xref: /openbmc/linux/net/wireless/nl80211.c (revision ac73d4bf) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
466 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
467 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
469 				      .len = 20-1 },
470 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
471 
472 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
473 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
475 						NL80211_EDMG_CHANNELS_MIN,
476 						NL80211_EDMG_CHANNELS_MAX),
477 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
478 						NL80211_EDMG_BW_CONFIG_MIN,
479 						NL80211_EDMG_BW_CONFIG_MAX),
480 
481 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
482 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
483 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
484 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
485 
486 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
487 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
488 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
489 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
490 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
491 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
492 
493 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
494 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
495 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
496 
497 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
498 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
499 
500 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
501 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
502 				    .len = WLAN_MAX_KEY_LEN },
503 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
504 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
505 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
506 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
507 	[NL80211_ATTR_KEY_TYPE] =
508 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
509 
510 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
511 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
512 	[NL80211_ATTR_BEACON_HEAD] =
513 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
514 				       IEEE80211_MAX_DATA_LEN),
515 	[NL80211_ATTR_BEACON_TAIL] =
516 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
517 				       IEEE80211_MAX_DATA_LEN),
518 	[NL80211_ATTR_STA_AID] =
519 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
520 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
521 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
522 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
523 					       .len = NL80211_MAX_SUPP_RATES },
524 	[NL80211_ATTR_STA_PLINK_ACTION] =
525 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
526 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
527 		NLA_POLICY_RANGE(NLA_U8,
528 				 NL80211_TX_POWER_AUTOMATIC,
529 				 NL80211_TX_POWER_FIXED),
530 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
531 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
532 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
533 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
534 				   .len = IEEE80211_MAX_MESH_ID_LEN },
535 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
536 
537 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
538 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
539 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
540 
541 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
542 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
543 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
544 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
545 					   .len = NL80211_MAX_SUPP_RATES },
546 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
547 
548 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
549 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
550 
551 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
552 
553 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
554 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
555 						   validate_ie_attr,
556 						   IEEE80211_MAX_DATA_LEN),
557 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
559 
560 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
561 				.len = IEEE80211_MAX_SSID_LEN },
562 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
563 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
564 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
565 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
566 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
567 						  NL80211_MFP_NO,
568 						  NL80211_MFP_OPTIONAL),
569 	[NL80211_ATTR_STA_FLAGS2] =
570 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
571 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
572 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
576 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
577 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
578 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
579 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
580 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
581 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
582 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
583 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
584 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
585 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
586 				 .len = IEEE80211_MAX_DATA_LEN },
587 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
588 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
589 						   NL80211_PS_DISABLED,
590 						   NL80211_PS_ENABLED),
591 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
592 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
593 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
594 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
595 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
596 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
597 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
598 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
599 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
600 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
601 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
602 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
603 	[NL80211_ATTR_STA_PLINK_STATE] =
604 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
605 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
606 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
607 	[NL80211_ATTR_MESH_PEER_AID] =
608 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
609 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
610 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
611 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
612 	[NL80211_ATTR_HIDDEN_SSID] =
613 		NLA_POLICY_RANGE(NLA_U32,
614 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
615 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
616 	[NL80211_ATTR_IE_PROBE_RESP] =
617 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
618 				       IEEE80211_MAX_DATA_LEN),
619 	[NL80211_ATTR_IE_ASSOC_RESP] =
620 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
621 				       IEEE80211_MAX_DATA_LEN),
622 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
623 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
624 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
627 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
628 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
629 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
630 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
632 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
633 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
634 				      .len = IEEE80211_MAX_DATA_LEN },
635 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
636 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
638 		.len = NL80211_HT_CAPABILITY_LEN
639 	},
640 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
641 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
642 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
643 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
644 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
645 
646 	/* need to include at least Auth Transaction and Status Code */
647 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
648 
649 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
650 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
651 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
652 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
653 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
654 		NLA_POLICY_RANGE(NLA_U32,
655 				 NL80211_MESH_POWER_UNKNOWN + 1,
656 				 NL80211_MESH_POWER_MAX),
657 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
658 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
659 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
660 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
661 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
662 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
663 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
664 		.len = NL80211_VHT_CAPABILITY_LEN,
665 	},
666 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
667 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
668 				  .len = IEEE80211_MAX_DATA_LEN },
669 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
670 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
671 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
672 	[NL80211_ATTR_PEER_AID] =
673 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
674 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
675 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
677 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
678 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
679 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
680 	/*
681 	 * The value of the Length field of the Supported Operating
682 	 * Classes element is between 2 and 253.
683 	 */
684 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
685 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
686 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
687 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
688 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
689 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
690 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
692 						  IEEE80211_QOS_MAP_LEN_MIN,
693 						  IEEE80211_QOS_MAP_LEN_MAX),
694 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
695 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
696 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
697 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
698 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
699 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
701 	[NL80211_ATTR_USER_PRIO] =
702 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
703 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
704 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
705 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
706 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
707 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
708 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
709 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
712 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
714 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
715 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
716 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
717 	},
718 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
719 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
720 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
721 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
723 				    .len = FILS_MAX_KEK_LEN },
724 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
725 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
726 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
727 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
728 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
729 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
730 	},
731 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
732 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
733 					     .len = FILS_ERP_MAX_USERNAME_LEN },
734 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
735 					  .len = FILS_ERP_MAX_REALM_LEN },
736 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
737 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
738 					.len = FILS_ERP_MAX_RRK_LEN },
739 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
740 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
741 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
742 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
744 
745 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
746 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
747 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
748 	[NL80211_ATTR_HE_CAPABILITY] =
749 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
750 				       NL80211_HE_MAX_CAPABILITY_LEN),
751 	[NL80211_ATTR_FTM_RESPONDER] =
752 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
753 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
754 	[NL80211_ATTR_PEER_MEASUREMENTS] =
755 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
756 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
757 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
758 					.len = SAE_PASSWORD_MAX_LEN },
759 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
761 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
762 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
763 	[NL80211_ATTR_TID_CONFIG] =
764 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
765 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
766 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
768 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
769 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
770 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
771 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
773 	[NL80211_ATTR_FILS_DISCOVERY] =
774 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
775 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
776 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
777 	[NL80211_ATTR_S1G_CAPABILITY] =
778 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
779 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
780 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
781 	[NL80211_ATTR_SAE_PWE] =
782 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
783 				 NL80211_SAE_PWE_BOTH),
784 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
785 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
786 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
787 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
788 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
789 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
790 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
791 	[NL80211_ATTR_MBSSID_CONFIG] =
792 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
793 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
794 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
795 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
796 	[NL80211_ATTR_EHT_CAPABILITY] =
797 		NLA_POLICY_RANGE(NLA_BINARY,
798 				 NL80211_EHT_MIN_CAPABILITY_LEN,
799 				 NL80211_EHT_MAX_CAPABILITY_LEN),
800 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_MLO_LINKS] =
802 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
803 	[NL80211_ATTR_MLO_LINK_ID] =
804 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
805 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
806 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
807 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
808 };
809 
810 /* policy for the key attributes */
811 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
812 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
813 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
814 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
815 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
816 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
817 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
818 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
819 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
820 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
821 };
822 
823 /* policy for the key default flags */
824 static const struct nla_policy
825 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
826 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
827 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
828 };
829 
830 #ifdef CONFIG_PM
831 /* policy for WoWLAN attributes */
832 static const struct nla_policy
833 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
834 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
835 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
836 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
837 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
838 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
839 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
840 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
841 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
842 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
843 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
844 };
845 
846 static const struct nla_policy
847 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
848 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
849 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
850 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
851 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
852 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
853 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
854 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
855 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
856 	},
857 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
858 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
859 	},
860 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
861 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
862 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
863 };
864 #endif /* CONFIG_PM */
865 
866 /* policy for coalesce rule attributes */
867 static const struct nla_policy
868 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
869 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
870 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
871 		NLA_POLICY_RANGE(NLA_U32,
872 				 NL80211_COALESCE_CONDITION_MATCH,
873 				 NL80211_COALESCE_CONDITION_NO_MATCH),
874 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
875 };
876 
877 /* policy for GTK rekey offload attributes */
878 static const struct nla_policy
879 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
880 	[NL80211_REKEY_DATA_KEK] = {
881 		.type = NLA_BINARY,
882 		.len = NL80211_KEK_EXT_LEN
883 	},
884 	[NL80211_REKEY_DATA_KCK] = {
885 		.type = NLA_BINARY,
886 		.len = NL80211_KCK_EXT_LEN
887 	},
888 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
889 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
890 };
891 
892 static const struct nla_policy
893 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
894 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
895 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
896 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
897 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
898 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
899 };
900 
901 static const struct nla_policy
902 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
903 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
904 						 .len = IEEE80211_MAX_SSID_LEN },
905 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
906 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
907 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
908 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
909 };
910 
911 static const struct nla_policy
912 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
913 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
914 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
915 };
916 
917 static const struct nla_policy
918 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
919 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
920 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
921 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
922 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
923 	},
924 };
925 
926 /* policy for NAN function attributes */
927 static const struct nla_policy
928 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
929 	[NL80211_NAN_FUNC_TYPE] =
930 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
931 	[NL80211_NAN_FUNC_SERVICE_ID] = {
932 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
933 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
934 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
935 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
936 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
937 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
938 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
939 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
940 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
941 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
942 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
943 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
944 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
945 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
946 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
948 };
949 
950 /* policy for Service Response Filter attributes */
951 static const struct nla_policy
952 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
953 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
954 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
955 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
956 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
957 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
958 };
959 
960 /* policy for packet pattern attributes */
961 static const struct nla_policy
962 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
963 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
964 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
965 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
966 };
967 
968 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
969 				     struct cfg80211_registered_device **rdev,
970 				     struct wireless_dev **wdev,
971 				     struct nlattr **attrbuf)
972 {
973 	int err;
974 
975 	if (!cb->args[0]) {
976 		struct nlattr **attrbuf_free = NULL;
977 
978 		if (!attrbuf) {
979 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
980 					  GFP_KERNEL);
981 			if (!attrbuf)
982 				return -ENOMEM;
983 			attrbuf_free = attrbuf;
984 		}
985 
986 		err = nlmsg_parse_deprecated(cb->nlh,
987 					     GENL_HDRLEN + nl80211_fam.hdrsize,
988 					     attrbuf, nl80211_fam.maxattr,
989 					     nl80211_policy, NULL);
990 		if (err) {
991 			kfree(attrbuf_free);
992 			return err;
993 		}
994 
995 		rtnl_lock();
996 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
997 						   attrbuf);
998 		kfree(attrbuf_free);
999 		if (IS_ERR(*wdev)) {
1000 			rtnl_unlock();
1001 			return PTR_ERR(*wdev);
1002 		}
1003 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1004 		mutex_lock(&(*rdev)->wiphy.mtx);
1005 		rtnl_unlock();
1006 		/* 0 is the first index - add 1 to parse only once */
1007 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1008 		cb->args[1] = (*wdev)->identifier;
1009 	} else {
1010 		/* subtract the 1 again here */
1011 		struct wiphy *wiphy;
1012 		struct wireless_dev *tmp;
1013 
1014 		rtnl_lock();
1015 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1016 		if (!wiphy) {
1017 			rtnl_unlock();
1018 			return -ENODEV;
1019 		}
1020 		*rdev = wiphy_to_rdev(wiphy);
1021 		*wdev = NULL;
1022 
1023 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1024 			if (tmp->identifier == cb->args[1]) {
1025 				*wdev = tmp;
1026 				break;
1027 			}
1028 		}
1029 
1030 		if (!*wdev) {
1031 			rtnl_unlock();
1032 			return -ENODEV;
1033 		}
1034 		mutex_lock(&(*rdev)->wiphy.mtx);
1035 		rtnl_unlock();
1036 	}
1037 
1038 	return 0;
1039 }
1040 
1041 /* message building helper */
1042 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1043 		     int flags, u8 cmd)
1044 {
1045 	/* since there is no private header just add the generic one */
1046 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1047 }
1048 
1049 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1050 				     const struct ieee80211_reg_rule *rule)
1051 {
1052 	int j;
1053 	struct nlattr *nl_wmm_rules =
1054 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1055 
1056 	if (!nl_wmm_rules)
1057 		goto nla_put_failure;
1058 
1059 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1060 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1061 
1062 		if (!nl_wmm_rule)
1063 			goto nla_put_failure;
1064 
1065 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1066 				rule->wmm_rule.client[j].cw_min) ||
1067 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1068 				rule->wmm_rule.client[j].cw_max) ||
1069 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1070 			       rule->wmm_rule.client[j].aifsn) ||
1071 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1072 			        rule->wmm_rule.client[j].cot))
1073 			goto nla_put_failure;
1074 
1075 		nla_nest_end(msg, nl_wmm_rule);
1076 	}
1077 	nla_nest_end(msg, nl_wmm_rules);
1078 
1079 	return 0;
1080 
1081 nla_put_failure:
1082 	return -ENOBUFS;
1083 }
1084 
1085 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1086 				   struct ieee80211_channel *chan,
1087 				   bool large)
1088 {
1089 	/* Some channels must be completely excluded from the
1090 	 * list to protect old user-space tools from breaking
1091 	 */
1092 	if (!large && chan->flags &
1093 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1094 		return 0;
1095 	if (!large && chan->freq_offset)
1096 		return 0;
1097 
1098 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1099 			chan->center_freq))
1100 		goto nla_put_failure;
1101 
1102 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1103 		goto nla_put_failure;
1104 
1105 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1106 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1107 		goto nla_put_failure;
1108 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1109 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1110 			goto nla_put_failure;
1111 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1112 			goto nla_put_failure;
1113 	}
1114 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1115 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1116 			goto nla_put_failure;
1117 		if (large) {
1118 			u32 time;
1119 
1120 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1121 
1122 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1123 					chan->dfs_state))
1124 				goto nla_put_failure;
1125 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1126 					time))
1127 				goto nla_put_failure;
1128 			if (nla_put_u32(msg,
1129 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1130 					chan->dfs_cac_ms))
1131 				goto nla_put_failure;
1132 		}
1133 	}
1134 
1135 	if (large) {
1136 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1137 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1138 			goto nla_put_failure;
1139 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1140 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1141 			goto nla_put_failure;
1142 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1143 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1144 			goto nla_put_failure;
1145 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1146 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1147 			goto nla_put_failure;
1148 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1149 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1150 			goto nla_put_failure;
1151 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1152 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1153 			goto nla_put_failure;
1154 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1155 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1156 			goto nla_put_failure;
1157 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1158 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1159 			goto nla_put_failure;
1160 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1161 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1162 			goto nla_put_failure;
1163 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1164 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1165 			goto nla_put_failure;
1166 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1167 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1168 			goto nla_put_failure;
1169 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1170 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1171 			goto nla_put_failure;
1172 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1173 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1174 			goto nla_put_failure;
1175 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1176 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1177 			goto nla_put_failure;
1178 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1179 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1180 			goto nla_put_failure;
1181 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1182 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1183 			goto nla_put_failure;
1184 	}
1185 
1186 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1187 			DBM_TO_MBM(chan->max_power)))
1188 		goto nla_put_failure;
1189 
1190 	if (large) {
1191 		const struct ieee80211_reg_rule *rule =
1192 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1193 
1194 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1195 			if (nl80211_msg_put_wmm_rules(msg, rule))
1196 				goto nla_put_failure;
1197 		}
1198 	}
1199 
1200 	return 0;
1201 
1202  nla_put_failure:
1203 	return -ENOBUFS;
1204 }
1205 
1206 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1207 				  struct cfg80211_txq_stats *txqstats,
1208 				  int attrtype)
1209 {
1210 	struct nlattr *txqattr;
1211 
1212 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1213 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1214 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1215 		return false;						  \
1216 	} while (0)
1217 
1218 	txqattr = nla_nest_start_noflag(msg, attrtype);
1219 	if (!txqattr)
1220 		return false;
1221 
1222 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1223 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1224 	PUT_TXQVAL_U32(FLOWS, flows);
1225 	PUT_TXQVAL_U32(DROPS, drops);
1226 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1227 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1228 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1229 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1230 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1231 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1232 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1233 	nla_nest_end(msg, txqattr);
1234 
1235 #undef PUT_TXQVAL_U32
1236 	return true;
1237 }
1238 
1239 /* netlink command implementations */
1240 
1241 /**
1242  * nl80211_link_id - return link ID
1243  * @attrs: attributes to look at
1244  *
1245  * Returns: the link ID or 0 if not given
1246  *
1247  * Note this function doesn't do any validation of the link
1248  * ID validity wrt. links that were actually added, so it must
1249  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1250  * or if additional validation is done.
1251  */
1252 static unsigned int nl80211_link_id(struct nlattr **attrs)
1253 {
1254 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1255 
1256 	if (!linkid)
1257 		return 0;
1258 
1259 	return nla_get_u8(linkid);
1260 }
1261 
1262 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1263 {
1264 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1265 
1266 	if (!linkid)
1267 		return -1;
1268 
1269 	return nla_get_u8(linkid);
1270 }
1271 
1272 struct key_parse {
1273 	struct key_params p;
1274 	int idx;
1275 	int type;
1276 	bool def, defmgmt, defbeacon;
1277 	bool def_uni, def_multi;
1278 };
1279 
1280 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1281 				 struct key_parse *k)
1282 {
1283 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1284 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1285 					      nl80211_key_policy,
1286 					      info->extack);
1287 	if (err)
1288 		return err;
1289 
1290 	k->def = !!tb[NL80211_KEY_DEFAULT];
1291 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1292 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1293 
1294 	if (k->def) {
1295 		k->def_uni = true;
1296 		k->def_multi = true;
1297 	}
1298 	if (k->defmgmt || k->defbeacon)
1299 		k->def_multi = true;
1300 
1301 	if (tb[NL80211_KEY_IDX])
1302 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1303 
1304 	if (tb[NL80211_KEY_DATA]) {
1305 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1306 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1307 	}
1308 
1309 	if (tb[NL80211_KEY_SEQ]) {
1310 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1311 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1312 	}
1313 
1314 	if (tb[NL80211_KEY_CIPHER])
1315 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1316 
1317 	if (tb[NL80211_KEY_TYPE])
1318 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1319 
1320 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1321 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1322 
1323 		err = nla_parse_nested_deprecated(kdt,
1324 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1325 						  tb[NL80211_KEY_DEFAULT_TYPES],
1326 						  nl80211_key_default_policy,
1327 						  info->extack);
1328 		if (err)
1329 			return err;
1330 
1331 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1332 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1333 	}
1334 
1335 	if (tb[NL80211_KEY_MODE])
1336 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1337 
1338 	return 0;
1339 }
1340 
1341 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1342 {
1343 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1344 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1345 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1346 	}
1347 
1348 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1349 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1350 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1351 	}
1352 
1353 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1354 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1355 
1356 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1357 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1358 
1359 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1360 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1361 
1362 	if (k->def) {
1363 		k->def_uni = true;
1364 		k->def_multi = true;
1365 	}
1366 	if (k->defmgmt)
1367 		k->def_multi = true;
1368 
1369 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1370 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1371 
1372 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1373 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1374 		int err = nla_parse_nested_deprecated(kdt,
1375 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1376 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1377 						      nl80211_key_default_policy,
1378 						      info->extack);
1379 		if (err)
1380 			return err;
1381 
1382 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1383 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1384 	}
1385 
1386 	return 0;
1387 }
1388 
1389 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1390 {
1391 	int err;
1392 
1393 	memset(k, 0, sizeof(*k));
1394 	k->idx = -1;
1395 	k->type = -1;
1396 
1397 	if (info->attrs[NL80211_ATTR_KEY])
1398 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1399 	else
1400 		err = nl80211_parse_key_old(info, k);
1401 
1402 	if (err)
1403 		return err;
1404 
1405 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1406 	    (k->defbeacon ? 1 : 0) > 1) {
1407 		GENL_SET_ERR_MSG(info,
1408 				 "key with multiple default flags is invalid");
1409 		return -EINVAL;
1410 	}
1411 
1412 	if (k->defmgmt || k->defbeacon) {
1413 		if (k->def_uni || !k->def_multi) {
1414 			GENL_SET_ERR_MSG(info,
1415 					 "defmgmt/defbeacon key must be mcast");
1416 			return -EINVAL;
1417 		}
1418 	}
1419 
1420 	if (k->idx != -1) {
1421 		if (k->defmgmt) {
1422 			if (k->idx < 4 || k->idx > 5) {
1423 				GENL_SET_ERR_MSG(info,
1424 						 "defmgmt key idx not 4 or 5");
1425 				return -EINVAL;
1426 			}
1427 		} else if (k->defbeacon) {
1428 			if (k->idx < 6 || k->idx > 7) {
1429 				GENL_SET_ERR_MSG(info,
1430 						 "defbeacon key idx not 6 or 7");
1431 				return -EINVAL;
1432 			}
1433 		} else if (k->def) {
1434 			if (k->idx < 0 || k->idx > 3) {
1435 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1436 				return -EINVAL;
1437 			}
1438 		} else {
1439 			if (k->idx < 0 || k->idx > 7) {
1440 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1441 				return -EINVAL;
1442 			}
1443 		}
1444 	}
1445 
1446 	return 0;
1447 }
1448 
1449 static struct cfg80211_cached_keys *
1450 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1451 		       struct genl_info *info, bool *no_ht)
1452 {
1453 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1454 	struct key_parse parse;
1455 	struct nlattr *key;
1456 	struct cfg80211_cached_keys *result;
1457 	int rem, err, def = 0;
1458 	bool have_key = false;
1459 
1460 	nla_for_each_nested(key, keys, rem) {
1461 		have_key = true;
1462 		break;
1463 	}
1464 
1465 	if (!have_key)
1466 		return NULL;
1467 
1468 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1469 	if (!result)
1470 		return ERR_PTR(-ENOMEM);
1471 
1472 	result->def = -1;
1473 
1474 	nla_for_each_nested(key, keys, rem) {
1475 		memset(&parse, 0, sizeof(parse));
1476 		parse.idx = -1;
1477 
1478 		err = nl80211_parse_key_new(info, key, &parse);
1479 		if (err)
1480 			goto error;
1481 		err = -EINVAL;
1482 		if (!parse.p.key)
1483 			goto error;
1484 		if (parse.idx < 0 || parse.idx > 3) {
1485 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1486 			goto error;
1487 		}
1488 		if (parse.def) {
1489 			if (def) {
1490 				GENL_SET_ERR_MSG(info,
1491 						 "only one key can be default");
1492 				goto error;
1493 			}
1494 			def = 1;
1495 			result->def = parse.idx;
1496 			if (!parse.def_uni || !parse.def_multi)
1497 				goto error;
1498 		} else if (parse.defmgmt)
1499 			goto error;
1500 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1501 						     parse.idx, false, NULL);
1502 		if (err)
1503 			goto error;
1504 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1505 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1506 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1507 			err = -EINVAL;
1508 			goto error;
1509 		}
1510 		result->params[parse.idx].cipher = parse.p.cipher;
1511 		result->params[parse.idx].key_len = parse.p.key_len;
1512 		result->params[parse.idx].key = result->data[parse.idx];
1513 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1514 
1515 		/* must be WEP key if we got here */
1516 		if (no_ht)
1517 			*no_ht = true;
1518 	}
1519 
1520 	if (result->def < 0) {
1521 		err = -EINVAL;
1522 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1523 		goto error;
1524 	}
1525 
1526 	return result;
1527  error:
1528 	kfree(result);
1529 	return ERR_PTR(err);
1530 }
1531 
1532 static int nl80211_key_allowed(struct wireless_dev *wdev)
1533 {
1534 	ASSERT_WDEV_LOCK(wdev);
1535 
1536 	switch (wdev->iftype) {
1537 	case NL80211_IFTYPE_AP:
1538 	case NL80211_IFTYPE_AP_VLAN:
1539 	case NL80211_IFTYPE_P2P_GO:
1540 	case NL80211_IFTYPE_MESH_POINT:
1541 		break;
1542 	case NL80211_IFTYPE_ADHOC:
1543 		if (wdev->u.ibss.current_bss)
1544 			return 0;
1545 		return -ENOLINK;
1546 	case NL80211_IFTYPE_STATION:
1547 	case NL80211_IFTYPE_P2P_CLIENT:
1548 		if (wdev->connected)
1549 			return 0;
1550 		return -ENOLINK;
1551 	case NL80211_IFTYPE_UNSPECIFIED:
1552 	case NL80211_IFTYPE_OCB:
1553 	case NL80211_IFTYPE_MONITOR:
1554 	case NL80211_IFTYPE_NAN:
1555 	case NL80211_IFTYPE_P2P_DEVICE:
1556 	case NL80211_IFTYPE_WDS:
1557 	case NUM_NL80211_IFTYPES:
1558 		return -EINVAL;
1559 	}
1560 
1561 	return 0;
1562 }
1563 
1564 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1565 							u32 freq)
1566 {
1567 	struct ieee80211_channel *chan;
1568 
1569 	chan = ieee80211_get_channel_khz(wiphy, freq);
1570 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1571 		return NULL;
1572 	return chan;
1573 }
1574 
1575 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1576 {
1577 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1578 	int i;
1579 
1580 	if (!nl_modes)
1581 		goto nla_put_failure;
1582 
1583 	i = 0;
1584 	while (ifmodes) {
1585 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1586 			goto nla_put_failure;
1587 		ifmodes >>= 1;
1588 		i++;
1589 	}
1590 
1591 	nla_nest_end(msg, nl_modes);
1592 	return 0;
1593 
1594 nla_put_failure:
1595 	return -ENOBUFS;
1596 }
1597 
1598 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1599 					  struct sk_buff *msg,
1600 					  bool large)
1601 {
1602 	struct nlattr *nl_combis;
1603 	int i, j;
1604 
1605 	nl_combis = nla_nest_start_noflag(msg,
1606 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1607 	if (!nl_combis)
1608 		goto nla_put_failure;
1609 
1610 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1611 		const struct ieee80211_iface_combination *c;
1612 		struct nlattr *nl_combi, *nl_limits;
1613 
1614 		c = &wiphy->iface_combinations[i];
1615 
1616 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1617 		if (!nl_combi)
1618 			goto nla_put_failure;
1619 
1620 		nl_limits = nla_nest_start_noflag(msg,
1621 						  NL80211_IFACE_COMB_LIMITS);
1622 		if (!nl_limits)
1623 			goto nla_put_failure;
1624 
1625 		for (j = 0; j < c->n_limits; j++) {
1626 			struct nlattr *nl_limit;
1627 
1628 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1629 			if (!nl_limit)
1630 				goto nla_put_failure;
1631 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1632 					c->limits[j].max))
1633 				goto nla_put_failure;
1634 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1635 						c->limits[j].types))
1636 				goto nla_put_failure;
1637 			nla_nest_end(msg, nl_limit);
1638 		}
1639 
1640 		nla_nest_end(msg, nl_limits);
1641 
1642 		if (c->beacon_int_infra_match &&
1643 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1644 			goto nla_put_failure;
1645 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1646 				c->num_different_channels) ||
1647 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1648 				c->max_interfaces))
1649 			goto nla_put_failure;
1650 		if (large &&
1651 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1652 				c->radar_detect_widths) ||
1653 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1654 				c->radar_detect_regions)))
1655 			goto nla_put_failure;
1656 		if (c->beacon_int_min_gcd &&
1657 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1658 				c->beacon_int_min_gcd))
1659 			goto nla_put_failure;
1660 
1661 		nla_nest_end(msg, nl_combi);
1662 	}
1663 
1664 	nla_nest_end(msg, nl_combis);
1665 
1666 	return 0;
1667 nla_put_failure:
1668 	return -ENOBUFS;
1669 }
1670 
1671 #ifdef CONFIG_PM
1672 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1673 					struct sk_buff *msg)
1674 {
1675 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1676 	struct nlattr *nl_tcp;
1677 
1678 	if (!tcp)
1679 		return 0;
1680 
1681 	nl_tcp = nla_nest_start_noflag(msg,
1682 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1683 	if (!nl_tcp)
1684 		return -ENOBUFS;
1685 
1686 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1687 			tcp->data_payload_max))
1688 		return -ENOBUFS;
1689 
1690 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1691 			tcp->data_payload_max))
1692 		return -ENOBUFS;
1693 
1694 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1695 		return -ENOBUFS;
1696 
1697 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1698 				sizeof(*tcp->tok), tcp->tok))
1699 		return -ENOBUFS;
1700 
1701 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1702 			tcp->data_interval_max))
1703 		return -ENOBUFS;
1704 
1705 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1706 			tcp->wake_payload_max))
1707 		return -ENOBUFS;
1708 
1709 	nla_nest_end(msg, nl_tcp);
1710 	return 0;
1711 }
1712 
1713 static int nl80211_send_wowlan(struct sk_buff *msg,
1714 			       struct cfg80211_registered_device *rdev,
1715 			       bool large)
1716 {
1717 	struct nlattr *nl_wowlan;
1718 
1719 	if (!rdev->wiphy.wowlan)
1720 		return 0;
1721 
1722 	nl_wowlan = nla_nest_start_noflag(msg,
1723 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1724 	if (!nl_wowlan)
1725 		return -ENOBUFS;
1726 
1727 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1728 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1729 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1730 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1731 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1732 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1733 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1734 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1735 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1736 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1737 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1738 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1739 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1740 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1741 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1742 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1743 		return -ENOBUFS;
1744 
1745 	if (rdev->wiphy.wowlan->n_patterns) {
1746 		struct nl80211_pattern_support pat = {
1747 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1748 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1749 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1750 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1751 		};
1752 
1753 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1754 			    sizeof(pat), &pat))
1755 			return -ENOBUFS;
1756 	}
1757 
1758 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1759 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1760 			rdev->wiphy.wowlan->max_nd_match_sets))
1761 		return -ENOBUFS;
1762 
1763 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1764 		return -ENOBUFS;
1765 
1766 	nla_nest_end(msg, nl_wowlan);
1767 
1768 	return 0;
1769 }
1770 #endif
1771 
1772 static int nl80211_send_coalesce(struct sk_buff *msg,
1773 				 struct cfg80211_registered_device *rdev)
1774 {
1775 	struct nl80211_coalesce_rule_support rule;
1776 
1777 	if (!rdev->wiphy.coalesce)
1778 		return 0;
1779 
1780 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1781 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1782 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1783 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1784 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1785 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1786 
1787 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1788 		return -ENOBUFS;
1789 
1790 	return 0;
1791 }
1792 
1793 static int
1794 nl80211_send_iftype_data(struct sk_buff *msg,
1795 			 const struct ieee80211_supported_band *sband,
1796 			 const struct ieee80211_sband_iftype_data *iftdata)
1797 {
1798 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1799 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1800 
1801 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1802 				iftdata->types_mask))
1803 		return -ENOBUFS;
1804 
1805 	if (he_cap->has_he) {
1806 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1807 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1808 			    he_cap->he_cap_elem.mac_cap_info) ||
1809 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1810 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1811 			    he_cap->he_cap_elem.phy_cap_info) ||
1812 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1813 			    sizeof(he_cap->he_mcs_nss_supp),
1814 			    &he_cap->he_mcs_nss_supp) ||
1815 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1816 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1817 			return -ENOBUFS;
1818 	}
1819 
1820 	if (eht_cap->has_eht && he_cap->has_he) {
1821 		u8 mcs_nss_size, ppe_thresh_size;
1822 		u16 ppe_thres_hdr;
1823 		bool is_ap;
1824 
1825 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1826 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1827 
1828 		mcs_nss_size =
1829 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1830 						   &eht_cap->eht_cap_elem,
1831 						   is_ap);
1832 
1833 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1834 		ppe_thresh_size =
1835 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1836 					       eht_cap->eht_cap_elem.phy_cap_info);
1837 
1838 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1839 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1840 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1841 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1842 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1843 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1844 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1845 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1846 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1847 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1848 			return -ENOBUFS;
1849 	}
1850 
1851 	if (sband->band == NL80211_BAND_6GHZ &&
1852 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1853 		    sizeof(iftdata->he_6ghz_capa),
1854 		    &iftdata->he_6ghz_capa))
1855 		return -ENOBUFS;
1856 
1857 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1858 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1859 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1860 		return -ENOBUFS;
1861 
1862 	return 0;
1863 }
1864 
1865 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1866 				      struct ieee80211_supported_band *sband,
1867 				      bool large)
1868 {
1869 	struct nlattr *nl_rates, *nl_rate;
1870 	struct ieee80211_rate *rate;
1871 	int i;
1872 
1873 	/* add HT info */
1874 	if (sband->ht_cap.ht_supported &&
1875 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1876 		     sizeof(sband->ht_cap.mcs),
1877 		     &sband->ht_cap.mcs) ||
1878 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1879 			 sband->ht_cap.cap) ||
1880 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1881 			sband->ht_cap.ampdu_factor) ||
1882 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1883 			sband->ht_cap.ampdu_density)))
1884 		return -ENOBUFS;
1885 
1886 	/* add VHT info */
1887 	if (sband->vht_cap.vht_supported &&
1888 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1889 		     sizeof(sband->vht_cap.vht_mcs),
1890 		     &sband->vht_cap.vht_mcs) ||
1891 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1892 			 sband->vht_cap.cap)))
1893 		return -ENOBUFS;
1894 
1895 	if (large && sband->n_iftype_data) {
1896 		struct nlattr *nl_iftype_data =
1897 			nla_nest_start_noflag(msg,
1898 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1899 		int err;
1900 
1901 		if (!nl_iftype_data)
1902 			return -ENOBUFS;
1903 
1904 		for (i = 0; i < sband->n_iftype_data; i++) {
1905 			struct nlattr *iftdata;
1906 
1907 			iftdata = nla_nest_start_noflag(msg, i + 1);
1908 			if (!iftdata)
1909 				return -ENOBUFS;
1910 
1911 			err = nl80211_send_iftype_data(msg, sband,
1912 						       &sband->iftype_data[i]);
1913 			if (err)
1914 				return err;
1915 
1916 			nla_nest_end(msg, iftdata);
1917 		}
1918 
1919 		nla_nest_end(msg, nl_iftype_data);
1920 	}
1921 
1922 	/* add EDMG info */
1923 	if (large && sband->edmg_cap.channels &&
1924 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1925 		       sband->edmg_cap.channels) ||
1926 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1927 		       sband->edmg_cap.bw_config)))
1928 
1929 		return -ENOBUFS;
1930 
1931 	/* add bitrates */
1932 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1933 	if (!nl_rates)
1934 		return -ENOBUFS;
1935 
1936 	for (i = 0; i < sband->n_bitrates; i++) {
1937 		nl_rate = nla_nest_start_noflag(msg, i);
1938 		if (!nl_rate)
1939 			return -ENOBUFS;
1940 
1941 		rate = &sband->bitrates[i];
1942 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1943 				rate->bitrate))
1944 			return -ENOBUFS;
1945 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1946 		    nla_put_flag(msg,
1947 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1948 			return -ENOBUFS;
1949 
1950 		nla_nest_end(msg, nl_rate);
1951 	}
1952 
1953 	nla_nest_end(msg, nl_rates);
1954 
1955 	return 0;
1956 }
1957 
1958 static int
1959 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1960 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1961 {
1962 	u16 stypes;
1963 	struct nlattr *nl_ftypes, *nl_ifs;
1964 	enum nl80211_iftype ift;
1965 	int i;
1966 
1967 	if (!mgmt_stypes)
1968 		return 0;
1969 
1970 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1971 	if (!nl_ifs)
1972 		return -ENOBUFS;
1973 
1974 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1975 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1976 		if (!nl_ftypes)
1977 			return -ENOBUFS;
1978 		i = 0;
1979 		stypes = mgmt_stypes[ift].tx;
1980 		while (stypes) {
1981 			if ((stypes & 1) &&
1982 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1983 					(i << 4) | IEEE80211_FTYPE_MGMT))
1984 				return -ENOBUFS;
1985 			stypes >>= 1;
1986 			i++;
1987 		}
1988 		nla_nest_end(msg, nl_ftypes);
1989 	}
1990 
1991 	nla_nest_end(msg, nl_ifs);
1992 
1993 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1994 	if (!nl_ifs)
1995 		return -ENOBUFS;
1996 
1997 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1998 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1999 		if (!nl_ftypes)
2000 			return -ENOBUFS;
2001 		i = 0;
2002 		stypes = mgmt_stypes[ift].rx;
2003 		while (stypes) {
2004 			if ((stypes & 1) &&
2005 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2006 					(i << 4) | IEEE80211_FTYPE_MGMT))
2007 				return -ENOBUFS;
2008 			stypes >>= 1;
2009 			i++;
2010 		}
2011 		nla_nest_end(msg, nl_ftypes);
2012 	}
2013 	nla_nest_end(msg, nl_ifs);
2014 
2015 	return 0;
2016 }
2017 
2018 #define CMD(op, n)							\
2019 	 do {								\
2020 		if (rdev->ops->op) {					\
2021 			i++;						\
2022 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2023 				goto nla_put_failure;			\
2024 		}							\
2025 	} while (0)
2026 
2027 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2028 					struct sk_buff *msg)
2029 {
2030 	int i = 0;
2031 
2032 	/*
2033 	 * do *NOT* add anything into this function, new things need to be
2034 	 * advertised only to new versions of userspace that can deal with
2035 	 * the split (and they can't possibly care about new features...
2036 	 */
2037 	CMD(add_virtual_intf, NEW_INTERFACE);
2038 	CMD(change_virtual_intf, SET_INTERFACE);
2039 	CMD(add_key, NEW_KEY);
2040 	CMD(start_ap, START_AP);
2041 	CMD(add_station, NEW_STATION);
2042 	CMD(add_mpath, NEW_MPATH);
2043 	CMD(update_mesh_config, SET_MESH_CONFIG);
2044 	CMD(change_bss, SET_BSS);
2045 	CMD(auth, AUTHENTICATE);
2046 	CMD(assoc, ASSOCIATE);
2047 	CMD(deauth, DEAUTHENTICATE);
2048 	CMD(disassoc, DISASSOCIATE);
2049 	CMD(join_ibss, JOIN_IBSS);
2050 	CMD(join_mesh, JOIN_MESH);
2051 	CMD(set_pmksa, SET_PMKSA);
2052 	CMD(del_pmksa, DEL_PMKSA);
2053 	CMD(flush_pmksa, FLUSH_PMKSA);
2054 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2055 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2056 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2057 	CMD(mgmt_tx, FRAME);
2058 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2059 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2060 		i++;
2061 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2062 			goto nla_put_failure;
2063 	}
2064 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2065 	    rdev->ops->join_mesh) {
2066 		i++;
2067 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2068 			goto nla_put_failure;
2069 	}
2070 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2071 		CMD(tdls_mgmt, TDLS_MGMT);
2072 		CMD(tdls_oper, TDLS_OPER);
2073 	}
2074 	if (rdev->wiphy.max_sched_scan_reqs)
2075 		CMD(sched_scan_start, START_SCHED_SCAN);
2076 	CMD(probe_client, PROBE_CLIENT);
2077 	CMD(set_noack_map, SET_NOACK_MAP);
2078 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2079 		i++;
2080 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2081 			goto nla_put_failure;
2082 	}
2083 	CMD(start_p2p_device, START_P2P_DEVICE);
2084 	CMD(set_mcast_rate, SET_MCAST_RATE);
2085 #ifdef CONFIG_NL80211_TESTMODE
2086 	CMD(testmode_cmd, TESTMODE);
2087 #endif
2088 
2089 	if (rdev->ops->connect || rdev->ops->auth) {
2090 		i++;
2091 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2092 			goto nla_put_failure;
2093 	}
2094 
2095 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2096 		i++;
2097 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2098 			goto nla_put_failure;
2099 	}
2100 
2101 	return i;
2102  nla_put_failure:
2103 	return -ENOBUFS;
2104 }
2105 
2106 static int
2107 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2108 			   struct sk_buff *msg)
2109 {
2110 	struct nlattr *ftm;
2111 
2112 	if (!cap->ftm.supported)
2113 		return 0;
2114 
2115 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2116 	if (!ftm)
2117 		return -ENOBUFS;
2118 
2119 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2120 		return -ENOBUFS;
2121 	if (cap->ftm.non_asap &&
2122 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2123 		return -ENOBUFS;
2124 	if (cap->ftm.request_lci &&
2125 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2126 		return -ENOBUFS;
2127 	if (cap->ftm.request_civicloc &&
2128 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2129 		return -ENOBUFS;
2130 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2131 			cap->ftm.preambles))
2132 		return -ENOBUFS;
2133 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2134 			cap->ftm.bandwidths))
2135 		return -ENOBUFS;
2136 	if (cap->ftm.max_bursts_exponent >= 0 &&
2137 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2138 			cap->ftm.max_bursts_exponent))
2139 		return -ENOBUFS;
2140 	if (cap->ftm.max_ftms_per_burst &&
2141 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2142 			cap->ftm.max_ftms_per_burst))
2143 		return -ENOBUFS;
2144 	if (cap->ftm.trigger_based &&
2145 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2146 		return -ENOBUFS;
2147 	if (cap->ftm.non_trigger_based &&
2148 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2149 		return -ENOBUFS;
2150 
2151 	nla_nest_end(msg, ftm);
2152 	return 0;
2153 }
2154 
2155 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2156 				  struct sk_buff *msg)
2157 {
2158 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2159 	struct nlattr *pmsr, *caps;
2160 
2161 	if (!cap)
2162 		return 0;
2163 
2164 	/*
2165 	 * we don't need to clean up anything here since the caller
2166 	 * will genlmsg_cancel() if we fail
2167 	 */
2168 
2169 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2170 	if (!pmsr)
2171 		return -ENOBUFS;
2172 
2173 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2174 		return -ENOBUFS;
2175 
2176 	if (cap->report_ap_tsf &&
2177 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2178 		return -ENOBUFS;
2179 
2180 	if (cap->randomize_mac_addr &&
2181 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2182 		return -ENOBUFS;
2183 
2184 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2185 	if (!caps)
2186 		return -ENOBUFS;
2187 
2188 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2189 		return -ENOBUFS;
2190 
2191 	nla_nest_end(msg, caps);
2192 	nla_nest_end(msg, pmsr);
2193 
2194 	return 0;
2195 }
2196 
2197 static int
2198 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2199 			      struct sk_buff *msg)
2200 {
2201 	int i;
2202 	struct nlattr *nested, *nested_akms;
2203 	const struct wiphy_iftype_akm_suites *iftype_akms;
2204 
2205 	if (!rdev->wiphy.num_iftype_akm_suites ||
2206 	    !rdev->wiphy.iftype_akm_suites)
2207 		return 0;
2208 
2209 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2210 	if (!nested)
2211 		return -ENOBUFS;
2212 
2213 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2214 		nested_akms = nla_nest_start(msg, i + 1);
2215 		if (!nested_akms)
2216 			return -ENOBUFS;
2217 
2218 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2219 
2220 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2221 					iftype_akms->iftypes_mask))
2222 			return -ENOBUFS;
2223 
2224 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2225 			    sizeof(u32) * iftype_akms->n_akm_suites,
2226 			    iftype_akms->akm_suites)) {
2227 			return -ENOBUFS;
2228 		}
2229 		nla_nest_end(msg, nested_akms);
2230 	}
2231 
2232 	nla_nest_end(msg, nested);
2233 
2234 	return 0;
2235 }
2236 
2237 static int
2238 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2239 			       struct sk_buff *msg)
2240 {
2241 	struct nlattr *supp;
2242 
2243 	if (!rdev->wiphy.tid_config_support.vif &&
2244 	    !rdev->wiphy.tid_config_support.peer)
2245 		return 0;
2246 
2247 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2248 	if (!supp)
2249 		return -ENOSPC;
2250 
2251 	if (rdev->wiphy.tid_config_support.vif &&
2252 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2253 			      rdev->wiphy.tid_config_support.vif,
2254 			      NL80211_TID_CONFIG_ATTR_PAD))
2255 		goto fail;
2256 
2257 	if (rdev->wiphy.tid_config_support.peer &&
2258 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2259 			      rdev->wiphy.tid_config_support.peer,
2260 			      NL80211_TID_CONFIG_ATTR_PAD))
2261 		goto fail;
2262 
2263 	/* for now we just use the same value ... makes more sense */
2264 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2265 		       rdev->wiphy.tid_config_support.max_retry))
2266 		goto fail;
2267 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2268 		       rdev->wiphy.tid_config_support.max_retry))
2269 		goto fail;
2270 
2271 	nla_nest_end(msg, supp);
2272 
2273 	return 0;
2274 fail:
2275 	nla_nest_cancel(msg, supp);
2276 	return -ENOBUFS;
2277 }
2278 
2279 static int
2280 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2281 		      struct sk_buff *msg)
2282 {
2283 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2284 	u8 num_freq_ranges;
2285 	int i;
2286 
2287 	if (!rdev->wiphy.sar_capa)
2288 		return 0;
2289 
2290 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2291 
2292 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2293 	if (!sar_capa)
2294 		return -ENOSPC;
2295 
2296 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2297 		goto fail;
2298 
2299 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2300 	if (!specs)
2301 		goto fail;
2302 
2303 	/* report supported freq_ranges */
2304 	for (i = 0; i < num_freq_ranges; i++) {
2305 		sub_freq_range = nla_nest_start(msg, i + 1);
2306 		if (!sub_freq_range)
2307 			goto fail;
2308 
2309 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2310 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2311 			goto fail;
2312 
2313 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2314 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2315 			goto fail;
2316 
2317 		nla_nest_end(msg, sub_freq_range);
2318 	}
2319 
2320 	nla_nest_end(msg, specs);
2321 	nla_nest_end(msg, sar_capa);
2322 
2323 	return 0;
2324 fail:
2325 	nla_nest_cancel(msg, sar_capa);
2326 	return -ENOBUFS;
2327 }
2328 
2329 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2330 {
2331 	struct nlattr *config;
2332 
2333 	if (!wiphy->mbssid_max_interfaces)
2334 		return 0;
2335 
2336 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2337 	if (!config)
2338 		return -ENOBUFS;
2339 
2340 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2341 		       wiphy->mbssid_max_interfaces))
2342 		goto fail;
2343 
2344 	if (wiphy->ema_max_profile_periodicity &&
2345 	    nla_put_u8(msg,
2346 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2347 		       wiphy->ema_max_profile_periodicity))
2348 		goto fail;
2349 
2350 	nla_nest_end(msg, config);
2351 	return 0;
2352 
2353 fail:
2354 	nla_nest_cancel(msg, config);
2355 	return -ENOBUFS;
2356 }
2357 
2358 struct nl80211_dump_wiphy_state {
2359 	s64 filter_wiphy;
2360 	long start;
2361 	long split_start, band_start, chan_start, capa_start;
2362 	bool split;
2363 };
2364 
2365 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2366 			      enum nl80211_commands cmd,
2367 			      struct sk_buff *msg, u32 portid, u32 seq,
2368 			      int flags, struct nl80211_dump_wiphy_state *state)
2369 {
2370 	void *hdr;
2371 	struct nlattr *nl_bands, *nl_band;
2372 	struct nlattr *nl_freqs, *nl_freq;
2373 	struct nlattr *nl_cmds;
2374 	enum nl80211_band band;
2375 	struct ieee80211_channel *chan;
2376 	int i;
2377 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2378 				rdev->wiphy.mgmt_stypes;
2379 	u32 features;
2380 
2381 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2382 	if (!hdr)
2383 		return -ENOBUFS;
2384 
2385 	if (WARN_ON(!state))
2386 		return -EINVAL;
2387 
2388 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2389 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2390 			   wiphy_name(&rdev->wiphy)) ||
2391 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2392 			cfg80211_rdev_list_generation))
2393 		goto nla_put_failure;
2394 
2395 	if (cmd != NL80211_CMD_NEW_WIPHY)
2396 		goto finish;
2397 
2398 	switch (state->split_start) {
2399 	case 0:
2400 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2401 			       rdev->wiphy.retry_short) ||
2402 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2403 			       rdev->wiphy.retry_long) ||
2404 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2405 				rdev->wiphy.frag_threshold) ||
2406 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2407 				rdev->wiphy.rts_threshold) ||
2408 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2409 			       rdev->wiphy.coverage_class) ||
2410 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2411 			       rdev->wiphy.max_scan_ssids) ||
2412 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2413 			       rdev->wiphy.max_sched_scan_ssids) ||
2414 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2415 				rdev->wiphy.max_scan_ie_len) ||
2416 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2417 				rdev->wiphy.max_sched_scan_ie_len) ||
2418 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2419 			       rdev->wiphy.max_match_sets))
2420 			goto nla_put_failure;
2421 
2422 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2423 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2424 			goto nla_put_failure;
2425 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2426 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2427 			goto nla_put_failure;
2428 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2429 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2430 			goto nla_put_failure;
2431 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2432 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2433 			goto nla_put_failure;
2434 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2435 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2436 			goto nla_put_failure;
2437 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2438 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2439 			goto nla_put_failure;
2440 		state->split_start++;
2441 		if (state->split)
2442 			break;
2443 		fallthrough;
2444 	case 1:
2445 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2446 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2447 			    rdev->wiphy.cipher_suites))
2448 			goto nla_put_failure;
2449 
2450 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2451 			       rdev->wiphy.max_num_pmkids))
2452 			goto nla_put_failure;
2453 
2454 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2455 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2456 			goto nla_put_failure;
2457 
2458 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2459 				rdev->wiphy.available_antennas_tx) ||
2460 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2461 				rdev->wiphy.available_antennas_rx))
2462 			goto nla_put_failure;
2463 
2464 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2465 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2466 				rdev->wiphy.probe_resp_offload))
2467 			goto nla_put_failure;
2468 
2469 		if ((rdev->wiphy.available_antennas_tx ||
2470 		     rdev->wiphy.available_antennas_rx) &&
2471 		    rdev->ops->get_antenna) {
2472 			u32 tx_ant = 0, rx_ant = 0;
2473 			int res;
2474 
2475 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2476 			if (!res) {
2477 				if (nla_put_u32(msg,
2478 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2479 						tx_ant) ||
2480 				    nla_put_u32(msg,
2481 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2482 						rx_ant))
2483 					goto nla_put_failure;
2484 			}
2485 		}
2486 
2487 		state->split_start++;
2488 		if (state->split)
2489 			break;
2490 		fallthrough;
2491 	case 2:
2492 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2493 					rdev->wiphy.interface_modes))
2494 				goto nla_put_failure;
2495 		state->split_start++;
2496 		if (state->split)
2497 			break;
2498 		fallthrough;
2499 	case 3:
2500 		nl_bands = nla_nest_start_noflag(msg,
2501 						 NL80211_ATTR_WIPHY_BANDS);
2502 		if (!nl_bands)
2503 			goto nla_put_failure;
2504 
2505 		for (band = state->band_start;
2506 		     band < (state->split ?
2507 				NUM_NL80211_BANDS :
2508 				NL80211_BAND_60GHZ + 1);
2509 		     band++) {
2510 			struct ieee80211_supported_band *sband;
2511 
2512 			/* omit higher bands for ancient software */
2513 			if (band > NL80211_BAND_5GHZ && !state->split)
2514 				break;
2515 
2516 			sband = rdev->wiphy.bands[band];
2517 
2518 			if (!sband)
2519 				continue;
2520 
2521 			nl_band = nla_nest_start_noflag(msg, band);
2522 			if (!nl_band)
2523 				goto nla_put_failure;
2524 
2525 			switch (state->chan_start) {
2526 			case 0:
2527 				if (nl80211_send_band_rateinfo(msg, sband,
2528 							       state->split))
2529 					goto nla_put_failure;
2530 				state->chan_start++;
2531 				if (state->split)
2532 					break;
2533 				fallthrough;
2534 			default:
2535 				/* add frequencies */
2536 				nl_freqs = nla_nest_start_noflag(msg,
2537 								 NL80211_BAND_ATTR_FREQS);
2538 				if (!nl_freqs)
2539 					goto nla_put_failure;
2540 
2541 				for (i = state->chan_start - 1;
2542 				     i < sband->n_channels;
2543 				     i++) {
2544 					nl_freq = nla_nest_start_noflag(msg,
2545 									i);
2546 					if (!nl_freq)
2547 						goto nla_put_failure;
2548 
2549 					chan = &sband->channels[i];
2550 
2551 					if (nl80211_msg_put_channel(
2552 							msg, &rdev->wiphy, chan,
2553 							state->split))
2554 						goto nla_put_failure;
2555 
2556 					nla_nest_end(msg, nl_freq);
2557 					if (state->split)
2558 						break;
2559 				}
2560 				if (i < sband->n_channels)
2561 					state->chan_start = i + 2;
2562 				else
2563 					state->chan_start = 0;
2564 				nla_nest_end(msg, nl_freqs);
2565 			}
2566 
2567 			nla_nest_end(msg, nl_band);
2568 
2569 			if (state->split) {
2570 				/* start again here */
2571 				if (state->chan_start)
2572 					band--;
2573 				break;
2574 			}
2575 		}
2576 		nla_nest_end(msg, nl_bands);
2577 
2578 		if (band < NUM_NL80211_BANDS)
2579 			state->band_start = band + 1;
2580 		else
2581 			state->band_start = 0;
2582 
2583 		/* if bands & channels are done, continue outside */
2584 		if (state->band_start == 0 && state->chan_start == 0)
2585 			state->split_start++;
2586 		if (state->split)
2587 			break;
2588 		fallthrough;
2589 	case 4:
2590 		nl_cmds = nla_nest_start_noflag(msg,
2591 						NL80211_ATTR_SUPPORTED_COMMANDS);
2592 		if (!nl_cmds)
2593 			goto nla_put_failure;
2594 
2595 		i = nl80211_add_commands_unsplit(rdev, msg);
2596 		if (i < 0)
2597 			goto nla_put_failure;
2598 		if (state->split) {
2599 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2600 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2601 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2602 				CMD(channel_switch, CHANNEL_SWITCH);
2603 			CMD(set_qos_map, SET_QOS_MAP);
2604 			if (rdev->wiphy.features &
2605 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2606 				CMD(add_tx_ts, ADD_TX_TS);
2607 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2608 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2609 			CMD(update_ft_ies, UPDATE_FT_IES);
2610 			if (rdev->wiphy.sar_capa)
2611 				CMD(set_sar_specs, SET_SAR_SPECS);
2612 		}
2613 #undef CMD
2614 
2615 		nla_nest_end(msg, nl_cmds);
2616 		state->split_start++;
2617 		if (state->split)
2618 			break;
2619 		fallthrough;
2620 	case 5:
2621 		if (rdev->ops->remain_on_channel &&
2622 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2623 		    nla_put_u32(msg,
2624 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2625 				rdev->wiphy.max_remain_on_channel_duration))
2626 			goto nla_put_failure;
2627 
2628 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2629 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2630 			goto nla_put_failure;
2631 
2632 		state->split_start++;
2633 		if (state->split)
2634 			break;
2635 		fallthrough;
2636 	case 6:
2637 #ifdef CONFIG_PM
2638 		if (nl80211_send_wowlan(msg, rdev, state->split))
2639 			goto nla_put_failure;
2640 		state->split_start++;
2641 		if (state->split)
2642 			break;
2643 #else
2644 		state->split_start++;
2645 #endif
2646 		fallthrough;
2647 	case 7:
2648 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2649 					rdev->wiphy.software_iftypes))
2650 			goto nla_put_failure;
2651 
2652 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2653 						   state->split))
2654 			goto nla_put_failure;
2655 
2656 		state->split_start++;
2657 		if (state->split)
2658 			break;
2659 		fallthrough;
2660 	case 8:
2661 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2662 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2663 				rdev->wiphy.ap_sme_capa))
2664 			goto nla_put_failure;
2665 
2666 		features = rdev->wiphy.features;
2667 		/*
2668 		 * We can only add the per-channel limit information if the
2669 		 * dump is split, otherwise it makes it too big. Therefore
2670 		 * only advertise it in that case.
2671 		 */
2672 		if (state->split)
2673 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2674 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2675 			goto nla_put_failure;
2676 
2677 		if (rdev->wiphy.ht_capa_mod_mask &&
2678 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2679 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2680 			    rdev->wiphy.ht_capa_mod_mask))
2681 			goto nla_put_failure;
2682 
2683 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2684 		    rdev->wiphy.max_acl_mac_addrs &&
2685 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2686 				rdev->wiphy.max_acl_mac_addrs))
2687 			goto nla_put_failure;
2688 
2689 		/*
2690 		 * Any information below this point is only available to
2691 		 * applications that can deal with it being split. This
2692 		 * helps ensure that newly added capabilities don't break
2693 		 * older tools by overrunning their buffers.
2694 		 *
2695 		 * We still increment split_start so that in the split
2696 		 * case we'll continue with more data in the next round,
2697 		 * but break unconditionally so unsplit data stops here.
2698 		 */
2699 		if (state->split)
2700 			state->split_start++;
2701 		else
2702 			state->split_start = 0;
2703 		break;
2704 	case 9:
2705 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2706 			goto nla_put_failure;
2707 
2708 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2709 				rdev->wiphy.max_sched_scan_plans) ||
2710 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2711 				rdev->wiphy.max_sched_scan_plan_interval) ||
2712 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2713 				rdev->wiphy.max_sched_scan_plan_iterations))
2714 			goto nla_put_failure;
2715 
2716 		if (rdev->wiphy.extended_capabilities &&
2717 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2718 			     rdev->wiphy.extended_capabilities_len,
2719 			     rdev->wiphy.extended_capabilities) ||
2720 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2721 			     rdev->wiphy.extended_capabilities_len,
2722 			     rdev->wiphy.extended_capabilities_mask)))
2723 			goto nla_put_failure;
2724 
2725 		if (rdev->wiphy.vht_capa_mod_mask &&
2726 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2727 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2728 			    rdev->wiphy.vht_capa_mod_mask))
2729 			goto nla_put_failure;
2730 
2731 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2732 			    rdev->wiphy.perm_addr))
2733 			goto nla_put_failure;
2734 
2735 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2736 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2737 			    rdev->wiphy.addr_mask))
2738 			goto nla_put_failure;
2739 
2740 		if (rdev->wiphy.n_addresses > 1) {
2741 			void *attr;
2742 
2743 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2744 			if (!attr)
2745 				goto nla_put_failure;
2746 
2747 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2748 				if (nla_put(msg, i + 1, ETH_ALEN,
2749 					    rdev->wiphy.addresses[i].addr))
2750 					goto nla_put_failure;
2751 
2752 			nla_nest_end(msg, attr);
2753 		}
2754 
2755 		state->split_start++;
2756 		break;
2757 	case 10:
2758 		if (nl80211_send_coalesce(msg, rdev))
2759 			goto nla_put_failure;
2760 
2761 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2762 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2763 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2764 			goto nla_put_failure;
2765 
2766 		if (rdev->wiphy.max_ap_assoc_sta &&
2767 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2768 				rdev->wiphy.max_ap_assoc_sta))
2769 			goto nla_put_failure;
2770 
2771 		state->split_start++;
2772 		break;
2773 	case 11:
2774 		if (rdev->wiphy.n_vendor_commands) {
2775 			const struct nl80211_vendor_cmd_info *info;
2776 			struct nlattr *nested;
2777 
2778 			nested = nla_nest_start_noflag(msg,
2779 						       NL80211_ATTR_VENDOR_DATA);
2780 			if (!nested)
2781 				goto nla_put_failure;
2782 
2783 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2784 				info = &rdev->wiphy.vendor_commands[i].info;
2785 				if (nla_put(msg, i + 1, sizeof(*info), info))
2786 					goto nla_put_failure;
2787 			}
2788 			nla_nest_end(msg, nested);
2789 		}
2790 
2791 		if (rdev->wiphy.n_vendor_events) {
2792 			const struct nl80211_vendor_cmd_info *info;
2793 			struct nlattr *nested;
2794 
2795 			nested = nla_nest_start_noflag(msg,
2796 						       NL80211_ATTR_VENDOR_EVENTS);
2797 			if (!nested)
2798 				goto nla_put_failure;
2799 
2800 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2801 				info = &rdev->wiphy.vendor_events[i];
2802 				if (nla_put(msg, i + 1, sizeof(*info), info))
2803 					goto nla_put_failure;
2804 			}
2805 			nla_nest_end(msg, nested);
2806 		}
2807 		state->split_start++;
2808 		break;
2809 	case 12:
2810 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2811 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2812 			       rdev->wiphy.max_num_csa_counters))
2813 			goto nla_put_failure;
2814 
2815 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2816 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2817 			goto nla_put_failure;
2818 
2819 		if (rdev->wiphy.max_sched_scan_reqs &&
2820 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2821 				rdev->wiphy.max_sched_scan_reqs))
2822 			goto nla_put_failure;
2823 
2824 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2825 			    sizeof(rdev->wiphy.ext_features),
2826 			    rdev->wiphy.ext_features))
2827 			goto nla_put_failure;
2828 
2829 		if (rdev->wiphy.bss_select_support) {
2830 			struct nlattr *nested;
2831 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2832 
2833 			nested = nla_nest_start_noflag(msg,
2834 						       NL80211_ATTR_BSS_SELECT);
2835 			if (!nested)
2836 				goto nla_put_failure;
2837 
2838 			i = 0;
2839 			while (bss_select_support) {
2840 				if ((bss_select_support & 1) &&
2841 				    nla_put_flag(msg, i))
2842 					goto nla_put_failure;
2843 				i++;
2844 				bss_select_support >>= 1;
2845 			}
2846 			nla_nest_end(msg, nested);
2847 		}
2848 
2849 		state->split_start++;
2850 		break;
2851 	case 13:
2852 		if (rdev->wiphy.num_iftype_ext_capab &&
2853 		    rdev->wiphy.iftype_ext_capab) {
2854 			struct nlattr *nested_ext_capab, *nested;
2855 
2856 			nested = nla_nest_start_noflag(msg,
2857 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2858 			if (!nested)
2859 				goto nla_put_failure;
2860 
2861 			for (i = state->capa_start;
2862 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2863 				const struct wiphy_iftype_ext_capab *capab;
2864 
2865 				capab = &rdev->wiphy.iftype_ext_capab[i];
2866 
2867 				nested_ext_capab = nla_nest_start_noflag(msg,
2868 									 i);
2869 				if (!nested_ext_capab ||
2870 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2871 						capab->iftype) ||
2872 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2873 					    capab->extended_capabilities_len,
2874 					    capab->extended_capabilities) ||
2875 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2876 					    capab->extended_capabilities_len,
2877 					    capab->extended_capabilities_mask))
2878 					goto nla_put_failure;
2879 
2880 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2881 				    (nla_put_u16(msg,
2882 						 NL80211_ATTR_EML_CAPABILITY,
2883 						 capab->eml_capabilities) ||
2884 				     nla_put_u16(msg,
2885 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2886 						 capab->mld_capa_and_ops)))
2887 					goto nla_put_failure;
2888 
2889 				nla_nest_end(msg, nested_ext_capab);
2890 				if (state->split)
2891 					break;
2892 			}
2893 			nla_nest_end(msg, nested);
2894 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2895 				state->capa_start = i + 1;
2896 				break;
2897 			}
2898 		}
2899 
2900 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2901 				rdev->wiphy.nan_supported_bands))
2902 			goto nla_put_failure;
2903 
2904 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2905 					    NL80211_EXT_FEATURE_TXQS)) {
2906 			struct cfg80211_txq_stats txqstats = {};
2907 			int res;
2908 
2909 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2910 			if (!res &&
2911 			    !nl80211_put_txq_stats(msg, &txqstats,
2912 						   NL80211_ATTR_TXQ_STATS))
2913 				goto nla_put_failure;
2914 
2915 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2916 					rdev->wiphy.txq_limit))
2917 				goto nla_put_failure;
2918 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2919 					rdev->wiphy.txq_memory_limit))
2920 				goto nla_put_failure;
2921 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2922 					rdev->wiphy.txq_quantum))
2923 				goto nla_put_failure;
2924 		}
2925 
2926 		state->split_start++;
2927 		break;
2928 	case 14:
2929 		if (nl80211_send_pmsr_capa(rdev, msg))
2930 			goto nla_put_failure;
2931 
2932 		state->split_start++;
2933 		break;
2934 	case 15:
2935 		if (rdev->wiphy.akm_suites &&
2936 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2937 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2938 			    rdev->wiphy.akm_suites))
2939 			goto nla_put_failure;
2940 
2941 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2942 			goto nla_put_failure;
2943 
2944 		if (nl80211_put_tid_config_support(rdev, msg))
2945 			goto nla_put_failure;
2946 		state->split_start++;
2947 		break;
2948 	case 16:
2949 		if (nl80211_put_sar_specs(rdev, msg))
2950 			goto nla_put_failure;
2951 
2952 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2953 			goto nla_put_failure;
2954 
2955 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2956 				rdev->wiphy.max_num_akm_suites))
2957 			goto nla_put_failure;
2958 
2959 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2960 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2961 
2962 		/* done */
2963 		state->split_start = 0;
2964 		break;
2965 	}
2966  finish:
2967 	genlmsg_end(msg, hdr);
2968 	return 0;
2969 
2970  nla_put_failure:
2971 	genlmsg_cancel(msg, hdr);
2972 	return -EMSGSIZE;
2973 }
2974 
2975 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2976 				    struct netlink_callback *cb,
2977 				    struct nl80211_dump_wiphy_state *state)
2978 {
2979 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2980 	int ret;
2981 
2982 	if (!tb)
2983 		return -ENOMEM;
2984 
2985 	ret = nlmsg_parse_deprecated(cb->nlh,
2986 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2987 				     tb, nl80211_fam.maxattr,
2988 				     nl80211_policy, NULL);
2989 	/* ignore parse errors for backward compatibility */
2990 	if (ret) {
2991 		ret = 0;
2992 		goto out;
2993 	}
2994 
2995 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2996 	if (tb[NL80211_ATTR_WIPHY])
2997 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2998 	if (tb[NL80211_ATTR_WDEV])
2999 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3000 	if (tb[NL80211_ATTR_IFINDEX]) {
3001 		struct net_device *netdev;
3002 		struct cfg80211_registered_device *rdev;
3003 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3004 
3005 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3006 		if (!netdev) {
3007 			ret = -ENODEV;
3008 			goto out;
3009 		}
3010 		if (netdev->ieee80211_ptr) {
3011 			rdev = wiphy_to_rdev(
3012 				netdev->ieee80211_ptr->wiphy);
3013 			state->filter_wiphy = rdev->wiphy_idx;
3014 		}
3015 	}
3016 
3017 	ret = 0;
3018 out:
3019 	kfree(tb);
3020 	return ret;
3021 }
3022 
3023 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3024 {
3025 	int idx = 0, ret;
3026 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3027 	struct cfg80211_registered_device *rdev;
3028 
3029 	rtnl_lock();
3030 	if (!state) {
3031 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3032 		if (!state) {
3033 			rtnl_unlock();
3034 			return -ENOMEM;
3035 		}
3036 		state->filter_wiphy = -1;
3037 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3038 		if (ret) {
3039 			kfree(state);
3040 			rtnl_unlock();
3041 			return ret;
3042 		}
3043 		cb->args[0] = (long)state;
3044 	}
3045 
3046 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3047 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3048 			continue;
3049 		if (++idx <= state->start)
3050 			continue;
3051 		if (state->filter_wiphy != -1 &&
3052 		    state->filter_wiphy != rdev->wiphy_idx)
3053 			continue;
3054 		/* attempt to fit multiple wiphy data chunks into the skb */
3055 		do {
3056 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3057 						 skb,
3058 						 NETLINK_CB(cb->skb).portid,
3059 						 cb->nlh->nlmsg_seq,
3060 						 NLM_F_MULTI, state);
3061 			if (ret < 0) {
3062 				/*
3063 				 * If sending the wiphy data didn't fit (ENOBUFS
3064 				 * or EMSGSIZE returned), this SKB is still
3065 				 * empty (so it's not too big because another
3066 				 * wiphy dataset is already in the skb) and
3067 				 * we've not tried to adjust the dump allocation
3068 				 * yet ... then adjust the alloc size to be
3069 				 * bigger, and return 1 but with the empty skb.
