10919 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
10920 	if (!nl_tcp)
10921 		return -ENOBUFS;
10922 
10923 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
10924 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
10925 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
10926 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
10927 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
10928 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
10929 		    tcp->payload_len, tcp->payload) ||
10930 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
10931 			tcp->data_interval) ||
10932 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
10933 		    tcp->wake_len, tcp->wake_data) ||
10934 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
10935 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
10936 		return -ENOBUFS;
10937 
10938 	if (tcp->payload_seq.len &&
10939 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
10940 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
10941 		return -ENOBUFS;
10942 
10943 	if (tcp->payload_tok.len &&
10944 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
10945 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
10946 		    &tcp->payload_tok))
10947 		return -ENOBUFS;
10948 
10949 	nla_nest_end(msg, nl_tcp);
10950 
10951 	return 0;
10952 }
10953 
10954 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
10955 				  struct cfg80211_sched_scan_request *req)
10956 {
10957 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
10958 	int i;
10959 
10960 	if (!req)
10961 		return 0;
10962 
10963 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
10964 	if (!nd)
10965 		return -ENOBUFS;
10966 
10967 	if (req->n_scan_plans == 1 &&
10968 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
10969 			req->scan_plans[0].interval * 1000))
10970 		return -ENOBUFS;
10971 
10972 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
10973 		return -ENOBUFS;
10974 
10975 	if (req->relative_rssi_set) {
10976 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
10977 
10978 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
10979 			       req->relative_rssi))
10980 			return -ENOBUFS;
10981 
10982 		rssi_adjust.band = req->rssi_adjust.band;
10983 		rssi_adjust.delta = req->rssi_adjust.delta;
10984 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
10985 			    sizeof(rssi_adjust), &rssi_adjust))
10986 			return -ENOBUFS;
10987 	}
10988 
10989 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10990 	if (!freqs)
10991 		return -ENOBUFS;
10992 
10993 	for (i = 0; i < req->n_channels; i++) {
10994 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10995 			return -ENOBUFS;
10996 	}
10997 
10998 	nla_nest_end(msg, freqs);
10999 
11000 	if (req->n_match_sets) {
11001 		matches = nla_nest_start_noflag(msg,
11002 						NL80211_ATTR_SCHED_SCAN_MATCH);
11003 		if (!matches)
11004 			return -ENOBUFS;
11005 
11006 		for (i = 0; i < req->n_match_sets; i++) {
11007 			match = nla_nest_start_noflag(msg, i);
11008 			if (!match)
11009 				return -ENOBUFS;
11010 
11011 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11012 				    req->match_sets[i].ssid.ssid_len,
11013 				    req->match_sets[i].ssid.ssid))
11014 				return -ENOBUFS;
11015 			nla_nest_end(msg, match);
11016 		}
11017 		nla_nest_end(msg, matches);
11018 	}
11019 
11020 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11021 	if (!scan_plans)
11022 		return -ENOBUFS;
11023 
11024 	for (i = 0; i < req->n_scan_plans; i++) {
11025 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11026 		if (!scan_plan)
11027 			return -ENOBUFS;
11028 
11029 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11030 				req->scan_plans[i].interval) ||
11031 		    (req->scan_plans[i].iterations &&
11032 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11033 				 req->scan_plans[i].iterations)))
11034 			return -ENOBUFS;
11035 		nla_nest_end(msg, scan_plan);
11036 	}
11037 	nla_nest_end(msg, scan_plans);
11038 
11039 	nla_nest_end(msg, nd);
11040 
11041 	return 0;
11042 }
11043 
11044 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11045 {
11046 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11047 	struct sk_buff *msg;
11048 	void *hdr;
11049 	u32 size = NLMSG_DEFAULT_SIZE;
11050 
11051 	if (!rdev->wiphy.wowlan)
11052 		return -EOPNOTSUPP;
11053 
11054 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11055 		/* adjust size to have room for all the data */
11056 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11057 			rdev->wiphy.wowlan_config->tcp->payload_len +
11058 			rdev->wiphy.wowlan_config->tcp->wake_len +
11059 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11060 	}
11061 
11062 	msg = nlmsg_new(size, GFP_KERNEL);
11063 	if (!msg)
11064 		return -ENOMEM;
11065 
11066 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11067 			     NL80211_CMD_GET_WOWLAN);
11068 	if (!hdr)
11069 		goto nla_put_failure;
11070 
11071 	if (rdev->wiphy.wowlan_config) {
11072 		struct nlattr *nl_wowlan;
11073 
11074 		nl_wowlan = nla_nest_start_noflag(msg,
11075 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11076 		if (!nl_wowlan)
11077 			goto nla_put_failure;
11078 
11079 		if ((rdev->wiphy.wowlan_config->any &&
11080 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11081 		    (rdev->wiphy.wowlan_config->disconnect &&
11082 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11083 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11084 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11085 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11086 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11087 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11088 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11089 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11090 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11091 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11092 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11093 			goto nla_put_failure;
11094 
11095 		if (nl80211_send_wowlan_patterns(msg, rdev))
11096 			goto nla_put_failure;
11097 
11098 		if (nl80211_send_wowlan_tcp(msg,
11099 					    rdev->wiphy.wowlan_config->tcp))
11100 			goto nla_put_failure;
11101 
11102 		if (nl80211_send_wowlan_nd(
11103 			    msg,
11104 			    rdev->wiphy.wowlan_config->nd_config))
11105 			goto nla_put_failure;
11106 
11107 		nla_nest_end(msg, nl_wowlan);
11108 	}
11109 
11110 	genlmsg_end(msg, hdr);
11111 	return genlmsg_reply(msg, info);
11112 
11113 nla_put_failure:
11114 	nlmsg_free(msg);
11115 	return -ENOBUFS;
11116 }
11117 
11118 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11119 				    struct nlattr *attr,
11120 				    struct cfg80211_wowlan *trig)
11121 {
11122 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11123 	struct cfg80211_wowlan_tcp *cfg;
11124 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11125 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11126 	u32 size;
11127 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11128 	int err, port;
11129 
11130 	if (!rdev->wiphy.wowlan->tcp)
11131 		return -EINVAL;
11132 
11133 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11134 					  nl80211_wowlan_tcp_policy, NULL);
11135 	if (err)
11136 		return err;
11137 
11138 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
11139 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
11140 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
11141 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
11142 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
11143 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
11144 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
11145 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
11146 		return -EINVAL;
11147 
11148 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
11149 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
11150 		return -EINVAL;
11151 
11152 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
11153 			rdev->wiphy.wowlan->tcp->data_interval_max ||
11154 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
11155 		return -EINVAL;
11156 
11157 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
11158 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
11159 		return -EINVAL;
11160 
11161 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
11162 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
11163 		return -EINVAL;
11164 
11165 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
11166 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11167 
11168 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11169 		tokens_size = tokln - sizeof(*tok);
11170 
11171 		if (!tok->len || tokens_size % tok->len)
11172 			return -EINVAL;
11173 		if (!rdev->wiphy.wowlan->tcp->tok)
11174 			return -EINVAL;
11175 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
11176 			return -EINVAL;
11177 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
11178 			return -EINVAL;
11179 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
11180 			return -EINVAL;
11181 		if (tok->offset + tok->len > data_size)
11182 			return -EINVAL;
11183 	}
11184 
11185 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11186 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11187 		if (!rdev->wiphy.wowlan->tcp->seq)
11188 			return -EINVAL;
11189 		if (seq->len == 0 || seq->len > 4)
11190 			return -EINVAL;
11191 		if (seq->len + seq->offset > data_size)
11192 			return -EINVAL;
11193 	}
11194 
11195 	size = sizeof(*cfg);
11196 	size += data_size;
11197 	size += wake_size + wake_mask_size;
11198 	size += tokens_size;
11199 
11200 	cfg = kzalloc(size, GFP_KERNEL);
11201 	if (!cfg)
11202 		return -ENOMEM;
11203 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11204 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11205 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11206 	       ETH_ALEN);
11207 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11208 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11209 	else
11210 		port = 0;
11211 #ifdef CONFIG_INET
11212 	/* allocate a socket and port for it and use it */
11213 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11214 			    IPPROTO_TCP, &cfg->sock, 1);
11215 	if (err) {
11216 		kfree(cfg);
11217 		return err;
11218 	}
11219 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11220 		sock_release(cfg->sock);
11221 		kfree(cfg);
11222 		return -EADDRINUSE;
11223 	}
11224 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11225 #else
11226 	if (!port) {
11227 		kfree(cfg);
11228 		return -EINVAL;
11229 	}
11230 	cfg->src_port = port;
11231 #endif
11232 
11233 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11234 	cfg->payload_len = data_size;
11235 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11236 	memcpy((void *)cfg->payload,
11237 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11238 	       data_size);
11239 	if (seq)
11240 		cfg->payload_seq = *seq;
11241 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11242 	cfg->wake_len = wake_size;
11243 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11244 	memcpy((void *)cfg->wake_data,
11245 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11246 	       wake_size);
11247 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11248 			 data_size + wake_size;
11249 	memcpy((void *)cfg->wake_mask,
11250 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11251 	       wake_mask_size);
11252 	if (tok) {
11253 		cfg->tokens_size = tokens_size;
11254 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11255 	}
11256 
11257 	trig->tcp = cfg;
11258 
11259 	return 0;
11260 }
11261 
11262 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11263 				   const struct wiphy_wowlan_support *wowlan,
11264 				   struct nlattr *attr,
11265 				   struct cfg80211_wowlan *trig)
11266 {
11267 	struct nlattr **tb;
11268 	int err;
11269 
11270 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11271 	if (!tb)
11272 		return -ENOMEM;
11273 
11274 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11275 		err = -EOPNOTSUPP;
11276 		goto out;
11277 	}
11278 
11279 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
11280 					  nl80211_policy, NULL);
11281 	if (err)
11282 		goto out;
11283 
11284 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11285 						   wowlan->max_nd_match_sets);
11286 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11287 	if (err)
11288 		trig->nd_config = NULL;
11289 
11290 out:
11291 	kfree(tb);
11292 	return err;
11293 }
11294 
11295 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11296 {
11297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11298 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11299 	struct cfg80211_wowlan new_triggers = {};
11300 	struct cfg80211_wowlan *ntrig;
11301 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11302 	int err, i;
11303 	bool prev_enabled = rdev->wiphy.wowlan_config;
11304 	bool regular = false;
11305 
11306 	if (!wowlan)
11307 		return -EOPNOTSUPP;
11308 
11309 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11310 		cfg80211_rdev_free_wowlan(rdev);
11311 		rdev->wiphy.wowlan_config = NULL;
11312 		goto set_wakeup;
11313 	}
11314 
11315 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
11316 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11317 					  nl80211_wowlan_policy, info->extack);
11318 	if (err)
11319 		return err;
11320 
11321 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11322 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11323 			return -EINVAL;
11324 		new_triggers.any = true;
11325 	}
11326 
11327 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11328 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11329 			return -EINVAL;
11330 		new_triggers.disconnect = true;
11331 		regular = true;
11332 	}
11333 
11334 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11335 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11336 			return -EINVAL;
11337 		new_triggers.magic_pkt = true;
11338 		regular = true;
11339 	}
11340 
11341 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11342 		return -EINVAL;
11343 
11344 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11345 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11346 			return -EINVAL;
11347 		new_triggers.gtk_rekey_failure = true;
11348 		regular = true;
11349 	}
11350 
11351 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11352 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11353 			return -EINVAL;
11354 		new_triggers.eap_identity_req = true;
11355 		regular = true;
11356 	}
11357 
11358 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11359 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11360 			return -EINVAL;
11361 		new_triggers.four_way_handshake = true;
11362 		regular = true;
11363 	}
11364 
11365 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11366 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11367 			return -EINVAL;
11368 		new_triggers.rfkill_release = true;
11369 		regular = true;
11370 	}
11371 
11372 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11373 		struct nlattr *pat;
11374 		int n_patterns = 0;
11375 		int rem, pat_len, mask_len, pkt_offset;
11376 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11377 
11378 		regular = true;
11379 
11380 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11381 				    rem)
11382 			n_patterns++;
11383 		if (n_patterns > wowlan->n_patterns)
11384 			return -EINVAL;
11385 
11386 		new_triggers.patterns = kcalloc(n_patterns,
11387 						sizeof(new_triggers.patterns[0]),
11388 						GFP_KERNEL);
11389 		if (!new_triggers.patterns)
11390 			return -ENOMEM;
11391 
11392 		new_triggers.n_patterns = n_patterns;
11393 		i = 0;
11394 
11395 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11396 				    rem) {
11397 			u8 *mask_pat;
11398 
11399 			err = nla_parse_nested_deprecated(pat_tb,
11400 							  MAX_NL80211_PKTPAT,
11401 							  pat,
11402 							  nl80211_packet_pattern_policy,
11403 							  info->extack);
11404 			if (err)
11405 				goto error;
11406 
11407 			err = -EINVAL;
11408 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
11409 			    !pat_tb[NL80211_PKTPAT_PATTERN])
11410 				goto error;
11411 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11412 			mask_len = DIV_ROUND_UP(pat_len, 8);
11413 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11414 				goto error;
11415 			if (pat_len > wowlan->pattern_max_len ||
11416 			    pat_len < wowlan->pattern_min_len)
11417 				goto error;
11418 
11419 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
11420 				pkt_offset = 0;
11421 			else
11422 				pkt_offset = nla_get_u32(
11423 					pat_tb[NL80211_PKTPAT_OFFSET]);
11424 			if (pkt_offset > wowlan->max_pkt_offset)
11425 				goto error;
11426 			new_triggers.patterns[i].pkt_offset = pkt_offset;
11427 
11428 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11429 			if (!mask_pat) {
11430 				err = -ENOMEM;
11431 				goto error;
11432 			}
11433 			new_triggers.patterns[i].mask = mask_pat;
11434 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11435 			       mask_len);
11436 			mask_pat += mask_len;
11437 			new_triggers.patterns[i].pattern = mask_pat;
11438 			new_triggers.patterns[i].pattern_len = pat_len;
11439 			memcpy(mask_pat,
11440 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11441 			       pat_len);
11442 			i++;
11443 		}
11444 	}
11445 
11446 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11447 		regular = true;
11448 		err = nl80211_parse_wowlan_tcp(
11449 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11450 			&new_triggers);
11451 		if (err)
11452 			goto error;
11453 	}
11454 
11455 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11456 		regular = true;
11457 		err = nl80211_parse_wowlan_nd(
11458 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11459 			&new_triggers);
11460 		if (err)
11461 			goto error;
11462 	}
11463 
11464 	/* The 'any' trigger means the device continues operating more or less
11465 	 * as in its normal operation mode and wakes up the host on most of the
11466 	 * normal interrupts (like packet RX, ...)
11467 	 * It therefore makes little sense to combine with the more constrained
11468 	 * wakeup trigger modes.
