xref: /openbmc/linux/net/wireless/nl80211.c (revision abcda807) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2020 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
68 {
69 	struct cfg80211_registered_device *rdev;
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	ASSERT_RTNL();
78 
79 	if (!have_ifidx && !have_wdev_id)
80 		return ERR_PTR(-EINVAL);
81 
82 	if (have_ifidx)
83 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
84 	if (have_wdev_id) {
85 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
86 		wiphy_idx = wdev_id >> 32;
87 	}
88 
89 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
90 		struct wireless_dev *wdev;
91 
92 		if (wiphy_net(&rdev->wiphy) != netns)
93 			continue;
94 
95 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
96 			continue;
97 
98 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
99 			if (have_ifidx && wdev->netdev &&
100 			    wdev->netdev->ifindex == ifidx) {
101 				result = wdev;
102 				break;
103 			}
104 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
105 				result = wdev;
106 				break;
107 			}
108 		}
109 
110 		if (result)
111 			break;
112 	}
113 
114 	if (result)
115 		return result;
116 	return ERR_PTR(-ENODEV);
117 }
118 
119 static struct cfg80211_registered_device *
120 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
121 {
122 	struct cfg80211_registered_device *rdev = NULL, *tmp;
123 	struct net_device *netdev;
124 
125 	ASSERT_RTNL();
126 
127 	if (!attrs[NL80211_ATTR_WIPHY] &&
128 	    !attrs[NL80211_ATTR_IFINDEX] &&
129 	    !attrs[NL80211_ATTR_WDEV])
130 		return ERR_PTR(-EINVAL);
131 
132 	if (attrs[NL80211_ATTR_WIPHY])
133 		rdev = cfg80211_rdev_by_wiphy_idx(
134 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
135 
136 	if (attrs[NL80211_ATTR_WDEV]) {
137 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
138 		struct wireless_dev *wdev;
139 		bool found = false;
140 
141 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
142 		if (tmp) {
143 			/* make sure wdev exists */
144 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
145 				if (wdev->identifier != (u32)wdev_id)
146 					continue;
147 				found = true;
148 				break;
149 			}
150 
151 			if (!found)
152 				tmp = NULL;
153 
154 			if (rdev && tmp != rdev)
155 				return ERR_PTR(-EINVAL);
156 			rdev = tmp;
157 		}
158 	}
159 
160 	if (attrs[NL80211_ATTR_IFINDEX]) {
161 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
162 
163 		netdev = __dev_get_by_index(netns, ifindex);
164 		if (netdev) {
165 			if (netdev->ieee80211_ptr)
166 				tmp = wiphy_to_rdev(
167 					netdev->ieee80211_ptr->wiphy);
168 			else
169 				tmp = NULL;
170 
171 			/* not wireless device -- return error */
172 			if (!tmp)
173 				return ERR_PTR(-EINVAL);
174 
175 			/* mismatch -- return error */
176 			if (rdev && tmp != rdev)
177 				return ERR_PTR(-EINVAL);
178 
179 			rdev = tmp;
180 		}
181 	}
182 
183 	if (!rdev)
184 		return ERR_PTR(-ENODEV);
185 
186 	if (netns != wiphy_net(&rdev->wiphy))
187 		return ERR_PTR(-ENODEV);
188 
189 	return rdev;
190 }
191 
192 /*
193  * This function returns a pointer to the driver
194  * that the genl_info item that is passed refers to.
195  *
196  * The result of this can be a PTR_ERR and hence must
197  * be checked with IS_ERR() for errors.
198  */
199 static struct cfg80211_registered_device *
200 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
201 {
202 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
203 }
204 
205 static int validate_beacon_head(const struct nlattr *attr,
206 				struct netlink_ext_ack *extack)
207 {
208 	const u8 *data = nla_data(attr);
209 	unsigned int len = nla_len(attr);
210 	const struct element *elem;
211 	const struct ieee80211_mgmt *mgmt = (void *)data;
212 	bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
213 	unsigned int fixedlen, hdrlen;
214 
215 	if (s1g_bcn) {
216 		fixedlen = offsetof(struct ieee80211_ext,
217 				    u.s1g_beacon.variable);
218 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
219 	} else {
220 		fixedlen = offsetof(struct ieee80211_mgmt,
221 				    u.beacon.variable);
222 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
223 	}
224 
225 	if (len < fixedlen)
226 		goto err;
227 
228 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
229 		goto err;
230 
231 	data += fixedlen;
232 	len -= fixedlen;
233 
234 	for_each_element(elem, data, len) {
235 		/* nothing */
236 	}
237 
238 	if (for_each_element_completed(elem, data, len))
239 		return 0;
240 
241 err:
242 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
243 	return -EINVAL;
244 }
245 
246 static int validate_ie_attr(const struct nlattr *attr,
247 			    struct netlink_ext_ack *extack)
248 {
249 	const u8 *data = nla_data(attr);
250 	unsigned int len = nla_len(attr);
251 	const struct element *elem;
252 
253 	for_each_element(elem, data, len) {
254 		/* nothing */
255 	}
256 
257 	if (for_each_element_completed(elem, data, len))
258 		return 0;
259 
260 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
261 	return -EINVAL;
262 }
263 
264 /* policy for the attributes */
265 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
266 
267 static const struct nla_policy
268 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
269 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
270 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
271 					.len = U8_MAX },
272 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
273 					     .len = U8_MAX },
274 };
275 
276 static const struct nla_policy
277 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
278 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
279 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
280 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
281 		NLA_POLICY_MAX(NLA_U8, 15),
282 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
283 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
284 		NLA_POLICY_MAX(NLA_U8, 15),
285 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
286 		NLA_POLICY_MAX(NLA_U8, 31),
287 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
288 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
289 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
290 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
291 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
292 };
293 
294 static const struct nla_policy
295 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
296 	[NL80211_PMSR_TYPE_FTM] =
297 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
298 };
299 
300 static const struct nla_policy
301 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
302 	[NL80211_PMSR_REQ_ATTR_DATA] =
303 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
304 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
305 };
306 
307 static const struct nla_policy
308 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
309 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
310 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
311 	[NL80211_PMSR_PEER_ATTR_REQ] =
312 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
313 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
314 };
315 
316 static const struct nla_policy
317 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
318 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
319 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
320 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
321 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
322 	[NL80211_PMSR_ATTR_PEERS] =
323 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
324 };
325 
326 static const struct nla_policy
327 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
328 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
329 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
330 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
331 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
332 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
333 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
334 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
335 		NLA_POLICY_EXACT_LEN(8),
336 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
337 		NLA_POLICY_EXACT_LEN(8),
338 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
339 };
340 
341 static const struct nla_policy
342 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
343 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
344 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
345 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
346 };
347 
348 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
349 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
350 				    .len = NL80211_MAX_SUPP_RATES },
351 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
352 				.len = NL80211_MAX_SUPP_HT_RATES },
353 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
354 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
355 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
356 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
357 						   NL80211_RATE_INFO_HE_GI_0_8,
358 						   NL80211_RATE_INFO_HE_GI_3_2),
359 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
360 						   NL80211_RATE_INFO_HE_1XLTF,
361 						   NL80211_RATE_INFO_HE_4XLTF),
362 };
363 
364 static const struct nla_policy
365 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
366 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
367 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
368 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
369 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
370 	[NL80211_TID_CONFIG_ATTR_NOACK] =
371 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
372 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
373 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
374 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
375 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
376 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
377 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
378 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
379 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
380 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
381 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
382 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
383 			NLA_POLICY_NESTED(nl80211_txattr_policy),
384 };
385 
386 static const struct nla_policy
387 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
388 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
389 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
390 	NLA_POLICY_RANGE(NLA_BINARY,
391 			 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
392 			 IEEE80211_MAX_DATA_LEN),
393 };
394 
395 static const struct nla_policy
396 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
397 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
398 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
399 						       .len = IEEE80211_MAX_DATA_LEN }
400 };
401 
402 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
403 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
404 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
405 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
406 				      .len = 20-1 },
407 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
408 
409 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
410 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
411 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
412 						NL80211_EDMG_CHANNELS_MIN,
413 						NL80211_EDMG_CHANNELS_MAX),
414 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
415 						NL80211_EDMG_BW_CONFIG_MIN,
416 						NL80211_EDMG_BW_CONFIG_MAX),
417 
418 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
419 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
420 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
421 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
422 
423 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
424 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
425 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
426 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
427 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
428 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
429 
430 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
431 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
432 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
433 
434 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
435 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
436 
437 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
438 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
439 				    .len = WLAN_MAX_KEY_LEN },
440 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
441 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
442 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
443 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
444 	[NL80211_ATTR_KEY_TYPE] =
445 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
446 
447 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
448 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
449 	[NL80211_ATTR_BEACON_HEAD] =
450 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
451 				       IEEE80211_MAX_DATA_LEN),
452 	[NL80211_ATTR_BEACON_TAIL] =
453 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
454 				       IEEE80211_MAX_DATA_LEN),
455 	[NL80211_ATTR_STA_AID] =
456 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
457 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
458 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
459 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
460 					       .len = NL80211_MAX_SUPP_RATES },
461 	[NL80211_ATTR_STA_PLINK_ACTION] =
462 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
463 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
464 		NLA_POLICY_RANGE(NLA_U8,
465 				 NL80211_TX_POWER_AUTOMATIC,
466 				 NL80211_TX_POWER_FIXED),
467 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
468 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
469 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
470 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
471 				   .len = IEEE80211_MAX_MESH_ID_LEN },
472 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
473 
474 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
475 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
476 
477 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
478 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
479 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
480 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
481 					   .len = NL80211_MAX_SUPP_RATES },
482 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
483 
484 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
485 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
488 
489 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
490 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
491 						   validate_ie_attr,
492 						   IEEE80211_MAX_DATA_LEN),
493 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
494 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
495 
496 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
497 				.len = IEEE80211_MAX_SSID_LEN },
498 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
499 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
500 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
501 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
502 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
503 						  NL80211_MFP_NO,
504 						  NL80211_MFP_OPTIONAL),
505 	[NL80211_ATTR_STA_FLAGS2] = {
506 		.len = sizeof(struct nl80211_sta_flag_update),
507 	},
508 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
509 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
510 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
511 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
512 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
513 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
514 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
515 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
516 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
517 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
518 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
519 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
520 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
521 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
522 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
523 				 .len = IEEE80211_MAX_DATA_LEN },
524 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
525 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
526 						   NL80211_PS_DISABLED,
527 						   NL80211_PS_ENABLED),
528 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
529 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
530 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
531 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
532 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
533 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
534 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
535 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
536 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
537 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
538 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
539 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
540 	[NL80211_ATTR_STA_PLINK_STATE] =
541 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
542 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
543 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
544 	[NL80211_ATTR_MESH_PEER_AID] =
545 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
546 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
547 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
548 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
549 	[NL80211_ATTR_HIDDEN_SSID] =
550 		NLA_POLICY_RANGE(NLA_U32,
551 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
552 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
553 	[NL80211_ATTR_IE_PROBE_RESP] =
554 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
555 				       IEEE80211_MAX_DATA_LEN),
556 	[NL80211_ATTR_IE_ASSOC_RESP] =
557 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
558 				       IEEE80211_MAX_DATA_LEN),
559 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
561 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
562 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
563 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
564 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
565 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
566 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
568 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
570 				      .len = IEEE80211_MAX_DATA_LEN },
571 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
572 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
573 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
574 		.len = NL80211_HT_CAPABILITY_LEN
575 	},
576 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
577 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
578 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
579 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
580 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
581 
582 	/* need to include at least Auth Transaction and Status Code */
583 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
584 
585 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
586 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
587 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
588 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
589 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
590 		NLA_POLICY_RANGE(NLA_U32,
591 				 NL80211_MESH_POWER_UNKNOWN + 1,
592 				 NL80211_MESH_POWER_MAX),
593 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
594 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
595 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
596 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
597 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
598 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
600 		.len = NL80211_VHT_CAPABILITY_LEN,
601 	},
602 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
603 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
604 				  .len = IEEE80211_MAX_DATA_LEN },
605 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
606 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
607 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
608 	[NL80211_ATTR_PEER_AID] =
609 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
610 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
611 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
612 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
613 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
614 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
615 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
616 	/*
617 	 * The value of the Length field of the Supported Operating
618 	 * Classes element is between 2 and 253.
619 	 */
620 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
621 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
622 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
623 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
624 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
625 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
626 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
627 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
628 						  IEEE80211_QOS_MAP_LEN_MIN,
629 						  IEEE80211_QOS_MAP_LEN_MAX),
630 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
631 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
632 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
633 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
634 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
635 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
637 	[NL80211_ATTR_USER_PRIO] =
638 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
639 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
640 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
641 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
642 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
643 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
645 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
646 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
647 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
648 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
649 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
650 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
651 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
652 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
653 	},
654 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
655 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
656 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
657 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
658 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
659 				    .len = FILS_MAX_KEK_LEN },
660 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
661 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
662 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
663 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
664 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
665 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
666 	},
667 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
668 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
669 					     .len = FILS_ERP_MAX_USERNAME_LEN },
670 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
671 					  .len = FILS_ERP_MAX_REALM_LEN },
672 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
673 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
674 					.len = FILS_ERP_MAX_RRK_LEN },
675 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
676 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
677 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
678 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
679 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
680 
681 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
682 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
683 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
684 	[NL80211_ATTR_HE_CAPABILITY] =
685 		NLA_POLICY_RANGE(NLA_BINARY,
686 				 NL80211_HE_MIN_CAPABILITY_LEN,
687 				 NL80211_HE_MAX_CAPABILITY_LEN),
688 	[NL80211_ATTR_FTM_RESPONDER] =
689 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
690 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
691 	[NL80211_ATTR_PEER_MEASUREMENTS] =
692 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
693 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
694 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
695 					.len = SAE_PASSWORD_MAX_LEN },
696 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
697 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
698 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
699 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
700 	[NL80211_ATTR_TID_CONFIG] =
701 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
702 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
703 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
704 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
705 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
707 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
708 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
709 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
710 	[NL80211_ATTR_FILS_DISCOVERY] =
711 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
712 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
713 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
714 	[NL80211_ATTR_S1G_CAPABILITY] =
715 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
716 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
717 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
718 };
719 
720 /* policy for the key attributes */
721 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
722 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
723 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
724 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
725 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
726 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
727 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
728 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
729 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
730 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
731 };
732 
733 /* policy for the key default flags */
734 static const struct nla_policy
735 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
736 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
737 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
738 };
739 
740 #ifdef CONFIG_PM
741 /* policy for WoWLAN attributes */
742 static const struct nla_policy
743 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
744 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
745 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
746 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
747 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
748 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
749 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
750 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
751 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
752 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
753 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
754 };
755 
756 static const struct nla_policy
757 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
758 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
759 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
760 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
761 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
762 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
763 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
764 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
765 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
766 	},
767 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
768 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
769 	},
770 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
771 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
772 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
773 };
774 #endif /* CONFIG_PM */
775 
776 /* policy for coalesce rule attributes */
777 static const struct nla_policy
778 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
779 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
780 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
781 		NLA_POLICY_RANGE(NLA_U32,
782 				 NL80211_COALESCE_CONDITION_MATCH,
783 				 NL80211_COALESCE_CONDITION_NO_MATCH),
784 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
785 };
786 
787 /* policy for GTK rekey offload attributes */
788 static const struct nla_policy
789 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
790 	[NL80211_REKEY_DATA_KEK] = {
791 		.type = NLA_BINARY,
792 		.len = NL80211_KEK_EXT_LEN
793 	},
794 	[NL80211_REKEY_DATA_KCK] = {
795 		.type = NLA_BINARY,
796 		.len = NL80211_KCK_EXT_LEN
797 	},
798 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
799 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
800 };
801 
802 static const struct nla_policy
803 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
804 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
805 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
806 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
807 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
808 };
809 
810 static const struct nla_policy
811 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
812 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
813 						 .len = IEEE80211_MAX_SSID_LEN },
814 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
815 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
816 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
817 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
818 };
819 
820 static const struct nla_policy
821 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
822 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
823 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
824 };
825 
826 static const struct nla_policy
827 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
828 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
829 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
830 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
831 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
832 	},
833 };
834 
835 /* policy for NAN function attributes */
836 static const struct nla_policy
837 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
838 	[NL80211_NAN_FUNC_TYPE] =
839 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
840 	[NL80211_NAN_FUNC_SERVICE_ID] = {
841 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
842 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
843 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
844 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
845 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
846 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
847 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
848 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
849 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
850 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
851 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
852 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
853 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
854 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
855 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
856 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
857 };
858 
859 /* policy for Service Response Filter attributes */
860 static const struct nla_policy
861 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
862 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
863 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
864 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
865 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
866 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
867 };
868 
869 /* policy for packet pattern attributes */
870 static const struct nla_policy
871 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
872 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
873 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
874 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
875 };
876 
877 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
878 			      struct cfg80211_registered_device **rdev,
879 			      struct wireless_dev **wdev)
880 {
881 	int err;
882 
883 	if (!cb->args[0]) {
884 		struct nlattr **attrbuf;
885 
886 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
887 				  GFP_KERNEL);
888 		if (!attrbuf)
889 			return -ENOMEM;
890 
891 		err = nlmsg_parse_deprecated(cb->nlh,
892 					     GENL_HDRLEN + nl80211_fam.hdrsize,
893 					     attrbuf, nl80211_fam.maxattr,
894 					     nl80211_policy, NULL);
895 		if (err) {
896 			kfree(attrbuf);
897 			return err;
898 		}
899 
900 		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
901 						   attrbuf);
902 		kfree(attrbuf);
903 		if (IS_ERR(*wdev))
904 			return PTR_ERR(*wdev);
905 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
906 		/* 0 is the first index - add 1 to parse only once */
907 		cb->args[0] = (*rdev)->wiphy_idx + 1;
908 		cb->args[1] = (*wdev)->identifier;
909 	} else {
910 		/* subtract the 1 again here */
911 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
912 		struct wireless_dev *tmp;
913 
914 		if (!wiphy)
915 			return -ENODEV;
916 		*rdev = wiphy_to_rdev(wiphy);
917 		*wdev = NULL;
918 
919 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
920 			if (tmp->identifier == cb->args[1]) {
921 				*wdev = tmp;
922 				break;
923 			}
924 		}
925 
926 		if (!*wdev)
927 			return -ENODEV;
928 	}
929 
930 	return 0;
931 }
932 
933 /* message building helper */
934 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
935 		     int flags, u8 cmd)
936 {
937 	/* since there is no private header just add the generic one */
938 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
939 }
940 
941 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
942 				     const struct ieee80211_reg_rule *rule)
943 {
944 	int j;
945 	struct nlattr *nl_wmm_rules =
946 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
947 
948 	if (!nl_wmm_rules)
949 		goto nla_put_failure;
950 
951 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
952 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
953 
954 		if (!nl_wmm_rule)
955 			goto nla_put_failure;
956 
957 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
958 				rule->wmm_rule.client[j].cw_min) ||
959 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
960 				rule->wmm_rule.client[j].cw_max) ||
961 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
962 			       rule->wmm_rule.client[j].aifsn) ||
963 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
964 			        rule->wmm_rule.client[j].cot))
965 			goto nla_put_failure;
966 
967 		nla_nest_end(msg, nl_wmm_rule);
968 	}
969 	nla_nest_end(msg, nl_wmm_rules);
970 
971 	return 0;
972 
973 nla_put_failure:
974 	return -ENOBUFS;
975 }
976 
977 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
978 				   struct ieee80211_channel *chan,
979 				   bool large)
980 {
981 	/* Some channels must be completely excluded from the
982 	 * list to protect old user-space tools from breaking
983 	 */
984 	if (!large && chan->flags &
985 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
986 		return 0;
987 	if (!large && chan->freq_offset)
988 		return 0;
989 
990 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
991 			chan->center_freq))
992 		goto nla_put_failure;
993 
994 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
995 		goto nla_put_failure;
996 
997 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
998 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
999 		goto nla_put_failure;
1000 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1001 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1002 			goto nla_put_failure;
1003 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1004 			goto nla_put_failure;
1005 	}
1006 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1007 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1008 			goto nla_put_failure;
1009 		if (large) {
1010 			u32 time;
1011 
1012 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1013 
1014 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1015 					chan->dfs_state))
1016 				goto nla_put_failure;
1017 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1018 					time))
1019 				goto nla_put_failure;
1020 			if (nla_put_u32(msg,
1021 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1022 					chan->dfs_cac_ms))
1023 				goto nla_put_failure;
1024 		}
1025 	}
1026 
1027 	if (large) {
1028 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1029 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1030 			goto nla_put_failure;
1031 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1032 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1033 			goto nla_put_failure;
1034 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1035 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1036 			goto nla_put_failure;
1037 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1038 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1039 			goto nla_put_failure;
1040 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1041 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1042 			goto nla_put_failure;
1043 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1044 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1045 			goto nla_put_failure;
1046 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1047 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1048 			goto nla_put_failure;
1049 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1050 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1051 			goto nla_put_failure;
1052 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1053 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1054 			goto nla_put_failure;
1055 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1056 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1057 			goto nla_put_failure;
1058 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1059 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1060 			goto nla_put_failure;
1061 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1062 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1063 			goto nla_put_failure;
1064 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1065 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1066 			goto nla_put_failure;
1067 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1068 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1069 			goto nla_put_failure;
1070 	}
1071 
1072 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1073 			DBM_TO_MBM(chan->max_power)))
1074 		goto nla_put_failure;
1075 
1076 	if (large) {
1077 		const struct ieee80211_reg_rule *rule =
1078 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1079 
1080 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1081 			if (nl80211_msg_put_wmm_rules(msg, rule))
1082 				goto nla_put_failure;
1083 		}
1084 	}
1085 
1086 	return 0;
1087 
1088  nla_put_failure:
1089 	return -ENOBUFS;
1090 }
1091 
1092 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1093 				  struct cfg80211_txq_stats *txqstats,
1094 				  int attrtype)
1095 {
1096 	struct nlattr *txqattr;
1097 
1098 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1099 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1100 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1101 		return false;						  \
1102 	} while (0)
1103 
1104 	txqattr = nla_nest_start_noflag(msg, attrtype);
1105 	if (!txqattr)
1106 		return false;
1107 
1108 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1109 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1110 	PUT_TXQVAL_U32(FLOWS, flows);
1111 	PUT_TXQVAL_U32(DROPS, drops);
1112 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1113 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1114 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1115 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1116 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1117 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1118 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1119 	nla_nest_end(msg, txqattr);
1120 
1121 #undef PUT_TXQVAL_U32
1122 	return true;
1123 }
1124 
1125 /* netlink command implementations */
1126 
1127 struct key_parse {
1128 	struct key_params p;
1129 	int idx;
1130 	int type;
1131 	bool def, defmgmt, defbeacon;
1132 	bool def_uni, def_multi;
1133 };
1134 
1135 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1136 				 struct key_parse *k)
1137 {
1138 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1139 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1140 					      nl80211_key_policy,
1141 					      info->extack);
1142 	if (err)
1143 		return err;
1144 
1145 	k->def = !!tb[NL80211_KEY_DEFAULT];
1146 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1147 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1148 
1149 	if (k->def) {
1150 		k->def_uni = true;
1151 		k->def_multi = true;
1152 	}
1153 	if (k->defmgmt || k->defbeacon)
1154 		k->def_multi = true;
1155 
1156 	if (tb[NL80211_KEY_IDX])
1157 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1158 
1159 	if (tb[NL80211_KEY_DATA]) {
1160 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1161 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1162 	}
1163 
1164 	if (tb[NL80211_KEY_SEQ]) {
1165 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1166 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1167 	}
1168 
1169 	if (tb[NL80211_KEY_CIPHER])
1170 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1171 
1172 	if (tb[NL80211_KEY_TYPE])
1173 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1174 
1175 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1176 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1177 
1178 		err = nla_parse_nested_deprecated(kdt,
1179 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1180 						  tb[NL80211_KEY_DEFAULT_TYPES],
1181 						  nl80211_key_default_policy,
1182 						  info->extack);
1183 		if (err)
1184 			return err;
1185 
1186 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1187 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1188 	}
1189 
1190 	if (tb[NL80211_KEY_MODE])
1191 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1192 
1193 	return 0;
1194 }
1195 
1196 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1197 {
1198 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1199 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1200 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1201 	}
1202 
1203 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1204 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1205 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1206 	}
1207 
1208 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1209 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1210 
1211 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1212 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1213 
1214 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1215 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1216 
1217 	if (k->def) {
1218 		k->def_uni = true;
1219 		k->def_multi = true;
1220 	}
1221 	if (k->defmgmt)
1222 		k->def_multi = true;
1223 
1224 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1225 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1226 
1227 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1228 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1229 		int err = nla_parse_nested_deprecated(kdt,
1230 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1231 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1232 						      nl80211_key_default_policy,
1233 						      info->extack);
1234 		if (err)
1235 			return err;
1236 
1237 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1238 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1239 	}
1240 
1241 	return 0;
1242 }
1243 
1244 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1245 {
1246 	int err;
1247 
1248 	memset(k, 0, sizeof(*k));
1249 	k->idx = -1;
1250 	k->type = -1;
1251 
1252 	if (info->attrs[NL80211_ATTR_KEY])
1253 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1254 	else
1255 		err = nl80211_parse_key_old(info, k);
1256 
1257 	if (err)
1258 		return err;
1259 
1260 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1261 	    (k->defbeacon ? 1 : 0) > 1) {
1262 		GENL_SET_ERR_MSG(info,
1263 				 "key with multiple default flags is invalid");
1264 		return -EINVAL;
1265 	}
1266 
1267 	if (k->defmgmt || k->defbeacon) {
1268 		if (k->def_uni || !k->def_multi) {
1269 			GENL_SET_ERR_MSG(info,
1270 					 "defmgmt/defbeacon key must be mcast");
1271 			return -EINVAL;
1272 		}
1273 	}
1274 
1275 	if (k->idx != -1) {
1276 		if (k->defmgmt) {
1277 			if (k->idx < 4 || k->idx > 5) {
1278 				GENL_SET_ERR_MSG(info,
1279 						 "defmgmt key idx not 4 or 5");
1280 				return -EINVAL;
1281 			}
1282 		} else if (k->defbeacon) {
1283 			if (k->idx < 6 || k->idx > 7) {
1284 				GENL_SET_ERR_MSG(info,
1285 						 "defbeacon key idx not 6 or 7");
1286 				return -EINVAL;
1287 			}
1288 		} else if (k->def) {
1289 			if (k->idx < 0 || k->idx > 3) {
1290 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1291 				return -EINVAL;
1292 			}
1293 		} else {
1294 			if (k->idx < 0 || k->idx > 7) {
1295 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1296 				return -EINVAL;
1297 			}
1298 		}
1299 	}
1300 
1301 	return 0;
1302 }
1303 
1304 static struct cfg80211_cached_keys *
1305 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1306 		       struct genl_info *info, bool *no_ht)
1307 {
1308 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1309 	struct key_parse parse;
1310 	struct nlattr *key;
1311 	struct cfg80211_cached_keys *result;
1312 	int rem, err, def = 0;
1313 	bool have_key = false;
1314 
1315 	nla_for_each_nested(key, keys, rem) {
1316 		have_key = true;
1317 		break;
1318 	}
1319 
1320 	if (!have_key)
1321 		return NULL;
1322 
1323 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1324 	if (!result)
1325 		return ERR_PTR(-ENOMEM);
1326 
1327 	result->def = -1;
1328 
1329 	nla_for_each_nested(key, keys, rem) {
1330 		memset(&parse, 0, sizeof(parse));
1331 		parse.idx = -1;
1332 
1333 		err = nl80211_parse_key_new(info, key, &parse);
1334 		if (err)
1335 			goto error;
1336 		err = -EINVAL;
1337 		if (!parse.p.key)
1338 			goto error;
1339 		if (parse.idx < 0 || parse.idx > 3) {
1340 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1341 			goto error;
1342 		}
1343 		if (parse.def) {
1344 			if (def) {
1345 				GENL_SET_ERR_MSG(info,
1346 						 "only one key can be default");
1347 				goto error;
1348 			}
1349 			def = 1;
1350 			result->def = parse.idx;
1351 			if (!parse.def_uni || !parse.def_multi)
1352 				goto error;
1353 		} else if (parse.defmgmt)
1354 			goto error;
1355 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1356 						     parse.idx, false, NULL);
1357 		if (err)
1358 			goto error;
1359 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1360 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1361 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1362 			err = -EINVAL;
1363 			goto error;
1364 		}
1365 		result->params[parse.idx].cipher = parse.p.cipher;
1366 		result->params[parse.idx].key_len = parse.p.key_len;
1367 		result->params[parse.idx].key = result->data[parse.idx];
1368 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1369 
1370 		/* must be WEP key if we got here */
1371 		if (no_ht)
1372 			*no_ht = true;
1373 	}
1374 
1375 	if (result->def < 0) {
1376 		err = -EINVAL;
1377 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1378 		goto error;
1379 	}
1380 
1381 	return result;
1382  error:
1383 	kfree(result);
1384 	return ERR_PTR(err);
1385 }
1386 
1387 static int nl80211_key_allowed(struct wireless_dev *wdev)
1388 {
1389 	ASSERT_WDEV_LOCK(wdev);
1390 
1391 	switch (wdev->iftype) {
1392 	case NL80211_IFTYPE_AP:
1393 	case NL80211_IFTYPE_AP_VLAN:
1394 	case NL80211_IFTYPE_P2P_GO:
1395 	case NL80211_IFTYPE_MESH_POINT:
1396 		break;
1397 	case NL80211_IFTYPE_ADHOC:
1398 	case NL80211_IFTYPE_STATION:
1399 	case NL80211_IFTYPE_P2P_CLIENT:
1400 		if (!wdev->current_bss)
1401 			return -ENOLINK;
1402 		break;
1403 	case NL80211_IFTYPE_UNSPECIFIED:
1404 	case NL80211_IFTYPE_OCB:
1405 	case NL80211_IFTYPE_MONITOR:
1406 	case NL80211_IFTYPE_NAN:
1407 	case NL80211_IFTYPE_P2P_DEVICE:
1408 	case NL80211_IFTYPE_WDS:
1409 	case NUM_NL80211_IFTYPES:
1410 		return -EINVAL;
1411 	}
1412 
1413 	return 0;
1414 }
1415 
1416 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1417 							u32 freq)
1418 {
1419 	struct ieee80211_channel *chan;
1420 
1421 	chan = ieee80211_get_channel_khz(wiphy, freq);
1422 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1423 		return NULL;
1424 	return chan;
1425 }
1426 
1427 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1428 {
1429 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1430 	int i;
1431 
1432 	if (!nl_modes)
1433 		goto nla_put_failure;
1434 
1435 	i = 0;
1436 	while (ifmodes) {
1437 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1438 			goto nla_put_failure;
1439 		ifmodes >>= 1;
1440 		i++;
1441 	}
1442 
1443 	nla_nest_end(msg, nl_modes);
1444 	return 0;
1445 
1446 nla_put_failure:
1447 	return -ENOBUFS;
1448 }
1449 
1450 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1451 					  struct sk_buff *msg,
1452 					  bool large)
1453 {
1454 	struct nlattr *nl_combis;
1455 	int i, j;
1456 
1457 	nl_combis = nla_nest_start_noflag(msg,
1458 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1459 	if (!nl_combis)
1460 		goto nla_put_failure;
1461 
1462 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1463 		const struct ieee80211_iface_combination *c;
1464 		struct nlattr *nl_combi, *nl_limits;
1465 
1466 		c = &wiphy->iface_combinations[i];
1467 
1468 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1469 		if (!nl_combi)
1470 			goto nla_put_failure;
1471 
1472 		nl_limits = nla_nest_start_noflag(msg,
1473 						  NL80211_IFACE_COMB_LIMITS);
1474 		if (!nl_limits)
1475 			goto nla_put_failure;
1476 
1477 		for (j = 0; j < c->n_limits; j++) {
1478 			struct nlattr *nl_limit;
1479 
1480 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1481 			if (!nl_limit)
1482 				goto nla_put_failure;
1483 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1484 					c->limits[j].max))
1485 				goto nla_put_failure;
1486 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1487 						c->limits[j].types))
1488 				goto nla_put_failure;
1489 			nla_nest_end(msg, nl_limit);
1490 		}
1491 
1492 		nla_nest_end(msg, nl_limits);
1493 
1494 		if (c->beacon_int_infra_match &&
1495 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1496 			goto nla_put_failure;
1497 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1498 				c->num_different_channels) ||
1499 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1500 				c->max_interfaces))
1501 			goto nla_put_failure;
1502 		if (large &&
1503 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1504 				c->radar_detect_widths) ||
1505 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1506 				c->radar_detect_regions)))
1507 			goto nla_put_failure;
1508 		if (c->beacon_int_min_gcd &&
1509 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1510 				c->beacon_int_min_gcd))
1511 			goto nla_put_failure;
1512 
1513 		nla_nest_end(msg, nl_combi);
1514 	}
1515 
1516 	nla_nest_end(msg, nl_combis);
1517 
1518 	return 0;
1519 nla_put_failure:
1520 	return -ENOBUFS;
1521 }
1522 
1523 #ifdef CONFIG_PM
1524 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1525 					struct sk_buff *msg)
1526 {
1527 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1528 	struct nlattr *nl_tcp;
1529 
1530 	if (!tcp)
1531 		return 0;
1532 
1533 	nl_tcp = nla_nest_start_noflag(msg,
1534 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1535 	if (!nl_tcp)
1536 		return -ENOBUFS;
1537 
1538 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1539 			tcp->data_payload_max))
1540 		return -ENOBUFS;
1541 
1542 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1543 			tcp->data_payload_max))
1544 		return -ENOBUFS;
1545 
1546 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1547 		return -ENOBUFS;
1548 
1549 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1550 				sizeof(*tcp->tok), tcp->tok))
1551 		return -ENOBUFS;
1552 
1553 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1554 			tcp->data_interval_max))
1555 		return -ENOBUFS;
1556 
1557 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1558 			tcp->wake_payload_max))
1559 		return -ENOBUFS;
1560 
1561 	nla_nest_end(msg, nl_tcp);
1562 	return 0;
1563 }
1564 
1565 static int nl80211_send_wowlan(struct sk_buff *msg,
1566 			       struct cfg80211_registered_device *rdev,
1567 			       bool large)
1568 {
1569 	struct nlattr *nl_wowlan;
1570 
1571 	if (!rdev->wiphy.wowlan)
1572 		return 0;
1573 
1574 	nl_wowlan = nla_nest_start_noflag(msg,
1575 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1576 	if (!nl_wowlan)
1577 		return -ENOBUFS;
1578 
1579 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1580 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1581 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1582 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1583 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1584 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1585 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1586 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1587 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1588 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1589 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1590 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1591 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1592 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1593 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1594 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1595 		return -ENOBUFS;
1596 
1597 	if (rdev->wiphy.wowlan->n_patterns) {
1598 		struct nl80211_pattern_support pat = {
1599 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1600 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1601 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1602 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1603 		};
1604 
1605 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1606 			    sizeof(pat), &pat))
1607 			return -ENOBUFS;
1608 	}
1609 
1610 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1611 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1612 			rdev->wiphy.wowlan->max_nd_match_sets))
1613 		return -ENOBUFS;
1614 
1615 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1616 		return -ENOBUFS;
1617 
1618 	nla_nest_end(msg, nl_wowlan);
1619 
1620 	return 0;
1621 }
1622 #endif
1623 
1624 static int nl80211_send_coalesce(struct sk_buff *msg,
1625 				 struct cfg80211_registered_device *rdev)
1626 {
1627 	struct nl80211_coalesce_rule_support rule;
1628 
1629 	if (!rdev->wiphy.coalesce)
1630 		return 0;
1631 
1632 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1633 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1634 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1635 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1636 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1637 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1638 
1639 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1640 		return -ENOBUFS;
1641 
1642 	return 0;
1643 }
1644 
1645 static int
1646 nl80211_send_iftype_data(struct sk_buff *msg,
1647 			 const struct ieee80211_supported_band *sband,
1648 			 const struct ieee80211_sband_iftype_data *iftdata)
1649 {
1650 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1651 
1652 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1653 				iftdata->types_mask))
1654 		return -ENOBUFS;
1655 
1656 	if (he_cap->has_he) {
1657 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1658 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1659 			    he_cap->he_cap_elem.mac_cap_info) ||
1660 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1661 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1662 			    he_cap->he_cap_elem.phy_cap_info) ||
1663 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1664 			    sizeof(he_cap->he_mcs_nss_supp),
1665 			    &he_cap->he_mcs_nss_supp) ||
1666 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1667 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1668 			return -ENOBUFS;
1669 	}
1670 
1671 	if (sband->band == NL80211_BAND_6GHZ &&
1672 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1673 		    sizeof(iftdata->he_6ghz_capa),
1674 		    &iftdata->he_6ghz_capa))
1675 		return -ENOBUFS;
1676 
1677 	return 0;
1678 }
1679 
1680 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1681 				      struct ieee80211_supported_band *sband,
1682 				      bool large)
1683 {
1684 	struct nlattr *nl_rates, *nl_rate;
1685 	struct ieee80211_rate *rate;
1686 	int i;
1687 
1688 	/* add HT info */
1689 	if (sband->ht_cap.ht_supported &&
1690 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1691 		     sizeof(sband->ht_cap.mcs),
1692 		     &sband->ht_cap.mcs) ||
1693 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1694 			 sband->ht_cap.cap) ||
1695 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1696 			sband->ht_cap.ampdu_factor) ||
1697 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1698 			sband->ht_cap.ampdu_density)))
1699 		return -ENOBUFS;
1700 
1701 	/* add VHT info */
1702 	if (sband->vht_cap.vht_supported &&
1703 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1704 		     sizeof(sband->vht_cap.vht_mcs),
1705 		     &sband->vht_cap.vht_mcs) ||
1706 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1707 			 sband->vht_cap.cap)))
1708 		return -ENOBUFS;
1709 
1710 	if (large && sband->n_iftype_data) {
1711 		struct nlattr *nl_iftype_data =
1712 			nla_nest_start_noflag(msg,
1713 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1714 		int err;
1715 
1716 		if (!nl_iftype_data)
1717 			return -ENOBUFS;
1718 
1719 		for (i = 0; i < sband->n_iftype_data; i++) {
1720 			struct nlattr *iftdata;
1721 
1722 			iftdata = nla_nest_start_noflag(msg, i + 1);
1723 			if (!iftdata)
1724 				return -ENOBUFS;
1725 
1726 			err = nl80211_send_iftype_data(msg, sband,
1727 						       &sband->iftype_data[i]);
1728 			if (err)
1729 				return err;
1730 
1731 			nla_nest_end(msg, iftdata);
1732 		}
1733 
1734 		nla_nest_end(msg, nl_iftype_data);
1735 	}
1736 
1737 	/* add EDMG info */
1738 	if (large && sband->edmg_cap.channels &&
1739 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1740 		       sband->edmg_cap.channels) ||
1741 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1742 		       sband->edmg_cap.bw_config)))
1743 
1744 		return -ENOBUFS;
1745 
1746 	/* add bitrates */
1747 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1748 	if (!nl_rates)
1749 		return -ENOBUFS;
1750 
1751 	for (i = 0; i < sband->n_bitrates; i++) {
1752 		nl_rate = nla_nest_start_noflag(msg, i);
1753 		if (!nl_rate)
1754 			return -ENOBUFS;
1755 
1756 		rate = &sband->bitrates[i];
1757 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1758 				rate->bitrate))
1759 			return -ENOBUFS;
1760 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1761 		    nla_put_flag(msg,
1762 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1763 			return -ENOBUFS;
1764 
1765 		nla_nest_end(msg, nl_rate);
1766 	}
1767 
1768 	nla_nest_end(msg, nl_rates);
1769 
1770 	return 0;
1771 }
1772 
1773 static int
1774 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1775 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1776 {
1777 	u16 stypes;
1778 	struct nlattr *nl_ftypes, *nl_ifs;
1779 	enum nl80211_iftype ift;
1780 	int i;
1781 
1782 	if (!mgmt_stypes)
1783 		return 0;
1784 
1785 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1786 	if (!nl_ifs)
1787 		return -ENOBUFS;
1788 
1789 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1790 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1791 		if (!nl_ftypes)
1792 			return -ENOBUFS;
1793 		i = 0;
1794 		stypes = mgmt_stypes[ift].tx;
1795 		while (stypes) {
1796 			if ((stypes & 1) &&
1797 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1798 					(i << 4) | IEEE80211_FTYPE_MGMT))
1799 				return -ENOBUFS;
1800 			stypes >>= 1;
1801 			i++;
1802 		}
1803 		nla_nest_end(msg, nl_ftypes);
1804 	}
1805 
1806 	nla_nest_end(msg, nl_ifs);
1807 
1808 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1809 	if (!nl_ifs)
1810 		return -ENOBUFS;
1811 
1812 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1813 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1814 		if (!nl_ftypes)
1815 			return -ENOBUFS;
1816 		i = 0;
1817 		stypes = mgmt_stypes[ift].rx;
1818 		while (stypes) {
1819 			if ((stypes & 1) &&
1820 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1821 					(i << 4) | IEEE80211_FTYPE_MGMT))
1822 				return -ENOBUFS;
1823 			stypes >>= 1;
1824 			i++;
1825 		}
1826 		nla_nest_end(msg, nl_ftypes);
1827 	}
1828 	nla_nest_end(msg, nl_ifs);
1829 
1830 	return 0;
1831 }
1832 
1833 #define CMD(op, n)							\
1834 	 do {								\
1835 		if (rdev->ops->op) {					\
1836 			i++;						\
1837 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1838 				goto nla_put_failure;			\
1839 		}							\
1840 	} while (0)
1841 
1842 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1843 					struct sk_buff *msg)
1844 {
1845 	int i = 0;
1846 
1847 	/*
1848 	 * do *NOT* add anything into this function, new things need to be
1849 	 * advertised only to new versions of userspace that can deal with
1850 	 * the split (and they can't possibly care about new features...
1851 	 */
1852 	CMD(add_virtual_intf, NEW_INTERFACE);
1853 	CMD(change_virtual_intf, SET_INTERFACE);
1854 	CMD(add_key, NEW_KEY);
1855 	CMD(start_ap, START_AP);
1856 	CMD(add_station, NEW_STATION);
1857 	CMD(add_mpath, NEW_MPATH);
1858 	CMD(update_mesh_config, SET_MESH_CONFIG);
1859 	CMD(change_bss, SET_BSS);
1860 	CMD(auth, AUTHENTICATE);
1861 	CMD(assoc, ASSOCIATE);
1862 	CMD(deauth, DEAUTHENTICATE);
1863 	CMD(disassoc, DISASSOCIATE);
1864 	CMD(join_ibss, JOIN_IBSS);
1865 	CMD(join_mesh, JOIN_MESH);
1866 	CMD(set_pmksa, SET_PMKSA);
1867 	CMD(del_pmksa, DEL_PMKSA);
1868 	CMD(flush_pmksa, FLUSH_PMKSA);
1869 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1870 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1871 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1872 	CMD(mgmt_tx, FRAME);
1873 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1874 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1875 		i++;
1876 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1877 			goto nla_put_failure;
1878 	}
1879 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1880 	    rdev->ops->join_mesh) {
1881 		i++;
1882 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1883 			goto nla_put_failure;
1884 	}
1885 	CMD(set_wds_peer, SET_WDS_PEER);
1886 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1887 		CMD(tdls_mgmt, TDLS_MGMT);
1888 		CMD(tdls_oper, TDLS_OPER);
1889 	}
1890 	if (rdev->wiphy.max_sched_scan_reqs)
1891 		CMD(sched_scan_start, START_SCHED_SCAN);
1892 	CMD(probe_client, PROBE_CLIENT);
1893 	CMD(set_noack_map, SET_NOACK_MAP);
1894 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1895 		i++;
1896 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1897 			goto nla_put_failure;
1898 	}
1899 	CMD(start_p2p_device, START_P2P_DEVICE);
1900 	CMD(set_mcast_rate, SET_MCAST_RATE);
1901 #ifdef CONFIG_NL80211_TESTMODE
1902 	CMD(testmode_cmd, TESTMODE);
1903 #endif
1904 
1905 	if (rdev->ops->connect || rdev->ops->auth) {
1906 		i++;
1907 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1908 			goto nla_put_failure;
1909 	}
1910 
1911 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1912 		i++;
1913 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1914 			goto nla_put_failure;
1915 	}
1916 
1917 	return i;
1918  nla_put_failure:
1919 	return -ENOBUFS;
1920 }
1921 
1922 static int
1923 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1924 			   struct sk_buff *msg)
1925 {
1926 	struct nlattr *ftm;
1927 
1928 	if (!cap->ftm.supported)
1929 		return 0;
1930 
1931 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1932 	if (!ftm)
1933 		return -ENOBUFS;
1934 
1935 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1936 		return -ENOBUFS;
1937 	if (cap->ftm.non_asap &&
1938 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1939 		return -ENOBUFS;
1940 	if (cap->ftm.request_lci &&
1941 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1942 		return -ENOBUFS;
1943 	if (cap->ftm.request_civicloc &&
1944 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1945 		return -ENOBUFS;
1946 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1947 			cap->ftm.preambles))
1948 		return -ENOBUFS;
1949 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1950 			cap->ftm.bandwidths))
1951 		return -ENOBUFS;
1952 	if (cap->ftm.max_bursts_exponent >= 0 &&
1953 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1954 			cap->ftm.max_bursts_exponent))
1955 		return -ENOBUFS;
1956 	if (cap->ftm.max_ftms_per_burst &&
1957 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1958 			cap->ftm.max_ftms_per_burst))
1959 		return -ENOBUFS;
1960 	if (cap->ftm.trigger_based &&
1961 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
1962 		return -ENOBUFS;
1963 	if (cap->ftm.non_trigger_based &&
1964 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
1965 		return -ENOBUFS;
1966 
1967 	nla_nest_end(msg, ftm);
1968 	return 0;
1969 }
1970 
1971 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1972 				  struct sk_buff *msg)
1973 {
1974 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1975 	struct nlattr *pmsr, *caps;
1976 
1977 	if (!cap)
1978 		return 0;
1979 
1980 	/*
1981 	 * we don't need to clean up anything here since the caller
1982 	 * will genlmsg_cancel() if we fail
1983 	 */
1984 
1985 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1986 	if (!pmsr)
1987 		return -ENOBUFS;
1988 
1989 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1990 		return -ENOBUFS;
1991 
1992 	if (cap->report_ap_tsf &&
1993 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1994 		return -ENOBUFS;
1995 
1996 	if (cap->randomize_mac_addr &&
1997 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1998 		return -ENOBUFS;
1999 
2000 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2001 	if (!caps)
2002 		return -ENOBUFS;
2003 
2004 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2005 		return -ENOBUFS;
2006 
2007 	nla_nest_end(msg, caps);
2008 	nla_nest_end(msg, pmsr);
2009 
2010 	return 0;
2011 }
2012 
2013 static int
2014 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2015 			      struct sk_buff *msg)
2016 {
2017 	int i;
2018 	struct nlattr *nested, *nested_akms;
2019 	const struct wiphy_iftype_akm_suites *iftype_akms;
2020 
2021 	if (!rdev->wiphy.num_iftype_akm_suites ||
2022 	    !rdev->wiphy.iftype_akm_suites)
2023 		return 0;
2024 
2025 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2026 	if (!nested)
2027 		return -ENOBUFS;
2028 
2029 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2030 		nested_akms = nla_nest_start(msg, i + 1);
2031 		if (!nested_akms)
2032 			return -ENOBUFS;
2033 
2034 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2035 
2036 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2037 					iftype_akms->iftypes_mask))
2038 			return -ENOBUFS;
2039 
2040 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2041 			    sizeof(u32) * iftype_akms->n_akm_suites,
2042 			    iftype_akms->akm_suites)) {
2043 			return -ENOBUFS;
2044 		}
2045 		nla_nest_end(msg, nested_akms);
2046 	}
2047 
2048 	nla_nest_end(msg, nested);
2049 
2050 	return 0;
2051 }
2052 
2053 static int
2054 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2055 			       struct sk_buff *msg)
2056 {
2057 	struct nlattr *supp;
2058 
2059 	if (!rdev->wiphy.tid_config_support.vif &&
2060 	    !rdev->wiphy.tid_config_support.peer)
2061 		return 0;
2062 
2063 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2064 	if (!supp)
2065 		return -ENOSPC;
2066 
2067 	if (rdev->wiphy.tid_config_support.vif &&
2068 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2069 			      rdev->wiphy.tid_config_support.vif,
2070 			      NL80211_TID_CONFIG_ATTR_PAD))
2071 		goto fail;
2072 
2073 	if (rdev->wiphy.tid_config_support.peer &&
2074 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2075 			      rdev->wiphy.tid_config_support.peer,
2076 			      NL80211_TID_CONFIG_ATTR_PAD))
2077 		goto fail;
2078 
2079 	/* for now we just use the same value ... makes more sense */
2080 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2081 		       rdev->wiphy.tid_config_support.max_retry))
2082 		goto fail;
2083 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2084 		       rdev->wiphy.tid_config_support.max_retry))
2085 		goto fail;
2086 
2087 	nla_nest_end(msg, supp);
2088 
2089 	return 0;
2090 fail:
2091 	nla_nest_cancel(msg, supp);
2092 	return -ENOBUFS;
2093 }
2094 
2095 struct nl80211_dump_wiphy_state {
2096 	s64 filter_wiphy;
2097 	long start;
2098 	long split_start, band_start, chan_start, capa_start;
2099 	bool split;
2100 };
2101 
2102 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2103 			      enum nl80211_commands cmd,
2104 			      struct sk_buff *msg, u32 portid, u32 seq,
2105 			      int flags, struct nl80211_dump_wiphy_state *state)
2106 {
2107 	void *hdr;
2108 	struct nlattr *nl_bands, *nl_band;
2109 	struct nlattr *nl_freqs, *nl_freq;
2110 	struct nlattr *nl_cmds;
2111 	enum nl80211_band band;
2112 	struct ieee80211_channel *chan;
2113 	int i;
2114 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2115 				rdev->wiphy.mgmt_stypes;
2116 	u32 features;
2117 
2118 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2119 	if (!hdr)
2120 		return -ENOBUFS;
2121 
2122 	if (WARN_ON(!state))
2123 		return -EINVAL;
2124 
2125 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2126 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2127 			   wiphy_name(&rdev->wiphy)) ||
2128 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2129 			cfg80211_rdev_list_generation))
2130 		goto nla_put_failure;
2131 
2132 	if (cmd != NL80211_CMD_NEW_WIPHY)
2133 		goto finish;
2134 
2135 	switch (state->split_start) {
2136 	case 0:
2137 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2138 			       rdev->wiphy.retry_short) ||
2139 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2140 			       rdev->wiphy.retry_long) ||
2141 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2142 				rdev->wiphy.frag_threshold) ||
2143 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2144 				rdev->wiphy.rts_threshold) ||
2145 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2146 			       rdev->wiphy.coverage_class) ||
2147 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2148 			       rdev->wiphy.max_scan_ssids) ||
2149 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2150 			       rdev->wiphy.max_sched_scan_ssids) ||
2151 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2152 				rdev->wiphy.max_scan_ie_len) ||
2153 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2154 				rdev->wiphy.max_sched_scan_ie_len) ||
2155 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2156 			       rdev->wiphy.max_match_sets))
2157 			goto nla_put_failure;
2158 
2159 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2160 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2161 			goto nla_put_failure;
2162 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2163 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2164 			goto nla_put_failure;
2165 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2166 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2167 			goto nla_put_failure;
2168 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2169 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2170 			goto nla_put_failure;
2171 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2172 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2173 			goto nla_put_failure;
2174 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2175 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2176 			goto nla_put_failure;
2177 		state->split_start++;
2178 		if (state->split)
2179 			break;
2180 		fallthrough;
2181 	case 1:
2182 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2183 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2184 			    rdev->wiphy.cipher_suites))
2185 			goto nla_put_failure;
2186 
2187 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2188 			       rdev->wiphy.max_num_pmkids))
2189 			goto nla_put_failure;
2190 
2191 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2192 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2193 			goto nla_put_failure;
2194 
2195 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2196 				rdev->wiphy.available_antennas_tx) ||
2197 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2198 				rdev->wiphy.available_antennas_rx))
2199 			goto nla_put_failure;
2200 
2201 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2202 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2203 				rdev->wiphy.probe_resp_offload))
2204 			goto nla_put_failure;
2205 
2206 		if ((rdev->wiphy.available_antennas_tx ||
2207 		     rdev->wiphy.available_antennas_rx) &&
2208 		    rdev->ops->get_antenna) {
2209 			u32 tx_ant = 0, rx_ant = 0;
2210 			int res;
2211 
2212 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2213 			if (!res) {
2214 				if (nla_put_u32(msg,
2215 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2216 						tx_ant) ||
2217 				    nla_put_u32(msg,
2218 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2219 						rx_ant))
2220 					goto nla_put_failure;
2221 			}
2222 		}
2223 
2224 		state->split_start++;
2225 		if (state->split)
2226 			break;
2227 		fallthrough;
2228 	case 2:
2229 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2230 					rdev->wiphy.interface_modes))
2231 				goto nla_put_failure;
2232 		state->split_start++;
2233 		if (state->split)
2234 			break;
2235 		fallthrough;
2236 	case 3:
2237 		nl_bands = nla_nest_start_noflag(msg,
2238 						 NL80211_ATTR_WIPHY_BANDS);
2239 		if (!nl_bands)
2240 			goto nla_put_failure;
2241 
2242 		for (band = state->band_start;
2243 		     band < NUM_NL80211_BANDS; band++) {
2244 			struct ieee80211_supported_band *sband;
2245 
2246 			/* omit higher bands for ancient software */
2247 			if (band > NL80211_BAND_5GHZ && !state->split)
2248 				break;
2249 
2250 			sband = rdev->wiphy.bands[band];
2251 
2252 			if (!sband)
2253 				continue;
2254 
2255 			nl_band = nla_nest_start_noflag(msg, band);
2256 			if (!nl_band)
2257 				goto nla_put_failure;
2258 
2259 			switch (state->chan_start) {
2260 			case 0:
2261 				if (nl80211_send_band_rateinfo(msg, sband,
2262 							       state->split))
2263 					goto nla_put_failure;
2264 				state->chan_start++;
2265 				if (state->split)
2266 					break;
2267 				fallthrough;
2268 			default:
2269 				/* add frequencies */
2270 				nl_freqs = nla_nest_start_noflag(msg,
2271 								 NL80211_BAND_ATTR_FREQS);
2272 				if (!nl_freqs)
2273 					goto nla_put_failure;
2274 
2275 				for (i = state->chan_start - 1;
2276 				     i < sband->n_channels;
2277 				     i++) {
2278 					nl_freq = nla_nest_start_noflag(msg,
2279 									i);
2280 					if (!nl_freq)
2281 						goto nla_put_failure;
2282 
2283 					chan = &sband->channels[i];
2284 
2285 					if (nl80211_msg_put_channel(
2286 							msg, &rdev->wiphy, chan,
2287 							state->split))
2288 						goto nla_put_failure;
2289 
2290 					nla_nest_end(msg, nl_freq);
2291 					if (state->split)
2292 						break;
2293 				}
2294 				if (i < sband->n_channels)
2295 					state->chan_start = i + 2;
2296 				else
2297 					state->chan_start = 0;
2298 				nla_nest_end(msg, nl_freqs);
2299 			}
2300 
2301 			nla_nest_end(msg, nl_band);
2302 
2303 			if (state->split) {
2304 				/* start again here */
2305 				if (state->chan_start)
2306 					band--;
2307 				break;
2308 			}
2309 		}
2310 		nla_nest_end(msg, nl_bands);
2311 
2312 		if (band < NUM_NL80211_BANDS)
2313 			state->band_start = band + 1;
2314 		else
2315 			state->band_start = 0;
2316 
2317 		/* if bands & channels are done, continue outside */
2318 		if (state->band_start == 0 && state->chan_start == 0)
2319 			state->split_start++;
2320 		if (state->split)
2321 			break;
2322 		fallthrough;
2323 	case 4:
2324 		nl_cmds = nla_nest_start_noflag(msg,
2325 						NL80211_ATTR_SUPPORTED_COMMANDS);
2326 		if (!nl_cmds)
2327 			goto nla_put_failure;
2328 
2329 		i = nl80211_add_commands_unsplit(rdev, msg);
2330 		if (i < 0)
2331 			goto nla_put_failure;
2332 		if (state->split) {
2333 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2334 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2335 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2336 				CMD(channel_switch, CHANNEL_SWITCH);
2337 			CMD(set_qos_map, SET_QOS_MAP);
2338 			if (rdev->wiphy.features &
2339 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2340 				CMD(add_tx_ts, ADD_TX_TS);
2341 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2342 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2343 			CMD(update_ft_ies, UPDATE_FT_IES);
2344 		}
2345 #undef CMD
2346 
2347 		nla_nest_end(msg, nl_cmds);
2348 		state->split_start++;
2349 		if (state->split)
2350 			break;
2351 		fallthrough;
2352 	case 5:
2353 		if (rdev->ops->remain_on_channel &&
2354 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2355 		    nla_put_u32(msg,
2356 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2357 				rdev->wiphy.max_remain_on_channel_duration))
2358 			goto nla_put_failure;
2359 
2360 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2361 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2362 			goto nla_put_failure;
2363 
2364 		state->split_start++;
2365 		if (state->split)
2366 			break;
2367 		fallthrough;
2368 	case 6:
2369 #ifdef CONFIG_PM
2370 		if (nl80211_send_wowlan(msg, rdev, state->split))
2371 			goto nla_put_failure;
2372 		state->split_start++;
2373 		if (state->split)
2374 			break;
2375 #else
2376 		state->split_start++;
2377 #endif
2378 		fallthrough;
2379 	case 7:
2380 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2381 					rdev->wiphy.software_iftypes))
2382 			goto nla_put_failure;
2383 
2384 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2385 						   state->split))
2386 			goto nla_put_failure;
2387 
2388 		state->split_start++;
2389 		if (state->split)
2390 			break;
2391 		fallthrough;
2392 	case 8:
2393 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2394 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2395 				rdev->wiphy.ap_sme_capa))
2396 			goto nla_put_failure;
2397 
2398 		features = rdev->wiphy.features;
2399 		/*
2400 		 * We can only add the per-channel limit information if the
2401 		 * dump is split, otherwise it makes it too big. Therefore
2402 		 * only advertise it in that case.