3070 				 * This results in an empty message being RX'ed
3071 				 * in userspace, but that is ignored.
3072 				 *
3073 				 * We can then retry with the larger buffer.
3074 				 */
3075 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3076 				    !skb->len && !state->split &&
3077 				    cb->min_dump_alloc < 4096) {
3078 					cb->min_dump_alloc = 4096;
3079 					state->split_start = 0;
3080 					rtnl_unlock();
3081 					return 1;
3082 				}
3083 				idx--;
3084 				break;
3085 			}
3086 		} while (state->split_start > 0);
3087 		break;
3088 	}
3089 	rtnl_unlock();
3090 
3091 	state->start = idx;
3092 
3093 	return skb->len;
3094 }
3095 
3096 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3097 {
3098 	kfree((void *)cb->args[0]);
3099 	return 0;
3100 }
3101 
3102 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3103 {
3104 	struct sk_buff *msg;
3105 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3106 	struct nl80211_dump_wiphy_state state = {};
3107 
3108 	msg = nlmsg_new(4096, GFP_KERNEL);
3109 	if (!msg)
3110 		return -ENOMEM;
3111 
3112 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3113 			       info->snd_portid, info->snd_seq, 0,
3114 			       &state) < 0) {
3115 		nlmsg_free(msg);
3116 		return -ENOBUFS;
3117 	}
3118 
3119 	return genlmsg_reply(msg, info);
3120 }
3121 
3122 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3123 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3124 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3125 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3126 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3127 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3128 };
3129 
3130 static int parse_txq_params(struct nlattr *tb[],
3131 			    struct ieee80211_txq_params *txq_params)
3132 {
3133 	u8 ac;
3134 
3135 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3136 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3137 	    !tb[NL80211_TXQ_ATTR_AIFS])
3138 		return -EINVAL;
3139 
3140 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3141 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3142 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3143 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3144 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3145 
3146 	if (ac >= NL80211_NUM_ACS)
3147 		return -EINVAL;
3148 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3149 	return 0;
3150 }
3151 
3152 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3153 {
3154 	/*
3155 	 * You can only set the channel explicitly for some interfaces,
3156 	 * most have their channel managed via their respective
3157 	 * "establish a connection" command (connect, join, ...)
3158 	 *
3159 	 * For AP/GO and mesh mode, the channel can be set with the
3160 	 * channel userspace API, but is only stored and passed to the
3161 	 * low-level driver when the AP starts or the mesh is joined.
3162 	 * This is for backward compatibility, userspace can also give
3163 	 * the channel in the start-ap or join-mesh commands instead.
3164 	 *
3165 	 * Monitors are special as they are normally slaved to
3166 	 * whatever else is going on, so they have their own special
3167 	 * operation to set the monitor channel if possible.
3168 	 */
3169 	return !wdev ||
3170 		wdev->iftype == NL80211_IFTYPE_AP ||
3171 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3172 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3173 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3174 }
3175 
3176 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3177 			  struct genl_info *info,
3178 			  struct cfg80211_chan_def *chandef)
3179 {
3180 	struct netlink_ext_ack *extack = info->extack;
3181 	struct nlattr **attrs = info->attrs;
3182 	u32 control_freq;
3183 
3184 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3185 		return -EINVAL;
3186 
3187 	control_freq = MHZ_TO_KHZ(
3188 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3189 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3190 		control_freq +=
3191 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3192 
3193 	memset(chandef, 0, sizeof(*chandef));
3194 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3195 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3196 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3197 	chandef->freq1_offset = control_freq % 1000;
3198 	chandef->center_freq2 = 0;
3199 
3200 	/* Primary channel not allowed */
3201 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3202 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3203 				    "Channel is disabled");
3204 		return -EINVAL;
3205 	}
3206 
3207 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3208 		enum nl80211_channel_type chantype;
3209 
3210 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3211 
3212 		switch (chantype) {
3213 		case NL80211_CHAN_NO_HT:
3214 		case NL80211_CHAN_HT20:
3215 		case NL80211_CHAN_HT40PLUS:
3216 		case NL80211_CHAN_HT40MINUS:
3217 			cfg80211_chandef_create(chandef, chandef->chan,
3218 						chantype);
3219 			/* user input for center_freq is incorrect */
3220 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3221 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3222 				NL_SET_ERR_MSG_ATTR(extack,
3223 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3224 						    "bad center frequency 1");
3225 				return -EINVAL;
3226 			}
3227 			/* center_freq2 must be zero */
3228 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3229 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3230 				NL_SET_ERR_MSG_ATTR(extack,
3231 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3232 						    "center frequency 2 can't be used");
3233 				return -EINVAL;
3234 			}
3235 			break;
3236 		default:
3237 			NL_SET_ERR_MSG_ATTR(extack,
3238 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3239 					    "invalid channel type");
3240 			return -EINVAL;
3241 		}
3242 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3243 		chandef->width =
3244 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3245 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3246 			/* User input error for channel width doesn't match channel  */
3247 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3248 				NL_SET_ERR_MSG_ATTR(extack,
3249 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3250 						    "bad channel width");
3251 				return -EINVAL;
3252 			}
3253 		}
3254 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3255 			chandef->center_freq1 =
3256 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3257 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3258 				chandef->freq1_offset = nla_get_u32(
3259 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3260 			else
3261 				chandef->freq1_offset = 0;
3262 		}
3263 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3264 			chandef->center_freq2 =
3265 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3266 	}
3267 
3268 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3269 		chandef->edmg.channels =
3270 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3271 
3272 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3273 			chandef->edmg.bw_config =
3274 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3275 	} else {
3276 		chandef->edmg.bw_config = 0;
3277 		chandef->edmg.channels = 0;
3278 	}
3279 
3280 	if (!cfg80211_chandef_valid(chandef)) {
3281 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3282 		return -EINVAL;
3283 	}
3284 
3285 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3286 				     IEEE80211_CHAN_DISABLED)) {
3287 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3288 		return -EINVAL;
3289 	}
3290 
3291 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3292 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3293 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3294 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3295 		return -EINVAL;
3296 	}
3297 
3298 	return 0;
3299 }
3300 
3301 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3302 				 struct net_device *dev,
3303 				 struct genl_info *info,
3304 				 int _link_id)
3305 {
3306 	struct cfg80211_chan_def chandef;
3307 	int result;
3308 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3309 	struct wireless_dev *wdev = NULL;
3310 	int link_id = _link_id;
3311 
3312 	if (dev)
3313 		wdev = dev->ieee80211_ptr;
3314 	if (!nl80211_can_set_dev_channel(wdev))
3315 		return -EOPNOTSUPP;
3316 	if (wdev)
3317 		iftype = wdev->iftype;
3318 
3319 	if (link_id < 0) {
3320 		if (wdev && wdev->valid_links)
3321 			return -EINVAL;
3322 		link_id = 0;
3323 	}
3324 
3325 	result = nl80211_parse_chandef(rdev, info, &chandef);
3326 	if (result)
3327 		return result;
3328 
3329 	switch (iftype) {
3330 	case NL80211_IFTYPE_AP:
3331 	case NL80211_IFTYPE_P2P_GO:
3332 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3333 						   iftype))
3334 			return -EINVAL;
3335 		if (wdev->links[link_id].ap.beacon_interval) {
3336 			struct ieee80211_channel *cur_chan;
3337 
3338 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3339 			    !(rdev->wiphy.features &
3340 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3341 				return -EBUSY;
3342 
3343 			/* Only allow dynamic channel width changes */
3344 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3345 			if (chandef.chan != cur_chan)
3346 				return -EBUSY;
3347 
3348 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3349 						       &chandef);
3350 			if (result)
3351 				return result;
3352 			wdev->links[link_id].ap.chandef = chandef;
3353 		} else {
3354 			wdev->u.ap.preset_chandef = chandef;
3355 		}
3356 		return 0;
3357 	case NL80211_IFTYPE_MESH_POINT:
3358 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3359 	case NL80211_IFTYPE_MONITOR:
3360 		return cfg80211_set_monitor_channel(rdev, &chandef);
3361 	default:
3362 		break;
3363 	}
3364 
3365 	return -EINVAL;
3366 }
3367 
3368 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3369 {
3370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3371 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3372 	struct net_device *netdev = info->user_ptr[1];
3373 	int ret;
3374 
3375 	wdev_lock(netdev->ieee80211_ptr);
3376 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3377 	wdev_unlock(netdev->ieee80211_ptr);
3378 
3379 	return ret;
3380 }
3381 
3382 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3383 {
3384 	struct cfg80211_registered_device *rdev = NULL;
3385 	struct net_device *netdev = NULL;
3386 	struct wireless_dev *wdev;
3387 	int result = 0, rem_txq_params = 0;
3388 	struct nlattr *nl_txq_params;
3389 	u32 changed;
3390 	u8 retry_short = 0, retry_long = 0;
3391 	u32 frag_threshold = 0, rts_threshold = 0;
3392 	u8 coverage_class = 0;
3393 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3394 
3395 	rtnl_lock();
3396 	/*
3397 	 * Try to find the wiphy and netdev. Normally this
3398 	 * function shouldn't need the netdev, but this is
3399 	 * done for backward compatibility -- previously
3400 	 * setting the channel was done per wiphy, but now
3401 	 * it is per netdev. Previous userland like hostapd
3402 	 * also passed a netdev to set_wiphy, so that it is
3403 	 * possible to let that go to the right netdev!
3404 	 */
3405 
3406 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3407 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3408 
3409 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3410 		if (netdev && netdev->ieee80211_ptr)
3411 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3412 		else
3413 			netdev = NULL;
3414 	}
3415 
3416 	if (!netdev) {
3417 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3418 						  info->attrs);
3419 		if (IS_ERR(rdev)) {
3420 			rtnl_unlock();
3421 			return PTR_ERR(rdev);
3422 		}
3423 		wdev = NULL;
3424 		netdev = NULL;
3425 		result = 0;
3426 	} else
3427 		wdev = netdev->ieee80211_ptr;
3428 
3429 	wiphy_lock(&rdev->wiphy);
3430 
3431 	/*
3432 	 * end workaround code, by now the rdev is available
3433 	 * and locked, and wdev may or may not be NULL.
3434 	 */
3435 
3436 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3437 		result = cfg80211_dev_rename(
3438 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3439 	rtnl_unlock();
3440 
3441 	if (result)
3442 		goto out;
3443 
3444 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3445 		struct ieee80211_txq_params txq_params;
3446 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3447 
3448 		if (!rdev->ops->set_txq_params) {
3449 			result = -EOPNOTSUPP;
3450 			goto out;
3451 		}
3452 
3453 		if (!netdev) {
3454 			result = -EINVAL;
3455 			goto out;
3456 		}
3457 
3458 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3459 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3460 			result = -EINVAL;
3461 			goto out;
3462 		}
3463 
3464 		if (!netif_running(netdev)) {
3465 			result = -ENETDOWN;
3466 			goto out;
3467 		}
3468 
3469 		nla_for_each_nested(nl_txq_params,
3470 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3471 				    rem_txq_params) {
3472 			result = nla_parse_nested_deprecated(tb,
3473 							     NL80211_TXQ_ATTR_MAX,
3474 							     nl_txq_params,
3475 							     txq_params_policy,
3476 							     info->extack);
3477 			if (result)
3478 				goto out;
3479 			result = parse_txq_params(tb, &txq_params);
3480 			if (result)
3481 				goto out;
3482 
3483 			txq_params.link_id =
3484 				nl80211_link_id_or_invalid(info->attrs);
3485 
3486 			wdev_lock(netdev->ieee80211_ptr);
3487 			if (txq_params.link_id >= 0 &&
3488 			    !(netdev->ieee80211_ptr->valid_links &
3489 			      BIT(txq_params.link_id)))
3490 				result = -ENOLINK;
3491 			else if (txq_params.link_id >= 0 &&
3492 				 !netdev->ieee80211_ptr->valid_links)
3493 				result = -EINVAL;
3494 			else
3495 				result = rdev_set_txq_params(rdev, netdev,
3496 							     &txq_params);
3497 			wdev_unlock(netdev->ieee80211_ptr);
3498 			if (result)
3499 				goto out;
3500 		}
3501 	}
3502 
3503 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3504 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3505 
3506 		if (wdev) {
3507 			wdev_lock(wdev);
3508 			result = __nl80211_set_channel(
3509 				rdev,
3510 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3511 				info, link_id);
3512 			wdev_unlock(wdev);
3513 		} else {
3514 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3515 		}
3516 
3517 		if (result)
3518 			goto out;
3519 	}
3520 
3521 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3522 		struct wireless_dev *txp_wdev = wdev;
3523 		enum nl80211_tx_power_setting type;
3524 		int idx, mbm = 0;
3525 
3526 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3527 			txp_wdev = NULL;
3528 
3529 		if (!rdev->ops->set_tx_power) {
3530 			result = -EOPNOTSUPP;
3531 			goto out;
3532 		}
3533 
3534 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3535 		type = nla_get_u32(info->attrs[idx]);
3536 
3537 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3538 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3539 			result = -EINVAL;
3540 			goto out;
3541 		}
3542 
3543 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3544 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3545 			mbm = nla_get_u32(info->attrs[idx]);
3546 		}
3547 
3548 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3549 		if (result)
3550 			goto out;
3551 	}
3552 
3553 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3554 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3555 		u32 tx_ant, rx_ant;
3556 
3557 		if ((!rdev->wiphy.available_antennas_tx &&
3558 		     !rdev->wiphy.available_antennas_rx) ||
3559 		    !rdev->ops->set_antenna) {
3560 			result = -EOPNOTSUPP;
3561 			goto out;
3562 		}
3563 
3564 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3565 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3566 
3567 		/* reject antenna configurations which don't match the
3568 		 * available antenna masks, except for the "all" mask */
3569 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3570 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3571 			result = -EINVAL;
3572 			goto out;
3573 		}
3574 
3575 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3576 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3577 
3578 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3579 		if (result)
3580 			goto out;
3581 	}
3582 
3583 	changed = 0;
3584 
3585 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3586 		retry_short = nla_get_u8(
3587 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3588 
3589 		changed |= WIPHY_PARAM_RETRY_SHORT;
3590 	}
3591 
3592 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3593 		retry_long = nla_get_u8(
3594 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3595 
3596 		changed |= WIPHY_PARAM_RETRY_LONG;
3597 	}
3598 
3599 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3600 		frag_threshold = nla_get_u32(
3601 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3602 		if (frag_threshold < 256) {
3603 			result = -EINVAL;
3604 			goto out;
3605 		}
3606 
3607 		if (frag_threshold != (u32) -1) {
3608 			/*
3609 			 * Fragments (apart from the last one) are required to
3610 			 * have even length. Make the fragmentation code
3611 			 * simpler by stripping LSB should someone try to use
3612 			 * odd threshold value.
3613 			 */
3614 			frag_threshold &= ~0x1;
3615 		}
3616 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3617 	}
3618 
3619 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3620 		rts_threshold = nla_get_u32(
3621 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3622 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3623 	}
3624 
3625 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3626 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3627 			result = -EINVAL;
3628 			goto out;
3629 		}
3630 
3631 		coverage_class = nla_get_u8(
3632 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3633 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3634 	}
3635 
3636 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3637 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3638 			result = -EOPNOTSUPP;
3639 			goto out;
3640 		}
3641 
3642 		changed |= WIPHY_PARAM_DYN_ACK;
3643 	}
3644 
3645 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3646 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3647 					     NL80211_EXT_FEATURE_TXQS)) {
3648 			result = -EOPNOTSUPP;
3649 			goto out;
3650 		}
3651 		txq_limit = nla_get_u32(
3652 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3653 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3654 	}
3655 
3656 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3657 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3658 					     NL80211_EXT_FEATURE_TXQS)) {
3659 			result = -EOPNOTSUPP;
3660 			goto out;
3661 		}
3662 		txq_memory_limit = nla_get_u32(
3663 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3664 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3665 	}
3666 
3667 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3668 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3669 					     NL80211_EXT_FEATURE_TXQS)) {
3670 			result = -EOPNOTSUPP;
3671 			goto out;
3672 		}
3673 		txq_quantum = nla_get_u32(
3674 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3675 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3676 	}
3677 
3678 	if (changed) {
3679 		u8 old_retry_short, old_retry_long;
3680 		u32 old_frag_threshold, old_rts_threshold;
3681 		u8 old_coverage_class;
3682 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3683 
3684 		if (!rdev->ops->set_wiphy_params) {
3685 			result = -EOPNOTSUPP;
3686 			goto out;
3687 		}
3688 
3689 		old_retry_short = rdev->wiphy.retry_short;
3690 		old_retry_long = rdev->wiphy.retry_long;
3691 		old_frag_threshold = rdev->wiphy.frag_threshold;
3692 		old_rts_threshold = rdev->wiphy.rts_threshold;
3693 		old_coverage_class = rdev->wiphy.coverage_class;
3694 		old_txq_limit = rdev->wiphy.txq_limit;
3695 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3696 		old_txq_quantum = rdev->wiphy.txq_quantum;
3697 
3698 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3699 			rdev->wiphy.retry_short = retry_short;
3700 		if (changed & WIPHY_PARAM_RETRY_LONG)
3701 			rdev->wiphy.retry_long = retry_long;
3702 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3703 			rdev->wiphy.frag_threshold = frag_threshold;
3704 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3705 			rdev->wiphy.rts_threshold = rts_threshold;
3706 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3707 			rdev->wiphy.coverage_class = coverage_class;
3708 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3709 			rdev->wiphy.txq_limit = txq_limit;
3710 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3711 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3712 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3713 			rdev->wiphy.txq_quantum = txq_quantum;
3714 
3715 		result = rdev_set_wiphy_params(rdev, changed);
3716 		if (result) {
3717 			rdev->wiphy.retry_short = old_retry_short;
3718 			rdev->wiphy.retry_long = old_retry_long;
3719 			rdev->wiphy.frag_threshold = old_frag_threshold;
3720 			rdev->wiphy.rts_threshold = old_rts_threshold;
3721 			rdev->wiphy.coverage_class = old_coverage_class;
3722 			rdev->wiphy.txq_limit = old_txq_limit;
3723 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3724 			rdev->wiphy.txq_quantum = old_txq_quantum;
3725 			goto out;
3726 		}
3727 	}
3728 
3729 	result = 0;
3730 
3731 out:
3732 	wiphy_unlock(&rdev->wiphy);
3733 	return result;
3734 }
3735 
3736 static int nl80211_send_chandef(struct sk_buff *msg,
3737 				const struct cfg80211_chan_def *chandef)
3738 {
3739 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3740 		return -EINVAL;
3741 
3742 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3743 			chandef->chan->center_freq))
3744 		return -ENOBUFS;
3745 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3746 			chandef->chan->freq_offset))
3747 		return -ENOBUFS;
3748 	switch (chandef->width) {
3749 	case NL80211_CHAN_WIDTH_20_NOHT:
3750 	case NL80211_CHAN_WIDTH_20:
3751 	case NL80211_CHAN_WIDTH_40:
3752 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3753 				cfg80211_get_chandef_type(chandef)))
3754 			return -ENOBUFS;
3755 		break;
3756 	default:
3757 		break;
3758 	}
3759 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3760 		return -ENOBUFS;
3761 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3762 		return -ENOBUFS;
3763 	if (chandef->center_freq2 &&
3764 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3765 		return -ENOBUFS;
3766 	return 0;
3767 }
3768 
3769 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3770 			      struct cfg80211_registered_device *rdev,
3771 			      struct wireless_dev *wdev,
3772 			      enum nl80211_commands cmd)
3773 {
3774 	struct net_device *dev = wdev->netdev;
3775 	void *hdr;
3776 
3777 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3778 		cmd != NL80211_CMD_DEL_INTERFACE &&
3779 		cmd != NL80211_CMD_SET_INTERFACE);
3780 
3781 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3782 	if (!hdr)
3783 		return -1;
3784 
3785 	if (dev &&
3786 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3787 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3788 		goto nla_put_failure;
3789 
3790 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3791 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3792 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3793 			      NL80211_ATTR_PAD) ||
3794 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3795 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3796 			rdev->devlist_generation ^
3797 			(cfg80211_rdev_list_generation << 2)) ||
3798 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3799 		goto nla_put_failure;
3800 
3801 	if (rdev->ops->get_channel && !wdev->valid_links) {
3802 		struct cfg80211_chan_def chandef = {};
3803 		int ret;
3804 
3805 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3806 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3807 			goto nla_put_failure;
3808 	}
3809 
3810 	if (rdev->ops->get_tx_power) {
3811 		int dbm, ret;
3812 
3813 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3814 		if (ret == 0 &&
3815 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3816 				DBM_TO_MBM(dbm)))
3817 			goto nla_put_failure;
3818 	}
3819 
3820 	wdev_lock(wdev);
3821 	switch (wdev->iftype) {
3822 	case NL80211_IFTYPE_AP:
3823 	case NL80211_IFTYPE_P2P_GO:
3824 		if (wdev->u.ap.ssid_len &&
3825 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3826 			    wdev->u.ap.ssid))
3827 			goto nla_put_failure_locked;
3828 		break;
3829 	case NL80211_IFTYPE_STATION:
3830 	case NL80211_IFTYPE_P2P_CLIENT:
3831 		if (wdev->u.client.ssid_len &&
3832 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3833 			    wdev->u.client.ssid))
3834 			goto nla_put_failure_locked;
3835 		break;
3836 	case NL80211_IFTYPE_ADHOC:
3837 		if (wdev->u.ibss.ssid_len &&
3838 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3839 			    wdev->u.ibss.ssid))
3840 			goto nla_put_failure_locked;
3841 		break;
3842 	default:
3843 		/* nothing */
3844 		break;
3845 	}
3846 	wdev_unlock(wdev);
3847 
3848 	if (rdev->ops->get_txq_stats) {
3849 		struct cfg80211_txq_stats txqstats = {};
3850 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3851 
3852 		if (ret == 0 &&
3853 		    !nl80211_put_txq_stats(msg, &txqstats,
3854 					   NL80211_ATTR_TXQ_STATS))
3855 			goto nla_put_failure;
3856 	}
3857 
3858 	if (wdev->valid_links) {
3859 		unsigned int link_id;
3860 		struct nlattr *links = nla_nest_start(msg,
3861 						      NL80211_ATTR_MLO_LINKS);
3862 
3863 		if (!links)
3864 			goto nla_put_failure;
3865 
3866 		for_each_valid_link(wdev, link_id) {
3867 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3868 			struct cfg80211_chan_def chandef = {};
3869 			int ret;
3870 
3871 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3872 				goto nla_put_failure;
3873 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3874 				    wdev->links[link_id].addr))
3875 				goto nla_put_failure;
3876 
3877 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3878 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3879 				goto nla_put_failure;
3880 
3881 			nla_nest_end(msg, link);
3882 		}
3883 
3884 		nla_nest_end(msg, links);
3885 	}
3886 
3887 	genlmsg_end(msg, hdr);
3888 	return 0;
3889 
3890  nla_put_failure_locked:
3891 	wdev_unlock(wdev);
3892  nla_put_failure:
3893 	genlmsg_cancel(msg, hdr);
3894 	return -EMSGSIZE;
3895 }
3896 
3897 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3898 {
3899 	int wp_idx = 0;
3900 	int if_idx = 0;
3901 	int wp_start = cb->args[0];
3902 	int if_start = cb->args[1];
3903 	int filter_wiphy = -1;
3904 	struct cfg80211_registered_device *rdev;
3905 	struct wireless_dev *wdev;
3906 	int ret;
3907 
3908 	rtnl_lock();
3909 	if (!cb->args[2]) {
3910 		struct nl80211_dump_wiphy_state state = {
3911 			.filter_wiphy = -1,
3912 		};
3913 
3914 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3915 		if (ret)
3916 			goto out_unlock;
3917 
3918 		filter_wiphy = state.filter_wiphy;
3919 
3920 		/*
3921 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3922 		 * value needed to determine that parsing is necessary.
3923 		 */
3924 		if (filter_wiphy >= 0)
3925 			cb->args[2] = filter_wiphy + 1;
3926 		else
3927 			cb->args[2] = -1;
3928 	} else if (cb->args[2] > 0) {
3929 		filter_wiphy = cb->args[2] - 1;
3930 	}
3931 
3932 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3933 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3934 			continue;
3935 		if (wp_idx < wp_start) {
3936 			wp_idx++;
3937 			continue;
3938 		}
3939 
3940 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3941 			continue;
3942 
3943 		if_idx = 0;
3944 
3945 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3946 			if (if_idx < if_start) {
3947 				if_idx++;
3948 				continue;
3949 			}
3950 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3951 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3952 					       rdev, wdev,
3953 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3954 				goto out;
3955 			}
3956 			if_idx++;
3957 		}
3958 
3959 		wp_idx++;
3960 	}
3961  out:
3962 	cb->args[0] = wp_idx;
3963 	cb->args[1] = if_idx;
3964 
3965 	ret = skb->len;
3966  out_unlock:
3967 	rtnl_unlock();
3968 
3969 	return ret;
3970 }
3971 
3972 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3973 {
3974 	struct sk_buff *msg;
3975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3976 	struct wireless_dev *wdev = info->user_ptr[1];
3977 
3978 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3979 	if (!msg)
3980 		return -ENOMEM;
3981 
3982 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3983 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3984 		nlmsg_free(msg);
3985 		return -ENOBUFS;
3986 	}
3987 
3988 	return genlmsg_reply(msg, info);
3989 }
3990 
3991 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3992 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3993 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3994 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3995 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3996 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3997 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3998 };
3999 
4000 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4001 {
4002 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4003 	int flag;
4004 
4005 	*mntrflags = 0;
4006 
4007 	if (!nla)
4008 		return -EINVAL;
4009 
4010 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4011 		return -EINVAL;
4012 
4013 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4014 		if (flags[flag])
4015 			*mntrflags |= (1<<flag);
4016 
4017 	*mntrflags |= MONITOR_FLAG_CHANGED;
4018 
4019 	return 0;
4020 }
4021 
4022 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4023 				     enum nl80211_iftype type,
4024 				     struct genl_info *info,
4025 				     struct vif_params *params)
4026 {
4027 	bool change = false;
4028 	int err;
4029 
4030 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4031 		if (type != NL80211_IFTYPE_MONITOR)
4032 			return -EINVAL;
4033 
4034 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4035 					  &params->flags);
4036 		if (err)
4037 			return err;
4038 
4039 		change = true;
4040 	}
4041 
4042 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4043 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4044 		return -EOPNOTSUPP;
4045 
4046 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4047 		const u8 *mumimo_groups;
4048 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4049 
4050 		if (type != NL80211_IFTYPE_MONITOR)
4051 			return -EINVAL;
4052 
4053 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4054 			return -EOPNOTSUPP;
4055 
4056 		mumimo_groups =
4057 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4058 
4059 		/* bits 0 and 63 are reserved and must be zero */
4060 		if ((mumimo_groups[0] & BIT(0)) ||
4061 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4062 			return -EINVAL;
4063 
4064 		params->vht_mumimo_groups = mumimo_groups;
4065 		change = true;
4066 	}
4067 
4068 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4069 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4070 
4071 		if (type != NL80211_IFTYPE_MONITOR)
4072 			return -EINVAL;
4073 
4074 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4075 			return -EOPNOTSUPP;
4076 
4077 		params->vht_mumimo_follow_addr =
4078 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4079 		change = true;
4080 	}
4081 
4082 	return change ? 1 : 0;
4083 }
4084 
4085 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4086 			       struct net_device *netdev, u8 use_4addr,
4087 			       enum nl80211_iftype iftype)
4088 {
4089 	if (!use_4addr) {
4090 		if (netdev && netif_is_bridge_port(netdev))
4091 			return -EBUSY;
4092 		return 0;
4093 	}
4094 
4095 	switch (iftype) {
4096 	case NL80211_IFTYPE_AP_VLAN:
4097 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4098 			return 0;
4099 		break;
4100 	case NL80211_IFTYPE_STATION:
4101 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4102 			return 0;
4103 		break;
4104 	default:
4105 		break;
4106 	}
4107 
4108 	return -EOPNOTSUPP;
4109 }
4110 
4111 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4112 {
4113 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4114 	struct vif_params params;
4115 	int err;
4116 	enum nl80211_iftype otype, ntype;
4117 	struct net_device *dev = info->user_ptr[1];
4118 	bool change = false;
4119 
4120 	memset(&params, 0, sizeof(params));
4121 
4122 	otype = ntype = dev->ieee80211_ptr->iftype;
4123 
4124 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4125 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4126 		if (otype != ntype)
4127 			change = true;
4128 	}
4129 
4130 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4131 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4132 
4133 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4134 			return -EINVAL;
4135 		if (netif_running(dev))
4136 			return -EBUSY;
4137 
4138 		wdev_lock(wdev);
4139 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4140 			     IEEE80211_MAX_MESH_ID_LEN);
4141 		wdev->u.mesh.id_up_len =
4142 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4143 		memcpy(wdev->u.mesh.id,
4144 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4145 		       wdev->u.mesh.id_up_len);
4146 		wdev_unlock(wdev);
4147 	}
4148 
4149 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4150 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4151 		change = true;
4152 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4153 		if (err)
4154 			return err;
4155 	} else {
4156 		params.use_4addr = -1;
4157 	}
4158 
4159 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4160 	if (err < 0)
4161 		return err;
4162 	if (err > 0)
4163 		change = true;
4164 
4165 	if (change)
4166 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4167 	else
4168 		err = 0;
4169 
4170 	if (!err && params.use_4addr != -1)
4171 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4172 
4173 	if (change && !err) {
4174 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4175 
4176 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4177 	}
4178 
4179 	return err;
4180 }
4181 
4182 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4183 {
4184 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4185 	struct vif_params params;
4186 	struct wireless_dev *wdev;
4187 	struct sk_buff *msg;
4188 	int err;
4189 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4190 
4191 	memset(&params, 0, sizeof(params));
4192 
4193 	if (!info->attrs[NL80211_ATTR_IFNAME])
4194 		return -EINVAL;
4195 
4196 	if (info->attrs[NL80211_ATTR_IFTYPE])
4197 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4198 
4199 	if (!rdev->ops->add_virtual_intf)
4200 		return -EOPNOTSUPP;
4201 
4202 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4203 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4204 	    info->attrs[NL80211_ATTR_MAC]) {
4205 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4206 			   ETH_ALEN);
4207 		if (!is_valid_ether_addr(params.macaddr))
4208 			return -EADDRNOTAVAIL;
4209 	}
4210 
4211 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4212 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4213 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4214 		if (err)
4215 			return err;
4216 	}
4217 
4218 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4219 		return -EOPNOTSUPP;
4220 
4221 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4222 	if (err < 0)
4223 		return err;
4224 
4225 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4226 	if (!msg)
4227 		return -ENOMEM;
4228 
4229 	wdev = rdev_add_virtual_intf(rdev,
4230 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4231 				NET_NAME_USER, type, &params);
4232 	if (WARN_ON(!wdev)) {
4233 		nlmsg_free(msg);
4234 		return -EPROTO;
4235 	} else if (IS_ERR(wdev)) {
4236 		nlmsg_free(msg);
4237 		return PTR_ERR(wdev);
4238 	}
4239 
4240 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4241 		wdev->owner_nlportid = info->snd_portid;
4242 
4243 	switch (type) {
4244 	case NL80211_IFTYPE_MESH_POINT:
4245 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4246 			break;
4247 		wdev_lock(wdev);
4248 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4249 			     IEEE80211_MAX_MESH_ID_LEN);
4250 		wdev->u.mesh.id_up_len =
4251 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4252 		memcpy(wdev->u.mesh.id,
4253 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4254 		       wdev->u.mesh.id_up_len);
4255 		wdev_unlock(wdev);
4256 		break;
4257 	case NL80211_IFTYPE_NAN:
4258 	case NL80211_IFTYPE_P2P_DEVICE:
4259 		/*
4260 		 * P2P Device and NAN do not have a netdev, so don't go
4261 		 * through the netdev notifier and must be added here
4262 		 */
4263 		cfg80211_init_wdev(wdev);
4264 		cfg80211_register_wdev(rdev, wdev);
4265 		break;
4266 	default:
4267 		break;
4268 	}
4269 
4270 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4271 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4272 		nlmsg_free(msg);
4273 		return -ENOBUFS;
4274 	}
4275 
4276 	return genlmsg_reply(msg, info);
4277 }
4278 
4279 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4280 {
4281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4282 	int ret;
4283 
4284 	/* to avoid failing a new interface creation due to pending removal */
4285 	cfg80211_destroy_ifaces(rdev);
4286 
4287 	wiphy_lock(&rdev->wiphy);
4288 	ret = _nl80211_new_interface(skb, info);
4289 	wiphy_unlock(&rdev->wiphy);
4290 
4291 	return ret;
4292 }
4293 
4294 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4295 {
4296 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4297 	struct wireless_dev *wdev = info->user_ptr[1];
4298 
4299 	if (!rdev->ops->del_virtual_intf)
4300 		return -EOPNOTSUPP;
4301 
4302 	/*
4303 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4304 	 * reach 0, and thus the rdev cannot be deleted.
4305 	 *
4306 	 * We need to do it for the dev_close(), since that will call
4307 	 * the netdev notifiers, and we need to acquire the mutex there
4308 	 * but don't know if we get there from here or from some other
4309 	 * place (e.g. "ip link set ... down").
4310 	 */
4311 	mutex_unlock(&rdev->wiphy.mtx);
4312 
4313 	/*
4314 	 * If we remove a wireless device without a netdev then clear
4315 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4316 	 * to check if it needs to do dev_put(). Otherwise it crashes
4317 	 * since the wdev has been freed, unlike with a netdev where
4318 	 * we need the dev_put() for the netdev to really be freed.
4319 	 */
4320 	if (!wdev->netdev)
4321 		info->user_ptr[1] = NULL;
4322 	else
4323 		dev_close(wdev->netdev);
4324 
4325 	mutex_lock(&rdev->wiphy.mtx);
4326 
4327 	return cfg80211_remove_virtual_intf(rdev, wdev);
4328 }
4329 
4330 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4331 {
4332 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4333 	struct net_device *dev = info->user_ptr[1];
4334 	u16 noack_map;
4335 
4336 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4337 		return -EINVAL;
4338 
4339 	if (!rdev->ops->set_noack_map)
4340 		return -EOPNOTSUPP;
4341 
4342 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4343 
4344 	return rdev_set_noack_map(rdev, dev, noack_map);
4345 }
4346 
4347 static int nl80211_validate_key_link_id(struct genl_info *info,
4348 					struct wireless_dev *wdev,
4349 					int link_id, bool pairwise)
4350 {
4351 	if (pairwise) {
4352 		if (link_id != -1) {
4353 			GENL_SET_ERR_MSG(info,
4354 					 "link ID not allowed for pairwise key");
4355 			return -EINVAL;
4356 		}
4357 
4358 		return 0;
4359 	}
4360 
4361 	if (wdev->valid_links) {
4362 		if (link_id == -1) {
4363 			GENL_SET_ERR_MSG(info,
4364 					 "link ID must for MLO group key");
4365 			return -EINVAL;
4366 		}
4367 		if (!(wdev->valid_links & BIT(link_id))) {
4368 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4369 			return -EINVAL;
4370 		}
4371 	} else if (link_id != -1) {
4372 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4373 		return -EINVAL;
4374 	}
4375 
4376 	return 0;
4377 }
4378 
4379 struct get_key_cookie {
4380 	struct sk_buff *msg;
4381 	int error;
4382 	int idx;
4383 };
4384 
4385 static void get_key_callback(void *c, struct key_params *params)
4386 {
4387 	struct nlattr *key;
4388 	struct get_key_cookie *cookie = c;
4389 
4390 	if ((params->key &&
4391 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4392 		     params->key_len, params->key)) ||
4393 	    (params->seq &&
4394 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4395 		     params->seq_len, params->seq)) ||
4396 	    (params->cipher &&
4397 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4398 			 params->cipher)))
4399 		goto nla_put_failure;
4400 
4401 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4402 	if (!key)
4403 		goto nla_put_failure;
4404 
4405 	if ((params->key &&
4406 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4407 		     params->key_len, params->key)) ||
4408 	    (params->seq &&
4409 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4410 		     params->seq_len, params->seq)) ||
4411 	    (params->cipher &&
4412 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4413 			 params->cipher)))
4414 		goto nla_put_failure;
4415 
4416 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4417 		goto nla_put_failure;
4418 
4419 	nla_nest_end(cookie->msg, key);
4420 
4421 	return;
4422  nla_put_failure:
4423 	cookie->error = 1;
4424 }
4425 
4426 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4427 {
4428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4429 	int err;
4430 	struct net_device *dev = info->user_ptr[1];
4431 	u8 key_idx = 0;
4432 	const u8 *mac_addr = NULL;
4433 	bool pairwise;
4434 	struct get_key_cookie cookie = {
4435 		.error = 0,
4436 	};
4437 	void *hdr;
4438 	struct sk_buff *msg;
4439 	bool bigtk_support = false;
4440 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4441 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4442 
4443 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4444 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4445 		bigtk_support = true;
4446 
4447 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4448 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4449 	    wiphy_ext_feature_isset(&rdev->wiphy,
4450 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4451 		bigtk_support = true;
4452 
4453 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4454 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4455 
4456 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4457 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4458 			return -EINVAL;
4459 		}
4460 	}
4461 
4462 	if (info->attrs[NL80211_ATTR_MAC])
4463 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4464 
4465 	pairwise = !!mac_addr;
4466 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4467 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4468 
4469 		if (kt != NL80211_KEYTYPE_GROUP &&
4470 		    kt != NL80211_KEYTYPE_PAIRWISE)
4471 			return -EINVAL;
4472 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4473 	}
4474 
4475 	if (!rdev->ops->get_key)
4476 		return -EOPNOTSUPP;
4477 
4478 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4479 		return -ENOENT;
4480 
4481 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4482 	if (!msg)
4483 		return -ENOMEM;
4484 
4485 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4486 			     NL80211_CMD_NEW_KEY);
4487 	if (!hdr)
4488 		goto nla_put_failure;
4489 
4490 	cookie.msg = msg;
4491 	cookie.idx = key_idx;
4492 
4493 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4494 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4495 		goto nla_put_failure;
4496 	if (mac_addr &&
4497 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4498 		goto nla_put_failure;
4499 
4500 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4501 	if (err)
4502 		goto free_msg;
4503 
4504 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4505 			   &cookie, get_key_callback);
4506 
4507 	if (err)
4508 		goto free_msg;
4509 
4510 	if (cookie.error)
4511 		goto nla_put_failure;
4512 
4513 	genlmsg_end(msg, hdr);
4514 	return genlmsg_reply(msg, info);
4515 
4516  nla_put_failure:
4517 	err = -ENOBUFS;
4518  free_msg:
4519 	nlmsg_free(msg);
4520 	return err;
4521 }
4522 
4523 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4524 {
4525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4526 	struct key_parse key;
4527 	int err;
4528 	struct net_device *dev = info->user_ptr[1];
4529 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4530 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4531 
4532 	err = nl80211_parse_key(info, &key);
4533 	if (err)
4534 		return err;
4535 
4536 	if (key.idx < 0)
4537 		return -EINVAL;
4538 
4539 	/* Only support setting default key and
4540 	 * Extended Key ID action NL80211_KEY_SET_TX.
4541 	 */
4542 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4543 	    !(key.p.mode == NL80211_KEY_SET_TX))
4544 		return -EINVAL;
4545 
4546 	wdev_lock(wdev);
4547 
4548 	if (key.def) {
4549 		if (!rdev->ops->set_default_key) {
4550 			err = -EOPNOTSUPP;
4551 			goto out;
4552 		}
4553 
4554 		err = nl80211_key_allowed(wdev);
4555 		if (err)
4556 			goto out;
4557 
4558 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4559 		if (err)
4560 			goto out;
4561 
4562 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4563 					   key.def_uni, key.def_multi);
4564 
4565 		if (err)
4566 			goto out;
4567 
4568 #ifdef CONFIG_CFG80211_WEXT
4569 		wdev->wext.default_key = key.idx;
4570 #endif
4571 	} else if (key.defmgmt) {
4572 		if (key.def_uni || !key.def_multi) {
4573 			err = -EINVAL;
4574 			goto out;
4575 		}
4576 
4577 		if (!rdev->ops->set_default_mgmt_key) {
4578 			err = -EOPNOTSUPP;
4579 			goto out;
4580 		}
4581 
4582 		err = nl80211_key_allowed(wdev);
4583 		if (err)
4584 			goto out;
4585 
4586 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4587 		if (err)
4588 			goto out;
4589 
4590 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4591 		if (err)
4592 			goto out;
4593 
4594 #ifdef CONFIG_CFG80211_WEXT
4595 		wdev->wext.default_mgmt_key = key.idx;
4596 #endif
4597 	} else if (key.defbeacon) {
4598 		if (key.def_uni || !key.def_multi) {
4599 			err = -EINVAL;
4600 			goto out;
4601 		}
4602 
4603 		if (!rdev->ops->set_default_beacon_key) {
4604 			err = -EOPNOTSUPP;
4605 			goto out;
4606 		}
4607 
4608 		err = nl80211_key_allowed(wdev);
4609 		if (err)
4610 			goto out;
4611 
4612 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4613 		if (err)
4614 			goto out;
4615 
4616 		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4617 		if (err)
4618 			goto out;
4619 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4620 		   wiphy_ext_feature_isset(&rdev->wiphy,
4621 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4622 		u8 *mac_addr = NULL;
4623 
4624 		if (info->attrs[NL80211_ATTR_MAC])
4625 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4626 
4627 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4628 			err = -EINVAL;
4629 			goto out;
4630 		}
4631 
4632 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4633 		if (err)
4634 			goto out;
4635 
4636 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4637 				   NL80211_KEYTYPE_PAIRWISE,
4638 				   mac_addr, &key.p);
4639 	} else {
4640 		err = -EINVAL;
4641 	}
4642  out:
4643 	wdev_unlock(wdev);
4644 
4645 	return err;
4646 }
4647 
4648 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4649 {
4650 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4651 	int err;
4652 	struct net_device *dev = info->user_ptr[1];
4653 	struct key_parse key;
4654 	const u8 *mac_addr = NULL;
4655 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4656 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4657 
4658 	err = nl80211_parse_key(info, &key);
4659 	if (err)
4660 		return err;
4661 
4662 	if (!key.p.key) {
4663 		GENL_SET_ERR_MSG(info, "no key");
4664 		return -EINVAL;
4665 	}
4666 
4667 	if (info->attrs[NL80211_ATTR_MAC])
4668 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4669 
4670 	if (key.type == -1) {
4671 		if (mac_addr)
4672 			key.type = NL80211_KEYTYPE_PAIRWISE;
4673 		else
4674 			key.type = NL80211_KEYTYPE_GROUP;
4675 	}
4676 
4677 	/* for now */
4678 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4679 	    key.type != NL80211_KEYTYPE_GROUP) {
4680 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4681 		return -EINVAL;
4682 	}
4683 
4684 	if (key.type == NL80211_KEYTYPE_GROUP &&
4685 	    info->attrs[NL80211_ATTR_VLAN_ID])
4686 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4687 
4688 	if (!rdev->ops->add_key)
4689 		return -EOPNOTSUPP;
4690 
4691 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4692 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4693 					   mac_addr)) {
4694 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4695 		return -EINVAL;
4696 	}
4697 
4698 	wdev_lock(wdev);
4699 	err = nl80211_key_allowed(wdev);
4700 	if (err)
4701 		GENL_SET_ERR_MSG(info, "key not allowed");
4702 
4703 	if (!err)
4704 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4705 				key.type == NL80211_KEYTYPE_PAIRWISE);
4706 
4707 	if (!err) {
4708 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4709 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4710 				    mac_addr, &key.p);
4711 		if (err)
4712 			GENL_SET_ERR_MSG(info, "key addition failed");
4713 	}
4714 	wdev_unlock(wdev);
4715 
4716 	return err;
4717 }
4718 
4719 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4720 {
4721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4722 	int err;
4723 	struct net_device *dev = info->user_ptr[1];
4724 	u8 *mac_addr = NULL;
4725 	struct key_parse key;
4726 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4727 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4728 
4729 	err = nl80211_parse_key(info, &key);
4730 	if (err)
4731 		return err;
4732 
4733 	if (info->attrs[NL80211_ATTR_MAC])
4734 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4735 
4736 	if (key.type == -1) {
4737 		if (mac_addr)
4738 			key.type = NL80211_KEYTYPE_PAIRWISE;
4739 		else
4740 			key.type = NL80211_KEYTYPE_GROUP;
4741 	}
4742 
4743 	/* for now */
4744 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4745 	    key.type != NL80211_KEYTYPE_GROUP)
4746 		return -EINVAL;
4747 
4748 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4749 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4750 		return -EINVAL;
4751 
4752 	if (!rdev->ops->del_key)
4753 		return -EOPNOTSUPP;
4754 
4755 	wdev_lock(wdev);
4756 	err = nl80211_key_allowed(wdev);
4757 
4758 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4759 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4760 		err = -ENOENT;
4761 
4762 	if (!err)
4763 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4764 				key.type == NL80211_KEYTYPE_PAIRWISE);
4765 
4766 	if (!err)
4767 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4768 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4769 				   mac_addr);
4770 
4771 #ifdef CONFIG_CFG80211_WEXT
4772 	if (!err) {
4773 		if (key.idx == wdev->wext.default_key)
4774 			wdev->wext.default_key = -1;
4775 		else if (key.idx == wdev->wext.default_mgmt_key)
4776 			wdev->wext.default_mgmt_key = -1;
4777 	}
4778 #endif
4779 	wdev_unlock(wdev);
4780 
4781 	return err;
4782 }
4783 
4784 /* This function returns an error or the number of nested attributes */
4785 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4786 {
4787 	struct nlattr *attr;
4788 	int n_entries = 0, tmp;
4789 
4790 	nla_for_each_nested(attr, nl_attr, tmp) {
4791 		if (nla_len(attr) != ETH_ALEN)
4792 			return -EINVAL;
4793 
4794 		n_entries++;
4795 	}
4796 
4797 	return n_entries;
4798 }
4799 
4800 /*
4801  * This function parses ACL information and allocates memory for ACL data.
4802  * On successful return, the calling function is responsible to free the
4803  * ACL buffer returned by this function.
4804  */
4805 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4806 						struct genl_info *info)
4807 {
4808 	enum nl80211_acl_policy acl_policy;
4809 	struct nlattr *attr;
4810 	struct cfg80211_acl_data *acl;
4811 	int i = 0, n_entries, tmp;
4812 
4813 	if (!wiphy->max_acl_mac_addrs)
4814 		return ERR_PTR(-EOPNOTSUPP);
4815 
4816 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4817 		return ERR_PTR(-EINVAL);
4818 
4819 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4820 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4821 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4822 		return ERR_PTR(-EINVAL);
4823 
4824 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4825 		return ERR_PTR(-EINVAL);
4826 
4827 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4828 	if (n_entries < 0)
4829 		return ERR_PTR(n_entries);
4830 
4831 	if (n_entries > wiphy->max_acl_mac_addrs)
4832 		return ERR_PTR(-ENOTSUPP);
4833 
4834 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4835 	if (!acl)
4836 		return ERR_PTR(-ENOMEM);
4837 
4838 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4839 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4840 		i++;
4841 	}
4842 
4843 	acl->n_acl_entries = n_entries;
4844 	acl->acl_policy = acl_policy;
4845 
4846 	return acl;
4847 }
4848 
4849 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4850 {
4851 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4852 	struct net_device *dev = info->user_ptr[1];
4853 	struct cfg80211_acl_data *acl;
4854 	int err;
4855 
4856 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4857 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4858 		return -EOPNOTSUPP;
4859 
4860 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4861 		return -EINVAL;
4862 
4863 	acl = parse_acl_data(&rdev->wiphy, info);
4864 	if (IS_ERR(acl))
4865 		return PTR_ERR(acl);
4866 
4867 	err = rdev_set_mac_acl(rdev, dev, acl);
4868 
4869 	kfree(acl);
4870 
4871 	return err;
4872 }
4873 
4874 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4875 			   u8 *rates, u8 rates_len)
4876 {
4877 	u8 i;
4878 	u32 mask = 0;
4879 
4880 	for (i = 0; i < rates_len; i++) {
4881 		int rate = (rates[i] & 0x7f) * 5;
4882 		int ridx;
4883 
4884 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4885 			struct ieee80211_rate *srate =
4886 				&sband->bitrates[ridx];
4887 			if (rate == srate->bitrate) {
4888 				mask |= 1 << ridx;
4889 				break;
4890 			}
4891 		}
4892 		if (ridx == sband->n_bitrates)
4893 			return 0; /* rate not found */
4894 	}
4895 
4896 	return mask;
4897 }
4898 
4899 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4900 			       u8 *rates, u8 rates_len,
4901 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4902 {
4903 	u8 i;
4904 
4905 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4906 
4907 	for (i = 0; i < rates_len; i++) {
4908 		int ridx, rbit;
4909 
4910 		ridx = rates[i] / 8;
4911 		rbit = BIT(rates[i] % 8);
4912 
4913 		/* check validity */
4914 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4915 			return false;
4916 
4917 		/* check availability */
4918 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4919 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4920 			mcs[ridx] |= rbit;
4921 		else
4922 			return false;
4923 	}
4924 
4925 	return true;
4926 }
4927 
4928 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4929 {
4930 	u16 mcs_mask = 0;
4931 
4932 	switch (vht_mcs_map) {
4933 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4934 		break;
4935 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4936 		mcs_mask = 0x00FF;
4937 		break;
4938 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4939 		mcs_mask = 0x01FF;
4940 		break;
4941 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4942 		mcs_mask = 0x03FF;
4943 		break;
4944 	default:
4945 		break;
4946 	}
4947 
4948 	return mcs_mask;
4949 }
4950 
4951 static void vht_build_mcs_mask(u16 vht_mcs_map,
4952 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4953 {
4954 	u8 nss;
4955 
4956 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4957 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4958 		vht_mcs_map >>= 2;
4959 	}
4960 }
4961 
4962 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4963 			     struct nl80211_txrate_vht *txrate,
4964 			     u16 mcs[NL80211_VHT_NSS_MAX])
4965 {
4966 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4967 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4968 	u8 i;
4969 
4970 	if (!sband->vht_cap.vht_supported)
4971 		return false;
4972 
4973 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4974 
4975 	/* Build vht_mcs_mask from VHT capabilities */
4976 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4977 
4978 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4979 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4980 			mcs[i] = txrate->mcs[i];
4981 		else
4982 			return false;
4983 	}
4984 
4985 	return true;
4986 }
4987 
4988 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4989 {
4990 	switch (he_mcs_map) {
4991 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4992 		return 0;
4993 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4994 		return 0x00FF;
4995 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4996 		return 0x03FF;
4997 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4998 		return 0xFFF;
4999 	default:
5000 		break;
5001 	}
5002 	return 0;
5003 }
5004 
5005 static void he_build_mcs_mask(u16 he_mcs_map,
5006 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5007 {
5008 	u8 nss;
5009 
5010 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5011 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5012 		he_mcs_map >>= 2;
5013 	}
5014 }
5015 
5016 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5017 			   const struct ieee80211_sta_he_cap *he_cap)
5018 {
5019 	struct net_device *dev = info->user_ptr[1];
5020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5021 	struct cfg80211_chan_def *chandef;
5022 	__le16 tx_mcs;
5023 
5024 	chandef = wdev_chandef(wdev, link_id);
5025 	if (!chandef) {
5026 		/*
5027 		 * This is probably broken, but we never maintained
5028 		 * a chandef in these cases, so it always was.
5029 		 */
5030 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5031 	}
5032 
5033 	switch (chandef->width) {
5034 	case NL80211_CHAN_WIDTH_80P80:
5035 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5036 		break;
5037 	case NL80211_CHAN_WIDTH_160:
5038 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5039 		break;
5040 	default:
5041 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5042 		break;
5043 	}
5044 
5045 	return le16_to_cpu(tx_mcs);
5046 }
5047 
5048 static bool he_set_mcs_mask(struct genl_info *info,
5049 			    struct wireless_dev *wdev,
5050 			    struct ieee80211_supported_band *sband,
5051 			    struct nl80211_txrate_he *txrate,
5052 			    u16 mcs[NL80211_HE_NSS_MAX],
5053 			    unsigned int link_id)
5054 {
5055 	const struct ieee80211_sta_he_cap *he_cap;
5056 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5057 	u16 tx_mcs_map = 0;
5058 	u8 i;
5059 
5060 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5061 	if (!he_cap)
5062 		return false;
5063 
5064 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5065 
5066 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5067 
5068 	/* Build he_mcs_mask from HE capabilities */
5069 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5070 
5071 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5072 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5073 			mcs[i] = txrate->mcs[i];
5074 		else
5075 			return false;
5076 	}
5077 
5078 	return true;
5079 }
5080 
5081 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5082 					 struct nlattr *attrs[],
5083 					 enum nl80211_attrs attr,
5084 					 struct cfg80211_bitrate_mask *mask,
5085 					 struct net_device *dev,
5086 					 bool default_all_enabled,
5087 					 unsigned int link_id)
5088 {
5089 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5090 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5091 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5092 	int rem, i;
5093 	struct nlattr *tx_rates;
5094 	struct ieee80211_supported_band *sband;
5095 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5096 
5097 	memset(mask, 0, sizeof(*mask));
5098 	/* Default to all rates enabled */
5099 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5100 		const struct ieee80211_sta_he_cap *he_cap;
5101 
5102 		if (!default_all_enabled)
5103 			break;
5104 
5105 		sband = rdev->wiphy.bands[i];
5106 
5107 		if (!sband)
5108 			continue;
5109 
5110 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5111 		memcpy(mask->control[i].ht_mcs,
5112 		       sband->ht_cap.mcs.rx_mask,
5113 		       sizeof(mask->control[i].ht_mcs));
5114 
5115 		if (sband->vht_cap.vht_supported) {
5116 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5117 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5118 		}
5119 
5120 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5121 		if (!he_cap)
5122 			continue;
5123 
5124 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5125 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5126 
5127 		mask->control[i].he_gi = 0xFF;
5128 		mask->control[i].he_ltf = 0xFF;
5129 	}
5130 
5131 	/* if no rates are given set it back to the defaults */
5132 	if (!attrs[attr])
5133 		goto out;
5134 
5135 	/* The nested attribute uses enum nl80211_band as the index. This maps
5136 	 * directly to the enum nl80211_band values used in cfg80211.
5137 	 */
5138 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5139 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5140 		enum nl80211_band band = nla_type(tx_rates);
5141 		int err;
5142 
5143 		if (band < 0 || band >= NUM_NL80211_BANDS)
5144 			return -EINVAL;
5145 		sband = rdev->wiphy.bands[band];
5146 		if (sband == NULL)
5147 			return -EINVAL;
5148 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5149 						  tx_rates,
5150 						  nl80211_txattr_policy,
5151 						  info->extack);
5152 		if (err)
5153 			return err;
5154 		if (tb[NL80211_TXRATE_LEGACY]) {
5155 			mask->control[band].legacy = rateset_to_mask(
5156 				sband,
5157 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5158 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5159 			if ((mask->control[band].legacy == 0) &&
5160 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5161 				return -EINVAL;
5162 		}
5163 		if (tb[NL80211_TXRATE_HT]) {
5164 			if (!ht_rateset_to_mask(
5165 					sband,
5166 					nla_data(tb[NL80211_TXRATE_HT]),
5167 					nla_len(tb[NL80211_TXRATE_HT]),
5168 					mask->control[band].ht_mcs))
5169 				return -EINVAL;
5170 		}
5171 
5172 		if (tb[NL80211_TXRATE_VHT]) {
5173 			if (!vht_set_mcs_mask(
5174 					sband,
5175 					nla_data(tb[NL80211_TXRATE_VHT]),
5176 					mask->control[band].vht_mcs))
5177 				return -EINVAL;
5178 		}
5179 
5180 		if (tb[NL80211_TXRATE_GI]) {
5181 			mask->control[band].gi =
5182 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5183 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5184 				return -EINVAL;
5185 		}
5186 		if (tb[NL80211_TXRATE_HE] &&
5187 		    !he_set_mcs_mask(info, wdev, sband,
5188 				     nla_data(tb[NL80211_TXRATE_HE]),
5189 				     mask->control[band].he_mcs,
5190 				     link_id))
5191 			return -EINVAL;
5192 
5193 		if (tb[NL80211_TXRATE_HE_GI])
5194 			mask->control[band].he_gi =
5195 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5196 		if (tb[NL80211_TXRATE_HE_LTF])
5197 			mask->control[band].he_ltf =
5198 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5199 
5200 		if (mask->control[band].legacy == 0) {
5201 			/* don't allow empty legacy rates if HT, VHT or HE
5202 			 * are not even supported.
