xref: /openbmc/linux/net/wireless/nl80211.c (revision adb19164) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2023 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
327 };
328 
329 static const struct nla_policy
330 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
331 	[NL80211_PMSR_TYPE_FTM] =
332 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
333 };
334 
335 static const struct nla_policy
336 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
337 	[NL80211_PMSR_REQ_ATTR_DATA] =
338 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
339 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
340 };
341 
342 static const struct nla_policy
343 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
344 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
345 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
346 	[NL80211_PMSR_PEER_ATTR_REQ] =
347 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
348 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
349 };
350 
351 static const struct nla_policy
352 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
353 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
357 	[NL80211_PMSR_ATTR_PEERS] =
358 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
359 };
360 
361 static const struct nla_policy
362 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
363 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
364 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
365 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
366 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
367 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
368 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
369 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
370 		NLA_POLICY_EXACT_LEN(8),
371 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
372 		NLA_POLICY_EXACT_LEN(8),
373 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
374 };
375 
376 static const struct nla_policy
377 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
378 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
379 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
380 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
381 };
382 
383 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
384 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
385 				    .len = NL80211_MAX_SUPP_RATES },
386 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
387 				.len = NL80211_MAX_SUPP_HT_RATES },
388 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
389 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
390 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
391 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
392 						   NL80211_RATE_INFO_HE_GI_0_8,
393 						   NL80211_RATE_INFO_HE_GI_3_2),
394 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
395 						   NL80211_RATE_INFO_HE_1XLTF,
396 						   NL80211_RATE_INFO_HE_4XLTF),
397 };
398 
399 static const struct nla_policy
400 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
401 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
403 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
404 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
405 	[NL80211_TID_CONFIG_ATTR_NOACK] =
406 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
409 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
410 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
411 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
412 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
413 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
414 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
415 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
416 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
417 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
418 			NLA_POLICY_NESTED(nl80211_txattr_policy),
419 };
420 
421 static const struct nla_policy
422 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
425 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
426 			NLA_POLICY_RANGE(NLA_BINARY,
427 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
428 					 IEEE80211_MAX_DATA_LEN),
429 };
430 
431 static const struct nla_policy
432 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
434 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
435 						       .len = IEEE80211_MAX_DATA_LEN }
436 };
437 
438 static const struct nla_policy
439 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
440 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
441 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
442 };
443 
444 static const struct nla_policy
445 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
446 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
447 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
448 };
449 
450 static const struct nla_policy
451 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
453 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
454 						NLA_POLICY_MIN(NLA_U8, 1),
455 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
456 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
457 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
458 };
459 
460 static const struct nla_policy
461 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
462 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
463 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
464 };
465 
466 static struct netlink_range_validation nl80211_punct_bitmap_range = {
467 	.min = 0,
468 	.max = 0xffff,
469 };
470 
471 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
472 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
473 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
475 				      .len = 20-1 },
476 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
477 
478 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
479 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
480 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
481 						NL80211_EDMG_CHANNELS_MIN,
482 						NL80211_EDMG_CHANNELS_MAX),
483 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
484 						NL80211_EDMG_BW_CONFIG_MIN,
485 						NL80211_EDMG_BW_CONFIG_MAX),
486 
487 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
488 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
489 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
490 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
491 
492 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
493 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
494 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
495 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
496 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
497 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
498 
499 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
500 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
501 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
502 
503 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
504 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
505 
506 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
507 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
508 				    .len = WLAN_MAX_KEY_LEN },
509 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
510 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
511 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
512 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
513 	[NL80211_ATTR_KEY_TYPE] =
514 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
515 
516 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
517 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
518 	[NL80211_ATTR_BEACON_HEAD] =
519 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
520 				       IEEE80211_MAX_DATA_LEN),
521 	[NL80211_ATTR_BEACON_TAIL] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_STA_AID] =
525 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
526 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
527 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
528 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
529 					       .len = NL80211_MAX_SUPP_RATES },
530 	[NL80211_ATTR_STA_PLINK_ACTION] =
531 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
532 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
533 		NLA_POLICY_RANGE(NLA_U8,
534 				 NL80211_TX_POWER_AUTOMATIC,
535 				 NL80211_TX_POWER_FIXED),
536 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
537 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
538 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
539 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
540 				   .len = IEEE80211_MAX_MESH_ID_LEN },
541 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
542 
543 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
544 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
545 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
546 
547 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
548 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
549 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
550 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
551 					   .len = NL80211_MAX_SUPP_RATES },
552 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
553 
554 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
555 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
556 
557 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
558 
559 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
560 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
561 						   validate_ie_attr,
562 						   IEEE80211_MAX_DATA_LEN),
563 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
564 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
565 
566 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
567 				.len = IEEE80211_MAX_SSID_LEN },
568 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
569 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
570 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
572 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
573 						  NL80211_MFP_NO,
574 						  NL80211_MFP_OPTIONAL),
575 	[NL80211_ATTR_STA_FLAGS2] =
576 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
577 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
578 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
579 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
580 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
582 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
583 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
584 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
585 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
586 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
587 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
588 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
589 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
590 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
591 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
592 				 .len = IEEE80211_MAX_DATA_LEN },
593 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
594 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
595 						   NL80211_PS_DISABLED,
596 						   NL80211_PS_ENABLED),
597 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
598 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
600 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
601 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
602 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
603 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
604 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
605 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
606 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
607 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
608 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
609 	[NL80211_ATTR_STA_PLINK_STATE] =
610 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
611 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
612 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
613 	[NL80211_ATTR_MESH_PEER_AID] =
614 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
615 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
616 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
617 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
618 	[NL80211_ATTR_HIDDEN_SSID] =
619 		NLA_POLICY_RANGE(NLA_U32,
620 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
621 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
622 	[NL80211_ATTR_IE_PROBE_RESP] =
623 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
624 				       IEEE80211_MAX_DATA_LEN),
625 	[NL80211_ATTR_IE_ASSOC_RESP] =
626 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
627 				       IEEE80211_MAX_DATA_LEN),
628 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
629 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
630 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
631 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
632 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
633 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
634 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
635 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
638 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
640 				      .len = IEEE80211_MAX_DATA_LEN },
641 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
642 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
643 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
644 		.len = NL80211_HT_CAPABILITY_LEN
645 	},
646 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
647 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
648 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
649 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
650 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
651 
652 	/* need to include at least Auth Transaction and Status Code */
653 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
654 
655 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
656 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
657 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
658 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
659 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
660 		NLA_POLICY_RANGE(NLA_U32,
661 				 NL80211_MESH_POWER_UNKNOWN + 1,
662 				 NL80211_MESH_POWER_MAX),
663 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
664 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
665 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
666 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
667 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
668 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
669 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
670 		.len = NL80211_VHT_CAPABILITY_LEN,
671 	},
672 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
673 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
674 				  .len = IEEE80211_MAX_DATA_LEN },
675 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
676 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
677 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
678 	[NL80211_ATTR_PEER_AID] =
679 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
680 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
681 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
683 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
684 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
686 	/*
687 	 * The value of the Length field of the Supported Operating
688 	 * Classes element is between 2 and 253.
689 	 */
690 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
691 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
692 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
693 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
694 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
695 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
696 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
697 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
698 						  IEEE80211_QOS_MAP_LEN_MIN,
699 						  IEEE80211_QOS_MAP_LEN_MAX),
700 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
702 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
705 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
707 	[NL80211_ATTR_USER_PRIO] =
708 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
709 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
710 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
711 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
712 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
714 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
715 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
716 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
717 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
718 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
719 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
720 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
721 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
722 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
723 	},
724 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
725 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
726 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
727 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
728 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
729 				    .len = FILS_MAX_KEK_LEN },
730 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
731 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
732 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
733 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
734 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
735 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
736 	},
737 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
738 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
739 					     .len = FILS_ERP_MAX_USERNAME_LEN },
740 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
741 					  .len = FILS_ERP_MAX_REALM_LEN },
742 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
743 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
744 					.len = FILS_ERP_MAX_RRK_LEN },
745 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
746 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
747 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
748 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
749 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
750 
751 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
752 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
753 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
754 	[NL80211_ATTR_HE_CAPABILITY] =
755 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
756 				       NL80211_HE_MAX_CAPABILITY_LEN),
757 	[NL80211_ATTR_FTM_RESPONDER] =
758 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
759 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
760 	[NL80211_ATTR_PEER_MEASUREMENTS] =
761 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
762 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
763 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
764 					.len = SAE_PASSWORD_MAX_LEN },
765 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
766 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
767 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
768 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
769 	[NL80211_ATTR_TID_CONFIG] =
770 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
771 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
772 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
773 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
774 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
775 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
776 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
777 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
778 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
779 	[NL80211_ATTR_FILS_DISCOVERY] =
780 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
781 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
782 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
783 	[NL80211_ATTR_S1G_CAPABILITY] =
784 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
785 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
786 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
787 	[NL80211_ATTR_SAE_PWE] =
788 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
789 				 NL80211_SAE_PWE_BOTH),
790 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
791 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
792 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
793 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
794 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
795 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
796 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
797 	[NL80211_ATTR_MBSSID_CONFIG] =
798 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
799 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
800 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
801 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
802 	[NL80211_ATTR_EHT_CAPABILITY] =
803 		NLA_POLICY_RANGE(NLA_BINARY,
804 				 NL80211_EHT_MIN_CAPABILITY_LEN,
805 				 NL80211_EHT_MAX_CAPABILITY_LEN),
806 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
807 	[NL80211_ATTR_MLO_LINKS] =
808 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
809 	[NL80211_ATTR_MLO_LINK_ID] =
810 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
811 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
812 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
813 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
814 	[NL80211_ATTR_PUNCT_BITMAP] =
815 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
816 
817 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
818 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
819 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
820 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
821 };
822 
823 /* policy for the key attributes */
824 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
825 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
826 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
827 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
828 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
829 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
830 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
831 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
832 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
833 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
834 };
835 
836 /* policy for the key default flags */
837 static const struct nla_policy
838 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
839 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
840 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
841 };
842 
843 #ifdef CONFIG_PM
844 /* policy for WoWLAN attributes */
845 static const struct nla_policy
846 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
847 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
848 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
849 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
850 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
851 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
852 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
853 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
854 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
855 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
856 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
857 };
858 
859 static const struct nla_policy
860 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
861 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
862 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
863 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
864 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
865 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
866 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
867 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
868 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
869 	},
870 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
871 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
872 	},
873 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
874 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
875 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
876 };
877 #endif /* CONFIG_PM */
878 
879 /* policy for coalesce rule attributes */
880 static const struct nla_policy
881 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
882 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
883 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
884 		NLA_POLICY_RANGE(NLA_U32,
885 				 NL80211_COALESCE_CONDITION_MATCH,
886 				 NL80211_COALESCE_CONDITION_NO_MATCH),
887 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
888 };
889 
890 /* policy for GTK rekey offload attributes */
891 static const struct nla_policy
892 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
893 	[NL80211_REKEY_DATA_KEK] = {
894 		.type = NLA_BINARY,
895 		.len = NL80211_KEK_EXT_LEN
896 	},
897 	[NL80211_REKEY_DATA_KCK] = {
898 		.type = NLA_BINARY,
899 		.len = NL80211_KCK_EXT_LEN_32
900 	},
901 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
902 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
903 };
904 
905 static const struct nla_policy
906 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
907 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
908 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
909 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
910 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
911 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
912 };
913 
914 static const struct nla_policy
915 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
916 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
917 						 .len = IEEE80211_MAX_SSID_LEN },
918 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
919 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
920 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
921 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
922 };
923 
924 static const struct nla_policy
925 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
926 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
927 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
928 };
929 
930 static const struct nla_policy
931 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
932 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
933 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
934 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
935 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
936 	},
937 };
938 
939 /* policy for NAN function attributes */
940 static const struct nla_policy
941 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
942 	[NL80211_NAN_FUNC_TYPE] =
943 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
944 	[NL80211_NAN_FUNC_SERVICE_ID] = {
945 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
946 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
948 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
951 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
952 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
953 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
954 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
955 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
956 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
959 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
960 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
961 };
962 
963 /* policy for Service Response Filter attributes */
964 static const struct nla_policy
965 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
966 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
967 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
968 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
969 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
970 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
971 };
972 
973 /* policy for packet pattern attributes */
974 static const struct nla_policy
975 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
976 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
977 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
978 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
979 };
980 
981 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
982 				     struct cfg80211_registered_device **rdev,
983 				     struct wireless_dev **wdev,
984 				     struct nlattr **attrbuf)
985 {
986 	int err;
987 
988 	if (!cb->args[0]) {
989 		struct nlattr **attrbuf_free = NULL;
990 
991 		if (!attrbuf) {
992 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
993 					  GFP_KERNEL);
994 			if (!attrbuf)
995 				return -ENOMEM;
996 			attrbuf_free = attrbuf;
997 		}
998 
999 		err = nlmsg_parse_deprecated(cb->nlh,
1000 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1001 					     attrbuf, nl80211_fam.maxattr,
1002 					     nl80211_policy, NULL);
1003 		if (err) {
1004 			kfree(attrbuf_free);
1005 			return err;
1006 		}
1007 
1008 		rtnl_lock();
1009 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1010 						   attrbuf);
1011 		kfree(attrbuf_free);
1012 		if (IS_ERR(*wdev)) {
1013 			rtnl_unlock();
1014 			return PTR_ERR(*wdev);
1015 		}
1016 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1017 		mutex_lock(&(*rdev)->wiphy.mtx);
1018 		rtnl_unlock();
1019 		/* 0 is the first index - add 1 to parse only once */
1020 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1021 		cb->args[1] = (*wdev)->identifier;
1022 	} else {
1023 		/* subtract the 1 again here */
1024 		struct wiphy *wiphy;
1025 		struct wireless_dev *tmp;
1026 
1027 		rtnl_lock();
1028 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1029 		if (!wiphy) {
1030 			rtnl_unlock();
1031 			return -ENODEV;
1032 		}
1033 		*rdev = wiphy_to_rdev(wiphy);
1034 		*wdev = NULL;
1035 
1036 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1037 			if (tmp->identifier == cb->args[1]) {
1038 				*wdev = tmp;
1039 				break;
1040 			}
1041 		}
1042 
1043 		if (!*wdev) {
1044 			rtnl_unlock();
1045 			return -ENODEV;
1046 		}
1047 		mutex_lock(&(*rdev)->wiphy.mtx);
1048 		rtnl_unlock();
1049 	}
1050 
1051 	return 0;
1052 }
1053 
1054 /* message building helper */
1055 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1056 		     int flags, u8 cmd)
1057 {
1058 	/* since there is no private header just add the generic one */
1059 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1060 }
1061 
1062 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1063 				     const struct ieee80211_reg_rule *rule)
1064 {
1065 	int j;
1066 	struct nlattr *nl_wmm_rules =
1067 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1068 
1069 	if (!nl_wmm_rules)
1070 		goto nla_put_failure;
1071 
1072 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1073 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1074 
1075 		if (!nl_wmm_rule)
1076 			goto nla_put_failure;
1077 
1078 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1079 				rule->wmm_rule.client[j].cw_min) ||
1080 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1081 				rule->wmm_rule.client[j].cw_max) ||
1082 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1083 			       rule->wmm_rule.client[j].aifsn) ||
1084 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1085 			        rule->wmm_rule.client[j].cot))
1086 			goto nla_put_failure;
1087 
1088 		nla_nest_end(msg, nl_wmm_rule);
1089 	}
1090 	nla_nest_end(msg, nl_wmm_rules);
1091 
1092 	return 0;
1093 
1094 nla_put_failure:
1095 	return -ENOBUFS;
1096 }
1097 
1098 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1099 				   struct ieee80211_channel *chan,
1100 				   bool large)
1101 {
1102 	/* Some channels must be completely excluded from the
1103 	 * list to protect old user-space tools from breaking
1104 	 */
1105 	if (!large && chan->flags &
1106 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1107 		return 0;
1108 	if (!large && chan->freq_offset)
1109 		return 0;
1110 
1111 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1112 			chan->center_freq))
1113 		goto nla_put_failure;
1114 
1115 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1116 		goto nla_put_failure;
1117 
1118 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1119 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1120 		goto nla_put_failure;
1121 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1122 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1123 			goto nla_put_failure;
1124 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1125 			goto nla_put_failure;
1126 	}
1127 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1128 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1129 			goto nla_put_failure;
1130 		if (large) {
1131 			u32 time;
1132 
1133 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1134 
1135 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1136 					chan->dfs_state))
1137 				goto nla_put_failure;
1138 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1139 					time))
1140 				goto nla_put_failure;
1141 			if (nla_put_u32(msg,
1142 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1143 					chan->dfs_cac_ms))
1144 				goto nla_put_failure;
1145 		}
1146 	}
1147 
1148 	if (large) {
1149 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1169 			goto nla_put_failure;
1170 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1171 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1172 			goto nla_put_failure;
1173 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1174 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1175 			goto nla_put_failure;
1176 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1177 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1178 			goto nla_put_failure;
1179 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1180 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1181 			goto nla_put_failure;
1182 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1183 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1184 			goto nla_put_failure;
1185 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1186 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1187 			goto nla_put_failure;
1188 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1189 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1190 			goto nla_put_failure;
1191 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1192 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1193 			goto nla_put_failure;
1194 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1195 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1196 			goto nla_put_failure;
1197 	}
1198 
1199 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1200 			DBM_TO_MBM(chan->max_power)))
1201 		goto nla_put_failure;
1202 
1203 	if (large) {
1204 		const struct ieee80211_reg_rule *rule =
1205 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1206 
1207 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1208 			if (nl80211_msg_put_wmm_rules(msg, rule))
1209 				goto nla_put_failure;
1210 		}
1211 	}
1212 
1213 	return 0;
1214 
1215  nla_put_failure:
1216 	return -ENOBUFS;
1217 }
1218 
1219 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1220 				  struct cfg80211_txq_stats *txqstats,
1221 				  int attrtype)
1222 {
1223 	struct nlattr *txqattr;
1224 
1225 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1226 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1227 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1228 		return false;						  \
1229 	} while (0)
1230 
1231 	txqattr = nla_nest_start_noflag(msg, attrtype);
1232 	if (!txqattr)
1233 		return false;
1234 
1235 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1236 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1237 	PUT_TXQVAL_U32(FLOWS, flows);
1238 	PUT_TXQVAL_U32(DROPS, drops);
1239 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1240 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1241 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1242 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1243 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1244 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1245 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1246 	nla_nest_end(msg, txqattr);
1247 
1248 #undef PUT_TXQVAL_U32
1249 	return true;
1250 }
1251 
1252 /* netlink command implementations */
1253 
1254 /**
1255  * nl80211_link_id - return link ID
1256  * @attrs: attributes to look at
1257  *
1258  * Returns: the link ID or 0 if not given
1259  *
1260  * Note this function doesn't do any validation of the link
1261  * ID validity wrt. links that were actually added, so it must
1262  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1263  * or if additional validation is done.
1264  */
1265 static unsigned int nl80211_link_id(struct nlattr **attrs)
1266 {
1267 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1268 
1269 	if (!linkid)
1270 		return 0;
1271 
1272 	return nla_get_u8(linkid);
1273 }
1274 
1275 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1276 {
1277 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1278 
1279 	if (!linkid)
1280 		return -1;
1281 
1282 	return nla_get_u8(linkid);
1283 }
1284 
1285 struct key_parse {
1286 	struct key_params p;
1287 	int idx;
1288 	int type;
1289 	bool def, defmgmt, defbeacon;
1290 	bool def_uni, def_multi;
1291 };
1292 
1293 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1294 				 struct key_parse *k)
1295 {
1296 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1297 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1298 					      nl80211_key_policy,
1299 					      info->extack);
1300 	if (err)
1301 		return err;
1302 
1303 	k->def = !!tb[NL80211_KEY_DEFAULT];
1304 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1305 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1306 
1307 	if (k->def) {
1308 		k->def_uni = true;
1309 		k->def_multi = true;
1310 	}
1311 	if (k->defmgmt || k->defbeacon)
1312 		k->def_multi = true;
1313 
1314 	if (tb[NL80211_KEY_IDX])
1315 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1316 
1317 	if (tb[NL80211_KEY_DATA]) {
1318 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1319 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1320 	}
1321 
1322 	if (tb[NL80211_KEY_SEQ]) {
1323 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1324 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1325 	}
1326 
1327 	if (tb[NL80211_KEY_CIPHER])
1328 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1329 
1330 	if (tb[NL80211_KEY_TYPE])
1331 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1332 
1333 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1334 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1335 
1336 		err = nla_parse_nested_deprecated(kdt,
1337 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1338 						  tb[NL80211_KEY_DEFAULT_TYPES],
1339 						  nl80211_key_default_policy,
1340 						  info->extack);
1341 		if (err)
1342 			return err;
1343 
1344 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1345 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1346 	}
1347 
1348 	if (tb[NL80211_KEY_MODE])
1349 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1350 
1351 	return 0;
1352 }
1353 
1354 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1355 {
1356 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1357 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1358 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1359 	}
1360 
1361 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1362 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1363 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1364 	}
1365 
1366 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1367 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1368 
1369 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1370 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1371 
1372 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1373 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1374 
1375 	if (k->def) {
1376 		k->def_uni = true;
1377 		k->def_multi = true;
1378 	}
1379 	if (k->defmgmt)
1380 		k->def_multi = true;
1381 
1382 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1383 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1384 
1385 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1386 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1387 		int err = nla_parse_nested_deprecated(kdt,
1388 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1389 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1390 						      nl80211_key_default_policy,
1391 						      info->extack);
1392 		if (err)
1393 			return err;
1394 
1395 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1396 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1397 	}
1398 
1399 	return 0;
1400 }
1401 
1402 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1403 {
1404 	int err;
1405 
1406 	memset(k, 0, sizeof(*k));
1407 	k->idx = -1;
1408 	k->type = -1;
1409 
1410 	if (info->attrs[NL80211_ATTR_KEY])
1411 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1412 	else
1413 		err = nl80211_parse_key_old(info, k);
1414 
1415 	if (err)
1416 		return err;
1417 
1418 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1419 	    (k->defbeacon ? 1 : 0) > 1) {
1420 		GENL_SET_ERR_MSG(info,
1421 				 "key with multiple default flags is invalid");
1422 		return -EINVAL;
1423 	}
1424 
1425 	if (k->defmgmt || k->defbeacon) {
1426 		if (k->def_uni || !k->def_multi) {
1427 			GENL_SET_ERR_MSG(info,
1428 					 "defmgmt/defbeacon key must be mcast");
1429 			return -EINVAL;
1430 		}
1431 	}
1432 
1433 	if (k->idx != -1) {
1434 		if (k->defmgmt) {
1435 			if (k->idx < 4 || k->idx > 5) {
1436 				GENL_SET_ERR_MSG(info,
1437 						 "defmgmt key idx not 4 or 5");
1438 				return -EINVAL;
1439 			}
1440 		} else if (k->defbeacon) {
1441 			if (k->idx < 6 || k->idx > 7) {
1442 				GENL_SET_ERR_MSG(info,
1443 						 "defbeacon key idx not 6 or 7");
1444 				return -EINVAL;
1445 			}
1446 		} else if (k->def) {
1447 			if (k->idx < 0 || k->idx > 3) {
1448 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1449 				return -EINVAL;
1450 			}
1451 		} else {
1452 			if (k->idx < 0 || k->idx > 7) {
1453 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1454 				return -EINVAL;
1455 			}
1456 		}
1457 	}
1458 
1459 	return 0;
1460 }
1461 
1462 static struct cfg80211_cached_keys *
1463 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1464 		       struct genl_info *info, bool *no_ht)
1465 {
1466 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1467 	struct key_parse parse;
1468 	struct nlattr *key;
1469 	struct cfg80211_cached_keys *result;
1470 	int rem, err, def = 0;
1471 	bool have_key = false;
1472 
1473 	nla_for_each_nested(key, keys, rem) {
1474 		have_key = true;
1475 		break;
1476 	}
1477 
1478 	if (!have_key)
1479 		return NULL;
1480 
1481 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1482 	if (!result)
1483 		return ERR_PTR(-ENOMEM);
1484 
1485 	result->def = -1;
1486 
1487 	nla_for_each_nested(key, keys, rem) {
1488 		memset(&parse, 0, sizeof(parse));
1489 		parse.idx = -1;
1490 
1491 		err = nl80211_parse_key_new(info, key, &parse);
1492 		if (err)
1493 			goto error;
1494 		err = -EINVAL;
1495 		if (!parse.p.key)
1496 			goto error;
1497 		if (parse.idx < 0 || parse.idx > 3) {
1498 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1499 			goto error;
1500 		}
1501 		if (parse.def) {
1502 			if (def) {
1503 				GENL_SET_ERR_MSG(info,
1504 						 "only one key can be default");
1505 				goto error;
1506 			}
1507 			def = 1;
1508 			result->def = parse.idx;
1509 			if (!parse.def_uni || !parse.def_multi)
1510 				goto error;
1511 		} else if (parse.defmgmt)
1512 			goto error;
1513 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1514 						     parse.idx, false, NULL);
1515 		if (err)
1516 			goto error;
1517 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1518 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1519 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1520 			err = -EINVAL;
1521 			goto error;
1522 		}
1523 		result->params[parse.idx].cipher = parse.p.cipher;
1524 		result->params[parse.idx].key_len = parse.p.key_len;
1525 		result->params[parse.idx].key = result->data[parse.idx];
1526 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1527 
1528 		/* must be WEP key if we got here */
1529 		if (no_ht)
1530 			*no_ht = true;
1531 	}
1532 
1533 	if (result->def < 0) {
1534 		err = -EINVAL;
1535 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1536 		goto error;
1537 	}
1538 
1539 	return result;
1540  error:
1541 	kfree(result);
1542 	return ERR_PTR(err);
1543 }
1544 
1545 static int nl80211_key_allowed(struct wireless_dev *wdev)
1546 {
1547 	ASSERT_WDEV_LOCK(wdev);
1548 
1549 	switch (wdev->iftype) {
1550 	case NL80211_IFTYPE_AP:
1551 	case NL80211_IFTYPE_AP_VLAN:
1552 	case NL80211_IFTYPE_P2P_GO:
1553 	case NL80211_IFTYPE_MESH_POINT:
1554 		break;
1555 	case NL80211_IFTYPE_ADHOC:
1556 		if (wdev->u.ibss.current_bss)
1557 			return 0;
1558 		return -ENOLINK;
1559 	case NL80211_IFTYPE_STATION:
1560 	case NL80211_IFTYPE_P2P_CLIENT:
1561 		if (wdev->connected)
1562 			return 0;
1563 		return -ENOLINK;
1564 	case NL80211_IFTYPE_NAN:
1565 		if (wiphy_ext_feature_isset(wdev->wiphy,
1566 					    NL80211_EXT_FEATURE_SECURE_NAN))
1567 			return 0;
1568 		return -EINVAL;
1569 	case NL80211_IFTYPE_UNSPECIFIED:
1570 	case NL80211_IFTYPE_OCB:
1571 	case NL80211_IFTYPE_MONITOR:
1572 	case NL80211_IFTYPE_P2P_DEVICE:
1573 	case NL80211_IFTYPE_WDS:
1574 	case NUM_NL80211_IFTYPES:
1575 		return -EINVAL;
1576 	}
1577 
1578 	return 0;
1579 }
1580 
1581 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1582 							u32 freq)
1583 {
1584 	struct ieee80211_channel *chan;
1585 
1586 	chan = ieee80211_get_channel_khz(wiphy, freq);
1587 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1588 		return NULL;
1589 	return chan;
1590 }
1591 
1592 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1593 {
1594 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1595 	int i;
1596 
1597 	if (!nl_modes)
1598 		goto nla_put_failure;
1599 
1600 	i = 0;
1601 	while (ifmodes) {
1602 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1603 			goto nla_put_failure;
1604 		ifmodes >>= 1;
1605 		i++;
1606 	}
1607 
1608 	nla_nest_end(msg, nl_modes);
1609 	return 0;
1610 
1611 nla_put_failure:
1612 	return -ENOBUFS;
1613 }
1614 
1615 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1616 					  struct sk_buff *msg,
1617 					  bool large)
1618 {
1619 	struct nlattr *nl_combis;
1620 	int i, j;
1621 
1622 	nl_combis = nla_nest_start_noflag(msg,
1623 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1624 	if (!nl_combis)
1625 		goto nla_put_failure;
1626 
1627 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1628 		const struct ieee80211_iface_combination *c;
1629 		struct nlattr *nl_combi, *nl_limits;
1630 
1631 		c = &wiphy->iface_combinations[i];
1632 
1633 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1634 		if (!nl_combi)
1635 			goto nla_put_failure;
1636 
1637 		nl_limits = nla_nest_start_noflag(msg,
1638 						  NL80211_IFACE_COMB_LIMITS);
1639 		if (!nl_limits)
1640 			goto nla_put_failure;
1641 
1642 		for (j = 0; j < c->n_limits; j++) {
1643 			struct nlattr *nl_limit;
1644 
1645 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1646 			if (!nl_limit)
1647 				goto nla_put_failure;
1648 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1649 					c->limits[j].max))
1650 				goto nla_put_failure;
1651 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1652 						c->limits[j].types))
1653 				goto nla_put_failure;
1654 			nla_nest_end(msg, nl_limit);
1655 		}
1656 
1657 		nla_nest_end(msg, nl_limits);
1658 
1659 		if (c->beacon_int_infra_match &&
1660 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1661 			goto nla_put_failure;
1662 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1663 				c->num_different_channels) ||
1664 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1665 				c->max_interfaces))
1666 			goto nla_put_failure;
1667 		if (large &&
1668 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1669 				c->radar_detect_widths) ||
1670 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1671 				c->radar_detect_regions)))
1672 			goto nla_put_failure;
1673 		if (c->beacon_int_min_gcd &&
1674 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1675 				c->beacon_int_min_gcd))
1676 			goto nla_put_failure;
1677 
1678 		nla_nest_end(msg, nl_combi);
1679 	}
1680 
1681 	nla_nest_end(msg, nl_combis);
1682 
1683 	return 0;
1684 nla_put_failure:
1685 	return -ENOBUFS;
1686 }
1687 
1688 #ifdef CONFIG_PM
1689 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1690 					struct sk_buff *msg)
1691 {
1692 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1693 	struct nlattr *nl_tcp;
1694 
1695 	if (!tcp)
1696 		return 0;
1697 
1698 	nl_tcp = nla_nest_start_noflag(msg,
1699 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1700 	if (!nl_tcp)
1701 		return -ENOBUFS;
1702 
1703 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1704 			tcp->data_payload_max))
1705 		return -ENOBUFS;
1706 
1707 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1708 			tcp->data_payload_max))
1709 		return -ENOBUFS;
1710 
1711 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1712 		return -ENOBUFS;
1713 
1714 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1715 				sizeof(*tcp->tok), tcp->tok))
1716 		return -ENOBUFS;
1717 
1718 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1719 			tcp->data_interval_max))
1720 		return -ENOBUFS;
1721 
1722 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1723 			tcp->wake_payload_max))
1724 		return -ENOBUFS;
1725 
1726 	nla_nest_end(msg, nl_tcp);
1727 	return 0;
1728 }
1729 
1730 static int nl80211_send_wowlan(struct sk_buff *msg,
1731 			       struct cfg80211_registered_device *rdev,
1732 			       bool large)
1733 {
1734 	struct nlattr *nl_wowlan;
1735 
1736 	if (!rdev->wiphy.wowlan)
1737 		return 0;
1738 
1739 	nl_wowlan = nla_nest_start_noflag(msg,
1740 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1741 	if (!nl_wowlan)
1742 		return -ENOBUFS;
1743 
1744 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1745 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1746 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1747 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1748 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1749 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1750 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1751 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1752 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1753 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1754 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1755 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1756 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1757 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1758 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1759 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1760 		return -ENOBUFS;
1761 
1762 	if (rdev->wiphy.wowlan->n_patterns) {
1763 		struct nl80211_pattern_support pat = {
1764 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1765 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1766 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1767 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1768 		};
1769 
1770 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1771 			    sizeof(pat), &pat))
1772 			return -ENOBUFS;
1773 	}
1774 
1775 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1776 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1777 			rdev->wiphy.wowlan->max_nd_match_sets))
1778 		return -ENOBUFS;
1779 
1780 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1781 		return -ENOBUFS;
1782 
1783 	nla_nest_end(msg, nl_wowlan);
1784 
1785 	return 0;
1786 }
1787 #endif
1788 
1789 static int nl80211_send_coalesce(struct sk_buff *msg,
1790 				 struct cfg80211_registered_device *rdev)
1791 {
1792 	struct nl80211_coalesce_rule_support rule;
1793 
1794 	if (!rdev->wiphy.coalesce)
1795 		return 0;
1796 
1797 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1798 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1799 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1800 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1801 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1802 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1803 
1804 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1805 		return -ENOBUFS;
1806 
1807 	return 0;
1808 }
1809 
1810 static int
1811 nl80211_send_iftype_data(struct sk_buff *msg,
1812 			 const struct ieee80211_supported_band *sband,
1813 			 const struct ieee80211_sband_iftype_data *iftdata)
1814 {
1815 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1816 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1817 
1818 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1819 				iftdata->types_mask))
1820 		return -ENOBUFS;
1821 
1822 	if (he_cap->has_he) {
1823 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1824 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1825 			    he_cap->he_cap_elem.mac_cap_info) ||
1826 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1827 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1828 			    he_cap->he_cap_elem.phy_cap_info) ||
1829 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1830 			    sizeof(he_cap->he_mcs_nss_supp),
1831 			    &he_cap->he_mcs_nss_supp) ||
1832 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1833 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1834 			return -ENOBUFS;
1835 	}
1836 
1837 	if (eht_cap->has_eht && he_cap->has_he) {
1838 		u8 mcs_nss_size, ppe_thresh_size;
1839 		u16 ppe_thres_hdr;
1840 		bool is_ap;
1841 
1842 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1843 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1844 
1845 		mcs_nss_size =
1846 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1847 						   &eht_cap->eht_cap_elem,
1848 						   is_ap);
1849 
1850 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1851 		ppe_thresh_size =
1852 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1853 					       eht_cap->eht_cap_elem.phy_cap_info);
1854 
1855 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1856 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1857 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1858 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1859 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1860 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1861 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1862 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1863 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1864 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1865 			return -ENOBUFS;
1866 	}
1867 
1868 	if (sband->band == NL80211_BAND_6GHZ &&
1869 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1870 		    sizeof(iftdata->he_6ghz_capa),
1871 		    &iftdata->he_6ghz_capa))
1872 		return -ENOBUFS;
1873 
1874 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1875 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1876 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1877 		return -ENOBUFS;
1878 
1879 	return 0;
1880 }
1881 
1882 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1883 				      struct ieee80211_supported_band *sband,
1884 				      bool large)
1885 {
1886 	struct nlattr *nl_rates, *nl_rate;
1887 	struct ieee80211_rate *rate;
1888 	int i;
1889 
1890 	/* add HT info */
1891 	if (sband->ht_cap.ht_supported &&
1892 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1893 		     sizeof(sband->ht_cap.mcs),
1894 		     &sband->ht_cap.mcs) ||
1895 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1896 			 sband->ht_cap.cap) ||
1897 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1898 			sband->ht_cap.ampdu_factor) ||
1899 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1900 			sband->ht_cap.ampdu_density)))
1901 		return -ENOBUFS;
1902 
1903 	/* add VHT info */
1904 	if (sband->vht_cap.vht_supported &&
1905 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1906 		     sizeof(sband->vht_cap.vht_mcs),
1907 		     &sband->vht_cap.vht_mcs) ||
1908 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1909 			 sband->vht_cap.cap)))
1910 		return -ENOBUFS;
1911 
1912 	if (large && sband->n_iftype_data) {
1913 		struct nlattr *nl_iftype_data =
1914 			nla_nest_start_noflag(msg,
1915 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1916 		int err;
1917 
1918 		if (!nl_iftype_data)
1919 			return -ENOBUFS;
1920 
1921 		for (i = 0; i < sband->n_iftype_data; i++) {
1922 			struct nlattr *iftdata;
1923 
1924 			iftdata = nla_nest_start_noflag(msg, i + 1);
1925 			if (!iftdata)
1926 				return -ENOBUFS;
1927 
1928 			err = nl80211_send_iftype_data(msg, sband,
1929 						       &sband->iftype_data[i]);
1930 			if (err)
1931 				return err;
1932 
1933 			nla_nest_end(msg, iftdata);
1934 		}
1935 
1936 		nla_nest_end(msg, nl_iftype_data);
1937 	}
1938 
1939 	/* add EDMG info */
1940 	if (large && sband->edmg_cap.channels &&
1941 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1942 		       sband->edmg_cap.channels) ||
1943 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1944 		       sband->edmg_cap.bw_config)))
1945 
1946 		return -ENOBUFS;
1947 
1948 	/* add bitrates */
1949 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1950 	if (!nl_rates)
1951 		return -ENOBUFS;
1952 
1953 	for (i = 0; i < sband->n_bitrates; i++) {
1954 		nl_rate = nla_nest_start_noflag(msg, i);
1955 		if (!nl_rate)
1956 			return -ENOBUFS;
1957 
1958 		rate = &sband->bitrates[i];
1959 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1960 				rate->bitrate))
1961 			return -ENOBUFS;
1962 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1963 		    nla_put_flag(msg,
1964 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1965 			return -ENOBUFS;
1966 
1967 		nla_nest_end(msg, nl_rate);
1968 	}
1969 
1970 	nla_nest_end(msg, nl_rates);
1971 
1972 	/* S1G capabilities */
1973 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
1974 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
1975 		     sizeof(sband->s1g_cap.cap),
1976 		     sband->s1g_cap.cap) ||
1977 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
1978 		     sizeof(sband->s1g_cap.nss_mcs),
1979 		     sband->s1g_cap.nss_mcs)))
1980 		return -ENOBUFS;
1981 
1982 	return 0;
1983 }
1984 
1985 static int
1986 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1987 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1988 {
1989 	u16 stypes;
1990 	struct nlattr *nl_ftypes, *nl_ifs;
1991 	enum nl80211_iftype ift;
1992 	int i;
1993 
1994 	if (!mgmt_stypes)
1995 		return 0;
1996 
1997 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1998 	if (!nl_ifs)
1999 		return -ENOBUFS;
2000 
2001 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2002 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2003 		if (!nl_ftypes)
2004 			return -ENOBUFS;
2005 		i = 0;
2006 		stypes = mgmt_stypes[ift].tx;
2007 		while (stypes) {
2008 			if ((stypes & 1) &&
2009 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2010 					(i << 4) | IEEE80211_FTYPE_MGMT))
2011 				return -ENOBUFS;
2012 			stypes >>= 1;
2013 			i++;
2014 		}
2015 		nla_nest_end(msg, nl_ftypes);
2016 	}
2017 
2018 	nla_nest_end(msg, nl_ifs);
2019 
2020 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2021 	if (!nl_ifs)
2022 		return -ENOBUFS;
2023 
2024 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2025 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2026 		if (!nl_ftypes)
2027 			return -ENOBUFS;
2028 		i = 0;
2029 		stypes = mgmt_stypes[ift].rx;
2030 		while (stypes) {
2031 			if ((stypes & 1) &&
2032 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2033 					(i << 4) | IEEE80211_FTYPE_MGMT))
2034 				return -ENOBUFS;
2035 			stypes >>= 1;
2036 			i++;
2037 		}
2038 		nla_nest_end(msg, nl_ftypes);
2039 	}
2040 	nla_nest_end(msg, nl_ifs);
2041 
2042 	return 0;
2043 }
2044 
2045 #define CMD(op, n)							\
2046 	 do {								\
2047 		if (rdev->ops->op) {					\
2048 			i++;						\
2049 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2050 				goto nla_put_failure;			\
2051 		}							\
2052 	} while (0)
2053 
2054 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2055 					struct sk_buff *msg)
2056 {
2057 	int i = 0;
2058 
2059 	/*
2060 	 * do *NOT* add anything into this function, new things need to be
2061 	 * advertised only to new versions of userspace that can deal with
2062 	 * the split (and they can't possibly care about new features...
2063 	 */
2064 	CMD(add_virtual_intf, NEW_INTERFACE);
2065 	CMD(change_virtual_intf, SET_INTERFACE);
2066 	CMD(add_key, NEW_KEY);
2067 	CMD(start_ap, START_AP);
2068 	CMD(add_station, NEW_STATION);
2069 	CMD(add_mpath, NEW_MPATH);
2070 	CMD(update_mesh_config, SET_MESH_CONFIG);
2071 	CMD(change_bss, SET_BSS);
2072 	CMD(auth, AUTHENTICATE);
2073 	CMD(assoc, ASSOCIATE);
2074 	CMD(deauth, DEAUTHENTICATE);
2075 	CMD(disassoc, DISASSOCIATE);
2076 	CMD(join_ibss, JOIN_IBSS);
2077 	CMD(join_mesh, JOIN_MESH);
2078 	CMD(set_pmksa, SET_PMKSA);
2079 	CMD(del_pmksa, DEL_PMKSA);
2080 	CMD(flush_pmksa, FLUSH_PMKSA);
2081 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2082 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2083 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2084 	CMD(mgmt_tx, FRAME);
2085 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2086 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2087 		i++;
2088 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2089 			goto nla_put_failure;
2090 	}
2091 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2092 	    rdev->ops->join_mesh) {
2093 		i++;
2094 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2095 			goto nla_put_failure;
2096 	}
2097 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2098 		CMD(tdls_mgmt, TDLS_MGMT);
2099 		CMD(tdls_oper, TDLS_OPER);
2100 	}
2101 	if (rdev->wiphy.max_sched_scan_reqs)
2102 		CMD(sched_scan_start, START_SCHED_SCAN);
2103 	CMD(probe_client, PROBE_CLIENT);
2104 	CMD(set_noack_map, SET_NOACK_MAP);
2105 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2106 		i++;
2107 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2108 			goto nla_put_failure;
2109 	}
2110 	CMD(start_p2p_device, START_P2P_DEVICE);
2111 	CMD(set_mcast_rate, SET_MCAST_RATE);
2112 #ifdef CONFIG_NL80211_TESTMODE
2113 	CMD(testmode_cmd, TESTMODE);
2114 #endif
2115 
2116 	if (rdev->ops->connect || rdev->ops->auth) {
2117 		i++;
2118 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2119 			goto nla_put_failure;
2120 	}
2121 
2122 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2123 		i++;
2124 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2125 			goto nla_put_failure;
2126 	}
2127 
2128 	return i;
2129  nla_put_failure:
2130 	return -ENOBUFS;
2131 }
2132 
2133 static int
2134 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2135 			   struct sk_buff *msg)
2136 {
2137 	struct nlattr *ftm;
2138 
2139 	if (!cap->ftm.supported)
2140 		return 0;
2141 
2142 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2143 	if (!ftm)
2144 		return -ENOBUFS;
2145 
2146 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2147 		return -ENOBUFS;
2148 	if (cap->ftm.non_asap &&
2149 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2150 		return -ENOBUFS;
2151 	if (cap->ftm.request_lci &&
2152 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2153 		return -ENOBUFS;
2154 	if (cap->ftm.request_civicloc &&
2155 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2156 		return -ENOBUFS;
2157 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2158 			cap->ftm.preambles))
2159 		return -ENOBUFS;
2160 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2161 			cap->ftm.bandwidths))
2162 		return -ENOBUFS;
2163 	if (cap->ftm.max_bursts_exponent >= 0 &&
2164 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2165 			cap->ftm.max_bursts_exponent))
2166 		return -ENOBUFS;
2167 	if (cap->ftm.max_ftms_per_burst &&
2168 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2169 			cap->ftm.max_ftms_per_burst))
2170 		return -ENOBUFS;
2171 	if (cap->ftm.trigger_based &&
2172 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2173 		return -ENOBUFS;
2174 	if (cap->ftm.non_trigger_based &&
2175 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2176 		return -ENOBUFS;
2177 
2178 	nla_nest_end(msg, ftm);
2179 	return 0;
2180 }
2181 
2182 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2183 				  struct sk_buff *msg)
2184 {
2185 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2186 	struct nlattr *pmsr, *caps;
2187 
2188 	if (!cap)
2189 		return 0;
2190 
2191 	/*
2192 	 * we don't need to clean up anything here since the caller
2193 	 * will genlmsg_cancel() if we fail
2194 	 */
2195 
2196 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2197 	if (!pmsr)
2198 		return -ENOBUFS;
2199 
2200 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2201 		return -ENOBUFS;
2202 
2203 	if (cap->report_ap_tsf &&
2204 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2205 		return -ENOBUFS;
2206 
2207 	if (cap->randomize_mac_addr &&
2208 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2209 		return -ENOBUFS;
2210 
2211 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2212 	if (!caps)
2213 		return -ENOBUFS;
2214 
2215 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2216 		return -ENOBUFS;
2217 
2218 	nla_nest_end(msg, caps);
2219 	nla_nest_end(msg, pmsr);
2220 
2221 	return 0;
2222 }
2223 
2224 static int
2225 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2226 			      struct sk_buff *msg)
2227 {
2228 	int i;
2229 	struct nlattr *nested, *nested_akms;
2230 	const struct wiphy_iftype_akm_suites *iftype_akms;
2231 
2232 	if (!rdev->wiphy.num_iftype_akm_suites ||
2233 	    !rdev->wiphy.iftype_akm_suites)
2234 		return 0;
2235 
2236 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2237 	if (!nested)
2238 		return -ENOBUFS;
2239 
2240 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2241 		nested_akms = nla_nest_start(msg, i + 1);
2242 		if (!nested_akms)
2243 			return -ENOBUFS;
2244 
2245 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2246 
2247 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2248 					iftype_akms->iftypes_mask))
2249 			return -ENOBUFS;
2250 
2251 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2252 			    sizeof(u32) * iftype_akms->n_akm_suites,
2253 			    iftype_akms->akm_suites)) {
2254 			return -ENOBUFS;
2255 		}
2256 		nla_nest_end(msg, nested_akms);
2257 	}
2258 
2259 	nla_nest_end(msg, nested);
2260 
2261 	return 0;
2262 }
2263 
2264 static int
2265 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2266 			       struct sk_buff *msg)
2267 {
2268 	struct nlattr *supp;
2269 
2270 	if (!rdev->wiphy.tid_config_support.vif &&
2271 	    !rdev->wiphy.tid_config_support.peer)
2272 		return 0;
2273 
2274 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2275 	if (!supp)
2276 		return -ENOSPC;
2277 
2278 	if (rdev->wiphy.tid_config_support.vif &&
2279 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2280 			      rdev->wiphy.tid_config_support.vif,
2281 			      NL80211_TID_CONFIG_ATTR_PAD))
2282 		goto fail;
2283 
2284 	if (rdev->wiphy.tid_config_support.peer &&
2285 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2286 			      rdev->wiphy.tid_config_support.peer,
2287 			      NL80211_TID_CONFIG_ATTR_PAD))
2288 		goto fail;
2289 
2290 	/* for now we just use the same value ... makes more sense */
2291 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2292 		       rdev->wiphy.tid_config_support.max_retry))
2293 		goto fail;
2294 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2295 		       rdev->wiphy.tid_config_support.max_retry))
2296 		goto fail;
2297 
2298 	nla_nest_end(msg, supp);
2299 
2300 	return 0;
2301 fail:
2302 	nla_nest_cancel(msg, supp);
2303 	return -ENOBUFS;
2304 }
2305 
2306 static int
2307 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2308 		      struct sk_buff *msg)
2309 {
2310 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2311 	u8 num_freq_ranges;
2312 	int i;
2313 
2314 	if (!rdev->wiphy.sar_capa)
2315 		return 0;
2316 
2317 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2318 
2319 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2320 	if (!sar_capa)
2321 		return -ENOSPC;
2322 
2323 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2324 		goto fail;
2325 
2326 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2327 	if (!specs)
2328 		goto fail;
2329 
2330 	/* report supported freq_ranges */
2331 	for (i = 0; i < num_freq_ranges; i++) {
2332 		sub_freq_range = nla_nest_start(msg, i + 1);
2333 		if (!sub_freq_range)
2334 			goto fail;
2335 
2336 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2337 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2338 			goto fail;
2339 
2340 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2341 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2342 			goto fail;
2343 
2344 		nla_nest_end(msg, sub_freq_range);
2345 	}
2346 
2347 	nla_nest_end(msg, specs);
2348 	nla_nest_end(msg, sar_capa);
2349 
2350 	return 0;
2351 fail:
2352 	nla_nest_cancel(msg, sar_capa);
2353 	return -ENOBUFS;
2354 }
2355 
2356 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2357 {
2358 	struct nlattr *config;
2359 
2360 	if (!wiphy->mbssid_max_interfaces)
2361 		return 0;
2362 
2363 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2364 	if (!config)
2365 		return -ENOBUFS;
2366 
2367 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2368 		       wiphy->mbssid_max_interfaces))
2369 		goto fail;
2370 
2371 	if (wiphy->ema_max_profile_periodicity &&
2372 	    nla_put_u8(msg,
2373 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2374 		       wiphy->ema_max_profile_periodicity))
2375 		goto fail;
2376 
2377 	nla_nest_end(msg, config);
2378 	return 0;
2379 
2380 fail:
2381 	nla_nest_cancel(msg, config);
2382 	return -ENOBUFS;
2383 }
2384 
2385 struct nl80211_dump_wiphy_state {
2386 	s64 filter_wiphy;
2387 	long start;
2388 	long split_start, band_start, chan_start, capa_start;
2389 	bool split;
2390 };
2391 
2392 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2393 			      enum nl80211_commands cmd,
2394 			      struct sk_buff *msg, u32 portid, u32 seq,
2395 			      int flags, struct nl80211_dump_wiphy_state *state)
2396 {
2397 	void *hdr;
2398 	struct nlattr *nl_bands, *nl_band;
2399 	struct nlattr *nl_freqs, *nl_freq;
2400 	struct nlattr *nl_cmds;
2401 	enum nl80211_band band;
2402 	struct ieee80211_channel *chan;
2403 	int i;
2404 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2405 				rdev->wiphy.mgmt_stypes;
2406 	u32 features;
2407 
2408 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2409 	if (!hdr)
2410 		return -ENOBUFS;
2411 
2412 	if (WARN_ON(!state))
2413 		return -EINVAL;
2414 
2415 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2416 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2417 			   wiphy_name(&rdev->wiphy)) ||
2418 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2419 			cfg80211_rdev_list_generation))
2420 		goto nla_put_failure;
2421 
2422 	if (cmd != NL80211_CMD_NEW_WIPHY)
2423 		goto finish;
2424 
2425 	switch (state->split_start) {
2426 	case 0:
2427 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2428 			       rdev->wiphy.retry_short) ||
2429 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2430 			       rdev->wiphy.retry_long) ||
2431 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2432 				rdev->wiphy.frag_threshold) ||
2433 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2434 				rdev->wiphy.rts_threshold) ||
2435 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2436 			       rdev->wiphy.coverage_class) ||
2437 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2438 			       rdev->wiphy.max_scan_ssids) ||
2439 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2440 			       rdev->wiphy.max_sched_scan_ssids) ||
2441 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2442 				rdev->wiphy.max_scan_ie_len) ||
2443 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2444 				rdev->wiphy.max_sched_scan_ie_len) ||
2445 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2446 			       rdev->wiphy.max_match_sets))
2447 			goto nla_put_failure;
2448 
2449 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2450 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2451 			goto nla_put_failure;
2452 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2453 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2454 			goto nla_put_failure;
2455 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2456 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2457 			goto nla_put_failure;
2458 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2459 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2460 			goto nla_put_failure;
2461 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2462 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2463 			goto nla_put_failure;
2464 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2465 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2466 			goto nla_put_failure;
2467 		state->split_start++;
2468 		if (state->split)
2469 			break;
2470 		fallthrough;
2471 	case 1:
2472 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2473 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2474 			    rdev->wiphy.cipher_suites))
2475 			goto nla_put_failure;
2476 
2477 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2478 			       rdev->wiphy.max_num_pmkids))
2479 			goto nla_put_failure;
2480 
2481 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2482 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2483 			goto nla_put_failure;
2484 
2485 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2486 				rdev->wiphy.available_antennas_tx) ||
2487 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2488 				rdev->wiphy.available_antennas_rx))
2489 			goto nla_put_failure;
2490 
2491 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2492 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2493 				rdev->wiphy.probe_resp_offload))
2494 			goto nla_put_failure;
2495 
2496 		if ((rdev->wiphy.available_antennas_tx ||
2497 		     rdev->wiphy.available_antennas_rx) &&
2498 		    rdev->ops->get_antenna) {
2499 			u32 tx_ant = 0, rx_ant = 0;
2500 			int res;
2501 
2502 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2503 			if (!res) {
2504 				if (nla_put_u32(msg,
2505 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2506 						tx_ant) ||
2507 				    nla_put_u32(msg,
2508 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2509 						rx_ant))
2510 					goto nla_put_failure;
2511 			}
2512 		}
2513 
2514 		state->split_start++;
2515 		if (state->split)
2516 			break;
2517 		fallthrough;
2518 	case 2:
2519 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2520 					rdev->wiphy.interface_modes))
2521 				goto nla_put_failure;
2522 		state->split_start++;
2523 		if (state->split)
2524 			break;
2525 		fallthrough;
2526 	case 3:
2527 		nl_bands = nla_nest_start_noflag(msg,
2528 						 NL80211_ATTR_WIPHY_BANDS);
2529 		if (!nl_bands)
2530 			goto nla_put_failure;
2531 
2532 		for (band = state->band_start;
2533 		     band < (state->split ?
2534 				NUM_NL80211_BANDS :
2535 				NL80211_BAND_60GHZ + 1);
2536 		     band++) {
2537 			struct ieee80211_supported_band *sband;
2538 
2539 			/* omit higher bands for ancient software */
2540 			if (band > NL80211_BAND_5GHZ && !state->split)
2541 				break;
2542 
2543 			sband = rdev->wiphy.bands[band];
2544 
2545 			if (!sband)
2546 				continue;
2547 
2548 			nl_band = nla_nest_start_noflag(msg, band);
2549 			if (!nl_band)
2550 				goto nla_put_failure;
2551 
2552 			switch (state->chan_start) {
2553 			case 0:
2554 				if (nl80211_send_band_rateinfo(msg, sband,
2555 							       state->split))
2556 					goto nla_put_failure;
2557 				state->chan_start++;
2558 				if (state->split)
2559 					break;
2560 				fallthrough;
2561 			default:
2562 				/* add frequencies */
2563 				nl_freqs = nla_nest_start_noflag(msg,
2564 								 NL80211_BAND_ATTR_FREQS);
2565 				if (!nl_freqs)
2566 					goto nla_put_failure;
2567 
2568 				for (i = state->chan_start - 1;
2569 				     i < sband->n_channels;
2570 				     i++) {
2571 					nl_freq = nla_nest_start_noflag(msg,
2572 									i);
2573 					if (!nl_freq)
2574 						goto nla_put_failure;
2575 
2576 					chan = &sband->channels[i];
2577 
2578 					if (nl80211_msg_put_channel(
2579 							msg, &rdev->wiphy, chan,
2580 							state->split))
2581 						goto nla_put_failure;
2582 
2583 					nla_nest_end(msg, nl_freq);
2584 					if (state->split)
2585 						break;
2586 				}
2587 				if (i < sband->n_channels)
2588 					state->chan_start = i + 2;
2589 				else
2590 					state->chan_start = 0;
2591 				nla_nest_end(msg, nl_freqs);
2592 			}
2593 
2594 			nla_nest_end(msg, nl_band);
2595 
2596 			if (state->split) {
2597 				/* start again here */
2598 				if (state->chan_start)
2599 					band--;
2600 				break;
2601 			}
2602 		}
2603 		nla_nest_end(msg, nl_bands);
2604 
2605 		if (band < NUM_NL80211_BANDS)
2606 			state->band_start = band + 1;
2607 		else
2608 			state->band_start = 0;
2609 
2610 		/* if bands & channels are done, continue outside */
2611 		if (state->band_start == 0 && state->chan_start == 0)
2612 			state->split_start++;
2613 		if (state->split)
2614 			break;
2615 		fallthrough;
2616 	case 4:
2617 		nl_cmds = nla_nest_start_noflag(msg,
2618 						NL80211_ATTR_SUPPORTED_COMMANDS);
2619 		if (!nl_cmds)
2620 			goto nla_put_failure;
2621 
2622 		i = nl80211_add_commands_unsplit(rdev, msg);
2623 		if (i < 0)
2624 			goto nla_put_failure;
2625 		if (state->split) {
2626 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2627 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2628 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2629 				CMD(channel_switch, CHANNEL_SWITCH);
2630 			CMD(set_qos_map, SET_QOS_MAP);
2631 			if (rdev->wiphy.features &
2632 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2633 				CMD(add_tx_ts, ADD_TX_TS);
2634 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2635 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2636 			CMD(update_ft_ies, UPDATE_FT_IES);
2637 			if (rdev->wiphy.sar_capa)
2638 				CMD(set_sar_specs, SET_SAR_SPECS);
2639 		}
2640 #undef CMD
2641 
2642 		nla_nest_end(msg, nl_cmds);
2643 		state->split_start++;
2644 		if (state->split)
2645 			break;
2646 		fallthrough;
2647 	case 5:
2648 		if (rdev->ops->remain_on_channel &&
2649 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2650 		    nla_put_u32(msg,
2651 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2652 				rdev->wiphy.max_remain_on_channel_duration))
2653 			goto nla_put_failure;
2654 
2655 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2656 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2657 			goto nla_put_failure;
2658 
2659 		state->split_start++;
2660 		if (state->split)
2661 			break;
2662 		fallthrough;
2663 	case 6:
2664 #ifdef CONFIG_PM
2665 		if (nl80211_send_wowlan(msg, rdev, state->split))
2666 			goto nla_put_failure;
2667 		state->split_start++;
2668 		if (state->split)
2669 			break;
2670 #else
2671 		state->split_start++;
2672 #endif
2673 		fallthrough;
2674 	case 7:
2675 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2676 					rdev->wiphy.software_iftypes))
2677 			goto nla_put_failure;
2678 
2679 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2680 						   state->split))
2681 			goto nla_put_failure;
2682 
2683 		state->split_start++;
2684 		if (state->split)
2685 			break;
2686 		fallthrough;
2687 	case 8:
2688 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2689 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2690 				rdev->wiphy.ap_sme_capa))
2691 			goto nla_put_failure;
2692 
2693 		features = rdev->wiphy.features;
2694 		/*
2695 		 * We can only add the per-channel limit information if the
2696 		 * dump is split, otherwise it makes it too big. Therefore
2697 		 * only advertise it in that case.