11469 	 */
11470 	if (new_triggers.any && regular) {
11471 		err = -EINVAL;
11472 		goto error;
11473 	}
11474 
11475 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11476 	if (!ntrig) {
11477 		err = -ENOMEM;
11478 		goto error;
11479 	}
11480 	cfg80211_rdev_free_wowlan(rdev);
11481 	rdev->wiphy.wowlan_config = ntrig;
11482 
11483  set_wakeup:
11484 	if (rdev->ops->set_wakeup &&
11485 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11486 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11487 
11488 	return 0;
11489  error:
11490 	for (i = 0; i < new_triggers.n_patterns; i++)
11491 		kfree(new_triggers.patterns[i].mask);
11492 	kfree(new_triggers.patterns);
11493 	if (new_triggers.tcp && new_triggers.tcp->sock)
11494 		sock_release(new_triggers.tcp->sock);
11495 	kfree(new_triggers.tcp);
11496 	kfree(new_triggers.nd_config);
11497 	return err;
11498 }
11499 #endif
11500 
11501 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
11502 				       struct cfg80211_registered_device *rdev)
11503 {
11504 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
11505 	int i, j, pat_len;
11506 	struct cfg80211_coalesce_rules *rule;
11507 
11508 	if (!rdev->coalesce->n_rules)
11509 		return 0;
11510 
11511 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
11512 	if (!nl_rules)
11513 		return -ENOBUFS;
11514 
11515 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
11516 		nl_rule = nla_nest_start_noflag(msg, i + 1);
11517 		if (!nl_rule)
11518 			return -ENOBUFS;
11519 
11520 		rule = &rdev->coalesce->rules[i];
11521 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
11522 				rule->delay))
11523 			return -ENOBUFS;
11524 
11525 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
11526 				rule->condition))
11527 			return -ENOBUFS;
11528 
11529 		nl_pats = nla_nest_start_noflag(msg,
11530 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
11531 		if (!nl_pats)
11532 			return -ENOBUFS;
11533 
11534 		for (j = 0; j < rule->n_patterns; j++) {
11535 			nl_pat = nla_nest_start_noflag(msg, j + 1);
11536 			if (!nl_pat)
11537 				return -ENOBUFS;
11538 			pat_len = rule->patterns[j].pattern_len;
11539 			if (nla_put(msg, NL80211_PKTPAT_MASK,
11540 				    DIV_ROUND_UP(pat_len, 8),
11541 				    rule->patterns[j].mask) ||
11542 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11543 				    rule->patterns[j].pattern) ||
11544 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11545 					rule->patterns[j].pkt_offset))
11546 				return -ENOBUFS;
11547 			nla_nest_end(msg, nl_pat);
11548 		}
11549 		nla_nest_end(msg, nl_pats);
11550 		nla_nest_end(msg, nl_rule);
11551 	}
11552 	nla_nest_end(msg, nl_rules);
11553 
11554 	return 0;
11555 }
11556 
11557 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
11558 {
11559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11560 	struct sk_buff *msg;
11561 	void *hdr;
11562 
11563 	if (!rdev->wiphy.coalesce)
11564 		return -EOPNOTSUPP;
11565 
11566 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11567 	if (!msg)
11568 		return -ENOMEM;
11569 
11570 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11571 			     NL80211_CMD_GET_COALESCE);
11572 	if (!hdr)
11573 		goto nla_put_failure;
11574 
11575 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
11576 		goto nla_put_failure;
11577 
11578 	genlmsg_end(msg, hdr);
11579 	return genlmsg_reply(msg, info);
11580 
11581 nla_put_failure:
11582 	nlmsg_free(msg);
11583 	return -ENOBUFS;
11584 }
11585 
11586 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
11587 {
11588 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
11589 	int i, j;
11590 	struct cfg80211_coalesce_rules *rule;
11591 
11592 	if (!coalesce)
11593 		return;
11594 
11595 	for (i = 0; i < coalesce->n_rules; i++) {
11596 		rule = &coalesce->rules[i];
11597 		for (j = 0; j < rule->n_patterns; j++)
11598 			kfree(rule->patterns[j].mask);
11599 		kfree(rule->patterns);
11600 	}
11601 	kfree(coalesce->rules);
11602 	kfree(coalesce);
11603 	rdev->coalesce = NULL;
11604 }
11605 
11606 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
11607 				       struct nlattr *rule,
11608 				       struct cfg80211_coalesce_rules *new_rule)
11609 {
11610 	int err, i;
11611 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11612 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
11613 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
11614 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11615 
11616 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
11617 					  rule, nl80211_coalesce_policy, NULL);
11618 	if (err)
11619 		return err;
11620 
11621 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
11622 		new_rule->delay =
11623 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
11624 	if (new_rule->delay > coalesce->max_delay)
11625 		return -EINVAL;
11626 
11627 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
11628 		new_rule->condition =
11629 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
11630 
11631 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
11632 		return -EINVAL;
11633 
11634 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11635 			    rem)
11636 		n_patterns++;
11637 	if (n_patterns > coalesce->n_patterns)
11638 		return -EINVAL;
11639 
11640 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
11641 				     GFP_KERNEL);
11642 	if (!new_rule->patterns)
11643 		return -ENOMEM;
11644 
11645 	new_rule->n_patterns = n_patterns;
11646 	i = 0;
11647 
11648 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11649 			    rem) {
11650 		u8 *mask_pat;
11651 
11652 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
11653 						  pat,
11654 						  nl80211_packet_pattern_policy,
11655 						  NULL);
11656 		if (err)
11657 			return err;
11658 
11659 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
11660 		    !pat_tb[NL80211_PKTPAT_PATTERN])
11661 			return -EINVAL;
11662 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11663 		mask_len = DIV_ROUND_UP(pat_len, 8);
11664 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11665 			return -EINVAL;
11666 		if (pat_len > coalesce->pattern_max_len ||
11667 		    pat_len < coalesce->pattern_min_len)
11668 			return -EINVAL;
11669 
11670 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
11671 			pkt_offset = 0;
11672 		else
11673 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
11674 		if (pkt_offset > coalesce->max_pkt_offset)
11675 			return -EINVAL;
11676 		new_rule->patterns[i].pkt_offset = pkt_offset;
11677 
11678 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11679 		if (!mask_pat)
11680 			return -ENOMEM;
11681 
11682 		new_rule->patterns[i].mask = mask_pat;
11683 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11684 		       mask_len);
11685 
11686 		mask_pat += mask_len;
11687 		new_rule->patterns[i].pattern = mask_pat;
11688 		new_rule->patterns[i].pattern_len = pat_len;
11689 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11690 		       pat_len);
11691 		i++;
11692 	}
11693 
11694 	return 0;
11695 }
11696 
11697 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
11698 {
11699 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11700 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11701 	struct cfg80211_coalesce new_coalesce = {};
11702 	struct cfg80211_coalesce *n_coalesce;
11703 	int err, rem_rule, n_rules = 0, i, j;
11704 	struct nlattr *rule;
11705 	struct cfg80211_coalesce_rules *tmp_rule;
11706 
11707 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
11708 		return -EOPNOTSUPP;
11709 
11710 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
11711 		cfg80211_rdev_free_coalesce(rdev);
11712 		rdev_set_coalesce(rdev, NULL);
11713 		return 0;
11714 	}
11715 
11716 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11717 			    rem_rule)
11718 		n_rules++;
11719 	if (n_rules > coalesce->n_rules)
11720 		return -EINVAL;
11721 
11722 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
11723 				     GFP_KERNEL);
11724 	if (!new_coalesce.rules)
11725 		return -ENOMEM;
11726 
11727 	new_coalesce.n_rules = n_rules;
11728 	i = 0;
11729 
11730 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11731 			    rem_rule) {
11732 		err = nl80211_parse_coalesce_rule(rdev, rule,
11733 						  &new_coalesce.rules[i]);
11734 		if (err)
11735 			goto error;
11736 
11737 		i++;
11738 	}
11739 
11740 	err = rdev_set_coalesce(rdev, &new_coalesce);
11741 	if (err)
11742 		goto error;
11743 
11744 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
11745 	if (!n_coalesce) {
11746 		err = -ENOMEM;
11747 		goto error;
11748 	}
11749 	cfg80211_rdev_free_coalesce(rdev);
11750 	rdev->coalesce = n_coalesce;
11751 
11752 	return 0;
11753 error:
11754 	for (i = 0; i < new_coalesce.n_rules; i++) {
11755 		tmp_rule = &new_coalesce.rules[i];
11756 		for (j = 0; j < tmp_rule->n_patterns; j++)
11757 			kfree(tmp_rule->patterns[j].mask);
11758 		kfree(tmp_rule->patterns);
11759 	}
11760 	kfree(new_coalesce.rules);
11761 
11762 	return err;
11763 }
11764 
11765 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
11766 {
11767 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11768 	struct net_device *dev = info->user_ptr[1];
11769 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11770 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
11771 	struct cfg80211_gtk_rekey_data rekey_data;
11772 	int err;
11773 
11774 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
11775 		return -EINVAL;
11776 
11777 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
11778 					  info->attrs[NL80211_ATTR_REKEY_DATA],
11779 					  nl80211_rekey_policy, info->extack);
11780 	if (err)
11781 		return err;
11782 
11783 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
11784 	    !tb[NL80211_REKEY_DATA_KCK])
11785 		return -EINVAL;
11786 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
11787 		return -ERANGE;
11788 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
11789 		return -ERANGE;
11790 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
11791 		return -ERANGE;
11792 
11793 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
11794 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
11795 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
11796 
11797 	wdev_lock(wdev);
11798 	if (!wdev->current_bss) {
11799 		err = -ENOTCONN;
11800 		goto out;
11801 	}
11802 
11803 	if (!rdev->ops->set_rekey_data) {
11804 		err = -EOPNOTSUPP;
11805 		goto out;
11806 	}
11807 
11808 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
11809  out:
11810 	wdev_unlock(wdev);
11811 	return err;
11812 }
11813 
11814 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
11815 					     struct genl_info *info)
11816 {
11817 	struct net_device *dev = info->user_ptr[1];
11818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11819 
11820 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11821 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11822 		return -EINVAL;
11823 
11824 	if (wdev->ap_unexpected_nlportid)
11825 		return -EBUSY;
11826 
11827 	wdev->ap_unexpected_nlportid = info->snd_portid;
11828 	return 0;
11829 }
11830 
11831 static int nl80211_probe_client(struct sk_buff *skb,
11832 				struct genl_info *info)
11833 {
11834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11835 	struct net_device *dev = info->user_ptr[1];
11836 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11837 	struct sk_buff *msg;
11838 	void *hdr;
11839 	const u8 *addr;
11840 	u64 cookie;
11841 	int err;
11842 
11843 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11844 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11845 		return -EOPNOTSUPP;
11846 
11847 	if (!info->attrs[NL80211_ATTR_MAC])
11848 		return -EINVAL;
11849 
11850 	if (!rdev->ops->probe_client)
11851 		return -EOPNOTSUPP;
11852 
11853 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11854 	if (!msg)
11855 		return -ENOMEM;
11856 
11857 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11858 			     NL80211_CMD_PROBE_CLIENT);
11859 	if (!hdr) {
11860 		err = -ENOBUFS;
11861 		goto free_msg;
11862 	}
11863 
11864 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
11865 
11866 	err = rdev_probe_client(rdev, dev, addr, &cookie);
11867 	if (err)
11868 		goto free_msg;
11869 
11870 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11871 			      NL80211_ATTR_PAD))
11872 		goto nla_put_failure;
11873 
11874 	genlmsg_end(msg, hdr);
11875 
11876 	return genlmsg_reply(msg, info);
11877 
11878  nla_put_failure:
11879 	err = -ENOBUFS;
11880  free_msg:
11881 	nlmsg_free(msg);
11882 	return err;
11883 }
11884 
11885 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
11886 {
11887 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11888 	struct cfg80211_beacon_registration *reg, *nreg;
11889 	int rv;
11890 
11891 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
11892 		return -EOPNOTSUPP;
11893 
11894 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
11895 	if (!nreg)
11896 		return -ENOMEM;
11897 
11898 	/* First, check if already registered. */
11899 	spin_lock_bh(&rdev->beacon_registrations_lock);
11900 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11901 		if (reg->nlportid == info->snd_portid) {
11902 			rv = -EALREADY;
11903 			goto out_err;
11904 		}
11905 	}
11906 	/* Add it to the list */
11907 	nreg->nlportid = info->snd_portid;
11908 	list_add(&nreg->list, &rdev->beacon_registrations);
11909 
11910 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11911 
11912 	return 0;
11913 out_err:
11914 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11915 	kfree(nreg);
11916 	return rv;
11917 }
11918 
11919 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
11920 {
11921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11922 	struct wireless_dev *wdev = info->user_ptr[1];
11923 	int err;
11924 
11925 	if (!rdev->ops->start_p2p_device)
11926 		return -EOPNOTSUPP;
11927 
11928 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11929 		return -EOPNOTSUPP;
11930 
11931 	if (wdev_running(wdev))
11932 		return 0;
11933 
11934 	if (rfkill_blocked(rdev->rfkill))
11935 		return -ERFKILL;
11936 
11937 	err = rdev_start_p2p_device(rdev, wdev);
11938 	if (err)
11939 		return err;
11940 
11941 	wdev->is_running = true;
11942 	rdev->opencount++;
11943 
11944 	return 0;
11945 }
11946 
11947 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
11948 {
11949 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11950 	struct wireless_dev *wdev = info->user_ptr[1];
11951 
11952 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11953 		return -EOPNOTSUPP;
11954 
11955 	if (!rdev->ops->stop_p2p_device)
11956 		return -EOPNOTSUPP;
11957 
11958 	cfg80211_stop_p2p_device(rdev, wdev);
11959 
11960 	return 0;
11961 }
11962 
11963 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
11964 {
11965 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11966 	struct wireless_dev *wdev = info->user_ptr[1];
11967 	struct cfg80211_nan_conf conf = {};
11968 	int err;
11969 
11970 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11971 		return -EOPNOTSUPP;
11972 
11973 	if (wdev_running(wdev))
11974 		return -EEXIST;
11975 
11976 	if (rfkill_blocked(rdev->rfkill))
11977 		return -ERFKILL;
11978 
11979 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
11980 		return -EINVAL;
11981 
11982 	conf.master_pref =
11983 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
11984 
11985 	if (info->attrs[NL80211_ATTR_BANDS]) {
11986 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
11987 
11988 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
11989 			return -EOPNOTSUPP;
11990 
11991 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
11992 			return -EINVAL;
11993 
11994 		conf.bands = bands;
11995 	}
11996 
11997 	err = rdev_start_nan(rdev, wdev, &conf);
11998 	if (err)
11999 		return err;
12000 
12001 	wdev->is_running = true;
12002 	rdev->opencount++;
12003 
12004 	return 0;
12005 }
12006 
12007 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12008 {
12009 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12010 	struct wireless_dev *wdev = info->user_ptr[1];
12011 
12012 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12013 		return -EOPNOTSUPP;
12014 
12015 	cfg80211_stop_nan(rdev, wdev);
12016 
12017 	return 0;
12018 }
12019 
12020 static int validate_nan_filter(struct nlattr *filter_attr)
12021 {
12022 	struct nlattr *attr;
12023 	int len = 0, n_entries = 0, rem;
12024 
12025 	nla_for_each_nested(attr, filter_attr, rem) {
12026 		len += nla_len(attr);
12027 		n_entries++;
12028 	}
12029 
12030 	if (len >= U8_MAX)
12031 		return -EINVAL;
12032 
12033 	return n_entries;
12034 }
12035 
12036 static int handle_nan_filter(struct nlattr *attr_filter,
12037 			     struct cfg80211_nan_func *func,
12038 			     bool tx)
12039 {
12040 	struct nlattr *attr;
12041 	int n_entries, rem, i;
12042 	struct cfg80211_nan_func_filter *filter;
12043 
12044 	n_entries = validate_nan_filter(attr_filter);
12045 	if (n_entries < 0)
12046 		return n_entries;
12047 
12048 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12049 
12050 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12051 	if (!filter)
12052 		return -ENOMEM;
12053 
12054 	i = 0;
12055 	nla_for_each_nested(attr, attr_filter, rem) {
12056 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12057 		filter[i].len = nla_len(attr);
12058 		i++;
12059 	}
12060 	if (tx) {
12061 		func->num_tx_filters = n_entries;
12062 		func->tx_filters = filter;
12063 	} else {
12064 		func->num_rx_filters = n_entries;
12065 		func->rx_filters = filter;
12066 	}
12067 
12068 	return 0;
12069 }
12070 
12071 static int nl80211_nan_add_func(struct sk_buff *skb,
12072 				struct genl_info *info)
12073 {
12074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12075 	struct wireless_dev *wdev = info->user_ptr[1];
12076 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12077 	struct cfg80211_nan_func *func;
12078 	struct sk_buff *msg = NULL;
12079 	void *hdr = NULL;
12080 	int err = 0;
12081 
12082 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12083 		return -EOPNOTSUPP;
12084 
12085 	if (!wdev_running(wdev))
12086 		return -ENOTCONN;
12087 
12088 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12089 		return -EINVAL;
12090 
12091 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12092 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12093 					  nl80211_nan_func_policy,
12094 					  info->extack);
12095 	if (err)
12096 		return err;
12097 
12098 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12099 	if (!func)
12100 		return -ENOMEM;
12101 
12102 	func->cookie = cfg80211_assign_cookie(rdev);
12103 
12104 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
12105 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
12106 		err = -EINVAL;
12107 		goto out;
12108 	}
12109 
12110 
12111 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12112 
12113 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12114 		err = -EINVAL;
12115 		goto out;
12116 	}
12117 
12118 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12119 	       sizeof(func->service_id));
12120 
12121 	func->close_range =
12122 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12123 
12124 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12125 		func->serv_spec_info_len =
12126 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12127 		func->serv_spec_info =
12128 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12129 				func->serv_spec_info_len,
12130 				GFP_KERNEL);
12131 		if (!func->serv_spec_info) {
12132 			err = -ENOMEM;
12133 			goto out;
12134 		}
12135 	}
12136 
12137 	if (tb[NL80211_NAN_FUNC_TTL])
12138 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
12139 
12140 	switch (func->type) {
12141 	case NL80211_NAN_FUNC_PUBLISH:
12142 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
12143 			err = -EINVAL;
12144 			goto out;
12145 		}
12146 
12147 		func->publish_type =
12148 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
12149 		func->publish_bcast =
12150 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
12151 
12152 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
12153 			func->publish_bcast) {
12154 			err = -EINVAL;
12155 			goto out;
12156 		}
12157 		break;
12158 	case NL80211_NAN_FUNC_SUBSCRIBE:
12159 		func->subscribe_active =
12160 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
12161 		break;
12162 	case NL80211_NAN_FUNC_FOLLOW_UP:
12163 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
12164 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
12165 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
12166 			err = -EINVAL;
12167 			goto out;
12168 		}
12169 
12170 		func->followup_id =
12171 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
12172 		func->followup_reqid =
12173 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
12174 		memcpy(func->followup_dest.addr,
12175 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
12176 		       sizeof(func->followup_dest.addr));
12177 		if (func->ttl) {
12178 			err = -EINVAL;
12179 			goto out;
12180 		}
12181 		break;
12182 	default:
12183 		err = -EINVAL;
12184 		goto out;
12185 	}
12186 
12187 	if (tb[NL80211_NAN_FUNC_SRF]) {
12188 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12189 
12190 		err = nla_parse_nested_deprecated(srf_tb,
12191 						  NL80211_NAN_SRF_ATTR_MAX,
12192 						  tb[NL80211_NAN_FUNC_SRF],
12193 						  nl80211_nan_srf_policy,
12194 						  info->extack);
12195 		if (err)
12196 			goto out;
12197 
12198 		func->srf_include =
12199 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12200 
12201 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12202 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12203 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12204 				err = -EINVAL;
12205 				goto out;
12206 			}
12207 
12208 			func->srf_bf_len =
12209 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12210 			func->srf_bf =
12211 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12212 					func->srf_bf_len, GFP_KERNEL);
12213 			if (!func->srf_bf) {
12214 				err = -ENOMEM;
12215 				goto out;
12216 			}
12217 
12218 			func->srf_bf_idx =
12219 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12220 		} else {
12221 			struct nlattr *attr, *mac_attr =
12222 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12223 			int n_entries, rem, i = 0;
12224 
12225 			if (!mac_attr) {
12226 				err = -EINVAL;
12227 				goto out;
12228 			}
12229 
12230 			n_entries = validate_acl_mac_addrs(mac_attr);
12231 			if (n_entries <= 0) {
12232 				err = -EINVAL;
12233 				goto out;
12234 			}
12235 
12236 			func->srf_num_macs = n_entries;
12237 			func->srf_macs =
12238 				kcalloc(n_entries, sizeof(*func->srf_macs),
12239 					GFP_KERNEL);
12240 			if (!func->srf_macs) {
12241 				err = -ENOMEM;
12242 				goto out;
12243 			}
12244 
12245 			nla_for_each_nested(attr, mac_attr, rem)
12246 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12247 				       sizeof(*func->srf_macs));
12248 		}
12249 	}
12250 
12251 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12252 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12253 					func, true);
12254 		if (err)
12255 			goto out;
12256 	}
12257 
12258 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12259 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12260 					func, false);
12261 		if (err)
12262 			goto out;
12263 	}
12264 
12265 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12266 	if (!msg) {
12267 		err = -ENOMEM;
12268 		goto out;
12269 	}
12270 
12271 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12272 			     NL80211_CMD_ADD_NAN_FUNCTION);
12273 	/* This can't really happen - we just allocated 4KB */
12274 	if (WARN_ON(!hdr)) {
12275 		err = -ENOMEM;
12276 		goto out;
12277 	}
12278 
12279 	err = rdev_add_nan_func(rdev, wdev, func);
12280 out:
12281 	if (err < 0) {
12282 		cfg80211_free_nan_func(func);
12283 		nlmsg_free(msg);
12284 		return err;
12285 	}
12286 