5203 			 */
5204 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5205 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5206 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5207 				return -EINVAL;
5208 
5209 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5210 				if (mask->control[band].ht_mcs[i])
5211 					goto out;
5212 
5213 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5214 				if (mask->control[band].vht_mcs[i])
5215 					goto out;
5216 
5217 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5218 				if (mask->control[band].he_mcs[i])
5219 					goto out;
5220 
5221 			/* legacy and mcs rates may not be both empty */
5222 			return -EINVAL;
5223 		}
5224 	}
5225 
5226 out:
5227 	return 0;
5228 }
5229 
5230 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5231 				   enum nl80211_band band,
5232 				   struct cfg80211_bitrate_mask *beacon_rate)
5233 {
5234 	u32 count_ht, count_vht, count_he, i;
5235 	u32 rate = beacon_rate->control[band].legacy;
5236 
5237 	/* Allow only one rate */
5238 	if (hweight32(rate) > 1)
5239 		return -EINVAL;
5240 
5241 	count_ht = 0;
5242 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5243 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5244 			return -EINVAL;
5245 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5246 			count_ht++;
5247 			if (count_ht > 1)
5248 				return -EINVAL;
5249 		}
5250 		if (count_ht && rate)
5251 			return -EINVAL;
5252 	}
5253 
5254 	count_vht = 0;
5255 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5256 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5257 			return -EINVAL;
5258 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5259 			count_vht++;
5260 			if (count_vht > 1)
5261 				return -EINVAL;
5262 		}
5263 		if (count_vht && rate)
5264 			return -EINVAL;
5265 	}
5266 
5267 	count_he = 0;
5268 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5269 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5270 			return -EINVAL;
5271 		} else if (beacon_rate->control[band].he_mcs[i]) {
5272 			count_he++;
5273 			if (count_he > 1)
5274 				return -EINVAL;
5275 		}
5276 		if (count_he && rate)
5277 			return -EINVAL;
5278 	}
5279 
5280 	if ((count_ht && count_vht && count_he) ||
5281 	    (!rate && !count_ht && !count_vht && !count_he))
5282 		return -EINVAL;
5283 
5284 	if (rate &&
5285 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5286 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5287 		return -EINVAL;
5288 	if (count_ht &&
5289 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5290 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5291 		return -EINVAL;
5292 	if (count_vht &&
5293 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5294 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5295 		return -EINVAL;
5296 	if (count_he &&
5297 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5298 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5299 		return -EINVAL;
5300 
5301 	return 0;
5302 }
5303 
5304 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5305 				       struct net_device *dev,
5306 				       struct nlattr *attrs,
5307 				       struct cfg80211_mbssid_config *config,
5308 				       u8 num_elems)
5309 {
5310 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5311 
5312 	if (!wiphy->mbssid_max_interfaces)
5313 		return -EOPNOTSUPP;
5314 
5315 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5316 			     NULL) ||
5317 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5318 		return -EINVAL;
5319 
5320 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5321 	if (config->ema) {
5322 		if (!wiphy->ema_max_profile_periodicity)
5323 			return -EOPNOTSUPP;
5324 
5325 		if (num_elems > wiphy->ema_max_profile_periodicity)
5326 			return -EINVAL;
5327 	}
5328 
5329 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5330 	if (config->index >= wiphy->mbssid_max_interfaces ||
5331 	    (!config->index && !num_elems))
5332 		return -EINVAL;
5333 
5334 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5335 		u32 tx_ifindex =
5336 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5337 
5338 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5339 		    (config->index && tx_ifindex == dev->ifindex))
5340 			return -EINVAL;
5341 
5342 		if (tx_ifindex != dev->ifindex) {
5343 			struct net_device *tx_netdev =
5344 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5345 
5346 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5347 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5348 			    tx_netdev->ieee80211_ptr->iftype !=
5349 							NL80211_IFTYPE_AP) {
5350 				dev_put(tx_netdev);
5351 				return -EINVAL;
5352 			}
5353 
5354 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5355 		} else {
5356 			config->tx_wdev = dev->ieee80211_ptr;
5357 		}
5358 	} else if (!config->index) {
5359 		config->tx_wdev = dev->ieee80211_ptr;
5360 	} else {
5361 		return -EINVAL;
5362 	}
5363 
5364 	return 0;
5365 }
5366 
5367 static struct cfg80211_mbssid_elems *
5368 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5369 {
5370 	struct nlattr *nl_elems;
5371 	struct cfg80211_mbssid_elems *elems;
5372 	int rem_elems;
5373 	u8 i = 0, num_elems = 0;
5374 
5375 	if (!wiphy->mbssid_max_interfaces)
5376 		return ERR_PTR(-EINVAL);
5377 
5378 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5379 		num_elems++;
5380 
5381 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5382 	if (!elems)
5383 		return ERR_PTR(-ENOMEM);
5384 
5385 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5386 		elems->elem[i].data = nla_data(nl_elems);
5387 		elems->elem[i].len = nla_len(nl_elems);
5388 		i++;
5389 	}
5390 	elems->cnt = num_elems;
5391 	return elems;
5392 }
5393 
5394 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5395 				      struct cfg80211_he_bss_color *he_bss_color)
5396 {
5397 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5398 	int err;
5399 
5400 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5401 			       he_bss_color_policy, NULL);
5402 	if (err)
5403 		return err;
5404 
5405 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5406 		return -EINVAL;
5407 
5408 	he_bss_color->color =
5409 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5410 	he_bss_color->enabled =
5411 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5412 	he_bss_color->partial =
5413 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5414 
5415 	return 0;
5416 }
5417 
5418 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5419 				struct nlattr *attrs[],
5420 				struct cfg80211_beacon_data *bcn)
5421 {
5422 	bool haveinfo = false;
5423 	int err;
5424 
5425 	memset(bcn, 0, sizeof(*bcn));
5426 
5427 	bcn->link_id = nl80211_link_id(attrs);
5428 
5429 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5430 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5431 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5432 		if (!bcn->head_len)
5433 			return -EINVAL;
5434 		haveinfo = true;
5435 	}
5436 
5437 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5438 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5439 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5440 		haveinfo = true;
5441 	}
5442 
5443 	if (!haveinfo)
5444 		return -EINVAL;
5445 
5446 	if (attrs[NL80211_ATTR_IE]) {
5447 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5448 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5449 	}
5450 
5451 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5452 		bcn->proberesp_ies =
5453 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5454 		bcn->proberesp_ies_len =
5455 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5456 	}
5457 
5458 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5459 		bcn->assocresp_ies =
5460 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5461 		bcn->assocresp_ies_len =
5462 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5463 	}
5464 
5465 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5466 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5467 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5468 	}
5469 
5470 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5471 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5472 
5473 		err = nla_parse_nested_deprecated(tb,
5474 						  NL80211_FTM_RESP_ATTR_MAX,
5475 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5476 						  NULL, NULL);
5477 		if (err)
5478 			return err;
5479 
5480 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5481 		    wiphy_ext_feature_isset(&rdev->wiphy,
5482 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5483 			bcn->ftm_responder = 1;
5484 		else
5485 			return -EOPNOTSUPP;
5486 
5487 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5488 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5489 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5490 		}
5491 
5492 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5493 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5494 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5495 		}
5496 	} else {
5497 		bcn->ftm_responder = -1;
5498 	}
5499 
5500 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5501 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5502 						 &bcn->he_bss_color);
5503 		if (err)
5504 			return err;
5505 		bcn->he_bss_color_valid = true;
5506 	}
5507 
5508 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5509 		struct cfg80211_mbssid_elems *mbssid =
5510 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5511 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5512 
5513 		if (IS_ERR(mbssid))
5514 			return PTR_ERR(mbssid);
5515 
5516 		bcn->mbssid_ies = mbssid;
5517 	}
5518 
5519 	return 0;
5520 }
5521 
5522 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5523 				    struct ieee80211_he_obss_pd *he_obss_pd)
5524 {
5525 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5526 	int err;
5527 
5528 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5529 			       he_obss_pd_policy, NULL);
5530 	if (err)
5531 		return err;
5532 
5533 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5534 		return -EINVAL;
5535 
5536 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5537 
5538 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5539 		he_obss_pd->min_offset =
5540 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5541 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5542 		he_obss_pd->max_offset =
5543 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5544 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5545 		he_obss_pd->non_srg_max_offset =
5546 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5547 
5548 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5549 		return -EINVAL;
5550 
5551 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5552 		memcpy(he_obss_pd->bss_color_bitmap,
5553 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5554 		       sizeof(he_obss_pd->bss_color_bitmap));
5555 
5556 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5557 		memcpy(he_obss_pd->partial_bssid_bitmap,
5558 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5559 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5560 
5561 	he_obss_pd->enable = true;
5562 
5563 	return 0;
5564 }
5565 
5566 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5567 					struct nlattr *attrs,
5568 					struct cfg80211_ap_settings *params)
5569 {
5570 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5571 	int ret;
5572 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5573 
5574 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5575 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5576 		return -EINVAL;
5577 
5578 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5579 			       NULL, NULL);
5580 	if (ret)
5581 		return ret;
5582 
5583 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5584 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5585 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5586 		return -EINVAL;
5587 
5588 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5589 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5590 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5591 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5592 
5593 	return 0;
5594 }
5595 
5596 static int
5597 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5598 				     struct nlattr *attrs,
5599 				     struct cfg80211_ap_settings *params)
5600 {
5601 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5602 	int ret;
5603 	struct cfg80211_unsol_bcast_probe_resp *presp =
5604 					&params->unsol_bcast_probe_resp;
5605 
5606 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5607 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5608 		return -EINVAL;
5609 
5610 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5611 			       attrs, NULL, NULL);
5612 	if (ret)
5613 		return ret;
5614 
5615 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5616 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5617 		return -EINVAL;
5618 
5619 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5620 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5621 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5622 	return 0;
5623 }
5624 
5625 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5626 					    const struct element *rates)
5627 {
5628 	int i;
5629 
5630 	if (!rates)
5631 		return;
5632 
5633 	for (i = 0; i < rates->datalen; i++) {
5634 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5635 			params->ht_required = true;
5636 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5637 			params->vht_required = true;
5638 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5639 			params->he_required = true;
5640 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5641 			params->sae_h2e_required = true;
5642 	}
5643 }
5644 
5645 /*
5646  * Since the nl80211 API didn't include, from the beginning, attributes about
5647  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5648  * benefit of drivers that rebuild IEs in the firmware.
5649  */
5650 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5651 {
5652 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5653 	size_t ies_len = bcn->tail_len;
5654 	const u8 *ies = bcn->tail;
5655 	const struct element *rates;
5656 	const struct element *cap;
5657 
5658 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5659 	nl80211_check_ap_rate_selectors(params, rates);
5660 
5661 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5662 	nl80211_check_ap_rate_selectors(params, rates);
5663 
5664 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5665 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5666 		params->ht_cap = (void *)cap->data;
5667 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5668 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5669 		params->vht_cap = (void *)cap->data;
5670 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5671 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5672 		params->he_cap = (void *)(cap->data + 1);
5673 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5674 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5675 		params->he_oper = (void *)(cap->data + 1);
5676 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5677 	if (cap) {
5678 		if (!cap->datalen)
5679 			return -EINVAL;
5680 		params->eht_cap = (void *)(cap->data + 1);
5681 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5682 						(const u8 *)params->eht_cap,
5683 						cap->datalen - 1, true))
5684 			return -EINVAL;
5685 	}
5686 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5687 	if (cap) {
5688 		if (!cap->datalen)
5689 			return -EINVAL;
5690 		params->eht_oper = (void *)(cap->data + 1);
5691 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5692 						cap->datalen - 1))
5693 			return -EINVAL;
5694 	}
5695 	return 0;
5696 }
5697 
5698 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5699 				   struct cfg80211_ap_settings *params)
5700 {
5701 	struct wireless_dev *wdev;
5702 
5703 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5704 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5705 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5706 			continue;
5707 
5708 		if (!wdev->u.ap.preset_chandef.chan)
5709 			continue;
5710 
5711 		params->chandef = wdev->u.ap.preset_chandef;
5712 		return true;
5713 	}
5714 
5715 	return false;
5716 }
5717 
5718 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5719 				    enum nl80211_auth_type auth_type,
5720 				    enum nl80211_commands cmd)
5721 {
5722 	if (auth_type > NL80211_AUTHTYPE_MAX)
5723 		return false;
5724 
5725 	switch (cmd) {
5726 	case NL80211_CMD_AUTHENTICATE:
5727 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5728 		    auth_type == NL80211_AUTHTYPE_SAE)
5729 			return false;
5730 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5731 					     NL80211_EXT_FEATURE_FILS_STA) &&
5732 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5733 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5734 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5735 			return false;
5736 		return true;
5737 	case NL80211_CMD_CONNECT:
5738 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5739 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5740 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5741 		    auth_type == NL80211_AUTHTYPE_SAE)
5742 			return false;
5743 
5744 		/* FILS with SK PFS or PK not supported yet */
5745 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5746 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5747 			return false;
5748 		if (!wiphy_ext_feature_isset(
5749 			    &rdev->wiphy,
5750 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5751 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5752 			return false;
5753 		return true;
5754 	case NL80211_CMD_START_AP:
5755 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5756 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5757 		    auth_type == NL80211_AUTHTYPE_SAE)
5758 			return false;
5759 		/* FILS not supported yet */
5760 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5761 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5762 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5763 			return false;
5764 		return true;
5765 	default:
5766 		return false;
5767 	}
5768 }
5769 
5770 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5771 {
5772 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5773 	unsigned int link_id = nl80211_link_id(info->attrs);
5774 	struct net_device *dev = info->user_ptr[1];
5775 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5776 	struct cfg80211_ap_settings *params;
5777 	int err;
5778 
5779 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5780 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5781 		return -EOPNOTSUPP;
5782 
5783 	if (!rdev->ops->start_ap)
5784 		return -EOPNOTSUPP;
5785 
5786 	if (wdev->links[link_id].ap.beacon_interval)
5787 		return -EALREADY;
5788 
5789 	/* these are required for START_AP */
5790 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5791 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5792 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5793 		return -EINVAL;
5794 
5795 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5796 	if (!params)
5797 		return -ENOMEM;
5798 
5799 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5800 	if (err)
5801 		goto out;
5802 
5803 	params->beacon_interval =
5804 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5805 	params->dtim_period =
5806 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5807 
5808 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5809 					   params->beacon_interval);
5810 	if (err)
5811 		goto out;
5812 
5813 	/*
5814 	 * In theory, some of these attributes should be required here
5815 	 * but since they were not used when the command was originally
5816 	 * added, keep them optional for old user space programs to let
5817 	 * them continue to work with drivers that do not need the
5818 	 * additional information -- drivers must check!
5819 	 */
5820 	if (info->attrs[NL80211_ATTR_SSID]) {
5821 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5822 		params->ssid_len =
5823 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5824 		if (params->ssid_len == 0) {
5825 			err = -EINVAL;
5826 			goto out;
5827 		}
5828 
5829 		if (wdev->u.ap.ssid_len &&
5830 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5831 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5832 			/* require identical SSID for MLO */
5833 			err = -EINVAL;
5834 			goto out;
5835 		}
5836 	} else if (wdev->valid_links) {
5837 		/* require SSID for MLO */
5838 		err = -EINVAL;
5839 		goto out;
5840 	}
5841 
5842 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5843 		params->hidden_ssid = nla_get_u32(
5844 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5845 
5846 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5847 
5848 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5849 		params->auth_type = nla_get_u32(
5850 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5851 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5852 					     NL80211_CMD_START_AP)) {
5853 			err = -EINVAL;
5854 			goto out;
5855 		}
5856 	} else
5857 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5858 
5859 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5860 				      NL80211_MAX_NR_CIPHER_SUITES);
5861 	if (err)
5862 		goto out;
5863 
5864 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5865 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5866 			err = -EOPNOTSUPP;
5867 			goto out;
5868 		}
5869 		params->inactivity_timeout = nla_get_u16(
5870 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5871 	}
5872 
5873 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5874 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5875 			err = -EINVAL;
5876 			goto out;
5877 		}
5878 		params->p2p_ctwindow =
5879 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5880 		if (params->p2p_ctwindow != 0 &&
5881 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5882 			err = -EINVAL;
5883 			goto out;
5884 		}
5885 	}
5886 
5887 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5888 		u8 tmp;
5889 
5890 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5891 			err = -EINVAL;
5892 			goto out;
5893 		}
5894 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5895 		params->p2p_opp_ps = tmp;
5896 		if (params->p2p_opp_ps != 0 &&
5897 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5898 			err = -EINVAL;
5899 			goto out;
5900 		}
5901 	}
5902 
5903 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5904 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5905 		if (err)
5906 			goto out;
5907 	} else if (wdev->valid_links) {
5908 		/* with MLD need to specify the channel configuration */
5909 		err = -EINVAL;
5910 		goto out;
5911 	} else if (wdev->u.ap.preset_chandef.chan) {
5912 		params->chandef = wdev->u.ap.preset_chandef;
5913 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5914 		err = -EINVAL;
5915 		goto out;
5916 	}
5917 
5918 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5919 					   wdev->iftype)) {
5920 		err = -EINVAL;
5921 		goto out;
5922 	}
5923 
5924 	wdev_lock(wdev);
5925 
5926 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5927 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5928 						    NL80211_ATTR_TX_RATES,
5929 						    &params->beacon_rate,
5930 						    dev, false, link_id);
5931 		if (err)
5932 			goto out_unlock;
5933 
5934 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5935 					      &params->beacon_rate);
5936 		if (err)
5937 			goto out_unlock;
5938 	}
5939 
5940 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5941 		params->smps_mode =
5942 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5943 		switch (params->smps_mode) {
5944 		case NL80211_SMPS_OFF:
5945 			break;
5946 		case NL80211_SMPS_STATIC:
5947 			if (!(rdev->wiphy.features &
5948 			      NL80211_FEATURE_STATIC_SMPS)) {
5949 				err = -EINVAL;
5950 				goto out_unlock;
5951 			}
5952 			break;
5953 		case NL80211_SMPS_DYNAMIC:
5954 			if (!(rdev->wiphy.features &
5955 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5956 				err = -EINVAL;
5957 				goto out_unlock;
5958 			}
5959 			break;
5960 		default:
5961 			err = -EINVAL;
5962 			goto out_unlock;
5963 		}
5964 	} else {
5965 		params->smps_mode = NL80211_SMPS_OFF;
5966 	}
5967 
5968 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5969 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5970 		err = -EOPNOTSUPP;
5971 		goto out_unlock;
5972 	}
5973 
5974 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5975 		params->acl = parse_acl_data(&rdev->wiphy, info);
5976 		if (IS_ERR(params->acl)) {
5977 			err = PTR_ERR(params->acl);
5978 			params->acl = NULL;
5979 			goto out_unlock;
5980 		}
5981 	}
5982 
5983 	params->twt_responder =
5984 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5985 
5986 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5987 		err = nl80211_parse_he_obss_pd(
5988 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5989 					&params->he_obss_pd);
5990 		if (err)
5991 			goto out_unlock;
5992 	}
5993 
5994 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5995 		err = nl80211_parse_fils_discovery(rdev,
5996 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5997 						   params);
5998 		if (err)
5999 			goto out_unlock;
6000 	}
6001 
6002 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6003 		err = nl80211_parse_unsol_bcast_probe_resp(
6004 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6005 			params);
6006 		if (err)
6007 			goto out_unlock;
6008 	}
6009 
6010 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6011 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6012 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6013 						  &params->mbssid_config,
6014 						  params->beacon.mbssid_ies ?
6015 							params->beacon.mbssid_ies->cnt :
6016 							0);
6017 		if (err)
6018 			goto out_unlock;
6019 	}
6020 
6021 	err = nl80211_calculate_ap_params(params);
6022 	if (err)
6023 		goto out_unlock;
6024 
6025 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6026 		params->flags = nla_get_u32(
6027 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6028 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6029 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6030 
6031 	if (wdev->conn_owner_nlportid &&
6032 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6033 	    wdev->conn_owner_nlportid != info->snd_portid) {
6034 		err = -EINVAL;
6035 		goto out_unlock;
6036 	}
6037 
6038 	/* FIXME: validate MLO/link-id against driver capabilities */
6039 
6040 	err = rdev_start_ap(rdev, dev, params);
6041 	if (!err) {
6042 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6043 		wdev->links[link_id].ap.chandef = params->chandef;
6044 		wdev->u.ap.ssid_len = params->ssid_len;
6045 		memcpy(wdev->u.ap.ssid, params->ssid,
6046 		       params->ssid_len);
6047 
6048 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6049 			wdev->conn_owner_nlportid = info->snd_portid;
6050 	}
6051 out_unlock:
6052 	wdev_unlock(wdev);
6053 out:
6054 	kfree(params->acl);
6055 	kfree(params->beacon.mbssid_ies);
6056 	if (params->mbssid_config.tx_wdev &&
6057 	    params->mbssid_config.tx_wdev->netdev &&
6058 	    params->mbssid_config.tx_wdev->netdev != dev)
6059 		dev_put(params->mbssid_config.tx_wdev->netdev);
6060 	kfree(params);
6061 
6062 	return err;
6063 }
6064 
6065 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6066 {
6067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6068 	unsigned int link_id = nl80211_link_id(info->attrs);
6069 	struct net_device *dev = info->user_ptr[1];
6070 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6071 	struct cfg80211_beacon_data params;
6072 	int err;
6073 
6074 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6075 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6076 		return -EOPNOTSUPP;
6077 
6078 	if (!rdev->ops->change_beacon)
6079 		return -EOPNOTSUPP;
6080 
6081 	if (!wdev->links[link_id].ap.beacon_interval)
6082 		return -EINVAL;
6083 
6084 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
6085 	if (err)
6086 		goto out;
6087 
6088 	wdev_lock(wdev);
6089 	err = rdev_change_beacon(rdev, dev, &params);
6090 	wdev_unlock(wdev);
6091 
6092 out:
6093 	kfree(params.mbssid_ies);
6094 	return err;
6095 }
6096 
6097 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6098 {
6099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6100 	unsigned int link_id = nl80211_link_id(info->attrs);
6101 	struct net_device *dev = info->user_ptr[1];
6102 
6103 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6104 }
6105 
6106 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6107 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6108 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6109 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6110 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6111 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6112 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6113 };
6114 
6115 static int parse_station_flags(struct genl_info *info,
6116 			       enum nl80211_iftype iftype,
6117 			       struct station_parameters *params)
6118 {
6119 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6120 	struct nlattr *nla;
6121 	int flag;
6122 
6123 	/*
6124 	 * Try parsing the new attribute first so userspace
6125 	 * can specify both for older kernels.
6126 	 */
6127 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6128 	if (nla) {
6129 		struct nl80211_sta_flag_update *sta_flags;
6130 
6131 		sta_flags = nla_data(nla);
6132 		params->sta_flags_mask = sta_flags->mask;
6133 		params->sta_flags_set = sta_flags->set;
6134 		params->sta_flags_set &= params->sta_flags_mask;
6135 		if ((params->sta_flags_mask |
6136 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6137 			return -EINVAL;
6138 		return 0;
6139 	}
6140 
6141 	/* if present, parse the old attribute */
6142 
6143 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6144 	if (!nla)
6145 		return 0;
6146 
6147 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6148 		return -EINVAL;
6149 
6150 	/*
6151 	 * Only allow certain flags for interface types so that
6152 	 * other attributes are silently ignored. Remember that
6153 	 * this is backward compatibility code with old userspace
6154 	 * and shouldn't be hit in other cases anyway.
6155 	 */
6156 	switch (iftype) {
6157 	case NL80211_IFTYPE_AP:
6158 	case NL80211_IFTYPE_AP_VLAN:
6159 	case NL80211_IFTYPE_P2P_GO:
6160 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6161 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6162 					 BIT(NL80211_STA_FLAG_WME) |
6163 					 BIT(NL80211_STA_FLAG_MFP);
6164 		break;
6165 	case NL80211_IFTYPE_P2P_CLIENT:
6166 	case NL80211_IFTYPE_STATION:
6167 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6168 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6169 		break;
6170 	case NL80211_IFTYPE_MESH_POINT:
6171 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6172 					 BIT(NL80211_STA_FLAG_MFP) |
6173 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6174 		break;
6175 	default:
6176 		return -EINVAL;
6177 	}
6178 
6179 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6180 		if (flags[flag]) {
6181 			params->sta_flags_set |= (1<<flag);
6182 
6183 			/* no longer support new API additions in old API */
6184 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6185 				return -EINVAL;
6186 		}
6187 	}
6188 
6189 	return 0;
6190 }
6191 
6192 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6193 {
6194 	struct nlattr *rate;
6195 	u32 bitrate;
6196 	u16 bitrate_compat;
6197 	enum nl80211_rate_info rate_flg;
6198 
6199 	rate = nla_nest_start_noflag(msg, attr);
6200 	if (!rate)
6201 		return false;
6202 
6203 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6204 	bitrate = cfg80211_calculate_bitrate(info);
6205 	/* report 16-bit bitrate only if we can */
6206 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6207 	if (bitrate > 0 &&
6208 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6209 		return false;
6210 	if (bitrate_compat > 0 &&
6211 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6212 		return false;
6213 
6214 	switch (info->bw) {
6215 	case RATE_INFO_BW_5:
6216 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6217 		break;
6218 	case RATE_INFO_BW_10:
6219 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6220 		break;
6221 	default:
6222 		WARN_ON(1);
6223 		fallthrough;
6224 	case RATE_INFO_BW_20:
6225 		rate_flg = 0;
6226 		break;
6227 	case RATE_INFO_BW_40:
6228 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6229 		break;
6230 	case RATE_INFO_BW_80:
6231 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6232 		break;
6233 	case RATE_INFO_BW_160:
6234 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6235 		break;
6236 	case RATE_INFO_BW_HE_RU:
6237 		rate_flg = 0;
6238 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6239 		break;
6240 	case RATE_INFO_BW_320:
6241 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6242 		break;
6243 	case RATE_INFO_BW_EHT_RU:
6244 		rate_flg = 0;
6245 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6246 		break;
6247 	}
6248 
6249 	if (rate_flg && nla_put_flag(msg, rate_flg))
6250 		return false;
6251 
6252 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6253 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6254 			return false;
6255 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6256 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6257 			return false;
6258 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6259 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6260 			return false;
6261 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6262 			return false;
6263 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6264 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6265 			return false;
6266 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6267 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6268 			return false;
6269 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6270 			return false;
6271 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6272 			return false;
6273 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6274 			return false;
6275 		if (info->bw == RATE_INFO_BW_HE_RU &&
6276 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6277 			       info->he_ru_alloc))
6278 			return false;
6279 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6280 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6281 			return false;
6282 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6283 			return false;
6284 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6285 			return false;
6286 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6287 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6288 			       info->eht_ru_alloc))
6289 			return false;
6290 	}
6291 
6292 	nla_nest_end(msg, rate);
6293 	return true;
6294 }
6295 
6296 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6297 			       int id)
6298 {
6299 	void *attr;
6300 	int i = 0;
6301 
6302 	if (!mask)
6303 		return true;
6304 
6305 	attr = nla_nest_start_noflag(msg, id);
6306 	if (!attr)
6307 		return false;
6308 
6309 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6310 		if (!(mask & BIT(i)))
6311 			continue;
6312 
6313 		if (nla_put_u8(msg, i, signal[i]))
6314 			return false;
6315 	}
6316 
6317 	nla_nest_end(msg, attr);
6318 
6319 	return true;
6320 }
6321 
6322 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6323 				u32 seq, int flags,
6324 				struct cfg80211_registered_device *rdev,
6325 				struct net_device *dev,
6326 				const u8 *mac_addr, struct station_info *sinfo)
6327 {
6328 	void *hdr;
6329 	struct nlattr *sinfoattr, *bss_param;
6330 
6331 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6332 	if (!hdr) {
6333 		cfg80211_sinfo_release_content(sinfo);
6334 		return -1;
6335 	}
6336 
6337 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6338 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6339 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6340 		goto nla_put_failure;
6341 
6342 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6343 	if (!sinfoattr)
6344 		goto nla_put_failure;
6345 
6346 #define PUT_SINFO(attr, memb, type) do {				\
6347 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6348 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6349 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6350 			     sinfo->memb))				\
6351 		goto nla_put_failure;					\
6352 	} while (0)
6353 #define PUT_SINFO_U64(attr, memb) do {					\
6354 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6355 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6356 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6357 		goto nla_put_failure;					\
6358 	} while (0)
6359 
6360 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6361 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6362 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6363 
6364 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6365 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6366 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6367 			(u32)sinfo->rx_bytes))
6368 		goto nla_put_failure;
6369 
6370 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6371 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6372 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6373 			(u32)sinfo->tx_bytes))
6374 		goto nla_put_failure;
6375 
6376 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6377 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6378 	PUT_SINFO(LLID, llid, u16);
6379 	PUT_SINFO(PLID, plid, u16);
6380 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6381 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6382 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6383 
6384 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6385 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6386 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6387 
6388 	switch (rdev->wiphy.signal_type) {
6389 	case CFG80211_SIGNAL_TYPE_MBM:
6390 		PUT_SINFO(SIGNAL, signal, u8);
6391 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6392 		break;
6393 	default:
6394 		break;
6395 	}
6396 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6397 		if (!nl80211_put_signal(msg, sinfo->chains,
6398 					sinfo->chain_signal,
6399 					NL80211_STA_INFO_CHAIN_SIGNAL))
6400 			goto nla_put_failure;
6401 	}
6402 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6403 		if (!nl80211_put_signal(msg, sinfo->chains,
6404 					sinfo->chain_signal_avg,
6405 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6406 			goto nla_put_failure;
6407 	}
6408 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6409 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6410 					  NL80211_STA_INFO_TX_BITRATE))
6411 			goto nla_put_failure;
6412 	}
6413 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6414 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6415 					  NL80211_STA_INFO_RX_BITRATE))
6416 			goto nla_put_failure;
6417 	}
6418 
6419 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6420 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6421 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6422 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6423 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6424 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6425 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6426 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6427 	PUT_SINFO(PEER_PM, peer_pm, u32);
6428 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6429 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6430 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6431 
6432 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6433 		bss_param = nla_nest_start_noflag(msg,
6434 						  NL80211_STA_INFO_BSS_PARAM);
6435 		if (!bss_param)
6436 			goto nla_put_failure;
6437 
6438 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6439 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6440 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6441 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6442 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6443 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6444 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6445 			       sinfo->bss_param.dtim_period) ||
6446 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6447 				sinfo->bss_param.beacon_interval))
6448 			goto nla_put_failure;
6449 
6450 		nla_nest_end(msg, bss_param);
6451 	}
6452 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6453 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6454 		    sizeof(struct nl80211_sta_flag_update),
6455 		    &sinfo->sta_flags))
6456 		goto nla_put_failure;
6457 
6458 	PUT_SINFO_U64(T_OFFSET, t_offset);
6459 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6460 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6461 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6462 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6463 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6464 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6465 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6466 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6467 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6468 	}
6469 
6470 #undef PUT_SINFO
6471 #undef PUT_SINFO_U64
6472 
6473 	if (sinfo->pertid) {
6474 		struct nlattr *tidsattr;
6475 		int tid;
6476 
6477 		tidsattr = nla_nest_start_noflag(msg,
6478 						 NL80211_STA_INFO_TID_STATS);
6479 		if (!tidsattr)
6480 			goto nla_put_failure;
6481 
6482 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6483 			struct cfg80211_tid_stats *tidstats;
6484 			struct nlattr *tidattr;
6485 
6486 			tidstats = &sinfo->pertid[tid];
6487 
6488 			if (!tidstats->filled)
6489 				continue;
6490 
6491 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6492 			if (!tidattr)
6493 				goto nla_put_failure;
6494 
6495 #define PUT_TIDVAL_U64(attr, memb) do {					\
6496 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6497 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6498 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6499 		goto nla_put_failure;					\
6500 	} while (0)
6501 
6502 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6503 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6504 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6505 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6506 
6507 #undef PUT_TIDVAL_U64
6508 			if ((tidstats->filled &
6509 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6510 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6511 						   NL80211_TID_STATS_TXQ_STATS))
6512 				goto nla_put_failure;
6513 
6514 			nla_nest_end(msg, tidattr);
6515 		}
6516 
6517 		nla_nest_end(msg, tidsattr);
6518 	}
6519 
6520 	nla_nest_end(msg, sinfoattr);
6521 
6522 	if (sinfo->assoc_req_ies_len &&
6523 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6524 		    sinfo->assoc_req_ies))
6525 		goto nla_put_failure;
6526 
6527 	cfg80211_sinfo_release_content(sinfo);
6528 	genlmsg_end(msg, hdr);
6529 	return 0;
6530 
6531  nla_put_failure:
6532 	cfg80211_sinfo_release_content(sinfo);
6533 	genlmsg_cancel(msg, hdr);
6534 	return -EMSGSIZE;
6535 }
6536 
6537 static int nl80211_dump_station(struct sk_buff *skb,
6538 				struct netlink_callback *cb)
6539 {
6540 	struct station_info sinfo;
6541 	struct cfg80211_registered_device *rdev;
6542 	struct wireless_dev *wdev;
6543 	u8 mac_addr[ETH_ALEN];
6544 	int sta_idx = cb->args[2];
6545 	int err;
6546 
6547 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6548 	if (err)
6549 		return err;
6550 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6551 	__acquire(&rdev->wiphy.mtx);
6552 
6553 	if (!wdev->netdev) {
6554 		err = -EINVAL;
6555 		goto out_err;
6556 	}
6557 
6558 	if (!rdev->ops->dump_station) {
6559 		err = -EOPNOTSUPP;
6560 		goto out_err;
6561 	}
6562 
6563 	while (1) {
6564 		memset(&sinfo, 0, sizeof(sinfo));
6565 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6566 					mac_addr, &sinfo);
6567 		if (err == -ENOENT)
6568 			break;
6569 		if (err)
6570 			goto out_err;
6571 
6572 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6573 				NETLINK_CB(cb->skb).portid,
6574 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6575 				rdev, wdev->netdev, mac_addr,
6576 				&sinfo) < 0)
6577 			goto out;
6578 
6579 		sta_idx++;
6580 	}
6581 
6582  out:
6583 	cb->args[2] = sta_idx;
6584 	err = skb->len;
6585  out_err:
6586 	wiphy_unlock(&rdev->wiphy);
6587 
6588 	return err;
6589 }
6590 
6591 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6592 {
6593 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6594 	struct net_device *dev = info->user_ptr[1];
6595 	struct station_info sinfo;
6596 	struct sk_buff *msg;
6597 	u8 *mac_addr = NULL;
6598 	int err;
6599 
6600 	memset(&sinfo, 0, sizeof(sinfo));
6601 
6602 	if (!info->attrs[NL80211_ATTR_MAC])
6603 		return -EINVAL;
6604 
6605 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6606 
6607 	if (!rdev->ops->get_station)
6608 		return -EOPNOTSUPP;
6609 
6610 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6611 	if (err)
6612 		return err;
6613 
6614 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6615 	if (!msg) {
6616 		cfg80211_sinfo_release_content(&sinfo);
6617 		return -ENOMEM;
6618 	}
6619 
6620 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6621 				 info->snd_portid, info->snd_seq, 0,
6622 				 rdev, dev, mac_addr, &sinfo) < 0) {
6623 		nlmsg_free(msg);
6624 		return -ENOBUFS;
6625 	}
6626 
6627 	return genlmsg_reply(msg, info);
6628 }
6629 
6630 int cfg80211_check_station_change(struct wiphy *wiphy,
6631 				  struct station_parameters *params,
6632 				  enum cfg80211_station_type statype)
6633 {
6634 	if (params->listen_interval != -1 &&
6635 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6636 		return -EINVAL;
6637 
6638 	if (params->support_p2p_ps != -1 &&
6639 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6640 		return -EINVAL;
6641 
6642 	if (params->aid &&
6643 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6644 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6645 		return -EINVAL;
6646 
6647 	/* When you run into this, adjust the code below for the new flag */
6648 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6649 
6650 	switch (statype) {
6651 	case CFG80211_STA_MESH_PEER_KERNEL:
6652 	case CFG80211_STA_MESH_PEER_USER:
6653 		/*
6654 		 * No ignoring the TDLS flag here -- the userspace mesh
6655 		 * code doesn't have the bug of including TDLS in the
6656 		 * mask everywhere.
6657 		 */
6658 		if (params->sta_flags_mask &
6659 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6660 				  BIT(NL80211_STA_FLAG_MFP) |
6661 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6662 			return -EINVAL;
6663 		break;
6664 	case CFG80211_STA_TDLS_PEER_SETUP:
6665 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6666 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6667 			return -EINVAL;
6668 		/* ignore since it can't change */
6669 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6670 		break;
6671 	default:
6672 		/* disallow mesh-specific things */
6673 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6674 			return -EINVAL;
6675 		if (params->local_pm)
6676 			return -EINVAL;
6677 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6678 			return -EINVAL;
6679 	}
6680 
6681 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6682 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6683 		/* TDLS can't be set, ... */
6684 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6685 			return -EINVAL;
6686 		/*
6687 		 * ... but don't bother the driver with it. This works around
6688 		 * a hostapd/wpa_supplicant issue -- it always includes the
6689 		 * TLDS_PEER flag in the mask even for AP mode.
6690 		 */
6691 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6692 	}
6693 
6694 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6695 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6696 		/* reject other things that can't change */
6697 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6698 			return -EINVAL;
6699 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6700 			return -EINVAL;
6701 		if (params->link_sta_params.supported_rates)
6702 			return -EINVAL;
6703 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6704 		    params->link_sta_params.vht_capa ||
6705 		    params->link_sta_params.he_capa ||
6706 		    params->link_sta_params.eht_capa)
6707 			return -EINVAL;
6708 	}
6709 
6710 	if (statype != CFG80211_STA_AP_CLIENT &&
6711 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6712 		if (params->vlan)
6713 			return -EINVAL;
6714 	}
6715 
6716 	switch (statype) {
6717 	case CFG80211_STA_AP_MLME_CLIENT:
6718 		/* Use this only for authorizing/unauthorizing a station */
6719 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6720 			return -EOPNOTSUPP;
6721 		break;
6722 	case CFG80211_STA_AP_CLIENT:
6723 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6724 		/* accept only the listed bits */
6725 		if (params->sta_flags_mask &
6726 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6727 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6728 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6729 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6730 				  BIT(NL80211_STA_FLAG_WME) |
6731 				  BIT(NL80211_STA_FLAG_MFP)))
6732 			return -EINVAL;
6733 
6734 		/* but authenticated/associated only if driver handles it */
6735 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6736 		    params->sta_flags_mask &
6737 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6738 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6739 			return -EINVAL;
6740 		break;
6741 	case CFG80211_STA_IBSS:
6742 	case CFG80211_STA_AP_STA:
6743 		/* reject any changes other than AUTHORIZED */
6744 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6745 			return -EINVAL;
6746 		break;
6747 	case CFG80211_STA_TDLS_PEER_SETUP:
6748 		/* reject any changes other than AUTHORIZED or WME */
6749 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6750 					       BIT(NL80211_STA_FLAG_WME)))
6751 			return -EINVAL;
6752 		/* force (at least) rates when authorizing */
6753 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6754 		    !params->link_sta_params.supported_rates)
6755 			return -EINVAL;
6756 		break;
6757 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6758 		/* reject any changes */
6759 		return -EINVAL;
6760 	case CFG80211_STA_MESH_PEER_KERNEL:
6761 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6762 			return -EINVAL;
6763 		break;
6764 	case CFG80211_STA_MESH_PEER_USER:
6765 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6766 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6767 			return -EINVAL;
6768 		break;
6769 	}
6770 
6771 	/*
6772 	 * Older kernel versions ignored this attribute entirely, so don't
6773 	 * reject attempts to update it but mark it as unused instead so the
6774 	 * driver won't look at the data.
6775 	 */
6776 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6777 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6778 		params->link_sta_params.opmode_notif_used = false;
6779 
6780 	return 0;
6781 }
6782 EXPORT_SYMBOL(cfg80211_check_station_change);
6783 
6784 /*
6785  * Get vlan interface making sure it is running and on the right wiphy.
6786  */
6787 static struct net_device *get_vlan(struct genl_info *info,
6788 				   struct cfg80211_registered_device *rdev)
6789 {
6790 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6791 	struct net_device *v;
6792 	int ret;
6793 
6794 	if (!vlanattr)
6795 		return NULL;
6796 
6797 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6798 	if (!v)
6799 		return ERR_PTR(-ENODEV);
6800 
6801 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6802 		ret = -EINVAL;
6803 		goto error;
6804 	}
6805 
6806 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6807 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6808 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6809 		ret = -EINVAL;
6810 		goto error;
6811 	}
6812 
6813 	if (!netif_running(v)) {
6814 		ret = -ENETDOWN;
6815 		goto error;
6816 	}
6817 
6818 	return v;
6819  error:
6820 	dev_put(v);
6821 	return ERR_PTR(ret);
6822 }
6823 
6824 static int nl80211_parse_sta_wme(struct genl_info *info,
6825 				 struct station_parameters *params)
6826 {
6827 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6828 	struct nlattr *nla;
6829 	int err;
6830 
6831 	/* parse WME attributes if present */
6832 	if (!info->attrs[NL80211_ATTR_STA_WME])
6833 		return 0;
6834 
6835 	nla = info->attrs[NL80211_ATTR_STA_WME];
6836 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6837 					  nl80211_sta_wme_policy,
6838 					  info->extack);
6839 	if (err)
6840 		return err;
6841 
6842 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6843 		params->uapsd_queues = nla_get_u8(
6844 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6845 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6846 		return -EINVAL;
6847 
6848 	if (tb[NL80211_STA_WME_MAX_SP])
6849 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6850 
6851 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6852 		return -EINVAL;
6853 
6854 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6855 
6856 	return 0;
6857 }
6858 
6859 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6860 				      struct station_parameters *params)
6861 {
6862 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6863 		params->supported_channels =
6864 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6865 		params->supported_channels_len =
6866 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6867 		/*
6868 		 * Need to include at least one (first channel, number of
6869 		 * channels) tuple for each subband (checked in policy),
6870 		 * and must have proper tuples for the rest of the data as well.
6871 		 */
6872 		if (params->supported_channels_len % 2)
6873 			return -EINVAL;
6874 	}
6875 
6876 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6877 		params->supported_oper_classes =
6878 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6879 		params->supported_oper_classes_len =
6880 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6881 	}
6882 	return 0;
6883 }
6884 
6885 static int nl80211_set_station_tdls(struct genl_info *info,
6886 				    struct station_parameters *params)
6887 {
6888 	int err;
6889 	/* Dummy STA entry gets updated once the peer capabilities are known */
6890 	if (info->attrs[NL80211_ATTR_PEER_AID])
6891 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6892 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6893 		params->link_sta_params.ht_capa =
6894 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6895 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6896 		params->link_sta_params.vht_capa =
6897 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6898 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6899 		params->link_sta_params.he_capa =
6900 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6901 		params->link_sta_params.he_capa_len =
6902 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6903 
6904 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6905 			params->link_sta_params.eht_capa =
6906 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6907 			params->link_sta_params.eht_capa_len =
6908 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6909 
6910 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
6911 							(const u8 *)params->link_sta_params.eht_capa,
6912 							params->link_sta_params.eht_capa_len,
6913 							false))
6914 				return -EINVAL;
6915 		}
6916 	}
6917 
6918 	err = nl80211_parse_sta_channel_info(info, params);
6919 	if (err)
6920 		return err;
6921 
6922 	return nl80211_parse_sta_wme(info, params);
6923 }
6924 
6925 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6926 					     struct sta_txpwr *txpwr,
6927 					     bool *txpwr_set)
6928 {
6929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6930 	int idx;
6931 
6932 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6933 		if (!rdev->ops->set_tx_power ||
6934 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6935 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6936 			return -EOPNOTSUPP;
6937 
6938 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6939 		txpwr->type = nla_get_u8(info->attrs[idx]);
6940 
6941 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
6942 			idx = NL80211_ATTR_STA_TX_POWER;
6943 
6944 			if (info->attrs[idx])
6945 				txpwr->power = nla_get_s16(info->attrs[idx]);
6946 			else
6947 				return -EINVAL;
6948 		}
6949 
6950 		*txpwr_set = true;
6951 	} else {
6952 		*txpwr_set = false;
6953 	}
6954 
6955 	return 0;
6956 }
6957 
6958 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6959 {
6960 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6961 	struct net_device *dev = info->user_ptr[1];
6962 	struct station_parameters params;
6963 	u8 *mac_addr;
6964 	int err;
6965 
6966 	memset(&params, 0, sizeof(params));
6967 
6968 	if (!rdev->ops->change_station)
6969 		return -EOPNOTSUPP;
6970 
6971 	/*
6972 	 * AID and listen_interval properties can be set only for unassociated
6973 	 * station. Include these parameters here and will check them in
6974 	 * cfg80211_check_station_change().
6975 	 */
6976 	if (info->attrs[NL80211_ATTR_STA_AID])
6977 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6978 
6979 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6980 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6981 
6982 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6983 		params.listen_interval =
6984 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6985 	else
6986 		params.listen_interval = -1;
6987 
6988 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6989 		params.support_p2p_ps =
6990 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6991 	else
6992 		params.support_p2p_ps = -1;
6993 
6994 	if (!info->attrs[NL80211_ATTR_MAC])
6995 		return -EINVAL;
6996 
6997 	params.link_sta_params.link_id =
6998 		nl80211_link_id_or_invalid(info->attrs);
6999 
7000 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7001 		/* If MLD_ADDR attribute is set then this is an MLD station
7002 		 * and the MLD_ADDR attribute holds the MLD address and the
7003 		 * MAC attribute holds for the LINK address.
7004 		 * In that case, the link_id is also expected to be valid.
7005 		 */
7006 		if (params.link_sta_params.link_id < 0)
7007 			return -EINVAL;
7008 
7009 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7010 		params.link_sta_params.mld_mac = mac_addr;
7011 		params.link_sta_params.link_mac =
7012 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7013 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7014 			return -EINVAL;
7015 	} else {
7016 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7017 	}
7018 
7019 
7020 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7021 		params.link_sta_params.supported_rates =
7022 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7023 		params.link_sta_params.supported_rates_len =
7024 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7025 	}
7026 
7027 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7028 		params.capability =
7029 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7030 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7031 	}
7032 
7033 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7034 		params.ext_capab =
7035 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7036 		params.ext_capab_len =
7037 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7038 	}
7039 
7040 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7041 		return -EINVAL;
7042 
7043 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7044 		params.plink_action =
7045 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7046 
7047 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7048 		params.plink_state =
7049 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7050 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7051 			params.peer_aid = nla_get_u16(
7052 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7053 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7054 	}
7055 
7056 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7057 		params.local_pm = nla_get_u32(
7058 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7059 
7060 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7061 		params.link_sta_params.opmode_notif_used = true;
7062 		params.link_sta_params.opmode_notif =
7063 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7064 	}
7065 
7066 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7067 		params.link_sta_params.he_6ghz_capa =
7068 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7069 
7070 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7071 		params.airtime_weight =
7072 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7073 
7074 	if (params.airtime_weight &&
7075 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7076 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7077 		return -EOPNOTSUPP;
7078 
7079 	err = nl80211_parse_sta_txpower_setting(info,
7080 						&params.link_sta_params.txpwr,
7081 						&params.link_sta_params.txpwr_set);
7082 	if (err)
7083 		return err;
7084 
7085 	/* Include parameters for TDLS peer (will check later) */
7086 	err = nl80211_set_station_tdls(info, &params);
7087 	if (err)
7088 		return err;
7089 
7090 	params.vlan = get_vlan(info, rdev);
7091 	if (IS_ERR(params.vlan))
7092 		return PTR_ERR(params.vlan);
7093 
7094 	switch (dev->ieee80211_ptr->iftype) {
7095 	case NL80211_IFTYPE_AP:
7096 	case NL80211_IFTYPE_AP_VLAN:
7097 	case NL80211_IFTYPE_P2P_GO:
7098 	case NL80211_IFTYPE_P2P_CLIENT:
7099 	case NL80211_IFTYPE_STATION:
7100 	case NL80211_IFTYPE_ADHOC:
7101 	case NL80211_IFTYPE_MESH_POINT:
7102 		break;
7103 	default:
7104 		err = -EOPNOTSUPP;
7105 		goto out_put_vlan;
7106 	}
7107 
7108 	/* driver will call cfg80211_check_station_change() */
7109 	wdev_lock(dev->ieee80211_ptr);
7110 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7111 	wdev_unlock(dev->ieee80211_ptr);
7112 
7113  out_put_vlan:
7114 	dev_put(params.vlan);
7115 
7116 	return err;
7117 }
7118 
7119 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7120 {
7121 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7122 	int err;
7123 	struct net_device *dev = info->user_ptr[1];
7124 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7125 	struct station_parameters params;
7126 	u8 *mac_addr = NULL;
7127 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7128 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7129 
7130 	memset(&params, 0, sizeof(params));
7131 
7132 	if (!rdev->ops->add_station)
7133 		return -EOPNOTSUPP;
7134 
7135 	if (!info->attrs[NL80211_ATTR_MAC])
7136 		return -EINVAL;
7137 
7138 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7139 		return -EINVAL;
7140 
7141 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7142 		return -EINVAL;
7143 
7144 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7145 	    !info->attrs[NL80211_ATTR_PEER_AID])
7146 		return -EINVAL;
7147 
7148 	params.link_sta_params.link_id =
7149 		nl80211_link_id_or_invalid(info->attrs);
7150 
7151 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7152 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7153 		params.link_sta_params.mld_mac = mac_addr;
7154 		params.link_sta_params.link_mac =
7155 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7156 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7157 			return -EINVAL;
7158 	} else {
7159 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7160 	}
7161 
7162 	params.link_sta_params.supported_rates =
7163 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7164 	params.link_sta_params.supported_rates_len =
7165 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7166 	params.listen_interval =
7167 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7168 
7169 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7170 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7171 
7172 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7173 		params.support_p2p_ps =
7174 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7175 	} else {
7176 		/*
7177 		 * if not specified, assume it's supported for P2P GO interface,
7178 		 * and is NOT supported for AP interface
7179 		 */
7180 		params.support_p2p_ps =
7181 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7182 	}
7183 
7184 	if (info->attrs[NL80211_ATTR_PEER_AID])
7185 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7186 	else
7187 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7188 
7189 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7190 		params.capability =
7191 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7192 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7193 	}
7194 
7195 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7196 		params.ext_capab =
7197 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7198 		params.ext_capab_len =
7199 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7200 	}
7201 
7202 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7203 		params.link_sta_params.ht_capa =
7204 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7205 
7206 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7207 		params.link_sta_params.vht_capa =
7208 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7209 
7210 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7211 		params.link_sta_params.he_capa =
7212 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7213 		params.link_sta_params.he_capa_len =
7214 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7215 
7216 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7217 			params.link_sta_params.eht_capa =
7218 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7219 			params.link_sta_params.eht_capa_len =
7220 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7221 
7222 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7223 							(const u8 *)params.link_sta_params.eht_capa,
7224 							params.link_sta_params.eht_capa_len,
7225 							false))
7226 				return -EINVAL;
7227 		}
7228 	}
7229 
7230 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7231 		params.link_sta_params.he_6ghz_capa =
7232 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7233 
7234 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7235 		params.link_sta_params.opmode_notif_used = true;
7236 		params.link_sta_params.opmode_notif =
7237 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7238 	}
7239 
7240 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7241 		params.plink_action =
7242 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7243 
7244 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7245 		params.airtime_weight =
7246 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7247 
7248 	if (params.airtime_weight &&
7249 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7250 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7251 		return -EOPNOTSUPP;
7252 
7253 	err = nl80211_parse_sta_txpower_setting(info,
7254 						&params.link_sta_params.txpwr,
7255 						&params.link_sta_params.txpwr_set);
7256 	if (err)
7257 		return err;
7258 
7259 	err = nl80211_parse_sta_channel_info(info, &params);
7260 	if (err)
7261 		return err;
7262 
7263 	err = nl80211_parse_sta_wme(info, &params);
7264 	if (err)
7265 		return err;
7266 
7267 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7268 		return -EINVAL;
7269 
7270 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7271 	 * as userspace might just pass through the capabilities from the IEs
7272 	 * directly, rather than enforcing this restriction and returning an
7273 	 * error in this case.
7274 	 */
7275 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7276 		params.link_sta_params.ht_capa = NULL;
7277 		params.link_sta_params.vht_capa = NULL;
7278 
7279 		/* HE and EHT require WME */
7280 		if (params.link_sta_params.he_capa_len ||
7281 		    params.link_sta_params.he_6ghz_capa ||
7282 		    params.link_sta_params.eht_capa_len)
7283 			return -EINVAL;
7284 	}
7285 
7286 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7287 	if (params.link_sta_params.he_6ghz_capa &&
7288 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7289 		return -EINVAL;
7290 
7291 	/* When you run into this, adjust the code below for the new flag */
7292 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7293 
7294 	switch (dev->ieee80211_ptr->iftype) {
7295 	case NL80211_IFTYPE_AP:
7296 	case NL80211_IFTYPE_AP_VLAN:
7297 	case NL80211_IFTYPE_P2P_GO:
7298 		/* ignore WME attributes if iface/sta is not capable */
7299 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7300 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7301 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7302 
7303 		/* TDLS peers cannot be added */
7304 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7305 		    info->attrs[NL80211_ATTR_PEER_AID])
7306 			return -EINVAL;
7307 		/* but don't bother the driver with it */
7308 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7309 
7310 		/* allow authenticated/associated only if driver handles it */
7311 		if (!(rdev->wiphy.features &
7312 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7313 		    params.sta_flags_mask & auth_assoc)
7314 			return -EINVAL;
7315 
7316 		/* Older userspace, or userspace wanting to be compatible with
7317 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7318 		 * and assoc flags in the mask, but assumes the station will be
7319 		 * added as associated anyway since this was the required driver
7320 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7321 		 * introduced.
7322 		 * In order to not bother drivers with this quirk in the API
7323 		 * set the flags in both the mask and set for new stations in
7324 		 * this case.
7325 		 */
7326 		if (!(params.sta_flags_mask & auth_assoc)) {
7327 			params.sta_flags_mask |= auth_assoc;
7328 			params.sta_flags_set |= auth_assoc;
7329 		}
7330 
7331 		/* must be last in here for error handling */
7332 		params.vlan = get_vlan(info, rdev);
7333 		if (IS_ERR(params.vlan))
7334 			return PTR_ERR(params.vlan);
7335 		break;
7336 	case NL80211_IFTYPE_MESH_POINT:
7337 		/* ignore uAPSD data */
7338 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7339 
7340 		/* associated is disallowed */
7341 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7342 			return -EINVAL;
7343 		/* TDLS peers cannot be added */
7344 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7345 		    info->attrs[NL80211_ATTR_PEER_AID])
7346 			return -EINVAL;
7347 		break;
7348 	case NL80211_IFTYPE_STATION:
7349 	case NL80211_IFTYPE_P2P_CLIENT:
7350 		/* ignore uAPSD data */
7351 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7352 
7353 		/* these are disallowed */
7354 		if (params.sta_flags_mask &
7355 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7356 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7357 			return -EINVAL;
7358 		/* Only TDLS peers can be added */
7359 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7360 			return -EINVAL;
7361 		/* Can only add if TDLS ... */
7362 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7363 			return -EOPNOTSUPP;
7364 		/* ... with external setup is supported */
7365 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7366 			return -EOPNOTSUPP;
7367 		/*
7368 		 * Older wpa_supplicant versions always mark the TDLS peer
7369 		 * as authorized, but it shouldn't yet be.
7370 		 */
7371 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7372 		break;
7373 	default:
7374 		return -EOPNOTSUPP;
7375 	}
7376 
7377 	/* be aware of params.vlan when changing code here */
7378 
7379 	wdev_lock(dev->ieee80211_ptr);
7380 	if (wdev->valid_links) {
7381 		if (params.link_sta_params.link_id < 0) {
7382 			err = -EINVAL;
7383 			goto out;
7384 		}
7385 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7386 			err = -ENOLINK;
7387 			goto out;
7388 		}
7389 	} else {
7390 		if (params.link_sta_params.link_id >= 0) {
7391 			err = -EINVAL;
7392 			goto out;
7393 		}
7394 	}
7395 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7396 out:
7397 	wdev_unlock(dev->ieee80211_ptr);
7398 	dev_put(params.vlan);
7399 	return err;
7400 }
7401 
7402 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7403 {
7404 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7405 	struct net_device *dev = info->user_ptr[1];
7406 	struct station_del_parameters params;
7407 	int ret;
7408 
7409 	memset(&params, 0, sizeof(params));
7410 
7411 	if (info->attrs[NL80211_ATTR_MAC])
7412 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7413 
7414 	switch (dev->ieee80211_ptr->iftype) {
7415 	case NL80211_IFTYPE_AP:
7416 	case NL80211_IFTYPE_AP_VLAN:
7417 	case NL80211_IFTYPE_MESH_POINT:
7418 	case NL80211_IFTYPE_P2P_GO:
7419 		/* always accept these */
7420 		break;
7421 	case NL80211_IFTYPE_ADHOC:
7422 		/* conditionally accept */
7423 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7424 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7425 			break;
7426 		return -EINVAL;
7427 	default:
7428 		return -EINVAL;
7429 	}
7430 
7431 	if (!rdev->ops->del_station)
7432 		return -EOPNOTSUPP;
7433 
7434 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7435 		params.subtype =
7436 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7437 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7438 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7439 			return -EINVAL;
7440 	} else {
7441 		/* Default to Deauthentication frame */
7442 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7443 	}
7444 
7445 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7446 		params.reason_code =
7447 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7448 		if (params.reason_code == 0)
7449 			return -EINVAL; /* 0 is reserved */
7450 	} else {
7451 		/* Default to reason code 2 */
7452 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7453 	}
7454 
7455 	wdev_lock(dev->ieee80211_ptr);
7456 	ret = rdev_del_station(rdev, dev, &params);
7457 	wdev_unlock(dev->ieee80211_ptr);
7458 
7459 	return ret;
7460 }
7461 
7462 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7463 				int flags, struct net_device *dev,
7464 				u8 *dst, u8 *next_hop,
7465 				struct mpath_info *pinfo)
7466 {
7467 	void *hdr;
7468 	struct nlattr *pinfoattr;
7469 
7470 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7471 	if (!hdr)
7472 		return -1;
7473 
7474 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7475 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7476 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7477 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7478 		goto nla_put_failure;
7479 
7480 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7481 	if (!pinfoattr)
7482 		goto nla_put_failure;
7483 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7484 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7485 			pinfo->frame_qlen))
7486 		goto nla_put_failure;
7487 	if (((pinfo->filled & MPATH_INFO_SN) &&
7488 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7489 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7490 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7491 			 pinfo->metric)) ||
7492 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7493 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7494 			 pinfo->exptime)) ||
7495 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7496 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7497 			pinfo->flags)) ||
7498 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7499 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7500 			 pinfo->discovery_timeout)) ||
7501 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7502 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7503 			pinfo->discovery_retries)) ||
7504 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7505 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7506 			pinfo->hop_count)) ||
7507 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7508 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7509 			 pinfo->path_change_count)))
7510 		goto nla_put_failure;
7511 
7512 	nla_nest_end(msg, pinfoattr);
7513 
7514 	genlmsg_end(msg, hdr);
7515 	return 0;
7516 
7517  nla_put_failure:
7518 	genlmsg_cancel(msg, hdr);
7519 	return -EMSGSIZE;
7520 }
7521 
7522 static int nl80211_dump_mpath(struct sk_buff *skb,
7523 			      struct netlink_callback *cb)
7524 {
7525 	struct mpath_info pinfo;
7526 	struct cfg80211_registered_device *rdev;
7527 	struct wireless_dev *wdev;
7528 	u8 dst[ETH_ALEN];
7529 	u8 next_hop[ETH_ALEN];
7530 	int path_idx = cb->args[2];
7531 	int err;
7532 
7533 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7534 	if (err)
7535 		return err;
7536 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7537 	__acquire(&rdev->wiphy.mtx);
7538 
7539 	if (!rdev->ops->dump_mpath) {
7540 		err = -EOPNOTSUPP;
7541 		goto out_err;
7542 	}
7543 
7544 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7545 		err = -EOPNOTSUPP;
7546 		goto out_err;
7547 	}
7548 
7549 	while (1) {
7550 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7551 				      next_hop, &pinfo);
7552 		if (err == -ENOENT)
7553 			break;
7554 		if (err)
7555 			goto out_err;
7556 
7557 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7558 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7559 				       wdev->netdev, dst, next_hop,
7560 				       &pinfo) < 0)
7561 			goto out;
7562 
7563 		path_idx++;
7564 	}
7565 
7566  out:
7567 	cb->args[2] = path_idx;
7568 	err = skb->len;
7569  out_err:
7570 	wiphy_unlock(&rdev->wiphy);
7571 	return err;
7572 }
7573 
7574 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7575 {
7576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7577 	int err;
7578 	struct net_device *dev = info->user_ptr[1];
7579 	struct mpath_info pinfo;
7580 	struct sk_buff *msg;
7581 	u8 *dst = NULL;
7582 	u8 next_hop[ETH_ALEN];
7583 
7584 	memset(&pinfo, 0, sizeof(pinfo));
7585 
7586 	if (!info->attrs[NL80211_ATTR_MAC])
7587 		return -EINVAL;
7588 
7589 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7590 
7591 	if (!rdev->ops->get_mpath)
7592 		return -EOPNOTSUPP;
7593 
7594 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7595 		return -EOPNOTSUPP;
7596 
7597 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7598 	if (err)
7599 		return err;
7600 
7601 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7602 	if (!msg)
7603 		return -ENOMEM;
7604 
7605 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7606 				 dev, dst, next_hop, &pinfo) < 0) {
7607 		nlmsg_free(msg);
7608 		return -ENOBUFS;
7609 	}
7610 
7611 	return genlmsg_reply(msg, info);
7612 }
7613 
7614 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7615 {
7616 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7617 	struct net_device *dev = info->user_ptr[1];
7618 	u8 *dst = NULL;
7619 	u8 *next_hop = NULL;
7620 
7621 	if (!info->attrs[NL80211_ATTR_MAC])
7622 		return -EINVAL;
7623 
7624 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7625 		return -EINVAL;
7626 
7627 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7628 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7629 
7630 	if (!rdev->ops->change_mpath)
7631 		return -EOPNOTSUPP;
7632 
7633 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7634 		return -EOPNOTSUPP;
7635 
7636 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7637 }
7638 
7639 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7640 {
7641 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7642 	struct net_device *dev = info->user_ptr[1];
7643 	u8 *dst = NULL;
7644 	u8 *next_hop = NULL;
7645 
7646 	if (!info->attrs[NL80211_ATTR_MAC])
7647 		return -EINVAL;
7648 
7649 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7650 		return -EINVAL;
7651 
7652 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7653 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7654 
7655 	if (!rdev->ops->add_mpath)
7656 		return -EOPNOTSUPP;
7657 
7658 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7659 		return -EOPNOTSUPP;
7660 
7661 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7662 }
7663 
7664 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7665 {
7666 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7667 	struct net_device *dev = info->user_ptr[1];
7668 	u8 *dst = NULL;
7669 
7670 	if (info->attrs[NL80211_ATTR_MAC])
7671 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7672 
7673 	if (!rdev->ops->del_mpath)
7674 		return -EOPNOTSUPP;
7675 
7676 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7677 		return -EOPNOTSUPP;
7678 
7679 	return rdev_del_mpath(rdev, dev, dst);
7680 }
7681 
7682 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7683 {
7684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7685 	int err;
7686 	struct net_device *dev = info->user_ptr[1];
7687 	struct mpath_info pinfo;
7688 	struct sk_buff *msg;
7689 	u8 *dst = NULL;
7690 	u8 mpp[ETH_ALEN];
7691 
7692 	memset(&pinfo, 0, sizeof(pinfo));
7693 
7694 	if (!info->attrs[NL80211_ATTR_MAC])
7695 		return -EINVAL;
7696 
7697 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7698 
7699 	if (!rdev->ops->get_mpp)
7700 		return -EOPNOTSUPP;
7701 
7702 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7703 		return -EOPNOTSUPP;
7704 
7705 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7706 	if (err)
7707 		return err;
7708 
7709 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7710 	if (!msg)
7711 		return -ENOMEM;
7712 
7713 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7714 			       dev, dst, mpp, &pinfo) < 0) {
7715 		nlmsg_free(msg);
7716 		return -ENOBUFS;
7717 	}
7718 
7719 	return genlmsg_reply(msg, info);
7720 }
7721 
7722 static int nl80211_dump_mpp(struct sk_buff *skb,
7723 			    struct netlink_callback *cb)
7724 {
7725 	struct mpath_info pinfo;
7726 	struct cfg80211_registered_device *rdev;
7727 	struct wireless_dev *wdev;
7728 	u8 dst[ETH_ALEN];
7729 	u8 mpp[ETH_ALEN];
7730 	int path_idx = cb->args[2];
7731 	int err;
7732 
7733 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7734 	if (err)
7735 		return err;
7736 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7737 	__acquire(&rdev->wiphy.mtx);
7738 
7739 	if (!rdev->ops->dump_mpp) {
7740 		err = -EOPNOTSUPP;
7741 		goto out_err;
7742 	}
7743 
7744 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7745 		err = -EOPNOTSUPP;
7746 		goto out_err;
7747 	}
7748 
7749 	while (1) {
7750 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7751 				    mpp, &pinfo);
7752 		if (err == -ENOENT)
7753 			break;
7754 		if (err)
7755 			goto out_err;
7756 
7757 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7758 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7759 				       wdev->netdev, dst, mpp,
7760 				       &pinfo) < 0)
7761 			goto out;
7762 
7763 		path_idx++;
7764 	}
7765 
7766  out:
7767 	cb->args[2] = path_idx;
7768 	err = skb->len;
7769  out_err:
7770 	wiphy_unlock(&rdev->wiphy);
7771 	return err;
7772 }
7773 
7774 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7775 {
7776 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7777 	struct net_device *dev = info->user_ptr[1];
7778 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7779 	struct bss_parameters params;
7780 	int err;
7781 
7782 	memset(&params, 0, sizeof(params));
7783 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
7784 	/* default to not changing parameters */
7785 	params.use_cts_prot = -1;
7786 	params.use_short_preamble = -1;
7787 	params.use_short_slot_time = -1;
7788 	params.ap_isolate = -1;
7789 	params.ht_opmode = -1;
7790 	params.p2p_ctwindow = -1;
7791 	params.p2p_opp_ps = -1;
7792 
7793 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7794 		params.use_cts_prot =
7795 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7796 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7797 		params.use_short_preamble =
7798 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7799 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7800 		params.use_short_slot_time =
7801 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7802 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7803 		params.basic_rates =
7804 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7805 		params.basic_rates_len =
7806 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7807 	}
7808 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7809 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7810 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7811 		params.ht_opmode =
7812 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7813 
7814 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7815 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7816 			return -EINVAL;
7817 		params.p2p_ctwindow =
7818 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7819 		if (params.p2p_ctwindow != 0 &&
7820 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7821 			return -EINVAL;
7822 	}
7823 
7824 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7825 		u8 tmp;
7826 
7827 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7828 			return -EINVAL;
7829 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7830 		params.p2p_opp_ps = tmp;
7831 		if (params.p2p_opp_ps &&
7832 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7833 			return -EINVAL;
7834 	}
7835 
7836 	if (!rdev->ops->change_bss)
7837 		return -EOPNOTSUPP;
7838 
7839 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7840 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7841 		return -EOPNOTSUPP;
7842 
7843 	wdev_lock(wdev);
7844 	err = rdev_change_bss(rdev, dev, &params);
7845 	wdev_unlock(wdev);
7846 
7847 	return err;
7848 }
7849 
7850 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7851 {
7852 	char *data = NULL;
7853 	bool is_indoor;
7854 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7855 	u32 owner_nlportid;
7856 
7857 	/*
7858 	 * You should only get this when cfg80211 hasn't yet initialized
7859 	 * completely when built-in to the kernel right between the time
7860 	 * window between nl80211_init() and regulatory_init(), if that is
7861 	 * even possible.