2698 		 */
2699 		if (state->split)
2700 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2701 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2702 			goto nla_put_failure;
2703 
2704 		if (rdev->wiphy.ht_capa_mod_mask &&
2705 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2706 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2707 			    rdev->wiphy.ht_capa_mod_mask))
2708 			goto nla_put_failure;
2709 
2710 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2711 		    rdev->wiphy.max_acl_mac_addrs &&
2712 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2713 				rdev->wiphy.max_acl_mac_addrs))
2714 			goto nla_put_failure;
2715 
2716 		/*
2717 		 * Any information below this point is only available to
2718 		 * applications that can deal with it being split. This
2719 		 * helps ensure that newly added capabilities don't break
2720 		 * older tools by overrunning their buffers.
2721 		 *
2722 		 * We still increment split_start so that in the split
2723 		 * case we'll continue with more data in the next round,
2724 		 * but break unconditionally so unsplit data stops here.
2725 		 */
2726 		if (state->split)
2727 			state->split_start++;
2728 		else
2729 			state->split_start = 0;
2730 		break;
2731 	case 9:
2732 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2733 			goto nla_put_failure;
2734 
2735 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2736 				rdev->wiphy.max_sched_scan_plans) ||
2737 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2738 				rdev->wiphy.max_sched_scan_plan_interval) ||
2739 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2740 				rdev->wiphy.max_sched_scan_plan_iterations))
2741 			goto nla_put_failure;
2742 
2743 		if (rdev->wiphy.extended_capabilities &&
2744 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2745 			     rdev->wiphy.extended_capabilities_len,
2746 			     rdev->wiphy.extended_capabilities) ||
2747 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2748 			     rdev->wiphy.extended_capabilities_len,
2749 			     rdev->wiphy.extended_capabilities_mask)))
2750 			goto nla_put_failure;
2751 
2752 		if (rdev->wiphy.vht_capa_mod_mask &&
2753 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2754 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2755 			    rdev->wiphy.vht_capa_mod_mask))
2756 			goto nla_put_failure;
2757 
2758 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2759 			    rdev->wiphy.perm_addr))
2760 			goto nla_put_failure;
2761 
2762 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2763 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2764 			    rdev->wiphy.addr_mask))
2765 			goto nla_put_failure;
2766 
2767 		if (rdev->wiphy.n_addresses > 1) {
2768 			void *attr;
2769 
2770 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2771 			if (!attr)
2772 				goto nla_put_failure;
2773 
2774 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2775 				if (nla_put(msg, i + 1, ETH_ALEN,
2776 					    rdev->wiphy.addresses[i].addr))
2777 					goto nla_put_failure;
2778 
2779 			nla_nest_end(msg, attr);
2780 		}
2781 
2782 		state->split_start++;
2783 		break;
2784 	case 10:
2785 		if (nl80211_send_coalesce(msg, rdev))
2786 			goto nla_put_failure;
2787 
2788 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2789 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2790 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2791 			goto nla_put_failure;
2792 
2793 		if (rdev->wiphy.max_ap_assoc_sta &&
2794 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2795 				rdev->wiphy.max_ap_assoc_sta))
2796 			goto nla_put_failure;
2797 
2798 		state->split_start++;
2799 		break;
2800 	case 11:
2801 		if (rdev->wiphy.n_vendor_commands) {
2802 			const struct nl80211_vendor_cmd_info *info;
2803 			struct nlattr *nested;
2804 
2805 			nested = nla_nest_start_noflag(msg,
2806 						       NL80211_ATTR_VENDOR_DATA);
2807 			if (!nested)
2808 				goto nla_put_failure;
2809 
2810 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2811 				info = &rdev->wiphy.vendor_commands[i].info;
2812 				if (nla_put(msg, i + 1, sizeof(*info), info))
2813 					goto nla_put_failure;
2814 			}
2815 			nla_nest_end(msg, nested);
2816 		}
2817 
2818 		if (rdev->wiphy.n_vendor_events) {
2819 			const struct nl80211_vendor_cmd_info *info;
2820 			struct nlattr *nested;
2821 
2822 			nested = nla_nest_start_noflag(msg,
2823 						       NL80211_ATTR_VENDOR_EVENTS);
2824 			if (!nested)
2825 				goto nla_put_failure;
2826 
2827 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2828 				info = &rdev->wiphy.vendor_events[i];
2829 				if (nla_put(msg, i + 1, sizeof(*info), info))
2830 					goto nla_put_failure;
2831 			}
2832 			nla_nest_end(msg, nested);
2833 		}
2834 		state->split_start++;
2835 		break;
2836 	case 12:
2837 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2838 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2839 			       rdev->wiphy.max_num_csa_counters))
2840 			goto nla_put_failure;
2841 
2842 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2843 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2844 			goto nla_put_failure;
2845 
2846 		if (rdev->wiphy.max_sched_scan_reqs &&
2847 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2848 				rdev->wiphy.max_sched_scan_reqs))
2849 			goto nla_put_failure;
2850 
2851 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2852 			    sizeof(rdev->wiphy.ext_features),
2853 			    rdev->wiphy.ext_features))
2854 			goto nla_put_failure;
2855 
2856 		if (rdev->wiphy.bss_select_support) {
2857 			struct nlattr *nested;
2858 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2859 
2860 			nested = nla_nest_start_noflag(msg,
2861 						       NL80211_ATTR_BSS_SELECT);
2862 			if (!nested)
2863 				goto nla_put_failure;
2864 
2865 			i = 0;
2866 			while (bss_select_support) {
2867 				if ((bss_select_support & 1) &&
2868 				    nla_put_flag(msg, i))
2869 					goto nla_put_failure;
2870 				i++;
2871 				bss_select_support >>= 1;
2872 			}
2873 			nla_nest_end(msg, nested);
2874 		}
2875 
2876 		state->split_start++;
2877 		break;
2878 	case 13:
2879 		if (rdev->wiphy.num_iftype_ext_capab &&
2880 		    rdev->wiphy.iftype_ext_capab) {
2881 			struct nlattr *nested_ext_capab, *nested;
2882 
2883 			nested = nla_nest_start_noflag(msg,
2884 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2885 			if (!nested)
2886 				goto nla_put_failure;
2887 
2888 			for (i = state->capa_start;
2889 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2890 				const struct wiphy_iftype_ext_capab *capab;
2891 
2892 				capab = &rdev->wiphy.iftype_ext_capab[i];
2893 
2894 				nested_ext_capab = nla_nest_start_noflag(msg,
2895 									 i);
2896 				if (!nested_ext_capab ||
2897 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2898 						capab->iftype) ||
2899 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2900 					    capab->extended_capabilities_len,
2901 					    capab->extended_capabilities) ||
2902 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2903 					    capab->extended_capabilities_len,
2904 					    capab->extended_capabilities_mask))
2905 					goto nla_put_failure;
2906 
2907 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2908 				    (nla_put_u16(msg,
2909 						 NL80211_ATTR_EML_CAPABILITY,
2910 						 capab->eml_capabilities) ||
2911 				     nla_put_u16(msg,
2912 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2913 						 capab->mld_capa_and_ops)))
2914 					goto nla_put_failure;
2915 
2916 				nla_nest_end(msg, nested_ext_capab);
2917 				if (state->split)
2918 					break;
2919 			}
2920 			nla_nest_end(msg, nested);
2921 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2922 				state->capa_start = i + 1;
2923 				break;
2924 			}
2925 		}
2926 
2927 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2928 				rdev->wiphy.nan_supported_bands))
2929 			goto nla_put_failure;
2930 
2931 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2932 					    NL80211_EXT_FEATURE_TXQS)) {
2933 			struct cfg80211_txq_stats txqstats = {};
2934 			int res;
2935 
2936 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2937 			if (!res &&
2938 			    !nl80211_put_txq_stats(msg, &txqstats,
2939 						   NL80211_ATTR_TXQ_STATS))
2940 				goto nla_put_failure;
2941 
2942 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2943 					rdev->wiphy.txq_limit))
2944 				goto nla_put_failure;
2945 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2946 					rdev->wiphy.txq_memory_limit))
2947 				goto nla_put_failure;
2948 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2949 					rdev->wiphy.txq_quantum))
2950 				goto nla_put_failure;
2951 		}
2952 
2953 		state->split_start++;
2954 		break;
2955 	case 14:
2956 		if (nl80211_send_pmsr_capa(rdev, msg))
2957 			goto nla_put_failure;
2958 
2959 		state->split_start++;
2960 		break;
2961 	case 15:
2962 		if (rdev->wiphy.akm_suites &&
2963 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2964 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2965 			    rdev->wiphy.akm_suites))
2966 			goto nla_put_failure;
2967 
2968 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2969 			goto nla_put_failure;
2970 
2971 		if (nl80211_put_tid_config_support(rdev, msg))
2972 			goto nla_put_failure;
2973 		state->split_start++;
2974 		break;
2975 	case 16:
2976 		if (nl80211_put_sar_specs(rdev, msg))
2977 			goto nla_put_failure;
2978 
2979 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2980 			goto nla_put_failure;
2981 
2982 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2983 				rdev->wiphy.max_num_akm_suites))
2984 			goto nla_put_failure;
2985 
2986 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2987 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2988 
2989 		if (rdev->wiphy.hw_timestamp_max_peers &&
2990 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
2991 				rdev->wiphy.hw_timestamp_max_peers))
2992 			goto nla_put_failure;
2993 
2994 		/* done */
2995 		state->split_start = 0;
2996 		break;
2997 	}
2998  finish:
2999 	genlmsg_end(msg, hdr);
3000 	return 0;
3001 
3002  nla_put_failure:
3003 	genlmsg_cancel(msg, hdr);
3004 	return -EMSGSIZE;
3005 }
3006 
3007 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3008 				    struct netlink_callback *cb,
3009 				    struct nl80211_dump_wiphy_state *state)
3010 {
3011 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3012 	int ret;
3013 
3014 	if (!tb)
3015 		return -ENOMEM;
3016 
3017 	ret = nlmsg_parse_deprecated(cb->nlh,
3018 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3019 				     tb, nl80211_fam.maxattr,
3020 				     nl80211_policy, NULL);
3021 	/* ignore parse errors for backward compatibility */
3022 	if (ret) {
3023 		ret = 0;
3024 		goto out;
3025 	}
3026 
3027 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3028 	if (tb[NL80211_ATTR_WIPHY])
3029 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3030 	if (tb[NL80211_ATTR_WDEV])
3031 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3032 	if (tb[NL80211_ATTR_IFINDEX]) {
3033 		struct net_device *netdev;
3034 		struct cfg80211_registered_device *rdev;
3035 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3036 
3037 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3038 		if (!netdev) {
3039 			ret = -ENODEV;
3040 			goto out;
3041 		}
3042 		if (netdev->ieee80211_ptr) {
3043 			rdev = wiphy_to_rdev(
3044 				netdev->ieee80211_ptr->wiphy);
3045 			state->filter_wiphy = rdev->wiphy_idx;
3046 		}
3047 	}
3048 
3049 	ret = 0;
3050 out:
3051 	kfree(tb);
3052 	return ret;
3053 }
3054 
3055 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3056 {
3057 	int idx = 0, ret;
3058 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3059 	struct cfg80211_registered_device *rdev;
3060 
3061 	rtnl_lock();
3062 	if (!state) {
3063 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3064 		if (!state) {
3065 			rtnl_unlock();
3066 			return -ENOMEM;
3067 		}
3068 		state->filter_wiphy = -1;
3069 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3070 		if (ret) {
3071 			kfree(state);
3072 			rtnl_unlock();
3073 			return ret;
3074 		}
3075 		cb->args[0] = (long)state;
3076 	}
3077 
3078 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3079 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3080 			continue;
3081 		if (++idx <= state->start)
3082 			continue;
3083 		if (state->filter_wiphy != -1 &&
3084 		    state->filter_wiphy != rdev->wiphy_idx)
3085 			continue;
3086 		wiphy_lock(&rdev->wiphy);
3087 		/* attempt to fit multiple wiphy data chunks into the skb */
3088 		do {
3089 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3090 						 skb,
3091 						 NETLINK_CB(cb->skb).portid,
3092 						 cb->nlh->nlmsg_seq,
3093 						 NLM_F_MULTI, state);
3094 			if (ret < 0) {
3095 				/*
3096 				 * If sending the wiphy data didn't fit (ENOBUFS
3097 				 * or EMSGSIZE returned), this SKB is still
3098 				 * empty (so it's not too big because another
3099 				 * wiphy dataset is already in the skb) and
3100 				 * we've not tried to adjust the dump allocation
3101 				 * yet ... then adjust the alloc size to be
3102 				 * bigger, and return 1 but with the empty skb.
3103 				 * This results in an empty message being RX'ed
3104 				 * in userspace, but that is ignored.
3105 				 *
3106 				 * We can then retry with the larger buffer.
3107 				 */
3108 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3109 				    !skb->len && !state->split &&
3110 				    cb->min_dump_alloc < 4096) {
3111 					cb->min_dump_alloc = 4096;
3112 					state->split_start = 0;
3113 					wiphy_unlock(&rdev->wiphy);
3114 					rtnl_unlock();
3115 					return 1;
3116 				}
3117 				idx--;
3118 				break;
3119 			}
3120 		} while (state->split_start > 0);
3121 		wiphy_unlock(&rdev->wiphy);
3122 		break;
3123 	}
3124 	rtnl_unlock();
3125 
3126 	state->start = idx;
3127 
3128 	return skb->len;
3129 }
3130 
3131 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3132 {
3133 	kfree((void *)cb->args[0]);
3134 	return 0;
3135 }
3136 
3137 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3138 {
3139 	struct sk_buff *msg;
3140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3141 	struct nl80211_dump_wiphy_state state = {};
3142 
3143 	msg = nlmsg_new(4096, GFP_KERNEL);
3144 	if (!msg)
3145 		return -ENOMEM;
3146 
3147 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3148 			       info->snd_portid, info->snd_seq, 0,
3149 			       &state) < 0) {
3150 		nlmsg_free(msg);
3151 		return -ENOBUFS;
3152 	}
3153 
3154 	return genlmsg_reply(msg, info);
3155 }
3156 
3157 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3158 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3159 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3160 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3161 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3162 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3163 };
3164 
3165 static int parse_txq_params(struct nlattr *tb[],
3166 			    struct ieee80211_txq_params *txq_params)
3167 {
3168 	u8 ac;
3169 
3170 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3171 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3172 	    !tb[NL80211_TXQ_ATTR_AIFS])
3173 		return -EINVAL;
3174 
3175 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3176 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3177 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3178 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3179 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3180 
3181 	if (ac >= NL80211_NUM_ACS)
3182 		return -EINVAL;
3183 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3184 	return 0;
3185 }
3186 
3187 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3188 {
3189 	/*
3190 	 * You can only set the channel explicitly for some interfaces,
3191 	 * most have their channel managed via their respective
3192 	 * "establish a connection" command (connect, join, ...)
3193 	 *
3194 	 * For AP/GO and mesh mode, the channel can be set with the
3195 	 * channel userspace API, but is only stored and passed to the
3196 	 * low-level driver when the AP starts or the mesh is joined.
3197 	 * This is for backward compatibility, userspace can also give
3198 	 * the channel in the start-ap or join-mesh commands instead.
3199 	 *
3200 	 * Monitors are special as they are normally slaved to
3201 	 * whatever else is going on, so they have their own special
3202 	 * operation to set the monitor channel if possible.
3203 	 */
3204 	return !wdev ||
3205 		wdev->iftype == NL80211_IFTYPE_AP ||
3206 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3207 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3208 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3209 }
3210 
3211 static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
3212 				      struct genl_info *info,
3213 				      const struct cfg80211_chan_def *chandef,
3214 				      u16 *punct_bitmap)
3215 {
3216 	if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
3217 		return -EINVAL;
3218 
3219 	*punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3220 	if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
3221 		return -EINVAL;
3222 
3223 	return 0;
3224 }
3225 
3226 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3227 			  struct genl_info *info,
3228 			  struct cfg80211_chan_def *chandef)
3229 {
3230 	struct netlink_ext_ack *extack = info->extack;
3231 	struct nlattr **attrs = info->attrs;
3232 	u32 control_freq;
3233 
3234 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3235 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3236 				    "Frequency is missing");
3237 		return -EINVAL;
3238 	}
3239 
3240 	control_freq = MHZ_TO_KHZ(
3241 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3242 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3243 		control_freq +=
3244 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3245 
3246 	memset(chandef, 0, sizeof(*chandef));
3247 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3248 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3249 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3250 	chandef->freq1_offset = control_freq % 1000;
3251 	chandef->center_freq2 = 0;
3252 
3253 	/* Primary channel not allowed */
3254 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3255 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3256 				    "Channel is disabled");
3257 		return -EINVAL;
3258 	}
3259 
3260 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3261 		enum nl80211_channel_type chantype;
3262 
3263 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3264 
3265 		switch (chantype) {
3266 		case NL80211_CHAN_NO_HT:
3267 		case NL80211_CHAN_HT20:
3268 		case NL80211_CHAN_HT40PLUS:
3269 		case NL80211_CHAN_HT40MINUS:
3270 			cfg80211_chandef_create(chandef, chandef->chan,
3271 						chantype);
3272 			/* user input for center_freq is incorrect */
3273 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3274 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3275 				NL_SET_ERR_MSG_ATTR(extack,
3276 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3277 						    "bad center frequency 1");
3278 				return -EINVAL;
3279 			}
3280 			/* center_freq2 must be zero */
3281 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3282 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3283 				NL_SET_ERR_MSG_ATTR(extack,
3284 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3285 						    "center frequency 2 can't be used");
3286 				return -EINVAL;
3287 			}
3288 			break;
3289 		default:
3290 			NL_SET_ERR_MSG_ATTR(extack,
3291 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3292 					    "invalid channel type");
3293 			return -EINVAL;
3294 		}
3295 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3296 		chandef->width =
3297 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3298 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3299 			/* User input error for channel width doesn't match channel  */
3300 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3301 				NL_SET_ERR_MSG_ATTR(extack,
3302 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3303 						    "bad channel width");
3304 				return -EINVAL;
3305 			}
3306 		}
3307 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3308 			chandef->center_freq1 =
3309 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3310 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3311 				chandef->freq1_offset = nla_get_u32(
3312 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3313 			else
3314 				chandef->freq1_offset = 0;
3315 		}
3316 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3317 			chandef->center_freq2 =
3318 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3319 	}
3320 
3321 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3322 		chandef->edmg.channels =
3323 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3324 
3325 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3326 			chandef->edmg.bw_config =
3327 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3328 	} else {
3329 		chandef->edmg.bw_config = 0;
3330 		chandef->edmg.channels = 0;
3331 	}
3332 
3333 	if (!cfg80211_chandef_valid(chandef)) {
3334 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3335 		return -EINVAL;
3336 	}
3337 
3338 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3339 				     IEEE80211_CHAN_DISABLED)) {
3340 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3341 		return -EINVAL;
3342 	}
3343 
3344 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3345 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3346 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3347 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3348 		return -EINVAL;
3349 	}
3350 
3351 	return 0;
3352 }
3353 
3354 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3355 				 struct net_device *dev,
3356 				 struct genl_info *info,
3357 				 int _link_id)
3358 {
3359 	struct cfg80211_chan_def chandef;
3360 	int result;
3361 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3362 	struct wireless_dev *wdev = NULL;
3363 	int link_id = _link_id;
3364 
3365 	if (dev)
3366 		wdev = dev->ieee80211_ptr;
3367 	if (!nl80211_can_set_dev_channel(wdev))
3368 		return -EOPNOTSUPP;
3369 	if (wdev)
3370 		iftype = wdev->iftype;
3371 
3372 	if (link_id < 0) {
3373 		if (wdev && wdev->valid_links)
3374 			return -EINVAL;
3375 		link_id = 0;
3376 	}
3377 
3378 	result = nl80211_parse_chandef(rdev, info, &chandef);
3379 	if (result)
3380 		return result;
3381 
3382 	switch (iftype) {
3383 	case NL80211_IFTYPE_AP:
3384 	case NL80211_IFTYPE_P2P_GO:
3385 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3386 						   iftype))
3387 			return -EINVAL;
3388 		if (wdev->links[link_id].ap.beacon_interval) {
3389 			struct ieee80211_channel *cur_chan;
3390 
3391 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3392 			    !(rdev->wiphy.features &
3393 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3394 				return -EBUSY;
3395 
3396 			/* Only allow dynamic channel width changes */
3397 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3398 			if (chandef.chan != cur_chan)
3399 				return -EBUSY;
3400 
3401 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3402 						       &chandef);
3403 			if (result)
3404 				return result;
3405 			wdev->links[link_id].ap.chandef = chandef;
3406 		} else {
3407 			wdev->u.ap.preset_chandef = chandef;
3408 		}
3409 		return 0;
3410 	case NL80211_IFTYPE_MESH_POINT:
3411 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3412 	case NL80211_IFTYPE_MONITOR:
3413 		return cfg80211_set_monitor_channel(rdev, &chandef);
3414 	default:
3415 		break;
3416 	}
3417 
3418 	return -EINVAL;
3419 }
3420 
3421 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3422 {
3423 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3424 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3425 	struct net_device *netdev = info->user_ptr[1];
3426 	int ret;
3427 
3428 	wdev_lock(netdev->ieee80211_ptr);
3429 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3430 	wdev_unlock(netdev->ieee80211_ptr);
3431 
3432 	return ret;
3433 }
3434 
3435 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3436 {
3437 	struct cfg80211_registered_device *rdev = NULL;
3438 	struct net_device *netdev = NULL;
3439 	struct wireless_dev *wdev;
3440 	int result = 0, rem_txq_params = 0;
3441 	struct nlattr *nl_txq_params;
3442 	u32 changed;
3443 	u8 retry_short = 0, retry_long = 0;
3444 	u32 frag_threshold = 0, rts_threshold = 0;
3445 	u8 coverage_class = 0;
3446 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3447 
3448 	rtnl_lock();
3449 	/*
3450 	 * Try to find the wiphy and netdev. Normally this
3451 	 * function shouldn't need the netdev, but this is
3452 	 * done for backward compatibility -- previously
3453 	 * setting the channel was done per wiphy, but now
3454 	 * it is per netdev. Previous userland like hostapd
3455 	 * also passed a netdev to set_wiphy, so that it is
3456 	 * possible to let that go to the right netdev!
3457 	 */
3458 
3459 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3460 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3461 
3462 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3463 		if (netdev && netdev->ieee80211_ptr)
3464 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3465 		else
3466 			netdev = NULL;
3467 	}
3468 
3469 	if (!netdev) {
3470 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3471 						  info->attrs);
3472 		if (IS_ERR(rdev)) {
3473 			rtnl_unlock();
3474 			return PTR_ERR(rdev);
3475 		}
3476 		wdev = NULL;
3477 		netdev = NULL;
3478 		result = 0;
3479 	} else
3480 		wdev = netdev->ieee80211_ptr;
3481 
3482 	wiphy_lock(&rdev->wiphy);
3483 
3484 	/*
3485 	 * end workaround code, by now the rdev is available
3486 	 * and locked, and wdev may or may not be NULL.
3487 	 */
3488 
3489 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3490 		result = cfg80211_dev_rename(
3491 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3492 	rtnl_unlock();
3493 
3494 	if (result)
3495 		goto out;
3496 
3497 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3498 		struct ieee80211_txq_params txq_params;
3499 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3500 
3501 		if (!rdev->ops->set_txq_params) {
3502 			result = -EOPNOTSUPP;
3503 			goto out;
3504 		}
3505 
3506 		if (!netdev) {
3507 			result = -EINVAL;
3508 			goto out;
3509 		}
3510 
3511 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3512 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3513 			result = -EINVAL;
3514 			goto out;
3515 		}
3516 
3517 		if (!netif_running(netdev)) {
3518 			result = -ENETDOWN;
3519 			goto out;
3520 		}
3521 
3522 		nla_for_each_nested(nl_txq_params,
3523 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3524 				    rem_txq_params) {
3525 			result = nla_parse_nested_deprecated(tb,
3526 							     NL80211_TXQ_ATTR_MAX,
3527 							     nl_txq_params,
3528 							     txq_params_policy,
3529 							     info->extack);
3530 			if (result)
3531 				goto out;
3532 			result = parse_txq_params(tb, &txq_params);
3533 			if (result)
3534 				goto out;
3535 
3536 			txq_params.link_id =
3537 				nl80211_link_id_or_invalid(info->attrs);
3538 
3539 			wdev_lock(netdev->ieee80211_ptr);
3540 			if (txq_params.link_id >= 0 &&
3541 			    !(netdev->ieee80211_ptr->valid_links &
3542 			      BIT(txq_params.link_id)))
3543 				result = -ENOLINK;
3544 			else if (txq_params.link_id >= 0 &&
3545 				 !netdev->ieee80211_ptr->valid_links)
3546 				result = -EINVAL;
3547 			else
3548 				result = rdev_set_txq_params(rdev, netdev,
3549 							     &txq_params);
3550 			wdev_unlock(netdev->ieee80211_ptr);
3551 			if (result)
3552 				goto out;
3553 		}
3554 	}
3555 
3556 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3557 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3558 
3559 		if (wdev) {
3560 			wdev_lock(wdev);
3561 			result = __nl80211_set_channel(
3562 				rdev,
3563 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3564 				info, link_id);
3565 			wdev_unlock(wdev);
3566 		} else {
3567 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3568 		}
3569 
3570 		if (result)
3571 			goto out;
3572 	}
3573 
3574 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3575 		struct wireless_dev *txp_wdev = wdev;
3576 		enum nl80211_tx_power_setting type;
3577 		int idx, mbm = 0;
3578 
3579 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3580 			txp_wdev = NULL;
3581 
3582 		if (!rdev->ops->set_tx_power) {
3583 			result = -EOPNOTSUPP;
3584 			goto out;
3585 		}
3586 
3587 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3588 		type = nla_get_u32(info->attrs[idx]);
3589 
3590 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3591 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3592 			result = -EINVAL;
3593 			goto out;
3594 		}
3595 
3596 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3597 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3598 			mbm = nla_get_u32(info->attrs[idx]);
3599 		}
3600 
3601 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3602 		if (result)
3603 			goto out;
3604 	}
3605 
3606 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3607 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3608 		u32 tx_ant, rx_ant;
3609 
3610 		if ((!rdev->wiphy.available_antennas_tx &&
3611 		     !rdev->wiphy.available_antennas_rx) ||
3612 		    !rdev->ops->set_antenna) {
3613 			result = -EOPNOTSUPP;
3614 			goto out;
3615 		}
3616 
3617 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3618 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3619 
3620 		/* reject antenna configurations which don't match the
3621 		 * available antenna masks, except for the "all" mask */
3622 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3623 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3624 			result = -EINVAL;
3625 			goto out;
3626 		}
3627 
3628 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3629 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3630 
3631 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3632 		if (result)
3633 			goto out;
3634 	}
3635 
3636 	changed = 0;
3637 
3638 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3639 		retry_short = nla_get_u8(
3640 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3641 
3642 		changed |= WIPHY_PARAM_RETRY_SHORT;
3643 	}
3644 
3645 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3646 		retry_long = nla_get_u8(
3647 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3648 
3649 		changed |= WIPHY_PARAM_RETRY_LONG;
3650 	}
3651 
3652 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3653 		frag_threshold = nla_get_u32(
3654 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3655 		if (frag_threshold < 256) {
3656 			result = -EINVAL;
3657 			goto out;
3658 		}
3659 
3660 		if (frag_threshold != (u32) -1) {
3661 			/*
3662 			 * Fragments (apart from the last one) are required to
3663 			 * have even length. Make the fragmentation code
3664 			 * simpler by stripping LSB should someone try to use
3665 			 * odd threshold value.
3666 			 */
3667 			frag_threshold &= ~0x1;
3668 		}
3669 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3670 	}
3671 
3672 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3673 		rts_threshold = nla_get_u32(
3674 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3675 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3676 	}
3677 
3678 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3679 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3680 			result = -EINVAL;
3681 			goto out;
3682 		}
3683 
3684 		coverage_class = nla_get_u8(
3685 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3686 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3687 	}
3688 
3689 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3690 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3691 			result = -EOPNOTSUPP;
3692 			goto out;
3693 		}
3694 
3695 		changed |= WIPHY_PARAM_DYN_ACK;
3696 	}
3697 
3698 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3699 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3700 					     NL80211_EXT_FEATURE_TXQS)) {
3701 			result = -EOPNOTSUPP;
3702 			goto out;
3703 		}
3704 		txq_limit = nla_get_u32(
3705 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3706 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3707 	}
3708 
3709 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3710 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3711 					     NL80211_EXT_FEATURE_TXQS)) {
3712 			result = -EOPNOTSUPP;
3713 			goto out;
3714 		}
3715 		txq_memory_limit = nla_get_u32(
3716 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3717 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3718 	}
3719 
3720 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3721 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3722 					     NL80211_EXT_FEATURE_TXQS)) {
3723 			result = -EOPNOTSUPP;
3724 			goto out;
3725 		}
3726 		txq_quantum = nla_get_u32(
3727 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3728 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3729 	}
3730 
3731 	if (changed) {
3732 		u8 old_retry_short, old_retry_long;
3733 		u32 old_frag_threshold, old_rts_threshold;
3734 		u8 old_coverage_class;
3735 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3736 
3737 		if (!rdev->ops->set_wiphy_params) {
3738 			result = -EOPNOTSUPP;
3739 			goto out;
3740 		}
3741 
3742 		old_retry_short = rdev->wiphy.retry_short;
3743 		old_retry_long = rdev->wiphy.retry_long;
3744 		old_frag_threshold = rdev->wiphy.frag_threshold;
3745 		old_rts_threshold = rdev->wiphy.rts_threshold;
3746 		old_coverage_class = rdev->wiphy.coverage_class;
3747 		old_txq_limit = rdev->wiphy.txq_limit;
3748 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3749 		old_txq_quantum = rdev->wiphy.txq_quantum;
3750 
3751 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3752 			rdev->wiphy.retry_short = retry_short;
3753 		if (changed & WIPHY_PARAM_RETRY_LONG)
3754 			rdev->wiphy.retry_long = retry_long;
3755 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3756 			rdev->wiphy.frag_threshold = frag_threshold;
3757 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3758 			rdev->wiphy.rts_threshold = rts_threshold;
3759 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3760 			rdev->wiphy.coverage_class = coverage_class;
3761 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3762 			rdev->wiphy.txq_limit = txq_limit;
3763 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3764 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3765 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3766 			rdev->wiphy.txq_quantum = txq_quantum;
3767 
3768 		result = rdev_set_wiphy_params(rdev, changed);
3769 		if (result) {
3770 			rdev->wiphy.retry_short = old_retry_short;
3771 			rdev->wiphy.retry_long = old_retry_long;
3772 			rdev->wiphy.frag_threshold = old_frag_threshold;
3773 			rdev->wiphy.rts_threshold = old_rts_threshold;
3774 			rdev->wiphy.coverage_class = old_coverage_class;
3775 			rdev->wiphy.txq_limit = old_txq_limit;
3776 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3777 			rdev->wiphy.txq_quantum = old_txq_quantum;
3778 			goto out;
3779 		}
3780 	}
3781 
3782 	result = 0;
3783 
3784 out:
3785 	wiphy_unlock(&rdev->wiphy);
3786 	return result;
3787 }
3788 
3789 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3790 {
3791 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3792 		return -EINVAL;
3793 
3794 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3795 			chandef->chan->center_freq))
3796 		return -ENOBUFS;
3797 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3798 			chandef->chan->freq_offset))
3799 		return -ENOBUFS;
3800 	switch (chandef->width) {
3801 	case NL80211_CHAN_WIDTH_20_NOHT:
3802 	case NL80211_CHAN_WIDTH_20:
3803 	case NL80211_CHAN_WIDTH_40:
3804 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3805 				cfg80211_get_chandef_type(chandef)))
3806 			return -ENOBUFS;
3807 		break;
3808 	default:
3809 		break;
3810 	}
3811 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3812 		return -ENOBUFS;
3813 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3814 		return -ENOBUFS;
3815 	if (chandef->center_freq2 &&
3816 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3817 		return -ENOBUFS;
3818 	return 0;
3819 }
3820 EXPORT_SYMBOL(nl80211_send_chandef);
3821 
3822 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3823 			      struct cfg80211_registered_device *rdev,
3824 			      struct wireless_dev *wdev,
3825 			      enum nl80211_commands cmd)
3826 {
3827 	struct net_device *dev = wdev->netdev;
3828 	void *hdr;
3829 
3830 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3831 		cmd != NL80211_CMD_DEL_INTERFACE &&
3832 		cmd != NL80211_CMD_SET_INTERFACE);
3833 
3834 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3835 	if (!hdr)
3836 		return -1;
3837 
3838 	if (dev &&
3839 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3840 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3841 		goto nla_put_failure;
3842 
3843 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3844 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3845 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3846 			      NL80211_ATTR_PAD) ||
3847 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3848 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3849 			rdev->devlist_generation ^
3850 			(cfg80211_rdev_list_generation << 2)) ||
3851 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3852 		goto nla_put_failure;
3853 
3854 	if (rdev->ops->get_channel && !wdev->valid_links) {
3855 		struct cfg80211_chan_def chandef = {};
3856 		int ret;
3857 
3858 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3859 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3860 			goto nla_put_failure;
3861 	}
3862 
3863 	if (rdev->ops->get_tx_power) {
3864 		int dbm, ret;
3865 
3866 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3867 		if (ret == 0 &&
3868 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3869 				DBM_TO_MBM(dbm)))
3870 			goto nla_put_failure;
3871 	}
3872 
3873 	wdev_lock(wdev);
3874 	switch (wdev->iftype) {
3875 	case NL80211_IFTYPE_AP:
3876 	case NL80211_IFTYPE_P2P_GO:
3877 		if (wdev->u.ap.ssid_len &&
3878 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3879 			    wdev->u.ap.ssid))
3880 			goto nla_put_failure_locked;
3881 		break;
3882 	case NL80211_IFTYPE_STATION:
3883 	case NL80211_IFTYPE_P2P_CLIENT:
3884 		if (wdev->u.client.ssid_len &&
3885 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3886 			    wdev->u.client.ssid))
3887 			goto nla_put_failure_locked;
3888 		break;
3889 	case NL80211_IFTYPE_ADHOC:
3890 		if (wdev->u.ibss.ssid_len &&
3891 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3892 			    wdev->u.ibss.ssid))
3893 			goto nla_put_failure_locked;
3894 		break;
3895 	default:
3896 		/* nothing */
3897 		break;
3898 	}
3899 	wdev_unlock(wdev);
3900 
3901 	if (rdev->ops->get_txq_stats) {
3902 		struct cfg80211_txq_stats txqstats = {};
3903 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3904 
3905 		if (ret == 0 &&
3906 		    !nl80211_put_txq_stats(msg, &txqstats,
3907 					   NL80211_ATTR_TXQ_STATS))
3908 			goto nla_put_failure;
3909 	}
3910 
3911 	if (wdev->valid_links) {
3912 		unsigned int link_id;
3913 		struct nlattr *links = nla_nest_start(msg,
3914 						      NL80211_ATTR_MLO_LINKS);
3915 
3916 		if (!links)
3917 			goto nla_put_failure;
3918 
3919 		for_each_valid_link(wdev, link_id) {
3920 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3921 			struct cfg80211_chan_def chandef = {};
3922 			int ret;
3923 
3924 			if (!link)
3925 				goto nla_put_failure;
3926 
3927 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3928 				goto nla_put_failure;
3929 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3930 				    wdev->links[link_id].addr))
3931 				goto nla_put_failure;
3932 
3933 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3934 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3935 				goto nla_put_failure;
3936 
3937 			nla_nest_end(msg, link);
3938 		}
3939 
3940 		nla_nest_end(msg, links);
3941 	}
3942 
3943 	genlmsg_end(msg, hdr);
3944 	return 0;
3945 
3946  nla_put_failure_locked:
3947 	wdev_unlock(wdev);
3948  nla_put_failure:
3949 	genlmsg_cancel(msg, hdr);
3950 	return -EMSGSIZE;
3951 }
3952 
3953 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3954 {
3955 	int wp_idx = 0;
3956 	int if_idx = 0;
3957 	int wp_start = cb->args[0];
3958 	int if_start = cb->args[1];
3959 	int filter_wiphy = -1;
3960 	struct cfg80211_registered_device *rdev;
3961 	struct wireless_dev *wdev;
3962 	int ret;
3963 
3964 	rtnl_lock();
3965 	if (!cb->args[2]) {
3966 		struct nl80211_dump_wiphy_state state = {
3967 			.filter_wiphy = -1,
3968 		};
3969 
3970 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3971 		if (ret)
3972 			goto out_unlock;
3973 
3974 		filter_wiphy = state.filter_wiphy;
3975 
3976 		/*
3977 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3978 		 * value needed to determine that parsing is necessary.
3979 		 */
3980 		if (filter_wiphy >= 0)
3981 			cb->args[2] = filter_wiphy + 1;
3982 		else
3983 			cb->args[2] = -1;
3984 	} else if (cb->args[2] > 0) {
3985 		filter_wiphy = cb->args[2] - 1;
3986 	}
3987 
3988 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3989 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3990 			continue;
3991 		if (wp_idx < wp_start) {
3992 			wp_idx++;
3993 			continue;
3994 		}
3995 
3996 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3997 			continue;
3998 
3999 		if_idx = 0;
4000 
4001 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4002 			if (if_idx < if_start) {
4003 				if_idx++;
4004 				continue;
4005 			}
4006 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4007 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4008 					       rdev, wdev,
4009 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4010 				goto out;
4011 			}
4012 			if_idx++;
4013 		}
4014 
4015 		if_start = 0;
4016 		wp_idx++;
4017 	}
4018  out:
4019 	cb->args[0] = wp_idx;
4020 	cb->args[1] = if_idx;
4021 
4022 	ret = skb->len;
4023  out_unlock:
4024 	rtnl_unlock();
4025 
4026 	return ret;
4027 }
4028 
4029 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4030 {
4031 	struct sk_buff *msg;
4032 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4033 	struct wireless_dev *wdev = info->user_ptr[1];
4034 
4035 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4036 	if (!msg)
4037 		return -ENOMEM;
4038 
4039 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4040 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4041 		nlmsg_free(msg);
4042 		return -ENOBUFS;
4043 	}
4044 
4045 	return genlmsg_reply(msg, info);
4046 }
4047 
4048 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4049 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4050 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4051 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4052 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4053 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4054 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4055 };
4056 
4057 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4058 {
4059 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4060 	int flag;
4061 
4062 	*mntrflags = 0;
4063 
4064 	if (!nla)
4065 		return -EINVAL;
4066 
4067 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4068 		return -EINVAL;
4069 
4070 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4071 		if (flags[flag])
4072 			*mntrflags |= (1<<flag);
4073 
4074 	*mntrflags |= MONITOR_FLAG_CHANGED;
4075 
4076 	return 0;
4077 }
4078 
4079 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4080 				     enum nl80211_iftype type,
4081 				     struct genl_info *info,
4082 				     struct vif_params *params)
4083 {
4084 	bool change = false;
4085 	int err;
4086 
4087 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4088 		if (type != NL80211_IFTYPE_MONITOR)
4089 			return -EINVAL;
4090 
4091 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4092 					  &params->flags);
4093 		if (err)
4094 			return err;
4095 
4096 		change = true;
4097 	}
4098 
4099 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4100 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4101 		return -EOPNOTSUPP;
4102 
4103 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4104 		const u8 *mumimo_groups;
4105 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4106 
4107 		if (type != NL80211_IFTYPE_MONITOR)
4108 			return -EINVAL;
4109 
4110 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4111 			return -EOPNOTSUPP;
4112 
4113 		mumimo_groups =
4114 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4115 
4116 		/* bits 0 and 63 are reserved and must be zero */
4117 		if ((mumimo_groups[0] & BIT(0)) ||
4118 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4119 			return -EINVAL;
4120 
4121 		params->vht_mumimo_groups = mumimo_groups;
4122 		change = true;
4123 	}
4124 
4125 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4126 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4127 
4128 		if (type != NL80211_IFTYPE_MONITOR)
4129 			return -EINVAL;
4130 
4131 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4132 			return -EOPNOTSUPP;
4133 
4134 		params->vht_mumimo_follow_addr =
4135 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4136 		change = true;
4137 	}
4138 
4139 	return change ? 1 : 0;
4140 }
4141 
4142 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4143 			       struct net_device *netdev, u8 use_4addr,
4144 			       enum nl80211_iftype iftype)
4145 {
4146 	if (!use_4addr) {
4147 		if (netdev && netif_is_bridge_port(netdev))
4148 			return -EBUSY;
4149 		return 0;
4150 	}
4151 
4152 	switch (iftype) {
4153 	case NL80211_IFTYPE_AP_VLAN:
4154 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4155 			return 0;
4156 		break;
4157 	case NL80211_IFTYPE_STATION:
4158 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4159 			return 0;
4160 		break;
4161 	default:
4162 		break;
4163 	}
4164 
4165 	return -EOPNOTSUPP;
4166 }
4167 
4168 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4169 {
4170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4171 	struct vif_params params;
4172 	int err;
4173 	enum nl80211_iftype otype, ntype;
4174 	struct net_device *dev = info->user_ptr[1];
4175 	bool change = false;
4176 
4177 	memset(&params, 0, sizeof(params));
4178 
4179 	otype = ntype = dev->ieee80211_ptr->iftype;
4180 
4181 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4182 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4183 		if (otype != ntype)
4184 			change = true;
4185 	}
4186 
4187 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4188 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4189 
4190 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4191 			return -EINVAL;
4192 		if (otype != NL80211_IFTYPE_MESH_POINT)
4193 			return -EINVAL;
4194 		if (netif_running(dev))
4195 			return -EBUSY;
4196 
4197 		wdev_lock(wdev);
4198 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4199 			     IEEE80211_MAX_MESH_ID_LEN);
4200 		wdev->u.mesh.id_up_len =
4201 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4202 		memcpy(wdev->u.mesh.id,
4203 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4204 		       wdev->u.mesh.id_up_len);
4205 		wdev_unlock(wdev);
4206 	}
4207 
4208 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4209 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4210 		change = true;
4211 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4212 		if (err)
4213 			return err;
4214 	} else {
4215 		params.use_4addr = -1;
4216 	}
4217 
4218 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4219 	if (err < 0)
4220 		return err;
4221 	if (err > 0)
4222 		change = true;
4223 
4224 	if (change)
4225 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4226 	else
4227 		err = 0;
4228 
4229 	if (!err && params.use_4addr != -1)
4230 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4231 
4232 	if (change && !err) {
4233 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4234 
4235 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4236 	}
4237 
4238 	return err;
4239 }
4240 
4241 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4242 {
4243 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4244 	struct vif_params params;
4245 	struct wireless_dev *wdev;
4246 	struct sk_buff *msg;
4247 	int err;
4248 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4249 
4250 	memset(&params, 0, sizeof(params));
4251 
4252 	if (!info->attrs[NL80211_ATTR_IFNAME])
4253 		return -EINVAL;
4254 
4255 	if (info->attrs[NL80211_ATTR_IFTYPE])
4256 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4257 
4258 	if (!rdev->ops->add_virtual_intf)
4259 		return -EOPNOTSUPP;
4260 
4261 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4262 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4263 	    info->attrs[NL80211_ATTR_MAC]) {
4264 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4265 			   ETH_ALEN);
4266 		if (!is_valid_ether_addr(params.macaddr))
4267 			return -EADDRNOTAVAIL;
4268 	}
4269 
4270 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4271 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4272 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4273 		if (err)
4274 			return err;
4275 	}
4276 
4277 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4278 		return -EOPNOTSUPP;
4279 
4280 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4281 	if (err < 0)
4282 		return err;
4283 
4284 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4285 	if (!msg)
4286 		return -ENOMEM;
4287 
4288 	wdev = rdev_add_virtual_intf(rdev,
4289 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4290 				NET_NAME_USER, type, &params);
4291 	if (WARN_ON(!wdev)) {
4292 		nlmsg_free(msg);
4293 		return -EPROTO;
4294 	} else if (IS_ERR(wdev)) {
4295 		nlmsg_free(msg);
4296 		return PTR_ERR(wdev);
4297 	}
4298 
4299 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4300 		wdev->owner_nlportid = info->snd_portid;
4301 
4302 	switch (type) {
4303 	case NL80211_IFTYPE_MESH_POINT:
4304 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4305 			break;
4306 		wdev_lock(wdev);
4307 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4308 			     IEEE80211_MAX_MESH_ID_LEN);
4309 		wdev->u.mesh.id_up_len =
4310 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4311 		memcpy(wdev->u.mesh.id,
4312 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4313 		       wdev->u.mesh.id_up_len);
4314 		wdev_unlock(wdev);
4315 		break;
4316 	case NL80211_IFTYPE_NAN:
4317 	case NL80211_IFTYPE_P2P_DEVICE:
4318 		/*
4319 		 * P2P Device and NAN do not have a netdev, so don't go
4320 		 * through the netdev notifier and must be added here
4321 		 */
4322 		cfg80211_init_wdev(wdev);
4323 		cfg80211_register_wdev(rdev, wdev);
4324 		break;
4325 	default:
4326 		break;
4327 	}
4328 
4329 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4330 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4331 		nlmsg_free(msg);
4332 		return -ENOBUFS;
4333 	}
4334 
4335 	return genlmsg_reply(msg, info);
4336 }
4337 
4338 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4339 {
4340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4341 	int ret;
4342 
4343 	/* to avoid failing a new interface creation due to pending removal */
4344 	cfg80211_destroy_ifaces(rdev);
4345 
4346 	wiphy_lock(&rdev->wiphy);
4347 	ret = _nl80211_new_interface(skb, info);
4348 	wiphy_unlock(&rdev->wiphy);
4349 
4350 	return ret;
4351 }
4352 
4353 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4354 {
4355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4356 	struct wireless_dev *wdev = info->user_ptr[1];
4357 
4358 	if (!rdev->ops->del_virtual_intf)
4359 		return -EOPNOTSUPP;
4360 
4361 	/*
4362 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4363 	 * reach 0, and thus the rdev cannot be deleted.
4364 	 *
4365 	 * We need to do it for the dev_close(), since that will call
4366 	 * the netdev notifiers, and we need to acquire the mutex there
4367 	 * but don't know if we get there from here or from some other
4368 	 * place (e.g. "ip link set ... down").
4369 	 */
4370 	mutex_unlock(&rdev->wiphy.mtx);
4371 
4372 	/*
4373 	 * If we remove a wireless device without a netdev then clear
4374 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4375 	 * to check if it needs to do dev_put(). Otherwise it crashes
4376 	 * since the wdev has been freed, unlike with a netdev where
4377 	 * we need the dev_put() for the netdev to really be freed.
4378 	 */
4379 	if (!wdev->netdev)
4380 		info->user_ptr[1] = NULL;
4381 	else
4382 		dev_close(wdev->netdev);
4383 
4384 	mutex_lock(&rdev->wiphy.mtx);
4385 
4386 	return cfg80211_remove_virtual_intf(rdev, wdev);
4387 }
4388 
4389 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4390 {
4391 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4392 	struct net_device *dev = info->user_ptr[1];
4393 	u16 noack_map;
4394 
4395 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4396 		return -EINVAL;
4397 
4398 	if (!rdev->ops->set_noack_map)
4399 		return -EOPNOTSUPP;
4400 
4401 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4402 
4403 	return rdev_set_noack_map(rdev, dev, noack_map);
4404 }
4405 
4406 static int nl80211_validate_key_link_id(struct genl_info *info,
4407 					struct wireless_dev *wdev,
4408 					int link_id, bool pairwise)
4409 {
4410 	if (pairwise) {
4411 		if (link_id != -1) {
4412 			GENL_SET_ERR_MSG(info,
4413 					 "link ID not allowed for pairwise key");
4414 			return -EINVAL;
4415 		}
4416 
4417 		return 0;
4418 	}
4419 
4420 	if (wdev->valid_links) {
4421 		if (link_id == -1) {
4422 			GENL_SET_ERR_MSG(info,
4423 					 "link ID must for MLO group key");
4424 			return -EINVAL;
4425 		}
4426 		if (!(wdev->valid_links & BIT(link_id))) {
4427 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4428 			return -EINVAL;
4429 		}
4430 	} else if (link_id != -1) {
4431 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4432 		return -EINVAL;
4433 	}
4434 
4435 	return 0;
4436 }
4437 
4438 struct get_key_cookie {
4439 	struct sk_buff *msg;
4440 	int error;
4441 	int idx;
4442 };
4443 
4444 static void get_key_callback(void *c, struct key_params *params)
4445 {
4446 	struct nlattr *key;
4447 	struct get_key_cookie *cookie = c;
4448 
4449 	if ((params->key &&
4450 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4451 		     params->key_len, params->key)) ||
4452 	    (params->seq &&
4453 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4454 		     params->seq_len, params->seq)) ||
4455 	    (params->cipher &&
4456 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4457 			 params->cipher)))
4458 		goto nla_put_failure;
4459 
4460 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4461 	if (!key)
4462 		goto nla_put_failure;
4463 
4464 	if ((params->key &&
4465 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4466 		     params->key_len, params->key)) ||
4467 	    (params->seq &&
4468 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4469 		     params->seq_len, params->seq)) ||
4470 	    (params->cipher &&
4471 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4472 			 params->cipher)))
4473 		goto nla_put_failure;
4474 
4475 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4476 		goto nla_put_failure;
4477 
4478 	nla_nest_end(cookie->msg, key);
4479 
4480 	return;
4481  nla_put_failure:
4482 	cookie->error = 1;
4483 }
4484 
4485 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4486 {
4487 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4488 	int err;
4489 	struct net_device *dev = info->user_ptr[1];
4490 	u8 key_idx = 0;
4491 	const u8 *mac_addr = NULL;
4492 	bool pairwise;
4493 	struct get_key_cookie cookie = {
4494 		.error = 0,
4495 	};
4496 	void *hdr;
4497 	struct sk_buff *msg;
4498 	bool bigtk_support = false;
4499 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4501 
4502 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4503 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4504 		bigtk_support = true;
4505 
4506 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4507 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4508 	    wiphy_ext_feature_isset(&rdev->wiphy,
4509 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4510 		bigtk_support = true;
4511 
4512 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4513 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4514 
4515 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4516 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4517 			return -EINVAL;
4518 		}
4519 	}
4520 
4521 	if (info->attrs[NL80211_ATTR_MAC])
4522 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4523 
4524 	pairwise = !!mac_addr;
4525 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4526 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4527 
4528 		if (kt != NL80211_KEYTYPE_GROUP &&
4529 		    kt != NL80211_KEYTYPE_PAIRWISE)
4530 			return -EINVAL;
4531 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4532 	}
4533 
4534 	if (!rdev->ops->get_key)
4535 		return -EOPNOTSUPP;
4536 
4537 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4538 		return -ENOENT;
4539 
4540 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4541 	if (!msg)
4542 		return -ENOMEM;
4543 
4544 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4545 			     NL80211_CMD_NEW_KEY);
4546 	if (!hdr)
4547 		goto nla_put_failure;
4548 
4549 	cookie.msg = msg;
4550 	cookie.idx = key_idx;
4551 
4552 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4553 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4554 		goto nla_put_failure;
4555 	if (mac_addr &&
4556 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4557 		goto nla_put_failure;
4558 
4559 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4560 	if (err)
4561 		goto free_msg;
4562 
4563 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4564 			   &cookie, get_key_callback);
4565 
4566 	if (err)
4567 		goto free_msg;
4568 
4569 	if (cookie.error)
4570 		goto nla_put_failure;
4571 
4572 	genlmsg_end(msg, hdr);
4573 	return genlmsg_reply(msg, info);
4574 
4575  nla_put_failure:
4576 	err = -ENOBUFS;
4577  free_msg:
4578 	nlmsg_free(msg);
4579 	return err;
4580 }
4581 
4582 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4583 {
4584 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4585 	struct key_parse key;
4586 	int err;
4587 	struct net_device *dev = info->user_ptr[1];
4588 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4589 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4590 
4591 	err = nl80211_parse_key(info, &key);
4592 	if (err)
4593 		return err;
4594 
4595 	if (key.idx < 0)
4596 		return -EINVAL;
4597 
4598 	/* Only support setting default key and
4599 	 * Extended Key ID action NL80211_KEY_SET_TX.
4600 	 */
4601 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4602 	    !(key.p.mode == NL80211_KEY_SET_TX))
4603 		return -EINVAL;
4604 
4605 	wdev_lock(wdev);
4606 
4607 	if (key.def) {
4608 		if (!rdev->ops->set_default_key) {
4609 			err = -EOPNOTSUPP;
4610 			goto out;
4611 		}
4612 
4613 		err = nl80211_key_allowed(wdev);
4614 		if (err)
4615 			goto out;
4616 
4617 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4618 		if (err)
4619 			goto out;
4620 
4621 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4622 					   key.def_uni, key.def_multi);
4623 
4624 		if (err)
4625 			goto out;
4626 
4627 #ifdef CONFIG_CFG80211_WEXT
4628 		wdev->wext.default_key = key.idx;
4629 #endif
4630 	} else if (key.defmgmt) {
4631 		if (key.def_uni || !key.def_multi) {
4632 			err = -EINVAL;
4633 			goto out;
4634 		}
4635 
4636 		if (!rdev->ops->set_default_mgmt_key) {
4637 			err = -EOPNOTSUPP;
4638 			goto out;
4639 		}
4640 
4641 		err = nl80211_key_allowed(wdev);
4642 		if (err)
4643 			goto out;
4644 
4645 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4646 		if (err)
4647 			goto out;
4648 
4649 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4650 		if (err)
4651 			goto out;
4652 
4653 #ifdef CONFIG_CFG80211_WEXT
4654 		wdev->wext.default_mgmt_key = key.idx;
4655 #endif
4656 	} else if (key.defbeacon) {
4657 		if (key.def_uni || !key.def_multi) {
4658 			err = -EINVAL;
4659 			goto out;
4660 		}
4661 
4662 		if (!rdev->ops->set_default_beacon_key) {
4663 			err = -EOPNOTSUPP;
4664 			goto out;
4665 		}
4666 
4667 		err = nl80211_key_allowed(wdev);
4668 		if (err)
4669 			goto out;
4670 
4671 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4672 		if (err)
4673 			goto out;
4674 
4675 		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4676 		if (err)
4677 			goto out;
4678 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4679 		   wiphy_ext_feature_isset(&rdev->wiphy,
4680 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4681 		u8 *mac_addr = NULL;
4682 
4683 		if (info->attrs[NL80211_ATTR_MAC])
4684 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4685 
4686 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4687 			err = -EINVAL;
4688 			goto out;
4689 		}
4690 
4691 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4692 		if (err)
4693 			goto out;
4694 
4695 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4696 				   NL80211_KEYTYPE_PAIRWISE,
4697 				   mac_addr, &key.p);
4698 	} else {
4699 		err = -EINVAL;
4700 	}
4701  out:
4702 	wdev_unlock(wdev);
4703 
4704 	return err;
4705 }
4706 
4707 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4708 {
4709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4710 	int err;
4711 	struct net_device *dev = info->user_ptr[1];
4712 	struct key_parse key;
4713 	const u8 *mac_addr = NULL;
4714 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4715 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4716 
4717 	err = nl80211_parse_key(info, &key);
4718 	if (err)
4719 		return err;
4720 
4721 	if (!key.p.key) {
4722 		GENL_SET_ERR_MSG(info, "no key");
4723 		return -EINVAL;
4724 	}
4725 
4726 	if (info->attrs[NL80211_ATTR_MAC])
4727 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4728 
4729 	if (key.type == -1) {
4730 		if (mac_addr)
4731 			key.type = NL80211_KEYTYPE_PAIRWISE;
4732 		else
4733 			key.type = NL80211_KEYTYPE_GROUP;
4734 	}
4735 
4736 	/* for now */
4737 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4738 	    key.type != NL80211_KEYTYPE_GROUP) {
4739 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4740 		return -EINVAL;
4741 	}
4742 
4743 	if (key.type == NL80211_KEYTYPE_GROUP &&
4744 	    info->attrs[NL80211_ATTR_VLAN_ID])
4745 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4746 
4747 	if (!rdev->ops->add_key)
4748 		return -EOPNOTSUPP;
4749 
4750 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4751 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4752 					   mac_addr)) {
4753 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4754 		return -EINVAL;
4755 	}
4756 
4757 	wdev_lock(wdev);
4758 	err = nl80211_key_allowed(wdev);
4759 	if (err)
4760 		GENL_SET_ERR_MSG(info, "key not allowed");
4761 
4762 	if (!err)
4763 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4764 				key.type == NL80211_KEYTYPE_PAIRWISE);
4765 
4766 	if (!err) {
4767 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4768 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4769 				    mac_addr, &key.p);
4770 		if (err)
4771 			GENL_SET_ERR_MSG(info, "key addition failed");
4772 	}
4773 	wdev_unlock(wdev);
4774 
4775 	return err;
4776 }
4777 
4778 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4779 {
4780 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4781 	int err;
4782 	struct net_device *dev = info->user_ptr[1];
4783 	u8 *mac_addr = NULL;
4784 	struct key_parse key;
4785 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4786 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4787 
4788 	err = nl80211_parse_key(info, &key);
4789 	if (err)
4790 		return err;
4791 
4792 	if (info->attrs[NL80211_ATTR_MAC])
4793 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4794 
4795 	if (key.type == -1) {
4796 		if (mac_addr)
4797 			key.type = NL80211_KEYTYPE_PAIRWISE;
4798 		else
4799 			key.type = NL80211_KEYTYPE_GROUP;
4800 	}
4801 
4802 	/* for now */
4803 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4804 	    key.type != NL80211_KEYTYPE_GROUP)
4805 		return -EINVAL;
4806 
4807 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4808 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4809 		return -EINVAL;
4810 
4811 	if (!rdev->ops->del_key)
4812 		return -EOPNOTSUPP;
4813 
4814 	wdev_lock(wdev);
4815 	err = nl80211_key_allowed(wdev);
4816 
4817 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4818 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4819 		err = -ENOENT;
4820 
4821 	if (!err)
4822 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4823 				key.type == NL80211_KEYTYPE_PAIRWISE);
4824 
4825 	if (!err)
4826 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4827 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4828 				   mac_addr);
4829 
4830 #ifdef CONFIG_CFG80211_WEXT
4831 	if (!err) {
4832 		if (key.idx == wdev->wext.default_key)
4833 			wdev->wext.default_key = -1;
4834 		else if (key.idx == wdev->wext.default_mgmt_key)
4835 			wdev->wext.default_mgmt_key = -1;
4836 	}
4837 #endif
4838 	wdev_unlock(wdev);
4839 
4840 	return err;
4841 }
4842 
4843 /* This function returns an error or the number of nested attributes */
4844 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4845 {
4846 	struct nlattr *attr;
4847 	int n_entries = 0, tmp;
4848 
4849 	nla_for_each_nested(attr, nl_attr, tmp) {
4850 		if (nla_len(attr) != ETH_ALEN)
4851 			return -EINVAL;
4852 
4853 		n_entries++;
4854 	}
4855 
4856 	return n_entries;
4857 }
4858 
4859 /*
4860  * This function parses ACL information and allocates memory for ACL data.