2403 		 */
2404 		if (state->split)
2405 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2406 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2407 			goto nla_put_failure;
2408 
2409 		if (rdev->wiphy.ht_capa_mod_mask &&
2410 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2411 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2412 			    rdev->wiphy.ht_capa_mod_mask))
2413 			goto nla_put_failure;
2414 
2415 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2416 		    rdev->wiphy.max_acl_mac_addrs &&
2417 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2418 				rdev->wiphy.max_acl_mac_addrs))
2419 			goto nla_put_failure;
2420 
2421 		/*
2422 		 * Any information below this point is only available to
2423 		 * applications that can deal with it being split. This
2424 		 * helps ensure that newly added capabilities don't break
2425 		 * older tools by overrunning their buffers.
2426 		 *
2427 		 * We still increment split_start so that in the split
2428 		 * case we'll continue with more data in the next round,
2429 		 * but break unconditionally so unsplit data stops here.
2430 		 */
2431 		if (state->split)
2432 			state->split_start++;
2433 		else
2434 			state->split_start = 0;
2435 		break;
2436 	case 9:
2437 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2438 			goto nla_put_failure;
2439 
2440 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2441 				rdev->wiphy.max_sched_scan_plans) ||
2442 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2443 				rdev->wiphy.max_sched_scan_plan_interval) ||
2444 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2445 				rdev->wiphy.max_sched_scan_plan_iterations))
2446 			goto nla_put_failure;
2447 
2448 		if (rdev->wiphy.extended_capabilities &&
2449 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2450 			     rdev->wiphy.extended_capabilities_len,
2451 			     rdev->wiphy.extended_capabilities) ||
2452 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2453 			     rdev->wiphy.extended_capabilities_len,
2454 			     rdev->wiphy.extended_capabilities_mask)))
2455 			goto nla_put_failure;
2456 
2457 		if (rdev->wiphy.vht_capa_mod_mask &&
2458 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2459 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2460 			    rdev->wiphy.vht_capa_mod_mask))
2461 			goto nla_put_failure;
2462 
2463 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2464 			    rdev->wiphy.perm_addr))
2465 			goto nla_put_failure;
2466 
2467 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2468 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2469 			    rdev->wiphy.addr_mask))
2470 			goto nla_put_failure;
2471 
2472 		if (rdev->wiphy.n_addresses > 1) {
2473 			void *attr;
2474 
2475 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2476 			if (!attr)
2477 				goto nla_put_failure;
2478 
2479 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2480 				if (nla_put(msg, i + 1, ETH_ALEN,
2481 					    rdev->wiphy.addresses[i].addr))
2482 					goto nla_put_failure;
2483 
2484 			nla_nest_end(msg, attr);
2485 		}
2486 
2487 		state->split_start++;
2488 		break;
2489 	case 10:
2490 		if (nl80211_send_coalesce(msg, rdev))
2491 			goto nla_put_failure;
2492 
2493 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2494 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2495 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2496 			goto nla_put_failure;
2497 
2498 		if (rdev->wiphy.max_ap_assoc_sta &&
2499 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2500 				rdev->wiphy.max_ap_assoc_sta))
2501 			goto nla_put_failure;
2502 
2503 		state->split_start++;
2504 		break;
2505 	case 11:
2506 		if (rdev->wiphy.n_vendor_commands) {
2507 			const struct nl80211_vendor_cmd_info *info;
2508 			struct nlattr *nested;
2509 
2510 			nested = nla_nest_start_noflag(msg,
2511 						       NL80211_ATTR_VENDOR_DATA);
2512 			if (!nested)
2513 				goto nla_put_failure;
2514 
2515 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2516 				info = &rdev->wiphy.vendor_commands[i].info;
2517 				if (nla_put(msg, i + 1, sizeof(*info), info))
2518 					goto nla_put_failure;
2519 			}
2520 			nla_nest_end(msg, nested);
2521 		}
2522 
2523 		if (rdev->wiphy.n_vendor_events) {
2524 			const struct nl80211_vendor_cmd_info *info;
2525 			struct nlattr *nested;
2526 
2527 			nested = nla_nest_start_noflag(msg,
2528 						       NL80211_ATTR_VENDOR_EVENTS);
2529 			if (!nested)
2530 				goto nla_put_failure;
2531 
2532 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2533 				info = &rdev->wiphy.vendor_events[i];
2534 				if (nla_put(msg, i + 1, sizeof(*info), info))
2535 					goto nla_put_failure;
2536 			}
2537 			nla_nest_end(msg, nested);
2538 		}
2539 		state->split_start++;
2540 		break;
2541 	case 12:
2542 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2543 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2544 			       rdev->wiphy.max_num_csa_counters))
2545 			goto nla_put_failure;
2546 
2547 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2548 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2549 			goto nla_put_failure;
2550 
2551 		if (rdev->wiphy.max_sched_scan_reqs &&
2552 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2553 				rdev->wiphy.max_sched_scan_reqs))
2554 			goto nla_put_failure;
2555 
2556 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2557 			    sizeof(rdev->wiphy.ext_features),
2558 			    rdev->wiphy.ext_features))
2559 			goto nla_put_failure;
2560 
2561 		if (rdev->wiphy.bss_select_support) {
2562 			struct nlattr *nested;
2563 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2564 
2565 			nested = nla_nest_start_noflag(msg,
2566 						       NL80211_ATTR_BSS_SELECT);
2567 			if (!nested)
2568 				goto nla_put_failure;
2569 
2570 			i = 0;
2571 			while (bss_select_support) {
2572 				if ((bss_select_support & 1) &&
2573 				    nla_put_flag(msg, i))
2574 					goto nla_put_failure;
2575 				i++;
2576 				bss_select_support >>= 1;
2577 			}
2578 			nla_nest_end(msg, nested);
2579 		}
2580 
2581 		state->split_start++;
2582 		break;
2583 	case 13:
2584 		if (rdev->wiphy.num_iftype_ext_capab &&
2585 		    rdev->wiphy.iftype_ext_capab) {
2586 			struct nlattr *nested_ext_capab, *nested;
2587 
2588 			nested = nla_nest_start_noflag(msg,
2589 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2590 			if (!nested)
2591 				goto nla_put_failure;
2592 
2593 			for (i = state->capa_start;
2594 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2595 				const struct wiphy_iftype_ext_capab *capab;
2596 
2597 				capab = &rdev->wiphy.iftype_ext_capab[i];
2598 
2599 				nested_ext_capab = nla_nest_start_noflag(msg,
2600 									 i);
2601 				if (!nested_ext_capab ||
2602 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2603 						capab->iftype) ||
2604 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2605 					    capab->extended_capabilities_len,
2606 					    capab->extended_capabilities) ||
2607 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2608 					    capab->extended_capabilities_len,
2609 					    capab->extended_capabilities_mask))
2610 					goto nla_put_failure;
2611 
2612 				nla_nest_end(msg, nested_ext_capab);
2613 				if (state->split)
2614 					break;
2615 			}
2616 			nla_nest_end(msg, nested);
2617 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2618 				state->capa_start = i + 1;
2619 				break;
2620 			}
2621 		}
2622 
2623 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2624 				rdev->wiphy.nan_supported_bands))
2625 			goto nla_put_failure;
2626 
2627 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2628 					    NL80211_EXT_FEATURE_TXQS)) {
2629 			struct cfg80211_txq_stats txqstats = {};
2630 			int res;
2631 
2632 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2633 			if (!res &&
2634 			    !nl80211_put_txq_stats(msg, &txqstats,
2635 						   NL80211_ATTR_TXQ_STATS))
2636 				goto nla_put_failure;
2637 
2638 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2639 					rdev->wiphy.txq_limit))
2640 				goto nla_put_failure;
2641 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2642 					rdev->wiphy.txq_memory_limit))
2643 				goto nla_put_failure;
2644 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2645 					rdev->wiphy.txq_quantum))
2646 				goto nla_put_failure;
2647 		}
2648 
2649 		state->split_start++;
2650 		break;
2651 	case 14:
2652 		if (nl80211_send_pmsr_capa(rdev, msg))
2653 			goto nla_put_failure;
2654 
2655 		state->split_start++;
2656 		break;
2657 	case 15:
2658 		if (rdev->wiphy.akm_suites &&
2659 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2660 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2661 			    rdev->wiphy.akm_suites))
2662 			goto nla_put_failure;
2663 
2664 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2665 			goto nla_put_failure;
2666 
2667 		if (nl80211_put_tid_config_support(rdev, msg))
2668 			goto nla_put_failure;
2669 
2670 		/* done */
2671 		state->split_start = 0;
2672 		break;
2673 	}
2674  finish:
2675 	genlmsg_end(msg, hdr);
2676 	return 0;
2677 
2678  nla_put_failure:
2679 	genlmsg_cancel(msg, hdr);
2680 	return -EMSGSIZE;
2681 }
2682 
2683 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2684 				    struct netlink_callback *cb,
2685 				    struct nl80211_dump_wiphy_state *state)
2686 {
2687 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2688 	int ret;
2689 
2690 	if (!tb)
2691 		return -ENOMEM;
2692 
2693 	ret = nlmsg_parse_deprecated(cb->nlh,
2694 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2695 				     tb, nl80211_fam.maxattr,
2696 				     nl80211_policy, NULL);
2697 	/* ignore parse errors for backward compatibility */
2698 	if (ret) {
2699 		ret = 0;
2700 		goto out;
2701 	}
2702 
2703 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2704 	if (tb[NL80211_ATTR_WIPHY])
2705 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2706 	if (tb[NL80211_ATTR_WDEV])
2707 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2708 	if (tb[NL80211_ATTR_IFINDEX]) {
2709 		struct net_device *netdev;
2710 		struct cfg80211_registered_device *rdev;
2711 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2712 
2713 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2714 		if (!netdev) {
2715 			ret = -ENODEV;
2716 			goto out;
2717 		}
2718 		if (netdev->ieee80211_ptr) {
2719 			rdev = wiphy_to_rdev(
2720 				netdev->ieee80211_ptr->wiphy);
2721 			state->filter_wiphy = rdev->wiphy_idx;
2722 		}
2723 	}
2724 
2725 	ret = 0;
2726 out:
2727 	kfree(tb);
2728 	return ret;
2729 }
2730 
2731 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2732 {
2733 	int idx = 0, ret;
2734 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2735 	struct cfg80211_registered_device *rdev;
2736 
2737 	rtnl_lock();
2738 	if (!state) {
2739 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2740 		if (!state) {
2741 			rtnl_unlock();
2742 			return -ENOMEM;
2743 		}
2744 		state->filter_wiphy = -1;
2745 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2746 		if (ret) {
2747 			kfree(state);
2748 			rtnl_unlock();
2749 			return ret;
2750 		}
2751 		cb->args[0] = (long)state;
2752 	}
2753 
2754 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2755 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2756 			continue;
2757 		if (++idx <= state->start)
2758 			continue;
2759 		if (state->filter_wiphy != -1 &&
2760 		    state->filter_wiphy != rdev->wiphy_idx)
2761 			continue;
2762 		/* attempt to fit multiple wiphy data chunks into the skb */
2763 		do {
2764 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2765 						 skb,
2766 						 NETLINK_CB(cb->skb).portid,
2767 						 cb->nlh->nlmsg_seq,
2768 						 NLM_F_MULTI, state);
2769 			if (ret < 0) {
2770 				/*
2771 				 * If sending the wiphy data didn't fit (ENOBUFS
2772 				 * or EMSGSIZE returned), this SKB is still
2773 				 * empty (so it's not too big because another
2774 				 * wiphy dataset is already in the skb) and
2775 				 * we've not tried to adjust the dump allocation
2776 				 * yet ... then adjust the alloc size to be
2777 				 * bigger, and return 1 but with the empty skb.
2778 				 * This results in an empty message being RX'ed
2779 				 * in userspace, but that is ignored.
2780 				 *
2781 				 * We can then retry with the larger buffer.
2782 				 */
2783 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2784 				    !skb->len && !state->split &&
2785 				    cb->min_dump_alloc < 4096) {
2786 					cb->min_dump_alloc = 4096;
2787 					state->split_start = 0;
2788 					rtnl_unlock();
2789 					return 1;
2790 				}
2791 				idx--;
2792 				break;
2793 			}
2794 		} while (state->split_start > 0);
2795 		break;
2796 	}
2797 	rtnl_unlock();
2798 
2799 	state->start = idx;
2800 
2801 	return skb->len;
2802 }
2803 
2804 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2805 {
2806 	kfree((void *)cb->args[0]);
2807 	return 0;
2808 }
2809 
2810 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2811 {
2812 	struct sk_buff *msg;
2813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2814 	struct nl80211_dump_wiphy_state state = {};
2815 
2816 	msg = nlmsg_new(4096, GFP_KERNEL);
2817 	if (!msg)
2818 		return -ENOMEM;
2819 
2820 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2821 			       info->snd_portid, info->snd_seq, 0,
2822 			       &state) < 0) {
2823 		nlmsg_free(msg);
2824 		return -ENOBUFS;
2825 	}
2826 
2827 	return genlmsg_reply(msg, info);
2828 }
2829 
2830 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2831 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2832 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2833 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2834 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2835 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2836 };
2837 
2838 static int parse_txq_params(struct nlattr *tb[],
2839 			    struct ieee80211_txq_params *txq_params)
2840 {
2841 	u8 ac;
2842 
2843 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2844 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2845 	    !tb[NL80211_TXQ_ATTR_AIFS])
2846 		return -EINVAL;
2847 
2848 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2849 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2850 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2851 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2852 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2853 
2854 	if (ac >= NL80211_NUM_ACS)
2855 		return -EINVAL;
2856 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2857 	return 0;
2858 }
2859 
2860 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2861 {
2862 	/*
2863 	 * You can only set the channel explicitly for WDS interfaces,
2864 	 * all others have their channel managed via their respective
2865 	 * "establish a connection" command (connect, join, ...)
2866 	 *
2867 	 * For AP/GO and mesh mode, the channel can be set with the
2868 	 * channel userspace API, but is only stored and passed to the
2869 	 * low-level driver when the AP starts or the mesh is joined.
2870 	 * This is for backward compatibility, userspace can also give
2871 	 * the channel in the start-ap or join-mesh commands instead.
2872 	 *
2873 	 * Monitors are special as they are normally slaved to
2874 	 * whatever else is going on, so they have their own special
2875 	 * operation to set the monitor channel if possible.
2876 	 */
2877 	return !wdev ||
2878 		wdev->iftype == NL80211_IFTYPE_AP ||
2879 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2880 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2881 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2882 }
2883 
2884 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2885 			  struct genl_info *info,
2886 			  struct cfg80211_chan_def *chandef)
2887 {
2888 	struct netlink_ext_ack *extack = info->extack;
2889 	struct nlattr **attrs = info->attrs;
2890 	u32 control_freq;
2891 
2892 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2893 		return -EINVAL;
2894 
2895 	control_freq = MHZ_TO_KHZ(
2896 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
2897 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
2898 		control_freq +=
2899 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
2900 
2901 	memset(chandef, 0, sizeof(*chandef));
2902 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
2903 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2904 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
2905 	chandef->freq1_offset = control_freq % 1000;
2906 	chandef->center_freq2 = 0;
2907 
2908 	/* Primary channel not allowed */
2909 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2910 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2911 				    "Channel is disabled");
2912 		return -EINVAL;
2913 	}
2914 
2915 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2916 		enum nl80211_channel_type chantype;
2917 
2918 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2919 
2920 		switch (chantype) {
2921 		case NL80211_CHAN_NO_HT:
2922 		case NL80211_CHAN_HT20:
2923 		case NL80211_CHAN_HT40PLUS:
2924 		case NL80211_CHAN_HT40MINUS:
2925 			cfg80211_chandef_create(chandef, chandef->chan,
2926 						chantype);
2927 			/* user input for center_freq is incorrect */
2928 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2929 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2930 				NL_SET_ERR_MSG_ATTR(extack,
2931 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2932 						    "bad center frequency 1");
2933 				return -EINVAL;
2934 			}
2935 			/* center_freq2 must be zero */
2936 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2937 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2938 				NL_SET_ERR_MSG_ATTR(extack,
2939 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2940 						    "center frequency 2 can't be used");
2941 				return -EINVAL;
2942 			}
2943 			break;
2944 		default:
2945 			NL_SET_ERR_MSG_ATTR(extack,
2946 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2947 					    "invalid channel type");
2948 			return -EINVAL;
2949 		}
2950 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2951 		chandef->width =
2952 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2953 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
2954 			chandef->center_freq1 =
2955 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2956 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
2957 				chandef->freq1_offset = nla_get_u32(
2958 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
2959 			else
2960 				chandef->freq1_offset = 0;
2961 		}
2962 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2963 			chandef->center_freq2 =
2964 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2965 	}
2966 
2967 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2968 		chandef->edmg.channels =
2969 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2970 
2971 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2972 			chandef->edmg.bw_config =
2973 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2974 	} else {
2975 		chandef->edmg.bw_config = 0;
2976 		chandef->edmg.channels = 0;
2977 	}
2978 
2979 	if (!cfg80211_chandef_valid(chandef)) {
2980 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2981 		return -EINVAL;
2982 	}
2983 
2984 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2985 				     IEEE80211_CHAN_DISABLED)) {
2986 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2987 		return -EINVAL;
2988 	}
2989 
2990 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2991 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2992 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2993 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2994 		return -EINVAL;
2995 	}
2996 
2997 	return 0;
2998 }
2999 
3000 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3001 				 struct net_device *dev,
3002 				 struct genl_info *info)
3003 {
3004 	struct cfg80211_chan_def chandef;
3005 	int result;
3006 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3007 	struct wireless_dev *wdev = NULL;
3008 
3009 	if (dev)
3010 		wdev = dev->ieee80211_ptr;
3011 	if (!nl80211_can_set_dev_channel(wdev))
3012 		return -EOPNOTSUPP;
3013 	if (wdev)
3014 		iftype = wdev->iftype;
3015 
3016 	result = nl80211_parse_chandef(rdev, info, &chandef);
3017 	if (result)
3018 		return result;
3019 
3020 	switch (iftype) {
3021 	case NL80211_IFTYPE_AP:
3022 	case NL80211_IFTYPE_P2P_GO:
3023 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3024 						   iftype)) {
3025 			result = -EINVAL;
3026 			break;
3027 		}
3028 		if (wdev->beacon_interval) {
3029 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3030 			    !(rdev->wiphy.features &
3031 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3032 				result = -EBUSY;
3033 				break;
3034 			}
3035 
3036 			/* Only allow dynamic channel width changes */
3037 			if (chandef.chan != wdev->preset_chandef.chan) {
3038 				result = -EBUSY;
3039 				break;
3040 			}
3041 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3042 			if (result)
3043 				break;
3044 		}
3045 		wdev->preset_chandef = chandef;
3046 		result = 0;
3047 		break;
3048 	case NL80211_IFTYPE_MESH_POINT:
3049 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3050 		break;
3051 	case NL80211_IFTYPE_MONITOR:
3052 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3053 		break;
3054 	default:
3055 		result = -EINVAL;
3056 	}
3057 
3058 	return result;
3059 }
3060 
3061 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3062 {
3063 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3064 	struct net_device *netdev = info->user_ptr[1];
3065 
3066 	return __nl80211_set_channel(rdev, netdev, info);
3067 }
3068 
3069 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
3070 {
3071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3072 	struct net_device *dev = info->user_ptr[1];
3073 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3074 	const u8 *bssid;
3075 
3076 	if (!info->attrs[NL80211_ATTR_MAC])
3077 		return -EINVAL;
3078 
3079 	if (netif_running(dev))
3080 		return -EBUSY;
3081 
3082 	if (!rdev->ops->set_wds_peer)
3083 		return -EOPNOTSUPP;
3084 
3085 	if (wdev->iftype != NL80211_IFTYPE_WDS)
3086 		return -EOPNOTSUPP;
3087 
3088 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
3089 	return rdev_set_wds_peer(rdev, dev, bssid);
3090 }
3091 
3092 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3093 {
3094 	struct cfg80211_registered_device *rdev;
3095 	struct net_device *netdev = NULL;
3096 	struct wireless_dev *wdev;
3097 	int result = 0, rem_txq_params = 0;
3098 	struct nlattr *nl_txq_params;
3099 	u32 changed;
3100 	u8 retry_short = 0, retry_long = 0;
3101 	u32 frag_threshold = 0, rts_threshold = 0;
3102 	u8 coverage_class = 0;
3103 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3104 
3105 	ASSERT_RTNL();
3106 
3107 	/*
3108 	 * Try to find the wiphy and netdev. Normally this
3109 	 * function shouldn't need the netdev, but this is
3110 	 * done for backward compatibility -- previously
3111 	 * setting the channel was done per wiphy, but now
3112 	 * it is per netdev. Previous userland like hostapd
3113 	 * also passed a netdev to set_wiphy, so that it is
3114 	 * possible to let that go to the right netdev!
3115 	 */
3116 
3117 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3118 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3119 
3120 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3121 		if (netdev && netdev->ieee80211_ptr)
3122 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3123 		else
3124 			netdev = NULL;
3125 	}
3126 
3127 	if (!netdev) {
3128 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3129 						  info->attrs);
3130 		if (IS_ERR(rdev))
3131 			return PTR_ERR(rdev);
3132 		wdev = NULL;
3133 		netdev = NULL;
3134 		result = 0;
3135 	} else
3136 		wdev = netdev->ieee80211_ptr;
3137 
3138 	/*
3139 	 * end workaround code, by now the rdev is available
3140 	 * and locked, and wdev may or may not be NULL.
3141 	 */
3142 
3143 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3144 		result = cfg80211_dev_rename(
3145 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3146 
3147 	if (result)
3148 		return result;
3149 
3150 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3151 		struct ieee80211_txq_params txq_params;
3152 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3153 
3154 		if (!rdev->ops->set_txq_params)
3155 			return -EOPNOTSUPP;
3156 
3157 		if (!netdev)
3158 			return -EINVAL;
3159 
3160 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3161 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3162 			return -EINVAL;
3163 
3164 		if (!netif_running(netdev))
3165 			return -ENETDOWN;
3166 
3167 		nla_for_each_nested(nl_txq_params,
3168 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3169 				    rem_txq_params) {
3170 			result = nla_parse_nested_deprecated(tb,
3171 							     NL80211_TXQ_ATTR_MAX,
3172 							     nl_txq_params,
3173 							     txq_params_policy,
3174 							     info->extack);
3175 			if (result)
3176 				return result;
3177 			result = parse_txq_params(tb, &txq_params);
3178 			if (result)
3179 				return result;
3180 
3181 			result = rdev_set_txq_params(rdev, netdev,
3182 						     &txq_params);
3183 			if (result)
3184 				return result;
3185 		}
3186 	}
3187 
3188 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3189 		result = __nl80211_set_channel(
3190 			rdev,
3191 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3192 			info);
3193 		if (result)
3194 			return result;
3195 	}
3196 
3197 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3198 		struct wireless_dev *txp_wdev = wdev;
3199 		enum nl80211_tx_power_setting type;
3200 		int idx, mbm = 0;
3201 
3202 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3203 			txp_wdev = NULL;
3204 
3205 		if (!rdev->ops->set_tx_power)
3206 			return -EOPNOTSUPP;
3207 
3208 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3209 		type = nla_get_u32(info->attrs[idx]);
3210 
3211 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3212 		    (type != NL80211_TX_POWER_AUTOMATIC))
3213 			return -EINVAL;
3214 
3215 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3216 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3217 			mbm = nla_get_u32(info->attrs[idx]);
3218 		}
3219 
3220 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3221 		if (result)
3222 			return result;
3223 	}
3224 
3225 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3226 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3227 		u32 tx_ant, rx_ant;
3228 
3229 		if ((!rdev->wiphy.available_antennas_tx &&
3230 		     !rdev->wiphy.available_antennas_rx) ||
3231 		    !rdev->ops->set_antenna)
3232 			return -EOPNOTSUPP;
3233 
3234 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3235 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3236 
3237 		/* reject antenna configurations which don't match the
3238 		 * available antenna masks, except for the "all" mask */
3239 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3240 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3241 			return -EINVAL;
3242 
3243 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3244 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3245 
3246 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3247 		if (result)
3248 			return result;
3249 	}
3250 
3251 	changed = 0;
3252 
3253 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3254 		retry_short = nla_get_u8(
3255 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3256 
3257 		changed |= WIPHY_PARAM_RETRY_SHORT;
3258 	}
3259 
3260 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3261 		retry_long = nla_get_u8(
3262 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3263 
3264 		changed |= WIPHY_PARAM_RETRY_LONG;
3265 	}
3266 
3267 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3268 		frag_threshold = nla_get_u32(
3269 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3270 		if (frag_threshold < 256)
3271 			return -EINVAL;
3272 
3273 		if (frag_threshold != (u32) -1) {
3274 			/*
3275 			 * Fragments (apart from the last one) are required to
3276 			 * have even length. Make the fragmentation code
3277 			 * simpler by stripping LSB should someone try to use
3278 			 * odd threshold value.
3279 			 */
3280 			frag_threshold &= ~0x1;
3281 		}
3282 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3283 	}
3284 
3285 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3286 		rts_threshold = nla_get_u32(
3287 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3288 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3289 	}
3290 
3291 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3292 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3293 			return -EINVAL;
3294 
3295 		coverage_class = nla_get_u8(
3296 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3297 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3298 	}
3299 
3300 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3301 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3302 			return -EOPNOTSUPP;
3303 
3304 		changed |= WIPHY_PARAM_DYN_ACK;
3305 	}
3306 
3307 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3308 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3309 					     NL80211_EXT_FEATURE_TXQS))
3310 			return -EOPNOTSUPP;
3311 		txq_limit = nla_get_u32(
3312 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3313 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3314 	}
3315 
3316 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3317 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3318 					     NL80211_EXT_FEATURE_TXQS))
3319 			return -EOPNOTSUPP;
3320 		txq_memory_limit = nla_get_u32(
3321 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3322 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3323 	}
3324 
3325 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3326 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3327 					     NL80211_EXT_FEATURE_TXQS))
3328 			return -EOPNOTSUPP;
3329 		txq_quantum = nla_get_u32(
3330 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3331 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3332 	}
3333 
3334 	if (changed) {
3335 		u8 old_retry_short, old_retry_long;
3336 		u32 old_frag_threshold, old_rts_threshold;
3337 		u8 old_coverage_class;
3338 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3339 
3340 		if (!rdev->ops->set_wiphy_params)
3341 			return -EOPNOTSUPP;
3342 
3343 		old_retry_short = rdev->wiphy.retry_short;
3344 		old_retry_long = rdev->wiphy.retry_long;
3345 		old_frag_threshold = rdev->wiphy.frag_threshold;
3346 		old_rts_threshold = rdev->wiphy.rts_threshold;
3347 		old_coverage_class = rdev->wiphy.coverage_class;
3348 		old_txq_limit = rdev->wiphy.txq_limit;
3349 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3350 		old_txq_quantum = rdev->wiphy.txq_quantum;
3351 
3352 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3353 			rdev->wiphy.retry_short = retry_short;
3354 		if (changed & WIPHY_PARAM_RETRY_LONG)
3355 			rdev->wiphy.retry_long = retry_long;
3356 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3357 			rdev->wiphy.frag_threshold = frag_threshold;
3358 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3359 			rdev->wiphy.rts_threshold = rts_threshold;
3360 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3361 			rdev->wiphy.coverage_class = coverage_class;
3362 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3363 			rdev->wiphy.txq_limit = txq_limit;
3364 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3365 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3366 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3367 			rdev->wiphy.txq_quantum = txq_quantum;
3368 
3369 		result = rdev_set_wiphy_params(rdev, changed);
3370 		if (result) {
3371 			rdev->wiphy.retry_short = old_retry_short;
3372 			rdev->wiphy.retry_long = old_retry_long;
3373 			rdev->wiphy.frag_threshold = old_frag_threshold;
3374 			rdev->wiphy.rts_threshold = old_rts_threshold;
3375 			rdev->wiphy.coverage_class = old_coverage_class;
3376 			rdev->wiphy.txq_limit = old_txq_limit;
3377 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3378 			rdev->wiphy.txq_quantum = old_txq_quantum;
3379 			return result;
3380 		}
3381 	}
3382 	return 0;
3383 }
3384 
3385 static int nl80211_send_chandef(struct sk_buff *msg,
3386 				const struct cfg80211_chan_def *chandef)
3387 {
3388 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3389 		return -EINVAL;
3390 
3391 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3392 			chandef->chan->center_freq))
3393 		return -ENOBUFS;
3394 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3395 			chandef->chan->freq_offset))
3396 		return -ENOBUFS;
3397 	switch (chandef->width) {
3398 	case NL80211_CHAN_WIDTH_20_NOHT:
3399 	case NL80211_CHAN_WIDTH_20:
3400 	case NL80211_CHAN_WIDTH_40:
3401 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3402 				cfg80211_get_chandef_type(chandef)))
3403 			return -ENOBUFS;
3404 		break;
3405 	default:
3406 		break;
3407 	}
3408 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3409 		return -ENOBUFS;
3410 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3411 		return -ENOBUFS;
3412 	if (chandef->center_freq2 &&
3413 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3414 		return -ENOBUFS;
3415 	return 0;
3416 }
3417 
3418 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3419 			      struct cfg80211_registered_device *rdev,
3420 			      struct wireless_dev *wdev,
3421 			      enum nl80211_commands cmd)
3422 {
3423 	struct net_device *dev = wdev->netdev;
3424 	void *hdr;
3425 
3426 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3427 		cmd != NL80211_CMD_DEL_INTERFACE &&
3428 		cmd != NL80211_CMD_SET_INTERFACE);
3429 
3430 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3431 	if (!hdr)
3432 		return -1;
3433 
3434 	if (dev &&
3435 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3436 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3437 		goto nla_put_failure;
3438 
3439 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3440 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3441 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3442 			      NL80211_ATTR_PAD) ||
3443 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3444 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3445 			rdev->devlist_generation ^
3446 			(cfg80211_rdev_list_generation << 2)) ||
3447 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3448 		goto nla_put_failure;
3449 
3450 	if (rdev->ops->get_channel) {
3451 		int ret;
3452 		struct cfg80211_chan_def chandef = {};
3453 
3454 		ret = rdev_get_channel(rdev, wdev, &chandef);
3455 		if (ret == 0) {
3456 			if (nl80211_send_chandef(msg, &chandef))
3457 				goto nla_put_failure;
3458 		}
3459 	}
3460 
3461 	if (rdev->ops->get_tx_power) {
3462 		int dbm, ret;
3463 
3464 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3465 		if (ret == 0 &&
3466 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3467 				DBM_TO_MBM(dbm)))
3468 			goto nla_put_failure;
3469 	}
3470 
3471 	wdev_lock(wdev);
3472 	switch (wdev->iftype) {
3473 	case NL80211_IFTYPE_AP:
3474 		if (wdev->ssid_len &&
3475 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3476 			goto nla_put_failure_locked;
3477 		break;
3478 	case NL80211_IFTYPE_STATION:
3479 	case NL80211_IFTYPE_P2P_CLIENT:
3480 	case NL80211_IFTYPE_ADHOC: {
3481 		const u8 *ssid_ie;
3482 		if (!wdev->current_bss)
3483 			break;
3484 		rcu_read_lock();
3485 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3486 					       WLAN_EID_SSID);
3487 		if (ssid_ie &&
3488 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3489 			goto nla_put_failure_rcu_locked;
3490 		rcu_read_unlock();
3491 		break;
3492 		}
3493 	default:
3494 		/* nothing */
3495 		break;
3496 	}
3497 	wdev_unlock(wdev);
3498 
3499 	if (rdev->ops->get_txq_stats) {
3500 		struct cfg80211_txq_stats txqstats = {};
3501 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3502 
3503 		if (ret == 0 &&
3504 		    !nl80211_put_txq_stats(msg, &txqstats,
3505 					   NL80211_ATTR_TXQ_STATS))
3506 			goto nla_put_failure;
3507 	}
3508 
3509 	genlmsg_end(msg, hdr);
3510 	return 0;
3511 
3512  nla_put_failure_rcu_locked:
3513 	rcu_read_unlock();
3514  nla_put_failure_locked:
3515 	wdev_unlock(wdev);
3516  nla_put_failure:
3517 	genlmsg_cancel(msg, hdr);
3518 	return -EMSGSIZE;
3519 }
3520 
3521 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3522 {
3523 	int wp_idx = 0;
3524 	int if_idx = 0;
3525 	int wp_start = cb->args[0];
3526 	int if_start = cb->args[1];
3527 	int filter_wiphy = -1;
3528 	struct cfg80211_registered_device *rdev;
3529 	struct wireless_dev *wdev;
3530 	int ret;
3531 
3532 	rtnl_lock();
3533 	if (!cb->args[2]) {
3534 		struct nl80211_dump_wiphy_state state = {
3535 			.filter_wiphy = -1,
3536 		};
3537 
3538 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3539 		if (ret)
3540 			goto out_unlock;
3541 
3542 		filter_wiphy = state.filter_wiphy;
3543 
3544 		/*
3545 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3546 		 * value needed to determine that parsing is necessary.
3547 		 */
3548 		if (filter_wiphy >= 0)
3549 			cb->args[2] = filter_wiphy + 1;
3550 		else
3551 			cb->args[2] = -1;
3552 	} else if (cb->args[2] > 0) {
3553 		filter_wiphy = cb->args[2] - 1;
3554 	}
3555 
3556 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3557 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3558 			continue;
3559 		if (wp_idx < wp_start) {
3560 			wp_idx++;
3561 			continue;
3562 		}
3563 
3564 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3565 			continue;
3566 
3567 		if_idx = 0;
3568 
3569 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3570 			if (if_idx < if_start) {
3571 				if_idx++;
3572 				continue;
3573 			}
3574 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3575 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3576 					       rdev, wdev,
3577 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3578 				goto out;
3579 			}
3580 			if_idx++;
3581 		}
3582 
3583 		wp_idx++;
3584 	}
3585  out:
3586 	cb->args[0] = wp_idx;
3587 	cb->args[1] = if_idx;
3588 
3589 	ret = skb->len;
3590  out_unlock:
3591 	rtnl_unlock();
3592 
3593 	return ret;
3594 }
3595 
3596 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3597 {
3598 	struct sk_buff *msg;
3599 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3600 	struct wireless_dev *wdev = info->user_ptr[1];
3601 
3602 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3603 	if (!msg)
3604 		return -ENOMEM;
3605 
3606 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3607 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3608 		nlmsg_free(msg);
3609 		return -ENOBUFS;
3610 	}
3611 
3612 	return genlmsg_reply(msg, info);
3613 }
3614 
3615 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3616 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3617 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3618 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3619 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3620 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3621 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3622 };
3623 
3624 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3625 {
3626 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3627 	int flag;
3628 
3629 	*mntrflags = 0;
3630 
3631 	if (!nla)
3632 		return -EINVAL;
3633 
3634 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3635 		return -EINVAL;
3636 
3637 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3638 		if (flags[flag])
3639 			*mntrflags |= (1<<flag);
3640 
3641 	*mntrflags |= MONITOR_FLAG_CHANGED;
3642 
3643 	return 0;
3644 }
3645 
3646 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3647 				     enum nl80211_iftype type,
3648 				     struct genl_info *info,
3649 				     struct vif_params *params)
3650 {
3651 	bool change = false;
3652 	int err;
3653 
3654 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3655 		if (type != NL80211_IFTYPE_MONITOR)
3656 			return -EINVAL;
3657 
3658 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3659 					  &params->flags);
3660 		if (err)
3661 			return err;
3662 
3663 		change = true;
3664 	}
3665 
3666 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3667 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3668 		return -EOPNOTSUPP;
3669 
3670 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3671 		const u8 *mumimo_groups;
3672 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3673 
3674 		if (type != NL80211_IFTYPE_MONITOR)
3675 			return -EINVAL;
3676 
3677 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3678 			return -EOPNOTSUPP;
3679 
3680 		mumimo_groups =
3681 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3682 
3683 		/* bits 0 and 63 are reserved and must be zero */
3684 		if ((mumimo_groups[0] & BIT(0)) ||
3685 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3686 			return -EINVAL;
3687 
3688 		params->vht_mumimo_groups = mumimo_groups;
3689 		change = true;
3690 	}
3691 
3692 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3693 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3694 
3695 		if (type != NL80211_IFTYPE_MONITOR)
3696 			return -EINVAL;
3697 
3698 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3699 			return -EOPNOTSUPP;
3700 
3701 		params->vht_mumimo_follow_addr =
3702 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3703 		change = true;
3704 	}
3705 
3706 	return change ? 1 : 0;
3707 }
3708 
3709 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3710 			       struct net_device *netdev, u8 use_4addr,
3711 			       enum nl80211_iftype iftype)
3712 {
3713 	if (!use_4addr) {
3714 		if (netdev && netif_is_bridge_port(netdev))
3715 			return -EBUSY;
3716 		return 0;
3717 	}
3718 
3719 	switch (iftype) {
3720 	case NL80211_IFTYPE_AP_VLAN:
3721 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3722 			return 0;
3723 		break;
3724 	case NL80211_IFTYPE_STATION:
3725 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3726 			return 0;
3727 		break;
3728 	default:
3729 		break;
3730 	}
3731 
3732 	return -EOPNOTSUPP;
3733 }
3734 
3735 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3736 {
3737 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3738 	struct vif_params params;
3739 	int err;
3740 	enum nl80211_iftype otype, ntype;
3741 	struct net_device *dev = info->user_ptr[1];
3742 	bool change = false;
3743 
3744 	memset(&params, 0, sizeof(params));
3745 
3746 	otype = ntype = dev->ieee80211_ptr->iftype;
3747 
3748 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3749 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3750 		if (otype != ntype)
3751 			change = true;
3752 	}
3753 
3754 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3755 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3756 
3757 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3758 			return -EINVAL;
3759 		if (netif_running(dev))
3760 			return -EBUSY;
3761 
3762 		wdev_lock(wdev);
3763 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3764 			     IEEE80211_MAX_MESH_ID_LEN);
3765 		wdev->mesh_id_up_len =
3766 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3767 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3768 		       wdev->mesh_id_up_len);
3769 		wdev_unlock(wdev);
3770 	}
3771 
3772 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3773 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3774 		change = true;
3775 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3776 		if (err)
3777 			return err;
3778 	} else {
3779 		params.use_4addr = -1;
3780 	}
3781 
3782 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3783 	if (err < 0)
3784 		return err;
3785 	if (err > 0)
3786 		change = true;
3787 
3788 	if (change)
3789 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3790 	else
3791 		err = 0;
3792 
3793 	if (!err && params.use_4addr != -1)
3794 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3795 
3796 	if (change && !err) {
3797 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3798 
3799 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3800 	}
3801 
3802 	return err;
3803 }
3804 
3805 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3806 {
3807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3808 	struct vif_params params;
3809 	struct wireless_dev *wdev;
3810 	struct sk_buff *msg;
3811 	int err;
3812 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3813 
3814 	/* to avoid failing a new interface creation due to pending removal */
3815 	cfg80211_destroy_ifaces(rdev);
3816 
3817 	memset(&params, 0, sizeof(params));
3818 
3819 	if (!info->attrs[NL80211_ATTR_IFNAME])
3820 		return -EINVAL;
3821 
3822 	if (info->attrs[NL80211_ATTR_IFTYPE])
3823 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3824 
3825 	if (!rdev->ops->add_virtual_intf)
3826 		return -EOPNOTSUPP;
3827 
3828 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3829 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3830 	    info->attrs[NL80211_ATTR_MAC]) {
3831 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3832 			   ETH_ALEN);
3833 		if (!is_valid_ether_addr(params.macaddr))
3834 			return -EADDRNOTAVAIL;
3835 	}
3836 
3837 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3838 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3839 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3840 		if (err)
3841 			return err;
3842 	}
3843 
3844 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3845 		return -EOPNOTSUPP;
3846 
3847 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3848 	if (err < 0)
3849 		return err;
3850 
3851 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3852 	if (!msg)
3853 		return -ENOMEM;
3854 
3855 	wdev = rdev_add_virtual_intf(rdev,
3856 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3857 				NET_NAME_USER, type, &params);
3858 	if (WARN_ON(!wdev)) {
3859 		nlmsg_free(msg);
3860 		return -EPROTO;
3861 	} else if (IS_ERR(wdev)) {
3862 		nlmsg_free(msg);
3863 		return PTR_ERR(wdev);
3864 	}
3865 
3866 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3867 		wdev->owner_nlportid = info->snd_portid;
3868 
3869 	switch (type) {
3870 	case NL80211_IFTYPE_MESH_POINT:
3871 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3872 			break;
3873 		wdev_lock(wdev);
3874 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3875 			     IEEE80211_MAX_MESH_ID_LEN);
3876 		wdev->mesh_id_up_len =
3877 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3878 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3879 		       wdev->mesh_id_up_len);
3880 		wdev_unlock(wdev);
3881 		break;
3882 	case NL80211_IFTYPE_NAN:
3883 	case NL80211_IFTYPE_P2P_DEVICE:
3884 		/*
3885 		 * P2P Device and NAN do not have a netdev, so don't go
3886 		 * through the netdev notifier and must be added here
3887 		 */
3888 		cfg80211_init_wdev(rdev, wdev);
3889 		break;
3890 	default:
3891 		break;
3892 	}
3893 
3894 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3895 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3896 		nlmsg_free(msg);
3897 		return -ENOBUFS;
3898 	}
3899 
3900 	return genlmsg_reply(msg, info);
3901 }
3902 
3903 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3904 {
3905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3906 	struct wireless_dev *wdev = info->user_ptr[1];
3907 
3908 	if (!rdev->ops->del_virtual_intf)
3909 		return -EOPNOTSUPP;
3910 
3911 	/*
3912 	 * If we remove a wireless device without a netdev then clear
3913 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3914 	 * to check if it needs to do dev_put(). Otherwise it crashes
3915 	 * since the wdev has been freed, unlike with a netdev where
3916 	 * we need the dev_put() for the netdev to really be freed.
3917 	 */
3918 	if (!wdev->netdev)
3919 		info->user_ptr[1] = NULL;
3920 
3921 	return rdev_del_virtual_intf(rdev, wdev);
3922 }
3923 
3924 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3925 {
3926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3927 	struct net_device *dev = info->user_ptr[1];
3928 	u16 noack_map;
3929 
3930 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3931 		return -EINVAL;
3932 
3933 	if (!rdev->ops->set_noack_map)
3934 		return -EOPNOTSUPP;
3935 
3936 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3937 
3938 	return rdev_set_noack_map(rdev, dev, noack_map);
3939 }
3940 
3941 struct get_key_cookie {
3942 	struct sk_buff *msg;
3943 	int error;
3944 	int idx;
3945 };
3946 
3947 static void get_key_callback(void *c, struct key_params *params)
3948 {
3949 	struct nlattr *key;
3950 	struct get_key_cookie *cookie = c;
3951 
3952 	if ((params->key &&
3953 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3954 		     params->key_len, params->key)) ||
3955 	    (params->seq &&
3956 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3957 		     params->seq_len, params->seq)) ||
3958 	    (params->cipher &&
3959 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3960 			 params->cipher)))
3961 		goto nla_put_failure;
3962 
3963 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3964 	if (!key)
3965 		goto nla_put_failure;
3966 
3967 	if ((params->key &&
3968 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3969 		     params->key_len, params->key)) ||
3970 	    (params->seq &&
3971 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3972 		     params->seq_len, params->seq)) ||
3973 	    (params->cipher &&
3974 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3975 			 params->cipher)))
3976 		goto nla_put_failure;
3977 
3978 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3979 		goto nla_put_failure;
3980 
3981 	nla_nest_end(cookie->msg, key);
3982 
3983 	return;
3984  nla_put_failure:
3985 	cookie->error = 1;
3986 }
3987 
3988 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3989 {
3990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3991 	int err;
3992 	struct net_device *dev = info->user_ptr[1];
3993 	u8 key_idx = 0;
3994 	const u8 *mac_addr = NULL;
3995 	bool pairwise;
3996 	struct get_key_cookie cookie = {
3997 		.error = 0,
3998 	};
3999 	void *hdr;
4000 	struct sk_buff *msg;
4001 	bool bigtk_support = false;
4002 
4003 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4004 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4005 		bigtk_support = true;
4006 
4007 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4008 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4009 	    wiphy_ext_feature_isset(&rdev->wiphy,
4010 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4011 		bigtk_support = true;
4012 
4013 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4014 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4015 
4016 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4017 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4018 			return -EINVAL;
4019 		}
4020 	}
4021 
4022 	if (info->attrs[NL80211_ATTR_MAC])
4023 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4024 
4025 	pairwise = !!mac_addr;
4026 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4027 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4028 
4029 		if (kt != NL80211_KEYTYPE_GROUP &&
4030 		    kt != NL80211_KEYTYPE_PAIRWISE)
4031 			return -EINVAL;
4032 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4033 	}
4034 
4035 	if (!rdev->ops->get_key)
4036 		return -EOPNOTSUPP;
4037 
4038 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4039 		return -ENOENT;
4040 
4041 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4042 	if (!msg)
4043 		return -ENOMEM;
4044 
4045 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4046 			     NL80211_CMD_NEW_KEY);
4047 	if (!hdr)
4048 		goto nla_put_failure;
4049 
4050 	cookie.msg = msg;
4051 	cookie.idx = key_idx;
4052 
4053 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4054 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4055 		goto nla_put_failure;
4056 	if (mac_addr &&
4057 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4058 		goto nla_put_failure;
4059 
4060 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4061 			   get_key_callback);
4062 
4063 	if (err)
4064 		goto free_msg;
4065 
4066 	if (cookie.error)
4067 		goto nla_put_failure;
4068 
4069 	genlmsg_end(msg, hdr);
4070 	return genlmsg_reply(msg, info);
4071 
4072  nla_put_failure:
4073 	err = -ENOBUFS;
4074  free_msg:
4075 	nlmsg_free(msg);
4076 	return err;
4077 }
4078 
4079 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4080 {
4081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4082 	struct key_parse key;
4083 	int err;
4084 	struct net_device *dev = info->user_ptr[1];
4085 
4086 	err = nl80211_parse_key(info, &key);
4087 	if (err)
4088 		return err;
4089 
4090 	if (key.idx < 0)
4091 		return -EINVAL;
4092 
4093 	/* Only support setting default key and
4094 	 * Extended Key ID action NL80211_KEY_SET_TX.
4095 	 */
4096 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4097 	    !(key.p.mode == NL80211_KEY_SET_TX))
4098 		return -EINVAL;
4099 
4100 	wdev_lock(dev->ieee80211_ptr);
4101 
4102 	if (key.def) {
4103 		if (!rdev->ops->set_default_key) {
4104 			err = -EOPNOTSUPP;
4105 			goto out;
4106 		}
4107 
4108 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4109 		if (err)
4110 			goto out;
4111 
4112 		err = rdev_set_default_key(rdev, dev, key.idx,
4113 						 key.def_uni, key.def_multi);
4114 
4115 		if (err)
4116 			goto out;
4117 
4118 #ifdef CONFIG_CFG80211_WEXT
4119 		dev->ieee80211_ptr->wext.default_key = key.idx;
4120 #endif
4121 	} else if (key.defmgmt) {
4122 		if (key.def_uni || !key.def_multi) {
4123 			err = -EINVAL;
4124 			goto out;
4125 		}
4126 
4127 		if (!rdev->ops->set_default_mgmt_key) {
4128 			err = -EOPNOTSUPP;
4129 			goto out;
4130 		}
4131 
4132 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4133 		if (err)
4134 			goto out;
4135 
4136 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4137 		if (err)
4138 			goto out;
4139 
4140 #ifdef CONFIG_CFG80211_WEXT
4141 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4142 #endif
4143 	} else if (key.defbeacon) {
4144 		if (key.def_uni || !key.def_multi) {
4145 			err = -EINVAL;
4146 			goto out;
4147 		}
4148 
4149 		if (!rdev->ops->set_default_beacon_key) {
4150 			err = -EOPNOTSUPP;
4151 			goto out;
4152 		}
4153 
4154 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4155 		if (err)
4156 			goto out;
4157 
4158 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4159 		if (err)
4160 			goto out;
4161 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4162 		   wiphy_ext_feature_isset(&rdev->wiphy,
4163 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4164 		u8 *mac_addr = NULL;
4165 
4166 		if (info->attrs[NL80211_ATTR_MAC])
4167 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4168 
4169 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4170 			err = -EINVAL;
4171 			goto out;
4172 		}
4173 
4174 		err = rdev_add_key(rdev, dev, key.idx,
4175 				   NL80211_KEYTYPE_PAIRWISE,
4176 				   mac_addr, &key.p);
4177 	} else {
4178 		err = -EINVAL;
4179 	}
4180  out:
4181 	wdev_unlock(dev->ieee80211_ptr);
4182 
4183 	return err;
4184 }
4185 
4186 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4187 {
4188 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4189 	int err;
4190 	struct net_device *dev = info->user_ptr[1];
4191 	struct key_parse key;
4192 	const u8 *mac_addr = NULL;
4193 
4194 	err = nl80211_parse_key(info, &key);
4195 	if (err)
4196 		return err;
4197 
4198 	if (!key.p.key) {
4199 		GENL_SET_ERR_MSG(info, "no key");
4200 		return -EINVAL;
4201 	}
4202 
4203 	if (info->attrs[NL80211_ATTR_MAC])
4204 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4205 
4206 	if (key.type == -1) {
4207 		if (mac_addr)
4208 			key.type = NL80211_KEYTYPE_PAIRWISE;
4209 		else
4210 			key.type = NL80211_KEYTYPE_GROUP;
4211 	}
4212 
4213 	/* for now */
4214 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4215 	    key.type != NL80211_KEYTYPE_GROUP) {
4216 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4217 		return -EINVAL;
4218 	}
4219 
4220 	if (key.type == NL80211_KEYTYPE_GROUP &&
4221 	    info->attrs[NL80211_ATTR_VLAN_ID])
4222 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4223 
4224 	if (!rdev->ops->add_key)
4225 		return -EOPNOTSUPP;
4226 
4227 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4228 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4229 					   mac_addr)) {
4230 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4231 		return -EINVAL;
4232 	}
4233 
4234 	wdev_lock(dev->ieee80211_ptr);
4235 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4236 	if (err)
4237 		GENL_SET_ERR_MSG(info, "key not allowed");
4238 	if (!err) {
4239 		err = rdev_add_key(rdev, dev, key.idx,
4240 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4241 				    mac_addr, &key.p);
4242 		if (err)
4243 			GENL_SET_ERR_MSG(info, "key addition failed");
4244 	}
4245 	wdev_unlock(dev->ieee80211_ptr);
4246 
4247 	return err;
4248 }
4249 
4250 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4251 {
4252 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4253 	int err;
4254 	struct net_device *dev = info->user_ptr[1];
4255 	u8 *mac_addr = NULL;
4256 	struct key_parse key;
4257 
4258 	err = nl80211_parse_key(info, &key);
4259 	if (err)
4260 		return err;
4261 
4262 	if (key.idx < 0)
4263 		return -EINVAL;
4264 
4265 	if (info->attrs[NL80211_ATTR_MAC])
4266 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4267 
4268 	if (key.type == -1) {
4269 		if (mac_addr)
4270 			key.type = NL80211_KEYTYPE_PAIRWISE;
4271 		else
4272 			key.type = NL80211_KEYTYPE_GROUP;
4273 	}
4274 
4275 	/* for now */
4276 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4277 	    key.type != NL80211_KEYTYPE_GROUP)
4278 		return -EINVAL;
4279 
4280 	if (!rdev->ops->del_key)
4281 		return -EOPNOTSUPP;
4282 
4283 	wdev_lock(dev->ieee80211_ptr);
4284 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4285 
4286 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4287 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4288 		err = -ENOENT;
4289 
4290 	if (!err)
4291 		err = rdev_del_key(rdev, dev, key.idx,
4292 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4293 				   mac_addr);
4294 
4295 #ifdef CONFIG_CFG80211_WEXT
4296 	if (!err) {
4297 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4298 			dev->ieee80211_ptr->wext.default_key = -1;
4299 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4300 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4301 	}
4302 #endif
4303 	wdev_unlock(dev->ieee80211_ptr);
4304 
4305 	return err;
4306 }
4307 
4308 /* This function returns an error or the number of nested attributes */
4309 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4310 {
4311 	struct nlattr *attr;
4312 	int n_entries = 0, tmp;
4313 
4314 	nla_for_each_nested(attr, nl_attr, tmp) {
4315 		if (nla_len(attr) != ETH_ALEN)
4316 			return -EINVAL;
4317 
4318 		n_entries++;
4319 	}
4320 
4321 	return n_entries;
4322 }
4323 
4324 /*
4325  * This function parses ACL information and allocates memory for ACL data.
4326  * On successful return, the calling function is responsible to free the
4327  * ACL buffer returned by this function.
4328  */
4329 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4330 						struct genl_info *info)
4331 {
4332 	enum nl80211_acl_policy acl_policy;
4333 	struct nlattr *attr;
4334 	struct cfg80211_acl_data *acl;
4335 	int i = 0, n_entries, tmp;
4336 
4337 	if (!wiphy->max_acl_mac_addrs)
4338 		return ERR_PTR(-EOPNOTSUPP);
4339 
4340 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4341 		return ERR_PTR(-EINVAL);
4342 
4343 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4344 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4345 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4346 		return ERR_PTR(-EINVAL);
4347 
4348 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4349 		return ERR_PTR(-EINVAL);
4350 
4351 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4352 	if (n_entries < 0)
4353 		return ERR_PTR(n_entries);
4354 
4355 	if (n_entries > wiphy->max_acl_mac_addrs)
4356 		return ERR_PTR(-ENOTSUPP);
4357 
4358 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4359 	if (!acl)
4360 		return ERR_PTR(-ENOMEM);
4361 
4362 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4363 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4364 		i++;
4365 	}
4366 
4367 	acl->n_acl_entries = n_entries;
4368 	acl->acl_policy = acl_policy;
4369 
4370 	return acl;
4371 }
4372 
4373 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4374 {
4375 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4376 	struct net_device *dev = info->user_ptr[1];
4377 	struct cfg80211_acl_data *acl;
4378 	int err;
4379 
4380 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4381 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4382 		return -EOPNOTSUPP;
4383 
4384 	if (!dev->ieee80211_ptr->beacon_interval)
4385 		return -EINVAL;
4386 
4387 	acl = parse_acl_data(&rdev->wiphy, info);
4388 	if (IS_ERR(acl))
4389 		return PTR_ERR(acl);
4390 
4391 	err = rdev_set_mac_acl(rdev, dev, acl);
4392 
4393 	kfree(acl);
4394 
4395 	return err;
4396 }
4397 
4398 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4399 			   u8 *rates, u8 rates_len)
4400 {
4401 	u8 i;
4402 	u32 mask = 0;
4403 
4404 	for (i = 0; i < rates_len; i++) {
4405 		int rate = (rates[i] & 0x7f) * 5;
4406 		int ridx;
4407 
4408 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4409 			struct ieee80211_rate *srate =
4410 				&sband->bitrates[ridx];
4411 			if (rate == srate->bitrate) {
4412 				mask |= 1 << ridx;
4413 				break;
4414 			}
4415 		}
4416 		if (ridx == sband->n_bitrates)
4417 			return 0; /* rate not found */
4418 	}
4419 
4420 	return mask;
4421 }
4422 
4423 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4424 			       u8 *rates, u8 rates_len,
4425 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4426 {
4427 	u8 i;
4428 
4429 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4430 
4431 	for (i = 0; i < rates_len; i++) {
4432 		int ridx, rbit;
4433 
4434 		ridx = rates[i] / 8;
4435 		rbit = BIT(rates[i] % 8);
4436 
4437 		/* check validity */
4438 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4439 			return false;
4440 
4441 		/* check availability */
4442 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4443 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4444 			mcs[ridx] |= rbit;
4445 		else
4446 			return false;
4447 	}
4448 
4449 	return true;
4450 }
4451 
4452 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4453 {
4454 	u16 mcs_mask = 0;
4455 
4456 	switch (vht_mcs_map) {
4457 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4458 		break;
4459 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4460 		mcs_mask = 0x00FF;
4461 		break;
4462 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4463 		mcs_mask = 0x01FF;
4464 		break;
4465 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4466 		mcs_mask = 0x03FF;
4467 		break;
4468 	default:
4469 		break;
4470 	}
4471 
4472 	return mcs_mask;
4473 }
4474 
4475 static void vht_build_mcs_mask(u16 vht_mcs_map,
4476 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4477 {
4478 	u8 nss;
4479 
4480 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4481 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4482 		vht_mcs_map >>= 2;
4483 	}
4484 }
4485 
4486 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4487 			     struct nl80211_txrate_vht *txrate,
4488 			     u16 mcs[NL80211_VHT_NSS_MAX])
4489 {
4490 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4491 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4492 	u8 i;
4493 
4494 	if (!sband->vht_cap.vht_supported)
4495 		return false;
4496 
4497 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4498 
4499 	/* Build vht_mcs_mask from VHT capabilities */
4500 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4501 
4502 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4503 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4504 			mcs[i] = txrate->mcs[i];
4505 		else
4506 			return false;
4507 	}
4508 
4509 	return true;
4510 }
4511 
4512 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4513 {
4514 	switch (he_mcs_map) {
4515 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4516 		return 0;
4517 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4518 		return 0x00FF;
4519 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4520 		return 0x03FF;
4521 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4522 		return 0xFFF;
4523 	default:
4524 		break;
4525 	}
4526 	return 0;
4527 }
4528 
4529 static void he_build_mcs_mask(u16 he_mcs_map,
4530 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4531 {
4532 	u8 nss;
4533 
4534 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4535 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4536 		he_mcs_map >>= 2;
4537 	}
4538 }
4539 
4540 static u16 he_get_txmcsmap(struct genl_info *info,
4541 			   const struct ieee80211_sta_he_cap *he_cap)
4542 {
4543 	struct net_device *dev = info->user_ptr[1];
4544 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4545 	__le16	tx_mcs;
4546 
4547 	switch (wdev->chandef.width) {
4548 	case NL80211_CHAN_WIDTH_80P80:
4549 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4550 		break;
4551 	case NL80211_CHAN_WIDTH_160:
4552 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4553 		break;
4554 	default:
4555 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4556 		break;
4557 	}
4558 	return le16_to_cpu(tx_mcs);
4559 }
4560 
4561 static bool he_set_mcs_mask(struct genl_info *info,
4562 			    struct wireless_dev *wdev,
4563 			    struct ieee80211_supported_band *sband,
4564 			    struct nl80211_txrate_he *txrate,
4565 			    u16 mcs[NL80211_HE_NSS_MAX])
4566 {
4567 	const struct ieee80211_sta_he_cap *he_cap;
4568 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4569 	u16 tx_mcs_map = 0;
4570 	u8 i;
4571 
4572 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4573 	if (!he_cap)
4574 		return false;
4575 
4576 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4577 
4578 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4579 
4580 	/* Build he_mcs_mask from HE capabilities */
4581 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4582 
4583 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4584 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4585 			mcs[i] = txrate->mcs[i];
4586 		else
4587 			return false;
4588 	}
4589 
4590 	return true;
4591 }
4592 
4593 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4594 					 struct nlattr *attrs[],
4595 					 enum nl80211_attrs attr,
4596 					 struct cfg80211_bitrate_mask *mask,
4597 					 struct net_device *dev)
4598 {
4599 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4600 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4601 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4602 	int rem, i;
4603 	struct nlattr *tx_rates;
4604 	struct ieee80211_supported_band *sband;
4605 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4606 
4607 	memset(mask, 0, sizeof(*mask));
4608 	/* Default to all rates enabled */
4609 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4610 		const struct ieee80211_sta_he_cap *he_cap;
4611 
4612 		sband = rdev->wiphy.bands[i];
4613 
4614 		if (!sband)
4615 			continue;
4616 
4617 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4618 		memcpy(mask->control[i].ht_mcs,
4619 		       sband->ht_cap.mcs.rx_mask,
4620 		       sizeof(mask->control[i].ht_mcs));
4621 
4622 		if (!sband->vht_cap.vht_supported)
4623 			continue;
4624 
4625 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4626 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4627 
4628 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4629 		if (!he_cap)
4630 			continue;
4631 
4632 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4633 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4634 
4635 		mask->control[i].he_gi = 0xFF;
4636 		mask->control[i].he_ltf = 0xFF;
4637 	}
4638 
4639 	/* if no rates are given set it back to the defaults */
4640 	if (!attrs[attr])
4641 		goto out;
4642 
4643 	/* The nested attribute uses enum nl80211_band as the index. This maps
4644 	 * directly to the enum nl80211_band values used in cfg80211.