7862 	 */
7863 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7864 		return -EINPROGRESS;
7865 
7866 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7867 		user_reg_hint_type =
7868 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7869 	else
7870 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7871 
7872 	switch (user_reg_hint_type) {
7873 	case NL80211_USER_REG_HINT_USER:
7874 	case NL80211_USER_REG_HINT_CELL_BASE:
7875 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7876 			return -EINVAL;
7877 
7878 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7879 		return regulatory_hint_user(data, user_reg_hint_type);
7880 	case NL80211_USER_REG_HINT_INDOOR:
7881 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7882 			owner_nlportid = info->snd_portid;
7883 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7884 		} else {
7885 			owner_nlportid = 0;
7886 			is_indoor = true;
7887 		}
7888 
7889 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7890 	default:
7891 		return -EINVAL;
7892 	}
7893 }
7894 
7895 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7896 {
7897 	return reg_reload_regdb();
7898 }
7899 
7900 static int nl80211_get_mesh_config(struct sk_buff *skb,
7901 				   struct genl_info *info)
7902 {
7903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7904 	struct net_device *dev = info->user_ptr[1];
7905 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7906 	struct mesh_config cur_params;
7907 	int err = 0;
7908 	void *hdr;
7909 	struct nlattr *pinfoattr;
7910 	struct sk_buff *msg;
7911 
7912 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7913 		return -EOPNOTSUPP;
7914 
7915 	if (!rdev->ops->get_mesh_config)
7916 		return -EOPNOTSUPP;
7917 
7918 	wdev_lock(wdev);
7919 	/* If not connected, get default parameters */
7920 	if (!wdev->u.mesh.id_len)
7921 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7922 	else
7923 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7924 	wdev_unlock(wdev);
7925 
7926 	if (err)
7927 		return err;
7928 
7929 	/* Draw up a netlink message to send back */
7930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7931 	if (!msg)
7932 		return -ENOMEM;
7933 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7934 			     NL80211_CMD_GET_MESH_CONFIG);
7935 	if (!hdr)
7936 		goto out;
7937 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7938 	if (!pinfoattr)
7939 		goto nla_put_failure;
7940 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7941 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7942 			cur_params.dot11MeshRetryTimeout) ||
7943 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7944 			cur_params.dot11MeshConfirmTimeout) ||
7945 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7946 			cur_params.dot11MeshHoldingTimeout) ||
7947 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7948 			cur_params.dot11MeshMaxPeerLinks) ||
7949 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7950 		       cur_params.dot11MeshMaxRetries) ||
7951 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7952 		       cur_params.dot11MeshTTL) ||
7953 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7954 		       cur_params.element_ttl) ||
7955 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7956 		       cur_params.auto_open_plinks) ||
7957 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7958 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7959 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7960 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7961 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7962 			cur_params.path_refresh_time) ||
7963 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7964 			cur_params.min_discovery_timeout) ||
7965 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7966 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7967 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7968 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7969 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7970 			cur_params.dot11MeshHWMPperrMinInterval) ||
7971 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7972 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7973 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7974 		       cur_params.dot11MeshHWMPRootMode) ||
7975 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7976 			cur_params.dot11MeshHWMPRannInterval) ||
7977 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7978 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7979 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7980 		       cur_params.dot11MeshForwarding) ||
7981 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7982 			cur_params.rssi_threshold) ||
7983 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7984 			cur_params.ht_opmode) ||
7985 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7986 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7987 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7988 			cur_params.dot11MeshHWMProotInterval) ||
7989 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7990 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7991 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7992 			cur_params.power_mode) ||
7993 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7994 			cur_params.dot11MeshAwakeWindowDuration) ||
7995 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7996 			cur_params.plink_timeout) ||
7997 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7998 		       cur_params.dot11MeshConnectedToMeshGate) ||
7999 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8000 		       cur_params.dot11MeshNolearn) ||
8001 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8002 		       cur_params.dot11MeshConnectedToAuthServer))
8003 		goto nla_put_failure;
8004 	nla_nest_end(msg, pinfoattr);
8005 	genlmsg_end(msg, hdr);
8006 	return genlmsg_reply(msg, info);
8007 
8008  nla_put_failure:
8009  out:
8010 	nlmsg_free(msg);
8011 	return -ENOBUFS;
8012 }
8013 
8014 static const struct nla_policy
8015 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8016 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8017 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8018 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8019 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8020 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8021 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8022 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8023 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8024 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8025 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8026 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8027 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8028 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8029 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8030 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8031 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8032 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8033 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8034 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8035 		NLA_POLICY_MIN(NLA_U16, 1),
8036 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8037 		NLA_POLICY_MIN(NLA_U16, 1),
8038 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8039 		NLA_POLICY_MIN(NLA_U16, 1),
8040 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8041 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8042 		NLA_POLICY_MIN(NLA_U16, 1),
8043 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8044 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8045 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8046 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8047 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8048 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8049 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8050 		NLA_POLICY_MIN(NLA_U16, 1),
8051 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8052 		NLA_POLICY_MIN(NLA_U16, 1),
8053 	[NL80211_MESHCONF_POWER_MODE] =
8054 		NLA_POLICY_RANGE(NLA_U32,
8055 				 NL80211_MESH_POWER_ACTIVE,
8056 				 NL80211_MESH_POWER_MAX),
8057 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8058 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8059 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8060 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8061 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8062 };
8063 
8064 static const struct nla_policy
8065 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8066 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8067 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8068 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8069 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8070 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8071 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8072 	[NL80211_MESH_SETUP_IE] =
8073 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8074 				       IEEE80211_MAX_DATA_LEN),
8075 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8076 };
8077 
8078 static int nl80211_parse_mesh_config(struct genl_info *info,
8079 				     struct mesh_config *cfg,
8080 				     u32 *mask_out)
8081 {
8082 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8083 	u32 mask = 0;
8084 	u16 ht_opmode;
8085 
8086 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8087 do {									\
8088 	if (tb[attr]) {							\
8089 		cfg->param = fn(tb[attr]);				\
8090 		mask |= BIT((attr) - 1);				\
8091 	}								\
8092 } while (0)
8093 
8094 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8095 		return -EINVAL;
8096 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8097 		return -EINVAL;
8098 
8099 	/* This makes sure that there aren't more than 32 mesh config
8100 	 * parameters (otherwise our bitfield scheme would not work.) */
8101 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8102 
8103 	/* Fill in the params struct */
8104 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8105 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8106 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8107 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8108 				  nla_get_u16);
8109 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8110 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8111 				  nla_get_u16);
8112 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8113 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8114 				  nla_get_u16);
8115 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8116 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8117 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8118 				  NL80211_MESHCONF_TTL, nla_get_u8);
8119 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8120 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8121 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8122 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8123 				  nla_get_u8);
8124 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8125 				  mask,
8126 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8127 				  nla_get_u32);
8128 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8129 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8130 				  nla_get_u8);
8131 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8132 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8133 				  nla_get_u32);
8134 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8135 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8136 		return -EINVAL;
8137 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8138 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8139 				  nla_get_u16);
8140 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8141 				  mask,
8142 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8143 				  nla_get_u32);
8144 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8145 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8146 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8147 		return -EINVAL;
8148 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8149 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8150 				  nla_get_u16);
8151 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8152 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8153 				  nla_get_u16);
8154 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8155 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8156 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8157 				  nla_get_u16);
8158 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8159 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8160 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8161 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8162 				  nla_get_u16);
8163 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8164 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8165 				  nla_get_u8);
8166 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8167 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8168 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8169 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8170 				  nla_get_s32);
8171 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8172 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8173 				  nla_get_u8);
8174 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8175 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8176 				  nla_get_u8);
8177 	/*
8178 	 * Check HT operation mode based on
8179 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8180 	 */
8181 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8182 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8183 
8184 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8185 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8186 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8187 			return -EINVAL;
8188 
8189 		/* NON_HT_STA bit is reserved, but some programs set it */
8190 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8191 
8192 		cfg->ht_opmode = ht_opmode;
8193 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8194 	}
8195 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8196 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8197 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8198 				  nla_get_u32);
8199 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8200 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8201 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8202 		return -EINVAL;
8203 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8204 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8205 				  nla_get_u16);
8206 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8207 				  mask,
8208 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8209 				  nla_get_u16);
8210 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8211 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8212 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8213 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8214 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8215 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8216 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8217 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8218 	if (mask_out)
8219 		*mask_out = mask;
8220 
8221 	return 0;
8222 
8223 #undef FILL_IN_MESH_PARAM_IF_SET
8224 }
8225 
8226 static int nl80211_parse_mesh_setup(struct genl_info *info,
8227 				     struct mesh_setup *setup)
8228 {
8229 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8230 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8231 
8232 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8233 		return -EINVAL;
8234 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8235 		return -EINVAL;
8236 
8237 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8238 		setup->sync_method =
8239 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8240 		 IEEE80211_SYNC_METHOD_VENDOR :
8241 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8242 
8243 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8244 		setup->path_sel_proto =
8245 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8246 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8247 		 IEEE80211_PATH_PROTOCOL_HWMP;
8248 
8249 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8250 		setup->path_metric =
8251 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8252 		 IEEE80211_PATH_METRIC_VENDOR :
8253 		 IEEE80211_PATH_METRIC_AIRTIME;
8254 
8255 	if (tb[NL80211_MESH_SETUP_IE]) {
8256 		struct nlattr *ieattr =
8257 			tb[NL80211_MESH_SETUP_IE];
8258 		setup->ie = nla_data(ieattr);
8259 		setup->ie_len = nla_len(ieattr);
8260 	}
8261 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8262 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8263 		return -EINVAL;
8264 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8265 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8266 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8267 	if (setup->is_secure)
8268 		setup->user_mpm = true;
8269 
8270 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8271 		if (!setup->user_mpm)
8272 			return -EINVAL;
8273 		setup->auth_id =
8274 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8275 	}
8276 
8277 	return 0;
8278 }
8279 
8280 static int nl80211_update_mesh_config(struct sk_buff *skb,
8281 				      struct genl_info *info)
8282 {
8283 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8284 	struct net_device *dev = info->user_ptr[1];
8285 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8286 	struct mesh_config cfg;
8287 	u32 mask;
8288 	int err;
8289 
8290 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8291 		return -EOPNOTSUPP;
8292 
8293 	if (!rdev->ops->update_mesh_config)
8294 		return -EOPNOTSUPP;
8295 
8296 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8297 	if (err)
8298 		return err;
8299 
8300 	wdev_lock(wdev);
8301 	if (!wdev->u.mesh.id_len)
8302 		err = -ENOLINK;
8303 
8304 	if (!err)
8305 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8306 
8307 	wdev_unlock(wdev);
8308 
8309 	return err;
8310 }
8311 
8312 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8313 			      struct sk_buff *msg)
8314 {
8315 	struct nlattr *nl_reg_rules;
8316 	unsigned int i;
8317 
8318 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8319 	    (regdom->dfs_region &&
8320 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8321 		goto nla_put_failure;
8322 
8323 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8324 	if (!nl_reg_rules)
8325 		goto nla_put_failure;
8326 
8327 	for (i = 0; i < regdom->n_reg_rules; i++) {
8328 		struct nlattr *nl_reg_rule;
8329 		const struct ieee80211_reg_rule *reg_rule;
8330 		const struct ieee80211_freq_range *freq_range;
8331 		const struct ieee80211_power_rule *power_rule;
8332 		unsigned int max_bandwidth_khz;
8333 
8334 		reg_rule = &regdom->reg_rules[i];
8335 		freq_range = &reg_rule->freq_range;
8336 		power_rule = &reg_rule->power_rule;
8337 
8338 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8339 		if (!nl_reg_rule)
8340 			goto nla_put_failure;
8341 
8342 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8343 		if (!max_bandwidth_khz)
8344 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8345 								  reg_rule);
8346 
8347 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8348 				reg_rule->flags) ||
8349 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8350 				freq_range->start_freq_khz) ||
8351 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8352 				freq_range->end_freq_khz) ||
8353 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8354 				max_bandwidth_khz) ||
8355 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8356 				power_rule->max_antenna_gain) ||
8357 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8358 				power_rule->max_eirp) ||
8359 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8360 				reg_rule->dfs_cac_ms))
8361 			goto nla_put_failure;
8362 
8363 		nla_nest_end(msg, nl_reg_rule);
8364 	}
8365 
8366 	nla_nest_end(msg, nl_reg_rules);
8367 	return 0;
8368 
8369 nla_put_failure:
8370 	return -EMSGSIZE;
8371 }
8372 
8373 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8374 {
8375 	const struct ieee80211_regdomain *regdom = NULL;
8376 	struct cfg80211_registered_device *rdev;
8377 	struct wiphy *wiphy = NULL;
8378 	struct sk_buff *msg;
8379 	int err = -EMSGSIZE;
8380 	void *hdr;
8381 
8382 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8383 	if (!msg)
8384 		return -ENOBUFS;
8385 
8386 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8387 			     NL80211_CMD_GET_REG);
8388 	if (!hdr)
8389 		goto put_failure;
8390 
8391 	rtnl_lock();
8392 
8393 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8394 		bool self_managed;
8395 
8396 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8397 		if (IS_ERR(rdev)) {
8398 			err = PTR_ERR(rdev);
8399 			goto nla_put_failure;
8400 		}
8401 
8402 		wiphy = &rdev->wiphy;
8403 		self_managed = wiphy->regulatory_flags &
8404 			       REGULATORY_WIPHY_SELF_MANAGED;
8405 
8406 		rcu_read_lock();
8407 
8408 		regdom = get_wiphy_regdom(wiphy);
8409 
8410 		/* a self-managed-reg device must have a private regdom */
8411 		if (WARN_ON(!regdom && self_managed)) {
8412 			err = -EINVAL;
8413 			goto nla_put_failure_rcu;
8414 		}
8415 
8416 		if (regdom &&
8417 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8418 			goto nla_put_failure_rcu;
8419 	} else {
8420 		rcu_read_lock();
8421 	}
8422 
8423 	if (!wiphy && reg_last_request_cell_base() &&
8424 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8425 			NL80211_USER_REG_HINT_CELL_BASE))
8426 		goto nla_put_failure_rcu;
8427 
8428 	if (!regdom)
8429 		regdom = rcu_dereference(cfg80211_regdomain);
8430 
8431 	if (nl80211_put_regdom(regdom, msg))
8432 		goto nla_put_failure_rcu;
8433 
8434 	rcu_read_unlock();
8435 
8436 	genlmsg_end(msg, hdr);
8437 	rtnl_unlock();
8438 	return genlmsg_reply(msg, info);
8439 
8440 nla_put_failure_rcu:
8441 	rcu_read_unlock();
8442 nla_put_failure:
8443 	rtnl_unlock();
8444 put_failure:
8445 	nlmsg_free(msg);
8446 	return err;
8447 }
8448 
8449 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8450 			       u32 seq, int flags, struct wiphy *wiphy,
8451 			       const struct ieee80211_regdomain *regdom)
8452 {
8453 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8454 				   NL80211_CMD_GET_REG);
8455 
8456 	if (!hdr)
8457 		return -1;
8458 
8459 	genl_dump_check_consistent(cb, hdr);
8460 
8461 	if (nl80211_put_regdom(regdom, msg))
8462 		goto nla_put_failure;
8463 
8464 	if (!wiphy && reg_last_request_cell_base() &&
8465 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8466 			NL80211_USER_REG_HINT_CELL_BASE))
8467 		goto nla_put_failure;
8468 
8469 	if (wiphy &&
8470 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8471 		goto nla_put_failure;
8472 
8473 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8474 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8475 		goto nla_put_failure;
8476 
8477 	genlmsg_end(msg, hdr);
8478 	return 0;
8479 
8480 nla_put_failure:
8481 	genlmsg_cancel(msg, hdr);
8482 	return -EMSGSIZE;
8483 }
8484 
8485 static int nl80211_get_reg_dump(struct sk_buff *skb,
8486 				struct netlink_callback *cb)
8487 {
8488 	const struct ieee80211_regdomain *regdom = NULL;
8489 	struct cfg80211_registered_device *rdev;
8490 	int err, reg_idx, start = cb->args[2];
8491 
8492 	rcu_read_lock();
8493 
8494 	if (cfg80211_regdomain && start == 0) {
8495 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8496 					  NLM_F_MULTI, NULL,
8497 					  rcu_dereference(cfg80211_regdomain));
8498 		if (err < 0)
8499 			goto out_err;
8500 	}
8501 
8502 	/* the global regdom is idx 0 */
8503 	reg_idx = 1;
8504 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8505 		regdom = get_wiphy_regdom(&rdev->wiphy);
8506 		if (!regdom)
8507 			continue;
8508 
8509 		if (++reg_idx <= start)
8510 			continue;
8511 
8512 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8513 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8514 		if (err < 0) {
8515 			reg_idx--;
8516 			break;
8517 		}
8518 	}
8519 
8520 	cb->args[2] = reg_idx;
8521 	err = skb->len;
8522 out_err:
8523 	rcu_read_unlock();
8524 	return err;
8525 }
8526 
8527 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8528 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8529 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8530 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8531 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8532 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8533 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8534 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8535 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8536 };
8537 
8538 static int parse_reg_rule(struct nlattr *tb[],
8539 	struct ieee80211_reg_rule *reg_rule)
8540 {
8541 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8542 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8543 
8544 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8545 		return -EINVAL;
8546 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8547 		return -EINVAL;
8548 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8549 		return -EINVAL;
8550 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8551 		return -EINVAL;
8552 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8553 		return -EINVAL;
8554 
8555 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8556 
8557 	freq_range->start_freq_khz =
8558 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8559 	freq_range->end_freq_khz =
8560 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8561 	freq_range->max_bandwidth_khz =
8562 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8563 
8564 	power_rule->max_eirp =
8565 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8566 
8567 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8568 		power_rule->max_antenna_gain =
8569 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8570 
8571 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8572 		reg_rule->dfs_cac_ms =
8573 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8574 
8575 	return 0;
8576 }
8577 
8578 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8579 {
8580 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8581 	struct nlattr *nl_reg_rule;
8582 	char *alpha2;
8583 	int rem_reg_rules, r;
8584 	u32 num_rules = 0, rule_idx = 0;
8585 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8586 	struct ieee80211_regdomain *rd;
8587 
8588 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8589 		return -EINVAL;
8590 
8591 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8592 		return -EINVAL;
8593 
8594 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8595 
8596 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8597 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8598 
8599 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8600 			    rem_reg_rules) {
8601 		num_rules++;
8602 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8603 			return -EINVAL;
8604 	}
8605 
8606 	rtnl_lock();
8607 	if (!reg_is_valid_request(alpha2)) {
8608 		r = -EINVAL;
8609 		goto out;
8610 	}
8611 
8612 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8613 	if (!rd) {
8614 		r = -ENOMEM;
8615 		goto out;
8616 	}
8617 
8618 	rd->n_reg_rules = num_rules;
8619 	rd->alpha2[0] = alpha2[0];
8620 	rd->alpha2[1] = alpha2[1];
8621 
8622 	/*
8623 	 * Disable DFS master mode if the DFS region was
8624 	 * not supported or known on this kernel.
8625 	 */
8626 	if (reg_supported_dfs_region(dfs_region))
8627 		rd->dfs_region = dfs_region;
8628 
8629 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8630 			    rem_reg_rules) {
8631 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8632 						nl_reg_rule, reg_rule_policy,
8633 						info->extack);
8634 		if (r)
8635 			goto bad_reg;
8636 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8637 		if (r)
8638 			goto bad_reg;
8639 
8640 		rule_idx++;
8641 
8642 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8643 			r = -EINVAL;
8644 			goto bad_reg;
8645 		}
8646 	}
8647 
8648 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8649 	/* set_regdom takes ownership of rd */
8650 	rd = NULL;
8651  bad_reg:
8652 	kfree(rd);
8653  out:
8654 	rtnl_unlock();
8655 	return r;
8656 }
8657 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8658 
8659 static int validate_scan_freqs(struct nlattr *freqs)
8660 {
8661 	struct nlattr *attr1, *attr2;
8662 	int n_channels = 0, tmp1, tmp2;
8663 
8664 	nla_for_each_nested(attr1, freqs, tmp1)
8665 		if (nla_len(attr1) != sizeof(u32))
8666 			return 0;
8667 
8668 	nla_for_each_nested(attr1, freqs, tmp1) {
8669 		n_channels++;
8670 		/*
8671 		 * Some hardware has a limited channel list for
8672 		 * scanning, and it is pretty much nonsensical
8673 		 * to scan for a channel twice, so disallow that
8674 		 * and don't require drivers to check that the
8675 		 * channel list they get isn't longer than what
8676 		 * they can scan, as long as they can scan all
8677 		 * the channels they registered at once.
8678 		 */
8679 		nla_for_each_nested(attr2, freqs, tmp2)
8680 			if (attr1 != attr2 &&
8681 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8682 				return 0;
8683 	}
8684 
8685 	return n_channels;
8686 }
8687 
8688 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8689 {
8690 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8691 }
8692 
8693 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8694 			    struct cfg80211_bss_selection *bss_select)
8695 {
8696 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8697 	struct nlattr *nest;
8698 	int err;
8699 	bool found = false;
8700 	int i;
8701 
8702 	/* only process one nested attribute */
8703 	nest = nla_data(nla);
8704 	if (!nla_ok(nest, nla_len(nest)))
8705 		return -EINVAL;
8706 
8707 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8708 					  nest, nl80211_bss_select_policy,
8709 					  NULL);
8710 	if (err)
8711 		return err;
8712 
8713 	/* only one attribute may be given */
8714 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8715 		if (attr[i]) {
8716 			if (found)
8717 				return -EINVAL;
8718 			found = true;
8719 		}
8720 	}
8721 
8722 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8723 
8724 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8725 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8726 
8727 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8728 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8729 		bss_select->param.band_pref =
8730 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8731 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8732 			return -EINVAL;
8733 	}
8734 
8735 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8736 		struct nl80211_bss_select_rssi_adjust *adj_param;
8737 
8738 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8739 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8740 		bss_select->param.adjust.band = adj_param->band;
8741 		bss_select->param.adjust.delta = adj_param->delta;
8742 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8743 			return -EINVAL;
8744 	}
8745 
8746 	/* user-space did not provide behaviour attribute */
8747 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8748 		return -EINVAL;
8749 
8750 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8751 		return -EINVAL;
8752 
8753 	return 0;
8754 }
8755 
8756 int nl80211_parse_random_mac(struct nlattr **attrs,
8757 			     u8 *mac_addr, u8 *mac_addr_mask)
8758 {
8759 	int i;
8760 
8761 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8762 		eth_zero_addr(mac_addr);
8763 		eth_zero_addr(mac_addr_mask);
8764 		mac_addr[0] = 0x2;
8765 		mac_addr_mask[0] = 0x3;
8766 
8767 		return 0;
8768 	}
8769 
8770 	/* need both or none */
8771 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8772 		return -EINVAL;
8773 
8774 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8775 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8776 
8777 	/* don't allow or configure an mcast address */
8778 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8779 	    is_multicast_ether_addr(mac_addr))
8780 		return -EINVAL;
8781 
8782 	/*
8783 	 * allow users to pass a MAC address that has bits set outside
8784 	 * of the mask, but don't bother drivers with having to deal
8785 	 * with such bits
8786 	 */
8787 	for (i = 0; i < ETH_ALEN; i++)
8788 		mac_addr[i] &= mac_addr_mask[i];
8789 
8790 	return 0;
8791 }
8792 
8793 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
8794 					      struct ieee80211_channel *chan)
8795 {
8796 	unsigned int link_id;
8797 	bool all_ok = true;
8798 
8799 	ASSERT_WDEV_LOCK(wdev);
8800 
8801 	if (!cfg80211_beaconing_iface_active(wdev))
8802 		return true;
8803 
8804 	/*
8805 	 * FIXME: check if we have a free HW resource/link for chan
8806 	 *
8807 	 * This, as well as the FIXME below, requires knowing the link
8808 	 * capabilities of the hardware.
8809 	 */
8810 
8811 	/* we cannot leave radar channels */
8812 	for_each_valid_link(wdev, link_id) {
8813 		struct cfg80211_chan_def *chandef;
8814 
8815 		chandef = wdev_chandef(wdev, link_id);
8816 		if (!chandef)
8817 			continue;
8818 
8819 		/*
8820 		 * FIXME: don't require all_ok, but rather check only the
8821 		 *	  correct HW resource/link onto which 'chan' falls,
8822 		 *	  as only that link leaves the channel for doing
8823 		 *	  the off-channel operation.
8824 		 */
8825 
8826 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
8827 			all_ok = false;
8828 	}
8829 
8830 	if (all_ok)
8831 		return true;
8832 
8833 	return regulatory_pre_cac_allowed(wdev->wiphy);
8834 }
8835 
8836 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8837 				    enum nl80211_ext_feature_index feat)
8838 {
8839 	if (!(flags & flag))
8840 		return true;
8841 	if (wiphy_ext_feature_isset(wiphy, feat))
8842 		return true;
8843 	return false;
8844 }
8845 
8846 static int
8847 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8848 			 void *request, struct nlattr **attrs,
8849 			 bool is_sched_scan)
8850 {
8851 	u8 *mac_addr, *mac_addr_mask;
8852 	u32 *flags;
8853 	enum nl80211_feature_flags randomness_flag;
8854 
8855 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8856 		return 0;
8857 
8858 	if (is_sched_scan) {
8859 		struct cfg80211_sched_scan_request *req = request;
8860 
8861 		randomness_flag = wdev ?
8862 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8863 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8864 		flags = &req->flags;
8865 		mac_addr = req->mac_addr;
8866 		mac_addr_mask = req->mac_addr_mask;
8867 	} else {
8868 		struct cfg80211_scan_request *req = request;
8869 
8870 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8871 		flags = &req->flags;
8872 		mac_addr = req->mac_addr;
8873 		mac_addr_mask = req->mac_addr_mask;
8874 	}
8875 
8876 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8877 
8878 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8879 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8880 	    !nl80211_check_scan_feat(wiphy, *flags,
8881 				     NL80211_SCAN_FLAG_LOW_SPAN,
8882 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8883 	    !nl80211_check_scan_feat(wiphy, *flags,
8884 				     NL80211_SCAN_FLAG_LOW_POWER,
8885 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8886 	    !nl80211_check_scan_feat(wiphy, *flags,
8887 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8888 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8889 	    !nl80211_check_scan_feat(wiphy, *flags,
8890 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8891 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8892 	    !nl80211_check_scan_feat(wiphy, *flags,
8893 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8894 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8895 	    !nl80211_check_scan_feat(wiphy, *flags,
8896 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8897 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8898 	    !nl80211_check_scan_feat(wiphy, *flags,
8899 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8900 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8901 	    !nl80211_check_scan_feat(wiphy, *flags,
8902 				     NL80211_SCAN_FLAG_RANDOM_SN,
8903 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8904 	    !nl80211_check_scan_feat(wiphy, *flags,
8905 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8906 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8907 		return -EOPNOTSUPP;
8908 
8909 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8910 		int err;
8911 
8912 		if (!(wiphy->features & randomness_flag) ||
8913 		    (wdev && wdev->connected))
8914 			return -EOPNOTSUPP;
8915 
8916 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8917 		if (err)
8918 			return err;
8919 	}
8920 
8921 	return 0;
8922 }
8923 
8924 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8925 {
8926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8927 	struct wireless_dev *wdev = info->user_ptr[1];
8928 	struct cfg80211_scan_request *request;
8929 	struct nlattr *scan_freqs = NULL;
8930 	bool scan_freqs_khz = false;
8931 	struct nlattr *attr;
8932 	struct wiphy *wiphy;
8933 	int err, tmp, n_ssids = 0, n_channels, i;
8934 	size_t ie_len;
8935 
8936 	wiphy = &rdev->wiphy;
8937 
8938 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8939 		return -EOPNOTSUPP;
8940 
8941 	if (!rdev->ops->scan)
8942 		return -EOPNOTSUPP;
8943 
8944 	if (rdev->scan_req || rdev->scan_msg)
8945 		return -EBUSY;
8946 
8947 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8948 		if (!wiphy_ext_feature_isset(wiphy,
8949 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8950 			return -EOPNOTSUPP;
8951 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8952 		scan_freqs_khz = true;
8953 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8954 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8955 
8956 	if (scan_freqs) {
8957 		n_channels = validate_scan_freqs(scan_freqs);
8958 		if (!n_channels)
8959 			return -EINVAL;
8960 	} else {
8961 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8962 	}
8963 
8964 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8965 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8966 			n_ssids++;
8967 
8968 	if (n_ssids > wiphy->max_scan_ssids)
8969 		return -EINVAL;
8970 
8971 	if (info->attrs[NL80211_ATTR_IE])
8972 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8973 	else
8974 		ie_len = 0;
8975 
8976 	if (ie_len > wiphy->max_scan_ie_len)
8977 		return -EINVAL;
8978 
8979 	request = kzalloc(sizeof(*request)
8980 			+ sizeof(*request->ssids) * n_ssids
8981 			+ sizeof(*request->channels) * n_channels
8982 			+ ie_len, GFP_KERNEL);
8983 	if (!request)
8984 		return -ENOMEM;
8985 
8986 	if (n_ssids)
8987 		request->ssids = (void *)&request->channels[n_channels];
8988 	request->n_ssids = n_ssids;
8989 	if (ie_len) {
8990 		if (n_ssids)
8991 			request->ie = (void *)(request->ssids + n_ssids);
8992 		else
8993 			request->ie = (void *)(request->channels + n_channels);
8994 	}
8995 
8996 	i = 0;
8997 	if (scan_freqs) {
8998 		/* user specified, bail out if channel not found */
8999 		nla_for_each_nested(attr, scan_freqs, tmp) {
9000 			struct ieee80211_channel *chan;
9001 			int freq = nla_get_u32(attr);
9002 
9003 			if (!scan_freqs_khz)
9004 				freq = MHZ_TO_KHZ(freq);
9005 
9006 			chan = ieee80211_get_channel_khz(wiphy, freq);
9007 			if (!chan) {
9008 				err = -EINVAL;
9009 				goto out_free;
9010 			}
9011 
9012 			/* ignore disabled channels */
9013 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9014 				continue;
9015 
9016 			request->channels[i] = chan;
9017 			i++;
9018 		}
9019 	} else {
9020 		enum nl80211_band band;
9021 
9022 		/* all channels */
9023 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9024 			int j;
9025 
9026 			if (!wiphy->bands[band])
9027 				continue;
9028 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9029 				struct ieee80211_channel *chan;
9030 
9031 				chan = &wiphy->bands[band]->channels[j];
9032 
9033 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9034 					continue;
9035 
9036 				request->channels[i] = chan;
9037 				i++;
9038 			}
9039 		}
9040 	}
9041 
9042 	if (!i) {
9043 		err = -EINVAL;
9044 		goto out_free;
9045 	}
9046 
9047 	request->n_channels = i;
9048 
9049 	wdev_lock(wdev);
9050 	for (i = 0; i < request->n_channels; i++) {
9051 		struct ieee80211_channel *chan = request->channels[i];
9052 
9053 		/* if we can go off-channel to the target channel we're good */
9054 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9055 			continue;
9056 
9057 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9058 			wdev_unlock(wdev);
9059 			err = -EBUSY;
9060 			goto out_free;
9061 		}
9062 	}
9063 	wdev_unlock(wdev);
9064 
9065 	i = 0;
9066 	if (n_ssids) {
9067 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9068 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9069 				err = -EINVAL;
9070 				goto out_free;
9071 			}
9072 			request->ssids[i].ssid_len = nla_len(attr);
9073 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9074 			i++;
9075 		}
9076 	}
9077 
9078 	if (info->attrs[NL80211_ATTR_IE]) {
9079 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9080 		memcpy((void *)request->ie,
9081 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9082 		       request->ie_len);
9083 	}
9084 
9085 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9086 		if (wiphy->bands[i])
9087 			request->rates[i] =
9088 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9089 
9090 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9091 		nla_for_each_nested(attr,
9092 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9093 				    tmp) {
9094 			enum nl80211_band band = nla_type(attr);
9095 
9096 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9097 				err = -EINVAL;
9098 				goto out_free;
9099 			}
9100 
9101 			if (!wiphy->bands[band])
9102 				continue;
9103 
9104 			err = ieee80211_get_ratemask(wiphy->bands[band],
9105 						     nla_data(attr),
9106 						     nla_len(attr),
9107 						     &request->rates[band]);
9108 			if (err)
9109 				goto out_free;
9110 		}
9111 	}
9112 
9113 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9114 		request->duration =
9115 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9116 		request->duration_mandatory =
9117 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9118 	}
9119 
9120 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9121 				       false);
9122 	if (err)
9123 		goto out_free;
9124 
9125 	request->no_cck =
9126 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9127 
9128 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9129 	 * BSSID to scan for. This was problematic because that same attribute
9130 	 * was already used for another purpose (local random MAC address). The
9131 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9132 	 * compatibility with older userspace components, also use the
9133 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9134 	 * the specific BSSID use case instead of the random MAC address
9135 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9136 	 */
9137 	if (info->attrs[NL80211_ATTR_BSSID])
9138 		memcpy(request->bssid,
9139 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9140 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9141 		 info->attrs[NL80211_ATTR_MAC])
9142 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9143 		       ETH_ALEN);
9144 	else
9145 		eth_broadcast_addr(request->bssid);
9146 
9147 	request->wdev = wdev;
9148 	request->wiphy = &rdev->wiphy;
9149 	request->scan_start = jiffies;
9150 
9151 	rdev->scan_req = request;
9152 	err = cfg80211_scan(rdev);
9153 
9154 	if (err)
9155 		goto out_free;
9156 
9157 	nl80211_send_scan_start(rdev, wdev);
9158 	dev_hold(wdev->netdev);
9159 
9160 	return 0;
9161 
9162  out_free:
9163 	rdev->scan_req = NULL;
9164 	kfree(request);
9165 
9166 	return err;
9167 }
9168 
9169 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9170 {
9171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9172 	struct wireless_dev *wdev = info->user_ptr[1];
9173 
9174 	if (!rdev->ops->abort_scan)
9175 		return -EOPNOTSUPP;
9176 
9177 	if (rdev->scan_msg)
9178 		return 0;
9179 
9180 	if (!rdev->scan_req)
9181 		return -ENOENT;
9182 
9183 	rdev_abort_scan(rdev, wdev);
9184 	return 0;
9185 }
9186 
9187 static int
9188 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9189 			       struct cfg80211_sched_scan_request *request,
9190 			       struct nlattr **attrs)
9191 {
9192 	int tmp, err, i = 0;
9193 	struct nlattr *attr;
9194 
9195 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9196 		u32 interval;
9197 
9198 		/*
9199 		 * If scan plans are not specified,
9200 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9201 		 * case one scan plan will be set with the specified scan
9202 		 * interval and infinite number of iterations.
9203 		 */
9204 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9205 		if (!interval)
9206 			return -EINVAL;
9207 
9208 		request->scan_plans[0].interval =
9209 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9210 		if (!request->scan_plans[0].interval)
9211 			return -EINVAL;
9212 
9213 		if (request->scan_plans[0].interval >
9214 		    wiphy->max_sched_scan_plan_interval)
9215 			request->scan_plans[0].interval =
9216 				wiphy->max_sched_scan_plan_interval;
9217 
9218 		return 0;
9219 	}
9220 
9221 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9222 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9223 
9224 		if (WARN_ON(i >= n_plans))
9225 			return -EINVAL;
9226 
9227 		err = nla_parse_nested_deprecated(plan,
9228 						  NL80211_SCHED_SCAN_PLAN_MAX,
9229 						  attr, nl80211_plan_policy,
9230 						  NULL);
9231 		if (err)
9232 			return err;
9233 
9234 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9235 			return -EINVAL;
9236 
9237 		request->scan_plans[i].interval =
9238 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9239 		if (!request->scan_plans[i].interval ||
9240 		    request->scan_plans[i].interval >
9241 		    wiphy->max_sched_scan_plan_interval)
9242 			return -EINVAL;
9243 
9244 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9245 			request->scan_plans[i].iterations =
9246 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9247 			if (!request->scan_plans[i].iterations ||
9248 			    (request->scan_plans[i].iterations >
9249 			     wiphy->max_sched_scan_plan_iterations))
9250 				return -EINVAL;
9251 		} else if (i < n_plans - 1) {
9252 			/*
9253 			 * All scan plans but the last one must specify
9254 			 * a finite number of iterations
9255 			 */
9256 			return -EINVAL;
9257 		}
9258 
9259 		i++;
9260 	}
9261 
9262 	/*
9263 	 * The last scan plan must not specify the number of
9264 	 * iterations, it is supposed to run infinitely
9265 	 */
9266 	if (request->scan_plans[n_plans - 1].iterations)
9267 		return  -EINVAL;
9268 
9269 	return 0;
9270 }
9271 
9272 static int
9273 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9274 				       struct cfg80211_match_set *match_sets,
9275 				       struct nlattr *tb_band_rssi,
9276 				       s32 rssi_thold)
9277 {
9278 	struct nlattr *attr;
9279 	int i, tmp, ret = 0;
9280 
9281 	if (!wiphy_ext_feature_isset(wiphy,
9282 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9283 		if (tb_band_rssi)
9284 			ret = -EOPNOTSUPP;
9285 		else
9286 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9287 				match_sets->per_band_rssi_thold[i] =
9288 					NL80211_SCAN_RSSI_THOLD_OFF;
9289 		return ret;
9290 	}
9291 
9292 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9293 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9294 
9295 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9296 		enum nl80211_band band = nla_type(attr);
9297 
9298 		if (band < 0 || band >= NUM_NL80211_BANDS)
9299 			return -EINVAL;
9300 
9301 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9302 	}
9303 
9304 	return 0;
9305 }
9306 
9307 static struct cfg80211_sched_scan_request *
9308 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9309 			 struct nlattr **attrs, int max_match_sets)
9310 {
9311 	struct cfg80211_sched_scan_request *request;
9312 	struct nlattr *attr;
9313 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9314 	enum nl80211_band band;
9315 	size_t ie_len;
9316 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9317 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9318 
9319 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9320 		n_channels = validate_scan_freqs(
9321 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9322 		if (!n_channels)
9323 			return ERR_PTR(-EINVAL);
9324 	} else {
9325 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9326 	}
9327 
9328 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9329 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9330 				    tmp)
9331 			n_ssids++;
9332 
9333 	if (n_ssids > wiphy->max_sched_scan_ssids)
9334 		return ERR_PTR(-EINVAL);
9335 
9336 	/*
9337 	 * First, count the number of 'real' matchsets. Due to an issue with
9338 	 * the old implementation, matchsets containing only the RSSI attribute
9339 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9340 	 * RSSI for all matchsets, rather than their own matchset for reporting
9341 	 * all APs with a strong RSSI. This is needed to be compatible with
9342 	 * older userspace that treated a matchset with only the RSSI as the
9343 	 * global RSSI for all other matchsets - if there are other matchsets.
9344 	 */
9345 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9346 		nla_for_each_nested(attr,
9347 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9348 				    tmp) {
9349 			struct nlattr *rssi;
9350 
9351 			err = nla_parse_nested_deprecated(tb,
9352 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9353 							  attr,
9354 							  nl80211_match_policy,
9355 							  NULL);
9356 			if (err)
9357 				return ERR_PTR(err);
9358 
9359 			/* SSID and BSSID are mutually exclusive */
9360 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9361 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9362 				return ERR_PTR(-EINVAL);
9363 
9364 			/* add other standalone attributes here */
9365 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9366 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9367 				n_match_sets++;
9368 				continue;
9369 			}
9370 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9371 			if (rssi)
9372 				default_match_rssi = nla_get_s32(rssi);
9373 		}
9374 	}
9375 
9376 	/* However, if there's no other matchset, add the RSSI one */
9377 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9378 		n_match_sets = 1;
9379 
9380 	if (n_match_sets > max_match_sets)
9381 		return ERR_PTR(-EINVAL);
9382 
9383 	if (attrs[NL80211_ATTR_IE])
9384 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9385 	else
9386 		ie_len = 0;
9387 
9388 	if (ie_len > wiphy->max_sched_scan_ie_len)
9389 		return ERR_PTR(-EINVAL);
9390 
9391 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9392 		/*
9393 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9394 		 * each scan plan already specifies its own interval
9395 		 */
9396 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9397 			return ERR_PTR(-EINVAL);
9398 
9399 		nla_for_each_nested(attr,
9400 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9401 			n_plans++;
9402 	} else {
9403 		/*
9404 		 * The scan interval attribute is kept for backward
9405 		 * compatibility. If no scan plans are specified and sched scan
9406 		 * interval is specified, one scan plan will be set with this
9407 		 * scan interval and infinite number of iterations.
9408 		 */
9409 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9410 			return ERR_PTR(-EINVAL);
9411 
9412 		n_plans = 1;
9413 	}
9414 
9415 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9416 		return ERR_PTR(-EINVAL);
9417 
9418 	if (!wiphy_ext_feature_isset(
9419 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9420 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9421 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9422 		return ERR_PTR(-EINVAL);
9423 
9424 	request = kzalloc(sizeof(*request)
9425 			+ sizeof(*request->ssids) * n_ssids
9426 			+ sizeof(*request->match_sets) * n_match_sets
9427 			+ sizeof(*request->scan_plans) * n_plans
9428 			+ sizeof(*request->channels) * n_channels
9429 			+ ie_len, GFP_KERNEL);
9430 	if (!request)
9431 		return ERR_PTR(-ENOMEM);
9432 
9433 	if (n_ssids)
9434 		request->ssids = (void *)&request->channels[n_channels];
9435 	request->n_ssids = n_ssids;
9436 	if (ie_len) {
9437 		if (n_ssids)
9438 			request->ie = (void *)(request->ssids + n_ssids);
9439 		else
9440 			request->ie = (void *)(request->channels + n_channels);
9441 	}
9442 
9443 	if (n_match_sets) {
9444 		if (request->ie)
9445 			request->match_sets = (void *)(request->ie + ie_len);
9446 		else if (n_ssids)
9447 			request->match_sets =
9448 				(void *)(request->ssids + n_ssids);
9449 		else
9450 			request->match_sets =
9451 				(void *)(request->channels + n_channels);
9452 	}
9453 	request->n_match_sets = n_match_sets;
9454 
9455 	if (n_match_sets)
9456 		request->scan_plans = (void *)(request->match_sets +
9457 					       n_match_sets);
9458 	else if (request->ie)
9459 		request->scan_plans = (void *)(request->ie + ie_len);
9460 	else if (n_ssids)
9461 		request->scan_plans = (void *)(request->ssids + n_ssids);
9462 	else
9463 		request->scan_plans = (void *)(request->channels + n_channels);
9464 
9465 	request->n_scan_plans = n_plans;
9466 
9467 	i = 0;
9468 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9469 		/* user specified, bail out if channel not found */
9470 		nla_for_each_nested(attr,
9471 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9472 				    tmp) {
9473 			struct ieee80211_channel *chan;
9474 
9475 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9476 
9477 			if (!chan) {
9478 				err = -EINVAL;
9479 				goto out_free;
9480 			}
9481 
9482 			/* ignore disabled channels */
9483 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9484 				continue;
9485 
9486 			request->channels[i] = chan;
9487 			i++;
9488 		}
9489 	} else {
9490 		/* all channels */
9491 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9492 			int j;
9493 
9494 			if (!wiphy->bands[band])
9495 				continue;
9496 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9497 				struct ieee80211_channel *chan;
9498 
9499 				chan = &wiphy->bands[band]->channels[j];
9500 
9501 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9502 					continue;
9503 
9504 				request->channels[i] = chan;
9505 				i++;
9506 			}
9507 		}
9508 	}
9509 
9510 	if (!i) {
9511 		err = -EINVAL;
9512 		goto out_free;
9513 	}
9514 
9515 	request->n_channels = i;
9516 
9517 	i = 0;
9518 	if (n_ssids) {
9519 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9520 				    tmp) {
9521 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9522 				err = -EINVAL;
9523 				goto out_free;
9524 			}
9525 			request->ssids[i].ssid_len = nla_len(attr);
9526 			memcpy(request->ssids[i].ssid, nla_data(attr),
9527 			       nla_len(attr));
9528 			i++;
9529 		}
9530 	}
9531 
9532 	i = 0;
9533 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9534 		nla_for_each_nested(attr,
9535 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9536 				    tmp) {
9537 			struct nlattr *ssid, *bssid, *rssi;
9538 
9539 			err = nla_parse_nested_deprecated(tb,
9540 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9541 							  attr,
9542 							  nl80211_match_policy,
9543 							  NULL);
9544 			if (err)
9545 				goto out_free;
9546 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9547 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9548 
9549 			if (!ssid && !bssid) {
9550 				i++;
9551 				continue;
9552 			}
9553 
9554 			if (WARN_ON(i >= n_match_sets)) {
9555 				/* this indicates a programming error,
9556 				 * the loop above should have verified
9557 				 * things properly
9558 				 */
9559 				err = -EINVAL;
9560 				goto out_free;
9561 			}
9562 
9563 			if (ssid) {
9564 				memcpy(request->match_sets[i].ssid.ssid,
9565 				       nla_data(ssid), nla_len(ssid));
9566 				request->match_sets[i].ssid.ssid_len =
9567 					nla_len(ssid);
9568 			}
9569 			if (bssid)
9570 				memcpy(request->match_sets[i].bssid,
9571 				       nla_data(bssid), ETH_ALEN);
9572 
9573 			/* special attribute - old implementation w/a */
9574 			request->match_sets[i].rssi_thold = default_match_rssi;
9575 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9576 			if (rssi)
9577 				request->match_sets[i].rssi_thold =
9578 					nla_get_s32(rssi);
9579 
9580 			/* Parse per band RSSI attribute */
9581 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9582 				&request->match_sets[i],
9583 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9584 				request->match_sets[i].rssi_thold);
9585 			if (err)
9586 				goto out_free;
9587 
9588 			i++;
9589 		}
9590 
9591 		/* there was no other matchset, so the RSSI one is alone */
9592 		if (i == 0 && n_match_sets)
9593 			request->match_sets[0].rssi_thold = default_match_rssi;
9594 
9595 		request->min_rssi_thold = INT_MAX;
9596 		for (i = 0; i < n_match_sets; i++)
9597 			request->min_rssi_thold =
9598 				min(request->match_sets[i].rssi_thold,
9599 				    request->min_rssi_thold);
9600 	} else {
9601 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9602 	}
9603 
9604 	if (ie_len) {
9605 		request->ie_len = ie_len;
9606 		memcpy((void *)request->ie,
9607 		       nla_data(attrs[NL80211_ATTR_IE]),
9608 		       request->ie_len);
9609 	}
9610 
9611 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9612 	if (err)
9613 		goto out_free;
9614 
9615 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9616 		request->delay =
9617 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9618 
9619 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9620 		request->relative_rssi = nla_get_s8(
9621 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9622 		request->relative_rssi_set = true;
9623 	}
9624 
9625 	if (request->relative_rssi_set &&
9626 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9627 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9628 
9629 		rssi_adjust = nla_data(
9630 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9631 		request->rssi_adjust.band = rssi_adjust->band;
9632 		request->rssi_adjust.delta = rssi_adjust->delta;
9633 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9634 			err = -EINVAL;
9635 			goto out_free;
9636 		}
9637 	}
9638 
9639 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9640 	if (err)
9641 		goto out_free;
9642 
9643 	request->scan_start = jiffies;
9644 
9645 	return request;
9646 
9647 out_free:
9648 	kfree(request);
9649 	return ERR_PTR(err);
9650 }
9651 
9652 static int nl80211_start_sched_scan(struct sk_buff *skb,
9653 				    struct genl_info *info)
9654 {
9655 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9656 	struct net_device *dev = info->user_ptr[1];
9657 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9658 	struct cfg80211_sched_scan_request *sched_scan_req;
9659 	bool want_multi;
9660 	int err;
9661 
9662 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9663 		return -EOPNOTSUPP;
9664 
9665 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9666 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9667 	if (err)
9668 		return err;
9669 
9670 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9671 						  info->attrs,
9672 						  rdev->wiphy.max_match_sets);
9673 
9674 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9675 	if (err)
9676 		goto out_err;
9677 
9678 	/* leave request id zero for legacy request
9679 	 * or if driver does not support multi-scheduled scan
9680 	 */
9681 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9682 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9683 
9684 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9685 	if (err)
9686 		goto out_free;
9687 
9688 	sched_scan_req->dev = dev;
9689 	sched_scan_req->wiphy = &rdev->wiphy;
9690 
9691 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9692 		sched_scan_req->owner_nlportid = info->snd_portid;
9693 
9694 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9695 
9696 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9697 	return 0;
9698 
9699 out_free:
9700 	kfree(sched_scan_req);
9701 out_err:
9702 	return err;
9703 }
9704 
9705 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9706 				   struct genl_info *info)
9707 {
9708 	struct cfg80211_sched_scan_request *req;
9709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9710 	u64 cookie;
9711 
9712 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9713 		return -EOPNOTSUPP;
9714 
9715 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9716 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9717 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9718 	}
9719 
9720 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9721 				     struct cfg80211_sched_scan_request,
9722 				     list);
9723 	if (!req || req->reqid ||
9724 	    (req->owner_nlportid &&
9725 	     req->owner_nlportid != info->snd_portid))
9726 		return -ENOENT;
9727 
9728 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9729 }
9730 
9731 static int nl80211_start_radar_detection(struct sk_buff *skb,
9732 					 struct genl_info *info)
9733 {
9734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9735 	struct net_device *dev = info->user_ptr[1];
9736 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9737 	struct wiphy *wiphy = wdev->wiphy;
9738 	struct cfg80211_chan_def chandef;
9739 	enum nl80211_dfs_regions dfs_region;
9740 	unsigned int cac_time_ms;
9741 	int err = -EINVAL;
9742 
9743 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9744 
9745 	wiphy_lock(wiphy);
9746 
9747 	dfs_region = reg_get_dfs_region(wiphy);
9748 	if (dfs_region == NL80211_DFS_UNSET)
9749 		goto unlock;
9750 
9751 	err = nl80211_parse_chandef(rdev, info, &chandef);
9752 	if (err)
9753 		goto unlock;
9754 
9755 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9756 	if (err < 0)
9757 		goto unlock;
9758 
9759 	if (err == 0) {
9760 		err = -EINVAL;
9761 		goto unlock;
9762 	}
9763 
9764 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9765 		err = -EINVAL;
9766 		goto unlock;
9767 	}
9768 
9769 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9770 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9771 								&chandef);
9772 		goto unlock;
9773 	}
9774 
9775 	if (netif_carrier_ok(dev)) {
9776 		err = -EBUSY;
9777 		goto unlock;
9778 	}
9779 
9780 	if (wdev->cac_started) {
9781 		err = -EBUSY;
9782 		goto unlock;
9783 	}
9784 
9785 	/* CAC start is offloaded to HW and can't be started manually */
9786 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9787 		err = -EOPNOTSUPP;
9788 		goto unlock;
9789 	}
9790 
9791 	if (!rdev->ops->start_radar_detection) {
9792 		err = -EOPNOTSUPP;
9793 		goto unlock;
9794 	}
9795 
9796 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9797 	if (WARN_ON(!cac_time_ms))
9798 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9799 
9800 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9801 	if (!err) {
9802 		wdev->links[0].ap.chandef = chandef;
9803 		wdev->cac_started = true;
9804 		wdev->cac_start_time = jiffies;
9805 		wdev->cac_time_ms = cac_time_ms;
9806 	}
9807 unlock:
9808 	wiphy_unlock(wiphy);
9809 
9810 	return err;
9811 }
9812 
9813 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9814 					  struct genl_info *info)
9815 {
9816 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9817 	struct net_device *dev = info->user_ptr[1];
9818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9819 	struct wiphy *wiphy = wdev->wiphy;
9820 	struct cfg80211_chan_def chandef;
9821 	enum nl80211_dfs_regions dfs_region;
9822 	int err;
9823 
9824 	dfs_region = reg_get_dfs_region(wiphy);
9825 	if (dfs_region == NL80211_DFS_UNSET) {
9826 		GENL_SET_ERR_MSG(info,
9827 				 "DFS Region is not set. Unexpected Radar indication");
9828 		return -EINVAL;
9829 	}
9830 
9831 	err = nl80211_parse_chandef(rdev, info, &chandef);
9832 	if (err) {
9833 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9834 		return err;
9835 	}
9836 
9837 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9838 	if (err < 0) {
9839 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9840 		return err;
9841 	}
9842 
9843 	if (err == 0) {
9844 		GENL_SET_ERR_MSG(info,
9845 				 "Unexpected Radar indication for chandef/iftype");
9846 		return -EINVAL;
9847 	}
9848 
9849 	/* Do not process this notification if radar is already detected
9850 	 * by kernel on this channel, and return success.
9851 	 */
9852 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9853 		return 0;
9854 
9855 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9856 
9857 	cfg80211_sched_dfs_chan_update(rdev);
9858 
9859 	rdev->radar_chandef = chandef;
9860 
9861 	/* Propagate this notification to other radios as well */
9862 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9863 
9864 	return 0;
9865 }
9866 
9867 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9868 {
9869 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9870 	unsigned int link_id = nl80211_link_id(info->attrs);
9871 	struct net_device *dev = info->user_ptr[1];
9872 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9873 	struct cfg80211_csa_settings params;
9874 	struct nlattr **csa_attrs = NULL;
9875 	int err;
9876 	bool need_new_beacon = false;
9877 	bool need_handle_dfs_flag = true;
9878 	int len, i;
9879 	u32 cs_count;
9880 
9881 	if (!rdev->ops->channel_switch ||
9882 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9883 		return -EOPNOTSUPP;
9884 
9885 	switch (dev->ieee80211_ptr->iftype) {
9886 	case NL80211_IFTYPE_AP:
9887 	case NL80211_IFTYPE_P2P_GO:
9888 		need_new_beacon = true;
9889 		/* For all modes except AP the handle_dfs flag needs to be
9890 		 * supplied to tell the kernel that userspace will handle radar
9891 		 * events when they happen. Otherwise a switch to a channel
9892 		 * requiring DFS will be rejected.
9893 		 */
9894 		need_handle_dfs_flag = false;
9895 
9896 		/* useless if AP is not running */
9897 		if (!wdev->links[link_id].ap.beacon_interval)
9898 			return -ENOTCONN;
9899 		break;
9900 	case NL80211_IFTYPE_ADHOC:
9901 		if (!wdev->u.ibss.ssid_len)
9902 			return -ENOTCONN;
9903 		break;
9904 	case NL80211_IFTYPE_MESH_POINT:
9905 		if (!wdev->u.mesh.id_len)
9906 			return -ENOTCONN;
9907 		break;
9908 	default:
9909 		return -EOPNOTSUPP;
9910 	}
9911 
9912 	memset(&params, 0, sizeof(params));
9913 	params.beacon_csa.ftm_responder = -1;
9914 
9915 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9916 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9917 		return -EINVAL;
9918 
9919 	/* only important for AP, IBSS and mesh create IEs internally */
9920 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9921 		return -EINVAL;
9922 
9923 	/* Even though the attribute is u32, the specification says
9924 	 * u8, so let's make sure we don't overflow.