4861  * On successful return, the calling function is responsible to free the
4862  * ACL buffer returned by this function.
4863  */
4864 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4865 						struct genl_info *info)
4866 {
4867 	enum nl80211_acl_policy acl_policy;
4868 	struct nlattr *attr;
4869 	struct cfg80211_acl_data *acl;
4870 	int i = 0, n_entries, tmp;
4871 
4872 	if (!wiphy->max_acl_mac_addrs)
4873 		return ERR_PTR(-EOPNOTSUPP);
4874 
4875 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4876 		return ERR_PTR(-EINVAL);
4877 
4878 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4879 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4880 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4881 		return ERR_PTR(-EINVAL);
4882 
4883 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4884 		return ERR_PTR(-EINVAL);
4885 
4886 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4887 	if (n_entries < 0)
4888 		return ERR_PTR(n_entries);
4889 
4890 	if (n_entries > wiphy->max_acl_mac_addrs)
4891 		return ERR_PTR(-ENOTSUPP);
4892 
4893 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4894 	if (!acl)
4895 		return ERR_PTR(-ENOMEM);
4896 	acl->n_acl_entries = n_entries;
4897 
4898 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4899 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4900 		i++;
4901 	}
4902 	acl->acl_policy = acl_policy;
4903 
4904 	return acl;
4905 }
4906 
4907 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4908 {
4909 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4910 	struct net_device *dev = info->user_ptr[1];
4911 	struct cfg80211_acl_data *acl;
4912 	int err;
4913 
4914 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4915 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4916 		return -EOPNOTSUPP;
4917 
4918 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4919 		return -EINVAL;
4920 
4921 	acl = parse_acl_data(&rdev->wiphy, info);
4922 	if (IS_ERR(acl))
4923 		return PTR_ERR(acl);
4924 
4925 	err = rdev_set_mac_acl(rdev, dev, acl);
4926 
4927 	kfree(acl);
4928 
4929 	return err;
4930 }
4931 
4932 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4933 			   u8 *rates, u8 rates_len)
4934 {
4935 	u8 i;
4936 	u32 mask = 0;
4937 
4938 	for (i = 0; i < rates_len; i++) {
4939 		int rate = (rates[i] & 0x7f) * 5;
4940 		int ridx;
4941 
4942 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4943 			struct ieee80211_rate *srate =
4944 				&sband->bitrates[ridx];
4945 			if (rate == srate->bitrate) {
4946 				mask |= 1 << ridx;
4947 				break;
4948 			}
4949 		}
4950 		if (ridx == sband->n_bitrates)
4951 			return 0; /* rate not found */
4952 	}
4953 
4954 	return mask;
4955 }
4956 
4957 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4958 			       u8 *rates, u8 rates_len,
4959 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4960 {
4961 	u8 i;
4962 
4963 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4964 
4965 	for (i = 0; i < rates_len; i++) {
4966 		int ridx, rbit;
4967 
4968 		ridx = rates[i] / 8;
4969 		rbit = BIT(rates[i] % 8);
4970 
4971 		/* check validity */
4972 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4973 			return false;
4974 
4975 		/* check availability */
4976 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4977 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4978 			mcs[ridx] |= rbit;
4979 		else
4980 			return false;
4981 	}
4982 
4983 	return true;
4984 }
4985 
4986 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4987 {
4988 	u16 mcs_mask = 0;
4989 
4990 	switch (vht_mcs_map) {
4991 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4992 		break;
4993 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4994 		mcs_mask = 0x00FF;
4995 		break;
4996 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4997 		mcs_mask = 0x01FF;
4998 		break;
4999 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5000 		mcs_mask = 0x03FF;
5001 		break;
5002 	default:
5003 		break;
5004 	}
5005 
5006 	return mcs_mask;
5007 }
5008 
5009 static void vht_build_mcs_mask(u16 vht_mcs_map,
5010 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5011 {
5012 	u8 nss;
5013 
5014 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5015 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5016 		vht_mcs_map >>= 2;
5017 	}
5018 }
5019 
5020 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5021 			     struct nl80211_txrate_vht *txrate,
5022 			     u16 mcs[NL80211_VHT_NSS_MAX])
5023 {
5024 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5025 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5026 	u8 i;
5027 
5028 	if (!sband->vht_cap.vht_supported)
5029 		return false;
5030 
5031 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5032 
5033 	/* Build vht_mcs_mask from VHT capabilities */
5034 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5035 
5036 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5037 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5038 			mcs[i] = txrate->mcs[i];
5039 		else
5040 			return false;
5041 	}
5042 
5043 	return true;
5044 }
5045 
5046 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5047 {
5048 	switch (he_mcs_map) {
5049 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5050 		return 0;
5051 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5052 		return 0x00FF;
5053 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5054 		return 0x03FF;
5055 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5056 		return 0xFFF;
5057 	default:
5058 		break;
5059 	}
5060 	return 0;
5061 }
5062 
5063 static void he_build_mcs_mask(u16 he_mcs_map,
5064 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5065 {
5066 	u8 nss;
5067 
5068 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5069 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5070 		he_mcs_map >>= 2;
5071 	}
5072 }
5073 
5074 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5075 			   const struct ieee80211_sta_he_cap *he_cap)
5076 {
5077 	struct net_device *dev = info->user_ptr[1];
5078 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5079 	struct cfg80211_chan_def *chandef;
5080 	__le16 tx_mcs;
5081 
5082 	chandef = wdev_chandef(wdev, link_id);
5083 	if (!chandef) {
5084 		/*
5085 		 * This is probably broken, but we never maintained
5086 		 * a chandef in these cases, so it always was.
5087 		 */
5088 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5089 	}
5090 
5091 	switch (chandef->width) {
5092 	case NL80211_CHAN_WIDTH_80P80:
5093 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5094 		break;
5095 	case NL80211_CHAN_WIDTH_160:
5096 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5097 		break;
5098 	default:
5099 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5100 		break;
5101 	}
5102 
5103 	return le16_to_cpu(tx_mcs);
5104 }
5105 
5106 static bool he_set_mcs_mask(struct genl_info *info,
5107 			    struct wireless_dev *wdev,
5108 			    struct ieee80211_supported_band *sband,
5109 			    struct nl80211_txrate_he *txrate,
5110 			    u16 mcs[NL80211_HE_NSS_MAX],
5111 			    unsigned int link_id)
5112 {
5113 	const struct ieee80211_sta_he_cap *he_cap;
5114 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5115 	u16 tx_mcs_map = 0;
5116 	u8 i;
5117 
5118 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5119 	if (!he_cap)
5120 		return false;
5121 
5122 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5123 
5124 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5125 
5126 	/* Build he_mcs_mask from HE capabilities */
5127 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5128 
5129 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5130 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5131 			mcs[i] = txrate->mcs[i];
5132 		else
5133 			return false;
5134 	}
5135 
5136 	return true;
5137 }
5138 
5139 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5140 					 struct nlattr *attrs[],
5141 					 enum nl80211_attrs attr,
5142 					 struct cfg80211_bitrate_mask *mask,
5143 					 struct net_device *dev,
5144 					 bool default_all_enabled,
5145 					 unsigned int link_id)
5146 {
5147 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5148 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5149 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5150 	int rem, i;
5151 	struct nlattr *tx_rates;
5152 	struct ieee80211_supported_band *sband;
5153 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5154 
5155 	memset(mask, 0, sizeof(*mask));
5156 	/* Default to all rates enabled */
5157 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5158 		const struct ieee80211_sta_he_cap *he_cap;
5159 
5160 		if (!default_all_enabled)
5161 			break;
5162 
5163 		sband = rdev->wiphy.bands[i];
5164 
5165 		if (!sband)
5166 			continue;
5167 
5168 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5169 		memcpy(mask->control[i].ht_mcs,
5170 		       sband->ht_cap.mcs.rx_mask,
5171 		       sizeof(mask->control[i].ht_mcs));
5172 
5173 		if (sband->vht_cap.vht_supported) {
5174 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5175 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5176 		}
5177 
5178 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5179 		if (!he_cap)
5180 			continue;
5181 
5182 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5183 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5184 
5185 		mask->control[i].he_gi = 0xFF;
5186 		mask->control[i].he_ltf = 0xFF;
5187 	}
5188 
5189 	/* if no rates are given set it back to the defaults */
5190 	if (!attrs[attr])
5191 		goto out;
5192 
5193 	/* The nested attribute uses enum nl80211_band as the index. This maps
5194 	 * directly to the enum nl80211_band values used in cfg80211.
5195 	 */
5196 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5197 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5198 		enum nl80211_band band = nla_type(tx_rates);
5199 		int err;
5200 
5201 		if (band < 0 || band >= NUM_NL80211_BANDS)
5202 			return -EINVAL;
5203 		sband = rdev->wiphy.bands[band];
5204 		if (sband == NULL)
5205 			return -EINVAL;
5206 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5207 						  tx_rates,
5208 						  nl80211_txattr_policy,
5209 						  info->extack);
5210 		if (err)
5211 			return err;
5212 		if (tb[NL80211_TXRATE_LEGACY]) {
5213 			mask->control[band].legacy = rateset_to_mask(
5214 				sband,
5215 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5216 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5217 			if ((mask->control[band].legacy == 0) &&
5218 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5219 				return -EINVAL;
5220 		}
5221 		if (tb[NL80211_TXRATE_HT]) {
5222 			if (!ht_rateset_to_mask(
5223 					sband,
5224 					nla_data(tb[NL80211_TXRATE_HT]),
5225 					nla_len(tb[NL80211_TXRATE_HT]),
5226 					mask->control[band].ht_mcs))
5227 				return -EINVAL;
5228 		}
5229 
5230 		if (tb[NL80211_TXRATE_VHT]) {
5231 			if (!vht_set_mcs_mask(
5232 					sband,
5233 					nla_data(tb[NL80211_TXRATE_VHT]),
5234 					mask->control[band].vht_mcs))
5235 				return -EINVAL;
5236 		}
5237 
5238 		if (tb[NL80211_TXRATE_GI]) {
5239 			mask->control[band].gi =
5240 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5241 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5242 				return -EINVAL;
5243 		}
5244 		if (tb[NL80211_TXRATE_HE] &&
5245 		    !he_set_mcs_mask(info, wdev, sband,
5246 				     nla_data(tb[NL80211_TXRATE_HE]),
5247 				     mask->control[band].he_mcs,
5248 				     link_id))
5249 			return -EINVAL;
5250 
5251 		if (tb[NL80211_TXRATE_HE_GI])
5252 			mask->control[band].he_gi =
5253 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5254 		if (tb[NL80211_TXRATE_HE_LTF])
5255 			mask->control[band].he_ltf =
5256 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5257 
5258 		if (mask->control[band].legacy == 0) {
5259 			/* don't allow empty legacy rates if HT, VHT or HE
5260 			 * are not even supported.
5261 			 */
5262 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5263 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5264 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5265 				return -EINVAL;
5266 
5267 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5268 				if (mask->control[band].ht_mcs[i])
5269 					goto out;
5270 
5271 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5272 				if (mask->control[band].vht_mcs[i])
5273 					goto out;
5274 
5275 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5276 				if (mask->control[band].he_mcs[i])
5277 					goto out;
5278 
5279 			/* legacy and mcs rates may not be both empty */
5280 			return -EINVAL;
5281 		}
5282 	}
5283 
5284 out:
5285 	return 0;
5286 }
5287 
5288 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5289 				   enum nl80211_band band,
5290 				   struct cfg80211_bitrate_mask *beacon_rate)
5291 {
5292 	u32 count_ht, count_vht, count_he, i;
5293 	u32 rate = beacon_rate->control[band].legacy;
5294 
5295 	/* Allow only one rate */
5296 	if (hweight32(rate) > 1)
5297 		return -EINVAL;
5298 
5299 	count_ht = 0;
5300 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5301 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5302 			return -EINVAL;
5303 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5304 			count_ht++;
5305 			if (count_ht > 1)
5306 				return -EINVAL;
5307 		}
5308 		if (count_ht && rate)
5309 			return -EINVAL;
5310 	}
5311 
5312 	count_vht = 0;
5313 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5314 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5315 			return -EINVAL;
5316 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5317 			count_vht++;
5318 			if (count_vht > 1)
5319 				return -EINVAL;
5320 		}
5321 		if (count_vht && rate)
5322 			return -EINVAL;
5323 	}
5324 
5325 	count_he = 0;
5326 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5327 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5328 			return -EINVAL;
5329 		} else if (beacon_rate->control[band].he_mcs[i]) {
5330 			count_he++;
5331 			if (count_he > 1)
5332 				return -EINVAL;
5333 		}
5334 		if (count_he && rate)
5335 			return -EINVAL;
5336 	}
5337 
5338 	if ((count_ht && count_vht && count_he) ||
5339 	    (!rate && !count_ht && !count_vht && !count_he))
5340 		return -EINVAL;
5341 
5342 	if (rate &&
5343 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5344 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5345 		return -EINVAL;
5346 	if (count_ht &&
5347 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5348 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5349 		return -EINVAL;
5350 	if (count_vht &&
5351 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5352 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5353 		return -EINVAL;
5354 	if (count_he &&
5355 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5356 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5357 		return -EINVAL;
5358 
5359 	return 0;
5360 }
5361 
5362 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5363 				       struct net_device *dev,
5364 				       struct nlattr *attrs,
5365 				       struct cfg80211_mbssid_config *config,
5366 				       u8 num_elems)
5367 {
5368 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5369 
5370 	if (!wiphy->mbssid_max_interfaces)
5371 		return -EOPNOTSUPP;
5372 
5373 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5374 			     NULL) ||
5375 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5376 		return -EINVAL;
5377 
5378 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5379 	if (config->ema) {
5380 		if (!wiphy->ema_max_profile_periodicity)
5381 			return -EOPNOTSUPP;
5382 
5383 		if (num_elems > wiphy->ema_max_profile_periodicity)
5384 			return -EINVAL;
5385 	}
5386 
5387 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5388 	if (config->index >= wiphy->mbssid_max_interfaces ||
5389 	    (!config->index && !num_elems))
5390 		return -EINVAL;
5391 
5392 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5393 		u32 tx_ifindex =
5394 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5395 
5396 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5397 		    (config->index && tx_ifindex == dev->ifindex))
5398 			return -EINVAL;
5399 
5400 		if (tx_ifindex != dev->ifindex) {
5401 			struct net_device *tx_netdev =
5402 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5403 
5404 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5405 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5406 			    tx_netdev->ieee80211_ptr->iftype !=
5407 							NL80211_IFTYPE_AP) {
5408 				dev_put(tx_netdev);
5409 				return -EINVAL;
5410 			}
5411 
5412 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5413 		} else {
5414 			config->tx_wdev = dev->ieee80211_ptr;
5415 		}
5416 	} else if (!config->index) {
5417 		config->tx_wdev = dev->ieee80211_ptr;
5418 	} else {
5419 		return -EINVAL;
5420 	}
5421 
5422 	return 0;
5423 }
5424 
5425 static struct cfg80211_mbssid_elems *
5426 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5427 {
5428 	struct nlattr *nl_elems;
5429 	struct cfg80211_mbssid_elems *elems;
5430 	int rem_elems;
5431 	u8 i = 0, num_elems = 0;
5432 
5433 	if (!wiphy->mbssid_max_interfaces)
5434 		return ERR_PTR(-EINVAL);
5435 
5436 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5437 		if (num_elems >= 255)
5438 			return ERR_PTR(-EINVAL);
5439 		num_elems++;
5440 	}
5441 
5442 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5443 	if (!elems)
5444 		return ERR_PTR(-ENOMEM);
5445 	elems->cnt = num_elems;
5446 
5447 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5448 		elems->elem[i].data = nla_data(nl_elems);
5449 		elems->elem[i].len = nla_len(nl_elems);
5450 		i++;
5451 	}
5452 	return elems;
5453 }
5454 
5455 static struct cfg80211_rnr_elems *
5456 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5457 			struct netlink_ext_ack *extack)
5458 {
5459 	struct nlattr *nl_elems;
5460 	struct cfg80211_rnr_elems *elems;
5461 	int rem_elems;
5462 	u8 i = 0, num_elems = 0;
5463 
5464 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5465 		int ret;
5466 
5467 		ret = validate_ie_attr(nl_elems, extack);
5468 		if (ret)
5469 			return ERR_PTR(ret);
5470 
5471 		num_elems++;
5472 	}
5473 
5474 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5475 	if (!elems)
5476 		return ERR_PTR(-ENOMEM);
5477 	elems->cnt = num_elems;
5478 
5479 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5480 		elems->elem[i].data = nla_data(nl_elems);
5481 		elems->elem[i].len = nla_len(nl_elems);
5482 		i++;
5483 	}
5484 	return elems;
5485 }
5486 
5487 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5488 				      struct cfg80211_he_bss_color *he_bss_color)
5489 {
5490 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5491 	int err;
5492 
5493 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5494 			       he_bss_color_policy, NULL);
5495 	if (err)
5496 		return err;
5497 
5498 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5499 		return -EINVAL;
5500 
5501 	he_bss_color->color =
5502 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5503 	he_bss_color->enabled =
5504 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5505 	he_bss_color->partial =
5506 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5507 
5508 	return 0;
5509 }
5510 
5511 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5512 				struct nlattr *attrs[],
5513 				struct cfg80211_beacon_data *bcn,
5514 				struct netlink_ext_ack *extack)
5515 {
5516 	bool haveinfo = false;
5517 	int err;
5518 
5519 	memset(bcn, 0, sizeof(*bcn));
5520 
5521 	bcn->link_id = nl80211_link_id(attrs);
5522 
5523 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5524 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5525 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5526 		if (!bcn->head_len)
5527 			return -EINVAL;
5528 		haveinfo = true;
5529 	}
5530 
5531 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5532 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5533 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5534 		haveinfo = true;
5535 	}
5536 
5537 	if (!haveinfo)
5538 		return -EINVAL;
5539 
5540 	if (attrs[NL80211_ATTR_IE]) {
5541 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5542 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5543 	}
5544 
5545 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5546 		bcn->proberesp_ies =
5547 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5548 		bcn->proberesp_ies_len =
5549 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5550 	}
5551 
5552 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5553 		bcn->assocresp_ies =
5554 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5555 		bcn->assocresp_ies_len =
5556 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5557 	}
5558 
5559 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5560 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5561 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5562 	}
5563 
5564 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5565 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5566 
5567 		err = nla_parse_nested_deprecated(tb,
5568 						  NL80211_FTM_RESP_ATTR_MAX,
5569 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5570 						  NULL, NULL);
5571 		if (err)
5572 			return err;
5573 
5574 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5575 		    wiphy_ext_feature_isset(&rdev->wiphy,
5576 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5577 			bcn->ftm_responder = 1;
5578 		else
5579 			return -EOPNOTSUPP;
5580 
5581 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5582 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5583 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5584 		}
5585 
5586 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5587 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5588 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5589 		}
5590 	} else {
5591 		bcn->ftm_responder = -1;
5592 	}
5593 
5594 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5595 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5596 						 &bcn->he_bss_color);
5597 		if (err)
5598 			return err;
5599 		bcn->he_bss_color_valid = true;
5600 	}
5601 
5602 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5603 		struct cfg80211_mbssid_elems *mbssid =
5604 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5605 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5606 
5607 		if (IS_ERR(mbssid))
5608 			return PTR_ERR(mbssid);
5609 
5610 		bcn->mbssid_ies = mbssid;
5611 
5612 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5613 			struct cfg80211_rnr_elems *rnr =
5614 				nl80211_parse_rnr_elems(&rdev->wiphy,
5615 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5616 							extack);
5617 
5618 			if (IS_ERR(rnr))
5619 				return PTR_ERR(rnr);
5620 
5621 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5622 				return -EINVAL;
5623 
5624 			bcn->rnr_ies = rnr;
5625 		}
5626 	}
5627 
5628 	return 0;
5629 }
5630 
5631 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5632 				    struct ieee80211_he_obss_pd *he_obss_pd)
5633 {
5634 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5635 	int err;
5636 
5637 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5638 			       he_obss_pd_policy, NULL);
5639 	if (err)
5640 		return err;
5641 
5642 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5643 		return -EINVAL;
5644 
5645 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5646 
5647 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5648 		he_obss_pd->min_offset =
5649 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5650 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5651 		he_obss_pd->max_offset =
5652 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5653 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5654 		he_obss_pd->non_srg_max_offset =
5655 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5656 
5657 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5658 		return -EINVAL;
5659 
5660 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5661 		memcpy(he_obss_pd->bss_color_bitmap,
5662 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5663 		       sizeof(he_obss_pd->bss_color_bitmap));
5664 
5665 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5666 		memcpy(he_obss_pd->partial_bssid_bitmap,
5667 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5668 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5669 
5670 	he_obss_pd->enable = true;
5671 
5672 	return 0;
5673 }
5674 
5675 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5676 					struct nlattr *attrs,
5677 					struct cfg80211_ap_settings *params)
5678 {
5679 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5680 	int ret;
5681 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5682 
5683 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5684 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5685 		return -EINVAL;
5686 
5687 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5688 			       NULL, NULL);
5689 	if (ret)
5690 		return ret;
5691 
5692 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5693 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5694 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5695 		return -EINVAL;
5696 
5697 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5698 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5699 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5700 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5701 
5702 	return 0;
5703 }
5704 
5705 static int
5706 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5707 				     struct nlattr *attrs,
5708 				     struct cfg80211_ap_settings *params)
5709 {
5710 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5711 	int ret;
5712 	struct cfg80211_unsol_bcast_probe_resp *presp =
5713 					&params->unsol_bcast_probe_resp;
5714 
5715 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5716 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5717 		return -EINVAL;
5718 
5719 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5720 			       attrs, NULL, NULL);
5721 	if (ret)
5722 		return ret;
5723 
5724 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5725 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5726 		return -EINVAL;
5727 
5728 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5729 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5730 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5731 	return 0;
5732 }
5733 
5734 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5735 					    const struct element *rates)
5736 {
5737 	int i;
5738 
5739 	if (!rates)
5740 		return;
5741 
5742 	for (i = 0; i < rates->datalen; i++) {
5743 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5744 			params->ht_required = true;
5745 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5746 			params->vht_required = true;
5747 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5748 			params->he_required = true;
5749 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5750 			params->sae_h2e_required = true;
5751 	}
5752 }
5753 
5754 /*
5755  * Since the nl80211 API didn't include, from the beginning, attributes about
5756  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5757  * benefit of drivers that rebuild IEs in the firmware.
5758  */
5759 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5760 {
5761 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5762 	size_t ies_len = bcn->tail_len;
5763 	const u8 *ies = bcn->tail;
5764 	const struct element *rates;
5765 	const struct element *cap;
5766 
5767 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5768 	nl80211_check_ap_rate_selectors(params, rates);
5769 
5770 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5771 	nl80211_check_ap_rate_selectors(params, rates);
5772 
5773 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5774 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5775 		params->ht_cap = (void *)cap->data;
5776 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5777 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5778 		params->vht_cap = (void *)cap->data;
5779 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5780 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5781 		params->he_cap = (void *)(cap->data + 1);
5782 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5783 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5784 		params->he_oper = (void *)(cap->data + 1);
5785 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5786 	if (cap) {
5787 		if (!cap->datalen)
5788 			return -EINVAL;
5789 		params->eht_cap = (void *)(cap->data + 1);
5790 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5791 						(const u8 *)params->eht_cap,
5792 						cap->datalen - 1, true))
5793 			return -EINVAL;
5794 	}
5795 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5796 	if (cap) {
5797 		if (!cap->datalen)
5798 			return -EINVAL;
5799 		params->eht_oper = (void *)(cap->data + 1);
5800 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5801 						cap->datalen - 1))
5802 			return -EINVAL;
5803 	}
5804 	return 0;
5805 }
5806 
5807 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5808 				   struct cfg80211_ap_settings *params)
5809 {
5810 	struct wireless_dev *wdev;
5811 
5812 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5813 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5814 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5815 			continue;
5816 
5817 		if (!wdev->u.ap.preset_chandef.chan)
5818 			continue;
5819 
5820 		params->chandef = wdev->u.ap.preset_chandef;
5821 		return true;
5822 	}
5823 
5824 	return false;
5825 }
5826 
5827 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5828 				    enum nl80211_auth_type auth_type,
5829 				    enum nl80211_commands cmd)
5830 {
5831 	if (auth_type > NL80211_AUTHTYPE_MAX)
5832 		return false;
5833 
5834 	switch (cmd) {
5835 	case NL80211_CMD_AUTHENTICATE:
5836 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5837 		    auth_type == NL80211_AUTHTYPE_SAE)
5838 			return false;
5839 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5840 					     NL80211_EXT_FEATURE_FILS_STA) &&
5841 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5842 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5843 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5844 			return false;
5845 		return true;
5846 	case NL80211_CMD_CONNECT:
5847 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5848 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5849 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5850 		    auth_type == NL80211_AUTHTYPE_SAE)
5851 			return false;
5852 
5853 		/* FILS with SK PFS or PK not supported yet */
5854 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5855 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5856 			return false;
5857 		if (!wiphy_ext_feature_isset(
5858 			    &rdev->wiphy,
5859 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5860 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5861 			return false;
5862 		return true;
5863 	case NL80211_CMD_START_AP:
5864 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5865 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5866 		    auth_type == NL80211_AUTHTYPE_SAE)
5867 			return false;
5868 		/* FILS not supported yet */
5869 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5870 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5871 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5872 			return false;
5873 		return true;
5874 	default:
5875 		return false;
5876 	}
5877 }
5878 
5879 static void nl80211_send_ap_started(struct wireless_dev *wdev,
5880 				    unsigned int link_id)
5881 {
5882 	struct wiphy *wiphy = wdev->wiphy;
5883 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5884 	struct sk_buff *msg;
5885 	void *hdr;
5886 
5887 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5888 	if (!msg)
5889 		return;
5890 
5891 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5892 	if (!hdr)
5893 		goto out;
5894 
5895 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5896 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5897 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5898 			      NL80211_ATTR_PAD) ||
5899 	    (wdev->u.ap.ssid_len &&
5900 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5901 		     wdev->u.ap.ssid)) ||
5902 	    (wdev->valid_links &&
5903 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5904 		goto out;
5905 
5906 	genlmsg_end(msg, hdr);
5907 
5908 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5909 				NL80211_MCGRP_MLME, GFP_KERNEL);
5910 	return;
5911 out:
5912 	nlmsg_free(msg);
5913 }
5914 
5915 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
5916 {
5917 	struct ieee80211_channel *channel = params->chandef.chan;
5918 
5919 	if ((params->he_cap ||  params->he_oper) &&
5920 	    (channel->flags & IEEE80211_CHAN_NO_HE))
5921 		return -EOPNOTSUPP;
5922 
5923 	if ((params->eht_cap || params->eht_oper) &&
5924 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
5925 		return -EOPNOTSUPP;
5926 
5927 	return 0;
5928 }
5929 
5930 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5931 {
5932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5933 	unsigned int link_id = nl80211_link_id(info->attrs);
5934 	struct net_device *dev = info->user_ptr[1];
5935 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5936 	struct cfg80211_ap_settings *params;
5937 	int err;
5938 
5939 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5940 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5941 		return -EOPNOTSUPP;
5942 
5943 	if (!rdev->ops->start_ap)
5944 		return -EOPNOTSUPP;
5945 
5946 	if (wdev->links[link_id].ap.beacon_interval)
5947 		return -EALREADY;
5948 
5949 	/* these are required for START_AP */
5950 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5951 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5952 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5953 		return -EINVAL;
5954 
5955 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5956 	if (!params)
5957 		return -ENOMEM;
5958 
5959 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
5960 				   info->extack);
5961 	if (err)
5962 		goto out;
5963 
5964 	params->beacon_interval =
5965 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5966 	params->dtim_period =
5967 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5968 
5969 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5970 					   params->beacon_interval);
5971 	if (err)
5972 		goto out;
5973 
5974 	/*
5975 	 * In theory, some of these attributes should be required here
5976 	 * but since they were not used when the command was originally
5977 	 * added, keep them optional for old user space programs to let
5978 	 * them continue to work with drivers that do not need the
5979 	 * additional information -- drivers must check!
5980 	 */
5981 	if (info->attrs[NL80211_ATTR_SSID]) {
5982 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5983 		params->ssid_len =
5984 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5985 		if (params->ssid_len == 0) {
5986 			err = -EINVAL;
5987 			goto out;
5988 		}
5989 
5990 		if (wdev->u.ap.ssid_len &&
5991 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5992 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5993 			/* require identical SSID for MLO */
5994 			err = -EINVAL;
5995 			goto out;
5996 		}
5997 	} else if (wdev->valid_links) {
5998 		/* require SSID for MLO */
5999 		err = -EINVAL;
6000 		goto out;
6001 	}
6002 
6003 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6004 		params->hidden_ssid = nla_get_u32(
6005 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6006 
6007 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6008 
6009 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6010 		params->auth_type = nla_get_u32(
6011 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6012 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6013 					     NL80211_CMD_START_AP)) {
6014 			err = -EINVAL;
6015 			goto out;
6016 		}
6017 	} else
6018 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6019 
6020 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6021 				      NL80211_MAX_NR_CIPHER_SUITES);
6022 	if (err)
6023 		goto out;
6024 
6025 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6026 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6027 			err = -EOPNOTSUPP;
6028 			goto out;
6029 		}
6030 		params->inactivity_timeout = nla_get_u16(
6031 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6032 	}
6033 
6034 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6035 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6036 			err = -EINVAL;
6037 			goto out;
6038 		}
6039 		params->p2p_ctwindow =
6040 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6041 		if (params->p2p_ctwindow != 0 &&
6042 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6043 			err = -EINVAL;
6044 			goto out;
6045 		}
6046 	}
6047 
6048 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6049 		u8 tmp;
6050 
6051 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6052 			err = -EINVAL;
6053 			goto out;
6054 		}
6055 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6056 		params->p2p_opp_ps = tmp;
6057 		if (params->p2p_opp_ps != 0 &&
6058 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6059 			err = -EINVAL;
6060 			goto out;
6061 		}
6062 	}
6063 
6064 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6065 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6066 		if (err)
6067 			goto out;
6068 	} else if (wdev->valid_links) {
6069 		/* with MLD need to specify the channel configuration */
6070 		err = -EINVAL;
6071 		goto out;
6072 	} else if (wdev->u.ap.preset_chandef.chan) {
6073 		params->chandef = wdev->u.ap.preset_chandef;
6074 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6075 		err = -EINVAL;
6076 		goto out;
6077 	}
6078 
6079 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
6080 		err = nl80211_parse_punct_bitmap(rdev, info,
6081 						 &params->chandef,
6082 						 &params->punct_bitmap);
6083 		if (err)
6084 			goto out;
6085 	}
6086 
6087 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
6088 					   wdev->iftype)) {
6089 		err = -EINVAL;
6090 		goto out;
6091 	}
6092 
6093 	wdev_lock(wdev);
6094 
6095 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6096 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6097 						    NL80211_ATTR_TX_RATES,
6098 						    &params->beacon_rate,
6099 						    dev, false, link_id);
6100 		if (err)
6101 			goto out_unlock;
6102 
6103 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6104 					      &params->beacon_rate);
6105 		if (err)
6106 			goto out_unlock;
6107 	}
6108 
6109 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6110 		params->smps_mode =
6111 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6112 		switch (params->smps_mode) {
6113 		case NL80211_SMPS_OFF:
6114 			break;
6115 		case NL80211_SMPS_STATIC:
6116 			if (!(rdev->wiphy.features &
6117 			      NL80211_FEATURE_STATIC_SMPS)) {
6118 				err = -EINVAL;
6119 				goto out_unlock;
6120 			}
6121 			break;
6122 		case NL80211_SMPS_DYNAMIC:
6123 			if (!(rdev->wiphy.features &
6124 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6125 				err = -EINVAL;
6126 				goto out_unlock;
6127 			}
6128 			break;
6129 		default:
6130 			err = -EINVAL;
6131 			goto out_unlock;
6132 		}
6133 	} else {
6134 		params->smps_mode = NL80211_SMPS_OFF;
6135 	}
6136 
6137 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6138 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6139 		err = -EOPNOTSUPP;
6140 		goto out_unlock;
6141 	}
6142 
6143 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6144 		params->acl = parse_acl_data(&rdev->wiphy, info);
6145 		if (IS_ERR(params->acl)) {
6146 			err = PTR_ERR(params->acl);
6147 			params->acl = NULL;
6148 			goto out_unlock;
6149 		}
6150 	}
6151 
6152 	params->twt_responder =
6153 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6154 
6155 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6156 		err = nl80211_parse_he_obss_pd(
6157 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6158 					&params->he_obss_pd);
6159 		if (err)
6160 			goto out_unlock;
6161 	}
6162 
6163 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6164 		err = nl80211_parse_fils_discovery(rdev,
6165 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6166 						   params);
6167 		if (err)
6168 			goto out_unlock;
6169 	}
6170 
6171 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6172 		err = nl80211_parse_unsol_bcast_probe_resp(
6173 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6174 			params);
6175 		if (err)
6176 			goto out_unlock;
6177 	}
6178 
6179 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6180 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6181 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6182 						  &params->mbssid_config,
6183 						  params->beacon.mbssid_ies ?
6184 							params->beacon.mbssid_ies->cnt :
6185 							0);
6186 		if (err)
6187 			goto out_unlock;
6188 	}
6189 
6190 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6191 		err = -EINVAL;
6192 		goto out_unlock;
6193 	}
6194 
6195 	err = nl80211_calculate_ap_params(params);
6196 	if (err)
6197 		goto out_unlock;
6198 
6199 	err = nl80211_validate_ap_phy_operation(params);
6200 	if (err)
6201 		goto out_unlock;
6202 
6203 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6204 		params->flags = nla_get_u32(
6205 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6206 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6207 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6208 
6209 	if (wdev->conn_owner_nlportid &&
6210 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6211 	    wdev->conn_owner_nlportid != info->snd_portid) {
6212 		err = -EINVAL;
6213 		goto out_unlock;
6214 	}
6215 
6216 	/* FIXME: validate MLO/link-id against driver capabilities */
6217 
6218 	err = rdev_start_ap(rdev, dev, params);
6219 	if (!err) {
6220 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6221 		wdev->links[link_id].ap.chandef = params->chandef;
6222 		wdev->u.ap.ssid_len = params->ssid_len;
6223 		memcpy(wdev->u.ap.ssid, params->ssid,
6224 		       params->ssid_len);
6225 
6226 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6227 			wdev->conn_owner_nlportid = info->snd_portid;
6228 
6229 		nl80211_send_ap_started(wdev, link_id);
6230 	}
6231 out_unlock:
6232 	wdev_unlock(wdev);
6233 out:
6234 	kfree(params->acl);
6235 	kfree(params->beacon.mbssid_ies);
6236 	if (params->mbssid_config.tx_wdev &&
6237 	    params->mbssid_config.tx_wdev->netdev &&
6238 	    params->mbssid_config.tx_wdev->netdev != dev)
6239 		dev_put(params->mbssid_config.tx_wdev->netdev);
6240 	kfree(params->beacon.rnr_ies);
6241 	kfree(params);
6242 
6243 	return err;
6244 }
6245 
6246 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6247 {
6248 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6249 	unsigned int link_id = nl80211_link_id(info->attrs);
6250 	struct net_device *dev = info->user_ptr[1];
6251 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6252 	struct cfg80211_beacon_data params;
6253 	int err;
6254 
6255 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6256 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6257 		return -EOPNOTSUPP;
6258 
6259 	if (!rdev->ops->change_beacon)
6260 		return -EOPNOTSUPP;
6261 
6262 	if (!wdev->links[link_id].ap.beacon_interval)
6263 		return -EINVAL;
6264 
6265 	err = nl80211_parse_beacon(rdev, info->attrs, &params, info->extack);
6266 	if (err)
6267 		goto out;
6268 
6269 	wdev_lock(wdev);
6270 	err = rdev_change_beacon(rdev, dev, &params);
6271 	wdev_unlock(wdev);
6272 
6273 out:
6274 	kfree(params.mbssid_ies);
6275 	kfree(params.rnr_ies);
6276 	return err;
6277 }
6278 
6279 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6280 {
6281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6282 	unsigned int link_id = nl80211_link_id(info->attrs);
6283 	struct net_device *dev = info->user_ptr[1];
6284 
6285 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6286 }
6287 
6288 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6289 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6290 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6291 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6292 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6293 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6294 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6295 };
6296 
6297 static int parse_station_flags(struct genl_info *info,
6298 			       enum nl80211_iftype iftype,
6299 			       struct station_parameters *params)
6300 {
6301 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6302 	struct nlattr *nla;
6303 	int flag;
6304 
6305 	/*
6306 	 * Try parsing the new attribute first so userspace
6307 	 * can specify both for older kernels.
6308 	 */
6309 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6310 	if (nla) {
6311 		struct nl80211_sta_flag_update *sta_flags;
6312 
6313 		sta_flags = nla_data(nla);
6314 		params->sta_flags_mask = sta_flags->mask;
6315 		params->sta_flags_set = sta_flags->set;
6316 		params->sta_flags_set &= params->sta_flags_mask;
6317 		if ((params->sta_flags_mask |
6318 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6319 			return -EINVAL;
6320 		return 0;
6321 	}
6322 
6323 	/* if present, parse the old attribute */
6324 
6325 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6326 	if (!nla)
6327 		return 0;
6328 
6329 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6330 		return -EINVAL;
6331 
6332 	/*
6333 	 * Only allow certain flags for interface types so that
6334 	 * other attributes are silently ignored. Remember that
6335 	 * this is backward compatibility code with old userspace
6336 	 * and shouldn't be hit in other cases anyway.
6337 	 */
6338 	switch (iftype) {
6339 	case NL80211_IFTYPE_AP:
6340 	case NL80211_IFTYPE_AP_VLAN:
6341 	case NL80211_IFTYPE_P2P_GO:
6342 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6343 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6344 					 BIT(NL80211_STA_FLAG_WME) |
6345 					 BIT(NL80211_STA_FLAG_MFP);
6346 		break;
6347 	case NL80211_IFTYPE_P2P_CLIENT:
6348 	case NL80211_IFTYPE_STATION:
6349 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6350 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6351 		break;
6352 	case NL80211_IFTYPE_MESH_POINT:
6353 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6354 					 BIT(NL80211_STA_FLAG_MFP) |
6355 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6356 		break;
6357 	default:
6358 		return -EINVAL;
6359 	}
6360 
6361 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6362 		if (flags[flag]) {
6363 			params->sta_flags_set |= (1<<flag);
6364 
6365 			/* no longer support new API additions in old API */
6366 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6367 				return -EINVAL;
6368 		}
6369 	}
6370 
6371 	return 0;
6372 }
6373 
6374 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6375 {
6376 	struct nlattr *rate;
6377 	u32 bitrate;
6378 	u16 bitrate_compat;
6379 	enum nl80211_rate_info rate_flg;
6380 
6381 	rate = nla_nest_start_noflag(msg, attr);
6382 	if (!rate)
6383 		return false;
6384 
6385 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6386 	bitrate = cfg80211_calculate_bitrate(info);
6387 	/* report 16-bit bitrate only if we can */
6388 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6389 	if (bitrate > 0 &&
6390 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6391 		return false;
6392 	if (bitrate_compat > 0 &&
6393 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6394 		return false;
6395 
6396 	switch (info->bw) {
6397 	case RATE_INFO_BW_1:
6398 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6399 		break;
6400 	case RATE_INFO_BW_2:
6401 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6402 		break;
6403 	case RATE_INFO_BW_4:
6404 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6405 		break;
6406 	case RATE_INFO_BW_5:
6407 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6408 		break;
6409 	case RATE_INFO_BW_8:
6410 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6411 		break;
6412 	case RATE_INFO_BW_10:
6413 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6414 		break;
6415 	case RATE_INFO_BW_16:
6416 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6417 		break;
6418 	default:
6419 		WARN_ON(1);
6420 		fallthrough;
6421 	case RATE_INFO_BW_20:
6422 		rate_flg = 0;
6423 		break;
6424 	case RATE_INFO_BW_40:
6425 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6426 		break;
6427 	case RATE_INFO_BW_80:
6428 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6429 		break;
6430 	case RATE_INFO_BW_160:
6431 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6432 		break;
6433 	case RATE_INFO_BW_HE_RU:
6434 		rate_flg = 0;
6435 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6436 		break;
6437 	case RATE_INFO_BW_320:
6438 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6439 		break;
6440 	case RATE_INFO_BW_EHT_RU:
6441 		rate_flg = 0;
6442 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6443 		break;
6444 	}
6445 
6446 	if (rate_flg && nla_put_flag(msg, rate_flg))
6447 		return false;
6448 
6449 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6450 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6451 			return false;
6452 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6453 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6454 			return false;
6455 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6456 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6457 			return false;
6458 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6459 			return false;
6460 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6461 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6462 			return false;
6463 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6464 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6465 			return false;
6466 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6467 			return false;
6468 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6469 			return false;
6470 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6471 			return false;
6472 		if (info->bw == RATE_INFO_BW_HE_RU &&
6473 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6474 			       info->he_ru_alloc))
6475 			return false;
6476 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6477 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6478 			return false;
6479 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6480 			return false;
6481 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6482 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6483 			return false;
6484 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6485 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6486 			return false;
6487 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6488 			return false;
6489 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6490 			return false;
6491 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6492 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6493 			       info->eht_ru_alloc))
6494 			return false;
6495 	}
6496 
6497 	nla_nest_end(msg, rate);
6498 	return true;
6499 }
6500 
6501 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6502 			       int id)
6503 {
6504 	void *attr;
6505 	int i = 0;
6506 
6507 	if (!mask)
6508 		return true;
6509 
6510 	attr = nla_nest_start_noflag(msg, id);
6511 	if (!attr)
6512 		return false;
6513 
6514 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6515 		if (!(mask & BIT(i)))
6516 			continue;
6517 
6518 		if (nla_put_u8(msg, i, signal[i]))
6519 			return false;
6520 	}
6521 
6522 	nla_nest_end(msg, attr);
6523 
6524 	return true;
6525 }
6526 
6527 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6528 				u32 seq, int flags,
6529 				struct cfg80211_registered_device *rdev,
6530 				struct net_device *dev,
6531 				const u8 *mac_addr, struct station_info *sinfo)
6532 {
6533 	void *hdr;
6534 	struct nlattr *sinfoattr, *bss_param;
6535 
6536 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6537 	if (!hdr) {
6538 		cfg80211_sinfo_release_content(sinfo);
6539 		return -1;
6540 	}
6541 
6542 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6543 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6544 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6545 		goto nla_put_failure;
6546 
6547 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6548 	if (!sinfoattr)
6549 		goto nla_put_failure;
6550 
6551 #define PUT_SINFO(attr, memb, type) do {				\
6552 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6553 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6554 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6555 			     sinfo->memb))				\
6556 		goto nla_put_failure;					\
6557 	} while (0)
6558 #define PUT_SINFO_U64(attr, memb) do {					\
6559 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6560 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6561 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6562 		goto nla_put_failure;					\
6563 	} while (0)
6564 
6565 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6566 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6567 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6568 
6569 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6570 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6571 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6572 			(u32)sinfo->rx_bytes))
6573 		goto nla_put_failure;
6574 
6575 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6576 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6577 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6578 			(u32)sinfo->tx_bytes))
6579 		goto nla_put_failure;
6580 
6581 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6582 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6583 	PUT_SINFO(LLID, llid, u16);
6584 	PUT_SINFO(PLID, plid, u16);
6585 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6586 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6587 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6588 
6589 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6590 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6591 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6592 
6593 	switch (rdev->wiphy.signal_type) {
6594 	case CFG80211_SIGNAL_TYPE_MBM:
6595 		PUT_SINFO(SIGNAL, signal, u8);
6596 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6597 		break;
6598 	default:
6599 		break;
6600 	}
6601 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6602 		if (!nl80211_put_signal(msg, sinfo->chains,
6603 					sinfo->chain_signal,
6604 					NL80211_STA_INFO_CHAIN_SIGNAL))
6605 			goto nla_put_failure;
6606 	}
6607 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6608 		if (!nl80211_put_signal(msg, sinfo->chains,
6609 					sinfo->chain_signal_avg,
6610 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6611 			goto nla_put_failure;
6612 	}
6613 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6614 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6615 					  NL80211_STA_INFO_TX_BITRATE))
6616 			goto nla_put_failure;
6617 	}
6618 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6619 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6620 					  NL80211_STA_INFO_RX_BITRATE))
6621 			goto nla_put_failure;
6622 	}
6623 
6624 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6625 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6626 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6627 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6628 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6629 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6630 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6631 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6632 	PUT_SINFO(PEER_PM, peer_pm, u32);
6633 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6634 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6635 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6636 
6637 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6638 		bss_param = nla_nest_start_noflag(msg,
6639 						  NL80211_STA_INFO_BSS_PARAM);
6640 		if (!bss_param)
6641 			goto nla_put_failure;
6642 
6643 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6644 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6645 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6646 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6647 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6648 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6649 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6650 			       sinfo->bss_param.dtim_period) ||
6651 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6652 				sinfo->bss_param.beacon_interval))
6653 			goto nla_put_failure;
6654 
6655 		nla_nest_end(msg, bss_param);
6656 	}
6657 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6658 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6659 		    sizeof(struct nl80211_sta_flag_update),
6660 		    &sinfo->sta_flags))
6661 		goto nla_put_failure;
6662 
6663 	PUT_SINFO_U64(T_OFFSET, t_offset);
6664 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6665 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6666 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6667 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6668 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6669 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6670 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6671 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6672 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6673 	}
6674 
6675 #undef PUT_SINFO
6676 #undef PUT_SINFO_U64
6677 
6678 	if (sinfo->pertid) {
6679 		struct nlattr *tidsattr;
6680 		int tid;
6681 
6682 		tidsattr = nla_nest_start_noflag(msg,
6683 						 NL80211_STA_INFO_TID_STATS);
6684 		if (!tidsattr)
6685 			goto nla_put_failure;
6686 
6687 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6688 			struct cfg80211_tid_stats *tidstats;
6689 			struct nlattr *tidattr;
6690 
6691 			tidstats = &sinfo->pertid[tid];
6692 
6693 			if (!tidstats->filled)
6694 				continue;
6695 
6696 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6697 			if (!tidattr)
6698 				goto nla_put_failure;
6699 
6700 #define PUT_TIDVAL_U64(attr, memb) do {					\
6701 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6702 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6703 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6704 		goto nla_put_failure;					\
6705 	} while (0)
6706 
6707 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6708 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6709 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6710 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6711 
6712 #undef PUT_TIDVAL_U64
6713 			if ((tidstats->filled &
6714 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6715 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6716 						   NL80211_TID_STATS_TXQ_STATS))
6717 				goto nla_put_failure;
6718 
6719 			nla_nest_end(msg, tidattr);
6720 		}
6721 
6722 		nla_nest_end(msg, tidsattr);
6723 	}
6724 
6725 	nla_nest_end(msg, sinfoattr);
6726 
6727 	if (sinfo->assoc_req_ies_len &&
6728 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6729 		    sinfo->assoc_req_ies))
6730 		goto nla_put_failure;
6731 
6732 	if (sinfo->assoc_resp_ies_len &&
6733 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6734 		    sinfo->assoc_resp_ies))
6735 		goto nla_put_failure;
6736 
6737 	if (sinfo->mlo_params_valid) {
6738 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6739 			       sinfo->assoc_link_id))
6740 			goto nla_put_failure;
6741 
6742 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6743 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6744 			    sinfo->mld_addr))
6745 			goto nla_put_failure;
6746 	}
6747 
6748 	cfg80211_sinfo_release_content(sinfo);
6749 	genlmsg_end(msg, hdr);
6750 	return 0;
6751 
6752  nla_put_failure:
6753 	cfg80211_sinfo_release_content(sinfo);
6754 	genlmsg_cancel(msg, hdr);
6755 	return -EMSGSIZE;
6756 }
6757 
6758 static int nl80211_dump_station(struct sk_buff *skb,
6759 				struct netlink_callback *cb)
6760 {
6761 	struct station_info sinfo;
6762 	struct cfg80211_registered_device *rdev;
6763 	struct wireless_dev *wdev;
6764 	u8 mac_addr[ETH_ALEN];
6765 	int sta_idx = cb->args[2];
6766 	int err;
6767 
6768 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6769 	if (err)
6770 		return err;
6771 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6772 	__acquire(&rdev->wiphy.mtx);
6773 
6774 	if (!wdev->netdev) {
6775 		err = -EINVAL;
6776 		goto out_err;
6777 	}
6778 
6779 	if (!rdev->ops->dump_station) {
6780 		err = -EOPNOTSUPP;
6781 		goto out_err;
6782 	}
6783 
6784 	while (1) {
6785 		memset(&sinfo, 0, sizeof(sinfo));
6786 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6787 					mac_addr, &sinfo);
6788 		if (err == -ENOENT)
6789 			break;
6790 		if (err)
6791 			goto out_err;
6792 
6793 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6794 				NETLINK_CB(cb->skb).portid,
6795 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6796 				rdev, wdev->netdev, mac_addr,
6797 				&sinfo) < 0)
6798 			goto out;
6799 
6800 		sta_idx++;
6801 	}
6802 
6803  out:
6804 	cb->args[2] = sta_idx;
6805 	err = skb->len;
6806  out_err:
6807 	wiphy_unlock(&rdev->wiphy);
6808 
6809 	return err;
6810 }
6811 
6812 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6813 {
6814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6815 	struct net_device *dev = info->user_ptr[1];
6816 	struct station_info sinfo;
6817 	struct sk_buff *msg;
6818 	u8 *mac_addr = NULL;
6819 	int err;
6820 
6821 	memset(&sinfo, 0, sizeof(sinfo));
6822 
6823 	if (!info->attrs[NL80211_ATTR_MAC])
6824 		return -EINVAL;
6825 
6826 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6827 
6828 	if (!rdev->ops->get_station)
6829 		return -EOPNOTSUPP;
6830 
6831 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6832 	if (err)
6833 		return err;
6834 
6835 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6836 	if (!msg) {
6837 		cfg80211_sinfo_release_content(&sinfo);
6838 		return -ENOMEM;
6839 	}
6840 
6841 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6842 				 info->snd_portid, info->snd_seq, 0,
6843 				 rdev, dev, mac_addr, &sinfo) < 0) {
6844 		nlmsg_free(msg);
6845 		return -ENOBUFS;
6846 	}
6847 
6848 	return genlmsg_reply(msg, info);
6849 }
6850 
6851 int cfg80211_check_station_change(struct wiphy *wiphy,
6852 				  struct station_parameters *params,
6853 				  enum cfg80211_station_type statype)
6854 {
6855 	if (params->listen_interval != -1 &&
6856 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6857 		return -EINVAL;
6858 
6859 	if (params->support_p2p_ps != -1 &&
6860 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6861 		return -EINVAL;
6862 
6863 	if (params->aid &&
6864 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6865 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6866 		return -EINVAL;
6867 
6868 	/* When you run into this, adjust the code below for the new flag */
6869 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6870 
6871 	switch (statype) {
6872 	case CFG80211_STA_MESH_PEER_KERNEL:
6873 	case CFG80211_STA_MESH_PEER_USER:
6874 		/*
6875 		 * No ignoring the TDLS flag here -- the userspace mesh
6876 		 * code doesn't have the bug of including TDLS in the
6877 		 * mask everywhere.
6878 		 */
6879 		if (params->sta_flags_mask &
6880 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6881 				  BIT(NL80211_STA_FLAG_MFP) |
6882 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6883 			return -EINVAL;
6884 		break;
6885 	case CFG80211_STA_TDLS_PEER_SETUP:
6886 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6887 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6888 			return -EINVAL;
6889 		/* ignore since it can't change */
6890 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6891 		break;
6892 	default:
6893 		/* disallow mesh-specific things */
6894 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6895 			return -EINVAL;
6896 		if (params->local_pm)
6897 			return -EINVAL;
6898 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6899 			return -EINVAL;
6900 	}
6901 
6902 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6903 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6904 		/* TDLS can't be set, ... */
6905 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6906 			return -EINVAL;
6907 		/*
6908 		 * ... but don't bother the driver with it. This works around
6909 		 * a hostapd/wpa_supplicant issue -- it always includes the
6910 		 * TLDS_PEER flag in the mask even for AP mode.
6911 		 */
6912 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6913 	}
6914 
6915 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6916 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6917 		/* reject other things that can't change */
6918 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6919 			return -EINVAL;
6920 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6921 			return -EINVAL;
6922 		if (params->link_sta_params.supported_rates)
6923 			return -EINVAL;
6924 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6925 		    params->link_sta_params.vht_capa ||
6926 		    params->link_sta_params.he_capa ||
6927 		    params->link_sta_params.eht_capa)
6928 			return -EINVAL;
6929 	}
6930 
6931 	if (statype != CFG80211_STA_AP_CLIENT &&
6932 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6933 		if (params->vlan)
6934 			return -EINVAL;
6935 	}
6936 
6937 	switch (statype) {
6938 	case CFG80211_STA_AP_MLME_CLIENT:
6939 		/* Use this only for authorizing/unauthorizing a station */
6940 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6941 			return -EOPNOTSUPP;
6942 		break;
6943 	case CFG80211_STA_AP_CLIENT:
6944 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6945 		/* accept only the listed bits */
6946 		if (params->sta_flags_mask &
6947 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6948 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6949 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6950 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6951 				  BIT(NL80211_STA_FLAG_WME) |
6952 				  BIT(NL80211_STA_FLAG_MFP)))
6953 			return -EINVAL;
6954 
6955 		/* but authenticated/associated only if driver handles it */
6956 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6957 		    params->sta_flags_mask &
6958 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6959 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6960 			return -EINVAL;
6961 		break;
6962 	case CFG80211_STA_IBSS:
6963 	case CFG80211_STA_AP_STA:
6964 		/* reject any changes other than AUTHORIZED */
6965 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6966 			return -EINVAL;
6967 		break;
6968 	case CFG80211_STA_TDLS_PEER_SETUP:
6969 		/* reject any changes other than AUTHORIZED or WME */
6970 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6971 					       BIT(NL80211_STA_FLAG_WME)))
6972 			return -EINVAL;
6973 		/* force (at least) rates when authorizing */
6974 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6975 		    !params->link_sta_params.supported_rates)
6976 			return -EINVAL;
6977 		break;
6978 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6979 		/* reject any changes */
6980 		return -EINVAL;
6981 	case CFG80211_STA_MESH_PEER_KERNEL:
6982 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6983 			return -EINVAL;
6984 		break;
6985 	case CFG80211_STA_MESH_PEER_USER:
6986 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6987 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6988 			return -EINVAL;
6989 		break;
6990 	}
6991 
6992 	/*
6993 	 * Older kernel versions ignored this attribute entirely, so don't
6994 	 * reject attempts to update it but mark it as unused instead so the
6995 	 * driver won't look at the data.
6996 	 */
6997 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6998 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6999 		params->link_sta_params.opmode_notif_used = false;
7000 
7001 	return 0;
7002 }
7003 EXPORT_SYMBOL(cfg80211_check_station_change);
7004 
7005 /*
7006  * Get vlan interface making sure it is running and on the right wiphy.