12287 	/* propagate the instance id and cookie to userspace  */
12288 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12289 			      NL80211_ATTR_PAD))
12290 		goto nla_put_failure;
12291 
12292 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12293 	if (!func_attr)
12294 		goto nla_put_failure;
12295 
12296 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12297 		       func->instance_id))
12298 		goto nla_put_failure;
12299 
12300 	nla_nest_end(msg, func_attr);
12301 
12302 	genlmsg_end(msg, hdr);
12303 	return genlmsg_reply(msg, info);
12304 
12305 nla_put_failure:
12306 	nlmsg_free(msg);
12307 	return -ENOBUFS;
12308 }
12309 
12310 static int nl80211_nan_del_func(struct sk_buff *skb,
12311 			       struct genl_info *info)
12312 {
12313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12314 	struct wireless_dev *wdev = info->user_ptr[1];
12315 	u64 cookie;
12316 
12317 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12318 		return -EOPNOTSUPP;
12319 
12320 	if (!wdev_running(wdev))
12321 		return -ENOTCONN;
12322 
12323 	if (!info->attrs[NL80211_ATTR_COOKIE])
12324 		return -EINVAL;
12325 
12326 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12327 
12328 	rdev_del_nan_func(rdev, wdev, cookie);
12329 
12330 	return 0;
12331 }
12332 
12333 static int nl80211_nan_change_config(struct sk_buff *skb,
12334 				     struct genl_info *info)
12335 {
12336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12337 	struct wireless_dev *wdev = info->user_ptr[1];
12338 	struct cfg80211_nan_conf conf = {};
12339 	u32 changed = 0;
12340 
12341 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12342 		return -EOPNOTSUPP;
12343 
12344 	if (!wdev_running(wdev))
12345 		return -ENOTCONN;
12346 
12347 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12348 		conf.master_pref =
12349 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12350 		if (conf.master_pref <= 1 || conf.master_pref == 255)
12351 			return -EINVAL;
12352 
12353 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12354 	}
12355 
12356 	if (info->attrs[NL80211_ATTR_BANDS]) {
12357 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12358 
12359 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12360 			return -EOPNOTSUPP;
12361 
12362 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12363 			return -EINVAL;
12364 
12365 		conf.bands = bands;
12366 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12367 	}
12368 
12369 	if (!changed)
12370 		return -EINVAL;
12371 
12372 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12373 }
12374 
12375 void cfg80211_nan_match(struct wireless_dev *wdev,
12376 			struct cfg80211_nan_match_params *match, gfp_t gfp)
12377 {
12378 	struct wiphy *wiphy = wdev->wiphy;
12379 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12380 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12381 	struct sk_buff *msg;
12382 	void *hdr;
12383 
12384 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12385 		return;
12386 
12387 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12388 	if (!msg)
12389 		return;
12390 
12391 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12392 	if (!hdr) {
12393 		nlmsg_free(msg);
12394 		return;
12395 	}
12396 
12397 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12398 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12399 					 wdev->netdev->ifindex)) ||
12400 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12401 			      NL80211_ATTR_PAD))
12402 		goto nla_put_failure;
12403 
12404 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12405 			      NL80211_ATTR_PAD) ||
12406 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12407 		goto nla_put_failure;
12408 
12409 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
12410 	if (!match_attr)
12411 		goto nla_put_failure;
12412 
12413 	local_func_attr = nla_nest_start_noflag(msg,
12414 						NL80211_NAN_MATCH_FUNC_LOCAL);
12415 	if (!local_func_attr)
12416 		goto nla_put_failure;
12417 
12418 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12419 		goto nla_put_failure;
12420 
12421 	nla_nest_end(msg, local_func_attr);
12422 
12423 	peer_func_attr = nla_nest_start_noflag(msg,
12424 					       NL80211_NAN_MATCH_FUNC_PEER);
12425 	if (!peer_func_attr)
12426 		goto nla_put_failure;
12427 
12428 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12429 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12430 		goto nla_put_failure;
12431 
12432 	if (match->info && match->info_len &&
12433 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12434 		    match->info))
12435 		goto nla_put_failure;
12436 
12437 	nla_nest_end(msg, peer_func_attr);
12438 	nla_nest_end(msg, match_attr);
12439 	genlmsg_end(msg, hdr);
12440 
12441 	if (!wdev->owner_nlportid)
12442 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12443 					msg, 0, NL80211_MCGRP_NAN, gfp);
12444 	else
12445 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12446 				wdev->owner_nlportid);
12447 
12448 	return;
12449 
12450 nla_put_failure:
12451 	nlmsg_free(msg);
12452 }
12453 EXPORT_SYMBOL(cfg80211_nan_match);
12454 
12455 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12456 				  u8 inst_id,
12457 				  enum nl80211_nan_func_term_reason reason,
12458 				  u64 cookie, gfp_t gfp)
12459 {
12460 	struct wiphy *wiphy = wdev->wiphy;
12461 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12462 	struct sk_buff *msg;
12463 	struct nlattr *func_attr;
12464 	void *hdr;
12465 
12466 	if (WARN_ON(!inst_id))
12467 		return;
12468 
12469 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12470 	if (!msg)
12471 		return;
12472 
12473 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12474 	if (!hdr) {
12475 		nlmsg_free(msg);
12476 		return;
12477 	}
12478 
12479 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12480 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12481 					 wdev->netdev->ifindex)) ||
12482 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12483 			      NL80211_ATTR_PAD))
12484 		goto nla_put_failure;
12485 
12486 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12487 			      NL80211_ATTR_PAD))
12488 		goto nla_put_failure;
12489 
12490 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12491 	if (!func_attr)
12492 		goto nla_put_failure;
12493 
12494 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12495 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12496 		goto nla_put_failure;
12497 
12498 	nla_nest_end(msg, func_attr);
12499 	genlmsg_end(msg, hdr);
12500 
12501 	if (!wdev->owner_nlportid)
12502 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12503 					msg, 0, NL80211_MCGRP_NAN, gfp);
12504 	else
12505 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12506 				wdev->owner_nlportid);
12507 
12508 	return;
12509 
12510 nla_put_failure:
12511 	nlmsg_free(msg);
12512 }
12513 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12514 
12515 static int nl80211_get_protocol_features(struct sk_buff *skb,
12516 					 struct genl_info *info)
12517 {
12518 	void *hdr;
12519 	struct sk_buff *msg;
12520 
12521 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12522 	if (!msg)
12523 		return -ENOMEM;
12524 
12525 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12526 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
12527 	if (!hdr)
12528 		goto nla_put_failure;
12529 
12530 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
12531 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
12532 		goto nla_put_failure;
12533 
12534 	genlmsg_end(msg, hdr);
12535 	return genlmsg_reply(msg, info);
12536 
12537  nla_put_failure:
12538 	kfree_skb(msg);
12539 	return -ENOBUFS;
12540 }
12541 
12542 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
12543 {
12544 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12545 	struct cfg80211_update_ft_ies_params ft_params;
12546 	struct net_device *dev = info->user_ptr[1];
12547 
12548 	if (!rdev->ops->update_ft_ies)
12549 		return -EOPNOTSUPP;
12550 
12551 	if (!info->attrs[NL80211_ATTR_MDID] ||
12552 	    !info->attrs[NL80211_ATTR_IE])
12553 		return -EINVAL;
12554 
12555 	memset(&ft_params, 0, sizeof(ft_params));
12556 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
12557 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12558 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12559 
12560 	return rdev_update_ft_ies(rdev, dev, &ft_params);
12561 }
12562 
12563 static int nl80211_crit_protocol_start(struct sk_buff *skb,
12564 				       struct genl_info *info)
12565 {
12566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12567 	struct wireless_dev *wdev = info->user_ptr[1];
12568 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
12569 	u16 duration;
12570 	int ret;
12571 
12572 	if (!rdev->ops->crit_proto_start)
12573 		return -EOPNOTSUPP;
12574 
12575 	if (WARN_ON(!rdev->ops->crit_proto_stop))
12576 		return -EINVAL;
12577 
12578 	if (rdev->crit_proto_nlportid)
12579 		return -EBUSY;
12580 
12581 	/* determine protocol if provided */
12582 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
12583 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
12584 
12585 	if (proto >= NUM_NL80211_CRIT_PROTO)
12586 		return -EINVAL;
12587 
12588 	/* timeout must be provided */
12589 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
12590 		return -EINVAL;
12591 
12592 	duration =
12593 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
12594 
12595 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
12596 		return -ERANGE;
12597 
12598 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
12599 	if (!ret)
12600 		rdev->crit_proto_nlportid = info->snd_portid;
12601 
12602 	return ret;
12603 }
12604 
12605 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
12606 				      struct genl_info *info)
12607 {
12608 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12609 	struct wireless_dev *wdev = info->user_ptr[1];
12610 
12611 	if (!rdev->ops->crit_proto_stop)
12612 		return -EOPNOTSUPP;
12613 
12614 	if (rdev->crit_proto_nlportid) {
12615 		rdev->crit_proto_nlportid = 0;
12616 		rdev_crit_proto_stop(rdev, wdev);
12617 	}
12618 	return 0;
12619 }
12620 
12621 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
12622 {
12623 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12624 	struct wireless_dev *wdev =
12625 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
12626 	int i, err;
12627 	u32 vid, subcmd;
12628 
12629 	if (!rdev->wiphy.vendor_commands)
12630 		return -EOPNOTSUPP;
12631 
12632 	if (IS_ERR(wdev)) {
12633 		err = PTR_ERR(wdev);
12634 		if (err != -EINVAL)
12635 			return err;
12636 		wdev = NULL;
12637 	} else if (wdev->wiphy != &rdev->wiphy) {
12638 		return -EINVAL;
12639 	}
12640 
12641 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
12642 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
12643 		return -EINVAL;
12644 
12645 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
12646 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
12647 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
12648 		const struct wiphy_vendor_command *vcmd;
12649 		void *data = NULL;
12650 		int len = 0;
12651 
12652 		vcmd = &rdev->wiphy.vendor_commands[i];
12653 
12654 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12655 			continue;
12656 
12657 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12658 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12659 			if (!wdev)
12660 				return -EINVAL;
12661 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12662 			    !wdev->netdev)
12663 				return -EINVAL;
12664 
12665 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12666 				if (!wdev_running(wdev))
12667 					return -ENETDOWN;
12668 			}
12669 
12670 			if (!vcmd->doit)
12671 				return -EOPNOTSUPP;
12672 		} else {
12673 			wdev = NULL;
12674 		}
12675 
12676 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
12677 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12678 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12679 		}
12680 
12681 		rdev->cur_cmd_info = info;
12682 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
12683 							  data, len);
12684 		rdev->cur_cmd_info = NULL;
12685 		return err;
12686 	}
12687 
12688 	return -EOPNOTSUPP;
12689 }
12690 
12691 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
12692 				       struct netlink_callback *cb,
12693 				       struct cfg80211_registered_device **rdev,
12694 				       struct wireless_dev **wdev)
12695 {
12696 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
12697 	u32 vid, subcmd;
12698 	unsigned int i;
12699 	int vcmd_idx = -1;
12700 	int err;
12701 	void *data = NULL;
12702 	unsigned int data_len = 0;
12703 
12704 	if (cb->args[0]) {
12705 		/* subtract the 1 again here */
12706 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
12707 		struct wireless_dev *tmp;
12708 
12709 		if (!wiphy)
12710 			return -ENODEV;
12711 		*rdev = wiphy_to_rdev(wiphy);
12712 		*wdev = NULL;
12713 
12714 		if (cb->args[1]) {
12715 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
12716 				if (tmp->identifier == cb->args[1] - 1) {
12717 					*wdev = tmp;
12718 					break;
12719 				}
12720 			}
12721 		}
12722 
12723 		/* keep rtnl locked in successful case */
12724 		return 0;
12725 	}
12726 
12727 	err = nlmsg_parse_deprecated(cb->nlh,
12728 				     GENL_HDRLEN + nl80211_fam.hdrsize,
12729 				     attrbuf, nl80211_fam.maxattr,
12730 				     nl80211_policy, NULL);
12731 	if (err)
12732 		return err;
12733 
12734 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
12735 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
12736 		return -EINVAL;
12737 
12738 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
12739 	if (IS_ERR(*wdev))
12740 		*wdev = NULL;
12741 
12742 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12743 	if (IS_ERR(*rdev))
12744 		return PTR_ERR(*rdev);
12745 
12746 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
12747 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
12748 
12749 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
12750 		const struct wiphy_vendor_command *vcmd;
12751 
12752 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
12753 
12754 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12755 			continue;
12756 
12757 		if (!vcmd->dumpit)
12758 			return -EOPNOTSUPP;
12759 
12760 		vcmd_idx = i;
12761 		break;
12762 	}
12763 
12764 	if (vcmd_idx < 0)
12765 		return -EOPNOTSUPP;
12766 
12767 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
12768 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12769 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12770 	}
12771 
12772 	/* 0 is the first index - add 1 to parse only once */
12773 	cb->args[0] = (*rdev)->wiphy_idx + 1;
12774 	/* add 1 to know if it was NULL */
12775 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
12776 	cb->args[2] = vcmd_idx;
12777 	cb->args[3] = (unsigned long)data;
12778 	cb->args[4] = data_len;
12779 
12780 	/* keep rtnl locked in successful case */
12781 	return 0;
12782 }
12783 
12784 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
12785 				   struct netlink_callback *cb)
12786 {
12787 	struct cfg80211_registered_device *rdev;
12788 	struct wireless_dev *wdev;
12789 	unsigned int vcmd_idx;
12790 	const struct wiphy_vendor_command *vcmd;
12791 	void *data;
12792 	int data_len;
12793 	int err;
12794 	struct nlattr *vendor_data;
12795 
12796 	rtnl_lock();
12797 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
12798 	if (err)
12799 		goto out;
12800 
12801 	vcmd_idx = cb->args[2];
12802 	data = (void *)cb->args[3];
12803 	data_len = cb->args[4];
12804 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
12805 
12806 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12807 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12808 		if (!wdev) {
12809 			err = -EINVAL;
12810 			goto out;
12811 		}
12812 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12813 		    !wdev->netdev) {
12814 			err = -EINVAL;
12815 			goto out;
12816 		}
12817 
12818 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12819 			if (!wdev_running(wdev)) {
12820 				err = -ENETDOWN;
12821 				goto out;
12822 			}
12823 		}
12824 	}
12825 
12826 	while (1) {
12827 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
12828 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
12829 					   NL80211_CMD_VENDOR);
12830 		if (!hdr)
12831 			break;
12832 
12833 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12834 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12835 					       wdev_id(wdev),
12836 					       NL80211_ATTR_PAD))) {
12837 			genlmsg_cancel(skb, hdr);
12838 			break;
12839 		}
12840 
12841 		vendor_data = nla_nest_start_noflag(skb,
12842 						    NL80211_ATTR_VENDOR_DATA);
12843 		if (!vendor_data) {
12844 			genlmsg_cancel(skb, hdr);
12845 			break;
12846 		}
12847 
12848 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
12849 				   (unsigned long *)&cb->args[5]);
12850 		nla_nest_end(skb, vendor_data);
12851 
12852 		if (err == -ENOBUFS || err == -ENOENT) {
12853 			genlmsg_cancel(skb, hdr);
12854 			break;
12855 		} else if (err) {
12856 			genlmsg_cancel(skb, hdr);
12857 			goto out;
12858 		}
12859 
12860 		genlmsg_end(skb, hdr);
12861 	}
12862 
12863 	err = skb->len;
12864  out:
12865 	rtnl_unlock();
12866 	return err;
12867 }
12868 
12869 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
12870 					   enum nl80211_commands cmd,
12871 					   enum nl80211_attrs attr,
12872 					   int approxlen)
12873 {
12874 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12875 
12876 	if (WARN_ON(!rdev->cur_cmd_info))
12877 		return NULL;
12878 
12879 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
12880 					   rdev->cur_cmd_info->snd_portid,
12881 					   rdev->cur_cmd_info->snd_seq,
12882 					   cmd, attr, NULL, GFP_KERNEL);
12883 }
12884 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
12885 
12886 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
12887 {
12888 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12889 	void *hdr = ((void **)skb->cb)[1];
12890 	struct nlattr *data = ((void **)skb->cb)[2];
12891 
12892 	/* clear CB data for netlink core to own from now on */
12893 	memset(skb->cb, 0, sizeof(skb->cb));
12894 
12895 	if (WARN_ON(!rdev->cur_cmd_info)) {
12896 		kfree_skb(skb);
12897 		return -EINVAL;
12898 	}
12899 
12900 	nla_nest_end(skb, data);
12901 	genlmsg_end(skb, hdr);
12902 	return genlmsg_reply(skb, rdev->cur_cmd_info);
12903 }
12904 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
12905 
12906 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
12907 {
12908 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12909 
12910 	if (WARN_ON(!rdev->cur_cmd_info))
12911 		return 0;
12912 
12913 	return rdev->cur_cmd_info->snd_portid;
12914 }
12915 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
12916 
12917 static int nl80211_set_qos_map(struct sk_buff *skb,
12918 			       struct genl_info *info)
12919 {
12920 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12921 	struct cfg80211_qos_map *qos_map = NULL;
12922 	struct net_device *dev = info->user_ptr[1];
12923 	u8 *pos, len, num_des, des_len, des;
12924 	int ret;
12925 
12926 	if (!rdev->ops->set_qos_map)
12927 		return -EOPNOTSUPP;
12928 
12929 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
12930 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
12931 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
12932 
12933 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
12934 		    len > IEEE80211_QOS_MAP_LEN_MAX)
12935 			return -EINVAL;
12936 
12937 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
12938 		if (!qos_map)
12939 			return -ENOMEM;
12940 
12941 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
12942 		if (num_des) {
12943 			des_len = num_des *
12944 				sizeof(struct cfg80211_dscp_exception);
12945 			memcpy(qos_map->dscp_exception, pos, des_len);
12946 			qos_map->num_des = num_des;
12947 			for (des = 0; des < num_des; des++) {
12948 				if (qos_map->dscp_exception[des].up > 7) {
12949 					kfree(qos_map);
12950 					return -EINVAL;
12951 				}
12952 			}
12953 			pos += des_len;
12954 		}
12955 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
12956 	}
12957 
12958 	wdev_lock(dev->ieee80211_ptr);
12959 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
12960 	if (!ret)
12961 		ret = rdev_set_qos_map(rdev, dev, qos_map);
12962 	wdev_unlock(dev->ieee80211_ptr);
12963 
12964 	kfree(qos_map);
12965 	return ret;
12966 }
12967 
12968 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
12969 {
12970 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12971 	struct net_device *dev = info->user_ptr[1];
12972 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12973 	const u8 *peer;
12974 	u8 tsid, up;
12975 	u16 admitted_time = 0;
12976 	int err;
12977 
12978 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
12979 		return -EOPNOTSUPP;
12980 
12981 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
12982 	    !info->attrs[NL80211_ATTR_USER_PRIO])
12983 		return -EINVAL;
12984 
12985 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12986 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
12987 
12988 	/* WMM uses TIDs 0-7 even for TSPEC */
12989 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
12990 		/* TODO: handle 802.11 TSPEC/admission control
12991 		 * need more attributes for that (e.g. BA session requirement);
12992 		 * change the WMM adminssion test above to allow both then
12993 		 */
12994 		return -EINVAL;
12995 	}
12996 
12997 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12998 
12999 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13000 		admitted_time =
13001 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13002 		if (!admitted_time)
13003 			return -EINVAL;
13004 	}
13005 
13006 	wdev_lock(wdev);
13007 	switch (wdev->iftype) {
13008 	case NL80211_IFTYPE_STATION:
13009 	case NL80211_IFTYPE_P2P_CLIENT:
13010 		if (wdev->current_bss)
13011 			break;
13012 		err = -ENOTCONN;
13013 		goto out;
13014 	default:
13015 		err = -EOPNOTSUPP;
13016 		goto out;
13017 	}
13018 
13019 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13020 
13021  out:
13022 	wdev_unlock(wdev);
13023 	return err;
13024 }
13025 
13026 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13027 {
13028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13029 	struct net_device *dev = info->user_ptr[1];
13030 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13031 	const u8 *peer;
13032 	u8 tsid;
13033 	int err;
13034 
13035 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13036 		return -EINVAL;
13037 
13038 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13039 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13040 
13041 	wdev_lock(wdev);
13042 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13043 	wdev_unlock(wdev);
13044 
13045 	return err;
13046 }
13047 
13048 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13049 				       struct genl_info *info)
13050 {
13051 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13052 	struct net_device *dev = info->user_ptr[1];
13053 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13054 	struct cfg80211_chan_def chandef = {};
13055 	const u8 *addr;
13056 	u8 oper_class;
13057 	int err;
13058 
13059 	if (!rdev->ops->tdls_channel_switch ||
13060 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13061 		return -EOPNOTSUPP;
13062 
13063 	switch (dev->ieee80211_ptr->iftype) {
13064 	case NL80211_IFTYPE_STATION:
13065 	case NL80211_IFTYPE_P2P_CLIENT:
13066 		break;
13067 	default:
13068 		return -EOPNOTSUPP;
13069 	}
13070 
13071 	if (!info->attrs[NL80211_ATTR_MAC] ||
13072 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13073 		return -EINVAL;
13074 
13075 	err = nl80211_parse_chandef(rdev, info, &chandef);
13076 	if (err)
13077 		return err;
13078 
13079 	/*
13080 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13081 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13082 	 * specification is not defined for them.