4645 	 */
4646 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4647 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4648 		enum nl80211_band band = nla_type(tx_rates);
4649 		int err;
4650 
4651 		if (band < 0 || band >= NUM_NL80211_BANDS)
4652 			return -EINVAL;
4653 		sband = rdev->wiphy.bands[band];
4654 		if (sband == NULL)
4655 			return -EINVAL;
4656 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4657 						  tx_rates,
4658 						  nl80211_txattr_policy,
4659 						  info->extack);
4660 		if (err)
4661 			return err;
4662 		if (tb[NL80211_TXRATE_LEGACY]) {
4663 			mask->control[band].legacy = rateset_to_mask(
4664 				sband,
4665 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4666 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4667 			if ((mask->control[band].legacy == 0) &&
4668 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4669 				return -EINVAL;
4670 		}
4671 		if (tb[NL80211_TXRATE_HT]) {
4672 			if (!ht_rateset_to_mask(
4673 					sband,
4674 					nla_data(tb[NL80211_TXRATE_HT]),
4675 					nla_len(tb[NL80211_TXRATE_HT]),
4676 					mask->control[band].ht_mcs))
4677 				return -EINVAL;
4678 		}
4679 		if (tb[NL80211_TXRATE_VHT]) {
4680 			if (!vht_set_mcs_mask(
4681 					sband,
4682 					nla_data(tb[NL80211_TXRATE_VHT]),
4683 					mask->control[band].vht_mcs))
4684 				return -EINVAL;
4685 		}
4686 		if (tb[NL80211_TXRATE_GI]) {
4687 			mask->control[band].gi =
4688 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4689 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4690 				return -EINVAL;
4691 		}
4692 		if (tb[NL80211_TXRATE_HE] &&
4693 		    !he_set_mcs_mask(info, wdev, sband,
4694 				     nla_data(tb[NL80211_TXRATE_HE]),
4695 				     mask->control[band].he_mcs))
4696 			return -EINVAL;
4697 		if (tb[NL80211_TXRATE_HE_GI])
4698 			mask->control[band].he_gi =
4699 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4700 		if (tb[NL80211_TXRATE_HE_LTF])
4701 			mask->control[band].he_ltf =
4702 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4703 
4704 		if (mask->control[band].legacy == 0) {
4705 			/* don't allow empty legacy rates if HT, VHT or HE
4706 			 * are not even supported.
4707 			 */
4708 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4709 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4710 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4711 				return -EINVAL;
4712 
4713 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4714 				if (mask->control[band].ht_mcs[i])
4715 					goto out;
4716 
4717 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4718 				if (mask->control[band].vht_mcs[i])
4719 					goto out;
4720 
4721 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4722 				if (mask->control[band].he_mcs[i])
4723 					goto out;
4724 
4725 			/* legacy and mcs rates may not be both empty */
4726 			return -EINVAL;
4727 		}
4728 	}
4729 
4730 out:
4731 	return 0;
4732 }
4733 
4734 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4735 				   enum nl80211_band band,
4736 				   struct cfg80211_bitrate_mask *beacon_rate)
4737 {
4738 	u32 count_ht, count_vht, i;
4739 	u32 rate = beacon_rate->control[band].legacy;
4740 
4741 	/* Allow only one rate */
4742 	if (hweight32(rate) > 1)
4743 		return -EINVAL;
4744 
4745 	count_ht = 0;
4746 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4747 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4748 			return -EINVAL;
4749 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4750 			count_ht++;
4751 			if (count_ht > 1)
4752 				return -EINVAL;
4753 		}
4754 		if (count_ht && rate)
4755 			return -EINVAL;
4756 	}
4757 
4758 	count_vht = 0;
4759 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4760 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4761 			return -EINVAL;
4762 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4763 			count_vht++;
4764 			if (count_vht > 1)
4765 				return -EINVAL;
4766 		}
4767 		if (count_vht && rate)
4768 			return -EINVAL;
4769 	}
4770 
4771 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4772 		return -EINVAL;
4773 
4774 	if (rate &&
4775 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4776 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4777 		return -EINVAL;
4778 	if (count_ht &&
4779 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4780 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4781 		return -EINVAL;
4782 	if (count_vht &&
4783 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4784 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4785 		return -EINVAL;
4786 
4787 	return 0;
4788 }
4789 
4790 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4791 				struct nlattr *attrs[],
4792 				struct cfg80211_beacon_data *bcn)
4793 {
4794 	bool haveinfo = false;
4795 	int err;
4796 
4797 	memset(bcn, 0, sizeof(*bcn));
4798 
4799 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4800 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4801 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4802 		if (!bcn->head_len)
4803 			return -EINVAL;
4804 		haveinfo = true;
4805 	}
4806 
4807 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4808 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4809 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4810 		haveinfo = true;
4811 	}
4812 
4813 	if (!haveinfo)
4814 		return -EINVAL;
4815 
4816 	if (attrs[NL80211_ATTR_IE]) {
4817 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4818 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4819 	}
4820 
4821 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4822 		bcn->proberesp_ies =
4823 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4824 		bcn->proberesp_ies_len =
4825 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4826 	}
4827 
4828 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4829 		bcn->assocresp_ies =
4830 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4831 		bcn->assocresp_ies_len =
4832 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4833 	}
4834 
4835 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4836 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4837 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4838 	}
4839 
4840 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4841 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4842 
4843 		err = nla_parse_nested_deprecated(tb,
4844 						  NL80211_FTM_RESP_ATTR_MAX,
4845 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4846 						  NULL, NULL);
4847 		if (err)
4848 			return err;
4849 
4850 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4851 		    wiphy_ext_feature_isset(&rdev->wiphy,
4852 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4853 			bcn->ftm_responder = 1;
4854 		else
4855 			return -EOPNOTSUPP;
4856 
4857 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4858 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4859 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4860 		}
4861 
4862 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4863 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4864 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4865 		}
4866 	} else {
4867 		bcn->ftm_responder = -1;
4868 	}
4869 
4870 	return 0;
4871 }
4872 
4873 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4874 				    struct ieee80211_he_obss_pd *he_obss_pd)
4875 {
4876 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4877 	int err;
4878 
4879 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4880 			       he_obss_pd_policy, NULL);
4881 	if (err)
4882 		return err;
4883 
4884 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
4885 		return -EINVAL;
4886 
4887 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
4888 
4889 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
4890 		he_obss_pd->min_offset =
4891 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4892 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4893 		he_obss_pd->max_offset =
4894 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4895 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
4896 		he_obss_pd->non_srg_max_offset =
4897 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
4898 
4899 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
4900 		return -EINVAL;
4901 
4902 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
4903 		memcpy(he_obss_pd->bss_color_bitmap,
4904 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
4905 		       sizeof(he_obss_pd->bss_color_bitmap));
4906 
4907 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
4908 		memcpy(he_obss_pd->partial_bssid_bitmap,
4909 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
4910 		       sizeof(he_obss_pd->partial_bssid_bitmap));
4911 
4912 	he_obss_pd->enable = true;
4913 
4914 	return 0;
4915 }
4916 
4917 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
4918 				      struct cfg80211_he_bss_color *he_bss_color)
4919 {
4920 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
4921 	int err;
4922 
4923 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
4924 			       he_bss_color_policy, NULL);
4925 	if (err)
4926 		return err;
4927 
4928 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
4929 		return -EINVAL;
4930 
4931 	he_bss_color->color =
4932 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
4933 	he_bss_color->enabled =
4934 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
4935 	he_bss_color->partial =
4936 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
4937 
4938 	return 0;
4939 }
4940 
4941 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
4942 					struct nlattr *attrs,
4943 					struct cfg80211_ap_settings *params)
4944 {
4945 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
4946 	int ret;
4947 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
4948 
4949 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
4950 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
4951 		return -EINVAL;
4952 
4953 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
4954 			       NULL, NULL);
4955 	if (ret)
4956 		return ret;
4957 
4958 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
4959 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
4960 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
4961 		return -EINVAL;
4962 
4963 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
4964 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
4965 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
4966 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
4967 
4968 	return 0;
4969 }
4970 
4971 static int
4972 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
4973 				     struct nlattr *attrs,
4974 				     struct cfg80211_ap_settings *params)
4975 {
4976 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
4977 	int ret;
4978 	struct cfg80211_unsol_bcast_probe_resp *presp =
4979 					&params->unsol_bcast_probe_resp;
4980 
4981 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
4982 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
4983 		return -EINVAL;
4984 
4985 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
4986 			       attrs, NULL, NULL);
4987 	if (ret)
4988 		return ret;
4989 
4990 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
4991 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
4992 		return -EINVAL;
4993 
4994 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
4995 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
4996 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
4997 	return 0;
4998 }
4999 
5000 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5001 					    const u8 *rates)
5002 {
5003 	int i;
5004 
5005 	if (!rates)
5006 		return;
5007 
5008 	for (i = 0; i < rates[1]; i++) {
5009 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5010 			params->ht_required = true;
5011 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5012 			params->vht_required = true;
5013 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5014 			params->he_required = true;
5015 	}
5016 }
5017 
5018 /*
5019  * Since the nl80211 API didn't include, from the beginning, attributes about
5020  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5021  * benefit of drivers that rebuild IEs in the firmware.
5022  */
5023 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5024 {
5025 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5026 	size_t ies_len = bcn->tail_len;
5027 	const u8 *ies = bcn->tail;
5028 	const u8 *rates;
5029 	const u8 *cap;
5030 
5031 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
5032 	nl80211_check_ap_rate_selectors(params, rates);
5033 
5034 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5035 	nl80211_check_ap_rate_selectors(params, rates);
5036 
5037 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5038 	if (cap && cap[1] >= sizeof(*params->ht_cap))
5039 		params->ht_cap = (void *)(cap + 2);
5040 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5041 	if (cap && cap[1] >= sizeof(*params->vht_cap))
5042 		params->vht_cap = (void *)(cap + 2);
5043 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5044 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
5045 		params->he_cap = (void *)(cap + 3);
5046 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5047 	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
5048 		params->he_oper = (void *)(cap + 3);
5049 }
5050 
5051 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5052 				   struct cfg80211_ap_settings *params)
5053 {
5054 	struct wireless_dev *wdev;
5055 	bool ret = false;
5056 
5057 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5058 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5059 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5060 			continue;
5061 
5062 		if (!wdev->preset_chandef.chan)
5063 			continue;
5064 
5065 		params->chandef = wdev->preset_chandef;
5066 		ret = true;
5067 		break;
5068 	}
5069 
5070 	return ret;
5071 }
5072 
5073 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5074 				    enum nl80211_auth_type auth_type,
5075 				    enum nl80211_commands cmd)
5076 {
5077 	if (auth_type > NL80211_AUTHTYPE_MAX)
5078 		return false;
5079 
5080 	switch (cmd) {
5081 	case NL80211_CMD_AUTHENTICATE:
5082 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5083 		    auth_type == NL80211_AUTHTYPE_SAE)
5084 			return false;
5085 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5086 					     NL80211_EXT_FEATURE_FILS_STA) &&
5087 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5088 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5089 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5090 			return false;
5091 		return true;
5092 	case NL80211_CMD_CONNECT:
5093 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5094 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5095 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5096 		    auth_type == NL80211_AUTHTYPE_SAE)
5097 			return false;
5098 
5099 		/* FILS with SK PFS or PK not supported yet */
5100 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5101 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5102 			return false;
5103 		if (!wiphy_ext_feature_isset(
5104 			    &rdev->wiphy,
5105 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5106 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5107 			return false;
5108 		return true;
5109 	case NL80211_CMD_START_AP:
5110 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5111 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5112 		    auth_type == NL80211_AUTHTYPE_SAE)
5113 			return false;
5114 		/* FILS not supported yet */
5115 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5116 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5117 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5118 			return false;
5119 		return true;
5120 	default:
5121 		return false;
5122 	}
5123 }
5124 
5125 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5126 {
5127 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5128 	struct net_device *dev = info->user_ptr[1];
5129 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5130 	struct cfg80211_ap_settings params;
5131 	int err;
5132 
5133 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5134 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5135 		return -EOPNOTSUPP;
5136 
5137 	if (!rdev->ops->start_ap)
5138 		return -EOPNOTSUPP;
5139 
5140 	if (wdev->beacon_interval)
5141 		return -EALREADY;
5142 
5143 	memset(&params, 0, sizeof(params));
5144 
5145 	/* these are required for START_AP */
5146 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5147 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5148 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5149 		return -EINVAL;
5150 
5151 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
5152 	if (err)
5153 		return err;
5154 
5155 	params.beacon_interval =
5156 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5157 	params.dtim_period =
5158 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5159 
5160 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5161 					   params.beacon_interval);
5162 	if (err)
5163 		return err;
5164 
5165 	/*
5166 	 * In theory, some of these attributes should be required here
5167 	 * but since they were not used when the command was originally
5168 	 * added, keep them optional for old user space programs to let
5169 	 * them continue to work with drivers that do not need the
5170 	 * additional information -- drivers must check!
5171 	 */
5172 	if (info->attrs[NL80211_ATTR_SSID]) {
5173 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5174 		params.ssid_len =
5175 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5176 		if (params.ssid_len == 0)
5177 			return -EINVAL;
5178 	}
5179 
5180 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5181 		params.hidden_ssid = nla_get_u32(
5182 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5183 
5184 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5185 
5186 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5187 		params.auth_type = nla_get_u32(
5188 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5189 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
5190 					     NL80211_CMD_START_AP))
5191 			return -EINVAL;
5192 	} else
5193 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5194 
5195 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
5196 				      NL80211_MAX_NR_CIPHER_SUITES);
5197 	if (err)
5198 		return err;
5199 
5200 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5201 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
5202 			return -EOPNOTSUPP;
5203 		params.inactivity_timeout = nla_get_u16(
5204 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5205 	}
5206 
5207 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5208 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5209 			return -EINVAL;
5210 		params.p2p_ctwindow =
5211 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5212 		if (params.p2p_ctwindow != 0 &&
5213 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5214 			return -EINVAL;
5215 	}
5216 
5217 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5218 		u8 tmp;
5219 
5220 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5221 			return -EINVAL;
5222 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5223 		params.p2p_opp_ps = tmp;
5224 		if (params.p2p_opp_ps != 0 &&
5225 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5226 			return -EINVAL;
5227 	}
5228 
5229 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5230 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
5231 		if (err)
5232 			return err;
5233 	} else if (wdev->preset_chandef.chan) {
5234 		params.chandef = wdev->preset_chandef;
5235 	} else if (!nl80211_get_ap_channel(rdev, &params))
5236 		return -EINVAL;
5237 
5238 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
5239 					   wdev->iftype))
5240 		return -EINVAL;
5241 
5242 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5243 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5244 						    NL80211_ATTR_TX_RATES,
5245 						    &params.beacon_rate,
5246 						    dev);
5247 		if (err)
5248 			return err;
5249 
5250 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
5251 					      &params.beacon_rate);
5252 		if (err)
5253 			return err;
5254 	}
5255 
5256 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5257 		params.smps_mode =
5258 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5259 		switch (params.smps_mode) {
5260 		case NL80211_SMPS_OFF:
5261 			break;
5262 		case NL80211_SMPS_STATIC:
5263 			if (!(rdev->wiphy.features &
5264 			      NL80211_FEATURE_STATIC_SMPS))
5265 				return -EINVAL;
5266 			break;
5267 		case NL80211_SMPS_DYNAMIC:
5268 			if (!(rdev->wiphy.features &
5269 			      NL80211_FEATURE_DYNAMIC_SMPS))
5270 				return -EINVAL;
5271 			break;
5272 		default:
5273 			return -EINVAL;
5274 		}
5275 	} else {
5276 		params.smps_mode = NL80211_SMPS_OFF;
5277 	}
5278 
5279 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5280 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
5281 		return -EOPNOTSUPP;
5282 
5283 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5284 		params.acl = parse_acl_data(&rdev->wiphy, info);
5285 		if (IS_ERR(params.acl))
5286 			return PTR_ERR(params.acl);
5287 	}
5288 
5289 	params.twt_responder =
5290 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5291 
5292 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5293 		err = nl80211_parse_he_obss_pd(
5294 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5295 					&params.he_obss_pd);
5296 		if (err)
5297 			goto out;
5298 	}
5299 
5300 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5301 		err = nl80211_parse_he_bss_color(
5302 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5303 					&params.he_bss_color);
5304 		if (err)
5305 			goto out;
5306 	}
5307 
5308 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5309 		err = nl80211_parse_fils_discovery(rdev,
5310 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5311 						   &params);
5312 		if (err)
5313 			goto out;
5314 	}
5315 
5316 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5317 		err = nl80211_parse_unsol_bcast_probe_resp(
5318 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5319 			&params);
5320 		if (err)
5321 			return err;
5322 	}
5323 
5324 	nl80211_calculate_ap_params(&params);
5325 
5326 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5327 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5328 
5329 	wdev_lock(wdev);
5330 	err = rdev_start_ap(rdev, dev, &params);
5331 	if (!err) {
5332 		wdev->preset_chandef = params.chandef;
5333 		wdev->beacon_interval = params.beacon_interval;
5334 		wdev->chandef = params.chandef;
5335 		wdev->ssid_len = params.ssid_len;
5336 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5337 
5338 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5339 			wdev->conn_owner_nlportid = info->snd_portid;
5340 	}
5341 	wdev_unlock(wdev);
5342 
5343 out:
5344 	kfree(params.acl);
5345 
5346 	return err;
5347 }
5348 
5349 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5350 {
5351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5352 	struct net_device *dev = info->user_ptr[1];
5353 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5354 	struct cfg80211_beacon_data params;
5355 	int err;
5356 
5357 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5358 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5359 		return -EOPNOTSUPP;
5360 
5361 	if (!rdev->ops->change_beacon)
5362 		return -EOPNOTSUPP;
5363 
5364 	if (!wdev->beacon_interval)
5365 		return -EINVAL;
5366 
5367 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5368 	if (err)
5369 		return err;
5370 
5371 	wdev_lock(wdev);
5372 	err = rdev_change_beacon(rdev, dev, &params);
5373 	wdev_unlock(wdev);
5374 
5375 	return err;
5376 }
5377 
5378 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5379 {
5380 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5381 	struct net_device *dev = info->user_ptr[1];
5382 
5383 	return cfg80211_stop_ap(rdev, dev, false);
5384 }
5385 
5386 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5387 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5388 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5389 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5390 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5391 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5392 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5393 };
5394 
5395 static int parse_station_flags(struct genl_info *info,
5396 			       enum nl80211_iftype iftype,
5397 			       struct station_parameters *params)
5398 {
5399 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5400 	struct nlattr *nla;
5401 	int flag;
5402 
5403 	/*
5404 	 * Try parsing the new attribute first so userspace
5405 	 * can specify both for older kernels.
5406 	 */
5407 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5408 	if (nla) {
5409 		struct nl80211_sta_flag_update *sta_flags;
5410 
5411 		sta_flags = nla_data(nla);
5412 		params->sta_flags_mask = sta_flags->mask;
5413 		params->sta_flags_set = sta_flags->set;
5414 		params->sta_flags_set &= params->sta_flags_mask;
5415 		if ((params->sta_flags_mask |
5416 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5417 			return -EINVAL;
5418 		return 0;
5419 	}
5420 
5421 	/* if present, parse the old attribute */
5422 
5423 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5424 	if (!nla)
5425 		return 0;
5426 
5427 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5428 		return -EINVAL;
5429 
5430 	/*
5431 	 * Only allow certain flags for interface types so that
5432 	 * other attributes are silently ignored. Remember that
5433 	 * this is backward compatibility code with old userspace
5434 	 * and shouldn't be hit in other cases anyway.
5435 	 */
5436 	switch (iftype) {
5437 	case NL80211_IFTYPE_AP:
5438 	case NL80211_IFTYPE_AP_VLAN:
5439 	case NL80211_IFTYPE_P2P_GO:
5440 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5441 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5442 					 BIT(NL80211_STA_FLAG_WME) |
5443 					 BIT(NL80211_STA_FLAG_MFP);
5444 		break;
5445 	case NL80211_IFTYPE_P2P_CLIENT:
5446 	case NL80211_IFTYPE_STATION:
5447 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5448 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5449 		break;
5450 	case NL80211_IFTYPE_MESH_POINT:
5451 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5452 					 BIT(NL80211_STA_FLAG_MFP) |
5453 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5454 		break;
5455 	default:
5456 		return -EINVAL;
5457 	}
5458 
5459 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5460 		if (flags[flag]) {
5461 			params->sta_flags_set |= (1<<flag);
5462 
5463 			/* no longer support new API additions in old API */
5464 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5465 				return -EINVAL;
5466 		}
5467 	}
5468 
5469 	return 0;
5470 }
5471 
5472 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5473 {
5474 	struct nlattr *rate;
5475 	u32 bitrate;
5476 	u16 bitrate_compat;
5477 	enum nl80211_rate_info rate_flg;
5478 
5479 	rate = nla_nest_start_noflag(msg, attr);
5480 	if (!rate)
5481 		return false;
5482 
5483 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5484 	bitrate = cfg80211_calculate_bitrate(info);
5485 	/* report 16-bit bitrate only if we can */
5486 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5487 	if (bitrate > 0 &&
5488 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5489 		return false;
5490 	if (bitrate_compat > 0 &&
5491 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5492 		return false;
5493 
5494 	switch (info->bw) {
5495 	case RATE_INFO_BW_5:
5496 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5497 		break;
5498 	case RATE_INFO_BW_10:
5499 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5500 		break;
5501 	default:
5502 		WARN_ON(1);
5503 		fallthrough;
5504 	case RATE_INFO_BW_20:
5505 		rate_flg = 0;
5506 		break;
5507 	case RATE_INFO_BW_40:
5508 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5509 		break;
5510 	case RATE_INFO_BW_80:
5511 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5512 		break;
5513 	case RATE_INFO_BW_160:
5514 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5515 		break;
5516 	case RATE_INFO_BW_HE_RU:
5517 		rate_flg = 0;
5518 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5519 	}
5520 
5521 	if (rate_flg && nla_put_flag(msg, rate_flg))
5522 		return false;
5523 
5524 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5525 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5526 			return false;
5527 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5528 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5529 			return false;
5530 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5531 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5532 			return false;
5533 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5534 			return false;
5535 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5536 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5537 			return false;
5538 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5539 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5540 			return false;
5541 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5542 			return false;
5543 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5544 			return false;
5545 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5546 			return false;
5547 		if (info->bw == RATE_INFO_BW_HE_RU &&
5548 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5549 			       info->he_ru_alloc))
5550 			return false;
5551 	}
5552 
5553 	nla_nest_end(msg, rate);
5554 	return true;
5555 }
5556 
5557 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5558 			       int id)
5559 {
5560 	void *attr;
5561 	int i = 0;
5562 
5563 	if (!mask)
5564 		return true;
5565 
5566 	attr = nla_nest_start_noflag(msg, id);
5567 	if (!attr)
5568 		return false;
5569 
5570 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5571 		if (!(mask & BIT(i)))
5572 			continue;
5573 
5574 		if (nla_put_u8(msg, i, signal[i]))
5575 			return false;
5576 	}
5577 
5578 	nla_nest_end(msg, attr);
5579 
5580 	return true;
5581 }
5582 
5583 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5584 				u32 seq, int flags,
5585 				struct cfg80211_registered_device *rdev,
5586 				struct net_device *dev,
5587 				const u8 *mac_addr, struct station_info *sinfo)
5588 {
5589 	void *hdr;
5590 	struct nlattr *sinfoattr, *bss_param;
5591 
5592 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5593 	if (!hdr) {
5594 		cfg80211_sinfo_release_content(sinfo);
5595 		return -1;
5596 	}
5597 
5598 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5599 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5600 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5601 		goto nla_put_failure;
5602 
5603 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5604 	if (!sinfoattr)
5605 		goto nla_put_failure;
5606 
5607 #define PUT_SINFO(attr, memb, type) do {				\
5608 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5609 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5610 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5611 			     sinfo->memb))				\
5612 		goto nla_put_failure;					\
5613 	} while (0)
5614 #define PUT_SINFO_U64(attr, memb) do {					\
5615 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5616 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5617 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5618 		goto nla_put_failure;					\
5619 	} while (0)
5620 
5621 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5622 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5623 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5624 
5625 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5626 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5627 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5628 			(u32)sinfo->rx_bytes))
5629 		goto nla_put_failure;
5630 
5631 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5632 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5633 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5634 			(u32)sinfo->tx_bytes))
5635 		goto nla_put_failure;
5636 
5637 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5638 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5639 	PUT_SINFO(LLID, llid, u16);
5640 	PUT_SINFO(PLID, plid, u16);
5641 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5642 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5643 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5644 
5645 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5646 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5647 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5648 
5649 	switch (rdev->wiphy.signal_type) {
5650 	case CFG80211_SIGNAL_TYPE_MBM:
5651 		PUT_SINFO(SIGNAL, signal, u8);
5652 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5653 		break;
5654 	default:
5655 		break;
5656 	}
5657 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5658 		if (!nl80211_put_signal(msg, sinfo->chains,
5659 					sinfo->chain_signal,
5660 					NL80211_STA_INFO_CHAIN_SIGNAL))
5661 			goto nla_put_failure;
5662 	}
5663 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5664 		if (!nl80211_put_signal(msg, sinfo->chains,
5665 					sinfo->chain_signal_avg,
5666 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5667 			goto nla_put_failure;
5668 	}
5669 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5670 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5671 					  NL80211_STA_INFO_TX_BITRATE))
5672 			goto nla_put_failure;
5673 	}
5674 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5675 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5676 					  NL80211_STA_INFO_RX_BITRATE))
5677 			goto nla_put_failure;
5678 	}
5679 
5680 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5681 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5682 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5683 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5684 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5685 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5686 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5687 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5688 	PUT_SINFO(PEER_PM, peer_pm, u32);
5689 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5690 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5691 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
5692 
5693 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5694 		bss_param = nla_nest_start_noflag(msg,
5695 						  NL80211_STA_INFO_BSS_PARAM);
5696 		if (!bss_param)
5697 			goto nla_put_failure;
5698 
5699 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5700 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5701 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5702 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5703 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5704 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5705 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5706 			       sinfo->bss_param.dtim_period) ||
5707 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5708 				sinfo->bss_param.beacon_interval))
5709 			goto nla_put_failure;
5710 
5711 		nla_nest_end(msg, bss_param);
5712 	}
5713 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5714 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5715 		    sizeof(struct nl80211_sta_flag_update),
5716 		    &sinfo->sta_flags))
5717 		goto nla_put_failure;
5718 
5719 	PUT_SINFO_U64(T_OFFSET, t_offset);
5720 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5721 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5722 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5723 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5724 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5725 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5726 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5727 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5728 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5729 	}
5730 
5731 #undef PUT_SINFO
5732 #undef PUT_SINFO_U64
5733 
5734 	if (sinfo->pertid) {
5735 		struct nlattr *tidsattr;
5736 		int tid;
5737 
5738 		tidsattr = nla_nest_start_noflag(msg,
5739 						 NL80211_STA_INFO_TID_STATS);
5740 		if (!tidsattr)
5741 			goto nla_put_failure;
5742 
5743 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5744 			struct cfg80211_tid_stats *tidstats;
5745 			struct nlattr *tidattr;
5746 
5747 			tidstats = &sinfo->pertid[tid];
5748 
5749 			if (!tidstats->filled)
5750 				continue;
5751 
5752 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5753 			if (!tidattr)
5754 				goto nla_put_failure;
5755 
5756 #define PUT_TIDVAL_U64(attr, memb) do {					\
5757 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5758 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5759 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5760 		goto nla_put_failure;					\
5761 	} while (0)
5762 
5763 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5764 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5765 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5766 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5767 
5768 #undef PUT_TIDVAL_U64
5769 			if ((tidstats->filled &
5770 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5771 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5772 						   NL80211_TID_STATS_TXQ_STATS))
5773 				goto nla_put_failure;
5774 
5775 			nla_nest_end(msg, tidattr);
5776 		}
5777 
5778 		nla_nest_end(msg, tidsattr);
5779 	}
5780 
5781 	nla_nest_end(msg, sinfoattr);
5782 
5783 	if (sinfo->assoc_req_ies_len &&
5784 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5785 		    sinfo->assoc_req_ies))
5786 		goto nla_put_failure;
5787 
5788 	cfg80211_sinfo_release_content(sinfo);
5789 	genlmsg_end(msg, hdr);
5790 	return 0;
5791 
5792  nla_put_failure:
5793 	cfg80211_sinfo_release_content(sinfo);
5794 	genlmsg_cancel(msg, hdr);
5795 	return -EMSGSIZE;
5796 }
5797 
5798 static int nl80211_dump_station(struct sk_buff *skb,
5799 				struct netlink_callback *cb)
5800 {
5801 	struct station_info sinfo;
5802 	struct cfg80211_registered_device *rdev;
5803 	struct wireless_dev *wdev;
5804 	u8 mac_addr[ETH_ALEN];
5805 	int sta_idx = cb->args[2];
5806 	int err;
5807 
5808 	rtnl_lock();
5809 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5810 	if (err)
5811 		goto out_err;
5812 
5813 	if (!wdev->netdev) {
5814 		err = -EINVAL;
5815 		goto out_err;
5816 	}
5817 
5818 	if (!rdev->ops->dump_station) {
5819 		err = -EOPNOTSUPP;
5820 		goto out_err;
5821 	}
5822 
5823 	while (1) {
5824 		memset(&sinfo, 0, sizeof(sinfo));
5825 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5826 					mac_addr, &sinfo);
5827 		if (err == -ENOENT)
5828 			break;
5829 		if (err)
5830 			goto out_err;
5831 
5832 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5833 				NETLINK_CB(cb->skb).portid,
5834 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5835 				rdev, wdev->netdev, mac_addr,
5836 				&sinfo) < 0)
5837 			goto out;
5838 
5839 		sta_idx++;
5840 	}
5841 
5842  out:
5843 	cb->args[2] = sta_idx;
5844 	err = skb->len;
5845  out_err:
5846 	rtnl_unlock();
5847 
5848 	return err;
5849 }
5850 
5851 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5852 {
5853 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5854 	struct net_device *dev = info->user_ptr[1];
5855 	struct station_info sinfo;
5856 	struct sk_buff *msg;
5857 	u8 *mac_addr = NULL;
5858 	int err;
5859 
5860 	memset(&sinfo, 0, sizeof(sinfo));
5861 
5862 	if (!info->attrs[NL80211_ATTR_MAC])
5863 		return -EINVAL;
5864 
5865 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5866 
5867 	if (!rdev->ops->get_station)
5868 		return -EOPNOTSUPP;
5869 
5870 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5871 	if (err)
5872 		return err;
5873 
5874 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5875 	if (!msg) {
5876 		cfg80211_sinfo_release_content(&sinfo);
5877 		return -ENOMEM;
5878 	}
5879 
5880 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5881 				 info->snd_portid, info->snd_seq, 0,
5882 				 rdev, dev, mac_addr, &sinfo) < 0) {
5883 		nlmsg_free(msg);
5884 		return -ENOBUFS;
5885 	}
5886 
5887 	return genlmsg_reply(msg, info);
5888 }
5889 
5890 int cfg80211_check_station_change(struct wiphy *wiphy,
5891 				  struct station_parameters *params,
5892 				  enum cfg80211_station_type statype)
5893 {
5894 	if (params->listen_interval != -1 &&
5895 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5896 		return -EINVAL;
5897 
5898 	if (params->support_p2p_ps != -1 &&
5899 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5900 		return -EINVAL;
5901 
5902 	if (params->aid &&
5903 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5904 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5905 		return -EINVAL;
5906 
5907 	/* When you run into this, adjust the code below for the new flag */
5908 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5909 
5910 	switch (statype) {
5911 	case CFG80211_STA_MESH_PEER_KERNEL:
5912 	case CFG80211_STA_MESH_PEER_USER:
5913 		/*
5914 		 * No ignoring the TDLS flag here -- the userspace mesh
5915 		 * code doesn't have the bug of including TDLS in the
5916 		 * mask everywhere.
5917 		 */
5918 		if (params->sta_flags_mask &
5919 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5920 				  BIT(NL80211_STA_FLAG_MFP) |
5921 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5922 			return -EINVAL;
5923 		break;
5924 	case CFG80211_STA_TDLS_PEER_SETUP:
5925 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5926 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5927 			return -EINVAL;
5928 		/* ignore since it can't change */
5929 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5930 		break;
5931 	default:
5932 		/* disallow mesh-specific things */
5933 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5934 			return -EINVAL;
5935 		if (params->local_pm)
5936 			return -EINVAL;
5937 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5938 			return -EINVAL;
5939 	}
5940 
5941 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5942 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5943 		/* TDLS can't be set, ... */
5944 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5945 			return -EINVAL;
5946 		/*
5947 		 * ... but don't bother the driver with it. This works around
5948 		 * a hostapd/wpa_supplicant issue -- it always includes the
5949 		 * TLDS_PEER flag in the mask even for AP mode.
5950 		 */
5951 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5952 	}
5953 
5954 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5955 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5956 		/* reject other things that can't change */
5957 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5958 			return -EINVAL;
5959 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5960 			return -EINVAL;
5961 		if (params->supported_rates)
5962 			return -EINVAL;
5963 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5964 		    params->he_capa)
5965 			return -EINVAL;
5966 	}
5967 
5968 	if (statype != CFG80211_STA_AP_CLIENT &&
5969 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5970 		if (params->vlan)
5971 			return -EINVAL;
5972 	}
5973 
5974 	switch (statype) {
5975 	case CFG80211_STA_AP_MLME_CLIENT:
5976 		/* Use this only for authorizing/unauthorizing a station */
5977 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5978 			return -EOPNOTSUPP;
5979 		break;
5980 	case CFG80211_STA_AP_CLIENT:
5981 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5982 		/* accept only the listed bits */
5983 		if (params->sta_flags_mask &
5984 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5985 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5986 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5987 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5988 				  BIT(NL80211_STA_FLAG_WME) |
5989 				  BIT(NL80211_STA_FLAG_MFP)))
5990 			return -EINVAL;
5991 
5992 		/* but authenticated/associated only if driver handles it */
5993 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5994 		    params->sta_flags_mask &
5995 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5996 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5997 			return -EINVAL;
5998 		break;
5999 	case CFG80211_STA_IBSS:
6000 	case CFG80211_STA_AP_STA:
6001 		/* reject any changes other than AUTHORIZED */
6002 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6003 			return -EINVAL;
6004 		break;
6005 	case CFG80211_STA_TDLS_PEER_SETUP:
6006 		/* reject any changes other than AUTHORIZED or WME */
6007 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6008 					       BIT(NL80211_STA_FLAG_WME)))
6009 			return -EINVAL;
6010 		/* force (at least) rates when authorizing */
6011 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6012 		    !params->supported_rates)
6013 			return -EINVAL;
6014 		break;
6015 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6016 		/* reject any changes */
6017 		return -EINVAL;
6018 	case CFG80211_STA_MESH_PEER_KERNEL:
6019 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6020 			return -EINVAL;
6021 		break;
6022 	case CFG80211_STA_MESH_PEER_USER:
6023 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6024 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6025 			return -EINVAL;
6026 		break;
6027 	}
6028 
6029 	/*
6030 	 * Older kernel versions ignored this attribute entirely, so don't
6031 	 * reject attempts to update it but mark it as unused instead so the
6032 	 * driver won't look at the data.
6033 	 */
6034 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6035 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6036 		params->opmode_notif_used = false;
6037 
6038 	return 0;
6039 }
6040 EXPORT_SYMBOL(cfg80211_check_station_change);
6041 
6042 /*
6043  * Get vlan interface making sure it is running and on the right wiphy.
6044  */
6045 static struct net_device *get_vlan(struct genl_info *info,
6046 				   struct cfg80211_registered_device *rdev)
6047 {
6048 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6049 	struct net_device *v;
6050 	int ret;
6051 
6052 	if (!vlanattr)
6053 		return NULL;
6054 
6055 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6056 	if (!v)
6057 		return ERR_PTR(-ENODEV);
6058 
6059 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6060 		ret = -EINVAL;
6061 		goto error;
6062 	}
6063 
6064 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6065 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6066 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6067 		ret = -EINVAL;
6068 		goto error;
6069 	}
6070 
6071 	if (!netif_running(v)) {
6072 		ret = -ENETDOWN;
6073 		goto error;
6074 	}
6075 
6076 	return v;
6077  error:
6078 	dev_put(v);
6079 	return ERR_PTR(ret);
6080 }
6081 
6082 static const struct nla_policy
6083 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6084 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6085 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6086 };
6087 
6088 static int nl80211_parse_sta_wme(struct genl_info *info,
6089 				 struct station_parameters *params)
6090 {
6091 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6092 	struct nlattr *nla;
6093 	int err;
6094 
6095 	/* parse WME attributes if present */
6096 	if (!info->attrs[NL80211_ATTR_STA_WME])
6097 		return 0;
6098 
6099 	nla = info->attrs[NL80211_ATTR_STA_WME];
6100 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6101 					  nl80211_sta_wme_policy,
6102 					  info->extack);
6103 	if (err)
6104 		return err;
6105 
6106 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6107 		params->uapsd_queues = nla_get_u8(
6108 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6109 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6110 		return -EINVAL;
6111 
6112 	if (tb[NL80211_STA_WME_MAX_SP])
6113 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6114 
6115 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6116 		return -EINVAL;
6117 
6118 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6119 
6120 	return 0;
6121 }
6122 
6123 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6124 				      struct station_parameters *params)
6125 {
6126 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6127 		params->supported_channels =
6128 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6129 		params->supported_channels_len =
6130 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6131 		/*
6132 		 * Need to include at least one (first channel, number of
6133 		 * channels) tuple for each subband (checked in policy),
6134 		 * and must have proper tuples for the rest of the data as well.
6135 		 */
6136 		if (params->supported_channels_len % 2)
6137 			return -EINVAL;
6138 	}
6139 
6140 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6141 		params->supported_oper_classes =
6142 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6143 		params->supported_oper_classes_len =
6144 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6145 	}
6146 	return 0;
6147 }
6148 
6149 static int nl80211_set_station_tdls(struct genl_info *info,
6150 				    struct station_parameters *params)
6151 {
6152 	int err;
6153 	/* Dummy STA entry gets updated once the peer capabilities are known */
6154 	if (info->attrs[NL80211_ATTR_PEER_AID])
6155 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6156 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6157 		params->ht_capa =
6158 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6159 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6160 		params->vht_capa =
6161 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6162 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6163 		params->he_capa =
6164 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6165 		params->he_capa_len =
6166 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6167 	}
6168 
6169 	err = nl80211_parse_sta_channel_info(info, params);
6170 	if (err)
6171 		return err;
6172 
6173 	return nl80211_parse_sta_wme(info, params);
6174 }
6175 
6176 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6177 					     struct station_parameters *params)
6178 {
6179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6180 	int idx;
6181 
6182 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6183 		if (!rdev->ops->set_tx_power ||
6184 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6185 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6186 			return -EOPNOTSUPP;
6187 
6188 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6189 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6190 
6191 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6192 			idx = NL80211_ATTR_STA_TX_POWER;
6193 
6194 			if (info->attrs[idx])
6195 				params->txpwr.power =
6196 					nla_get_s16(info->attrs[idx]);
6197 			else
6198 				return -EINVAL;
6199 		}
6200 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6201 	}
6202 
6203 	return 0;
6204 }
6205 
6206 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6207 {
6208 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6209 	struct net_device *dev = info->user_ptr[1];
6210 	struct station_parameters params;
6211 	u8 *mac_addr;
6212 	int err;
6213 
6214 	memset(&params, 0, sizeof(params));
6215 
6216 	if (!rdev->ops->change_station)
6217 		return -EOPNOTSUPP;
6218 
6219 	/*
6220 	 * AID and listen_interval properties can be set only for unassociated
6221 	 * station. Include these parameters here and will check them in
6222 	 * cfg80211_check_station_change().
6223 	 */
6224 	if (info->attrs[NL80211_ATTR_STA_AID])
6225 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6226 
6227 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6228 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6229 
6230 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6231 		params.listen_interval =
6232 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6233 	else
6234 		params.listen_interval = -1;
6235 
6236 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6237 		params.support_p2p_ps =
6238 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6239 	else
6240 		params.support_p2p_ps = -1;
6241 
6242 	if (!info->attrs[NL80211_ATTR_MAC])
6243 		return -EINVAL;
6244 
6245 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6246 
6247 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6248 		params.supported_rates =
6249 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6250 		params.supported_rates_len =
6251 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6252 	}
6253 
6254 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6255 		params.capability =
6256 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6257 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6258 	}
6259 
6260 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6261 		params.ext_capab =
6262 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6263 		params.ext_capab_len =
6264 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6265 	}
6266 
6267 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6268 		return -EINVAL;
6269 
6270 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6271 		params.plink_action =
6272 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6273 
6274 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6275 		params.plink_state =
6276 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6277 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6278 			params.peer_aid = nla_get_u16(
6279 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6280 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6281 	}
6282 
6283 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6284 		params.local_pm = nla_get_u32(
6285 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6286 
6287 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6288 		params.opmode_notif_used = true;
6289 		params.opmode_notif =
6290 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6291 	}
6292 
6293 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6294 		params.he_6ghz_capa =
6295 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6296 
6297 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6298 		params.airtime_weight =
6299 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6300 
6301 	if (params.airtime_weight &&
6302 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6303 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6304 		return -EOPNOTSUPP;
6305 
6306 	err = nl80211_parse_sta_txpower_setting(info, &params);
6307 	if (err)
6308 		return err;
6309 
6310 	/* Include parameters for TDLS peer (will check later) */
6311 	err = nl80211_set_station_tdls(info, &params);
6312 	if (err)
6313 		return err;
6314 
6315 	params.vlan = get_vlan(info, rdev);
6316 	if (IS_ERR(params.vlan))
6317 		return PTR_ERR(params.vlan);
6318 
6319 	switch (dev->ieee80211_ptr->iftype) {
6320 	case NL80211_IFTYPE_AP:
6321 	case NL80211_IFTYPE_AP_VLAN:
6322 	case NL80211_IFTYPE_P2P_GO:
6323 	case NL80211_IFTYPE_P2P_CLIENT:
6324 	case NL80211_IFTYPE_STATION:
6325 	case NL80211_IFTYPE_ADHOC:
6326 	case NL80211_IFTYPE_MESH_POINT:
6327 		break;
6328 	default:
6329 		err = -EOPNOTSUPP;
6330 		goto out_put_vlan;
6331 	}
6332 
6333 	/* driver will call cfg80211_check_station_change() */
6334 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6335 
6336  out_put_vlan:
6337 	if (params.vlan)
6338 		dev_put(params.vlan);
6339 
6340 	return err;
6341 }
6342 
6343 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6344 {
6345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6346 	int err;
6347 	struct net_device *dev = info->user_ptr[1];
6348 	struct station_parameters params;
6349 	u8 *mac_addr = NULL;
6350 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6351 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6352 
6353 	memset(&params, 0, sizeof(params));
6354 
6355 	if (!rdev->ops->add_station)
6356 		return -EOPNOTSUPP;
6357 
6358 	if (!info->attrs[NL80211_ATTR_MAC])
6359 		return -EINVAL;
6360 
6361 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6362 		return -EINVAL;
6363 
6364 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6365 		return -EINVAL;
6366 
6367 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6368 	    !info->attrs[NL80211_ATTR_PEER_AID])
6369 		return -EINVAL;
6370 
6371 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6372 	params.supported_rates =
6373 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6374 	params.supported_rates_len =
6375 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6376 	params.listen_interval =
6377 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6378 
6379 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6380 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6381 
6382 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6383 		params.support_p2p_ps =
6384 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6385 	} else {
6386 		/*
6387 		 * if not specified, assume it's supported for P2P GO interface,
6388 		 * and is NOT supported for AP interface
6389 		 */
6390 		params.support_p2p_ps =
6391 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6392 	}
6393 
6394 	if (info->attrs[NL80211_ATTR_PEER_AID])
6395 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6396 	else
6397 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6398 
6399 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6400 		params.capability =
6401 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6402 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6403 	}
6404 
6405 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6406 		params.ext_capab =
6407 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6408 		params.ext_capab_len =
6409 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6410 	}
6411 
6412 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6413 		params.ht_capa =
6414 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6415 
6416 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6417 		params.vht_capa =
6418 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6419 
6420 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6421 		params.he_capa =
6422 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6423 		params.he_capa_len =
6424 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6425 	}
6426 
6427 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6428 		params.he_6ghz_capa =
6429 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6430 
6431 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6432 		params.opmode_notif_used = true;
6433 		params.opmode_notif =
6434 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6435 	}
6436 
6437 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6438 		params.plink_action =
6439 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6440 
6441 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6442 		params.airtime_weight =
6443 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6444 
6445 	if (params.airtime_weight &&
6446 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6447 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6448 		return -EOPNOTSUPP;
6449 
6450 	err = nl80211_parse_sta_txpower_setting(info, &params);
6451 	if (err)
6452 		return err;
6453 
6454 	err = nl80211_parse_sta_channel_info(info, &params);
6455 	if (err)
6456 		return err;
6457 
6458 	err = nl80211_parse_sta_wme(info, &params);
6459 	if (err)
6460 		return err;
6461 
6462 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6463 		return -EINVAL;
6464 
6465 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6466 	 * as userspace might just pass through the capabilities from the IEs
6467 	 * directly, rather than enforcing this restriction and returning an
6468 	 * error in this case.
6469 	 */
6470 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6471 		params.ht_capa = NULL;
6472 		params.vht_capa = NULL;
6473 
6474 		/* HE requires WME */
6475 		if (params.he_capa_len || params.he_6ghz_capa)
6476 			return -EINVAL;
6477 	}
6478 
6479 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6480 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6481 		return -EINVAL;
6482 
6483 	/* When you run into this, adjust the code below for the new flag */
6484 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6485 
6486 	switch (dev->ieee80211_ptr->iftype) {
6487 	case NL80211_IFTYPE_AP:
6488 	case NL80211_IFTYPE_AP_VLAN:
6489 	case NL80211_IFTYPE_P2P_GO:
6490 		/* ignore WME attributes if iface/sta is not capable */
6491 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6492 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6493 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6494 
6495 		/* TDLS peers cannot be added */
6496 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6497 		    info->attrs[NL80211_ATTR_PEER_AID])
6498 			return -EINVAL;
6499 		/* but don't bother the driver with it */
6500 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6501 
6502 		/* allow authenticated/associated only if driver handles it */
6503 		if (!(rdev->wiphy.features &
6504 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6505 		    params.sta_flags_mask & auth_assoc)
6506 			return -EINVAL;
6507 
6508 		/* Older userspace, or userspace wanting to be compatible with
6509 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6510 		 * and assoc flags in the mask, but assumes the station will be
6511 		 * added as associated anyway since this was the required driver
6512 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6513 		 * introduced.
6514 		 * In order to not bother drivers with this quirk in the API
6515 		 * set the flags in both the mask and set for new stations in
6516 		 * this case.
6517 		 */
6518 		if (!(params.sta_flags_mask & auth_assoc)) {
6519 			params.sta_flags_mask |= auth_assoc;
6520 			params.sta_flags_set |= auth_assoc;
6521 		}
6522 
6523 		/* must be last in here for error handling */
6524 		params.vlan = get_vlan(info, rdev);
6525 		if (IS_ERR(params.vlan))
6526 			return PTR_ERR(params.vlan);
6527 		break;
6528 	case NL80211_IFTYPE_MESH_POINT:
6529 		/* ignore uAPSD data */
6530 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6531 
6532 		/* associated is disallowed */
6533 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6534 			return -EINVAL;
6535 		/* TDLS peers cannot be added */
6536 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6537 		    info->attrs[NL80211_ATTR_PEER_AID])
6538 			return -EINVAL;
6539 		break;
6540 	case NL80211_IFTYPE_STATION:
6541 	case NL80211_IFTYPE_P2P_CLIENT:
6542 		/* ignore uAPSD data */
6543 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6544 
6545 		/* these are disallowed */
6546 		if (params.sta_flags_mask &
6547 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6548 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6549 			return -EINVAL;
6550 		/* Only TDLS peers can be added */
6551 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6552 			return -EINVAL;
6553 		/* Can only add if TDLS ... */
6554 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6555 			return -EOPNOTSUPP;
6556 		/* ... with external setup is supported */
6557 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6558 			return -EOPNOTSUPP;
6559 		/*
6560 		 * Older wpa_supplicant versions always mark the TDLS peer
6561 		 * as authorized, but it shouldn't yet be.
6562 		 */
6563 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6564 		break;
6565 	default:
6566 		return -EOPNOTSUPP;
6567 	}
6568 
6569 	/* be aware of params.vlan when changing code here */
6570 
6571 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6572 
6573 	if (params.vlan)
6574 		dev_put(params.vlan);
6575 	return err;
6576 }
6577 
6578 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6579 {
6580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6581 	struct net_device *dev = info->user_ptr[1];
6582 	struct station_del_parameters params;
6583 
6584 	memset(&params, 0, sizeof(params));
6585 
6586 	if (info->attrs[NL80211_ATTR_MAC])
6587 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6588 
6589 	switch (dev->ieee80211_ptr->iftype) {
6590 	case NL80211_IFTYPE_AP:
6591 	case NL80211_IFTYPE_AP_VLAN:
6592 	case NL80211_IFTYPE_MESH_POINT:
6593 	case NL80211_IFTYPE_P2P_GO:
6594 		/* always accept these */
6595 		break;
6596 	case NL80211_IFTYPE_ADHOC:
6597 		/* conditionally accept */
6598 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6599 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6600 			break;
6601 		return -EINVAL;
6602 	default:
6603 		return -EINVAL;
6604 	}
6605 
6606 	if (!rdev->ops->del_station)
6607 		return -EOPNOTSUPP;
6608 
6609 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6610 		params.subtype =
6611 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6612 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6613 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6614 			return -EINVAL;
6615 	} else {
6616 		/* Default to Deauthentication frame */
6617 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6618 	}
6619 
6620 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6621 		params.reason_code =
6622 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6623 		if (params.reason_code == 0)
6624 			return -EINVAL; /* 0 is reserved */
6625 	} else {
6626 		/* Default to reason code 2 */
6627 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6628 	}
6629 
6630 	return rdev_del_station(rdev, dev, &params);
6631 }
6632 
6633 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6634 				int flags, struct net_device *dev,
6635 				u8 *dst, u8 *next_hop,
6636 				struct mpath_info *pinfo)
6637 {
6638 	void *hdr;
6639 	struct nlattr *pinfoattr;
6640 
6641 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6642 	if (!hdr)
6643 		return -1;
6644 
6645 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6646 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6647 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6648 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6649 		goto nla_put_failure;
6650 
6651 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6652 	if (!pinfoattr)
6653 		goto nla_put_failure;
6654 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6655 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6656 			pinfo->frame_qlen))
6657 		goto nla_put_failure;
6658 	if (((pinfo->filled & MPATH_INFO_SN) &&
6659 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6660 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6661 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6662 			 pinfo->metric)) ||
6663 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6664 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6665 			 pinfo->exptime)) ||
6666 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6667 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6668 			pinfo->flags)) ||
6669 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6670 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6671 			 pinfo->discovery_timeout)) ||
6672 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6673 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6674 			pinfo->discovery_retries)) ||
6675 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6676 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6677 			pinfo->hop_count)) ||
6678 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6679 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6680 			 pinfo->path_change_count)))
6681 		goto nla_put_failure;
6682 
6683 	nla_nest_end(msg, pinfoattr);
6684 
6685 	genlmsg_end(msg, hdr);
6686 	return 0;
6687 
6688  nla_put_failure:
6689 	genlmsg_cancel(msg, hdr);
6690 	return -EMSGSIZE;
6691 }
6692 
6693 static int nl80211_dump_mpath(struct sk_buff *skb,
6694 			      struct netlink_callback *cb)
6695 {
6696 	struct mpath_info pinfo;
6697 	struct cfg80211_registered_device *rdev;
6698 	struct wireless_dev *wdev;
6699 	u8 dst[ETH_ALEN];
6700 	u8 next_hop[ETH_ALEN];
6701 	int path_idx = cb->args[2];
6702 	int err;
6703 
6704 	rtnl_lock();
6705 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6706 	if (err)
6707 		goto out_err;
6708 
6709 	if (!rdev->ops->dump_mpath) {
6710 		err = -EOPNOTSUPP;
6711 		goto out_err;
6712 	}
6713 
6714 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6715 		err = -EOPNOTSUPP;
6716 		goto out_err;
6717 	}
6718 
6719 	while (1) {
6720 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6721 				      next_hop, &pinfo);
6722 		if (err == -ENOENT)
6723 			break;
6724 		if (err)
6725 			goto out_err;
6726 
6727 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6728 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6729 				       wdev->netdev, dst, next_hop,
6730 				       &pinfo) < 0)
6731 			goto out;
6732 
6733 		path_idx++;
6734 	}
6735 
6736  out:
6737 	cb->args[2] = path_idx;
6738 	err = skb->len;
6739  out_err:
6740 	rtnl_unlock();
6741 	return err;
6742 }
6743 
6744 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6745 {
6746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6747 	int err;
6748 	struct net_device *dev = info->user_ptr[1];
6749 	struct mpath_info pinfo;
6750 	struct sk_buff *msg;
6751 	u8 *dst = NULL;
6752 	u8 next_hop[ETH_ALEN];
6753 
6754 	memset(&pinfo, 0, sizeof(pinfo));
6755 
6756 	if (!info->attrs[NL80211_ATTR_MAC])
6757 		return -EINVAL;
6758 
6759 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6760 
6761 	if (!rdev->ops->get_mpath)
6762 		return -EOPNOTSUPP;
6763 
6764 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6765 		return -EOPNOTSUPP;
6766 
6767 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6768 	if (err)
6769 		return err;
6770 
6771 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6772 	if (!msg)
6773 		return -ENOMEM;
6774 
6775 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6776 				 dev, dst, next_hop, &pinfo) < 0) {
6777 		nlmsg_free(msg);
6778 		return -ENOBUFS;
6779 	}
6780 
6781 	return genlmsg_reply(msg, info);
6782 }
6783 
6784 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6785 {
6786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6787 	struct net_device *dev = info->user_ptr[1];
6788 	u8 *dst = NULL;
6789 	u8 *next_hop = NULL;
6790 
6791 	if (!info->attrs[NL80211_ATTR_MAC])
6792 		return -EINVAL;
6793 
6794 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6795 		return -EINVAL;
6796 
6797 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6798 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6799 
6800 	if (!rdev->ops->change_mpath)
6801 		return -EOPNOTSUPP;
6802 
6803 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6804 		return -EOPNOTSUPP;
6805 
6806 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6807 }
6808 
6809 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6810 {
6811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6812 	struct net_device *dev = info->user_ptr[1];
6813 	u8 *dst = NULL;
6814 	u8 *next_hop = NULL;
6815 
6816 	if (!info->attrs[NL80211_ATTR_MAC])
6817 		return -EINVAL;
6818 
6819 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6820 		return -EINVAL;
6821 
6822 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6823 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6824 
6825 	if (!rdev->ops->add_mpath)
6826 		return -EOPNOTSUPP;
6827 
6828 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6829 		return -EOPNOTSUPP;
6830 
6831 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6832 }
6833 
6834 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6835 {
6836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6837 	struct net_device *dev = info->user_ptr[1];
6838 	u8 *dst = NULL;
6839 
6840 	if (info->attrs[NL80211_ATTR_MAC])
6841 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6842 
6843 	if (!rdev->ops->del_mpath)
6844 		return -EOPNOTSUPP;
6845 
6846 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6847 		return -EOPNOTSUPP;
6848 
6849 	return rdev_del_mpath(rdev, dev, dst);
6850 }
6851 
6852 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6853 {
6854 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6855 	int err;
6856 	struct net_device *dev = info->user_ptr[1];
6857 	struct mpath_info pinfo;
6858 	struct sk_buff *msg;
6859 	u8 *dst = NULL;
6860 	u8 mpp[ETH_ALEN];
6861 
6862 	memset(&pinfo, 0, sizeof(pinfo));
6863 
6864 	if (!info->attrs[NL80211_ATTR_MAC])
6865 		return -EINVAL;
6866 
6867 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6868 
6869 	if (!rdev->ops->get_mpp)
6870 		return -EOPNOTSUPP;
6871 
6872 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6873 		return -EOPNOTSUPP;
6874 
6875 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6876 	if (err)
6877 		return err;
6878 
6879 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6880 	if (!msg)
6881 		return -ENOMEM;
6882 
6883 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6884 			       dev, dst, mpp, &pinfo) < 0) {
6885 		nlmsg_free(msg);
6886 		return -ENOBUFS;
6887 	}
6888 
6889 	return genlmsg_reply(msg, info);
6890 }
6891 
6892 static int nl80211_dump_mpp(struct sk_buff *skb,
6893 			    struct netlink_callback *cb)
6894 {
6895 	struct mpath_info pinfo;
6896 	struct cfg80211_registered_device *rdev;
6897 	struct wireless_dev *wdev;
6898 	u8 dst[ETH_ALEN];
6899 	u8 mpp[ETH_ALEN];
6900 	int path_idx = cb->args[2];
6901 	int err;
6902 
6903 	rtnl_lock();
6904 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6905 	if (err)
6906 		goto out_err;
6907 
6908 	if (!rdev->ops->dump_mpp) {
6909 		err = -EOPNOTSUPP;
6910 		goto out_err;
6911 	}
6912 
6913 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6914 		err = -EOPNOTSUPP;
6915 		goto out_err;
6916 	}
6917 
6918 	while (1) {
6919 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6920 				    mpp, &pinfo);
6921 		if (err == -ENOENT)
6922 			break;
6923 		if (err)
6924 			goto out_err;
6925 
6926 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6927 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6928 				       wdev->netdev, dst, mpp,
6929 				       &pinfo) < 0)
6930 			goto out;
6931 
6932 		path_idx++;
6933 	}
6934 
6935  out:
6936 	cb->args[2] = path_idx;
6937 	err = skb->len;
6938  out_err:
6939 	rtnl_unlock();
6940 	return err;
6941 }
6942 
6943 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6944 {
6945 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6946 	struct net_device *dev = info->user_ptr[1];
6947 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6948 	struct bss_parameters params;
6949 	int err;
6950 
6951 	memset(&params, 0, sizeof(params));
6952 	/* default to not changing parameters */
6953 	params.use_cts_prot = -1;
6954 	params.use_short_preamble = -1;
6955 	params.use_short_slot_time = -1;
6956 	params.ap_isolate = -1;
6957 	params.ht_opmode = -1;
6958 	params.p2p_ctwindow = -1;
6959 	params.p2p_opp_ps = -1;
6960 
6961 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6962 		params.use_cts_prot =
6963 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6964 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6965 		params.use_short_preamble =
6966 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6967 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6968 		params.use_short_slot_time =
6969 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6970 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6971 		params.basic_rates =
6972 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6973 		params.basic_rates_len =
6974 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6975 	}
6976 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6977 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6978 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6979 		params.ht_opmode =
6980 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6981 
6982 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6983 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6984 			return -EINVAL;
6985 		params.p2p_ctwindow =
6986 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6987 		if (params.p2p_ctwindow != 0 &&
6988 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6989 			return -EINVAL;
6990 	}
6991 
6992 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6993 		u8 tmp;
6994 
6995 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6996 			return -EINVAL;
6997 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6998 		params.p2p_opp_ps = tmp;
6999 		if (params.p2p_opp_ps &&
7000 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7001 			return -EINVAL;
7002 	}
7003 
7004 	if (!rdev->ops->change_bss)
7005 		return -EOPNOTSUPP;
7006 
7007 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7008 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7009 		return -EOPNOTSUPP;
7010 
7011 	wdev_lock(wdev);
7012 	err = rdev_change_bss(rdev, dev, &params);
7013 	wdev_unlock(wdev);
7014 
7015 	return err;
7016 }
7017 
7018 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7019 {
7020 	char *data = NULL;
7021 	bool is_indoor;
7022 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7023 	u32 owner_nlportid;
7024 
7025 	/*
7026 	 * You should only get this when cfg80211 hasn't yet initialized
7027 	 * completely when built-in to the kernel right between the time
7028 	 * window between nl80211_init() and regulatory_init(), if that is
7029 	 * even possible.