7007  */
7008 static struct net_device *get_vlan(struct genl_info *info,
7009 				   struct cfg80211_registered_device *rdev)
7010 {
7011 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7012 	struct net_device *v;
7013 	int ret;
7014 
7015 	if (!vlanattr)
7016 		return NULL;
7017 
7018 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7019 	if (!v)
7020 		return ERR_PTR(-ENODEV);
7021 
7022 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7023 		ret = -EINVAL;
7024 		goto error;
7025 	}
7026 
7027 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7028 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7029 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7030 		ret = -EINVAL;
7031 		goto error;
7032 	}
7033 
7034 	if (!netif_running(v)) {
7035 		ret = -ENETDOWN;
7036 		goto error;
7037 	}
7038 
7039 	return v;
7040  error:
7041 	dev_put(v);
7042 	return ERR_PTR(ret);
7043 }
7044 
7045 static int nl80211_parse_sta_wme(struct genl_info *info,
7046 				 struct station_parameters *params)
7047 {
7048 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7049 	struct nlattr *nla;
7050 	int err;
7051 
7052 	/* parse WME attributes if present */
7053 	if (!info->attrs[NL80211_ATTR_STA_WME])
7054 		return 0;
7055 
7056 	nla = info->attrs[NL80211_ATTR_STA_WME];
7057 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7058 					  nl80211_sta_wme_policy,
7059 					  info->extack);
7060 	if (err)
7061 		return err;
7062 
7063 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7064 		params->uapsd_queues = nla_get_u8(
7065 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7066 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7067 		return -EINVAL;
7068 
7069 	if (tb[NL80211_STA_WME_MAX_SP])
7070 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7071 
7072 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7073 		return -EINVAL;
7074 
7075 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7076 
7077 	return 0;
7078 }
7079 
7080 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7081 				      struct station_parameters *params)
7082 {
7083 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7084 		params->supported_channels =
7085 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7086 		params->supported_channels_len =
7087 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7088 		/*
7089 		 * Need to include at least one (first channel, number of
7090 		 * channels) tuple for each subband (checked in policy),
7091 		 * and must have proper tuples for the rest of the data as well.
7092 		 */
7093 		if (params->supported_channels_len % 2)
7094 			return -EINVAL;
7095 	}
7096 
7097 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7098 		params->supported_oper_classes =
7099 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7100 		params->supported_oper_classes_len =
7101 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7102 	}
7103 	return 0;
7104 }
7105 
7106 static int nl80211_set_station_tdls(struct genl_info *info,
7107 				    struct station_parameters *params)
7108 {
7109 	int err;
7110 	/* Dummy STA entry gets updated once the peer capabilities are known */
7111 	if (info->attrs[NL80211_ATTR_PEER_AID])
7112 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7113 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7114 		params->link_sta_params.ht_capa =
7115 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7116 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7117 		params->link_sta_params.vht_capa =
7118 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7119 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7120 		params->link_sta_params.he_capa =
7121 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7122 		params->link_sta_params.he_capa_len =
7123 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7124 
7125 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7126 			params->link_sta_params.eht_capa =
7127 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7128 			params->link_sta_params.eht_capa_len =
7129 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7130 
7131 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7132 							(const u8 *)params->link_sta_params.eht_capa,
7133 							params->link_sta_params.eht_capa_len,
7134 							false))
7135 				return -EINVAL;
7136 		}
7137 	}
7138 
7139 	err = nl80211_parse_sta_channel_info(info, params);
7140 	if (err)
7141 		return err;
7142 
7143 	return nl80211_parse_sta_wme(info, params);
7144 }
7145 
7146 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7147 					     struct sta_txpwr *txpwr,
7148 					     bool *txpwr_set)
7149 {
7150 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7151 	int idx;
7152 
7153 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7154 		if (!rdev->ops->set_tx_power ||
7155 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7156 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7157 			return -EOPNOTSUPP;
7158 
7159 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7160 		txpwr->type = nla_get_u8(info->attrs[idx]);
7161 
7162 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7163 			idx = NL80211_ATTR_STA_TX_POWER;
7164 
7165 			if (info->attrs[idx])
7166 				txpwr->power = nla_get_s16(info->attrs[idx]);
7167 			else
7168 				return -EINVAL;
7169 		}
7170 
7171 		*txpwr_set = true;
7172 	} else {
7173 		*txpwr_set = false;
7174 	}
7175 
7176 	return 0;
7177 }
7178 
7179 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7180 {
7181 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7182 	struct net_device *dev = info->user_ptr[1];
7183 	struct station_parameters params;
7184 	u8 *mac_addr;
7185 	int err;
7186 
7187 	memset(&params, 0, sizeof(params));
7188 
7189 	if (!rdev->ops->change_station)
7190 		return -EOPNOTSUPP;
7191 
7192 	/*
7193 	 * AID and listen_interval properties can be set only for unassociated
7194 	 * station. Include these parameters here and will check them in
7195 	 * cfg80211_check_station_change().
7196 	 */
7197 	if (info->attrs[NL80211_ATTR_STA_AID])
7198 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7199 
7200 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7201 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7202 
7203 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7204 		params.listen_interval =
7205 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7206 	else
7207 		params.listen_interval = -1;
7208 
7209 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7210 		params.support_p2p_ps =
7211 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7212 	else
7213 		params.support_p2p_ps = -1;
7214 
7215 	if (!info->attrs[NL80211_ATTR_MAC])
7216 		return -EINVAL;
7217 
7218 	params.link_sta_params.link_id =
7219 		nl80211_link_id_or_invalid(info->attrs);
7220 
7221 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7222 		/* If MLD_ADDR attribute is set then this is an MLD station
7223 		 * and the MLD_ADDR attribute holds the MLD address and the
7224 		 * MAC attribute holds for the LINK address.
7225 		 * In that case, the link_id is also expected to be valid.
7226 		 */
7227 		if (params.link_sta_params.link_id < 0)
7228 			return -EINVAL;
7229 
7230 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7231 		params.link_sta_params.mld_mac = mac_addr;
7232 		params.link_sta_params.link_mac =
7233 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7234 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7235 			return -EINVAL;
7236 	} else {
7237 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7238 	}
7239 
7240 
7241 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7242 		params.link_sta_params.supported_rates =
7243 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7244 		params.link_sta_params.supported_rates_len =
7245 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7246 	}
7247 
7248 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7249 		params.capability =
7250 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7251 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7252 	}
7253 
7254 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7255 		params.ext_capab =
7256 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7257 		params.ext_capab_len =
7258 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7259 	}
7260 
7261 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7262 		return -EINVAL;
7263 
7264 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7265 		params.plink_action =
7266 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7267 
7268 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7269 		params.plink_state =
7270 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7271 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7272 			params.peer_aid = nla_get_u16(
7273 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7274 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7275 	}
7276 
7277 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7278 		params.local_pm = nla_get_u32(
7279 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7280 
7281 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7282 		params.link_sta_params.opmode_notif_used = true;
7283 		params.link_sta_params.opmode_notif =
7284 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7285 	}
7286 
7287 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7288 		params.link_sta_params.he_6ghz_capa =
7289 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7290 
7291 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7292 		params.airtime_weight =
7293 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7294 
7295 	if (params.airtime_weight &&
7296 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7297 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7298 		return -EOPNOTSUPP;
7299 
7300 	err = nl80211_parse_sta_txpower_setting(info,
7301 						&params.link_sta_params.txpwr,
7302 						&params.link_sta_params.txpwr_set);
7303 	if (err)
7304 		return err;
7305 
7306 	/* Include parameters for TDLS peer (will check later) */
7307 	err = nl80211_set_station_tdls(info, &params);
7308 	if (err)
7309 		return err;
7310 
7311 	params.vlan = get_vlan(info, rdev);
7312 	if (IS_ERR(params.vlan))
7313 		return PTR_ERR(params.vlan);
7314 
7315 	switch (dev->ieee80211_ptr->iftype) {
7316 	case NL80211_IFTYPE_AP:
7317 	case NL80211_IFTYPE_AP_VLAN:
7318 	case NL80211_IFTYPE_P2P_GO:
7319 	case NL80211_IFTYPE_P2P_CLIENT:
7320 	case NL80211_IFTYPE_STATION:
7321 	case NL80211_IFTYPE_ADHOC:
7322 	case NL80211_IFTYPE_MESH_POINT:
7323 		break;
7324 	default:
7325 		err = -EOPNOTSUPP;
7326 		goto out_put_vlan;
7327 	}
7328 
7329 	/* driver will call cfg80211_check_station_change() */
7330 	wdev_lock(dev->ieee80211_ptr);
7331 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7332 	wdev_unlock(dev->ieee80211_ptr);
7333 
7334  out_put_vlan:
7335 	dev_put(params.vlan);
7336 
7337 	return err;
7338 }
7339 
7340 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7341 {
7342 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7343 	int err;
7344 	struct net_device *dev = info->user_ptr[1];
7345 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7346 	struct station_parameters params;
7347 	u8 *mac_addr = NULL;
7348 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7349 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7350 
7351 	memset(&params, 0, sizeof(params));
7352 
7353 	if (!rdev->ops->add_station)
7354 		return -EOPNOTSUPP;
7355 
7356 	if (!info->attrs[NL80211_ATTR_MAC])
7357 		return -EINVAL;
7358 
7359 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7360 		return -EINVAL;
7361 
7362 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7363 		return -EINVAL;
7364 
7365 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7366 	    !info->attrs[NL80211_ATTR_PEER_AID])
7367 		return -EINVAL;
7368 
7369 	params.link_sta_params.link_id =
7370 		nl80211_link_id_or_invalid(info->attrs);
7371 
7372 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7373 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7374 		params.link_sta_params.mld_mac = mac_addr;
7375 		params.link_sta_params.link_mac =
7376 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7377 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7378 			return -EINVAL;
7379 	} else {
7380 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7381 	}
7382 
7383 	params.link_sta_params.supported_rates =
7384 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7385 	params.link_sta_params.supported_rates_len =
7386 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7387 	params.listen_interval =
7388 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7389 
7390 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7391 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7392 
7393 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7394 		params.support_p2p_ps =
7395 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7396 	} else {
7397 		/*
7398 		 * if not specified, assume it's supported for P2P GO interface,
7399 		 * and is NOT supported for AP interface
7400 		 */
7401 		params.support_p2p_ps =
7402 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7403 	}
7404 
7405 	if (info->attrs[NL80211_ATTR_PEER_AID])
7406 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7407 	else
7408 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7409 
7410 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7411 		params.capability =
7412 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7413 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7414 	}
7415 
7416 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7417 		params.ext_capab =
7418 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7419 		params.ext_capab_len =
7420 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7421 	}
7422 
7423 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7424 		params.link_sta_params.ht_capa =
7425 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7426 
7427 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7428 		params.link_sta_params.vht_capa =
7429 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7430 
7431 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7432 		params.link_sta_params.he_capa =
7433 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7434 		params.link_sta_params.he_capa_len =
7435 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7436 
7437 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7438 			params.link_sta_params.eht_capa =
7439 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7440 			params.link_sta_params.eht_capa_len =
7441 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7442 
7443 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7444 							(const u8 *)params.link_sta_params.eht_capa,
7445 							params.link_sta_params.eht_capa_len,
7446 							false))
7447 				return -EINVAL;
7448 		}
7449 	}
7450 
7451 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7452 		params.link_sta_params.he_6ghz_capa =
7453 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7454 
7455 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7456 		params.link_sta_params.opmode_notif_used = true;
7457 		params.link_sta_params.opmode_notif =
7458 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7459 	}
7460 
7461 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7462 		params.plink_action =
7463 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7464 
7465 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7466 		params.airtime_weight =
7467 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7468 
7469 	if (params.airtime_weight &&
7470 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7471 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7472 		return -EOPNOTSUPP;
7473 
7474 	err = nl80211_parse_sta_txpower_setting(info,
7475 						&params.link_sta_params.txpwr,
7476 						&params.link_sta_params.txpwr_set);
7477 	if (err)
7478 		return err;
7479 
7480 	err = nl80211_parse_sta_channel_info(info, &params);
7481 	if (err)
7482 		return err;
7483 
7484 	err = nl80211_parse_sta_wme(info, &params);
7485 	if (err)
7486 		return err;
7487 
7488 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7489 		return -EINVAL;
7490 
7491 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7492 	 * as userspace might just pass through the capabilities from the IEs
7493 	 * directly, rather than enforcing this restriction and returning an
7494 	 * error in this case.
7495 	 */
7496 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7497 		params.link_sta_params.ht_capa = NULL;
7498 		params.link_sta_params.vht_capa = NULL;
7499 
7500 		/* HE and EHT require WME */
7501 		if (params.link_sta_params.he_capa_len ||
7502 		    params.link_sta_params.he_6ghz_capa ||
7503 		    params.link_sta_params.eht_capa_len)
7504 			return -EINVAL;
7505 	}
7506 
7507 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7508 	if (params.link_sta_params.he_6ghz_capa &&
7509 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7510 		return -EINVAL;
7511 
7512 	/* When you run into this, adjust the code below for the new flag */
7513 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7514 
7515 	switch (dev->ieee80211_ptr->iftype) {
7516 	case NL80211_IFTYPE_AP:
7517 	case NL80211_IFTYPE_AP_VLAN:
7518 	case NL80211_IFTYPE_P2P_GO:
7519 		/* ignore WME attributes if iface/sta is not capable */
7520 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7521 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7522 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7523 
7524 		/* TDLS peers cannot be added */
7525 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7526 		    info->attrs[NL80211_ATTR_PEER_AID])
7527 			return -EINVAL;
7528 		/* but don't bother the driver with it */
7529 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7530 
7531 		/* allow authenticated/associated only if driver handles it */
7532 		if (!(rdev->wiphy.features &
7533 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7534 		    params.sta_flags_mask & auth_assoc)
7535 			return -EINVAL;
7536 
7537 		/* Older userspace, or userspace wanting to be compatible with
7538 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7539 		 * and assoc flags in the mask, but assumes the station will be
7540 		 * added as associated anyway since this was the required driver
7541 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7542 		 * introduced.
7543 		 * In order to not bother drivers with this quirk in the API
7544 		 * set the flags in both the mask and set for new stations in
7545 		 * this case.
7546 		 */
7547 		if (!(params.sta_flags_mask & auth_assoc)) {
7548 			params.sta_flags_mask |= auth_assoc;
7549 			params.sta_flags_set |= auth_assoc;
7550 		}
7551 
7552 		/* must be last in here for error handling */
7553 		params.vlan = get_vlan(info, rdev);
7554 		if (IS_ERR(params.vlan))
7555 			return PTR_ERR(params.vlan);
7556 		break;
7557 	case NL80211_IFTYPE_MESH_POINT:
7558 		/* ignore uAPSD data */
7559 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7560 
7561 		/* associated is disallowed */
7562 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7563 			return -EINVAL;
7564 		/* TDLS peers cannot be added */
7565 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7566 		    info->attrs[NL80211_ATTR_PEER_AID])
7567 			return -EINVAL;
7568 		break;
7569 	case NL80211_IFTYPE_STATION:
7570 	case NL80211_IFTYPE_P2P_CLIENT:
7571 		/* ignore uAPSD data */
7572 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7573 
7574 		/* these are disallowed */
7575 		if (params.sta_flags_mask &
7576 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7577 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7578 			return -EINVAL;
7579 		/* Only TDLS peers can be added */
7580 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7581 			return -EINVAL;
7582 		/* Can only add if TDLS ... */
7583 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7584 			return -EOPNOTSUPP;
7585 		/* ... with external setup is supported */
7586 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7587 			return -EOPNOTSUPP;
7588 		/*
7589 		 * Older wpa_supplicant versions always mark the TDLS peer
7590 		 * as authorized, but it shouldn't yet be.
7591 		 */
7592 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7593 		break;
7594 	default:
7595 		return -EOPNOTSUPP;
7596 	}
7597 
7598 	/* be aware of params.vlan when changing code here */
7599 
7600 	wdev_lock(dev->ieee80211_ptr);
7601 	if (wdev->valid_links) {
7602 		if (params.link_sta_params.link_id < 0) {
7603 			err = -EINVAL;
7604 			goto out;
7605 		}
7606 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7607 			err = -ENOLINK;
7608 			goto out;
7609 		}
7610 	} else {
7611 		if (params.link_sta_params.link_id >= 0) {
7612 			err = -EINVAL;
7613 			goto out;
7614 		}
7615 	}
7616 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7617 out:
7618 	wdev_unlock(dev->ieee80211_ptr);
7619 	dev_put(params.vlan);
7620 	return err;
7621 }
7622 
7623 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7624 {
7625 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7626 	struct net_device *dev = info->user_ptr[1];
7627 	struct station_del_parameters params;
7628 	int ret;
7629 
7630 	memset(&params, 0, sizeof(params));
7631 
7632 	if (info->attrs[NL80211_ATTR_MAC])
7633 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7634 
7635 	switch (dev->ieee80211_ptr->iftype) {
7636 	case NL80211_IFTYPE_AP:
7637 	case NL80211_IFTYPE_AP_VLAN:
7638 	case NL80211_IFTYPE_MESH_POINT:
7639 	case NL80211_IFTYPE_P2P_GO:
7640 		/* always accept these */
7641 		break;
7642 	case NL80211_IFTYPE_ADHOC:
7643 		/* conditionally accept */
7644 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7645 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7646 			break;
7647 		return -EINVAL;
7648 	default:
7649 		return -EINVAL;
7650 	}
7651 
7652 	if (!rdev->ops->del_station)
7653 		return -EOPNOTSUPP;
7654 
7655 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7656 		params.subtype =
7657 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7658 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7659 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7660 			return -EINVAL;
7661 	} else {
7662 		/* Default to Deauthentication frame */
7663 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7664 	}
7665 
7666 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7667 		params.reason_code =
7668 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7669 		if (params.reason_code == 0)
7670 			return -EINVAL; /* 0 is reserved */
7671 	} else {
7672 		/* Default to reason code 2 */
7673 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7674 	}
7675 
7676 	wdev_lock(dev->ieee80211_ptr);
7677 	ret = rdev_del_station(rdev, dev, &params);
7678 	wdev_unlock(dev->ieee80211_ptr);
7679 
7680 	return ret;
7681 }
7682 
7683 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7684 				int flags, struct net_device *dev,
7685 				u8 *dst, u8 *next_hop,
7686 				struct mpath_info *pinfo)
7687 {
7688 	void *hdr;
7689 	struct nlattr *pinfoattr;
7690 
7691 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7692 	if (!hdr)
7693 		return -1;
7694 
7695 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7696 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7697 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7698 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7699 		goto nla_put_failure;
7700 
7701 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7702 	if (!pinfoattr)
7703 		goto nla_put_failure;
7704 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7705 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7706 			pinfo->frame_qlen))
7707 		goto nla_put_failure;
7708 	if (((pinfo->filled & MPATH_INFO_SN) &&
7709 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7710 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7711 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7712 			 pinfo->metric)) ||
7713 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7714 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7715 			 pinfo->exptime)) ||
7716 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7717 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7718 			pinfo->flags)) ||
7719 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7720 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7721 			 pinfo->discovery_timeout)) ||
7722 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7723 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7724 			pinfo->discovery_retries)) ||
7725 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7726 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7727 			pinfo->hop_count)) ||
7728 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7729 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7730 			 pinfo->path_change_count)))
7731 		goto nla_put_failure;
7732 
7733 	nla_nest_end(msg, pinfoattr);
7734 
7735 	genlmsg_end(msg, hdr);
7736 	return 0;
7737 
7738  nla_put_failure:
7739 	genlmsg_cancel(msg, hdr);
7740 	return -EMSGSIZE;
7741 }
7742 
7743 static int nl80211_dump_mpath(struct sk_buff *skb,
7744 			      struct netlink_callback *cb)
7745 {
7746 	struct mpath_info pinfo;
7747 	struct cfg80211_registered_device *rdev;
7748 	struct wireless_dev *wdev;
7749 	u8 dst[ETH_ALEN];
7750 	u8 next_hop[ETH_ALEN];
7751 	int path_idx = cb->args[2];
7752 	int err;
7753 
7754 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7755 	if (err)
7756 		return err;
7757 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7758 	__acquire(&rdev->wiphy.mtx);
7759 
7760 	if (!rdev->ops->dump_mpath) {
7761 		err = -EOPNOTSUPP;
7762 		goto out_err;
7763 	}
7764 
7765 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7766 		err = -EOPNOTSUPP;
7767 		goto out_err;
7768 	}
7769 
7770 	while (1) {
7771 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7772 				      next_hop, &pinfo);
7773 		if (err == -ENOENT)
7774 			break;
7775 		if (err)
7776 			goto out_err;
7777 
7778 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7779 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7780 				       wdev->netdev, dst, next_hop,
7781 				       &pinfo) < 0)
7782 			goto out;
7783 
7784 		path_idx++;
7785 	}
7786 
7787  out:
7788 	cb->args[2] = path_idx;
7789 	err = skb->len;
7790  out_err:
7791 	wiphy_unlock(&rdev->wiphy);
7792 	return err;
7793 }
7794 
7795 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7796 {
7797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7798 	int err;
7799 	struct net_device *dev = info->user_ptr[1];
7800 	struct mpath_info pinfo;
7801 	struct sk_buff *msg;
7802 	u8 *dst = NULL;
7803 	u8 next_hop[ETH_ALEN];
7804 
7805 	memset(&pinfo, 0, sizeof(pinfo));
7806 
7807 	if (!info->attrs[NL80211_ATTR_MAC])
7808 		return -EINVAL;
7809 
7810 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7811 
7812 	if (!rdev->ops->get_mpath)
7813 		return -EOPNOTSUPP;
7814 
7815 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7816 		return -EOPNOTSUPP;
7817 
7818 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7819 	if (err)
7820 		return err;
7821 
7822 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7823 	if (!msg)
7824 		return -ENOMEM;
7825 
7826 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7827 				 dev, dst, next_hop, &pinfo) < 0) {
7828 		nlmsg_free(msg);
7829 		return -ENOBUFS;
7830 	}
7831 
7832 	return genlmsg_reply(msg, info);
7833 }
7834 
7835 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7836 {
7837 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7838 	struct net_device *dev = info->user_ptr[1];
7839 	u8 *dst = NULL;
7840 	u8 *next_hop = NULL;
7841 
7842 	if (!info->attrs[NL80211_ATTR_MAC])
7843 		return -EINVAL;
7844 
7845 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7846 		return -EINVAL;
7847 
7848 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7849 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7850 
7851 	if (!rdev->ops->change_mpath)
7852 		return -EOPNOTSUPP;
7853 
7854 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7855 		return -EOPNOTSUPP;
7856 
7857 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7858 }
7859 
7860 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7861 {
7862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7863 	struct net_device *dev = info->user_ptr[1];
7864 	u8 *dst = NULL;
7865 	u8 *next_hop = NULL;
7866 
7867 	if (!info->attrs[NL80211_ATTR_MAC])
7868 		return -EINVAL;
7869 
7870 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7871 		return -EINVAL;
7872 
7873 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7874 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7875 
7876 	if (!rdev->ops->add_mpath)
7877 		return -EOPNOTSUPP;
7878 
7879 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7880 		return -EOPNOTSUPP;
7881 
7882 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7883 }
7884 
7885 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7886 {
7887 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7888 	struct net_device *dev = info->user_ptr[1];
7889 	u8 *dst = NULL;
7890 
7891 	if (info->attrs[NL80211_ATTR_MAC])
7892 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7893 
7894 	if (!rdev->ops->del_mpath)
7895 		return -EOPNOTSUPP;
7896 
7897 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7898 		return -EOPNOTSUPP;
7899 
7900 	return rdev_del_mpath(rdev, dev, dst);
7901 }
7902 
7903 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7904 {
7905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7906 	int err;
7907 	struct net_device *dev = info->user_ptr[1];
7908 	struct mpath_info pinfo;
7909 	struct sk_buff *msg;
7910 	u8 *dst = NULL;
7911 	u8 mpp[ETH_ALEN];
7912 
7913 	memset(&pinfo, 0, sizeof(pinfo));
7914 
7915 	if (!info->attrs[NL80211_ATTR_MAC])
7916 		return -EINVAL;
7917 
7918 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7919 
7920 	if (!rdev->ops->get_mpp)
7921 		return -EOPNOTSUPP;
7922 
7923 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7924 		return -EOPNOTSUPP;
7925 
7926 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7927 	if (err)
7928 		return err;
7929 
7930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7931 	if (!msg)
7932 		return -ENOMEM;
7933 
7934 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7935 			       dev, dst, mpp, &pinfo) < 0) {
7936 		nlmsg_free(msg);
7937 		return -ENOBUFS;
7938 	}
7939 
7940 	return genlmsg_reply(msg, info);
7941 }
7942 
7943 static int nl80211_dump_mpp(struct sk_buff *skb,
7944 			    struct netlink_callback *cb)
7945 {
7946 	struct mpath_info pinfo;
7947 	struct cfg80211_registered_device *rdev;
7948 	struct wireless_dev *wdev;
7949 	u8 dst[ETH_ALEN];
7950 	u8 mpp[ETH_ALEN];
7951 	int path_idx = cb->args[2];
7952 	int err;
7953 
7954 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7955 	if (err)
7956 		return err;
7957 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7958 	__acquire(&rdev->wiphy.mtx);
7959 
7960 	if (!rdev->ops->dump_mpp) {
7961 		err = -EOPNOTSUPP;
7962 		goto out_err;
7963 	}
7964 
7965 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7966 		err = -EOPNOTSUPP;
7967 		goto out_err;
7968 	}
7969 
7970 	while (1) {
7971 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7972 				    mpp, &pinfo);
7973 		if (err == -ENOENT)
7974 			break;
7975 		if (err)
7976 			goto out_err;
7977 
7978 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7979 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7980 				       wdev->netdev, dst, mpp,
7981 				       &pinfo) < 0)
7982 			goto out;
7983 
7984 		path_idx++;
7985 	}
7986 
7987  out:
7988 	cb->args[2] = path_idx;
7989 	err = skb->len;
7990  out_err:
7991 	wiphy_unlock(&rdev->wiphy);
7992 	return err;
7993 }
7994 
7995 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7996 {
7997 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7998 	struct net_device *dev = info->user_ptr[1];
7999 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8000 	struct bss_parameters params;
8001 	int err;
8002 
8003 	memset(&params, 0, sizeof(params));
8004 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8005 	/* default to not changing parameters */
8006 	params.use_cts_prot = -1;
8007 	params.use_short_preamble = -1;
8008 	params.use_short_slot_time = -1;
8009 	params.ap_isolate = -1;
8010 	params.ht_opmode = -1;
8011 	params.p2p_ctwindow = -1;
8012 	params.p2p_opp_ps = -1;
8013 
8014 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8015 		params.use_cts_prot =
8016 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8017 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8018 		params.use_short_preamble =
8019 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8020 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8021 		params.use_short_slot_time =
8022 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8023 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8024 		params.basic_rates =
8025 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8026 		params.basic_rates_len =
8027 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8028 	}
8029 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8030 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8031 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8032 		params.ht_opmode =
8033 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8034 
8035 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8036 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8037 			return -EINVAL;
8038 		params.p2p_ctwindow =
8039 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8040 		if (params.p2p_ctwindow != 0 &&
8041 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8042 			return -EINVAL;
8043 	}
8044 
8045 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8046 		u8 tmp;
8047 
8048 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8049 			return -EINVAL;
8050 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8051 		params.p2p_opp_ps = tmp;
8052 		if (params.p2p_opp_ps &&
8053 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8054 			return -EINVAL;
8055 	}
8056 
8057 	if (!rdev->ops->change_bss)
8058 		return -EOPNOTSUPP;
8059 
8060 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8061 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8062 		return -EOPNOTSUPP;
8063 
8064 	wdev_lock(wdev);
8065 	err = rdev_change_bss(rdev, dev, &params);
8066 	wdev_unlock(wdev);
8067 
8068 	return err;
8069 }
8070 
8071 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8072 {
8073 	char *data = NULL;
8074 	bool is_indoor;
8075 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8076 	u32 owner_nlportid;
8077 
8078 	/*
8079 	 * You should only get this when cfg80211 hasn't yet initialized
8080 	 * completely when built-in to the kernel right between the time
8081 	 * window between nl80211_init() and regulatory_init(), if that is
8082 	 * even possible.
8083 	 */
8084 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8085 		return -EINPROGRESS;
8086 
8087 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8088 		user_reg_hint_type =
8089 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8090 	else
8091 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8092 
8093 	switch (user_reg_hint_type) {
8094 	case NL80211_USER_REG_HINT_USER:
8095 	case NL80211_USER_REG_HINT_CELL_BASE:
8096 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8097 			return -EINVAL;
8098 
8099 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8100 		return regulatory_hint_user(data, user_reg_hint_type);
8101 	case NL80211_USER_REG_HINT_INDOOR:
8102 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8103 			owner_nlportid = info->snd_portid;
8104 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8105 		} else {
8106 			owner_nlportid = 0;
8107 			is_indoor = true;
8108 		}
8109 
8110 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
8111 	default:
8112 		return -EINVAL;
8113 	}
8114 }
8115 
8116 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8117 {
8118 	return reg_reload_regdb();
8119 }
8120 
8121 static int nl80211_get_mesh_config(struct sk_buff *skb,
8122 				   struct genl_info *info)
8123 {
8124 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8125 	struct net_device *dev = info->user_ptr[1];
8126 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8127 	struct mesh_config cur_params;
8128 	int err = 0;
8129 	void *hdr;
8130 	struct nlattr *pinfoattr;
8131 	struct sk_buff *msg;
8132 
8133 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8134 		return -EOPNOTSUPP;
8135 
8136 	if (!rdev->ops->get_mesh_config)
8137 		return -EOPNOTSUPP;
8138 
8139 	wdev_lock(wdev);
8140 	/* If not connected, get default parameters */
8141 	if (!wdev->u.mesh.id_len)
8142 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8143 	else
8144 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8145 	wdev_unlock(wdev);
8146 
8147 	if (err)
8148 		return err;
8149 
8150 	/* Draw up a netlink message to send back */
8151 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8152 	if (!msg)
8153 		return -ENOMEM;
8154 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8155 			     NL80211_CMD_GET_MESH_CONFIG);
8156 	if (!hdr)
8157 		goto out;
8158 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8159 	if (!pinfoattr)
8160 		goto nla_put_failure;
8161 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8162 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8163 			cur_params.dot11MeshRetryTimeout) ||
8164 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8165 			cur_params.dot11MeshConfirmTimeout) ||
8166 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8167 			cur_params.dot11MeshHoldingTimeout) ||
8168 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8169 			cur_params.dot11MeshMaxPeerLinks) ||
8170 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8171 		       cur_params.dot11MeshMaxRetries) ||
8172 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8173 		       cur_params.dot11MeshTTL) ||
8174 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8175 		       cur_params.element_ttl) ||
8176 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8177 		       cur_params.auto_open_plinks) ||
8178 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8179 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8180 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8181 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8182 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8183 			cur_params.path_refresh_time) ||
8184 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8185 			cur_params.min_discovery_timeout) ||
8186 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8187 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8188 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8189 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8190 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8191 			cur_params.dot11MeshHWMPperrMinInterval) ||
8192 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8193 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8194 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8195 		       cur_params.dot11MeshHWMPRootMode) ||
8196 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8197 			cur_params.dot11MeshHWMPRannInterval) ||
8198 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8199 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8200 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8201 		       cur_params.dot11MeshForwarding) ||
8202 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8203 			cur_params.rssi_threshold) ||
8204 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8205 			cur_params.ht_opmode) ||
8206 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8207 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8208 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8209 			cur_params.dot11MeshHWMProotInterval) ||
8210 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8211 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8212 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8213 			cur_params.power_mode) ||
8214 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8215 			cur_params.dot11MeshAwakeWindowDuration) ||
8216 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8217 			cur_params.plink_timeout) ||
8218 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8219 		       cur_params.dot11MeshConnectedToMeshGate) ||
8220 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8221 		       cur_params.dot11MeshNolearn) ||
8222 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8223 		       cur_params.dot11MeshConnectedToAuthServer))
8224 		goto nla_put_failure;
8225 	nla_nest_end(msg, pinfoattr);
8226 	genlmsg_end(msg, hdr);
8227 	return genlmsg_reply(msg, info);
8228 
8229  nla_put_failure:
8230  out:
8231 	nlmsg_free(msg);
8232 	return -ENOBUFS;
8233 }
8234 
8235 static const struct nla_policy
8236 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8237 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8238 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8239 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8240 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8241 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8242 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8243 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8244 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8245 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8246 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8247 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8248 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8249 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8250 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8251 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8252 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8253 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8254 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8255 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8256 		NLA_POLICY_MIN(NLA_U16, 1),
8257 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8258 		NLA_POLICY_MIN(NLA_U16, 1),
8259 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8260 		NLA_POLICY_MIN(NLA_U16, 1),
8261 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8262 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8263 		NLA_POLICY_MIN(NLA_U16, 1),
8264 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8265 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8266 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8267 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8268 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8269 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8270 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8271 		NLA_POLICY_MIN(NLA_U16, 1),
8272 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8273 		NLA_POLICY_MIN(NLA_U16, 1),
8274 	[NL80211_MESHCONF_POWER_MODE] =
8275 		NLA_POLICY_RANGE(NLA_U32,
8276 				 NL80211_MESH_POWER_ACTIVE,
8277 				 NL80211_MESH_POWER_MAX),
8278 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8279 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8280 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8281 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8282 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8283 };
8284 
8285 static const struct nla_policy
8286 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8287 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8288 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8289 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8290 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8291 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8292 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8293 	[NL80211_MESH_SETUP_IE] =
8294 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8295 				       IEEE80211_MAX_DATA_LEN),
8296 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8297 };
8298 
8299 static int nl80211_parse_mesh_config(struct genl_info *info,
8300 				     struct mesh_config *cfg,
8301 				     u32 *mask_out)
8302 {
8303 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8304 	u32 mask = 0;
8305 	u16 ht_opmode;
8306 
8307 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8308 do {									\
8309 	if (tb[attr]) {							\
8310 		cfg->param = fn(tb[attr]);				\
8311 		mask |= BIT((attr) - 1);				\
8312 	}								\
8313 } while (0)
8314 
8315 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8316 		return -EINVAL;
8317 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8318 		return -EINVAL;
8319 
8320 	/* This makes sure that there aren't more than 32 mesh config
8321 	 * parameters (otherwise our bitfield scheme would not work.) */
8322 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8323 
8324 	/* Fill in the params struct */
8325 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8326 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8327 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8328 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8329 				  nla_get_u16);
8330 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8331 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8332 				  nla_get_u16);
8333 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8334 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8335 				  nla_get_u16);
8336 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8337 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8338 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8339 				  NL80211_MESHCONF_TTL, nla_get_u8);
8340 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8341 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8342 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8343 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8344 				  nla_get_u8);
8345 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8346 				  mask,
8347 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8348 				  nla_get_u32);
8349 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8350 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8351 				  nla_get_u8);
8352 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8353 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8354 				  nla_get_u32);
8355 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8356 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8357 		return -EINVAL;
8358 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8359 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8360 				  nla_get_u16);
8361 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8362 				  mask,
8363 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8364 				  nla_get_u32);
8365 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8366 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8367 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8368 		return -EINVAL;
8369 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8370 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8371 				  nla_get_u16);
8372 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8373 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8374 				  nla_get_u16);
8375 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8376 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8377 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8378 				  nla_get_u16);
8379 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8380 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8381 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8382 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8383 				  nla_get_u16);
8384 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8385 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8386 				  nla_get_u8);
8387 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8388 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8389 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8390 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8391 				  nla_get_s32);
8392 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8393 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8394 				  nla_get_u8);
8395 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8396 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8397 				  nla_get_u8);
8398 	/*
8399 	 * Check HT operation mode based on
8400 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8401 	 */
8402 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8403 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8404 
8405 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8406 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8407 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8408 			return -EINVAL;
8409 
8410 		/* NON_HT_STA bit is reserved, but some programs set it */
8411 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8412 
8413 		cfg->ht_opmode = ht_opmode;
8414 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8415 	}
8416 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8417 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8418 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8419 				  nla_get_u32);
8420 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8421 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8422 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8423 		return -EINVAL;
8424 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8425 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8426 				  nla_get_u16);
8427 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8428 				  mask,
8429 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8430 				  nla_get_u16);
8431 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8432 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8433 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8434 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8435 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8436 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8437 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8438 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8439 	if (mask_out)
8440 		*mask_out = mask;
8441 
8442 	return 0;
8443 
8444 #undef FILL_IN_MESH_PARAM_IF_SET
8445 }
8446 
8447 static int nl80211_parse_mesh_setup(struct genl_info *info,
8448 				     struct mesh_setup *setup)
8449 {
8450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8451 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8452 
8453 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8454 		return -EINVAL;
8455 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8456 		return -EINVAL;
8457 
8458 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8459 		setup->sync_method =
8460 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8461 		 IEEE80211_SYNC_METHOD_VENDOR :
8462 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8463 
8464 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8465 		setup->path_sel_proto =
8466 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8467 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8468 		 IEEE80211_PATH_PROTOCOL_HWMP;
8469 
8470 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8471 		setup->path_metric =
8472 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8473 		 IEEE80211_PATH_METRIC_VENDOR :
8474 		 IEEE80211_PATH_METRIC_AIRTIME;
8475 
8476 	if (tb[NL80211_MESH_SETUP_IE]) {
8477 		struct nlattr *ieattr =
8478 			tb[NL80211_MESH_SETUP_IE];
8479 		setup->ie = nla_data(ieattr);
8480 		setup->ie_len = nla_len(ieattr);
8481 	}
8482 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8483 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8484 		return -EINVAL;
8485 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8486 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8487 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8488 	if (setup->is_secure)
8489 		setup->user_mpm = true;
8490 
8491 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8492 		if (!setup->user_mpm)
8493 			return -EINVAL;
8494 		setup->auth_id =
8495 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8496 	}
8497 
8498 	return 0;
8499 }
8500 
8501 static int nl80211_update_mesh_config(struct sk_buff *skb,
8502 				      struct genl_info *info)
8503 {
8504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8505 	struct net_device *dev = info->user_ptr[1];
8506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8507 	struct mesh_config cfg = {};
8508 	u32 mask;
8509 	int err;
8510 
8511 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8512 		return -EOPNOTSUPP;
8513 
8514 	if (!rdev->ops->update_mesh_config)
8515 		return -EOPNOTSUPP;
8516 
8517 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8518 	if (err)
8519 		return err;
8520 
8521 	wdev_lock(wdev);
8522 	if (!wdev->u.mesh.id_len)
8523 		err = -ENOLINK;
8524 
8525 	if (!err)
8526 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8527 
8528 	wdev_unlock(wdev);
8529 
8530 	return err;
8531 }
8532 
8533 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8534 			      struct sk_buff *msg)
8535 {
8536 	struct nlattr *nl_reg_rules;
8537 	unsigned int i;
8538 
8539 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8540 	    (regdom->dfs_region &&
8541 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8542 		goto nla_put_failure;
8543 
8544 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8545 	if (!nl_reg_rules)
8546 		goto nla_put_failure;
8547 
8548 	for (i = 0; i < regdom->n_reg_rules; i++) {
8549 		struct nlattr *nl_reg_rule;
8550 		const struct ieee80211_reg_rule *reg_rule;
8551 		const struct ieee80211_freq_range *freq_range;
8552 		const struct ieee80211_power_rule *power_rule;
8553 		unsigned int max_bandwidth_khz;
8554 
8555 		reg_rule = &regdom->reg_rules[i];
8556 		freq_range = &reg_rule->freq_range;
8557 		power_rule = &reg_rule->power_rule;
8558 
8559 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8560 		if (!nl_reg_rule)
8561 			goto nla_put_failure;
8562 
8563 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8564 		if (!max_bandwidth_khz)
8565 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8566 								  reg_rule);
8567 
8568 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8569 				reg_rule->flags) ||
8570 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8571 				freq_range->start_freq_khz) ||
8572 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8573 				freq_range->end_freq_khz) ||
8574 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8575 				max_bandwidth_khz) ||
8576 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8577 				power_rule->max_antenna_gain) ||
8578 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8579 				power_rule->max_eirp) ||
8580 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8581 				reg_rule->dfs_cac_ms))
8582 			goto nla_put_failure;
8583 
8584 		nla_nest_end(msg, nl_reg_rule);
8585 	}
8586 
8587 	nla_nest_end(msg, nl_reg_rules);
8588 	return 0;
8589 
8590 nla_put_failure:
8591 	return -EMSGSIZE;
8592 }
8593 
8594 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8595 {
8596 	const struct ieee80211_regdomain *regdom = NULL;
8597 	struct cfg80211_registered_device *rdev;
8598 	struct wiphy *wiphy = NULL;
8599 	struct sk_buff *msg;
8600 	int err = -EMSGSIZE;
8601 	void *hdr;
8602 
8603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8604 	if (!msg)
8605 		return -ENOBUFS;
8606 
8607 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8608 			     NL80211_CMD_GET_REG);
8609 	if (!hdr)
8610 		goto put_failure;
8611 
8612 	rtnl_lock();
8613 
8614 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8615 		bool self_managed;
8616 
8617 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8618 		if (IS_ERR(rdev)) {
8619 			err = PTR_ERR(rdev);
8620 			goto nla_put_failure;
8621 		}
8622 
8623 		wiphy = &rdev->wiphy;
8624 		self_managed = wiphy->regulatory_flags &
8625 			       REGULATORY_WIPHY_SELF_MANAGED;
8626 
8627 		rcu_read_lock();
8628 
8629 		regdom = get_wiphy_regdom(wiphy);
8630 
8631 		/* a self-managed-reg device must have a private regdom */
8632 		if (WARN_ON(!regdom && self_managed)) {
8633 			err = -EINVAL;
8634 			goto nla_put_failure_rcu;
8635 		}
8636 
8637 		if (regdom &&
8638 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8639 			goto nla_put_failure_rcu;
8640 	} else {
8641 		rcu_read_lock();
8642 	}
8643 
8644 	if (!wiphy && reg_last_request_cell_base() &&
8645 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8646 			NL80211_USER_REG_HINT_CELL_BASE))
8647 		goto nla_put_failure_rcu;
8648 
8649 	if (!regdom)
8650 		regdom = rcu_dereference(cfg80211_regdomain);
8651 
8652 	if (nl80211_put_regdom(regdom, msg))
8653 		goto nla_put_failure_rcu;
8654 
8655 	rcu_read_unlock();
8656 
8657 	genlmsg_end(msg, hdr);
8658 	rtnl_unlock();
8659 	return genlmsg_reply(msg, info);
8660 
8661 nla_put_failure_rcu:
8662 	rcu_read_unlock();
8663 nla_put_failure:
8664 	rtnl_unlock();
8665 put_failure:
8666 	nlmsg_free(msg);
8667 	return err;
8668 }
8669 
8670 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8671 			       u32 seq, int flags, struct wiphy *wiphy,
8672 			       const struct ieee80211_regdomain *regdom)
8673 {
8674 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8675 				   NL80211_CMD_GET_REG);
8676 
8677 	if (!hdr)
8678 		return -1;
8679 
8680 	genl_dump_check_consistent(cb, hdr);
8681 
8682 	if (nl80211_put_regdom(regdom, msg))
8683 		goto nla_put_failure;
8684 
8685 	if (!wiphy && reg_last_request_cell_base() &&
8686 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8687 			NL80211_USER_REG_HINT_CELL_BASE))
8688 		goto nla_put_failure;
8689 
8690 	if (wiphy &&
8691 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8692 		goto nla_put_failure;
8693 
8694 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8695 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8696 		goto nla_put_failure;
8697 
8698 	genlmsg_end(msg, hdr);
8699 	return 0;
8700 
8701 nla_put_failure:
8702 	genlmsg_cancel(msg, hdr);
8703 	return -EMSGSIZE;
8704 }
8705 
8706 static int nl80211_get_reg_dump(struct sk_buff *skb,
8707 				struct netlink_callback *cb)
8708 {
8709 	const struct ieee80211_regdomain *regdom = NULL;
8710 	struct cfg80211_registered_device *rdev;
8711 	int err, reg_idx, start = cb->args[2];
8712 
8713 	rcu_read_lock();
8714 
8715 	if (cfg80211_regdomain && start == 0) {
8716 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8717 					  NLM_F_MULTI, NULL,
8718 					  rcu_dereference(cfg80211_regdomain));
8719 		if (err < 0)
8720 			goto out_err;
8721 	}
8722 
8723 	/* the global regdom is idx 0 */
8724 	reg_idx = 1;
8725 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8726 		regdom = get_wiphy_regdom(&rdev->wiphy);
8727 		if (!regdom)
8728 			continue;
8729 
8730 		if (++reg_idx <= start)
8731 			continue;
8732 
8733 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8734 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8735 		if (err < 0) {
8736 			reg_idx--;
8737 			break;
8738 		}
8739 	}
8740 
8741 	cb->args[2] = reg_idx;
8742 	err = skb->len;
8743 out_err:
8744 	rcu_read_unlock();
8745 	return err;
8746 }
8747 
8748 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8749 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8750 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8751 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8752 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8753 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8754 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8755 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8756 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8757 };
8758 
8759 static int parse_reg_rule(struct nlattr *tb[],
8760 	struct ieee80211_reg_rule *reg_rule)
8761 {
8762 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8763 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8764 
8765 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8766 		return -EINVAL;
8767 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8768 		return -EINVAL;
8769 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8770 		return -EINVAL;
8771 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8772 		return -EINVAL;
8773 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8774 		return -EINVAL;
8775 
8776 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8777 
8778 	freq_range->start_freq_khz =
8779 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8780 	freq_range->end_freq_khz =
8781 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8782 	freq_range->max_bandwidth_khz =
8783 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8784 
8785 	power_rule->max_eirp =
8786 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8787 
8788 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8789 		power_rule->max_antenna_gain =
8790 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8791 
8792 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8793 		reg_rule->dfs_cac_ms =
8794 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8795 
8796 	return 0;
8797 }
8798 
8799 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8800 {
8801 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8802 	struct nlattr *nl_reg_rule;
8803 	char *alpha2;
8804 	int rem_reg_rules, r;
8805 	u32 num_rules = 0, rule_idx = 0;
8806 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8807 	struct ieee80211_regdomain *rd;
8808 
8809 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8810 		return -EINVAL;
8811 
8812 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8813 		return -EINVAL;
8814 
8815 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8816 
8817 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8818 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8819 
8820 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8821 			    rem_reg_rules) {
8822 		num_rules++;
8823 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8824 			return -EINVAL;
8825 	}
8826 
8827 	rtnl_lock();
8828 	if (!reg_is_valid_request(alpha2)) {
8829 		r = -EINVAL;
8830 		goto out;
8831 	}
8832 
8833 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8834 	if (!rd) {
8835 		r = -ENOMEM;
8836 		goto out;
8837 	}
8838 
8839 	rd->n_reg_rules = num_rules;
8840 	rd->alpha2[0] = alpha2[0];
8841 	rd->alpha2[1] = alpha2[1];
8842 
8843 	/*
8844 	 * Disable DFS master mode if the DFS region was
8845 	 * not supported or known on this kernel.
8846 	 */
8847 	if (reg_supported_dfs_region(dfs_region))
8848 		rd->dfs_region = dfs_region;
8849 
8850 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8851 			    rem_reg_rules) {
8852 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8853 						nl_reg_rule, reg_rule_policy,
8854 						info->extack);
8855 		if (r)
8856 			goto bad_reg;
8857 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8858 		if (r)
8859 			goto bad_reg;
8860 
8861 		rule_idx++;
8862 
8863 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8864 			r = -EINVAL;
8865 			goto bad_reg;
8866 		}
8867 	}
8868 
8869 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8870 	/* set_regdom takes ownership of rd */
8871 	rd = NULL;
8872  bad_reg:
8873 	kfree(rd);
8874  out:
8875 	rtnl_unlock();
8876 	return r;
8877 }
8878 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8879 
8880 static int validate_scan_freqs(struct nlattr *freqs)
8881 {
8882 	struct nlattr *attr1, *attr2;
8883 	int n_channels = 0, tmp1, tmp2;
8884 
8885 	nla_for_each_nested(attr1, freqs, tmp1)
8886 		if (nla_len(attr1) != sizeof(u32))
8887 			return 0;
8888 
8889 	nla_for_each_nested(attr1, freqs, tmp1) {
8890 		n_channels++;
8891 		/*
8892 		 * Some hardware has a limited channel list for
8893 		 * scanning, and it is pretty much nonsensical
8894 		 * to scan for a channel twice, so disallow that
8895 		 * and don't require drivers to check that the
8896 		 * channel list they get isn't longer than what
8897 		 * they can scan, as long as they can scan all
8898 		 * the channels they registered at once.
8899 		 */
8900 		nla_for_each_nested(attr2, freqs, tmp2)
8901 			if (attr1 != attr2 &&
8902 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8903 				return 0;
8904 	}
8905 
8906 	return n_channels;
8907 }
8908 
8909 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8910 {
8911 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8912 }
8913 
8914 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8915 			    struct cfg80211_bss_selection *bss_select)
8916 {
8917 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8918 	struct nlattr *nest;
8919 	int err;
8920 	bool found = false;
8921 	int i;
8922 
8923 	/* only process one nested attribute */
8924 	nest = nla_data(nla);
8925 	if (!nla_ok(nest, nla_len(nest)))
8926 		return -EINVAL;
8927 
8928 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8929 					  nest, nl80211_bss_select_policy,
8930 					  NULL);
8931 	if (err)
8932 		return err;
8933 
8934 	/* only one attribute may be given */
8935 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8936 		if (attr[i]) {
8937 			if (found)
8938 				return -EINVAL;
8939 			found = true;
8940 		}
8941 	}
8942 
8943 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8944 
8945 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8946 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8947 
8948 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8949 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8950 		bss_select->param.band_pref =
8951 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8952 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8953 			return -EINVAL;
8954 	}
8955 
8956 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8957 		struct nl80211_bss_select_rssi_adjust *adj_param;
8958 
8959 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8960 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8961 		bss_select->param.adjust.band = adj_param->band;
8962 		bss_select->param.adjust.delta = adj_param->delta;
8963 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8964 			return -EINVAL;
8965 	}
8966 
8967 	/* user-space did not provide behaviour attribute */
8968 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8969 		return -EINVAL;
8970 
8971 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8972 		return -EINVAL;
8973 
8974 	return 0;
8975 }
8976 
8977 int nl80211_parse_random_mac(struct nlattr **attrs,
8978 			     u8 *mac_addr, u8 *mac_addr_mask)
8979 {
8980 	int i;
8981 
8982 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8983 		eth_zero_addr(mac_addr);
8984 		eth_zero_addr(mac_addr_mask);
8985 		mac_addr[0] = 0x2;
8986 		mac_addr_mask[0] = 0x3;
8987 
8988 		return 0;
8989 	}
8990 
8991 	/* need both or none */
8992 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8993 		return -EINVAL;
8994 
8995 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8996 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8997 
8998 	/* don't allow or configure an mcast address */
8999 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9000 	    is_multicast_ether_addr(mac_addr))
9001 		return -EINVAL;
9002 
9003 	/*
9004 	 * allow users to pass a MAC address that has bits set outside
9005 	 * of the mask, but don't bother drivers with having to deal
9006 	 * with such bits
9007 	 */
9008 	for (i = 0; i < ETH_ALEN; i++)
9009 		mac_addr[i] &= mac_addr_mask[i];
9010 
9011 	return 0;
9012 }
9013 
9014 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9015 					      struct ieee80211_channel *chan)
9016 {
9017 	unsigned int link_id;
9018 	bool all_ok = true;
9019 
9020 	ASSERT_WDEV_LOCK(wdev);
9021 
9022 	if (!cfg80211_beaconing_iface_active(wdev))
9023 		return true;
9024 
9025 	/*
9026 	 * FIXME: check if we have a free HW resource/link for chan
9027 	 *
9028 	 * This, as well as the FIXME below, requires knowing the link
9029 	 * capabilities of the hardware.
9030 	 */
9031 
9032 	/* we cannot leave radar channels */
9033 	for_each_valid_link(wdev, link_id) {
9034 		struct cfg80211_chan_def *chandef;
9035 
9036 		chandef = wdev_chandef(wdev, link_id);
9037 		if (!chandef || !chandef->chan)
9038 			continue;
9039 
9040 		/*
9041 		 * FIXME: don't require all_ok, but rather check only the
9042 		 *	  correct HW resource/link onto which 'chan' falls,
9043 		 *	  as only that link leaves the channel for doing
9044 		 *	  the off-channel operation.
9045 		 */
9046 
9047 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9048 			all_ok = false;
9049 	}
9050 
9051 	if (all_ok)
9052 		return true;
9053 
9054 	return regulatory_pre_cac_allowed(wdev->wiphy);
9055 }
9056 
9057 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9058 				    enum nl80211_ext_feature_index feat)
9059 {
9060 	if (!(flags & flag))
9061 		return true;
9062 	if (wiphy_ext_feature_isset(wiphy, feat))
9063 		return true;
9064 	return false;
9065 }
9066 
9067 static int
9068 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9069 			 void *request, struct nlattr **attrs,
9070 			 bool is_sched_scan)
9071 {
9072 	u8 *mac_addr, *mac_addr_mask;
9073 	u32 *flags;
9074 	enum nl80211_feature_flags randomness_flag;
9075 
9076 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9077 		return 0;
9078 
9079 	if (is_sched_scan) {
9080 		struct cfg80211_sched_scan_request *req = request;
9081 
9082 		randomness_flag = wdev ?
9083 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9084 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9085 		flags = &req->flags;
9086 		mac_addr = req->mac_addr;
9087 		mac_addr_mask = req->mac_addr_mask;
9088 	} else {
9089 		struct cfg80211_scan_request *req = request;
9090 
9091 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9092 		flags = &req->flags;
9093 		mac_addr = req->mac_addr;
9094 		mac_addr_mask = req->mac_addr_mask;
9095 	}
9096 
9097 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9098 
9099 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9100 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9101 	    !nl80211_check_scan_feat(wiphy, *flags,
9102 				     NL80211_SCAN_FLAG_LOW_SPAN,
9103 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9104 	    !nl80211_check_scan_feat(wiphy, *flags,
9105 				     NL80211_SCAN_FLAG_LOW_POWER,
9106 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9107 	    !nl80211_check_scan_feat(wiphy, *flags,
9108 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9109 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9110 	    !nl80211_check_scan_feat(wiphy, *flags,
9111 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9112 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9113 	    !nl80211_check_scan_feat(wiphy, *flags,
9114 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9115 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9116 	    !nl80211_check_scan_feat(wiphy, *flags,
9117 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9118 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9119 	    !nl80211_check_scan_feat(wiphy, *flags,
9120 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9121 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9122 	    !nl80211_check_scan_feat(wiphy, *flags,
9123 				     NL80211_SCAN_FLAG_RANDOM_SN,
9124 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9125 	    !nl80211_check_scan_feat(wiphy, *flags,
9126 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9127 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9128 		return -EOPNOTSUPP;
9129 
9130 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9131 		int err;
9132 
9133 		if (!(wiphy->features & randomness_flag) ||
9134 		    (wdev && wdev->connected))
9135 			return -EOPNOTSUPP;
9136 
9137 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9138 		if (err)
9139 			return err;
9140 	}
9141 
9142 	return 0;
9143 }
9144 
9145 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9146 {
9147 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9148 	struct wireless_dev *wdev = info->user_ptr[1];
9149 	struct cfg80211_scan_request *request;
9150 	struct nlattr *scan_freqs = NULL;
9151 	bool scan_freqs_khz = false;
9152 	struct nlattr *attr;
9153 	struct wiphy *wiphy;
9154 	int err, tmp, n_ssids = 0, n_channels, i;
9155 	size_t ie_len, size;
9156 
9157 	wiphy = &rdev->wiphy;
9158 
9159 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9160 		return -EOPNOTSUPP;
9161 
9162 	if (!rdev->ops->scan)
9163 		return -EOPNOTSUPP;
9164 
9165 	if (rdev->scan_req || rdev->scan_msg)
9166 		return -EBUSY;
9167 
9168 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9169 		if (!wiphy_ext_feature_isset(wiphy,
9170 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9171 			return -EOPNOTSUPP;
9172 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9173 		scan_freqs_khz = true;
9174 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9175 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9176 
9177 	if (scan_freqs) {
9178 		n_channels = validate_scan_freqs(scan_freqs);
9179 		if (!n_channels)
9180 			return -EINVAL;
9181 	} else {
9182 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9183 	}
9184 
9185 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9186 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9187 			n_ssids++;
9188 
9189 	if (n_ssids > wiphy->max_scan_ssids)
9190 		return -EINVAL;
9191 
9192 	if (info->attrs[NL80211_ATTR_IE])
9193 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9194 	else
9195 		ie_len = 0;
9196 
9197 	if (ie_len > wiphy->max_scan_ie_len)
9198 		return -EINVAL;
9199 
9200 	size = struct_size(request, channels, n_channels);
9201 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9202 	size = size_add(size, ie_len);
9203 	request = kzalloc(size, GFP_KERNEL);
9204 	if (!request)
9205 		return -ENOMEM;
9206 
9207 	if (n_ssids)
9208 		request->ssids = (void *)&request->channels[n_channels];
9209 	request->n_ssids = n_ssids;
9210 	if (ie_len) {
9211 		if (n_ssids)
9212 			request->ie = (void *)(request->ssids + n_ssids);
9213 		else
9214 			request->ie = (void *)(request->channels + n_channels);
9215 	}
9216 
9217 	i = 0;
9218 	if (scan_freqs) {
9219 		/* user specified, bail out if channel not found */
9220 		nla_for_each_nested(attr, scan_freqs, tmp) {
9221 			struct ieee80211_channel *chan;
9222 			int freq = nla_get_u32(attr);
9223 
9224 			if (!scan_freqs_khz)
9225 				freq = MHZ_TO_KHZ(freq);
9226 
9227 			chan = ieee80211_get_channel_khz(wiphy, freq);
9228 			if (!chan) {
9229 				err = -EINVAL;
9230 				goto out_free;
9231 			}
9232 
9233 			/* ignore disabled channels */
9234 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9235 				continue;
9236 
9237 			request->channels[i] = chan;
9238 			i++;
9239 		}
9240 	} else {
9241 		enum nl80211_band band;
9242 
9243 		/* all channels */
9244 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9245 			int j;
9246 
9247 			if (!wiphy->bands[band])
9248 				continue;
9249 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9250 				struct ieee80211_channel *chan;
9251 
9252 				chan = &wiphy->bands[band]->channels[j];
9253 
9254 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9255 					continue;
9256 
9257 				request->channels[i] = chan;
9258 				i++;
9259 			}
9260 		}
9261 	}
9262 
9263 	if (!i) {
9264 		err = -EINVAL;
9265 		goto out_free;
9266 	}
9267 
9268 	request->n_channels = i;
9269 
9270 	wdev_lock(wdev);
9271 	for (i = 0; i < request->n_channels; i++) {
9272 		struct ieee80211_channel *chan = request->channels[i];
9273 
9274 		/* if we can go off-channel to the target channel we're good */
9275 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9276 			continue;
9277 
9278 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9279 			wdev_unlock(wdev);
9280 			err = -EBUSY;
9281 			goto out_free;
9282 		}
9283 	}
9284 	wdev_unlock(wdev);
9285 
9286 	i = 0;
9287 	if (n_ssids) {
9288 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9289 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9290 				err = -EINVAL;
9291 				goto out_free;
9292 			}
9293 			request->ssids[i].ssid_len = nla_len(attr);
9294 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9295 			i++;
9296 		}
9297 	}
9298 
9299 	if (info->attrs[NL80211_ATTR_IE]) {
9300 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9301 		memcpy((void *)request->ie,
9302 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9303 		       request->ie_len);
9304 	}
9305 
9306 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9307 		if (wiphy->bands[i])
9308 			request->rates[i] =
9309 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9310 
9311 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9312 		nla_for_each_nested(attr,
9313 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9314 				    tmp) {
9315 			enum nl80211_band band = nla_type(attr);
9316 
9317 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9318 				err = -EINVAL;
9319 				goto out_free;
9320 			}
9321 
9322 			if (!wiphy->bands[band])
9323 				continue;
9324 
9325 			err = ieee80211_get_ratemask(wiphy->bands[band],
9326 						     nla_data(attr),
9327 						     nla_len(attr),
9328 						     &request->rates[band]);
9329 			if (err)
9330 				goto out_free;
9331 		}
9332 	}
9333 
9334 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9335 		request->duration =
9336 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9337 		request->duration_mandatory =
9338 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9339 	}
9340 
9341 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9342 				       false);
9343 	if (err)
9344 		goto out_free;
9345 
9346 	request->no_cck =
9347 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9348 
9349 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9350 	 * BSSID to scan for. This was problematic because that same attribute
9351 	 * was already used for another purpose (local random MAC address). The
9352 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9353 	 * compatibility with older userspace components, also use the
9354 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9355 	 * the specific BSSID use case instead of the random MAC address
9356 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9357 	 */
9358 	if (info->attrs[NL80211_ATTR_BSSID])
9359 		memcpy(request->bssid,
9360 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9361 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9362 		 info->attrs[NL80211_ATTR_MAC])
9363 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9364 		       ETH_ALEN);
9365 	else
9366 		eth_broadcast_addr(request->bssid);
9367 
9368 	request->wdev = wdev;
9369 	request->wiphy = &rdev->wiphy;
9370 	request->scan_start = jiffies;
9371 
9372 	rdev->scan_req = request;
9373 	err = cfg80211_scan(rdev);
9374 
9375 	if (err)
9376 		goto out_free;
9377 
9378 	nl80211_send_scan_start(rdev, wdev);
9379 	dev_hold(wdev->netdev);
9380 
9381 	return 0;
9382 
9383  out_free:
9384 	rdev->scan_req = NULL;
9385 	kfree(request);
9386 
9387 	return err;
9388 }
9389 
9390 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9391 {
9392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9393 	struct wireless_dev *wdev = info->user_ptr[1];
9394 
9395 	if (!rdev->ops->abort_scan)
9396 		return -EOPNOTSUPP;
9397 
9398 	if (rdev->scan_msg)
9399 		return 0;
9400 
9401 	if (!rdev->scan_req)
9402 		return -ENOENT;
9403 
9404 	rdev_abort_scan(rdev, wdev);
9405 	return 0;
9406 }
9407 
9408 static int
9409 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9410 			       struct cfg80211_sched_scan_request *request,
9411 			       struct nlattr **attrs)
9412 {
9413 	int tmp, err, i = 0;
9414 	struct nlattr *attr;
9415 
9416 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9417 		u32 interval;
9418 
9419 		/*
9420 		 * If scan plans are not specified,
9421 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9422 		 * case one scan plan will be set with the specified scan
9423 		 * interval and infinite number of iterations.