9925 	 */
9926 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9927 	if (cs_count > 255)
9928 		return -EINVAL;
9929 
9930 	params.count = cs_count;
9931 
9932 	if (!need_new_beacon)
9933 		goto skip_beacons;
9934 
9935 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9936 	if (err)
9937 		goto free;
9938 
9939 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9940 			    GFP_KERNEL);
9941 	if (!csa_attrs) {
9942 		err = -ENOMEM;
9943 		goto free;
9944 	}
9945 
9946 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9947 					  info->attrs[NL80211_ATTR_CSA_IES],
9948 					  nl80211_policy, info->extack);
9949 	if (err)
9950 		goto free;
9951 
9952 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9953 	if (err)
9954 		goto free;
9955 
9956 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9957 		err = -EINVAL;
9958 		goto free;
9959 	}
9960 
9961 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9962 	if (!len || (len % sizeof(u16))) {
9963 		err = -EINVAL;
9964 		goto free;
9965 	}
9966 
9967 	params.n_counter_offsets_beacon = len / sizeof(u16);
9968 	if (rdev->wiphy.max_num_csa_counters &&
9969 	    (params.n_counter_offsets_beacon >
9970 	     rdev->wiphy.max_num_csa_counters)) {
9971 		err = -EINVAL;
9972 		goto free;
9973 	}
9974 
9975 	params.counter_offsets_beacon =
9976 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9977 
9978 	/* sanity checks - counters should fit and be the same */
9979 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9980 		u16 offset = params.counter_offsets_beacon[i];
9981 
9982 		if (offset >= params.beacon_csa.tail_len) {
9983 			err = -EINVAL;
9984 			goto free;
9985 		}
9986 
9987 		if (params.beacon_csa.tail[offset] != params.count) {
9988 			err = -EINVAL;
9989 			goto free;
9990 		}
9991 	}
9992 
9993 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9994 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9995 		if (!len || (len % sizeof(u16))) {
9996 			err = -EINVAL;
9997 			goto free;
9998 		}
9999 
10000 		params.n_counter_offsets_presp = len / sizeof(u16);
10001 		if (rdev->wiphy.max_num_csa_counters &&
10002 		    (params.n_counter_offsets_presp >
10003 		     rdev->wiphy.max_num_csa_counters)) {
10004 			err = -EINVAL;
10005 			goto free;
10006 		}
10007 
10008 		params.counter_offsets_presp =
10009 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10010 
10011 		/* sanity checks - counters should fit and be the same */
10012 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10013 			u16 offset = params.counter_offsets_presp[i];
10014 
10015 			if (offset >= params.beacon_csa.probe_resp_len) {
10016 				err = -EINVAL;
10017 				goto free;
10018 			}
10019 
10020 			if (params.beacon_csa.probe_resp[offset] !=
10021 			    params.count) {
10022 				err = -EINVAL;
10023 				goto free;
10024 			}
10025 		}
10026 	}
10027 
10028 skip_beacons:
10029 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10030 	if (err)
10031 		goto free;
10032 
10033 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10034 					   wdev->iftype)) {
10035 		err = -EINVAL;
10036 		goto free;
10037 	}
10038 
10039 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10040 					    &params.chandef,
10041 					    wdev->iftype);
10042 	if (err < 0)
10043 		goto free;
10044 
10045 	if (err > 0) {
10046 		params.radar_required = true;
10047 		if (need_handle_dfs_flag &&
10048 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10049 			err = -EINVAL;
10050 			goto free;
10051 		}
10052 	}
10053 
10054 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10055 		params.block_tx = true;
10056 
10057 	wdev_lock(wdev);
10058 	err = rdev_channel_switch(rdev, dev, &params);
10059 	wdev_unlock(wdev);
10060 
10061 free:
10062 	kfree(params.beacon_after.mbssid_ies);
10063 	kfree(params.beacon_csa.mbssid_ies);
10064 	kfree(csa_attrs);
10065 	return err;
10066 }
10067 
10068 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10069 			    u32 seq, int flags,
10070 			    struct cfg80211_registered_device *rdev,
10071 			    struct wireless_dev *wdev,
10072 			    struct cfg80211_internal_bss *intbss)
10073 {
10074 	struct cfg80211_bss *res = &intbss->pub;
10075 	const struct cfg80211_bss_ies *ies;
10076 	unsigned int link_id;
10077 	void *hdr;
10078 	struct nlattr *bss;
10079 
10080 	ASSERT_WDEV_LOCK(wdev);
10081 
10082 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10083 			     NL80211_CMD_NEW_SCAN_RESULTS);
10084 	if (!hdr)
10085 		return -1;
10086 
10087 	genl_dump_check_consistent(cb, hdr);
10088 
10089 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10090 		goto nla_put_failure;
10091 	if (wdev->netdev &&
10092 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10093 		goto nla_put_failure;
10094 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10095 			      NL80211_ATTR_PAD))
10096 		goto nla_put_failure;
10097 
10098 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10099 	if (!bss)
10100 		goto nla_put_failure;
10101 	if ((!is_zero_ether_addr(res->bssid) &&
10102 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10103 		goto nla_put_failure;
10104 
10105 	rcu_read_lock();
10106 	/* indicate whether we have probe response data or not */
10107 	if (rcu_access_pointer(res->proberesp_ies) &&
10108 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10109 		goto fail_unlock_rcu;
10110 
10111 	/* this pointer prefers to be pointed to probe response data
10112 	 * but is always valid
10113 	 */
10114 	ies = rcu_dereference(res->ies);
10115 	if (ies) {
10116 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10117 				      NL80211_BSS_PAD))
10118 			goto fail_unlock_rcu;
10119 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10120 					ies->len, ies->data))
10121 			goto fail_unlock_rcu;
10122 	}
10123 
10124 	/* and this pointer is always (unless driver didn't know) beacon data */
10125 	ies = rcu_dereference(res->beacon_ies);
10126 	if (ies && ies->from_beacon) {
10127 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10128 				      NL80211_BSS_PAD))
10129 			goto fail_unlock_rcu;
10130 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10131 					ies->len, ies->data))
10132 			goto fail_unlock_rcu;
10133 	}
10134 	rcu_read_unlock();
10135 
10136 	if (res->beacon_interval &&
10137 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10138 		goto nla_put_failure;
10139 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10140 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10141 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10142 			res->channel->freq_offset) ||
10143 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10144 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10145 			jiffies_to_msecs(jiffies - intbss->ts)))
10146 		goto nla_put_failure;
10147 
10148 	if (intbss->parent_tsf &&
10149 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10150 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10151 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10152 		     intbss->parent_bssid)))
10153 		goto nla_put_failure;
10154 
10155 	if (intbss->ts_boottime &&
10156 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10157 			      intbss->ts_boottime, NL80211_BSS_PAD))
10158 		goto nla_put_failure;
10159 
10160 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10161 				intbss->pub.chain_signal,
10162 				NL80211_BSS_CHAIN_SIGNAL))
10163 		goto nla_put_failure;
10164 
10165 	switch (rdev->wiphy.signal_type) {
10166 	case CFG80211_SIGNAL_TYPE_MBM:
10167 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10168 			goto nla_put_failure;
10169 		break;
10170 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10171 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10172 			goto nla_put_failure;
10173 		break;
10174 	default:
10175 		break;
10176 	}
10177 
10178 	switch (wdev->iftype) {
10179 	case NL80211_IFTYPE_P2P_CLIENT:
10180 	case NL80211_IFTYPE_STATION:
10181 		for_each_valid_link(wdev, link_id) {
10182 			if (intbss == wdev->links[link_id].client.current_bss &&
10183 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10184 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10185 			     (wdev->valid_links &&
10186 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10187 					  link_id) ||
10188 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10189 				       wdev->u.client.connected_addr)))))
10190 				goto nla_put_failure;
10191 		}
10192 		break;
10193 	case NL80211_IFTYPE_ADHOC:
10194 		if (intbss == wdev->u.ibss.current_bss &&
10195 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10196 				NL80211_BSS_STATUS_IBSS_JOINED))
10197 			goto nla_put_failure;
10198 		break;
10199 	default:
10200 		break;
10201 	}
10202 
10203 	nla_nest_end(msg, bss);
10204 
10205 	genlmsg_end(msg, hdr);
10206 	return 0;
10207 
10208  fail_unlock_rcu:
10209 	rcu_read_unlock();
10210  nla_put_failure:
10211 	genlmsg_cancel(msg, hdr);
10212 	return -EMSGSIZE;
10213 }
10214 
10215 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10216 {
10217 	struct cfg80211_registered_device *rdev;
10218 	struct cfg80211_internal_bss *scan;
10219 	struct wireless_dev *wdev;
10220 	int start = cb->args[2], idx = 0;
10221 	int err;
10222 
10223 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10224 	if (err)
10225 		return err;
10226 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10227 	__acquire(&rdev->wiphy.mtx);
10228 
10229 	wdev_lock(wdev);
10230 	spin_lock_bh(&rdev->bss_lock);
10231 
10232 	/*
10233 	 * dump_scan will be called multiple times to break up the scan results
10234 	 * into multiple messages.  It is unlikely that any more bss-es will be
10235 	 * expired after the first call, so only call only call this on the
10236 	 * first dump_scan invocation.
10237 	 */
10238 	if (start == 0)
10239 		cfg80211_bss_expire(rdev);
10240 
10241 	cb->seq = rdev->bss_generation;
10242 
10243 	list_for_each_entry(scan, &rdev->bss_list, list) {
10244 		if (++idx <= start)
10245 			continue;
10246 		if (nl80211_send_bss(skb, cb,
10247 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10248 				rdev, wdev, scan) < 0) {
10249 			idx--;
10250 			break;
10251 		}
10252 	}
10253 
10254 	spin_unlock_bh(&rdev->bss_lock);
10255 	wdev_unlock(wdev);
10256 
10257 	cb->args[2] = idx;
10258 	wiphy_unlock(&rdev->wiphy);
10259 
10260 	return skb->len;
10261 }
10262 
10263 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10264 			       int flags, struct net_device *dev,
10265 			       bool allow_radio_stats,
10266 			       struct survey_info *survey)
10267 {
10268 	void *hdr;
10269 	struct nlattr *infoattr;
10270 
10271 	/* skip radio stats if userspace didn't request them */
10272 	if (!survey->channel && !allow_radio_stats)
10273 		return 0;
10274 
10275 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10276 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10277 	if (!hdr)
10278 		return -ENOMEM;
10279 
10280 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10281 		goto nla_put_failure;
10282 
10283 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10284 	if (!infoattr)
10285 		goto nla_put_failure;
10286 
10287 	if (survey->channel &&
10288 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10289 			survey->channel->center_freq))
10290 		goto nla_put_failure;
10291 
10292 	if (survey->channel && survey->channel->freq_offset &&
10293 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10294 			survey->channel->freq_offset))
10295 		goto nla_put_failure;
10296 
10297 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10298 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10299 		goto nla_put_failure;
10300 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10301 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10302 		goto nla_put_failure;
10303 	if ((survey->filled & SURVEY_INFO_TIME) &&
10304 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10305 			survey->time, NL80211_SURVEY_INFO_PAD))
10306 		goto nla_put_failure;
10307 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10308 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10309 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10310 		goto nla_put_failure;
10311 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10312 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10313 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10314 		goto nla_put_failure;
10315 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10316 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10317 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10318 		goto nla_put_failure;
10319 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10320 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10321 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10322 		goto nla_put_failure;
10323 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10324 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10325 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10326 		goto nla_put_failure;
10327 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10328 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10329 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10330 		goto nla_put_failure;
10331 
10332 	nla_nest_end(msg, infoattr);
10333 
10334 	genlmsg_end(msg, hdr);
10335 	return 0;
10336 
10337  nla_put_failure:
10338 	genlmsg_cancel(msg, hdr);
10339 	return -EMSGSIZE;
10340 }
10341 
10342 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10343 {
10344 	struct nlattr **attrbuf;
10345 	struct survey_info survey;
10346 	struct cfg80211_registered_device *rdev;
10347 	struct wireless_dev *wdev;
10348 	int survey_idx = cb->args[2];
10349 	int res;
10350 	bool radio_stats;
10351 
10352 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10353 	if (!attrbuf)
10354 		return -ENOMEM;
10355 
10356 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10357 	if (res) {
10358 		kfree(attrbuf);
10359 		return res;
10360 	}
10361 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10362 	__acquire(&rdev->wiphy.mtx);
10363 
10364 	/* prepare_wdev_dump parsed the attributes */
10365 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10366 
10367 	if (!wdev->netdev) {
10368 		res = -EINVAL;
10369 		goto out_err;
10370 	}
10371 
10372 	if (!rdev->ops->dump_survey) {
10373 		res = -EOPNOTSUPP;
10374 		goto out_err;
10375 	}
10376 
10377 	while (1) {
10378 		wdev_lock(wdev);
10379 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10380 		wdev_unlock(wdev);
10381 		if (res == -ENOENT)
10382 			break;
10383 		if (res)
10384 			goto out_err;
10385 
10386 		/* don't send disabled channels, but do send non-channel data */
10387 		if (survey.channel &&
10388 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10389 			survey_idx++;
10390 			continue;
10391 		}
10392 
10393 		if (nl80211_send_survey(skb,
10394 				NETLINK_CB(cb->skb).portid,
10395 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10396 				wdev->netdev, radio_stats, &survey) < 0)
10397 			goto out;
10398 		survey_idx++;
10399 	}
10400 
10401  out:
10402 	cb->args[2] = survey_idx;
10403 	res = skb->len;
10404  out_err:
10405 	kfree(attrbuf);
10406 	wiphy_unlock(&rdev->wiphy);
10407 	return res;
10408 }
10409 
10410 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10411 {
10412 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10413 				  NL80211_WPA_VERSION_2 |
10414 				  NL80211_WPA_VERSION_3));
10415 }
10416 
10417 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10418 {
10419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10420 	struct net_device *dev = info->user_ptr[1];
10421 	struct ieee80211_channel *chan;
10422 	const u8 *bssid, *ssid;
10423 	int err, ssid_len;
10424 	enum nl80211_auth_type auth_type;
10425 	struct key_parse key;
10426 	bool local_state_change;
10427 	struct cfg80211_auth_request req = {};
10428 	u32 freq;
10429 
10430 	if (!info->attrs[NL80211_ATTR_MAC])
10431 		return -EINVAL;
10432 
10433 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10434 		return -EINVAL;
10435 
10436 	if (!info->attrs[NL80211_ATTR_SSID])
10437 		return -EINVAL;
10438 
10439 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10440 		return -EINVAL;
10441 
10442 	err = nl80211_parse_key(info, &key);
10443 	if (err)
10444 		return err;
10445 
10446 	if (key.idx >= 0) {
10447 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10448 			return -EINVAL;
10449 		if (!key.p.key || !key.p.key_len)
10450 			return -EINVAL;
10451 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10452 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10453 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10454 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10455 			return -EINVAL;
10456 		if (key.idx > 3)
10457 			return -EINVAL;
10458 	} else {
10459 		key.p.key_len = 0;
10460 		key.p.key = NULL;
10461 	}
10462 
10463 	if (key.idx >= 0) {
10464 		int i;
10465 		bool ok = false;
10466 
10467 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10468 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10469 				ok = true;
10470 				break;
10471 			}
10472 		}
10473 		if (!ok)
10474 			return -EINVAL;
10475 	}
10476 
10477 	if (!rdev->ops->auth)
10478 		return -EOPNOTSUPP;
10479 
10480 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10481 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10482 		return -EOPNOTSUPP;
10483 
10484 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10485 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10486 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10487 		freq +=
10488 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10489 
10490 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10491 	if (!chan)
10492 		return -EINVAL;
10493 
10494 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10495 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10496 
10497 	if (info->attrs[NL80211_ATTR_IE]) {
10498 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10499 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10500 	}
10501 
10502 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10503 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10504 		return -EINVAL;
10505 
10506 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10507 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10508 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10509 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10510 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10511 		return -EINVAL;
10512 
10513 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10514 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10515 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10516 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10517 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10518 			return -EINVAL;
10519 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10520 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10521 	}
10522 
10523 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10524 
10525 	/*
10526 	 * Since we no longer track auth state, ignore
10527 	 * requests to only change local state.
10528 	 */
10529 	if (local_state_change)
10530 		return 0;
10531 
10532 	req.auth_type = auth_type;
10533 	req.key = key.p.key;
10534 	req.key_len = key.p.key_len;
10535 	req.key_idx = key.idx;
10536 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10537 	if (req.link_id >= 0) {
10538 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10539 			return -EINVAL;
10540 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10541 			return -EINVAL;
10542 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10543 	}
10544 
10545 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10546 				   IEEE80211_BSS_TYPE_ESS,
10547 				   IEEE80211_PRIVACY_ANY);
10548 	if (!req.bss)
10549 		return -ENOENT;
10550 
10551 	wdev_lock(dev->ieee80211_ptr);
10552 	err = cfg80211_mlme_auth(rdev, dev, &req);
10553 	wdev_unlock(dev->ieee80211_ptr);
10554 
10555 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10556 
10557 	return err;
10558 }
10559 
10560 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10561 				     struct genl_info *info)
10562 {
10563 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10564 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10565 		return -EINVAL;
10566 	}
10567 
10568 	if (!rdev->ops->tx_control_port ||
10569 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10570 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10571 		return -EOPNOTSUPP;
10572 
10573 	return 0;
10574 }
10575 
10576 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10577 				   struct genl_info *info,
10578 				   struct cfg80211_crypto_settings *settings,
10579 				   int cipher_limit)
10580 {
10581 	memset(settings, 0, sizeof(*settings));
10582 
10583 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10584 
10585 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10586 		u16 proto;
10587 
10588 		proto = nla_get_u16(
10589 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10590 		settings->control_port_ethertype = cpu_to_be16(proto);
10591 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10592 		    proto != ETH_P_PAE)
10593 			return -EINVAL;
10594 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10595 			settings->control_port_no_encrypt = true;
10596 	} else
10597 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10598 
10599 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10600 		int r = validate_pae_over_nl80211(rdev, info);
10601 
10602 		if (r < 0)
10603 			return r;
10604 
10605 		settings->control_port_over_nl80211 = true;
10606 
10607 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10608 			settings->control_port_no_preauth = true;
10609 	}
10610 
10611 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10612 		void *data;
10613 		int len, i;
10614 
10615 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10616 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10617 		settings->n_ciphers_pairwise = len / sizeof(u32);
10618 
10619 		if (len % sizeof(u32))
10620 			return -EINVAL;
10621 
10622 		if (settings->n_ciphers_pairwise > cipher_limit)
10623 			return -EINVAL;
10624 
10625 		memcpy(settings->ciphers_pairwise, data, len);
10626 
10627 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10628 			if (!cfg80211_supported_cipher_suite(
10629 					&rdev->wiphy,
10630 					settings->ciphers_pairwise[i]))
10631 				return -EINVAL;
10632 	}
10633 
10634 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10635 		settings->cipher_group =
10636 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10637 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10638 						     settings->cipher_group))
10639 			return -EINVAL;
10640 	}
10641 
10642 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10643 		settings->wpa_versions =
10644 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10645 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10646 			return -EINVAL;
10647 	}
10648 
10649 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10650 		void *data;
10651 		int len;
10652 
10653 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10654 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10655 		settings->n_akm_suites = len / sizeof(u32);
10656 
10657 		if (len % sizeof(u32))
10658 			return -EINVAL;
10659 
10660 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10661 			return -EINVAL;
10662 
10663 		memcpy(settings->akm_suites, data, len);
10664 	}
10665 
10666 	if (info->attrs[NL80211_ATTR_PMK]) {
10667 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10668 			return -EINVAL;
10669 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10670 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10671 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10672 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10673 			return -EINVAL;
10674 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10675 	}
10676 
10677 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10678 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10679 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10680 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10681 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10682 			return -EINVAL;
10683 		settings->sae_pwd =
10684 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10685 		settings->sae_pwd_len =
10686 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10687 	}
10688 
10689 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10690 		settings->sae_pwe =
10691 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10692 	else
10693 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10694 
10695 	return 0;
10696 }
10697 
10698 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10699 					      const u8 *ssid, int ssid_len,
10700 					      struct nlattr **attrs,
10701 					      const u8 **bssid_out)
10702 {
10703 	struct ieee80211_channel *chan;
10704 	struct cfg80211_bss *bss;
10705 	const u8 *bssid;
10706 	u32 freq;
10707 
10708 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10709 		return ERR_PTR(-EINVAL);
10710 
10711 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10712 
10713 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10714 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10715 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10716 
10717 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10718 	if (!chan)
10719 		return ERR_PTR(-EINVAL);
10720 
10721 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10722 			       ssid, ssid_len,
10723 			       IEEE80211_BSS_TYPE_ESS,
10724 			       IEEE80211_PRIVACY_ANY);
10725 	if (!bss)
10726 		return ERR_PTR(-ENOENT);
10727 
10728 	*bssid_out = bssid;
10729 	return bss;
10730 }
10731 
10732 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10733 {
10734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10735 	struct net_device *dev = info->user_ptr[1];
10736 	struct cfg80211_assoc_request req = {};
10737 	struct nlattr **attrs = NULL;
10738 	const u8 *bssid, *ssid;
10739 	unsigned int link_id;
10740 	int err, ssid_len;
10741 
10742 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10743 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10744 		return -EPERM;
10745 
10746 	if (!info->attrs[NL80211_ATTR_SSID])
10747 		return -EINVAL;
10748 
10749 	if (!rdev->ops->assoc)
10750 		return -EOPNOTSUPP;
10751 
10752 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10753 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10754 		return -EOPNOTSUPP;
10755 
10756 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10757 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10758 
10759 	if (info->attrs[NL80211_ATTR_IE]) {
10760 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10761 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10762 
10763 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10764 					   req.ie, req.ie_len)) {
10765 			GENL_SET_ERR_MSG(info,
10766 					 "non-inheritance makes no sense");
10767 			return -EINVAL;
10768 		}
10769 	}
10770 
10771 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10772 		enum nl80211_mfp mfp =
10773 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10774 		if (mfp == NL80211_MFP_REQUIRED)
10775 			req.use_mfp = true;
10776 		else if (mfp != NL80211_MFP_NO)
10777 			return -EINVAL;
10778 	}
10779 
10780 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10781 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10782 
10783 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10784 		req.flags |= ASSOC_REQ_DISABLE_HT;
10785 
10786 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10787 		memcpy(&req.ht_capa_mask,
10788 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10789 		       sizeof(req.ht_capa_mask));
10790 
10791 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10792 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10793 			return -EINVAL;
10794 		memcpy(&req.ht_capa,
10795 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10796 		       sizeof(req.ht_capa));
10797 	}
10798 
10799 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10800 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10801 
10802 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10803 		req.flags |= ASSOC_REQ_DISABLE_HE;
10804 
10805 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
10806 		req.flags |= ASSOC_REQ_DISABLE_EHT;
10807 
10808 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10809 		memcpy(&req.vht_capa_mask,
10810 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10811 		       sizeof(req.vht_capa_mask));
10812 
10813 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10814 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10815 			return -EINVAL;
10816 		memcpy(&req.vht_capa,
10817 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10818 		       sizeof(req.vht_capa));
10819 	}
10820 
10821 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10822 		if (!((rdev->wiphy.features &
10823 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10824 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10825 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10826 					     NL80211_EXT_FEATURE_RRM))
10827 			return -EINVAL;
10828 		req.flags |= ASSOC_REQ_USE_RRM;
10829 	}
10830 
10831 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10832 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10833 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10834 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10835 			return -EINVAL;
10836 		req.fils_nonces =
10837 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10838 	}
10839 
10840 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10841 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10842 			return -EINVAL;
10843 		memcpy(&req.s1g_capa_mask,
10844 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10845 		       sizeof(req.s1g_capa_mask));
10846 	}
10847 
10848 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10849 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10850 			return -EINVAL;
10851 		memcpy(&req.s1g_capa,
10852 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10853 		       sizeof(req.s1g_capa));
10854 	}
10855 
10856 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10857 
10858 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
10859 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
10860 		struct nlattr *link;
10861 		int rem = 0;
10862 
10863 		if (req.link_id < 0)
10864 			return -EINVAL;
10865 
10866 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10867 			return -EINVAL;
10868 
10869 		if (info->attrs[NL80211_ATTR_MAC] ||
10870 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10871 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
10872 			return -EINVAL;
10873 
10874 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10875 
10876 		attrs = kzalloc(attrsize, GFP_KERNEL);
10877 		if (!attrs)
10878 			return -ENOMEM;
10879 
10880 		nla_for_each_nested(link,
10881 				    info->attrs[NL80211_ATTR_MLO_LINKS],
10882 				    rem) {
10883 			memset(attrs, 0, attrsize);
10884 
10885 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
10886 					 link, NULL, NULL);
10887 
10888 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
10889 				err = -EINVAL;
10890 				goto free;
10891 			}
10892 
10893 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
10894 			/* cannot use the same link ID again */
10895 			if (req.links[link_id].bss) {
10896 				err = -EINVAL;
10897 				goto free;
10898 			}
10899 			req.links[link_id].bss =
10900 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
10901 						  &bssid);
10902 			if (IS_ERR(req.links[link_id].bss)) {
10903 				err = PTR_ERR(req.links[link_id].bss);
10904 				req.links[link_id].bss = NULL;
10905 				goto free;
10906 			}
10907 
10908 			if (attrs[NL80211_ATTR_IE]) {
10909 				req.links[link_id].elems =
10910 					nla_data(attrs[NL80211_ATTR_IE]);
10911 				req.links[link_id].elems_len =
10912 					nla_len(attrs[NL80211_ATTR_IE]);
10913 
10914 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
10915 						       req.links[link_id].elems,
10916 						       req.links[link_id].elems_len)) {
10917 					GENL_SET_ERR_MSG(info,
10918 							 "cannot deal with fragmentation");
10919 					err = -EINVAL;
10920 					goto free;
10921 				}
10922 
10923 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10924 							   req.links[link_id].elems,
10925 							   req.links[link_id].elems_len)) {
10926 					GENL_SET_ERR_MSG(info,
10927 							 "cannot deal with non-inheritance");
10928 					err = -EINVAL;
10929 					goto free;
10930 				}
10931 			}
10932 		}
10933 
10934 		if (!req.links[req.link_id].bss) {
10935 			err = -EINVAL;
10936 			goto free;
10937 		}
10938 
10939 		if (req.links[req.link_id].elems_len) {
10940 			GENL_SET_ERR_MSG(info,
10941 					 "cannot have per-link elems on assoc link");
10942 			err = -EINVAL;
10943 			goto free;
10944 		}
10945 
10946 		kfree(attrs);
10947 		attrs = NULL;
10948 	} else {
10949 		if (req.link_id >= 0)
10950 			return -EINVAL;
10951 
10952 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
10953 					    &bssid);
10954 		if (IS_ERR(req.bss))
10955 			return PTR_ERR(req.bss);
10956 	}
10957 
10958 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10959 	if (!err) {
10960 		wdev_lock(dev->ieee80211_ptr);
10961 
10962 		err = cfg80211_mlme_assoc(rdev, dev, &req);
10963 
10964 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10965 			dev->ieee80211_ptr->conn_owner_nlportid =
10966 				info->snd_portid;
10967 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10968 			       bssid, ETH_ALEN);
10969 		}
10970 
10971 		wdev_unlock(dev->ieee80211_ptr);
10972 	}
10973 
10974 free:
10975 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
10976 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
10977 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10978 	kfree(attrs);
10979 
10980 	return err;
10981 }
10982 
10983 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10984 {
10985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10986 	struct net_device *dev = info->user_ptr[1];
10987 	const u8 *ie = NULL, *bssid;
10988 	int ie_len = 0, err;
10989 	u16 reason_code;
10990 	bool local_state_change;
10991 
10992 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10993 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10994 		return -EPERM;
10995 
10996 	if (!info->attrs[NL80211_ATTR_MAC])
10997 		return -EINVAL;
10998 
10999 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11000 		return -EINVAL;
11001 
11002 	if (!rdev->ops->deauth)
11003 		return -EOPNOTSUPP;
11004 
11005 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11006 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11007 		return -EOPNOTSUPP;
11008 
11009 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11010 
11011 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11012 	if (reason_code == 0) {
11013 		/* Reason Code 0 is reserved */
11014 		return -EINVAL;
11015 	}
11016 
11017 	if (info->attrs[NL80211_ATTR_IE]) {
11018 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11019 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11020 	}
11021 
11022 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11023 
11024 	wdev_lock(dev->ieee80211_ptr);
11025 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11026 				   local_state_change);
11027 	wdev_unlock(dev->ieee80211_ptr);
11028 	return err;
11029 }
11030 
11031 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11032 {
11033 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11034 	struct net_device *dev = info->user_ptr[1];
11035 	const u8 *ie = NULL, *bssid;
11036 	int ie_len = 0, err;
11037 	u16 reason_code;
11038 	bool local_state_change;
11039 
11040 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11041 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11042 		return -EPERM;
11043 
11044 	if (!info->attrs[NL80211_ATTR_MAC])
11045 		return -EINVAL;
11046 
11047 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11048 		return -EINVAL;
11049 
11050 	if (!rdev->ops->disassoc)
11051 		return -EOPNOTSUPP;
11052 
11053 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11054 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11055 		return -EOPNOTSUPP;
11056 
11057 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11058 
11059 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11060 	if (reason_code == 0) {
11061 		/* Reason Code 0 is reserved */
11062 		return -EINVAL;
11063 	}
11064 
11065 	if (info->attrs[NL80211_ATTR_IE]) {
11066 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11067 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11068 	}
11069 
11070 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11071 
11072 	wdev_lock(dev->ieee80211_ptr);
11073 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11074 				     local_state_change);
11075 	wdev_unlock(dev->ieee80211_ptr);
11076 	return err;
11077 }
11078 
11079 static bool
11080 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11081 			 int mcast_rate[NUM_NL80211_BANDS],
11082 			 int rateval)
11083 {
11084 	struct wiphy *wiphy = &rdev->wiphy;
11085 	bool found = false;
11086 	int band, i;
11087 
11088 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11089 		struct ieee80211_supported_band *sband;
11090 
11091 		sband = wiphy->bands[band];
11092 		if (!sband)
11093 			continue;
11094 
11095 		for (i = 0; i < sband->n_bitrates; i++) {
11096 			if (sband->bitrates[i].bitrate == rateval) {
11097 				mcast_rate[band] = i + 1;
11098 				found = true;
11099 				break;
11100 			}
11101 		}
11102 	}
11103 
11104 	return found;
11105 }
11106 
11107 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11108 {
11109 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11110 	struct net_device *dev = info->user_ptr[1];
11111 	struct cfg80211_ibss_params ibss;
11112 	struct wiphy *wiphy;
11113 	struct cfg80211_cached_keys *connkeys = NULL;
11114 	int err;
11115 
11116 	memset(&ibss, 0, sizeof(ibss));
11117 
11118 	if (!info->attrs[NL80211_ATTR_SSID] ||
11119 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11120 		return -EINVAL;
11121 
11122 	ibss.beacon_interval = 100;
11123 
11124 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11125 		ibss.beacon_interval =
11126 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11127 
11128 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11129 					   ibss.beacon_interval);
11130 	if (err)
11131 		return err;
11132 
11133 	if (!rdev->ops->join_ibss)
11134 		return -EOPNOTSUPP;
11135 
11136 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11137 		return -EOPNOTSUPP;
11138 
11139 	wiphy = &rdev->wiphy;
11140 
11141 	if (info->attrs[NL80211_ATTR_MAC]) {
11142 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11143 
11144 		if (!is_valid_ether_addr(ibss.bssid))
11145 			return -EINVAL;
11146 	}
11147 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11148 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11149 
11150 	if (info->attrs[NL80211_ATTR_IE]) {
11151 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11152 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11153 	}
11154 
11155 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11156 	if (err)
11157 		return err;
11158 
11159 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11160 				     NL80211_IFTYPE_ADHOC))
11161 		return -EINVAL;
11162 
11163 	switch (ibss.chandef.width) {
11164 	case NL80211_CHAN_WIDTH_5:
11165 	case NL80211_CHAN_WIDTH_10:
11166 	case NL80211_CHAN_WIDTH_20_NOHT:
11167 		break;
11168 	case NL80211_CHAN_WIDTH_20:
11169 	case NL80211_CHAN_WIDTH_40:
11170 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11171 			return -EINVAL;
11172 		break;
11173 	case NL80211_CHAN_WIDTH_80:
11174 	case NL80211_CHAN_WIDTH_80P80:
11175 	case NL80211_CHAN_WIDTH_160:
11176 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11177 			return -EINVAL;
11178 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11179 					     NL80211_EXT_FEATURE_VHT_IBSS))
11180 			return -EINVAL;
11181 		break;
11182 	case NL80211_CHAN_WIDTH_320:
11183 		return -EINVAL;
11184 	default:
11185 		return -EINVAL;
11186 	}
11187 
11188 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11189 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11190 
11191 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11192 		u8 *rates =
11193 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11194 		int n_rates =
11195 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11196 		struct ieee80211_supported_band *sband =
11197 			wiphy->bands[ibss.chandef.chan->band];
11198 
11199 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11200 					     &ibss.basic_rates);
11201 		if (err)
11202 			return err;
11203 	}
11204 
11205 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11206 		memcpy(&ibss.ht_capa_mask,
11207 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11208 		       sizeof(ibss.ht_capa_mask));
11209 
11210 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11211 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11212 			return -EINVAL;
11213 		memcpy(&ibss.ht_capa,
11214 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11215 		       sizeof(ibss.ht_capa));
11216 	}
11217 
11218 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11219 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11220 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11221 		return -EINVAL;
11222 
11223 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11224 		bool no_ht = false;
11225 
11226 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11227 		if (IS_ERR(connkeys))
11228 			return PTR_ERR(connkeys);
11229 
11230 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11231 		    no_ht) {
11232 			kfree_sensitive(connkeys);
11233 			return -EINVAL;
11234 		}
11235 	}
11236 
11237 	ibss.control_port =
11238 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11239 
11240 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11241 		int r = validate_pae_over_nl80211(rdev, info);
11242 
11243 		if (r < 0) {
11244 			kfree_sensitive(connkeys);
11245 			return r;
11246 		}
11247 
11248 		ibss.control_port_over_nl80211 = true;
11249 	}
11250 
11251 	ibss.userspace_handles_dfs =
11252 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11253 
11254 	wdev_lock(dev->ieee80211_ptr);
11255 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11256 	if (err)
11257 		kfree_sensitive(connkeys);
11258 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11259 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11260 	wdev_unlock(dev->ieee80211_ptr);
11261 
11262 	return err;
11263 }
11264 
11265 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11266 {
11267 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11268 	struct net_device *dev = info->user_ptr[1];
11269 
11270 	if (!rdev->ops->leave_ibss)
11271 		return -EOPNOTSUPP;
11272 
11273 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11274 		return -EOPNOTSUPP;
11275 
11276 	return cfg80211_leave_ibss(rdev, dev, false);
11277 }
11278 
11279 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11280 {
11281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11282 	struct net_device *dev = info->user_ptr[1];
11283 	int mcast_rate[NUM_NL80211_BANDS];
11284 	u32 nla_rate;
11285 
11286 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11287 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11288 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11289 		return -EOPNOTSUPP;
11290 
11291 	if (!rdev->ops->set_mcast_rate)
11292 		return -EOPNOTSUPP;
11293 
11294 	memset(mcast_rate, 0, sizeof(mcast_rate));
11295 
11296 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11297 		return -EINVAL;
11298 
11299 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11300 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11301 		return -EINVAL;
11302 
11303 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11304 }
11305 
11306 static struct sk_buff *
11307 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11308 			    struct wireless_dev *wdev, int approxlen,
11309 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11310 			    enum nl80211_attrs attr,
11311 			    const struct nl80211_vendor_cmd_info *info,
11312 			    gfp_t gfp)
11313 {
11314 	struct sk_buff *skb;
11315 	void *hdr;
11316 	struct nlattr *data;
11317 
11318 	skb = nlmsg_new(approxlen + 100, gfp);
11319 	if (!skb)
11320 		return NULL;
11321 
11322 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11323 	if (!hdr) {
11324 		kfree_skb(skb);
11325 		return NULL;
11326 	}
11327 
11328 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11329 		goto nla_put_failure;
11330 
11331 	if (info) {
11332 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11333 				info->vendor_id))
11334 			goto nla_put_failure;
11335 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11336 				info->subcmd))
11337 			goto nla_put_failure;
11338 	}
11339 
11340 	if (wdev) {
11341 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11342 				      wdev_id(wdev), NL80211_ATTR_PAD))
11343 			goto nla_put_failure;
11344 		if (wdev->netdev &&
11345 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11346 				wdev->netdev->ifindex))
11347 			goto nla_put_failure;
11348 	}
11349 
11350 	data = nla_nest_start_noflag(skb, attr);
11351 	if (!data)
11352 		goto nla_put_failure;
11353 
11354 	((void **)skb->cb)[0] = rdev;
11355 	((void **)skb->cb)[1] = hdr;
11356 	((void **)skb->cb)[2] = data;
11357 
11358 	return skb;
11359 
11360  nla_put_failure:
11361 	kfree_skb(skb);
11362 	return NULL;
11363 }
11364 
11365 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11366 					   struct wireless_dev *wdev,
11367 					   enum nl80211_commands cmd,
11368 					   enum nl80211_attrs attr,
11369 					   unsigned int portid,
11370 					   int vendor_event_idx,
11371 					   int approxlen, gfp_t gfp)
11372 {
11373 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11374 	const struct nl80211_vendor_cmd_info *info;
11375 
11376 	switch (cmd) {
11377 	case NL80211_CMD_TESTMODE:
11378 		if (WARN_ON(vendor_event_idx != -1))
11379 			return NULL;
11380 		info = NULL;
11381 		break;
11382 	case NL80211_CMD_VENDOR:
11383 		if (WARN_ON(vendor_event_idx < 0 ||
11384 			    vendor_event_idx >= wiphy->n_vendor_events))
11385 			return NULL;
11386 		info = &wiphy->vendor_events[vendor_event_idx];
11387 		break;
11388 	default:
11389 		WARN_ON(1);
11390 		return NULL;
11391 	}
11392 
11393 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11394 					   cmd, attr, info, gfp);
11395 }
11396 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11397 
11398 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11399 {
11400 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11401 	void *hdr = ((void **)skb->cb)[1];
11402 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11403 	struct nlattr *data = ((void **)skb->cb)[2];
11404 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11405 
11406 	/* clear CB data for netlink core to own from now on */
11407 	memset(skb->cb, 0, sizeof(skb->cb));
11408 
11409 	nla_nest_end(skb, data);
11410 	genlmsg_end(skb, hdr);
11411 
11412 	if (nlhdr->nlmsg_pid) {
11413 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11414 				nlhdr->nlmsg_pid);
11415 	} else {
11416 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11417 			mcgrp = NL80211_MCGRP_VENDOR;
11418 
11419 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11420 					skb, 0, mcgrp, gfp);
11421 	}
11422 }
11423 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11424 
11425 #ifdef CONFIG_NL80211_TESTMODE
11426 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11427 {
11428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11429 	struct wireless_dev *wdev;
11430 	int err;
11431 
11432 	lockdep_assert_held(&rdev->wiphy.mtx);
11433 
11434 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11435 					  info->attrs);
11436 
11437 	if (!rdev->ops->testmode_cmd)
11438 		return -EOPNOTSUPP;
11439 
11440 	if (IS_ERR(wdev)) {
11441 		err = PTR_ERR(wdev);
11442 		if (err != -EINVAL)
11443 			return err;
11444 		wdev = NULL;
11445 	} else if (wdev->wiphy != &rdev->wiphy) {
11446 		return -EINVAL;
11447 	}
11448 
11449 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11450 		return -EINVAL;
11451 
11452 	rdev->cur_cmd_info = info;
11453 	err = rdev_testmode_cmd(rdev, wdev,
11454 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11455 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11456 	rdev->cur_cmd_info = NULL;
11457 
11458 	return err;
11459 }
11460 
11461 static int nl80211_testmode_dump(struct sk_buff *skb,
11462 				 struct netlink_callback *cb)
11463 {
11464 	struct cfg80211_registered_device *rdev;
11465 	struct nlattr **attrbuf = NULL;
11466 	int err;
11467 	long phy_idx;
11468 	void *data = NULL;
11469 	int data_len = 0;
11470 
11471 	rtnl_lock();
11472 
11473 	if (cb->args[0]) {
11474 		/*
11475 		 * 0 is a valid index, but not valid for args[0],
11476 		 * so we need to offset by 1.
11477 		 */
11478 		phy_idx = cb->args[0] - 1;
11479 
11480 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11481 		if (!rdev) {
11482 			err = -ENOENT;
11483 			goto out_err;
11484 		}
11485 	} else {
11486 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11487 				  GFP_KERNEL);
11488 		if (!attrbuf) {
11489 			err = -ENOMEM;
11490 			goto out_err;
11491 		}
11492 
11493 		err = nlmsg_parse_deprecated(cb->nlh,
11494 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11495 					     attrbuf, nl80211_fam.maxattr,
11496 					     nl80211_policy, NULL);
11497 		if (err)
11498 			goto out_err;
11499 
11500 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11501 		if (IS_ERR(rdev)) {
11502 			err = PTR_ERR(rdev);
11503 			goto out_err;
11504 		}
11505 		phy_idx = rdev->wiphy_idx;
11506 
11507 		if (attrbuf[NL80211_ATTR_TESTDATA])
11508 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11509 	}
11510 
11511 	if (cb->args[1]) {
11512 		data = nla_data((void *)cb->args[1]);
11513 		data_len = nla_len((void *)cb->args[1]);
11514 	}
11515 
11516 	if (!rdev->ops->testmode_dump) {
11517 		err = -EOPNOTSUPP;
11518 		goto out_err;
11519 	}
11520 
11521 	while (1) {
11522 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11523 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11524 					   NL80211_CMD_TESTMODE);
11525 		struct nlattr *tmdata;
11526 
11527 		if (!hdr)
11528 			break;
11529 
11530 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11531 			genlmsg_cancel(skb, hdr);
11532 			break;
11533 		}
11534 
11535 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11536 		if (!tmdata) {
11537 			genlmsg_cancel(skb, hdr);
11538 			break;
11539 		}
11540 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11541 		nla_nest_end(skb, tmdata);
11542 
11543 		if (err == -ENOBUFS || err == -ENOENT) {
11544 			genlmsg_cancel(skb, hdr);
11545 			break;
11546 		} else if (err) {
11547 			genlmsg_cancel(skb, hdr);
11548 			goto out_err;
11549 		}
11550 
11551 		genlmsg_end(skb, hdr);
11552 	}
11553 
11554 	err = skb->len;
11555 	/* see above */
11556 	cb->args[0] = phy_idx + 1;
11557  out_err:
11558 	kfree(attrbuf);
11559 	rtnl_unlock();
11560 	return err;
11561 }
11562 #endif
11563 
11564 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11565 {
11566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11567 	struct net_device *dev = info->user_ptr[1];
11568 	struct cfg80211_connect_params connect;
11569 	struct wiphy *wiphy;
11570 	struct cfg80211_cached_keys *connkeys = NULL;
11571 	u32 freq = 0;
11572 	int err;
11573 
11574 	memset(&connect, 0, sizeof(connect));
11575 
11576 	if (!info->attrs[NL80211_ATTR_SSID] ||
11577 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11578 		return -EINVAL;
11579 
11580 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11581 		connect.auth_type =
11582 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11583 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11584 					     NL80211_CMD_CONNECT))
11585 			return -EINVAL;
11586 	} else
11587 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11588 
11589 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11590 
11591 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11592 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11593 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11594 		return -EINVAL;
11595 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11596 
11597 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11598 				      NL80211_MAX_NR_CIPHER_SUITES);
11599 	if (err)
11600 		return err;
11601 
11602 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11603 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11604 		return -EOPNOTSUPP;
11605 
11606 	wiphy = &rdev->wiphy;
11607 
11608 	connect.bg_scan_period = -1;
11609 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11610 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11611 		connect.bg_scan_period =
11612 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11613 	}
11614 
11615 	if (info->attrs[NL80211_ATTR_MAC])
11616 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11617 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11618 		connect.bssid_hint =
11619 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11620 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11621 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11622 
11623 	if (info->attrs[NL80211_ATTR_IE]) {
11624 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11625 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11626 	}
11627 
11628 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11629 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11630 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11631 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11632 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11633 			return -EOPNOTSUPP;
11634 	} else {
11635 		connect.mfp = NL80211_MFP_NO;
11636 	}
11637 
11638 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11639 		connect.prev_bssid =
11640 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11641 
11642 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11643 		freq = MHZ_TO_KHZ(nla_get_u32(
11644 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11645 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11646 		freq +=
11647 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11648 
11649 	if (freq) {
11650 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11651 		if (!connect.channel)
11652 			return -EINVAL;
11653 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11654 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11655 		freq = MHZ_TO_KHZ(freq);
11656 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11657 		if (!connect.channel_hint)
11658 			return -EINVAL;
11659 	}
11660 
11661 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11662 		connect.edmg.channels =
11663 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11664 
11665 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11666 			connect.edmg.bw_config =
11667 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11668 	}
11669 
11670 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11671 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11672 		if (IS_ERR(connkeys))
11673 			return PTR_ERR(connkeys);
11674 	}
11675 
11676 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11677 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11678 
11679 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11680 		memcpy(&connect.ht_capa_mask,
11681 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11682 		       sizeof(connect.ht_capa_mask));
11683 
11684 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11685 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11686 			kfree_sensitive(connkeys);
11687 			return -EINVAL;
11688 		}
11689 		memcpy(&connect.ht_capa,
11690 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11691 		       sizeof(connect.ht_capa));
11692 	}
11693 
11694 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11695 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11696 
11697 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11698 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11699 
11700 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11701 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11702 
11703 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11704 		memcpy(&connect.vht_capa_mask,
11705 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11706 		       sizeof(connect.vht_capa_mask));
11707 
11708 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11709 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11710 			kfree_sensitive(connkeys);
11711 			return -EINVAL;
11712 		}
11713 		memcpy(&connect.vht_capa,
11714 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11715 		       sizeof(connect.vht_capa));
11716 	}
11717 
11718 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11719 		if (!((rdev->wiphy.features &
11720 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11721 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11722 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11723 					     NL80211_EXT_FEATURE_RRM)) {
11724 			kfree_sensitive(connkeys);
11725 			return -EINVAL;
11726 		}
11727 		connect.flags |= ASSOC_REQ_USE_RRM;
11728 	}
11729 
11730 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11731 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11732 		kfree_sensitive(connkeys);
11733 		return -EOPNOTSUPP;
11734 	}
11735 
11736 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11737 		/* bss selection makes no sense if bssid is set */
11738 		if (connect.bssid) {
11739 			kfree_sensitive(connkeys);
11740 			return -EINVAL;
11741 		}
11742 
11743 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11744 				       wiphy, &connect.bss_select);
11745 		if (err) {
11746 			kfree_sensitive(connkeys);
11747 			return err;
11748 		}
11749 	}
11750 
11751 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11752 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11753 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11754 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11755 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11756 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11757 		connect.fils_erp_username =
11758 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11759 		connect.fils_erp_username_len =
11760 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11761 		connect.fils_erp_realm =
11762 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11763 		connect.fils_erp_realm_len =
11764 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11765 		connect.fils_erp_next_seq_num =
11766 			nla_get_u16(
11767 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11768 		connect.fils_erp_rrk =
11769 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11770 		connect.fils_erp_rrk_len =
11771 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11772 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11773 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11774 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11775 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11776 		kfree_sensitive(connkeys);
11777 		return -EINVAL;
11778 	}
11779 
11780 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11781 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11782 			kfree_sensitive(connkeys);
11783 			GENL_SET_ERR_MSG(info,
11784 					 "external auth requires connection ownership");
11785 			return -EINVAL;
11786 		}
11787 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11788 	}
11789 
11790 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
11791 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
11792 
11793 	wdev_lock(dev->ieee80211_ptr);
11794 
11795 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11796 			       connect.prev_bssid);
11797 	if (err)
11798 		kfree_sensitive(connkeys);
11799 
11800 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11801 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11802 		if (connect.bssid)
11803 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11804 			       connect.bssid, ETH_ALEN);
11805 		else
11806 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11807 	}
11808 
11809 	wdev_unlock(dev->ieee80211_ptr);
11810 
11811 	return err;
11812 }
11813 
11814 static int nl80211_update_connect_params(struct sk_buff *skb,
11815 					 struct genl_info *info)
11816 {
11817 	struct cfg80211_connect_params connect = {};
11818 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11819 	struct net_device *dev = info->user_ptr[1];
11820 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11821 	bool fils_sk_offload;
11822 	u32 auth_type;
11823 	u32 changed = 0;
11824 	int ret;
11825 
11826 	if (!rdev->ops->update_connect_params)
11827 		return -EOPNOTSUPP;
11828 
11829 	if (info->attrs[NL80211_ATTR_IE]) {
11830 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11831 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11832 		changed |= UPDATE_ASSOC_IES;
11833 	}
11834 
11835 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11836 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11837 
11838 	/*
11839 	 * when driver supports fils-sk offload all attributes must be
11840 	 * provided. So the else covers "fils-sk-not-all" and
11841 	 * "no-fils-sk-any".
11842 	 */
11843 	if (fils_sk_offload &&
11844 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11845 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11846 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11847 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11848 		connect.fils_erp_username =
11849 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11850 		connect.fils_erp_username_len =
11851 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11852 		connect.fils_erp_realm =
11853 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11854 		connect.fils_erp_realm_len =
11855 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11856 		connect.fils_erp_next_seq_num =
11857 			nla_get_u16(
11858 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11859 		connect.fils_erp_rrk =
11860 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11861 		connect.fils_erp_rrk_len =
11862 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11863 		changed |= UPDATE_FILS_ERP_INFO;
11864 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11865 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11866 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11867 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11868 		return -EINVAL;
11869 	}
11870 
11871 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11872 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11873 		if (!nl80211_valid_auth_type(rdev, auth_type,
11874 					     NL80211_CMD_CONNECT))
11875 			return -EINVAL;
11876 
11877 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11878 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11879 			return -EINVAL;
11880 
11881 		connect.auth_type = auth_type;
11882 		changed |= UPDATE_AUTH_TYPE;
11883 	}
11884 
11885 	wdev_lock(dev->ieee80211_ptr);
11886 	if (!wdev->connected)
11887 		ret = -ENOLINK;
11888 	else
11889 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11890 	wdev_unlock(dev->ieee80211_ptr);
11891 
11892 	return ret;
11893 }
11894 
11895 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11896 {
11897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11898 	struct net_device *dev = info->user_ptr[1];
11899 	u16 reason;
11900 	int ret;
11901 
11902 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11903 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11904 		return -EPERM;
11905 
11906 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11907 		reason = WLAN_REASON_DEAUTH_LEAVING;
11908 	else
11909 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11910 
11911 	if (reason == 0)
11912 		return -EINVAL;
11913 
11914 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11915 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11916 		return -EOPNOTSUPP;
11917 
11918 	wdev_lock(dev->ieee80211_ptr);
11919 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11920 	wdev_unlock(dev->ieee80211_ptr);
11921 	return ret;
11922 }
11923 
11924 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11925 {
11926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11927 	struct net *net;
11928 	int err;
11929 
11930 	if (info->attrs[NL80211_ATTR_PID]) {
11931 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11932 
11933 		net = get_net_ns_by_pid(pid);
11934 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11935 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11936 
11937 		net = get_net_ns_by_fd(fd);
11938 	} else {
11939 		return -EINVAL;
11940 	}
11941 
11942 	if (IS_ERR(net))
11943 		return PTR_ERR(net);
11944 
11945 	err = 0;
11946 
11947 	/* check if anything to do */
11948 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11949 		err = cfg80211_switch_netns(rdev, net);
11950 
11951 	put_net(net);
11952 	return err;
11953 }
11954 
11955 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11956 {
11957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11958 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11959 			struct cfg80211_pmksa *pmksa) = NULL;
11960 	struct net_device *dev = info->user_ptr[1];
11961 	struct cfg80211_pmksa pmksa;
11962 
11963 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11964 
11965 	if (!info->attrs[NL80211_ATTR_PMKID])
11966 		return -EINVAL;
11967 
11968 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11969 
11970 	if (info->attrs[NL80211_ATTR_MAC]) {
11971 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11972 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11973 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11974 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11975 		    info->attrs[NL80211_ATTR_PMK])) {
11976 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11977 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11978 		pmksa.cache_id =
11979 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11980 	} else {
11981 		return -EINVAL;
11982 	}
11983 	if (info->attrs[NL80211_ATTR_PMK]) {
11984 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11985 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11986 	}
11987 
11988 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11989 		pmksa.pmk_lifetime =
11990 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11991 
11992 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11993 		pmksa.pmk_reauth_threshold =
11994 			nla_get_u8(
11995 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11996 
11997 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11998 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11999 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12000 	      wiphy_ext_feature_isset(&rdev->wiphy,
12001 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12002 		return -EOPNOTSUPP;
12003 
12004 	switch (info->genlhdr->cmd) {
12005 	case NL80211_CMD_SET_PMKSA:
12006 		rdev_ops = rdev->ops->set_pmksa;
12007 		break;
12008 	case NL80211_CMD_DEL_PMKSA:
12009 		rdev_ops = rdev->ops->del_pmksa;
12010 		break;
12011 	default:
12012 		WARN_ON(1);
12013 		break;
12014 	}
12015 
12016 	if (!rdev_ops)
12017 		return -EOPNOTSUPP;
12018 
12019 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12020 }
12021 
12022 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12023 {
12024 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12025 	struct net_device *dev = info->user_ptr[1];
12026 
12027 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12028 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12029 		return -EOPNOTSUPP;
12030 
12031 	if (!rdev->ops->flush_pmksa)
12032 		return -EOPNOTSUPP;
12033 
12034 	return rdev_flush_pmksa(rdev, dev);
12035 }
12036 
12037 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12038 {
12039 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12040 	struct net_device *dev = info->user_ptr[1];
12041 	u8 action_code, dialog_token;
12042 	u32 peer_capability = 0;
12043 	u16 status_code;
12044 	u8 *peer;
12045 	bool initiator;
12046 
12047 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12048 	    !rdev->ops->tdls_mgmt)
12049 		return -EOPNOTSUPP;
12050 
12051 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12052 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12053 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12054 	    !info->attrs[NL80211_ATTR_IE] ||
12055 	    !info->attrs[NL80211_ATTR_MAC])
12056 		return -EINVAL;
12057 
12058 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12059 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12060 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12061 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12062 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12063 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12064 		peer_capability =
12065 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12066 
12067 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
12068 			      dialog_token, status_code, peer_capability,
12069 			      initiator,
12070 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12071 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12072 }
12073 
12074 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12075 {
12076 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12077 	struct net_device *dev = info->user_ptr[1];
12078 	enum nl80211_tdls_operation operation;
12079 	u8 *peer;
12080 
12081 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12082 	    !rdev->ops->tdls_oper)
12083 		return -EOPNOTSUPP;
12084 
12085 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12086 	    !info->attrs[NL80211_ATTR_MAC])
12087 		return -EINVAL;
12088 
12089 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12090 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12091 
12092 	return rdev_tdls_oper(rdev, dev, peer, operation);
12093 }
12094 
12095 static int nl80211_remain_on_channel(struct sk_buff *skb,
12096 				     struct genl_info *info)
12097 {
12098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12099 	unsigned int link_id = nl80211_link_id(info->attrs);
12100 	struct wireless_dev *wdev = info->user_ptr[1];
12101 	struct cfg80211_chan_def chandef;
12102 	struct sk_buff *msg;
12103 	void *hdr;
12104 	u64 cookie;
12105 	u32 duration;
12106 	int err;
12107 
12108 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12109 	    !info->attrs[NL80211_ATTR_DURATION])
12110 		return -EINVAL;
12111 
12112 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12113 
12114 	if (!rdev->ops->remain_on_channel ||
12115 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12116 		return -EOPNOTSUPP;
12117 
12118 	/*
12119 	 * We should be on that channel for at least a minimum amount of
12120 	 * time (10ms) but no longer than the driver supports.
12121 	 */
12122 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12123 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12124 		return -EINVAL;
12125 
12126 	err = nl80211_parse_chandef(rdev, info, &chandef);
12127 	if (err)
12128 		return err;
12129 
12130 	wdev_lock(wdev);
12131 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12132 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12133 
12134 		oper_chandef = wdev_chandef(wdev, link_id);
12135 
12136 		if (WARN_ON(!oper_chandef)) {
12137 			/* cannot happen since we must beacon to get here */
12138 			WARN_ON(1);
12139 			wdev_unlock(wdev);
12140 			return -EBUSY;
12141 		}
12142 
12143 		/* note: returns first one if identical chandefs */
12144 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12145 							     oper_chandef);
12146 
12147 		if (compat_chandef != &chandef) {
12148 			wdev_unlock(wdev);
12149 			return -EBUSY;
12150 		}
12151 	}
12152 	wdev_unlock(wdev);
12153 
12154 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12155 	if (!msg)
12156 		return -ENOMEM;
12157 
12158 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12159 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12160 	if (!hdr) {
12161 		err = -ENOBUFS;
12162 		goto free_msg;
12163 	}
12164 
12165 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12166 				     duration, &cookie);
12167 
12168 	if (err)
12169 		goto free_msg;
12170 
12171 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12172 			      NL80211_ATTR_PAD))
12173 		goto nla_put_failure;
12174 
12175 	genlmsg_end(msg, hdr);
12176 
12177 	return genlmsg_reply(msg, info);
12178 
12179  nla_put_failure:
12180 	err = -ENOBUFS;
12181  free_msg:
12182 	nlmsg_free(msg);
12183 	return err;
12184 }
12185 
12186 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12187 					    struct genl_info *info)
12188 {
12189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12190 	struct wireless_dev *wdev = info->user_ptr[1];
12191 	u64 cookie;
12192 
12193 	if (!info->attrs[NL80211_ATTR_COOKIE])
12194 		return -EINVAL;
12195 
12196 	if (!rdev->ops->cancel_remain_on_channel)
12197 		return -EOPNOTSUPP;
12198 
12199 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12200 
12201 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12202 }
12203 
12204 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12205 				       struct genl_info *info)
12206 {
12207 	struct cfg80211_bitrate_mask mask;
12208 	unsigned int link_id = nl80211_link_id(info->attrs);
12209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12210 	struct net_device *dev = info->user_ptr[1];
12211 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12212 	int err;
12213 
12214 	if (!rdev->ops->set_bitrate_mask)
12215 		return -EOPNOTSUPP;
12216 
12217 	wdev_lock(wdev);
12218 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12219 					    NL80211_ATTR_TX_RATES, &mask,
12220 					    dev, true, link_id);
12221 	if (err)
12222 		goto out;
12223 
12224 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12225 out:
12226 	wdev_unlock(wdev);
12227 	return err;
12228 }
12229 
12230 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12231 {
12232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12233 	struct wireless_dev *wdev = info->user_ptr[1];
12234 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12235 
12236 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12237 		return -EINVAL;
12238 
12239 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12240 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12241 
12242 	switch (wdev->iftype) {
12243 	case NL80211_IFTYPE_STATION:
12244 	case NL80211_IFTYPE_ADHOC:
12245 	case NL80211_IFTYPE_P2P_CLIENT:
12246 	case NL80211_IFTYPE_AP:
12247 	case NL80211_IFTYPE_AP_VLAN:
12248 	case NL80211_IFTYPE_MESH_POINT:
12249 	case NL80211_IFTYPE_P2P_GO:
12250 	case NL80211_IFTYPE_P2P_DEVICE:
12251 		break;
12252 	case NL80211_IFTYPE_NAN:
12253 	default:
12254 		return -EOPNOTSUPP;
12255 	}
12256 
12257 	/* not much point in registering if we can't reply */
12258 	if (!rdev->ops->mgmt_tx)
12259 		return -EOPNOTSUPP;
12260 
12261 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12262 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12263 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12264 		GENL_SET_ERR_MSG(info,
12265 				 "multicast RX registrations are not supported");
12266 		return -EOPNOTSUPP;
12267 	}
12268 
12269 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12270 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12271 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12272 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12273 					   info->extack);
12274 }
12275 
12276 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12277 {
12278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12279 	struct wireless_dev *wdev = info->user_ptr[1];
12280 	struct cfg80211_chan_def chandef;
12281 	int err;
12282 	void *hdr = NULL;
12283 	u64 cookie;
12284 	struct sk_buff *msg = NULL;
12285 	struct cfg80211_mgmt_tx_params params = {
12286 		.dont_wait_for_ack =
12287 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12288 	};
12289 
12290 	if (!info->attrs[NL80211_ATTR_FRAME])
12291 		return -EINVAL;
12292 
12293 	if (!rdev->ops->mgmt_tx)
12294 		return -EOPNOTSUPP;
12295 
12296 	switch (wdev->iftype) {
12297 	case NL80211_IFTYPE_P2P_DEVICE:
12298 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12299 			return -EINVAL;
12300 		break;
12301 	case NL80211_IFTYPE_STATION:
12302 	case NL80211_IFTYPE_ADHOC:
12303 	case NL80211_IFTYPE_P2P_CLIENT:
12304 	case NL80211_IFTYPE_AP:
12305 	case NL80211_IFTYPE_AP_VLAN:
12306 	case NL80211_IFTYPE_MESH_POINT:
12307 	case NL80211_IFTYPE_P2P_GO:
12308 		break;
12309 	case NL80211_IFTYPE_NAN:
12310 	default:
12311 		return -EOPNOTSUPP;
12312 	}
12313 
12314 	if (info->attrs[NL80211_ATTR_DURATION]) {
12315 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12316 			return -EINVAL;
12317 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12318 
12319 		/*
12320 		 * We should wait on the channel for at least a minimum amount
12321 		 * of time (10ms) but no longer than the driver supports.
12322 		 */
12323 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12324 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12325 			return -EINVAL;
12326 	}
12327 
12328 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12329 
12330 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12331 		return -EINVAL;
12332 
12333 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12334 
12335 	/* get the channel if any has been specified, otherwise pass NULL to
12336 	 * the driver. The latter will use the current one
12337 	 */
12338 	chandef.chan = NULL;
12339 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12340 		err = nl80211_parse_chandef(rdev, info, &chandef);
12341 		if (err)
12342 			return err;
12343 	}
12344 
12345 	if (!chandef.chan && params.offchan)
12346 		return -EINVAL;
12347 
12348 	wdev_lock(wdev);
12349 	if (params.offchan &&
12350 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12351 		wdev_unlock(wdev);
12352 		return -EBUSY;
12353 	}
12354 
12355 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12356 	/*
12357 	 * This now races due to the unlock, but we cannot check
12358 	 * the valid links for the _station_ anyway, so that's up
12359 	 * to the driver.
12360 	 */
12361 	if (params.link_id >= 0 &&
12362 	    !(wdev->valid_links & BIT(params.link_id))) {
12363 		wdev_unlock(wdev);
12364 		return -EINVAL;
12365 	}
12366 	wdev_unlock(wdev);
12367 
12368 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12369 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12370 
12371 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12372 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12373 		int i;
12374 
12375 		if (len % sizeof(u16))
12376 			return -EINVAL;
12377 
12378 		params.n_csa_offsets = len / sizeof(u16);
12379 		params.csa_offsets =
12380 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12381 
12382 		/* check that all the offsets fit the frame */
12383 		for (i = 0; i < params.n_csa_offsets; i++) {
12384 			if (params.csa_offsets[i] >= params.len)
12385 				return -EINVAL;
12386 		}
12387 	}
12388 
12389 	if (!params.dont_wait_for_ack) {
12390 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12391 		if (!msg)
12392 			return -ENOMEM;
12393 
12394 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12395 				     NL80211_CMD_FRAME);
12396 		if (!hdr) {
12397 			err = -ENOBUFS;
12398 			goto free_msg;
12399 		}
12400 	}
12401 
12402 	params.chan = chandef.chan;
12403 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12404 	if (err)
12405 		goto free_msg;
12406 
12407 	if (msg) {
12408 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12409 				      NL80211_ATTR_PAD))
12410 			goto nla_put_failure;
12411 
12412 		genlmsg_end(msg, hdr);
12413 		return genlmsg_reply(msg, info);
12414 	}
12415 
12416 	return 0;
12417 
12418  nla_put_failure:
12419 	err = -ENOBUFS;
12420  free_msg:
12421 	nlmsg_free(msg);
12422 	return err;
12423 }
12424 
12425 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12426 {
12427 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12428 	struct wireless_dev *wdev = info->user_ptr[1];
12429 	u64 cookie;
12430 
12431 	if (!info->attrs[NL80211_ATTR_COOKIE])
12432 		return -EINVAL;
12433 
12434 	if (!rdev->ops->mgmt_tx_cancel_wait)
12435 		return -EOPNOTSUPP;
12436 
12437 	switch (wdev->iftype) {
12438 	case NL80211_IFTYPE_STATION:
12439 	case NL80211_IFTYPE_ADHOC:
12440 	case NL80211_IFTYPE_P2P_CLIENT:
12441 	case NL80211_IFTYPE_AP:
12442 	case NL80211_IFTYPE_AP_VLAN:
12443 	case NL80211_IFTYPE_P2P_GO:
12444 	case NL80211_IFTYPE_P2P_DEVICE:
12445 		break;
12446 	case NL80211_IFTYPE_NAN:
12447 	default:
12448 		return -EOPNOTSUPP;
12449 	}
12450 
12451 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12452 
12453 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12454 }
12455 
12456 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12457 {
12458 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12459 	struct wireless_dev *wdev;
12460 	struct net_device *dev = info->user_ptr[1];
12461 	u8 ps_state;
12462 	bool state;
12463 	int err;
12464 
12465 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12466 		return -EINVAL;
12467 
12468 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12469 
12470 	wdev = dev->ieee80211_ptr;
12471 
12472 	if (!rdev->ops->set_power_mgmt)
12473 		return -EOPNOTSUPP;
12474 
12475 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12476 
12477 	if (state == wdev->ps)
12478 		return 0;
12479 
12480 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12481 	if (!err)
12482 		wdev->ps = state;
12483 	return err;
12484 }
12485 
12486 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12487 {
12488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12489 	enum nl80211_ps_state ps_state;
12490 	struct wireless_dev *wdev;
12491 	struct net_device *dev = info->user_ptr[1];
12492 	struct sk_buff *msg;
12493 	void *hdr;
12494 	int err;
12495 
12496 	wdev = dev->ieee80211_ptr;
12497 
12498 	if (!rdev->ops->set_power_mgmt)
12499 		return -EOPNOTSUPP;
12500 
12501 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12502 	if (!msg)
12503 		return -ENOMEM;
12504 
12505 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12506 			     NL80211_CMD_GET_POWER_SAVE);
12507 	if (!hdr) {
12508 		err = -ENOBUFS;
12509 		goto free_msg;
12510 	}
12511 
12512 	if (wdev->ps)
12513 		ps_state = NL80211_PS_ENABLED;
12514 	else
12515 		ps_state = NL80211_PS_DISABLED;
12516 
12517 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12518 		goto nla_put_failure;
12519 
12520 	genlmsg_end(msg, hdr);
12521 	return genlmsg_reply(msg, info);
12522 
12523  nla_put_failure:
12524 	err = -ENOBUFS;
12525  free_msg:
12526 	nlmsg_free(msg);
12527 	return err;
12528 }
12529 
12530 static const struct nla_policy
12531 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12532 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12533 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12534 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12535 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12536 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12537 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12538 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12539 };
12540 
12541 static int nl80211_set_cqm_txe(struct genl_info *info,
12542 			       u32 rate, u32 pkts, u32 intvl)
12543 {
12544 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12545 	struct net_device *dev = info->user_ptr[1];
12546 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12547 
12548 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12549 		return -EINVAL;
12550 
12551 	if (!rdev->ops->set_cqm_txe_config)
12552 		return -EOPNOTSUPP;
12553 
12554 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12555 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12556 		return -EOPNOTSUPP;
12557 
12558 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12559 }
12560 
12561 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12562 				    struct net_device *dev)
12563 {
12564 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12565 	s32 last, low, high;
12566 	u32 hyst;
12567 	int i, n, low_index;
12568 	int err;
12569 
12570 	/* RSSI reporting disabled? */
12571 	if (!wdev->cqm_config)
12572 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12573 
12574 	/*
12575 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12576 	 * event has been received yet, we should receive an event after a
12577 	 * connection is established and enough beacons received to calculate
12578 	 * the average.