7030 	 */
7031 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7032 		return -EINPROGRESS;
7033 
7034 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7035 		user_reg_hint_type =
7036 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7037 	else
7038 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7039 
7040 	switch (user_reg_hint_type) {
7041 	case NL80211_USER_REG_HINT_USER:
7042 	case NL80211_USER_REG_HINT_CELL_BASE:
7043 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7044 			return -EINVAL;
7045 
7046 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7047 		return regulatory_hint_user(data, user_reg_hint_type);
7048 	case NL80211_USER_REG_HINT_INDOOR:
7049 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7050 			owner_nlportid = info->snd_portid;
7051 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7052 		} else {
7053 			owner_nlportid = 0;
7054 			is_indoor = true;
7055 		}
7056 
7057 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7058 	default:
7059 		return -EINVAL;
7060 	}
7061 }
7062 
7063 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7064 {
7065 	return reg_reload_regdb();
7066 }
7067 
7068 static int nl80211_get_mesh_config(struct sk_buff *skb,
7069 				   struct genl_info *info)
7070 {
7071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7072 	struct net_device *dev = info->user_ptr[1];
7073 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7074 	struct mesh_config cur_params;
7075 	int err = 0;
7076 	void *hdr;
7077 	struct nlattr *pinfoattr;
7078 	struct sk_buff *msg;
7079 
7080 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7081 		return -EOPNOTSUPP;
7082 
7083 	if (!rdev->ops->get_mesh_config)
7084 		return -EOPNOTSUPP;
7085 
7086 	wdev_lock(wdev);
7087 	/* If not connected, get default parameters */
7088 	if (!wdev->mesh_id_len)
7089 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7090 	else
7091 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7092 	wdev_unlock(wdev);
7093 
7094 	if (err)
7095 		return err;
7096 
7097 	/* Draw up a netlink message to send back */
7098 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7099 	if (!msg)
7100 		return -ENOMEM;
7101 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7102 			     NL80211_CMD_GET_MESH_CONFIG);
7103 	if (!hdr)
7104 		goto out;
7105 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7106 	if (!pinfoattr)
7107 		goto nla_put_failure;
7108 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7109 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7110 			cur_params.dot11MeshRetryTimeout) ||
7111 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7112 			cur_params.dot11MeshConfirmTimeout) ||
7113 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7114 			cur_params.dot11MeshHoldingTimeout) ||
7115 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7116 			cur_params.dot11MeshMaxPeerLinks) ||
7117 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7118 		       cur_params.dot11MeshMaxRetries) ||
7119 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7120 		       cur_params.dot11MeshTTL) ||
7121 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7122 		       cur_params.element_ttl) ||
7123 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7124 		       cur_params.auto_open_plinks) ||
7125 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7126 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7127 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7128 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7129 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7130 			cur_params.path_refresh_time) ||
7131 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7132 			cur_params.min_discovery_timeout) ||
7133 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7134 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7135 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7136 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7137 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7138 			cur_params.dot11MeshHWMPperrMinInterval) ||
7139 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7140 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7141 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7142 		       cur_params.dot11MeshHWMPRootMode) ||
7143 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7144 			cur_params.dot11MeshHWMPRannInterval) ||
7145 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7146 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7147 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7148 		       cur_params.dot11MeshForwarding) ||
7149 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7150 			cur_params.rssi_threshold) ||
7151 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7152 			cur_params.ht_opmode) ||
7153 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7154 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7155 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7156 			cur_params.dot11MeshHWMProotInterval) ||
7157 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7158 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7159 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7160 			cur_params.power_mode) ||
7161 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7162 			cur_params.dot11MeshAwakeWindowDuration) ||
7163 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7164 			cur_params.plink_timeout) ||
7165 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7166 		       cur_params.dot11MeshConnectedToMeshGate) ||
7167 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7168 		       cur_params.dot11MeshNolearn) ||
7169 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7170 		       cur_params.dot11MeshConnectedToAuthServer))
7171 		goto nla_put_failure;
7172 	nla_nest_end(msg, pinfoattr);
7173 	genlmsg_end(msg, hdr);
7174 	return genlmsg_reply(msg, info);
7175 
7176  nla_put_failure:
7177  out:
7178 	nlmsg_free(msg);
7179 	return -ENOBUFS;
7180 }
7181 
7182 static const struct nla_policy
7183 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7184 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7185 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7186 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7187 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7188 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7189 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7190 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7191 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7192 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7193 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7194 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7195 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7196 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7197 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7198 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7199 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7200 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7201 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7202 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7203 		NLA_POLICY_MIN(NLA_U16, 1),
7204 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7205 		NLA_POLICY_MIN(NLA_U16, 1),
7206 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7207 		NLA_POLICY_MIN(NLA_U16, 1),
7208 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7209 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7210 		NLA_POLICY_MIN(NLA_U16, 1),
7211 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7212 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7213 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7214 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7215 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7216 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7217 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7218 		NLA_POLICY_MIN(NLA_U16, 1),
7219 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7220 		NLA_POLICY_MIN(NLA_U16, 1),
7221 	[NL80211_MESHCONF_POWER_MODE] =
7222 		NLA_POLICY_RANGE(NLA_U32,
7223 				 NL80211_MESH_POWER_ACTIVE,
7224 				 NL80211_MESH_POWER_MAX),
7225 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7226 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7227 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7228 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7229 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7230 };
7231 
7232 static const struct nla_policy
7233 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7234 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7235 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7236 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7237 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7238 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7239 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7240 	[NL80211_MESH_SETUP_IE] =
7241 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7242 				       IEEE80211_MAX_DATA_LEN),
7243 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7244 };
7245 
7246 static int nl80211_parse_mesh_config(struct genl_info *info,
7247 				     struct mesh_config *cfg,
7248 				     u32 *mask_out)
7249 {
7250 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7251 	u32 mask = 0;
7252 	u16 ht_opmode;
7253 
7254 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7255 do {									\
7256 	if (tb[attr]) {							\
7257 		cfg->param = fn(tb[attr]);				\
7258 		mask |= BIT((attr) - 1);				\
7259 	}								\
7260 } while (0)
7261 
7262 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7263 		return -EINVAL;
7264 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7265 		return -EINVAL;
7266 
7267 	/* This makes sure that there aren't more than 32 mesh config
7268 	 * parameters (otherwise our bitfield scheme would not work.) */
7269 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7270 
7271 	/* Fill in the params struct */
7272 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7273 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7274 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7275 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7276 				  nla_get_u16);
7277 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7278 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7279 				  nla_get_u16);
7280 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7281 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7282 				  nla_get_u16);
7283 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7284 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7285 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7286 				  NL80211_MESHCONF_TTL, nla_get_u8);
7287 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7288 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7289 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7290 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7291 				  nla_get_u8);
7292 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7293 				  mask,
7294 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7295 				  nla_get_u32);
7296 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7297 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7298 				  nla_get_u8);
7299 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7300 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7301 				  nla_get_u32);
7302 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7303 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7304 		return -EINVAL;
7305 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7306 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7307 				  nla_get_u16);
7308 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7309 				  mask,
7310 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7311 				  nla_get_u32);
7312 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7313 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7314 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7315 		return -EINVAL;
7316 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7317 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7318 				  nla_get_u16);
7319 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7320 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7321 				  nla_get_u16);
7322 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7323 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7324 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7325 				  nla_get_u16);
7326 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7327 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7328 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7329 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7330 				  nla_get_u16);
7331 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7332 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7333 				  nla_get_u8);
7334 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7335 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7336 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7337 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7338 				  nla_get_s32);
7339 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7340 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7341 				  nla_get_u8);
7342 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7343 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7344 				  nla_get_u8);
7345 	/*
7346 	 * Check HT operation mode based on
7347 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7348 	 */
7349 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7350 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7351 
7352 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7353 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7354 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7355 			return -EINVAL;
7356 
7357 		/* NON_HT_STA bit is reserved, but some programs set it */
7358 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7359 
7360 		cfg->ht_opmode = ht_opmode;
7361 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7362 	}
7363 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7364 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7365 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7366 				  nla_get_u32);
7367 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7368 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7369 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7370 		return -EINVAL;
7371 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7372 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7373 				  nla_get_u16);
7374 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7375 				  mask,
7376 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7377 				  nla_get_u16);
7378 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7379 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7380 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7381 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7382 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7383 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7384 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7385 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7386 	if (mask_out)
7387 		*mask_out = mask;
7388 
7389 	return 0;
7390 
7391 #undef FILL_IN_MESH_PARAM_IF_SET
7392 }
7393 
7394 static int nl80211_parse_mesh_setup(struct genl_info *info,
7395 				     struct mesh_setup *setup)
7396 {
7397 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7398 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7399 
7400 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7401 		return -EINVAL;
7402 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7403 		return -EINVAL;
7404 
7405 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7406 		setup->sync_method =
7407 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7408 		 IEEE80211_SYNC_METHOD_VENDOR :
7409 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7410 
7411 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7412 		setup->path_sel_proto =
7413 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7414 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7415 		 IEEE80211_PATH_PROTOCOL_HWMP;
7416 
7417 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7418 		setup->path_metric =
7419 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7420 		 IEEE80211_PATH_METRIC_VENDOR :
7421 		 IEEE80211_PATH_METRIC_AIRTIME;
7422 
7423 	if (tb[NL80211_MESH_SETUP_IE]) {
7424 		struct nlattr *ieattr =
7425 			tb[NL80211_MESH_SETUP_IE];
7426 		setup->ie = nla_data(ieattr);
7427 		setup->ie_len = nla_len(ieattr);
7428 	}
7429 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7430 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7431 		return -EINVAL;
7432 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7433 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7434 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7435 	if (setup->is_secure)
7436 		setup->user_mpm = true;
7437 
7438 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7439 		if (!setup->user_mpm)
7440 			return -EINVAL;
7441 		setup->auth_id =
7442 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7443 	}
7444 
7445 	return 0;
7446 }
7447 
7448 static int nl80211_update_mesh_config(struct sk_buff *skb,
7449 				      struct genl_info *info)
7450 {
7451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7452 	struct net_device *dev = info->user_ptr[1];
7453 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7454 	struct mesh_config cfg;
7455 	u32 mask;
7456 	int err;
7457 
7458 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7459 		return -EOPNOTSUPP;
7460 
7461 	if (!rdev->ops->update_mesh_config)
7462 		return -EOPNOTSUPP;
7463 
7464 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7465 	if (err)
7466 		return err;
7467 
7468 	wdev_lock(wdev);
7469 	if (!wdev->mesh_id_len)
7470 		err = -ENOLINK;
7471 
7472 	if (!err)
7473 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7474 
7475 	wdev_unlock(wdev);
7476 
7477 	return err;
7478 }
7479 
7480 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7481 			      struct sk_buff *msg)
7482 {
7483 	struct nlattr *nl_reg_rules;
7484 	unsigned int i;
7485 
7486 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7487 	    (regdom->dfs_region &&
7488 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7489 		goto nla_put_failure;
7490 
7491 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7492 	if (!nl_reg_rules)
7493 		goto nla_put_failure;
7494 
7495 	for (i = 0; i < regdom->n_reg_rules; i++) {
7496 		struct nlattr *nl_reg_rule;
7497 		const struct ieee80211_reg_rule *reg_rule;
7498 		const struct ieee80211_freq_range *freq_range;
7499 		const struct ieee80211_power_rule *power_rule;
7500 		unsigned int max_bandwidth_khz;
7501 
7502 		reg_rule = &regdom->reg_rules[i];
7503 		freq_range = &reg_rule->freq_range;
7504 		power_rule = &reg_rule->power_rule;
7505 
7506 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7507 		if (!nl_reg_rule)
7508 			goto nla_put_failure;
7509 
7510 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7511 		if (!max_bandwidth_khz)
7512 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7513 								  reg_rule);
7514 
7515 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7516 				reg_rule->flags) ||
7517 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7518 				freq_range->start_freq_khz) ||
7519 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7520 				freq_range->end_freq_khz) ||
7521 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7522 				max_bandwidth_khz) ||
7523 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7524 				power_rule->max_antenna_gain) ||
7525 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7526 				power_rule->max_eirp) ||
7527 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7528 				reg_rule->dfs_cac_ms))
7529 			goto nla_put_failure;
7530 
7531 		nla_nest_end(msg, nl_reg_rule);
7532 	}
7533 
7534 	nla_nest_end(msg, nl_reg_rules);
7535 	return 0;
7536 
7537 nla_put_failure:
7538 	return -EMSGSIZE;
7539 }
7540 
7541 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7542 {
7543 	const struct ieee80211_regdomain *regdom = NULL;
7544 	struct cfg80211_registered_device *rdev;
7545 	struct wiphy *wiphy = NULL;
7546 	struct sk_buff *msg;
7547 	void *hdr;
7548 
7549 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7550 	if (!msg)
7551 		return -ENOBUFS;
7552 
7553 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7554 			     NL80211_CMD_GET_REG);
7555 	if (!hdr)
7556 		goto put_failure;
7557 
7558 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7559 		bool self_managed;
7560 
7561 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7562 		if (IS_ERR(rdev)) {
7563 			nlmsg_free(msg);
7564 			return PTR_ERR(rdev);
7565 		}
7566 
7567 		wiphy = &rdev->wiphy;
7568 		self_managed = wiphy->regulatory_flags &
7569 			       REGULATORY_WIPHY_SELF_MANAGED;
7570 		regdom = get_wiphy_regdom(wiphy);
7571 
7572 		/* a self-managed-reg device must have a private regdom */
7573 		if (WARN_ON(!regdom && self_managed)) {
7574 			nlmsg_free(msg);
7575 			return -EINVAL;
7576 		}
7577 
7578 		if (regdom &&
7579 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7580 			goto nla_put_failure;
7581 	}
7582 
7583 	if (!wiphy && reg_last_request_cell_base() &&
7584 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7585 			NL80211_USER_REG_HINT_CELL_BASE))
7586 		goto nla_put_failure;
7587 
7588 	rcu_read_lock();
7589 
7590 	if (!regdom)
7591 		regdom = rcu_dereference(cfg80211_regdomain);
7592 
7593 	if (nl80211_put_regdom(regdom, msg))
7594 		goto nla_put_failure_rcu;
7595 
7596 	rcu_read_unlock();
7597 
7598 	genlmsg_end(msg, hdr);
7599 	return genlmsg_reply(msg, info);
7600 
7601 nla_put_failure_rcu:
7602 	rcu_read_unlock();
7603 nla_put_failure:
7604 put_failure:
7605 	nlmsg_free(msg);
7606 	return -EMSGSIZE;
7607 }
7608 
7609 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7610 			       u32 seq, int flags, struct wiphy *wiphy,
7611 			       const struct ieee80211_regdomain *regdom)
7612 {
7613 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7614 				   NL80211_CMD_GET_REG);
7615 
7616 	if (!hdr)
7617 		return -1;
7618 
7619 	genl_dump_check_consistent(cb, hdr);
7620 
7621 	if (nl80211_put_regdom(regdom, msg))
7622 		goto nla_put_failure;
7623 
7624 	if (!wiphy && reg_last_request_cell_base() &&
7625 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7626 			NL80211_USER_REG_HINT_CELL_BASE))
7627 		goto nla_put_failure;
7628 
7629 	if (wiphy &&
7630 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7631 		goto nla_put_failure;
7632 
7633 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7634 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7635 		goto nla_put_failure;
7636 
7637 	genlmsg_end(msg, hdr);
7638 	return 0;
7639 
7640 nla_put_failure:
7641 	genlmsg_cancel(msg, hdr);
7642 	return -EMSGSIZE;
7643 }
7644 
7645 static int nl80211_get_reg_dump(struct sk_buff *skb,
7646 				struct netlink_callback *cb)
7647 {
7648 	const struct ieee80211_regdomain *regdom = NULL;
7649 	struct cfg80211_registered_device *rdev;
7650 	int err, reg_idx, start = cb->args[2];
7651 
7652 	rtnl_lock();
7653 
7654 	if (cfg80211_regdomain && start == 0) {
7655 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7656 					  NLM_F_MULTI, NULL,
7657 					  rtnl_dereference(cfg80211_regdomain));
7658 		if (err < 0)
7659 			goto out_err;
7660 	}
7661 
7662 	/* the global regdom is idx 0 */
7663 	reg_idx = 1;
7664 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7665 		regdom = get_wiphy_regdom(&rdev->wiphy);
7666 		if (!regdom)
7667 			continue;
7668 
7669 		if (++reg_idx <= start)
7670 			continue;
7671 
7672 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7673 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7674 		if (err < 0) {
7675 			reg_idx--;
7676 			break;
7677 		}
7678 	}
7679 
7680 	cb->args[2] = reg_idx;
7681 	err = skb->len;
7682 out_err:
7683 	rtnl_unlock();
7684 	return err;
7685 }
7686 
7687 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7688 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7689 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7690 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7691 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7692 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7693 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7694 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7695 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7696 };
7697 
7698 static int parse_reg_rule(struct nlattr *tb[],
7699 	struct ieee80211_reg_rule *reg_rule)
7700 {
7701 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7702 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7703 
7704 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7705 		return -EINVAL;
7706 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7707 		return -EINVAL;
7708 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7709 		return -EINVAL;
7710 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7711 		return -EINVAL;
7712 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7713 		return -EINVAL;
7714 
7715 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7716 
7717 	freq_range->start_freq_khz =
7718 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7719 	freq_range->end_freq_khz =
7720 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7721 	freq_range->max_bandwidth_khz =
7722 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7723 
7724 	power_rule->max_eirp =
7725 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7726 
7727 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7728 		power_rule->max_antenna_gain =
7729 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7730 
7731 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7732 		reg_rule->dfs_cac_ms =
7733 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7734 
7735 	return 0;
7736 }
7737 
7738 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7739 {
7740 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7741 	struct nlattr *nl_reg_rule;
7742 	char *alpha2;
7743 	int rem_reg_rules, r;
7744 	u32 num_rules = 0, rule_idx = 0;
7745 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7746 	struct ieee80211_regdomain *rd;
7747 
7748 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7749 		return -EINVAL;
7750 
7751 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7752 		return -EINVAL;
7753 
7754 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7755 
7756 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7757 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7758 
7759 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7760 			    rem_reg_rules) {
7761 		num_rules++;
7762 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7763 			return -EINVAL;
7764 	}
7765 
7766 	if (!reg_is_valid_request(alpha2))
7767 		return -EINVAL;
7768 
7769 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7770 	if (!rd)
7771 		return -ENOMEM;
7772 
7773 	rd->n_reg_rules = num_rules;
7774 	rd->alpha2[0] = alpha2[0];
7775 	rd->alpha2[1] = alpha2[1];
7776 
7777 	/*
7778 	 * Disable DFS master mode if the DFS region was
7779 	 * not supported or known on this kernel.
7780 	 */
7781 	if (reg_supported_dfs_region(dfs_region))
7782 		rd->dfs_region = dfs_region;
7783 
7784 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7785 			    rem_reg_rules) {
7786 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7787 						nl_reg_rule, reg_rule_policy,
7788 						info->extack);
7789 		if (r)
7790 			goto bad_reg;
7791 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7792 		if (r)
7793 			goto bad_reg;
7794 
7795 		rule_idx++;
7796 
7797 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7798 			r = -EINVAL;
7799 			goto bad_reg;
7800 		}
7801 	}
7802 
7803 	/* set_regdom takes ownership of rd */
7804 	return set_regdom(rd, REGD_SOURCE_CRDA);
7805  bad_reg:
7806 	kfree(rd);
7807 	return r;
7808 }
7809 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7810 
7811 static int validate_scan_freqs(struct nlattr *freqs)
7812 {
7813 	struct nlattr *attr1, *attr2;
7814 	int n_channels = 0, tmp1, tmp2;
7815 
7816 	nla_for_each_nested(attr1, freqs, tmp1)
7817 		if (nla_len(attr1) != sizeof(u32))
7818 			return 0;
7819 
7820 	nla_for_each_nested(attr1, freqs, tmp1) {
7821 		n_channels++;
7822 		/*
7823 		 * Some hardware has a limited channel list for
7824 		 * scanning, and it is pretty much nonsensical
7825 		 * to scan for a channel twice, so disallow that
7826 		 * and don't require drivers to check that the
7827 		 * channel list they get isn't longer than what
7828 		 * they can scan, as long as they can scan all
7829 		 * the channels they registered at once.
7830 		 */
7831 		nla_for_each_nested(attr2, freqs, tmp2)
7832 			if (attr1 != attr2 &&
7833 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7834 				return 0;
7835 	}
7836 
7837 	return n_channels;
7838 }
7839 
7840 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7841 {
7842 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7843 }
7844 
7845 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7846 			    struct cfg80211_bss_selection *bss_select)
7847 {
7848 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7849 	struct nlattr *nest;
7850 	int err;
7851 	bool found = false;
7852 	int i;
7853 
7854 	/* only process one nested attribute */
7855 	nest = nla_data(nla);
7856 	if (!nla_ok(nest, nla_len(nest)))
7857 		return -EINVAL;
7858 
7859 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7860 					  nest, nl80211_bss_select_policy,
7861 					  NULL);
7862 	if (err)
7863 		return err;
7864 
7865 	/* only one attribute may be given */
7866 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7867 		if (attr[i]) {
7868 			if (found)
7869 				return -EINVAL;
7870 			found = true;
7871 		}
7872 	}
7873 
7874 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7875 
7876 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7877 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7878 
7879 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7880 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7881 		bss_select->param.band_pref =
7882 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7883 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7884 			return -EINVAL;
7885 	}
7886 
7887 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7888 		struct nl80211_bss_select_rssi_adjust *adj_param;
7889 
7890 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7891 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7892 		bss_select->param.adjust.band = adj_param->band;
7893 		bss_select->param.adjust.delta = adj_param->delta;
7894 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7895 			return -EINVAL;
7896 	}
7897 
7898 	/* user-space did not provide behaviour attribute */
7899 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7900 		return -EINVAL;
7901 
7902 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7903 		return -EINVAL;
7904 
7905 	return 0;
7906 }
7907 
7908 int nl80211_parse_random_mac(struct nlattr **attrs,
7909 			     u8 *mac_addr, u8 *mac_addr_mask)
7910 {
7911 	int i;
7912 
7913 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7914 		eth_zero_addr(mac_addr);
7915 		eth_zero_addr(mac_addr_mask);
7916 		mac_addr[0] = 0x2;
7917 		mac_addr_mask[0] = 0x3;
7918 
7919 		return 0;
7920 	}
7921 
7922 	/* need both or none */
7923 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7924 		return -EINVAL;
7925 
7926 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7927 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7928 
7929 	/* don't allow or configure an mcast address */
7930 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7931 	    is_multicast_ether_addr(mac_addr))
7932 		return -EINVAL;
7933 
7934 	/*
7935 	 * allow users to pass a MAC address that has bits set outside
7936 	 * of the mask, but don't bother drivers with having to deal
7937 	 * with such bits
7938 	 */
7939 	for (i = 0; i < ETH_ALEN; i++)
7940 		mac_addr[i] &= mac_addr_mask[i];
7941 
7942 	return 0;
7943 }
7944 
7945 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7946 {
7947 	ASSERT_WDEV_LOCK(wdev);
7948 
7949 	if (!cfg80211_beaconing_iface_active(wdev))
7950 		return true;
7951 
7952 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7953 		return true;
7954 
7955 	return regulatory_pre_cac_allowed(wdev->wiphy);
7956 }
7957 
7958 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7959 				    enum nl80211_ext_feature_index feat)
7960 {
7961 	if (!(flags & flag))
7962 		return true;
7963 	if (wiphy_ext_feature_isset(wiphy, feat))
7964 		return true;
7965 	return false;
7966 }
7967 
7968 static int
7969 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7970 			 void *request, struct nlattr **attrs,
7971 			 bool is_sched_scan)
7972 {
7973 	u8 *mac_addr, *mac_addr_mask;
7974 	u32 *flags;
7975 	enum nl80211_feature_flags randomness_flag;
7976 
7977 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7978 		return 0;
7979 
7980 	if (is_sched_scan) {
7981 		struct cfg80211_sched_scan_request *req = request;
7982 
7983 		randomness_flag = wdev ?
7984 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7985 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7986 		flags = &req->flags;
7987 		mac_addr = req->mac_addr;
7988 		mac_addr_mask = req->mac_addr_mask;
7989 	} else {
7990 		struct cfg80211_scan_request *req = request;
7991 
7992 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7993 		flags = &req->flags;
7994 		mac_addr = req->mac_addr;
7995 		mac_addr_mask = req->mac_addr_mask;
7996 	}
7997 
7998 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7999 
8000 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8001 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8002 	    !nl80211_check_scan_feat(wiphy, *flags,
8003 				     NL80211_SCAN_FLAG_LOW_SPAN,
8004 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8005 	    !nl80211_check_scan_feat(wiphy, *flags,
8006 				     NL80211_SCAN_FLAG_LOW_POWER,
8007 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8008 	    !nl80211_check_scan_feat(wiphy, *flags,
8009 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8010 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8011 	    !nl80211_check_scan_feat(wiphy, *flags,
8012 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8013 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8014 	    !nl80211_check_scan_feat(wiphy, *flags,
8015 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8016 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8017 	    !nl80211_check_scan_feat(wiphy, *flags,
8018 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8019 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8020 	    !nl80211_check_scan_feat(wiphy, *flags,
8021 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8022 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8023 	    !nl80211_check_scan_feat(wiphy, *flags,
8024 				     NL80211_SCAN_FLAG_RANDOM_SN,
8025 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8026 	    !nl80211_check_scan_feat(wiphy, *flags,
8027 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8028 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8029 		return -EOPNOTSUPP;
8030 
8031 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8032 		int err;
8033 
8034 		if (!(wiphy->features & randomness_flag) ||
8035 		    (wdev && wdev->current_bss))
8036 			return -EOPNOTSUPP;
8037 
8038 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8039 		if (err)
8040 			return err;
8041 	}
8042 
8043 	return 0;
8044 }
8045 
8046 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8047 {
8048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8049 	struct wireless_dev *wdev = info->user_ptr[1];
8050 	struct cfg80211_scan_request *request;
8051 	struct nlattr *scan_freqs = NULL;
8052 	bool scan_freqs_khz = false;
8053 	struct nlattr *attr;
8054 	struct wiphy *wiphy;
8055 	int err, tmp, n_ssids = 0, n_channels, i;
8056 	size_t ie_len;
8057 
8058 	wiphy = &rdev->wiphy;
8059 
8060 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8061 		return -EOPNOTSUPP;
8062 
8063 	if (!rdev->ops->scan)
8064 		return -EOPNOTSUPP;
8065 
8066 	if (rdev->scan_req || rdev->scan_msg)
8067 		return -EBUSY;
8068 
8069 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8070 		if (!wiphy_ext_feature_isset(wiphy,
8071 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8072 			return -EOPNOTSUPP;
8073 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8074 		scan_freqs_khz = true;
8075 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8076 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8077 
8078 	if (scan_freqs) {
8079 		n_channels = validate_scan_freqs(scan_freqs);
8080 		if (!n_channels)
8081 			return -EINVAL;
8082 	} else {
8083 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8084 	}
8085 
8086 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8087 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8088 			n_ssids++;
8089 
8090 	if (n_ssids > wiphy->max_scan_ssids)
8091 		return -EINVAL;
8092 
8093 	if (info->attrs[NL80211_ATTR_IE])
8094 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8095 	else
8096 		ie_len = 0;
8097 
8098 	if (ie_len > wiphy->max_scan_ie_len)
8099 		return -EINVAL;
8100 
8101 	request = kzalloc(sizeof(*request)
8102 			+ sizeof(*request->ssids) * n_ssids
8103 			+ sizeof(*request->channels) * n_channels
8104 			+ ie_len, GFP_KERNEL);
8105 	if (!request)
8106 		return -ENOMEM;
8107 
8108 	if (n_ssids)
8109 		request->ssids = (void *)&request->channels[n_channels];
8110 	request->n_ssids = n_ssids;
8111 	if (ie_len) {
8112 		if (n_ssids)
8113 			request->ie = (void *)(request->ssids + n_ssids);
8114 		else
8115 			request->ie = (void *)(request->channels + n_channels);
8116 	}
8117 
8118 	i = 0;
8119 	if (scan_freqs) {
8120 		/* user specified, bail out if channel not found */
8121 		nla_for_each_nested(attr, scan_freqs, tmp) {
8122 			struct ieee80211_channel *chan;
8123 			int freq = nla_get_u32(attr);
8124 
8125 			if (!scan_freqs_khz)
8126 				freq = MHZ_TO_KHZ(freq);
8127 
8128 			chan = ieee80211_get_channel_khz(wiphy, freq);
8129 			if (!chan) {
8130 				err = -EINVAL;
8131 				goto out_free;
8132 			}
8133 
8134 			/* ignore disabled channels */
8135 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8136 				continue;
8137 
8138 			request->channels[i] = chan;
8139 			i++;
8140 		}
8141 	} else {
8142 		enum nl80211_band band;
8143 
8144 		/* all channels */
8145 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8146 			int j;
8147 
8148 			if (!wiphy->bands[band])
8149 				continue;
8150 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8151 				struct ieee80211_channel *chan;
8152 
8153 				chan = &wiphy->bands[band]->channels[j];
8154 
8155 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8156 					continue;
8157 
8158 				request->channels[i] = chan;
8159 				i++;
8160 			}
8161 		}
8162 	}
8163 
8164 	if (!i) {
8165 		err = -EINVAL;
8166 		goto out_free;
8167 	}
8168 
8169 	request->n_channels = i;
8170 
8171 	wdev_lock(wdev);
8172 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8173 		struct ieee80211_channel *chan;
8174 
8175 		if (request->n_channels != 1) {
8176 			wdev_unlock(wdev);
8177 			err = -EBUSY;
8178 			goto out_free;
8179 		}
8180 
8181 		chan = request->channels[0];
8182 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8183 			wdev_unlock(wdev);
8184 			err = -EBUSY;
8185 			goto out_free;
8186 		}
8187 	}
8188 	wdev_unlock(wdev);
8189 
8190 	i = 0;
8191 	if (n_ssids) {
8192 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8193 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8194 				err = -EINVAL;
8195 				goto out_free;
8196 			}
8197 			request->ssids[i].ssid_len = nla_len(attr);
8198 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8199 			i++;
8200 		}
8201 	}
8202 
8203 	if (info->attrs[NL80211_ATTR_IE]) {
8204 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8205 		memcpy((void *)request->ie,
8206 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8207 		       request->ie_len);
8208 	}
8209 
8210 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8211 		if (wiphy->bands[i])
8212 			request->rates[i] =
8213 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8214 
8215 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8216 		nla_for_each_nested(attr,
8217 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8218 				    tmp) {
8219 			enum nl80211_band band = nla_type(attr);
8220 
8221 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8222 				err = -EINVAL;
8223 				goto out_free;
8224 			}
8225 
8226 			if (!wiphy->bands[band])
8227 				continue;
8228 
8229 			err = ieee80211_get_ratemask(wiphy->bands[band],
8230 						     nla_data(attr),
8231 						     nla_len(attr),
8232 						     &request->rates[band]);
8233 			if (err)
8234 				goto out_free;
8235 		}
8236 	}
8237 
8238 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8239 		if (!wiphy_ext_feature_isset(wiphy,
8240 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
8241 			err = -EOPNOTSUPP;
8242 			goto out_free;
8243 		}
8244 
8245 		request->duration =
8246 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8247 		request->duration_mandatory =
8248 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8249 	}
8250 
8251 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8252 				       false);
8253 	if (err)
8254 		goto out_free;
8255 
8256 	request->no_cck =
8257 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8258 
8259 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8260 	 * BSSID to scan for. This was problematic because that same attribute
8261 	 * was already used for another purpose (local random MAC address). The
8262 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8263 	 * compatibility with older userspace components, also use the
8264 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8265 	 * the specific BSSID use case instead of the random MAC address
8266 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8267 	 */
8268 	if (info->attrs[NL80211_ATTR_BSSID])
8269 		memcpy(request->bssid,
8270 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8271 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8272 		 info->attrs[NL80211_ATTR_MAC])
8273 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8274 		       ETH_ALEN);
8275 	else
8276 		eth_broadcast_addr(request->bssid);
8277 
8278 	request->wdev = wdev;
8279 	request->wiphy = &rdev->wiphy;
8280 	request->scan_start = jiffies;
8281 
8282 	rdev->scan_req = request;
8283 	err = cfg80211_scan(rdev);
8284 
8285 	if (err)
8286 		goto out_free;
8287 
8288 	nl80211_send_scan_start(rdev, wdev);
8289 	if (wdev->netdev)
8290 		dev_hold(wdev->netdev);
8291 
8292 	return 0;
8293 
8294  out_free:
8295 	rdev->scan_req = NULL;
8296 	kfree(request);
8297 
8298 	return err;
8299 }
8300 
8301 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8302 {
8303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8304 	struct wireless_dev *wdev = info->user_ptr[1];
8305 
8306 	if (!rdev->ops->abort_scan)
8307 		return -EOPNOTSUPP;
8308 
8309 	if (rdev->scan_msg)
8310 		return 0;
8311 
8312 	if (!rdev->scan_req)
8313 		return -ENOENT;
8314 
8315 	rdev_abort_scan(rdev, wdev);
8316 	return 0;
8317 }
8318 
8319 static int
8320 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8321 			       struct cfg80211_sched_scan_request *request,
8322 			       struct nlattr **attrs)
8323 {
8324 	int tmp, err, i = 0;
8325 	struct nlattr *attr;
8326 
8327 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8328 		u32 interval;
8329 
8330 		/*
8331 		 * If scan plans are not specified,
8332 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8333 		 * case one scan plan will be set with the specified scan
8334 		 * interval and infinite number of iterations.
8335 		 */
8336 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8337 		if (!interval)
8338 			return -EINVAL;
8339 
8340 		request->scan_plans[0].interval =
8341 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8342 		if (!request->scan_plans[0].interval)
8343 			return -EINVAL;
8344 
8345 		if (request->scan_plans[0].interval >
8346 		    wiphy->max_sched_scan_plan_interval)
8347 			request->scan_plans[0].interval =
8348 				wiphy->max_sched_scan_plan_interval;
8349 
8350 		return 0;
8351 	}
8352 
8353 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8354 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8355 
8356 		if (WARN_ON(i >= n_plans))
8357 			return -EINVAL;
8358 
8359 		err = nla_parse_nested_deprecated(plan,
8360 						  NL80211_SCHED_SCAN_PLAN_MAX,
8361 						  attr, nl80211_plan_policy,
8362 						  NULL);
8363 		if (err)
8364 			return err;
8365 
8366 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8367 			return -EINVAL;
8368 
8369 		request->scan_plans[i].interval =
8370 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8371 		if (!request->scan_plans[i].interval ||
8372 		    request->scan_plans[i].interval >
8373 		    wiphy->max_sched_scan_plan_interval)
8374 			return -EINVAL;
8375 
8376 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8377 			request->scan_plans[i].iterations =
8378 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8379 			if (!request->scan_plans[i].iterations ||
8380 			    (request->scan_plans[i].iterations >
8381 			     wiphy->max_sched_scan_plan_iterations))
8382 				return -EINVAL;
8383 		} else if (i < n_plans - 1) {
8384 			/*
8385 			 * All scan plans but the last one must specify
8386 			 * a finite number of iterations
8387 			 */
8388 			return -EINVAL;
8389 		}
8390 
8391 		i++;
8392 	}
8393 
8394 	/*
8395 	 * The last scan plan must not specify the number of
8396 	 * iterations, it is supposed to run infinitely
8397 	 */
8398 	if (request->scan_plans[n_plans - 1].iterations)
8399 		return  -EINVAL;
8400 
8401 	return 0;
8402 }
8403 
8404 static int
8405 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8406 				       struct cfg80211_match_set *match_sets,
8407 				       struct nlattr *tb_band_rssi,
8408 				       s32 rssi_thold)
8409 {
8410 	struct nlattr *attr;
8411 	int i, tmp, ret = 0;
8412 
8413 	if (!wiphy_ext_feature_isset(wiphy,
8414 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8415 		if (tb_band_rssi)
8416 			ret = -EOPNOTSUPP;
8417 		else
8418 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8419 				match_sets->per_band_rssi_thold[i] =
8420 					NL80211_SCAN_RSSI_THOLD_OFF;
8421 		return ret;
8422 	}
8423 
8424 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8425 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8426 
8427 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8428 		enum nl80211_band band = nla_type(attr);
8429 
8430 		if (band < 0 || band >= NUM_NL80211_BANDS)
8431 			return -EINVAL;
8432 
8433 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8434 	}
8435 
8436 	return 0;
8437 }
8438 
8439 static struct cfg80211_sched_scan_request *
8440 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8441 			 struct nlattr **attrs, int max_match_sets)
8442 {
8443 	struct cfg80211_sched_scan_request *request;
8444 	struct nlattr *attr;
8445 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8446 	enum nl80211_band band;
8447 	size_t ie_len;
8448 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8449 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8450 
8451 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8452 		n_channels = validate_scan_freqs(
8453 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8454 		if (!n_channels)
8455 			return ERR_PTR(-EINVAL);
8456 	} else {
8457 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8458 	}
8459 
8460 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8461 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8462 				    tmp)
8463 			n_ssids++;
8464 
8465 	if (n_ssids > wiphy->max_sched_scan_ssids)
8466 		return ERR_PTR(-EINVAL);
8467 
8468 	/*
8469 	 * First, count the number of 'real' matchsets. Due to an issue with
8470 	 * the old implementation, matchsets containing only the RSSI attribute
8471 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8472 	 * RSSI for all matchsets, rather than their own matchset for reporting
8473 	 * all APs with a strong RSSI. This is needed to be compatible with
8474 	 * older userspace that treated a matchset with only the RSSI as the
8475 	 * global RSSI for all other matchsets - if there are other matchsets.
8476 	 */
8477 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8478 		nla_for_each_nested(attr,
8479 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8480 				    tmp) {
8481 			struct nlattr *rssi;
8482 
8483 			err = nla_parse_nested_deprecated(tb,
8484 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8485 							  attr,
8486 							  nl80211_match_policy,
8487 							  NULL);
8488 			if (err)
8489 				return ERR_PTR(err);
8490 
8491 			/* SSID and BSSID are mutually exclusive */
8492 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8493 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8494 				return ERR_PTR(-EINVAL);
8495 
8496 			/* add other standalone attributes here */
8497 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8498 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8499 				n_match_sets++;
8500 				continue;
8501 			}
8502 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8503 			if (rssi)
8504 				default_match_rssi = nla_get_s32(rssi);
8505 		}
8506 	}
8507 
8508 	/* However, if there's no other matchset, add the RSSI one */
8509 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8510 		n_match_sets = 1;
8511 
8512 	if (n_match_sets > max_match_sets)
8513 		return ERR_PTR(-EINVAL);
8514 
8515 	if (attrs[NL80211_ATTR_IE])
8516 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8517 	else
8518 		ie_len = 0;
8519 
8520 	if (ie_len > wiphy->max_sched_scan_ie_len)
8521 		return ERR_PTR(-EINVAL);
8522 
8523 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8524 		/*
8525 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8526 		 * each scan plan already specifies its own interval
8527 		 */
8528 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8529 			return ERR_PTR(-EINVAL);
8530 
8531 		nla_for_each_nested(attr,
8532 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8533 			n_plans++;
8534 	} else {
8535 		/*
8536 		 * The scan interval attribute is kept for backward
8537 		 * compatibility. If no scan plans are specified and sched scan
8538 		 * interval is specified, one scan plan will be set with this
8539 		 * scan interval and infinite number of iterations.
8540 		 */
8541 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8542 			return ERR_PTR(-EINVAL);
8543 
8544 		n_plans = 1;
8545 	}
8546 
8547 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8548 		return ERR_PTR(-EINVAL);
8549 
8550 	if (!wiphy_ext_feature_isset(
8551 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8552 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8553 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8554 		return ERR_PTR(-EINVAL);
8555 
8556 	request = kzalloc(sizeof(*request)
8557 			+ sizeof(*request->ssids) * n_ssids
8558 			+ sizeof(*request->match_sets) * n_match_sets
8559 			+ sizeof(*request->scan_plans) * n_plans
8560 			+ sizeof(*request->channels) * n_channels
8561 			+ ie_len, GFP_KERNEL);
8562 	if (!request)
8563 		return ERR_PTR(-ENOMEM);
8564 
8565 	if (n_ssids)
8566 		request->ssids = (void *)&request->channels[n_channels];
8567 	request->n_ssids = n_ssids;
8568 	if (ie_len) {
8569 		if (n_ssids)
8570 			request->ie = (void *)(request->ssids + n_ssids);
8571 		else
8572 			request->ie = (void *)(request->channels + n_channels);
8573 	}
8574 
8575 	if (n_match_sets) {
8576 		if (request->ie)
8577 			request->match_sets = (void *)(request->ie + ie_len);
8578 		else if (n_ssids)
8579 			request->match_sets =
8580 				(void *)(request->ssids + n_ssids);
8581 		else
8582 			request->match_sets =
8583 				(void *)(request->channels + n_channels);
8584 	}
8585 	request->n_match_sets = n_match_sets;
8586 
8587 	if (n_match_sets)
8588 		request->scan_plans = (void *)(request->match_sets +
8589 					       n_match_sets);
8590 	else if (request->ie)
8591 		request->scan_plans = (void *)(request->ie + ie_len);
8592 	else if (n_ssids)
8593 		request->scan_plans = (void *)(request->ssids + n_ssids);
8594 	else
8595 		request->scan_plans = (void *)(request->channels + n_channels);
8596 
8597 	request->n_scan_plans = n_plans;
8598 
8599 	i = 0;
8600 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8601 		/* user specified, bail out if channel not found */
8602 		nla_for_each_nested(attr,
8603 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8604 				    tmp) {
8605 			struct ieee80211_channel *chan;
8606 
8607 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8608 
8609 			if (!chan) {
8610 				err = -EINVAL;
8611 				goto out_free;
8612 			}
8613 
8614 			/* ignore disabled channels */
8615 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8616 				continue;
8617 
8618 			request->channels[i] = chan;
8619 			i++;
8620 		}
8621 	} else {
8622 		/* all channels */
8623 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8624 			int j;
8625 
8626 			if (!wiphy->bands[band])
8627 				continue;
8628 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8629 				struct ieee80211_channel *chan;
8630 
8631 				chan = &wiphy->bands[band]->channels[j];
8632 
8633 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8634 					continue;
8635 
8636 				request->channels[i] = chan;
8637 				i++;
8638 			}
8639 		}
8640 	}
8641 
8642 	if (!i) {
8643 		err = -EINVAL;
8644 		goto out_free;
8645 	}
8646 
8647 	request->n_channels = i;
8648 
8649 	i = 0;
8650 	if (n_ssids) {
8651 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8652 				    tmp) {
8653 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8654 				err = -EINVAL;
8655 				goto out_free;
8656 			}
8657 			request->ssids[i].ssid_len = nla_len(attr);
8658 			memcpy(request->ssids[i].ssid, nla_data(attr),
8659 			       nla_len(attr));
8660 			i++;
8661 		}
8662 	}
8663 
8664 	i = 0;
8665 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8666 		nla_for_each_nested(attr,
8667 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8668 				    tmp) {
8669 			struct nlattr *ssid, *bssid, *rssi;
8670 
8671 			err = nla_parse_nested_deprecated(tb,
8672 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8673 							  attr,
8674 							  nl80211_match_policy,
8675 							  NULL);
8676 			if (err)
8677 				goto out_free;
8678 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8679 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8680 
8681 			if (!ssid && !bssid) {
8682 				i++;
8683 				continue;
8684 			}
8685 
8686 			if (WARN_ON(i >= n_match_sets)) {
8687 				/* this indicates a programming error,
8688 				 * the loop above should have verified
8689 				 * things properly
8690 				 */
8691 				err = -EINVAL;
8692 				goto out_free;
8693 			}
8694 
8695 			if (ssid) {
8696 				memcpy(request->match_sets[i].ssid.ssid,
8697 				       nla_data(ssid), nla_len(ssid));
8698 				request->match_sets[i].ssid.ssid_len =
8699 					nla_len(ssid);
8700 			}
8701 			if (bssid)
8702 				memcpy(request->match_sets[i].bssid,
8703 				       nla_data(bssid), ETH_ALEN);
8704 
8705 			/* special attribute - old implementation w/a */
8706 			request->match_sets[i].rssi_thold = default_match_rssi;
8707 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8708 			if (rssi)
8709 				request->match_sets[i].rssi_thold =
8710 					nla_get_s32(rssi);
8711 
8712 			/* Parse per band RSSI attribute */
8713 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8714 				&request->match_sets[i],
8715 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8716 				request->match_sets[i].rssi_thold);
8717 			if (err)
8718 				goto out_free;
8719 
8720 			i++;
8721 		}
8722 
8723 		/* there was no other matchset, so the RSSI one is alone */
8724 		if (i == 0 && n_match_sets)
8725 			request->match_sets[0].rssi_thold = default_match_rssi;
8726 
8727 		request->min_rssi_thold = INT_MAX;
8728 		for (i = 0; i < n_match_sets; i++)
8729 			request->min_rssi_thold =
8730 				min(request->match_sets[i].rssi_thold,
8731 				    request->min_rssi_thold);
8732 	} else {
8733 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8734 	}
8735 
8736 	if (ie_len) {
8737 		request->ie_len = ie_len;
8738 		memcpy((void *)request->ie,
8739 		       nla_data(attrs[NL80211_ATTR_IE]),
8740 		       request->ie_len);
8741 	}
8742 
8743 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8744 	if (err)
8745 		goto out_free;
8746 
8747 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8748 		request->delay =
8749 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8750 
8751 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8752 		request->relative_rssi = nla_get_s8(
8753 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8754 		request->relative_rssi_set = true;
8755 	}
8756 
8757 	if (request->relative_rssi_set &&
8758 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8759 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8760 
8761 		rssi_adjust = nla_data(
8762 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8763 		request->rssi_adjust.band = rssi_adjust->band;
8764 		request->rssi_adjust.delta = rssi_adjust->delta;
8765 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8766 			err = -EINVAL;
8767 			goto out_free;
8768 		}
8769 	}
8770 
8771 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8772 	if (err)
8773 		goto out_free;
8774 
8775 	request->scan_start = jiffies;
8776 
8777 	return request;
8778 
8779 out_free:
8780 	kfree(request);
8781 	return ERR_PTR(err);
8782 }
8783 
8784 static int nl80211_start_sched_scan(struct sk_buff *skb,
8785 				    struct genl_info *info)
8786 {
8787 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8788 	struct net_device *dev = info->user_ptr[1];
8789 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8790 	struct cfg80211_sched_scan_request *sched_scan_req;
8791 	bool want_multi;
8792 	int err;
8793 
8794 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8795 		return -EOPNOTSUPP;
8796 
8797 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8798 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8799 	if (err)
8800 		return err;
8801 
8802 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8803 						  info->attrs,
8804 						  rdev->wiphy.max_match_sets);
8805 
8806 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8807 	if (err)
8808 		goto out_err;
8809 
8810 	/* leave request id zero for legacy request
8811 	 * or if driver does not support multi-scheduled scan
8812 	 */
8813 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
8814 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8815 
8816 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8817 	if (err)
8818 		goto out_free;
8819 
8820 	sched_scan_req->dev = dev;
8821 	sched_scan_req->wiphy = &rdev->wiphy;
8822 
8823 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8824 		sched_scan_req->owner_nlportid = info->snd_portid;
8825 
8826 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8827 
8828 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8829 	return 0;
8830 
8831 out_free:
8832 	kfree(sched_scan_req);
8833 out_err:
8834 	return err;
8835 }
8836 
8837 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8838 				   struct genl_info *info)
8839 {
8840 	struct cfg80211_sched_scan_request *req;
8841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8842 	u64 cookie;
8843 
8844 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8845 		return -EOPNOTSUPP;
8846 
8847 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8848 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8849 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8850 	}
8851 
8852 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8853 				     struct cfg80211_sched_scan_request,
8854 				     list);
8855 	if (!req || req->reqid ||
8856 	    (req->owner_nlportid &&
8857 	     req->owner_nlportid != info->snd_portid))
8858 		return -ENOENT;
8859 
8860 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8861 }
8862 
8863 static int nl80211_start_radar_detection(struct sk_buff *skb,
8864 					 struct genl_info *info)
8865 {
8866 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8867 	struct net_device *dev = info->user_ptr[1];
8868 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8869 	struct wiphy *wiphy = wdev->wiphy;
8870 	struct cfg80211_chan_def chandef;
8871 	enum nl80211_dfs_regions dfs_region;
8872 	unsigned int cac_time_ms;
8873 	int err;
8874 
8875 	dfs_region = reg_get_dfs_region(wiphy);
8876 	if (dfs_region == NL80211_DFS_UNSET)
8877 		return -EINVAL;
8878 
8879 	err = nl80211_parse_chandef(rdev, info, &chandef);
8880 	if (err)
8881 		return err;
8882 
8883 	if (netif_carrier_ok(dev))
8884 		return -EBUSY;
8885 
8886 	if (wdev->cac_started)
8887 		return -EBUSY;
8888 
8889 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8890 	if (err < 0)
8891 		return err;
8892 
8893 	if (err == 0)
8894 		return -EINVAL;
8895 
8896 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8897 		return -EINVAL;
8898 
8899 	/* CAC start is offloaded to HW and can't be started manually */
8900 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8901 		return -EOPNOTSUPP;
8902 
8903 	if (!rdev->ops->start_radar_detection)
8904 		return -EOPNOTSUPP;
8905 
8906 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8907 	if (WARN_ON(!cac_time_ms))
8908 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8909 
8910 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8911 	if (!err) {
8912 		wdev->chandef = chandef;
8913 		wdev->cac_started = true;
8914 		wdev->cac_start_time = jiffies;
8915 		wdev->cac_time_ms = cac_time_ms;
8916 	}
8917 	return err;
8918 }
8919 
8920 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8921 					  struct genl_info *info)
8922 {
8923 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8924 	struct net_device *dev = info->user_ptr[1];
8925 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8926 	struct wiphy *wiphy = wdev->wiphy;
8927 	struct cfg80211_chan_def chandef;
8928 	enum nl80211_dfs_regions dfs_region;
8929 	int err;
8930 
8931 	dfs_region = reg_get_dfs_region(wiphy);
8932 	if (dfs_region == NL80211_DFS_UNSET) {
8933 		GENL_SET_ERR_MSG(info,
8934 				 "DFS Region is not set. Unexpected Radar indication");
8935 		return -EINVAL;
8936 	}
8937 
8938 	err = nl80211_parse_chandef(rdev, info, &chandef);
8939 	if (err) {
8940 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8941 		return err;
8942 	}
8943 
8944 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8945 	if (err < 0) {
8946 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8947 		return err;
8948 	}
8949 
8950 	if (err == 0) {
8951 		GENL_SET_ERR_MSG(info,
8952 				 "Unexpected Radar indication for chandef/iftype");
8953 		return -EINVAL;
8954 	}
8955 
8956 	/* Do not process this notification if radar is already detected
8957 	 * by kernel on this channel, and return success.
8958 	 */
8959 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8960 		return 0;
8961 
8962 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8963 
8964 	cfg80211_sched_dfs_chan_update(rdev);
8965 
8966 	rdev->radar_chandef = chandef;
8967 
8968 	/* Propagate this notification to other radios as well */
8969 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8970 
8971 	return 0;
8972 }
8973 
8974 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8975 {
8976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8977 	struct net_device *dev = info->user_ptr[1];
8978 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8979 	struct cfg80211_csa_settings params;
8980 	/* csa_attrs is defined static to avoid waste of stack size - this
8981 	 * function is called under RTNL lock, so this should not be a problem.