9424 		 */
9425 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9426 		if (!interval)
9427 			return -EINVAL;
9428 
9429 		request->scan_plans[0].interval =
9430 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9431 		if (!request->scan_plans[0].interval)
9432 			return -EINVAL;
9433 
9434 		if (request->scan_plans[0].interval >
9435 		    wiphy->max_sched_scan_plan_interval)
9436 			request->scan_plans[0].interval =
9437 				wiphy->max_sched_scan_plan_interval;
9438 
9439 		return 0;
9440 	}
9441 
9442 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9443 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9444 
9445 		if (WARN_ON(i >= n_plans))
9446 			return -EINVAL;
9447 
9448 		err = nla_parse_nested_deprecated(plan,
9449 						  NL80211_SCHED_SCAN_PLAN_MAX,
9450 						  attr, nl80211_plan_policy,
9451 						  NULL);
9452 		if (err)
9453 			return err;
9454 
9455 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9456 			return -EINVAL;
9457 
9458 		request->scan_plans[i].interval =
9459 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9460 		if (!request->scan_plans[i].interval ||
9461 		    request->scan_plans[i].interval >
9462 		    wiphy->max_sched_scan_plan_interval)
9463 			return -EINVAL;
9464 
9465 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9466 			request->scan_plans[i].iterations =
9467 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9468 			if (!request->scan_plans[i].iterations ||
9469 			    (request->scan_plans[i].iterations >
9470 			     wiphy->max_sched_scan_plan_iterations))
9471 				return -EINVAL;
9472 		} else if (i < n_plans - 1) {
9473 			/*
9474 			 * All scan plans but the last one must specify
9475 			 * a finite number of iterations
9476 			 */
9477 			return -EINVAL;
9478 		}
9479 
9480 		i++;
9481 	}
9482 
9483 	/*
9484 	 * The last scan plan must not specify the number of
9485 	 * iterations, it is supposed to run infinitely
9486 	 */
9487 	if (request->scan_plans[n_plans - 1].iterations)
9488 		return  -EINVAL;
9489 
9490 	return 0;
9491 }
9492 
9493 static int
9494 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9495 				       struct cfg80211_match_set *match_sets,
9496 				       struct nlattr *tb_band_rssi,
9497 				       s32 rssi_thold)
9498 {
9499 	struct nlattr *attr;
9500 	int i, tmp, ret = 0;
9501 
9502 	if (!wiphy_ext_feature_isset(wiphy,
9503 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9504 		if (tb_band_rssi)
9505 			ret = -EOPNOTSUPP;
9506 		else
9507 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9508 				match_sets->per_band_rssi_thold[i] =
9509 					NL80211_SCAN_RSSI_THOLD_OFF;
9510 		return ret;
9511 	}
9512 
9513 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9514 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9515 
9516 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9517 		enum nl80211_band band = nla_type(attr);
9518 
9519 		if (band < 0 || band >= NUM_NL80211_BANDS)
9520 			return -EINVAL;
9521 
9522 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9523 	}
9524 
9525 	return 0;
9526 }
9527 
9528 static struct cfg80211_sched_scan_request *
9529 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9530 			 struct nlattr **attrs, int max_match_sets)
9531 {
9532 	struct cfg80211_sched_scan_request *request;
9533 	struct nlattr *attr;
9534 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9535 	enum nl80211_band band;
9536 	size_t ie_len, size;
9537 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9538 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9539 
9540 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9541 		n_channels = validate_scan_freqs(
9542 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9543 		if (!n_channels)
9544 			return ERR_PTR(-EINVAL);
9545 	} else {
9546 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9547 	}
9548 
9549 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9550 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9551 				    tmp)
9552 			n_ssids++;
9553 
9554 	if (n_ssids > wiphy->max_sched_scan_ssids)
9555 		return ERR_PTR(-EINVAL);
9556 
9557 	/*
9558 	 * First, count the number of 'real' matchsets. Due to an issue with
9559 	 * the old implementation, matchsets containing only the RSSI attribute
9560 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9561 	 * RSSI for all matchsets, rather than their own matchset for reporting
9562 	 * all APs with a strong RSSI. This is needed to be compatible with
9563 	 * older userspace that treated a matchset with only the RSSI as the
9564 	 * global RSSI for all other matchsets - if there are other matchsets.
9565 	 */
9566 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9567 		nla_for_each_nested(attr,
9568 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9569 				    tmp) {
9570 			struct nlattr *rssi;
9571 
9572 			err = nla_parse_nested_deprecated(tb,
9573 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9574 							  attr,
9575 							  nl80211_match_policy,
9576 							  NULL);
9577 			if (err)
9578 				return ERR_PTR(err);
9579 
9580 			/* SSID and BSSID are mutually exclusive */
9581 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9582 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9583 				return ERR_PTR(-EINVAL);
9584 
9585 			/* add other standalone attributes here */
9586 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9587 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9588 				n_match_sets++;
9589 				continue;
9590 			}
9591 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9592 			if (rssi)
9593 				default_match_rssi = nla_get_s32(rssi);
9594 		}
9595 	}
9596 
9597 	/* However, if there's no other matchset, add the RSSI one */
9598 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9599 		n_match_sets = 1;
9600 
9601 	if (n_match_sets > max_match_sets)
9602 		return ERR_PTR(-EINVAL);
9603 
9604 	if (attrs[NL80211_ATTR_IE])
9605 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9606 	else
9607 		ie_len = 0;
9608 
9609 	if (ie_len > wiphy->max_sched_scan_ie_len)
9610 		return ERR_PTR(-EINVAL);
9611 
9612 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9613 		/*
9614 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9615 		 * each scan plan already specifies its own interval
9616 		 */
9617 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9618 			return ERR_PTR(-EINVAL);
9619 
9620 		nla_for_each_nested(attr,
9621 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9622 			n_plans++;
9623 	} else {
9624 		/*
9625 		 * The scan interval attribute is kept for backward
9626 		 * compatibility. If no scan plans are specified and sched scan
9627 		 * interval is specified, one scan plan will be set with this
9628 		 * scan interval and infinite number of iterations.
9629 		 */
9630 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9631 			return ERR_PTR(-EINVAL);
9632 
9633 		n_plans = 1;
9634 	}
9635 
9636 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9637 		return ERR_PTR(-EINVAL);
9638 
9639 	if (!wiphy_ext_feature_isset(
9640 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9641 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9642 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9643 		return ERR_PTR(-EINVAL);
9644 
9645 	size = struct_size(request, channels, n_channels);
9646 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9647 	size = size_add(size, array_size(sizeof(*request->match_sets),
9648 					 n_match_sets));
9649 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9650 					 n_plans));
9651 	size = size_add(size, ie_len);
9652 	request = kzalloc(size, GFP_KERNEL);
9653 	if (!request)
9654 		return ERR_PTR(-ENOMEM);
9655 
9656 	if (n_ssids)
9657 		request->ssids = (void *)&request->channels[n_channels];
9658 	request->n_ssids = n_ssids;
9659 	if (ie_len) {
9660 		if (n_ssids)
9661 			request->ie = (void *)(request->ssids + n_ssids);
9662 		else
9663 			request->ie = (void *)(request->channels + n_channels);
9664 	}
9665 
9666 	if (n_match_sets) {
9667 		if (request->ie)
9668 			request->match_sets = (void *)(request->ie + ie_len);
9669 		else if (n_ssids)
9670 			request->match_sets =
9671 				(void *)(request->ssids + n_ssids);
9672 		else
9673 			request->match_sets =
9674 				(void *)(request->channels + n_channels);
9675 	}
9676 	request->n_match_sets = n_match_sets;
9677 
9678 	if (n_match_sets)
9679 		request->scan_plans = (void *)(request->match_sets +
9680 					       n_match_sets);
9681 	else if (request->ie)
9682 		request->scan_plans = (void *)(request->ie + ie_len);
9683 	else if (n_ssids)
9684 		request->scan_plans = (void *)(request->ssids + n_ssids);
9685 	else
9686 		request->scan_plans = (void *)(request->channels + n_channels);
9687 
9688 	request->n_scan_plans = n_plans;
9689 
9690 	i = 0;
9691 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9692 		/* user specified, bail out if channel not found */
9693 		nla_for_each_nested(attr,
9694 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9695 				    tmp) {
9696 			struct ieee80211_channel *chan;
9697 
9698 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9699 
9700 			if (!chan) {
9701 				err = -EINVAL;
9702 				goto out_free;
9703 			}
9704 
9705 			/* ignore disabled channels */
9706 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9707 				continue;
9708 
9709 			request->channels[i] = chan;
9710 			i++;
9711 		}
9712 	} else {
9713 		/* all channels */
9714 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9715 			int j;
9716 
9717 			if (!wiphy->bands[band])
9718 				continue;
9719 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9720 				struct ieee80211_channel *chan;
9721 
9722 				chan = &wiphy->bands[band]->channels[j];
9723 
9724 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9725 					continue;
9726 
9727 				request->channels[i] = chan;
9728 				i++;
9729 			}
9730 		}
9731 	}
9732 
9733 	if (!i) {
9734 		err = -EINVAL;
9735 		goto out_free;
9736 	}
9737 
9738 	request->n_channels = i;
9739 
9740 	i = 0;
9741 	if (n_ssids) {
9742 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9743 				    tmp) {
9744 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9745 				err = -EINVAL;
9746 				goto out_free;
9747 			}
9748 			request->ssids[i].ssid_len = nla_len(attr);
9749 			memcpy(request->ssids[i].ssid, nla_data(attr),
9750 			       nla_len(attr));
9751 			i++;
9752 		}
9753 	}
9754 
9755 	i = 0;
9756 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9757 		nla_for_each_nested(attr,
9758 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9759 				    tmp) {
9760 			struct nlattr *ssid, *bssid, *rssi;
9761 
9762 			err = nla_parse_nested_deprecated(tb,
9763 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9764 							  attr,
9765 							  nl80211_match_policy,
9766 							  NULL);
9767 			if (err)
9768 				goto out_free;
9769 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9770 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9771 
9772 			if (!ssid && !bssid) {
9773 				i++;
9774 				continue;
9775 			}
9776 
9777 			if (WARN_ON(i >= n_match_sets)) {
9778 				/* this indicates a programming error,
9779 				 * the loop above should have verified
9780 				 * things properly
9781 				 */
9782 				err = -EINVAL;
9783 				goto out_free;
9784 			}
9785 
9786 			if (ssid) {
9787 				memcpy(request->match_sets[i].ssid.ssid,
9788 				       nla_data(ssid), nla_len(ssid));
9789 				request->match_sets[i].ssid.ssid_len =
9790 					nla_len(ssid);
9791 			}
9792 			if (bssid)
9793 				memcpy(request->match_sets[i].bssid,
9794 				       nla_data(bssid), ETH_ALEN);
9795 
9796 			/* special attribute - old implementation w/a */
9797 			request->match_sets[i].rssi_thold = default_match_rssi;
9798 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9799 			if (rssi)
9800 				request->match_sets[i].rssi_thold =
9801 					nla_get_s32(rssi);
9802 
9803 			/* Parse per band RSSI attribute */
9804 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9805 				&request->match_sets[i],
9806 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9807 				request->match_sets[i].rssi_thold);
9808 			if (err)
9809 				goto out_free;
9810 
9811 			i++;
9812 		}
9813 
9814 		/* there was no other matchset, so the RSSI one is alone */
9815 		if (i == 0 && n_match_sets)
9816 			request->match_sets[0].rssi_thold = default_match_rssi;
9817 
9818 		request->min_rssi_thold = INT_MAX;
9819 		for (i = 0; i < n_match_sets; i++)
9820 			request->min_rssi_thold =
9821 				min(request->match_sets[i].rssi_thold,
9822 				    request->min_rssi_thold);
9823 	} else {
9824 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9825 	}
9826 
9827 	if (ie_len) {
9828 		request->ie_len = ie_len;
9829 		memcpy((void *)request->ie,
9830 		       nla_data(attrs[NL80211_ATTR_IE]),
9831 		       request->ie_len);
9832 	}
9833 
9834 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9835 	if (err)
9836 		goto out_free;
9837 
9838 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9839 		request->delay =
9840 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9841 
9842 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9843 		request->relative_rssi = nla_get_s8(
9844 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9845 		request->relative_rssi_set = true;
9846 	}
9847 
9848 	if (request->relative_rssi_set &&
9849 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9850 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9851 
9852 		rssi_adjust = nla_data(
9853 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9854 		request->rssi_adjust.band = rssi_adjust->band;
9855 		request->rssi_adjust.delta = rssi_adjust->delta;
9856 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9857 			err = -EINVAL;
9858 			goto out_free;
9859 		}
9860 	}
9861 
9862 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9863 	if (err)
9864 		goto out_free;
9865 
9866 	request->scan_start = jiffies;
9867 
9868 	return request;
9869 
9870 out_free:
9871 	kfree(request);
9872 	return ERR_PTR(err);
9873 }
9874 
9875 static int nl80211_start_sched_scan(struct sk_buff *skb,
9876 				    struct genl_info *info)
9877 {
9878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9879 	struct net_device *dev = info->user_ptr[1];
9880 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9881 	struct cfg80211_sched_scan_request *sched_scan_req;
9882 	bool want_multi;
9883 	int err;
9884 
9885 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9886 		return -EOPNOTSUPP;
9887 
9888 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9889 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9890 	if (err)
9891 		return err;
9892 
9893 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9894 						  info->attrs,
9895 						  rdev->wiphy.max_match_sets);
9896 
9897 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9898 	if (err)
9899 		goto out_err;
9900 
9901 	/* leave request id zero for legacy request
9902 	 * or if driver does not support multi-scheduled scan
9903 	 */
9904 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9905 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9906 
9907 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9908 	if (err)
9909 		goto out_free;
9910 
9911 	sched_scan_req->dev = dev;
9912 	sched_scan_req->wiphy = &rdev->wiphy;
9913 
9914 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9915 		sched_scan_req->owner_nlportid = info->snd_portid;
9916 
9917 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9918 
9919 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9920 	return 0;
9921 
9922 out_free:
9923 	kfree(sched_scan_req);
9924 out_err:
9925 	return err;
9926 }
9927 
9928 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9929 				   struct genl_info *info)
9930 {
9931 	struct cfg80211_sched_scan_request *req;
9932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9933 	u64 cookie;
9934 
9935 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9936 		return -EOPNOTSUPP;
9937 
9938 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9939 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9940 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9941 	}
9942 
9943 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9944 				     struct cfg80211_sched_scan_request,
9945 				     list);
9946 	if (!req || req->reqid ||
9947 	    (req->owner_nlportid &&
9948 	     req->owner_nlportid != info->snd_portid))
9949 		return -ENOENT;
9950 
9951 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9952 }
9953 
9954 static int nl80211_start_radar_detection(struct sk_buff *skb,
9955 					 struct genl_info *info)
9956 {
9957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9958 	struct net_device *dev = info->user_ptr[1];
9959 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9960 	struct wiphy *wiphy = wdev->wiphy;
9961 	struct cfg80211_chan_def chandef;
9962 	enum nl80211_dfs_regions dfs_region;
9963 	unsigned int cac_time_ms;
9964 	int err = -EINVAL;
9965 
9966 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9967 
9968 	wiphy_lock(wiphy);
9969 
9970 	dfs_region = reg_get_dfs_region(wiphy);
9971 	if (dfs_region == NL80211_DFS_UNSET)
9972 		goto unlock;
9973 
9974 	err = nl80211_parse_chandef(rdev, info, &chandef);
9975 	if (err)
9976 		goto unlock;
9977 
9978 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9979 	if (err < 0)
9980 		goto unlock;
9981 
9982 	if (err == 0) {
9983 		err = -EINVAL;
9984 		goto unlock;
9985 	}
9986 
9987 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9988 		err = -EINVAL;
9989 		goto unlock;
9990 	}
9991 
9992 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9993 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9994 								&chandef);
9995 		goto unlock;
9996 	}
9997 
9998 	if (netif_carrier_ok(dev)) {
9999 		err = -EBUSY;
10000 		goto unlock;
10001 	}
10002 
10003 	if (wdev->cac_started) {
10004 		err = -EBUSY;
10005 		goto unlock;
10006 	}
10007 
10008 	/* CAC start is offloaded to HW and can't be started manually */
10009 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10010 		err = -EOPNOTSUPP;
10011 		goto unlock;
10012 	}
10013 
10014 	if (!rdev->ops->start_radar_detection) {
10015 		err = -EOPNOTSUPP;
10016 		goto unlock;
10017 	}
10018 
10019 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10020 	if (WARN_ON(!cac_time_ms))
10021 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10022 
10023 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
10024 	if (!err) {
10025 		wdev->links[0].ap.chandef = chandef;
10026 		wdev->cac_started = true;
10027 		wdev->cac_start_time = jiffies;
10028 		wdev->cac_time_ms = cac_time_ms;
10029 	}
10030 unlock:
10031 	wiphy_unlock(wiphy);
10032 
10033 	return err;
10034 }
10035 
10036 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10037 					  struct genl_info *info)
10038 {
10039 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10040 	struct net_device *dev = info->user_ptr[1];
10041 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10042 	struct wiphy *wiphy = wdev->wiphy;
10043 	struct cfg80211_chan_def chandef;
10044 	enum nl80211_dfs_regions dfs_region;
10045 	int err;
10046 
10047 	dfs_region = reg_get_dfs_region(wiphy);
10048 	if (dfs_region == NL80211_DFS_UNSET) {
10049 		GENL_SET_ERR_MSG(info,
10050 				 "DFS Region is not set. Unexpected Radar indication");
10051 		return -EINVAL;
10052 	}
10053 
10054 	err = nl80211_parse_chandef(rdev, info, &chandef);
10055 	if (err) {
10056 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10057 		return err;
10058 	}
10059 
10060 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10061 	if (err < 0) {
10062 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10063 		return err;
10064 	}
10065 
10066 	if (err == 0) {
10067 		GENL_SET_ERR_MSG(info,
10068 				 "Unexpected Radar indication for chandef/iftype");
10069 		return -EINVAL;
10070 	}
10071 
10072 	/* Do not process this notification if radar is already detected
10073 	 * by kernel on this channel, and return success.
10074 	 */
10075 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10076 		return 0;
10077 
10078 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10079 
10080 	cfg80211_sched_dfs_chan_update(rdev);
10081 
10082 	rdev->radar_chandef = chandef;
10083 
10084 	/* Propagate this notification to other radios as well */
10085 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10086 
10087 	return 0;
10088 }
10089 
10090 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10091 {
10092 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10093 	unsigned int link_id = nl80211_link_id(info->attrs);
10094 	struct net_device *dev = info->user_ptr[1];
10095 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10096 	struct cfg80211_csa_settings params;
10097 	struct nlattr **csa_attrs = NULL;
10098 	int err;
10099 	bool need_new_beacon = false;
10100 	bool need_handle_dfs_flag = true;
10101 	int len, i;
10102 	u32 cs_count;
10103 
10104 	if (!rdev->ops->channel_switch ||
10105 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10106 		return -EOPNOTSUPP;
10107 
10108 	switch (dev->ieee80211_ptr->iftype) {
10109 	case NL80211_IFTYPE_AP:
10110 	case NL80211_IFTYPE_P2P_GO:
10111 		need_new_beacon = true;
10112 		/* For all modes except AP the handle_dfs flag needs to be
10113 		 * supplied to tell the kernel that userspace will handle radar
10114 		 * events when they happen. Otherwise a switch to a channel
10115 		 * requiring DFS will be rejected.
10116 		 */
10117 		need_handle_dfs_flag = false;
10118 
10119 		/* useless if AP is not running */
10120 		if (!wdev->links[link_id].ap.beacon_interval)
10121 			return -ENOTCONN;
10122 		break;
10123 	case NL80211_IFTYPE_ADHOC:
10124 		if (!wdev->u.ibss.ssid_len)
10125 			return -ENOTCONN;
10126 		break;
10127 	case NL80211_IFTYPE_MESH_POINT:
10128 		if (!wdev->u.mesh.id_len)
10129 			return -ENOTCONN;
10130 		break;
10131 	default:
10132 		return -EOPNOTSUPP;
10133 	}
10134 
10135 	memset(&params, 0, sizeof(params));
10136 	params.beacon_csa.ftm_responder = -1;
10137 
10138 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10139 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10140 		return -EINVAL;
10141 
10142 	/* only important for AP, IBSS and mesh create IEs internally */
10143 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10144 		return -EINVAL;
10145 
10146 	/* Even though the attribute is u32, the specification says
10147 	 * u8, so let's make sure we don't overflow.
10148 	 */
10149 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10150 	if (cs_count > 255)
10151 		return -EINVAL;
10152 
10153 	params.count = cs_count;
10154 
10155 	if (!need_new_beacon)
10156 		goto skip_beacons;
10157 
10158 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10159 				   info->extack);
10160 	if (err)
10161 		goto free;
10162 
10163 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10164 			    GFP_KERNEL);
10165 	if (!csa_attrs) {
10166 		err = -ENOMEM;
10167 		goto free;
10168 	}
10169 
10170 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10171 					  info->attrs[NL80211_ATTR_CSA_IES],
10172 					  nl80211_policy, info->extack);
10173 	if (err)
10174 		goto free;
10175 
10176 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10177 				   info->extack);
10178 	if (err)
10179 		goto free;
10180 
10181 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10182 		err = -EINVAL;
10183 		goto free;
10184 	}
10185 
10186 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10187 	if (!len || (len % sizeof(u16))) {
10188 		err = -EINVAL;
10189 		goto free;
10190 	}
10191 
10192 	params.n_counter_offsets_beacon = len / sizeof(u16);
10193 	if (rdev->wiphy.max_num_csa_counters &&
10194 	    (params.n_counter_offsets_beacon >
10195 	     rdev->wiphy.max_num_csa_counters)) {
10196 		err = -EINVAL;
10197 		goto free;
10198 	}
10199 
10200 	params.counter_offsets_beacon =
10201 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10202 
10203 	/* sanity checks - counters should fit and be the same */
10204 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
10205 		u16 offset = params.counter_offsets_beacon[i];
10206 
10207 		if (offset >= params.beacon_csa.tail_len) {
10208 			err = -EINVAL;
10209 			goto free;
10210 		}
10211 
10212 		if (params.beacon_csa.tail[offset] != params.count) {
10213 			err = -EINVAL;
10214 			goto free;
10215 		}
10216 	}
10217 
10218 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
10219 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10220 		if (!len || (len % sizeof(u16))) {
10221 			err = -EINVAL;
10222 			goto free;
10223 		}
10224 
10225 		params.n_counter_offsets_presp = len / sizeof(u16);
10226 		if (rdev->wiphy.max_num_csa_counters &&
10227 		    (params.n_counter_offsets_presp >
10228 		     rdev->wiphy.max_num_csa_counters)) {
10229 			err = -EINVAL;
10230 			goto free;
10231 		}
10232 
10233 		params.counter_offsets_presp =
10234 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10235 
10236 		/* sanity checks - counters should fit and be the same */
10237 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10238 			u16 offset = params.counter_offsets_presp[i];
10239 
10240 			if (offset >= params.beacon_csa.probe_resp_len) {
10241 				err = -EINVAL;
10242 				goto free;
10243 			}
10244 
10245 			if (params.beacon_csa.probe_resp[offset] !=
10246 			    params.count) {
10247 				err = -EINVAL;
10248 				goto free;
10249 			}
10250 		}
10251 	}
10252 
10253 skip_beacons:
10254 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10255 	if (err)
10256 		goto free;
10257 
10258 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10259 					   wdev->iftype)) {
10260 		err = -EINVAL;
10261 		goto free;
10262 	}
10263 
10264 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10265 					    &params.chandef,
10266 					    wdev->iftype);
10267 	if (err < 0)
10268 		goto free;
10269 
10270 	if (err > 0) {
10271 		params.radar_required = true;
10272 		if (need_handle_dfs_flag &&
10273 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10274 			err = -EINVAL;
10275 			goto free;
10276 		}
10277 	}
10278 
10279 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10280 		params.block_tx = true;
10281 
10282 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
10283 		err = nl80211_parse_punct_bitmap(rdev, info,
10284 						 &params.chandef,
10285 						 &params.punct_bitmap);
10286 		if (err)
10287 			goto free;
10288 	}
10289 
10290 	wdev_lock(wdev);
10291 	err = rdev_channel_switch(rdev, dev, &params);
10292 	wdev_unlock(wdev);
10293 
10294 free:
10295 	kfree(params.beacon_after.mbssid_ies);
10296 	kfree(params.beacon_csa.mbssid_ies);
10297 	kfree(params.beacon_after.rnr_ies);
10298 	kfree(params.beacon_csa.rnr_ies);
10299 	kfree(csa_attrs);
10300 	return err;
10301 }
10302 
10303 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10304 			    u32 seq, int flags,
10305 			    struct cfg80211_registered_device *rdev,
10306 			    struct wireless_dev *wdev,
10307 			    struct cfg80211_internal_bss *intbss)
10308 {
10309 	struct cfg80211_bss *res = &intbss->pub;
10310 	const struct cfg80211_bss_ies *ies;
10311 	unsigned int link_id;
10312 	void *hdr;
10313 	struct nlattr *bss;
10314 
10315 	ASSERT_WDEV_LOCK(wdev);
10316 
10317 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10318 			     NL80211_CMD_NEW_SCAN_RESULTS);
10319 	if (!hdr)
10320 		return -1;
10321 
10322 	genl_dump_check_consistent(cb, hdr);
10323 
10324 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10325 		goto nla_put_failure;
10326 	if (wdev->netdev &&
10327 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10328 		goto nla_put_failure;
10329 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10330 			      NL80211_ATTR_PAD))
10331 		goto nla_put_failure;
10332 
10333 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10334 	if (!bss)
10335 		goto nla_put_failure;
10336 	if ((!is_zero_ether_addr(res->bssid) &&
10337 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10338 		goto nla_put_failure;
10339 
10340 	rcu_read_lock();
10341 	/* indicate whether we have probe response data or not */
10342 	if (rcu_access_pointer(res->proberesp_ies) &&
10343 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10344 		goto fail_unlock_rcu;
10345 
10346 	/* this pointer prefers to be pointed to probe response data
10347 	 * but is always valid
10348 	 */
10349 	ies = rcu_dereference(res->ies);
10350 	if (ies) {
10351 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10352 				      NL80211_BSS_PAD))
10353 			goto fail_unlock_rcu;
10354 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10355 					ies->len, ies->data))
10356 			goto fail_unlock_rcu;
10357 	}
10358 
10359 	/* and this pointer is always (unless driver didn't know) beacon data */
10360 	ies = rcu_dereference(res->beacon_ies);
10361 	if (ies && ies->from_beacon) {
10362 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10363 				      NL80211_BSS_PAD))
10364 			goto fail_unlock_rcu;
10365 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10366 					ies->len, ies->data))
10367 			goto fail_unlock_rcu;
10368 	}
10369 	rcu_read_unlock();
10370 
10371 	if (res->beacon_interval &&
10372 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10373 		goto nla_put_failure;
10374 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10375 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10376 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10377 			res->channel->freq_offset) ||
10378 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10379 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10380 			jiffies_to_msecs(jiffies - intbss->ts)))
10381 		goto nla_put_failure;
10382 
10383 	if (intbss->parent_tsf &&
10384 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10385 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10386 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10387 		     intbss->parent_bssid)))
10388 		goto nla_put_failure;
10389 
10390 	if (intbss->ts_boottime &&
10391 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10392 			      intbss->ts_boottime, NL80211_BSS_PAD))
10393 		goto nla_put_failure;
10394 
10395 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10396 				intbss->pub.chain_signal,
10397 				NL80211_BSS_CHAIN_SIGNAL))
10398 		goto nla_put_failure;
10399 
10400 	switch (rdev->wiphy.signal_type) {
10401 	case CFG80211_SIGNAL_TYPE_MBM:
10402 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10403 			goto nla_put_failure;
10404 		break;
10405 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10406 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10407 			goto nla_put_failure;
10408 		break;
10409 	default:
10410 		break;
10411 	}
10412 
10413 	switch (wdev->iftype) {
10414 	case NL80211_IFTYPE_P2P_CLIENT:
10415 	case NL80211_IFTYPE_STATION:
10416 		for_each_valid_link(wdev, link_id) {
10417 			if (intbss == wdev->links[link_id].client.current_bss &&
10418 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10419 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10420 			     (wdev->valid_links &&
10421 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10422 					  link_id) ||
10423 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10424 				       wdev->u.client.connected_addr)))))
10425 				goto nla_put_failure;
10426 		}
10427 		break;
10428 	case NL80211_IFTYPE_ADHOC:
10429 		if (intbss == wdev->u.ibss.current_bss &&
10430 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10431 				NL80211_BSS_STATUS_IBSS_JOINED))
10432 			goto nla_put_failure;
10433 		break;
10434 	default:
10435 		break;
10436 	}
10437 
10438 	nla_nest_end(msg, bss);
10439 
10440 	genlmsg_end(msg, hdr);
10441 	return 0;
10442 
10443  fail_unlock_rcu:
10444 	rcu_read_unlock();
10445  nla_put_failure:
10446 	genlmsg_cancel(msg, hdr);
10447 	return -EMSGSIZE;
10448 }
10449 
10450 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10451 {
10452 	struct cfg80211_registered_device *rdev;
10453 	struct cfg80211_internal_bss *scan;
10454 	struct wireless_dev *wdev;
10455 	int start = cb->args[2], idx = 0;
10456 	int err;
10457 
10458 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10459 	if (err)
10460 		return err;
10461 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10462 	__acquire(&rdev->wiphy.mtx);
10463 
10464 	wdev_lock(wdev);
10465 	spin_lock_bh(&rdev->bss_lock);
10466 
10467 	/*
10468 	 * dump_scan will be called multiple times to break up the scan results
10469 	 * into multiple messages.  It is unlikely that any more bss-es will be
10470 	 * expired after the first call, so only call only call this on the
10471 	 * first dump_scan invocation.
10472 	 */
10473 	if (start == 0)
10474 		cfg80211_bss_expire(rdev);
10475 
10476 	cb->seq = rdev->bss_generation;
10477 
10478 	list_for_each_entry(scan, &rdev->bss_list, list) {
10479 		if (++idx <= start)
10480 			continue;
10481 		if (nl80211_send_bss(skb, cb,
10482 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10483 				rdev, wdev, scan) < 0) {
10484 			idx--;
10485 			break;
10486 		}
10487 	}
10488 
10489 	spin_unlock_bh(&rdev->bss_lock);
10490 	wdev_unlock(wdev);
10491 
10492 	cb->args[2] = idx;
10493 	wiphy_unlock(&rdev->wiphy);
10494 
10495 	return skb->len;
10496 }
10497 
10498 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10499 			       int flags, struct net_device *dev,
10500 			       bool allow_radio_stats,
10501 			       struct survey_info *survey)
10502 {
10503 	void *hdr;
10504 	struct nlattr *infoattr;
10505 
10506 	/* skip radio stats if userspace didn't request them */
10507 	if (!survey->channel && !allow_radio_stats)
10508 		return 0;
10509 
10510 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10511 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10512 	if (!hdr)
10513 		return -ENOMEM;
10514 
10515 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10516 		goto nla_put_failure;
10517 
10518 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10519 	if (!infoattr)
10520 		goto nla_put_failure;
10521 
10522 	if (survey->channel &&
10523 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10524 			survey->channel->center_freq))
10525 		goto nla_put_failure;
10526 
10527 	if (survey->channel && survey->channel->freq_offset &&
10528 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10529 			survey->channel->freq_offset))
10530 		goto nla_put_failure;
10531 
10532 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10533 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10534 		goto nla_put_failure;
10535 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10536 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10537 		goto nla_put_failure;
10538 	if ((survey->filled & SURVEY_INFO_TIME) &&
10539 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10540 			survey->time, NL80211_SURVEY_INFO_PAD))
10541 		goto nla_put_failure;
10542 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10543 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10544 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10545 		goto nla_put_failure;
10546 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10547 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10548 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10549 		goto nla_put_failure;
10550 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10551 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10552 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10553 		goto nla_put_failure;
10554 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10555 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10556 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10557 		goto nla_put_failure;
10558 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10559 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10560 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10561 		goto nla_put_failure;
10562 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10563 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10564 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10565 		goto nla_put_failure;
10566 
10567 	nla_nest_end(msg, infoattr);
10568 
10569 	genlmsg_end(msg, hdr);
10570 	return 0;
10571 
10572  nla_put_failure:
10573 	genlmsg_cancel(msg, hdr);
10574 	return -EMSGSIZE;
10575 }
10576 
10577 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10578 {
10579 	struct nlattr **attrbuf;
10580 	struct survey_info survey;
10581 	struct cfg80211_registered_device *rdev;
10582 	struct wireless_dev *wdev;
10583 	int survey_idx = cb->args[2];
10584 	int res;
10585 	bool radio_stats;
10586 
10587 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10588 	if (!attrbuf)
10589 		return -ENOMEM;
10590 
10591 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10592 	if (res) {
10593 		kfree(attrbuf);
10594 		return res;
10595 	}
10596 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10597 	__acquire(&rdev->wiphy.mtx);
10598 
10599 	/* prepare_wdev_dump parsed the attributes */
10600 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10601 
10602 	if (!wdev->netdev) {
10603 		res = -EINVAL;
10604 		goto out_err;
10605 	}
10606 
10607 	if (!rdev->ops->dump_survey) {
10608 		res = -EOPNOTSUPP;
10609 		goto out_err;
10610 	}
10611 
10612 	while (1) {
10613 		wdev_lock(wdev);
10614 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10615 		wdev_unlock(wdev);
10616 		if (res == -ENOENT)
10617 			break;
10618 		if (res)
10619 			goto out_err;
10620 
10621 		/* don't send disabled channels, but do send non-channel data */
10622 		if (survey.channel &&
10623 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10624 			survey_idx++;
10625 			continue;
10626 		}
10627 
10628 		if (nl80211_send_survey(skb,
10629 				NETLINK_CB(cb->skb).portid,
10630 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10631 				wdev->netdev, radio_stats, &survey) < 0)
10632 			goto out;
10633 		survey_idx++;
10634 	}
10635 
10636  out:
10637 	cb->args[2] = survey_idx;
10638 	res = skb->len;
10639  out_err:
10640 	kfree(attrbuf);
10641 	wiphy_unlock(&rdev->wiphy);
10642 	return res;
10643 }
10644 
10645 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10646 {
10647 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10648 				  NL80211_WPA_VERSION_2 |
10649 				  NL80211_WPA_VERSION_3));
10650 }
10651 
10652 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10653 {
10654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10655 	struct net_device *dev = info->user_ptr[1];
10656 	struct ieee80211_channel *chan;
10657 	const u8 *bssid, *ssid;
10658 	int err, ssid_len;
10659 	enum nl80211_auth_type auth_type;
10660 	struct key_parse key;
10661 	bool local_state_change;
10662 	struct cfg80211_auth_request req = {};
10663 	u32 freq;
10664 
10665 	if (!info->attrs[NL80211_ATTR_MAC])
10666 		return -EINVAL;
10667 
10668 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10669 		return -EINVAL;
10670 
10671 	if (!info->attrs[NL80211_ATTR_SSID])
10672 		return -EINVAL;
10673 
10674 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10675 		return -EINVAL;
10676 
10677 	err = nl80211_parse_key(info, &key);
10678 	if (err)
10679 		return err;
10680 
10681 	if (key.idx >= 0) {
10682 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10683 			return -EINVAL;
10684 		if (!key.p.key || !key.p.key_len)
10685 			return -EINVAL;
10686 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10687 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10688 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10689 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10690 			return -EINVAL;
10691 		if (key.idx > 3)
10692 			return -EINVAL;
10693 	} else {
10694 		key.p.key_len = 0;
10695 		key.p.key = NULL;
10696 	}
10697 
10698 	if (key.idx >= 0) {
10699 		int i;
10700 		bool ok = false;
10701 
10702 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10703 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10704 				ok = true;
10705 				break;
10706 			}
10707 		}
10708 		if (!ok)
10709 			return -EINVAL;
10710 	}
10711 
10712 	if (!rdev->ops->auth)
10713 		return -EOPNOTSUPP;
10714 
10715 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10716 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10717 		return -EOPNOTSUPP;
10718 
10719 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10720 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10721 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10722 		freq +=
10723 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10724 
10725 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10726 	if (!chan)
10727 		return -EINVAL;
10728 
10729 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10730 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10731 
10732 	if (info->attrs[NL80211_ATTR_IE]) {
10733 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10734 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10735 	}
10736 
10737 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10738 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10739 		return -EINVAL;
10740 
10741 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10742 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10743 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10744 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10745 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10746 		return -EINVAL;
10747 
10748 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10749 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10750 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10751 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10752 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10753 			return -EINVAL;
10754 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10755 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10756 	}
10757 
10758 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10759 
10760 	/*
10761 	 * Since we no longer track auth state, ignore
10762 	 * requests to only change local state.
10763 	 */
10764 	if (local_state_change)
10765 		return 0;
10766 
10767 	req.auth_type = auth_type;
10768 	req.key = key.p.key;
10769 	req.key_len = key.p.key_len;
10770 	req.key_idx = key.idx;
10771 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10772 	if (req.link_id >= 0) {
10773 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10774 			return -EINVAL;
10775 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10776 			return -EINVAL;
10777 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10778 		if (!is_valid_ether_addr(req.ap_mld_addr))
10779 			return -EINVAL;
10780 	}
10781 
10782 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10783 				   IEEE80211_BSS_TYPE_ESS,
10784 				   IEEE80211_PRIVACY_ANY);
10785 	if (!req.bss)
10786 		return -ENOENT;
10787 
10788 	wdev_lock(dev->ieee80211_ptr);
10789 	err = cfg80211_mlme_auth(rdev, dev, &req);
10790 	wdev_unlock(dev->ieee80211_ptr);
10791 
10792 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10793 
10794 	return err;
10795 }
10796 
10797 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10798 				     struct genl_info *info)
10799 {
10800 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10801 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10802 		return -EINVAL;
10803 	}
10804 
10805 	if (!rdev->ops->tx_control_port ||
10806 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10807 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10808 		return -EOPNOTSUPP;
10809 
10810 	return 0;
10811 }
10812 
10813 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10814 				   struct genl_info *info,
10815 				   struct cfg80211_crypto_settings *settings,
10816 				   int cipher_limit)
10817 {
10818 	memset(settings, 0, sizeof(*settings));
10819 
10820 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10821 
10822 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10823 		u16 proto;
10824 
10825 		proto = nla_get_u16(
10826 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10827 		settings->control_port_ethertype = cpu_to_be16(proto);
10828 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10829 		    proto != ETH_P_PAE)
10830 			return -EINVAL;
10831 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10832 			settings->control_port_no_encrypt = true;
10833 	} else
10834 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10835 
10836 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10837 		int r = validate_pae_over_nl80211(rdev, info);
10838 
10839 		if (r < 0)
10840 			return r;
10841 
10842 		settings->control_port_over_nl80211 = true;
10843 
10844 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10845 			settings->control_port_no_preauth = true;
10846 	}
10847 
10848 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10849 		void *data;
10850 		int len, i;
10851 
10852 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10853 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10854 		settings->n_ciphers_pairwise = len / sizeof(u32);
10855 
10856 		if (len % sizeof(u32))
10857 			return -EINVAL;
10858 
10859 		if (settings->n_ciphers_pairwise > cipher_limit)
10860 			return -EINVAL;
10861 
10862 		memcpy(settings->ciphers_pairwise, data, len);
10863 
10864 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10865 			if (!cfg80211_supported_cipher_suite(
10866 					&rdev->wiphy,
10867 					settings->ciphers_pairwise[i]))
10868 				return -EINVAL;
10869 	}
10870 
10871 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10872 		settings->cipher_group =
10873 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10874 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10875 						     settings->cipher_group))
10876 			return -EINVAL;
10877 	}
10878 
10879 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10880 		settings->wpa_versions =
10881 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10882 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10883 			return -EINVAL;
10884 	}
10885 
10886 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10887 		void *data;
10888 		int len;
10889 
10890 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10891 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10892 		settings->n_akm_suites = len / sizeof(u32);
10893 
10894 		if (len % sizeof(u32))
10895 			return -EINVAL;
10896 
10897 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10898 			return -EINVAL;
10899 
10900 		memcpy(settings->akm_suites, data, len);
10901 	}
10902 
10903 	if (info->attrs[NL80211_ATTR_PMK]) {
10904 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10905 			return -EINVAL;
10906 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10907 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10908 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10909 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10910 			return -EINVAL;
10911 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10912 	}
10913 
10914 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10915 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10916 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10917 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10918 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10919 			return -EINVAL;
10920 		settings->sae_pwd =
10921 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10922 		settings->sae_pwd_len =
10923 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10924 	}
10925 
10926 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10927 		settings->sae_pwe =
10928 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10929 	else
10930 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10931 
10932 	return 0;
10933 }
10934 
10935 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10936 					      const u8 *ssid, int ssid_len,
10937 					      struct nlattr **attrs)
10938 {
10939 	struct ieee80211_channel *chan;
10940 	struct cfg80211_bss *bss;
10941 	const u8 *bssid;
10942 	u32 freq;
10943 
10944 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10945 		return ERR_PTR(-EINVAL);
10946 
10947 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10948 
10949 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10950 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10951 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10952 
10953 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10954 	if (!chan)
10955 		return ERR_PTR(-EINVAL);
10956 
10957 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10958 			       ssid, ssid_len,
10959 			       IEEE80211_BSS_TYPE_ESS,
10960 			       IEEE80211_PRIVACY_ANY);
10961 	if (!bss)
10962 		return ERR_PTR(-ENOENT);
10963 
10964 	return bss;
10965 }
10966 
10967 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10968 {
10969 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10970 	struct net_device *dev = info->user_ptr[1];
10971 	struct cfg80211_assoc_request req = {};
10972 	struct nlattr **attrs = NULL;
10973 	const u8 *ap_addr, *ssid;
10974 	unsigned int link_id;
10975 	int err, ssid_len;
10976 
10977 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10978 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10979 		return -EPERM;
10980 
10981 	if (!info->attrs[NL80211_ATTR_SSID])
10982 		return -EINVAL;
10983 
10984 	if (!rdev->ops->assoc)
10985 		return -EOPNOTSUPP;
10986 
10987 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10988 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10989 		return -EOPNOTSUPP;
10990 
10991 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10992 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10993 
10994 	if (info->attrs[NL80211_ATTR_IE]) {
10995 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10996 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10997 
10998 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10999 					   req.ie, req.ie_len)) {
11000 			GENL_SET_ERR_MSG(info,
11001 					 "non-inheritance makes no sense");
11002 			return -EINVAL;
11003 		}
11004 	}
11005 
11006 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11007 		enum nl80211_mfp mfp =
11008 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11009 		if (mfp == NL80211_MFP_REQUIRED)
11010 			req.use_mfp = true;
11011 		else if (mfp != NL80211_MFP_NO)
11012 			return -EINVAL;
11013 	}
11014 
11015 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11016 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11017 
11018 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11019 		req.flags |= ASSOC_REQ_DISABLE_HT;
11020 
11021 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11022 		memcpy(&req.ht_capa_mask,
11023 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11024 		       sizeof(req.ht_capa_mask));
11025 
11026 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11027 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11028 			return -EINVAL;
11029 		memcpy(&req.ht_capa,
11030 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11031 		       sizeof(req.ht_capa));
11032 	}
11033 
11034 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11035 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11036 
11037 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11038 		req.flags |= ASSOC_REQ_DISABLE_HE;
11039 
11040 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11041 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11042 
11043 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11044 		memcpy(&req.vht_capa_mask,
11045 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11046 		       sizeof(req.vht_capa_mask));
11047 
11048 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11049 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11050 			return -EINVAL;
11051 		memcpy(&req.vht_capa,
11052 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11053 		       sizeof(req.vht_capa));
11054 	}
11055 
11056 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11057 		if (!((rdev->wiphy.features &
11058 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11059 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11060 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11061 					     NL80211_EXT_FEATURE_RRM))
11062 			return -EINVAL;
11063 		req.flags |= ASSOC_REQ_USE_RRM;
11064 	}
11065 
11066 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11067 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11068 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11069 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11070 			return -EINVAL;
11071 		req.fils_nonces =
11072 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11073 	}
11074 
11075 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11076 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11077 			return -EINVAL;
11078 		memcpy(&req.s1g_capa_mask,
11079 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11080 		       sizeof(req.s1g_capa_mask));
11081 	}
11082 
11083 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11084 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11085 			return -EINVAL;
11086 		memcpy(&req.s1g_capa,
11087 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11088 		       sizeof(req.s1g_capa));
11089 	}
11090 
11091 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11092 
11093 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11094 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11095 		struct nlattr *link;
11096 		int rem = 0;
11097 
11098 		if (req.link_id < 0)
11099 			return -EINVAL;
11100 
11101 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11102 			return -EINVAL;
11103 
11104 		if (info->attrs[NL80211_ATTR_MAC] ||
11105 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11106 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11107 			return -EINVAL;
11108 
11109 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11110 		ap_addr = req.ap_mld_addr;
11111 
11112 		attrs = kzalloc(attrsize, GFP_KERNEL);
11113 		if (!attrs)
11114 			return -ENOMEM;
11115 
11116 		nla_for_each_nested(link,
11117 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11118 				    rem) {
11119 			memset(attrs, 0, attrsize);
11120 
11121 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11122 					 link, NULL, NULL);
11123 
11124 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11125 				err = -EINVAL;
11126 				goto free;
11127 			}
11128 
11129 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11130 			/* cannot use the same link ID again */
11131 			if (req.links[link_id].bss) {
11132 				err = -EINVAL;
11133 				goto free;
11134 			}
11135 			req.links[link_id].bss =
11136 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs);
11137 			if (IS_ERR(req.links[link_id].bss)) {
11138 				err = PTR_ERR(req.links[link_id].bss);
11139 				req.links[link_id].bss = NULL;
11140 				goto free;
11141 			}
11142 
11143 			if (attrs[NL80211_ATTR_IE]) {
11144 				req.links[link_id].elems =
11145 					nla_data(attrs[NL80211_ATTR_IE]);
11146 				req.links[link_id].elems_len =
11147 					nla_len(attrs[NL80211_ATTR_IE]);
11148 
11149 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11150 						       req.links[link_id].elems,
11151 						       req.links[link_id].elems_len)) {
11152 					GENL_SET_ERR_MSG(info,
11153 							 "cannot deal with fragmentation");
11154 					err = -EINVAL;
11155 					goto free;
11156 				}
11157 
11158 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11159 							   req.links[link_id].elems,
11160 							   req.links[link_id].elems_len)) {
11161 					GENL_SET_ERR_MSG(info,
11162 							 "cannot deal with non-inheritance");
11163 					err = -EINVAL;
11164 					goto free;
11165 				}
11166 			}
11167 
11168 			req.links[link_id].disabled =
11169 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11170 		}
11171 
11172 		if (!req.links[req.link_id].bss) {
11173 			err = -EINVAL;
11174 			goto free;
11175 		}
11176 
11177 		if (req.links[req.link_id].elems_len) {
11178 			GENL_SET_ERR_MSG(info,
11179 					 "cannot have per-link elems on assoc link");
11180 			err = -EINVAL;
11181 			goto free;
11182 		}
11183 
11184 		if (req.links[req.link_id].disabled) {
11185 			GENL_SET_ERR_MSG(info,
11186 					 "cannot have assoc link disabled");
11187 			err = -EINVAL;
11188 			goto free;
11189 		}
11190 
11191 		kfree(attrs);
11192 		attrs = NULL;
11193 	} else {
11194 		if (req.link_id >= 0)
11195 			return -EINVAL;
11196 
11197 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs);
11198 		if (IS_ERR(req.bss))
11199 			return PTR_ERR(req.bss);
11200 		ap_addr = req.bss->bssid;
11201 	}
11202 
11203 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11204 	if (!err) {
11205 		wdev_lock(dev->ieee80211_ptr);
11206 
11207 		err = cfg80211_mlme_assoc(rdev, dev, &req);
11208 
11209 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11210 			dev->ieee80211_ptr->conn_owner_nlportid =
11211 				info->snd_portid;
11212 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11213 			       ap_addr, ETH_ALEN);
11214 		}
11215 
11216 		wdev_unlock(dev->ieee80211_ptr);
11217 	}
11218 
11219 free:
11220 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11221 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11222 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11223 	kfree(attrs);
11224 
11225 	return err;
11226 }
11227 
11228 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11229 {
11230 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11231 	struct net_device *dev = info->user_ptr[1];
11232 	const u8 *ie = NULL, *bssid;
11233 	int ie_len = 0, err;
11234 	u16 reason_code;
11235 	bool local_state_change;
11236 
11237 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11238 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11239 		return -EPERM;
11240 
11241 	if (!info->attrs[NL80211_ATTR_MAC])
11242 		return -EINVAL;
11243 
11244 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11245 		return -EINVAL;
11246 
11247 	if (!rdev->ops->deauth)
11248 		return -EOPNOTSUPP;
11249 
11250 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11251 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11252 		return -EOPNOTSUPP;
11253 
11254 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11255 
11256 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11257 	if (reason_code == 0) {
11258 		/* Reason Code 0 is reserved */
11259 		return -EINVAL;
11260 	}
11261 
11262 	if (info->attrs[NL80211_ATTR_IE]) {
11263 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11264 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11265 	}
11266 
11267 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11268 
11269 	wdev_lock(dev->ieee80211_ptr);
11270 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11271 				   local_state_change);
11272 	wdev_unlock(dev->ieee80211_ptr);
11273 	return err;
11274 }
11275 
11276 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11277 {
11278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11279 	struct net_device *dev = info->user_ptr[1];
11280 	const u8 *ie = NULL, *bssid;
11281 	int ie_len = 0, err;
11282 	u16 reason_code;
11283 	bool local_state_change;
11284 
11285 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11286 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11287 		return -EPERM;
11288 
11289 	if (!info->attrs[NL80211_ATTR_MAC])
11290 		return -EINVAL;
11291 
11292 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11293 		return -EINVAL;
11294 
11295 	if (!rdev->ops->disassoc)
11296 		return -EOPNOTSUPP;
11297 
11298 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11299 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11300 		return -EOPNOTSUPP;
11301 
11302 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11303 
11304 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11305 	if (reason_code == 0) {
11306 		/* Reason Code 0 is reserved */
11307 		return -EINVAL;
11308 	}
11309 
11310 	if (info->attrs[NL80211_ATTR_IE]) {
11311 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11312 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11313 	}
11314 
11315 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11316 
11317 	wdev_lock(dev->ieee80211_ptr);
11318 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11319 				     local_state_change);
11320 	wdev_unlock(dev->ieee80211_ptr);
11321 	return err;
11322 }
11323 
11324 static bool
11325 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11326 			 int mcast_rate[NUM_NL80211_BANDS],
11327 			 int rateval)
11328 {
11329 	struct wiphy *wiphy = &rdev->wiphy;
11330 	bool found = false;
11331 	int band, i;
11332 
11333 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11334 		struct ieee80211_supported_band *sband;
11335 
11336 		sband = wiphy->bands[band];
11337 		if (!sband)
11338 			continue;
11339 
11340 		for (i = 0; i < sband->n_bitrates; i++) {
11341 			if (sband->bitrates[i].bitrate == rateval) {
11342 				mcast_rate[band] = i + 1;
11343 				found = true;
11344 				break;
11345 			}
11346 		}
11347 	}
11348 
11349 	return found;
11350 }
11351 
11352 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11353 {
11354 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11355 	struct net_device *dev = info->user_ptr[1];
11356 	struct cfg80211_ibss_params ibss;
11357 	struct wiphy *wiphy;
11358 	struct cfg80211_cached_keys *connkeys = NULL;
11359 	int err;
11360 
11361 	memset(&ibss, 0, sizeof(ibss));
11362 
11363 	if (!info->attrs[NL80211_ATTR_SSID] ||
11364 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11365 		return -EINVAL;
11366 
11367 	ibss.beacon_interval = 100;
11368 
11369 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11370 		ibss.beacon_interval =
11371 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11372 
11373 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11374 					   ibss.beacon_interval);
11375 	if (err)
11376 		return err;
11377 
11378 	if (!rdev->ops->join_ibss)
11379 		return -EOPNOTSUPP;
11380 
11381 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11382 		return -EOPNOTSUPP;
11383 
11384 	wiphy = &rdev->wiphy;
11385 
11386 	if (info->attrs[NL80211_ATTR_MAC]) {
11387 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11388 
11389 		if (!is_valid_ether_addr(ibss.bssid))
11390 			return -EINVAL;
11391 	}
11392 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11393 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11394 
11395 	if (info->attrs[NL80211_ATTR_IE]) {
11396 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11397 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11398 	}
11399 
11400 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11401 	if (err)
11402 		return err;
11403 
11404 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11405 				     NL80211_IFTYPE_ADHOC))
11406 		return -EINVAL;
11407 
11408 	switch (ibss.chandef.width) {
11409 	case NL80211_CHAN_WIDTH_5:
11410 	case NL80211_CHAN_WIDTH_10:
11411 	case NL80211_CHAN_WIDTH_20_NOHT:
11412 		break;
11413 	case NL80211_CHAN_WIDTH_20:
11414 	case NL80211_CHAN_WIDTH_40:
11415 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11416 			return -EINVAL;
11417 		break;
11418 	case NL80211_CHAN_WIDTH_80:
11419 	case NL80211_CHAN_WIDTH_80P80:
11420 	case NL80211_CHAN_WIDTH_160:
11421 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11422 			return -EINVAL;
11423 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11424 					     NL80211_EXT_FEATURE_VHT_IBSS))
11425 			return -EINVAL;
11426 		break;
11427 	case NL80211_CHAN_WIDTH_320:
11428 		return -EINVAL;
11429 	default:
11430 		return -EINVAL;
11431 	}
11432 
11433 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11434 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11435 
11436 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11437 		u8 *rates =
11438 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11439 		int n_rates =
11440 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11441 		struct ieee80211_supported_band *sband =
11442 			wiphy->bands[ibss.chandef.chan->band];
11443 
11444 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11445 					     &ibss.basic_rates);
11446 		if (err)
11447 			return err;
11448 	}
11449 
11450 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11451 		memcpy(&ibss.ht_capa_mask,
11452 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11453 		       sizeof(ibss.ht_capa_mask));
11454 
11455 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11456 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11457 			return -EINVAL;
11458 		memcpy(&ibss.ht_capa,
11459 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11460 		       sizeof(ibss.ht_capa));
11461 	}
11462 
11463 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11464 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11465 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11466 		return -EINVAL;
11467 
11468 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11469 		bool no_ht = false;
11470 
11471 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11472 		if (IS_ERR(connkeys))
11473 			return PTR_ERR(connkeys);
11474 
11475 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11476 		    no_ht) {
11477 			kfree_sensitive(connkeys);
11478 			return -EINVAL;
11479 		}
11480 	}
11481 
11482 	ibss.control_port =
11483 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11484 
11485 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11486 		int r = validate_pae_over_nl80211(rdev, info);
11487 
11488 		if (r < 0) {
11489 			kfree_sensitive(connkeys);
11490 			return r;
11491 		}
11492 
11493 		ibss.control_port_over_nl80211 = true;
11494 	}
11495 
11496 	ibss.userspace_handles_dfs =
11497 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11498 
11499 	wdev_lock(dev->ieee80211_ptr);
11500 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11501 	if (err)
11502 		kfree_sensitive(connkeys);
11503 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11504 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11505 	wdev_unlock(dev->ieee80211_ptr);
11506 
11507 	return err;
11508 }
11509 
11510 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11511 {
11512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11513 	struct net_device *dev = info->user_ptr[1];
11514 
11515 	if (!rdev->ops->leave_ibss)
11516 		return -EOPNOTSUPP;
11517 
11518 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11519 		return -EOPNOTSUPP;
11520 
11521 	return cfg80211_leave_ibss(rdev, dev, false);
11522 }
11523 
11524 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11525 {
11526 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11527 	struct net_device *dev = info->user_ptr[1];
11528 	int mcast_rate[NUM_NL80211_BANDS];
11529 	u32 nla_rate;
11530 
11531 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11532 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11533 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11534 		return -EOPNOTSUPP;
11535 
11536 	if (!rdev->ops->set_mcast_rate)
11537 		return -EOPNOTSUPP;
11538 
11539 	memset(mcast_rate, 0, sizeof(mcast_rate));
11540 
11541 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11542 		return -EINVAL;
11543 
11544 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11545 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11546 		return -EINVAL;
11547 
11548 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11549 }
11550 
11551 static struct sk_buff *
11552 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11553 			    struct wireless_dev *wdev, int approxlen,
11554 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11555 			    enum nl80211_attrs attr,
11556 			    const struct nl80211_vendor_cmd_info *info,
11557 			    gfp_t gfp)
11558 {
11559 	struct sk_buff *skb;
11560 	void *hdr;
11561 	struct nlattr *data;
11562 
11563 	skb = nlmsg_new(approxlen + 100, gfp);
11564 	if (!skb)
11565 		return NULL;
11566 
11567 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11568 	if (!hdr) {
11569 		kfree_skb(skb);
11570 		return NULL;
11571 	}
11572 
11573 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11574 		goto nla_put_failure;
11575 
11576 	if (info) {
11577 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11578 				info->vendor_id))
11579 			goto nla_put_failure;
11580 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11581 				info->subcmd))
11582 			goto nla_put_failure;
11583 	}
11584 
11585 	if (wdev) {
11586 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11587 				      wdev_id(wdev), NL80211_ATTR_PAD))
11588 			goto nla_put_failure;
11589 		if (wdev->netdev &&
11590 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11591 				wdev->netdev->ifindex))
11592 			goto nla_put_failure;
11593 	}
11594 
11595 	data = nla_nest_start_noflag(skb, attr);
11596 	if (!data)
11597 		goto nla_put_failure;
11598 
11599 	((void **)skb->cb)[0] = rdev;
11600 	((void **)skb->cb)[1] = hdr;
11601 	((void **)skb->cb)[2] = data;
11602 
11603 	return skb;
11604 
11605  nla_put_failure:
11606 	kfree_skb(skb);
11607 	return NULL;
11608 }
11609 
11610 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11611 					   struct wireless_dev *wdev,
11612 					   enum nl80211_commands cmd,
11613 					   enum nl80211_attrs attr,
11614 					   unsigned int portid,
11615 					   int vendor_event_idx,
11616 					   int approxlen, gfp_t gfp)
11617 {
11618 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11619 	const struct nl80211_vendor_cmd_info *info;
11620 
11621 	switch (cmd) {
11622 	case NL80211_CMD_TESTMODE:
11623 		if (WARN_ON(vendor_event_idx != -1))
11624 			return NULL;
11625 		info = NULL;
11626 		break;
11627 	case NL80211_CMD_VENDOR:
11628 		if (WARN_ON(vendor_event_idx < 0 ||
11629 			    vendor_event_idx >= wiphy->n_vendor_events))
11630 			return NULL;
11631 		info = &wiphy->vendor_events[vendor_event_idx];
11632 		break;
11633 	default:
11634 		WARN_ON(1);
11635 		return NULL;
11636 	}
11637 
11638 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11639 					   cmd, attr, info, gfp);
11640 }
11641 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11642 
11643 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11644 {
11645 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11646 	void *hdr = ((void **)skb->cb)[1];
11647 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11648 	struct nlattr *data = ((void **)skb->cb)[2];
11649 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11650 
11651 	/* clear CB data for netlink core to own from now on */
11652 	memset(skb->cb, 0, sizeof(skb->cb));
11653 
11654 	nla_nest_end(skb, data);
11655 	genlmsg_end(skb, hdr);
11656 
11657 	if (nlhdr->nlmsg_pid) {
11658 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11659 				nlhdr->nlmsg_pid);
11660 	} else {
11661 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11662 			mcgrp = NL80211_MCGRP_VENDOR;
11663 
11664 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11665 					skb, 0, mcgrp, gfp);
11666 	}
11667 }
11668 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11669 
11670 #ifdef CONFIG_NL80211_TESTMODE
11671 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11672 {
11673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11674 	struct wireless_dev *wdev;
11675 	int err;
11676 
11677 	lockdep_assert_held(&rdev->wiphy.mtx);
11678 
11679 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11680 					  info->attrs);
11681 
11682 	if (!rdev->ops->testmode_cmd)
11683 		return -EOPNOTSUPP;
11684 
11685 	if (IS_ERR(wdev)) {
11686 		err = PTR_ERR(wdev);
11687 		if (err != -EINVAL)
11688 			return err;
11689 		wdev = NULL;
11690 	} else if (wdev->wiphy != &rdev->wiphy) {
11691 		return -EINVAL;
11692 	}
11693 
11694 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11695 		return -EINVAL;
11696 
11697 	rdev->cur_cmd_info = info;
11698 	err = rdev_testmode_cmd(rdev, wdev,
11699 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11700 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11701 	rdev->cur_cmd_info = NULL;
11702 
11703 	return err;
11704 }
11705 
11706 static int nl80211_testmode_dump(struct sk_buff *skb,
11707 				 struct netlink_callback *cb)
11708 {
11709 	struct cfg80211_registered_device *rdev;
11710 	struct nlattr **attrbuf = NULL;
11711 	int err;
11712 	long phy_idx;
11713 	void *data = NULL;
11714 	int data_len = 0;
11715 
11716 	rtnl_lock();
11717 
11718 	if (cb->args[0]) {
11719 		/*
11720 		 * 0 is a valid index, but not valid for args[0],
11721 		 * so we need to offset by 1.