13083 	 */
13084 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
13085 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
13086 	    chandef.width != NL80211_CHAN_WIDTH_20)
13087 		return -EINVAL;
13088 
13089 	/* we will be active on the TDLS link */
13090 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
13091 					   wdev->iftype))
13092 		return -EINVAL;
13093 
13094 	/* don't allow switching to DFS channels */
13095 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
13096 		return -EINVAL;
13097 
13098 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13099 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
13100 
13101 	wdev_lock(wdev);
13102 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
13103 	wdev_unlock(wdev);
13104 
13105 	return err;
13106 }
13107 
13108 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
13109 					      struct genl_info *info)
13110 {
13111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13112 	struct net_device *dev = info->user_ptr[1];
13113 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13114 	const u8 *addr;
13115 
13116 	if (!rdev->ops->tdls_channel_switch ||
13117 	    !rdev->ops->tdls_cancel_channel_switch ||
13118 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13119 		return -EOPNOTSUPP;
13120 
13121 	switch (dev->ieee80211_ptr->iftype) {
13122 	case NL80211_IFTYPE_STATION:
13123 	case NL80211_IFTYPE_P2P_CLIENT:
13124 		break;
13125 	default:
13126 		return -EOPNOTSUPP;
13127 	}
13128 
13129 	if (!info->attrs[NL80211_ATTR_MAC])
13130 		return -EINVAL;
13131 
13132 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13133 
13134 	wdev_lock(wdev);
13135 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
13136 	wdev_unlock(wdev);
13137 
13138 	return 0;
13139 }
13140 
13141 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
13142 					    struct genl_info *info)
13143 {
13144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13145 	struct net_device *dev = info->user_ptr[1];
13146 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13147 	const struct nlattr *nla;
13148 	bool enabled;
13149 
13150 	if (!rdev->ops->set_multicast_to_unicast)
13151 		return -EOPNOTSUPP;
13152 
13153 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13154 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13155 		return -EOPNOTSUPP;
13156 
13157 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
13158 	enabled = nla_get_flag(nla);
13159 
13160 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
13161 }
13162 
13163 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
13164 {
13165 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13166 	struct net_device *dev = info->user_ptr[1];
13167 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13168 	struct cfg80211_pmk_conf pmk_conf = {};
13169 	int ret;
13170 
13171 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13172 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13173 		return -EOPNOTSUPP;
13174 
13175 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13176 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13177 		return -EOPNOTSUPP;
13178 
13179 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
13180 		return -EINVAL;
13181 
13182 	wdev_lock(wdev);
13183 	if (!wdev->current_bss) {
13184 		ret = -ENOTCONN;
13185 		goto out;
13186 	}
13187 
13188 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13189 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
13190 		ret = -EINVAL;
13191 		goto out;
13192 	}
13193 
13194 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13195 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13196 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
13197 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
13198 		ret = -EINVAL;
13199 		goto out;
13200 	}
13201 
13202 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
13203 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13204 
13205 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
13206 			ret = -EINVAL;
13207 			goto out;
13208 		}
13209 
13210 		pmk_conf.pmk_r0_name =
13211 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13212 	}
13213 
13214 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13215 out:
13216 	wdev_unlock(wdev);
13217 	return ret;
13218 }
13219 
13220 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13221 {
13222 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13223 	struct net_device *dev = info->user_ptr[1];
13224 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13225 	const u8 *aa;
13226 	int ret;
13227 
13228 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13229 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13230 		return -EOPNOTSUPP;
13231 
13232 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13233 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13234 		return -EOPNOTSUPP;
13235 
13236 	if (!info->attrs[NL80211_ATTR_MAC])
13237 		return -EINVAL;
13238 
13239 	wdev_lock(wdev);
13240 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13241 	ret = rdev_del_pmk(rdev, dev, aa);
13242 	wdev_unlock(wdev);
13243 
13244 	return ret;
13245 }
13246 
13247 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13248 {
13249 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13250 	struct net_device *dev = info->user_ptr[1];
13251 	struct cfg80211_external_auth_params params;
13252 
13253 	if (!rdev->ops->external_auth)
13254 		return -EOPNOTSUPP;
13255 
13256 	if (!info->attrs[NL80211_ATTR_SSID] &&
13257 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
13258 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
13259 		return -EINVAL;
13260 
13261 	if (!info->attrs[NL80211_ATTR_BSSID])
13262 		return -EINVAL;
13263 
13264 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13265 		return -EINVAL;
13266 
13267 	memset(&params, 0, sizeof(params));
13268 
13269 	if (info->attrs[NL80211_ATTR_SSID]) {
13270 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13271 		if (params.ssid.ssid_len == 0 ||
13272 		    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13273 			return -EINVAL;
13274 		memcpy(params.ssid.ssid,
13275 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
13276 		       params.ssid.ssid_len);
13277 	}
13278 
13279 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13280 	       ETH_ALEN);
13281 
13282 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13283 
13284 	if (info->attrs[NL80211_ATTR_PMKID])
13285 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13286 
13287 	return rdev_external_auth(rdev, dev, &params);
13288 }
13289 
13290 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13291 {
13292 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13293 	struct net_device *dev = info->user_ptr[1];
13294 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13295 	const u8 *buf;
13296 	size_t len;
13297 	u8 *dest;
13298 	u16 proto;
13299 	bool noencrypt;
13300 	int err;
13301 
13302 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13303 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13304 		return -EOPNOTSUPP;
13305 
13306 	if (!rdev->ops->tx_control_port)
13307 		return -EOPNOTSUPP;
13308 
13309 	if (!info->attrs[NL80211_ATTR_FRAME] ||
13310 	    !info->attrs[NL80211_ATTR_MAC] ||
13311 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13312 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13313 		return -EINVAL;
13314 	}
13315 
13316 	wdev_lock(wdev);
13317 
13318 	switch (wdev->iftype) {
13319 	case NL80211_IFTYPE_AP:
13320 	case NL80211_IFTYPE_P2P_GO:
13321 	case NL80211_IFTYPE_MESH_POINT:
13322 		break;
13323 	case NL80211_IFTYPE_ADHOC:
13324 	case NL80211_IFTYPE_STATION:
13325 	case NL80211_IFTYPE_P2P_CLIENT:
13326 		if (wdev->current_bss)
13327 			break;
13328 		err = -ENOTCONN;
13329 		goto out;
13330 	default:
13331 		err = -EOPNOTSUPP;
13332 		goto out;
13333 	}
13334 
13335 	wdev_unlock(wdev);
13336 
13337 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13338 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13339 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13340 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13341 	noencrypt =
13342 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13343 
13344 	return rdev_tx_control_port(rdev, dev, buf, len,
13345 				    dest, cpu_to_be16(proto), noencrypt);
13346 
13347  out:
13348 	wdev_unlock(wdev);
13349 	return err;
13350 }
13351 
13352 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
13353 					   struct genl_info *info)
13354 {
13355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13356 	struct net_device *dev = info->user_ptr[1];
13357 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13358 	struct cfg80211_ftm_responder_stats ftm_stats = {};
13359 	struct sk_buff *msg;
13360 	void *hdr;
13361 	struct nlattr *ftm_stats_attr;
13362 	int err;
13363 
13364 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
13365 		return -EOPNOTSUPP;
13366 
13367 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
13368 	if (err)
13369 		return err;
13370 
13371 	if (!ftm_stats.filled)
13372 		return -ENODATA;
13373 
13374 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13375 	if (!msg)
13376 		return -ENOMEM;
13377 
13378 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13379 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
13380 	if (!hdr)
13381 		return -ENOBUFS;
13382 
13383 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13384 		goto nla_put_failure;
13385 
13386 	ftm_stats_attr = nla_nest_start_noflag(msg,
13387 					       NL80211_ATTR_FTM_RESPONDER_STATS);
13388 	if (!ftm_stats_attr)
13389 		goto nla_put_failure;
13390 
13391 #define SET_FTM(field, name, type)					 \
13392 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13393 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
13394 			     ftm_stats.field))				 \
13395 		goto nla_put_failure; } while (0)
13396 #define SET_FTM_U64(field, name)					 \
13397 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13398 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
13399 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
13400 		goto nla_put_failure; } while (0)
13401 
13402 	SET_FTM(success_num, SUCCESS_NUM, u32);
13403 	SET_FTM(partial_num, PARTIAL_NUM, u32);
13404 	SET_FTM(failed_num, FAILED_NUM, u32);
13405 	SET_FTM(asap_num, ASAP_NUM, u32);
13406 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
13407 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
13408 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
13409 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
13410 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
13411 #undef SET_FTM
13412 
13413 	nla_nest_end(msg, ftm_stats_attr);
13414 
13415 	genlmsg_end(msg, hdr);
13416 	return genlmsg_reply(msg, info);
13417 
13418 nla_put_failure:
13419 	nlmsg_free(msg);
13420 	return -ENOBUFS;
13421 }
13422 
13423 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
13424 {
13425 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13426 	struct cfg80211_update_owe_info owe_info;
13427 	struct net_device *dev = info->user_ptr[1];
13428 
13429 	if (!rdev->ops->update_owe_info)
13430 		return -EOPNOTSUPP;
13431 
13432 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
13433 	    !info->attrs[NL80211_ATTR_MAC])
13434 		return -EINVAL;
13435 
13436 	memset(&owe_info, 0, sizeof(owe_info));
13437 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13438 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
13439 
13440 	if (info->attrs[NL80211_ATTR_IE]) {
13441 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13442 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13443 	}
13444 
13445 	return rdev_update_owe_info(rdev, dev, &owe_info);
13446 }
13447 
13448 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
13449 {
13450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13451 	struct net_device *dev = info->user_ptr[1];
13452 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13453 	struct station_info sinfo = {};
13454 	const u8 *buf;
13455 	size_t len;
13456 	u8 *dest;
13457 	int err;
13458 
13459 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
13460 		return -EOPNOTSUPP;
13461 
13462 	if (!info->attrs[NL80211_ATTR_MAC] ||
13463 	    !info->attrs[NL80211_ATTR_FRAME]) {
13464 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
13465 		return -EINVAL;
13466 	}
13467 
13468 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
13469 		return -EOPNOTSUPP;
13470 
13471 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13472 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13473 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13474 
13475 	if (len < sizeof(struct ethhdr))
13476 		return -EINVAL;
13477 
13478 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
13479 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
13480 		return -EINVAL;
13481 
13482 	err = rdev_get_station(rdev, dev, dest, &sinfo);
13483 	if (err)
13484 		return err;
13485 
13486 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
13487 }
13488 
13489 #define NL80211_FLAG_NEED_WIPHY		0x01
13490 #define NL80211_FLAG_NEED_NETDEV	0x02
13491 #define NL80211_FLAG_NEED_RTNL		0x04
13492 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
13493 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
13494 					 NL80211_FLAG_CHECK_NETDEV_UP)
13495 #define NL80211_FLAG_NEED_WDEV		0x10
13496 /* If a netdev is associated, it must be UP, P2P must be started */
13497 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
13498 					 NL80211_FLAG_CHECK_NETDEV_UP)
13499 #define NL80211_FLAG_CLEAR_SKB		0x20
13500 
13501 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
13502 			    struct genl_info *info)
13503 {
13504 	struct cfg80211_registered_device *rdev;
13505 	struct wireless_dev *wdev;
13506 	struct net_device *dev;
13507 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
13508 
13509 	if (rtnl)
13510 		rtnl_lock();
13511 
13512 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
13513 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
13514 		if (IS_ERR(rdev)) {
13515 			if (rtnl)
13516 				rtnl_unlock();
13517 			return PTR_ERR(rdev);
13518 		}
13519 		info->user_ptr[0] = rdev;
13520 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
13521 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13522 		ASSERT_RTNL();
13523 
13524 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
13525 						  info->attrs);
13526 		if (IS_ERR(wdev)) {
13527 			if (rtnl)
13528 				rtnl_unlock();
13529 			return PTR_ERR(wdev);
13530 		}
13531 
13532 		dev = wdev->netdev;
13533 		rdev = wiphy_to_rdev(wdev->wiphy);
13534 
13535 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
13536 			if (!dev) {
13537 				if (rtnl)
13538 					rtnl_unlock();
13539 				return -EINVAL;
13540 			}
13541 
13542 			info->user_ptr[1] = dev;
13543 		} else {
13544 			info->user_ptr[1] = wdev;
13545 		}
13546 
13547 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
13548 		    !wdev_running(wdev)) {
13549 			if (rtnl)
13550 				rtnl_unlock();
13551 			return -ENETDOWN;
13552 		}
13553 
13554 		if (dev)
13555 			dev_hold(dev);
13556 
13557 		info->user_ptr[0] = rdev;
13558 	}
13559 
13560 	return 0;
13561 }
13562 
13563 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
13564 			      struct genl_info *info)
13565 {
13566 	if (info->user_ptr[1]) {
13567 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
13568 			struct wireless_dev *wdev = info->user_ptr[1];
13569 
13570 			if (wdev->netdev)
13571 				dev_put(wdev->netdev);
13572 		} else {
13573 			dev_put(info->user_ptr[1]);
13574 		}
13575 	}
13576 
13577 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
13578 		rtnl_unlock();
13579 
13580 	/* If needed, clear the netlink message payload from the SKB
13581 	 * as it might contain key data that shouldn't stick around on
13582 	 * the heap after the SKB is freed. The netlink message header
13583 	 * is still needed for further processing, so leave it intact.
13584 	 */
13585 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
13586 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
13587 
13588 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
13589 	}
13590 }
13591 
13592 static const struct genl_ops nl80211_ops[] = {
13593 	{
13594 		.cmd = NL80211_CMD_GET_WIPHY,
13595 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13596 		.doit = nl80211_get_wiphy,
13597 		.dumpit = nl80211_dump_wiphy,
13598 		.done = nl80211_dump_wiphy_done,
13599 		/* can be retrieved by unprivileged users */
13600 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13601 				  NL80211_FLAG_NEED_RTNL,
13602 	},
13603 	{
13604 		.cmd = NL80211_CMD_SET_WIPHY,
13605 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13606 		.doit = nl80211_set_wiphy,
13607 		.flags = GENL_UNS_ADMIN_PERM,
13608 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13609 	},
13610 	{
13611 		.cmd = NL80211_CMD_GET_INTERFACE,
13612 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13613 		.doit = nl80211_get_interface,
13614 		.dumpit = nl80211_dump_interface,
13615 		/* can be retrieved by unprivileged users */
13616 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13617 				  NL80211_FLAG_NEED_RTNL,
13618 	},
13619 	{
13620 		.cmd = NL80211_CMD_SET_INTERFACE,
13621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13622 		.doit = nl80211_set_interface,
13623 		.flags = GENL_UNS_ADMIN_PERM,
13624 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13625 				  NL80211_FLAG_NEED_RTNL,
13626 	},
13627 	{
13628 		.cmd = NL80211_CMD_NEW_INTERFACE,
13629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13630 		.doit = nl80211_new_interface,
13631 		.flags = GENL_UNS_ADMIN_PERM,
13632 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13633 				  NL80211_FLAG_NEED_RTNL,
13634 	},
13635 	{
13636 		.cmd = NL80211_CMD_DEL_INTERFACE,
13637 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13638 		.doit = nl80211_del_interface,
13639 		.flags = GENL_UNS_ADMIN_PERM,
13640 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13641 				  NL80211_FLAG_NEED_RTNL,
13642 	},
13643 	{
13644 		.cmd = NL80211_CMD_GET_KEY,
13645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13646 		.doit = nl80211_get_key,
13647 		.flags = GENL_UNS_ADMIN_PERM,
13648 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13649 				  NL80211_FLAG_NEED_RTNL,
13650 	},
13651 	{
13652 		.cmd = NL80211_CMD_SET_KEY,
13653 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13654 		.doit = nl80211_set_key,
13655 		.flags = GENL_UNS_ADMIN_PERM,
13656 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13657 				  NL80211_FLAG_NEED_RTNL |
13658 				  NL80211_FLAG_CLEAR_SKB,
13659 	},
13660 	{
13661 		.cmd = NL80211_CMD_NEW_KEY,
13662 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13663 		.doit = nl80211_new_key,
13664 		.flags = GENL_UNS_ADMIN_PERM,
13665 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13666 				  NL80211_FLAG_NEED_RTNL |
13667 				  NL80211_FLAG_CLEAR_SKB,
13668 	},
13669 	{
13670 		.cmd = NL80211_CMD_DEL_KEY,
13671 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13672 		.doit = nl80211_del_key,
13673 		.flags = GENL_UNS_ADMIN_PERM,
13674 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13675 				  NL80211_FLAG_NEED_RTNL,
13676 	},
13677 	{
13678 		.cmd = NL80211_CMD_SET_BEACON,
13679 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13680 		.flags = GENL_UNS_ADMIN_PERM,
13681 		.doit = nl80211_set_beacon,
13682 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13683 				  NL80211_FLAG_NEED_RTNL,
13684 	},
13685 	{
13686 		.cmd = NL80211_CMD_START_AP,
13687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13688 		.flags = GENL_UNS_ADMIN_PERM,
13689 		.doit = nl80211_start_ap,
13690 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13691 				  NL80211_FLAG_NEED_RTNL,
13692 	},
13693 	{
13694 		.cmd = NL80211_CMD_STOP_AP,
13695 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13696 		.flags = GENL_UNS_ADMIN_PERM,
13697 		.doit = nl80211_stop_ap,
13698 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13699 				  NL80211_FLAG_NEED_RTNL,
13700 	},
13701 	{
13702 		.cmd = NL80211_CMD_GET_STATION,
13703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13704 		.doit = nl80211_get_station,
13705 		.dumpit = nl80211_dump_station,
13706 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13707 				  NL80211_FLAG_NEED_RTNL,
13708 	},
13709 	{
13710 		.cmd = NL80211_CMD_SET_STATION,
13711 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13712 		.doit = nl80211_set_station,
13713 		.flags = GENL_UNS_ADMIN_PERM,
13714 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13715 				  NL80211_FLAG_NEED_RTNL,
13716 	},
13717 	{
13718 		.cmd = NL80211_CMD_NEW_STATION,
13719 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13720 		.doit = nl80211_new_station,
13721 		.flags = GENL_UNS_ADMIN_PERM,
13722 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13723 				  NL80211_FLAG_NEED_RTNL,
13724 	},
13725 	{
13726 		.cmd = NL80211_CMD_DEL_STATION,
13727 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13728 		.doit = nl80211_del_station,
13729 		.flags = GENL_UNS_ADMIN_PERM,
13730 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13731 				  NL80211_FLAG_NEED_RTNL,
13732 	},
13733 	{
13734 		.cmd = NL80211_CMD_GET_MPATH,
13735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13736 		.doit = nl80211_get_mpath,
13737 		.dumpit = nl80211_dump_mpath,
13738 		.flags = GENL_UNS_ADMIN_PERM,
13739 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13740 				  NL80211_FLAG_NEED_RTNL,
13741 	},
13742 	{
13743 		.cmd = NL80211_CMD_GET_MPP,
13744 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13745 		.doit = nl80211_get_mpp,
13746 		.dumpit = nl80211_dump_mpp,
13747 		.flags = GENL_UNS_ADMIN_PERM,
13748 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13749 				  NL80211_FLAG_NEED_RTNL,
13750 	},
13751 	{
13752 		.cmd = NL80211_CMD_SET_MPATH,
13753 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13754 		.doit = nl80211_set_mpath,
13755 		.flags = GENL_UNS_ADMIN_PERM,
13756 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13757 				  NL80211_FLAG_NEED_RTNL,
13758 	},
13759 	{
13760 		.cmd = NL80211_CMD_NEW_MPATH,
13761 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13762 		.doit = nl80211_new_mpath,
13763 		.flags = GENL_UNS_ADMIN_PERM,
13764 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13765 				  NL80211_FLAG_NEED_RTNL,
13766 	},
13767 	{
13768 		.cmd = NL80211_CMD_DEL_MPATH,
13769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13770 		.doit = nl80211_del_mpath,
13771 		.flags = GENL_UNS_ADMIN_PERM,
13772 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13773 				  NL80211_FLAG_NEED_RTNL,
13774 	},
13775 	{
13776 		.cmd = NL80211_CMD_SET_BSS,
13777 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13778 		.doit = nl80211_set_bss,
13779 		.flags = GENL_UNS_ADMIN_PERM,
13780 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13781 				  NL80211_FLAG_NEED_RTNL,
13782 	},
13783 	{
13784 		.cmd = NL80211_CMD_GET_REG,
13785 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13786 		.doit = nl80211_get_reg_do,