8982 	 */
8983 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8984 	int err;
8985 	bool need_new_beacon = false;
8986 	bool need_handle_dfs_flag = true;
8987 	int len, i;
8988 	u32 cs_count;
8989 
8990 	if (!rdev->ops->channel_switch ||
8991 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8992 		return -EOPNOTSUPP;
8993 
8994 	switch (dev->ieee80211_ptr->iftype) {
8995 	case NL80211_IFTYPE_AP:
8996 	case NL80211_IFTYPE_P2P_GO:
8997 		need_new_beacon = true;
8998 		/* For all modes except AP the handle_dfs flag needs to be
8999 		 * supplied to tell the kernel that userspace will handle radar
9000 		 * events when they happen. Otherwise a switch to a channel
9001 		 * requiring DFS will be rejected.
9002 		 */
9003 		need_handle_dfs_flag = false;
9004 
9005 		/* useless if AP is not running */
9006 		if (!wdev->beacon_interval)
9007 			return -ENOTCONN;
9008 		break;
9009 	case NL80211_IFTYPE_ADHOC:
9010 		if (!wdev->ssid_len)
9011 			return -ENOTCONN;
9012 		break;
9013 	case NL80211_IFTYPE_MESH_POINT:
9014 		if (!wdev->mesh_id_len)
9015 			return -ENOTCONN;
9016 		break;
9017 	default:
9018 		return -EOPNOTSUPP;
9019 	}
9020 
9021 	memset(&params, 0, sizeof(params));
9022 	params.beacon_csa.ftm_responder = -1;
9023 
9024 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9025 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9026 		return -EINVAL;
9027 
9028 	/* only important for AP, IBSS and mesh create IEs internally */
9029 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9030 		return -EINVAL;
9031 
9032 	/* Even though the attribute is u32, the specification says
9033 	 * u8, so let's make sure we don't overflow.
9034 	 */
9035 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9036 	if (cs_count > 255)
9037 		return -EINVAL;
9038 
9039 	params.count = cs_count;
9040 
9041 	if (!need_new_beacon)
9042 		goto skip_beacons;
9043 
9044 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9045 	if (err)
9046 		return err;
9047 
9048 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9049 					  info->attrs[NL80211_ATTR_CSA_IES],
9050 					  nl80211_policy, info->extack);
9051 	if (err)
9052 		return err;
9053 
9054 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9055 	if (err)
9056 		return err;
9057 
9058 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON])
9059 		return -EINVAL;
9060 
9061 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9062 	if (!len || (len % sizeof(u16)))
9063 		return -EINVAL;
9064 
9065 	params.n_counter_offsets_beacon = len / sizeof(u16);
9066 	if (rdev->wiphy.max_num_csa_counters &&
9067 	    (params.n_counter_offsets_beacon >
9068 	     rdev->wiphy.max_num_csa_counters))
9069 		return -EINVAL;
9070 
9071 	params.counter_offsets_beacon =
9072 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9073 
9074 	/* sanity checks - counters should fit and be the same */
9075 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9076 		u16 offset = params.counter_offsets_beacon[i];
9077 
9078 		if (offset >= params.beacon_csa.tail_len)
9079 			return -EINVAL;
9080 
9081 		if (params.beacon_csa.tail[offset] != params.count)
9082 			return -EINVAL;
9083 	}
9084 
9085 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9086 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9087 		if (!len || (len % sizeof(u16)))
9088 			return -EINVAL;
9089 
9090 		params.n_counter_offsets_presp = len / sizeof(u16);
9091 		if (rdev->wiphy.max_num_csa_counters &&
9092 		    (params.n_counter_offsets_presp >
9093 		     rdev->wiphy.max_num_csa_counters))
9094 			return -EINVAL;
9095 
9096 		params.counter_offsets_presp =
9097 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9098 
9099 		/* sanity checks - counters should fit and be the same */
9100 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9101 			u16 offset = params.counter_offsets_presp[i];
9102 
9103 			if (offset >= params.beacon_csa.probe_resp_len)
9104 				return -EINVAL;
9105 
9106 			if (params.beacon_csa.probe_resp[offset] !=
9107 			    params.count)
9108 				return -EINVAL;
9109 		}
9110 	}
9111 
9112 skip_beacons:
9113 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9114 	if (err)
9115 		return err;
9116 
9117 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9118 					   wdev->iftype))
9119 		return -EINVAL;
9120 
9121 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9122 					    &params.chandef,
9123 					    wdev->iftype);
9124 	if (err < 0)
9125 		return err;
9126 
9127 	if (err > 0) {
9128 		params.radar_required = true;
9129 		if (need_handle_dfs_flag &&
9130 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9131 			return -EINVAL;
9132 		}
9133 	}
9134 
9135 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9136 		params.block_tx = true;
9137 
9138 	wdev_lock(wdev);
9139 	err = rdev_channel_switch(rdev, dev, &params);
9140 	wdev_unlock(wdev);
9141 
9142 	return err;
9143 }
9144 
9145 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9146 			    u32 seq, int flags,
9147 			    struct cfg80211_registered_device *rdev,
9148 			    struct wireless_dev *wdev,
9149 			    struct cfg80211_internal_bss *intbss)
9150 {
9151 	struct cfg80211_bss *res = &intbss->pub;
9152 	const struct cfg80211_bss_ies *ies;
9153 	void *hdr;
9154 	struct nlattr *bss;
9155 
9156 	ASSERT_WDEV_LOCK(wdev);
9157 
9158 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9159 			     NL80211_CMD_NEW_SCAN_RESULTS);
9160 	if (!hdr)
9161 		return -1;
9162 
9163 	genl_dump_check_consistent(cb, hdr);
9164 
9165 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9166 		goto nla_put_failure;
9167 	if (wdev->netdev &&
9168 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9169 		goto nla_put_failure;
9170 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9171 			      NL80211_ATTR_PAD))
9172 		goto nla_put_failure;
9173 
9174 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9175 	if (!bss)
9176 		goto nla_put_failure;
9177 	if ((!is_zero_ether_addr(res->bssid) &&
9178 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9179 		goto nla_put_failure;
9180 
9181 	rcu_read_lock();
9182 	/* indicate whether we have probe response data or not */
9183 	if (rcu_access_pointer(res->proberesp_ies) &&
9184 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9185 		goto fail_unlock_rcu;
9186 
9187 	/* this pointer prefers to be pointed to probe response data
9188 	 * but is always valid
9189 	 */
9190 	ies = rcu_dereference(res->ies);
9191 	if (ies) {
9192 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9193 				      NL80211_BSS_PAD))
9194 			goto fail_unlock_rcu;
9195 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9196 					ies->len, ies->data))
9197 			goto fail_unlock_rcu;
9198 	}
9199 
9200 	/* and this pointer is always (unless driver didn't know) beacon data */
9201 	ies = rcu_dereference(res->beacon_ies);
9202 	if (ies && ies->from_beacon) {
9203 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9204 				      NL80211_BSS_PAD))
9205 			goto fail_unlock_rcu;
9206 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9207 					ies->len, ies->data))
9208 			goto fail_unlock_rcu;
9209 	}
9210 	rcu_read_unlock();
9211 
9212 	if (res->beacon_interval &&
9213 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9214 		goto nla_put_failure;
9215 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9216 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9217 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9218 			res->channel->freq_offset) ||
9219 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9220 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9221 			jiffies_to_msecs(jiffies - intbss->ts)))
9222 		goto nla_put_failure;
9223 
9224 	if (intbss->parent_tsf &&
9225 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9226 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9227 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9228 		     intbss->parent_bssid)))
9229 		goto nla_put_failure;
9230 
9231 	if (intbss->ts_boottime &&
9232 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9233 			      intbss->ts_boottime, NL80211_BSS_PAD))
9234 		goto nla_put_failure;
9235 
9236 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9237 				intbss->pub.chain_signal,
9238 				NL80211_BSS_CHAIN_SIGNAL))
9239 		goto nla_put_failure;
9240 
9241 	switch (rdev->wiphy.signal_type) {
9242 	case CFG80211_SIGNAL_TYPE_MBM:
9243 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9244 			goto nla_put_failure;
9245 		break;
9246 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9247 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9248 			goto nla_put_failure;
9249 		break;
9250 	default:
9251 		break;
9252 	}
9253 
9254 	switch (wdev->iftype) {
9255 	case NL80211_IFTYPE_P2P_CLIENT:
9256 	case NL80211_IFTYPE_STATION:
9257 		if (intbss == wdev->current_bss &&
9258 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9259 				NL80211_BSS_STATUS_ASSOCIATED))
9260 			goto nla_put_failure;
9261 		break;
9262 	case NL80211_IFTYPE_ADHOC:
9263 		if (intbss == wdev->current_bss &&
9264 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9265 				NL80211_BSS_STATUS_IBSS_JOINED))
9266 			goto nla_put_failure;
9267 		break;
9268 	default:
9269 		break;
9270 	}
9271 
9272 	nla_nest_end(msg, bss);
9273 
9274 	genlmsg_end(msg, hdr);
9275 	return 0;
9276 
9277  fail_unlock_rcu:
9278 	rcu_read_unlock();
9279  nla_put_failure:
9280 	genlmsg_cancel(msg, hdr);
9281 	return -EMSGSIZE;
9282 }
9283 
9284 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9285 {
9286 	struct cfg80211_registered_device *rdev;
9287 	struct cfg80211_internal_bss *scan;
9288 	struct wireless_dev *wdev;
9289 	int start = cb->args[2], idx = 0;
9290 	int err;
9291 
9292 	rtnl_lock();
9293 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9294 	if (err) {
9295 		rtnl_unlock();
9296 		return err;
9297 	}
9298 
9299 	wdev_lock(wdev);
9300 	spin_lock_bh(&rdev->bss_lock);
9301 
9302 	/*
9303 	 * dump_scan will be called multiple times to break up the scan results
9304 	 * into multiple messages.  It is unlikely that any more bss-es will be
9305 	 * expired after the first call, so only call only call this on the
9306 	 * first dump_scan invocation.
9307 	 */
9308 	if (start == 0)
9309 		cfg80211_bss_expire(rdev);
9310 
9311 	cb->seq = rdev->bss_generation;
9312 
9313 	list_for_each_entry(scan, &rdev->bss_list, list) {
9314 		if (++idx <= start)
9315 			continue;
9316 		if (nl80211_send_bss(skb, cb,
9317 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9318 				rdev, wdev, scan) < 0) {
9319 			idx--;
9320 			break;
9321 		}
9322 	}
9323 
9324 	spin_unlock_bh(&rdev->bss_lock);
9325 	wdev_unlock(wdev);
9326 
9327 	cb->args[2] = idx;
9328 	rtnl_unlock();
9329 
9330 	return skb->len;
9331 }
9332 
9333 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9334 			       int flags, struct net_device *dev,
9335 			       bool allow_radio_stats,
9336 			       struct survey_info *survey)
9337 {
9338 	void *hdr;
9339 	struct nlattr *infoattr;
9340 
9341 	/* skip radio stats if userspace didn't request them */
9342 	if (!survey->channel && !allow_radio_stats)
9343 		return 0;
9344 
9345 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9346 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9347 	if (!hdr)
9348 		return -ENOMEM;
9349 
9350 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9351 		goto nla_put_failure;
9352 
9353 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9354 	if (!infoattr)
9355 		goto nla_put_failure;
9356 
9357 	if (survey->channel &&
9358 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9359 			survey->channel->center_freq))
9360 		goto nla_put_failure;
9361 
9362 	if (survey->channel && survey->channel->freq_offset &&
9363 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9364 			survey->channel->freq_offset))
9365 		goto nla_put_failure;
9366 
9367 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9368 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9369 		goto nla_put_failure;
9370 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9371 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9372 		goto nla_put_failure;
9373 	if ((survey->filled & SURVEY_INFO_TIME) &&
9374 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9375 			survey->time, NL80211_SURVEY_INFO_PAD))
9376 		goto nla_put_failure;
9377 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9378 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9379 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9380 		goto nla_put_failure;
9381 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9382 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9383 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9384 		goto nla_put_failure;
9385 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9386 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9387 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9388 		goto nla_put_failure;
9389 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9390 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9391 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9392 		goto nla_put_failure;
9393 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9394 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9395 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9396 		goto nla_put_failure;
9397 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9398 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9399 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9400 		goto nla_put_failure;
9401 
9402 	nla_nest_end(msg, infoattr);
9403 
9404 	genlmsg_end(msg, hdr);
9405 	return 0;
9406 
9407  nla_put_failure:
9408 	genlmsg_cancel(msg, hdr);
9409 	return -EMSGSIZE;
9410 }
9411 
9412 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9413 {
9414 	struct nlattr **attrbuf;
9415 	struct survey_info survey;
9416 	struct cfg80211_registered_device *rdev;
9417 	struct wireless_dev *wdev;
9418 	int survey_idx = cb->args[2];
9419 	int res;
9420 	bool radio_stats;
9421 
9422 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9423 	if (!attrbuf)
9424 		return -ENOMEM;
9425 
9426 	rtnl_lock();
9427 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9428 	if (res)
9429 		goto out_err;
9430 
9431 	/* prepare_wdev_dump parsed the attributes */
9432 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9433 
9434 	if (!wdev->netdev) {
9435 		res = -EINVAL;
9436 		goto out_err;
9437 	}
9438 
9439 	if (!rdev->ops->dump_survey) {
9440 		res = -EOPNOTSUPP;
9441 		goto out_err;
9442 	}
9443 
9444 	while (1) {
9445 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9446 		if (res == -ENOENT)
9447 			break;
9448 		if (res)
9449 			goto out_err;
9450 
9451 		/* don't send disabled channels, but do send non-channel data */
9452 		if (survey.channel &&
9453 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9454 			survey_idx++;
9455 			continue;
9456 		}
9457 
9458 		if (nl80211_send_survey(skb,
9459 				NETLINK_CB(cb->skb).portid,
9460 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9461 				wdev->netdev, radio_stats, &survey) < 0)
9462 			goto out;
9463 		survey_idx++;
9464 	}
9465 
9466  out:
9467 	cb->args[2] = survey_idx;
9468 	res = skb->len;
9469  out_err:
9470 	kfree(attrbuf);
9471 	rtnl_unlock();
9472 	return res;
9473 }
9474 
9475 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9476 {
9477 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9478 				  NL80211_WPA_VERSION_2 |
9479 				  NL80211_WPA_VERSION_3));
9480 }
9481 
9482 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9483 {
9484 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9485 	struct net_device *dev = info->user_ptr[1];
9486 	struct ieee80211_channel *chan;
9487 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9488 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9489 	enum nl80211_auth_type auth_type;
9490 	struct key_parse key;
9491 	bool local_state_change;
9492 	u32 freq;
9493 
9494 	if (!info->attrs[NL80211_ATTR_MAC])
9495 		return -EINVAL;
9496 
9497 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9498 		return -EINVAL;
9499 
9500 	if (!info->attrs[NL80211_ATTR_SSID])
9501 		return -EINVAL;
9502 
9503 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9504 		return -EINVAL;
9505 
9506 	err = nl80211_parse_key(info, &key);
9507 	if (err)
9508 		return err;
9509 
9510 	if (key.idx >= 0) {
9511 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9512 			return -EINVAL;
9513 		if (!key.p.key || !key.p.key_len)
9514 			return -EINVAL;
9515 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9516 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9517 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9518 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9519 			return -EINVAL;
9520 		if (key.idx > 3)
9521 			return -EINVAL;
9522 	} else {
9523 		key.p.key_len = 0;
9524 		key.p.key = NULL;
9525 	}
9526 
9527 	if (key.idx >= 0) {
9528 		int i;
9529 		bool ok = false;
9530 
9531 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9532 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9533 				ok = true;
9534 				break;
9535 			}
9536 		}
9537 		if (!ok)
9538 			return -EINVAL;
9539 	}
9540 
9541 	if (!rdev->ops->auth)
9542 		return -EOPNOTSUPP;
9543 
9544 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9545 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9546 		return -EOPNOTSUPP;
9547 
9548 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9549 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9550 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9551 		freq +=
9552 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9553 
9554 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9555 	if (!chan)
9556 		return -EINVAL;
9557 
9558 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9559 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9560 
9561 	if (info->attrs[NL80211_ATTR_IE]) {
9562 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9563 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9564 	}
9565 
9566 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9567 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9568 		return -EINVAL;
9569 
9570 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9571 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9572 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9573 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9574 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9575 		return -EINVAL;
9576 
9577 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9578 		if (auth_type != NL80211_AUTHTYPE_SAE &&
9579 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9580 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9581 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9582 			return -EINVAL;
9583 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9584 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9585 	}
9586 
9587 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9588 
9589 	/*
9590 	 * Since we no longer track auth state, ignore
9591 	 * requests to only change local state.
9592 	 */
9593 	if (local_state_change)
9594 		return 0;
9595 
9596 	wdev_lock(dev->ieee80211_ptr);
9597 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9598 				 ssid, ssid_len, ie, ie_len,
9599 				 key.p.key, key.p.key_len, key.idx,
9600 				 auth_data, auth_data_len);
9601 	wdev_unlock(dev->ieee80211_ptr);
9602 	return err;
9603 }
9604 
9605 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9606 				     struct genl_info *info)
9607 {
9608 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9609 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9610 		return -EINVAL;
9611 	}
9612 
9613 	if (!rdev->ops->tx_control_port ||
9614 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9615 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9616 		return -EOPNOTSUPP;
9617 
9618 	return 0;
9619 }
9620 
9621 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9622 				   struct genl_info *info,
9623 				   struct cfg80211_crypto_settings *settings,
9624 				   int cipher_limit)
9625 {
9626 	memset(settings, 0, sizeof(*settings));
9627 
9628 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9629 
9630 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9631 		u16 proto;
9632 
9633 		proto = nla_get_u16(
9634 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9635 		settings->control_port_ethertype = cpu_to_be16(proto);
9636 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9637 		    proto != ETH_P_PAE)
9638 			return -EINVAL;
9639 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9640 			settings->control_port_no_encrypt = true;
9641 	} else
9642 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9643 
9644 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9645 		int r = validate_pae_over_nl80211(rdev, info);
9646 
9647 		if (r < 0)
9648 			return r;
9649 
9650 		settings->control_port_over_nl80211 = true;
9651 
9652 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9653 			settings->control_port_no_preauth = true;
9654 	}
9655 
9656 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9657 		void *data;
9658 		int len, i;
9659 
9660 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9661 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9662 		settings->n_ciphers_pairwise = len / sizeof(u32);
9663 
9664 		if (len % sizeof(u32))
9665 			return -EINVAL;
9666 
9667 		if (settings->n_ciphers_pairwise > cipher_limit)
9668 			return -EINVAL;
9669 
9670 		memcpy(settings->ciphers_pairwise, data, len);
9671 
9672 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9673 			if (!cfg80211_supported_cipher_suite(
9674 					&rdev->wiphy,
9675 					settings->ciphers_pairwise[i]))
9676 				return -EINVAL;
9677 	}
9678 
9679 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9680 		settings->cipher_group =
9681 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9682 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9683 						     settings->cipher_group))
9684 			return -EINVAL;
9685 	}
9686 
9687 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9688 		settings->wpa_versions =
9689 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9690 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9691 			return -EINVAL;
9692 	}
9693 
9694 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9695 		void *data;
9696 		int len;
9697 
9698 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9699 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9700 		settings->n_akm_suites = len / sizeof(u32);
9701 
9702 		if (len % sizeof(u32))
9703 			return -EINVAL;
9704 
9705 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9706 			return -EINVAL;
9707 
9708 		memcpy(settings->akm_suites, data, len);
9709 	}
9710 
9711 	if (info->attrs[NL80211_ATTR_PMK]) {
9712 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9713 			return -EINVAL;
9714 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9715 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
9716 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9717 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
9718 			return -EINVAL;
9719 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9720 	}
9721 
9722 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9723 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9724 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
9725 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9726 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
9727 			return -EINVAL;
9728 		settings->sae_pwd =
9729 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9730 		settings->sae_pwd_len =
9731 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9732 	}
9733 
9734 	return 0;
9735 }
9736 
9737 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9738 {
9739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9740 	struct net_device *dev = info->user_ptr[1];
9741 	struct ieee80211_channel *chan;
9742 	struct cfg80211_assoc_request req = {};
9743 	const u8 *bssid, *ssid;
9744 	int err, ssid_len = 0;
9745 	u32 freq;
9746 
9747 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9748 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9749 		return -EPERM;
9750 
9751 	if (!info->attrs[NL80211_ATTR_MAC] ||
9752 	    !info->attrs[NL80211_ATTR_SSID] ||
9753 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9754 		return -EINVAL;
9755 
9756 	if (!rdev->ops->assoc)
9757 		return -EOPNOTSUPP;
9758 
9759 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9760 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9761 		return -EOPNOTSUPP;
9762 
9763 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9764 
9765 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9766 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9767 		freq +=
9768 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9769 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9770 	if (!chan)
9771 		return -EINVAL;
9772 
9773 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9774 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9775 
9776 	if (info->attrs[NL80211_ATTR_IE]) {
9777 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9778 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9779 	}
9780 
9781 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9782 		enum nl80211_mfp mfp =
9783 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9784 		if (mfp == NL80211_MFP_REQUIRED)
9785 			req.use_mfp = true;
9786 		else if (mfp != NL80211_MFP_NO)
9787 			return -EINVAL;
9788 	}
9789 
9790 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9791 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9792 
9793 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9794 		req.flags |= ASSOC_REQ_DISABLE_HT;
9795 
9796 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9797 		memcpy(&req.ht_capa_mask,
9798 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9799 		       sizeof(req.ht_capa_mask));
9800 
9801 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9802 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9803 			return -EINVAL;
9804 		memcpy(&req.ht_capa,
9805 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9806 		       sizeof(req.ht_capa));
9807 	}
9808 
9809 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9810 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9811 
9812 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9813 		memcpy(&req.vht_capa_mask,
9814 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9815 		       sizeof(req.vht_capa_mask));
9816 
9817 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9818 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9819 			return -EINVAL;
9820 		memcpy(&req.vht_capa,
9821 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9822 		       sizeof(req.vht_capa));
9823 	}
9824 
9825 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9826 		if (!((rdev->wiphy.features &
9827 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9828 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9829 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9830 					     NL80211_EXT_FEATURE_RRM))
9831 			return -EINVAL;
9832 		req.flags |= ASSOC_REQ_USE_RRM;
9833 	}
9834 
9835 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9836 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9837 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9838 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9839 			return -EINVAL;
9840 		req.fils_nonces =
9841 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9842 	}
9843 
9844 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
9845 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
9846 			return -EINVAL;
9847 		memcpy(&req.s1g_capa_mask,
9848 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
9849 		       sizeof(req.s1g_capa_mask));
9850 	}
9851 
9852 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
9853 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
9854 			return -EINVAL;
9855 		memcpy(&req.s1g_capa,
9856 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
9857 		       sizeof(req.s1g_capa));
9858 	}
9859 
9860 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9861 	if (!err) {
9862 		wdev_lock(dev->ieee80211_ptr);
9863 
9864 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9865 					  ssid, ssid_len, &req);
9866 
9867 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9868 			dev->ieee80211_ptr->conn_owner_nlportid =
9869 				info->snd_portid;
9870 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9871 			       bssid, ETH_ALEN);
9872 		}
9873 
9874 		wdev_unlock(dev->ieee80211_ptr);
9875 	}
9876 
9877 	return err;
9878 }
9879 
9880 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9881 {
9882 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9883 	struct net_device *dev = info->user_ptr[1];
9884 	const u8 *ie = NULL, *bssid;
9885 	int ie_len = 0, err;
9886 	u16 reason_code;
9887 	bool local_state_change;
9888 
9889 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9890 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9891 		return -EPERM;
9892 
9893 	if (!info->attrs[NL80211_ATTR_MAC])
9894 		return -EINVAL;
9895 
9896 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9897 		return -EINVAL;
9898 
9899 	if (!rdev->ops->deauth)
9900 		return -EOPNOTSUPP;
9901 
9902 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9903 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9904 		return -EOPNOTSUPP;
9905 
9906 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9907 
9908 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9909 	if (reason_code == 0) {
9910 		/* Reason Code 0 is reserved */
9911 		return -EINVAL;
9912 	}
9913 
9914 	if (info->attrs[NL80211_ATTR_IE]) {
9915 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9916 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9917 	}
9918 
9919 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9920 
9921 	wdev_lock(dev->ieee80211_ptr);
9922 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9923 				   local_state_change);
9924 	wdev_unlock(dev->ieee80211_ptr);
9925 	return err;
9926 }
9927 
9928 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9929 {
9930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9931 	struct net_device *dev = info->user_ptr[1];
9932 	const u8 *ie = NULL, *bssid;
9933 	int ie_len = 0, err;
9934 	u16 reason_code;
9935 	bool local_state_change;
9936 
9937 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9938 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9939 		return -EPERM;
9940 
9941 	if (!info->attrs[NL80211_ATTR_MAC])
9942 		return -EINVAL;
9943 
9944 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9945 		return -EINVAL;
9946 
9947 	if (!rdev->ops->disassoc)
9948 		return -EOPNOTSUPP;
9949 
9950 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9951 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9952 		return -EOPNOTSUPP;
9953 
9954 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9955 
9956 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9957 	if (reason_code == 0) {
9958 		/* Reason Code 0 is reserved */
9959 		return -EINVAL;
9960 	}
9961 
9962 	if (info->attrs[NL80211_ATTR_IE]) {
9963 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9964 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9965 	}
9966 
9967 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9968 
9969 	wdev_lock(dev->ieee80211_ptr);
9970 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9971 				     local_state_change);
9972 	wdev_unlock(dev->ieee80211_ptr);
9973 	return err;
9974 }
9975 
9976 static bool
9977 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9978 			 int mcast_rate[NUM_NL80211_BANDS],
9979 			 int rateval)
9980 {
9981 	struct wiphy *wiphy = &rdev->wiphy;
9982 	bool found = false;
9983 	int band, i;
9984 
9985 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9986 		struct ieee80211_supported_band *sband;
9987 
9988 		sband = wiphy->bands[band];
9989 		if (!sband)
9990 			continue;
9991 
9992 		for (i = 0; i < sband->n_bitrates; i++) {
9993 			if (sband->bitrates[i].bitrate == rateval) {
9994 				mcast_rate[band] = i + 1;
9995 				found = true;
9996 				break;
9997 			}
9998 		}
9999 	}
10000 
10001 	return found;
10002 }
10003 
10004 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10005 {
10006 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10007 	struct net_device *dev = info->user_ptr[1];
10008 	struct cfg80211_ibss_params ibss;
10009 	struct wiphy *wiphy;
10010 	struct cfg80211_cached_keys *connkeys = NULL;
10011 	int err;
10012 
10013 	memset(&ibss, 0, sizeof(ibss));
10014 
10015 	if (!info->attrs[NL80211_ATTR_SSID] ||
10016 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10017 		return -EINVAL;
10018 
10019 	ibss.beacon_interval = 100;
10020 
10021 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10022 		ibss.beacon_interval =
10023 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10024 
10025 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10026 					   ibss.beacon_interval);
10027 	if (err)
10028 		return err;
10029 
10030 	if (!rdev->ops->join_ibss)
10031 		return -EOPNOTSUPP;
10032 
10033 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10034 		return -EOPNOTSUPP;
10035 
10036 	wiphy = &rdev->wiphy;
10037 
10038 	if (info->attrs[NL80211_ATTR_MAC]) {
10039 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10040 
10041 		if (!is_valid_ether_addr(ibss.bssid))
10042 			return -EINVAL;
10043 	}
10044 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10045 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10046 
10047 	if (info->attrs[NL80211_ATTR_IE]) {
10048 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10049 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10050 	}
10051 
10052 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10053 	if (err)
10054 		return err;
10055 
10056 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10057 				     NL80211_IFTYPE_ADHOC))
10058 		return -EINVAL;
10059 
10060 	switch (ibss.chandef.width) {
10061 	case NL80211_CHAN_WIDTH_5:
10062 	case NL80211_CHAN_WIDTH_10:
10063 	case NL80211_CHAN_WIDTH_20_NOHT:
10064 		break;
10065 	case NL80211_CHAN_WIDTH_20:
10066 	case NL80211_CHAN_WIDTH_40:
10067 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10068 			return -EINVAL;
10069 		break;
10070 	case NL80211_CHAN_WIDTH_80:
10071 	case NL80211_CHAN_WIDTH_80P80:
10072 	case NL80211_CHAN_WIDTH_160:
10073 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10074 			return -EINVAL;
10075 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10076 					     NL80211_EXT_FEATURE_VHT_IBSS))
10077 			return -EINVAL;
10078 		break;
10079 	default:
10080 		return -EINVAL;
10081 	}
10082 
10083 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10084 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10085 
10086 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10087 		u8 *rates =
10088 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10089 		int n_rates =
10090 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10091 		struct ieee80211_supported_band *sband =
10092 			wiphy->bands[ibss.chandef.chan->band];
10093 
10094 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10095 					     &ibss.basic_rates);
10096 		if (err)
10097 			return err;
10098 	}
10099 
10100 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10101 		memcpy(&ibss.ht_capa_mask,
10102 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10103 		       sizeof(ibss.ht_capa_mask));
10104 
10105 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10106 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10107 			return -EINVAL;
10108 		memcpy(&ibss.ht_capa,
10109 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10110 		       sizeof(ibss.ht_capa));
10111 	}
10112 
10113 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10114 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10115 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10116 		return -EINVAL;
10117 
10118 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10119 		bool no_ht = false;
10120 
10121 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10122 		if (IS_ERR(connkeys))
10123 			return PTR_ERR(connkeys);
10124 
10125 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10126 		    no_ht) {
10127 			kfree_sensitive(connkeys);
10128 			return -EINVAL;
10129 		}
10130 	}
10131 
10132 	ibss.control_port =
10133 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10134 
10135 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10136 		int r = validate_pae_over_nl80211(rdev, info);
10137 
10138 		if (r < 0) {
10139 			kfree_sensitive(connkeys);
10140 			return r;
10141 		}
10142 
10143 		ibss.control_port_over_nl80211 = true;
10144 	}
10145 
10146 	ibss.userspace_handles_dfs =
10147 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10148 
10149 	wdev_lock(dev->ieee80211_ptr);
10150 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10151 	if (err)
10152 		kfree_sensitive(connkeys);
10153 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10154 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10155 	wdev_unlock(dev->ieee80211_ptr);
10156 
10157 	return err;
10158 }
10159 
10160 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10161 {
10162 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10163 	struct net_device *dev = info->user_ptr[1];
10164 
10165 	if (!rdev->ops->leave_ibss)
10166 		return -EOPNOTSUPP;
10167 
10168 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10169 		return -EOPNOTSUPP;
10170 
10171 	return cfg80211_leave_ibss(rdev, dev, false);
10172 }
10173 
10174 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10175 {
10176 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10177 	struct net_device *dev = info->user_ptr[1];
10178 	int mcast_rate[NUM_NL80211_BANDS];
10179 	u32 nla_rate;
10180 	int err;
10181 
10182 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10183 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10184 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10185 		return -EOPNOTSUPP;
10186 
10187 	if (!rdev->ops->set_mcast_rate)
10188 		return -EOPNOTSUPP;
10189 
10190 	memset(mcast_rate, 0, sizeof(mcast_rate));
10191 
10192 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10193 		return -EINVAL;
10194 
10195 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10196 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10197 		return -EINVAL;
10198 
10199 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10200 
10201 	return err;
10202 }
10203 
10204 static struct sk_buff *
10205 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10206 			    struct wireless_dev *wdev, int approxlen,
10207 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10208 			    enum nl80211_attrs attr,
10209 			    const struct nl80211_vendor_cmd_info *info,
10210 			    gfp_t gfp)
10211 {
10212 	struct sk_buff *skb;
10213 	void *hdr;
10214 	struct nlattr *data;
10215 
10216 	skb = nlmsg_new(approxlen + 100, gfp);
10217 	if (!skb)
10218 		return NULL;
10219 
10220 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10221 	if (!hdr) {
10222 		kfree_skb(skb);
10223 		return NULL;
10224 	}
10225 
10226 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10227 		goto nla_put_failure;
10228 
10229 	if (info) {
10230 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10231 				info->vendor_id))
10232 			goto nla_put_failure;
10233 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10234 				info->subcmd))
10235 			goto nla_put_failure;
10236 	}
10237 
10238 	if (wdev) {
10239 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10240 				      wdev_id(wdev), NL80211_ATTR_PAD))
10241 			goto nla_put_failure;
10242 		if (wdev->netdev &&
10243 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10244 				wdev->netdev->ifindex))
10245 			goto nla_put_failure;
10246 	}
10247 
10248 	data = nla_nest_start_noflag(skb, attr);
10249 	if (!data)
10250 		goto nla_put_failure;
10251 
10252 	((void **)skb->cb)[0] = rdev;
10253 	((void **)skb->cb)[1] = hdr;
10254 	((void **)skb->cb)[2] = data;
10255 
10256 	return skb;
10257 
10258  nla_put_failure:
10259 	kfree_skb(skb);
10260 	return NULL;
10261 }
10262 
10263 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10264 					   struct wireless_dev *wdev,
10265 					   enum nl80211_commands cmd,
10266 					   enum nl80211_attrs attr,
10267 					   unsigned int portid,
10268 					   int vendor_event_idx,
10269 					   int approxlen, gfp_t gfp)
10270 {
10271 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10272 	const struct nl80211_vendor_cmd_info *info;
10273 
10274 	switch (cmd) {
10275 	case NL80211_CMD_TESTMODE:
10276 		if (WARN_ON(vendor_event_idx != -1))
10277 			return NULL;
10278 		info = NULL;
10279 		break;
10280 	case NL80211_CMD_VENDOR:
10281 		if (WARN_ON(vendor_event_idx < 0 ||
10282 			    vendor_event_idx >= wiphy->n_vendor_events))
10283 			return NULL;
10284 		info = &wiphy->vendor_events[vendor_event_idx];
10285 		break;
10286 	default:
10287 		WARN_ON(1);
10288 		return NULL;
10289 	}
10290 
10291 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10292 					   cmd, attr, info, gfp);
10293 }
10294 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10295 
10296 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10297 {
10298 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10299 	void *hdr = ((void **)skb->cb)[1];
10300 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10301 	struct nlattr *data = ((void **)skb->cb)[2];
10302 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10303 
10304 	/* clear CB data for netlink core to own from now on */
10305 	memset(skb->cb, 0, sizeof(skb->cb));
10306 
10307 	nla_nest_end(skb, data);
10308 	genlmsg_end(skb, hdr);
10309 
10310 	if (nlhdr->nlmsg_pid) {
10311 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10312 				nlhdr->nlmsg_pid);
10313 	} else {
10314 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10315 			mcgrp = NL80211_MCGRP_VENDOR;
10316 
10317 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10318 					skb, 0, mcgrp, gfp);
10319 	}
10320 }
10321 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10322 
10323 #ifdef CONFIG_NL80211_TESTMODE
10324 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10325 {
10326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10327 	struct wireless_dev *wdev =
10328 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
10329 	int err;
10330 
10331 	if (!rdev->ops->testmode_cmd)
10332 		return -EOPNOTSUPP;
10333 
10334 	if (IS_ERR(wdev)) {
10335 		err = PTR_ERR(wdev);
10336 		if (err != -EINVAL)
10337 			return err;
10338 		wdev = NULL;
10339 	} else if (wdev->wiphy != &rdev->wiphy) {
10340 		return -EINVAL;
10341 	}
10342 
10343 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10344 		return -EINVAL;
10345 
10346 	rdev->cur_cmd_info = info;
10347 	err = rdev_testmode_cmd(rdev, wdev,
10348 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10349 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10350 	rdev->cur_cmd_info = NULL;
10351 
10352 	return err;
10353 }
10354 
10355 static int nl80211_testmode_dump(struct sk_buff *skb,
10356 				 struct netlink_callback *cb)
10357 {
10358 	struct cfg80211_registered_device *rdev;
10359 	struct nlattr **attrbuf = NULL;
10360 	int err;
10361 	long phy_idx;
10362 	void *data = NULL;
10363 	int data_len = 0;
10364 
10365 	rtnl_lock();
10366 
10367 	if (cb->args[0]) {
10368 		/*
10369 		 * 0 is a valid index, but not valid for args[0],
10370 		 * so we need to offset by 1.
10371 		 */
10372 		phy_idx = cb->args[0] - 1;
10373 
10374 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10375 		if (!rdev) {
10376 			err = -ENOENT;
10377 			goto out_err;
10378 		}
10379 	} else {
10380 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10381 				  GFP_KERNEL);
10382 		if (!attrbuf) {
10383 			err = -ENOMEM;
10384 			goto out_err;
10385 		}
10386 
10387 		err = nlmsg_parse_deprecated(cb->nlh,
10388 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10389 					     attrbuf, nl80211_fam.maxattr,
10390 					     nl80211_policy, NULL);
10391 		if (err)
10392 			goto out_err;
10393 
10394 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10395 		if (IS_ERR(rdev)) {
10396 			err = PTR_ERR(rdev);
10397 			goto out_err;
10398 		}
10399 		phy_idx = rdev->wiphy_idx;
10400 
10401 		if (attrbuf[NL80211_ATTR_TESTDATA])
10402 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10403 	}
10404 
10405 	if (cb->args[1]) {
10406 		data = nla_data((void *)cb->args[1]);
10407 		data_len = nla_len((void *)cb->args[1]);
10408 	}
10409 
10410 	if (!rdev->ops->testmode_dump) {
10411 		err = -EOPNOTSUPP;
10412 		goto out_err;
10413 	}
10414 
10415 	while (1) {
10416 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10417 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10418 					   NL80211_CMD_TESTMODE);
10419 		struct nlattr *tmdata;
10420 
10421 		if (!hdr)
10422 			break;
10423 
10424 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10425 			genlmsg_cancel(skb, hdr);
10426 			break;
10427 		}
10428 
10429 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10430 		if (!tmdata) {
10431 			genlmsg_cancel(skb, hdr);
10432 			break;
10433 		}
10434 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10435 		nla_nest_end(skb, tmdata);
10436 
10437 		if (err == -ENOBUFS || err == -ENOENT) {
10438 			genlmsg_cancel(skb, hdr);
10439 			break;
10440 		} else if (err) {
10441 			genlmsg_cancel(skb, hdr);
10442 			goto out_err;
10443 		}
10444 
10445 		genlmsg_end(skb, hdr);
10446 	}
10447 
10448 	err = skb->len;
10449 	/* see above */
10450 	cb->args[0] = phy_idx + 1;
10451  out_err:
10452 	kfree(attrbuf);
10453 	rtnl_unlock();
10454 	return err;
10455 }
10456 #endif
10457 
10458 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10459 {
10460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10461 	struct net_device *dev = info->user_ptr[1];
10462 	struct cfg80211_connect_params connect;
10463 	struct wiphy *wiphy;
10464 	struct cfg80211_cached_keys *connkeys = NULL;
10465 	u32 freq = 0;
10466 	int err;
10467 
10468 	memset(&connect, 0, sizeof(connect));
10469 
10470 	if (!info->attrs[NL80211_ATTR_SSID] ||
10471 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10472 		return -EINVAL;
10473 
10474 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10475 		connect.auth_type =
10476 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10477 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10478 					     NL80211_CMD_CONNECT))
10479 			return -EINVAL;
10480 	} else
10481 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10482 
10483 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10484 
10485 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10486 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10487 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10488 		return -EINVAL;
10489 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10490 
10491 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10492 				      NL80211_MAX_NR_CIPHER_SUITES);
10493 	if (err)
10494 		return err;
10495 
10496 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10497 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10498 		return -EOPNOTSUPP;
10499 
10500 	wiphy = &rdev->wiphy;
10501 
10502 	connect.bg_scan_period = -1;
10503 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10504 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10505 		connect.bg_scan_period =
10506 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10507 	}
10508 
10509 	if (info->attrs[NL80211_ATTR_MAC])
10510 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10511 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10512 		connect.bssid_hint =
10513 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10514 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10515 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10516 
10517 	if (info->attrs[NL80211_ATTR_IE]) {
10518 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10519 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10520 	}
10521 
10522 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10523 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10524 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10525 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10526 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10527 			return -EOPNOTSUPP;
10528 	} else {
10529 		connect.mfp = NL80211_MFP_NO;
10530 	}
10531 
10532 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10533 		connect.prev_bssid =
10534 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10535 
10536 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10537 		freq = MHZ_TO_KHZ(nla_get_u32(
10538 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10539 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10540 		freq +=
10541 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10542 
10543 	if (freq) {
10544 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10545 		if (!connect.channel)
10546 			return -EINVAL;
10547 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10548 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10549 		freq = MHZ_TO_KHZ(freq);
10550 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10551 		if (!connect.channel_hint)
10552 			return -EINVAL;
10553 	}
10554 
10555 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10556 		connect.edmg.channels =
10557 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10558 
10559 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10560 			connect.edmg.bw_config =
10561 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10562 	}
10563 
10564 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10565 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10566 		if (IS_ERR(connkeys))
10567 			return PTR_ERR(connkeys);
10568 	}
10569 
10570 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10571 		connect.flags |= ASSOC_REQ_DISABLE_HT;
10572 
10573 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10574 		memcpy(&connect.ht_capa_mask,
10575 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10576 		       sizeof(connect.ht_capa_mask));
10577 
10578 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10579 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10580 			kfree_sensitive(connkeys);
10581 			return -EINVAL;
10582 		}
10583 		memcpy(&connect.ht_capa,
10584 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10585 		       sizeof(connect.ht_capa));
10586 	}
10587 
10588 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10589 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10590 
10591 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10592 		memcpy(&connect.vht_capa_mask,
10593 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10594 		       sizeof(connect.vht_capa_mask));
10595 
10596 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10597 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10598 			kfree_sensitive(connkeys);
10599 			return -EINVAL;
10600 		}
10601 		memcpy(&connect.vht_capa,
10602 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10603 		       sizeof(connect.vht_capa));
10604 	}
10605 
10606 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10607 		if (!((rdev->wiphy.features &
10608 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10609 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10610 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10611 					     NL80211_EXT_FEATURE_RRM)) {
10612 			kfree_sensitive(connkeys);
10613 			return -EINVAL;
10614 		}
10615 		connect.flags |= ASSOC_REQ_USE_RRM;
10616 	}
10617 
10618 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10619 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10620 		kfree_sensitive(connkeys);
10621 		return -EOPNOTSUPP;
10622 	}
10623 
10624 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10625 		/* bss selection makes no sense if bssid is set */
10626 		if (connect.bssid) {
10627 			kfree_sensitive(connkeys);
10628 			return -EINVAL;
10629 		}
10630 
10631 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10632 				       wiphy, &connect.bss_select);
10633 		if (err) {
10634 			kfree_sensitive(connkeys);
10635 			return err;
10636 		}
10637 	}
10638 
10639 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10640 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10641 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10642 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10643 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10644 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10645 		connect.fils_erp_username =
10646 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10647 		connect.fils_erp_username_len =
10648 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10649 		connect.fils_erp_realm =
10650 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10651 		connect.fils_erp_realm_len =
10652 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10653 		connect.fils_erp_next_seq_num =
10654 			nla_get_u16(
10655 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10656 		connect.fils_erp_rrk =
10657 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10658 		connect.fils_erp_rrk_len =
10659 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10660 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10661 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10662 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10663 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10664 		kfree_sensitive(connkeys);
10665 		return -EINVAL;
10666 	}
10667 
10668 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10669 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10670 			kfree_sensitive(connkeys);
10671 			GENL_SET_ERR_MSG(info,
10672 					 "external auth requires connection ownership");
10673 			return -EINVAL;
10674 		}
10675 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10676 	}
10677 
10678 	wdev_lock(dev->ieee80211_ptr);
10679 
10680 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10681 			       connect.prev_bssid);
10682 	if (err)
10683 		kfree_sensitive(connkeys);
10684 
10685 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10686 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10687 		if (connect.bssid)
10688 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10689 			       connect.bssid, ETH_ALEN);
10690 		else
10691 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
10692 	}
10693 
10694 	wdev_unlock(dev->ieee80211_ptr);
10695 
10696 	return err;
10697 }
10698 
10699 static int nl80211_update_connect_params(struct sk_buff *skb,
10700 					 struct genl_info *info)
10701 {
10702 	struct cfg80211_connect_params connect = {};
10703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10704 	struct net_device *dev = info->user_ptr[1];
10705 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10706 	bool fils_sk_offload;
10707 	u32 auth_type;
10708 	u32 changed = 0;
10709 	int ret;
10710 
10711 	if (!rdev->ops->update_connect_params)
10712 		return -EOPNOTSUPP;
10713 
10714 	if (info->attrs[NL80211_ATTR_IE]) {
10715 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10716 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10717 		changed |= UPDATE_ASSOC_IES;
10718 	}
10719 
10720 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10721 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10722 
10723 	/*
10724 	 * when driver supports fils-sk offload all attributes must be
10725 	 * provided. So the else covers "fils-sk-not-all" and
10726 	 * "no-fils-sk-any".
10727 	 */
10728 	if (fils_sk_offload &&
10729 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10730 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10731 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10732 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10733 		connect.fils_erp_username =
10734 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10735 		connect.fils_erp_username_len =
10736 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10737 		connect.fils_erp_realm =
10738 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10739 		connect.fils_erp_realm_len =
10740 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10741 		connect.fils_erp_next_seq_num =
10742 			nla_get_u16(
10743 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10744 		connect.fils_erp_rrk =
10745 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10746 		connect.fils_erp_rrk_len =
10747 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10748 		changed |= UPDATE_FILS_ERP_INFO;
10749 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10750 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10751 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10752 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10753 		return -EINVAL;
10754 	}
10755 
10756 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10757 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10758 		if (!nl80211_valid_auth_type(rdev, auth_type,
10759 					     NL80211_CMD_CONNECT))
10760 			return -EINVAL;
10761 
10762 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10763 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10764 			return -EINVAL;
10765 
10766 		connect.auth_type = auth_type;
10767 		changed |= UPDATE_AUTH_TYPE;
10768 	}
10769 
10770 	wdev_lock(dev->ieee80211_ptr);
10771 	if (!wdev->current_bss)
10772 		ret = -ENOLINK;
10773 	else
10774 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10775 	wdev_unlock(dev->ieee80211_ptr);
10776 
10777 	return ret;
10778 }
10779 
10780 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10781 {
10782 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10783 	struct net_device *dev = info->user_ptr[1];
10784 	u16 reason;
10785 	int ret;
10786 
10787 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10788 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10789 		return -EPERM;
10790 
10791 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10792 		reason = WLAN_REASON_DEAUTH_LEAVING;
10793 	else
10794 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10795 
10796 	if (reason == 0)
10797 		return -EINVAL;
10798 
10799 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10800 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10801 		return -EOPNOTSUPP;
10802 
10803 	wdev_lock(dev->ieee80211_ptr);
10804 	ret = cfg80211_disconnect(rdev, dev, reason, true);
10805 	wdev_unlock(dev->ieee80211_ptr);
10806 	return ret;
10807 }
10808 
10809 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10810 {
10811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10812 	struct net *net;
10813 	int err;
10814 
10815 	if (info->attrs[NL80211_ATTR_PID]) {
10816 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10817 
10818 		net = get_net_ns_by_pid(pid);
10819 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10820 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10821 
10822 		net = get_net_ns_by_fd(fd);
10823 	} else {
10824 		return -EINVAL;
10825 	}
10826 
10827 	if (IS_ERR(net))
10828 		return PTR_ERR(net);
10829 
10830 	err = 0;
10831 
10832 	/* check if anything to do */
10833 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10834 		err = cfg80211_switch_netns(rdev, net);
10835 
10836 	put_net(net);
10837 	return err;
10838 }
10839 
10840 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10841 {
10842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10843 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10844 			struct cfg80211_pmksa *pmksa) = NULL;
10845 	struct net_device *dev = info->user_ptr[1];
10846 	struct cfg80211_pmksa pmksa;
10847 
10848 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10849 
10850 	if (!info->attrs[NL80211_ATTR_PMKID])
10851 		return -EINVAL;
10852 
10853 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10854 
10855 	if (info->attrs[NL80211_ATTR_MAC]) {
10856 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10857 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10858 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10859 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10860 		    info->attrs[NL80211_ATTR_PMK])) {
10861 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10862 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10863 		pmksa.cache_id =
10864 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10865 	} else {
10866 		return -EINVAL;
10867 	}
10868 	if (info->attrs[NL80211_ATTR_PMK]) {
10869 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10870 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10871 	}
10872 
10873 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
10874 		pmksa.pmk_lifetime =
10875 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
10876 
10877 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
10878 		pmksa.pmk_reauth_threshold =
10879 			nla_get_u8(
10880 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
10881 
10882 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10883 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10884 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10885 	      wiphy_ext_feature_isset(&rdev->wiphy,
10886 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10887 		return -EOPNOTSUPP;
10888 
10889 	switch (info->genlhdr->cmd) {
10890 	case NL80211_CMD_SET_PMKSA:
10891 		rdev_ops = rdev->ops->set_pmksa;
10892 		break;
10893 	case NL80211_CMD_DEL_PMKSA:
10894 		rdev_ops = rdev->ops->del_pmksa;
10895 		break;
10896 	default:
10897 		WARN_ON(1);
10898 		break;
10899 	}
10900 
10901 	if (!rdev_ops)
10902 		return -EOPNOTSUPP;
10903 
10904 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10905 }
10906 
10907 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10908 {
10909 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10910 	struct net_device *dev = info->user_ptr[1];
10911 
10912 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10913 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10914 		return -EOPNOTSUPP;
10915 
10916 	if (!rdev->ops->flush_pmksa)
10917 		return -EOPNOTSUPP;
10918 
10919 	return rdev_flush_pmksa(rdev, dev);
10920 }
10921 
10922 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10923 {
10924 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10925 	struct net_device *dev = info->user_ptr[1];
10926 	u8 action_code, dialog_token;
10927 	u32 peer_capability = 0;
10928 	u16 status_code;
10929 	u8 *peer;
10930 	bool initiator;
10931 
10932 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10933 	    !rdev->ops->tdls_mgmt)
10934 		return -EOPNOTSUPP;
10935 
10936 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10937 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10938 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10939 	    !info->attrs[NL80211_ATTR_IE] ||
10940 	    !info->attrs[NL80211_ATTR_MAC])
10941 		return -EINVAL;
10942 
10943 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10944 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10945 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10946 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10947 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10948 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10949 		peer_capability =
10950 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10951 
10952 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10953 			      dialog_token, status_code, peer_capability,
10954 			      initiator,
10955 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10956 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10957 }
10958 
10959 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10960 {
10961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10962 	struct net_device *dev = info->user_ptr[1];
10963 	enum nl80211_tdls_operation operation;
10964 	u8 *peer;
10965 
10966 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10967 	    !rdev->ops->tdls_oper)
10968 		return -EOPNOTSUPP;
10969 
10970 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10971 	    !info->attrs[NL80211_ATTR_MAC])
10972 		return -EINVAL;
10973 
10974 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10975 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10976 
10977 	return rdev_tdls_oper(rdev, dev, peer, operation);
10978 }
10979 
10980 static int nl80211_remain_on_channel(struct sk_buff *skb,
10981 				     struct genl_info *info)
10982 {
10983 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10984 	struct wireless_dev *wdev = info->user_ptr[1];
10985 	struct cfg80211_chan_def chandef;
10986 	const struct cfg80211_chan_def *compat_chandef;
10987 	struct sk_buff *msg;
10988 	void *hdr;
10989 	u64 cookie;
10990 	u32 duration;
10991 	int err;
10992 
10993 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10994 	    !info->attrs[NL80211_ATTR_DURATION])
10995 		return -EINVAL;
10996 
10997 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10998 
10999 	if (!rdev->ops->remain_on_channel ||
11000 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11001 		return -EOPNOTSUPP;
11002 
11003 	/*
11004 	 * We should be on that channel for at least a minimum amount of
11005 	 * time (10ms) but no longer than the driver supports.
11006 	 */
11007 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11008 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11009 		return -EINVAL;
11010 
11011 	err = nl80211_parse_chandef(rdev, info, &chandef);
11012 	if (err)
11013 		return err;
11014 
11015 	wdev_lock(wdev);
11016 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11017 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11018 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11019 							     &chandef);
11020 		if (compat_chandef != &chandef) {
11021 			wdev_unlock(wdev);
11022 			return -EBUSY;
11023 		}
11024 	}
11025 	wdev_unlock(wdev);
11026 
11027 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11028 	if (!msg)
11029 		return -ENOMEM;
11030 
11031 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11032 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11033 	if (!hdr) {
11034 		err = -ENOBUFS;
11035 		goto free_msg;
11036 	}
11037 
11038 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11039 				     duration, &cookie);
11040 
11041 	if (err)
11042 		goto free_msg;
11043 
11044 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11045 			      NL80211_ATTR_PAD))
11046 		goto nla_put_failure;
11047 
11048 	genlmsg_end(msg, hdr);
11049 
11050 	return genlmsg_reply(msg, info);
11051 
11052  nla_put_failure:
11053 	err = -ENOBUFS;
11054  free_msg:
11055 	nlmsg_free(msg);
11056 	return err;
11057 }
11058 
11059 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11060 					    struct genl_info *info)
11061 {
11062 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11063 	struct wireless_dev *wdev = info->user_ptr[1];
11064 	u64 cookie;
11065 
11066 	if (!info->attrs[NL80211_ATTR_COOKIE])
11067 		return -EINVAL;
11068 
11069 	if (!rdev->ops->cancel_remain_on_channel)
11070 		return -EOPNOTSUPP;
11071 
11072 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11073 
11074 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11075 }
11076 
11077 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11078 				       struct genl_info *info)
11079 {
11080 	struct cfg80211_bitrate_mask mask;
11081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11082 	struct net_device *dev = info->user_ptr[1];
11083 	int err;
11084 
11085 	if (!rdev->ops->set_bitrate_mask)
11086 		return -EOPNOTSUPP;
11087 
11088 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11089 					    NL80211_ATTR_TX_RATES, &mask,
11090 					    dev);
11091 	if (err)
11092 		return err;
11093 
11094 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11095 }
11096 
11097 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11098 {
11099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11100 	struct wireless_dev *wdev = info->user_ptr[1];
11101 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11102 
11103 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11104 		return -EINVAL;
11105 
11106 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11107 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11108 
11109 	switch (wdev->iftype) {
11110 	case NL80211_IFTYPE_STATION:
11111 	case NL80211_IFTYPE_ADHOC:
11112 	case NL80211_IFTYPE_P2P_CLIENT:
11113 	case NL80211_IFTYPE_AP:
11114 	case NL80211_IFTYPE_AP_VLAN:
11115 	case NL80211_IFTYPE_MESH_POINT:
11116 	case NL80211_IFTYPE_P2P_GO:
11117 	case NL80211_IFTYPE_P2P_DEVICE:
11118 		break;
11119 	case NL80211_IFTYPE_NAN:
11120 	default:
11121 		return -EOPNOTSUPP;
11122 	}
11123 
11124 	/* not much point in registering if we can't reply */
11125 	if (!rdev->ops->mgmt_tx)
11126 		return -EOPNOTSUPP;
11127 
11128 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11129 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11130 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11131 		GENL_SET_ERR_MSG(info,
11132 				 "multicast RX registrations are not supported");
11133 		return -EOPNOTSUPP;
11134 	}
11135 
11136 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11137 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11138 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11139 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11140 					   info->extack);
11141 }
11142 
11143 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11144 {
11145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11146 	struct wireless_dev *wdev = info->user_ptr[1];
11147 	struct cfg80211_chan_def chandef;
11148 	int err;
11149 	void *hdr = NULL;
11150 	u64 cookie;
11151 	struct sk_buff *msg = NULL;
11152 	struct cfg80211_mgmt_tx_params params = {
11153 		.dont_wait_for_ack =
11154 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11155 	};
11156 
11157 	if (!info->attrs[NL80211_ATTR_FRAME])
11158 		return -EINVAL;
11159 
11160 	if (!rdev->ops->mgmt_tx)
11161 		return -EOPNOTSUPP;
11162 
11163 	switch (wdev->iftype) {
11164 	case NL80211_IFTYPE_P2P_DEVICE:
11165 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11166 			return -EINVAL;
11167 	case NL80211_IFTYPE_STATION:
11168 	case NL80211_IFTYPE_ADHOC:
11169 	case NL80211_IFTYPE_P2P_CLIENT:
11170 	case NL80211_IFTYPE_AP:
11171 	case NL80211_IFTYPE_AP_VLAN:
11172 	case NL80211_IFTYPE_MESH_POINT:
11173 	case NL80211_IFTYPE_P2P_GO:
11174 		break;
11175 	case NL80211_IFTYPE_NAN:
11176 	default:
11177 		return -EOPNOTSUPP;
11178 	}
11179 
11180 	if (info->attrs[NL80211_ATTR_DURATION]) {
11181 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11182 			return -EINVAL;
11183 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11184 
11185 		/*
11186 		 * We should wait on the channel for at least a minimum amount
11187 		 * of time (10ms) but no longer than the driver supports.