11722 		 */
11723 		phy_idx = cb->args[0] - 1;
11724 
11725 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11726 		if (!rdev) {
11727 			err = -ENOENT;
11728 			goto out_err;
11729 		}
11730 	} else {
11731 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11732 				  GFP_KERNEL);
11733 		if (!attrbuf) {
11734 			err = -ENOMEM;
11735 			goto out_err;
11736 		}
11737 
11738 		err = nlmsg_parse_deprecated(cb->nlh,
11739 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11740 					     attrbuf, nl80211_fam.maxattr,
11741 					     nl80211_policy, NULL);
11742 		if (err)
11743 			goto out_err;
11744 
11745 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11746 		if (IS_ERR(rdev)) {
11747 			err = PTR_ERR(rdev);
11748 			goto out_err;
11749 		}
11750 		phy_idx = rdev->wiphy_idx;
11751 
11752 		if (attrbuf[NL80211_ATTR_TESTDATA])
11753 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11754 	}
11755 
11756 	if (cb->args[1]) {
11757 		data = nla_data((void *)cb->args[1]);
11758 		data_len = nla_len((void *)cb->args[1]);
11759 	}
11760 
11761 	if (!rdev->ops->testmode_dump) {
11762 		err = -EOPNOTSUPP;
11763 		goto out_err;
11764 	}
11765 
11766 	while (1) {
11767 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11768 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11769 					   NL80211_CMD_TESTMODE);
11770 		struct nlattr *tmdata;
11771 
11772 		if (!hdr)
11773 			break;
11774 
11775 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11776 			genlmsg_cancel(skb, hdr);
11777 			break;
11778 		}
11779 
11780 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11781 		if (!tmdata) {
11782 			genlmsg_cancel(skb, hdr);
11783 			break;
11784 		}
11785 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11786 		nla_nest_end(skb, tmdata);
11787 
11788 		if (err == -ENOBUFS || err == -ENOENT) {
11789 			genlmsg_cancel(skb, hdr);
11790 			break;
11791 		} else if (err) {
11792 			genlmsg_cancel(skb, hdr);
11793 			goto out_err;
11794 		}
11795 
11796 		genlmsg_end(skb, hdr);
11797 	}
11798 
11799 	err = skb->len;
11800 	/* see above */
11801 	cb->args[0] = phy_idx + 1;
11802  out_err:
11803 	kfree(attrbuf);
11804 	rtnl_unlock();
11805 	return err;
11806 }
11807 #endif
11808 
11809 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11810 {
11811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11812 	struct net_device *dev = info->user_ptr[1];
11813 	struct cfg80211_connect_params connect;
11814 	struct wiphy *wiphy;
11815 	struct cfg80211_cached_keys *connkeys = NULL;
11816 	u32 freq = 0;
11817 	int err;
11818 
11819 	memset(&connect, 0, sizeof(connect));
11820 
11821 	if (!info->attrs[NL80211_ATTR_SSID] ||
11822 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11823 		return -EINVAL;
11824 
11825 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11826 		connect.auth_type =
11827 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11828 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11829 					     NL80211_CMD_CONNECT))
11830 			return -EINVAL;
11831 	} else
11832 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11833 
11834 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11835 
11836 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11837 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11838 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11839 		return -EINVAL;
11840 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11841 
11842 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11843 				      NL80211_MAX_NR_CIPHER_SUITES);
11844 	if (err)
11845 		return err;
11846 
11847 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11848 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11849 		return -EOPNOTSUPP;
11850 
11851 	wiphy = &rdev->wiphy;
11852 
11853 	connect.bg_scan_period = -1;
11854 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11855 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11856 		connect.bg_scan_period =
11857 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11858 	}
11859 
11860 	if (info->attrs[NL80211_ATTR_MAC])
11861 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11862 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11863 		connect.bssid_hint =
11864 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11865 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11866 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11867 
11868 	if (info->attrs[NL80211_ATTR_IE]) {
11869 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11870 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11871 	}
11872 
11873 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11874 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11875 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11876 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11877 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11878 			return -EOPNOTSUPP;
11879 	} else {
11880 		connect.mfp = NL80211_MFP_NO;
11881 	}
11882 
11883 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11884 		connect.prev_bssid =
11885 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11886 
11887 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11888 		freq = MHZ_TO_KHZ(nla_get_u32(
11889 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11890 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11891 		freq +=
11892 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11893 
11894 	if (freq) {
11895 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11896 		if (!connect.channel)
11897 			return -EINVAL;
11898 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11899 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11900 		freq = MHZ_TO_KHZ(freq);
11901 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11902 		if (!connect.channel_hint)
11903 			return -EINVAL;
11904 	}
11905 
11906 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11907 		connect.edmg.channels =
11908 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11909 
11910 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11911 			connect.edmg.bw_config =
11912 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11913 	}
11914 
11915 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11916 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11917 		if (IS_ERR(connkeys))
11918 			return PTR_ERR(connkeys);
11919 	}
11920 
11921 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11922 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11923 
11924 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11925 		memcpy(&connect.ht_capa_mask,
11926 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11927 		       sizeof(connect.ht_capa_mask));
11928 
11929 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11930 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11931 			kfree_sensitive(connkeys);
11932 			return -EINVAL;
11933 		}
11934 		memcpy(&connect.ht_capa,
11935 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11936 		       sizeof(connect.ht_capa));
11937 	}
11938 
11939 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11940 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11941 
11942 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11943 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11944 
11945 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11946 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11947 
11948 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11949 		memcpy(&connect.vht_capa_mask,
11950 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11951 		       sizeof(connect.vht_capa_mask));
11952 
11953 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11954 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11955 			kfree_sensitive(connkeys);
11956 			return -EINVAL;
11957 		}
11958 		memcpy(&connect.vht_capa,
11959 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11960 		       sizeof(connect.vht_capa));
11961 	}
11962 
11963 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11964 		if (!((rdev->wiphy.features &
11965 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11966 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11967 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11968 					     NL80211_EXT_FEATURE_RRM)) {
11969 			kfree_sensitive(connkeys);
11970 			return -EINVAL;
11971 		}
11972 		connect.flags |= ASSOC_REQ_USE_RRM;
11973 	}
11974 
11975 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11976 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11977 		kfree_sensitive(connkeys);
11978 		return -EOPNOTSUPP;
11979 	}
11980 
11981 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11982 		/* bss selection makes no sense if bssid is set */
11983 		if (connect.bssid) {
11984 			kfree_sensitive(connkeys);
11985 			return -EINVAL;
11986 		}
11987 
11988 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11989 				       wiphy, &connect.bss_select);
11990 		if (err) {
11991 			kfree_sensitive(connkeys);
11992 			return err;
11993 		}
11994 	}
11995 
11996 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11997 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11998 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11999 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12000 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12001 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12002 		connect.fils_erp_username =
12003 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12004 		connect.fils_erp_username_len =
12005 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12006 		connect.fils_erp_realm =
12007 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12008 		connect.fils_erp_realm_len =
12009 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12010 		connect.fils_erp_next_seq_num =
12011 			nla_get_u16(
12012 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12013 		connect.fils_erp_rrk =
12014 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12015 		connect.fils_erp_rrk_len =
12016 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12017 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12018 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12019 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12020 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12021 		kfree_sensitive(connkeys);
12022 		return -EINVAL;
12023 	}
12024 
12025 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12026 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12027 			kfree_sensitive(connkeys);
12028 			GENL_SET_ERR_MSG(info,
12029 					 "external auth requires connection ownership");
12030 			return -EINVAL;
12031 		}
12032 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12033 	}
12034 
12035 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12036 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12037 
12038 	wdev_lock(dev->ieee80211_ptr);
12039 
12040 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12041 			       connect.prev_bssid);
12042 	if (err)
12043 		kfree_sensitive(connkeys);
12044 
12045 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12046 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12047 		if (connect.bssid)
12048 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12049 			       connect.bssid, ETH_ALEN);
12050 		else
12051 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12052 	}
12053 
12054 	wdev_unlock(dev->ieee80211_ptr);
12055 
12056 	return err;
12057 }
12058 
12059 static int nl80211_update_connect_params(struct sk_buff *skb,
12060 					 struct genl_info *info)
12061 {
12062 	struct cfg80211_connect_params connect = {};
12063 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12064 	struct net_device *dev = info->user_ptr[1];
12065 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12066 	bool fils_sk_offload;
12067 	u32 auth_type;
12068 	u32 changed = 0;
12069 	int ret;
12070 
12071 	if (!rdev->ops->update_connect_params)
12072 		return -EOPNOTSUPP;
12073 
12074 	if (info->attrs[NL80211_ATTR_IE]) {
12075 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12076 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12077 		changed |= UPDATE_ASSOC_IES;
12078 	}
12079 
12080 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12081 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12082 
12083 	/*
12084 	 * when driver supports fils-sk offload all attributes must be
12085 	 * provided. So the else covers "fils-sk-not-all" and
12086 	 * "no-fils-sk-any".
12087 	 */
12088 	if (fils_sk_offload &&
12089 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12090 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12091 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12092 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12093 		connect.fils_erp_username =
12094 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12095 		connect.fils_erp_username_len =
12096 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12097 		connect.fils_erp_realm =
12098 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12099 		connect.fils_erp_realm_len =
12100 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12101 		connect.fils_erp_next_seq_num =
12102 			nla_get_u16(
12103 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12104 		connect.fils_erp_rrk =
12105 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12106 		connect.fils_erp_rrk_len =
12107 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12108 		changed |= UPDATE_FILS_ERP_INFO;
12109 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12110 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12111 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12112 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12113 		return -EINVAL;
12114 	}
12115 
12116 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12117 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12118 		if (!nl80211_valid_auth_type(rdev, auth_type,
12119 					     NL80211_CMD_CONNECT))
12120 			return -EINVAL;
12121 
12122 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12123 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12124 			return -EINVAL;
12125 
12126 		connect.auth_type = auth_type;
12127 		changed |= UPDATE_AUTH_TYPE;
12128 	}
12129 
12130 	wdev_lock(dev->ieee80211_ptr);
12131 	if (!wdev->connected)
12132 		ret = -ENOLINK;
12133 	else
12134 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
12135 	wdev_unlock(dev->ieee80211_ptr);
12136 
12137 	return ret;
12138 }
12139 
12140 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12141 {
12142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12143 	struct net_device *dev = info->user_ptr[1];
12144 	u16 reason;
12145 	int ret;
12146 
12147 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12148 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12149 		return -EPERM;
12150 
12151 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12152 		reason = WLAN_REASON_DEAUTH_LEAVING;
12153 	else
12154 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12155 
12156 	if (reason == 0)
12157 		return -EINVAL;
12158 
12159 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12160 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12161 		return -EOPNOTSUPP;
12162 
12163 	wdev_lock(dev->ieee80211_ptr);
12164 	ret = cfg80211_disconnect(rdev, dev, reason, true);
12165 	wdev_unlock(dev->ieee80211_ptr);
12166 	return ret;
12167 }
12168 
12169 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12170 {
12171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12172 	struct net *net;
12173 	int err;
12174 
12175 	if (info->attrs[NL80211_ATTR_PID]) {
12176 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12177 
12178 		net = get_net_ns_by_pid(pid);
12179 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12180 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12181 
12182 		net = get_net_ns_by_fd(fd);
12183 	} else {
12184 		return -EINVAL;
12185 	}
12186 
12187 	if (IS_ERR(net))
12188 		return PTR_ERR(net);
12189 
12190 	err = 0;
12191 
12192 	/* check if anything to do */
12193 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12194 		err = cfg80211_switch_netns(rdev, net);
12195 
12196 	put_net(net);
12197 	return err;
12198 }
12199 
12200 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
12201 {
12202 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12203 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
12204 			struct cfg80211_pmksa *pmksa) = NULL;
12205 	struct net_device *dev = info->user_ptr[1];
12206 	struct cfg80211_pmksa pmksa;
12207 
12208 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12209 
12210 	if (!info->attrs[NL80211_ATTR_PMKID])
12211 		return -EINVAL;
12212 
12213 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12214 
12215 	if (info->attrs[NL80211_ATTR_MAC]) {
12216 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12217 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12218 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12219 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
12220 		    info->attrs[NL80211_ATTR_PMK])) {
12221 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12222 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12223 		pmksa.cache_id =
12224 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12225 	} else {
12226 		return -EINVAL;
12227 	}
12228 	if (info->attrs[NL80211_ATTR_PMK]) {
12229 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12230 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12231 	}
12232 
12233 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12234 		pmksa.pmk_lifetime =
12235 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12236 
12237 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12238 		pmksa.pmk_reauth_threshold =
12239 			nla_get_u8(
12240 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12241 
12242 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12243 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12244 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12245 	      wiphy_ext_feature_isset(&rdev->wiphy,
12246 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12247 		return -EOPNOTSUPP;
12248 
12249 	switch (info->genlhdr->cmd) {
12250 	case NL80211_CMD_SET_PMKSA:
12251 		rdev_ops = rdev->ops->set_pmksa;
12252 		break;
12253 	case NL80211_CMD_DEL_PMKSA:
12254 		rdev_ops = rdev->ops->del_pmksa;
12255 		break;
12256 	default:
12257 		WARN_ON(1);
12258 		break;
12259 	}
12260 
12261 	if (!rdev_ops)
12262 		return -EOPNOTSUPP;
12263 
12264 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12265 }
12266 
12267 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12268 {
12269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12270 	struct net_device *dev = info->user_ptr[1];
12271 
12272 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12273 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12274 		return -EOPNOTSUPP;
12275 
12276 	if (!rdev->ops->flush_pmksa)
12277 		return -EOPNOTSUPP;
12278 
12279 	return rdev_flush_pmksa(rdev, dev);
12280 }
12281 
12282 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12283 {
12284 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12285 	struct net_device *dev = info->user_ptr[1];
12286 	u8 action_code, dialog_token;
12287 	u32 peer_capability = 0;
12288 	u16 status_code;
12289 	u8 *peer;
12290 	int link_id;
12291 	bool initiator;
12292 
12293 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12294 	    !rdev->ops->tdls_mgmt)
12295 		return -EOPNOTSUPP;
12296 
12297 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12298 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12299 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12300 	    !info->attrs[NL80211_ATTR_IE] ||
12301 	    !info->attrs[NL80211_ATTR_MAC])
12302 		return -EINVAL;
12303 
12304 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12305 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12306 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12307 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12308 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12309 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12310 		peer_capability =
12311 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12312 	link_id = nl80211_link_id_or_invalid(info->attrs);
12313 
12314 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12315 			      dialog_token, status_code, peer_capability,
12316 			      initiator,
12317 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12318 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12319 }
12320 
12321 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12322 {
12323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12324 	struct net_device *dev = info->user_ptr[1];
12325 	enum nl80211_tdls_operation operation;
12326 	u8 *peer;
12327 
12328 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12329 	    !rdev->ops->tdls_oper)
12330 		return -EOPNOTSUPP;
12331 
12332 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12333 	    !info->attrs[NL80211_ATTR_MAC])
12334 		return -EINVAL;
12335 
12336 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12337 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12338 
12339 	return rdev_tdls_oper(rdev, dev, peer, operation);
12340 }
12341 
12342 static int nl80211_remain_on_channel(struct sk_buff *skb,
12343 				     struct genl_info *info)
12344 {
12345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12346 	unsigned int link_id = nl80211_link_id(info->attrs);
12347 	struct wireless_dev *wdev = info->user_ptr[1];
12348 	struct cfg80211_chan_def chandef;
12349 	struct sk_buff *msg;
12350 	void *hdr;
12351 	u64 cookie;
12352 	u32 duration;
12353 	int err;
12354 
12355 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12356 	    !info->attrs[NL80211_ATTR_DURATION])
12357 		return -EINVAL;
12358 
12359 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12360 
12361 	if (!rdev->ops->remain_on_channel ||
12362 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12363 		return -EOPNOTSUPP;
12364 
12365 	/*
12366 	 * We should be on that channel for at least a minimum amount of
12367 	 * time (10ms) but no longer than the driver supports.
12368 	 */
12369 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12370 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12371 		return -EINVAL;
12372 
12373 	err = nl80211_parse_chandef(rdev, info, &chandef);
12374 	if (err)
12375 		return err;
12376 
12377 	wdev_lock(wdev);
12378 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12379 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12380 
12381 		oper_chandef = wdev_chandef(wdev, link_id);
12382 
12383 		if (WARN_ON(!oper_chandef)) {
12384 			/* cannot happen since we must beacon to get here */
12385 			WARN_ON(1);
12386 			wdev_unlock(wdev);
12387 			return -EBUSY;
12388 		}
12389 
12390 		/* note: returns first one if identical chandefs */
12391 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12392 							     oper_chandef);
12393 
12394 		if (compat_chandef != &chandef) {
12395 			wdev_unlock(wdev);
12396 			return -EBUSY;
12397 		}
12398 	}
12399 	wdev_unlock(wdev);
12400 
12401 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12402 	if (!msg)
12403 		return -ENOMEM;
12404 
12405 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12406 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12407 	if (!hdr) {
12408 		err = -ENOBUFS;
12409 		goto free_msg;
12410 	}
12411 
12412 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12413 				     duration, &cookie);
12414 
12415 	if (err)
12416 		goto free_msg;
12417 
12418 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12419 			      NL80211_ATTR_PAD))
12420 		goto nla_put_failure;
12421 
12422 	genlmsg_end(msg, hdr);
12423 
12424 	return genlmsg_reply(msg, info);
12425 
12426  nla_put_failure:
12427 	err = -ENOBUFS;
12428  free_msg:
12429 	nlmsg_free(msg);
12430 	return err;
12431 }
12432 
12433 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12434 					    struct genl_info *info)
12435 {
12436 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12437 	struct wireless_dev *wdev = info->user_ptr[1];
12438 	u64 cookie;
12439 
12440 	if (!info->attrs[NL80211_ATTR_COOKIE])
12441 		return -EINVAL;
12442 
12443 	if (!rdev->ops->cancel_remain_on_channel)
12444 		return -EOPNOTSUPP;
12445 
12446 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12447 
12448 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12449 }
12450 
12451 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12452 				       struct genl_info *info)
12453 {
12454 	struct cfg80211_bitrate_mask mask;
12455 	unsigned int link_id = nl80211_link_id(info->attrs);
12456 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12457 	struct net_device *dev = info->user_ptr[1];
12458 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12459 	int err;
12460 
12461 	if (!rdev->ops->set_bitrate_mask)
12462 		return -EOPNOTSUPP;
12463 
12464 	wdev_lock(wdev);
12465 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12466 					    NL80211_ATTR_TX_RATES, &mask,
12467 					    dev, true, link_id);
12468 	if (err)
12469 		goto out;
12470 
12471 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12472 out:
12473 	wdev_unlock(wdev);
12474 	return err;
12475 }
12476 
12477 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12478 {
12479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12480 	struct wireless_dev *wdev = info->user_ptr[1];
12481 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12482 
12483 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12484 		return -EINVAL;
12485 
12486 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12487 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12488 
12489 	switch (wdev->iftype) {
12490 	case NL80211_IFTYPE_STATION:
12491 	case NL80211_IFTYPE_ADHOC:
12492 	case NL80211_IFTYPE_P2P_CLIENT:
12493 	case NL80211_IFTYPE_AP:
12494 	case NL80211_IFTYPE_AP_VLAN:
12495 	case NL80211_IFTYPE_MESH_POINT:
12496 	case NL80211_IFTYPE_P2P_GO:
12497 	case NL80211_IFTYPE_P2P_DEVICE:
12498 		break;
12499 	case NL80211_IFTYPE_NAN:
12500 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12501 					     NL80211_EXT_FEATURE_SECURE_NAN))
12502 			return -EOPNOTSUPP;
12503 		break;
12504 	default:
12505 		return -EOPNOTSUPP;
12506 	}
12507 
12508 	/* not much point in registering if we can't reply */
12509 	if (!rdev->ops->mgmt_tx)
12510 		return -EOPNOTSUPP;
12511 
12512 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12513 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12514 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12515 		GENL_SET_ERR_MSG(info,
12516 				 "multicast RX registrations are not supported");
12517 		return -EOPNOTSUPP;
12518 	}
12519 
12520 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12521 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12522 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12523 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12524 					   info->extack);
12525 }
12526 
12527 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12528 {
12529 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12530 	struct wireless_dev *wdev = info->user_ptr[1];
12531 	struct cfg80211_chan_def chandef;
12532 	int err;
12533 	void *hdr = NULL;
12534 	u64 cookie;
12535 	struct sk_buff *msg = NULL;
12536 	struct cfg80211_mgmt_tx_params params = {
12537 		.dont_wait_for_ack =
12538 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12539 	};
12540 
12541 	if (!info->attrs[NL80211_ATTR_FRAME])
12542 		return -EINVAL;
12543 
12544 	if (!rdev->ops->mgmt_tx)
12545 		return -EOPNOTSUPP;
12546 
12547 	switch (wdev->iftype) {
12548 	case NL80211_IFTYPE_P2P_DEVICE:
12549 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12550 			return -EINVAL;
12551 		break;
12552 	case NL80211_IFTYPE_STATION:
12553 	case NL80211_IFTYPE_ADHOC:
12554 	case NL80211_IFTYPE_P2P_CLIENT:
12555 	case NL80211_IFTYPE_AP:
12556 	case NL80211_IFTYPE_AP_VLAN:
12557 	case NL80211_IFTYPE_MESH_POINT:
12558 	case NL80211_IFTYPE_P2P_GO:
12559 		break;
12560 	case NL80211_IFTYPE_NAN:
12561 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12562 					     NL80211_EXT_FEATURE_SECURE_NAN))
12563 			return -EOPNOTSUPP;
12564 		break;
12565 	default:
12566 		return -EOPNOTSUPP;
12567 	}
12568 
12569 	if (info->attrs[NL80211_ATTR_DURATION]) {
12570 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12571 			return -EINVAL;
12572 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12573 
12574 		/*
12575 		 * We should wait on the channel for at least a minimum amount
12576 		 * of time (10ms) but no longer than the driver supports.
12577 		 */
12578 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12579 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12580 			return -EINVAL;
12581 	}
12582 
12583 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12584 
12585 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12586 		return -EINVAL;
12587 
12588 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12589 
12590 	/* get the channel if any has been specified, otherwise pass NULL to
12591 	 * the driver. The latter will use the current one
12592 	 */
12593 	chandef.chan = NULL;
12594 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12595 		err = nl80211_parse_chandef(rdev, info, &chandef);
12596 		if (err)
12597 			return err;
12598 	}
12599 
12600 	if (!chandef.chan && params.offchan)
12601 		return -EINVAL;
12602 
12603 	wdev_lock(wdev);
12604 	if (params.offchan &&
12605 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12606 		wdev_unlock(wdev);
12607 		return -EBUSY;
12608 	}
12609 
12610 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12611 	/*
12612 	 * This now races due to the unlock, but we cannot check
12613 	 * the valid links for the _station_ anyway, so that's up
12614 	 * to the driver.
12615 	 */
12616 	if (params.link_id >= 0 &&
12617 	    !(wdev->valid_links & BIT(params.link_id))) {
12618 		wdev_unlock(wdev);
12619 		return -EINVAL;
12620 	}
12621 	wdev_unlock(wdev);
12622 
12623 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12624 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12625 
12626 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12627 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12628 		int i;
12629 
12630 		if (len % sizeof(u16))
12631 			return -EINVAL;
12632 
12633 		params.n_csa_offsets = len / sizeof(u16);
12634 		params.csa_offsets =
12635 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12636 
12637 		/* check that all the offsets fit the frame */
12638 		for (i = 0; i < params.n_csa_offsets; i++) {
12639 			if (params.csa_offsets[i] >= params.len)
12640 				return -EINVAL;
12641 		}
12642 	}
12643 
12644 	if (!params.dont_wait_for_ack) {
12645 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12646 		if (!msg)
12647 			return -ENOMEM;
12648 
12649 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12650 				     NL80211_CMD_FRAME);
12651 		if (!hdr) {
12652 			err = -ENOBUFS;
12653 			goto free_msg;
12654 		}
12655 	}
12656 
12657 	params.chan = chandef.chan;
12658 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12659 	if (err)
12660 		goto free_msg;
12661 
12662 	if (msg) {
12663 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12664 				      NL80211_ATTR_PAD))
12665 			goto nla_put_failure;
12666 
12667 		genlmsg_end(msg, hdr);
12668 		return genlmsg_reply(msg, info);
12669 	}
12670 
12671 	return 0;
12672 
12673  nla_put_failure:
12674 	err = -ENOBUFS;
12675  free_msg:
12676 	nlmsg_free(msg);
12677 	return err;
12678 }
12679 
12680 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12681 {
12682 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12683 	struct wireless_dev *wdev = info->user_ptr[1];
12684 	u64 cookie;
12685 
12686 	if (!info->attrs[NL80211_ATTR_COOKIE])
12687 		return -EINVAL;
12688 
12689 	if (!rdev->ops->mgmt_tx_cancel_wait)
12690 		return -EOPNOTSUPP;
12691 
12692 	switch (wdev->iftype) {
12693 	case NL80211_IFTYPE_STATION:
12694 	case NL80211_IFTYPE_ADHOC:
12695 	case NL80211_IFTYPE_P2P_CLIENT:
12696 	case NL80211_IFTYPE_AP:
12697 	case NL80211_IFTYPE_AP_VLAN:
12698 	case NL80211_IFTYPE_P2P_GO:
12699 	case NL80211_IFTYPE_P2P_DEVICE:
12700 		break;
12701 	case NL80211_IFTYPE_NAN:
12702 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12703 					     NL80211_EXT_FEATURE_SECURE_NAN))
12704 			return -EOPNOTSUPP;
12705 		break;
12706 	default:
12707 		return -EOPNOTSUPP;
12708 	}
12709 
12710 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12711 
12712 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12713 }
12714 
12715 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12716 {
12717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12718 	struct wireless_dev *wdev;
12719 	struct net_device *dev = info->user_ptr[1];
12720 	u8 ps_state;
12721 	bool state;
12722 	int err;
12723 
12724 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12725 		return -EINVAL;
12726 
12727 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12728 
12729 	wdev = dev->ieee80211_ptr;
12730 
12731 	if (!rdev->ops->set_power_mgmt)
12732 		return -EOPNOTSUPP;
12733 
12734 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12735 
12736 	if (state == wdev->ps)
12737 		return 0;
12738 
12739 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12740 	if (!err)
12741 		wdev->ps = state;
12742 	return err;
12743 }
12744 
12745 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12746 {
12747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12748 	enum nl80211_ps_state ps_state;
12749 	struct wireless_dev *wdev;
12750 	struct net_device *dev = info->user_ptr[1];
12751 	struct sk_buff *msg;
12752 	void *hdr;
12753 	int err;
12754 
12755 	wdev = dev->ieee80211_ptr;
12756 
12757 	if (!rdev->ops->set_power_mgmt)
12758 		return -EOPNOTSUPP;
12759 
12760 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12761 	if (!msg)
12762 		return -ENOMEM;
12763 
12764 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12765 			     NL80211_CMD_GET_POWER_SAVE);
12766 	if (!hdr) {
12767 		err = -ENOBUFS;
12768 		goto free_msg;
12769 	}
12770 
12771 	if (wdev->ps)
12772 		ps_state = NL80211_PS_ENABLED;
12773 	else
12774 		ps_state = NL80211_PS_DISABLED;
12775 
12776 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12777 		goto nla_put_failure;
12778 
12779 	genlmsg_end(msg, hdr);
12780 	return genlmsg_reply(msg, info);
12781 
12782  nla_put_failure:
12783 	err = -ENOBUFS;
12784  free_msg:
12785 	nlmsg_free(msg);
12786 	return err;
12787 }
12788 
12789 static const struct nla_policy
12790 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12791 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12792 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12793 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12794 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12795 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12796 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12797 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12798 };
12799 
12800 static int nl80211_set_cqm_txe(struct genl_info *info,
12801 			       u32 rate, u32 pkts, u32 intvl)
12802 {
12803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12804 	struct net_device *dev = info->user_ptr[1];
12805 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12806 
12807 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12808 		return -EINVAL;
12809 
12810 	if (!rdev->ops->set_cqm_txe_config)
12811 		return -EOPNOTSUPP;
12812 
12813 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12814 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12815 		return -EOPNOTSUPP;
12816 
12817 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12818 }
12819 
12820 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12821 				    struct net_device *dev,
12822 				    struct cfg80211_cqm_config *cqm_config)
12823 {
12824 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12825 	s32 last, low, high;
12826 	u32 hyst;
12827 	int i, n, low_index;
12828 	int err;
12829 
12830 	/*
12831 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12832 	 * event has been received yet, we should receive an event after a
12833 	 * connection is established and enough beacons received to calculate
12834 	 * the average.
12835 	 */
12836 	if (!cqm_config->last_rssi_event_value &&
12837 	    wdev->links[0].client.current_bss &&
12838 	    rdev->ops->get_station) {
12839 		struct station_info sinfo = {};
12840 		u8 *mac_addr;
12841 
12842 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12843 
12844 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12845 		if (err)
12846 			return err;
12847 
12848 		cfg80211_sinfo_release_content(&sinfo);
12849 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12850 			cqm_config->last_rssi_event_value =
12851 				(s8) sinfo.rx_beacon_signal_avg;
12852 	}
12853 
12854 	last = cqm_config->last_rssi_event_value;
12855 	hyst = cqm_config->rssi_hyst;
12856 	n = cqm_config->n_rssi_thresholds;
12857 
12858 	for (i = 0; i < n; i++) {
12859 		i = array_index_nospec(i, n);
12860 		if (last < cqm_config->rssi_thresholds[i])
12861 			break;
12862 	}
12863 
12864 	low_index = i - 1;
12865 	if (low_index >= 0) {
12866 		low_index = array_index_nospec(low_index, n);
12867 		low = cqm_config->rssi_thresholds[low_index] - hyst;
12868 	} else {
12869 		low = S32_MIN;
12870 	}
12871 	if (i < n) {
12872 		i = array_index_nospec(i, n);
12873 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
12874 	} else {
12875 		high = S32_MAX;
12876 	}
12877 
12878 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12879 }
12880 
12881 static int nl80211_set_cqm_rssi(struct genl_info *info,
12882 				const s32 *thresholds, int n_thresholds,
12883 				u32 hysteresis)
12884 {
12885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12886 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
12887 	struct net_device *dev = info->user_ptr[1];
12888 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12889 	int i, err;
12890 	s32 prev = S32_MIN;
12891 
12892 	/* Check all values negative and sorted */
12893 	for (i = 0; i < n_thresholds; i++) {
12894 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12895 			return -EINVAL;
12896 
12897 		prev = thresholds[i];
12898 	}
12899 
12900 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12901 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12902 		return -EOPNOTSUPP;
12903 
12904 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12905 		n_thresholds = 0;
12906 
12907 	wdev_lock(wdev);
12908 	old = rcu_dereference_protected(wdev->cqm_config,
12909 					lockdep_is_held(&wdev->mtx));
12910 
12911 	/* if already disabled just succeed */
12912 	if (!n_thresholds && !old) {
12913 		err = 0;
12914 		goto unlock;
12915 	}
12916 
12917 	if (n_thresholds > 1) {
12918 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12919 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
12920 		    !rdev->ops->set_cqm_rssi_range_config) {
12921 			err = -EOPNOTSUPP;
12922 			goto unlock;
12923 		}
12924 	} else {
12925 		if (!rdev->ops->set_cqm_rssi_config) {
12926 			err = -EOPNOTSUPP;
12927 			goto unlock;
12928 		}
12929 	}
12930 
12931 	if (n_thresholds) {
12932 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12933 						 n_thresholds),
12934 				     GFP_KERNEL);
12935 		if (!cqm_config) {
12936 			err = -ENOMEM;
12937 			goto unlock;
12938 		}
12939 
12940 		cqm_config->rssi_hyst = hysteresis;
12941 		cqm_config->n_rssi_thresholds = n_thresholds;
12942 		memcpy(cqm_config->rssi_thresholds, thresholds,
12943 		       flex_array_size(cqm_config, rssi_thresholds,
12944 				       n_thresholds));
12945 		cqm_config->use_range_api = n_thresholds > 1 ||
12946 					    !rdev->ops->set_cqm_rssi_config;
12947 
12948 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
12949 
12950 		if (cqm_config->use_range_api)
12951 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
12952 		else
12953 			err = rdev_set_cqm_rssi_config(rdev, dev,
12954 						       thresholds[0],
12955 						       hysteresis);
12956 	} else {
12957 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
12958 		/* if enabled as range also disable via range */
12959 		if (old->use_range_api)
12960 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12961 		else
12962 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12963 	}
12964 
12965 	if (err) {
12966 		rcu_assign_pointer(wdev->cqm_config, old);
12967 		kfree_rcu(cqm_config, rcu_head);
12968 	} else {
12969 		kfree_rcu(old, rcu_head);
12970 	}
12971 unlock:
12972 	wdev_unlock(wdev);
12973 
12974 	return err;
12975 }
12976 
12977 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12978 {
12979 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12980 	struct nlattr *cqm;
12981 	int err;
12982 
12983 	cqm = info->attrs[NL80211_ATTR_CQM];
12984 	if (!cqm)
12985 		return -EINVAL;
12986 
12987 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12988 					  nl80211_attr_cqm_policy,
12989 					  info->extack);
12990 	if (err)
12991 		return err;
12992 
12993 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12994 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12995 		const s32 *thresholds =
12996 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12997 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12998 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12999 
13000 		if (len % 4)
13001 			return -EINVAL;
13002 
13003 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13004 					    hysteresis);
13005 	}
13006 
13007 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13008 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13009 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13010 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13011 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13012 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13013 
13014 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13015 	}
13016 
13017 	return -EINVAL;
13018 }
13019 
13020 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13021 {
13022 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13023 	struct net_device *dev = info->user_ptr[1];
13024 	struct ocb_setup setup = {};
13025 	int err;
13026 
13027 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13028 	if (err)
13029 		return err;
13030 
13031 	return cfg80211_join_ocb(rdev, dev, &setup);
13032 }
13033 
13034 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13035 {
13036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13037 	struct net_device *dev = info->user_ptr[1];
13038 
13039 	return cfg80211_leave_ocb(rdev, dev);
13040 }
13041 
13042 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13043 {
13044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13045 	struct net_device *dev = info->user_ptr[1];
13046 	struct mesh_config cfg;
13047 	struct mesh_setup setup;
13048 	int err;
13049 
13050 	/* start with default */
13051 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13052 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13053 
13054 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13055 		/* and parse parameters if given */
13056 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13057 		if (err)
13058 			return err;
13059 	}
13060 
13061 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13062 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13063 		return -EINVAL;
13064 
13065 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13066 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13067 
13068 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13069 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13070 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13071 			return -EINVAL;
13072 
13073 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13074 		setup.beacon_interval =
13075 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13076 
13077 		err = cfg80211_validate_beacon_int(rdev,
13078 						   NL80211_IFTYPE_MESH_POINT,
13079 						   setup.beacon_interval);
13080 		if (err)
13081 			return err;
13082 	}
13083 
13084 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13085 		setup.dtim_period =
13086 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13087 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13088 			return -EINVAL;
13089 	}
13090 
13091 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13092 		/* parse additional setup parameters if given */
13093 		err = nl80211_parse_mesh_setup(info, &setup);
13094 		if (err)
13095 			return err;
13096 	}
13097 
13098 	if (setup.user_mpm)
13099 		cfg.auto_open_plinks = false;
13100 
13101 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13102 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13103 		if (err)
13104 			return err;
13105 	} else {
13106 		/* __cfg80211_join_mesh() will sort it out */
13107 		setup.chandef.chan = NULL;
13108 	}
13109 
13110 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13111 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13112 		int n_rates =
13113 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13114 		struct ieee80211_supported_band *sband;
13115 
13116 		if (!setup.chandef.chan)
13117 			return -EINVAL;
13118 
13119 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13120 
13121 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13122 					     &setup.basic_rates);
13123 		if (err)
13124 			return err;
13125 	}
13126 
13127 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13128 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13129 						    NL80211_ATTR_TX_RATES,
13130 						    &setup.beacon_rate,
13131 						    dev, false, 0);
13132 		if (err)
13133 			return err;
13134 
13135 		if (!setup.chandef.chan)
13136 			return -EINVAL;
13137 
13138 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13139 					      &setup.beacon_rate);
13140 		if (err)
13141 			return err;
13142 	}
13143 
13144 	setup.userspace_handles_dfs =
13145 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13146 
13147 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13148 		int r = validate_pae_over_nl80211(rdev, info);
13149 
13150 		if (r < 0)
13151 			return r;
13152 
13153 		setup.control_port_over_nl80211 = true;
13154 	}
13155 
13156 	wdev_lock(dev->ieee80211_ptr);
13157 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13158 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13159 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13160 	wdev_unlock(dev->ieee80211_ptr);
13161 
13162 	return err;
13163 }
13164 
13165 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13166 {
13167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13168 	struct net_device *dev = info->user_ptr[1];
13169 
13170 	return cfg80211_leave_mesh(rdev, dev);
13171 }
13172 
13173 #ifdef CONFIG_PM
13174 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13175 					struct cfg80211_registered_device *rdev)
13176 {
13177 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13178 	struct nlattr *nl_pats, *nl_pat;
13179 	int i, pat_len;
13180 
13181 	if (!wowlan->n_patterns)
13182 		return 0;
13183 
13184 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13185 	if (!nl_pats)
13186 		return -ENOBUFS;
13187 
13188 	for (i = 0; i < wowlan->n_patterns; i++) {
13189 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13190 		if (!nl_pat)
13191 			return -ENOBUFS;
13192 		pat_len = wowlan->patterns[i].pattern_len;
13193 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13194 			    wowlan->patterns[i].mask) ||
13195 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13196 			    wowlan->patterns[i].pattern) ||
13197 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13198 				wowlan->patterns[i].pkt_offset))
13199 			return -ENOBUFS;
13200 		nla_nest_end(msg, nl_pat);
13201 	}
13202 	nla_nest_end(msg, nl_pats);
13203 
13204 	return 0;
13205 }
13206 
13207 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13208 				   struct cfg80211_wowlan_tcp *tcp)
13209 {
13210 	struct nlattr *nl_tcp;
13211 
13212 	if (!tcp)
13213 		return 0;
13214 
13215 	nl_tcp = nla_nest_start_noflag(msg,
13216 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13217 	if (!nl_tcp)
13218 		return -ENOBUFS;
13219 
13220 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13221 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13222 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13223 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13224 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13225 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13226 		    tcp->payload_len, tcp->payload) ||
13227 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13228 			tcp->data_interval) ||
13229 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13230 		    tcp->wake_len, tcp->wake_data) ||
13231 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13232 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13233 		return -ENOBUFS;
13234 
13235 	if (tcp->payload_seq.len &&
13236 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13237 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13238 		return -ENOBUFS;
13239 
13240 	if (tcp->payload_tok.len &&
13241 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13242 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13243 		    &tcp->payload_tok))
13244 		return -ENOBUFS;
13245 
13246 	nla_nest_end(msg, nl_tcp);
13247 
13248 	return 0;
13249 }
13250 
13251 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13252 				  struct cfg80211_sched_scan_request *req)
13253 {
13254 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13255 	int i;
13256 
13257 	if (!req)
13258 		return 0;
13259 
13260 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13261 	if (!nd)
13262 		return -ENOBUFS;
13263 
13264 	if (req->n_scan_plans == 1 &&
13265 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13266 			req->scan_plans[0].interval * 1000))
13267 		return -ENOBUFS;
13268 
13269 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13270 		return -ENOBUFS;
13271 
13272 	if (req->relative_rssi_set) {
13273 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13274 
13275 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13276 			       req->relative_rssi))
13277 			return -ENOBUFS;
13278 
13279 		rssi_adjust.band = req->rssi_adjust.band;
13280 		rssi_adjust.delta = req->rssi_adjust.delta;
13281 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13282 			    sizeof(rssi_adjust), &rssi_adjust))
13283 			return -ENOBUFS;
13284 	}
13285 
13286 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13287 	if (!freqs)
13288 		return -ENOBUFS;
13289 
13290 	for (i = 0; i < req->n_channels; i++) {
13291 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13292 			return -ENOBUFS;
13293 	}
13294 
13295 	nla_nest_end(msg, freqs);
13296 
13297 	if (req->n_match_sets) {
13298 		matches = nla_nest_start_noflag(msg,
13299 						NL80211_ATTR_SCHED_SCAN_MATCH);
13300 		if (!matches)
13301 			return -ENOBUFS;
13302 
13303 		for (i = 0; i < req->n_match_sets; i++) {
13304 			match = nla_nest_start_noflag(msg, i);
13305 			if (!match)
13306 				return -ENOBUFS;
13307 
13308 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13309 				    req->match_sets[i].ssid.ssid_len,
13310 				    req->match_sets[i].ssid.ssid))
13311 				return -ENOBUFS;
13312 			nla_nest_end(msg, match);
13313 		}
13314 		nla_nest_end(msg, matches);
13315 	}
13316 
13317 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13318 	if (!scan_plans)
13319 		return -ENOBUFS;
13320 
13321 	for (i = 0; i < req->n_scan_plans; i++) {
13322 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13323 		if (!scan_plan)
13324 			return -ENOBUFS;
13325 
13326 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13327 				req->scan_plans[i].interval) ||
13328 		    (req->scan_plans[i].iterations &&
13329 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13330 				 req->scan_plans[i].iterations)))
13331 			return -ENOBUFS;
13332 		nla_nest_end(msg, scan_plan);
13333 	}
13334 	nla_nest_end(msg, scan_plans);
13335 
13336 	nla_nest_end(msg, nd);
13337 
13338 	return 0;
13339 }
13340 
13341 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13342 {
13343 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13344 	struct sk_buff *msg;
13345 	void *hdr;
13346 	u32 size = NLMSG_DEFAULT_SIZE;
13347 
13348 	if (!rdev->wiphy.wowlan)
13349 		return -EOPNOTSUPP;
13350 
13351 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13352 		/* adjust size to have room for all the data */
13353 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13354 			rdev->wiphy.wowlan_config->tcp->payload_len +
13355 			rdev->wiphy.wowlan_config->tcp->wake_len +
13356 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13357 	}
13358 
13359 	msg = nlmsg_new(size, GFP_KERNEL);
13360 	if (!msg)
13361 		return -ENOMEM;
13362 
13363 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13364 			     NL80211_CMD_GET_WOWLAN);
13365 	if (!hdr)
13366 		goto nla_put_failure;
13367 
13368 	if (rdev->wiphy.wowlan_config) {
13369 		struct nlattr *nl_wowlan;
13370 
13371 		nl_wowlan = nla_nest_start_noflag(msg,
13372 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13373 		if (!nl_wowlan)
13374 			goto nla_put_failure;
13375 
13376 		if ((rdev->wiphy.wowlan_config->any &&
13377 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13378 		    (rdev->wiphy.wowlan_config->disconnect &&
13379 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13380 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13381 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13382 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13383 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13384 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13385 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13386 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13387 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13388 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13389 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13390 			goto nla_put_failure;
13391 
13392 		if (nl80211_send_wowlan_patterns(msg, rdev))
13393 			goto nla_put_failure;
13394 
13395 		if (nl80211_send_wowlan_tcp(msg,
13396 					    rdev->wiphy.wowlan_config->tcp))
13397 			goto nla_put_failure;
13398 
13399 		if (nl80211_send_wowlan_nd(
13400 			    msg,
13401 			    rdev->wiphy.wowlan_config->nd_config))
13402 			goto nla_put_failure;
13403 
13404 		nla_nest_end(msg, nl_wowlan);
13405 	}
13406 
13407 	genlmsg_end(msg, hdr);
13408 	return genlmsg_reply(msg, info);
13409 
13410 nla_put_failure:
13411 	nlmsg_free(msg);
13412 	return -ENOBUFS;
13413 }
13414 
13415 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13416 				    struct nlattr *attr,
13417 				    struct cfg80211_wowlan *trig)
13418 {
13419 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13420 	struct cfg80211_wowlan_tcp *cfg;
13421 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13422 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13423 	u32 size;
13424 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13425 	int err, port;
13426 
13427 	if (!rdev->wiphy.wowlan->tcp)
13428 		return -EINVAL;
13429 
13430 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13431 					  nl80211_wowlan_tcp_policy, NULL);
13432 	if (err)
13433 		return err;
13434 
13435 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13436 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13437 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13438 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13439 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13440 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13441 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13442 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13443 		return -EINVAL;
13444 
13445 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13446 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13447 		return -EINVAL;
13448 
13449 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13450 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13451 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13452 		return -EINVAL;
13453 
13454 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13455 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13456 		return -EINVAL;
13457 
13458 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13459 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13460 		return -EINVAL;
13461 
13462 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13463 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13464 
13465 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13466 		tokens_size = tokln - sizeof(*tok);
13467 
13468 		if (!tok->len || tokens_size % tok->len)
13469 			return -EINVAL;
13470 		if (!rdev->wiphy.wowlan->tcp->tok)
13471 			return -EINVAL;
13472 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13473 			return -EINVAL;
13474 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13475 			return -EINVAL;
13476 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13477 			return -EINVAL;
13478 		if (tok->offset + tok->len > data_size)
13479 			return -EINVAL;
13480 	}
13481 
13482 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13483 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13484 		if (!rdev->wiphy.wowlan->tcp->seq)
13485 			return -EINVAL;
13486 		if (seq->len == 0 || seq->len > 4)
13487 			return -EINVAL;
13488 		if (seq->len + seq->offset > data_size)
13489 			return -EINVAL;
13490 	}
13491 
13492 	size = sizeof(*cfg);
13493 	size += data_size;
13494 	size += wake_size + wake_mask_size;
13495 	size += tokens_size;
13496 
13497 	cfg = kzalloc(size, GFP_KERNEL);
13498 	if (!cfg)
13499 		return -ENOMEM;
13500 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13501 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13502 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13503 	       ETH_ALEN);
13504 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13505 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13506 	else
13507 		port = 0;
13508 #ifdef CONFIG_INET
13509 	/* allocate a socket and port for it and use it */
13510 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13511 			    IPPROTO_TCP, &cfg->sock, 1);
13512 	if (err) {
13513 		kfree(cfg);
13514 		return err;
13515 	}
13516 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13517 		sock_release(cfg->sock);
13518 		kfree(cfg);
13519 		return -EADDRINUSE;
13520 	}
13521 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13522 #else
13523 	if (!port) {
13524 		kfree(cfg);
13525 		return -EINVAL;
13526 	}
13527 	cfg->src_port = port;
13528 #endif
13529 
13530 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13531 	cfg->payload_len = data_size;
13532 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13533 	memcpy((void *)cfg->payload,
13534 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13535 	       data_size);
13536 	if (seq)
13537 		cfg->payload_seq = *seq;
13538 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13539 	cfg->wake_len = wake_size;
13540 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13541 	memcpy((void *)cfg->wake_data,
13542 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13543 	       wake_size);
13544 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13545 			 data_size + wake_size;
13546 	memcpy((void *)cfg->wake_mask,
13547 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13548 	       wake_mask_size);
13549 	if (tok) {
13550 		cfg->tokens_size = tokens_size;
13551 		cfg->payload_tok = *tok;
13552 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13553 		       tokens_size);
13554 	}
13555 
13556 	trig->tcp = cfg;
13557 
13558 	return 0;
13559 }
13560 
13561 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13562 				   const struct wiphy_wowlan_support *wowlan,
13563 				   struct nlattr *attr,
13564 				   struct cfg80211_wowlan *trig)
13565 {
13566 	struct nlattr **tb;
13567 	int err;
13568 
13569 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13570 	if (!tb)
13571 		return -ENOMEM;
13572 
13573 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13574 		err = -EOPNOTSUPP;
13575 		goto out;
13576 	}
13577 
13578 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13579 					  nl80211_policy, NULL);
13580 	if (err)
13581 		goto out;
13582 
13583 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13584 						   wowlan->max_nd_match_sets);
13585 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13586 	if (err)
13587 		trig->nd_config = NULL;
13588 
13589 out:
13590 	kfree(tb);
13591 	return err;
13592 }
13593 
13594 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13595 {
13596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13597 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13598 	struct cfg80211_wowlan new_triggers = {};
13599 	struct cfg80211_wowlan *ntrig;
13600 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13601 	int err, i;
13602 	bool prev_enabled = rdev->wiphy.wowlan_config;
13603 	bool regular = false;
13604 
13605 	if (!wowlan)
13606 		return -EOPNOTSUPP;
13607 
13608 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13609 		cfg80211_rdev_free_wowlan(rdev);
13610 		rdev->wiphy.wowlan_config = NULL;
13611 		goto set_wakeup;
13612 	}
13613 
13614 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13615 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13616 					  nl80211_wowlan_policy, info->extack);
13617 	if (err)
13618 		return err;
13619 
13620 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13621 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13622 			return -EINVAL;
13623 		new_triggers.any = true;
13624 	}
13625 
13626 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13627 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13628 			return -EINVAL;
13629 		new_triggers.disconnect = true;
13630 		regular = true;
13631 	}
13632 
13633 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13634 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13635 			return -EINVAL;
13636 		new_triggers.magic_pkt = true;
13637 		regular = true;
13638 	}
13639 
13640 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13641 		return -EINVAL;
13642 
13643 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13644 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13645 			return -EINVAL;
13646 		new_triggers.gtk_rekey_failure = true;
13647 		regular = true;
13648 	}
13649 
13650 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13651 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13652 			return -EINVAL;
13653 		new_triggers.eap_identity_req = true;
13654 		regular = true;
13655 	}
13656 
13657 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13658 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13659 			return -EINVAL;
13660 		new_triggers.four_way_handshake = true;
13661 		regular = true;
13662 	}
13663 
13664 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13665 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13666 			return -EINVAL;
13667 		new_triggers.rfkill_release = true;
13668 		regular = true;
13669 	}
13670 
13671 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13672 		struct nlattr *pat;
13673 		int n_patterns = 0;
13674 		int rem, pat_len, mask_len, pkt_offset;
13675 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13676 
13677 		regular = true;
13678 
13679 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13680 				    rem)
13681 			n_patterns++;
13682 		if (n_patterns > wowlan->n_patterns)
13683 			return -EINVAL;
13684 
13685 		new_triggers.patterns = kcalloc(n_patterns,
13686 						sizeof(new_triggers.patterns[0]),
13687 						GFP_KERNEL);
13688 		if (!new_triggers.patterns)
13689 			return -ENOMEM;
13690 
13691 		new_triggers.n_patterns = n_patterns;
13692 		i = 0;
13693 
13694 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13695 				    rem) {
13696 			u8 *mask_pat;
13697 
13698 			err = nla_parse_nested_deprecated(pat_tb,
13699 							  MAX_NL80211_PKTPAT,
13700 							  pat,
13701 							  nl80211_packet_pattern_policy,
13702 							  info->extack);
13703 			if (err)
13704 				goto error;
13705 
13706 			err = -EINVAL;
13707 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13708 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13709 				goto error;
13710 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13711 			mask_len = DIV_ROUND_UP(pat_len, 8);
13712 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13713 				goto error;
13714 			if (pat_len > wowlan->pattern_max_len ||
13715 			    pat_len < wowlan->pattern_min_len)
13716 				goto error;
13717 
13718 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13719 				pkt_offset = 0;
13720 			else
13721 				pkt_offset = nla_get_u32(
13722 					pat_tb[NL80211_PKTPAT_OFFSET]);
13723 			if (pkt_offset > wowlan->max_pkt_offset)
13724 				goto error;
13725 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13726 
13727 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13728 			if (!mask_pat) {
13729 				err = -ENOMEM;
13730 				goto error;
13731 			}
13732 			new_triggers.patterns[i].mask = mask_pat;
13733 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13734 			       mask_len);
13735 			mask_pat += mask_len;
13736 			new_triggers.patterns[i].pattern = mask_pat;
13737 			new_triggers.patterns[i].pattern_len = pat_len;
13738 			memcpy(mask_pat,
13739 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13740 			       pat_len);
13741 			i++;
13742 		}
13743 	}
13744 
13745 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13746 		regular = true;
13747 		err = nl80211_parse_wowlan_tcp(
13748 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13749 			&new_triggers);
13750 		if (err)
13751 			goto error;
13752 	}
13753 
13754 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13755 		regular = true;
13756 		err = nl80211_parse_wowlan_nd(
13757 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13758 			&new_triggers);
13759 		if (err)
13760 			goto error;
13761 	}
13762 
13763 	/* The 'any' trigger means the device continues operating more or less
13764 	 * as in its normal operation mode and wakes up the host on most of the
13765 	 * normal interrupts (like packet RX, ...)