13787 		.dumpit = nl80211_get_reg_dump,
13788 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13789 		/* can be retrieved by unprivileged users */
13790 	},
13791 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
13792 	{
13793 		.cmd = NL80211_CMD_SET_REG,
13794 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13795 		.doit = nl80211_set_reg,
13796 		.flags = GENL_ADMIN_PERM,
13797 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13798 	},
13799 #endif
13800 	{
13801 		.cmd = NL80211_CMD_REQ_SET_REG,
13802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13803 		.doit = nl80211_req_set_reg,
13804 		.flags = GENL_ADMIN_PERM,
13805 	},
13806 	{
13807 		.cmd = NL80211_CMD_RELOAD_REGDB,
13808 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13809 		.doit = nl80211_reload_regdb,
13810 		.flags = GENL_ADMIN_PERM,
13811 	},
13812 	{
13813 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
13814 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13815 		.doit = nl80211_get_mesh_config,
13816 		/* can be retrieved by unprivileged users */
13817 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13818 				  NL80211_FLAG_NEED_RTNL,
13819 	},
13820 	{
13821 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
13822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13823 		.doit = nl80211_update_mesh_config,
13824 		.flags = GENL_UNS_ADMIN_PERM,
13825 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13826 				  NL80211_FLAG_NEED_RTNL,
13827 	},
13828 	{
13829 		.cmd = NL80211_CMD_TRIGGER_SCAN,
13830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13831 		.doit = nl80211_trigger_scan,
13832 		.flags = GENL_UNS_ADMIN_PERM,
13833 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13834 				  NL80211_FLAG_NEED_RTNL,
13835 	},
13836 	{
13837 		.cmd = NL80211_CMD_ABORT_SCAN,
13838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13839 		.doit = nl80211_abort_scan,
13840 		.flags = GENL_UNS_ADMIN_PERM,
13841 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13842 				  NL80211_FLAG_NEED_RTNL,
13843 	},
13844 	{
13845 		.cmd = NL80211_CMD_GET_SCAN,
13846 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13847 		.dumpit = nl80211_dump_scan,
13848 	},
13849 	{
13850 		.cmd = NL80211_CMD_START_SCHED_SCAN,
13851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13852 		.doit = nl80211_start_sched_scan,
13853 		.flags = GENL_UNS_ADMIN_PERM,
13854 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13855 				  NL80211_FLAG_NEED_RTNL,
13856 	},
13857 	{
13858 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
13859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13860 		.doit = nl80211_stop_sched_scan,
13861 		.flags = GENL_UNS_ADMIN_PERM,
13862 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13863 				  NL80211_FLAG_NEED_RTNL,
13864 	},
13865 	{
13866 		.cmd = NL80211_CMD_AUTHENTICATE,
13867 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13868 		.doit = nl80211_authenticate,
13869 		.flags = GENL_UNS_ADMIN_PERM,
13870 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13871 				  NL80211_FLAG_NEED_RTNL |
13872 				  NL80211_FLAG_CLEAR_SKB,
13873 	},
13874 	{
13875 		.cmd = NL80211_CMD_ASSOCIATE,
13876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13877 		.doit = nl80211_associate,
13878 		.flags = GENL_UNS_ADMIN_PERM,
13879 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13880 				  NL80211_FLAG_NEED_RTNL |
13881 				  NL80211_FLAG_CLEAR_SKB,
13882 	},
13883 	{
13884 		.cmd = NL80211_CMD_DEAUTHENTICATE,
13885 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13886 		.doit = nl80211_deauthenticate,
13887 		.flags = GENL_UNS_ADMIN_PERM,
13888 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13889 				  NL80211_FLAG_NEED_RTNL,
13890 	},
13891 	{
13892 		.cmd = NL80211_CMD_DISASSOCIATE,
13893 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13894 		.doit = nl80211_disassociate,
13895 		.flags = GENL_UNS_ADMIN_PERM,
13896 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13897 				  NL80211_FLAG_NEED_RTNL,
13898 	},
13899 	{
13900 		.cmd = NL80211_CMD_JOIN_IBSS,
13901 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13902 		.doit = nl80211_join_ibss,
13903 		.flags = GENL_UNS_ADMIN_PERM,
13904 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13905 				  NL80211_FLAG_NEED_RTNL,
13906 	},
13907 	{
13908 		.cmd = NL80211_CMD_LEAVE_IBSS,
13909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13910 		.doit = nl80211_leave_ibss,
13911 		.flags = GENL_UNS_ADMIN_PERM,
13912 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13913 				  NL80211_FLAG_NEED_RTNL,
13914 	},
13915 #ifdef CONFIG_NL80211_TESTMODE
13916 	{
13917 		.cmd = NL80211_CMD_TESTMODE,
13918 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13919 		.doit = nl80211_testmode_do,
13920 		.dumpit = nl80211_testmode_dump,
13921 		.flags = GENL_UNS_ADMIN_PERM,
13922 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13923 				  NL80211_FLAG_NEED_RTNL,
13924 	},
13925 #endif
13926 	{
13927 		.cmd = NL80211_CMD_CONNECT,
13928 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13929 		.doit = nl80211_connect,
13930 		.flags = GENL_UNS_ADMIN_PERM,
13931 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13932 				  NL80211_FLAG_NEED_RTNL |
13933 				  NL80211_FLAG_CLEAR_SKB,
13934 	},
13935 	{
13936 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
13937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13938 		.doit = nl80211_update_connect_params,
13939 		.flags = GENL_ADMIN_PERM,
13940 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13941 				  NL80211_FLAG_NEED_RTNL |
13942 				  NL80211_FLAG_CLEAR_SKB,
13943 	},
13944 	{
13945 		.cmd = NL80211_CMD_DISCONNECT,
13946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13947 		.doit = nl80211_disconnect,
13948 		.flags = GENL_UNS_ADMIN_PERM,
13949 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13950 				  NL80211_FLAG_NEED_RTNL,
13951 	},
13952 	{
13953 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
13954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13955 		.doit = nl80211_wiphy_netns,
13956 		.flags = GENL_UNS_ADMIN_PERM,
13957 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13958 				  NL80211_FLAG_NEED_RTNL,
13959 	},
13960 	{
13961 		.cmd = NL80211_CMD_GET_SURVEY,
13962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13963 		.dumpit = nl80211_dump_survey,
13964 	},
13965 	{
13966 		.cmd = NL80211_CMD_SET_PMKSA,
13967 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13968 		.doit = nl80211_setdel_pmksa,
13969 		.flags = GENL_UNS_ADMIN_PERM,
13970 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13971 				  NL80211_FLAG_NEED_RTNL |
13972 				  NL80211_FLAG_CLEAR_SKB,
13973 	},
13974 	{
13975 		.cmd = NL80211_CMD_DEL_PMKSA,
13976 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13977 		.doit = nl80211_setdel_pmksa,
13978 		.flags = GENL_UNS_ADMIN_PERM,
13979 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13980 				  NL80211_FLAG_NEED_RTNL,
13981 	},
13982 	{
13983 		.cmd = NL80211_CMD_FLUSH_PMKSA,
13984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13985 		.doit = nl80211_flush_pmksa,
13986 		.flags = GENL_UNS_ADMIN_PERM,
13987 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13988 				  NL80211_FLAG_NEED_RTNL,
13989 	},
13990 	{
13991 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
13992 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13993 		.doit = nl80211_remain_on_channel,
13994 		.flags = GENL_UNS_ADMIN_PERM,
13995 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13996 				  NL80211_FLAG_NEED_RTNL,
13997 	},
13998 	{
13999 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14001 		.doit = nl80211_cancel_remain_on_channel,
14002 		.flags = GENL_UNS_ADMIN_PERM,
14003 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14004 				  NL80211_FLAG_NEED_RTNL,
14005 	},
14006 	{
14007 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14008 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14009 		.doit = nl80211_set_tx_bitrate_mask,
14010 		.flags = GENL_UNS_ADMIN_PERM,
14011 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14012 				  NL80211_FLAG_NEED_RTNL,
14013 	},
14014 	{
14015 		.cmd = NL80211_CMD_REGISTER_FRAME,
14016 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14017 		.doit = nl80211_register_mgmt,
14018 		.flags = GENL_UNS_ADMIN_PERM,
14019 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14020 				  NL80211_FLAG_NEED_RTNL,
14021 	},
14022 	{
14023 		.cmd = NL80211_CMD_FRAME,
14024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14025 		.doit = nl80211_tx_mgmt,
14026 		.flags = GENL_UNS_ADMIN_PERM,
14027 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14028 				  NL80211_FLAG_NEED_RTNL,
14029 	},
14030 	{
14031 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14032 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14033 		.doit = nl80211_tx_mgmt_cancel_wait,
14034 		.flags = GENL_UNS_ADMIN_PERM,
14035 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14036 				  NL80211_FLAG_NEED_RTNL,
14037 	},
14038 	{
14039 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14040 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14041 		.doit = nl80211_set_power_save,
14042 		.flags = GENL_UNS_ADMIN_PERM,
14043 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14044 				  NL80211_FLAG_NEED_RTNL,
14045 	},
14046 	{
14047 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14049 		.doit = nl80211_get_power_save,
14050 		/* can be retrieved by unprivileged users */
14051 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14052 				  NL80211_FLAG_NEED_RTNL,
14053 	},
14054 	{
14055 		.cmd = NL80211_CMD_SET_CQM,
14056 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14057 		.doit = nl80211_set_cqm,
14058 		.flags = GENL_UNS_ADMIN_PERM,
14059 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14060 				  NL80211_FLAG_NEED_RTNL,
14061 	},
14062 	{
14063 		.cmd = NL80211_CMD_SET_CHANNEL,
14064 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14065 		.doit = nl80211_set_channel,
14066 		.flags = GENL_UNS_ADMIN_PERM,
14067 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14068 				  NL80211_FLAG_NEED_RTNL,
14069 	},
14070 	{
14071 		.cmd = NL80211_CMD_SET_WDS_PEER,
14072 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14073 		.doit = nl80211_set_wds_peer,
14074 		.flags = GENL_UNS_ADMIN_PERM,
14075 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14076 				  NL80211_FLAG_NEED_RTNL,
14077 	},
14078 	{
14079 		.cmd = NL80211_CMD_JOIN_MESH,
14080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14081 		.doit = nl80211_join_mesh,
14082 		.flags = GENL_UNS_ADMIN_PERM,
14083 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14084 				  NL80211_FLAG_NEED_RTNL,
14085 	},
14086 	{
14087 		.cmd = NL80211_CMD_LEAVE_MESH,
14088 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14089 		.doit = nl80211_leave_mesh,
14090 		.flags = GENL_UNS_ADMIN_PERM,
14091 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14092 				  NL80211_FLAG_NEED_RTNL,
14093 	},
14094 	{
14095 		.cmd = NL80211_CMD_JOIN_OCB,
14096 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14097 		.doit = nl80211_join_ocb,
14098 		.flags = GENL_UNS_ADMIN_PERM,
14099 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14100 				  NL80211_FLAG_NEED_RTNL,
14101 	},
14102 	{
14103 		.cmd = NL80211_CMD_LEAVE_OCB,
14104 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14105 		.doit = nl80211_leave_ocb,
14106 		.flags = GENL_UNS_ADMIN_PERM,
14107 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14108 				  NL80211_FLAG_NEED_RTNL,
14109 	},
14110 #ifdef CONFIG_PM
14111 	{
14112 		.cmd = NL80211_CMD_GET_WOWLAN,
14113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14114 		.doit = nl80211_get_wowlan,
14115 		/* can be retrieved by unprivileged users */
14116 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14117 				  NL80211_FLAG_NEED_RTNL,
14118 	},
14119 	{
14120 		.cmd = NL80211_CMD_SET_WOWLAN,
14121 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14122 		.doit = nl80211_set_wowlan,
14123 		.flags = GENL_UNS_ADMIN_PERM,
14124 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14125 				  NL80211_FLAG_NEED_RTNL,
14126 	},
14127 #endif
14128 	{
14129 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
14130 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14131 		.doit = nl80211_set_rekey_data,
14132 		.flags = GENL_UNS_ADMIN_PERM,
14133 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14134 				  NL80211_FLAG_NEED_RTNL |
14135 				  NL80211_FLAG_CLEAR_SKB,
14136 	},
14137 	{
14138 		.cmd = NL80211_CMD_TDLS_MGMT,
14139 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14140 		.doit = nl80211_tdls_mgmt,
14141 		.flags = GENL_UNS_ADMIN_PERM,
14142 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14143 				  NL80211_FLAG_NEED_RTNL,
14144 	},
14145 	{
14146 		.cmd = NL80211_CMD_TDLS_OPER,
14147 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14148 		.doit = nl80211_tdls_oper,
14149 		.flags = GENL_UNS_ADMIN_PERM,
14150 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14151 				  NL80211_FLAG_NEED_RTNL,
14152 	},
14153 	{
14154 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
14155 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14156 		.doit = nl80211_register_unexpected_frame,
14157 		.flags = GENL_UNS_ADMIN_PERM,
14158 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14159 				  NL80211_FLAG_NEED_RTNL,
14160 	},
14161 	{
14162 		.cmd = NL80211_CMD_PROBE_CLIENT,
14163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14164 		.doit = nl80211_probe_client,
14165 		.flags = GENL_UNS_ADMIN_PERM,
14166 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14167 				  NL80211_FLAG_NEED_RTNL,
14168 	},
14169 	{
14170 		.cmd = NL80211_CMD_REGISTER_BEACONS,
14171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14172 		.doit = nl80211_register_beacons,
14173 		.flags = GENL_UNS_ADMIN_PERM,
14174 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14175 				  NL80211_FLAG_NEED_RTNL,
14176 	},
14177 	{
14178 		.cmd = NL80211_CMD_SET_NOACK_MAP,
14179 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14180 		.doit = nl80211_set_noack_map,
14181 		.flags = GENL_UNS_ADMIN_PERM,
14182 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14183 				  NL80211_FLAG_NEED_RTNL,
14184 	},
14185 	{
14186 		.cmd = NL80211_CMD_START_P2P_DEVICE,
14187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14188 		.doit = nl80211_start_p2p_device,
14189 		.flags = GENL_UNS_ADMIN_PERM,
14190 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14191 				  NL80211_FLAG_NEED_RTNL,
14192 	},
14193 	{
14194 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
14195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14196 		.doit = nl80211_stop_p2p_device,
14197 		.flags = GENL_UNS_ADMIN_PERM,
14198 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14199 				  NL80211_FLAG_NEED_RTNL,
14200 	},
14201 	{
14202 		.cmd = NL80211_CMD_START_NAN,
14203 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14204 		.doit = nl80211_start_nan,
14205 		.flags = GENL_ADMIN_PERM,
14206 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14207 				  NL80211_FLAG_NEED_RTNL,
14208 	},
14209 	{
14210 		.cmd = NL80211_CMD_STOP_NAN,
14211 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14212 		.doit = nl80211_stop_nan,
14213 		.flags = GENL_ADMIN_PERM,
14214 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14215 				  NL80211_FLAG_NEED_RTNL,
14216 	},
14217 	{
14218 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
14219 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14220 		.doit = nl80211_nan_add_func,
14221 		.flags = GENL_ADMIN_PERM,
14222 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14223 				  NL80211_FLAG_NEED_RTNL,
14224 	},
14225 	{
14226 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
14227 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14228 		.doit = nl80211_nan_del_func,
14229 		.flags = GENL_ADMIN_PERM,
14230 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14231 				  NL80211_FLAG_NEED_RTNL,
14232 	},
14233 	{
14234 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
14235 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14236 		.doit = nl80211_nan_change_config,
14237 		.flags = GENL_ADMIN_PERM,
14238 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14239 				  NL80211_FLAG_NEED_RTNL,
14240 	},
14241 	{
14242 		.cmd = NL80211_CMD_SET_MCAST_RATE,
14243 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14244 		.doit = nl80211_set_mcast_rate,
14245 		.flags = GENL_UNS_ADMIN_PERM,
14246 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14247 				  NL80211_FLAG_NEED_RTNL,
14248 	},
14249 	{
14250 		.cmd = NL80211_CMD_SET_MAC_ACL,
14251 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14252 		.doit = nl80211_set_mac_acl,
14253 		.flags = GENL_UNS_ADMIN_PERM,
14254 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14255 				  NL80211_FLAG_NEED_RTNL,
14256 	},
14257 	{
14258 		.cmd = NL80211_CMD_RADAR_DETECT,
14259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14260 		.doit = nl80211_start_radar_detection,
14261 		.flags = GENL_UNS_ADMIN_PERM,
14262 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14263 				  NL80211_FLAG_NEED_RTNL,
14264 	},
14265 	{
14266 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
14267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14268 		.doit = nl80211_get_protocol_features,
14269 	},
14270 	{
14271 		.cmd = NL80211_CMD_UPDATE_FT_IES,
14272 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14273 		.doit = nl80211_update_ft_ies,
14274 		.flags = GENL_UNS_ADMIN_PERM,
14275 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14276 				  NL80211_FLAG_NEED_RTNL,
14277 	},
14278 	{
14279 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
14280 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14281 		.doit = nl80211_crit_protocol_start,
14282 		.flags = GENL_UNS_ADMIN_PERM,
14283 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14284 				  NL80211_FLAG_NEED_RTNL,
14285 	},
14286 	{
14287 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14289 		.doit = nl80211_crit_protocol_stop,
14290 		.flags = GENL_UNS_ADMIN_PERM,
14291 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14292 				  NL80211_FLAG_NEED_RTNL,
14293 	},
14294 	{
14295 		.cmd = NL80211_CMD_GET_COALESCE,
14296 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14297 		.doit = nl80211_get_coalesce,
14298 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14299 				  NL80211_FLAG_NEED_RTNL,
14300 	},
14301 	{
14302 		.cmd = NL80211_CMD_SET_COALESCE,
14303 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14304 		.doit = nl80211_set_coalesce,
14305 		.flags = GENL_UNS_ADMIN_PERM,
14306 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14307 				  NL80211_FLAG_NEED_RTNL,
14308 	},
14309 	{
14310 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
14311 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14312 		.doit = nl80211_channel_switch,
14313 		.flags = GENL_UNS_ADMIN_PERM,
14314 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14315 				  NL80211_FLAG_NEED_RTNL,
14316 	},
14317 	{
14318 		.cmd = NL80211_CMD_VENDOR,
14319 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14320 		.doit = nl80211_vendor_cmd,
14321 		.dumpit = nl80211_vendor_cmd_dump,
14322 		.flags = GENL_UNS_ADMIN_PERM,
14323 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14324 				  NL80211_FLAG_NEED_RTNL |
14325 				  NL80211_FLAG_CLEAR_SKB,
14326 	},
14327 	{
14328 		.cmd = NL80211_CMD_SET_QOS_MAP,
14329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14330 		.doit = nl80211_set_qos_map,
14331 		.flags = GENL_UNS_ADMIN_PERM,
14332 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14333 				  NL80211_FLAG_NEED_RTNL,
14334 	},
14335 	{
14336 		.cmd = NL80211_CMD_ADD_TX_TS,
14337 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14338 		.doit = nl80211_add_tx_ts,
14339 		.flags = GENL_UNS_ADMIN_PERM,
14340 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14341 				  NL80211_FLAG_NEED_RTNL,
14342 	},
14343 	{
14344 		.cmd = NL80211_CMD_DEL_TX_TS,
14345 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14346 		.doit = nl80211_del_tx_ts,
14347 		.flags = GENL_UNS_ADMIN_PERM,
14348 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14349 				  NL80211_FLAG_NEED_RTNL,
14350 	},
14351 	{
14352 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
14353 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14354 		.doit = nl80211_tdls_channel_switch,
14355 		.flags = GENL_UNS_ADMIN_PERM,
14356 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14357 				  NL80211_FLAG_NEED_RTNL,
14358 	},
14359 	{
14360 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
14361 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14362 		.doit = nl80211_tdls_cancel_channel_switch,
14363 		.flags = GENL_UNS_ADMIN_PERM,
14364 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14365 				  NL80211_FLAG_NEED_RTNL,
14366 	},
14367 	{
14368 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
14369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14370 		.doit = nl80211_set_multicast_to_unicast,
14371 		.flags = GENL_UNS_ADMIN_PERM,
14372 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14373 				  NL80211_FLAG_NEED_RTNL,
14374 	},
14375 	{
14376 		.cmd = NL80211_CMD_SET_PMK,
14377 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14378 		.doit = nl80211_set_pmk,
14379 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14380 				  NL80211_FLAG_NEED_RTNL |
14381 				  NL80211_FLAG_CLEAR_SKB,
14382 	},
14383 	{
14384 		.cmd = NL80211_CMD_DEL_PMK,
14385 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14386 		.doit = nl80211_del_pmk,
14387 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14388 				  NL80211_FLAG_NEED_RTNL,
14389 	},
14390 	{
14391 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
14392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14393 		.doit = nl80211_external_auth,
14394 		.flags = GENL_ADMIN_PERM,
14395 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14396 				  NL80211_FLAG_NEED_RTNL,
14397 	},
14398 	{
14399 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
14400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14401 		.doit = nl80211_tx_control_port,
14402 		.flags = GENL_UNS_ADMIN_PERM,
14403 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14404 				  NL80211_FLAG_NEED_RTNL,
14405 	},
14406 	{
14407 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
14408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14409 		.doit = nl80211_get_ftm_responder_stats,
14410 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14411 				  NL80211_FLAG_NEED_RTNL,
14412 	},
14413 	{
14414 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
14415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14416 		.doit = nl80211_pmsr_start,
14417 		.flags = GENL_UNS_ADMIN_PERM,
14418 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14419 				  NL80211_FLAG_NEED_RTNL,
14420 	},
14421 	{
14422 		.cmd = NL80211_CMD_NOTIFY_RADAR,