12579 	 */
12580 	if (!wdev->cqm_config->last_rssi_event_value &&
12581 	    wdev->links[0].client.current_bss &&
12582 	    rdev->ops->get_station) {
12583 		struct station_info sinfo = {};
12584 		u8 *mac_addr;
12585 
12586 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12587 
12588 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12589 		if (err)
12590 			return err;
12591 
12592 		cfg80211_sinfo_release_content(&sinfo);
12593 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12594 			wdev->cqm_config->last_rssi_event_value =
12595 				(s8) sinfo.rx_beacon_signal_avg;
12596 	}
12597 
12598 	last = wdev->cqm_config->last_rssi_event_value;
12599 	hyst = wdev->cqm_config->rssi_hyst;
12600 	n = wdev->cqm_config->n_rssi_thresholds;
12601 
12602 	for (i = 0; i < n; i++) {
12603 		i = array_index_nospec(i, n);
12604 		if (last < wdev->cqm_config->rssi_thresholds[i])
12605 			break;
12606 	}
12607 
12608 	low_index = i - 1;
12609 	if (low_index >= 0) {
12610 		low_index = array_index_nospec(low_index, n);
12611 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12612 	} else {
12613 		low = S32_MIN;
12614 	}
12615 	if (i < n) {
12616 		i = array_index_nospec(i, n);
12617 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12618 	} else {
12619 		high = S32_MAX;
12620 	}
12621 
12622 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12623 }
12624 
12625 static int nl80211_set_cqm_rssi(struct genl_info *info,
12626 				const s32 *thresholds, int n_thresholds,
12627 				u32 hysteresis)
12628 {
12629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12630 	struct net_device *dev = info->user_ptr[1];
12631 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12632 	int i, err;
12633 	s32 prev = S32_MIN;
12634 
12635 	/* Check all values negative and sorted */
12636 	for (i = 0; i < n_thresholds; i++) {
12637 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12638 			return -EINVAL;
12639 
12640 		prev = thresholds[i];
12641 	}
12642 
12643 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12644 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12645 		return -EOPNOTSUPP;
12646 
12647 	wdev_lock(wdev);
12648 	cfg80211_cqm_config_free(wdev);
12649 	wdev_unlock(wdev);
12650 
12651 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12652 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12653 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12654 
12655 		return rdev_set_cqm_rssi_config(rdev, dev,
12656 						thresholds[0], hysteresis);
12657 	}
12658 
12659 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12660 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12661 		return -EOPNOTSUPP;
12662 
12663 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12664 		n_thresholds = 0;
12665 
12666 	wdev_lock(wdev);
12667 	if (n_thresholds) {
12668 		struct cfg80211_cqm_config *cqm_config;
12669 
12670 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12671 						 n_thresholds),
12672 				     GFP_KERNEL);
12673 		if (!cqm_config) {
12674 			err = -ENOMEM;
12675 			goto unlock;
12676 		}
12677 
12678 		cqm_config->rssi_hyst = hysteresis;
12679 		cqm_config->n_rssi_thresholds = n_thresholds;
12680 		memcpy(cqm_config->rssi_thresholds, thresholds,
12681 		       flex_array_size(cqm_config, rssi_thresholds,
12682 				       n_thresholds));
12683 
12684 		wdev->cqm_config = cqm_config;
12685 	}
12686 
12687 	err = cfg80211_cqm_rssi_update(rdev, dev);
12688 
12689 unlock:
12690 	wdev_unlock(wdev);
12691 
12692 	return err;
12693 }
12694 
12695 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12696 {
12697 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12698 	struct nlattr *cqm;
12699 	int err;
12700 
12701 	cqm = info->attrs[NL80211_ATTR_CQM];
12702 	if (!cqm)
12703 		return -EINVAL;
12704 
12705 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12706 					  nl80211_attr_cqm_policy,
12707 					  info->extack);
12708 	if (err)
12709 		return err;
12710 
12711 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12712 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12713 		const s32 *thresholds =
12714 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12715 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12716 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12717 
12718 		if (len % 4)
12719 			return -EINVAL;
12720 
12721 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12722 					    hysteresis);
12723 	}
12724 
12725 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12726 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12727 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12728 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12729 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12730 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12731 
12732 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12733 	}
12734 
12735 	return -EINVAL;
12736 }
12737 
12738 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12739 {
12740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12741 	struct net_device *dev = info->user_ptr[1];
12742 	struct ocb_setup setup = {};
12743 	int err;
12744 
12745 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12746 	if (err)
12747 		return err;
12748 
12749 	return cfg80211_join_ocb(rdev, dev, &setup);
12750 }
12751 
12752 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12753 {
12754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12755 	struct net_device *dev = info->user_ptr[1];
12756 
12757 	return cfg80211_leave_ocb(rdev, dev);
12758 }
12759 
12760 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12761 {
12762 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12763 	struct net_device *dev = info->user_ptr[1];
12764 	struct mesh_config cfg;
12765 	struct mesh_setup setup;
12766 	int err;
12767 
12768 	/* start with default */
12769 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12770 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12771 
12772 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12773 		/* and parse parameters if given */
12774 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12775 		if (err)
12776 			return err;
12777 	}
12778 
12779 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12780 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12781 		return -EINVAL;
12782 
12783 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12784 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12785 
12786 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12787 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12788 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12789 			return -EINVAL;
12790 
12791 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12792 		setup.beacon_interval =
12793 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12794 
12795 		err = cfg80211_validate_beacon_int(rdev,
12796 						   NL80211_IFTYPE_MESH_POINT,
12797 						   setup.beacon_interval);
12798 		if (err)
12799 			return err;
12800 	}
12801 
12802 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12803 		setup.dtim_period =
12804 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12805 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12806 			return -EINVAL;
12807 	}
12808 
12809 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12810 		/* parse additional setup parameters if given */
12811 		err = nl80211_parse_mesh_setup(info, &setup);
12812 		if (err)
12813 			return err;
12814 	}
12815 
12816 	if (setup.user_mpm)
12817 		cfg.auto_open_plinks = false;
12818 
12819 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12820 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12821 		if (err)
12822 			return err;
12823 	} else {
12824 		/* __cfg80211_join_mesh() will sort it out */
12825 		setup.chandef.chan = NULL;
12826 	}
12827 
12828 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12829 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12830 		int n_rates =
12831 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12832 		struct ieee80211_supported_band *sband;
12833 
12834 		if (!setup.chandef.chan)
12835 			return -EINVAL;
12836 
12837 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12838 
12839 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12840 					     &setup.basic_rates);
12841 		if (err)
12842 			return err;
12843 	}
12844 
12845 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12846 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12847 						    NL80211_ATTR_TX_RATES,
12848 						    &setup.beacon_rate,
12849 						    dev, false, 0);
12850 		if (err)
12851 			return err;
12852 
12853 		if (!setup.chandef.chan)
12854 			return -EINVAL;
12855 
12856 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12857 					      &setup.beacon_rate);
12858 		if (err)
12859 			return err;
12860 	}
12861 
12862 	setup.userspace_handles_dfs =
12863 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12864 
12865 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12866 		int r = validate_pae_over_nl80211(rdev, info);
12867 
12868 		if (r < 0)
12869 			return r;
12870 
12871 		setup.control_port_over_nl80211 = true;
12872 	}
12873 
12874 	wdev_lock(dev->ieee80211_ptr);
12875 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12876 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12877 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12878 	wdev_unlock(dev->ieee80211_ptr);
12879 
12880 	return err;
12881 }
12882 
12883 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12884 {
12885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12886 	struct net_device *dev = info->user_ptr[1];
12887 
12888 	return cfg80211_leave_mesh(rdev, dev);
12889 }
12890 
12891 #ifdef CONFIG_PM
12892 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12893 					struct cfg80211_registered_device *rdev)
12894 {
12895 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12896 	struct nlattr *nl_pats, *nl_pat;
12897 	int i, pat_len;
12898 
12899 	if (!wowlan->n_patterns)
12900 		return 0;
12901 
12902 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12903 	if (!nl_pats)
12904 		return -ENOBUFS;
12905 
12906 	for (i = 0; i < wowlan->n_patterns; i++) {
12907 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12908 		if (!nl_pat)
12909 			return -ENOBUFS;
12910 		pat_len = wowlan->patterns[i].pattern_len;
12911 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12912 			    wowlan->patterns[i].mask) ||
12913 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12914 			    wowlan->patterns[i].pattern) ||
12915 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12916 				wowlan->patterns[i].pkt_offset))
12917 			return -ENOBUFS;
12918 		nla_nest_end(msg, nl_pat);
12919 	}
12920 	nla_nest_end(msg, nl_pats);
12921 
12922 	return 0;
12923 }
12924 
12925 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12926 				   struct cfg80211_wowlan_tcp *tcp)
12927 {
12928 	struct nlattr *nl_tcp;
12929 
12930 	if (!tcp)
12931 		return 0;
12932 
12933 	nl_tcp = nla_nest_start_noflag(msg,
12934 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12935 	if (!nl_tcp)
12936 		return -ENOBUFS;
12937 
12938 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12939 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12940 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12941 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12942 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12943 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12944 		    tcp->payload_len, tcp->payload) ||
12945 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12946 			tcp->data_interval) ||
12947 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12948 		    tcp->wake_len, tcp->wake_data) ||
12949 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12950 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12951 		return -ENOBUFS;
12952 
12953 	if (tcp->payload_seq.len &&
12954 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12955 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12956 		return -ENOBUFS;
12957 
12958 	if (tcp->payload_tok.len &&
12959 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12960 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12961 		    &tcp->payload_tok))
12962 		return -ENOBUFS;
12963 
12964 	nla_nest_end(msg, nl_tcp);
12965 
12966 	return 0;
12967 }
12968 
12969 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12970 				  struct cfg80211_sched_scan_request *req)
12971 {
12972 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12973 	int i;
12974 
12975 	if (!req)
12976 		return 0;
12977 
12978 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12979 	if (!nd)
12980 		return -ENOBUFS;
12981 
12982 	if (req->n_scan_plans == 1 &&
12983 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12984 			req->scan_plans[0].interval * 1000))
12985 		return -ENOBUFS;
12986 
12987 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12988 		return -ENOBUFS;
12989 
12990 	if (req->relative_rssi_set) {
12991 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12992 
12993 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12994 			       req->relative_rssi))
12995 			return -ENOBUFS;
12996 
12997 		rssi_adjust.band = req->rssi_adjust.band;
12998 		rssi_adjust.delta = req->rssi_adjust.delta;
12999 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13000 			    sizeof(rssi_adjust), &rssi_adjust))
13001 			return -ENOBUFS;
13002 	}
13003 
13004 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13005 	if (!freqs)
13006 		return -ENOBUFS;
13007 
13008 	for (i = 0; i < req->n_channels; i++) {
13009 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13010 			return -ENOBUFS;
13011 	}
13012 
13013 	nla_nest_end(msg, freqs);
13014 
13015 	if (req->n_match_sets) {
13016 		matches = nla_nest_start_noflag(msg,
13017 						NL80211_ATTR_SCHED_SCAN_MATCH);
13018 		if (!matches)
13019 			return -ENOBUFS;
13020 
13021 		for (i = 0; i < req->n_match_sets; i++) {
13022 			match = nla_nest_start_noflag(msg, i);
13023 			if (!match)
13024 				return -ENOBUFS;
13025 
13026 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13027 				    req->match_sets[i].ssid.ssid_len,
13028 				    req->match_sets[i].ssid.ssid))
13029 				return -ENOBUFS;
13030 			nla_nest_end(msg, match);
13031 		}
13032 		nla_nest_end(msg, matches);
13033 	}
13034 
13035 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13036 	if (!scan_plans)
13037 		return -ENOBUFS;
13038 
13039 	for (i = 0; i < req->n_scan_plans; i++) {
13040 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13041 		if (!scan_plan)
13042 			return -ENOBUFS;
13043 
13044 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13045 				req->scan_plans[i].interval) ||
13046 		    (req->scan_plans[i].iterations &&
13047 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13048 				 req->scan_plans[i].iterations)))
13049 			return -ENOBUFS;
13050 		nla_nest_end(msg, scan_plan);
13051 	}
13052 	nla_nest_end(msg, scan_plans);
13053 
13054 	nla_nest_end(msg, nd);
13055 
13056 	return 0;
13057 }
13058 
13059 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13060 {
13061 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13062 	struct sk_buff *msg;
13063 	void *hdr;
13064 	u32 size = NLMSG_DEFAULT_SIZE;
13065 
13066 	if (!rdev->wiphy.wowlan)
13067 		return -EOPNOTSUPP;
13068 
13069 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13070 		/* adjust size to have room for all the data */
13071 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13072 			rdev->wiphy.wowlan_config->tcp->payload_len +
13073 			rdev->wiphy.wowlan_config->tcp->wake_len +
13074 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13075 	}
13076 
13077 	msg = nlmsg_new(size, GFP_KERNEL);
13078 	if (!msg)
13079 		return -ENOMEM;
13080 
13081 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13082 			     NL80211_CMD_GET_WOWLAN);
13083 	if (!hdr)
13084 		goto nla_put_failure;
13085 
13086 	if (rdev->wiphy.wowlan_config) {
13087 		struct nlattr *nl_wowlan;
13088 
13089 		nl_wowlan = nla_nest_start_noflag(msg,
13090 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13091 		if (!nl_wowlan)
13092 			goto nla_put_failure;
13093 
13094 		if ((rdev->wiphy.wowlan_config->any &&
13095 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13096 		    (rdev->wiphy.wowlan_config->disconnect &&
13097 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13098 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13099 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13100 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13101 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13102 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13103 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13104 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13105 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13106 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13107 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13108 			goto nla_put_failure;
13109 
13110 		if (nl80211_send_wowlan_patterns(msg, rdev))
13111 			goto nla_put_failure;
13112 
13113 		if (nl80211_send_wowlan_tcp(msg,
13114 					    rdev->wiphy.wowlan_config->tcp))
13115 			goto nla_put_failure;
13116 
13117 		if (nl80211_send_wowlan_nd(
13118 			    msg,
13119 			    rdev->wiphy.wowlan_config->nd_config))
13120 			goto nla_put_failure;
13121 
13122 		nla_nest_end(msg, nl_wowlan);
13123 	}
13124 
13125 	genlmsg_end(msg, hdr);
13126 	return genlmsg_reply(msg, info);
13127 
13128 nla_put_failure:
13129 	nlmsg_free(msg);
13130 	return -ENOBUFS;
13131 }
13132 
13133 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13134 				    struct nlattr *attr,
13135 				    struct cfg80211_wowlan *trig)
13136 {
13137 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13138 	struct cfg80211_wowlan_tcp *cfg;
13139 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13140 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13141 	u32 size;
13142 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13143 	int err, port;
13144 
13145 	if (!rdev->wiphy.wowlan->tcp)
13146 		return -EINVAL;
13147 
13148 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13149 					  nl80211_wowlan_tcp_policy, NULL);
13150 	if (err)
13151 		return err;
13152 
13153 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13154 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13155 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13156 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13157 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13158 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13159 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13160 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13161 		return -EINVAL;
13162 
13163 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13164 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13165 		return -EINVAL;
13166 
13167 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13168 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13169 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13170 		return -EINVAL;
13171 
13172 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13173 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13174 		return -EINVAL;
13175 
13176 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13177 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13178 		return -EINVAL;
13179 
13180 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13181 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13182 
13183 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13184 		tokens_size = tokln - sizeof(*tok);
13185 
13186 		if (!tok->len || tokens_size % tok->len)
13187 			return -EINVAL;
13188 		if (!rdev->wiphy.wowlan->tcp->tok)
13189 			return -EINVAL;
13190 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13191 			return -EINVAL;
13192 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13193 			return -EINVAL;
13194 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13195 			return -EINVAL;
13196 		if (tok->offset + tok->len > data_size)
13197 			return -EINVAL;
13198 	}
13199 
13200 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13201 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13202 		if (!rdev->wiphy.wowlan->tcp->seq)
13203 			return -EINVAL;
13204 		if (seq->len == 0 || seq->len > 4)
13205 			return -EINVAL;
13206 		if (seq->len + seq->offset > data_size)
13207 			return -EINVAL;
13208 	}
13209 
13210 	size = sizeof(*cfg);
13211 	size += data_size;
13212 	size += wake_size + wake_mask_size;
13213 	size += tokens_size;
13214 
13215 	cfg = kzalloc(size, GFP_KERNEL);
13216 	if (!cfg)
13217 		return -ENOMEM;
13218 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13219 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13220 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13221 	       ETH_ALEN);
13222 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13223 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13224 	else
13225 		port = 0;
13226 #ifdef CONFIG_INET
13227 	/* allocate a socket and port for it and use it */
13228 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13229 			    IPPROTO_TCP, &cfg->sock, 1);
13230 	if (err) {
13231 		kfree(cfg);
13232 		return err;
13233 	}
13234 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13235 		sock_release(cfg->sock);
13236 		kfree(cfg);
13237 		return -EADDRINUSE;
13238 	}
13239 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13240 #else
13241 	if (!port) {
13242 		kfree(cfg);
13243 		return -EINVAL;
13244 	}
13245 	cfg->src_port = port;
13246 #endif
13247 
13248 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13249 	cfg->payload_len = data_size;
13250 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13251 	memcpy((void *)cfg->payload,
13252 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13253 	       data_size);
13254 	if (seq)
13255 		cfg->payload_seq = *seq;
13256 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13257 	cfg->wake_len = wake_size;
13258 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13259 	memcpy((void *)cfg->wake_data,
13260 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13261 	       wake_size);
13262 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13263 			 data_size + wake_size;
13264 	memcpy((void *)cfg->wake_mask,
13265 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13266 	       wake_mask_size);
13267 	if (tok) {
13268 		cfg->tokens_size = tokens_size;
13269 		cfg->payload_tok = *tok;
13270 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13271 		       tokens_size);
13272 	}
13273 
13274 	trig->tcp = cfg;
13275 
13276 	return 0;
13277 }
13278 
13279 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13280 				   const struct wiphy_wowlan_support *wowlan,
13281 				   struct nlattr *attr,
13282 				   struct cfg80211_wowlan *trig)
13283 {
13284 	struct nlattr **tb;
13285 	int err;
13286 
13287 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13288 	if (!tb)
13289 		return -ENOMEM;
13290 
13291 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13292 		err = -EOPNOTSUPP;
13293 		goto out;
13294 	}
13295 
13296 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13297 					  nl80211_policy, NULL);
13298 	if (err)
13299 		goto out;
13300 
13301 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13302 						   wowlan->max_nd_match_sets);
13303 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13304 	if (err)
13305 		trig->nd_config = NULL;
13306 
13307 out:
13308 	kfree(tb);
13309 	return err;
13310 }
13311 
13312 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13313 {
13314 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13315 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13316 	struct cfg80211_wowlan new_triggers = {};
13317 	struct cfg80211_wowlan *ntrig;
13318 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13319 	int err, i;
13320 	bool prev_enabled = rdev->wiphy.wowlan_config;
13321 	bool regular = false;
13322 
13323 	if (!wowlan)
13324 		return -EOPNOTSUPP;
13325 
13326 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13327 		cfg80211_rdev_free_wowlan(rdev);
13328 		rdev->wiphy.wowlan_config = NULL;
13329 		goto set_wakeup;
13330 	}
13331 
13332 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13333 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13334 					  nl80211_wowlan_policy, info->extack);
13335 	if (err)
13336 		return err;
13337 
13338 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13339 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13340 			return -EINVAL;
13341 		new_triggers.any = true;
13342 	}
13343 
13344 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13345 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13346 			return -EINVAL;
13347 		new_triggers.disconnect = true;
13348 		regular = true;
13349 	}
13350 
13351 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13352 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13353 			return -EINVAL;
13354 		new_triggers.magic_pkt = true;
13355 		regular = true;
13356 	}
13357 
13358 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13359 		return -EINVAL;
13360 
13361 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13362 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13363 			return -EINVAL;
13364 		new_triggers.gtk_rekey_failure = true;
13365 		regular = true;
13366 	}
13367 
13368 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13369 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13370 			return -EINVAL;
13371 		new_triggers.eap_identity_req = true;
13372 		regular = true;
13373 	}
13374 
13375 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13376 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13377 			return -EINVAL;
13378 		new_triggers.four_way_handshake = true;
13379 		regular = true;
13380 	}
13381 
13382 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13383 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13384 			return -EINVAL;
13385 		new_triggers.rfkill_release = true;
13386 		regular = true;
13387 	}
13388 
13389 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13390 		struct nlattr *pat;
13391 		int n_patterns = 0;
13392 		int rem, pat_len, mask_len, pkt_offset;
13393 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13394 
13395 		regular = true;
13396 
13397 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13398 				    rem)
13399 			n_patterns++;
13400 		if (n_patterns > wowlan->n_patterns)
13401 			return -EINVAL;
13402 
13403 		new_triggers.patterns = kcalloc(n_patterns,
13404 						sizeof(new_triggers.patterns[0]),
13405 						GFP_KERNEL);
13406 		if (!new_triggers.patterns)
13407 			return -ENOMEM;
13408 
13409 		new_triggers.n_patterns = n_patterns;
13410 		i = 0;
13411 
13412 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13413 				    rem) {
13414 			u8 *mask_pat;
13415 
13416 			err = nla_parse_nested_deprecated(pat_tb,
13417 							  MAX_NL80211_PKTPAT,
13418 							  pat,
13419 							  nl80211_packet_pattern_policy,
13420 							  info->extack);
13421 			if (err)
13422 				goto error;
13423 
13424 			err = -EINVAL;
13425 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13426 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13427 				goto error;
13428 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13429 			mask_len = DIV_ROUND_UP(pat_len, 8);
13430 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13431 				goto error;
13432 			if (pat_len > wowlan->pattern_max_len ||
13433 			    pat_len < wowlan->pattern_min_len)
13434 				goto error;
13435 
13436 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13437 				pkt_offset = 0;
13438 			else
13439 				pkt_offset = nla_get_u32(
13440 					pat_tb[NL80211_PKTPAT_OFFSET]);
13441 			if (pkt_offset > wowlan->max_pkt_offset)
13442 				goto error;
13443 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13444 
13445 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13446 			if (!mask_pat) {
13447 				err = -ENOMEM;
13448 				goto error;
13449 			}
13450 			new_triggers.patterns[i].mask = mask_pat;
13451 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13452 			       mask_len);
13453 			mask_pat += mask_len;
13454 			new_triggers.patterns[i].pattern = mask_pat;
13455 			new_triggers.patterns[i].pattern_len = pat_len;
13456 			memcpy(mask_pat,
13457 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13458 			       pat_len);
13459 			i++;
13460 		}
13461 	}
13462 
13463 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13464 		regular = true;
13465 		err = nl80211_parse_wowlan_tcp(
13466 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13467 			&new_triggers);
13468 		if (err)
13469 			goto error;
13470 	}
13471 
13472 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13473 		regular = true;
13474 		err = nl80211_parse_wowlan_nd(
13475 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13476 			&new_triggers);
13477 		if (err)
13478 			goto error;
13479 	}
13480 
13481 	/* The 'any' trigger means the device continues operating more or less
13482 	 * as in its normal operation mode and wakes up the host on most of the
13483 	 * normal interrupts (like packet RX, ...)
13484 	 * It therefore makes little sense to combine with the more constrained
13485 	 * wakeup trigger modes.
13486 	 */
13487 	if (new_triggers.any && regular) {
13488 		err = -EINVAL;
13489 		goto error;
13490 	}
13491 
13492 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13493 	if (!ntrig) {
13494 		err = -ENOMEM;
13495 		goto error;
13496 	}
13497 	cfg80211_rdev_free_wowlan(rdev);
13498 	rdev->wiphy.wowlan_config = ntrig;
13499 
13500  set_wakeup:
13501 	if (rdev->ops->set_wakeup &&
13502 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13503 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13504 
13505 	return 0;
13506  error:
13507 	for (i = 0; i < new_triggers.n_patterns; i++)
13508 		kfree(new_triggers.patterns[i].mask);
13509 	kfree(new_triggers.patterns);
13510 	if (new_triggers.tcp && new_triggers.tcp->sock)
13511 		sock_release(new_triggers.tcp->sock);
13512 	kfree(new_triggers.tcp);
13513 	kfree(new_triggers.nd_config);
13514 	return err;
13515 }
13516 #endif
13517 
13518 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13519 				       struct cfg80211_registered_device *rdev)
13520 {
13521 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13522 	int i, j, pat_len;
13523 	struct cfg80211_coalesce_rules *rule;
13524 
13525 	if (!rdev->coalesce->n_rules)
13526 		return 0;
13527 
13528 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13529 	if (!nl_rules)
13530 		return -ENOBUFS;
13531 
13532 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13533 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13534 		if (!nl_rule)
13535 			return -ENOBUFS;
13536 
13537 		rule = &rdev->coalesce->rules[i];
13538 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13539 				rule->delay))
13540 			return -ENOBUFS;
13541 
13542 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13543 				rule->condition))
13544 			return -ENOBUFS;
13545 
13546 		nl_pats = nla_nest_start_noflag(msg,
13547 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13548 		if (!nl_pats)
13549 			return -ENOBUFS;
13550 
13551 		for (j = 0; j < rule->n_patterns; j++) {
13552 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13553 			if (!nl_pat)
13554 				return -ENOBUFS;
13555 			pat_len = rule->patterns[j].pattern_len;
13556 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13557 				    DIV_ROUND_UP(pat_len, 8),
13558 				    rule->patterns[j].mask) ||
13559 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13560 				    rule->patterns[j].pattern) ||
13561 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13562 					rule->patterns[j].pkt_offset))
13563 				return -ENOBUFS;
13564 			nla_nest_end(msg, nl_pat);
13565 		}
13566 		nla_nest_end(msg, nl_pats);
13567 		nla_nest_end(msg, nl_rule);
13568 	}
13569 	nla_nest_end(msg, nl_rules);
13570 
13571 	return 0;
13572 }
13573 
13574 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13575 {
13576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13577 	struct sk_buff *msg;
13578 	void *hdr;
13579 
13580 	if (!rdev->wiphy.coalesce)
13581 		return -EOPNOTSUPP;
13582 
13583 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13584 	if (!msg)
13585 		return -ENOMEM;
13586 
13587 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13588 			     NL80211_CMD_GET_COALESCE);
13589 	if (!hdr)
13590 		goto nla_put_failure;
13591 
13592 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13593 		goto nla_put_failure;
13594 
13595 	genlmsg_end(msg, hdr);
13596 	return genlmsg_reply(msg, info);
13597 
13598 nla_put_failure:
13599 	nlmsg_free(msg);
13600 	return -ENOBUFS;
13601 }
13602 
13603 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13604 {
13605 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13606 	int i, j;
13607 	struct cfg80211_coalesce_rules *rule;
13608 
13609 	if (!coalesce)
13610 		return;
13611 
13612 	for (i = 0; i < coalesce->n_rules; i++) {
13613 		rule = &coalesce->rules[i];
13614 		for (j = 0; j < rule->n_patterns; j++)
13615 			kfree(rule->patterns[j].mask);
13616 		kfree(rule->patterns);
13617 	}
13618 	kfree(coalesce->rules);
13619 	kfree(coalesce);
13620 	rdev->coalesce = NULL;
13621 }
13622 
13623 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13624 				       struct nlattr *rule,
13625 				       struct cfg80211_coalesce_rules *new_rule)
13626 {
13627 	int err, i;
13628 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13629 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13630 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13631 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13632 
13633 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13634 					  rule, nl80211_coalesce_policy, NULL);
13635 	if (err)
13636 		return err;
13637 
13638 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13639 		new_rule->delay =
13640 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13641 	if (new_rule->delay > coalesce->max_delay)
13642 		return -EINVAL;
13643 
13644 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13645 		new_rule->condition =
13646 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13647 
13648 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13649 		return -EINVAL;
13650 
13651 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13652 			    rem)
13653 		n_patterns++;
13654 	if (n_patterns > coalesce->n_patterns)
13655 		return -EINVAL;
13656 
13657 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13658 				     GFP_KERNEL);
13659 	if (!new_rule->patterns)
13660 		return -ENOMEM;
13661 
13662 	new_rule->n_patterns = n_patterns;
13663 	i = 0;
13664 
13665 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13666 			    rem) {
13667 		u8 *mask_pat;
13668 
13669 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13670 						  pat,
13671 						  nl80211_packet_pattern_policy,
13672 						  NULL);
13673 		if (err)
13674 			return err;
13675 
13676 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13677 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13678 			return -EINVAL;
13679 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13680 		mask_len = DIV_ROUND_UP(pat_len, 8);
13681 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13682 			return -EINVAL;
13683 		if (pat_len > coalesce->pattern_max_len ||
13684 		    pat_len < coalesce->pattern_min_len)
13685 			return -EINVAL;
13686 
13687 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13688 			pkt_offset = 0;
13689 		else
13690 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13691 		if (pkt_offset > coalesce->max_pkt_offset)
13692 			return -EINVAL;
13693 		new_rule->patterns[i].pkt_offset = pkt_offset;
13694 
13695 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13696 		if (!mask_pat)
13697 			return -ENOMEM;
13698 
13699 		new_rule->patterns[i].mask = mask_pat;
13700 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13701 		       mask_len);
13702 
13703 		mask_pat += mask_len;
13704 		new_rule->patterns[i].pattern = mask_pat;
13705 		new_rule->patterns[i].pattern_len = pat_len;
13706 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13707 		       pat_len);
13708 		i++;
13709 	}
13710 
13711 	return 0;
13712 }
13713 
13714 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13715 {
13716 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13717 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13718 	struct cfg80211_coalesce new_coalesce = {};
13719 	struct cfg80211_coalesce *n_coalesce;
13720 	int err, rem_rule, n_rules = 0, i, j;
13721 	struct nlattr *rule;
13722 	struct cfg80211_coalesce_rules *tmp_rule;
13723 
13724 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13725 		return -EOPNOTSUPP;
13726 
13727 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13728 		cfg80211_rdev_free_coalesce(rdev);
13729 		rdev_set_coalesce(rdev, NULL);
13730 		return 0;
13731 	}
13732 
13733 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13734 			    rem_rule)
13735 		n_rules++;
13736 	if (n_rules > coalesce->n_rules)
13737 		return -EINVAL;
13738 
13739 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13740 				     GFP_KERNEL);
13741 	if (!new_coalesce.rules)
13742 		return -ENOMEM;
13743 
13744 	new_coalesce.n_rules = n_rules;
13745 	i = 0;
13746 
13747 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13748 			    rem_rule) {
13749 		err = nl80211_parse_coalesce_rule(rdev, rule,
13750 						  &new_coalesce.rules[i]);
13751 		if (err)
13752 			goto error;
13753 
13754 		i++;
13755 	}
13756 
13757 	err = rdev_set_coalesce(rdev, &new_coalesce);
13758 	if (err)
13759 		goto error;
13760 
13761 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13762 	if (!n_coalesce) {
13763 		err = -ENOMEM;
13764 		goto error;
13765 	}
13766 	cfg80211_rdev_free_coalesce(rdev);
13767 	rdev->coalesce = n_coalesce;
13768 
13769 	return 0;
13770 error:
13771 	for (i = 0; i < new_coalesce.n_rules; i++) {
13772 		tmp_rule = &new_coalesce.rules[i];
13773 		for (j = 0; j < tmp_rule->n_patterns; j++)
13774 			kfree(tmp_rule->patterns[j].mask);
13775 		kfree(tmp_rule->patterns);
13776 	}
13777 	kfree(new_coalesce.rules);
13778 
13779 	return err;
13780 }
13781 
13782 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13783 {
13784 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13785 	struct net_device *dev = info->user_ptr[1];
13786 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13787 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13788 	struct cfg80211_gtk_rekey_data rekey_data = {};
13789 	int err;
13790 
13791 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13792 		return -EINVAL;
13793 
13794 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13795 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13796 					  nl80211_rekey_policy, info->extack);
13797 	if (err)
13798 		return err;
13799 
13800 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13801 	    !tb[NL80211_REKEY_DATA_KCK])
13802 		return -EINVAL;
13803 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13804 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13805 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13806 		return -ERANGE;
13807 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13808 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13809 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13810 		return -ERANGE;
13811 
13812 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13813 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13814 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13815 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13816 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13817 	if (tb[NL80211_REKEY_DATA_AKM])
13818 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13819 
13820 	wdev_lock(wdev);
13821 	if (!wdev->connected) {
13822 		err = -ENOTCONN;
13823 		goto out;
13824 	}
13825 
13826 	if (!rdev->ops->set_rekey_data) {
13827 		err = -EOPNOTSUPP;
13828 		goto out;
13829 	}
13830 
13831 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13832  out:
13833 	wdev_unlock(wdev);
13834 	return err;
13835 }
13836 
13837 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13838 					     struct genl_info *info)
13839 {
13840 	struct net_device *dev = info->user_ptr[1];
13841 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13842 
13843 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13844 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13845 		return -EINVAL;
13846 
13847 	if (wdev->ap_unexpected_nlportid)
13848 		return -EBUSY;
13849 
13850 	wdev->ap_unexpected_nlportid = info->snd_portid;
13851 	return 0;
13852 }
13853 
13854 static int nl80211_probe_client(struct sk_buff *skb,
13855 				struct genl_info *info)
13856 {
13857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13858 	struct net_device *dev = info->user_ptr[1];
13859 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13860 	struct sk_buff *msg;
13861 	void *hdr;
13862 	const u8 *addr;
13863 	u64 cookie;
13864 	int err;
13865 
13866 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13867 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13868 		return -EOPNOTSUPP;
13869 
13870 	if (!info->attrs[NL80211_ATTR_MAC])
13871 		return -EINVAL;
13872 
13873 	if (!rdev->ops->probe_client)
13874 		return -EOPNOTSUPP;
13875 
13876 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13877 	if (!msg)
13878 		return -ENOMEM;
13879 
13880 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13881 			     NL80211_CMD_PROBE_CLIENT);
13882 	if (!hdr) {
13883 		err = -ENOBUFS;
13884 		goto free_msg;
13885 	}
13886 
13887 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13888 
13889 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13890 	if (err)
13891 		goto free_msg;
13892 
13893 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13894 			      NL80211_ATTR_PAD))
13895 		goto nla_put_failure;
13896 
13897 	genlmsg_end(msg, hdr);
13898 
13899 	return genlmsg_reply(msg, info);
13900 
13901  nla_put_failure:
13902 	err = -ENOBUFS;
13903  free_msg:
13904 	nlmsg_free(msg);
13905 	return err;
13906 }
13907 
13908 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13909 {
13910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13911 	struct cfg80211_beacon_registration *reg, *nreg;
13912 	int rv;
13913 
13914 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13915 		return -EOPNOTSUPP;
13916 
13917 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13918 	if (!nreg)
13919 		return -ENOMEM;
13920 
13921 	/* First, check if already registered. */
13922 	spin_lock_bh(&rdev->beacon_registrations_lock);
13923 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13924 		if (reg->nlportid == info->snd_portid) {
13925 			rv = -EALREADY;
13926 			goto out_err;
13927 		}
13928 	}
13929 	/* Add it to the list */
13930 	nreg->nlportid = info->snd_portid;
13931 	list_add(&nreg->list, &rdev->beacon_registrations);
13932 
13933 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13934 
13935 	return 0;
13936 out_err:
13937 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13938 	kfree(nreg);
13939 	return rv;
13940 }
13941 
13942 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13943 {
13944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13945 	struct wireless_dev *wdev = info->user_ptr[1];
13946 	int err;
13947 
13948 	if (!rdev->ops->start_p2p_device)
13949 		return -EOPNOTSUPP;
13950 
13951 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13952 		return -EOPNOTSUPP;
13953 
13954 	if (wdev_running(wdev))
13955 		return 0;
13956 
13957 	if (rfkill_blocked(rdev->wiphy.rfkill))
13958 		return -ERFKILL;
13959 
13960 	err = rdev_start_p2p_device(rdev, wdev);
13961 	if (err)
13962 		return err;
13963 
13964 	wdev->is_running = true;
13965 	rdev->opencount++;
13966 
13967 	return 0;
13968 }
13969 
13970 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13971 {
13972 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13973 	struct wireless_dev *wdev = info->user_ptr[1];
13974 
13975 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13976 		return -EOPNOTSUPP;
13977 
13978 	if (!rdev->ops->stop_p2p_device)
13979 		return -EOPNOTSUPP;
13980 
13981 	cfg80211_stop_p2p_device(rdev, wdev);
13982 
13983 	return 0;
13984 }
13985 
13986 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13987 {
13988 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13989 	struct wireless_dev *wdev = info->user_ptr[1];
13990 	struct cfg80211_nan_conf conf = {};
13991 	int err;
13992 
13993 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13994 		return -EOPNOTSUPP;
13995 
13996 	if (wdev_running(wdev))
13997 		return -EEXIST;
13998 
13999 	if (rfkill_blocked(rdev->wiphy.rfkill))
14000 		return -ERFKILL;
14001 
14002 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14003 		return -EINVAL;
14004 
14005 	conf.master_pref =
14006 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14007 
14008 	if (info->attrs[NL80211_ATTR_BANDS]) {
14009 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14010 
14011 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14012 			return -EOPNOTSUPP;
14013 
14014 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14015 			return -EINVAL;
14016 
14017 		conf.bands = bands;
14018 	}
14019 
14020 	err = rdev_start_nan(rdev, wdev, &conf);
14021 	if (err)
14022 		return err;
14023 
14024 	wdev->is_running = true;
14025 	rdev->opencount++;
14026 
14027 	return 0;
14028 }
14029 
14030 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14031 {
14032 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14033 	struct wireless_dev *wdev = info->user_ptr[1];
14034 
14035 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14036 		return -EOPNOTSUPP;
14037 
14038 	cfg80211_stop_nan(rdev, wdev);
14039 
14040 	return 0;
14041 }
14042 
14043 static int validate_nan_filter(struct nlattr *filter_attr)
14044 {
14045 	struct nlattr *attr;
14046 	int len = 0, n_entries = 0, rem;
14047 
14048 	nla_for_each_nested(attr, filter_attr, rem) {
14049 		len += nla_len(attr);
14050 		n_entries++;
14051 	}
14052 
14053 	if (len >= U8_MAX)
14054 		return -EINVAL;
14055 
14056 	return n_entries;
14057 }
14058 
14059 static int handle_nan_filter(struct nlattr *attr_filter,
14060 			     struct cfg80211_nan_func *func,
14061 			     bool tx)
14062 {
14063 	struct nlattr *attr;
14064 	int n_entries, rem, i;
14065 	struct cfg80211_nan_func_filter *filter;
14066 
14067 	n_entries = validate_nan_filter(attr_filter);
14068 	if (n_entries < 0)
14069 		return n_entries;
14070 
14071 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14072 
14073 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14074 	if (!filter)
14075 		return -ENOMEM;
14076 
14077 	i = 0;
14078 	nla_for_each_nested(attr, attr_filter, rem) {
14079 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14080 		if (!filter[i].filter)
14081 			goto err;
14082 
14083 		filter[i].len = nla_len(attr);
14084 		i++;
14085 	}
14086 	if (tx) {
14087 		func->num_tx_filters = n_entries;
14088 		func->tx_filters = filter;
14089 	} else {
14090 		func->num_rx_filters = n_entries;
14091 		func->rx_filters = filter;
14092 	}
14093 
14094 	return 0;
14095 
14096 err:
14097 	i = 0;
14098 	nla_for_each_nested(attr, attr_filter, rem) {
14099 		kfree(filter[i].filter);
14100 		i++;
14101 	}
14102 	kfree(filter);
14103 	return -ENOMEM;
14104 }
14105 
14106 static int nl80211_nan_add_func(struct sk_buff *skb,
14107 				struct genl_info *info)
14108 {
14109 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14110 	struct wireless_dev *wdev = info->user_ptr[1];
14111 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14112 	struct cfg80211_nan_func *func;
14113 	struct sk_buff *msg = NULL;
14114 	void *hdr = NULL;
14115 	int err = 0;
14116 
14117 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14118 		return -EOPNOTSUPP;
14119 
14120 	if (!wdev_running(wdev))
14121 		return -ENOTCONN;
14122 
14123 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14124 		return -EINVAL;
14125 
14126 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14127 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14128 					  nl80211_nan_func_policy,
14129 					  info->extack);
14130 	if (err)
14131 		return err;
14132 
14133 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14134 	if (!func)
14135 		return -ENOMEM;
14136 
14137 	func->cookie = cfg80211_assign_cookie(rdev);
14138 
14139 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14140 		err = -EINVAL;
14141 		goto out;
14142 	}
14143 
14144 
14145 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14146 
14147 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14148 		err = -EINVAL;
14149 		goto out;
14150 	}
14151 
14152 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14153 	       sizeof(func->service_id));
14154 
14155 	func->close_range =
14156 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14157 
14158 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14159 		func->serv_spec_info_len =
14160 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14161 		func->serv_spec_info =
14162 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14163 				func->serv_spec_info_len,
14164 				GFP_KERNEL);
14165 		if (!func->serv_spec_info) {
14166 			err = -ENOMEM;
14167 			goto out;
14168 		}
14169 	}
14170 
14171 	if (tb[NL80211_NAN_FUNC_TTL])
14172 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14173 
14174 	switch (func->type) {
14175 	case NL80211_NAN_FUNC_PUBLISH:
14176 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14177 			err = -EINVAL;
14178 			goto out;
14179 		}
14180 
14181 		func->publish_type =
14182 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14183 		func->publish_bcast =
14184 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14185 
14186 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14187 			func->publish_bcast) {
14188 			err = -EINVAL;
14189 			goto out;
14190 		}
14191 		break;
14192 	case NL80211_NAN_FUNC_SUBSCRIBE:
14193 		func->subscribe_active =
14194 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14195 		break;
14196 	case NL80211_NAN_FUNC_FOLLOW_UP:
14197 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14198 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14199 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14200 			err = -EINVAL;
14201 			goto out;
14202 		}
14203 
14204 		func->followup_id =
14205 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14206 		func->followup_reqid =
14207 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14208 		memcpy(func->followup_dest.addr,
14209 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14210 		       sizeof(func->followup_dest.addr));
14211 		if (func->ttl) {
14212 			err = -EINVAL;
14213 			goto out;
14214 		}
14215 		break;
14216 	default:
14217 		err = -EINVAL;
14218 		goto out;
14219 	}
14220 
14221 	if (tb[NL80211_NAN_FUNC_SRF]) {
14222 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14223 
14224 		err = nla_parse_nested_deprecated(srf_tb,
14225 						  NL80211_NAN_SRF_ATTR_MAX,
14226 						  tb[NL80211_NAN_FUNC_SRF],
14227 						  nl80211_nan_srf_policy,
14228 						  info->extack);
14229 		if (err)
14230 			goto out;
14231 
14232 		func->srf_include =
14233 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14234 
14235 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14236 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14237 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14238 				err = -EINVAL;
14239 				goto out;
14240 			}
14241 
14242 			func->srf_bf_len =
14243 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14244 			func->srf_bf =
14245 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14246 					func->srf_bf_len, GFP_KERNEL);
14247 			if (!func->srf_bf) {
14248 				err = -ENOMEM;
14249 				goto out;
14250 			}
14251 
14252 			func->srf_bf_idx =
14253 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14254 		} else {
14255 			struct nlattr *attr, *mac_attr =
14256 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14257 			int n_entries, rem, i = 0;
14258 
14259 			if (!mac_attr) {
14260 				err = -EINVAL;
14261 				goto out;
14262 			}
14263 
14264 			n_entries = validate_acl_mac_addrs(mac_attr);
14265 			if (n_entries <= 0) {
14266 				err = -EINVAL;
14267 				goto out;
14268 			}
14269 
14270 			func->srf_num_macs = n_entries;
14271 			func->srf_macs =
14272 				kcalloc(n_entries, sizeof(*func->srf_macs),
14273 					GFP_KERNEL);
14274 			if (!func->srf_macs) {
14275 				err = -ENOMEM;
14276 				goto out;
14277 			}
14278 
14279 			nla_for_each_nested(attr, mac_attr, rem)
14280 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14281 				       sizeof(*func->srf_macs));
14282 		}
14283 	}
14284 
14285 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14286 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14287 					func, true);
14288 		if (err)
14289 			goto out;
14290 	}
14291 
14292 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14293 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14294 					func, false);
14295 		if (err)
14296 			goto out;
14297 	}
14298 
14299 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14300 	if (!msg) {
14301 		err = -ENOMEM;
14302 		goto out;
14303 	}
14304 
14305 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14306 			     NL80211_CMD_ADD_NAN_FUNCTION);
14307 	/* This can't really happen - we just allocated 4KB */
14308 	if (WARN_ON(!hdr)) {
14309 		err = -ENOMEM;
14310 		goto out;
14311 	}
14312 
14313 	err = rdev_add_nan_func(rdev, wdev, func);
14314 out:
14315 	if (err < 0) {
14316 		cfg80211_free_nan_func(func);
14317 		nlmsg_free(msg);
14318 		return err;
14319 	}
14320 
14321 	/* propagate the instance id and cookie to userspace  */
14322 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14323 			      NL80211_ATTR_PAD))
14324 		goto nla_put_failure;
14325 
14326 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14327 	if (!func_attr)
14328 		goto nla_put_failure;
14329 
14330 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14331 		       func->instance_id))
14332 		goto nla_put_failure;
14333 
14334 	nla_nest_end(msg, func_attr);
14335 
14336 	genlmsg_end(msg, hdr);
14337 	return genlmsg_reply(msg, info);
14338 
14339 nla_put_failure:
14340 	nlmsg_free(msg);
14341 	return -ENOBUFS;
14342 }
14343 
14344 static int nl80211_nan_del_func(struct sk_buff *skb,
14345 			       struct genl_info *info)
14346 {
14347 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14348 	struct wireless_dev *wdev = info->user_ptr[1];
14349 	u64 cookie;
14350 
14351 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14352 		return -EOPNOTSUPP;
14353 
14354 	if (!wdev_running(wdev))
14355 		return -ENOTCONN;
14356 
14357 	if (!info->attrs[NL80211_ATTR_COOKIE])
14358 		return -EINVAL;
14359 
14360 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14361 
14362 	rdev_del_nan_func(rdev, wdev, cookie);
14363 
14364 	return 0;
14365 }
14366 
14367 static int nl80211_nan_change_config(struct sk_buff *skb,
14368 				     struct genl_info *info)
14369 {
14370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14371 	struct wireless_dev *wdev = info->user_ptr[1];
14372 	struct cfg80211_nan_conf conf = {};
14373 	u32 changed = 0;
14374 
14375 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14376 		return -EOPNOTSUPP;
14377 
14378 	if (!wdev_running(wdev))
14379 		return -ENOTCONN;
14380 
14381 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14382 		conf.master_pref =
14383 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14384 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14385 			return -EINVAL;
14386 
14387 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14388 	}
14389 
14390 	if (info->attrs[NL80211_ATTR_BANDS]) {
14391 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14392 
14393 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14394 			return -EOPNOTSUPP;
14395 
14396 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14397 			return -EINVAL;
14398 
14399 		conf.bands = bands;
14400 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14401 	}
14402 
14403 	if (!changed)
14404 		return -EINVAL;
14405 
14406 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14407 }
14408 
14409 void cfg80211_nan_match(struct wireless_dev *wdev,
14410 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14411 {
14412 	struct wiphy *wiphy = wdev->wiphy;
14413 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14414 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14415 	struct sk_buff *msg;
14416 	void *hdr;
14417 
14418 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14419 		return;
14420 
14421 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14422 	if (!msg)
14423 		return;
14424 
14425 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14426 	if (!hdr) {
14427 		nlmsg_free(msg);
14428 		return;
14429 	}
14430 
14431 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14432 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14433 					 wdev->netdev->ifindex)) ||
14434 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14435 			      NL80211_ATTR_PAD))
14436 		goto nla_put_failure;
14437 
14438 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14439 			      NL80211_ATTR_PAD) ||
14440 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14441 		goto nla_put_failure;
14442 
14443 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14444 	if (!match_attr)
14445 		goto nla_put_failure;
14446 
14447 	local_func_attr = nla_nest_start_noflag(msg,
14448 						NL80211_NAN_MATCH_FUNC_LOCAL);
14449 	if (!local_func_attr)
14450 		goto nla_put_failure;
14451 
14452 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14453 		goto nla_put_failure;
14454 
14455 	nla_nest_end(msg, local_func_attr);
14456 
14457 	peer_func_attr = nla_nest_start_noflag(msg,
14458 					       NL80211_NAN_MATCH_FUNC_PEER);
14459 	if (!peer_func_attr)
14460 		goto nla_put_failure;
14461 
14462 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14463 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14464 		goto nla_put_failure;
14465 
14466 	if (match->info && match->info_len &&
14467 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14468 		    match->info))
14469 		goto nla_put_failure;
14470 
14471 	nla_nest_end(msg, peer_func_attr);
14472 	nla_nest_end(msg, match_attr);
14473 	genlmsg_end(msg, hdr);
14474 
14475 	if (!wdev->owner_nlportid)
14476 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14477 					msg, 0, NL80211_MCGRP_NAN, gfp);
14478 	else
14479 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14480 				wdev->owner_nlportid);
14481 
14482 	return;
14483 
14484 nla_put_failure:
14485 	nlmsg_free(msg);
14486 }
14487 EXPORT_SYMBOL(cfg80211_nan_match);
14488 
14489 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14490 				  u8 inst_id,
14491 				  enum nl80211_nan_func_term_reason reason,
14492 				  u64 cookie, gfp_t gfp)
14493 {
14494 	struct wiphy *wiphy = wdev->wiphy;
14495 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14496 	struct sk_buff *msg;
14497 	struct nlattr *func_attr;
14498 	void *hdr;
14499 
14500 	if (WARN_ON(!inst_id))
14501 		return;
14502 
14503 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14504 	if (!msg)
14505 		return;
14506 
14507 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14508 	if (!hdr) {
14509 		nlmsg_free(msg);
14510 		return;
14511 	}
14512 
14513 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14514 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14515 					 wdev->netdev->ifindex)) ||
14516 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14517 			      NL80211_ATTR_PAD))
14518 		goto nla_put_failure;
14519 
14520 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14521 			      NL80211_ATTR_PAD))
14522 		goto nla_put_failure;
14523 
14524 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14525 	if (!func_attr)
14526 		goto nla_put_failure;
14527 
14528 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14529 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14530 		goto nla_put_failure;
14531 
14532 	nla_nest_end(msg, func_attr);
14533 	genlmsg_end(msg, hdr);
14534 
14535 	if (!wdev->owner_nlportid)
14536 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14537 					msg, 0, NL80211_MCGRP_NAN, gfp);
14538 	else
14539 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14540 				wdev->owner_nlportid);
14541 
14542 	return;
14543 
14544 nla_put_failure:
14545 	nlmsg_free(msg);
14546 }
14547 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14548 
14549 static int nl80211_get_protocol_features(struct sk_buff *skb,
14550 					 struct genl_info *info)
14551 {
14552 	void *hdr;
14553 	struct sk_buff *msg;
14554 
14555 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14556 	if (!msg)
14557 		return -ENOMEM;
14558 
14559 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14560 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14561 	if (!hdr)
14562 		goto nla_put_failure;
14563 
14564 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14565 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14566 		goto nla_put_failure;
14567 
14568 	genlmsg_end(msg, hdr);
14569 	return genlmsg_reply(msg, info);
14570 
14571  nla_put_failure:
14572 	kfree_skb(msg);
14573 	return -ENOBUFS;
14574 }
14575 
14576 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14577 {
14578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14579 	struct cfg80211_update_ft_ies_params ft_params;
14580 	struct net_device *dev = info->user_ptr[1];
14581 
14582 	if (!rdev->ops->update_ft_ies)
14583 		return -EOPNOTSUPP;
14584 
14585 	if (!info->attrs[NL80211_ATTR_MDID] ||
14586 	    !info->attrs[NL80211_ATTR_IE])
14587 		return -EINVAL;
14588 
14589 	memset(&ft_params, 0, sizeof(ft_params));
14590 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14591 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14592 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14593 
14594 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14595 }
14596 
14597 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14598 				       struct genl_info *info)
14599 {
14600 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14601 	struct wireless_dev *wdev = info->user_ptr[1];
14602 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14603 	u16 duration;
14604 	int ret;
14605 
14606 	if (!rdev->ops->crit_proto_start)
14607 		return -EOPNOTSUPP;
14608 
14609 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14610 		return -EINVAL;
14611 
14612 	if (rdev->crit_proto_nlportid)
14613 		return -EBUSY;
14614 
14615 	/* determine protocol if provided */
14616 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14617 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14618 
14619 	if (proto >= NUM_NL80211_CRIT_PROTO)
14620 		return -EINVAL;
14621 
14622 	/* timeout must be provided */
14623 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14624 		return -EINVAL;
14625 
14626 	duration =
14627 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14628 
14629 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14630 	if (!ret)
14631 		rdev->crit_proto_nlportid = info->snd_portid;
14632 
14633 	return ret;
14634 }
14635 
14636 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14637 				      struct genl_info *info)
14638 {
14639 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14640 	struct wireless_dev *wdev = info->user_ptr[1];
14641 
14642 	if (!rdev->ops->crit_proto_stop)
14643 		return -EOPNOTSUPP;
14644 
14645 	if (rdev->crit_proto_nlportid) {
14646 		rdev->crit_proto_nlportid = 0;
14647 		rdev_crit_proto_stop(rdev, wdev);
14648 	}
14649 	return 0;
14650 }
14651 
14652 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14653 				       struct nlattr *attr,
14654 				       struct netlink_ext_ack *extack)
14655 {
14656 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14657 		if (attr->nla_type & NLA_F_NESTED) {
14658 			NL_SET_ERR_MSG_ATTR(extack, attr,
14659 					    "unexpected nested data");
14660 			return -EINVAL;
14661 		}
14662 
14663 		return 0;
14664 	}
14665 
14666 	if (!(attr->nla_type & NLA_F_NESTED)) {
14667 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14668 		return -EINVAL;
14669 	}
14670 
14671 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14672 }
14673 
14674 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14675 {
14676 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14677 	struct wireless_dev *wdev =
14678 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14679 					   info->attrs);
14680 	int i, err;
14681 	u32 vid, subcmd;
14682 
14683 	if (!rdev->wiphy.vendor_commands)
14684 		return -EOPNOTSUPP;
14685 
14686 	if (IS_ERR(wdev)) {
14687 		err = PTR_ERR(wdev);
14688 		if (err != -EINVAL)
14689 			return err;
14690 		wdev = NULL;
14691 	} else if (wdev->wiphy != &rdev->wiphy) {
14692 		return -EINVAL;
14693 	}
14694 
14695 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14696 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14697 		return -EINVAL;
14698 
14699 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14700 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14701 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14702 		const struct wiphy_vendor_command *vcmd;
14703 		void *data = NULL;
14704 		int len = 0;
14705 
14706 		vcmd = &rdev->wiphy.vendor_commands[i];
14707 
14708 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14709 			continue;
14710 
14711 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14712 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14713 			if (!wdev)
14714 				return -EINVAL;
14715 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14716 			    !wdev->netdev)
14717 				return -EINVAL;
14718 
14719 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14720 				if (!wdev_running(wdev))
14721 					return -ENETDOWN;
14722 			}
14723 		} else {
14724 			wdev = NULL;
14725 		}
14726 
14727 		if (!vcmd->doit)
14728 			return -EOPNOTSUPP;
14729 
14730 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14731 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14732 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14733 
14734 			err = nl80211_vendor_check_policy(vcmd,
14735 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14736 					info->extack);
14737 			if (err)
14738 				return err;
14739 		}
14740 
14741 		rdev->cur_cmd_info = info;
14742 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14743 		rdev->cur_cmd_info = NULL;
14744 		return err;
14745 	}
14746 
14747 	return -EOPNOTSUPP;
14748 }
14749 
14750 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14751 				       struct netlink_callback *cb,
14752 				       struct cfg80211_registered_device **rdev,
14753 				       struct wireless_dev **wdev)
14754 {
14755 	struct nlattr **attrbuf;
14756 	u32 vid, subcmd;
14757 	unsigned int i;
14758 	int vcmd_idx = -1;
14759 	int err;
14760 	void *data = NULL;
14761 	unsigned int data_len = 0;
14762 
14763 	if (cb->args[0]) {
14764 		/* subtract the 1 again here */
14765 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14766 		struct wireless_dev *tmp;
14767 
14768 		if (!wiphy)
14769 			return -ENODEV;
14770 		*rdev = wiphy_to_rdev(wiphy);
14771 		*wdev = NULL;
14772 
14773 		if (cb->args[1]) {
14774 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14775 				if (tmp->identifier == cb->args[1] - 1) {
14776 					*wdev = tmp;
14777 					break;
14778 				}
14779 			}
14780 		}
14781 
14782 		/* keep rtnl locked in successful case */
14783 		return 0;
14784 	}
14785 
14786 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14787 	if (!attrbuf)
14788 		return -ENOMEM;
14789 
14790 	err = nlmsg_parse_deprecated(cb->nlh,
14791 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14792 				     attrbuf, nl80211_fam.maxattr,
14793 				     nl80211_policy, NULL);
14794 	if (err)
14795 		goto out;
14796 
14797 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14798 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14799 		err = -EINVAL;
14800 		goto out;
14801 	}
14802 
14803 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14804 	if (IS_ERR(*wdev))
14805 		*wdev = NULL;
14806 
14807 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14808 	if (IS_ERR(*rdev)) {
14809 		err = PTR_ERR(*rdev);
14810 		goto out;
14811 	}
14812 
14813 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14814 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14815 
14816 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14817 		const struct wiphy_vendor_command *vcmd;
14818 
14819 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14820 
14821 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14822 			continue;
14823 
14824 		if (!vcmd->dumpit) {
14825 			err = -EOPNOTSUPP;
14826 			goto out;
14827 		}
14828 
14829 		vcmd_idx = i;
14830 		break;
14831 	}
14832 
14833 	if (vcmd_idx < 0) {
14834 		err = -EOPNOTSUPP;
14835 		goto out;
14836 	}
14837 
14838 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14839 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14840 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14841 
14842 		err = nl80211_vendor_check_policy(
14843 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14844 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14845 				cb->extack);
14846 		if (err)
14847 			goto out;
14848 	}
14849 
14850 	/* 0 is the first index - add 1 to parse only once */
14851 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14852 	/* add 1 to know if it was NULL */
14853 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14854 	cb->args[2] = vcmd_idx;
14855 	cb->args[3] = (unsigned long)data;
14856 	cb->args[4] = data_len;
14857 
14858 	/* keep rtnl locked in successful case */
14859 	err = 0;
14860 out:
14861 	kfree(attrbuf);
14862 	return err;
14863 }
14864 
14865 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14866 				   struct netlink_callback *cb)
14867 {
14868 	struct cfg80211_registered_device *rdev;
14869 	struct wireless_dev *wdev;
14870 	unsigned int vcmd_idx;
14871 	const struct wiphy_vendor_command *vcmd;
14872 	void *data;
14873 	int data_len;
14874 	int err;
14875 	struct nlattr *vendor_data;
14876 
14877 	rtnl_lock();
14878 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14879 	if (err)
14880 		goto out;
14881 
14882 	vcmd_idx = cb->args[2];
14883 	data = (void *)cb->args[3];
14884 	data_len = cb->args[4];
14885 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14886 
14887 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14888 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14889 		if (!wdev) {
14890 			err = -EINVAL;
14891 			goto out;
14892 		}
14893 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14894 		    !wdev->netdev) {
14895 			err = -EINVAL;
14896 			goto out;
14897 		}
14898 
14899 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14900 			if (!wdev_running(wdev)) {
14901 				err = -ENETDOWN;
14902 				goto out;
14903 			}
14904 		}
14905 	}
14906 
14907 	while (1) {
14908 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14909 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14910 					   NL80211_CMD_VENDOR);
14911 		if (!hdr)
14912 			break;
14913 
14914 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14915 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14916 					       wdev_id(wdev),
14917 					       NL80211_ATTR_PAD))) {
14918 			genlmsg_cancel(skb, hdr);
14919 			break;
14920 		}
14921 
14922 		vendor_data = nla_nest_start_noflag(skb,
14923 						    NL80211_ATTR_VENDOR_DATA);
14924 		if (!vendor_data) {
14925 			genlmsg_cancel(skb, hdr);
14926 			break;
14927 		}
14928 
14929 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14930 				   (unsigned long *)&cb->args[5]);
14931 		nla_nest_end(skb, vendor_data);
14932 
14933 		if (err == -ENOBUFS || err == -ENOENT) {
14934 			genlmsg_cancel(skb, hdr);
14935 			break;
14936 		} else if (err <= 0) {
14937 			genlmsg_cancel(skb, hdr);
14938 			goto out;
14939 		}
14940 
14941 		genlmsg_end(skb, hdr);
14942 	}
14943 
14944 	err = skb->len;
14945  out:
14946 	rtnl_unlock();
14947 	return err;
14948 }
14949 
14950 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14951 					   enum nl80211_commands cmd,
14952 					   enum nl80211_attrs attr,
14953 					   int approxlen)
14954 {
14955 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14956 
14957 	if (WARN_ON(!rdev->cur_cmd_info))
14958 		return NULL;
14959 
14960 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14961 					   rdev->cur_cmd_info->snd_portid,
14962 					   rdev->cur_cmd_info->snd_seq,
14963 					   cmd, attr, NULL, GFP_KERNEL);
14964 }
14965 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14966 
14967 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14968 {
14969 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14970 	void *hdr = ((void **)skb->cb)[1];
14971 	struct nlattr *data = ((void **)skb->cb)[2];
14972 
14973 	/* clear CB data for netlink core to own from now on */
14974 	memset(skb->cb, 0, sizeof(skb->cb));
14975 
14976 	if (WARN_ON(!rdev->cur_cmd_info)) {
14977 		kfree_skb(skb);
14978 		return -EINVAL;
14979 	}
14980 
14981 	nla_nest_end(skb, data);
14982 	genlmsg_end(skb, hdr);
14983 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14984 }
14985 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14986 
14987 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14988 {
14989 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14990 
14991 	if (WARN_ON(!rdev->cur_cmd_info))
14992 		return 0;
14993 
14994 	return rdev->cur_cmd_info->snd_portid;
14995 }
14996 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14997 
14998 static int nl80211_set_qos_map(struct sk_buff *skb,
14999 			       struct genl_info *info)
15000 {
15001 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15002 	struct cfg80211_qos_map *qos_map = NULL;
15003 	struct net_device *dev = info->user_ptr[1];
15004 	u8 *pos, len, num_des, des_len, des;
15005 	int ret;
15006 
15007 	if (!rdev->ops->set_qos_map)
15008 		return -EOPNOTSUPP;
15009 
15010 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15011 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15012 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15013 
15014 		if (len % 2)
15015 			return -EINVAL;
15016 
15017 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15018 		if (!qos_map)
15019 			return -ENOMEM;
15020 
15021 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15022 		if (num_des) {
15023 			des_len = num_des *
15024 				sizeof(struct cfg80211_dscp_exception);
15025 			memcpy(qos_map->dscp_exception, pos, des_len);
15026 			qos_map->num_des = num_des;
15027 			for (des = 0; des < num_des; des++) {
15028 				if (qos_map->dscp_exception[des].up > 7) {
15029 					kfree(qos_map);
15030 					return -EINVAL;
15031 				}
15032 			}
15033 			pos += des_len;
15034 		}
15035 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15036 	}
15037 
15038 	wdev_lock(dev->ieee80211_ptr);
15039 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15040 	if (!ret)
15041 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15042 	wdev_unlock(dev->ieee80211_ptr);
15043 
15044 	kfree(qos_map);
15045 	return ret;
15046 }
15047 
15048 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15049 {
15050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15051 	struct net_device *dev = info->user_ptr[1];
15052 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15053 	const u8 *peer;
15054 	u8 tsid, up;
15055 	u16 admitted_time = 0;
15056 	int err;
15057 
15058 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15059 		return -EOPNOTSUPP;
15060 
15061 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15062 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15063 		return -EINVAL;
15064 
15065 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15066 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15067 
15068 	/* WMM uses TIDs 0-7 even for TSPEC */
15069 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15070 		/* TODO: handle 802.11 TSPEC/admission control
15071 		 * need more attributes for that (e.g. BA session requirement);
15072 		 * change the WMM adminssion test above to allow both then
15073 		 */
15074 		return -EINVAL;
15075 	}
15076 
15077 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15078 
15079 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15080 		admitted_time =
15081 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15082 		if (!admitted_time)
15083 			return -EINVAL;
15084 	}
15085 
15086 	wdev_lock(wdev);
15087 	switch (wdev->iftype) {
15088 	case NL80211_IFTYPE_STATION:
15089 	case NL80211_IFTYPE_P2P_CLIENT:
15090 		if (wdev->connected)
15091 			break;
15092 		err = -ENOTCONN;
15093 		goto out;
15094 	default:
15095 		err = -EOPNOTSUPP;
15096 		goto out;
15097 	}
15098 
15099 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15100 
15101  out:
15102 	wdev_unlock(wdev);
15103 	return err;
15104 }
15105 
15106 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15107 {
15108 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15109 	struct net_device *dev = info->user_ptr[1];
15110 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15111 	const u8 *peer;
15112 	u8 tsid;
15113 	int err;
15114 
15115 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15116 		return -EINVAL;
15117 
15118 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15119 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15120 
15121 	wdev_lock(wdev);
15122 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15123 	wdev_unlock(wdev);
15124 
15125 	return err;
15126 }
15127 
15128 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15129 				       struct genl_info *info)
15130 {
15131 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15132 	struct net_device *dev = info->user_ptr[1];
15133 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15134 	struct cfg80211_chan_def chandef = {};
15135 	const u8 *addr;
15136 	u8 oper_class;
15137 	int err;
15138 
15139 	if (!rdev->ops->tdls_channel_switch ||
15140 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15141 		return -EOPNOTSUPP;
15142 
15143 	switch (dev->ieee80211_ptr->iftype) {
15144 	case NL80211_IFTYPE_STATION:
15145 	case NL80211_IFTYPE_P2P_CLIENT:
15146 		break;
15147 	default:
15148 		return -EOPNOTSUPP;
15149 	}
15150 
15151 	if (!info->attrs[NL80211_ATTR_MAC] ||
15152 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15153 		return -EINVAL;
15154 
15155 	err = nl80211_parse_chandef(rdev, info, &chandef);
15156 	if (err)
15157 		return err;
15158 
15159 	/*
15160 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15161 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15162 	 * specification is not defined for them.