13766 	 * It therefore makes little sense to combine with the more constrained
13767 	 * wakeup trigger modes.
13768 	 */
13769 	if (new_triggers.any && regular) {
13770 		err = -EINVAL;
13771 		goto error;
13772 	}
13773 
13774 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13775 	if (!ntrig) {
13776 		err = -ENOMEM;
13777 		goto error;
13778 	}
13779 	cfg80211_rdev_free_wowlan(rdev);
13780 	rdev->wiphy.wowlan_config = ntrig;
13781 
13782  set_wakeup:
13783 	if (rdev->ops->set_wakeup &&
13784 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13785 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13786 
13787 	return 0;
13788  error:
13789 	for (i = 0; i < new_triggers.n_patterns; i++)
13790 		kfree(new_triggers.patterns[i].mask);
13791 	kfree(new_triggers.patterns);
13792 	if (new_triggers.tcp && new_triggers.tcp->sock)
13793 		sock_release(new_triggers.tcp->sock);
13794 	kfree(new_triggers.tcp);
13795 	kfree(new_triggers.nd_config);
13796 	return err;
13797 }
13798 #endif
13799 
13800 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13801 				       struct cfg80211_registered_device *rdev)
13802 {
13803 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13804 	int i, j, pat_len;
13805 	struct cfg80211_coalesce_rules *rule;
13806 
13807 	if (!rdev->coalesce->n_rules)
13808 		return 0;
13809 
13810 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13811 	if (!nl_rules)
13812 		return -ENOBUFS;
13813 
13814 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13815 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13816 		if (!nl_rule)
13817 			return -ENOBUFS;
13818 
13819 		rule = &rdev->coalesce->rules[i];
13820 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13821 				rule->delay))
13822 			return -ENOBUFS;
13823 
13824 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13825 				rule->condition))
13826 			return -ENOBUFS;
13827 
13828 		nl_pats = nla_nest_start_noflag(msg,
13829 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13830 		if (!nl_pats)
13831 			return -ENOBUFS;
13832 
13833 		for (j = 0; j < rule->n_patterns; j++) {
13834 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13835 			if (!nl_pat)
13836 				return -ENOBUFS;
13837 			pat_len = rule->patterns[j].pattern_len;
13838 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13839 				    DIV_ROUND_UP(pat_len, 8),
13840 				    rule->patterns[j].mask) ||
13841 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13842 				    rule->patterns[j].pattern) ||
13843 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13844 					rule->patterns[j].pkt_offset))
13845 				return -ENOBUFS;
13846 			nla_nest_end(msg, nl_pat);
13847 		}
13848 		nla_nest_end(msg, nl_pats);
13849 		nla_nest_end(msg, nl_rule);
13850 	}
13851 	nla_nest_end(msg, nl_rules);
13852 
13853 	return 0;
13854 }
13855 
13856 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13857 {
13858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13859 	struct sk_buff *msg;
13860 	void *hdr;
13861 
13862 	if (!rdev->wiphy.coalesce)
13863 		return -EOPNOTSUPP;
13864 
13865 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13866 	if (!msg)
13867 		return -ENOMEM;
13868 
13869 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13870 			     NL80211_CMD_GET_COALESCE);
13871 	if (!hdr)
13872 		goto nla_put_failure;
13873 
13874 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13875 		goto nla_put_failure;
13876 
13877 	genlmsg_end(msg, hdr);
13878 	return genlmsg_reply(msg, info);
13879 
13880 nla_put_failure:
13881 	nlmsg_free(msg);
13882 	return -ENOBUFS;
13883 }
13884 
13885 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13886 {
13887 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13888 	int i, j;
13889 	struct cfg80211_coalesce_rules *rule;
13890 
13891 	if (!coalesce)
13892 		return;
13893 
13894 	for (i = 0; i < coalesce->n_rules; i++) {
13895 		rule = &coalesce->rules[i];
13896 		for (j = 0; j < rule->n_patterns; j++)
13897 			kfree(rule->patterns[j].mask);
13898 		kfree(rule->patterns);
13899 	}
13900 	kfree(coalesce->rules);
13901 	kfree(coalesce);
13902 	rdev->coalesce = NULL;
13903 }
13904 
13905 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13906 				       struct nlattr *rule,
13907 				       struct cfg80211_coalesce_rules *new_rule)
13908 {
13909 	int err, i;
13910 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13911 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13912 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13913 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13914 
13915 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13916 					  rule, nl80211_coalesce_policy, NULL);
13917 	if (err)
13918 		return err;
13919 
13920 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13921 		new_rule->delay =
13922 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13923 	if (new_rule->delay > coalesce->max_delay)
13924 		return -EINVAL;
13925 
13926 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13927 		new_rule->condition =
13928 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13929 
13930 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13931 		return -EINVAL;
13932 
13933 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13934 			    rem)
13935 		n_patterns++;
13936 	if (n_patterns > coalesce->n_patterns)
13937 		return -EINVAL;
13938 
13939 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13940 				     GFP_KERNEL);
13941 	if (!new_rule->patterns)
13942 		return -ENOMEM;
13943 
13944 	new_rule->n_patterns = n_patterns;
13945 	i = 0;
13946 
13947 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13948 			    rem) {
13949 		u8 *mask_pat;
13950 
13951 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13952 						  pat,
13953 						  nl80211_packet_pattern_policy,
13954 						  NULL);
13955 		if (err)
13956 			return err;
13957 
13958 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13959 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13960 			return -EINVAL;
13961 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13962 		mask_len = DIV_ROUND_UP(pat_len, 8);
13963 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13964 			return -EINVAL;
13965 		if (pat_len > coalesce->pattern_max_len ||
13966 		    pat_len < coalesce->pattern_min_len)
13967 			return -EINVAL;
13968 
13969 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13970 			pkt_offset = 0;
13971 		else
13972 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13973 		if (pkt_offset > coalesce->max_pkt_offset)
13974 			return -EINVAL;
13975 		new_rule->patterns[i].pkt_offset = pkt_offset;
13976 
13977 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13978 		if (!mask_pat)
13979 			return -ENOMEM;
13980 
13981 		new_rule->patterns[i].mask = mask_pat;
13982 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13983 		       mask_len);
13984 
13985 		mask_pat += mask_len;
13986 		new_rule->patterns[i].pattern = mask_pat;
13987 		new_rule->patterns[i].pattern_len = pat_len;
13988 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13989 		       pat_len);
13990 		i++;
13991 	}
13992 
13993 	return 0;
13994 }
13995 
13996 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13997 {
13998 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13999 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14000 	struct cfg80211_coalesce new_coalesce = {};
14001 	struct cfg80211_coalesce *n_coalesce;
14002 	int err, rem_rule, n_rules = 0, i, j;
14003 	struct nlattr *rule;
14004 	struct cfg80211_coalesce_rules *tmp_rule;
14005 
14006 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14007 		return -EOPNOTSUPP;
14008 
14009 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14010 		cfg80211_rdev_free_coalesce(rdev);
14011 		rdev_set_coalesce(rdev, NULL);
14012 		return 0;
14013 	}
14014 
14015 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14016 			    rem_rule)
14017 		n_rules++;
14018 	if (n_rules > coalesce->n_rules)
14019 		return -EINVAL;
14020 
14021 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
14022 				     GFP_KERNEL);
14023 	if (!new_coalesce.rules)
14024 		return -ENOMEM;
14025 
14026 	new_coalesce.n_rules = n_rules;
14027 	i = 0;
14028 
14029 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14030 			    rem_rule) {
14031 		err = nl80211_parse_coalesce_rule(rdev, rule,
14032 						  &new_coalesce.rules[i]);
14033 		if (err)
14034 			goto error;
14035 
14036 		i++;
14037 	}
14038 
14039 	err = rdev_set_coalesce(rdev, &new_coalesce);
14040 	if (err)
14041 		goto error;
14042 
14043 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
14044 	if (!n_coalesce) {
14045 		err = -ENOMEM;
14046 		goto error;
14047 	}
14048 	cfg80211_rdev_free_coalesce(rdev);
14049 	rdev->coalesce = n_coalesce;
14050 
14051 	return 0;
14052 error:
14053 	for (i = 0; i < new_coalesce.n_rules; i++) {
14054 		tmp_rule = &new_coalesce.rules[i];
14055 		for (j = 0; j < tmp_rule->n_patterns; j++)
14056 			kfree(tmp_rule->patterns[j].mask);
14057 		kfree(tmp_rule->patterns);
14058 	}
14059 	kfree(new_coalesce.rules);
14060 
14061 	return err;
14062 }
14063 
14064 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14065 {
14066 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14067 	struct net_device *dev = info->user_ptr[1];
14068 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14069 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14070 	struct cfg80211_gtk_rekey_data rekey_data = {};
14071 	int err;
14072 
14073 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14074 		return -EINVAL;
14075 
14076 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14077 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14078 					  nl80211_rekey_policy, info->extack);
14079 	if (err)
14080 		return err;
14081 
14082 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14083 	    !tb[NL80211_REKEY_DATA_KCK])
14084 		return -EINVAL;
14085 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14086 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14087 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14088 		return -ERANGE;
14089 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14090 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14091 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14092 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14093 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14094 		return -ERANGE;
14095 
14096 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14097 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14098 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14099 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14100 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14101 	if (tb[NL80211_REKEY_DATA_AKM])
14102 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14103 
14104 	wdev_lock(wdev);
14105 	if (!wdev->connected) {
14106 		err = -ENOTCONN;
14107 		goto out;
14108 	}
14109 
14110 	if (!rdev->ops->set_rekey_data) {
14111 		err = -EOPNOTSUPP;
14112 		goto out;
14113 	}
14114 
14115 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
14116  out:
14117 	wdev_unlock(wdev);
14118 	return err;
14119 }
14120 
14121 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14122 					     struct genl_info *info)
14123 {
14124 	struct net_device *dev = info->user_ptr[1];
14125 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14126 
14127 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14128 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14129 		return -EINVAL;
14130 
14131 	if (wdev->ap_unexpected_nlportid)
14132 		return -EBUSY;
14133 
14134 	wdev->ap_unexpected_nlportid = info->snd_portid;
14135 	return 0;
14136 }
14137 
14138 static int nl80211_probe_client(struct sk_buff *skb,
14139 				struct genl_info *info)
14140 {
14141 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14142 	struct net_device *dev = info->user_ptr[1];
14143 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14144 	struct sk_buff *msg;
14145 	void *hdr;
14146 	const u8 *addr;
14147 	u64 cookie;
14148 	int err;
14149 
14150 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14151 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14152 		return -EOPNOTSUPP;
14153 
14154 	if (!info->attrs[NL80211_ATTR_MAC])
14155 		return -EINVAL;
14156 
14157 	if (!rdev->ops->probe_client)
14158 		return -EOPNOTSUPP;
14159 
14160 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14161 	if (!msg)
14162 		return -ENOMEM;
14163 
14164 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14165 			     NL80211_CMD_PROBE_CLIENT);
14166 	if (!hdr) {
14167 		err = -ENOBUFS;
14168 		goto free_msg;
14169 	}
14170 
14171 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14172 
14173 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14174 	if (err)
14175 		goto free_msg;
14176 
14177 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14178 			      NL80211_ATTR_PAD))
14179 		goto nla_put_failure;
14180 
14181 	genlmsg_end(msg, hdr);
14182 
14183 	return genlmsg_reply(msg, info);
14184 
14185  nla_put_failure:
14186 	err = -ENOBUFS;
14187  free_msg:
14188 	nlmsg_free(msg);
14189 	return err;
14190 }
14191 
14192 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14193 {
14194 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14195 	struct cfg80211_beacon_registration *reg, *nreg;
14196 	int rv;
14197 
14198 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14199 		return -EOPNOTSUPP;
14200 
14201 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14202 	if (!nreg)
14203 		return -ENOMEM;
14204 
14205 	/* First, check if already registered. */
14206 	spin_lock_bh(&rdev->beacon_registrations_lock);
14207 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14208 		if (reg->nlportid == info->snd_portid) {
14209 			rv = -EALREADY;
14210 			goto out_err;
14211 		}
14212 	}
14213 	/* Add it to the list */
14214 	nreg->nlportid = info->snd_portid;
14215 	list_add(&nreg->list, &rdev->beacon_registrations);
14216 
14217 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14218 
14219 	return 0;
14220 out_err:
14221 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14222 	kfree(nreg);
14223 	return rv;
14224 }
14225 
14226 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14227 {
14228 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14229 	struct wireless_dev *wdev = info->user_ptr[1];
14230 	int err;
14231 
14232 	if (!rdev->ops->start_p2p_device)
14233 		return -EOPNOTSUPP;
14234 
14235 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14236 		return -EOPNOTSUPP;
14237 
14238 	if (wdev_running(wdev))
14239 		return 0;
14240 
14241 	if (rfkill_blocked(rdev->wiphy.rfkill))
14242 		return -ERFKILL;
14243 
14244 	err = rdev_start_p2p_device(rdev, wdev);
14245 	if (err)
14246 		return err;
14247 
14248 	wdev->is_running = true;
14249 	rdev->opencount++;
14250 
14251 	return 0;
14252 }
14253 
14254 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14255 {
14256 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14257 	struct wireless_dev *wdev = info->user_ptr[1];
14258 
14259 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14260 		return -EOPNOTSUPP;
14261 
14262 	if (!rdev->ops->stop_p2p_device)
14263 		return -EOPNOTSUPP;
14264 
14265 	cfg80211_stop_p2p_device(rdev, wdev);
14266 
14267 	return 0;
14268 }
14269 
14270 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14271 {
14272 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14273 	struct wireless_dev *wdev = info->user_ptr[1];
14274 	struct cfg80211_nan_conf conf = {};
14275 	int err;
14276 
14277 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14278 		return -EOPNOTSUPP;
14279 
14280 	if (wdev_running(wdev))
14281 		return -EEXIST;
14282 
14283 	if (rfkill_blocked(rdev->wiphy.rfkill))
14284 		return -ERFKILL;
14285 
14286 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14287 		return -EINVAL;
14288 
14289 	conf.master_pref =
14290 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14291 
14292 	if (info->attrs[NL80211_ATTR_BANDS]) {
14293 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14294 
14295 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14296 			return -EOPNOTSUPP;
14297 
14298 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14299 			return -EINVAL;
14300 
14301 		conf.bands = bands;
14302 	}
14303 
14304 	err = rdev_start_nan(rdev, wdev, &conf);
14305 	if (err)
14306 		return err;
14307 
14308 	wdev->is_running = true;
14309 	rdev->opencount++;
14310 
14311 	return 0;
14312 }
14313 
14314 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14315 {
14316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14317 	struct wireless_dev *wdev = info->user_ptr[1];
14318 
14319 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14320 		return -EOPNOTSUPP;
14321 
14322 	cfg80211_stop_nan(rdev, wdev);
14323 
14324 	return 0;
14325 }
14326 
14327 static int validate_nan_filter(struct nlattr *filter_attr)
14328 {
14329 	struct nlattr *attr;
14330 	int len = 0, n_entries = 0, rem;
14331 
14332 	nla_for_each_nested(attr, filter_attr, rem) {
14333 		len += nla_len(attr);
14334 		n_entries++;
14335 	}
14336 
14337 	if (len >= U8_MAX)
14338 		return -EINVAL;
14339 
14340 	return n_entries;
14341 }
14342 
14343 static int handle_nan_filter(struct nlattr *attr_filter,
14344 			     struct cfg80211_nan_func *func,
14345 			     bool tx)
14346 {
14347 	struct nlattr *attr;
14348 	int n_entries, rem, i;
14349 	struct cfg80211_nan_func_filter *filter;
14350 
14351 	n_entries = validate_nan_filter(attr_filter);
14352 	if (n_entries < 0)
14353 		return n_entries;
14354 
14355 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14356 
14357 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14358 	if (!filter)
14359 		return -ENOMEM;
14360 
14361 	i = 0;
14362 	nla_for_each_nested(attr, attr_filter, rem) {
14363 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14364 		if (!filter[i].filter)
14365 			goto err;
14366 
14367 		filter[i].len = nla_len(attr);
14368 		i++;
14369 	}
14370 	if (tx) {
14371 		func->num_tx_filters = n_entries;
14372 		func->tx_filters = filter;
14373 	} else {
14374 		func->num_rx_filters = n_entries;
14375 		func->rx_filters = filter;
14376 	}
14377 
14378 	return 0;
14379 
14380 err:
14381 	i = 0;
14382 	nla_for_each_nested(attr, attr_filter, rem) {
14383 		kfree(filter[i].filter);
14384 		i++;
14385 	}
14386 	kfree(filter);
14387 	return -ENOMEM;
14388 }
14389 
14390 static int nl80211_nan_add_func(struct sk_buff *skb,
14391 				struct genl_info *info)
14392 {
14393 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14394 	struct wireless_dev *wdev = info->user_ptr[1];
14395 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14396 	struct cfg80211_nan_func *func;
14397 	struct sk_buff *msg = NULL;
14398 	void *hdr = NULL;
14399 	int err = 0;
14400 
14401 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14402 		return -EOPNOTSUPP;
14403 
14404 	if (!wdev_running(wdev))
14405 		return -ENOTCONN;
14406 
14407 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14408 		return -EINVAL;
14409 
14410 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14411 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14412 					  nl80211_nan_func_policy,
14413 					  info->extack);
14414 	if (err)
14415 		return err;
14416 
14417 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14418 	if (!func)
14419 		return -ENOMEM;
14420 
14421 	func->cookie = cfg80211_assign_cookie(rdev);
14422 
14423 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14424 		err = -EINVAL;
14425 		goto out;
14426 	}
14427 
14428 
14429 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14430 
14431 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14432 		err = -EINVAL;
14433 		goto out;
14434 	}
14435 
14436 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14437 	       sizeof(func->service_id));
14438 
14439 	func->close_range =
14440 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14441 
14442 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14443 		func->serv_spec_info_len =
14444 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14445 		func->serv_spec_info =
14446 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14447 				func->serv_spec_info_len,
14448 				GFP_KERNEL);
14449 		if (!func->serv_spec_info) {
14450 			err = -ENOMEM;
14451 			goto out;
14452 		}
14453 	}
14454 
14455 	if (tb[NL80211_NAN_FUNC_TTL])
14456 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14457 
14458 	switch (func->type) {
14459 	case NL80211_NAN_FUNC_PUBLISH:
14460 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14461 			err = -EINVAL;
14462 			goto out;
14463 		}
14464 
14465 		func->publish_type =
14466 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14467 		func->publish_bcast =
14468 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14469 
14470 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14471 			func->publish_bcast) {
14472 			err = -EINVAL;
14473 			goto out;
14474 		}
14475 		break;
14476 	case NL80211_NAN_FUNC_SUBSCRIBE:
14477 		func->subscribe_active =
14478 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14479 		break;
14480 	case NL80211_NAN_FUNC_FOLLOW_UP:
14481 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14482 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14483 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14484 			err = -EINVAL;
14485 			goto out;
14486 		}
14487 
14488 		func->followup_id =
14489 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14490 		func->followup_reqid =
14491 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14492 		memcpy(func->followup_dest.addr,
14493 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14494 		       sizeof(func->followup_dest.addr));
14495 		if (func->ttl) {
14496 			err = -EINVAL;
14497 			goto out;
14498 		}
14499 		break;
14500 	default:
14501 		err = -EINVAL;
14502 		goto out;
14503 	}
14504 
14505 	if (tb[NL80211_NAN_FUNC_SRF]) {
14506 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14507 
14508 		err = nla_parse_nested_deprecated(srf_tb,
14509 						  NL80211_NAN_SRF_ATTR_MAX,
14510 						  tb[NL80211_NAN_FUNC_SRF],
14511 						  nl80211_nan_srf_policy,
14512 						  info->extack);
14513 		if (err)
14514 			goto out;
14515 
14516 		func->srf_include =
14517 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14518 
14519 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14520 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14521 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14522 				err = -EINVAL;
14523 				goto out;
14524 			}
14525 
14526 			func->srf_bf_len =
14527 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14528 			func->srf_bf =
14529 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14530 					func->srf_bf_len, GFP_KERNEL);
14531 			if (!func->srf_bf) {
14532 				err = -ENOMEM;
14533 				goto out;
14534 			}
14535 
14536 			func->srf_bf_idx =
14537 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14538 		} else {
14539 			struct nlattr *attr, *mac_attr =
14540 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14541 			int n_entries, rem, i = 0;
14542 
14543 			if (!mac_attr) {
14544 				err = -EINVAL;
14545 				goto out;
14546 			}
14547 
14548 			n_entries = validate_acl_mac_addrs(mac_attr);
14549 			if (n_entries <= 0) {
14550 				err = -EINVAL;
14551 				goto out;
14552 			}
14553 
14554 			func->srf_num_macs = n_entries;
14555 			func->srf_macs =
14556 				kcalloc(n_entries, sizeof(*func->srf_macs),
14557 					GFP_KERNEL);
14558 			if (!func->srf_macs) {
14559 				err = -ENOMEM;
14560 				goto out;
14561 			}
14562 
14563 			nla_for_each_nested(attr, mac_attr, rem)
14564 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14565 				       sizeof(*func->srf_macs));
14566 		}
14567 	}
14568 
14569 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14570 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14571 					func, true);
14572 		if (err)
14573 			goto out;
14574 	}
14575 
14576 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14577 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14578 					func, false);
14579 		if (err)
14580 			goto out;
14581 	}
14582 
14583 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14584 	if (!msg) {
14585 		err = -ENOMEM;
14586 		goto out;
14587 	}
14588 
14589 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14590 			     NL80211_CMD_ADD_NAN_FUNCTION);
14591 	/* This can't really happen - we just allocated 4KB */
14592 	if (WARN_ON(!hdr)) {
14593 		err = -ENOMEM;
14594 		goto out;
14595 	}
14596 
14597 	err = rdev_add_nan_func(rdev, wdev, func);
14598 out:
14599 	if (err < 0) {
14600 		cfg80211_free_nan_func(func);
14601 		nlmsg_free(msg);
14602 		return err;
14603 	}
14604 
14605 	/* propagate the instance id and cookie to userspace  */
14606 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14607 			      NL80211_ATTR_PAD))
14608 		goto nla_put_failure;
14609 
14610 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14611 	if (!func_attr)
14612 		goto nla_put_failure;
14613 
14614 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14615 		       func->instance_id))
14616 		goto nla_put_failure;
14617 
14618 	nla_nest_end(msg, func_attr);
14619 
14620 	genlmsg_end(msg, hdr);
14621 	return genlmsg_reply(msg, info);
14622 
14623 nla_put_failure:
14624 	nlmsg_free(msg);
14625 	return -ENOBUFS;
14626 }
14627 
14628 static int nl80211_nan_del_func(struct sk_buff *skb,
14629 			       struct genl_info *info)
14630 {
14631 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14632 	struct wireless_dev *wdev = info->user_ptr[1];
14633 	u64 cookie;
14634 
14635 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14636 		return -EOPNOTSUPP;
14637 
14638 	if (!wdev_running(wdev))
14639 		return -ENOTCONN;
14640 
14641 	if (!info->attrs[NL80211_ATTR_COOKIE])
14642 		return -EINVAL;
14643 
14644 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14645 
14646 	rdev_del_nan_func(rdev, wdev, cookie);
14647 
14648 	return 0;
14649 }
14650 
14651 static int nl80211_nan_change_config(struct sk_buff *skb,
14652 				     struct genl_info *info)
14653 {
14654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14655 	struct wireless_dev *wdev = info->user_ptr[1];
14656 	struct cfg80211_nan_conf conf = {};
14657 	u32 changed = 0;
14658 
14659 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14660 		return -EOPNOTSUPP;
14661 
14662 	if (!wdev_running(wdev))
14663 		return -ENOTCONN;
14664 
14665 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14666 		conf.master_pref =
14667 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14668 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14669 			return -EINVAL;
14670 
14671 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14672 	}
14673 
14674 	if (info->attrs[NL80211_ATTR_BANDS]) {
14675 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14676 
14677 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14678 			return -EOPNOTSUPP;
14679 
14680 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14681 			return -EINVAL;
14682 
14683 		conf.bands = bands;
14684 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14685 	}
14686 
14687 	if (!changed)
14688 		return -EINVAL;
14689 
14690 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14691 }
14692 
14693 void cfg80211_nan_match(struct wireless_dev *wdev,
14694 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14695 {
14696 	struct wiphy *wiphy = wdev->wiphy;
14697 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14698 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14699 	struct sk_buff *msg;
14700 	void *hdr;
14701 
14702 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14703 		return;
14704 
14705 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14706 	if (!msg)
14707 		return;
14708 
14709 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14710 	if (!hdr) {
14711 		nlmsg_free(msg);
14712 		return;
14713 	}
14714 
14715 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14716 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14717 					 wdev->netdev->ifindex)) ||
14718 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14719 			      NL80211_ATTR_PAD))
14720 		goto nla_put_failure;
14721 
14722 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14723 			      NL80211_ATTR_PAD) ||
14724 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14725 		goto nla_put_failure;
14726 
14727 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14728 	if (!match_attr)
14729 		goto nla_put_failure;
14730 
14731 	local_func_attr = nla_nest_start_noflag(msg,
14732 						NL80211_NAN_MATCH_FUNC_LOCAL);
14733 	if (!local_func_attr)
14734 		goto nla_put_failure;
14735 
14736 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14737 		goto nla_put_failure;
14738 
14739 	nla_nest_end(msg, local_func_attr);
14740 
14741 	peer_func_attr = nla_nest_start_noflag(msg,
14742 					       NL80211_NAN_MATCH_FUNC_PEER);
14743 	if (!peer_func_attr)
14744 		goto nla_put_failure;
14745 
14746 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14747 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14748 		goto nla_put_failure;
14749 
14750 	if (match->info && match->info_len &&
14751 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14752 		    match->info))
14753 		goto nla_put_failure;
14754 
14755 	nla_nest_end(msg, peer_func_attr);
14756 	nla_nest_end(msg, match_attr);
14757 	genlmsg_end(msg, hdr);
14758 
14759 	if (!wdev->owner_nlportid)
14760 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14761 					msg, 0, NL80211_MCGRP_NAN, gfp);
14762 	else
14763 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14764 				wdev->owner_nlportid);
14765 
14766 	return;
14767 
14768 nla_put_failure:
14769 	nlmsg_free(msg);
14770 }
14771 EXPORT_SYMBOL(cfg80211_nan_match);
14772 
14773 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14774 				  u8 inst_id,
14775 				  enum nl80211_nan_func_term_reason reason,
14776 				  u64 cookie, gfp_t gfp)
14777 {
14778 	struct wiphy *wiphy = wdev->wiphy;
14779 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14780 	struct sk_buff *msg;
14781 	struct nlattr *func_attr;
14782 	void *hdr;
14783 
14784 	if (WARN_ON(!inst_id))
14785 		return;
14786 
14787 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14788 	if (!msg)
14789 		return;
14790 
14791 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14792 	if (!hdr) {
14793 		nlmsg_free(msg);
14794 		return;
14795 	}
14796 
14797 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14798 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14799 					 wdev->netdev->ifindex)) ||
14800 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14801 			      NL80211_ATTR_PAD))
14802 		goto nla_put_failure;
14803 
14804 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14805 			      NL80211_ATTR_PAD))
14806 		goto nla_put_failure;
14807 
14808 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14809 	if (!func_attr)
14810 		goto nla_put_failure;
14811 
14812 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14813 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14814 		goto nla_put_failure;
14815 
14816 	nla_nest_end(msg, func_attr);
14817 	genlmsg_end(msg, hdr);
14818 
14819 	if (!wdev->owner_nlportid)
14820 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14821 					msg, 0, NL80211_MCGRP_NAN, gfp);
14822 	else
14823 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14824 				wdev->owner_nlportid);
14825 
14826 	return;
14827 
14828 nla_put_failure:
14829 	nlmsg_free(msg);
14830 }
14831 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14832 
14833 static int nl80211_get_protocol_features(struct sk_buff *skb,
14834 					 struct genl_info *info)
14835 {
14836 	void *hdr;
14837 	struct sk_buff *msg;
14838 
14839 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14840 	if (!msg)
14841 		return -ENOMEM;
14842 
14843 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14844 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14845 	if (!hdr)
14846 		goto nla_put_failure;
14847 
14848 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14849 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14850 		goto nla_put_failure;
14851 
14852 	genlmsg_end(msg, hdr);
14853 	return genlmsg_reply(msg, info);
14854 
14855  nla_put_failure:
14856 	kfree_skb(msg);
14857 	return -ENOBUFS;
14858 }
14859 
14860 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14861 {
14862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14863 	struct cfg80211_update_ft_ies_params ft_params;
14864 	struct net_device *dev = info->user_ptr[1];
14865 
14866 	if (!rdev->ops->update_ft_ies)
14867 		return -EOPNOTSUPP;
14868 
14869 	if (!info->attrs[NL80211_ATTR_MDID] ||
14870 	    !info->attrs[NL80211_ATTR_IE])
14871 		return -EINVAL;
14872 
14873 	memset(&ft_params, 0, sizeof(ft_params));
14874 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14875 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14876 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14877 
14878 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14879 }
14880 
14881 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14882 				       struct genl_info *info)
14883 {
14884 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14885 	struct wireless_dev *wdev = info->user_ptr[1];
14886 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14887 	u16 duration;
14888 	int ret;
14889 
14890 	if (!rdev->ops->crit_proto_start)
14891 		return -EOPNOTSUPP;
14892 
14893 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14894 		return -EINVAL;
14895 
14896 	if (rdev->crit_proto_nlportid)
14897 		return -EBUSY;
14898 
14899 	/* determine protocol if provided */
14900 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14901 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14902 
14903 	if (proto >= NUM_NL80211_CRIT_PROTO)
14904 		return -EINVAL;
14905 
14906 	/* timeout must be provided */
14907 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14908 		return -EINVAL;
14909 
14910 	duration =
14911 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14912 
14913 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14914 	if (!ret)
14915 		rdev->crit_proto_nlportid = info->snd_portid;
14916 
14917 	return ret;
14918 }
14919 
14920 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14921 				      struct genl_info *info)
14922 {
14923 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14924 	struct wireless_dev *wdev = info->user_ptr[1];
14925 
14926 	if (!rdev->ops->crit_proto_stop)
14927 		return -EOPNOTSUPP;
14928 
14929 	if (rdev->crit_proto_nlportid) {
14930 		rdev->crit_proto_nlportid = 0;
14931 		rdev_crit_proto_stop(rdev, wdev);
14932 	}
14933 	return 0;
14934 }
14935 
14936 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14937 				       struct nlattr *attr,
14938 				       struct netlink_ext_ack *extack)
14939 {
14940 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14941 		if (attr->nla_type & NLA_F_NESTED) {
14942 			NL_SET_ERR_MSG_ATTR(extack, attr,
14943 					    "unexpected nested data");
14944 			return -EINVAL;
14945 		}
14946 
14947 		return 0;
14948 	}
14949 
14950 	if (!(attr->nla_type & NLA_F_NESTED)) {
14951 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14952 		return -EINVAL;
14953 	}
14954 
14955 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14956 }
14957 
14958 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14959 {
14960 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14961 	struct wireless_dev *wdev =
14962 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14963 					   info->attrs);
14964 	int i, err;
14965 	u32 vid, subcmd;
14966 
14967 	if (!rdev->wiphy.vendor_commands)
14968 		return -EOPNOTSUPP;
14969 
14970 	if (IS_ERR(wdev)) {
14971 		err = PTR_ERR(wdev);
14972 		if (err != -EINVAL)
14973 			return err;
14974 		wdev = NULL;
14975 	} else if (wdev->wiphy != &rdev->wiphy) {
14976 		return -EINVAL;
14977 	}
14978 
14979 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14980 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14981 		return -EINVAL;
14982 
14983 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14984 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14985 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14986 		const struct wiphy_vendor_command *vcmd;
14987 		void *data = NULL;
14988 		int len = 0;
14989 
14990 		vcmd = &rdev->wiphy.vendor_commands[i];
14991 
14992 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14993 			continue;
14994 
14995 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14996 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14997 			if (!wdev)
14998 				return -EINVAL;
14999 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15000 			    !wdev->netdev)
15001 				return -EINVAL;
15002 
15003 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15004 				if (!wdev_running(wdev))
15005 					return -ENETDOWN;
15006 			}
15007 		} else {
15008 			wdev = NULL;
15009 		}
15010 
15011 		if (!vcmd->doit)
15012 			return -EOPNOTSUPP;
15013 
15014 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15015 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15016 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15017 
15018 			err = nl80211_vendor_check_policy(vcmd,
15019 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15020 					info->extack);
15021 			if (err)
15022 				return err;
15023 		}
15024 
15025 		rdev->cur_cmd_info = info;
15026 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15027 		rdev->cur_cmd_info = NULL;
15028 		return err;
15029 	}
15030 
15031 	return -EOPNOTSUPP;
15032 }
15033 
15034 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15035 				       struct netlink_callback *cb,
15036 				       struct cfg80211_registered_device **rdev,
15037 				       struct wireless_dev **wdev)
15038 {
15039 	struct nlattr **attrbuf;
15040 	u32 vid, subcmd;
15041 	unsigned int i;
15042 	int vcmd_idx = -1;
15043 	int err;
15044 	void *data = NULL;
15045 	unsigned int data_len = 0;
15046 
15047 	if (cb->args[0]) {
15048 		/* subtract the 1 again here */
15049 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15050 		struct wireless_dev *tmp;
15051 
15052 		if (!wiphy)
15053 			return -ENODEV;
15054 		*rdev = wiphy_to_rdev(wiphy);
15055 		*wdev = NULL;
15056 
15057 		if (cb->args[1]) {
15058 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15059 				if (tmp->identifier == cb->args[1] - 1) {
15060 					*wdev = tmp;
15061 					break;
15062 				}
15063 			}
15064 		}
15065 
15066 		/* keep rtnl locked in successful case */
15067 		return 0;
15068 	}
15069 
15070 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15071 	if (!attrbuf)
15072 		return -ENOMEM;
15073 
15074 	err = nlmsg_parse_deprecated(cb->nlh,
15075 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15076 				     attrbuf, nl80211_fam.maxattr,
15077 				     nl80211_policy, NULL);
15078 	if (err)
15079 		goto out;
15080 
15081 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15082 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15083 		err = -EINVAL;
15084 		goto out;
15085 	}
15086 
15087 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15088 	if (IS_ERR(*wdev))
15089 		*wdev = NULL;
15090 
15091 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15092 	if (IS_ERR(*rdev)) {
15093 		err = PTR_ERR(*rdev);
15094 		goto out;
15095 	}
15096 
15097 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15098 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15099 
15100 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15101 		const struct wiphy_vendor_command *vcmd;
15102 
15103 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15104 
15105 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15106 			continue;
15107 
15108 		if (!vcmd->dumpit) {
15109 			err = -EOPNOTSUPP;
15110 			goto out;
15111 		}
15112 
15113 		vcmd_idx = i;
15114 		break;
15115 	}
15116 
15117 	if (vcmd_idx < 0) {
15118 		err = -EOPNOTSUPP;
15119 		goto out;
15120 	}
15121 
15122 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15123 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15124 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15125 
15126 		err = nl80211_vendor_check_policy(
15127 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15128 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15129 				cb->extack);
15130 		if (err)
15131 			goto out;
15132 	}
15133 
15134 	/* 0 is the first index - add 1 to parse only once */
15135 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15136 	/* add 1 to know if it was NULL */
15137 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15138 	cb->args[2] = vcmd_idx;
15139 	cb->args[3] = (unsigned long)data;
15140 	cb->args[4] = data_len;
15141 
15142 	/* keep rtnl locked in successful case */
15143 	err = 0;
15144 out:
15145 	kfree(attrbuf);
15146 	return err;
15147 }
15148 
15149 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15150 				   struct netlink_callback *cb)
15151 {
15152 	struct cfg80211_registered_device *rdev;
15153 	struct wireless_dev *wdev;
15154 	unsigned int vcmd_idx;
15155 	const struct wiphy_vendor_command *vcmd;
15156 	void *data;
15157 	int data_len;
15158 	int err;
15159 	struct nlattr *vendor_data;
15160 
15161 	rtnl_lock();
15162 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15163 	if (err)
15164 		goto out;
15165 
15166 	vcmd_idx = cb->args[2];
15167 	data = (void *)cb->args[3];
15168 	data_len = cb->args[4];
15169 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15170 
15171 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15172 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15173 		if (!wdev) {
15174 			err = -EINVAL;
15175 			goto out;
15176 		}
15177 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15178 		    !wdev->netdev) {
15179 			err = -EINVAL;
15180 			goto out;
15181 		}
15182 
15183 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15184 			if (!wdev_running(wdev)) {
15185 				err = -ENETDOWN;
15186 				goto out;
15187 			}
15188 		}
15189 	}
15190 
15191 	while (1) {
15192 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15193 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15194 					   NL80211_CMD_VENDOR);
15195 		if (!hdr)
15196 			break;
15197 
15198 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15199 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15200 					       wdev_id(wdev),
15201 					       NL80211_ATTR_PAD))) {
15202 			genlmsg_cancel(skb, hdr);
15203 			break;
15204 		}
15205 
15206 		vendor_data = nla_nest_start_noflag(skb,
15207 						    NL80211_ATTR_VENDOR_DATA);
15208 		if (!vendor_data) {
15209 			genlmsg_cancel(skb, hdr);
15210 			break;
15211 		}
15212 
15213 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15214 				   (unsigned long *)&cb->args[5]);
15215 		nla_nest_end(skb, vendor_data);
15216 
15217 		if (err == -ENOBUFS || err == -ENOENT) {
15218 			genlmsg_cancel(skb, hdr);
15219 			break;
15220 		} else if (err <= 0) {
15221 			genlmsg_cancel(skb, hdr);
15222 			goto out;
15223 		}
15224 
15225 		genlmsg_end(skb, hdr);
15226 	}
15227 
15228 	err = skb->len;
15229  out:
15230 	rtnl_unlock();
15231 	return err;
15232 }
15233 
15234 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15235 					   enum nl80211_commands cmd,
15236 					   enum nl80211_attrs attr,
15237 					   int approxlen)
15238 {
15239 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15240 
15241 	if (WARN_ON(!rdev->cur_cmd_info))
15242 		return NULL;
15243 
15244 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15245 					   rdev->cur_cmd_info->snd_portid,
15246 					   rdev->cur_cmd_info->snd_seq,
15247 					   cmd, attr, NULL, GFP_KERNEL);
15248 }
15249 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15250 
15251 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15252 {
15253 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15254 	void *hdr = ((void **)skb->cb)[1];
15255 	struct nlattr *data = ((void **)skb->cb)[2];
15256 
15257 	/* clear CB data for netlink core to own from now on */
15258 	memset(skb->cb, 0, sizeof(skb->cb));
15259 
15260 	if (WARN_ON(!rdev->cur_cmd_info)) {
15261 		kfree_skb(skb);
15262 		return -EINVAL;
15263 	}
15264 
15265 	nla_nest_end(skb, data);
15266 	genlmsg_end(skb, hdr);
15267 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15268 }
15269 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15270 
15271 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15272 {
15273 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15274 
15275 	if (WARN_ON(!rdev->cur_cmd_info))
15276 		return 0;
15277 
15278 	return rdev->cur_cmd_info->snd_portid;
15279 }
15280 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15281 
15282 static int nl80211_set_qos_map(struct sk_buff *skb,
15283 			       struct genl_info *info)
15284 {
15285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15286 	struct cfg80211_qos_map *qos_map = NULL;
15287 	struct net_device *dev = info->user_ptr[1];
15288 	u8 *pos, len, num_des, des_len, des;
15289 	int ret;
15290 
15291 	if (!rdev->ops->set_qos_map)
15292 		return -EOPNOTSUPP;
15293 
15294 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15295 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15296 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15297 
15298 		if (len % 2)
15299 			return -EINVAL;
15300 
15301 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15302 		if (!qos_map)
15303 			return -ENOMEM;
15304 
15305 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15306 		if (num_des) {
15307 			des_len = num_des *
15308 				sizeof(struct cfg80211_dscp_exception);
15309 			memcpy(qos_map->dscp_exception, pos, des_len);
15310 			qos_map->num_des = num_des;
15311 			for (des = 0; des < num_des; des++) {
15312 				if (qos_map->dscp_exception[des].up > 7) {
15313 					kfree(qos_map);
15314 					return -EINVAL;
15315 				}
15316 			}
15317 			pos += des_len;
15318 		}
15319 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15320 	}
15321 
15322 	wdev_lock(dev->ieee80211_ptr);
15323 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15324 	if (!ret)
15325 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15326 	wdev_unlock(dev->ieee80211_ptr);
15327 
15328 	kfree(qos_map);
15329 	return ret;
15330 }
15331 
15332 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15333 {
15334 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15335 	struct net_device *dev = info->user_ptr[1];
15336 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15337 	const u8 *peer;
15338 	u8 tsid, up;
15339 	u16 admitted_time = 0;
15340 	int err;
15341 
15342 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15343 		return -EOPNOTSUPP;
15344 
15345 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15346 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15347 		return -EINVAL;
15348 
15349 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15350 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15351 
15352 	/* WMM uses TIDs 0-7 even for TSPEC */
15353 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15354 		/* TODO: handle 802.11 TSPEC/admission control
15355 		 * need more attributes for that (e.g. BA session requirement);
15356 		 * change the WMM adminssion test above to allow both then
15357 		 */
15358 		return -EINVAL;
15359 	}
15360 
15361 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15362 
15363 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15364 		admitted_time =
15365 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15366 		if (!admitted_time)
15367 			return -EINVAL;
15368 	}
15369 
15370 	wdev_lock(wdev);
15371 	switch (wdev->iftype) {
15372 	case NL80211_IFTYPE_STATION:
15373 	case NL80211_IFTYPE_P2P_CLIENT:
15374 		if (wdev->connected)
15375 			break;
15376 		err = -ENOTCONN;
15377 		goto out;
15378 	default:
15379 		err = -EOPNOTSUPP;
15380 		goto out;
15381 	}
15382 
15383 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15384 
15385  out:
15386 	wdev_unlock(wdev);
15387 	return err;
15388 }
15389 
15390 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15391 {
15392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15393 	struct net_device *dev = info->user_ptr[1];
15394 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15395 	const u8 *peer;
15396 	u8 tsid;
15397 	int err;
15398 
15399 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15400 		return -EINVAL;
15401 
15402 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15403 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15404 
15405 	wdev_lock(wdev);
15406 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15407 	wdev_unlock(wdev);
15408 
15409 	return err;
15410 }
15411 
15412 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15413 				       struct genl_info *info)
15414 {
15415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15416 	struct net_device *dev = info->user_ptr[1];
15417 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15418 	struct cfg80211_chan_def chandef = {};
15419 	const u8 *addr;
15420 	u8 oper_class;
15421 	int err;
15422 
15423 	if (!rdev->ops->tdls_channel_switch ||
15424 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15425 		return -EOPNOTSUPP;
15426 
15427 	switch (dev->ieee80211_ptr->iftype) {
15428 	case NL80211_IFTYPE_STATION:
15429 	case NL80211_IFTYPE_P2P_CLIENT:
15430 		break;
15431 	default:
15432 		return -EOPNOTSUPP;
15433 	}
15434 
15435 	if (!info->attrs[NL80211_ATTR_MAC] ||
15436 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15437 		return -EINVAL;
15438 
15439 	err = nl80211_parse_chandef(rdev, info, &chandef);
15440 	if (err)
15441 		return err;
15442 
15443 	/*
15444 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15445 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15446 	 * specification is not defined for them.