14423 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14424 		.doit = nl80211_notify_radar_detection,
14425 		.flags = GENL_UNS_ADMIN_PERM,
14426 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14427 				  NL80211_FLAG_NEED_RTNL,
14428 	},
14429 	{
14430 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
14431 		.doit = nl80211_update_owe_info,
14432 		.flags = GENL_ADMIN_PERM,
14433 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14434 				  NL80211_FLAG_NEED_RTNL,
14435 	},
14436 	{
14437 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
14438 		.doit = nl80211_probe_mesh_link,
14439 		.flags = GENL_UNS_ADMIN_PERM,
14440 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14441 				  NL80211_FLAG_NEED_RTNL,
14442 	},
14443 };
14444 
14445 static struct genl_family nl80211_fam __ro_after_init = {
14446 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
14447 	.hdrsize = 0,			/* no private header */
14448 	.version = 1,			/* no particular meaning now */
14449 	.maxattr = NL80211_ATTR_MAX,
14450 	.policy = nl80211_policy,
14451 	.netnsok = true,
14452 	.pre_doit = nl80211_pre_doit,
14453 	.post_doit = nl80211_post_doit,
14454 	.module = THIS_MODULE,
14455 	.ops = nl80211_ops,
14456 	.n_ops = ARRAY_SIZE(nl80211_ops),
14457 	.mcgrps = nl80211_mcgrps,
14458 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
14459 };
14460 
14461 /* notification functions */
14462 
14463 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
14464 			  enum nl80211_commands cmd)
14465 {
14466 	struct sk_buff *msg;
14467 	struct nl80211_dump_wiphy_state state = {};
14468 
14469 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
14470 		cmd != NL80211_CMD_DEL_WIPHY);
14471 
14472 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14473 	if (!msg)
14474 		return;
14475 
14476 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
14477 		nlmsg_free(msg);
14478 		return;
14479 	}
14480 
14481 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14482 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14483 }
14484 
14485 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
14486 				struct wireless_dev *wdev,
14487 				enum nl80211_commands cmd)
14488 {
14489 	struct sk_buff *msg;
14490 
14491 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14492 	if (!msg)
14493 		return;
14494 
14495 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
14496 		nlmsg_free(msg);
14497 		return;
14498 	}
14499 
14500 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14501 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
14502 }
14503 
14504 static int nl80211_add_scan_req(struct sk_buff *msg,
14505 				struct cfg80211_registered_device *rdev)
14506 {
14507 	struct cfg80211_scan_request *req = rdev->scan_req;
14508 	struct nlattr *nest;
14509 	int i;
14510 
14511 	if (WARN_ON(!req))
14512 		return 0;
14513 
14514 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
14515 	if (!nest)
14516 		goto nla_put_failure;
14517 	for (i = 0; i < req->n_ssids; i++) {
14518 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
14519 			goto nla_put_failure;
14520 	}
14521 	nla_nest_end(msg, nest);
14522 
14523 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14524 	if (!nest)
14525 		goto nla_put_failure;
14526 	for (i = 0; i < req->n_channels; i++) {
14527 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14528 			goto nla_put_failure;
14529 	}
14530 	nla_nest_end(msg, nest);
14531 
14532 	if (req->ie &&
14533 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
14534 		goto nla_put_failure;
14535 
14536 	if (req->flags &&
14537 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
14538 		goto nla_put_failure;
14539 
14540 	if (req->info.scan_start_tsf &&
14541 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
14542 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
14543 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
14544 		     req->info.tsf_bssid)))
14545 		goto nla_put_failure;
14546 
14547 	return 0;
14548  nla_put_failure:
14549 	return -ENOBUFS;
14550 }
14551 
14552 static int nl80211_prep_scan_msg(struct sk_buff *msg,
14553 				 struct cfg80211_registered_device *rdev,
14554 				 struct wireless_dev *wdev,
14555 				 u32 portid, u32 seq, int flags,
14556 				 u32 cmd)
14557 {
14558 	void *hdr;
14559 
14560 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
14561 	if (!hdr)
14562 		return -1;
14563 
14564 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14565 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14566 					 wdev->netdev->ifindex)) ||
14567 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14568 			      NL80211_ATTR_PAD))
14569 		goto nla_put_failure;
14570 
14571 	/* ignore errors and send incomplete event anyway */
14572 	nl80211_add_scan_req(msg, rdev);
14573 
14574 	genlmsg_end(msg, hdr);
14575 	return 0;
14576 
14577  nla_put_failure:
14578 	genlmsg_cancel(msg, hdr);
14579 	return -EMSGSIZE;
14580 }
14581 
14582 static int
14583 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
14584 			    struct cfg80211_sched_scan_request *req, u32 cmd)
14585 {
14586 	void *hdr;
14587 
14588 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14589 	if (!hdr)
14590 		return -1;
14591 
14592 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
14593 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
14594 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
14595 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
14596 			      NL80211_ATTR_PAD))
14597 		goto nla_put_failure;
14598 
14599 	genlmsg_end(msg, hdr);
14600 	return 0;
14601 
14602  nla_put_failure:
14603 	genlmsg_cancel(msg, hdr);
14604 	return -EMSGSIZE;
14605 }
14606 
14607 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
14608 			     struct wireless_dev *wdev)
14609 {
14610 	struct sk_buff *msg;
14611 
14612 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14613 	if (!msg)
14614 		return;
14615 
14616 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14617 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
14618 		nlmsg_free(msg);
14619 		return;
14620 	}
14621 
14622 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14623 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14624 }
14625 
14626 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
14627 				       struct wireless_dev *wdev, bool aborted)
14628 {
14629 	struct sk_buff *msg;
14630 
14631 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14632 	if (!msg)
14633 		return NULL;
14634 
14635 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
14636 				  aborted ? NL80211_CMD_SCAN_ABORTED :
14637 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
14638 		nlmsg_free(msg);
14639 		return NULL;
14640 	}
14641 
14642 	return msg;
14643 }
14644 
14645 /* send message created by nl80211_build_scan_msg() */
14646 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
14647 			   struct sk_buff *msg)
14648 {
14649 	if (!msg)
14650 		return;
14651 
14652 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14653 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14654 }
14655 
14656 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
14657 {
14658 	struct sk_buff *msg;
14659 
14660 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14661 	if (!msg)
14662 		return;
14663 
14664 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
14665 		nlmsg_free(msg);
14666 		return;
14667 	}
14668 
14669 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
14670 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14671 }
14672 
14673 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
14674 					  struct regulatory_request *request)
14675 {
14676 	/* Userspace can always count this one always being set */
14677 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
14678 		goto nla_put_failure;
14679 
14680 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
14681 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14682 			       NL80211_REGDOM_TYPE_WORLD))
14683 			goto nla_put_failure;
14684 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
14685 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14686 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
14687 			goto nla_put_failure;
14688 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
14689 		   request->intersect) {
14690 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14691 			       NL80211_REGDOM_TYPE_INTERSECTION))
14692 			goto nla_put_failure;
14693 	} else {
14694 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14695 			       NL80211_REGDOM_TYPE_COUNTRY) ||
14696 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
14697 				   request->alpha2))
14698 			goto nla_put_failure;
14699 	}
14700 
14701 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
14702 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
14703 
14704 		if (wiphy &&
14705 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
14706 			goto nla_put_failure;
14707 
14708 		if (wiphy &&
14709 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
14710 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
14711 			goto nla_put_failure;
14712 	}
14713 
14714 	return true;
14715 
14716 nla_put_failure:
14717 	return false;
14718 }
14719 
14720 /*
14721  * This can happen on global regulatory changes or device specific settings
14722  * based on custom regulatory domains.
14723  */
14724 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14725 				     struct regulatory_request *request)
14726 {
14727 	struct sk_buff *msg;
14728 	void *hdr;
14729 
14730 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14731 	if (!msg)
14732 		return;
14733 
14734 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
14735 	if (!hdr) {
14736 		nlmsg_free(msg);
14737 		return;
14738 	}
14739 
14740 	if (nl80211_reg_change_event_fill(msg, request) == false)
14741 		goto nla_put_failure;
14742 
14743 	genlmsg_end(msg, hdr);
14744 
14745 	rcu_read_lock();
14746 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14747 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14748 	rcu_read_unlock();
14749 
14750 	return;
14751 
14752 nla_put_failure:
14753 	nlmsg_free(msg);
14754 }
14755 
14756 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
14757 				    struct net_device *netdev,
14758 				    const u8 *buf, size_t len,
14759 				    enum nl80211_commands cmd, gfp_t gfp,
14760 				    int uapsd_queues, const u8 *req_ies,
14761 				    size_t req_ies_len)
14762 {
14763 	struct sk_buff *msg;
14764 	void *hdr;
14765 
14766 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
14767 	if (!msg)
14768 		return;
14769 
14770 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14771 	if (!hdr) {
14772 		nlmsg_free(msg);
14773 		return;
14774 	}
14775 
14776 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14777 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14778 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
14779 	    (req_ies &&
14780 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
14781 		goto nla_put_failure;
14782 
14783 	if (uapsd_queues >= 0) {
14784 		struct nlattr *nla_wmm =
14785 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
14786 		if (!nla_wmm)
14787 			goto nla_put_failure;
14788 
14789 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
14790 			       uapsd_queues))
14791 			goto nla_put_failure;
14792 
14793 		nla_nest_end(msg, nla_wmm);
14794 	}
14795 
14796 	genlmsg_end(msg, hdr);
14797 
14798 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14799 				NL80211_MCGRP_MLME, gfp);
14800 	return;
14801 
14802  nla_put_failure:
14803 	nlmsg_free(msg);
14804 }
14805 
14806 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
14807 			  struct net_device *netdev, const u8 *buf,
14808 			  size_t len, gfp_t gfp)
14809 {
14810 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14811 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
14812 }
14813 
14814 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
14815 			   struct net_device *netdev, const u8 *buf,
14816 			   size_t len, gfp_t gfp, int uapsd_queues,
14817 			   const u8 *req_ies, size_t req_ies_len)
14818 {
14819 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14820 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
14821 				req_ies, req_ies_len);
14822 }
14823 
14824 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
14825 			 struct net_device *netdev, const u8 *buf,
14826 			 size_t len, gfp_t gfp)
14827 {
14828 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14829 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
14830 }
14831 
14832 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
14833 			   struct net_device *netdev, const u8 *buf,
14834 			   size_t len, gfp_t gfp)
14835 {
14836 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14837 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
14838 }
14839 
14840 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
14841 				  size_t len)
14842 {
14843 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14844 	struct wiphy *wiphy = wdev->wiphy;
14845 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14846 	const struct ieee80211_mgmt *mgmt = (void *)buf;
14847 	u32 cmd;
14848 
14849 	if (WARN_ON(len < 2))
14850 		return;
14851 
14852 	if (ieee80211_is_deauth(mgmt->frame_control))
14853 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
14854 	else
14855 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
14856 
14857 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
14858 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
14859 				NULL, 0);
14860 }
14861 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
14862 
14863 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
14864 				      struct net_device *netdev, int cmd,
14865 				      const u8 *addr, gfp_t gfp)
14866 {
14867 	struct sk_buff *msg;
14868 	void *hdr;
14869 
14870 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14871 	if (!msg)
14872 		return;
14873 
14874 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14875 	if (!hdr) {
14876 		nlmsg_free(msg);
14877 		return;
14878 	}
14879 
14880 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14881 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14882 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14883 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
14884 		goto nla_put_failure;
14885 
14886 	genlmsg_end(msg, hdr);
14887 
14888 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14889 				NL80211_MCGRP_MLME, gfp);
14890 	return;
14891 
14892  nla_put_failure:
14893 	nlmsg_free(msg);
14894 }
14895 
14896 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
14897 			       struct net_device *netdev, const u8 *addr,
14898 			       gfp_t gfp)
14899 {
14900 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
14901 				  addr, gfp);
14902 }
14903 
14904 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
14905 				struct net_device *netdev, const u8 *addr,
14906 				gfp_t gfp)
14907 {
14908 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
14909 				  addr, gfp);
14910 }
14911 
14912 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
14913 				 struct net_device *netdev,
14914 				 struct cfg80211_connect_resp_params *cr,
14915 				 gfp_t gfp)
14916 {
14917 	struct sk_buff *msg;
14918 	void *hdr;
14919 
14920 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
14921 			cr->fils.kek_len + cr->fils.pmk_len +
14922 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14923 	if (!msg)
14924 		return;
14925 
14926 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
14927 	if (!hdr) {
14928 		nlmsg_free(msg);
14929 		return;
14930 	}
14931 
14932 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14933 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14934 	    (cr->bssid &&
14935 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
14936 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
14937 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
14938 			cr->status) ||
14939 	    (cr->status < 0 &&
14940 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14941 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
14942 			  cr->timeout_reason))) ||
14943 	    (cr->req_ie &&
14944 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
14945 	    (cr->resp_ie &&
14946 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
14947 		     cr->resp_ie)) ||
14948 	    (cr->fils.update_erp_next_seq_num &&
14949 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14950 			 cr->fils.erp_next_seq_num)) ||
14951 	    (cr->status == WLAN_STATUS_SUCCESS &&
14952 	     ((cr->fils.kek &&
14953 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
14954 		       cr->fils.kek)) ||
14955 	      (cr->fils.pmk &&
14956 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
14957 	      (cr->fils.pmkid &&
14958 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
14959 		goto nla_put_failure;
14960 
14961 	genlmsg_end(msg, hdr);
14962 
14963 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14964 				NL80211_MCGRP_MLME, gfp);
14965 	return;
14966 
14967  nla_put_failure:
14968 	nlmsg_free(msg);
14969 }
14970 
14971 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
14972 			 struct net_device *netdev,
14973 			 struct cfg80211_roam_info *info, gfp_t gfp)
14974 {
14975 	struct sk_buff *msg;
14976 	void *hdr;
14977 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
14978 
14979 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
14980 			info->fils.kek_len + info->fils.pmk_len +
14981 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14982 	if (!msg)
14983 		return;
14984 
14985 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
14986 	if (!hdr) {
14987 		nlmsg_free(msg);
14988 		return;
14989 	}
14990 
14991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14992 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14993 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
14994 	    (info->req_ie &&
14995 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
14996 		     info->req_ie)) ||
14997 	    (info->resp_ie &&
14998 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
14999 		     info->resp_ie)) ||
15000 	    (info->fils.update_erp_next_seq_num &&
15001 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15002 			 info->fils.erp_next_seq_num)) ||
15003 	    (info->fils.kek &&
15004 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
15005 		     info->fils.kek)) ||
15006 	    (info->fils.pmk &&
15007 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
15008 	    (info->fils.pmkid &&
15009 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
15010 		goto nla_put_failure;
15011 
15012 	genlmsg_end(msg, hdr);
15013 
15014 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15015 				NL80211_MCGRP_MLME, gfp);
15016 	return;
15017 
15018  nla_put_failure:
15019 	nlmsg_free(msg);
15020 }
15021 
15022 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
15023 				  struct net_device *netdev, const u8 *bssid)
15024 {
15025 	struct sk_buff *msg;
15026 	void *hdr;
15027 
15028 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15029 	if (!msg)
15030 		return;
15031 
15032 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
15033 	if (!hdr) {
15034 		nlmsg_free(msg);
15035 		return;
15036 	}
15037 
15038 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15039 		goto nla_put_failure;
15040 
15041 	genlmsg_end(msg, hdr);
15042 
15043 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15044 				NL80211_MCGRP_MLME, GFP_KERNEL);
15045 	return;
15046 
15047  nla_put_failure:
15048 	nlmsg_free(msg);
15049 }
15050 
15051 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
15052 			       struct net_device *netdev, u16 reason,
15053 			       const u8 *ie, size_t ie_len, bool from_ap)
15054 {
15055 	struct sk_buff *msg;
15056 	void *hdr;
15057 
15058 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
15059 	if (!msg)
15060 		return;
15061 
15062 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
15063 	if (!hdr) {
15064 		nlmsg_free(msg);
15065 		return;
15066 	}
15067 
15068 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15069 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15070 	    (reason &&
15071 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
15072 	    (from_ap &&
15073 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
15074 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
15075 		goto nla_put_failure;
15076 
15077 	genlmsg_end(msg, hdr);
15078 
15079 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15080 				NL80211_MCGRP_MLME, GFP_KERNEL);
15081 	return;
15082 
15083  nla_put_failure:
15084 	nlmsg_free(msg);
15085 }
15086 
15087 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
15088 			     struct net_device *netdev, const u8 *bssid,
15089 			     gfp_t gfp)
15090 {
15091 	struct sk_buff *msg;
15092 	void *hdr;
15093 
15094 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15095 	if (!msg)
15096 		return;
15097 
15098 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
15099 	if (!hdr) {
15100 		nlmsg_free(msg);
15101 		return;
15102 	}
15103 
15104 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15105 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15106 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15107 		goto nla_put_failure;
15108 
15109 	genlmsg_end(msg, hdr);
15110 
15111 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15112 				NL80211_MCGRP_MLME, gfp);
15113 	return;
15114 
15115  nla_put_failure:
15116 	nlmsg_free(msg);
15117 }
15118 
15119 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
15120 					const u8 *ie, u8 ie_len,
15121 					int sig_dbm, gfp_t gfp)
15122 {
15123 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15124 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15125 	struct sk_buff *msg;
15126 	void *hdr;
15127 
15128 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
15129 		return;
15130 
15131 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
15132 
15133 	msg = nlmsg_new(100 + ie_len, gfp);
15134 	if (!msg)
15135 		return;
15136 
15137 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
15138 	if (!hdr) {
15139 		nlmsg_free(msg);
15140 		return;
15141 	}
15142 
15143 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15144 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15145 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15146 	    (ie_len && ie &&
15147 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
15148 	    (sig_dbm &&
15149 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
15150 		goto nla_put_failure;
15151 
15152 	genlmsg_end(msg, hdr);
15153 
15154 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15155 				NL80211_MCGRP_MLME, gfp);
15156 	return;
15157 
15158  nla_put_failure:
15159 	nlmsg_free(msg);
15160 }
15161 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
15162 
15163 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
15164 				 struct net_device *netdev, const u8 *addr,
15165 				 enum nl80211_key_type key_type, int key_id,
15166 				 const u8 *tsc, gfp_t gfp)
15167 {
15168 	struct sk_buff *msg;
15169 	void *hdr;