11188 		 */
11189 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11190 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11191 			return -EINVAL;
11192 	}
11193 
11194 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11195 
11196 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11197 		return -EINVAL;
11198 
11199 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11200 
11201 	/* get the channel if any has been specified, otherwise pass NULL to
11202 	 * the driver. The latter will use the current one
11203 	 */
11204 	chandef.chan = NULL;
11205 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11206 		err = nl80211_parse_chandef(rdev, info, &chandef);
11207 		if (err)
11208 			return err;
11209 	}
11210 
11211 	if (!chandef.chan && params.offchan)
11212 		return -EINVAL;
11213 
11214 	wdev_lock(wdev);
11215 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11216 		wdev_unlock(wdev);
11217 		return -EBUSY;
11218 	}
11219 	wdev_unlock(wdev);
11220 
11221 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11222 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11223 
11224 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11225 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11226 		int i;
11227 
11228 		if (len % sizeof(u16))
11229 			return -EINVAL;
11230 
11231 		params.n_csa_offsets = len / sizeof(u16);
11232 		params.csa_offsets =
11233 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11234 
11235 		/* check that all the offsets fit the frame */
11236 		for (i = 0; i < params.n_csa_offsets; i++) {
11237 			if (params.csa_offsets[i] >= params.len)
11238 				return -EINVAL;
11239 		}
11240 	}
11241 
11242 	if (!params.dont_wait_for_ack) {
11243 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11244 		if (!msg)
11245 			return -ENOMEM;
11246 
11247 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11248 				     NL80211_CMD_FRAME);
11249 		if (!hdr) {
11250 			err = -ENOBUFS;
11251 			goto free_msg;
11252 		}
11253 	}
11254 
11255 	params.chan = chandef.chan;
11256 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11257 	if (err)
11258 		goto free_msg;
11259 
11260 	if (msg) {
11261 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11262 				      NL80211_ATTR_PAD))
11263 			goto nla_put_failure;
11264 
11265 		genlmsg_end(msg, hdr);
11266 		return genlmsg_reply(msg, info);
11267 	}
11268 
11269 	return 0;
11270 
11271  nla_put_failure:
11272 	err = -ENOBUFS;
11273  free_msg:
11274 	nlmsg_free(msg);
11275 	return err;
11276 }
11277 
11278 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11279 {
11280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11281 	struct wireless_dev *wdev = info->user_ptr[1];
11282 	u64 cookie;
11283 
11284 	if (!info->attrs[NL80211_ATTR_COOKIE])
11285 		return -EINVAL;
11286 
11287 	if (!rdev->ops->mgmt_tx_cancel_wait)
11288 		return -EOPNOTSUPP;
11289 
11290 	switch (wdev->iftype) {
11291 	case NL80211_IFTYPE_STATION:
11292 	case NL80211_IFTYPE_ADHOC:
11293 	case NL80211_IFTYPE_P2P_CLIENT:
11294 	case NL80211_IFTYPE_AP:
11295 	case NL80211_IFTYPE_AP_VLAN:
11296 	case NL80211_IFTYPE_P2P_GO:
11297 	case NL80211_IFTYPE_P2P_DEVICE:
11298 		break;
11299 	case NL80211_IFTYPE_NAN:
11300 	default:
11301 		return -EOPNOTSUPP;
11302 	}
11303 
11304 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11305 
11306 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11307 }
11308 
11309 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11310 {
11311 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11312 	struct wireless_dev *wdev;
11313 	struct net_device *dev = info->user_ptr[1];
11314 	u8 ps_state;
11315 	bool state;
11316 	int err;
11317 
11318 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11319 		return -EINVAL;
11320 
11321 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11322 
11323 	wdev = dev->ieee80211_ptr;
11324 
11325 	if (!rdev->ops->set_power_mgmt)
11326 		return -EOPNOTSUPP;
11327 
11328 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11329 
11330 	if (state == wdev->ps)
11331 		return 0;
11332 
11333 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11334 	if (!err)
11335 		wdev->ps = state;
11336 	return err;
11337 }
11338 
11339 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11340 {
11341 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11342 	enum nl80211_ps_state ps_state;
11343 	struct wireless_dev *wdev;
11344 	struct net_device *dev = info->user_ptr[1];
11345 	struct sk_buff *msg;
11346 	void *hdr;
11347 	int err;
11348 
11349 	wdev = dev->ieee80211_ptr;
11350 
11351 	if (!rdev->ops->set_power_mgmt)
11352 		return -EOPNOTSUPP;
11353 
11354 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11355 	if (!msg)
11356 		return -ENOMEM;
11357 
11358 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11359 			     NL80211_CMD_GET_POWER_SAVE);
11360 	if (!hdr) {
11361 		err = -ENOBUFS;
11362 		goto free_msg;
11363 	}
11364 
11365 	if (wdev->ps)
11366 		ps_state = NL80211_PS_ENABLED;
11367 	else
11368 		ps_state = NL80211_PS_DISABLED;
11369 
11370 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11371 		goto nla_put_failure;
11372 
11373 	genlmsg_end(msg, hdr);
11374 	return genlmsg_reply(msg, info);
11375 
11376  nla_put_failure:
11377 	err = -ENOBUFS;
11378  free_msg:
11379 	nlmsg_free(msg);
11380 	return err;
11381 }
11382 
11383 static const struct nla_policy
11384 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11385 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11386 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11387 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11388 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11389 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11390 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11391 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11392 };
11393 
11394 static int nl80211_set_cqm_txe(struct genl_info *info,
11395 			       u32 rate, u32 pkts, u32 intvl)
11396 {
11397 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11398 	struct net_device *dev = info->user_ptr[1];
11399 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11400 
11401 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11402 		return -EINVAL;
11403 
11404 	if (!rdev->ops->set_cqm_txe_config)
11405 		return -EOPNOTSUPP;
11406 
11407 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11408 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11409 		return -EOPNOTSUPP;
11410 
11411 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11412 }
11413 
11414 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11415 				    struct net_device *dev)
11416 {
11417 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11418 	s32 last, low, high;
11419 	u32 hyst;
11420 	int i, n, low_index;
11421 	int err;
11422 
11423 	/* RSSI reporting disabled? */
11424 	if (!wdev->cqm_config)
11425 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11426 
11427 	/*
11428 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11429 	 * event has been received yet, we should receive an event after a
11430 	 * connection is established and enough beacons received to calculate
11431 	 * the average.
11432 	 */
11433 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11434 	    rdev->ops->get_station) {
11435 		struct station_info sinfo = {};
11436 		u8 *mac_addr;
11437 
11438 		mac_addr = wdev->current_bss->pub.bssid;
11439 
11440 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11441 		if (err)
11442 			return err;
11443 
11444 		cfg80211_sinfo_release_content(&sinfo);
11445 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11446 			wdev->cqm_config->last_rssi_event_value =
11447 				(s8) sinfo.rx_beacon_signal_avg;
11448 	}
11449 
11450 	last = wdev->cqm_config->last_rssi_event_value;
11451 	hyst = wdev->cqm_config->rssi_hyst;
11452 	n = wdev->cqm_config->n_rssi_thresholds;
11453 
11454 	for (i = 0; i < n; i++) {
11455 		i = array_index_nospec(i, n);
11456 		if (last < wdev->cqm_config->rssi_thresholds[i])
11457 			break;
11458 	}
11459 
11460 	low_index = i - 1;
11461 	if (low_index >= 0) {
11462 		low_index = array_index_nospec(low_index, n);
11463 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11464 	} else {
11465 		low = S32_MIN;
11466 	}
11467 	if (i < n) {
11468 		i = array_index_nospec(i, n);
11469 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11470 	} else {
11471 		high = S32_MAX;
11472 	}
11473 
11474 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11475 }
11476 
11477 static int nl80211_set_cqm_rssi(struct genl_info *info,
11478 				const s32 *thresholds, int n_thresholds,
11479 				u32 hysteresis)
11480 {
11481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11482 	struct net_device *dev = info->user_ptr[1];
11483 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11484 	int i, err;
11485 	s32 prev = S32_MIN;
11486 
11487 	/* Check all values negative and sorted */
11488 	for (i = 0; i < n_thresholds; i++) {
11489 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11490 			return -EINVAL;
11491 
11492 		prev = thresholds[i];
11493 	}
11494 
11495 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11496 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11497 		return -EOPNOTSUPP;
11498 
11499 	wdev_lock(wdev);
11500 	cfg80211_cqm_config_free(wdev);
11501 	wdev_unlock(wdev);
11502 
11503 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11504 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11505 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11506 
11507 		return rdev_set_cqm_rssi_config(rdev, dev,
11508 						thresholds[0], hysteresis);
11509 	}
11510 
11511 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11512 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11513 		return -EOPNOTSUPP;
11514 
11515 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11516 		n_thresholds = 0;
11517 
11518 	wdev_lock(wdev);
11519 	if (n_thresholds) {
11520 		struct cfg80211_cqm_config *cqm_config;
11521 
11522 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11523 				     n_thresholds * sizeof(s32), GFP_KERNEL);
11524 		if (!cqm_config) {
11525 			err = -ENOMEM;
11526 			goto unlock;
11527 		}
11528 
11529 		cqm_config->rssi_hyst = hysteresis;
11530 		cqm_config->n_rssi_thresholds = n_thresholds;
11531 		memcpy(cqm_config->rssi_thresholds, thresholds,
11532 		       n_thresholds * sizeof(s32));
11533 
11534 		wdev->cqm_config = cqm_config;
11535 	}
11536 
11537 	err = cfg80211_cqm_rssi_update(rdev, dev);
11538 
11539 unlock:
11540 	wdev_unlock(wdev);
11541 
11542 	return err;
11543 }
11544 
11545 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11546 {
11547 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11548 	struct nlattr *cqm;
11549 	int err;
11550 
11551 	cqm = info->attrs[NL80211_ATTR_CQM];
11552 	if (!cqm)
11553 		return -EINVAL;
11554 
11555 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11556 					  nl80211_attr_cqm_policy,
11557 					  info->extack);
11558 	if (err)
11559 		return err;
11560 
11561 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11562 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11563 		const s32 *thresholds =
11564 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11565 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11566 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11567 
11568 		if (len % 4)
11569 			return -EINVAL;
11570 
11571 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11572 					    hysteresis);
11573 	}
11574 
11575 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11576 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11577 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11578 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11579 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11580 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11581 
11582 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11583 	}
11584 
11585 	return -EINVAL;
11586 }
11587 
11588 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11589 {
11590 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11591 	struct net_device *dev = info->user_ptr[1];
11592 	struct ocb_setup setup = {};
11593 	int err;
11594 
11595 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11596 	if (err)
11597 		return err;
11598 
11599 	return cfg80211_join_ocb(rdev, dev, &setup);
11600 }
11601 
11602 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11603 {
11604 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11605 	struct net_device *dev = info->user_ptr[1];
11606 
11607 	return cfg80211_leave_ocb(rdev, dev);
11608 }
11609 
11610 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11611 {
11612 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11613 	struct net_device *dev = info->user_ptr[1];
11614 	struct mesh_config cfg;
11615 	struct mesh_setup setup;
11616 	int err;
11617 
11618 	/* start with default */
11619 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11620 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11621 
11622 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11623 		/* and parse parameters if given */
11624 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11625 		if (err)
11626 			return err;
11627 	}
11628 
11629 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11630 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11631 		return -EINVAL;
11632 
11633 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11634 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11635 
11636 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11637 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11638 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11639 			return -EINVAL;
11640 
11641 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11642 		setup.beacon_interval =
11643 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11644 
11645 		err = cfg80211_validate_beacon_int(rdev,
11646 						   NL80211_IFTYPE_MESH_POINT,
11647 						   setup.beacon_interval);
11648 		if (err)
11649 			return err;
11650 	}
11651 
11652 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11653 		setup.dtim_period =
11654 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11655 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11656 			return -EINVAL;
11657 	}
11658 
11659 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11660 		/* parse additional setup parameters if given */
11661 		err = nl80211_parse_mesh_setup(info, &setup);
11662 		if (err)
11663 			return err;
11664 	}
11665 
11666 	if (setup.user_mpm)
11667 		cfg.auto_open_plinks = false;
11668 
11669 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11670 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11671 		if (err)
11672 			return err;
11673 	} else {
11674 		/* __cfg80211_join_mesh() will sort it out */
11675 		setup.chandef.chan = NULL;
11676 	}
11677 
11678 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11679 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11680 		int n_rates =
11681 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11682 		struct ieee80211_supported_band *sband;
11683 
11684 		if (!setup.chandef.chan)
11685 			return -EINVAL;
11686 
11687 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11688 
11689 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11690 					     &setup.basic_rates);
11691 		if (err)
11692 			return err;
11693 	}
11694 
11695 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11696 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11697 						    NL80211_ATTR_TX_RATES,
11698 						    &setup.beacon_rate,
11699 						    dev);
11700 		if (err)
11701 			return err;
11702 
11703 		if (!setup.chandef.chan)
11704 			return -EINVAL;
11705 
11706 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11707 					      &setup.beacon_rate);
11708 		if (err)
11709 			return err;
11710 	}
11711 
11712 	setup.userspace_handles_dfs =
11713 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11714 
11715 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11716 		int r = validate_pae_over_nl80211(rdev, info);
11717 
11718 		if (r < 0)
11719 			return r;
11720 
11721 		setup.control_port_over_nl80211 = true;
11722 	}
11723 
11724 	wdev_lock(dev->ieee80211_ptr);
11725 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11726 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11727 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11728 	wdev_unlock(dev->ieee80211_ptr);
11729 
11730 	return err;
11731 }
11732 
11733 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11734 {
11735 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11736 	struct net_device *dev = info->user_ptr[1];
11737 
11738 	return cfg80211_leave_mesh(rdev, dev);
11739 }
11740 
11741 #ifdef CONFIG_PM
11742 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11743 					struct cfg80211_registered_device *rdev)
11744 {
11745 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11746 	struct nlattr *nl_pats, *nl_pat;
11747 	int i, pat_len;
11748 
11749 	if (!wowlan->n_patterns)
11750 		return 0;
11751 
11752 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11753 	if (!nl_pats)
11754 		return -ENOBUFS;
11755 
11756 	for (i = 0; i < wowlan->n_patterns; i++) {
11757 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11758 		if (!nl_pat)
11759 			return -ENOBUFS;
11760 		pat_len = wowlan->patterns[i].pattern_len;
11761 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11762 			    wowlan->patterns[i].mask) ||
11763 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11764 			    wowlan->patterns[i].pattern) ||
11765 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11766 				wowlan->patterns[i].pkt_offset))
11767 			return -ENOBUFS;
11768 		nla_nest_end(msg, nl_pat);
11769 	}
11770 	nla_nest_end(msg, nl_pats);
11771 
11772 	return 0;
11773 }
11774 
11775 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11776 				   struct cfg80211_wowlan_tcp *tcp)
11777 {
11778 	struct nlattr *nl_tcp;
11779 
11780 	if (!tcp)
11781 		return 0;
11782 
11783 	nl_tcp = nla_nest_start_noflag(msg,
11784 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11785 	if (!nl_tcp)
11786 		return -ENOBUFS;
11787 
11788 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11789 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11790 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11791 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11792 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11793 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11794 		    tcp->payload_len, tcp->payload) ||
11795 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11796 			tcp->data_interval) ||
11797 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11798 		    tcp->wake_len, tcp->wake_data) ||
11799 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11800 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11801 		return -ENOBUFS;
11802 
11803 	if (tcp->payload_seq.len &&
11804 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11805 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11806 		return -ENOBUFS;
11807 
11808 	if (tcp->payload_tok.len &&
11809 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11810 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11811 		    &tcp->payload_tok))
11812 		return -ENOBUFS;
11813 
11814 	nla_nest_end(msg, nl_tcp);
11815 
11816 	return 0;
11817 }
11818 
11819 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11820 				  struct cfg80211_sched_scan_request *req)
11821 {
11822 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11823 	int i;
11824 
11825 	if (!req)
11826 		return 0;
11827 
11828 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11829 	if (!nd)
11830 		return -ENOBUFS;
11831 
11832 	if (req->n_scan_plans == 1 &&
11833 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11834 			req->scan_plans[0].interval * 1000))
11835 		return -ENOBUFS;
11836 
11837 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11838 		return -ENOBUFS;
11839 
11840 	if (req->relative_rssi_set) {
11841 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11842 
11843 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11844 			       req->relative_rssi))
11845 			return -ENOBUFS;
11846 
11847 		rssi_adjust.band = req->rssi_adjust.band;
11848 		rssi_adjust.delta = req->rssi_adjust.delta;
11849 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11850 			    sizeof(rssi_adjust), &rssi_adjust))
11851 			return -ENOBUFS;
11852 	}
11853 
11854 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11855 	if (!freqs)
11856 		return -ENOBUFS;
11857 
11858 	for (i = 0; i < req->n_channels; i++) {
11859 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11860 			return -ENOBUFS;
11861 	}
11862 
11863 	nla_nest_end(msg, freqs);
11864 
11865 	if (req->n_match_sets) {
11866 		matches = nla_nest_start_noflag(msg,
11867 						NL80211_ATTR_SCHED_SCAN_MATCH);
11868 		if (!matches)
11869 			return -ENOBUFS;
11870 
11871 		for (i = 0; i < req->n_match_sets; i++) {
11872 			match = nla_nest_start_noflag(msg, i);
11873 			if (!match)
11874 				return -ENOBUFS;
11875 
11876 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11877 				    req->match_sets[i].ssid.ssid_len,
11878 				    req->match_sets[i].ssid.ssid))
11879 				return -ENOBUFS;
11880 			nla_nest_end(msg, match);
11881 		}
11882 		nla_nest_end(msg, matches);
11883 	}
11884 
11885 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11886 	if (!scan_plans)
11887 		return -ENOBUFS;
11888 
11889 	for (i = 0; i < req->n_scan_plans; i++) {
11890 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11891 		if (!scan_plan)
11892 			return -ENOBUFS;
11893 
11894 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11895 				req->scan_plans[i].interval) ||
11896 		    (req->scan_plans[i].iterations &&
11897 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11898 				 req->scan_plans[i].iterations)))
11899 			return -ENOBUFS;
11900 		nla_nest_end(msg, scan_plan);
11901 	}
11902 	nla_nest_end(msg, scan_plans);
11903 
11904 	nla_nest_end(msg, nd);
11905 
11906 	return 0;
11907 }
11908 
11909 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11910 {
11911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11912 	struct sk_buff *msg;
11913 	void *hdr;
11914 	u32 size = NLMSG_DEFAULT_SIZE;
11915 
11916 	if (!rdev->wiphy.wowlan)
11917 		return -EOPNOTSUPP;
11918 
11919 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11920 		/* adjust size to have room for all the data */
11921 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11922 			rdev->wiphy.wowlan_config->tcp->payload_len +
11923 			rdev->wiphy.wowlan_config->tcp->wake_len +
11924 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11925 	}
11926 
11927 	msg = nlmsg_new(size, GFP_KERNEL);
11928 	if (!msg)
11929 		return -ENOMEM;
11930 
11931 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11932 			     NL80211_CMD_GET_WOWLAN);
11933 	if (!hdr)
11934 		goto nla_put_failure;
11935 
11936 	if (rdev->wiphy.wowlan_config) {
11937 		struct nlattr *nl_wowlan;
11938 
11939 		nl_wowlan = nla_nest_start_noflag(msg,
11940 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11941 		if (!nl_wowlan)
11942 			goto nla_put_failure;
11943 
11944 		if ((rdev->wiphy.wowlan_config->any &&
11945 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11946 		    (rdev->wiphy.wowlan_config->disconnect &&
11947 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11948 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11949 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11950 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11951 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11952 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11953 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11954 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11955 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11956 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11957 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11958 			goto nla_put_failure;
11959 
11960 		if (nl80211_send_wowlan_patterns(msg, rdev))
11961 			goto nla_put_failure;
11962 
11963 		if (nl80211_send_wowlan_tcp(msg,
11964 					    rdev->wiphy.wowlan_config->tcp))
11965 			goto nla_put_failure;
11966 
11967 		if (nl80211_send_wowlan_nd(
11968 			    msg,
11969 			    rdev->wiphy.wowlan_config->nd_config))
11970 			goto nla_put_failure;
11971 
11972 		nla_nest_end(msg, nl_wowlan);
11973 	}
11974 
11975 	genlmsg_end(msg, hdr);
11976 	return genlmsg_reply(msg, info);
11977 
11978 nla_put_failure:
11979 	nlmsg_free(msg);
11980 	return -ENOBUFS;
11981 }
11982 
11983 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11984 				    struct nlattr *attr,
11985 				    struct cfg80211_wowlan *trig)
11986 {
11987 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11988 	struct cfg80211_wowlan_tcp *cfg;
11989 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11990 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11991 	u32 size;
11992 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11993 	int err, port;
11994 
11995 	if (!rdev->wiphy.wowlan->tcp)
11996 		return -EINVAL;
11997 
11998 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11999 					  nl80211_wowlan_tcp_policy, NULL);
12000 	if (err)
12001 		return err;
12002 
12003 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12004 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12005 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12006 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12007 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12008 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12009 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12010 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12011 		return -EINVAL;
12012 
12013 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12014 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12015 		return -EINVAL;
12016 
12017 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12018 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12019 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12020 		return -EINVAL;
12021 
12022 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12023 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12024 		return -EINVAL;
12025 
12026 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12027 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12028 		return -EINVAL;
12029 
12030 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12031 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12032 
12033 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12034 		tokens_size = tokln - sizeof(*tok);
12035 
12036 		if (!tok->len || tokens_size % tok->len)
12037 			return -EINVAL;
12038 		if (!rdev->wiphy.wowlan->tcp->tok)
12039 			return -EINVAL;
12040 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12041 			return -EINVAL;
12042 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12043 			return -EINVAL;
12044 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12045 			return -EINVAL;
12046 		if (tok->offset + tok->len > data_size)
12047 			return -EINVAL;
12048 	}
12049 
12050 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12051 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12052 		if (!rdev->wiphy.wowlan->tcp->seq)
12053 			return -EINVAL;
12054 		if (seq->len == 0 || seq->len > 4)
12055 			return -EINVAL;
12056 		if (seq->len + seq->offset > data_size)
12057 			return -EINVAL;
12058 	}
12059 
12060 	size = sizeof(*cfg);
12061 	size += data_size;
12062 	size += wake_size + wake_mask_size;
12063 	size += tokens_size;
12064 
12065 	cfg = kzalloc(size, GFP_KERNEL);
12066 	if (!cfg)
12067 		return -ENOMEM;
12068 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12069 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12070 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12071 	       ETH_ALEN);
12072 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12073 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12074 	else
12075 		port = 0;
12076 #ifdef CONFIG_INET
12077 	/* allocate a socket and port for it and use it */
12078 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12079 			    IPPROTO_TCP, &cfg->sock, 1);
12080 	if (err) {
12081 		kfree(cfg);
12082 		return err;
12083 	}
12084 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12085 		sock_release(cfg->sock);
12086 		kfree(cfg);
12087 		return -EADDRINUSE;
12088 	}
12089 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12090 #else
12091 	if (!port) {
12092 		kfree(cfg);
12093 		return -EINVAL;
12094 	}
12095 	cfg->src_port = port;
12096 #endif
12097 
12098 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12099 	cfg->payload_len = data_size;
12100 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12101 	memcpy((void *)cfg->payload,
12102 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12103 	       data_size);
12104 	if (seq)
12105 		cfg->payload_seq = *seq;
12106 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12107 	cfg->wake_len = wake_size;
12108 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12109 	memcpy((void *)cfg->wake_data,
12110 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12111 	       wake_size);
12112 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12113 			 data_size + wake_size;
12114 	memcpy((void *)cfg->wake_mask,
12115 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12116 	       wake_mask_size);
12117 	if (tok) {
12118 		cfg->tokens_size = tokens_size;
12119 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12120 	}
12121 
12122 	trig->tcp = cfg;
12123 
12124 	return 0;
12125 }
12126 
12127 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12128 				   const struct wiphy_wowlan_support *wowlan,
12129 				   struct nlattr *attr,
12130 				   struct cfg80211_wowlan *trig)
12131 {
12132 	struct nlattr **tb;
12133 	int err;
12134 
12135 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12136 	if (!tb)
12137 		return -ENOMEM;
12138 
12139 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12140 		err = -EOPNOTSUPP;
12141 		goto out;
12142 	}
12143 
12144 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12145 					  nl80211_policy, NULL);
12146 	if (err)
12147 		goto out;
12148 
12149 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12150 						   wowlan->max_nd_match_sets);
12151 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12152 	if (err)
12153 		trig->nd_config = NULL;
12154 
12155 out:
12156 	kfree(tb);
12157 	return err;
12158 }
12159 
12160 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12161 {
12162 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12163 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12164 	struct cfg80211_wowlan new_triggers = {};
12165 	struct cfg80211_wowlan *ntrig;
12166 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12167 	int err, i;
12168 	bool prev_enabled = rdev->wiphy.wowlan_config;
12169 	bool regular = false;
12170 
12171 	if (!wowlan)
12172 		return -EOPNOTSUPP;
12173 
12174 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12175 		cfg80211_rdev_free_wowlan(rdev);
12176 		rdev->wiphy.wowlan_config = NULL;
12177 		goto set_wakeup;
12178 	}
12179 
12180 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12181 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12182 					  nl80211_wowlan_policy, info->extack);
12183 	if (err)
12184 		return err;
12185 
12186 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12187 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12188 			return -EINVAL;
12189 		new_triggers.any = true;
12190 	}
12191 
12192 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12193 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12194 			return -EINVAL;
12195 		new_triggers.disconnect = true;
12196 		regular = true;
12197 	}
12198 
12199 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12200 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12201 			return -EINVAL;
12202 		new_triggers.magic_pkt = true;
12203 		regular = true;
12204 	}
12205 
12206 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12207 		return -EINVAL;
12208 
12209 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12210 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12211 			return -EINVAL;
12212 		new_triggers.gtk_rekey_failure = true;
12213 		regular = true;
12214 	}
12215 
12216 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12217 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12218 			return -EINVAL;
12219 		new_triggers.eap_identity_req = true;
12220 		regular = true;
12221 	}
12222 
12223 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12224 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12225 			return -EINVAL;
12226 		new_triggers.four_way_handshake = true;
12227 		regular = true;
12228 	}
12229 
12230 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12231 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12232 			return -EINVAL;
12233 		new_triggers.rfkill_release = true;
12234 		regular = true;
12235 	}
12236 
12237 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12238 		struct nlattr *pat;
12239 		int n_patterns = 0;
12240 		int rem, pat_len, mask_len, pkt_offset;
12241 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12242 
12243 		regular = true;
12244 
12245 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12246 				    rem)
12247 			n_patterns++;
12248 		if (n_patterns > wowlan->n_patterns)
12249 			return -EINVAL;
12250 
12251 		new_triggers.patterns = kcalloc(n_patterns,
12252 						sizeof(new_triggers.patterns[0]),
12253 						GFP_KERNEL);
12254 		if (!new_triggers.patterns)
12255 			return -ENOMEM;
12256 
12257 		new_triggers.n_patterns = n_patterns;
12258 		i = 0;
12259 
12260 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12261 				    rem) {
12262 			u8 *mask_pat;
12263 
12264 			err = nla_parse_nested_deprecated(pat_tb,
12265 							  MAX_NL80211_PKTPAT,
12266 							  pat,
12267 							  nl80211_packet_pattern_policy,
12268 							  info->extack);
12269 			if (err)
12270 				goto error;
12271 
12272 			err = -EINVAL;
12273 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12274 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12275 				goto error;
12276 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12277 			mask_len = DIV_ROUND_UP(pat_len, 8);
12278 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12279 				goto error;
12280 			if (pat_len > wowlan->pattern_max_len ||
12281 			    pat_len < wowlan->pattern_min_len)
12282 				goto error;
12283 
12284 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12285 				pkt_offset = 0;
12286 			else
12287 				pkt_offset = nla_get_u32(
12288 					pat_tb[NL80211_PKTPAT_OFFSET]);
12289 			if (pkt_offset > wowlan->max_pkt_offset)
12290 				goto error;
12291 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12292 
12293 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12294 			if (!mask_pat) {
12295 				err = -ENOMEM;
12296 				goto error;
12297 			}
12298 			new_triggers.patterns[i].mask = mask_pat;
12299 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12300 			       mask_len);
12301 			mask_pat += mask_len;
12302 			new_triggers.patterns[i].pattern = mask_pat;
12303 			new_triggers.patterns[i].pattern_len = pat_len;
12304 			memcpy(mask_pat,
12305 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12306 			       pat_len);
12307 			i++;
12308 		}
12309 	}
12310 
12311 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12312 		regular = true;
12313 		err = nl80211_parse_wowlan_tcp(
12314 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12315 			&new_triggers);
12316 		if (err)
12317 			goto error;
12318 	}
12319 
12320 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12321 		regular = true;
12322 		err = nl80211_parse_wowlan_nd(
12323 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12324 			&new_triggers);
12325 		if (err)
12326 			goto error;
12327 	}
12328 
12329 	/* The 'any' trigger means the device continues operating more or less
12330 	 * as in its normal operation mode and wakes up the host on most of the
12331 	 * normal interrupts (like packet RX, ...)
12332 	 * It therefore makes little sense to combine with the more constrained
12333 	 * wakeup trigger modes.
12334 	 */
12335 	if (new_triggers.any && regular) {
12336 		err = -EINVAL;
12337 		goto error;
12338 	}
12339 
12340 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12341 	if (!ntrig) {
12342 		err = -ENOMEM;
12343 		goto error;
12344 	}
12345 	cfg80211_rdev_free_wowlan(rdev);
12346 	rdev->wiphy.wowlan_config = ntrig;
12347 
12348  set_wakeup:
12349 	if (rdev->ops->set_wakeup &&
12350 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12351 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12352 
12353 	return 0;
12354  error:
12355 	for (i = 0; i < new_triggers.n_patterns; i++)
12356 		kfree(new_triggers.patterns[i].mask);
12357 	kfree(new_triggers.patterns);
12358 	if (new_triggers.tcp && new_triggers.tcp->sock)
12359 		sock_release(new_triggers.tcp->sock);
12360 	kfree(new_triggers.tcp);
12361 	kfree(new_triggers.nd_config);
12362 	return err;
12363 }
12364 #endif
12365 
12366 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12367 				       struct cfg80211_registered_device *rdev)
12368 {
12369 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12370 	int i, j, pat_len;
12371 	struct cfg80211_coalesce_rules *rule;
12372 
12373 	if (!rdev->coalesce->n_rules)
12374 		return 0;
12375 
12376 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12377 	if (!nl_rules)
12378 		return -ENOBUFS;
12379 
12380 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12381 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12382 		if (!nl_rule)
12383 			return -ENOBUFS;
12384 
12385 		rule = &rdev->coalesce->rules[i];
12386 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12387 				rule->delay))
12388 			return -ENOBUFS;
12389 
12390 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12391 				rule->condition))
12392 			return -ENOBUFS;
12393 
12394 		nl_pats = nla_nest_start_noflag(msg,
12395 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12396 		if (!nl_pats)
12397 			return -ENOBUFS;
12398 
12399 		for (j = 0; j < rule->n_patterns; j++) {
12400 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12401 			if (!nl_pat)
12402 				return -ENOBUFS;
12403 			pat_len = rule->patterns[j].pattern_len;
12404 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12405 				    DIV_ROUND_UP(pat_len, 8),
12406 				    rule->patterns[j].mask) ||
12407 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12408 				    rule->patterns[j].pattern) ||
12409 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12410 					rule->patterns[j].pkt_offset))
12411 				return -ENOBUFS;
12412 			nla_nest_end(msg, nl_pat);
12413 		}
12414 		nla_nest_end(msg, nl_pats);
12415 		nla_nest_end(msg, nl_rule);
12416 	}
12417 	nla_nest_end(msg, nl_rules);
12418 
12419 	return 0;
12420 }
12421 
12422 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12423 {
12424 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12425 	struct sk_buff *msg;
12426 	void *hdr;
12427 
12428 	if (!rdev->wiphy.coalesce)
12429 		return -EOPNOTSUPP;
12430 
12431 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12432 	if (!msg)
12433 		return -ENOMEM;
12434 
12435 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12436 			     NL80211_CMD_GET_COALESCE);
12437 	if (!hdr)
12438 		goto nla_put_failure;
12439 
12440 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12441 		goto nla_put_failure;
12442 
12443 	genlmsg_end(msg, hdr);
12444 	return genlmsg_reply(msg, info);
12445 
12446 nla_put_failure:
12447 	nlmsg_free(msg);
12448 	return -ENOBUFS;
12449 }
12450 
12451 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12452 {
12453 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12454 	int i, j;
12455 	struct cfg80211_coalesce_rules *rule;
12456 
12457 	if (!coalesce)
12458 		return;
12459 
12460 	for (i = 0; i < coalesce->n_rules; i++) {
12461 		rule = &coalesce->rules[i];
12462 		for (j = 0; j < rule->n_patterns; j++)
12463 			kfree(rule->patterns[j].mask);
12464 		kfree(rule->patterns);
12465 	}
12466 	kfree(coalesce->rules);
12467 	kfree(coalesce);
12468 	rdev->coalesce = NULL;
12469 }
12470 
12471 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12472 				       struct nlattr *rule,
12473 				       struct cfg80211_coalesce_rules *new_rule)
12474 {
12475 	int err, i;
12476 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12477 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12478 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12479 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12480 
12481 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12482 					  rule, nl80211_coalesce_policy, NULL);
12483 	if (err)
12484 		return err;
12485 
12486 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12487 		new_rule->delay =
12488 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12489 	if (new_rule->delay > coalesce->max_delay)
12490 		return -EINVAL;
12491 
12492 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12493 		new_rule->condition =
12494 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12495 
12496 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12497 		return -EINVAL;
12498 
12499 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12500 			    rem)
12501 		n_patterns++;
12502 	if (n_patterns > coalesce->n_patterns)
12503 		return -EINVAL;
12504 
12505 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12506 				     GFP_KERNEL);
12507 	if (!new_rule->patterns)
12508 		return -ENOMEM;
12509 
12510 	new_rule->n_patterns = n_patterns;
12511 	i = 0;
12512 
12513 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12514 			    rem) {
12515 		u8 *mask_pat;
12516 
12517 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12518 						  pat,
12519 						  nl80211_packet_pattern_policy,
12520 						  NULL);
12521 		if (err)
12522 			return err;
12523 
12524 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12525 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12526 			return -EINVAL;
12527 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12528 		mask_len = DIV_ROUND_UP(pat_len, 8);
12529 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12530 			return -EINVAL;
12531 		if (pat_len > coalesce->pattern_max_len ||
12532 		    pat_len < coalesce->pattern_min_len)
12533 			return -EINVAL;
12534 
12535 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12536 			pkt_offset = 0;
12537 		else
12538 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12539 		if (pkt_offset > coalesce->max_pkt_offset)
12540 			return -EINVAL;
12541 		new_rule->patterns[i].pkt_offset = pkt_offset;
12542 
12543 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12544 		if (!mask_pat)
12545 			return -ENOMEM;
12546 
12547 		new_rule->patterns[i].mask = mask_pat;
12548 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12549 		       mask_len);
12550 
12551 		mask_pat += mask_len;
12552 		new_rule->patterns[i].pattern = mask_pat;
12553 		new_rule->patterns[i].pattern_len = pat_len;
12554 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12555 		       pat_len);
12556 		i++;
12557 	}
12558 
12559 	return 0;
12560 }
12561 
12562 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12563 {
12564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12565 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12566 	struct cfg80211_coalesce new_coalesce = {};
12567 	struct cfg80211_coalesce *n_coalesce;
12568 	int err, rem_rule, n_rules = 0, i, j;
12569 	struct nlattr *rule;
12570 	struct cfg80211_coalesce_rules *tmp_rule;
12571 
12572 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12573 		return -EOPNOTSUPP;
12574 
12575 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12576 		cfg80211_rdev_free_coalesce(rdev);
12577 		rdev_set_coalesce(rdev, NULL);
12578 		return 0;
12579 	}
12580 
12581 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12582 			    rem_rule)
12583 		n_rules++;
12584 	if (n_rules > coalesce->n_rules)
12585 		return -EINVAL;
12586 
12587 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12588 				     GFP_KERNEL);
12589 	if (!new_coalesce.rules)
12590 		return -ENOMEM;
12591 
12592 	new_coalesce.n_rules = n_rules;
12593 	i = 0;
12594 
12595 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12596 			    rem_rule) {
12597 		err = nl80211_parse_coalesce_rule(rdev, rule,
12598 						  &new_coalesce.rules[i]);
12599 		if (err)
12600 			goto error;
12601 
12602 		i++;
12603 	}
12604 
12605 	err = rdev_set_coalesce(rdev, &new_coalesce);
12606 	if (err)
12607 		goto error;
12608 
12609 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12610 	if (!n_coalesce) {
12611 		err = -ENOMEM;
12612 		goto error;
12613 	}
12614 	cfg80211_rdev_free_coalesce(rdev);
12615 	rdev->coalesce = n_coalesce;
12616 
12617 	return 0;
12618 error:
12619 	for (i = 0; i < new_coalesce.n_rules; i++) {
12620 		tmp_rule = &new_coalesce.rules[i];
12621 		for (j = 0; j < tmp_rule->n_patterns; j++)
12622 			kfree(tmp_rule->patterns[j].mask);
12623 		kfree(tmp_rule->patterns);
12624 	}
12625 	kfree(new_coalesce.rules);
12626 
12627 	return err;
12628 }
12629 
12630 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12631 {
12632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12633 	struct net_device *dev = info->user_ptr[1];
12634 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12635 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12636 	struct cfg80211_gtk_rekey_data rekey_data;
12637 	int err;
12638 
12639 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12640 		return -EINVAL;
12641 
12642 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12643 					  info->attrs[NL80211_ATTR_REKEY_DATA],
12644 					  nl80211_rekey_policy, info->extack);
12645 	if (err)
12646 		return err;
12647 
12648 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12649 	    !tb[NL80211_REKEY_DATA_KCK])
12650 		return -EINVAL;
12651 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
12652 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12653 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
12654 		return -ERANGE;
12655 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
12656 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12657 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
12658 		return -ERANGE;
12659 
12660 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12661 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12662 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12663 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
12664 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
12665 	if (tb[NL80211_REKEY_DATA_AKM])
12666 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
12667 
12668 	wdev_lock(wdev);
12669 	if (!wdev->current_bss) {
12670 		err = -ENOTCONN;
12671 		goto out;
12672 	}
12673 
12674 	if (!rdev->ops->set_rekey_data) {
12675 		err = -EOPNOTSUPP;
12676 		goto out;
12677 	}
12678 
12679 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12680  out:
12681 	wdev_unlock(wdev);
12682 	return err;
12683 }
12684 
12685 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12686 					     struct genl_info *info)
12687 {
12688 	struct net_device *dev = info->user_ptr[1];
12689 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12690 
12691 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12692 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12693 		return -EINVAL;
12694 
12695 	if (wdev->ap_unexpected_nlportid)
12696 		return -EBUSY;
12697 
12698 	wdev->ap_unexpected_nlportid = info->snd_portid;
12699 	return 0;
12700 }
12701 
12702 static int nl80211_probe_client(struct sk_buff *skb,
12703 				struct genl_info *info)
12704 {
12705 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12706 	struct net_device *dev = info->user_ptr[1];
12707 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12708 	struct sk_buff *msg;
12709 	void *hdr;
12710 	const u8 *addr;
12711 	u64 cookie;
12712 	int err;
12713 
12714 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12715 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12716 		return -EOPNOTSUPP;
12717 
12718 	if (!info->attrs[NL80211_ATTR_MAC])
12719 		return -EINVAL;
12720 
12721 	if (!rdev->ops->probe_client)
12722 		return -EOPNOTSUPP;
12723 
12724 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12725 	if (!msg)
12726 		return -ENOMEM;
12727 
12728 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12729 			     NL80211_CMD_PROBE_CLIENT);
12730 	if (!hdr) {
12731 		err = -ENOBUFS;
12732 		goto free_msg;
12733 	}
12734 
12735 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12736 
12737 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12738 	if (err)
12739 		goto free_msg;
12740 
12741 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12742 			      NL80211_ATTR_PAD))
12743 		goto nla_put_failure;
12744 
12745 	genlmsg_end(msg, hdr);
12746 
12747 	return genlmsg_reply(msg, info);
12748 
12749  nla_put_failure:
12750 	err = -ENOBUFS;
12751  free_msg:
12752 	nlmsg_free(msg);
12753 	return err;
12754 }
12755 
12756 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12757 {
12758 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12759 	struct cfg80211_beacon_registration *reg, *nreg;
12760 	int rv;
12761 
12762 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12763 		return -EOPNOTSUPP;
12764 
12765 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12766 	if (!nreg)
12767 		return -ENOMEM;
12768 
12769 	/* First, check if already registered. */
12770 	spin_lock_bh(&rdev->beacon_registrations_lock);
12771 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12772 		if (reg->nlportid == info->snd_portid) {
12773 			rv = -EALREADY;
12774 			goto out_err;
12775 		}
12776 	}
12777 	/* Add it to the list */
12778 	nreg->nlportid = info->snd_portid;
12779 	list_add(&nreg->list, &rdev->beacon_registrations);
12780 
12781 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12782 
12783 	return 0;
12784 out_err:
12785 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12786 	kfree(nreg);
12787 	return rv;
12788 }
12789 
12790 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12791 {
12792 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12793 	struct wireless_dev *wdev = info->user_ptr[1];
12794 	int err;
12795 
12796 	if (!rdev->ops->start_p2p_device)
12797 		return -EOPNOTSUPP;
12798 
12799 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12800 		return -EOPNOTSUPP;
12801 
12802 	if (wdev_running(wdev))
12803 		return 0;
12804 
12805 	if (rfkill_blocked(rdev->rfkill))
12806 		return -ERFKILL;
12807 
12808 	err = rdev_start_p2p_device(rdev, wdev);
12809 	if (err)
12810 		return err;
12811 
12812 	wdev->is_running = true;
12813 	rdev->opencount++;
12814 
12815 	return 0;
12816 }
12817 
12818 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12819 {
12820 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12821 	struct wireless_dev *wdev = info->user_ptr[1];
12822 
12823 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12824 		return -EOPNOTSUPP;
12825 
12826 	if (!rdev->ops->stop_p2p_device)
12827 		return -EOPNOTSUPP;
12828 
12829 	cfg80211_stop_p2p_device(rdev, wdev);
12830 
12831 	return 0;
12832 }
12833 
12834 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12835 {
12836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12837 	struct wireless_dev *wdev = info->user_ptr[1];
12838 	struct cfg80211_nan_conf conf = {};
12839 	int err;
12840 
12841 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12842 		return -EOPNOTSUPP;
12843 
12844 	if (wdev_running(wdev))
12845 		return -EEXIST;
12846 
12847 	if (rfkill_blocked(rdev->rfkill))
12848 		return -ERFKILL;
12849 
12850 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12851 		return -EINVAL;
12852 
12853 	conf.master_pref =
12854 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12855 
12856 	if (info->attrs[NL80211_ATTR_BANDS]) {
12857 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12858 
12859 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12860 			return -EOPNOTSUPP;
12861 
12862 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12863 			return -EINVAL;
12864 
12865 		conf.bands = bands;
12866 	}
12867 
12868 	err = rdev_start_nan(rdev, wdev, &conf);
12869 	if (err)
12870 		return err;
12871 
12872 	wdev->is_running = true;
12873 	rdev->opencount++;
12874 
12875 	return 0;
12876 }
12877 
12878 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12879 {
12880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12881 	struct wireless_dev *wdev = info->user_ptr[1];
12882 
12883 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12884 		return -EOPNOTSUPP;
12885 
12886 	cfg80211_stop_nan(rdev, wdev);
12887 
12888 	return 0;
12889 }
12890 
12891 static int validate_nan_filter(struct nlattr *filter_attr)
12892 {
12893 	struct nlattr *attr;
12894 	int len = 0, n_entries = 0, rem;
12895 
12896 	nla_for_each_nested(attr, filter_attr, rem) {
12897 		len += nla_len(attr);
12898 		n_entries++;
12899 	}
12900 
12901 	if (len >= U8_MAX)
12902 		return -EINVAL;
12903 
12904 	return n_entries;
12905 }
12906 
12907 static int handle_nan_filter(struct nlattr *attr_filter,
12908 			     struct cfg80211_nan_func *func,
12909 			     bool tx)
12910 {
12911 	struct nlattr *attr;
12912 	int n_entries, rem, i;
12913 	struct cfg80211_nan_func_filter *filter;
12914 
12915 	n_entries = validate_nan_filter(attr_filter);
12916 	if (n_entries < 0)
12917 		return n_entries;
12918 
12919 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12920 
12921 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12922 	if (!filter)
12923 		return -ENOMEM;
12924 
12925 	i = 0;
12926 	nla_for_each_nested(attr, attr_filter, rem) {
12927 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12928 		filter[i].len = nla_len(attr);
12929 		i++;
12930 	}
12931 	if (tx) {
12932 		func->num_tx_filters = n_entries;
12933 		func->tx_filters = filter;
12934 	} else {
12935 		func->num_rx_filters = n_entries;
12936 		func->rx_filters = filter;
12937 	}
12938 
12939 	return 0;
12940 }
12941 
12942 static int nl80211_nan_add_func(struct sk_buff *skb,
12943 				struct genl_info *info)
12944 {
12945 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12946 	struct wireless_dev *wdev = info->user_ptr[1];
12947 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12948 	struct cfg80211_nan_func *func;
12949 	struct sk_buff *msg = NULL;
12950 	void *hdr = NULL;
12951 	int err = 0;
12952 
12953 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12954 		return -EOPNOTSUPP;
12955 
12956 	if (!wdev_running(wdev))
12957 		return -ENOTCONN;
12958 
12959 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12960 		return -EINVAL;
12961 
12962 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12963 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12964 					  nl80211_nan_func_policy,
12965 					  info->extack);
12966 	if (err)
12967 		return err;
12968 
12969 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12970 	if (!func)
12971 		return -ENOMEM;
12972 
12973 	func->cookie = cfg80211_assign_cookie(rdev);
12974 
12975 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
12976 		err = -EINVAL;
12977 		goto out;
12978 	}
12979 
12980 
12981 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12982 
12983 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12984 		err = -EINVAL;
12985 		goto out;
12986 	}
12987 
12988 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12989 	       sizeof(func->service_id));
12990 
12991 	func->close_range =
12992 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12993 
12994 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12995 		func->serv_spec_info_len =
12996 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12997 		func->serv_spec_info =
12998 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12999 				func->serv_spec_info_len,
13000 				GFP_KERNEL);
13001 		if (!func->serv_spec_info) {
13002 			err = -ENOMEM;
13003 			goto out;
13004 		}
13005 	}
13006 
13007 	if (tb[NL80211_NAN_FUNC_TTL])
13008 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13009 
13010 	switch (func->type) {
13011 	case NL80211_NAN_FUNC_PUBLISH:
13012 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13013 			err = -EINVAL;
13014 			goto out;
13015 		}
13016 
13017 		func->publish_type =
13018 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13019 		func->publish_bcast =
13020 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13021 
13022 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13023 			func->publish_bcast) {
13024 			err = -EINVAL;
13025 			goto out;
13026 		}
13027 		break;
13028 	case NL80211_NAN_FUNC_SUBSCRIBE:
13029 		func->subscribe_active =
13030 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13031 		break;
13032 	case NL80211_NAN_FUNC_FOLLOW_UP:
13033 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13034 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13035 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13036 			err = -EINVAL;
13037 			goto out;
13038 		}
13039 
13040 		func->followup_id =
13041 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13042 		func->followup_reqid =
13043 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13044 		memcpy(func->followup_dest.addr,
13045 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13046 		       sizeof(func->followup_dest.addr));
13047 		if (func->ttl) {
13048 			err = -EINVAL;
13049 			goto out;
13050 		}
13051 		break;
13052 	default:
13053 		err = -EINVAL;
13054 		goto out;
13055 	}
13056 
13057 	if (tb[NL80211_NAN_FUNC_SRF]) {
13058 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13059 
13060 		err = nla_parse_nested_deprecated(srf_tb,
13061 						  NL80211_NAN_SRF_ATTR_MAX,
13062 						  tb[NL80211_NAN_FUNC_SRF],
13063 						  nl80211_nan_srf_policy,
13064 						  info->extack);
13065 		if (err)
13066 			goto out;
13067 
13068 		func->srf_include =
13069 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13070 
13071 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13072 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13073 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13074 				err = -EINVAL;
13075 				goto out;
13076 			}
13077 
13078 			func->srf_bf_len =
13079 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13080 			func->srf_bf =
13081 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13082 					func->srf_bf_len, GFP_KERNEL);
13083 			if (!func->srf_bf) {
13084 				err = -ENOMEM;
13085 				goto out;
13086 			}
13087 
13088 			func->srf_bf_idx =
13089 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13090 		} else {
13091 			struct nlattr *attr, *mac_attr =
13092 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13093 			int n_entries, rem, i = 0;
13094 
13095 			if (!mac_attr) {
13096 				err = -EINVAL;
13097 				goto out;
13098 			}
13099 
13100 			n_entries = validate_acl_mac_addrs(mac_attr);
13101 			if (n_entries <= 0) {
13102 				err = -EINVAL;
13103 				goto out;
13104 			}
13105 
13106 			func->srf_num_macs = n_entries;
13107 			func->srf_macs =
13108 				kcalloc(n_entries, sizeof(*func->srf_macs),
13109 					GFP_KERNEL);
13110 			if (!func->srf_macs) {
13111 				err = -ENOMEM;
13112 				goto out;
13113 			}
13114 
13115 			nla_for_each_nested(attr, mac_attr, rem)
13116 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13117 				       sizeof(*func->srf_macs));
13118 		}
13119 	}
13120 
13121 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13122 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13123 					func, true);
13124 		if (err)
13125 			goto out;
13126 	}
13127 
13128 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13129 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13130 					func, false);
13131 		if (err)
13132 			goto out;
13133 	}
13134 
13135 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13136 	if (!msg) {
13137 		err = -ENOMEM;
13138 		goto out;
13139 	}
13140 
13141 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13142 			     NL80211_CMD_ADD_NAN_FUNCTION);
13143 	/* This can't really happen - we just allocated 4KB */
13144 	if (WARN_ON(!hdr)) {
13145 		err = -ENOMEM;
13146 		goto out;
13147 	}
13148 
13149 	err = rdev_add_nan_func(rdev, wdev, func);
13150 out:
13151 	if (err < 0) {
13152 		cfg80211_free_nan_func(func);
13153 		nlmsg_free(msg);
13154 		return err;
13155 	}
13156 
13157 	/* propagate the instance id and cookie to userspace  */
13158 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13159 			      NL80211_ATTR_PAD))
13160 		goto nla_put_failure;
13161 
13162 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13163 	if (!func_attr)
13164 		goto nla_put_failure;
13165 
13166 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13167 		       func->instance_id))
13168 		goto nla_put_failure;
13169 
13170 	nla_nest_end(msg, func_attr);
13171 
13172 	genlmsg_end(msg, hdr);
13173 	return genlmsg_reply(msg, info);
13174 
13175 nla_put_failure:
13176 	nlmsg_free(msg);
13177 	return -ENOBUFS;
13178 }
13179 
13180 static int nl80211_nan_del_func(struct sk_buff *skb,
13181 			       struct genl_info *info)
13182 {
13183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13184 	struct wireless_dev *wdev = info->user_ptr[1];
13185 	u64 cookie;
13186 
13187 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13188 		return -EOPNOTSUPP;
13189 
13190 	if (!wdev_running(wdev))
13191 		return -ENOTCONN;
13192 
13193 	if (!info->attrs[NL80211_ATTR_COOKIE])
13194 		return -EINVAL;
13195 
13196 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13197 
13198 	rdev_del_nan_func(rdev, wdev, cookie);
13199 
13200 	return 0;
13201 }
13202 
13203 static int nl80211_nan_change_config(struct sk_buff *skb,
13204 				     struct genl_info *info)
13205 {
13206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13207 	struct wireless_dev *wdev = info->user_ptr[1];
13208 	struct cfg80211_nan_conf conf = {};
13209 	u32 changed = 0;
13210 
13211 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13212 		return -EOPNOTSUPP;
13213 
13214 	if (!wdev_running(wdev))
13215 		return -ENOTCONN;
13216 
13217 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13218 		conf.master_pref =
13219 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13220 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13221 			return -EINVAL;
13222 
13223 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13224 	}
13225 
13226 	if (info->attrs[NL80211_ATTR_BANDS]) {
13227 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13228 
13229 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13230 			return -EOPNOTSUPP;
13231 
13232 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13233 			return -EINVAL;
13234 
13235 		conf.bands = bands;
13236 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13237 	}
13238 
13239 	if (!changed)
13240 		return -EINVAL;
13241 
13242 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13243 }
13244 
13245 void cfg80211_nan_match(struct wireless_dev *wdev,
13246 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13247 {
13248 	struct wiphy *wiphy = wdev->wiphy;
13249 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13250 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13251 	struct sk_buff *msg;
13252 	void *hdr;
13253 
13254 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13255 		return;
13256 
13257 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13258 	if (!msg)
13259 		return;
13260 
13261 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13262 	if (!hdr) {
13263 		nlmsg_free(msg);
13264 		return;
13265 	}
13266 
13267 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13268 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13269 					 wdev->netdev->ifindex)) ||
13270 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13271 			      NL80211_ATTR_PAD))
13272 		goto nla_put_failure;
13273 
13274 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13275 			      NL80211_ATTR_PAD) ||
13276 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13277 		goto nla_put_failure;
13278 
13279 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13280 	if (!match_attr)
13281 		goto nla_put_failure;
13282 
13283 	local_func_attr = nla_nest_start_noflag(msg,
13284 						NL80211_NAN_MATCH_FUNC_LOCAL);
13285 	if (!local_func_attr)
13286 		goto nla_put_failure;
13287 
13288 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13289 		goto nla_put_failure;
13290 
13291 	nla_nest_end(msg, local_func_attr);
13292 
13293 	peer_func_attr = nla_nest_start_noflag(msg,
13294 					       NL80211_NAN_MATCH_FUNC_PEER);
13295 	if (!peer_func_attr)
13296 		goto nla_put_failure;
13297 
13298 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13299 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13300 		goto nla_put_failure;
13301 
13302 	if (match->info && match->info_len &&
13303 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13304 		    match->info))
13305 		goto nla_put_failure;
13306 
13307 	nla_nest_end(msg, peer_func_attr);
13308 	nla_nest_end(msg, match_attr);
13309 	genlmsg_end(msg, hdr);
13310 
13311 	if (!wdev->owner_nlportid)
13312 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13313 					msg, 0, NL80211_MCGRP_NAN, gfp);
13314 	else
13315 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13316 				wdev->owner_nlportid);
13317 
13318 	return;
13319 
13320 nla_put_failure:
13321 	nlmsg_free(msg);
13322 }
13323 EXPORT_SYMBOL(cfg80211_nan_match);
13324 
13325 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13326 				  u8 inst_id,
13327 				  enum nl80211_nan_func_term_reason reason,
13328 				  u64 cookie, gfp_t gfp)
13329 {
13330 	struct wiphy *wiphy = wdev->wiphy;
13331 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13332 	struct sk_buff *msg;
13333 	struct nlattr *func_attr;
13334 	void *hdr;
13335 
13336 	if (WARN_ON(!inst_id))
13337 		return;
13338 
13339 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13340 	if (!msg)
13341 		return;
13342 
13343 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13344 	if (!hdr) {
13345 		nlmsg_free(msg);
13346 		return;
13347 	}
13348 
13349 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13350 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13351 					 wdev->netdev->ifindex)) ||
13352 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13353 			      NL80211_ATTR_PAD))
13354 		goto nla_put_failure;
13355 
13356 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13357 			      NL80211_ATTR_PAD))
13358 		goto nla_put_failure;
13359 
13360 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13361 	if (!func_attr)
13362 		goto nla_put_failure;
13363 
13364 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13365 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13366 		goto nla_put_failure;
13367 
13368 	nla_nest_end(msg, func_attr);
13369 	genlmsg_end(msg, hdr);
13370 
13371 	if (!wdev->owner_nlportid)
13372 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13373 					msg, 0, NL80211_MCGRP_NAN, gfp);
13374 	else
13375 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13376 				wdev->owner_nlportid);
13377 
13378 	return;
13379 
13380 nla_put_failure:
13381 	nlmsg_free(msg);
13382 }
13383 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13384 
13385 static int nl80211_get_protocol_features(struct sk_buff *skb,
13386 					 struct genl_info *info)
13387 {
13388 	void *hdr;
13389 	struct sk_buff *msg;
13390 
13391 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13392 	if (!msg)
13393 		return -ENOMEM;
13394 
13395 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13396 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13397 	if (!hdr)
13398 		goto nla_put_failure;
13399 
13400 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13401 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13402 		goto nla_put_failure;
13403 
13404 	genlmsg_end(msg, hdr);
13405 	return genlmsg_reply(msg, info);
13406 
13407  nla_put_failure:
13408 	kfree_skb(msg);
13409 	return -ENOBUFS;
13410 }
13411 
13412 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13413 {
13414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13415 	struct cfg80211_update_ft_ies_params ft_params;
13416 	struct net_device *dev = info->user_ptr[1];
13417 
13418 	if (!rdev->ops->update_ft_ies)
13419 		return -EOPNOTSUPP;
13420 
13421 	if (!info->attrs[NL80211_ATTR_MDID] ||
13422 	    !info->attrs[NL80211_ATTR_IE])
13423 		return -EINVAL;
13424 
13425 	memset(&ft_params, 0, sizeof(ft_params));
13426 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13427 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13428 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13429 
13430 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13431 }
13432 
13433 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13434 				       struct genl_info *info)
13435 {
13436 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13437 	struct wireless_dev *wdev = info->user_ptr[1];
13438 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13439 	u16 duration;
13440 	int ret;
13441 
13442 	if (!rdev->ops->crit_proto_start)
13443 		return -EOPNOTSUPP;
13444 
13445 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13446 		return -EINVAL;
13447 
13448 	if (rdev->crit_proto_nlportid)
13449 		return -EBUSY;
13450 
13451 	/* determine protocol if provided */
13452 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13453 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13454 
13455 	if (proto >= NUM_NL80211_CRIT_PROTO)
13456 		return -EINVAL;
13457 
13458 	/* timeout must be provided */
13459 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13460 		return -EINVAL;
13461 
13462 	duration =
13463 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13464 
13465 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13466 	if (!ret)
13467 		rdev->crit_proto_nlportid = info->snd_portid;
13468 
13469 	return ret;
13470 }
13471 
13472 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13473 				      struct genl_info *info)
13474 {
13475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13476 	struct wireless_dev *wdev = info->user_ptr[1];
13477 
13478 	if (!rdev->ops->crit_proto_stop)
13479 		return -EOPNOTSUPP;
13480 
13481 	if (rdev->crit_proto_nlportid) {
13482 		rdev->crit_proto_nlportid = 0;
13483 		rdev_crit_proto_stop(rdev, wdev);
13484 	}
13485 	return 0;
13486 }
13487 
13488 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13489 				       struct nlattr *attr,
13490 				       struct netlink_ext_ack *extack)
13491 {
13492 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13493 		if (attr->nla_type & NLA_F_NESTED) {
13494 			NL_SET_ERR_MSG_ATTR(extack, attr,
13495 					    "unexpected nested data");
13496 			return -EINVAL;
13497 		}
13498 
13499 		return 0;
13500 	}
13501 
13502 	if (!(attr->nla_type & NLA_F_NESTED)) {
13503 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13504 		return -EINVAL;
13505 	}
13506 
13507 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13508 }
13509 
13510 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13511 {
13512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13513 	struct wireless_dev *wdev =
13514 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
13515 	int i, err;
13516 	u32 vid, subcmd;
13517 
13518 	if (!rdev->wiphy.vendor_commands)
13519 		return -EOPNOTSUPP;
13520 
13521 	if (IS_ERR(wdev)) {
13522 		err = PTR_ERR(wdev);
13523 		if (err != -EINVAL)
13524 			return err;
13525 		wdev = NULL;
13526 	} else if (wdev->wiphy != &rdev->wiphy) {
13527 		return -EINVAL;
13528 	}
13529 
13530 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13531 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13532 		return -EINVAL;
13533 
13534 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13535 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13536 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13537 		const struct wiphy_vendor_command *vcmd;
13538 		void *data = NULL;
13539 		int len = 0;
13540 
13541 		vcmd = &rdev->wiphy.vendor_commands[i];
13542 
13543 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13544 			continue;
13545 
13546 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13547 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13548 			if (!wdev)
13549 				return -EINVAL;
13550 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13551 			    !wdev->netdev)
13552 				return -EINVAL;
13553 
13554 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13555 				if (!wdev_running(wdev))
13556 					return -ENETDOWN;
13557 			}
13558 		} else {
13559 			wdev = NULL;
13560 		}
13561 
13562 		if (!vcmd->doit)
13563 			return -EOPNOTSUPP;
13564 
13565 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13566 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13567 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13568 
13569 			err = nl80211_vendor_check_policy(vcmd,
13570 					info->attrs[NL80211_ATTR_VENDOR_DATA],
13571 					info->extack);
13572 			if (err)
13573 				return err;
13574 		}
13575 
13576 		rdev->cur_cmd_info = info;
13577 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13578 		rdev->cur_cmd_info = NULL;
13579 		return err;
13580 	}
13581 
13582 	return -EOPNOTSUPP;
13583 }
13584 
13585 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13586 				       struct netlink_callback *cb,
13587 				       struct cfg80211_registered_device **rdev,
13588 				       struct wireless_dev **wdev)
13589 {
13590 	struct nlattr **attrbuf;
13591 	u32 vid, subcmd;
13592 	unsigned int i;
13593 	int vcmd_idx = -1;
13594 	int err;
13595 	void *data = NULL;
13596 	unsigned int data_len = 0;
13597 
13598 	if (cb->args[0]) {
13599 		/* subtract the 1 again here */
13600 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13601 		struct wireless_dev *tmp;
13602 
13603 		if (!wiphy)
13604 			return -ENODEV;
13605 		*rdev = wiphy_to_rdev(wiphy);
13606 		*wdev = NULL;
13607 
13608 		if (cb->args[1]) {
13609 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13610 				if (tmp->identifier == cb->args[1] - 1) {
13611 					*wdev = tmp;
13612 					break;
13613 				}
13614 			}
13615 		}
13616 
13617 		/* keep rtnl locked in successful case */
13618 		return 0;
13619 	}
13620 
13621 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13622 	if (!attrbuf)
13623 		return -ENOMEM;
13624 
13625 	err = nlmsg_parse_deprecated(cb->nlh,
13626 				     GENL_HDRLEN + nl80211_fam.hdrsize,
13627 				     attrbuf, nl80211_fam.maxattr,
13628 				     nl80211_policy, NULL);
13629 	if (err)
13630 		goto out;
13631 
13632 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13633 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13634 		err = -EINVAL;
13635 		goto out;
13636 	}
13637 
13638 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
13639 	if (IS_ERR(*wdev))
13640 		*wdev = NULL;
13641 
13642 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13643 	if (IS_ERR(*rdev)) {
13644 		err = PTR_ERR(*rdev);
13645 		goto out;
13646 	}
13647 
13648 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13649 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13650 
13651 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13652 		const struct wiphy_vendor_command *vcmd;
13653 
13654 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13655 
13656 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13657 			continue;
13658 
13659 		if (!vcmd->dumpit) {
13660 			err = -EOPNOTSUPP;
13661 			goto out;
13662 		}
13663 
13664 		vcmd_idx = i;
13665 		break;
13666 	}
13667 
13668 	if (vcmd_idx < 0) {
13669 		err = -EOPNOTSUPP;
13670 		goto out;
13671 	}
13672 
13673 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13674 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13675 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13676 
13677 		err = nl80211_vendor_check_policy(
13678 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13679 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13680 				cb->extack);
13681 		if (err)
13682 			goto out;
13683 	}
13684 
13685 	/* 0 is the first index - add 1 to parse only once */
13686 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13687 	/* add 1 to know if it was NULL */
13688 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13689 	cb->args[2] = vcmd_idx;
13690 	cb->args[3] = (unsigned long)data;
13691 	cb->args[4] = data_len;
13692 
13693 	/* keep rtnl locked in successful case */
13694 	err = 0;
13695 out:
13696 	kfree(attrbuf);
13697 	return err;
13698 }
13699 
13700 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13701 				   struct netlink_callback *cb)
13702 {
13703 	struct cfg80211_registered_device *rdev;
13704 	struct wireless_dev *wdev;
13705 	unsigned int vcmd_idx;
13706 	const struct wiphy_vendor_command *vcmd;
13707 	void *data;
13708 	int data_len;
13709 	int err;
13710 	struct nlattr *vendor_data;
13711 
13712 	rtnl_lock();
13713 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13714 	if (err)
13715 		goto out;
13716 
13717 	vcmd_idx = cb->args[2];
13718 	data = (void *)cb->args[3];
13719 	data_len = cb->args[4];
13720 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13721 
13722 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13723 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13724 		if (!wdev) {
13725 			err = -EINVAL;
13726 			goto out;
13727 		}
13728 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13729 		    !wdev->netdev) {
13730 			err = -EINVAL;
13731 			goto out;
13732 		}
13733 
13734 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13735 			if (!wdev_running(wdev)) {
13736 				err = -ENETDOWN;
13737 				goto out;
13738 			}
13739 		}
13740 	}
13741 
13742 	while (1) {
13743 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13744 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13745 					   NL80211_CMD_VENDOR);
13746 		if (!hdr)
13747 			break;
13748 
13749 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13750 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13751 					       wdev_id(wdev),
13752 					       NL80211_ATTR_PAD))) {
13753 			genlmsg_cancel(skb, hdr);
13754 			break;
13755 		}
13756 
13757 		vendor_data = nla_nest_start_noflag(skb,
13758 						    NL80211_ATTR_VENDOR_DATA);
13759 		if (!vendor_data) {
13760 			genlmsg_cancel(skb, hdr);
13761 			break;
13762 		}
13763 
13764 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13765 				   (unsigned long *)&cb->args[5]);
13766 		nla_nest_end(skb, vendor_data);
13767 
13768 		if (err == -ENOBUFS || err == -ENOENT) {
13769 			genlmsg_cancel(skb, hdr);
13770 			break;
13771 		} else if (err <= 0) {
13772 			genlmsg_cancel(skb, hdr);
13773 			goto out;
13774 		}
13775 
13776 		genlmsg_end(skb, hdr);
13777 	}
13778 
13779 	err = skb->len;
13780  out:
13781 	rtnl_unlock();
13782 	return err;
13783 }
13784 
13785 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13786 					   enum nl80211_commands cmd,
13787 					   enum nl80211_attrs attr,
13788 					   int approxlen)
13789 {
13790 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13791 
13792 	if (WARN_ON(!rdev->cur_cmd_info))
13793 		return NULL;
13794 
13795 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13796 					   rdev->cur_cmd_info->snd_portid,
13797 					   rdev->cur_cmd_info->snd_seq,
13798 					   cmd, attr, NULL, GFP_KERNEL);
13799 }
13800 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13801 
13802 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13803 {
13804 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13805 	void *hdr = ((void **)skb->cb)[1];
13806 	struct nlattr *data = ((void **)skb->cb)[2];
13807 
13808 	/* clear CB data for netlink core to own from now on */
13809 	memset(skb->cb, 0, sizeof(skb->cb));
13810 
13811 	if (WARN_ON(!rdev->cur_cmd_info)) {
13812 		kfree_skb(skb);
13813 		return -EINVAL;
13814 	}
13815 
13816 	nla_nest_end(skb, data);
13817 	genlmsg_end(skb, hdr);
13818 	return genlmsg_reply(skb, rdev->cur_cmd_info);
13819 }
13820 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13821 
13822 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13823 {
13824 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13825 
13826 	if (WARN_ON(!rdev->cur_cmd_info))
13827 		return 0;
13828 
13829 	return rdev->cur_cmd_info->snd_portid;
13830 }
13831 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13832 
13833 static int nl80211_set_qos_map(struct sk_buff *skb,
13834 			       struct genl_info *info)
13835 {
13836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13837 	struct cfg80211_qos_map *qos_map = NULL;
13838 	struct net_device *dev = info->user_ptr[1];
13839 	u8 *pos, len, num_des, des_len, des;
13840 	int ret;
13841 
13842 	if (!rdev->ops->set_qos_map)
13843 		return -EOPNOTSUPP;
13844 
13845 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13846 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13847 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13848 
13849 		if (len % 2)
13850 			return -EINVAL;
13851 
13852 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13853 		if (!qos_map)
13854 			return -ENOMEM;
13855 
13856 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13857 		if (num_des) {
13858 			des_len = num_des *
13859 				sizeof(struct cfg80211_dscp_exception);
13860 			memcpy(qos_map->dscp_exception, pos, des_len);
13861 			qos_map->num_des = num_des;
13862 			for (des = 0; des < num_des; des++) {
13863 				if (qos_map->dscp_exception[des].up > 7) {
13864 					kfree(qos_map);
13865 					return -EINVAL;
13866 				}
13867 			}
13868 			pos += des_len;
13869 		}
13870 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13871 	}
13872 
13873 	wdev_lock(dev->ieee80211_ptr);
13874 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13875 	if (!ret)
13876 		ret = rdev_set_qos_map(rdev, dev, qos_map);
13877 	wdev_unlock(dev->ieee80211_ptr);
13878 
13879 	kfree(qos_map);
13880 	return ret;
13881 }
13882 
13883 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13884 {
13885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13886 	struct net_device *dev = info->user_ptr[1];
13887 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13888 	const u8 *peer;
13889 	u8 tsid, up;
13890 	u16 admitted_time = 0;
13891 	int err;
13892 
13893 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13894 		return -EOPNOTSUPP;
13895 
13896 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13897 	    !info->attrs[NL80211_ATTR_USER_PRIO])
13898 		return -EINVAL;
13899 
13900 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13901 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13902 
13903 	/* WMM uses TIDs 0-7 even for TSPEC */
13904 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13905 		/* TODO: handle 802.11 TSPEC/admission control
13906 		 * need more attributes for that (e.g. BA session requirement);
13907 		 * change the WMM adminssion test above to allow both then
13908 		 */
13909 		return -EINVAL;
13910 	}
13911 
13912 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13913 
13914 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13915 		admitted_time =
13916 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13917 		if (!admitted_time)
13918 			return -EINVAL;
13919 	}
13920 
13921 	wdev_lock(wdev);
13922 	switch (wdev->iftype) {
13923 	case NL80211_IFTYPE_STATION:
13924 	case NL80211_IFTYPE_P2P_CLIENT:
13925 		if (wdev->current_bss)
13926 			break;
13927 		err = -ENOTCONN;
13928 		goto out;
13929 	default:
13930 		err = -EOPNOTSUPP;
13931 		goto out;
13932 	}
13933 
13934 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13935 
13936  out:
13937 	wdev_unlock(wdev);
13938 	return err;
13939 }
13940 
13941 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13942 {
13943 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13944 	struct net_device *dev = info->user_ptr[1];
13945 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13946 	const u8 *peer;
13947 	u8 tsid;
13948 	int err;
13949 
13950 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13951 		return -EINVAL;
13952 
13953 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13954 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13955 
13956 	wdev_lock(wdev);
13957 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13958 	wdev_unlock(wdev);
13959 
13960 	return err;
13961 }
13962 
13963 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13964 				       struct genl_info *info)
13965 {
13966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13967 	struct net_device *dev = info->user_ptr[1];
13968 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13969 	struct cfg80211_chan_def chandef = {};
13970 	const u8 *addr;
13971 	u8 oper_class;
13972 	int err;
13973 
13974 	if (!rdev->ops->tdls_channel_switch ||
13975 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13976 		return -EOPNOTSUPP;
13977 
13978 	switch (dev->ieee80211_ptr->iftype) {
13979 	case NL80211_IFTYPE_STATION:
13980 	case NL80211_IFTYPE_P2P_CLIENT:
13981 		break;
13982 	default:
13983 		return -EOPNOTSUPP;
13984 	}
13985 
13986 	if (!info->attrs[NL80211_ATTR_MAC] ||
13987 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13988 		return -EINVAL;
13989 
13990 	err = nl80211_parse_chandef(rdev, info, &chandef);
13991 	if (err)
13992 		return err;
13993 
13994 	/*
13995 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13996 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13997 	 * specification is not defined for them.