15163 	 */
15164 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15165 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15166 	    chandef.width != NL80211_CHAN_WIDTH_20)
15167 		return -EINVAL;
15168 
15169 	/* we will be active on the TDLS link */
15170 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15171 					   wdev->iftype))
15172 		return -EINVAL;
15173 
15174 	/* don't allow switching to DFS channels */
15175 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15176 		return -EINVAL;
15177 
15178 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15179 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15180 
15181 	wdev_lock(wdev);
15182 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15183 	wdev_unlock(wdev);
15184 
15185 	return err;
15186 }
15187 
15188 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15189 					      struct genl_info *info)
15190 {
15191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15192 	struct net_device *dev = info->user_ptr[1];
15193 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15194 	const u8 *addr;
15195 
15196 	if (!rdev->ops->tdls_channel_switch ||
15197 	    !rdev->ops->tdls_cancel_channel_switch ||
15198 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15199 		return -EOPNOTSUPP;
15200 
15201 	switch (dev->ieee80211_ptr->iftype) {
15202 	case NL80211_IFTYPE_STATION:
15203 	case NL80211_IFTYPE_P2P_CLIENT:
15204 		break;
15205 	default:
15206 		return -EOPNOTSUPP;
15207 	}
15208 
15209 	if (!info->attrs[NL80211_ATTR_MAC])
15210 		return -EINVAL;
15211 
15212 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15213 
15214 	wdev_lock(wdev);
15215 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15216 	wdev_unlock(wdev);
15217 
15218 	return 0;
15219 }
15220 
15221 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15222 					    struct genl_info *info)
15223 {
15224 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15225 	struct net_device *dev = info->user_ptr[1];
15226 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15227 	const struct nlattr *nla;
15228 	bool enabled;
15229 
15230 	if (!rdev->ops->set_multicast_to_unicast)
15231 		return -EOPNOTSUPP;
15232 
15233 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15234 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15235 		return -EOPNOTSUPP;
15236 
15237 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15238 	enabled = nla_get_flag(nla);
15239 
15240 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15241 }
15242 
15243 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15244 {
15245 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15246 	struct net_device *dev = info->user_ptr[1];
15247 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15248 	struct cfg80211_pmk_conf pmk_conf = {};
15249 	int ret;
15250 
15251 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15252 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15253 		return -EOPNOTSUPP;
15254 
15255 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15256 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15257 		return -EOPNOTSUPP;
15258 
15259 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15260 		return -EINVAL;
15261 
15262 	wdev_lock(wdev);
15263 	if (!wdev->connected) {
15264 		ret = -ENOTCONN;
15265 		goto out;
15266 	}
15267 
15268 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15269 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15270 		ret = -EINVAL;
15271 		goto out;
15272 	}
15273 
15274 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15275 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15276 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15277 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15278 		ret = -EINVAL;
15279 		goto out;
15280 	}
15281 
15282 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15283 		pmk_conf.pmk_r0_name =
15284 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15285 
15286 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15287 out:
15288 	wdev_unlock(wdev);
15289 	return ret;
15290 }
15291 
15292 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15293 {
15294 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15295 	struct net_device *dev = info->user_ptr[1];
15296 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15297 	const u8 *aa;
15298 	int ret;
15299 
15300 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15301 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15302 		return -EOPNOTSUPP;
15303 
15304 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15305 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15306 		return -EOPNOTSUPP;
15307 
15308 	if (!info->attrs[NL80211_ATTR_MAC])
15309 		return -EINVAL;
15310 
15311 	wdev_lock(wdev);
15312 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15313 	ret = rdev_del_pmk(rdev, dev, aa);
15314 	wdev_unlock(wdev);
15315 
15316 	return ret;
15317 }
15318 
15319 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15320 {
15321 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15322 	struct net_device *dev = info->user_ptr[1];
15323 	struct cfg80211_external_auth_params params;
15324 
15325 	if (!rdev->ops->external_auth)
15326 		return -EOPNOTSUPP;
15327 
15328 	if (!info->attrs[NL80211_ATTR_SSID] &&
15329 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15330 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15331 		return -EINVAL;
15332 
15333 	if (!info->attrs[NL80211_ATTR_BSSID])
15334 		return -EINVAL;
15335 
15336 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15337 		return -EINVAL;
15338 
15339 	memset(&params, 0, sizeof(params));
15340 
15341 	if (info->attrs[NL80211_ATTR_SSID]) {
15342 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15343 		if (params.ssid.ssid_len == 0)
15344 			return -EINVAL;
15345 		memcpy(params.ssid.ssid,
15346 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15347 		       params.ssid.ssid_len);
15348 	}
15349 
15350 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15351 	       ETH_ALEN);
15352 
15353 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15354 
15355 	if (info->attrs[NL80211_ATTR_PMKID])
15356 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15357 
15358 	return rdev_external_auth(rdev, dev, &params);
15359 }
15360 
15361 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15362 {
15363 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15365 	struct net_device *dev = info->user_ptr[1];
15366 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15367 	const u8 *buf;
15368 	size_t len;
15369 	u8 *dest;
15370 	u16 proto;
15371 	bool noencrypt;
15372 	u64 cookie = 0;
15373 	int link_id;
15374 	int err;
15375 
15376 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15377 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15378 		return -EOPNOTSUPP;
15379 
15380 	if (!rdev->ops->tx_control_port)
15381 		return -EOPNOTSUPP;
15382 
15383 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15384 	    !info->attrs[NL80211_ATTR_MAC] ||
15385 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15386 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15387 		return -EINVAL;
15388 	}
15389 
15390 	wdev_lock(wdev);
15391 
15392 	switch (wdev->iftype) {
15393 	case NL80211_IFTYPE_AP:
15394 	case NL80211_IFTYPE_P2P_GO:
15395 	case NL80211_IFTYPE_MESH_POINT:
15396 		break;
15397 	case NL80211_IFTYPE_ADHOC:
15398 		if (wdev->u.ibss.current_bss)
15399 			break;
15400 		err = -ENOTCONN;
15401 		goto out;
15402 	case NL80211_IFTYPE_STATION:
15403 	case NL80211_IFTYPE_P2P_CLIENT:
15404 		if (wdev->connected)
15405 			break;
15406 		err = -ENOTCONN;
15407 		goto out;
15408 	default:
15409 		err = -EOPNOTSUPP;
15410 		goto out;
15411 	}
15412 
15413 	wdev_unlock(wdev);
15414 
15415 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15416 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15417 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15418 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15419 	noencrypt =
15420 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15421 
15422 	link_id = nl80211_link_id_or_invalid(info->attrs);
15423 
15424 	err = rdev_tx_control_port(rdev, dev, buf, len,
15425 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15426 				   dont_wait_for_ack ? NULL : &cookie);
15427 	if (!err && !dont_wait_for_ack)
15428 		nl_set_extack_cookie_u64(info->extack, cookie);
15429 	return err;
15430  out:
15431 	wdev_unlock(wdev);
15432 	return err;
15433 }
15434 
15435 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15436 					   struct genl_info *info)
15437 {
15438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15439 	struct net_device *dev = info->user_ptr[1];
15440 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15441 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15442 	unsigned int link_id = nl80211_link_id(info->attrs);
15443 	struct sk_buff *msg;
15444 	void *hdr;
15445 	struct nlattr *ftm_stats_attr;
15446 	int err;
15447 
15448 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15449 	    !wdev->links[link_id].ap.beacon_interval)
15450 		return -EOPNOTSUPP;
15451 
15452 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15453 	if (err)
15454 		return err;
15455 
15456 	if (!ftm_stats.filled)
15457 		return -ENODATA;
15458 
15459 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15460 	if (!msg)
15461 		return -ENOMEM;
15462 
15463 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15464 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15465 	if (!hdr)
15466 		goto nla_put_failure;
15467 
15468 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15469 		goto nla_put_failure;
15470 
15471 	ftm_stats_attr = nla_nest_start_noflag(msg,
15472 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15473 	if (!ftm_stats_attr)
15474 		goto nla_put_failure;
15475 
15476 #define SET_FTM(field, name, type)					 \
15477 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15478 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15479 			     ftm_stats.field))				 \
15480 		goto nla_put_failure; } while (0)
15481 #define SET_FTM_U64(field, name)					 \
15482 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15483 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15484 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15485 		goto nla_put_failure; } while (0)
15486 
15487 	SET_FTM(success_num, SUCCESS_NUM, u32);
15488 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15489 	SET_FTM(failed_num, FAILED_NUM, u32);
15490 	SET_FTM(asap_num, ASAP_NUM, u32);
15491 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15492 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15493 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15494 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15495 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15496 #undef SET_FTM
15497 
15498 	nla_nest_end(msg, ftm_stats_attr);
15499 
15500 	genlmsg_end(msg, hdr);
15501 	return genlmsg_reply(msg, info);
15502 
15503 nla_put_failure:
15504 	nlmsg_free(msg);
15505 	return -ENOBUFS;
15506 }
15507 
15508 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15509 {
15510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15511 	struct cfg80211_update_owe_info owe_info;
15512 	struct net_device *dev = info->user_ptr[1];
15513 
15514 	if (!rdev->ops->update_owe_info)
15515 		return -EOPNOTSUPP;
15516 
15517 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15518 	    !info->attrs[NL80211_ATTR_MAC])
15519 		return -EINVAL;
15520 
15521 	memset(&owe_info, 0, sizeof(owe_info));
15522 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15523 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15524 
15525 	if (info->attrs[NL80211_ATTR_IE]) {
15526 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15527 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15528 	}
15529 
15530 	return rdev_update_owe_info(rdev, dev, &owe_info);
15531 }
15532 
15533 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15534 {
15535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15536 	struct net_device *dev = info->user_ptr[1];
15537 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15538 	struct station_info sinfo = {};
15539 	const u8 *buf;
15540 	size_t len;
15541 	u8 *dest;
15542 	int err;
15543 
15544 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15545 		return -EOPNOTSUPP;
15546 
15547 	if (!info->attrs[NL80211_ATTR_MAC] ||
15548 	    !info->attrs[NL80211_ATTR_FRAME]) {
15549 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15550 		return -EINVAL;
15551 	}
15552 
15553 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15554 		return -EOPNOTSUPP;
15555 
15556 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15557 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15558 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15559 
15560 	if (len < sizeof(struct ethhdr))
15561 		return -EINVAL;
15562 
15563 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15564 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15565 		return -EINVAL;
15566 
15567 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15568 	if (err)
15569 		return err;
15570 
15571 	cfg80211_sinfo_release_content(&sinfo);
15572 
15573 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15574 }
15575 
15576 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15577 			  struct nlattr *attrs[], struct net_device *dev,
15578 			  struct cfg80211_tid_cfg *tid_conf,
15579 			  struct genl_info *info, const u8 *peer,
15580 			  unsigned int link_id)
15581 {
15582 	struct netlink_ext_ack *extack = info->extack;
15583 	u64 mask;
15584 	int err;
15585 
15586 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15587 		return -EINVAL;
15588 
15589 	tid_conf->config_override =
15590 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15591 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15592 
15593 	if (tid_conf->config_override) {
15594 		if (rdev->ops->reset_tid_config) {
15595 			err = rdev_reset_tid_config(rdev, dev, peer,
15596 						    tid_conf->tids);
15597 			if (err)
15598 				return err;
15599 		} else {
15600 			return -EINVAL;
15601 		}
15602 	}
15603 
15604 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15605 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15606 		tid_conf->noack =
15607 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15608 	}
15609 
15610 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15611 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15612 		tid_conf->retry_short =
15613 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15614 
15615 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15616 			return -EINVAL;
15617 	}
15618 
15619 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15620 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15621 		tid_conf->retry_long =
15622 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15623 
15624 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15625 			return -EINVAL;
15626 	}
15627 
15628 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15629 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15630 		tid_conf->ampdu =
15631 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15632 	}
15633 
15634 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15635 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15636 		tid_conf->rtscts =
15637 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15638 	}
15639 
15640 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15641 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15642 		tid_conf->amsdu =
15643 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15644 	}
15645 
15646 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15647 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15648 
15649 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15650 
15651 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15652 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15653 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15654 						    &tid_conf->txrate_mask, dev,
15655 						    true, link_id);
15656 			if (err)
15657 				return err;
15658 
15659 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15660 		}
15661 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15662 	}
15663 
15664 	if (peer)
15665 		mask = rdev->wiphy.tid_config_support.peer;
15666 	else
15667 		mask = rdev->wiphy.tid_config_support.vif;
15668 
15669 	if (tid_conf->mask & ~mask) {
15670 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15671 		return -ENOTSUPP;
15672 	}
15673 
15674 	return 0;
15675 }
15676 
15677 static int nl80211_set_tid_config(struct sk_buff *skb,
15678 				  struct genl_info *info)
15679 {
15680 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15681 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15682 	unsigned int link_id = nl80211_link_id(info->attrs);
15683 	struct net_device *dev = info->user_ptr[1];
15684 	struct cfg80211_tid_config *tid_config;
15685 	struct nlattr *tid;
15686 	int conf_idx = 0, rem_conf;
15687 	int ret = -EINVAL;
15688 	u32 num_conf = 0;
15689 
15690 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15691 		return -EINVAL;
15692 
15693 	if (!rdev->ops->set_tid_config)
15694 		return -EOPNOTSUPP;
15695 
15696 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15697 			    rem_conf)
15698 		num_conf++;
15699 
15700 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15701 			     GFP_KERNEL);
15702 	if (!tid_config)
15703 		return -ENOMEM;
15704 
15705 	tid_config->n_tid_conf = num_conf;
15706 
15707 	if (info->attrs[NL80211_ATTR_MAC])
15708 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15709 
15710 	wdev_lock(dev->ieee80211_ptr);
15711 
15712 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15713 			    rem_conf) {
15714 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15715 				       tid, NULL, NULL);
15716 
15717 		if (ret)
15718 			goto bad_tid_conf;
15719 
15720 		ret = parse_tid_conf(rdev, attrs, dev,
15721 				     &tid_config->tid_conf[conf_idx],
15722 				     info, tid_config->peer, link_id);
15723 		if (ret)
15724 			goto bad_tid_conf;
15725 
15726 		conf_idx++;
15727 	}
15728 
15729 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15730 
15731 bad_tid_conf:
15732 	kfree(tid_config);
15733 	wdev_unlock(dev->ieee80211_ptr);
15734 	return ret;
15735 }
15736 
15737 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15738 {
15739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15740 	struct cfg80211_color_change_settings params = {};
15741 	struct net_device *dev = info->user_ptr[1];
15742 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15743 	struct nlattr **tb;
15744 	u16 offset;
15745 	int err;
15746 
15747 	if (!rdev->ops->color_change)
15748 		return -EOPNOTSUPP;
15749 
15750 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15751 				     NL80211_EXT_FEATURE_BSS_COLOR))
15752 		return -EOPNOTSUPP;
15753 
15754 	if (wdev->iftype != NL80211_IFTYPE_AP)
15755 		return -EOPNOTSUPP;
15756 
15757 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15758 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15759 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15760 		return -EINVAL;
15761 
15762 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15763 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15764 
15765 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15766 	if (err)
15767 		return err;
15768 
15769 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15770 	if (!tb)
15771 		return -ENOMEM;
15772 
15773 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15774 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15775 			       nl80211_policy, info->extack);
15776 	if (err)
15777 		goto out;
15778 
15779 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15780 	if (err)
15781 		goto out;
15782 
15783 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15784 		err = -EINVAL;
15785 		goto out;
15786 	}
15787 
15788 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15789 		err = -EINVAL;
15790 		goto out;
15791 	}
15792 
15793 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15794 	if (offset >= params.beacon_color_change.tail_len) {
15795 		err = -EINVAL;
15796 		goto out;
15797 	}
15798 
15799 	if (params.beacon_color_change.tail[offset] != params.count) {
15800 		err = -EINVAL;
15801 		goto out;
15802 	}
15803 
15804 	params.counter_offset_beacon = offset;
15805 
15806 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15807 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15808 		    sizeof(u16)) {
15809 			err = -EINVAL;
15810 			goto out;
15811 		}
15812 
15813 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15814 		if (offset >= params.beacon_color_change.probe_resp_len) {
15815 			err = -EINVAL;
15816 			goto out;
15817 		}
15818 
15819 		if (params.beacon_color_change.probe_resp[offset] !=
15820 		    params.count) {
15821 			err = -EINVAL;
15822 			goto out;
15823 		}
15824 
15825 		params.counter_offset_presp = offset;
15826 	}
15827 
15828 	wdev_lock(wdev);
15829 	err = rdev_color_change(rdev, dev, &params);
15830 	wdev_unlock(wdev);
15831 
15832 out:
15833 	kfree(params.beacon_next.mbssid_ies);
15834 	kfree(params.beacon_color_change.mbssid_ies);
15835 	kfree(tb);
15836 	return err;
15837 }
15838 
15839 static int nl80211_set_fils_aad(struct sk_buff *skb,
15840 				struct genl_info *info)
15841 {
15842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15843 	struct net_device *dev = info->user_ptr[1];
15844 	struct cfg80211_fils_aad fils_aad = {};
15845 	u8 *nonces;
15846 
15847 	if (!info->attrs[NL80211_ATTR_MAC] ||
15848 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15849 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15850 		return -EINVAL;
15851 
15852 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15853 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15854 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15855 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15856 	fils_aad.snonce = nonces;
15857 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15858 
15859 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15860 }
15861 
15862 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
15863 {
15864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15865 	unsigned int link_id = nl80211_link_id(info->attrs);
15866 	struct net_device *dev = info->user_ptr[1];
15867 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15868 	int ret;
15869 
15870 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
15871 		return -EINVAL;
15872 
15873 	switch (wdev->iftype) {
15874 	case NL80211_IFTYPE_AP:
15875 		break;
15876 	default:
15877 		return -EINVAL;
15878 	}
15879 
15880 	if (!info->attrs[NL80211_ATTR_MAC] ||
15881 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
15882 		return -EINVAL;
15883 
15884 	wdev_lock(wdev);
15885 	wdev->valid_links |= BIT(link_id);
15886 	ether_addr_copy(wdev->links[link_id].addr,
15887 			nla_data(info->attrs[NL80211_ATTR_MAC]));
15888 
15889 	ret = rdev_add_intf_link(rdev, wdev, link_id);
15890 	if (ret) {
15891 		wdev->valid_links &= ~BIT(link_id);
15892 		eth_zero_addr(wdev->links[link_id].addr);
15893 	}
15894 	wdev_unlock(wdev);
15895 
15896 	return ret;
15897 }
15898 
15899 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
15900 {
15901 	unsigned int link_id = nl80211_link_id(info->attrs);
15902 	struct net_device *dev = info->user_ptr[1];
15903 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15904 
15905 	/* cannot remove if there's no link */
15906 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
15907 		return -EINVAL;
15908 
15909 	switch (wdev->iftype) {
15910 	case NL80211_IFTYPE_AP:
15911 		break;
15912 	default:
15913 		return -EINVAL;
15914 	}
15915 
15916 	wdev_lock(wdev);
15917 	cfg80211_remove_link(wdev, link_id);
15918 	wdev_unlock(wdev);
15919 
15920 	return 0;
15921 }
15922 
15923 static int
15924 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
15925 			     bool add)
15926 {
15927 	struct link_station_parameters params = {};
15928 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15929 	struct net_device *dev = info->user_ptr[1];
15930 	int err;
15931 
15932 	if ((add && !rdev->ops->add_link_station) ||
15933 	    (!add && !rdev->ops->mod_link_station))
15934 		return -EOPNOTSUPP;
15935 
15936 	if (add && !info->attrs[NL80211_ATTR_MAC])
15937 		return -EINVAL;
15938 
15939 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
15940 		return -EINVAL;
15941 
15942 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
15943 		return -EINVAL;
15944 
15945 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
15946 
15947 	if (info->attrs[NL80211_ATTR_MAC]) {
15948 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
15949 		if (!is_valid_ether_addr(params.link_mac))
15950 			return -EINVAL;
15951 	}
15952 
15953 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
15954 		return -EINVAL;
15955 
15956 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
15957 
15958 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
15959 		params.supported_rates =
15960 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
15961 		params.supported_rates_len =
15962 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
15963 	}
15964 
15965 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
15966 		params.ht_capa =
15967 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
15968 
15969 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
15970 		params.vht_capa =
15971 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
15972 
15973 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
15974 		params.he_capa =
15975 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
15976 		params.he_capa_len =
15977 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
15978 
15979 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
15980 			params.eht_capa =
15981 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
15982 			params.eht_capa_len =
15983 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
15984 
15985 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
15986 							(const u8 *)params.eht_capa,
15987 							params.eht_capa_len,
15988 							false))
15989 				return -EINVAL;
15990 		}
15991 	}
15992 
15993 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
15994 		params.he_6ghz_capa =
15995 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
15996 
15997 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
15998 		params.opmode_notif_used = true;
15999 		params.opmode_notif =
16000 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16001 	}
16002 
16003 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16004 						&params.txpwr_set);
16005 	if (err)
16006 		return err;
16007 
16008 	wdev_lock(dev->ieee80211_ptr);
16009 	if (add)
16010 		err = rdev_add_link_station(rdev, dev, &params);
16011 	else
16012 		err = rdev_mod_link_station(rdev, dev, &params);
16013 	wdev_unlock(dev->ieee80211_ptr);
16014 
16015 	return err;
16016 }
16017 
16018 static int
16019 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16020 {
16021 	return nl80211_add_mod_link_station(skb, info, true);
16022 }
16023 
16024 static int
16025 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16026 {
16027 	return nl80211_add_mod_link_station(skb, info, false);
16028 }
16029 
16030 static int
16031 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16032 {
16033 	struct link_station_del_parameters params = {};
16034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16035 	struct net_device *dev = info->user_ptr[1];
16036 	int ret;
16037 
16038 	if (!rdev->ops->del_link_station)
16039 		return -EOPNOTSUPP;
16040 
16041 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16042 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16043 		return -EINVAL;
16044 
16045 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16046 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16047 
16048 	wdev_lock(dev->ieee80211_ptr);
16049 	ret = rdev_del_link_station(rdev, dev, &params);
16050 	wdev_unlock(dev->ieee80211_ptr);
16051 
16052 	return ret;
16053 }
16054 
16055 #define NL80211_FLAG_NEED_WIPHY		0x01
16056 #define NL80211_FLAG_NEED_NETDEV	0x02
16057 #define NL80211_FLAG_NEED_RTNL		0x04
16058 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16059 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16060 					 NL80211_FLAG_CHECK_NETDEV_UP)
16061 #define NL80211_FLAG_NEED_WDEV		0x10
16062 /* If a netdev is associated, it must be UP, P2P must be started */
16063 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16064 					 NL80211_FLAG_CHECK_NETDEV_UP)
16065 #define NL80211_FLAG_CLEAR_SKB		0x20
16066 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16067 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16068 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16069 
16070 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16071 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16072 	SELECTOR(__sel, WIPHY,				\
16073 		 NL80211_FLAG_NEED_WIPHY)		\
16074 	SELECTOR(__sel, WDEV,				\
16075 		 NL80211_FLAG_NEED_WDEV)		\
16076 	SELECTOR(__sel, NETDEV,				\
16077 		 NL80211_FLAG_NEED_NETDEV)		\
16078 	SELECTOR(__sel, NETDEV_LINK,			\
16079 		 NL80211_FLAG_NEED_NETDEV |		\
16080 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16081 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16082 		 NL80211_FLAG_NEED_NETDEV |		\
16083 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16084 	SELECTOR(__sel, WIPHY_RTNL,			\
16085 		 NL80211_FLAG_NEED_WIPHY |		\
16086 		 NL80211_FLAG_NEED_RTNL)		\
16087 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16088 		 NL80211_FLAG_NEED_WIPHY |		\
16089 		 NL80211_FLAG_NEED_RTNL |		\
16090 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16091 	SELECTOR(__sel, WDEV_RTNL,			\
16092 		 NL80211_FLAG_NEED_WDEV |		\
16093 		 NL80211_FLAG_NEED_RTNL)		\
16094 	SELECTOR(__sel, NETDEV_RTNL,			\
16095 		 NL80211_FLAG_NEED_NETDEV |		\
16096 		 NL80211_FLAG_NEED_RTNL)		\
16097 	SELECTOR(__sel, NETDEV_UP,			\
16098 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16099 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16100 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16101 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16102 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16103 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16104 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16105 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16106 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16107 		 NL80211_FLAG_CLEAR_SKB |		\
16108 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16109 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16110 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16111 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16112 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16113 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16114 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16115 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16116 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16117 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16118 		 NL80211_FLAG_CLEAR_SKB)		\
16119 	SELECTOR(__sel, WDEV_UP,			\
16120 		 NL80211_FLAG_NEED_WDEV_UP)		\
16121 	SELECTOR(__sel, WDEV_UP_LINK,			\
16122 		 NL80211_FLAG_NEED_WDEV_UP |		\
16123 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16124 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16125 		 NL80211_FLAG_NEED_WDEV_UP |		\
16126 		 NL80211_FLAG_NEED_RTNL)		\
16127 	SELECTOR(__sel, WIPHY_CLEAR,			\
16128 		 NL80211_FLAG_NEED_WIPHY |		\
16129 		 NL80211_FLAG_CLEAR_SKB)
16130 
16131 enum nl80211_internal_flags_selector {
16132 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16133 	INTERNAL_FLAG_SELECTORS(_)
16134 #undef SELECTOR
16135 };
16136 
16137 static u32 nl80211_internal_flags[] = {
16138 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16139 	INTERNAL_FLAG_SELECTORS(_)
16140 #undef SELECTOR
16141 };
16142 
16143 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
16144 			    struct genl_info *info)
16145 {
16146 	struct cfg80211_registered_device *rdev = NULL;
16147 	struct wireless_dev *wdev = NULL;
16148 	struct net_device *dev = NULL;
16149 	u32 internal_flags;
16150 	int err;
16151 
16152 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16153 		return -EINVAL;
16154 
16155 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16156 
16157 	rtnl_lock();
16158 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16159 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16160 		if (IS_ERR(rdev)) {
16161 			err = PTR_ERR(rdev);
16162 			goto out_unlock;
16163 		}
16164 		info->user_ptr[0] = rdev;
16165 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16166 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16167 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16168 						  info->attrs);
16169 		if (IS_ERR(wdev)) {
16170 			err = PTR_ERR(wdev);
16171 			goto out_unlock;
16172 		}
16173 
16174 		dev = wdev->netdev;
16175 		dev_hold(dev);
16176 		rdev = wiphy_to_rdev(wdev->wiphy);
16177 
16178 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16179 			if (!dev) {
16180 				err = -EINVAL;
16181 				goto out_unlock;
16182 			}
16183 
16184 			info->user_ptr[1] = dev;
16185 		} else {
16186 			info->user_ptr[1] = wdev;
16187 		}
16188 
16189 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16190 		    !wdev_running(wdev)) {
16191 			err = -ENETDOWN;
16192 			goto out_unlock;
16193 		}
16194 
16195 		info->user_ptr[0] = rdev;
16196 	}
16197 
16198 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16199 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16200 
16201 		if (!wdev) {
16202 			err = -EINVAL;
16203 			goto out_unlock;
16204 		}
16205 
16206 		/* MLO -> require valid link ID */
16207 		if (wdev->valid_links &&
16208 		    (!link_id ||
16209 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16210 			err = -EINVAL;
16211 			goto out_unlock;
16212 		}
16213 
16214 		/* non-MLO -> no link ID attribute accepted */
16215 		if (!wdev->valid_links && link_id) {
16216 			err = -EINVAL;
16217 			goto out_unlock;
16218 		}
16219 	}
16220 
16221 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16222 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16223 		    (wdev && wdev->valid_links)) {
16224 			err = -EINVAL;
16225 			goto out_unlock;
16226 		}
16227 	}
16228 
16229 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16230 		wiphy_lock(&rdev->wiphy);
16231 		/* we keep the mutex locked until post_doit */
16232 		__release(&rdev->wiphy.mtx);
16233 	}
16234 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16235 		rtnl_unlock();
16236 
16237 	return 0;
16238 out_unlock:
16239 	rtnl_unlock();
16240 	dev_put(dev);
16241 	return err;
16242 }
16243 
16244 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
16245 			      struct genl_info *info)
16246 {
16247 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16248 
16249 	if (info->user_ptr[1]) {
16250 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16251 			struct wireless_dev *wdev = info->user_ptr[1];
16252 
16253 			dev_put(wdev->netdev);
16254 		} else {
16255 			dev_put(info->user_ptr[1]);
16256 		}
16257 	}
16258 
16259 	if (info->user_ptr[0] &&
16260 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16261 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16262 
16263 		/* we kept the mutex locked since pre_doit */
16264 		__acquire(&rdev->wiphy.mtx);
16265 		wiphy_unlock(&rdev->wiphy);
16266 	}
16267 
16268 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16269 		rtnl_unlock();
16270 
16271 	/* If needed, clear the netlink message payload from the SKB
16272 	 * as it might contain key data that shouldn't stick around on
16273 	 * the heap after the SKB is freed. The netlink message header
16274 	 * is still needed for further processing, so leave it intact.
16275 	 */
16276 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16277 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16278 
16279 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16280 	}
16281 }
16282 
16283 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16284 				     struct cfg80211_sar_specs *sar_specs,
16285 				     struct nlattr *spec[], int index)
16286 {
16287 	u32 range_index, i;
16288 
16289 	if (!sar_specs || !spec)
16290 		return -EINVAL;
16291 
16292 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16293 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16294 		return -EINVAL;
16295 
16296 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16297 
16298 	/* check if range_index exceeds num_freq_ranges */
16299 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16300 		return -EINVAL;
16301 
16302 	/* check if range_index duplicates */
16303 	for (i = 0; i < index; i++) {
16304 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16305 			return -EINVAL;
16306 	}
16307 
16308 	sar_specs->sub_specs[index].power =
16309 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16310 
16311 	sar_specs->sub_specs[index].freq_range_index = range_index;
16312 
16313 	return 0;
16314 }
16315 
16316 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16317 {
16318 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16319 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16320 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16321 	struct cfg80211_sar_specs *sar_spec;
16322 	enum nl80211_sar_type type;
16323 	struct nlattr *spec_list;
16324 	u32 specs;
16325 	int rem, err;
16326 
16327 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16328 		return -EOPNOTSUPP;
16329 
16330 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16331 		return -EINVAL;
16332 
16333 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16334 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16335 			 NULL, NULL);
16336 
16337 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16338 		return -EINVAL;
16339 
16340 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16341 	if (type != rdev->wiphy.sar_capa->type)
16342 		return -EINVAL;
16343 
16344 	specs = 0;
16345 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16346 		specs++;
16347 
16348 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16349 		return -EINVAL;
16350 
16351 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16352 	if (!sar_spec)
16353 		return -ENOMEM;
16354 
16355 	sar_spec->type = type;
16356 	specs = 0;
16357 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16358 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16359 				 spec_list, NULL, NULL);
16360 
16361 		switch (type) {
16362 		case NL80211_SAR_TYPE_POWER:
16363 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16364 						      spec, specs)) {
16365 				err = -EINVAL;
16366 				goto error;
16367 			}
16368 			break;
16369 		default:
16370 			err = -EINVAL;
16371 			goto error;
16372 		}
16373 		specs++;
16374 	}
16375 
16376 	sar_spec->num_sub_specs = specs;
16377 
16378 	rdev->cur_cmd_info = info;
16379 	err = rdev_set_sar_specs(rdev, sar_spec);
16380 	rdev->cur_cmd_info = NULL;
16381 error:
16382 	kfree(sar_spec);
16383 	return err;
16384 }
16385 
16386 #define SELECTOR(__sel, name, value) \
16387 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16388 int __missing_selector(void);
16389 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16390 
16391 static const struct genl_ops nl80211_ops[] = {
16392 	{
16393 		.cmd = NL80211_CMD_GET_WIPHY,
16394 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16395 		.doit = nl80211_get_wiphy,
16396 		.dumpit = nl80211_dump_wiphy,
16397 		.done = nl80211_dump_wiphy_done,
16398 		/* can be retrieved by unprivileged users */
16399 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16400 	},
16401 };
16402 
16403 static const struct genl_small_ops nl80211_small_ops[] = {
16404 	{
16405 		.cmd = NL80211_CMD_SET_WIPHY,
16406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16407 		.doit = nl80211_set_wiphy,
16408 		.flags = GENL_UNS_ADMIN_PERM,
16409 	},
16410 	{
16411 		.cmd = NL80211_CMD_GET_INTERFACE,
16412 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16413 		.doit = nl80211_get_interface,
16414 		.dumpit = nl80211_dump_interface,
16415 		/* can be retrieved by unprivileged users */
16416 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16417 	},
16418 	{
16419 		.cmd = NL80211_CMD_SET_INTERFACE,
16420 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16421 		.doit = nl80211_set_interface,
16422 		.flags = GENL_UNS_ADMIN_PERM,
16423 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16424 					 NL80211_FLAG_NEED_RTNL),
16425 	},
16426 	{
16427 		.cmd = NL80211_CMD_NEW_INTERFACE,
16428 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16429 		.doit = nl80211_new_interface,
16430 		.flags = GENL_UNS_ADMIN_PERM,
16431 		.internal_flags =
16432 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16433 			       NL80211_FLAG_NEED_RTNL |
16434 			       /* we take the wiphy mutex later ourselves */
16435 			       NL80211_FLAG_NO_WIPHY_MTX),
16436 	},
16437 	{
16438 		.cmd = NL80211_CMD_DEL_INTERFACE,
16439 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16440 		.doit = nl80211_del_interface,
16441 		.flags = GENL_UNS_ADMIN_PERM,
16442 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16443 					 NL80211_FLAG_NEED_RTNL),
16444 	},
16445 	{
16446 		.cmd = NL80211_CMD_GET_KEY,
16447 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16448 		.doit = nl80211_get_key,
16449 		.flags = GENL_UNS_ADMIN_PERM,
16450 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16451 	},
16452 	{
16453 		.cmd = NL80211_CMD_SET_KEY,
16454 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16455 		.doit = nl80211_set_key,
16456 		.flags = GENL_UNS_ADMIN_PERM,
16457 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16458 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16459 					 NL80211_FLAG_CLEAR_SKB),
16460 	},
16461 	{
16462 		.cmd = NL80211_CMD_NEW_KEY,
16463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16464 		.doit = nl80211_new_key,
16465 		.flags = GENL_UNS_ADMIN_PERM,
16466 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16467 					 NL80211_FLAG_CLEAR_SKB),
16468 	},
16469 	{
16470 		.cmd = NL80211_CMD_DEL_KEY,
16471 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16472 		.doit = nl80211_del_key,
16473 		.flags = GENL_UNS_ADMIN_PERM,
16474 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16475 	},
16476 	{
16477 		.cmd = NL80211_CMD_SET_BEACON,
16478 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16479 		.flags = GENL_UNS_ADMIN_PERM,
16480 		.doit = nl80211_set_beacon,
16481 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16482 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16483 	},
16484 	{
16485 		.cmd = NL80211_CMD_START_AP,
16486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16487 		.flags = GENL_UNS_ADMIN_PERM,
16488 		.doit = nl80211_start_ap,
16489 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16490 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16491 	},
16492 	{
16493 		.cmd = NL80211_CMD_STOP_AP,
16494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16495 		.flags = GENL_UNS_ADMIN_PERM,
16496 		.doit = nl80211_stop_ap,
16497 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16498 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16499 	},
16500 	{
16501 		.cmd = NL80211_CMD_GET_STATION,
16502 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16503 		.doit = nl80211_get_station,
16504 		.dumpit = nl80211_dump_station,
16505 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16506 	},
16507 	{
16508 		.cmd = NL80211_CMD_SET_STATION,
16509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16510 		.doit = nl80211_set_station,
16511 		.flags = GENL_UNS_ADMIN_PERM,
16512 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16513 	},
16514 	{
16515 		.cmd = NL80211_CMD_NEW_STATION,
16516 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16517 		.doit = nl80211_new_station,
16518 		.flags = GENL_UNS_ADMIN_PERM,
16519 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16520 	},
16521 	{
16522 		.cmd = NL80211_CMD_DEL_STATION,
16523 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16524 		.doit = nl80211_del_station,
16525 		.flags = GENL_UNS_ADMIN_PERM,
16526 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16527 	},
16528 	{
16529 		.cmd = NL80211_CMD_GET_MPATH,
16530 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16531 		.doit = nl80211_get_mpath,
16532 		.dumpit = nl80211_dump_mpath,
16533 		.flags = GENL_UNS_ADMIN_PERM,
16534 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16535 	},
16536 	{
16537 		.cmd = NL80211_CMD_GET_MPP,
16538 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16539 		.doit = nl80211_get_mpp,
16540 		.dumpit = nl80211_dump_mpp,
16541 		.flags = GENL_UNS_ADMIN_PERM,
16542 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16543 	},
16544 	{
16545 		.cmd = NL80211_CMD_SET_MPATH,
16546 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16547 		.doit = nl80211_set_mpath,
16548 		.flags = GENL_UNS_ADMIN_PERM,
16549 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16550 	},
16551 	{
16552 		.cmd = NL80211_CMD_NEW_MPATH,
16553 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16554 		.doit = nl80211_new_mpath,
16555 		.flags = GENL_UNS_ADMIN_PERM,
16556 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16557 	},
16558 	{
16559 		.cmd = NL80211_CMD_DEL_MPATH,
16560 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16561 		.doit = nl80211_del_mpath,
16562 		.flags = GENL_UNS_ADMIN_PERM,
16563 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16564 	},
16565 	{
16566 		.cmd = NL80211_CMD_SET_BSS,
16567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16568 		.doit = nl80211_set_bss,
16569 		.flags = GENL_UNS_ADMIN_PERM,
16570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16571 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16572 	},
16573 	{
16574 		.cmd = NL80211_CMD_GET_REG,
16575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16576 		.doit = nl80211_get_reg_do,
16577 		.dumpit = nl80211_get_reg_dump,
16578 		/* can be retrieved by unprivileged users */
16579 	},
16580 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16581 	{
16582 		.cmd = NL80211_CMD_SET_REG,
16583 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16584 		.doit = nl80211_set_reg,
16585 		.flags = GENL_ADMIN_PERM,
16586 	},
16587 #endif
16588 	{
16589 		.cmd = NL80211_CMD_REQ_SET_REG,
16590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16591 		.doit = nl80211_req_set_reg,
16592 		.flags = GENL_ADMIN_PERM,
16593 	},
16594 	{
16595 		.cmd = NL80211_CMD_RELOAD_REGDB,
16596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16597 		.doit = nl80211_reload_regdb,
16598 		.flags = GENL_ADMIN_PERM,
16599 	},
16600 	{
16601 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16602 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16603 		.doit = nl80211_get_mesh_config,
16604 		/* can be retrieved by unprivileged users */
16605 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16606 	},
16607 	{
16608 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16609 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16610 		.doit = nl80211_update_mesh_config,
16611 		.flags = GENL_UNS_ADMIN_PERM,
16612 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16613 	},
16614 	{
16615 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16616 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16617 		.doit = nl80211_trigger_scan,
16618 		.flags = GENL_UNS_ADMIN_PERM,
16619 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16620 	},
16621 	{
16622 		.cmd = NL80211_CMD_ABORT_SCAN,
16623 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16624 		.doit = nl80211_abort_scan,
16625 		.flags = GENL_UNS_ADMIN_PERM,
16626 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16627 	},
16628 	{
16629 		.cmd = NL80211_CMD_GET_SCAN,
16630 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16631 		.dumpit = nl80211_dump_scan,
16632 	},
16633 	{
16634 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16636 		.doit = nl80211_start_sched_scan,
16637 		.flags = GENL_UNS_ADMIN_PERM,
16638 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16639 	},
16640 	{
16641 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16642 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16643 		.doit = nl80211_stop_sched_scan,
16644 		.flags = GENL_UNS_ADMIN_PERM,
16645 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16646 	},
16647 	{
16648 		.cmd = NL80211_CMD_AUTHENTICATE,
16649 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16650 		.doit = nl80211_authenticate,
16651 		.flags = GENL_UNS_ADMIN_PERM,
16652 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16653 					 NL80211_FLAG_CLEAR_SKB),
16654 	},
16655 	{
16656 		.cmd = NL80211_CMD_ASSOCIATE,
16657 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16658 		.doit = nl80211_associate,
16659 		.flags = GENL_UNS_ADMIN_PERM,
16660 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16661 					 NL80211_FLAG_CLEAR_SKB),
16662 	},
16663 	{
16664 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16666 		.doit = nl80211_deauthenticate,
16667 		.flags = GENL_UNS_ADMIN_PERM,
16668 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16669 	},
16670 	{
16671 		.cmd = NL80211_CMD_DISASSOCIATE,
16672 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16673 		.doit = nl80211_disassociate,
16674 		.flags = GENL_UNS_ADMIN_PERM,
16675 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16676 	},
16677 	{
16678 		.cmd = NL80211_CMD_JOIN_IBSS,
16679 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16680 		.doit = nl80211_join_ibss,
16681 		.flags = GENL_UNS_ADMIN_PERM,
16682 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16683 	},
16684 	{
16685 		.cmd = NL80211_CMD_LEAVE_IBSS,
16686 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16687 		.doit = nl80211_leave_ibss,
16688 		.flags = GENL_UNS_ADMIN_PERM,
16689 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16690 	},
16691 #ifdef CONFIG_NL80211_TESTMODE
16692 	{
16693 		.cmd = NL80211_CMD_TESTMODE,
16694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16695 		.doit = nl80211_testmode_do,
16696 		.dumpit = nl80211_testmode_dump,
16697 		.flags = GENL_UNS_ADMIN_PERM,
16698 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16699 	},
16700 #endif
16701 	{
16702 		.cmd = NL80211_CMD_CONNECT,
16703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16704 		.doit = nl80211_connect,
16705 		.flags = GENL_UNS_ADMIN_PERM,
16706 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16707 					 NL80211_FLAG_CLEAR_SKB),
16708 	},
16709 	{
16710 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
16711 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16712 		.doit = nl80211_update_connect_params,
16713 		.flags = GENL_ADMIN_PERM,
16714 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16715 					 NL80211_FLAG_CLEAR_SKB),
16716 	},
16717 	{
16718 		.cmd = NL80211_CMD_DISCONNECT,
16719 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16720 		.doit = nl80211_disconnect,
16721 		.flags = GENL_UNS_ADMIN_PERM,
16722 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16723 	},
16724 	{
16725 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
16726 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16727 		.doit = nl80211_wiphy_netns,
16728 		.flags = GENL_UNS_ADMIN_PERM,
16729 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16730 					 NL80211_FLAG_NEED_RTNL |
16731 					 NL80211_FLAG_NO_WIPHY_MTX),
16732 	},
16733 	{
16734 		.cmd = NL80211_CMD_GET_SURVEY,
16735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16736 		.dumpit = nl80211_dump_survey,
16737 	},
16738 	{
16739 		.cmd = NL80211_CMD_SET_PMKSA,
16740 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16741 		.doit = nl80211_setdel_pmksa,
16742 		.flags = GENL_UNS_ADMIN_PERM,
16743 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16744 					 NL80211_FLAG_CLEAR_SKB),
16745 	},
16746 	{
16747 		.cmd = NL80211_CMD_DEL_PMKSA,
16748 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16749 		.doit = nl80211_setdel_pmksa,
16750 		.flags = GENL_UNS_ADMIN_PERM,
16751 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16752 	},
16753 	{
16754 		.cmd = NL80211_CMD_FLUSH_PMKSA,
16755 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16756 		.doit = nl80211_flush_pmksa,
16757 		.flags = GENL_UNS_ADMIN_PERM,
16758 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16759 	},
16760 	{
16761 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
16762 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16763 		.doit = nl80211_remain_on_channel,
16764 		.flags = GENL_UNS_ADMIN_PERM,
16765 		/* FIXME: requiring a link ID here is probably not good */
16766 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16767 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16768 	},
16769 	{
16770 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16771 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16772 		.doit = nl80211_cancel_remain_on_channel,
16773 		.flags = GENL_UNS_ADMIN_PERM,
16774 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16775 	},
16776 	{
16777 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
16778 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16779 		.doit = nl80211_set_tx_bitrate_mask,
16780 		.flags = GENL_UNS_ADMIN_PERM,
16781 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16782 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16783 	},
16784 	{
16785 		.cmd = NL80211_CMD_REGISTER_FRAME,
16786 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16787 		.doit = nl80211_register_mgmt,
16788 		.flags = GENL_UNS_ADMIN_PERM,
16789 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16790 	},
16791 	{
16792 		.cmd = NL80211_CMD_FRAME,
16793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16794 		.doit = nl80211_tx_mgmt,
16795 		.flags = GENL_UNS_ADMIN_PERM,
16796 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16797 	},
16798 	{
16799 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
16800 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16801 		.doit = nl80211_tx_mgmt_cancel_wait,
16802 		.flags = GENL_UNS_ADMIN_PERM,
16803 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16804 	},
16805 	{
16806 		.cmd = NL80211_CMD_SET_POWER_SAVE,
16807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16808 		.doit = nl80211_set_power_save,
16809 		.flags = GENL_UNS_ADMIN_PERM,
16810 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16811 	},
16812 	{
16813 		.cmd = NL80211_CMD_GET_POWER_SAVE,
16814 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16815 		.doit = nl80211_get_power_save,
16816 		/* can be retrieved by unprivileged users */
16817 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16818 	},
16819 	{
16820 		.cmd = NL80211_CMD_SET_CQM,
16821 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16822 		.doit = nl80211_set_cqm,
16823 		.flags = GENL_UNS_ADMIN_PERM,
16824 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16825 	},
16826 	{
16827 		.cmd = NL80211_CMD_SET_CHANNEL,
16828 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16829 		.doit = nl80211_set_channel,
16830 		.flags = GENL_UNS_ADMIN_PERM,
16831 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16832 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16833 	},
16834 	{
16835 		.cmd = NL80211_CMD_JOIN_MESH,
16836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16837 		.doit = nl80211_join_mesh,
16838 		.flags = GENL_UNS_ADMIN_PERM,
16839 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16840 	},
16841 	{
16842 		.cmd = NL80211_CMD_LEAVE_MESH,
16843 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16844 		.doit = nl80211_leave_mesh,
16845 		.flags = GENL_UNS_ADMIN_PERM,
16846 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16847 	},
16848 	{
16849 		.cmd = NL80211_CMD_JOIN_OCB,
16850 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16851 		.doit = nl80211_join_ocb,
16852 		.flags = GENL_UNS_ADMIN_PERM,
16853 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16854 	},
16855 	{
16856 		.cmd = NL80211_CMD_LEAVE_OCB,
16857 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16858 		.doit = nl80211_leave_ocb,
16859 		.flags = GENL_UNS_ADMIN_PERM,
16860 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16861 	},
16862 #ifdef CONFIG_PM
16863 	{
16864 		.cmd = NL80211_CMD_GET_WOWLAN,
16865 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16866 		.doit = nl80211_get_wowlan,
16867 		/* can be retrieved by unprivileged users */
16868 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16869 	},
16870 	{
16871 		.cmd = NL80211_CMD_SET_WOWLAN,
16872 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16873 		.doit = nl80211_set_wowlan,
16874 		.flags = GENL_UNS_ADMIN_PERM,
16875 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16876 	},
16877 #endif
16878 	{
16879 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
16880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16881 		.doit = nl80211_set_rekey_data,
16882 		.flags = GENL_UNS_ADMIN_PERM,
16883 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16884 					 NL80211_FLAG_CLEAR_SKB),
16885 	},
16886 	{
16887 		.cmd = NL80211_CMD_TDLS_MGMT,
16888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16889 		.doit = nl80211_tdls_mgmt,
16890 		.flags = GENL_UNS_ADMIN_PERM,
16891 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16892 	},
16893 	{
16894 		.cmd = NL80211_CMD_TDLS_OPER,
16895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16896 		.doit = nl80211_tdls_oper,
16897 		.flags = GENL_UNS_ADMIN_PERM,
16898 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16899 	},
16900 	{
16901 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
16902 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16903 		.doit = nl80211_register_unexpected_frame,
16904 		.flags = GENL_UNS_ADMIN_PERM,
16905 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16906 	},
16907 	{
16908 		.cmd = NL80211_CMD_PROBE_CLIENT,
16909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16910 		.doit = nl80211_probe_client,
16911 		.flags = GENL_UNS_ADMIN_PERM,
16912 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16913 	},
16914 	{
16915 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16917 		.doit = nl80211_register_beacons,
16918 		.flags = GENL_UNS_ADMIN_PERM,
16919 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16920 	},
16921 	{
16922 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16924 		.doit = nl80211_set_noack_map,
16925 		.flags = GENL_UNS_ADMIN_PERM,
16926 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16927 	},
16928 	{
16929 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16931 		.doit = nl80211_start_p2p_device,
16932 		.flags = GENL_UNS_ADMIN_PERM,
16933 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16934 					 NL80211_FLAG_NEED_RTNL),
16935 	},
16936 	{
16937 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16939 		.doit = nl80211_stop_p2p_device,
16940 		.flags = GENL_UNS_ADMIN_PERM,
16941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16942 					 NL80211_FLAG_NEED_RTNL),
16943 	},
16944 	{
16945 		.cmd = NL80211_CMD_START_NAN,
16946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16947 		.doit = nl80211_start_nan,
16948 		.flags = GENL_ADMIN_PERM,
16949 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16950 					 NL80211_FLAG_NEED_RTNL),
16951 	},
16952 	{
16953 		.cmd = NL80211_CMD_STOP_NAN,
16954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16955 		.doit = nl80211_stop_nan,
16956 		.flags = GENL_ADMIN_PERM,
16957 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
16958 					 NL80211_FLAG_NEED_RTNL),
16959 	},
16960 	{
16961 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16963 		.doit = nl80211_nan_add_func,
16964 		.flags = GENL_ADMIN_PERM,
16965 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16966 	},
16967 	{
16968 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16969 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16970 		.doit = nl80211_nan_del_func,
16971 		.flags = GENL_ADMIN_PERM,
16972 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16973 	},
16974 	{
16975 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16976 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16977 		.doit = nl80211_nan_change_config,
16978 		.flags = GENL_ADMIN_PERM,
16979 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16980 	},
16981 	{
16982 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16984 		.doit = nl80211_set_mcast_rate,
16985 		.flags = GENL_UNS_ADMIN_PERM,
16986 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16987 	},
16988 	{
16989 		.cmd = NL80211_CMD_SET_MAC_ACL,
16990 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16991 		.doit = nl80211_set_mac_acl,
16992 		.flags = GENL_UNS_ADMIN_PERM,
16993 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16994 					 NL80211_FLAG_MLO_UNSUPPORTED),
16995 	},
16996 	{
16997 		.cmd = NL80211_CMD_RADAR_DETECT,
16998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16999 		.doit = nl80211_start_radar_detection,
17000 		.flags = GENL_UNS_ADMIN_PERM,
17001 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17002 					 NL80211_FLAG_NO_WIPHY_MTX |
17003 					 NL80211_FLAG_MLO_UNSUPPORTED),
17004 	},
17005 	{
17006 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008 		.doit = nl80211_get_protocol_features,
17009 	},
17010 	{
17011 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17013 		.doit = nl80211_update_ft_ies,
17014 		.flags = GENL_UNS_ADMIN_PERM,
17015 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17016 	},
17017 	{
17018 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17020 		.doit = nl80211_crit_protocol_start,
17021 		.flags = GENL_UNS_ADMIN_PERM,
17022 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17023 	},
17024 	{
17025 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17026 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17027 		.doit = nl80211_crit_protocol_stop,
17028 		.flags = GENL_UNS_ADMIN_PERM,
17029 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17030 	},
17031 	{
17032 		.cmd = NL80211_CMD_GET_COALESCE,
17033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17034 		.doit = nl80211_get_coalesce,
17035 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17036 	},
17037 	{
17038 		.cmd = NL80211_CMD_SET_COALESCE,
17039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17040 		.doit = nl80211_set_coalesce,
17041 		.flags = GENL_UNS_ADMIN_PERM,
17042 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17043 	},
17044 	{
17045 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17046 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17047 		.doit = nl80211_channel_switch,
17048 		.flags = GENL_UNS_ADMIN_PERM,
17049 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17050 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17051 	},
17052 	{
17053 		.cmd = NL80211_CMD_VENDOR,
17054 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17055 		.doit = nl80211_vendor_cmd,
17056 		.dumpit = nl80211_vendor_cmd_dump,
17057 		.flags = GENL_UNS_ADMIN_PERM,
17058 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17059 					 NL80211_FLAG_CLEAR_SKB),
17060 	},
17061 	{
17062 		.cmd = NL80211_CMD_SET_QOS_MAP,
17063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17064 		.doit = nl80211_set_qos_map,
17065 		.flags = GENL_UNS_ADMIN_PERM,
17066 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17067 	},
17068 	{
17069 		.cmd = NL80211_CMD_ADD_TX_TS,
17070 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17071 		.doit = nl80211_add_tx_ts,
17072 		.flags = GENL_UNS_ADMIN_PERM,
17073 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17074 					 NL80211_FLAG_MLO_UNSUPPORTED),
17075 	},
17076 	{
17077 		.cmd = NL80211_CMD_DEL_TX_TS,
17078 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17079 		.doit = nl80211_del_tx_ts,
17080 		.flags = GENL_UNS_ADMIN_PERM,
17081 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17082 	},
17083 	{
17084 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17085 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17086 		.doit = nl80211_tdls_channel_switch,
17087 		.flags = GENL_UNS_ADMIN_PERM,
17088 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17089 	},
17090 	{
17091 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17092 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17093 		.doit = nl80211_tdls_cancel_channel_switch,
17094 		.flags = GENL_UNS_ADMIN_PERM,
17095 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17096 	},
17097 	{
17098 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17099 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17100 		.doit = nl80211_set_multicast_to_unicast,
17101 		.flags = GENL_UNS_ADMIN_PERM,
17102 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17103 	},
17104 	{
17105 		.cmd = NL80211_CMD_SET_PMK,
17106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17107 		.doit = nl80211_set_pmk,
17108 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17109 					 NL80211_FLAG_CLEAR_SKB),
17110 	},
17111 	{
17112 		.cmd = NL80211_CMD_DEL_PMK,
17113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17114 		.doit = nl80211_del_pmk,
17115 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17116 	},
17117 	{
17118 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17120 		.doit = nl80211_external_auth,
17121 		.flags = GENL_ADMIN_PERM,
17122 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17123 	},
17124 	{
17125 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17126 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17127 		.doit = nl80211_tx_control_port,
17128 		.flags = GENL_UNS_ADMIN_PERM,
17129 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17130 	},
17131 	{
17132 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17133 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17134 		.doit = nl80211_get_ftm_responder_stats,
17135 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17136 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17137 	},
17138 	{
17139 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17140 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17141 		.doit = nl80211_pmsr_start,
17142 		.flags = GENL_UNS_ADMIN_PERM,
17143 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17144 	},
17145 	{
17146 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17147 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17148 		.doit = nl80211_notify_radar_detection,
17149 		.flags = GENL_UNS_ADMIN_PERM,
17150 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17151 	},
17152 	{
17153 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17154 		.doit = nl80211_update_owe_info,
17155 		.flags = GENL_ADMIN_PERM,
17156 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17157 	},
17158 	{
17159 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17160 		.doit = nl80211_probe_mesh_link,
17161 		.flags = GENL_UNS_ADMIN_PERM,
17162 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17163 	},
17164 	{
17165 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17166 		.doit = nl80211_set_tid_config,
17167 		.flags = GENL_UNS_ADMIN_PERM,
17168 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17169 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17170 	},
17171 	{
17172 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17173 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17174 		.doit = nl80211_set_sar_specs,
17175 		.flags = GENL_UNS_ADMIN_PERM,
17176 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17177 					 NL80211_FLAG_NEED_RTNL),
17178 	},
17179 	{
17180 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17181 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17182 		.doit = nl80211_color_change,
17183 		.flags = GENL_UNS_ADMIN_PERM,
17184 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17185 	},
17186 	{
17187 		.cmd = NL80211_CMD_SET_FILS_AAD,
17188 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17189 		.doit = nl80211_set_fils_aad,
17190 		.flags = GENL_UNS_ADMIN_PERM,
17191 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17192 	},
17193 	{
17194 		.cmd = NL80211_CMD_ADD_LINK,
17195 		.doit = nl80211_add_link,
17196 		.flags = GENL_UNS_ADMIN_PERM,
17197 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17198 	},
17199 	{
17200 		.cmd = NL80211_CMD_REMOVE_LINK,
17201 		.doit = nl80211_remove_link,
17202 		.flags = GENL_UNS_ADMIN_PERM,
17203 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17204 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17205 	},
17206 	{
17207 		.cmd = NL80211_CMD_ADD_LINK_STA,
17208 		.doit = nl80211_add_link_station,
17209 		.flags = GENL_UNS_ADMIN_PERM,
17210 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17211 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17212 	},
17213 	{
17214 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17215 		.doit = nl80211_modify_link_station,
17216 		.flags = GENL_UNS_ADMIN_PERM,
17217 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17218 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17219 	},
17220 	{
17221 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17222 		.doit = nl80211_remove_link_station,
17223 		.flags = GENL_UNS_ADMIN_PERM,
17224 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17225 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17226 	},
17227 };
17228 
17229 static struct genl_family nl80211_fam __ro_after_init = {
17230 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17231 	.hdrsize = 0,			/* no private header */
17232 	.version = 1,			/* no particular meaning now */
17233 	.maxattr = NL80211_ATTR_MAX,
17234 	.policy = nl80211_policy,
17235 	.netnsok = true,
17236 	.pre_doit = nl80211_pre_doit,
17237 	.post_doit = nl80211_post_doit,
17238 	.module = THIS_MODULE,
17239 	.ops = nl80211_ops,
17240 	.n_ops = ARRAY_SIZE(nl80211_ops),
17241 	.small_ops = nl80211_small_ops,
17242 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17243 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17244 	.mcgrps = nl80211_mcgrps,
17245 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17246 	.parallel_ops = true,
17247 };
17248 
17249 /* notification functions */
17250 
17251 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17252 			  enum nl80211_commands cmd)
17253 {
17254 	struct sk_buff *msg;
17255 	struct nl80211_dump_wiphy_state state = {};
17256 
17257 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17258 		cmd != NL80211_CMD_DEL_WIPHY);
17259 
17260 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17261 	if (!msg)
17262 		return;
17263 
17264 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17265 		nlmsg_free(msg);
17266 		return;
17267 	}
17268 
17269 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17270 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17271 }
17272 
17273 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17274 				struct wireless_dev *wdev,
17275 				enum nl80211_commands cmd)
17276 {
17277 	struct sk_buff *msg;
17278 
17279 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17280 	if (!msg)
17281 		return;
17282 
17283 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17284 		nlmsg_free(msg);
17285 		return;
17286 	}
17287 
17288 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17289 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17290 }
17291 
17292 static int nl80211_add_scan_req(struct sk_buff *msg,
17293 				struct cfg80211_registered_device *rdev)
17294 {
17295 	struct cfg80211_scan_request *req = rdev->scan_req;
17296 	struct nlattr *nest;
17297 	int i;
17298 	struct cfg80211_scan_info *info;
17299 
17300 	if (WARN_ON(!req))
17301 		return 0;
17302 
17303 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17304 	if (!nest)
17305 		goto nla_put_failure;
17306 	for (i = 0; i < req->n_ssids; i++) {
17307 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17308 			goto nla_put_failure;
17309 	}
17310 	nla_nest_end(msg, nest);
17311 
17312 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17313 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17314 		if (!nest)
17315 			goto nla_put_failure;
17316 		for (i = 0; i < req->n_channels; i++) {
17317 			if (nla_put_u32(msg, i,
17318 				   ieee80211_channel_to_khz(req->channels[i])))
17319 				goto nla_put_failure;
17320 		}
17321 		nla_nest_end(msg, nest);
17322 	} else {
17323 		nest = nla_nest_start_noflag(msg,
17324 					     NL80211_ATTR_SCAN_FREQUENCIES);
17325 		if (!nest)
17326 			goto nla_put_failure;
17327 		for (i = 0; i < req->n_channels; i++) {
17328 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17329 				goto nla_put_failure;
17330 		}
17331 		nla_nest_end(msg, nest);
17332 	}
17333 
17334 	if (req->ie &&
17335 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17336 		goto nla_put_failure;
17337 
17338 	if (req->flags &&
17339 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17340 		goto nla_put_failure;
17341 
17342 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17343 		&rdev->scan_req->info;
17344 	if (info->scan_start_tsf &&
17345 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17346 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17347 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17348 		     info->tsf_bssid)))
17349 		goto nla_put_failure;
17350 
17351 	return 0;
17352  nla_put_failure:
17353 	return -ENOBUFS;
17354 }
17355 
17356 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17357 				 struct cfg80211_registered_device *rdev,
17358 				 struct wireless_dev *wdev,
17359 				 u32 portid, u32 seq, int flags,
17360 				 u32 cmd)
17361 {
17362 	void *hdr;
17363 
17364 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17365 	if (!hdr)
17366 		return -1;
17367 
17368 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17369 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17370 					 wdev->netdev->ifindex)) ||
17371 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17372 			      NL80211_ATTR_PAD))
17373 		goto nla_put_failure;
17374 
17375 	/* ignore errors and send incomplete event anyway */
17376 	nl80211_add_scan_req(msg, rdev);
17377 
17378 	genlmsg_end(msg, hdr);
17379 	return 0;
17380 
17381  nla_put_failure:
17382 	genlmsg_cancel(msg, hdr);
17383 	return -EMSGSIZE;
17384 }
17385 
17386 static int
17387 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17388 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17389 {
17390 	void *hdr;
17391 
17392 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17393 	if (!hdr)
17394 		return -1;
17395 
17396 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17397 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17398 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17399 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17400 			      NL80211_ATTR_PAD))
17401 		goto nla_put_failure;
17402 
17403 	genlmsg_end(msg, hdr);
17404 	return 0;
17405 
17406  nla_put_failure:
17407 	genlmsg_cancel(msg, hdr);
17408 	return -EMSGSIZE;
17409 }
17410 
17411 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17412 			     struct wireless_dev *wdev)
17413 {
17414 	struct sk_buff *msg;
17415 
17416 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17417 	if (!msg)
17418 		return;
17419 
17420 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17421 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17422 		nlmsg_free(msg);
17423 		return;
17424 	}
17425 
17426 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17427 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17428 }
17429 
17430 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17431 				       struct wireless_dev *wdev, bool aborted)
17432 {
17433 	struct sk_buff *msg;
17434 
17435 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17436 	if (!msg)
17437 		return NULL;
17438 
17439 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17440 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17441 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17442 		nlmsg_free(msg);
17443 		return NULL;
17444 	}
17445 
17446 	return msg;
17447 }
17448 
17449 /* send message created by nl80211_build_scan_msg() */
17450 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17451 			   struct sk_buff *msg)
17452 {
17453 	if (!msg)
17454 		return;
17455 
17456 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17457 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17458 }
17459 
17460 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17461 {
17462 	struct sk_buff *msg;
17463 
17464 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17465 	if (!msg)
17466 		return;
17467 
17468 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17469 		nlmsg_free(msg);
17470 		return;
17471 	}
17472 
17473 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17474 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17475 }
17476 
17477 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17478 					  struct regulatory_request *request)
17479 {
17480 	/* Userspace can always count this one always being set */
17481 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17482 		goto nla_put_failure;
17483 
17484 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17485 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17486 			       NL80211_REGDOM_TYPE_WORLD))
17487 			goto nla_put_failure;
17488 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17489 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17490 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17491 			goto nla_put_failure;
17492 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17493 		   request->intersect) {
17494 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17495 			       NL80211_REGDOM_TYPE_INTERSECTION))
17496 			goto nla_put_failure;
17497 	} else {
17498 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17499 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17500 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17501 				   request->alpha2))
17502 			goto nla_put_failure;
17503 	}
17504 
17505 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17506 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17507 
17508 		if (wiphy &&
17509 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17510 			goto nla_put_failure;
17511 
17512 		if (wiphy &&
17513 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17514 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17515 			goto nla_put_failure;
17516 	}
17517 
17518 	return true;
17519 
17520 nla_put_failure:
17521 	return false;
17522 }
17523 
17524 /*
17525  * This can happen on global regulatory changes or device specific settings
17526  * based on custom regulatory domains.