15170 
15171 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15172 	if (!msg)
15173 		return;
15174 
15175 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
15176 	if (!hdr) {
15177 		nlmsg_free(msg);
15178 		return;
15179 	}
15180 
15181 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15182 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15183 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
15184 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
15185 	    (key_id != -1 &&
15186 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
15187 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
15188 		goto nla_put_failure;
15189 
15190 	genlmsg_end(msg, hdr);
15191 
15192 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15193 				NL80211_MCGRP_MLME, gfp);
15194 	return;
15195 
15196  nla_put_failure:
15197 	nlmsg_free(msg);
15198 }
15199 
15200 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
15201 				    struct ieee80211_channel *channel_before,
15202 				    struct ieee80211_channel *channel_after)
15203 {
15204 	struct sk_buff *msg;
15205 	void *hdr;
15206 	struct nlattr *nl_freq;
15207 
15208 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
15209 	if (!msg)
15210 		return;
15211 
15212 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
15213 	if (!hdr) {
15214 		nlmsg_free(msg);
15215 		return;
15216 	}
15217 
15218 	/*
15219 	 * Since we are applying the beacon hint to a wiphy we know its
15220 	 * wiphy_idx is valid
15221 	 */
15222 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
15223 		goto nla_put_failure;
15224 
15225 	/* Before */
15226 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
15227 	if (!nl_freq)
15228 		goto nla_put_failure;
15229 
15230 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
15231 		goto nla_put_failure;
15232 	nla_nest_end(msg, nl_freq);
15233 
15234 	/* After */
15235 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
15236 	if (!nl_freq)
15237 		goto nla_put_failure;
15238 
15239 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
15240 		goto nla_put_failure;
15241 	nla_nest_end(msg, nl_freq);
15242 
15243 	genlmsg_end(msg, hdr);
15244 
15245 	rcu_read_lock();
15246 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15247 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15248 	rcu_read_unlock();
15249 
15250 	return;
15251 
15252 nla_put_failure:
15253 	nlmsg_free(msg);
15254 }
15255 
15256 static void nl80211_send_remain_on_chan_event(
15257 	int cmd, struct cfg80211_registered_device *rdev,
15258 	struct wireless_dev *wdev, u64 cookie,
15259 	struct ieee80211_channel *chan,
15260 	unsigned int duration, gfp_t gfp)
15261 {
15262 	struct sk_buff *msg;
15263 	void *hdr;
15264 
15265 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15266 	if (!msg)
15267 		return;
15268 
15269 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15270 	if (!hdr) {
15271 		nlmsg_free(msg);
15272 		return;
15273 	}
15274 
15275 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15276 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15277 					 wdev->netdev->ifindex)) ||
15278 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15279 			      NL80211_ATTR_PAD) ||
15280 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
15281 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
15282 			NL80211_CHAN_NO_HT) ||
15283 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15284 			      NL80211_ATTR_PAD))
15285 		goto nla_put_failure;
15286 
15287 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
15288 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
15289 		goto nla_put_failure;
15290 
15291 	genlmsg_end(msg, hdr);
15292 
15293 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15294 				NL80211_MCGRP_MLME, gfp);
15295 	return;
15296 
15297  nla_put_failure:
15298 	nlmsg_free(msg);
15299 }
15300 
15301 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
15302 			       struct ieee80211_channel *chan,
15303 			       unsigned int duration, gfp_t gfp)
15304 {
15305 	struct wiphy *wiphy = wdev->wiphy;
15306 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15307 
15308 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
15309 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
15310 					  rdev, wdev, cookie, chan,
15311 					  duration, gfp);
15312 }
15313 EXPORT_SYMBOL(cfg80211_ready_on_channel);
15314 
15315 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
15316 					struct ieee80211_channel *chan,
15317 					gfp_t gfp)
15318 {
15319 	struct wiphy *wiphy = wdev->wiphy;
15320 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15321 
15322 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
15323 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15324 					  rdev, wdev, cookie, chan, 0, gfp);
15325 }
15326 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
15327 
15328 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
15329 		      struct station_info *sinfo, gfp_t gfp)
15330 {
15331 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15332 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15333 	struct sk_buff *msg;
15334 
15335 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
15336 
15337 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15338 	if (!msg)
15339 		return;
15340 
15341 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
15342 				 rdev, dev, mac_addr, sinfo) < 0) {
15343 		nlmsg_free(msg);
15344 		return;
15345 	}
15346 
15347 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15348 				NL80211_MCGRP_MLME, gfp);
15349 }
15350 EXPORT_SYMBOL(cfg80211_new_sta);
15351 
15352 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
15353 			    struct station_info *sinfo, gfp_t gfp)
15354 {
15355 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15356 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15357 	struct sk_buff *msg;
15358 	struct station_info empty_sinfo = {};
15359 
15360 	if (!sinfo)
15361 		sinfo = &empty_sinfo;
15362 
15363 	trace_cfg80211_del_sta(dev, mac_addr);
15364 
15365 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15366 	if (!msg) {
15367 		cfg80211_sinfo_release_content(sinfo);
15368 		return;
15369 	}
15370 
15371 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
15372 				 rdev, dev, mac_addr, sinfo) < 0) {
15373 		nlmsg_free(msg);
15374 		return;
15375 	}
15376 
15377 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15378 				NL80211_MCGRP_MLME, gfp);
15379 }
15380 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
15381 
15382 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
15383 			  enum nl80211_connect_failed_reason reason,
15384 			  gfp_t gfp)
15385 {
15386 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
15387 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15388 	struct sk_buff *msg;
15389 	void *hdr;
15390 
15391 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
15392 	if (!msg)
15393 		return;
15394 
15395 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
15396 	if (!hdr) {
15397 		nlmsg_free(msg);
15398 		return;
15399 	}
15400 
15401 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15402 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
15403 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
15404 		goto nla_put_failure;
15405 
15406 	genlmsg_end(msg, hdr);
15407 
15408 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15409 				NL80211_MCGRP_MLME, gfp);
15410 	return;
15411 
15412  nla_put_failure:
15413 	nlmsg_free(msg);
15414 }
15415 EXPORT_SYMBOL(cfg80211_conn_failed);
15416 
15417 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
15418 				       const u8 *addr, gfp_t gfp)
15419 {
15420 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15421 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15422 	struct sk_buff *msg;
15423 	void *hdr;
15424 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
15425 
15426 	if (!nlportid)
15427 		return false;
15428 
15429 	msg = nlmsg_new(100, gfp);
15430 	if (!msg)
15431 		return true;
15432 
15433 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15434 	if (!hdr) {
15435 		nlmsg_free(msg);
15436 		return true;
15437 	}
15438 
15439 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15440 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15441 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15442 		goto nla_put_failure;
15443 
15444 	genlmsg_end(msg, hdr);
15445 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15446 	return true;
15447 
15448  nla_put_failure:
15449 	nlmsg_free(msg);
15450 	return true;
15451 }
15452 
15453 bool cfg80211_rx_spurious_frame(struct net_device *dev,
15454 				const u8 *addr, gfp_t gfp)
15455 {
15456 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15457 	bool ret;
15458 
15459 	trace_cfg80211_rx_spurious_frame(dev, addr);
15460 
15461 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15462 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
15463 		trace_cfg80211_return_bool(false);
15464 		return false;
15465 	}
15466 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
15467 					 addr, gfp);
15468 	trace_cfg80211_return_bool(ret);
15469 	return ret;
15470 }
15471 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
15472 
15473 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
15474 					const u8 *addr, gfp_t gfp)
15475 {
15476 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15477 	bool ret;
15478 
15479 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
15480 
15481 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
15482 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
15483 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
15484 		trace_cfg80211_return_bool(false);
15485 		return false;
15486 	}
15487 	ret = __nl80211_unexpected_frame(dev,
15488 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
15489 					 addr, gfp);
15490 	trace_cfg80211_return_bool(ret);
15491 	return ret;
15492 }
15493 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
15494 
15495 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
15496 		      struct wireless_dev *wdev, u32 nlportid,
15497 		      int freq, int sig_dbm,
15498 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
15499 {
15500 	struct net_device *netdev = wdev->netdev;
15501 	struct sk_buff *msg;
15502 	void *hdr;
15503 
15504 	msg = nlmsg_new(100 + len, gfp);
15505 	if (!msg)
15506 		return -ENOMEM;
15507 
15508 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15509 	if (!hdr) {
15510 		nlmsg_free(msg);
15511 		return -ENOMEM;
15512 	}
15513 
15514 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15515 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15516 					netdev->ifindex)) ||
15517 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15518 			      NL80211_ATTR_PAD) ||
15519 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
15520 	    (sig_dbm &&
15521 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15522 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15523 	    (flags &&
15524 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
15525 		goto nla_put_failure;
15526 
15527 	genlmsg_end(msg, hdr);
15528 
15529 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15530 
15531  nla_put_failure:
15532 	nlmsg_free(msg);
15533 	return -ENOBUFS;
15534 }
15535 
15536 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
15537 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
15538 {
15539 	struct wiphy *wiphy = wdev->wiphy;
15540 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15541 	struct net_device *netdev = wdev->netdev;
15542 	struct sk_buff *msg;
15543 	void *hdr;
15544 
15545 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
15546 
15547 	msg = nlmsg_new(100 + len, gfp);
15548 	if (!msg)
15549 		return;
15550 
15551 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
15552 	if (!hdr) {
15553 		nlmsg_free(msg);
15554 		return;
15555 	}
15556 
15557 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15558 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15559 				   netdev->ifindex)) ||
15560 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15561 			      NL80211_ATTR_PAD) ||
15562 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15563 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15564 			      NL80211_ATTR_PAD) ||
15565 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
15566 		goto nla_put_failure;
15567 
15568 	genlmsg_end(msg, hdr);
15569 
15570 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15571 				NL80211_MCGRP_MLME, gfp);
15572 	return;
15573 
15574  nla_put_failure:
15575 	nlmsg_free(msg);
15576 }
15577 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
15578 
15579 static int __nl80211_rx_control_port(struct net_device *dev,
15580 				     struct sk_buff *skb,
15581 				     bool unencrypted, gfp_t gfp)
15582 {
15583 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15584 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15585 	struct ethhdr *ehdr = eth_hdr(skb);
15586 	const u8 *addr = ehdr->h_source;
15587 	u16 proto = be16_to_cpu(skb->protocol);
15588 	struct sk_buff *msg;
15589 	void *hdr;
15590 	struct nlattr *frame;
15591 
15592 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
15593 
15594 	if (!nlportid)
15595 		return -ENOENT;
15596 
15597 	msg = nlmsg_new(100 + skb->len, gfp);
15598 	if (!msg)
15599 		return -ENOMEM;
15600 
15601 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
15602 	if (!hdr) {
15603 		nlmsg_free(msg);
15604 		return -ENOBUFS;
15605 	}
15606 
15607 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15608 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15609 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15610 			      NL80211_ATTR_PAD) ||
15611 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15612 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
15613 	    (unencrypted && nla_put_flag(msg,
15614 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
15615 		goto nla_put_failure;
15616 
15617 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
15618 	if (!frame)
15619 		goto nla_put_failure;
15620 
15621 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
15622 	genlmsg_end(msg, hdr);
15623 
15624 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15625 
15626  nla_put_failure:
15627 	nlmsg_free(msg);
15628 	return -ENOBUFS;
15629 }
15630 
15631 bool cfg80211_rx_control_port(struct net_device *dev,
15632 			      struct sk_buff *skb, bool unencrypted)
15633 {
15634 	int ret;
15635 
15636 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
15637 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
15638 	trace_cfg80211_return_bool(ret == 0);
15639 	return ret == 0;
15640 }
15641 EXPORT_SYMBOL(cfg80211_rx_control_port);
15642 
15643 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
15644 					    const char *mac, gfp_t gfp)
15645 {
15646 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15647 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15648 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15649 	void **cb;
15650 
15651 	if (!msg)
15652 		return NULL;
15653 
15654 	cb = (void **)msg->cb;
15655 
15656 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
15657 	if (!cb[0]) {
15658 		nlmsg_free(msg);
15659 		return NULL;
15660 	}
15661 
15662 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15663 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15664 		goto nla_put_failure;
15665 
15666 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15667 		goto nla_put_failure;
15668 
15669 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
15670 	if (!cb[1])
15671 		goto nla_put_failure;
15672 
15673 	cb[2] = rdev;
15674 
15675 	return msg;
15676  nla_put_failure:
15677 	nlmsg_free(msg);
15678 	return NULL;
15679 }
15680 
15681 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
15682 {
15683 	void **cb = (void **)msg->cb;
15684 	struct cfg80211_registered_device *rdev = cb[2];
15685 
15686 	nla_nest_end(msg, cb[1]);
15687 	genlmsg_end(msg, cb[0]);
15688 
15689 	memset(msg->cb, 0, sizeof(msg->cb));
15690 
15691 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15692 				NL80211_MCGRP_MLME, gfp);
15693 }
15694 
15695 void cfg80211_cqm_rssi_notify(struct net_device *dev,
15696 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
15697 			      s32 rssi_level, gfp_t gfp)
15698 {
15699 	struct sk_buff *msg;
15700 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15701 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15702 
15703 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
15704 
15705 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
15706 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
15707 		return;
15708 
15709 	if (wdev->cqm_config) {
15710 		wdev->cqm_config->last_rssi_event_value = rssi_level;
15711 
15712 		cfg80211_cqm_rssi_update(rdev, dev);
15713 
15714 		if (rssi_level == 0)
15715 			rssi_level = wdev->cqm_config->last_rssi_event_value;
15716 	}
15717 
15718 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15719 	if (!msg)
15720 		return;
15721 
15722 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
15723 			rssi_event))
15724 		goto nla_put_failure;
15725 
15726 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
15727 				      rssi_level))
15728 		goto nla_put_failure;
15729 
15730 	cfg80211_send_cqm(msg, gfp);
15731 
15732 	return;
15733 
15734  nla_put_failure:
15735 	nlmsg_free(msg);
15736 }
15737 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
15738 
15739 void cfg80211_cqm_txe_notify(struct net_device *dev,
15740 			     const u8 *peer, u32 num_packets,
15741 			     u32 rate, u32 intvl, gfp_t gfp)
15742 {
15743 	struct sk_buff *msg;
15744 
15745 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
15746 	if (!msg)
15747 		return;
15748 
15749 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
15750 		goto nla_put_failure;
15751 
15752 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
15753 		goto nla_put_failure;
15754 
15755 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
15756 		goto nla_put_failure;
15757 
15758 	cfg80211_send_cqm(msg, gfp);
15759 	return;
15760 
15761  nla_put_failure:
15762 	nlmsg_free(msg);
15763 }
15764 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
15765 
15766 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
15767 				 const u8 *peer, u32 num_packets, gfp_t gfp)
15768 {
15769 	struct sk_buff *msg;
15770 
15771 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
15772 
15773 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
15774 	if (!msg)
15775 		return;
15776 
15777 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
15778 		goto nla_put_failure;
15779 
15780 	cfg80211_send_cqm(msg, gfp);
15781 	return;
15782 
15783  nla_put_failure:
15784 	nlmsg_free(msg);
15785 }
15786 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
15787 
15788 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
15789 {
15790 	struct sk_buff *msg;
15791 
15792 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15793 	if (!msg)
15794 		return;
15795 
15796 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
15797 		goto nla_put_failure;
15798 
15799 	cfg80211_send_cqm(msg, gfp);
15800 	return;
15801 
15802  nla_put_failure:
15803 	nlmsg_free(msg);
15804 }
15805 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
15806 
15807 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
15808 				     struct net_device *netdev, const u8 *bssid,
15809 				     const u8 *replay_ctr, gfp_t gfp)
15810 {
15811 	struct sk_buff *msg;
15812 	struct nlattr *rekey_attr;
15813 	void *hdr;
15814 
15815 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15816 	if (!msg)
15817 		return;
15818 
15819 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
15820 	if (!hdr) {
15821 		nlmsg_free(msg);
15822 		return;
15823 	}
15824 
15825 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15826 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15827 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15828 		goto nla_put_failure;
15829 
15830 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
15831 	if (!rekey_attr)
15832 		goto nla_put_failure;
15833 
15834 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
15835 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
15836 		goto nla_put_failure;
15837 
15838 	nla_nest_end(msg, rekey_attr);
15839 
15840 	genlmsg_end(msg, hdr);
15841 
15842 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15843 				NL80211_MCGRP_MLME, gfp);
15844 	return;
15845 
15846  nla_put_failure:
15847 	nlmsg_free(msg);
15848 }
15849 
15850 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
15851 			       const u8 *replay_ctr, gfp_t gfp)
15852 {
15853 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15854 	struct wiphy *wiphy = wdev->wiphy;
15855 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15856 
15857 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
15858 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
15859 }
15860 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
15861 
15862 static void
15863 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
15864 			       struct net_device *netdev, int index,
15865 			       const u8 *bssid, bool preauth, gfp_t gfp)
15866 {
15867 	struct sk_buff *msg;
15868 	struct nlattr *attr;
15869 	void *hdr;
15870 
15871 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15872 	if (!msg)
15873 		return;
15874 
15875 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
15876 	if (!hdr) {
15877 		nlmsg_free(msg);
15878 		return;
15879 	}
15880 
15881 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15882 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15883 		goto nla_put_failure;
15884 
15885 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
15886 	if (!attr)
15887 		goto nla_put_failure;
15888 
15889 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
15890 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
15891 	    (preauth &&
15892 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
15893 		goto nla_put_failure;
15894 
15895 	nla_nest_end(msg, attr);
15896 
15897 	genlmsg_end(msg, hdr);
15898 
15899 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15900 				NL80211_MCGRP_MLME, gfp);
15901 	return;
15902 
15903  nla_put_failure:
15904 	nlmsg_free(msg);
15905 }
15906 
15907 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
15908 				     const u8 *bssid, bool preauth, gfp_t gfp)
15909 {
15910 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15911 	struct wiphy *wiphy = wdev->wiphy;
15912 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15913 
15914 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
15915 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
15916 }
15917 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
15918 
15919 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
15920 				     struct net_device *netdev,
15921 				     struct cfg80211_chan_def *chandef,
15922 				     gfp_t gfp,
15923 				     enum nl80211_commands notif,
15924 				     u8 count)
15925 {
15926 	struct sk_buff *msg;
15927 	void *hdr;
15928 