13998 	 */
13999 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14000 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14001 	    chandef.width != NL80211_CHAN_WIDTH_20)
14002 		return -EINVAL;
14003 
14004 	/* we will be active on the TDLS link */
14005 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14006 					   wdev->iftype))
14007 		return -EINVAL;
14008 
14009 	/* don't allow switching to DFS channels */
14010 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14011 		return -EINVAL;
14012 
14013 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14014 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14015 
14016 	wdev_lock(wdev);
14017 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14018 	wdev_unlock(wdev);
14019 
14020 	return err;
14021 }
14022 
14023 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14024 					      struct genl_info *info)
14025 {
14026 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14027 	struct net_device *dev = info->user_ptr[1];
14028 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14029 	const u8 *addr;
14030 
14031 	if (!rdev->ops->tdls_channel_switch ||
14032 	    !rdev->ops->tdls_cancel_channel_switch ||
14033 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14034 		return -EOPNOTSUPP;
14035 
14036 	switch (dev->ieee80211_ptr->iftype) {
14037 	case NL80211_IFTYPE_STATION:
14038 	case NL80211_IFTYPE_P2P_CLIENT:
14039 		break;
14040 	default:
14041 		return -EOPNOTSUPP;
14042 	}
14043 
14044 	if (!info->attrs[NL80211_ATTR_MAC])
14045 		return -EINVAL;
14046 
14047 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14048 
14049 	wdev_lock(wdev);
14050 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14051 	wdev_unlock(wdev);
14052 
14053 	return 0;
14054 }
14055 
14056 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14057 					    struct genl_info *info)
14058 {
14059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14060 	struct net_device *dev = info->user_ptr[1];
14061 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14062 	const struct nlattr *nla;
14063 	bool enabled;
14064 
14065 	if (!rdev->ops->set_multicast_to_unicast)
14066 		return -EOPNOTSUPP;
14067 
14068 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14069 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14070 		return -EOPNOTSUPP;
14071 
14072 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14073 	enabled = nla_get_flag(nla);
14074 
14075 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14076 }
14077 
14078 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14079 {
14080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14081 	struct net_device *dev = info->user_ptr[1];
14082 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14083 	struct cfg80211_pmk_conf pmk_conf = {};
14084 	int ret;
14085 
14086 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14087 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14088 		return -EOPNOTSUPP;
14089 
14090 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14091 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14092 		return -EOPNOTSUPP;
14093 
14094 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14095 		return -EINVAL;
14096 
14097 	wdev_lock(wdev);
14098 	if (!wdev->current_bss) {
14099 		ret = -ENOTCONN;
14100 		goto out;
14101 	}
14102 
14103 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14104 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14105 		ret = -EINVAL;
14106 		goto out;
14107 	}
14108 
14109 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14110 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14111 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14112 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14113 		ret = -EINVAL;
14114 		goto out;
14115 	}
14116 
14117 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14118 		pmk_conf.pmk_r0_name =
14119 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14120 
14121 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14122 out:
14123 	wdev_unlock(wdev);
14124 	return ret;
14125 }
14126 
14127 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14128 {
14129 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14130 	struct net_device *dev = info->user_ptr[1];
14131 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14132 	const u8 *aa;
14133 	int ret;
14134 
14135 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14136 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14137 		return -EOPNOTSUPP;
14138 
14139 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14140 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14141 		return -EOPNOTSUPP;
14142 
14143 	if (!info->attrs[NL80211_ATTR_MAC])
14144 		return -EINVAL;
14145 
14146 	wdev_lock(wdev);
14147 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14148 	ret = rdev_del_pmk(rdev, dev, aa);
14149 	wdev_unlock(wdev);
14150 
14151 	return ret;
14152 }
14153 
14154 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14155 {
14156 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14157 	struct net_device *dev = info->user_ptr[1];
14158 	struct cfg80211_external_auth_params params;
14159 
14160 	if (!rdev->ops->external_auth)
14161 		return -EOPNOTSUPP;
14162 
14163 	if (!info->attrs[NL80211_ATTR_SSID] &&
14164 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14165 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14166 		return -EINVAL;
14167 
14168 	if (!info->attrs[NL80211_ATTR_BSSID])
14169 		return -EINVAL;
14170 
14171 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14172 		return -EINVAL;
14173 
14174 	memset(&params, 0, sizeof(params));
14175 
14176 	if (info->attrs[NL80211_ATTR_SSID]) {
14177 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14178 		if (params.ssid.ssid_len == 0)
14179 			return -EINVAL;
14180 		memcpy(params.ssid.ssid,
14181 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14182 		       params.ssid.ssid_len);
14183 	}
14184 
14185 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14186 	       ETH_ALEN);
14187 
14188 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14189 
14190 	if (info->attrs[NL80211_ATTR_PMKID])
14191 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14192 
14193 	return rdev_external_auth(rdev, dev, &params);
14194 }
14195 
14196 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14197 {
14198 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14199 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14200 	struct net_device *dev = info->user_ptr[1];
14201 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14202 	const u8 *buf;
14203 	size_t len;
14204 	u8 *dest;
14205 	u16 proto;
14206 	bool noencrypt;
14207 	u64 cookie = 0;
14208 	int err;
14209 
14210 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14211 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14212 		return -EOPNOTSUPP;
14213 
14214 	if (!rdev->ops->tx_control_port)
14215 		return -EOPNOTSUPP;
14216 
14217 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14218 	    !info->attrs[NL80211_ATTR_MAC] ||
14219 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14220 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14221 		return -EINVAL;
14222 	}
14223 
14224 	wdev_lock(wdev);
14225 
14226 	switch (wdev->iftype) {
14227 	case NL80211_IFTYPE_AP:
14228 	case NL80211_IFTYPE_P2P_GO:
14229 	case NL80211_IFTYPE_MESH_POINT:
14230 		break;
14231 	case NL80211_IFTYPE_ADHOC:
14232 	case NL80211_IFTYPE_STATION:
14233 	case NL80211_IFTYPE_P2P_CLIENT:
14234 		if (wdev->current_bss)
14235 			break;
14236 		err = -ENOTCONN;
14237 		goto out;
14238 	default:
14239 		err = -EOPNOTSUPP;
14240 		goto out;
14241 	}
14242 
14243 	wdev_unlock(wdev);
14244 
14245 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14246 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14247 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14248 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14249 	noencrypt =
14250 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14251 
14252 	err = rdev_tx_control_port(rdev, dev, buf, len,
14253 				   dest, cpu_to_be16(proto), noencrypt,
14254 				   dont_wait_for_ack ? NULL : &cookie);
14255 	if (!err && !dont_wait_for_ack)
14256 		nl_set_extack_cookie_u64(info->extack, cookie);
14257 	return err;
14258  out:
14259 	wdev_unlock(wdev);
14260 	return err;
14261 }
14262 
14263 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14264 					   struct genl_info *info)
14265 {
14266 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14267 	struct net_device *dev = info->user_ptr[1];
14268 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14269 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14270 	struct sk_buff *msg;
14271 	void *hdr;
14272 	struct nlattr *ftm_stats_attr;
14273 	int err;
14274 
14275 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14276 		return -EOPNOTSUPP;
14277 
14278 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14279 	if (err)
14280 		return err;
14281 
14282 	if (!ftm_stats.filled)
14283 		return -ENODATA;
14284 
14285 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14286 	if (!msg)
14287 		return -ENOMEM;
14288 
14289 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14290 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14291 	if (!hdr)
14292 		goto nla_put_failure;
14293 
14294 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14295 		goto nla_put_failure;
14296 
14297 	ftm_stats_attr = nla_nest_start_noflag(msg,
14298 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14299 	if (!ftm_stats_attr)
14300 		goto nla_put_failure;
14301 
14302 #define SET_FTM(field, name, type)					 \
14303 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14304 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14305 			     ftm_stats.field))				 \
14306 		goto nla_put_failure; } while (0)
14307 #define SET_FTM_U64(field, name)					 \
14308 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14309 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14310 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14311 		goto nla_put_failure; } while (0)
14312 
14313 	SET_FTM(success_num, SUCCESS_NUM, u32);
14314 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14315 	SET_FTM(failed_num, FAILED_NUM, u32);
14316 	SET_FTM(asap_num, ASAP_NUM, u32);
14317 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14318 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14319 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14320 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14321 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14322 #undef SET_FTM
14323 
14324 	nla_nest_end(msg, ftm_stats_attr);
14325 
14326 	genlmsg_end(msg, hdr);
14327 	return genlmsg_reply(msg, info);
14328 
14329 nla_put_failure:
14330 	nlmsg_free(msg);
14331 	return -ENOBUFS;
14332 }
14333 
14334 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14335 {
14336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14337 	struct cfg80211_update_owe_info owe_info;
14338 	struct net_device *dev = info->user_ptr[1];
14339 
14340 	if (!rdev->ops->update_owe_info)
14341 		return -EOPNOTSUPP;
14342 
14343 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14344 	    !info->attrs[NL80211_ATTR_MAC])
14345 		return -EINVAL;
14346 
14347 	memset(&owe_info, 0, sizeof(owe_info));
14348 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14349 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14350 
14351 	if (info->attrs[NL80211_ATTR_IE]) {
14352 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14353 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14354 	}
14355 
14356 	return rdev_update_owe_info(rdev, dev, &owe_info);
14357 }
14358 
14359 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14360 {
14361 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14362 	struct net_device *dev = info->user_ptr[1];
14363 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14364 	struct station_info sinfo = {};
14365 	const u8 *buf;
14366 	size_t len;
14367 	u8 *dest;
14368 	int err;
14369 
14370 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14371 		return -EOPNOTSUPP;
14372 
14373 	if (!info->attrs[NL80211_ATTR_MAC] ||
14374 	    !info->attrs[NL80211_ATTR_FRAME]) {
14375 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14376 		return -EINVAL;
14377 	}
14378 
14379 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14380 		return -EOPNOTSUPP;
14381 
14382 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14383 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14384 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14385 
14386 	if (len < sizeof(struct ethhdr))
14387 		return -EINVAL;
14388 
14389 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14390 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14391 		return -EINVAL;
14392 
14393 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14394 	if (err)
14395 		return err;
14396 
14397 	cfg80211_sinfo_release_content(&sinfo);
14398 
14399 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14400 }
14401 
14402 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14403 			  struct nlattr *attrs[], struct net_device *dev,
14404 			  struct cfg80211_tid_cfg *tid_conf,
14405 			  struct genl_info *info, const u8 *peer)
14406 {
14407 	struct netlink_ext_ack *extack = info->extack;
14408 	u64 mask;
14409 	int err;
14410 
14411 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14412 		return -EINVAL;
14413 
14414 	tid_conf->config_override =
14415 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14416 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14417 
14418 	if (tid_conf->config_override) {
14419 		if (rdev->ops->reset_tid_config) {
14420 			err = rdev_reset_tid_config(rdev, dev, peer,
14421 						    tid_conf->tids);
14422 			if (err)
14423 				return err;
14424 		} else {
14425 			return -EINVAL;
14426 		}
14427 	}
14428 
14429 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14430 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14431 		tid_conf->noack =
14432 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14433 	}
14434 
14435 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14436 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14437 		tid_conf->retry_short =
14438 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14439 
14440 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14441 			return -EINVAL;
14442 	}
14443 
14444 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14445 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14446 		tid_conf->retry_long =
14447 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14448 
14449 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14450 			return -EINVAL;
14451 	}
14452 
14453 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14454 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14455 		tid_conf->ampdu =
14456 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14457 	}
14458 
14459 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14460 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14461 		tid_conf->rtscts =
14462 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14463 	}
14464 
14465 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14466 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14467 		tid_conf->amsdu =
14468 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14469 	}
14470 
14471 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14472 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14473 
14474 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14475 
14476 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14477 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14478 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14479 						    &tid_conf->txrate_mask, dev);
14480 			if (err)
14481 				return err;
14482 
14483 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14484 		}
14485 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14486 	}
14487 
14488 	if (peer)
14489 		mask = rdev->wiphy.tid_config_support.peer;
14490 	else
14491 		mask = rdev->wiphy.tid_config_support.vif;
14492 
14493 	if (tid_conf->mask & ~mask) {
14494 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14495 		return -ENOTSUPP;
14496 	}
14497 
14498 	return 0;
14499 }
14500 
14501 static int nl80211_set_tid_config(struct sk_buff *skb,
14502 				  struct genl_info *info)
14503 {
14504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14505 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14506 	struct net_device *dev = info->user_ptr[1];
14507 	struct cfg80211_tid_config *tid_config;
14508 	struct nlattr *tid;
14509 	int conf_idx = 0, rem_conf;
14510 	int ret = -EINVAL;
14511 	u32 num_conf = 0;
14512 
14513 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14514 		return -EINVAL;
14515 
14516 	if (!rdev->ops->set_tid_config)
14517 		return -EOPNOTSUPP;
14518 
14519 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14520 			    rem_conf)
14521 		num_conf++;
14522 
14523 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14524 			     GFP_KERNEL);
14525 	if (!tid_config)
14526 		return -ENOMEM;
14527 
14528 	tid_config->n_tid_conf = num_conf;
14529 
14530 	if (info->attrs[NL80211_ATTR_MAC])
14531 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14532 
14533 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14534 			    rem_conf) {
14535 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14536 				       tid, NULL, NULL);
14537 
14538 		if (ret)
14539 			goto bad_tid_conf;
14540 
14541 		ret = parse_tid_conf(rdev, attrs, dev,
14542 				     &tid_config->tid_conf[conf_idx],
14543 				     info, tid_config->peer);
14544 		if (ret)
14545 			goto bad_tid_conf;
14546 
14547 		conf_idx++;
14548 	}
14549 
14550 	ret = rdev_set_tid_config(rdev, dev, tid_config);
14551 
14552 bad_tid_conf:
14553 	kfree(tid_config);
14554 	return ret;
14555 }
14556 
14557 #define NL80211_FLAG_NEED_WIPHY		0x01
14558 #define NL80211_FLAG_NEED_NETDEV	0x02
14559 #define NL80211_FLAG_NEED_RTNL		0x04
14560 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14561 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14562 					 NL80211_FLAG_CHECK_NETDEV_UP)
14563 #define NL80211_FLAG_NEED_WDEV		0x10
14564 /* If a netdev is associated, it must be UP, P2P must be started */
14565 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14566 					 NL80211_FLAG_CHECK_NETDEV_UP)
14567 #define NL80211_FLAG_CLEAR_SKB		0x20
14568 
14569 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14570 			    struct genl_info *info)
14571 {
14572 	struct cfg80211_registered_device *rdev;
14573 	struct wireless_dev *wdev;
14574 	struct net_device *dev;
14575 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
14576 
14577 	if (rtnl)
14578 		rtnl_lock();
14579 
14580 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14581 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14582 		if (IS_ERR(rdev)) {
14583 			if (rtnl)
14584 				rtnl_unlock();
14585 			return PTR_ERR(rdev);
14586 		}
14587 		info->user_ptr[0] = rdev;
14588 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14589 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14590 		ASSERT_RTNL();
14591 
14592 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
14593 						  info->attrs);
14594 		if (IS_ERR(wdev)) {
14595 			if (rtnl)
14596 				rtnl_unlock();
14597 			return PTR_ERR(wdev);
14598 		}
14599 
14600 		dev = wdev->netdev;
14601 		rdev = wiphy_to_rdev(wdev->wiphy);
14602 
14603 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14604 			if (!dev) {
14605 				if (rtnl)
14606 					rtnl_unlock();
14607 				return -EINVAL;
14608 			}
14609 
14610 			info->user_ptr[1] = dev;
14611 		} else {
14612 			info->user_ptr[1] = wdev;
14613 		}
14614 
14615 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14616 		    !wdev_running(wdev)) {
14617 			if (rtnl)
14618 				rtnl_unlock();
14619 			return -ENETDOWN;
14620 		}
14621 
14622 		if (dev)
14623 			dev_hold(dev);
14624 
14625 		info->user_ptr[0] = rdev;
14626 	}
14627 
14628 	return 0;
14629 }
14630 
14631 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14632 			      struct genl_info *info)
14633 {
14634 	if (info->user_ptr[1]) {
14635 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14636 			struct wireless_dev *wdev = info->user_ptr[1];
14637 
14638 			if (wdev->netdev)
14639 				dev_put(wdev->netdev);
14640 		} else {
14641 			dev_put(info->user_ptr[1]);
14642 		}
14643 	}
14644 
14645 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
14646 		rtnl_unlock();
14647 
14648 	/* If needed, clear the netlink message payload from the SKB
14649 	 * as it might contain key data that shouldn't stick around on
14650 	 * the heap after the SKB is freed. The netlink message header
14651 	 * is still needed for further processing, so leave it intact.
14652 	 */
14653 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
14654 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
14655 
14656 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
14657 	}
14658 }
14659 
14660 static const struct genl_ops nl80211_ops[] = {
14661 	{
14662 		.cmd = NL80211_CMD_GET_WIPHY,
14663 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14664 		.doit = nl80211_get_wiphy,
14665 		.dumpit = nl80211_dump_wiphy,
14666 		.done = nl80211_dump_wiphy_done,
14667 		/* can be retrieved by unprivileged users */
14668 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14669 				  NL80211_FLAG_NEED_RTNL,
14670 	},
14671 };
14672 
14673 static const struct genl_small_ops nl80211_small_ops[] = {
14674 	{
14675 		.cmd = NL80211_CMD_SET_WIPHY,
14676 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14677 		.doit = nl80211_set_wiphy,
14678 		.flags = GENL_UNS_ADMIN_PERM,
14679 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14680 	},
14681 	{
14682 		.cmd = NL80211_CMD_GET_INTERFACE,
14683 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14684 		.doit = nl80211_get_interface,
14685 		.dumpit = nl80211_dump_interface,
14686 		/* can be retrieved by unprivileged users */
14687 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14688 				  NL80211_FLAG_NEED_RTNL,
14689 	},
14690 	{
14691 		.cmd = NL80211_CMD_SET_INTERFACE,
14692 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14693 		.doit = nl80211_set_interface,
14694 		.flags = GENL_UNS_ADMIN_PERM,
14695 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14696 				  NL80211_FLAG_NEED_RTNL,
14697 	},
14698 	{
14699 		.cmd = NL80211_CMD_NEW_INTERFACE,
14700 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14701 		.doit = nl80211_new_interface,
14702 		.flags = GENL_UNS_ADMIN_PERM,
14703 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14704 				  NL80211_FLAG_NEED_RTNL,
14705 	},
14706 	{
14707 		.cmd = NL80211_CMD_DEL_INTERFACE,
14708 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14709 		.doit = nl80211_del_interface,
14710 		.flags = GENL_UNS_ADMIN_PERM,
14711 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14712 				  NL80211_FLAG_NEED_RTNL,
14713 	},
14714 	{
14715 		.cmd = NL80211_CMD_GET_KEY,
14716 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14717 		.doit = nl80211_get_key,
14718 		.flags = GENL_UNS_ADMIN_PERM,
14719 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14720 				  NL80211_FLAG_NEED_RTNL,
14721 	},
14722 	{
14723 		.cmd = NL80211_CMD_SET_KEY,
14724 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14725 		.doit = nl80211_set_key,
14726 		.flags = GENL_UNS_ADMIN_PERM,
14727 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14728 				  NL80211_FLAG_NEED_RTNL |
14729 				  NL80211_FLAG_CLEAR_SKB,
14730 	},
14731 	{
14732 		.cmd = NL80211_CMD_NEW_KEY,
14733 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14734 		.doit = nl80211_new_key,
14735 		.flags = GENL_UNS_ADMIN_PERM,
14736 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14737 				  NL80211_FLAG_NEED_RTNL |
14738 				  NL80211_FLAG_CLEAR_SKB,
14739 	},
14740 	{
14741 		.cmd = NL80211_CMD_DEL_KEY,
14742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14743 		.doit = nl80211_del_key,
14744 		.flags = GENL_UNS_ADMIN_PERM,
14745 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14746 				  NL80211_FLAG_NEED_RTNL,
14747 	},
14748 	{
14749 		.cmd = NL80211_CMD_SET_BEACON,
14750 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14751 		.flags = GENL_UNS_ADMIN_PERM,
14752 		.doit = nl80211_set_beacon,
14753 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14754 				  NL80211_FLAG_NEED_RTNL,
14755 	},
14756 	{
14757 		.cmd = NL80211_CMD_START_AP,
14758 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14759 		.flags = GENL_UNS_ADMIN_PERM,
14760 		.doit = nl80211_start_ap,
14761 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14762 				  NL80211_FLAG_NEED_RTNL,
14763 	},
14764 	{
14765 		.cmd = NL80211_CMD_STOP_AP,
14766 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14767 		.flags = GENL_UNS_ADMIN_PERM,
14768 		.doit = nl80211_stop_ap,
14769 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14770 				  NL80211_FLAG_NEED_RTNL,
14771 	},
14772 	{
14773 		.cmd = NL80211_CMD_GET_STATION,
14774 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14775 		.doit = nl80211_get_station,
14776 		.dumpit = nl80211_dump_station,
14777 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14778 				  NL80211_FLAG_NEED_RTNL,
14779 	},
14780 	{
14781 		.cmd = NL80211_CMD_SET_STATION,
14782 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14783 		.doit = nl80211_set_station,
14784 		.flags = GENL_UNS_ADMIN_PERM,
14785 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14786 				  NL80211_FLAG_NEED_RTNL,
14787 	},
14788 	{
14789 		.cmd = NL80211_CMD_NEW_STATION,
14790 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14791 		.doit = nl80211_new_station,
14792 		.flags = GENL_UNS_ADMIN_PERM,
14793 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14794 				  NL80211_FLAG_NEED_RTNL,
14795 	},
14796 	{
14797 		.cmd = NL80211_CMD_DEL_STATION,
14798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14799 		.doit = nl80211_del_station,
14800 		.flags = GENL_UNS_ADMIN_PERM,
14801 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14802 				  NL80211_FLAG_NEED_RTNL,
14803 	},
14804 	{
14805 		.cmd = NL80211_CMD_GET_MPATH,
14806 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14807 		.doit = nl80211_get_mpath,
14808 		.dumpit = nl80211_dump_mpath,
14809 		.flags = GENL_UNS_ADMIN_PERM,
14810 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14811 				  NL80211_FLAG_NEED_RTNL,
14812 	},
14813 	{
14814 		.cmd = NL80211_CMD_GET_MPP,
14815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14816 		.doit = nl80211_get_mpp,
14817 		.dumpit = nl80211_dump_mpp,
14818 		.flags = GENL_UNS_ADMIN_PERM,
14819 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14820 				  NL80211_FLAG_NEED_RTNL,
14821 	},
14822 	{
14823 		.cmd = NL80211_CMD_SET_MPATH,
14824 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14825 		.doit = nl80211_set_mpath,
14826 		.flags = GENL_UNS_ADMIN_PERM,
14827 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14828 				  NL80211_FLAG_NEED_RTNL,
14829 	},
14830 	{
14831 		.cmd = NL80211_CMD_NEW_MPATH,
14832 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14833 		.doit = nl80211_new_mpath,
14834 		.flags = GENL_UNS_ADMIN_PERM,
14835 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14836 				  NL80211_FLAG_NEED_RTNL,
14837 	},
14838 	{
14839 		.cmd = NL80211_CMD_DEL_MPATH,
14840 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14841 		.doit = nl80211_del_mpath,
14842 		.flags = GENL_UNS_ADMIN_PERM,
14843 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14844 				  NL80211_FLAG_NEED_RTNL,
14845 	},
14846 	{
14847 		.cmd = NL80211_CMD_SET_BSS,
14848 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14849 		.doit = nl80211_set_bss,
14850 		.flags = GENL_UNS_ADMIN_PERM,
14851 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14852 				  NL80211_FLAG_NEED_RTNL,
14853 	},
14854 	{
14855 		.cmd = NL80211_CMD_GET_REG,
14856 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14857 		.doit = nl80211_get_reg_do,
14858 		.dumpit = nl80211_get_reg_dump,
14859 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14860 		/* can be retrieved by unprivileged users */
14861 	},
14862 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
14863 	{
14864 		.cmd = NL80211_CMD_SET_REG,
14865 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14866 		.doit = nl80211_set_reg,
14867 		.flags = GENL_ADMIN_PERM,
14868 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14869 	},
14870 #endif
14871 	{
14872 		.cmd = NL80211_CMD_REQ_SET_REG,
14873 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14874 		.doit = nl80211_req_set_reg,
14875 		.flags = GENL_ADMIN_PERM,
14876 	},
14877 	{
14878 		.cmd = NL80211_CMD_RELOAD_REGDB,
14879 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14880 		.doit = nl80211_reload_regdb,
14881 		.flags = GENL_ADMIN_PERM,
14882 	},
14883 	{
14884 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14885 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14886 		.doit = nl80211_get_mesh_config,
14887 		/* can be retrieved by unprivileged users */
14888 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14889 				  NL80211_FLAG_NEED_RTNL,
14890 	},
14891 	{
14892 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14893 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14894 		.doit = nl80211_update_mesh_config,
14895 		.flags = GENL_UNS_ADMIN_PERM,
14896 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14897 				  NL80211_FLAG_NEED_RTNL,
14898 	},
14899 	{
14900 		.cmd = NL80211_CMD_TRIGGER_SCAN,
14901 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14902 		.doit = nl80211_trigger_scan,
14903 		.flags = GENL_UNS_ADMIN_PERM,
14904 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14905 				  NL80211_FLAG_NEED_RTNL,
14906 	},
14907 	{
14908 		.cmd = NL80211_CMD_ABORT_SCAN,
14909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14910 		.doit = nl80211_abort_scan,
14911 		.flags = GENL_UNS_ADMIN_PERM,
14912 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14913 				  NL80211_FLAG_NEED_RTNL,
14914 	},
14915 	{
14916 		.cmd = NL80211_CMD_GET_SCAN,
14917 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14918 		.dumpit = nl80211_dump_scan,
14919 	},
14920 	{
14921 		.cmd = NL80211_CMD_START_SCHED_SCAN,
14922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14923 		.doit = nl80211_start_sched_scan,
14924 		.flags = GENL_UNS_ADMIN_PERM,
14925 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14926 				  NL80211_FLAG_NEED_RTNL,
14927 	},
14928 	{
14929 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14931 		.doit = nl80211_stop_sched_scan,
14932 		.flags = GENL_UNS_ADMIN_PERM,
14933 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14934 				  NL80211_FLAG_NEED_RTNL,
14935 	},
14936 	{
14937 		.cmd = NL80211_CMD_AUTHENTICATE,
14938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14939 		.doit = nl80211_authenticate,
14940 		.flags = GENL_UNS_ADMIN_PERM,
14941 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14942 				  NL80211_FLAG_NEED_RTNL |
14943 				  NL80211_FLAG_CLEAR_SKB,
14944 	},
14945 	{
14946 		.cmd = NL80211_CMD_ASSOCIATE,
14947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14948 		.doit = nl80211_associate,
14949 		.flags = GENL_UNS_ADMIN_PERM,
14950 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14951 				  NL80211_FLAG_NEED_RTNL |
14952 				  NL80211_FLAG_CLEAR_SKB,
14953 	},
14954 	{
14955 		.cmd = NL80211_CMD_DEAUTHENTICATE,
14956 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14957 		.doit = nl80211_deauthenticate,
14958 		.flags = GENL_UNS_ADMIN_PERM,
14959 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14960 				  NL80211_FLAG_NEED_RTNL,
14961 	},
14962 	{
14963 		.cmd = NL80211_CMD_DISASSOCIATE,
14964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14965 		.doit = nl80211_disassociate,
14966 		.flags = GENL_UNS_ADMIN_PERM,
14967 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14968 				  NL80211_FLAG_NEED_RTNL,
14969 	},
14970 	{
14971 		.cmd = NL80211_CMD_JOIN_IBSS,
14972 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14973 		.doit = nl80211_join_ibss,
14974 		.flags = GENL_UNS_ADMIN_PERM,
14975 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14976 				  NL80211_FLAG_NEED_RTNL,
14977 	},
14978 	{
14979 		.cmd = NL80211_CMD_LEAVE_IBSS,
14980 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14981 		.doit = nl80211_leave_ibss,
14982 		.flags = GENL_UNS_ADMIN_PERM,
14983 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14984 				  NL80211_FLAG_NEED_RTNL,
14985 	},
14986 #ifdef CONFIG_NL80211_TESTMODE
14987 	{
14988 		.cmd = NL80211_CMD_TESTMODE,
14989 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14990 		.doit = nl80211_testmode_do,
14991 		.dumpit = nl80211_testmode_dump,
14992 		.flags = GENL_UNS_ADMIN_PERM,
14993 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14994 				  NL80211_FLAG_NEED_RTNL,
14995 	},
14996 #endif
14997 	{
14998 		.cmd = NL80211_CMD_CONNECT,
14999 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15000 		.doit = nl80211_connect,
15001 		.flags = GENL_UNS_ADMIN_PERM,
15002 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15003 				  NL80211_FLAG_NEED_RTNL |
15004 				  NL80211_FLAG_CLEAR_SKB,
15005 	},
15006 	{
15007 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15008 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15009 		.doit = nl80211_update_connect_params,
15010 		.flags = GENL_ADMIN_PERM,
15011 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15012 				  NL80211_FLAG_NEED_RTNL |
15013 				  NL80211_FLAG_CLEAR_SKB,
15014 	},
15015 	{
15016 		.cmd = NL80211_CMD_DISCONNECT,
15017 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15018 		.doit = nl80211_disconnect,
15019 		.flags = GENL_UNS_ADMIN_PERM,
15020 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15021 				  NL80211_FLAG_NEED_RTNL,
15022 	},
15023 	{
15024 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15026 		.doit = nl80211_wiphy_netns,
15027 		.flags = GENL_UNS_ADMIN_PERM,
15028 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15029 				  NL80211_FLAG_NEED_RTNL,
15030 	},
15031 	{
15032 		.cmd = NL80211_CMD_GET_SURVEY,
15033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15034 		.dumpit = nl80211_dump_survey,
15035 	},
15036 	{
15037 		.cmd = NL80211_CMD_SET_PMKSA,
15038 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15039 		.doit = nl80211_setdel_pmksa,
15040 		.flags = GENL_UNS_ADMIN_PERM,
15041 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15042 				  NL80211_FLAG_NEED_RTNL |
15043 				  NL80211_FLAG_CLEAR_SKB,
15044 	},
15045 	{
15046 		.cmd = NL80211_CMD_DEL_PMKSA,
15047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15048 		.doit = nl80211_setdel_pmksa,
15049 		.flags = GENL_UNS_ADMIN_PERM,
15050 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15051 				  NL80211_FLAG_NEED_RTNL,
15052 	},
15053 	{
15054 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15056 		.doit = nl80211_flush_pmksa,
15057 		.flags = GENL_UNS_ADMIN_PERM,
15058 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15059 				  NL80211_FLAG_NEED_RTNL,
15060 	},
15061 	{
15062 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15064 		.doit = nl80211_remain_on_channel,
15065 		.flags = GENL_UNS_ADMIN_PERM,
15066 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15067 				  NL80211_FLAG_NEED_RTNL,
15068 	},
15069 	{
15070 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15072 		.doit = nl80211_cancel_remain_on_channel,
15073 		.flags = GENL_UNS_ADMIN_PERM,
15074 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15075 				  NL80211_FLAG_NEED_RTNL,
15076 	},
15077 	{
15078 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15080 		.doit = nl80211_set_tx_bitrate_mask,
15081 		.flags = GENL_UNS_ADMIN_PERM,
15082 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15083 				  NL80211_FLAG_NEED_RTNL,
15084 	},
15085 	{
15086 		.cmd = NL80211_CMD_REGISTER_FRAME,
15087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15088 		.doit = nl80211_register_mgmt,
15089 		.flags = GENL_UNS_ADMIN_PERM,
15090 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15091 				  NL80211_FLAG_NEED_RTNL,
15092 	},
15093 	{
15094 		.cmd = NL80211_CMD_FRAME,
15095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15096 		.doit = nl80211_tx_mgmt,
15097 		.flags = GENL_UNS_ADMIN_PERM,
15098 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15099 				  NL80211_FLAG_NEED_RTNL,
15100 	},
15101 	{
15102 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15103 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15104 		.doit = nl80211_tx_mgmt_cancel_wait,
15105 		.flags = GENL_UNS_ADMIN_PERM,
15106 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15107 				  NL80211_FLAG_NEED_RTNL,
15108 	},
15109 	{
15110 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15112 		.doit = nl80211_set_power_save,
15113 		.flags = GENL_UNS_ADMIN_PERM,
15114 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15115 				  NL80211_FLAG_NEED_RTNL,
15116 	},
15117 	{
15118 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15120 		.doit = nl80211_get_power_save,
15121 		/* can be retrieved by unprivileged users */
15122 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15123 				  NL80211_FLAG_NEED_RTNL,
15124 	},
15125 	{
15126 		.cmd = NL80211_CMD_SET_CQM,
15127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15128 		.doit = nl80211_set_cqm,
15129 		.flags = GENL_UNS_ADMIN_PERM,
15130 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15131 				  NL80211_FLAG_NEED_RTNL,
15132 	},
15133 	{
15134 		.cmd = NL80211_CMD_SET_CHANNEL,
15135 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15136 		.doit = nl80211_set_channel,
15137 		.flags = GENL_UNS_ADMIN_PERM,
15138 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15139 				  NL80211_FLAG_NEED_RTNL,
15140 	},
15141 	{
15142 		.cmd = NL80211_CMD_SET_WDS_PEER,
15143 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15144 		.doit = nl80211_set_wds_peer,
15145 		.flags = GENL_UNS_ADMIN_PERM,
15146 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15147 				  NL80211_FLAG_NEED_RTNL,
15148 	},
15149 	{
15150 		.cmd = NL80211_CMD_JOIN_MESH,
15151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15152 		.doit = nl80211_join_mesh,
15153 		.flags = GENL_UNS_ADMIN_PERM,
15154 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15155 				  NL80211_FLAG_NEED_RTNL,
15156 	},
15157 	{
15158 		.cmd = NL80211_CMD_LEAVE_MESH,
15159 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15160 		.doit = nl80211_leave_mesh,
15161 		.flags = GENL_UNS_ADMIN_PERM,
15162 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15163 				  NL80211_FLAG_NEED_RTNL,
15164 	},
15165 	{
15166 		.cmd = NL80211_CMD_JOIN_OCB,
15167 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15168 		.doit = nl80211_join_ocb,
15169 		.flags = GENL_UNS_ADMIN_PERM,
15170 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15171 				  NL80211_FLAG_NEED_RTNL,
15172 	},
15173 	{
15174 		.cmd = NL80211_CMD_LEAVE_OCB,
15175 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15176 		.doit = nl80211_leave_ocb,
15177 		.flags = GENL_UNS_ADMIN_PERM,
15178 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15179 				  NL80211_FLAG_NEED_RTNL,
15180 	},
15181 #ifdef CONFIG_PM
15182 	{
15183 		.cmd = NL80211_CMD_GET_WOWLAN,
15184 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15185 		.doit = nl80211_get_wowlan,
15186 		/* can be retrieved by unprivileged users */
15187 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15188 				  NL80211_FLAG_NEED_RTNL,
15189 	},
15190 	{
15191 		.cmd = NL80211_CMD_SET_WOWLAN,
15192 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15193 		.doit = nl80211_set_wowlan,
15194 		.flags = GENL_UNS_ADMIN_PERM,
15195 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15196 				  NL80211_FLAG_NEED_RTNL,
15197 	},
15198 #endif
15199 	{
15200 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15201 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15202 		.doit = nl80211_set_rekey_data,
15203 		.flags = GENL_UNS_ADMIN_PERM,
15204 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15205 				  NL80211_FLAG_NEED_RTNL |
15206 				  NL80211_FLAG_CLEAR_SKB,
15207 	},
15208 	{
15209 		.cmd = NL80211_CMD_TDLS_MGMT,
15210 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15211 		.doit = nl80211_tdls_mgmt,
15212 		.flags = GENL_UNS_ADMIN_PERM,
15213 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15214 				  NL80211_FLAG_NEED_RTNL,
15215 	},
15216 	{
15217 		.cmd = NL80211_CMD_TDLS_OPER,
15218 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15219 		.doit = nl80211_tdls_oper,
15220 		.flags = GENL_UNS_ADMIN_PERM,
15221 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15222 				  NL80211_FLAG_NEED_RTNL,
15223 	},
15224 	{
15225 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15227 		.doit = nl80211_register_unexpected_frame,
15228 		.flags = GENL_UNS_ADMIN_PERM,
15229 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15230 				  NL80211_FLAG_NEED_RTNL,
15231 	},
15232 	{
15233 		.cmd = NL80211_CMD_PROBE_CLIENT,
15234 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15235 		.doit = nl80211_probe_client,
15236 		.flags = GENL_UNS_ADMIN_PERM,
15237 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15238 				  NL80211_FLAG_NEED_RTNL,
15239 	},
15240 	{
15241 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15242 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15243 		.doit = nl80211_register_beacons,
15244 		.flags = GENL_UNS_ADMIN_PERM,
15245 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15246 				  NL80211_FLAG_NEED_RTNL,
15247 	},
15248 	{
15249 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15250 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15251 		.doit = nl80211_set_noack_map,
15252 		.flags = GENL_UNS_ADMIN_PERM,
15253 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15254 				  NL80211_FLAG_NEED_RTNL,
15255 	},
15256 	{
15257 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15258 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15259 		.doit = nl80211_start_p2p_device,
15260 		.flags = GENL_UNS_ADMIN_PERM,
15261 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15262 				  NL80211_FLAG_NEED_RTNL,
15263 	},
15264 	{
15265 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15266 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15267 		.doit = nl80211_stop_p2p_device,
15268 		.flags = GENL_UNS_ADMIN_PERM,
15269 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15270 				  NL80211_FLAG_NEED_RTNL,
15271 	},
15272 	{
15273 		.cmd = NL80211_CMD_START_NAN,
15274 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15275 		.doit = nl80211_start_nan,
15276 		.flags = GENL_ADMIN_PERM,
15277 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15278 				  NL80211_FLAG_NEED_RTNL,
15279 	},
15280 	{
15281 		.cmd = NL80211_CMD_STOP_NAN,
15282 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15283 		.doit = nl80211_stop_nan,
15284 		.flags = GENL_ADMIN_PERM,
15285 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15286 				  NL80211_FLAG_NEED_RTNL,
15287 	},
15288 	{
15289 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15290 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15291 		.doit = nl80211_nan_add_func,
15292 		.flags = GENL_ADMIN_PERM,
15293 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15294 				  NL80211_FLAG_NEED_RTNL,
15295 	},
15296 	{
15297 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15298 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15299 		.doit = nl80211_nan_del_func,
15300 		.flags = GENL_ADMIN_PERM,
15301 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15302 				  NL80211_FLAG_NEED_RTNL,
15303 	},
15304 	{
15305 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15306 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15307 		.doit = nl80211_nan_change_config,
15308 		.flags = GENL_ADMIN_PERM,
15309 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15310 				  NL80211_FLAG_NEED_RTNL,
15311 	},
15312 	{
15313 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15314 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15315 		.doit = nl80211_set_mcast_rate,
15316 		.flags = GENL_UNS_ADMIN_PERM,
15317 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15318 				  NL80211_FLAG_NEED_RTNL,
15319 	},
15320 	{
15321 		.cmd = NL80211_CMD_SET_MAC_ACL,
15322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15323 		.doit = nl80211_set_mac_acl,
15324 		.flags = GENL_UNS_ADMIN_PERM,
15325 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15326 				  NL80211_FLAG_NEED_RTNL,
15327 	},
15328 	{
15329 		.cmd = NL80211_CMD_RADAR_DETECT,
15330 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15331 		.doit = nl80211_start_radar_detection,
15332 		.flags = GENL_UNS_ADMIN_PERM,
15333 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15334 				  NL80211_FLAG_NEED_RTNL,
15335 	},
15336 	{
15337 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15338 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15339 		.doit = nl80211_get_protocol_features,
15340 	},
15341 	{
15342 		.cmd = NL80211_CMD_UPDATE_FT_IES,
15343 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15344 		.doit = nl80211_update_ft_ies,
15345 		.flags = GENL_UNS_ADMIN_PERM,
15346 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15347 				  NL80211_FLAG_NEED_RTNL,
15348 	},
15349 	{
15350 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15351 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15352 		.doit = nl80211_crit_protocol_start,
15353 		.flags = GENL_UNS_ADMIN_PERM,
15354 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15355 				  NL80211_FLAG_NEED_RTNL,
15356 	},
15357 	{
15358 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15359 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15360 		.doit = nl80211_crit_protocol_stop,
15361 		.flags = GENL_UNS_ADMIN_PERM,
15362 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15363 				  NL80211_FLAG_NEED_RTNL,
15364 	},
15365 	{
15366 		.cmd = NL80211_CMD_GET_COALESCE,
15367 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15368 		.doit = nl80211_get_coalesce,
15369 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15370 				  NL80211_FLAG_NEED_RTNL,
15371 	},
15372 	{
15373 		.cmd = NL80211_CMD_SET_COALESCE,
15374 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15375 		.doit = nl80211_set_coalesce,
15376 		.flags = GENL_UNS_ADMIN_PERM,
15377 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15378 				  NL80211_FLAG_NEED_RTNL,
15379 	},
15380 	{
15381 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15382 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15383 		.doit = nl80211_channel_switch,
15384 		.flags = GENL_UNS_ADMIN_PERM,
15385 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15386 				  NL80211_FLAG_NEED_RTNL,
15387 	},
15388 	{
15389 		.cmd = NL80211_CMD_VENDOR,
15390 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15391 		.doit = nl80211_vendor_cmd,
15392 		.dumpit = nl80211_vendor_cmd_dump,
15393 		.flags = GENL_UNS_ADMIN_PERM,
15394 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15395 				  NL80211_FLAG_NEED_RTNL |
15396 				  NL80211_FLAG_CLEAR_SKB,
15397 	},
15398 	{
15399 		.cmd = NL80211_CMD_SET_QOS_MAP,
15400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15401 		.doit = nl80211_set_qos_map,
15402 		.flags = GENL_UNS_ADMIN_PERM,
15403 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15404 				  NL80211_FLAG_NEED_RTNL,
15405 	},
15406 	{
15407 		.cmd = NL80211_CMD_ADD_TX_TS,
15408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15409 		.doit = nl80211_add_tx_ts,
15410 		.flags = GENL_UNS_ADMIN_PERM,
15411 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15412 				  NL80211_FLAG_NEED_RTNL,
15413 	},
15414 	{
15415 		.cmd = NL80211_CMD_DEL_TX_TS,
15416 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15417 		.doit = nl80211_del_tx_ts,
15418 		.flags = GENL_UNS_ADMIN_PERM,
15419 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15420 				  NL80211_FLAG_NEED_RTNL,
15421 	},
15422 	{
15423 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15424 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15425 		.doit = nl80211_tdls_channel_switch,
15426 		.flags = GENL_UNS_ADMIN_PERM,
15427 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15428 				  NL80211_FLAG_NEED_RTNL,
15429 	},
15430 	{
15431 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15432 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15433 		.doit = nl80211_tdls_cancel_channel_switch,
15434 		.flags = GENL_UNS_ADMIN_PERM,
15435 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15436 				  NL80211_FLAG_NEED_RTNL,
15437 	},
15438 	{
15439 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15441 		.doit = nl80211_set_multicast_to_unicast,
15442 		.flags = GENL_UNS_ADMIN_PERM,
15443 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15444 				  NL80211_FLAG_NEED_RTNL,
15445 	},
15446 	{
15447 		.cmd = NL80211_CMD_SET_PMK,
15448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15449 		.doit = nl80211_set_pmk,
15450 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15451 				  NL80211_FLAG_NEED_RTNL |
15452 				  NL80211_FLAG_CLEAR_SKB,
15453 	},
15454 	{
15455 		.cmd = NL80211_CMD_DEL_PMK,
15456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15457 		.doit = nl80211_del_pmk,
15458 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15459 				  NL80211_FLAG_NEED_RTNL,
15460 	},
15461 	{
15462 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15464 		.doit = nl80211_external_auth,
15465 		.flags = GENL_ADMIN_PERM,
15466 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15467 				  NL80211_FLAG_NEED_RTNL,
15468 	},
15469 	{
15470 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15471 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15472 		.doit = nl80211_tx_control_port,
15473 		.flags = GENL_UNS_ADMIN_PERM,
15474 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15475 				  NL80211_FLAG_NEED_RTNL,
15476 	},
15477 	{
15478 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15480 		.doit = nl80211_get_ftm_responder_stats,
15481 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15482 				  NL80211_FLAG_NEED_RTNL,
15483 	},
15484 	{
15485 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15487 		.doit = nl80211_pmsr_start,
15488 		.flags = GENL_UNS_ADMIN_PERM,
15489 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15490 				  NL80211_FLAG_NEED_RTNL,
15491 	},
15492 	{
15493 		.cmd = NL80211_CMD_NOTIFY_RADAR,
15494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15495 		.doit = nl80211_notify_radar_detection,
15496 		.flags = GENL_UNS_ADMIN_PERM,
15497 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15498 				  NL80211_FLAG_NEED_RTNL,
15499 	},
15500 	{
15501 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15502 		.doit = nl80211_update_owe_info,
15503 		.flags = GENL_ADMIN_PERM,
15504 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15505 				  NL80211_FLAG_NEED_RTNL,
15506 	},
15507 	{
15508 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15509 		.doit = nl80211_probe_mesh_link,
15510 		.flags = GENL_UNS_ADMIN_PERM,
15511 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15512 				  NL80211_FLAG_NEED_RTNL,
15513 	},
15514 	{
15515 		.cmd = NL80211_CMD_SET_TID_CONFIG,
15516 		.doit = nl80211_set_tid_config,
15517 		.flags = GENL_UNS_ADMIN_PERM,
15518 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15519 				  NL80211_FLAG_NEED_RTNL,
15520 	},
15521 };
15522 
15523 static struct genl_family nl80211_fam __ro_after_init = {
15524 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15525 	.hdrsize = 0,			/* no private header */
15526 	.version = 1,			/* no particular meaning now */
15527 	.maxattr = NL80211_ATTR_MAX,
15528 	.policy = nl80211_policy,
15529 	.netnsok = true,
15530 	.pre_doit = nl80211_pre_doit,
15531 	.post_doit = nl80211_post_doit,
15532 	.module = THIS_MODULE,
15533 	.ops = nl80211_ops,
15534 	.n_ops = ARRAY_SIZE(nl80211_ops),
15535 	.small_ops = nl80211_small_ops,
15536 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
15537 	.mcgrps = nl80211_mcgrps,
15538 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15539 	.parallel_ops = true,
15540 };
15541 
15542 /* notification functions */
15543 
15544 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15545 			  enum nl80211_commands cmd)
15546 {
15547 	struct sk_buff *msg;
15548 	struct nl80211_dump_wiphy_state state = {};
15549 
15550 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15551 		cmd != NL80211_CMD_DEL_WIPHY);
15552 
15553 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15554 	if (!msg)
15555 		return;
15556 
15557 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15558 		nlmsg_free(msg);
15559 		return;
15560 	}
15561 
15562 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15563 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15564 }
15565 
15566 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15567 				struct wireless_dev *wdev,
15568 				enum nl80211_commands cmd)
15569 {
15570 	struct sk_buff *msg;
15571 
15572 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15573 	if (!msg)
15574 		return;
15575 
15576 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15577 		nlmsg_free(msg);
15578 		return;
15579 	}
15580 
15581 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15582 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15583 }
15584 
15585 static int nl80211_add_scan_req(struct sk_buff *msg,
15586 				struct cfg80211_registered_device *rdev)
15587 {
15588 	struct cfg80211_scan_request *req = rdev->scan_req;
15589 	struct nlattr *nest;
15590 	int i;
15591 	struct cfg80211_scan_info *info;
15592 
15593 	if (WARN_ON(!req))
15594 		return 0;
15595 
15596 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15597 	if (!nest)
15598 		goto nla_put_failure;
15599 	for (i = 0; i < req->n_ssids; i++) {
15600 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15601 			goto nla_put_failure;
15602 	}
15603 	nla_nest_end(msg, nest);
15604 
15605 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
15606 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
15607 		if (!nest)
15608 			goto nla_put_failure;
15609 		for (i = 0; i < req->n_channels; i++) {
15610 			if (nla_put_u32(msg, i,
15611 				   ieee80211_channel_to_khz(req->channels[i])))
15612 				goto nla_put_failure;
15613 		}
15614 		nla_nest_end(msg, nest);
15615 	} else {
15616 		nest = nla_nest_start_noflag(msg,
15617 					     NL80211_ATTR_SCAN_FREQUENCIES);
15618 		if (!nest)
15619 			goto nla_put_failure;
15620 		for (i = 0; i < req->n_channels; i++) {
15621 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15622 				goto nla_put_failure;
15623 		}
15624 		nla_nest_end(msg, nest);
15625 	}
15626 
15627 	if (req->ie &&
15628 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
15629 		goto nla_put_failure;
15630 
15631 	if (req->flags &&
15632 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
15633 		goto nla_put_failure;
15634 
15635 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
15636 		&rdev->scan_req->info;
15637 	if (info->scan_start_tsf &&
15638 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
15639 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
15640 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
15641 		     info->tsf_bssid)))
15642 		goto nla_put_failure;
15643 
15644 	return 0;
15645  nla_put_failure:
15646 	return -ENOBUFS;
15647 }
15648 
15649 static int nl80211_prep_scan_msg(struct sk_buff *msg,
15650 				 struct cfg80211_registered_device *rdev,
15651 				 struct wireless_dev *wdev,
15652 				 u32 portid, u32 seq, int flags,
15653 				 u32 cmd)
15654 {
15655 	void *hdr;
15656 
15657 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
15658 	if (!hdr)
15659 		return -1;
15660 
15661 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15662 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15663 					 wdev->netdev->ifindex)) ||
15664 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15665 			      NL80211_ATTR_PAD))
15666 		goto nla_put_failure;
15667 
15668 	/* ignore errors and send incomplete event anyway */
15669 	nl80211_add_scan_req(msg, rdev);
15670 
15671 	genlmsg_end(msg, hdr);
15672 	return 0;
15673 
15674  nla_put_failure:
15675 	genlmsg_cancel(msg, hdr);
15676 	return -EMSGSIZE;
15677 }
15678 
15679 static int
15680 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
15681 			    struct cfg80211_sched_scan_request *req, u32 cmd)
15682 {
15683 	void *hdr;
15684 
15685 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15686 	if (!hdr)
15687 		return -1;
15688 
15689 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
15690 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
15691 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
15692 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
15693 			      NL80211_ATTR_PAD))
15694 		goto nla_put_failure;
15695 
15696 	genlmsg_end(msg, hdr);
15697 	return 0;
15698 
15699  nla_put_failure:
15700 	genlmsg_cancel(msg, hdr);
15701 	return -EMSGSIZE;
15702 }
15703 
15704 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
15705 			     struct wireless_dev *wdev)
15706 {
15707 	struct sk_buff *msg;
15708 
15709 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15710 	if (!msg)
15711 		return;
15712 
15713 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15714 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
15715 		nlmsg_free(msg);
15716 		return;
15717 	}
15718 
15719 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15720 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15721 }
15722 
15723 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
15724 				       struct wireless_dev *wdev, bool aborted)
15725 {
15726 	struct sk_buff *msg;
15727 
15728 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15729 	if (!msg)
15730 		return NULL;
15731 
15732 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15733 				  aborted ? NL80211_CMD_SCAN_ABORTED :
15734 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
15735 		nlmsg_free(msg);
15736 		return NULL;
15737 	}
15738 
15739 	return msg;
15740 }
15741 
15742 /* send message created by nl80211_build_scan_msg() */
15743 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
15744 			   struct sk_buff *msg)
15745 {
15746 	if (!msg)
15747 		return;
15748 
15749 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15750 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15751 }
15752 
15753 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
15754 {
15755 	struct sk_buff *msg;
15756 
15757 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15758 	if (!msg)
15759 		return;
15760 
15761 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
15762 		nlmsg_free(msg);
15763 		return;
15764 	}
15765 
15766 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
15767 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15768 }
15769 
15770 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
15771 					  struct regulatory_request *request)
15772 {
15773 	/* Userspace can always count this one always being set */
15774 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
15775 		goto nla_put_failure;
15776 
15777 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
15778 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15779 			       NL80211_REGDOM_TYPE_WORLD))
15780 			goto nla_put_failure;
15781 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
15782 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15783 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
15784 			goto nla_put_failure;
15785 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
15786 		   request->intersect) {
15787 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15788 			       NL80211_REGDOM_TYPE_INTERSECTION))
15789 			goto nla_put_failure;
15790 	} else {
15791 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15792 			       NL80211_REGDOM_TYPE_COUNTRY) ||
15793 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
15794 				   request->alpha2))
15795 			goto nla_put_failure;
15796 	}
15797 
15798 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
15799 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
15800 
15801 		if (wiphy &&
15802 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
15803 			goto nla_put_failure;
15804 
15805 		if (wiphy &&
15806 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
15807 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
15808 			goto nla_put_failure;
15809 	}
15810 
15811 	return true;
15812 
15813 nla_put_failure:
15814 	return false;
15815 }
15816 
15817 /*
15818  * This can happen on global regulatory changes or device specific settings
15819  * based on custom regulatory domains.