17527  */
17528 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17529 				     struct regulatory_request *request)
17530 {
17531 	struct sk_buff *msg;
17532 	void *hdr;
17533 
17534 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17535 	if (!msg)
17536 		return;
17537 
17538 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17539 	if (!hdr)
17540 		goto nla_put_failure;
17541 
17542 	if (!nl80211_reg_change_event_fill(msg, request))
17543 		goto nla_put_failure;
17544 
17545 	genlmsg_end(msg, hdr);
17546 
17547 	rcu_read_lock();
17548 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17549 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17550 	rcu_read_unlock();
17551 
17552 	return;
17553 
17554 nla_put_failure:
17555 	nlmsg_free(msg);
17556 }
17557 
17558 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17559 				    struct net_device *netdev,
17560 				    const u8 *buf, size_t len,
17561 				    enum nl80211_commands cmd, gfp_t gfp,
17562 				    int uapsd_queues, const u8 *req_ies,
17563 				    size_t req_ies_len, bool reconnect)
17564 {
17565 	struct sk_buff *msg;
17566 	void *hdr;
17567 
17568 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17569 	if (!msg)
17570 		return;
17571 
17572 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17573 	if (!hdr) {
17574 		nlmsg_free(msg);
17575 		return;
17576 	}
17577 
17578 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17579 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17580 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17581 	    (req_ies &&
17582 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17583 		goto nla_put_failure;
17584 
17585 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17586 		goto nla_put_failure;
17587 
17588 	if (uapsd_queues >= 0) {
17589 		struct nlattr *nla_wmm =
17590 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17591 		if (!nla_wmm)
17592 			goto nla_put_failure;
17593 
17594 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17595 			       uapsd_queues))
17596 			goto nla_put_failure;
17597 
17598 		nla_nest_end(msg, nla_wmm);
17599 	}
17600 
17601 	genlmsg_end(msg, hdr);
17602 
17603 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17604 				NL80211_MCGRP_MLME, gfp);
17605 	return;
17606 
17607  nla_put_failure:
17608 	nlmsg_free(msg);
17609 }
17610 
17611 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17612 			  struct net_device *netdev, const u8 *buf,
17613 			  size_t len, gfp_t gfp)
17614 {
17615 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17616 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17617 				false);
17618 }
17619 
17620 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17621 			   struct net_device *netdev,
17622 			   struct cfg80211_rx_assoc_resp *data)
17623 {
17624 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17625 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17626 				data->uapsd_queues,
17627 				data->req_ies, data->req_ies_len, false);
17628 }
17629 
17630 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17631 			 struct net_device *netdev, const u8 *buf,
17632 			 size_t len, bool reconnect, gfp_t gfp)
17633 {
17634 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17635 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17636 				reconnect);
17637 }
17638 
17639 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17640 			   struct net_device *netdev, const u8 *buf,
17641 			   size_t len, bool reconnect, gfp_t gfp)
17642 {
17643 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17644 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17645 				reconnect);
17646 }
17647 
17648 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17649 				  size_t len)
17650 {
17651 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17652 	struct wiphy *wiphy = wdev->wiphy;
17653 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17654 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17655 	u32 cmd;
17656 
17657 	if (WARN_ON(len < 2))
17658 		return;
17659 
17660 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17661 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17662 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17663 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17664 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17665 		if (wdev->unprot_beacon_reported &&
17666 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17667 			return;
17668 		cmd = NL80211_CMD_UNPROT_BEACON;
17669 		wdev->unprot_beacon_reported = jiffies;
17670 	} else {
17671 		return;
17672 	}
17673 
17674 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17675 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17676 				NULL, 0, false);
17677 }
17678 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17679 
17680 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
17681 				      struct net_device *netdev, int cmd,
17682 				      const u8 *addr, gfp_t gfp)
17683 {
17684 	struct sk_buff *msg;
17685 	void *hdr;
17686 
17687 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17688 	if (!msg)
17689 		return;
17690 
17691 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17692 	if (!hdr) {
17693 		nlmsg_free(msg);
17694 		return;
17695 	}
17696 
17697 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17698 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17699 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17700 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17701 		goto nla_put_failure;
17702 
17703 	genlmsg_end(msg, hdr);
17704 
17705 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17706 				NL80211_MCGRP_MLME, gfp);
17707 	return;
17708 
17709  nla_put_failure:
17710 	nlmsg_free(msg);
17711 }
17712 
17713 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
17714 			       struct net_device *netdev, const u8 *addr,
17715 			       gfp_t gfp)
17716 {
17717 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
17718 				  addr, gfp);
17719 }
17720 
17721 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
17722 				struct net_device *netdev, const u8 *addr,
17723 				gfp_t gfp)
17724 {
17725 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
17726 				  addr, gfp);
17727 }
17728 
17729 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
17730 				 struct net_device *netdev,
17731 				 struct cfg80211_connect_resp_params *cr,
17732 				 gfp_t gfp)
17733 {
17734 	struct sk_buff *msg;
17735 	void *hdr;
17736 	unsigned int link;
17737 	size_t link_info_size = 0;
17738 	const u8 *connected_addr = cr->valid_links ?
17739 				   cr->ap_mld_addr : cr->links[0].bssid;
17740 
17741 	if (cr->valid_links) {
17742 		for_each_valid_link(cr, link) {
17743 			/* Nested attribute header */
17744 			link_info_size += NLA_HDRLEN;
17745 			/* Link ID */
17746 			link_info_size += nla_total_size(sizeof(u8));
17747 			link_info_size += cr->links[link].addr ?
17748 					  nla_total_size(ETH_ALEN) : 0;
17749 			link_info_size += (cr->links[link].bssid ||
17750 					   cr->links[link].bss) ?
17751 					  nla_total_size(ETH_ALEN) : 0;
17752 			link_info_size += nla_total_size(sizeof(u16));
17753 		}
17754 	}
17755 
17756 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
17757 			cr->fils.kek_len + cr->fils.pmk_len +
17758 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
17759 			gfp);
17760 	if (!msg)
17761 		return;
17762 
17763 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
17764 	if (!hdr) {
17765 		nlmsg_free(msg);
17766 		return;
17767 	}
17768 
17769 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17770 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17771 	    (connected_addr &&
17772 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
17773 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
17774 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
17775 			cr->status) ||
17776 	    (cr->status < 0 &&
17777 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17778 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
17779 			  cr->timeout_reason))) ||
17780 	    (cr->req_ie &&
17781 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
17782 	    (cr->resp_ie &&
17783 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
17784 		     cr->resp_ie)) ||
17785 	    (cr->fils.update_erp_next_seq_num &&
17786 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17787 			 cr->fils.erp_next_seq_num)) ||
17788 	    (cr->status == WLAN_STATUS_SUCCESS &&
17789 	     ((cr->fils.kek &&
17790 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
17791 		       cr->fils.kek)) ||
17792 	      (cr->fils.pmk &&
17793 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
17794 	      (cr->fils.pmkid &&
17795 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
17796 		goto nla_put_failure;
17797 
17798 	if (cr->valid_links) {
17799 		int i = 1;
17800 		struct nlattr *nested;
17801 
17802 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17803 		if (!nested)
17804 			goto nla_put_failure;
17805 
17806 		for_each_valid_link(cr, link) {
17807 			struct nlattr *nested_mlo_links;
17808 			const u8 *bssid = cr->links[link].bss ?
17809 					  cr->links[link].bss->bssid :
17810 					  cr->links[link].bssid;
17811 
17812 			nested_mlo_links = nla_nest_start(msg, i);
17813 			if (!nested_mlo_links)
17814 				goto nla_put_failure;
17815 
17816 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17817 			    (bssid &&
17818 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17819 			    (cr->links[link].addr &&
17820 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17821 				     cr->links[link].addr)) ||
17822 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
17823 					cr->links[link].status))
17824 				goto nla_put_failure;
17825 
17826 			nla_nest_end(msg, nested_mlo_links);
17827 			i++;
17828 		}
17829 		nla_nest_end(msg, nested);
17830 	}
17831 
17832 	genlmsg_end(msg, hdr);
17833 
17834 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17835 				NL80211_MCGRP_MLME, gfp);
17836 	return;
17837 
17838  nla_put_failure:
17839 	nlmsg_free(msg);
17840 }
17841 
17842 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
17843 			 struct net_device *netdev,
17844 			 struct cfg80211_roam_info *info, gfp_t gfp)
17845 {
17846 	struct sk_buff *msg;
17847 	void *hdr;
17848 	size_t link_info_size = 0;
17849 	unsigned int link;
17850 	const u8 *connected_addr = info->ap_mld_addr ?
17851 				   info->ap_mld_addr :
17852 				   (info->links[0].bss ?
17853 				    info->links[0].bss->bssid :
17854 				    info->links[0].bssid);
17855 
17856 	if (info->valid_links) {
17857 		for_each_valid_link(info, link) {
17858 			/* Nested attribute header */
17859 			link_info_size += NLA_HDRLEN;
17860 			/* Link ID */
17861 			link_info_size += nla_total_size(sizeof(u8));
17862 			link_info_size += info->links[link].addr ?
17863 					  nla_total_size(ETH_ALEN) : 0;
17864 			link_info_size += (info->links[link].bssid ||
17865 					   info->links[link].bss) ?
17866 					  nla_total_size(ETH_ALEN) : 0;
17867 		}
17868 	}
17869 
17870 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
17871 			info->fils.kek_len + info->fils.pmk_len +
17872 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
17873 			link_info_size, gfp);
17874 	if (!msg)
17875 		return;
17876 
17877 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
17878 	if (!hdr) {
17879 		nlmsg_free(msg);
17880 		return;
17881 	}
17882 
17883 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17884 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17885 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
17886 	    (info->req_ie &&
17887 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
17888 		     info->req_ie)) ||
17889 	    (info->resp_ie &&
17890 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
17891 		     info->resp_ie)) ||
17892 	    (info->fils.update_erp_next_seq_num &&
17893 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
17894 			 info->fils.erp_next_seq_num)) ||
17895 	    (info->fils.kek &&
17896 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
17897 		     info->fils.kek)) ||
17898 	    (info->fils.pmk &&
17899 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
17900 	    (info->fils.pmkid &&
17901 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
17902 		goto nla_put_failure;
17903 
17904 	if (info->valid_links) {
17905 		int i = 1;
17906 		struct nlattr *nested;
17907 
17908 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
17909 		if (!nested)
17910 			goto nla_put_failure;
17911 
17912 		for_each_valid_link(info, link) {
17913 			struct nlattr *nested_mlo_links;
17914 			const u8 *bssid = info->links[link].bss ?
17915 					  info->links[link].bss->bssid :
17916 					  info->links[link].bssid;
17917 
17918 			nested_mlo_links = nla_nest_start(msg, i);
17919 			if (!nested_mlo_links)
17920 				goto nla_put_failure;
17921 
17922 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
17923 			    (bssid &&
17924 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
17925 			    (info->links[link].addr &&
17926 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
17927 				     info->links[link].addr)))
17928 				goto nla_put_failure;
17929 
17930 			nla_nest_end(msg, nested_mlo_links);
17931 			i++;
17932 		}
17933 		nla_nest_end(msg, nested);
17934 	}
17935 
17936 	genlmsg_end(msg, hdr);
17937 
17938 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17939 				NL80211_MCGRP_MLME, gfp);
17940 	return;
17941 
17942  nla_put_failure:
17943 	nlmsg_free(msg);
17944 }
17945 
17946 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
17947 				  struct net_device *netdev, const u8 *bssid,
17948 				  const u8 *td_bitmap, u8 td_bitmap_len)
17949 {
17950 	struct sk_buff *msg;
17951 	void *hdr;
17952 
17953 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17954 	if (!msg)
17955 		return;
17956 
17957 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
17958 	if (!hdr) {
17959 		nlmsg_free(msg);
17960 		return;
17961 	}
17962 
17963 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17964 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17965 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17966 		goto nla_put_failure;
17967 
17968 	if ((td_bitmap_len > 0) && td_bitmap)
17969 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
17970 			    td_bitmap_len, td_bitmap))
17971 			goto nla_put_failure;
17972 
17973 	genlmsg_end(msg, hdr);
17974 
17975 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17976 				NL80211_MCGRP_MLME, GFP_KERNEL);
17977 	return;
17978 
17979  nla_put_failure:
17980 	nlmsg_free(msg);
17981 }
17982 
17983 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
17984 			       struct net_device *netdev, u16 reason,
17985 			       const u8 *ie, size_t ie_len, bool from_ap)
17986 {
17987 	struct sk_buff *msg;
17988 	void *hdr;
17989 
17990 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
17991 	if (!msg)
17992 		return;
17993 
17994 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
17995 	if (!hdr) {
17996 		nlmsg_free(msg);
17997 		return;
17998 	}
17999 
18000 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18001 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18002 	    (reason &&
18003 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18004 	    (from_ap &&
18005 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18006 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18007 		goto nla_put_failure;
18008 
18009 	genlmsg_end(msg, hdr);
18010 
18011 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18012 				NL80211_MCGRP_MLME, GFP_KERNEL);
18013 	return;
18014 
18015  nla_put_failure:
18016 	nlmsg_free(msg);
18017 }
18018 
18019 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18020 			     struct net_device *netdev, const u8 *bssid,
18021 			     gfp_t gfp)
18022 {
18023 	struct sk_buff *msg;
18024 	void *hdr;
18025 
18026 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18027 	if (!msg)
18028 		return;
18029 
18030 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18031 	if (!hdr) {
18032 		nlmsg_free(msg);
18033 		return;
18034 	}
18035 
18036 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18037 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18038 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18039 		goto nla_put_failure;
18040 
18041 	genlmsg_end(msg, hdr);
18042 
18043 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18044 				NL80211_MCGRP_MLME, gfp);
18045 	return;
18046 
18047  nla_put_failure:
18048 	nlmsg_free(msg);
18049 }
18050 
18051 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18052 					const u8 *ie, u8 ie_len,
18053 					int sig_dbm, gfp_t gfp)
18054 {
18055 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18056 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18057 	struct sk_buff *msg;
18058 	void *hdr;
18059 
18060 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18061 		return;
18062 
18063 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18064 
18065 	msg = nlmsg_new(100 + ie_len, gfp);
18066 	if (!msg)
18067 		return;
18068 
18069 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18070 	if (!hdr) {
18071 		nlmsg_free(msg);
18072 		return;
18073 	}
18074 
18075 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18076 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18077 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18078 	    (ie_len && ie &&
18079 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18080 	    (sig_dbm &&
18081 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18082 		goto nla_put_failure;
18083 
18084 	genlmsg_end(msg, hdr);
18085 
18086 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18087 				NL80211_MCGRP_MLME, gfp);
18088 	return;
18089 
18090  nla_put_failure:
18091 	nlmsg_free(msg);
18092 }
18093 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18094 
18095 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18096 				 struct net_device *netdev, const u8 *addr,
18097 				 enum nl80211_key_type key_type, int key_id,
18098 				 const u8 *tsc, gfp_t gfp)
18099 {
18100 	struct sk_buff *msg;
18101 	void *hdr;
18102 
18103 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18104 	if (!msg)
18105 		return;
18106 
18107 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18108 	if (!hdr) {
18109 		nlmsg_free(msg);
18110 		return;
18111 	}
18112 
18113 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18114 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18115 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18116 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18117 	    (key_id != -1 &&
18118 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18119 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18120 		goto nla_put_failure;
18121 
18122 	genlmsg_end(msg, hdr);
18123 
18124 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18125 				NL80211_MCGRP_MLME, gfp);
18126 	return;
18127 
18128  nla_put_failure:
18129 	nlmsg_free(msg);
18130 }
18131 
18132 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18133 				    struct ieee80211_channel *channel_before,
18134 				    struct ieee80211_channel *channel_after)
18135 {
18136 	struct sk_buff *msg;
18137 	void *hdr;
18138 	struct nlattr *nl_freq;
18139 
18140 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18141 	if (!msg)
18142 		return;
18143 
18144 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18145 	if (!hdr) {
18146 		nlmsg_free(msg);
18147 		return;
18148 	}
18149 
18150 	/*
18151 	 * Since we are applying the beacon hint to a wiphy we know its
18152 	 * wiphy_idx is valid
18153 	 */
18154 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18155 		goto nla_put_failure;
18156 
18157 	/* Before */
18158 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18159 	if (!nl_freq)
18160 		goto nla_put_failure;
18161 
18162 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18163 		goto nla_put_failure;
18164 	nla_nest_end(msg, nl_freq);
18165 
18166 	/* After */
18167 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18168 	if (!nl_freq)
18169 		goto nla_put_failure;
18170 
18171 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18172 		goto nla_put_failure;
18173 	nla_nest_end(msg, nl_freq);
18174 
18175 	genlmsg_end(msg, hdr);
18176 
18177 	rcu_read_lock();
18178 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18179 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18180 	rcu_read_unlock();
18181 
18182 	return;
18183 
18184 nla_put_failure:
18185 	nlmsg_free(msg);
18186 }
18187 
18188 static void nl80211_send_remain_on_chan_event(
18189 	int cmd, struct cfg80211_registered_device *rdev,
18190 	struct wireless_dev *wdev, u64 cookie,
18191 	struct ieee80211_channel *chan,
18192 	unsigned int duration, gfp_t gfp)
18193 {
18194 	struct sk_buff *msg;
18195 	void *hdr;
18196 
18197 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18198 	if (!msg)
18199 		return;
18200 
18201 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18202 	if (!hdr) {
18203 		nlmsg_free(msg);
18204 		return;
18205 	}
18206 
18207 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18208 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18209 					 wdev->netdev->ifindex)) ||
18210 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18211 			      NL80211_ATTR_PAD) ||
18212 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18213 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18214 			NL80211_CHAN_NO_HT) ||
18215 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18216 			      NL80211_ATTR_PAD))
18217 		goto nla_put_failure;
18218 
18219 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18220 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18221 		goto nla_put_failure;
18222 
18223 	genlmsg_end(msg, hdr);
18224 
18225 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18226 				NL80211_MCGRP_MLME, gfp);
18227 	return;
18228 
18229  nla_put_failure:
18230 	nlmsg_free(msg);
18231 }
18232 
18233 void cfg80211_assoc_comeback(struct net_device *netdev,
18234 			     const u8 *ap_addr, u32 timeout)
18235 {
18236 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18237 	struct wiphy *wiphy = wdev->wiphy;
18238 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18239 	struct sk_buff *msg;
18240 	void *hdr;
18241 
18242 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18243 
18244 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18245 	if (!msg)
18246 		return;
18247 
18248 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18249 	if (!hdr) {
18250 		nlmsg_free(msg);
18251 		return;
18252 	}
18253 
18254 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18255 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18256 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18257 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18258 		goto nla_put_failure;
18259 
18260 	genlmsg_end(msg, hdr);
18261 
18262 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18263 				NL80211_MCGRP_MLME, GFP_KERNEL);
18264 	return;
18265 
18266  nla_put_failure:
18267 	nlmsg_free(msg);
18268 }
18269 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18270 
18271 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18272 			       struct ieee80211_channel *chan,
18273 			       unsigned int duration, gfp_t gfp)
18274 {
18275 	struct wiphy *wiphy = wdev->wiphy;
18276 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18277 
18278 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18279 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18280 					  rdev, wdev, cookie, chan,
18281 					  duration, gfp);
18282 }
18283 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18284 
18285 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18286 					struct ieee80211_channel *chan,
18287 					gfp_t gfp)
18288 {
18289 	struct wiphy *wiphy = wdev->wiphy;
18290 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18291 
18292 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18293 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18294 					  rdev, wdev, cookie, chan, 0, gfp);
18295 }
18296 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18297 
18298 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18299 					struct ieee80211_channel *chan,
18300 					gfp_t gfp)
18301 {
18302 	struct wiphy *wiphy = wdev->wiphy;
18303 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18304 
18305 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18306 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18307 					  rdev, wdev, cookie, chan, 0, gfp);
18308 }
18309 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18310 
18311 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18312 		      struct station_info *sinfo, gfp_t gfp)
18313 {
18314 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18315 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18316 	struct sk_buff *msg;
18317 
18318 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18319 
18320 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18321 	if (!msg)
18322 		return;
18323 
18324 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18325 				 rdev, dev, mac_addr, sinfo) < 0) {
18326 		nlmsg_free(msg);
18327 		return;
18328 	}
18329 
18330 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18331 				NL80211_MCGRP_MLME, gfp);
18332 }
18333 EXPORT_SYMBOL(cfg80211_new_sta);
18334 
18335 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18336 			    struct station_info *sinfo, gfp_t gfp)
18337 {
18338 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18339 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18340 	struct sk_buff *msg;
18341 	struct station_info empty_sinfo = {};
18342 
18343 	if (!sinfo)
18344 		sinfo = &empty_sinfo;
18345 
18346 	trace_cfg80211_del_sta(dev, mac_addr);
18347 
18348 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18349 	if (!msg) {
18350 		cfg80211_sinfo_release_content(sinfo);
18351 		return;
18352 	}
18353 
18354 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18355 				 rdev, dev, mac_addr, sinfo) < 0) {
18356 		nlmsg_free(msg);
18357 		return;
18358 	}
18359 
18360 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18361 				NL80211_MCGRP_MLME, gfp);
18362 }
18363 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18364 
18365 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18366 			  enum nl80211_connect_failed_reason reason,
18367 			  gfp_t gfp)
18368 {
18369 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18370 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18371 	struct sk_buff *msg;
18372 	void *hdr;
18373 
18374 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18375 	if (!msg)
18376 		return;
18377 
18378 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18379 	if (!hdr) {
18380 		nlmsg_free(msg);
18381 		return;
18382 	}
18383 
18384 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18385 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18386 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18387 		goto nla_put_failure;
18388 
18389 	genlmsg_end(msg, hdr);
18390 
18391 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18392 				NL80211_MCGRP_MLME, gfp);
18393 	return;
18394 
18395  nla_put_failure:
18396 	nlmsg_free(msg);
18397 }
18398 EXPORT_SYMBOL(cfg80211_conn_failed);
18399 
18400 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18401 				       const u8 *addr, gfp_t gfp)
18402 {
18403 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18404 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18405 	struct sk_buff *msg;
18406 	void *hdr;
18407 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18408 
18409 	if (!nlportid)
18410 		return false;
18411 
18412 	msg = nlmsg_new(100, gfp);
18413 	if (!msg)
18414 		return true;
18415 
18416 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18417 	if (!hdr) {
18418 		nlmsg_free(msg);
18419 		return true;
18420 	}
18421 
18422 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18423 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18424 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18425 		goto nla_put_failure;
18426 
18427 	genlmsg_end(msg, hdr);
18428 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18429 	return true;
18430 
18431  nla_put_failure:
18432 	nlmsg_free(msg);
18433 	return true;
18434 }
18435 
18436 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18437 				const u8 *addr, gfp_t gfp)
18438 {
18439 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18440 	bool ret;
18441 
18442 	trace_cfg80211_rx_spurious_frame(dev, addr);
18443 
18444 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18445 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18446 		trace_cfg80211_return_bool(false);
18447 		return false;
18448 	}
18449 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18450 					 addr, gfp);
18451 	trace_cfg80211_return_bool(ret);
18452 	return ret;
18453 }
18454 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18455 
18456 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18457 					const u8 *addr, gfp_t gfp)
18458 {
18459 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18460 	bool ret;
18461 
18462 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18463 
18464 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18465 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18466 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18467 		trace_cfg80211_return_bool(false);
18468 		return false;
18469 	}
18470 	ret = __nl80211_unexpected_frame(dev,
18471 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18472 					 addr, gfp);
18473 	trace_cfg80211_return_bool(ret);
18474 	return ret;
18475 }
18476 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18477 
18478 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18479 		      struct wireless_dev *wdev, u32 nlportid,
18480 		      struct cfg80211_rx_info *info, gfp_t gfp)
18481 {
18482 	struct net_device *netdev = wdev->netdev;
18483 	struct sk_buff *msg;
18484 	void *hdr;
18485 
18486 	msg = nlmsg_new(100 + info->len, gfp);
18487 	if (!msg)
18488 		return -ENOMEM;
18489 
18490 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18491 	if (!hdr) {
18492 		nlmsg_free(msg);
18493 		return -ENOMEM;
18494 	}
18495 
18496 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18497 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18498 					netdev->ifindex)) ||
18499 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18500 			      NL80211_ATTR_PAD) ||
18501 	    (info->have_link_id &&
18502 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18503 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18504 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18505 	    (info->sig_dbm &&
18506 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18507 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18508 	    (info->flags &&
18509 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18510 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18511 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18512 						  info->rx_tstamp,
18513 						  NL80211_ATTR_PAD)) ||
18514 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18515 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18516 						   info->ack_tstamp,
18517 						   NL80211_ATTR_PAD)))
18518 		goto nla_put_failure;
18519 
18520 	genlmsg_end(msg, hdr);
18521 
18522 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18523 
18524  nla_put_failure:
18525 	nlmsg_free(msg);
18526 	return -ENOBUFS;
18527 }
18528 
18529 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18530 				    struct cfg80211_tx_status *status,
18531 				    gfp_t gfp, enum nl80211_commands command)
18532 {
18533 	struct wiphy *wiphy = wdev->wiphy;
18534 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18535 	struct net_device *netdev = wdev->netdev;
18536 	struct sk_buff *msg;
18537 	void *hdr;
18538 
18539 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18540 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18541 					      status->ack);
18542 	else
18543 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18544 						      status->ack);
18545 
18546 	msg = nlmsg_new(100 + status->len, gfp);
18547 	if (!msg)
18548 		return;
18549 
18550 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18551 	if (!hdr) {
18552 		nlmsg_free(msg);
18553 		return;
18554 	}
18555 
18556 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18557 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18558 				   netdev->ifindex)) ||
18559 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18560 			      NL80211_ATTR_PAD) ||
18561 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18562 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18563 			      NL80211_ATTR_PAD) ||
18564 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18565 	    (status->tx_tstamp &&
18566 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18567 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18568 	    (status->ack_tstamp &&
18569 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18570 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18571 		goto nla_put_failure;
18572 
18573 	genlmsg_end(msg, hdr);
18574 
18575 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18576 				NL80211_MCGRP_MLME, gfp);
18577 	return;
18578 
18579 nla_put_failure:
18580 	nlmsg_free(msg);
18581 }
18582 
18583 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18584 				     const u8 *buf, size_t len, bool ack,
18585 				     gfp_t gfp)
18586 {
18587 	struct cfg80211_tx_status status = {
18588 		.cookie = cookie,
18589 		.buf = buf,
18590 		.len = len,
18591 		.ack = ack
18592 	};
18593 
18594 	nl80211_frame_tx_status(wdev, &status, gfp,
18595 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18596 }
18597 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18598 
18599 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18600 				 struct cfg80211_tx_status *status, gfp_t gfp)
18601 {
18602 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18603 }
18604 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18605 
18606 static int __nl80211_rx_control_port(struct net_device *dev,
18607 				     struct sk_buff *skb,
18608 				     bool unencrypted, gfp_t gfp)
18609 {
18610 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18611 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18612 	struct ethhdr *ehdr = eth_hdr(skb);
18613 	const u8 *addr = ehdr->h_source;
18614 	u16 proto = be16_to_cpu(skb->protocol);
18615 	struct sk_buff *msg;
18616 	void *hdr;
18617 	struct nlattr *frame;
18618 
18619 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
18620 
18621 	if (!nlportid)
18622 		return -ENOENT;
18623 
18624 	msg = nlmsg_new(100 + skb->len, gfp);
18625 	if (!msg)
18626 		return -ENOMEM;
18627 
18628 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
18629 	if (!hdr) {
18630 		nlmsg_free(msg);
18631 		return -ENOBUFS;
18632 	}
18633 
18634 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18635 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18636 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18637 			      NL80211_ATTR_PAD) ||
18638 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18639 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
18640 	    (unencrypted && nla_put_flag(msg,
18641 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
18642 		goto nla_put_failure;
18643 
18644 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
18645 	if (!frame)
18646 		goto nla_put_failure;
18647 
18648 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
18649 	genlmsg_end(msg, hdr);
18650 
18651 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18652 
18653  nla_put_failure:
18654 	nlmsg_free(msg);
18655 	return -ENOBUFS;
18656 }
18657 
18658 bool cfg80211_rx_control_port(struct net_device *dev,
18659 			      struct sk_buff *skb, bool unencrypted)
18660 {
18661 	int ret;
18662 
18663 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
18664 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
18665 	trace_cfg80211_return_bool(ret == 0);
18666 	return ret == 0;
18667 }
18668 EXPORT_SYMBOL(cfg80211_rx_control_port);
18669 
18670 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
18671 					    const char *mac, gfp_t gfp)
18672 {
18673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18674 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18675 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18676 	void **cb;
18677 
18678 	if (!msg)
18679 		return NULL;
18680 
18681 	cb = (void **)msg->cb;
18682 
18683 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
18684 	if (!cb[0]) {
18685 		nlmsg_free(msg);
18686 		return NULL;
18687 	}
18688 
18689 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18690 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18691 		goto nla_put_failure;
18692 
18693 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18694 		goto nla_put_failure;
18695 
18696 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
18697 	if (!cb[1])
18698 		goto nla_put_failure;
18699 
18700 	cb[2] = rdev;
18701 
18702 	return msg;
18703  nla_put_failure:
18704 	nlmsg_free(msg);
18705 	return NULL;
18706 }
18707 
18708 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
18709 {
18710 	void **cb = (void **)msg->cb;
18711 	struct cfg80211_registered_device *rdev = cb[2];
18712 
18713 	nla_nest_end(msg, cb[1]);
18714 	genlmsg_end(msg, cb[0]);
18715 
18716 	memset(msg->cb, 0, sizeof(msg->cb));
18717 
18718 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18719 				NL80211_MCGRP_MLME, gfp);
18720 }
18721 
18722 void cfg80211_cqm_rssi_notify(struct net_device *dev,
18723 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
18724 			      s32 rssi_level, gfp_t gfp)
18725 {
18726 	struct sk_buff *msg;
18727 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18728 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18729 
18730 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
18731 
18732 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
18733 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
18734 		return;
18735 
18736 	if (wdev->cqm_config) {
18737 		wdev->cqm_config->last_rssi_event_value = rssi_level;
18738 
18739 		cfg80211_cqm_rssi_update(rdev, dev);
18740 
18741 		if (rssi_level == 0)
18742 			rssi_level = wdev->cqm_config->last_rssi_event_value;
18743 	}
18744 
18745 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18746 	if (!msg)
18747 		return;
18748 
18749 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
18750 			rssi_event))
18751 		goto nla_put_failure;
18752 
18753 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
18754 				      rssi_level))
18755 		goto nla_put_failure;
18756 
18757 	cfg80211_send_cqm(msg, gfp);
18758 
18759 	return;
18760 
18761  nla_put_failure:
18762 	nlmsg_free(msg);
18763 }
18764 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
18765 
18766 void cfg80211_cqm_txe_notify(struct net_device *dev,
18767 			     const u8 *peer, u32 num_packets,
18768 			     u32 rate, u32 intvl, gfp_t gfp)
18769 {
18770 	struct sk_buff *msg;
18771 
18772 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18773 	if (!msg)
18774 		return;
18775 
18776 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
18777 		goto nla_put_failure;
18778 
18779 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
18780 		goto nla_put_failure;
18781 
18782 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
18783 		goto nla_put_failure;
18784 
18785 	cfg80211_send_cqm(msg, gfp);
18786 	return;
18787 
18788  nla_put_failure:
18789 	nlmsg_free(msg);
18790 }
18791 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
18792 
18793 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
18794 				 const u8 *peer, u32 num_packets, gfp_t gfp)
18795 {
18796 	struct sk_buff *msg;
18797 
18798 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
18799 
18800 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
18801 	if (!msg)
18802 		return;
18803 
18804 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
18805 		goto nla_put_failure;
18806 
18807 	cfg80211_send_cqm(msg, gfp);
18808 	return;
18809 
18810  nla_put_failure:
18811 	nlmsg_free(msg);
18812 }
18813 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
18814 
18815 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
18816 {
18817 	struct sk_buff *msg;
18818 
18819 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
18820 	if (!msg)
18821 		return;
18822 
18823 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
18824 		goto nla_put_failure;
18825 
18826 	cfg80211_send_cqm(msg, gfp);
18827 	return;
18828 
18829  nla_put_failure:
18830 	nlmsg_free(msg);
18831 }
18832 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
18833 
18834 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
18835 				     struct net_device *netdev, const u8 *bssid,
18836 				     const u8 *replay_ctr, gfp_t gfp)
18837 {
18838 	struct sk_buff *msg;
18839 	struct nlattr *rekey_attr;
18840 	void *hdr;
18841 
18842 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18843 	if (!msg)
18844 		return;
18845 
18846 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
18847 	if (!hdr) {
18848 		nlmsg_free(msg);
18849 		return;
18850 	}
18851 
18852 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18853 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18854 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18855 		goto nla_put_failure;
18856 
18857 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
18858 	if (!rekey_attr)
18859 		goto nla_put_failure;
18860 
18861 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
18862 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
18863 		goto nla_put_failure;
18864 
18865 	nla_nest_end(msg, rekey_attr);
18866 
18867 	genlmsg_end(msg, hdr);
18868 
18869 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18870 				NL80211_MCGRP_MLME, gfp);
18871 	return;
18872 
18873  nla_put_failure:
18874 	nlmsg_free(msg);
18875 }
18876 
18877 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
18878 			       const u8 *replay_ctr, gfp_t gfp)
18879 {
18880 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18881 	struct wiphy *wiphy = wdev->wiphy;
18882 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18883 
18884 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
18885 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
18886 }
18887 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
18888 
18889 static void
18890 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
18891 			       struct net_device *netdev, int index,
18892 			       const u8 *bssid, bool preauth, gfp_t gfp)
18893 {
18894 	struct sk_buff *msg;
18895 	struct nlattr *attr;
18896 	void *hdr;
18897 
18898 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18899 	if (!msg)
18900 		return;
18901 
18902 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
18903 	if (!hdr) {
18904 		nlmsg_free(msg);
18905 		return;
18906 	}
18907 
18908 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18909 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
18910 		goto nla_put_failure;
18911 
18912 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
18913 	if (!attr)
18914 		goto nla_put_failure;
18915 
18916 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
18917 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
18918 	    (preauth &&
18919 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
18920 		goto nla_put_failure;
18921 
18922 	nla_nest_end(msg, attr);
18923 
18924 	genlmsg_end(msg, hdr);
18925 
18926 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18927 				NL80211_MCGRP_MLME, gfp);
18928 	return;
18929 
18930  nla_put_failure:
18931 	nlmsg_free(msg);
18932 }
18933 
18934 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
18935 				     const u8 *bssid, bool preauth, gfp_t gfp)
18936 {
18937 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18938 	struct wiphy *wiphy = wdev->wiphy;
18939 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18940 
18941 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
18942 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
18943 }
18944 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
18945 
18946 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
18947 				     struct net_device *netdev,
18948 				     unsigned int link_id,
18949 				     struct cfg80211_chan_def *chandef,
18950 				     gfp_t gfp,
18951 				     enum nl80211_commands notif,
18952 				     u8 count, bool quiet)
18953 {
18954 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18955 	struct sk_buff *msg;
18956 	void *hdr;
18957 
18958 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18959 	if (!msg)
18960 		return;
18961 
18962 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
18963 	if (!hdr) {
18964 		nlmsg_free(msg);
18965 		return;
18966 	}
18967 
18968 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
18969 		goto nla_put_failure;
18970 
18971 	if (wdev->valid_links &&
18972 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18973 		goto nla_put_failure;
18974 
18975 	if (nl80211_send_chandef(msg, chandef))
18976 		goto nla_put_failure;
18977 
18978 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
18979 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
18980 			goto nla_put_failure;
18981 		if (quiet &&
18982 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
18983 			goto nla_put_failure;
18984 	}
18985 
18986 	genlmsg_end(msg, hdr);
18987 
18988 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18989 				NL80211_MCGRP_MLME, gfp);
18990 	return;
18991 
18992  nla_put_failure:
18993 	nlmsg_free(msg);
18994 }
18995 
18996 void cfg80211_ch_switch_notify(struct net_device *dev,
18997 			       struct cfg80211_chan_def *chandef,
18998 			       unsigned int link_id)
18999 {
19000 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19001 	struct wiphy *wiphy = wdev->wiphy;
19002 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19003 
19004 	ASSERT_WDEV_LOCK(wdev);
19005 	WARN_INVALID_LINK_ID(wdev, link_id);
19006 
19007 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19008 
19009 	switch (wdev->iftype) {
19010 	case NL80211_IFTYPE_STATION:
19011 	case NL80211_IFTYPE_P2P_CLIENT:
19012 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19013 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19014 							chandef->chan);
19015 		break;
19016 	case NL80211_IFTYPE_MESH_POINT:
19017 		wdev->u.mesh.chandef = *chandef;
19018 		wdev->u.mesh.preset_chandef = *chandef;
19019 		break;
19020 	case NL80211_IFTYPE_AP:
19021 	case NL80211_IFTYPE_P2P_GO:
19022 		wdev->links[link_id].ap.chandef = *chandef;
19023 		break;
19024 	case NL80211_IFTYPE_ADHOC:
19025 		wdev->u.ibss.chandef = *chandef;
19026 		break;
19027 	default:
19028 		WARN_ON(1);
19029 		break;
19030 	}
19031 
19032 	cfg80211_sched_dfs_chan_update(rdev);
19033 
19034 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19035 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19036 }
19037 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19038 
19039 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19040 				       struct cfg80211_chan_def *chandef,
19041 				       unsigned int link_id, u8 count,
19042 				       bool quiet)
19043 {
19044 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19045 	struct wiphy *wiphy = wdev->wiphy;
19046 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19047 
19048 	ASSERT_WDEV_LOCK(wdev);
19049 	WARN_INVALID_LINK_ID(wdev, link_id);
19050 
19051 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19052 
19053 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19054 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19055 				 count, quiet);
19056 }
19057 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19058 
19059 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
19060 			      enum nl80211_commands cmd, u8 count,
19061 			      u64 color_bitmap)
19062 {
19063 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19064 	struct wiphy *wiphy = wdev->wiphy;
19065 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19066 	struct sk_buff *msg;
19067 	void *hdr;
19068 
19069 	ASSERT_WDEV_LOCK(wdev);
19070 
19071 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19072 
19073 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19074 	if (!msg)
19075 		return -ENOMEM;
19076 
19077 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19078 	if (!hdr)
19079 		goto nla_put_failure;
19080 
19081 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19082 		goto nla_put_failure;
19083 
19084 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19085 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19086 		goto nla_put_failure;
19087 
19088 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19089 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19090 			      color_bitmap, NL80211_ATTR_PAD))
19091 		goto nla_put_failure;
19092 
19093 	genlmsg_end(msg, hdr);
19094 
19095 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19096 				       msg, 0, NL80211_MCGRP_MLME, gfp);
19097 
19098 nla_put_failure:
19099 	nlmsg_free(msg);
19100 	return -EINVAL;
19101 }
19102 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19103 
19104 void
19105 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19106 		     const struct cfg80211_chan_def *chandef,
19107 		     enum nl80211_radar_event event,
19108 		     struct net_device *netdev, gfp_t gfp)
19109 {
19110 	struct sk_buff *msg;
19111 	void *hdr;
19112 
19113 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19114 	if (!msg)
19115 		return;
19116 
19117 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19118 	if (!hdr) {
19119 		nlmsg_free(msg);
19120 		return;
19121 	}
19122 
19123 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19124 		goto nla_put_failure;
19125 
19126 	/* NOP and radar events don't need a netdev parameter */
19127 	if (netdev) {
19128 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19129 
19130 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19131 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19132 				      NL80211_ATTR_PAD))
19133 			goto nla_put_failure;
19134 	}
19135 
19136 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19137 		goto nla_put_failure;
19138 
19139 	if (nl80211_send_chandef(msg, chandef))
19140 		goto nla_put_failure;
19141 
19142 	genlmsg_end(msg, hdr);
19143 
19144 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19145 				NL80211_MCGRP_MLME, gfp);
19146 	return;
19147 
19148  nla_put_failure:
19149 	nlmsg_free(msg);
19150 }
19151 
19152 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19153 				       struct sta_opmode_info *sta_opmode,
19154 				       gfp_t gfp)
19155 {
19156 	struct sk_buff *msg;
19157 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19158 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19159 	void *hdr;
19160 
19161 	if (WARN_ON(!mac))
19162 		return;
19163 
19164 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19165 	if (!msg)
19166 		return;
19167 
19168 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19169 	if (!hdr) {
19170 		nlmsg_free(msg);
19171 		return;
19172 	}
19173 
19174 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19175 		goto nla_put_failure;
19176 
19177 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19178 		goto nla_put_failure;
19179 
19180 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19181 		goto nla_put_failure;
19182 
19183 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19184 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19185 		goto nla_put_failure;
19186 
19187 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19188 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19189 		goto nla_put_failure;
19190 
19191 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19192 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19193 		goto nla_put_failure;
19194 
19195 	genlmsg_end(msg, hdr);
19196 
19197 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19198 				NL80211_MCGRP_MLME, gfp);
19199 
19200 	return;
19201 
19202 nla_put_failure:
19203 	nlmsg_free(msg);
19204 }
19205 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19206 
19207 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19208 			   u64 cookie, bool acked, s32 ack_signal,
19209 			   bool is_valid_ack_signal, gfp_t gfp)
19210 {
19211 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19212 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19213 	struct sk_buff *msg;
19214 	void *hdr;
19215 
19216 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19217 
19218 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19219 
19220 	if (!msg)
19221 		return;
19222 
19223 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19224 	if (!hdr) {
19225 		nlmsg_free(msg);
19226 		return;
19227 	}
19228 
19229 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19230 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19231 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19232 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19233 			      NL80211_ATTR_PAD) ||
19234 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19235 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19236 						ack_signal)))
19237 		goto nla_put_failure;
19238 
19239 	genlmsg_end(msg, hdr);
19240 
19241 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19242 				NL80211_MCGRP_MLME, gfp);
19243 	return;
19244 
19245  nla_put_failure:
19246 	nlmsg_free(msg);
19247 }
19248 EXPORT_SYMBOL(cfg80211_probe_status);
19249 
19250 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19251 				     size_t len, int freq, int sig_dbm)
19252 {
19253 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19254 	struct sk_buff *msg;
19255 	void *hdr;
19256 	struct cfg80211_beacon_registration *reg;
19257 
19258 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19259 
19260 	spin_lock_bh(&rdev->beacon_registrations_lock);
19261 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19262 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19263 		if (!msg) {
19264 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19265 			return;
19266 		}
19267 
19268 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19269 		if (!hdr)
19270 			goto nla_put_failure;
19271 
19272 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19273 		    (freq &&
19274 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19275 				  KHZ_TO_MHZ(freq)) ||
19276 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19277 				  freq % 1000))) ||
19278 		    (sig_dbm &&
19279 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19280 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19281 			goto nla_put_failure;
19282 
19283 		genlmsg_end(msg, hdr);
19284 
19285 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19286 	}
19287 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19288 	return;
19289 
19290  nla_put_failure:
19291 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19292 	nlmsg_free(msg);
19293 }
19294 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19295 
19296 #ifdef CONFIG_PM
19297 static int cfg80211_net_detect_results(struct sk_buff *msg,
19298 				       struct cfg80211_wowlan_wakeup *wakeup)
19299 {
19300 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19301 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19302 	int i, j;
19303 
19304 	nl_results = nla_nest_start_noflag(msg,
19305 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19306 	if (!nl_results)
19307 		return -EMSGSIZE;
19308 
19309 	for (i = 0; i < nd->n_matches; i++) {
19310 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19311 
19312 		nl_match = nla_nest_start_noflag(msg, i);
19313 		if (!nl_match)
19314 			break;
19315 
19316 		/* The SSID attribute is optional in nl80211, but for
19317 		 * simplicity reasons it's always present in the
19318 		 * cfg80211 structure.  If a driver can't pass the
19319 		 * SSID, that needs to be changed.  A zero length SSID
19320 		 * is still a valid SSID (wildcard), so it cannot be
19321 		 * used for this purpose.
19322 		 */
19323 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19324 			    match->ssid.ssid)) {
19325 			nla_nest_cancel(msg, nl_match);
19326 			goto out;
19327 		}
19328 
19329 		if (match->n_channels) {
19330 			nl_freqs = nla_nest_start_noflag(msg,
19331 							 NL80211_ATTR_SCAN_FREQUENCIES);
19332 			if (!nl_freqs) {
19333 				nla_nest_cancel(msg, nl_match);
19334 				goto out;
19335 			}
19336 
19337 			for (j = 0; j < match->n_channels; j++) {
19338 				if (nla_put_u32(msg, j, match->channels[j])) {
19339 					nla_nest_cancel(msg, nl_freqs);
19340 					nla_nest_cancel(msg, nl_match);
19341 					goto out;
19342 				}
19343 			}
19344 
19345 			nla_nest_end(msg, nl_freqs);
19346 		}
19347 
19348 		nla_nest_end(msg, nl_match);
19349 	}
19350 
19351 out:
19352 	nla_nest_end(msg, nl_results);
19353 	return 0;
19354 }
19355 
19356 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19357 				   struct cfg80211_wowlan_wakeup *wakeup,
19358 				   gfp_t gfp)
19359 {
19360 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19361 	struct sk_buff *msg;
19362 	void *hdr;
19363 	int size = 200;
19364 
19365 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19366 
19367 	if (wakeup)
19368 		size += wakeup->packet_present_len;
19369 
19370 	msg = nlmsg_new(size, gfp);
19371 	if (!msg)
19372 		return;
19373 
19374 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19375 	if (!hdr)
19376 		goto free_msg;
19377 
19378 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19379 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19380 			      NL80211_ATTR_PAD))
19381 		goto free_msg;
19382 
19383 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19384 					wdev->netdev->ifindex))
19385 		goto free_msg;
19386 
19387 	if (wakeup) {
19388 		struct nlattr *reasons;
19389 
19390 		reasons = nla_nest_start_noflag(msg,
19391 						NL80211_ATTR_WOWLAN_TRIGGERS);
19392 		if (!reasons)
19393 			goto free_msg;
19394 
19395 		if (wakeup->disconnect &&
19396 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19397 			goto free_msg;
19398 		if (wakeup->magic_pkt &&
19399 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19400 			goto free_msg;
19401 		if (wakeup->gtk_rekey_failure &&
19402 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19403 			goto free_msg;
19404 		if (wakeup->eap_identity_req &&
19405 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19406 			goto free_msg;
19407 		if (wakeup->four_way_handshake &&
19408 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19409 			goto free_msg;
19410 		if (wakeup->rfkill_release &&
19411 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19412 			goto free_msg;
19413 
19414 		if (wakeup->pattern_idx >= 0 &&
19415 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19416 				wakeup->pattern_idx))
19417 			goto free_msg;
19418 
19419 		if (wakeup->tcp_match &&
19420 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19421 			goto free_msg;
19422 
19423 		if (wakeup->tcp_connlost &&
19424 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19425 			goto free_msg;
19426 
19427 		if (wakeup->tcp_nomoretokens &&
19428 		    nla_put_flag(msg,
19429 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19430 			goto free_msg;
19431 
19432 		if (wakeup->packet) {
19433 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19434 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19435 
19436 			if (!wakeup->packet_80211) {
19437 				pkt_attr =
19438 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19439 				len_attr =
19440 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19441 			}
19442 
19443 			if (wakeup->packet_len &&
19444 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19445 				goto free_msg;
19446 
19447 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19448 				    wakeup->packet))
19449 				goto free_msg;
19450 		}
19451 
19452 		if (wakeup->net_detect &&
19453 		    cfg80211_net_detect_results(msg, wakeup))
19454 				goto free_msg;
19455 
19456 		nla_nest_end(msg, reasons);
19457 	}
19458 
19459 	genlmsg_end(msg, hdr);
19460 
19461 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19462 				NL80211_MCGRP_MLME, gfp);
19463 	return;
19464 
19465  free_msg:
19466 	nlmsg_free(msg);
19467 }
19468 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19469 #endif
19470 
19471 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19472 				enum nl80211_tdls_operation oper,
19473 				u16 reason_code, gfp_t gfp)
19474 {
19475 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19476 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19477 	struct sk_buff *msg;
19478 	void *hdr;
19479 
19480 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19481 					 reason_code);
19482 
19483 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19484 	if (!msg)
19485 		return;
19486 
19487 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19488 	if (!hdr) {
19489 		nlmsg_free(msg);
19490 		return;
19491 	}
19492 
19493 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19494 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19495 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19496 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19497 	    (reason_code > 0 &&
19498 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19499 		goto nla_put_failure;
19500 
19501 	genlmsg_end(msg, hdr);
19502 
19503 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19504 				NL80211_MCGRP_MLME, gfp);
19505 	return;
19506 
19507  nla_put_failure:
19508 	nlmsg_free(msg);
19509 }
19510 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19511 
19512 static int nl80211_netlink_notify(struct notifier_block * nb,
19513 				  unsigned long state,
19514 				  void *_notify)
19515 {
19516 	struct netlink_notify *notify = _notify;
19517 	struct cfg80211_registered_device *rdev;
19518 	struct wireless_dev *wdev;
19519 	struct cfg80211_beacon_registration *reg, *tmp;
19520 
19521 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19522 		return NOTIFY_DONE;
19523 
19524 	rcu_read_lock();
19525 
19526 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19527 		struct cfg80211_sched_scan_request *sched_scan_req;
19528 
19529 		list_for_each_entry_rcu(sched_scan_req,
19530 					&rdev->sched_scan_req_list,
19531 					list) {
19532 			if (sched_scan_req->owner_nlportid == notify->portid) {
19533 				sched_scan_req->nl_owner_dead = true;
19534 				schedule_work(&rdev->sched_scan_stop_wk);
19535 			}
19536 		}
19537 
19538 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19539 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19540 
19541 			if (wdev->owner_nlportid == notify->portid) {
19542 				wdev->nl_owner_dead = true;
19543 				schedule_work(&rdev->destroy_work);
19544 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19545 				schedule_work(&wdev->disconnect_wk);
19546 			}
19547 
19548 			cfg80211_release_pmsr(wdev, notify->portid);
19549 		}
19550 
19551 		spin_lock_bh(&rdev->beacon_registrations_lock);
19552 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19553 					 list) {
19554 			if (reg->nlportid == notify->portid) {
19555 				list_del(&reg->list);
19556 				kfree(reg);
19557 				break;
19558 			}
19559 		}
19560 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19561 	}
19562 
19563 	rcu_read_unlock();
19564 
19565 	/*
19566 	 * It is possible that the user space process that is controlling the
19567 	 * indoor setting disappeared, so notify the regulatory core.
19568 	 */
19569 	regulatory_netlink_notify(notify->portid);
19570 	return NOTIFY_OK;
19571 }
19572 
19573 static struct notifier_block nl80211_netlink_notifier = {
19574 	.notifier_call = nl80211_netlink_notify,
19575 };
19576 
19577 void cfg80211_ft_event(struct net_device *netdev,
19578 		       struct cfg80211_ft_event_params *ft_event)
19579 {
19580 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19581 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19582 	struct sk_buff *msg;
19583 	void *hdr;
19584 
19585 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
19586 
19587 	if (!ft_event->target_ap)
19588 		return;
19589 
19590 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
19591 			GFP_KERNEL);
19592 	if (!msg)
19593 		return;
19594 
19595 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
19596 	if (!hdr)
19597 		goto out;
19598 
19599 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19600 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19601 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
19602 		goto out;
19603 
19604 	if (ft_event->ies &&
19605 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
19606 		goto out;
19607 	if (ft_event->ric_ies &&
19608 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
19609 		    ft_event->ric_ies))
19610 		goto out;
19611 
19612 	genlmsg_end(msg, hdr);
19613 
19614 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19615 				NL80211_MCGRP_MLME, GFP_KERNEL);
19616 	return;
19617  out:
19618 	nlmsg_free(msg);
19619 }
19620 EXPORT_SYMBOL(cfg80211_ft_event);
19621 
19622 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
19623 {
19624 	struct cfg80211_registered_device *rdev;
19625 	struct sk_buff *msg;
19626 	void *hdr;
19627 	u32 nlportid;
19628 
19629 	rdev = wiphy_to_rdev(wdev->wiphy);
19630 	if (!rdev->crit_proto_nlportid)
19631 		return;
19632 
19633 	nlportid = rdev->crit_proto_nlportid;
19634 	rdev->crit_proto_nlportid = 0;
19635 
19636 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19637 	if (!msg)
19638 		return;
19639 
19640 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
19641 	if (!hdr)
19642 		goto nla_put_failure;
19643 
19644 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19645 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19646 			      NL80211_ATTR_PAD))
19647 		goto nla_put_failure;
19648 
19649 	genlmsg_end(msg, hdr);
19650 
19651 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19652 	return;
19653 
19654  nla_put_failure:
19655 	nlmsg_free(msg);
19656 }
19657 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
19658 
19659 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
19660 {
19661 	struct wiphy *wiphy = wdev->wiphy;
19662 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19663 	struct sk_buff *msg;
19664 	void *hdr;
19665 
19666 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19667 	if (!msg)
19668 		return;
19669 
19670 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
19671 	if (!hdr)
19672 		goto out;
19673 
19674 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19675 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
19676 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19677 			      NL80211_ATTR_PAD))
19678 		goto out;
19679 
19680 	genlmsg_end(msg, hdr);
19681 
19682 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
19683 				NL80211_MCGRP_MLME, GFP_KERNEL);
19684 	return;
19685  out:
19686 	nlmsg_free(msg);
19687 }
19688 
19689 int cfg80211_external_auth_request(struct net_device *dev,
19690 				   struct cfg80211_external_auth_params *params,
19691 				   gfp_t gfp)
19692 {
19693 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19694 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19695 	struct sk_buff *msg;
19696 	void *hdr;
19697 
19698 	if (!wdev->conn_owner_nlportid)
19699 		return -EINVAL;
19700 
19701 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19702 	if (!msg)
19703 		return -ENOMEM;
19704 
19705 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
19706 	if (!hdr)
19707 		goto nla_put_failure;
19708 
19709 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19710 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19711 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
19712 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
19713 			params->action) ||
19714 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
19715 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
19716 		    params->ssid.ssid))
19717 		goto nla_put_failure;
19718 
19719 	genlmsg_end(msg, hdr);
19720 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
19721 			wdev->conn_owner_nlportid);
19722 	return 0;
19723 
19724  nla_put_failure:
19725 	nlmsg_free(msg);
19726 	return -ENOBUFS;
19727 }
19728 EXPORT_SYMBOL(cfg80211_external_auth_request);
19729 
19730 void cfg80211_update_owe_info_event(struct net_device *netdev,
19731 				    struct cfg80211_update_owe_info *owe_info,
19732 				    gfp_t gfp)
19733 {
19734 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19735 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19736 	struct sk_buff *msg;
19737 	void *hdr;
19738 
19739 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
19740 
19741 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19742 	if (!msg)
19743 		return;
19744 
19745 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
19746 	if (!hdr)
19747 		goto nla_put_failure;
19748 
19749 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19750 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19751 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
19752 		goto nla_put_failure;
19753 
19754 	if (!owe_info->ie_len ||
19755 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
19756 		goto nla_put_failure;
19757 
19758 	genlmsg_end(msg, hdr);
19759 
19760 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19761 				NL80211_MCGRP_MLME, gfp);
19762 	return;
19763 
19764 nla_put_failure:
19765 	genlmsg_cancel(msg, hdr);
19766 	nlmsg_free(msg);
19767 }
19768 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
19769 
19770 /* initialisation/exit functions */
19771 
19772 int __init nl80211_init(void)
19773 {
19774 	int err;
19775 
19776 	err = genl_register_family(&nl80211_fam);
19777 	if (err)
19778 		return err;
19779 
19780 	err = netlink_register_notifier(&nl80211_netlink_notifier);
19781 	if (err)
19782 		goto err_out;
19783 
19784 	return 0;
19785  err_out:
19786 	genl_unregister_family(&nl80211_fam);
19787 	return err;
19788 }
19789 
19790 void nl80211_exit(void)
19791 {
19792 	netlink_unregister_notifier(&nl80211_netlink_notifier);
19793 	genl_unregister_family(&nl80211_fam);
19794 }
19795