15929 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15930 	if (!msg)
15931 		return;
15932 
15933 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
15934 	if (!hdr) {
15935 		nlmsg_free(msg);
15936 		return;
15937 	}
15938 
15939 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15940 		goto nla_put_failure;
15941 
15942 	if (nl80211_send_chandef(msg, chandef))
15943 		goto nla_put_failure;
15944 
15945 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
15946 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
15947 			goto nla_put_failure;
15948 
15949 	genlmsg_end(msg, hdr);
15950 
15951 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15952 				NL80211_MCGRP_MLME, gfp);
15953 	return;
15954 
15955  nla_put_failure:
15956 	nlmsg_free(msg);
15957 }
15958 
15959 void cfg80211_ch_switch_notify(struct net_device *dev,
15960 			       struct cfg80211_chan_def *chandef)
15961 {
15962 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15963 	struct wiphy *wiphy = wdev->wiphy;
15964 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15965 
15966 	ASSERT_WDEV_LOCK(wdev);
15967 
15968 	trace_cfg80211_ch_switch_notify(dev, chandef);
15969 
15970 	wdev->chandef = *chandef;
15971 	wdev->preset_chandef = *chandef;
15972 
15973 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
15974 	    !WARN_ON(!wdev->current_bss))
15975 		wdev->current_bss->pub.channel = chandef->chan;
15976 
15977 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15978 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
15979 }
15980 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
15981 
15982 void cfg80211_ch_switch_started_notify(struct net_device *dev,
15983 				       struct cfg80211_chan_def *chandef,
15984 				       u8 count)
15985 {
15986 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15987 	struct wiphy *wiphy = wdev->wiphy;
15988 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15989 
15990 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
15991 
15992 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15993 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
15994 }
15995 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
15996 
15997 void
15998 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
15999 		     const struct cfg80211_chan_def *chandef,
16000 		     enum nl80211_radar_event event,
16001 		     struct net_device *netdev, gfp_t gfp)
16002 {
16003 	struct sk_buff *msg;
16004 	void *hdr;
16005 
16006 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16007 	if (!msg)
16008 		return;
16009 
16010 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
16011 	if (!hdr) {
16012 		nlmsg_free(msg);
16013 		return;
16014 	}
16015 
16016 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16017 		goto nla_put_failure;
16018 
16019 	/* NOP and radar events don't need a netdev parameter */
16020 	if (netdev) {
16021 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
16022 
16023 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16024 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16025 				      NL80211_ATTR_PAD))
16026 			goto nla_put_failure;
16027 	}
16028 
16029 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
16030 		goto nla_put_failure;
16031 
16032 	if (nl80211_send_chandef(msg, chandef))
16033 		goto nla_put_failure;
16034 
16035 	genlmsg_end(msg, hdr);
16036 
16037 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16038 				NL80211_MCGRP_MLME, gfp);
16039 	return;
16040 
16041  nla_put_failure:
16042 	nlmsg_free(msg);
16043 }
16044 
16045 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
16046 				       struct sta_opmode_info *sta_opmode,
16047 				       gfp_t gfp)
16048 {
16049 	struct sk_buff *msg;
16050 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16051 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16052 	void *hdr;
16053 
16054 	if (WARN_ON(!mac))
16055 		return;
16056 
16057 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16058 	if (!msg)
16059 		return;
16060 
16061 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
16062 	if (!hdr) {
16063 		nlmsg_free(msg);
16064 		return;
16065 	}
16066 
16067 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16068 		goto nla_put_failure;
16069 
16070 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16071 		goto nla_put_failure;
16072 
16073 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16074 		goto nla_put_failure;
16075 
16076 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
16077 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
16078 		goto nla_put_failure;
16079 
16080 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
16081 	    nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
16082 		goto nla_put_failure;
16083 
16084 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
16085 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
16086 		goto nla_put_failure;
16087 
16088 	genlmsg_end(msg, hdr);
16089 
16090 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16091 				NL80211_MCGRP_MLME, gfp);
16092 
16093 	return;
16094 
16095 nla_put_failure:
16096 	nlmsg_free(msg);
16097 }
16098 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
16099 
16100 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
16101 			   u64 cookie, bool acked, s32 ack_signal,
16102 			   bool is_valid_ack_signal, gfp_t gfp)
16103 {
16104 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16105 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16106 	struct sk_buff *msg;
16107 	void *hdr;
16108 
16109 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
16110 
16111 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16112 
16113 	if (!msg)
16114 		return;
16115 
16116 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
16117 	if (!hdr) {
16118 		nlmsg_free(msg);
16119 		return;
16120 	}
16121 
16122 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16123 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16124 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16125 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16126 			      NL80211_ATTR_PAD) ||
16127 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
16128 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
16129 						ack_signal)))
16130 		goto nla_put_failure;
16131 
16132 	genlmsg_end(msg, hdr);
16133 
16134 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16135 				NL80211_MCGRP_MLME, gfp);
16136 	return;
16137 
16138  nla_put_failure:
16139 	nlmsg_free(msg);
16140 }
16141 EXPORT_SYMBOL(cfg80211_probe_status);
16142 
16143 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
16144 				 const u8 *frame, size_t len,
16145 				 int freq, int sig_dbm)
16146 {
16147 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16148 	struct sk_buff *msg;
16149 	void *hdr;
16150 	struct cfg80211_beacon_registration *reg;
16151 
16152 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
16153 
16154 	spin_lock_bh(&rdev->beacon_registrations_lock);
16155 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
16156 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
16157 		if (!msg) {
16158 			spin_unlock_bh(&rdev->beacon_registrations_lock);
16159 			return;
16160 		}
16161 
16162 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16163 		if (!hdr)
16164 			goto nla_put_failure;
16165 
16166 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16167 		    (freq &&
16168 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
16169 		    (sig_dbm &&
16170 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16171 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
16172 			goto nla_put_failure;
16173 
16174 		genlmsg_end(msg, hdr);
16175 
16176 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
16177 	}
16178 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16179 	return;
16180 
16181  nla_put_failure:
16182 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16183 	nlmsg_free(msg);
16184 }
16185 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
16186 
16187 #ifdef CONFIG_PM
16188 static int cfg80211_net_detect_results(struct sk_buff *msg,
16189 				       struct cfg80211_wowlan_wakeup *wakeup)
16190 {
16191 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
16192 	struct nlattr *nl_results, *nl_match, *nl_freqs;
16193 	int i, j;
16194 
16195 	nl_results = nla_nest_start_noflag(msg,
16196 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
16197 	if (!nl_results)
16198 		return -EMSGSIZE;
16199 
16200 	for (i = 0; i < nd->n_matches; i++) {
16201 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
16202 
16203 		nl_match = nla_nest_start_noflag(msg, i);
16204 		if (!nl_match)
16205 			break;
16206 
16207 		/* The SSID attribute is optional in nl80211, but for
16208 		 * simplicity reasons it's always present in the
16209 		 * cfg80211 structure.  If a driver can't pass the
16210 		 * SSID, that needs to be changed.  A zero length SSID
16211 		 * is still a valid SSID (wildcard), so it cannot be
16212 		 * used for this purpose.
16213 		 */
16214 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
16215 			    match->ssid.ssid)) {
16216 			nla_nest_cancel(msg, nl_match);
16217 			goto out;
16218 		}
16219 
16220 		if (match->n_channels) {
16221 			nl_freqs = nla_nest_start_noflag(msg,
16222 							 NL80211_ATTR_SCAN_FREQUENCIES);
16223 			if (!nl_freqs) {
16224 				nla_nest_cancel(msg, nl_match);
16225 				goto out;
16226 			}
16227 
16228 			for (j = 0; j < match->n_channels; j++) {
16229 				if (nla_put_u32(msg, j, match->channels[j])) {
16230 					nla_nest_cancel(msg, nl_freqs);
16231 					nla_nest_cancel(msg, nl_match);
16232 					goto out;
16233 				}
16234 			}
16235 
16236 			nla_nest_end(msg, nl_freqs);
16237 		}
16238 
16239 		nla_nest_end(msg, nl_match);
16240 	}
16241 
16242 out:
16243 	nla_nest_end(msg, nl_results);
16244 	return 0;
16245 }
16246 
16247 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
16248 				   struct cfg80211_wowlan_wakeup *wakeup,
16249 				   gfp_t gfp)
16250 {
16251 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16252 	struct sk_buff *msg;
16253 	void *hdr;
16254 	int size = 200;
16255 
16256 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
16257 
16258 	if (wakeup)
16259 		size += wakeup->packet_present_len;
16260 
16261 	msg = nlmsg_new(size, gfp);
16262 	if (!msg)
16263 		return;
16264 
16265 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
16266 	if (!hdr)
16267 		goto free_msg;
16268 
16269 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16270 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16271 			      NL80211_ATTR_PAD))
16272 		goto free_msg;
16273 
16274 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16275 					wdev->netdev->ifindex))
16276 		goto free_msg;
16277 
16278 	if (wakeup) {
16279 		struct nlattr *reasons;
16280 
16281 		reasons = nla_nest_start_noflag(msg,
16282 						NL80211_ATTR_WOWLAN_TRIGGERS);
16283 		if (!reasons)
16284 			goto free_msg;
16285 
16286 		if (wakeup->disconnect &&
16287 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
16288 			goto free_msg;
16289 		if (wakeup->magic_pkt &&
16290 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
16291 			goto free_msg;
16292 		if (wakeup->gtk_rekey_failure &&
16293 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
16294 			goto free_msg;
16295 		if (wakeup->eap_identity_req &&
16296 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
16297 			goto free_msg;
16298 		if (wakeup->four_way_handshake &&
16299 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
16300 			goto free_msg;
16301 		if (wakeup->rfkill_release &&
16302 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
16303 			goto free_msg;
16304 
16305 		if (wakeup->pattern_idx >= 0 &&
16306 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
16307 				wakeup->pattern_idx))
16308 			goto free_msg;
16309 
16310 		if (wakeup->tcp_match &&
16311 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
16312 			goto free_msg;
16313 
16314 		if (wakeup->tcp_connlost &&
16315 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
16316 			goto free_msg;
16317 
16318 		if (wakeup->tcp_nomoretokens &&
16319 		    nla_put_flag(msg,
16320 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
16321 			goto free_msg;
16322 
16323 		if (wakeup->packet) {
16324 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
16325 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
16326 
16327 			if (!wakeup->packet_80211) {
16328 				pkt_attr =
16329 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
16330 				len_attr =
16331 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
16332 			}
16333 
16334 			if (wakeup->packet_len &&
16335 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
16336 				goto free_msg;
16337 
16338 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
16339 				    wakeup->packet))
16340 				goto free_msg;
16341 		}
16342 
16343 		if (wakeup->net_detect &&
16344 		    cfg80211_net_detect_results(msg, wakeup))
16345 				goto free_msg;
16346 
16347 		nla_nest_end(msg, reasons);
16348 	}
16349 
16350 	genlmsg_end(msg, hdr);
16351 
16352 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16353 				NL80211_MCGRP_MLME, gfp);
16354 	return;
16355 
16356  free_msg:
16357 	nlmsg_free(msg);
16358 }
16359 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
16360 #endif
16361 
16362 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
16363 				enum nl80211_tdls_operation oper,
16364 				u16 reason_code, gfp_t gfp)
16365 {
16366 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16367 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16368 	struct sk_buff *msg;
16369 	void *hdr;
16370 
16371 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
16372 					 reason_code);
16373 
16374 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16375 	if (!msg)
16376 		return;
16377 
16378 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
16379 	if (!hdr) {
16380 		nlmsg_free(msg);
16381 		return;
16382 	}
16383 
16384 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16385 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16386 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
16387 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
16388 	    (reason_code > 0 &&
16389 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
16390 		goto nla_put_failure;
16391 
16392 	genlmsg_end(msg, hdr);
16393 
16394 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16395 				NL80211_MCGRP_MLME, gfp);
16396 	return;
16397 
16398  nla_put_failure:
16399 	nlmsg_free(msg);
16400 }
16401 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
16402 
16403 static int nl80211_netlink_notify(struct notifier_block * nb,
16404 				  unsigned long state,
16405 				  void *_notify)
16406 {
16407 	struct netlink_notify *notify = _notify;
16408 	struct cfg80211_registered_device *rdev;
16409 	struct wireless_dev *wdev;
16410 	struct cfg80211_beacon_registration *reg, *tmp;
16411 
16412 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
16413 		return NOTIFY_DONE;
16414 
16415 	rcu_read_lock();
16416 
16417 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
16418 		struct cfg80211_sched_scan_request *sched_scan_req;
16419 
16420 		list_for_each_entry_rcu(sched_scan_req,
16421 					&rdev->sched_scan_req_list,
16422 					list) {
16423 			if (sched_scan_req->owner_nlportid == notify->portid) {
16424 				sched_scan_req->nl_owner_dead = true;
16425 				schedule_work(&rdev->sched_scan_stop_wk);
16426 			}
16427 		}
16428 
16429 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
16430 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
16431 
16432 			if (wdev->owner_nlportid == notify->portid) {
16433 				wdev->nl_owner_dead = true;
16434 				schedule_work(&rdev->destroy_work);
16435 			} else if (wdev->conn_owner_nlportid == notify->portid) {
16436 				schedule_work(&wdev->disconnect_wk);
16437 			}
16438 
16439 			cfg80211_release_pmsr(wdev, notify->portid);
16440 		}
16441 
16442 		spin_lock_bh(&rdev->beacon_registrations_lock);
16443 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
16444 					 list) {
16445 			if (reg->nlportid == notify->portid) {
16446 				list_del(&reg->list);
16447 				kfree(reg);
16448 				break;
16449 			}
16450 		}
16451 		spin_unlock_bh(&rdev->beacon_registrations_lock);
16452 	}
16453 
16454 	rcu_read_unlock();
16455 
16456 	/*
16457 	 * It is possible that the user space process that is controlling the
16458 	 * indoor setting disappeared, so notify the regulatory core.
16459 	 */
16460 	regulatory_netlink_notify(notify->portid);
16461 	return NOTIFY_OK;
16462 }
16463 
16464 static struct notifier_block nl80211_netlink_notifier = {
16465 	.notifier_call = nl80211_netlink_notify,
16466 };
16467 
16468 void cfg80211_ft_event(struct net_device *netdev,
16469 		       struct cfg80211_ft_event_params *ft_event)
16470 {
16471 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16472 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16473 	struct sk_buff *msg;
16474 	void *hdr;
16475 
16476 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
16477 
16478 	if (!ft_event->target_ap)
16479 		return;
16480 
16481 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
16482 			GFP_KERNEL);
16483 	if (!msg)
16484 		return;
16485 
16486 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
16487 	if (!hdr)
16488 		goto out;
16489 
16490 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16491 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16492 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
16493 		goto out;
16494 
16495 	if (ft_event->ies &&
16496 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
16497 		goto out;
16498 	if (ft_event->ric_ies &&
16499 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
16500 		    ft_event->ric_ies))
16501 		goto out;
16502 
16503 	genlmsg_end(msg, hdr);
16504 
16505 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16506 				NL80211_MCGRP_MLME, GFP_KERNEL);
16507 	return;
16508  out:
16509 	nlmsg_free(msg);
16510 }
16511 EXPORT_SYMBOL(cfg80211_ft_event);
16512 
16513 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
16514 {
16515 	struct cfg80211_registered_device *rdev;
16516 	struct sk_buff *msg;
16517 	void *hdr;
16518 	u32 nlportid;
16519 
16520 	rdev = wiphy_to_rdev(wdev->wiphy);
16521 	if (!rdev->crit_proto_nlportid)
16522 		return;
16523 
16524 	nlportid = rdev->crit_proto_nlportid;
16525 	rdev->crit_proto_nlportid = 0;
16526 
16527 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16528 	if (!msg)
16529 		return;
16530 
16531 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
16532 	if (!hdr)
16533 		goto nla_put_failure;
16534 
16535 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16536 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16537 			      NL80211_ATTR_PAD))
16538 		goto nla_put_failure;
16539 
16540 	genlmsg_end(msg, hdr);
16541 
16542 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16543 	return;
16544 
16545  nla_put_failure:
16546 	nlmsg_free(msg);
16547 }
16548 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
16549 
16550 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
16551 {
16552 	struct wiphy *wiphy = wdev->wiphy;
16553 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16554 	struct sk_buff *msg;
16555 	void *hdr;
16556 
16557 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16558 	if (!msg)
16559 		return;
16560 
16561 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
16562 	if (!hdr)
16563 		goto out;
16564 
16565 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16566 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
16567 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16568 			      NL80211_ATTR_PAD))
16569 		goto out;
16570 
16571 	genlmsg_end(msg, hdr);
16572 
16573 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
16574 				NL80211_MCGRP_MLME, GFP_KERNEL);
16575 	return;
16576  out:
16577 	nlmsg_free(msg);
16578 }
16579 
16580 int cfg80211_external_auth_request(struct net_device *dev,
16581 				   struct cfg80211_external_auth_params *params,
16582 				   gfp_t gfp)
16583 {
16584 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16585 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16586 	struct sk_buff *msg;
16587 	void *hdr;
16588 
16589 	if (!wdev->conn_owner_nlportid)
16590 		return -EINVAL;
16591 
16592 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16593 	if (!msg)
16594 		return -ENOMEM;
16595 
16596 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
16597 	if (!hdr)
16598 		goto nla_put_failure;
16599 
16600 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16601 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16602 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
16603 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
16604 			params->action) ||
16605 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
16606 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
16607 		    params->ssid.ssid))
16608 		goto nla_put_failure;
16609 
16610 	genlmsg_end(msg, hdr);
16611 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16612 			wdev->conn_owner_nlportid);
16613 	return 0;
16614 
16615  nla_put_failure:
16616 	nlmsg_free(msg);
16617 	return -ENOBUFS;
16618 }
16619 EXPORT_SYMBOL(cfg80211_external_auth_request);
16620 
16621 void cfg80211_update_owe_info_event(struct net_device *netdev,
16622 				    struct cfg80211_update_owe_info *owe_info,
16623 				    gfp_t gfp)
16624 {
16625 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
16626 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16627 	struct sk_buff *msg;
16628 	void *hdr;
16629 
16630 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
16631 
16632 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16633 	if (!msg)
16634 		return;
16635 
16636 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
16637 	if (!hdr)
16638 		goto nla_put_failure;
16639 
16640 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16641 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16642 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
16643 		goto nla_put_failure;
16644 
16645 	if (!owe_info->ie_len ||
16646 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
16647 		goto nla_put_failure;
16648 
16649 	genlmsg_end(msg, hdr);
16650 
16651 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16652 				NL80211_MCGRP_MLME, gfp);
16653 	return;
16654 
16655 nla_put_failure:
16656 	genlmsg_cancel(msg, hdr);
16657 	nlmsg_free(msg);
16658 }
16659 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
16660 
16661 /* initialisation/exit functions */
16662 
16663 int __init nl80211_init(void)
16664 {
16665 	int err;
16666 
16667 	err = genl_register_family(&nl80211_fam);
16668 	if (err)
16669 		return err;
16670 
16671 	err = netlink_register_notifier(&nl80211_netlink_notifier);
16672 	if (err)
16673 		goto err_out;
16674 
16675 	return 0;
16676  err_out:
16677 	genl_unregister_family(&nl80211_fam);
16678 	return err;
16679 }
16680 
16681 void nl80211_exit(void)
16682 {
16683 	netlink_unregister_notifier(&nl80211_netlink_notifier);
16684 	genl_unregister_family(&nl80211_fam);
16685 }
16686