15820  */
15821 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
15822 				     struct regulatory_request *request)
15823 {
15824 	struct sk_buff *msg;
15825 	void *hdr;
15826 
15827 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15828 	if (!msg)
15829 		return;
15830 
15831 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
15832 	if (!hdr)
15833 		goto nla_put_failure;
15834 
15835 	if (!nl80211_reg_change_event_fill(msg, request))
15836 		goto nla_put_failure;
15837 
15838 	genlmsg_end(msg, hdr);
15839 
15840 	rcu_read_lock();
15841 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15842 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15843 	rcu_read_unlock();
15844 
15845 	return;
15846 
15847 nla_put_failure:
15848 	nlmsg_free(msg);
15849 }
15850 
15851 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15852 				    struct net_device *netdev,
15853 				    const u8 *buf, size_t len,
15854 				    enum nl80211_commands cmd, gfp_t gfp,
15855 				    int uapsd_queues, const u8 *req_ies,
15856 				    size_t req_ies_len)
15857 {
15858 	struct sk_buff *msg;
15859 	void *hdr;
15860 
15861 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15862 	if (!msg)
15863 		return;
15864 
15865 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15866 	if (!hdr) {
15867 		nlmsg_free(msg);
15868 		return;
15869 	}
15870 
15871 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15872 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15873 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15874 	    (req_ies &&
15875 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15876 		goto nla_put_failure;
15877 
15878 	if (uapsd_queues >= 0) {
15879 		struct nlattr *nla_wmm =
15880 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15881 		if (!nla_wmm)
15882 			goto nla_put_failure;
15883 
15884 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15885 			       uapsd_queues))
15886 			goto nla_put_failure;
15887 
15888 		nla_nest_end(msg, nla_wmm);
15889 	}
15890 
15891 	genlmsg_end(msg, hdr);
15892 
15893 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15894 				NL80211_MCGRP_MLME, gfp);
15895 	return;
15896 
15897  nla_put_failure:
15898 	nlmsg_free(msg);
15899 }
15900 
15901 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15902 			  struct net_device *netdev, const u8 *buf,
15903 			  size_t len, gfp_t gfp)
15904 {
15905 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15906 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15907 }
15908 
15909 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15910 			   struct net_device *netdev, const u8 *buf,
15911 			   size_t len, gfp_t gfp, int uapsd_queues,
15912 			   const u8 *req_ies, size_t req_ies_len)
15913 {
15914 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15915 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15916 				req_ies, req_ies_len);
15917 }
15918 
15919 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15920 			 struct net_device *netdev, const u8 *buf,
15921 			 size_t len, gfp_t gfp)
15922 {
15923 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15924 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15925 }
15926 
15927 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15928 			   struct net_device *netdev, const u8 *buf,
15929 			   size_t len, gfp_t gfp)
15930 {
15931 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15932 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15933 }
15934 
15935 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15936 				  size_t len)
15937 {
15938 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15939 	struct wiphy *wiphy = wdev->wiphy;
15940 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15941 	const struct ieee80211_mgmt *mgmt = (void *)buf;
15942 	u32 cmd;
15943 
15944 	if (WARN_ON(len < 2))
15945 		return;
15946 
15947 	if (ieee80211_is_deauth(mgmt->frame_control)) {
15948 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15949 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
15950 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15951 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
15952 		if (wdev->unprot_beacon_reported &&
15953 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
15954 			return;
15955 		cmd = NL80211_CMD_UNPROT_BEACON;
15956 		wdev->unprot_beacon_reported = jiffies;
15957 	} else {
15958 		return;
15959 	}
15960 
15961 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
15962 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
15963 				NULL, 0);
15964 }
15965 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
15966 
15967 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
15968 				      struct net_device *netdev, int cmd,
15969 				      const u8 *addr, gfp_t gfp)
15970 {
15971 	struct sk_buff *msg;
15972 	void *hdr;
15973 
15974 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15975 	if (!msg)
15976 		return;
15977 
15978 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15979 	if (!hdr) {
15980 		nlmsg_free(msg);
15981 		return;
15982 	}
15983 
15984 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15985 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15986 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15987 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15988 		goto nla_put_failure;
15989 
15990 	genlmsg_end(msg, hdr);
15991 
15992 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15993 				NL80211_MCGRP_MLME, gfp);
15994 	return;
15995 
15996  nla_put_failure:
15997 	nlmsg_free(msg);
15998 }
15999 
16000 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16001 			       struct net_device *netdev, const u8 *addr,
16002 			       gfp_t gfp)
16003 {
16004 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16005 				  addr, gfp);
16006 }
16007 
16008 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16009 				struct net_device *netdev, const u8 *addr,
16010 				gfp_t gfp)
16011 {
16012 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16013 				  addr, gfp);
16014 }
16015 
16016 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16017 				 struct net_device *netdev,
16018 				 struct cfg80211_connect_resp_params *cr,
16019 				 gfp_t gfp)
16020 {
16021 	struct sk_buff *msg;
16022 	void *hdr;
16023 
16024 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16025 			cr->fils.kek_len + cr->fils.pmk_len +
16026 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16027 	if (!msg)
16028 		return;
16029 
16030 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16031 	if (!hdr) {
16032 		nlmsg_free(msg);
16033 		return;
16034 	}
16035 
16036 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16037 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16038 	    (cr->bssid &&
16039 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16040 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16041 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16042 			cr->status) ||
16043 	    (cr->status < 0 &&
16044 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16045 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16046 			  cr->timeout_reason))) ||
16047 	    (cr->req_ie &&
16048 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16049 	    (cr->resp_ie &&
16050 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16051 		     cr->resp_ie)) ||
16052 	    (cr->fils.update_erp_next_seq_num &&
16053 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16054 			 cr->fils.erp_next_seq_num)) ||
16055 	    (cr->status == WLAN_STATUS_SUCCESS &&
16056 	     ((cr->fils.kek &&
16057 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16058 		       cr->fils.kek)) ||
16059 	      (cr->fils.pmk &&
16060 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16061 	      (cr->fils.pmkid &&
16062 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16063 		goto nla_put_failure;
16064 
16065 	genlmsg_end(msg, hdr);
16066 
16067 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16068 				NL80211_MCGRP_MLME, gfp);
16069 	return;
16070 
16071  nla_put_failure:
16072 	nlmsg_free(msg);
16073 }
16074 
16075 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16076 			 struct net_device *netdev,
16077 			 struct cfg80211_roam_info *info, gfp_t gfp)
16078 {
16079 	struct sk_buff *msg;
16080 	void *hdr;
16081 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16082 
16083 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16084 			info->fils.kek_len + info->fils.pmk_len +
16085 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16086 	if (!msg)
16087 		return;
16088 
16089 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16090 	if (!hdr) {
16091 		nlmsg_free(msg);
16092 		return;
16093 	}
16094 
16095 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16096 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16097 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16098 	    (info->req_ie &&
16099 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16100 		     info->req_ie)) ||
16101 	    (info->resp_ie &&
16102 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16103 		     info->resp_ie)) ||
16104 	    (info->fils.update_erp_next_seq_num &&
16105 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16106 			 info->fils.erp_next_seq_num)) ||
16107 	    (info->fils.kek &&
16108 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16109 		     info->fils.kek)) ||
16110 	    (info->fils.pmk &&
16111 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16112 	    (info->fils.pmkid &&
16113 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16114 		goto nla_put_failure;
16115 
16116 	genlmsg_end(msg, hdr);
16117 
16118 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16119 				NL80211_MCGRP_MLME, gfp);
16120 	return;
16121 
16122  nla_put_failure:
16123 	nlmsg_free(msg);
16124 }
16125 
16126 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16127 				  struct net_device *netdev, const u8 *bssid)
16128 {
16129 	struct sk_buff *msg;
16130 	void *hdr;
16131 
16132 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16133 	if (!msg)
16134 		return;
16135 
16136 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16137 	if (!hdr) {
16138 		nlmsg_free(msg);
16139 		return;
16140 	}
16141 
16142 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16143 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16144 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16145 		goto nla_put_failure;
16146 
16147 	genlmsg_end(msg, hdr);
16148 
16149 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16150 				NL80211_MCGRP_MLME, GFP_KERNEL);
16151 	return;
16152 
16153  nla_put_failure:
16154 	nlmsg_free(msg);
16155 }
16156 
16157 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16158 			       struct net_device *netdev, u16 reason,
16159 			       const u8 *ie, size_t ie_len, bool from_ap)
16160 {
16161 	struct sk_buff *msg;
16162 	void *hdr;
16163 
16164 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16165 	if (!msg)
16166 		return;
16167 
16168 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16169 	if (!hdr) {
16170 		nlmsg_free(msg);
16171 		return;
16172 	}
16173 
16174 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16175 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16176 	    (reason &&
16177 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16178 	    (from_ap &&
16179 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16180 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16181 		goto nla_put_failure;
16182 
16183 	genlmsg_end(msg, hdr);
16184 
16185 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16186 				NL80211_MCGRP_MLME, GFP_KERNEL);
16187 	return;
16188 
16189  nla_put_failure:
16190 	nlmsg_free(msg);
16191 }
16192 
16193 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16194 			     struct net_device *netdev, const u8 *bssid,
16195 			     gfp_t gfp)
16196 {
16197 	struct sk_buff *msg;
16198 	void *hdr;
16199 
16200 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16201 	if (!msg)
16202 		return;
16203 
16204 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16205 	if (!hdr) {
16206 		nlmsg_free(msg);
16207 		return;
16208 	}
16209 
16210 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16211 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16212 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16213 		goto nla_put_failure;
16214 
16215 	genlmsg_end(msg, hdr);
16216 
16217 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16218 				NL80211_MCGRP_MLME, gfp);
16219 	return;
16220 
16221  nla_put_failure:
16222 	nlmsg_free(msg);
16223 }
16224 
16225 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16226 					const u8 *ie, u8 ie_len,
16227 					int sig_dbm, gfp_t gfp)
16228 {
16229 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16230 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16231 	struct sk_buff *msg;
16232 	void *hdr;
16233 
16234 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16235 		return;
16236 
16237 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16238 
16239 	msg = nlmsg_new(100 + ie_len, gfp);
16240 	if (!msg)
16241 		return;
16242 
16243 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16244 	if (!hdr) {
16245 		nlmsg_free(msg);
16246 		return;
16247 	}
16248 
16249 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16250 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16251 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16252 	    (ie_len && ie &&
16253 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16254 	    (sig_dbm &&
16255 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16256 		goto nla_put_failure;
16257 
16258 	genlmsg_end(msg, hdr);
16259 
16260 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16261 				NL80211_MCGRP_MLME, gfp);
16262 	return;
16263 
16264  nla_put_failure:
16265 	nlmsg_free(msg);
16266 }
16267 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16268 
16269 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16270 				 struct net_device *netdev, const u8 *addr,
16271 				 enum nl80211_key_type key_type, int key_id,
16272 				 const u8 *tsc, gfp_t gfp)
16273 {
16274 	struct sk_buff *msg;
16275 	void *hdr;
16276 
16277 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16278 	if (!msg)
16279 		return;
16280 
16281 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16282 	if (!hdr) {
16283 		nlmsg_free(msg);
16284 		return;
16285 	}
16286 
16287 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16288 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16289 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16290 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16291 	    (key_id != -1 &&
16292 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16293 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16294 		goto nla_put_failure;
16295 
16296 	genlmsg_end(msg, hdr);
16297 
16298 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16299 				NL80211_MCGRP_MLME, gfp);
16300 	return;
16301 
16302  nla_put_failure:
16303 	nlmsg_free(msg);
16304 }
16305 
16306 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16307 				    struct ieee80211_channel *channel_before,
16308 				    struct ieee80211_channel *channel_after)
16309 {
16310 	struct sk_buff *msg;
16311 	void *hdr;
16312 	struct nlattr *nl_freq;
16313 
16314 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16315 	if (!msg)
16316 		return;
16317 
16318 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16319 	if (!hdr) {
16320 		nlmsg_free(msg);
16321 		return;
16322 	}
16323 
16324 	/*
16325 	 * Since we are applying the beacon hint to a wiphy we know its
16326 	 * wiphy_idx is valid
16327 	 */
16328 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16329 		goto nla_put_failure;
16330 
16331 	/* Before */
16332 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16333 	if (!nl_freq)
16334 		goto nla_put_failure;
16335 
16336 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16337 		goto nla_put_failure;
16338 	nla_nest_end(msg, nl_freq);
16339 
16340 	/* After */
16341 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16342 	if (!nl_freq)
16343 		goto nla_put_failure;
16344 
16345 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16346 		goto nla_put_failure;
16347 	nla_nest_end(msg, nl_freq);
16348 
16349 	genlmsg_end(msg, hdr);
16350 
16351 	rcu_read_lock();
16352 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16353 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16354 	rcu_read_unlock();
16355 
16356 	return;
16357 
16358 nla_put_failure:
16359 	nlmsg_free(msg);
16360 }
16361 
16362 static void nl80211_send_remain_on_chan_event(
16363 	int cmd, struct cfg80211_registered_device *rdev,
16364 	struct wireless_dev *wdev, u64 cookie,
16365 	struct ieee80211_channel *chan,
16366 	unsigned int duration, gfp_t gfp)
16367 {
16368 	struct sk_buff *msg;
16369 	void *hdr;
16370 
16371 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16372 	if (!msg)
16373 		return;
16374 
16375 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16376 	if (!hdr) {
16377 		nlmsg_free(msg);
16378 		return;
16379 	}
16380 
16381 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16382 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16383 					 wdev->netdev->ifindex)) ||
16384 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16385 			      NL80211_ATTR_PAD) ||
16386 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
16387 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
16388 			NL80211_CHAN_NO_HT) ||
16389 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16390 			      NL80211_ATTR_PAD))
16391 		goto nla_put_failure;
16392 
16393 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
16394 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
16395 		goto nla_put_failure;
16396 
16397 	genlmsg_end(msg, hdr);
16398 
16399 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16400 				NL80211_MCGRP_MLME, gfp);
16401 	return;
16402 
16403  nla_put_failure:
16404 	nlmsg_free(msg);
16405 }
16406 
16407 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
16408 			       struct ieee80211_channel *chan,
16409 			       unsigned int duration, gfp_t gfp)
16410 {
16411 	struct wiphy *wiphy = wdev->wiphy;
16412 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16413 
16414 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16415 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16416 					  rdev, wdev, cookie, chan,
16417 					  duration, gfp);
16418 }
16419 EXPORT_SYMBOL(cfg80211_ready_on_channel);
16420 
16421 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16422 					struct ieee80211_channel *chan,
16423 					gfp_t gfp)
16424 {
16425 	struct wiphy *wiphy = wdev->wiphy;
16426 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16427 
16428 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16429 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16430 					  rdev, wdev, cookie, chan, 0, gfp);
16431 }
16432 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16433 
16434 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16435 					struct ieee80211_channel *chan,
16436 					gfp_t gfp)
16437 {
16438 	struct wiphy *wiphy = wdev->wiphy;
16439 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16440 
16441 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16442 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16443 					  rdev, wdev, cookie, chan, 0, gfp);
16444 }
16445 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16446 
16447 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16448 		      struct station_info *sinfo, gfp_t gfp)
16449 {
16450 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16451 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16452 	struct sk_buff *msg;
16453 
16454 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16455 
16456 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16457 	if (!msg)
16458 		return;
16459 
16460 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16461 				 rdev, dev, mac_addr, sinfo) < 0) {
16462 		nlmsg_free(msg);
16463 		return;
16464 	}
16465 
16466 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16467 				NL80211_MCGRP_MLME, gfp);
16468 }
16469 EXPORT_SYMBOL(cfg80211_new_sta);
16470 
16471 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16472 			    struct station_info *sinfo, gfp_t gfp)
16473 {
16474 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16475 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16476 	struct sk_buff *msg;
16477 	struct station_info empty_sinfo = {};
16478 
16479 	if (!sinfo)
16480 		sinfo = &empty_sinfo;
16481 
16482 	trace_cfg80211_del_sta(dev, mac_addr);
16483 
16484 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16485 	if (!msg) {
16486 		cfg80211_sinfo_release_content(sinfo);
16487 		return;
16488 	}
16489 
16490 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16491 				 rdev, dev, mac_addr, sinfo) < 0) {
16492 		nlmsg_free(msg);
16493 		return;
16494 	}
16495 
16496 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16497 				NL80211_MCGRP_MLME, gfp);
16498 }
16499 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16500 
16501 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16502 			  enum nl80211_connect_failed_reason reason,
16503 			  gfp_t gfp)
16504 {
16505 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16506 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16507 	struct sk_buff *msg;
16508 	void *hdr;
16509 
16510 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16511 	if (!msg)
16512 		return;
16513 
16514 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16515 	if (!hdr) {
16516 		nlmsg_free(msg);
16517 		return;
16518 	}
16519 
16520 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16521 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16522 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16523 		goto nla_put_failure;
16524 
16525 	genlmsg_end(msg, hdr);
16526 
16527 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16528 				NL80211_MCGRP_MLME, gfp);
16529 	return;
16530 
16531  nla_put_failure:
16532 	nlmsg_free(msg);
16533 }
16534 EXPORT_SYMBOL(cfg80211_conn_failed);
16535 
16536 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16537 				       const u8 *addr, gfp_t gfp)
16538 {
16539 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16540 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16541 	struct sk_buff *msg;
16542 	void *hdr;
16543 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16544 
16545 	if (!nlportid)
16546 		return false;
16547 
16548 	msg = nlmsg_new(100, gfp);
16549 	if (!msg)
16550 		return true;
16551 
16552 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16553 	if (!hdr) {
16554 		nlmsg_free(msg);
16555 		return true;
16556 	}
16557 
16558 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16559 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16560 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16561 		goto nla_put_failure;
16562 
16563 	genlmsg_end(msg, hdr);
16564 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16565 	return true;
16566 
16567  nla_put_failure:
16568 	nlmsg_free(msg);
16569 	return true;
16570 }
16571 
16572 bool cfg80211_rx_spurious_frame(struct net_device *dev,
16573 				const u8 *addr, gfp_t gfp)
16574 {
16575 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16576 	bool ret;
16577 
16578 	trace_cfg80211_rx_spurious_frame(dev, addr);
16579 
16580 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16581 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16582 		trace_cfg80211_return_bool(false);
16583 		return false;
16584 	}
16585 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16586 					 addr, gfp);
16587 	trace_cfg80211_return_bool(ret);
16588 	return ret;
16589 }
16590 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16591 
16592 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16593 					const u8 *addr, gfp_t gfp)
16594 {
16595 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16596 	bool ret;
16597 
16598 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16599 
16600 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16601 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16602 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16603 		trace_cfg80211_return_bool(false);
16604 		return false;
16605 	}
16606 	ret = __nl80211_unexpected_frame(dev,
16607 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
16608 					 addr, gfp);
16609 	trace_cfg80211_return_bool(ret);
16610 	return ret;
16611 }
16612 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
16613 
16614 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
16615 		      struct wireless_dev *wdev, u32 nlportid,
16616 		      int freq, int sig_dbm,
16617 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
16618 {
16619 	struct net_device *netdev = wdev->netdev;
16620 	struct sk_buff *msg;
16621 	void *hdr;
16622 
16623 	msg = nlmsg_new(100 + len, gfp);
16624 	if (!msg)
16625 		return -ENOMEM;
16626 
16627 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16628 	if (!hdr) {
16629 		nlmsg_free(msg);
16630 		return -ENOMEM;
16631 	}
16632 
16633 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16634 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16635 					netdev->ifindex)) ||
16636 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16637 			      NL80211_ATTR_PAD) ||
16638 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
16639 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
16640 	    (sig_dbm &&
16641 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16642 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16643 	    (flags &&
16644 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
16645 		goto nla_put_failure;
16646 
16647 	genlmsg_end(msg, hdr);
16648 
16649 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16650 
16651  nla_put_failure:
16652 	nlmsg_free(msg);
16653 	return -ENOBUFS;
16654 }
16655 
16656 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
16657 				    const u8 *buf, size_t len, bool ack,
16658 				    gfp_t gfp, enum nl80211_commands command)
16659 {
16660 	struct wiphy *wiphy = wdev->wiphy;
16661 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16662 	struct net_device *netdev = wdev->netdev;
16663 	struct sk_buff *msg;
16664 	void *hdr;
16665 
16666 	if (command == NL80211_CMD_FRAME_TX_STATUS)
16667 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
16668 	else
16669 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
16670 
16671 	msg = nlmsg_new(100 + len, gfp);
16672 	if (!msg)
16673 		return;
16674 
16675 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
16676 	if (!hdr) {
16677 		nlmsg_free(msg);
16678 		return;
16679 	}
16680 
16681 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16682 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16683 				   netdev->ifindex)) ||
16684 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16685 			      NL80211_ATTR_PAD) ||
16686 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16687 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16688 			      NL80211_ATTR_PAD) ||
16689 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
16690 		goto nla_put_failure;
16691 
16692 	genlmsg_end(msg, hdr);
16693 
16694 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16695 				NL80211_MCGRP_MLME, gfp);
16696 	return;
16697 
16698 nla_put_failure:
16699 	nlmsg_free(msg);
16700 }
16701 
16702 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
16703 				     const u8 *buf, size_t len, bool ack,
16704 				     gfp_t gfp)
16705 {
16706 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16707 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
16708 }
16709 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
16710 
16711 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
16712 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
16713 {
16714 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16715 				NL80211_CMD_FRAME_TX_STATUS);
16716 }
16717 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
16718 
16719 static int __nl80211_rx_control_port(struct net_device *dev,
16720 				     struct sk_buff *skb,
16721 				     bool unencrypted, gfp_t gfp)
16722 {
16723 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16724 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16725 	struct ethhdr *ehdr = eth_hdr(skb);
16726 	const u8 *addr = ehdr->h_source;
16727 	u16 proto = be16_to_cpu(skb->protocol);
16728 	struct sk_buff *msg;
16729 	void *hdr;
16730 	struct nlattr *frame;
16731 
16732 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
16733 
16734 	if (!nlportid)
16735 		return -ENOENT;
16736 
16737 	msg = nlmsg_new(100 + skb->len, gfp);
16738 	if (!msg)
16739 		return -ENOMEM;
16740 
16741 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
16742 	if (!hdr) {
16743 		nlmsg_free(msg);
16744 		return -ENOBUFS;
16745 	}
16746 
16747 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16748 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16749 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16750 			      NL80211_ATTR_PAD) ||
16751 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16752 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
16753 	    (unencrypted && nla_put_flag(msg,
16754 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
16755 		goto nla_put_failure;
16756 
16757 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
16758 	if (!frame)
16759 		goto nla_put_failure;
16760 
16761 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
16762 	genlmsg_end(msg, hdr);
16763 
16764 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16765 
16766  nla_put_failure:
16767 	nlmsg_free(msg);
16768 	return -ENOBUFS;
16769 }
16770 
16771 bool cfg80211_rx_control_port(struct net_device *dev,
16772 			      struct sk_buff *skb, bool unencrypted)
16773 {
16774 	int ret;
16775 
16776 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
16777 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
16778 	trace_cfg80211_return_bool(ret == 0);
16779 	return ret == 0;
16780 }
16781 EXPORT_SYMBOL(cfg80211_rx_control_port);
16782 
16783 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
16784 					    const char *mac, gfp_t gfp)
16785 {
16786 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16787 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16788 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16789 	void **cb;
16790 
16791 	if (!msg)
16792 		return NULL;
16793 
16794 	cb = (void **)msg->cb;
16795 
16796 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
16797 	if (!cb[0]) {
16798 		nlmsg_free(msg);
16799 		return NULL;
16800 	}
16801 
16802 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16803 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16804 		goto nla_put_failure;
16805 
16806 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16807 		goto nla_put_failure;
16808 
16809 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
16810 	if (!cb[1])
16811 		goto nla_put_failure;
16812 
16813 	cb[2] = rdev;
16814 
16815 	return msg;
16816  nla_put_failure:
16817 	nlmsg_free(msg);
16818 	return NULL;
16819 }
16820 
16821 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
16822 {
16823 	void **cb = (void **)msg->cb;
16824 	struct cfg80211_registered_device *rdev = cb[2];
16825 
16826 	nla_nest_end(msg, cb[1]);
16827 	genlmsg_end(msg, cb[0]);
16828 
16829 	memset(msg->cb, 0, sizeof(msg->cb));
16830 
16831 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16832 				NL80211_MCGRP_MLME, gfp);
16833 }
16834 
16835 void cfg80211_cqm_rssi_notify(struct net_device *dev,
16836 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
16837 			      s32 rssi_level, gfp_t gfp)
16838 {
16839 	struct sk_buff *msg;
16840 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16841 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16842 
16843 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
16844 
16845 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
16846 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
16847 		return;
16848 
16849 	if (wdev->cqm_config) {
16850 		wdev->cqm_config->last_rssi_event_value = rssi_level;
16851 
16852 		cfg80211_cqm_rssi_update(rdev, dev);
16853 
16854 		if (rssi_level == 0)
16855 			rssi_level = wdev->cqm_config->last_rssi_event_value;
16856 	}
16857 
16858 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16859 	if (!msg)
16860 		return;
16861 
16862 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
16863 			rssi_event))
16864 		goto nla_put_failure;
16865 
16866 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16867 				      rssi_level))
16868 		goto nla_put_failure;
16869 
16870 	cfg80211_send_cqm(msg, gfp);
16871 
16872 	return;
16873 
16874  nla_put_failure:
16875 	nlmsg_free(msg);
16876 }
16877 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16878 
16879 void cfg80211_cqm_txe_notify(struct net_device *dev,
16880 			     const u8 *peer, u32 num_packets,
16881 			     u32 rate, u32 intvl, gfp_t gfp)
16882 {
16883 	struct sk_buff *msg;
16884 
16885 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16886 	if (!msg)
16887 		return;
16888 
16889 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16890 		goto nla_put_failure;
16891 
16892 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16893 		goto nla_put_failure;
16894 
16895 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16896 		goto nla_put_failure;
16897 
16898 	cfg80211_send_cqm(msg, gfp);
16899 	return;
16900 
16901  nla_put_failure:
16902 	nlmsg_free(msg);
16903 }
16904 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16905 
16906 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16907 				 const u8 *peer, u32 num_packets, gfp_t gfp)
16908 {
16909 	struct sk_buff *msg;
16910 
16911 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16912 
16913 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16914 	if (!msg)
16915 		return;
16916 
16917 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16918 		goto nla_put_failure;
16919 
16920 	cfg80211_send_cqm(msg, gfp);
16921 	return;
16922 
16923  nla_put_failure:
16924 	nlmsg_free(msg);
16925 }
16926 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16927 
16928 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16929 {
16930 	struct sk_buff *msg;
16931 
16932 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16933 	if (!msg)
16934 		return;
16935 
16936 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16937 		goto nla_put_failure;
16938 
16939 	cfg80211_send_cqm(msg, gfp);
16940 	return;
16941 
16942  nla_put_failure:
16943 	nlmsg_free(msg);
16944 }
16945 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16946 
16947 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16948 				     struct net_device *netdev, const u8 *bssid,
16949 				     const u8 *replay_ctr, gfp_t gfp)
16950 {
16951 	struct sk_buff *msg;
16952 	struct nlattr *rekey_attr;
16953 	void *hdr;
16954 
16955 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16956 	if (!msg)
16957 		return;
16958 
16959 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
16960 	if (!hdr) {
16961 		nlmsg_free(msg);
16962 		return;
16963 	}
16964 
16965 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16966 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16967 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16968 		goto nla_put_failure;
16969 
16970 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
16971 	if (!rekey_attr)
16972 		goto nla_put_failure;
16973 
16974 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
16975 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
16976 		goto nla_put_failure;
16977 
16978 	nla_nest_end(msg, rekey_attr);
16979 
16980 	genlmsg_end(msg, hdr);
16981 
16982 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16983 				NL80211_MCGRP_MLME, gfp);
16984 	return;
16985 
16986  nla_put_failure:
16987 	nlmsg_free(msg);
16988 }
16989 
16990 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
16991 			       const u8 *replay_ctr, gfp_t gfp)
16992 {
16993 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16994 	struct wiphy *wiphy = wdev->wiphy;
16995 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16996 
16997 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
16998 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
16999 }
17000 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17001 
17002 static void
17003 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17004 			       struct net_device *netdev, int index,
17005 			       const u8 *bssid, bool preauth, gfp_t gfp)
17006 {
17007 	struct sk_buff *msg;
17008 	struct nlattr *attr;
17009 	void *hdr;
17010 
17011 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17012 	if (!msg)
17013 		return;
17014 
17015 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17016 	if (!hdr) {
17017 		nlmsg_free(msg);
17018 		return;
17019 	}
17020 
17021 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17022 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17023 		goto nla_put_failure;
17024 
17025 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17026 	if (!attr)
17027 		goto nla_put_failure;
17028 
17029 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17030 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17031 	    (preauth &&
17032 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17033 		goto nla_put_failure;
17034 
17035 	nla_nest_end(msg, attr);
17036 
17037 	genlmsg_end(msg, hdr);
17038 
17039 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17040 				NL80211_MCGRP_MLME, gfp);
17041 	return;
17042 
17043  nla_put_failure:
17044 	nlmsg_free(msg);
17045 }
17046 
17047 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17048 				     const u8 *bssid, bool preauth, gfp_t gfp)
17049 {
17050 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17051 	struct wiphy *wiphy = wdev->wiphy;
17052 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17053 
17054 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17055 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17056 }
17057 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17058 
17059 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17060 				     struct net_device *netdev,
17061 				     struct cfg80211_chan_def *chandef,
17062 				     gfp_t gfp,
17063 				     enum nl80211_commands notif,
17064 				     u8 count)
17065 {
17066 	struct sk_buff *msg;
17067 	void *hdr;
17068 
17069 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17070 	if (!msg)
17071 		return;
17072 
17073 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17074 	if (!hdr) {
17075 		nlmsg_free(msg);
17076 		return;
17077 	}
17078 
17079 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17080 		goto nla_put_failure;
17081 
17082 	if (nl80211_send_chandef(msg, chandef))
17083 		goto nla_put_failure;
17084 
17085 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
17086 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
17087 			goto nla_put_failure;
17088 
17089 	genlmsg_end(msg, hdr);
17090 
17091 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17092 				NL80211_MCGRP_MLME, gfp);
17093 	return;
17094 
17095  nla_put_failure:
17096 	nlmsg_free(msg);
17097 }
17098 
17099 void cfg80211_ch_switch_notify(struct net_device *dev,
17100 			       struct cfg80211_chan_def *chandef)
17101 {
17102 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17103 	struct wiphy *wiphy = wdev->wiphy;
17104 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17105 
17106 	ASSERT_WDEV_LOCK(wdev);
17107 
17108 	trace_cfg80211_ch_switch_notify(dev, chandef);
17109 
17110 	wdev->chandef = *chandef;
17111 	wdev->preset_chandef = *chandef;
17112 
17113 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
17114 	    !WARN_ON(!wdev->current_bss))
17115 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17116 
17117 	cfg80211_sched_dfs_chan_update(rdev);
17118 
17119 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17120 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
17121 }
17122 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17123 
17124 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17125 				       struct cfg80211_chan_def *chandef,
17126 				       u8 count)
17127 {
17128 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17129 	struct wiphy *wiphy = wdev->wiphy;
17130 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17131 
17132 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17133 
17134 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17135 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
17136 }
17137 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17138 
17139 void
17140 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17141 		     const struct cfg80211_chan_def *chandef,
17142 		     enum nl80211_radar_event event,
17143 		     struct net_device *netdev, gfp_t gfp)
17144 {
17145 	struct sk_buff *msg;
17146 	void *hdr;
17147 
17148 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17149 	if (!msg)
17150 		return;
17151 
17152 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17153 	if (!hdr) {
17154 		nlmsg_free(msg);
17155 		return;
17156 	}
17157 
17158 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17159 		goto nla_put_failure;
17160 
17161 	/* NOP and radar events don't need a netdev parameter */
17162 	if (netdev) {
17163 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17164 
17165 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17166 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17167 				      NL80211_ATTR_PAD))
17168 			goto nla_put_failure;
17169 	}
17170 
17171 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17172 		goto nla_put_failure;
17173 
17174 	if (nl80211_send_chandef(msg, chandef))
17175 		goto nla_put_failure;
17176 
17177 	genlmsg_end(msg, hdr);
17178 
17179 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17180 				NL80211_MCGRP_MLME, gfp);
17181 	return;
17182 
17183  nla_put_failure:
17184 	nlmsg_free(msg);
17185 }
17186 
17187 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17188 				       struct sta_opmode_info *sta_opmode,
17189 				       gfp_t gfp)
17190 {
17191 	struct sk_buff *msg;
17192 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17193 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17194 	void *hdr;
17195 
17196 	if (WARN_ON(!mac))
17197 		return;
17198 
17199 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17200 	if (!msg)
17201 		return;
17202 
17203 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17204 	if (!hdr) {
17205 		nlmsg_free(msg);
17206 		return;
17207 	}
17208 
17209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17210 		goto nla_put_failure;
17211 
17212 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17213 		goto nla_put_failure;
17214 
17215 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17216 		goto nla_put_failure;
17217 
17218 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17219 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17220 		goto nla_put_failure;
17221 
17222 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17223 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17224 		goto nla_put_failure;
17225 
17226 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17227 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17228 		goto nla_put_failure;
17229 
17230 	genlmsg_end(msg, hdr);
17231 
17232 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17233 				NL80211_MCGRP_MLME, gfp);
17234 
17235 	return;
17236 
17237 nla_put_failure:
17238 	nlmsg_free(msg);
17239 }
17240 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17241 
17242 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17243 			   u64 cookie, bool acked, s32 ack_signal,
17244 			   bool is_valid_ack_signal, gfp_t gfp)
17245 {
17246 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17247 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17248 	struct sk_buff *msg;
17249 	void *hdr;
17250 
17251 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17252 
17253 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17254 
17255 	if (!msg)
17256 		return;
17257 
17258 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17259 	if (!hdr) {
17260 		nlmsg_free(msg);
17261 		return;
17262 	}
17263 
17264 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17265 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17266 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17267 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17268 			      NL80211_ATTR_PAD) ||
17269 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17270 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17271 						ack_signal)))
17272 		goto nla_put_failure;
17273 
17274 	genlmsg_end(msg, hdr);
17275 
17276 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17277 				NL80211_MCGRP_MLME, gfp);
17278 	return;
17279 
17280  nla_put_failure:
17281 	nlmsg_free(msg);
17282 }
17283 EXPORT_SYMBOL(cfg80211_probe_status);
17284 
17285 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17286 				     size_t len, int freq, int sig_dbm)
17287 {
17288 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17289 	struct sk_buff *msg;
17290 	void *hdr;
17291 	struct cfg80211_beacon_registration *reg;
17292 
17293 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17294 
17295 	spin_lock_bh(&rdev->beacon_registrations_lock);
17296 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17297 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17298 		if (!msg) {
17299 			spin_unlock_bh(&rdev->beacon_registrations_lock);
17300 			return;
17301 		}
17302 
17303 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17304 		if (!hdr)
17305 			goto nla_put_failure;
17306 
17307 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17308 		    (freq &&
17309 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17310 				  KHZ_TO_MHZ(freq)) ||
17311 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17312 				  freq % 1000))) ||
17313 		    (sig_dbm &&
17314 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17315 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17316 			goto nla_put_failure;
17317 
17318 		genlmsg_end(msg, hdr);
17319 
17320 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
17321 	}
17322 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17323 	return;
17324 
17325  nla_put_failure:
17326 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17327 	nlmsg_free(msg);
17328 }
17329 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
17330 
17331 #ifdef CONFIG_PM
17332 static int cfg80211_net_detect_results(struct sk_buff *msg,
17333 				       struct cfg80211_wowlan_wakeup *wakeup)
17334 {
17335 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
17336 	struct nlattr *nl_results, *nl_match, *nl_freqs;
17337 	int i, j;
17338 
17339 	nl_results = nla_nest_start_noflag(msg,
17340 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
17341 	if (!nl_results)
17342 		return -EMSGSIZE;
17343 
17344 	for (i = 0; i < nd->n_matches; i++) {
17345 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
17346 
17347 		nl_match = nla_nest_start_noflag(msg, i);
17348 		if (!nl_match)
17349 			break;
17350 
17351 		/* The SSID attribute is optional in nl80211, but for
17352 		 * simplicity reasons it's always present in the
17353 		 * cfg80211 structure.  If a driver can't pass the
17354 		 * SSID, that needs to be changed.  A zero length SSID
17355 		 * is still a valid SSID (wildcard), so it cannot be
17356 		 * used for this purpose.
17357 		 */
17358 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
17359 			    match->ssid.ssid)) {
17360 			nla_nest_cancel(msg, nl_match);
17361 			goto out;
17362 		}
17363 
17364 		if (match->n_channels) {
17365 			nl_freqs = nla_nest_start_noflag(msg,
17366 							 NL80211_ATTR_SCAN_FREQUENCIES);
17367 			if (!nl_freqs) {
17368 				nla_nest_cancel(msg, nl_match);
17369 				goto out;
17370 			}
17371 
17372 			for (j = 0; j < match->n_channels; j++) {
17373 				if (nla_put_u32(msg, j, match->channels[j])) {
17374 					nla_nest_cancel(msg, nl_freqs);
17375 					nla_nest_cancel(msg, nl_match);
17376 					goto out;
17377 				}
17378 			}
17379 
17380 			nla_nest_end(msg, nl_freqs);
17381 		}
17382 
17383 		nla_nest_end(msg, nl_match);
17384 	}
17385 
17386 out:
17387 	nla_nest_end(msg, nl_results);
17388 	return 0;
17389 }
17390 
17391 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
17392 				   struct cfg80211_wowlan_wakeup *wakeup,
17393 				   gfp_t gfp)
17394 {
17395 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17396 	struct sk_buff *msg;
17397 	void *hdr;
17398 	int size = 200;
17399 
17400 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
17401 
17402 	if (wakeup)
17403 		size += wakeup->packet_present_len;
17404 
17405 	msg = nlmsg_new(size, gfp);
17406 	if (!msg)
17407 		return;
17408 
17409 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
17410 	if (!hdr)
17411 		goto free_msg;
17412 
17413 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17414 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17415 			      NL80211_ATTR_PAD))
17416 		goto free_msg;
17417 
17418 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17419 					wdev->netdev->ifindex))
17420 		goto free_msg;
17421 
17422 	if (wakeup) {
17423 		struct nlattr *reasons;
17424 
17425 		reasons = nla_nest_start_noflag(msg,
17426 						NL80211_ATTR_WOWLAN_TRIGGERS);
17427 		if (!reasons)
17428 			goto free_msg;
17429 
17430 		if (wakeup->disconnect &&
17431 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
17432 			goto free_msg;
17433 		if (wakeup->magic_pkt &&
17434 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17435 			goto free_msg;
17436 		if (wakeup->gtk_rekey_failure &&
17437 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17438 			goto free_msg;
17439 		if (wakeup->eap_identity_req &&
17440 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17441 			goto free_msg;
17442 		if (wakeup->four_way_handshake &&
17443 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17444 			goto free_msg;
17445 		if (wakeup->rfkill_release &&
17446 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17447 			goto free_msg;
17448 
17449 		if (wakeup->pattern_idx >= 0 &&
17450 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17451 				wakeup->pattern_idx))
17452 			goto free_msg;
17453 
17454 		if (wakeup->tcp_match &&
17455 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17456 			goto free_msg;
17457 
17458 		if (wakeup->tcp_connlost &&
17459 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17460 			goto free_msg;
17461 
17462 		if (wakeup->tcp_nomoretokens &&
17463 		    nla_put_flag(msg,
17464 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17465 			goto free_msg;
17466 
17467 		if (wakeup->packet) {
17468 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17469 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17470 
17471 			if (!wakeup->packet_80211) {
17472 				pkt_attr =
17473 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17474 				len_attr =
17475 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17476 			}
17477 
17478 			if (wakeup->packet_len &&
17479 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17480 				goto free_msg;
17481 
17482 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17483 				    wakeup->packet))
17484 				goto free_msg;
17485 		}
17486 
17487 		if (wakeup->net_detect &&
17488 		    cfg80211_net_detect_results(msg, wakeup))
17489 				goto free_msg;
17490 
17491 		nla_nest_end(msg, reasons);
17492 	}
17493 
17494 	genlmsg_end(msg, hdr);
17495 
17496 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17497 				NL80211_MCGRP_MLME, gfp);
17498 	return;
17499 
17500  free_msg:
17501 	nlmsg_free(msg);
17502 }
17503 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17504 #endif
17505 
17506 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17507 				enum nl80211_tdls_operation oper,
17508 				u16 reason_code, gfp_t gfp)
17509 {
17510 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17511 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17512 	struct sk_buff *msg;
17513 	void *hdr;
17514 
17515 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17516 					 reason_code);
17517 
17518 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17519 	if (!msg)
17520 		return;
17521 
17522 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17523 	if (!hdr) {
17524 		nlmsg_free(msg);
17525 		return;
17526 	}
17527 
17528 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17529 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17530 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17531 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17532 	    (reason_code > 0 &&
17533 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17534 		goto nla_put_failure;
17535 
17536 	genlmsg_end(msg, hdr);
17537 
17538 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17539 				NL80211_MCGRP_MLME, gfp);
17540 	return;
17541 
17542  nla_put_failure:
17543 	nlmsg_free(msg);
17544 }
17545 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17546 
17547 static int nl80211_netlink_notify(struct notifier_block * nb,
17548 				  unsigned long state,
17549 				  void *_notify)
17550 {
17551 	struct netlink_notify *notify = _notify;
17552 	struct cfg80211_registered_device *rdev;
17553 	struct wireless_dev *wdev;
17554 	struct cfg80211_beacon_registration *reg, *tmp;
17555 
17556 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
17557 		return NOTIFY_DONE;
17558 
17559 	rcu_read_lock();
17560 
17561 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
17562 		struct cfg80211_sched_scan_request *sched_scan_req;
17563 
17564 		list_for_each_entry_rcu(sched_scan_req,
17565 					&rdev->sched_scan_req_list,
17566 					list) {
17567 			if (sched_scan_req->owner_nlportid == notify->portid) {
17568 				sched_scan_req->nl_owner_dead = true;
17569 				schedule_work(&rdev->sched_scan_stop_wk);
17570 			}
17571 		}
17572 
17573 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
17574 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
17575 
17576 			if (wdev->owner_nlportid == notify->portid) {
17577 				wdev->nl_owner_dead = true;
17578 				schedule_work(&rdev->destroy_work);
17579 			} else if (wdev->conn_owner_nlportid == notify->portid) {
17580 				schedule_work(&wdev->disconnect_wk);
17581 			}
17582 
17583 			cfg80211_release_pmsr(wdev, notify->portid);
17584 		}
17585 
17586 		spin_lock_bh(&rdev->beacon_registrations_lock);
17587 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
17588 					 list) {
17589 			if (reg->nlportid == notify->portid) {
17590 				list_del(&reg->list);
17591 				kfree(reg);
17592 				break;
17593 			}
17594 		}
17595 		spin_unlock_bh(&rdev->beacon_registrations_lock);
17596 	}
17597 
17598 	rcu_read_unlock();
17599 
17600 	/*
17601 	 * It is possible that the user space process that is controlling the
17602 	 * indoor setting disappeared, so notify the regulatory core.
17603 	 */
17604 	regulatory_netlink_notify(notify->portid);
17605 	return NOTIFY_OK;
17606 }
17607 
17608 static struct notifier_block nl80211_netlink_notifier = {
17609 	.notifier_call = nl80211_netlink_notify,
17610 };
17611 
17612 void cfg80211_ft_event(struct net_device *netdev,
17613 		       struct cfg80211_ft_event_params *ft_event)
17614 {
17615 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17616 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17617 	struct sk_buff *msg;
17618 	void *hdr;
17619 
17620 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
17621 
17622 	if (!ft_event->target_ap)
17623 		return;
17624 
17625 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
17626 			GFP_KERNEL);
17627 	if (!msg)
17628 		return;
17629 
17630 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
17631 	if (!hdr)
17632 		goto out;
17633 
17634 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17635 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17636 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
17637 		goto out;
17638 
17639 	if (ft_event->ies &&
17640 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
17641 		goto out;
17642 	if (ft_event->ric_ies &&
17643 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
17644 		    ft_event->ric_ies))
17645 		goto out;
17646 
17647 	genlmsg_end(msg, hdr);
17648 
17649 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17650 				NL80211_MCGRP_MLME, GFP_KERNEL);
17651 	return;
17652  out:
17653 	nlmsg_free(msg);
17654 }
17655 EXPORT_SYMBOL(cfg80211_ft_event);
17656 
17657 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
17658 {
17659 	struct cfg80211_registered_device *rdev;
17660 	struct sk_buff *msg;
17661 	void *hdr;
17662 	u32 nlportid;
17663 
17664 	rdev = wiphy_to_rdev(wdev->wiphy);
17665 	if (!rdev->crit_proto_nlportid)
17666 		return;
17667 
17668 	nlportid = rdev->crit_proto_nlportid;
17669 	rdev->crit_proto_nlportid = 0;
17670 
17671 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17672 	if (!msg)
17673 		return;
17674 
17675 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
17676 	if (!hdr)
17677 		goto nla_put_failure;
17678 
17679 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17680 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17681 			      NL80211_ATTR_PAD))
17682 		goto nla_put_failure;
17683 
17684 	genlmsg_end(msg, hdr);
17685 
17686 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17687 	return;
17688 
17689  nla_put_failure:
17690 	nlmsg_free(msg);
17691 }
17692 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
17693 
17694 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
17695 {
17696 	struct wiphy *wiphy = wdev->wiphy;
17697 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17698 	struct sk_buff *msg;
17699 	void *hdr;
17700 
17701 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17702 	if (!msg)
17703 		return;
17704 
17705 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
17706 	if (!hdr)
17707 		goto out;
17708 
17709 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17710 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
17711 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17712 			      NL80211_ATTR_PAD))
17713 		goto out;
17714 
17715 	genlmsg_end(msg, hdr);
17716 
17717 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
17718 				NL80211_MCGRP_MLME, GFP_KERNEL);
17719 	return;
17720  out:
17721 	nlmsg_free(msg);
17722 }
17723 
17724 int cfg80211_external_auth_request(struct net_device *dev,
17725 				   struct cfg80211_external_auth_params *params,
17726 				   gfp_t gfp)
17727 {
17728 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17729 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17730 	struct sk_buff *msg;
17731 	void *hdr;
17732 
17733 	if (!wdev->conn_owner_nlportid)
17734 		return -EINVAL;
17735 
17736 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17737 	if (!msg)
17738 		return -ENOMEM;
17739 
17740 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
17741 	if (!hdr)
17742 		goto nla_put_failure;
17743 
17744 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17745 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17746 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
17747 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
17748 			params->action) ||
17749 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
17750 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
17751 		    params->ssid.ssid))
17752 		goto nla_put_failure;
17753 
17754 	genlmsg_end(msg, hdr);
17755 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17756 			wdev->conn_owner_nlportid);
17757 	return 0;
17758 
17759  nla_put_failure:
17760 	nlmsg_free(msg);
17761 	return -ENOBUFS;
17762 }
17763 EXPORT_SYMBOL(cfg80211_external_auth_request);
17764 
17765 void cfg80211_update_owe_info_event(struct net_device *netdev,
17766 				    struct cfg80211_update_owe_info *owe_info,
17767 				    gfp_t gfp)
17768 {
17769 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17770 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17771 	struct sk_buff *msg;
17772 	void *hdr;
17773 
17774 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
17775 
17776 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17777 	if (!msg)
17778 		return;
17779 
17780 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
17781 	if (!hdr)
17782 		goto nla_put_failure;
17783 
17784 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17785 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17786 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
17787 		goto nla_put_failure;
17788 
17789 	if (!owe_info->ie_len ||
17790 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
17791 		goto nla_put_failure;
17792 
17793 	genlmsg_end(msg, hdr);
17794 
17795 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17796 				NL80211_MCGRP_MLME, gfp);
17797 	return;
17798 
17799 nla_put_failure:
17800 	genlmsg_cancel(msg, hdr);
17801 	nlmsg_free(msg);
17802 }
17803 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
17804 
17805 /* initialisation/exit functions */
17806 
17807 int __init nl80211_init(void)
17808 {
17809 	int err;
17810 
17811 	err = genl_register_family(&nl80211_fam);
17812 	if (err)
17813 		return err;
17814 
17815 	err = netlink_register_notifier(&nl80211_netlink_notifier);
17816 	if (err)
17817 		goto err_out;
17818 
17819 	return 0;
17820  err_out:
17821 	genl_unregister_family(&nl80211_fam);
17822 	return err;
17823 }
17824 
17825 void nl80211_exit(void)
17826 {
17827 	netlink_unregister_notifier(&nl80211_netlink_notifier);
17828 	genl_unregister_family(&nl80211_fam);
17829 }
17830