15447 	 */
15448 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15449 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15450 	    chandef.width != NL80211_CHAN_WIDTH_20)
15451 		return -EINVAL;
15452 
15453 	/* we will be active on the TDLS link */
15454 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15455 					   wdev->iftype))
15456 		return -EINVAL;
15457 
15458 	/* don't allow switching to DFS channels */
15459 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15460 		return -EINVAL;
15461 
15462 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15463 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15464 
15465 	wdev_lock(wdev);
15466 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15467 	wdev_unlock(wdev);
15468 
15469 	return err;
15470 }
15471 
15472 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15473 					      struct genl_info *info)
15474 {
15475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15476 	struct net_device *dev = info->user_ptr[1];
15477 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15478 	const u8 *addr;
15479 
15480 	if (!rdev->ops->tdls_channel_switch ||
15481 	    !rdev->ops->tdls_cancel_channel_switch ||
15482 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15483 		return -EOPNOTSUPP;
15484 
15485 	switch (dev->ieee80211_ptr->iftype) {
15486 	case NL80211_IFTYPE_STATION:
15487 	case NL80211_IFTYPE_P2P_CLIENT:
15488 		break;
15489 	default:
15490 		return -EOPNOTSUPP;
15491 	}
15492 
15493 	if (!info->attrs[NL80211_ATTR_MAC])
15494 		return -EINVAL;
15495 
15496 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15497 
15498 	wdev_lock(wdev);
15499 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15500 	wdev_unlock(wdev);
15501 
15502 	return 0;
15503 }
15504 
15505 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15506 					    struct genl_info *info)
15507 {
15508 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15509 	struct net_device *dev = info->user_ptr[1];
15510 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15511 	const struct nlattr *nla;
15512 	bool enabled;
15513 
15514 	if (!rdev->ops->set_multicast_to_unicast)
15515 		return -EOPNOTSUPP;
15516 
15517 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15518 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15519 		return -EOPNOTSUPP;
15520 
15521 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15522 	enabled = nla_get_flag(nla);
15523 
15524 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15525 }
15526 
15527 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15528 {
15529 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15530 	struct net_device *dev = info->user_ptr[1];
15531 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15532 	struct cfg80211_pmk_conf pmk_conf = {};
15533 	int ret;
15534 
15535 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15536 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15537 		return -EOPNOTSUPP;
15538 
15539 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15540 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15541 		return -EOPNOTSUPP;
15542 
15543 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15544 		return -EINVAL;
15545 
15546 	wdev_lock(wdev);
15547 	if (!wdev->connected) {
15548 		ret = -ENOTCONN;
15549 		goto out;
15550 	}
15551 
15552 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15553 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15554 		ret = -EINVAL;
15555 		goto out;
15556 	}
15557 
15558 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15559 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15560 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15561 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15562 		ret = -EINVAL;
15563 		goto out;
15564 	}
15565 
15566 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15567 		pmk_conf.pmk_r0_name =
15568 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15569 
15570 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15571 out:
15572 	wdev_unlock(wdev);
15573 	return ret;
15574 }
15575 
15576 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15577 {
15578 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15579 	struct net_device *dev = info->user_ptr[1];
15580 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15581 	const u8 *aa;
15582 	int ret;
15583 
15584 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15585 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15586 		return -EOPNOTSUPP;
15587 
15588 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15589 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15590 		return -EOPNOTSUPP;
15591 
15592 	if (!info->attrs[NL80211_ATTR_MAC])
15593 		return -EINVAL;
15594 
15595 	wdev_lock(wdev);
15596 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15597 	ret = rdev_del_pmk(rdev, dev, aa);
15598 	wdev_unlock(wdev);
15599 
15600 	return ret;
15601 }
15602 
15603 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15604 {
15605 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15606 	struct net_device *dev = info->user_ptr[1];
15607 	struct cfg80211_external_auth_params params;
15608 
15609 	if (!rdev->ops->external_auth)
15610 		return -EOPNOTSUPP;
15611 
15612 	if (!info->attrs[NL80211_ATTR_SSID] &&
15613 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15614 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15615 		return -EINVAL;
15616 
15617 	if (!info->attrs[NL80211_ATTR_BSSID])
15618 		return -EINVAL;
15619 
15620 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15621 		return -EINVAL;
15622 
15623 	memset(&params, 0, sizeof(params));
15624 
15625 	if (info->attrs[NL80211_ATTR_SSID]) {
15626 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15627 		if (params.ssid.ssid_len == 0)
15628 			return -EINVAL;
15629 		memcpy(params.ssid.ssid,
15630 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15631 		       params.ssid.ssid_len);
15632 	}
15633 
15634 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15635 	       ETH_ALEN);
15636 
15637 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15638 
15639 	if (info->attrs[NL80211_ATTR_PMKID])
15640 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15641 
15642 	return rdev_external_auth(rdev, dev, &params);
15643 }
15644 
15645 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15646 {
15647 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15649 	struct net_device *dev = info->user_ptr[1];
15650 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15651 	const u8 *buf;
15652 	size_t len;
15653 	u8 *dest;
15654 	u16 proto;
15655 	bool noencrypt;
15656 	u64 cookie = 0;
15657 	int link_id;
15658 	int err;
15659 
15660 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15661 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15662 		return -EOPNOTSUPP;
15663 
15664 	if (!rdev->ops->tx_control_port)
15665 		return -EOPNOTSUPP;
15666 
15667 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15668 	    !info->attrs[NL80211_ATTR_MAC] ||
15669 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15670 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15671 		return -EINVAL;
15672 	}
15673 
15674 	wdev_lock(wdev);
15675 
15676 	switch (wdev->iftype) {
15677 	case NL80211_IFTYPE_AP:
15678 	case NL80211_IFTYPE_P2P_GO:
15679 	case NL80211_IFTYPE_MESH_POINT:
15680 		break;
15681 	case NL80211_IFTYPE_ADHOC:
15682 		if (wdev->u.ibss.current_bss)
15683 			break;
15684 		err = -ENOTCONN;
15685 		goto out;
15686 	case NL80211_IFTYPE_STATION:
15687 	case NL80211_IFTYPE_P2P_CLIENT:
15688 		if (wdev->connected)
15689 			break;
15690 		err = -ENOTCONN;
15691 		goto out;
15692 	default:
15693 		err = -EOPNOTSUPP;
15694 		goto out;
15695 	}
15696 
15697 	wdev_unlock(wdev);
15698 
15699 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15700 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15701 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15702 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15703 	noencrypt =
15704 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15705 
15706 	link_id = nl80211_link_id_or_invalid(info->attrs);
15707 
15708 	err = rdev_tx_control_port(rdev, dev, buf, len,
15709 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15710 				   dont_wait_for_ack ? NULL : &cookie);
15711 	if (!err && !dont_wait_for_ack)
15712 		nl_set_extack_cookie_u64(info->extack, cookie);
15713 	return err;
15714  out:
15715 	wdev_unlock(wdev);
15716 	return err;
15717 }
15718 
15719 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15720 					   struct genl_info *info)
15721 {
15722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15723 	struct net_device *dev = info->user_ptr[1];
15724 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15725 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15726 	unsigned int link_id = nl80211_link_id(info->attrs);
15727 	struct sk_buff *msg;
15728 	void *hdr;
15729 	struct nlattr *ftm_stats_attr;
15730 	int err;
15731 
15732 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15733 	    !wdev->links[link_id].ap.beacon_interval)
15734 		return -EOPNOTSUPP;
15735 
15736 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15737 	if (err)
15738 		return err;
15739 
15740 	if (!ftm_stats.filled)
15741 		return -ENODATA;
15742 
15743 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15744 	if (!msg)
15745 		return -ENOMEM;
15746 
15747 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15748 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15749 	if (!hdr)
15750 		goto nla_put_failure;
15751 
15752 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15753 		goto nla_put_failure;
15754 
15755 	ftm_stats_attr = nla_nest_start_noflag(msg,
15756 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15757 	if (!ftm_stats_attr)
15758 		goto nla_put_failure;
15759 
15760 #define SET_FTM(field, name, type)					 \
15761 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15762 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15763 			     ftm_stats.field))				 \
15764 		goto nla_put_failure; } while (0)
15765 #define SET_FTM_U64(field, name)					 \
15766 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15767 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15768 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15769 		goto nla_put_failure; } while (0)
15770 
15771 	SET_FTM(success_num, SUCCESS_NUM, u32);
15772 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15773 	SET_FTM(failed_num, FAILED_NUM, u32);
15774 	SET_FTM(asap_num, ASAP_NUM, u32);
15775 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15776 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15777 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15778 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15779 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15780 #undef SET_FTM
15781 
15782 	nla_nest_end(msg, ftm_stats_attr);
15783 
15784 	genlmsg_end(msg, hdr);
15785 	return genlmsg_reply(msg, info);
15786 
15787 nla_put_failure:
15788 	nlmsg_free(msg);
15789 	return -ENOBUFS;
15790 }
15791 
15792 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15793 {
15794 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15795 	struct cfg80211_update_owe_info owe_info;
15796 	struct net_device *dev = info->user_ptr[1];
15797 
15798 	if (!rdev->ops->update_owe_info)
15799 		return -EOPNOTSUPP;
15800 
15801 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15802 	    !info->attrs[NL80211_ATTR_MAC])
15803 		return -EINVAL;
15804 
15805 	memset(&owe_info, 0, sizeof(owe_info));
15806 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15807 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15808 
15809 	if (info->attrs[NL80211_ATTR_IE]) {
15810 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15811 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15812 	}
15813 
15814 	return rdev_update_owe_info(rdev, dev, &owe_info);
15815 }
15816 
15817 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15818 {
15819 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15820 	struct net_device *dev = info->user_ptr[1];
15821 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15822 	struct station_info sinfo = {};
15823 	const u8 *buf;
15824 	size_t len;
15825 	u8 *dest;
15826 	int err;
15827 
15828 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15829 		return -EOPNOTSUPP;
15830 
15831 	if (!info->attrs[NL80211_ATTR_MAC] ||
15832 	    !info->attrs[NL80211_ATTR_FRAME]) {
15833 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15834 		return -EINVAL;
15835 	}
15836 
15837 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15838 		return -EOPNOTSUPP;
15839 
15840 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15841 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15842 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15843 
15844 	if (len < sizeof(struct ethhdr))
15845 		return -EINVAL;
15846 
15847 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15848 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15849 		return -EINVAL;
15850 
15851 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15852 	if (err)
15853 		return err;
15854 
15855 	cfg80211_sinfo_release_content(&sinfo);
15856 
15857 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15858 }
15859 
15860 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15861 			  struct nlattr *attrs[], struct net_device *dev,
15862 			  struct cfg80211_tid_cfg *tid_conf,
15863 			  struct genl_info *info, const u8 *peer,
15864 			  unsigned int link_id)
15865 {
15866 	struct netlink_ext_ack *extack = info->extack;
15867 	u64 mask;
15868 	int err;
15869 
15870 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15871 		return -EINVAL;
15872 
15873 	tid_conf->config_override =
15874 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15875 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15876 
15877 	if (tid_conf->config_override) {
15878 		if (rdev->ops->reset_tid_config) {
15879 			err = rdev_reset_tid_config(rdev, dev, peer,
15880 						    tid_conf->tids);
15881 			if (err)
15882 				return err;
15883 		} else {
15884 			return -EINVAL;
15885 		}
15886 	}
15887 
15888 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15889 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15890 		tid_conf->noack =
15891 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15892 	}
15893 
15894 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15895 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15896 		tid_conf->retry_short =
15897 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15898 
15899 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15900 			return -EINVAL;
15901 	}
15902 
15903 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15904 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15905 		tid_conf->retry_long =
15906 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15907 
15908 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15909 			return -EINVAL;
15910 	}
15911 
15912 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15913 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15914 		tid_conf->ampdu =
15915 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15916 	}
15917 
15918 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15919 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15920 		tid_conf->rtscts =
15921 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15922 	}
15923 
15924 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15925 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15926 		tid_conf->amsdu =
15927 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15928 	}
15929 
15930 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15931 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15932 
15933 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15934 
15935 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15936 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15937 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15938 						    &tid_conf->txrate_mask, dev,
15939 						    true, link_id);
15940 			if (err)
15941 				return err;
15942 
15943 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15944 		}
15945 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15946 	}
15947 
15948 	if (peer)
15949 		mask = rdev->wiphy.tid_config_support.peer;
15950 	else
15951 		mask = rdev->wiphy.tid_config_support.vif;
15952 
15953 	if (tid_conf->mask & ~mask) {
15954 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15955 		return -ENOTSUPP;
15956 	}
15957 
15958 	return 0;
15959 }
15960 
15961 static int nl80211_set_tid_config(struct sk_buff *skb,
15962 				  struct genl_info *info)
15963 {
15964 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15965 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15966 	unsigned int link_id = nl80211_link_id(info->attrs);
15967 	struct net_device *dev = info->user_ptr[1];
15968 	struct cfg80211_tid_config *tid_config;
15969 	struct nlattr *tid;
15970 	int conf_idx = 0, rem_conf;
15971 	int ret = -EINVAL;
15972 	u32 num_conf = 0;
15973 
15974 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15975 		return -EINVAL;
15976 
15977 	if (!rdev->ops->set_tid_config)
15978 		return -EOPNOTSUPP;
15979 
15980 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15981 			    rem_conf)
15982 		num_conf++;
15983 
15984 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15985 			     GFP_KERNEL);
15986 	if (!tid_config)
15987 		return -ENOMEM;
15988 
15989 	tid_config->n_tid_conf = num_conf;
15990 
15991 	if (info->attrs[NL80211_ATTR_MAC])
15992 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15993 
15994 	wdev_lock(dev->ieee80211_ptr);
15995 
15996 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15997 			    rem_conf) {
15998 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15999 				       tid, NULL, NULL);
16000 
16001 		if (ret)
16002 			goto bad_tid_conf;
16003 
16004 		ret = parse_tid_conf(rdev, attrs, dev,
16005 				     &tid_config->tid_conf[conf_idx],
16006 				     info, tid_config->peer, link_id);
16007 		if (ret)
16008 			goto bad_tid_conf;
16009 
16010 		conf_idx++;
16011 	}
16012 
16013 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16014 
16015 bad_tid_conf:
16016 	kfree(tid_config);
16017 	wdev_unlock(dev->ieee80211_ptr);
16018 	return ret;
16019 }
16020 
16021 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16022 {
16023 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16024 	struct cfg80211_color_change_settings params = {};
16025 	struct net_device *dev = info->user_ptr[1];
16026 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16027 	struct nlattr **tb;
16028 	u16 offset;
16029 	int err;
16030 
16031 	if (!rdev->ops->color_change)
16032 		return -EOPNOTSUPP;
16033 
16034 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16035 				     NL80211_EXT_FEATURE_BSS_COLOR))
16036 		return -EOPNOTSUPP;
16037 
16038 	if (wdev->iftype != NL80211_IFTYPE_AP)
16039 		return -EOPNOTSUPP;
16040 
16041 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16042 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16043 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16044 		return -EINVAL;
16045 
16046 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16047 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16048 
16049 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16050 				   info->extack);
16051 	if (err)
16052 		return err;
16053 
16054 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16055 	if (!tb)
16056 		return -ENOMEM;
16057 
16058 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16059 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16060 			       nl80211_policy, info->extack);
16061 	if (err)
16062 		goto out;
16063 
16064 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16065 				   info->extack);
16066 	if (err)
16067 		goto out;
16068 
16069 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16070 		err = -EINVAL;
16071 		goto out;
16072 	}
16073 
16074 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16075 		err = -EINVAL;
16076 		goto out;
16077 	}
16078 
16079 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16080 	if (offset >= params.beacon_color_change.tail_len) {
16081 		err = -EINVAL;
16082 		goto out;
16083 	}
16084 
16085 	if (params.beacon_color_change.tail[offset] != params.count) {
16086 		err = -EINVAL;
16087 		goto out;
16088 	}
16089 
16090 	params.counter_offset_beacon = offset;
16091 
16092 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16093 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16094 		    sizeof(u16)) {
16095 			err = -EINVAL;
16096 			goto out;
16097 		}
16098 
16099 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16100 		if (offset >= params.beacon_color_change.probe_resp_len) {
16101 			err = -EINVAL;
16102 			goto out;
16103 		}
16104 
16105 		if (params.beacon_color_change.probe_resp[offset] !=
16106 		    params.count) {
16107 			err = -EINVAL;
16108 			goto out;
16109 		}
16110 
16111 		params.counter_offset_presp = offset;
16112 	}
16113 
16114 	wdev_lock(wdev);
16115 	err = rdev_color_change(rdev, dev, &params);
16116 	wdev_unlock(wdev);
16117 
16118 out:
16119 	kfree(params.beacon_next.mbssid_ies);
16120 	kfree(params.beacon_color_change.mbssid_ies);
16121 	kfree(params.beacon_next.rnr_ies);
16122 	kfree(params.beacon_color_change.rnr_ies);
16123 	kfree(tb);
16124 	return err;
16125 }
16126 
16127 static int nl80211_set_fils_aad(struct sk_buff *skb,
16128 				struct genl_info *info)
16129 {
16130 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16131 	struct net_device *dev = info->user_ptr[1];
16132 	struct cfg80211_fils_aad fils_aad = {};
16133 	u8 *nonces;
16134 
16135 	if (!info->attrs[NL80211_ATTR_MAC] ||
16136 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16137 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16138 		return -EINVAL;
16139 
16140 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16141 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16142 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16143 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16144 	fils_aad.snonce = nonces;
16145 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16146 
16147 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16148 }
16149 
16150 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16151 {
16152 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16153 	unsigned int link_id = nl80211_link_id(info->attrs);
16154 	struct net_device *dev = info->user_ptr[1];
16155 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16156 	int ret;
16157 
16158 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16159 		return -EINVAL;
16160 
16161 	switch (wdev->iftype) {
16162 	case NL80211_IFTYPE_AP:
16163 		break;
16164 	default:
16165 		return -EINVAL;
16166 	}
16167 
16168 	if (!info->attrs[NL80211_ATTR_MAC] ||
16169 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16170 		return -EINVAL;
16171 
16172 	wdev_lock(wdev);
16173 	wdev->valid_links |= BIT(link_id);
16174 	ether_addr_copy(wdev->links[link_id].addr,
16175 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16176 
16177 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16178 	if (ret) {
16179 		wdev->valid_links &= ~BIT(link_id);
16180 		eth_zero_addr(wdev->links[link_id].addr);
16181 	}
16182 	wdev_unlock(wdev);
16183 
16184 	return ret;
16185 }
16186 
16187 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16188 {
16189 	unsigned int link_id = nl80211_link_id(info->attrs);
16190 	struct net_device *dev = info->user_ptr[1];
16191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16192 
16193 	/* cannot remove if there's no link */
16194 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16195 		return -EINVAL;
16196 
16197 	switch (wdev->iftype) {
16198 	case NL80211_IFTYPE_AP:
16199 		break;
16200 	default:
16201 		return -EINVAL;
16202 	}
16203 
16204 	wdev_lock(wdev);
16205 	cfg80211_remove_link(wdev, link_id);
16206 	wdev_unlock(wdev);
16207 
16208 	return 0;
16209 }
16210 
16211 static int
16212 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16213 			     bool add)
16214 {
16215 	struct link_station_parameters params = {};
16216 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16217 	struct net_device *dev = info->user_ptr[1];
16218 	int err;
16219 
16220 	if ((add && !rdev->ops->add_link_station) ||
16221 	    (!add && !rdev->ops->mod_link_station))
16222 		return -EOPNOTSUPP;
16223 
16224 	if (add && !info->attrs[NL80211_ATTR_MAC])
16225 		return -EINVAL;
16226 
16227 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16228 		return -EINVAL;
16229 
16230 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16231 		return -EINVAL;
16232 
16233 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16234 
16235 	if (info->attrs[NL80211_ATTR_MAC]) {
16236 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16237 		if (!is_valid_ether_addr(params.link_mac))
16238 			return -EINVAL;
16239 	}
16240 
16241 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16242 		return -EINVAL;
16243 
16244 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16245 
16246 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16247 		params.supported_rates =
16248 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16249 		params.supported_rates_len =
16250 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16251 	}
16252 
16253 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16254 		params.ht_capa =
16255 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16256 
16257 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16258 		params.vht_capa =
16259 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16260 
16261 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16262 		params.he_capa =
16263 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16264 		params.he_capa_len =
16265 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16266 
16267 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16268 			params.eht_capa =
16269 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16270 			params.eht_capa_len =
16271 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16272 
16273 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16274 							(const u8 *)params.eht_capa,
16275 							params.eht_capa_len,
16276 							false))
16277 				return -EINVAL;
16278 		}
16279 	}
16280 
16281 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16282 		params.he_6ghz_capa =
16283 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16284 
16285 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16286 		params.opmode_notif_used = true;
16287 		params.opmode_notif =
16288 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16289 	}
16290 
16291 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16292 						&params.txpwr_set);
16293 	if (err)
16294 		return err;
16295 
16296 	wdev_lock(dev->ieee80211_ptr);
16297 	if (add)
16298 		err = rdev_add_link_station(rdev, dev, &params);
16299 	else
16300 		err = rdev_mod_link_station(rdev, dev, &params);
16301 	wdev_unlock(dev->ieee80211_ptr);
16302 
16303 	return err;
16304 }
16305 
16306 static int
16307 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16308 {
16309 	return nl80211_add_mod_link_station(skb, info, true);
16310 }
16311 
16312 static int
16313 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16314 {
16315 	return nl80211_add_mod_link_station(skb, info, false);
16316 }
16317 
16318 static int
16319 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16320 {
16321 	struct link_station_del_parameters params = {};
16322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16323 	struct net_device *dev = info->user_ptr[1];
16324 	int ret;
16325 
16326 	if (!rdev->ops->del_link_station)
16327 		return -EOPNOTSUPP;
16328 
16329 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16330 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16331 		return -EINVAL;
16332 
16333 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16334 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16335 
16336 	wdev_lock(dev->ieee80211_ptr);
16337 	ret = rdev_del_link_station(rdev, dev, &params);
16338 	wdev_unlock(dev->ieee80211_ptr);
16339 
16340 	return ret;
16341 }
16342 
16343 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16344 				    struct genl_info *info)
16345 {
16346 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16347 	struct net_device *dev = info->user_ptr[1];
16348 	struct cfg80211_set_hw_timestamp hwts = {};
16349 
16350 	if (!rdev->wiphy.hw_timestamp_max_peers)
16351 		return -EOPNOTSUPP;
16352 
16353 	if (!info->attrs[NL80211_ATTR_MAC] &&
16354 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16355 		return -EOPNOTSUPP;
16356 
16357 	if (info->attrs[NL80211_ATTR_MAC])
16358 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16359 
16360 	hwts.enable =
16361 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16362 
16363 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16364 }
16365 
16366 #define NL80211_FLAG_NEED_WIPHY		0x01
16367 #define NL80211_FLAG_NEED_NETDEV	0x02
16368 #define NL80211_FLAG_NEED_RTNL		0x04
16369 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16370 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16371 					 NL80211_FLAG_CHECK_NETDEV_UP)
16372 #define NL80211_FLAG_NEED_WDEV		0x10
16373 /* If a netdev is associated, it must be UP, P2P must be started */
16374 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16375 					 NL80211_FLAG_CHECK_NETDEV_UP)
16376 #define NL80211_FLAG_CLEAR_SKB		0x20
16377 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16378 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16379 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16380 
16381 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16382 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16383 	SELECTOR(__sel, WIPHY,				\
16384 		 NL80211_FLAG_NEED_WIPHY)		\
16385 	SELECTOR(__sel, WDEV,				\
16386 		 NL80211_FLAG_NEED_WDEV)		\
16387 	SELECTOR(__sel, NETDEV,				\
16388 		 NL80211_FLAG_NEED_NETDEV)		\
16389 	SELECTOR(__sel, NETDEV_LINK,			\
16390 		 NL80211_FLAG_NEED_NETDEV |		\
16391 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16392 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16393 		 NL80211_FLAG_NEED_NETDEV |		\
16394 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16395 	SELECTOR(__sel, WIPHY_RTNL,			\
16396 		 NL80211_FLAG_NEED_WIPHY |		\
16397 		 NL80211_FLAG_NEED_RTNL)		\
16398 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16399 		 NL80211_FLAG_NEED_WIPHY |		\
16400 		 NL80211_FLAG_NEED_RTNL |		\
16401 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16402 	SELECTOR(__sel, WDEV_RTNL,			\
16403 		 NL80211_FLAG_NEED_WDEV |		\
16404 		 NL80211_FLAG_NEED_RTNL)		\
16405 	SELECTOR(__sel, NETDEV_RTNL,			\
16406 		 NL80211_FLAG_NEED_NETDEV |		\
16407 		 NL80211_FLAG_NEED_RTNL)		\
16408 	SELECTOR(__sel, NETDEV_UP,			\
16409 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16410 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16411 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16412 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16413 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16414 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16415 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16416 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16417 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16418 		 NL80211_FLAG_CLEAR_SKB |		\
16419 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16420 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16421 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16422 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16423 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16424 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16425 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16426 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16427 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16428 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16429 		 NL80211_FLAG_CLEAR_SKB)		\
16430 	SELECTOR(__sel, WDEV_UP,			\
16431 		 NL80211_FLAG_NEED_WDEV_UP)		\
16432 	SELECTOR(__sel, WDEV_UP_LINK,			\
16433 		 NL80211_FLAG_NEED_WDEV_UP |		\
16434 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16435 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16436 		 NL80211_FLAG_NEED_WDEV_UP |		\
16437 		 NL80211_FLAG_NEED_RTNL)		\
16438 	SELECTOR(__sel, WIPHY_CLEAR,			\
16439 		 NL80211_FLAG_NEED_WIPHY |		\
16440 		 NL80211_FLAG_CLEAR_SKB)
16441 
16442 enum nl80211_internal_flags_selector {
16443 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16444 	INTERNAL_FLAG_SELECTORS(_)
16445 #undef SELECTOR
16446 };
16447 
16448 static u32 nl80211_internal_flags[] = {
16449 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16450 	INTERNAL_FLAG_SELECTORS(_)
16451 #undef SELECTOR
16452 };
16453 
16454 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16455 			    struct sk_buff *skb,
16456 			    struct genl_info *info)
16457 {
16458 	struct cfg80211_registered_device *rdev = NULL;
16459 	struct wireless_dev *wdev = NULL;
16460 	struct net_device *dev = NULL;
16461 	u32 internal_flags;
16462 	int err;
16463 
16464 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16465 		return -EINVAL;
16466 
16467 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16468 
16469 	rtnl_lock();
16470 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16471 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16472 		if (IS_ERR(rdev)) {
16473 			err = PTR_ERR(rdev);
16474 			goto out_unlock;
16475 		}
16476 		info->user_ptr[0] = rdev;
16477 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16478 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16479 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16480 						  info->attrs);
16481 		if (IS_ERR(wdev)) {
16482 			err = PTR_ERR(wdev);
16483 			goto out_unlock;
16484 		}
16485 
16486 		dev = wdev->netdev;
16487 		dev_hold(dev);
16488 		rdev = wiphy_to_rdev(wdev->wiphy);
16489 
16490 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16491 			if (!dev) {
16492 				err = -EINVAL;
16493 				goto out_unlock;
16494 			}
16495 
16496 			info->user_ptr[1] = dev;
16497 		} else {
16498 			info->user_ptr[1] = wdev;
16499 		}
16500 
16501 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16502 		    !wdev_running(wdev)) {
16503 			err = -ENETDOWN;
16504 			goto out_unlock;
16505 		}
16506 
16507 		info->user_ptr[0] = rdev;
16508 	}
16509 
16510 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16511 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16512 
16513 		if (!wdev) {
16514 			err = -EINVAL;
16515 			goto out_unlock;
16516 		}
16517 
16518 		/* MLO -> require valid link ID */
16519 		if (wdev->valid_links &&
16520 		    (!link_id ||
16521 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16522 			err = -EINVAL;
16523 			goto out_unlock;
16524 		}
16525 
16526 		/* non-MLO -> no link ID attribute accepted */
16527 		if (!wdev->valid_links && link_id) {
16528 			err = -EINVAL;
16529 			goto out_unlock;
16530 		}
16531 	}
16532 
16533 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16534 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16535 		    (wdev && wdev->valid_links)) {
16536 			err = -EINVAL;
16537 			goto out_unlock;
16538 		}
16539 	}
16540 
16541 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16542 		wiphy_lock(&rdev->wiphy);
16543 		/* we keep the mutex locked until post_doit */
16544 		__release(&rdev->wiphy.mtx);
16545 	}
16546 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16547 		rtnl_unlock();
16548 
16549 	return 0;
16550 out_unlock:
16551 	rtnl_unlock();
16552 	dev_put(dev);
16553 	return err;
16554 }
16555 
16556 static void nl80211_post_doit(const struct genl_split_ops *ops,
16557 			      struct sk_buff *skb,
16558 			      struct genl_info *info)
16559 {
16560 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16561 
16562 	if (info->user_ptr[1]) {
16563 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16564 			struct wireless_dev *wdev = info->user_ptr[1];
16565 
16566 			dev_put(wdev->netdev);
16567 		} else {
16568 			dev_put(info->user_ptr[1]);
16569 		}
16570 	}
16571 
16572 	if (info->user_ptr[0] &&
16573 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16574 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16575 
16576 		/* we kept the mutex locked since pre_doit */
16577 		__acquire(&rdev->wiphy.mtx);
16578 		wiphy_unlock(&rdev->wiphy);
16579 	}
16580 
16581 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16582 		rtnl_unlock();
16583 
16584 	/* If needed, clear the netlink message payload from the SKB
16585 	 * as it might contain key data that shouldn't stick around on
16586 	 * the heap after the SKB is freed. The netlink message header
16587 	 * is still needed for further processing, so leave it intact.
16588 	 */
16589 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16590 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16591 
16592 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16593 	}
16594 }
16595 
16596 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16597 				     struct cfg80211_sar_specs *sar_specs,
16598 				     struct nlattr *spec[], int index)
16599 {
16600 	u32 range_index, i;
16601 
16602 	if (!sar_specs || !spec)
16603 		return -EINVAL;
16604 
16605 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16606 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16607 		return -EINVAL;
16608 
16609 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16610 
16611 	/* check if range_index exceeds num_freq_ranges */
16612 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16613 		return -EINVAL;
16614 
16615 	/* check if range_index duplicates */
16616 	for (i = 0; i < index; i++) {
16617 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16618 			return -EINVAL;
16619 	}
16620 
16621 	sar_specs->sub_specs[index].power =
16622 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16623 
16624 	sar_specs->sub_specs[index].freq_range_index = range_index;
16625 
16626 	return 0;
16627 }
16628 
16629 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16630 {
16631 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16632 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16633 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16634 	struct cfg80211_sar_specs *sar_spec;
16635 	enum nl80211_sar_type type;
16636 	struct nlattr *spec_list;
16637 	u32 specs;
16638 	int rem, err;
16639 
16640 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16641 		return -EOPNOTSUPP;
16642 
16643 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16644 		return -EINVAL;
16645 
16646 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16647 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16648 			 NULL, NULL);
16649 
16650 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16651 		return -EINVAL;
16652 
16653 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16654 	if (type != rdev->wiphy.sar_capa->type)
16655 		return -EINVAL;
16656 
16657 	specs = 0;
16658 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16659 		specs++;
16660 
16661 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16662 		return -EINVAL;
16663 
16664 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16665 	if (!sar_spec)
16666 		return -ENOMEM;
16667 
16668 	sar_spec->type = type;
16669 	specs = 0;
16670 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16671 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16672 				 spec_list, NULL, NULL);
16673 
16674 		switch (type) {
16675 		case NL80211_SAR_TYPE_POWER:
16676 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16677 						      spec, specs)) {
16678 				err = -EINVAL;
16679 				goto error;
16680 			}
16681 			break;
16682 		default:
16683 			err = -EINVAL;
16684 			goto error;
16685 		}
16686 		specs++;
16687 	}
16688 
16689 	sar_spec->num_sub_specs = specs;
16690 
16691 	rdev->cur_cmd_info = info;
16692 	err = rdev_set_sar_specs(rdev, sar_spec);
16693 	rdev->cur_cmd_info = NULL;
16694 error:
16695 	kfree(sar_spec);
16696 	return err;
16697 }
16698 
16699 #define SELECTOR(__sel, name, value) \
16700 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16701 int __missing_selector(void);
16702 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16703 
16704 static const struct genl_ops nl80211_ops[] = {
16705 	{
16706 		.cmd = NL80211_CMD_GET_WIPHY,
16707 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16708 		.doit = nl80211_get_wiphy,
16709 		.dumpit = nl80211_dump_wiphy,
16710 		.done = nl80211_dump_wiphy_done,
16711 		/* can be retrieved by unprivileged users */
16712 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16713 	},
16714 };
16715 
16716 static const struct genl_small_ops nl80211_small_ops[] = {
16717 	{
16718 		.cmd = NL80211_CMD_SET_WIPHY,
16719 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16720 		.doit = nl80211_set_wiphy,
16721 		.flags = GENL_UNS_ADMIN_PERM,
16722 	},
16723 	{
16724 		.cmd = NL80211_CMD_GET_INTERFACE,
16725 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16726 		.doit = nl80211_get_interface,
16727 		.dumpit = nl80211_dump_interface,
16728 		/* can be retrieved by unprivileged users */
16729 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16730 	},
16731 	{
16732 		.cmd = NL80211_CMD_SET_INTERFACE,
16733 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16734 		.doit = nl80211_set_interface,
16735 		.flags = GENL_UNS_ADMIN_PERM,
16736 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16737 					 NL80211_FLAG_NEED_RTNL),
16738 	},
16739 	{
16740 		.cmd = NL80211_CMD_NEW_INTERFACE,
16741 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16742 		.doit = nl80211_new_interface,
16743 		.flags = GENL_UNS_ADMIN_PERM,
16744 		.internal_flags =
16745 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16746 			       NL80211_FLAG_NEED_RTNL |
16747 			       /* we take the wiphy mutex later ourselves */
16748 			       NL80211_FLAG_NO_WIPHY_MTX),
16749 	},
16750 	{
16751 		.cmd = NL80211_CMD_DEL_INTERFACE,
16752 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16753 		.doit = nl80211_del_interface,
16754 		.flags = GENL_UNS_ADMIN_PERM,
16755 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16756 					 NL80211_FLAG_NEED_RTNL),
16757 	},
16758 	{
16759 		.cmd = NL80211_CMD_GET_KEY,
16760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16761 		.doit = nl80211_get_key,
16762 		.flags = GENL_UNS_ADMIN_PERM,
16763 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16764 	},
16765 	{
16766 		.cmd = NL80211_CMD_SET_KEY,
16767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16768 		.doit = nl80211_set_key,
16769 		.flags = GENL_UNS_ADMIN_PERM,
16770 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16771 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16772 					 NL80211_FLAG_CLEAR_SKB),
16773 	},
16774 	{
16775 		.cmd = NL80211_CMD_NEW_KEY,
16776 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16777 		.doit = nl80211_new_key,
16778 		.flags = GENL_UNS_ADMIN_PERM,
16779 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16780 					 NL80211_FLAG_CLEAR_SKB),
16781 	},
16782 	{
16783 		.cmd = NL80211_CMD_DEL_KEY,
16784 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16785 		.doit = nl80211_del_key,
16786 		.flags = GENL_UNS_ADMIN_PERM,
16787 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16788 	},
16789 	{
16790 		.cmd = NL80211_CMD_SET_BEACON,
16791 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16792 		.flags = GENL_UNS_ADMIN_PERM,
16793 		.doit = nl80211_set_beacon,
16794 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16795 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16796 	},
16797 	{
16798 		.cmd = NL80211_CMD_START_AP,
16799 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16800 		.flags = GENL_UNS_ADMIN_PERM,
16801 		.doit = nl80211_start_ap,
16802 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16803 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16804 	},
16805 	{
16806 		.cmd = NL80211_CMD_STOP_AP,
16807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16808 		.flags = GENL_UNS_ADMIN_PERM,
16809 		.doit = nl80211_stop_ap,
16810 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16811 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16812 	},
16813 	{
16814 		.cmd = NL80211_CMD_GET_STATION,
16815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16816 		.doit = nl80211_get_station,
16817 		.dumpit = nl80211_dump_station,
16818 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16819 	},
16820 	{
16821 		.cmd = NL80211_CMD_SET_STATION,
16822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16823 		.doit = nl80211_set_station,
16824 		.flags = GENL_UNS_ADMIN_PERM,
16825 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16826 	},
16827 	{
16828 		.cmd = NL80211_CMD_NEW_STATION,
16829 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16830 		.doit = nl80211_new_station,
16831 		.flags = GENL_UNS_ADMIN_PERM,
16832 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16833 	},
16834 	{
16835 		.cmd = NL80211_CMD_DEL_STATION,
16836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16837 		.doit = nl80211_del_station,
16838 		.flags = GENL_UNS_ADMIN_PERM,
16839 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16840 	},
16841 	{
16842 		.cmd = NL80211_CMD_GET_MPATH,
16843 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16844 		.doit = nl80211_get_mpath,
16845 		.dumpit = nl80211_dump_mpath,
16846 		.flags = GENL_UNS_ADMIN_PERM,
16847 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16848 	},
16849 	{
16850 		.cmd = NL80211_CMD_GET_MPP,
16851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16852 		.doit = nl80211_get_mpp,
16853 		.dumpit = nl80211_dump_mpp,
16854 		.flags = GENL_UNS_ADMIN_PERM,
16855 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16856 	},
16857 	{
16858 		.cmd = NL80211_CMD_SET_MPATH,
16859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16860 		.doit = nl80211_set_mpath,
16861 		.flags = GENL_UNS_ADMIN_PERM,
16862 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16863 	},
16864 	{
16865 		.cmd = NL80211_CMD_NEW_MPATH,
16866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16867 		.doit = nl80211_new_mpath,
16868 		.flags = GENL_UNS_ADMIN_PERM,
16869 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16870 	},
16871 	{
16872 		.cmd = NL80211_CMD_DEL_MPATH,
16873 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16874 		.doit = nl80211_del_mpath,
16875 		.flags = GENL_UNS_ADMIN_PERM,
16876 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16877 	},
16878 	{
16879 		.cmd = NL80211_CMD_SET_BSS,
16880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16881 		.doit = nl80211_set_bss,
16882 		.flags = GENL_UNS_ADMIN_PERM,
16883 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16884 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16885 	},
16886 	{
16887 		.cmd = NL80211_CMD_GET_REG,
16888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16889 		.doit = nl80211_get_reg_do,
16890 		.dumpit = nl80211_get_reg_dump,
16891 		/* can be retrieved by unprivileged users */
16892 	},
16893 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16894 	{
16895 		.cmd = NL80211_CMD_SET_REG,
16896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16897 		.doit = nl80211_set_reg,
16898 		.flags = GENL_ADMIN_PERM,
16899 	},
16900 #endif
16901 	{
16902 		.cmd = NL80211_CMD_REQ_SET_REG,
16903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16904 		.doit = nl80211_req_set_reg,
16905 		.flags = GENL_ADMIN_PERM,
16906 	},
16907 	{
16908 		.cmd = NL80211_CMD_RELOAD_REGDB,
16909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16910 		.doit = nl80211_reload_regdb,
16911 		.flags = GENL_ADMIN_PERM,
16912 	},
16913 	{
16914 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16915 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16916 		.doit = nl80211_get_mesh_config,
16917 		/* can be retrieved by unprivileged users */
16918 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16919 	},
16920 	{
16921 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16923 		.doit = nl80211_update_mesh_config,
16924 		.flags = GENL_UNS_ADMIN_PERM,
16925 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16926 	},
16927 	{
16928 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16929 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16930 		.doit = nl80211_trigger_scan,
16931 		.flags = GENL_UNS_ADMIN_PERM,
16932 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16933 	},
16934 	{
16935 		.cmd = NL80211_CMD_ABORT_SCAN,
16936 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16937 		.doit = nl80211_abort_scan,
16938 		.flags = GENL_UNS_ADMIN_PERM,
16939 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16940 	},
16941 	{
16942 		.cmd = NL80211_CMD_GET_SCAN,
16943 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16944 		.dumpit = nl80211_dump_scan,
16945 	},
16946 	{
16947 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16948 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16949 		.doit = nl80211_start_sched_scan,
16950 		.flags = GENL_UNS_ADMIN_PERM,
16951 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16952 	},
16953 	{
16954 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16955 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16956 		.doit = nl80211_stop_sched_scan,
16957 		.flags = GENL_UNS_ADMIN_PERM,
16958 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16959 	},
16960 	{
16961 		.cmd = NL80211_CMD_AUTHENTICATE,
16962 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16963 		.doit = nl80211_authenticate,
16964 		.flags = GENL_UNS_ADMIN_PERM,
16965 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16966 					 NL80211_FLAG_CLEAR_SKB),
16967 	},
16968 	{
16969 		.cmd = NL80211_CMD_ASSOCIATE,
16970 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16971 		.doit = nl80211_associate,
16972 		.flags = GENL_UNS_ADMIN_PERM,
16973 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16974 					 NL80211_FLAG_CLEAR_SKB),
16975 	},
16976 	{
16977 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16979 		.doit = nl80211_deauthenticate,
16980 		.flags = GENL_UNS_ADMIN_PERM,
16981 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16982 	},
16983 	{
16984 		.cmd = NL80211_CMD_DISASSOCIATE,
16985 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16986 		.doit = nl80211_disassociate,
16987 		.flags = GENL_UNS_ADMIN_PERM,
16988 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16989 	},
16990 	{
16991 		.cmd = NL80211_CMD_JOIN_IBSS,
16992 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16993 		.doit = nl80211_join_ibss,
16994 		.flags = GENL_UNS_ADMIN_PERM,
16995 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16996 	},
16997 	{
16998 		.cmd = NL80211_CMD_LEAVE_IBSS,
16999 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17000 		.doit = nl80211_leave_ibss,
17001 		.flags = GENL_UNS_ADMIN_PERM,
17002 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17003 	},
17004 #ifdef CONFIG_NL80211_TESTMODE
17005 	{
17006 		.cmd = NL80211_CMD_TESTMODE,
17007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008 		.doit = nl80211_testmode_do,
17009 		.dumpit = nl80211_testmode_dump,
17010 		.flags = GENL_UNS_ADMIN_PERM,
17011 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17012 	},
17013 #endif
17014 	{
17015 		.cmd = NL80211_CMD_CONNECT,
17016 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17017 		.doit = nl80211_connect,
17018 		.flags = GENL_UNS_ADMIN_PERM,
17019 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17020 					 NL80211_FLAG_CLEAR_SKB),
17021 	},
17022 	{
17023 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17025 		.doit = nl80211_update_connect_params,
17026 		.flags = GENL_ADMIN_PERM,
17027 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17028 					 NL80211_FLAG_CLEAR_SKB),
17029 	},
17030 	{
17031 		.cmd = NL80211_CMD_DISCONNECT,
17032 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17033 		.doit = nl80211_disconnect,
17034 		.flags = GENL_UNS_ADMIN_PERM,
17035 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17036 	},
17037 	{
17038 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17040 		.doit = nl80211_wiphy_netns,
17041 		.flags = GENL_UNS_ADMIN_PERM,
17042 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17043 					 NL80211_FLAG_NEED_RTNL |
17044 					 NL80211_FLAG_NO_WIPHY_MTX),
17045 	},
17046 	{
17047 		.cmd = NL80211_CMD_GET_SURVEY,
17048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17049 		.dumpit = nl80211_dump_survey,
17050 	},
17051 	{
17052 		.cmd = NL80211_CMD_SET_PMKSA,
17053 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17054 		.doit = nl80211_setdel_pmksa,
17055 		.flags = GENL_UNS_ADMIN_PERM,
17056 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17057 					 NL80211_FLAG_CLEAR_SKB),
17058 	},
17059 	{
17060 		.cmd = NL80211_CMD_DEL_PMKSA,
17061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17062 		.doit = nl80211_setdel_pmksa,
17063 		.flags = GENL_UNS_ADMIN_PERM,
17064 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17065 	},
17066 	{
17067 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17068 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17069 		.doit = nl80211_flush_pmksa,
17070 		.flags = GENL_UNS_ADMIN_PERM,
17071 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17072 	},
17073 	{
17074 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17075 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17076 		.doit = nl80211_remain_on_channel,
17077 		.flags = GENL_UNS_ADMIN_PERM,
17078 		/* FIXME: requiring a link ID here is probably not good */
17079 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17080 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17081 	},
17082 	{
17083 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17084 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17085 		.doit = nl80211_cancel_remain_on_channel,
17086 		.flags = GENL_UNS_ADMIN_PERM,
17087 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17088 	},
17089 	{
17090 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17091 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17092 		.doit = nl80211_set_tx_bitrate_mask,
17093 		.flags = GENL_UNS_ADMIN_PERM,
17094 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17095 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17096 	},
17097 	{
17098 		.cmd = NL80211_CMD_REGISTER_FRAME,
17099 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17100 		.doit = nl80211_register_mgmt,
17101 		.flags = GENL_UNS_ADMIN_PERM,
17102 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17103 	},
17104 	{
17105 		.cmd = NL80211_CMD_FRAME,
17106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17107 		.doit = nl80211_tx_mgmt,
17108 		.flags = GENL_UNS_ADMIN_PERM,
17109 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17110 	},
17111 	{
17112 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17114 		.doit = nl80211_tx_mgmt_cancel_wait,
17115 		.flags = GENL_UNS_ADMIN_PERM,
17116 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17117 	},
17118 	{
17119 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17120 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17121 		.doit = nl80211_set_power_save,
17122 		.flags = GENL_UNS_ADMIN_PERM,
17123 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17124 	},
17125 	{
17126 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17128 		.doit = nl80211_get_power_save,
17129 		/* can be retrieved by unprivileged users */
17130 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17131 	},
17132 	{
17133 		.cmd = NL80211_CMD_SET_CQM,
17134 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17135 		.doit = nl80211_set_cqm,
17136 		.flags = GENL_UNS_ADMIN_PERM,
17137 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17138 	},
17139 	{
17140 		.cmd = NL80211_CMD_SET_CHANNEL,
17141 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17142 		.doit = nl80211_set_channel,
17143 		.flags = GENL_UNS_ADMIN_PERM,
17144 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17145 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17146 	},
17147 	{
17148 		.cmd = NL80211_CMD_JOIN_MESH,
17149 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17150 		.doit = nl80211_join_mesh,
17151 		.flags = GENL_UNS_ADMIN_PERM,
17152 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17153 	},
17154 	{
17155 		.cmd = NL80211_CMD_LEAVE_MESH,
17156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17157 		.doit = nl80211_leave_mesh,
17158 		.flags = GENL_UNS_ADMIN_PERM,
17159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17160 	},
17161 	{
17162 		.cmd = NL80211_CMD_JOIN_OCB,
17163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17164 		.doit = nl80211_join_ocb,
17165 		.flags = GENL_UNS_ADMIN_PERM,
17166 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17167 	},
17168 	{
17169 		.cmd = NL80211_CMD_LEAVE_OCB,
17170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17171 		.doit = nl80211_leave_ocb,
17172 		.flags = GENL_UNS_ADMIN_PERM,
17173 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17174 	},
17175 #ifdef CONFIG_PM
17176 	{
17177 		.cmd = NL80211_CMD_GET_WOWLAN,
17178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17179 		.doit = nl80211_get_wowlan,
17180 		/* can be retrieved by unprivileged users */
17181 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17182 	},
17183 	{
17184 		.cmd = NL80211_CMD_SET_WOWLAN,
17185 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17186 		.doit = nl80211_set_wowlan,
17187 		.flags = GENL_UNS_ADMIN_PERM,
17188 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17189 	},
17190 #endif
17191 	{
17192 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17193 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17194 		.doit = nl80211_set_rekey_data,
17195 		.flags = GENL_UNS_ADMIN_PERM,
17196 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17197 					 NL80211_FLAG_CLEAR_SKB),
17198 	},
17199 	{
17200 		.cmd = NL80211_CMD_TDLS_MGMT,
17201 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17202 		.doit = nl80211_tdls_mgmt,
17203 		.flags = GENL_UNS_ADMIN_PERM,
17204 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17205 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17206 	},
17207 	{
17208 		.cmd = NL80211_CMD_TDLS_OPER,
17209 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17210 		.doit = nl80211_tdls_oper,
17211 		.flags = GENL_UNS_ADMIN_PERM,
17212 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17213 	},
17214 	{
17215 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17216 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17217 		.doit = nl80211_register_unexpected_frame,
17218 		.flags = GENL_UNS_ADMIN_PERM,
17219 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17220 	},
17221 	{
17222 		.cmd = NL80211_CMD_PROBE_CLIENT,
17223 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17224 		.doit = nl80211_probe_client,
17225 		.flags = GENL_UNS_ADMIN_PERM,
17226 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17227 	},
17228 	{
17229 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17230 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17231 		.doit = nl80211_register_beacons,
17232 		.flags = GENL_UNS_ADMIN_PERM,
17233 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17234 	},
17235 	{
17236 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17237 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17238 		.doit = nl80211_set_noack_map,
17239 		.flags = GENL_UNS_ADMIN_PERM,
17240 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17241 	},
17242 	{
17243 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17244 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17245 		.doit = nl80211_start_p2p_device,
17246 		.flags = GENL_UNS_ADMIN_PERM,
17247 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17248 					 NL80211_FLAG_NEED_RTNL),
17249 	},
17250 	{
17251 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17253 		.doit = nl80211_stop_p2p_device,
17254 		.flags = GENL_UNS_ADMIN_PERM,
17255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17256 					 NL80211_FLAG_NEED_RTNL),
17257 	},
17258 	{
17259 		.cmd = NL80211_CMD_START_NAN,
17260 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17261 		.doit = nl80211_start_nan,
17262 		.flags = GENL_ADMIN_PERM,
17263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17264 					 NL80211_FLAG_NEED_RTNL),
17265 	},
17266 	{
17267 		.cmd = NL80211_CMD_STOP_NAN,
17268 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17269 		.doit = nl80211_stop_nan,
17270 		.flags = GENL_ADMIN_PERM,
17271 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17272 					 NL80211_FLAG_NEED_RTNL),
17273 	},
17274 	{
17275 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17277 		.doit = nl80211_nan_add_func,
17278 		.flags = GENL_ADMIN_PERM,
17279 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17280 	},
17281 	{
17282 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17283 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17284 		.doit = nl80211_nan_del_func,
17285 		.flags = GENL_ADMIN_PERM,
17286 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17287 	},
17288 	{
17289 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17290 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17291 		.doit = nl80211_nan_change_config,
17292 		.flags = GENL_ADMIN_PERM,
17293 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17294 	},
17295 	{
17296 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17297 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17298 		.doit = nl80211_set_mcast_rate,
17299 		.flags = GENL_UNS_ADMIN_PERM,
17300 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17301 	},
17302 	{
17303 		.cmd = NL80211_CMD_SET_MAC_ACL,
17304 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17305 		.doit = nl80211_set_mac_acl,
17306 		.flags = GENL_UNS_ADMIN_PERM,
17307 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17308 					 NL80211_FLAG_MLO_UNSUPPORTED),
17309 	},
17310 	{
17311 		.cmd = NL80211_CMD_RADAR_DETECT,
17312 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17313 		.doit = nl80211_start_radar_detection,
17314 		.flags = GENL_UNS_ADMIN_PERM,
17315 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17316 					 NL80211_FLAG_NO_WIPHY_MTX |
17317 					 NL80211_FLAG_MLO_UNSUPPORTED),
17318 	},
17319 	{
17320 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17321 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17322 		.doit = nl80211_get_protocol_features,
17323 	},
17324 	{
17325 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17326 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17327 		.doit = nl80211_update_ft_ies,
17328 		.flags = GENL_UNS_ADMIN_PERM,
17329 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17330 	},
17331 	{
17332 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17333 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17334 		.doit = nl80211_crit_protocol_start,
17335 		.flags = GENL_UNS_ADMIN_PERM,
17336 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17337 	},
17338 	{
17339 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17340 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17341 		.doit = nl80211_crit_protocol_stop,
17342 		.flags = GENL_UNS_ADMIN_PERM,
17343 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17344 	},
17345 	{
17346 		.cmd = NL80211_CMD_GET_COALESCE,
17347 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17348 		.doit = nl80211_get_coalesce,
17349 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17350 	},
17351 	{
17352 		.cmd = NL80211_CMD_SET_COALESCE,
17353 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17354 		.doit = nl80211_set_coalesce,
17355 		.flags = GENL_UNS_ADMIN_PERM,
17356 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17357 	},
17358 	{
17359 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17360 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17361 		.doit = nl80211_channel_switch,
17362 		.flags = GENL_UNS_ADMIN_PERM,
17363 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17364 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17365 	},
17366 	{
17367 		.cmd = NL80211_CMD_VENDOR,
17368 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17369 		.doit = nl80211_vendor_cmd,
17370 		.dumpit = nl80211_vendor_cmd_dump,
17371 		.flags = GENL_UNS_ADMIN_PERM,
17372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17373 					 NL80211_FLAG_CLEAR_SKB),
17374 	},
17375 	{
17376 		.cmd = NL80211_CMD_SET_QOS_MAP,
17377 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17378 		.doit = nl80211_set_qos_map,
17379 		.flags = GENL_UNS_ADMIN_PERM,
17380 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17381 	},
17382 	{
17383 		.cmd = NL80211_CMD_ADD_TX_TS,
17384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17385 		.doit = nl80211_add_tx_ts,
17386 		.flags = GENL_UNS_ADMIN_PERM,
17387 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17388 					 NL80211_FLAG_MLO_UNSUPPORTED),
17389 	},
17390 	{
17391 		.cmd = NL80211_CMD_DEL_TX_TS,
17392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17393 		.doit = nl80211_del_tx_ts,
17394 		.flags = GENL_UNS_ADMIN_PERM,
17395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17396 	},
17397 	{
17398 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400 		.doit = nl80211_tdls_channel_switch,
17401 		.flags = GENL_UNS_ADMIN_PERM,
17402 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17403 	},
17404 	{
17405 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17407 		.doit = nl80211_tdls_cancel_channel_switch,
17408 		.flags = GENL_UNS_ADMIN_PERM,
17409 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17410 	},
17411 	{
17412 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17414 		.doit = nl80211_set_multicast_to_unicast,
17415 		.flags = GENL_UNS_ADMIN_PERM,
17416 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17417 	},
17418 	{
17419 		.cmd = NL80211_CMD_SET_PMK,
17420 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17421 		.doit = nl80211_set_pmk,
17422 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17423 					 NL80211_FLAG_CLEAR_SKB),
17424 	},
17425 	{
17426 		.cmd = NL80211_CMD_DEL_PMK,
17427 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17428 		.doit = nl80211_del_pmk,
17429 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17430 	},
17431 	{
17432 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17433 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17434 		.doit = nl80211_external_auth,
17435 		.flags = GENL_ADMIN_PERM,
17436 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17437 	},
17438 	{
17439 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17441 		.doit = nl80211_tx_control_port,
17442 		.flags = GENL_UNS_ADMIN_PERM,
17443 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17444 	},
17445 	{
17446 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17447 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17448 		.doit = nl80211_get_ftm_responder_stats,
17449 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17450 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17451 	},
17452 	{
17453 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17454 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17455 		.doit = nl80211_pmsr_start,
17456 		.flags = GENL_UNS_ADMIN_PERM,
17457 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17458 	},
17459 	{
17460 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17461 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17462 		.doit = nl80211_notify_radar_detection,
17463 		.flags = GENL_UNS_ADMIN_PERM,
17464 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17465 	},
17466 	{
17467 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17468 		.doit = nl80211_update_owe_info,
17469 		.flags = GENL_ADMIN_PERM,
17470 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17471 	},
17472 	{
17473 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17474 		.doit = nl80211_probe_mesh_link,
17475 		.flags = GENL_UNS_ADMIN_PERM,
17476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17477 	},
17478 	{
17479 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17480 		.doit = nl80211_set_tid_config,
17481 		.flags = GENL_UNS_ADMIN_PERM,
17482 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17483 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17484 	},
17485 	{
17486 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17487 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17488 		.doit = nl80211_set_sar_specs,
17489 		.flags = GENL_UNS_ADMIN_PERM,
17490 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17491 					 NL80211_FLAG_NEED_RTNL),
17492 	},
17493 	{
17494 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17495 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17496 		.doit = nl80211_color_change,
17497 		.flags = GENL_UNS_ADMIN_PERM,
17498 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17499 	},
17500 	{
17501 		.cmd = NL80211_CMD_SET_FILS_AAD,
17502 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17503 		.doit = nl80211_set_fils_aad,
17504 		.flags = GENL_UNS_ADMIN_PERM,
17505 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17506 	},
17507 	{
17508 		.cmd = NL80211_CMD_ADD_LINK,
17509 		.doit = nl80211_add_link,
17510 		.flags = GENL_UNS_ADMIN_PERM,
17511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17512 	},
17513 	{
17514 		.cmd = NL80211_CMD_REMOVE_LINK,
17515 		.doit = nl80211_remove_link,
17516 		.flags = GENL_UNS_ADMIN_PERM,
17517 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17518 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17519 	},
17520 	{
17521 		.cmd = NL80211_CMD_ADD_LINK_STA,
17522 		.doit = nl80211_add_link_station,
17523 		.flags = GENL_UNS_ADMIN_PERM,
17524 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17525 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17526 	},
17527 	{
17528 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17529 		.doit = nl80211_modify_link_station,
17530 		.flags = GENL_UNS_ADMIN_PERM,
17531 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17532 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17533 	},
17534 	{
17535 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17536 		.doit = nl80211_remove_link_station,
17537 		.flags = GENL_UNS_ADMIN_PERM,
17538 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17539 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17540 	},
17541 	{
17542 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17543 		.doit = nl80211_set_hw_timestamp,
17544 		.flags = GENL_UNS_ADMIN_PERM,
17545 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17546 	},
17547 };
17548 
17549 static struct genl_family nl80211_fam __ro_after_init = {
17550 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17551 	.hdrsize = 0,			/* no private header */
17552 	.version = 1,			/* no particular meaning now */
17553 	.maxattr = NL80211_ATTR_MAX,
17554 	.policy = nl80211_policy,
17555 	.netnsok = true,
17556 	.pre_doit = nl80211_pre_doit,
17557 	.post_doit = nl80211_post_doit,
17558 	.module = THIS_MODULE,
17559 	.ops = nl80211_ops,
17560 	.n_ops = ARRAY_SIZE(nl80211_ops),
17561 	.small_ops = nl80211_small_ops,
17562 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17563 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17564 	.mcgrps = nl80211_mcgrps,
17565 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17566 	.parallel_ops = true,
17567 };
17568 
17569 /* notification functions */
17570 
17571 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17572 			  enum nl80211_commands cmd)
17573 {
17574 	struct sk_buff *msg;
17575 	struct nl80211_dump_wiphy_state state = {};
17576 
17577 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17578 		cmd != NL80211_CMD_DEL_WIPHY);
17579 
17580 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17581 	if (!msg)
17582 		return;
17583 
17584 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17585 		nlmsg_free(msg);
17586 		return;
17587 	}
17588 
17589 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17590 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17591 }
17592 
17593 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17594 				struct wireless_dev *wdev,
17595 				enum nl80211_commands cmd)
17596 {
17597 	struct sk_buff *msg;
17598 
17599 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17600 	if (!msg)
17601 		return;
17602 
17603 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17604 		nlmsg_free(msg);
17605 		return;
17606 	}
17607 
17608 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17609 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17610 }
17611 
17612 static int nl80211_add_scan_req(struct sk_buff *msg,
17613 				struct cfg80211_registered_device *rdev)
17614 {
17615 	struct cfg80211_scan_request *req = rdev->scan_req;
17616 	struct nlattr *nest;
17617 	int i;
17618 	struct cfg80211_scan_info *info;
17619 
17620 	if (WARN_ON(!req))
17621 		return 0;
17622 
17623 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17624 	if (!nest)
17625 		goto nla_put_failure;
17626 	for (i = 0; i < req->n_ssids; i++) {
17627 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17628 			goto nla_put_failure;
17629 	}
17630 	nla_nest_end(msg, nest);
17631 
17632 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17633 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17634 		if (!nest)
17635 			goto nla_put_failure;
17636 		for (i = 0; i < req->n_channels; i++) {
17637 			if (nla_put_u32(msg, i,
17638 				   ieee80211_channel_to_khz(req->channels[i])))
17639 				goto nla_put_failure;
17640 		}
17641 		nla_nest_end(msg, nest);
17642 	} else {
17643 		nest = nla_nest_start_noflag(msg,
17644 					     NL80211_ATTR_SCAN_FREQUENCIES);
17645 		if (!nest)
17646 			goto nla_put_failure;
17647 		for (i = 0; i < req->n_channels; i++) {
17648 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17649 				goto nla_put_failure;
17650 		}
17651 		nla_nest_end(msg, nest);
17652 	}
17653 
17654 	if (req->ie &&
17655 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17656 		goto nla_put_failure;
17657 
17658 	if (req->flags &&
17659 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17660 		goto nla_put_failure;
17661 
17662 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17663 		&rdev->scan_req->info;
17664 	if (info->scan_start_tsf &&
17665 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17666 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17667 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17668 		     info->tsf_bssid)))
17669 		goto nla_put_failure;
17670 
17671 	return 0;
17672  nla_put_failure:
17673 	return -ENOBUFS;
17674 }
17675 
17676 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17677 				 struct cfg80211_registered_device *rdev,
17678 				 struct wireless_dev *wdev,
17679 				 u32 portid, u32 seq, int flags,
17680 				 u32 cmd)
17681 {
17682 	void *hdr;
17683 
17684 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17685 	if (!hdr)
17686 		return -1;
17687 
17688 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17689 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17690 					 wdev->netdev->ifindex)) ||
17691 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17692 			      NL80211_ATTR_PAD))
17693 		goto nla_put_failure;
17694 
17695 	/* ignore errors and send incomplete event anyway */
17696 	nl80211_add_scan_req(msg, rdev);
17697 
17698 	genlmsg_end(msg, hdr);
17699 	return 0;
17700 
17701  nla_put_failure:
17702 	genlmsg_cancel(msg, hdr);
17703 	return -EMSGSIZE;
17704 }
17705 
17706 static int
17707 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17708 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17709 {
17710 	void *hdr;
17711 
17712 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17713 	if (!hdr)
17714 		return -1;
17715 
17716 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17717 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17718 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17719 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17720 			      NL80211_ATTR_PAD))
17721 		goto nla_put_failure;
17722 
17723 	genlmsg_end(msg, hdr);
17724 	return 0;
17725 
17726  nla_put_failure:
17727 	genlmsg_cancel(msg, hdr);
17728 	return -EMSGSIZE;
17729 }
17730 
17731 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17732 			     struct wireless_dev *wdev)
17733 {
17734 	struct sk_buff *msg;
17735 
17736 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17737 	if (!msg)
17738 		return;
17739 
17740 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17741 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17742 		nlmsg_free(msg);
17743 		return;
17744 	}
17745 
17746 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17747 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17748 }
17749 
17750 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17751 				       struct wireless_dev *wdev, bool aborted)
17752 {
17753 	struct sk_buff *msg;
17754 
17755 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17756 	if (!msg)
17757 		return NULL;
17758 
17759 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17760 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17761 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17762 		nlmsg_free(msg);
17763 		return NULL;
17764 	}
17765 
17766 	return msg;
17767 }
17768 
17769 /* send message created by nl80211_build_scan_msg() */
17770 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17771 			   struct sk_buff *msg)
17772 {
17773 	if (!msg)
17774 		return;
17775 
17776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17777 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17778 }
17779 
17780 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17781 {
17782 	struct sk_buff *msg;
17783 
17784 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17785 	if (!msg)
17786 		return;
17787 
17788 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17789 		nlmsg_free(msg);
17790 		return;
17791 	}
17792 
17793 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17794 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17795 }
17796 
17797 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17798 					  struct regulatory_request *request)
17799 {
17800 	/* Userspace can always count this one always being set */
17801 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17802 		goto nla_put_failure;
17803 
17804 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17805 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17806 			       NL80211_REGDOM_TYPE_WORLD))
17807 			goto nla_put_failure;
17808 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17809 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17810 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17811 			goto nla_put_failure;
17812 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17813 		   request->intersect) {
17814 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17815 			       NL80211_REGDOM_TYPE_INTERSECTION))
17816 			goto nla_put_failure;
17817 	} else {
17818 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17819 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17820 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17821 				   request->alpha2))
17822 			goto nla_put_failure;
17823 	}
17824 
17825 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17826 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17827 
17828 		if (wiphy &&
17829 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17830 			goto nla_put_failure;
17831 
17832 		if (wiphy &&
17833 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17834 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17835 			goto nla_put_failure;
17836 	}
17837 
17838 	return true;
17839 
17840 nla_put_failure:
17841 	return false;
17842 }
17843 
17844 /*
17845  * This can happen on global regulatory changes or device specific settings
17846  * based on custom regulatory domains.
17847  */
17848 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17849 				     struct regulatory_request *request)
17850 {
17851 	struct sk_buff *msg;
17852 	void *hdr;
17853 
17854 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17855 	if (!msg)
17856 		return;
17857 
17858 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17859 	if (!hdr)
17860 		goto nla_put_failure;
17861 
17862 	if (!nl80211_reg_change_event_fill(msg, request))
17863 		goto nla_put_failure;
17864 
17865 	genlmsg_end(msg, hdr);
17866 
17867 	rcu_read_lock();
17868 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17869 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17870 	rcu_read_unlock();
17871 
17872 	return;
17873 
17874 nla_put_failure:
17875 	nlmsg_free(msg);
17876 }
17877 
17878 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17879 				    struct net_device *netdev,
17880 				    const u8 *buf, size_t len,
17881 				    enum nl80211_commands cmd, gfp_t gfp,
17882 				    int uapsd_queues, const u8 *req_ies,
17883 				    size_t req_ies_len, bool reconnect)
17884 {
17885 	struct sk_buff *msg;
17886 	void *hdr;
17887 
17888 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17889 	if (!msg)
17890 		return;
17891 
17892 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17893 	if (!hdr) {
17894 		nlmsg_free(msg);
17895 		return;
17896 	}
17897 
17898 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17899 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17900 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17901 	    (req_ies &&
17902 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17903 		goto nla_put_failure;
17904 
17905 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17906 		goto nla_put_failure;
17907 
17908 	if (uapsd_queues >= 0) {
17909 		struct nlattr *nla_wmm =
17910 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17911 		if (!nla_wmm)
17912 			goto nla_put_failure;
17913 
17914 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17915 			       uapsd_queues))
17916 			goto nla_put_failure;
17917 
17918 		nla_nest_end(msg, nla_wmm);
17919 	}
17920 
17921 	genlmsg_end(msg, hdr);
17922 
17923 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17924 				NL80211_MCGRP_MLME, gfp);
17925 	return;
17926 
17927  nla_put_failure:
17928 	nlmsg_free(msg);
17929 }
17930 
17931 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17932 			  struct net_device *netdev, const u8 *buf,
17933 			  size_t len, gfp_t gfp)
17934 {
17935 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17936 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17937 				false);
17938 }
17939 
17940 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17941 			   struct net_device *netdev,
17942 			   struct cfg80211_rx_assoc_resp *data)
17943 {
17944 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17945 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17946 				data->uapsd_queues,
17947 				data->req_ies, data->req_ies_len, false);
17948 }
17949 
17950 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17951 			 struct net_device *netdev, const u8 *buf,
17952 			 size_t len, bool reconnect, gfp_t gfp)
17953 {
17954 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17955 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17956 				reconnect);
17957 }
17958 
17959 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17960 			   struct net_device *netdev, const u8 *buf,
17961 			   size_t len, bool reconnect, gfp_t gfp)
17962 {
17963 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17964 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17965 				reconnect);
17966 }
17967 
17968 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17969 				  size_t len)
17970 {
17971 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17972 	struct wiphy *wiphy = wdev->wiphy;
17973 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17974 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17975 	u32 cmd;
17976 
17977 	if (WARN_ON(len < 2))
17978 		return;
17979 
17980 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17981 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17982 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17983 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17984 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17985 		if (wdev->unprot_beacon_reported &&
17986 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17987 			return;
17988 		cmd = NL80211_CMD_UNPROT_BEACON;
17989 		wdev->unprot_beacon_reported = jiffies;
17990 	} else {
17991 		return;
17992 	}
17993 
17994 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17995 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17996 				NULL, 0, false);
17997 }
17998 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17999 
18000 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18001 				      struct net_device *netdev, int cmd,
18002 				      const u8 *addr, gfp_t gfp)
18003 {
18004 	struct sk_buff *msg;
18005 	void *hdr;
18006 
18007 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18008 	if (!msg)
18009 		return;
18010 
18011 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18012 	if (!hdr) {
18013 		nlmsg_free(msg);
18014 		return;
18015 	}
18016 
18017 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18018 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18019 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18020 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18021 		goto nla_put_failure;
18022 
18023 	genlmsg_end(msg, hdr);
18024 
18025 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18026 				NL80211_MCGRP_MLME, gfp);
18027 	return;
18028 
18029  nla_put_failure:
18030 	nlmsg_free(msg);
18031 }
18032 
18033 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18034 			       struct net_device *netdev, const u8 *addr,
18035 			       gfp_t gfp)
18036 {
18037 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18038 				  addr, gfp);
18039 }
18040 
18041 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18042 				struct net_device *netdev, const u8 *addr,
18043 				gfp_t gfp)
18044 {
18045 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18046 				  addr, gfp);
18047 }
18048 
18049 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18050 				 struct net_device *netdev,
18051 				 struct cfg80211_connect_resp_params *cr,
18052 				 gfp_t gfp)
18053 {
18054 	struct sk_buff *msg;
18055 	void *hdr;
18056 	unsigned int link;
18057 	size_t link_info_size = 0;
18058 	const u8 *connected_addr = cr->valid_links ?
18059 				   cr->ap_mld_addr : cr->links[0].bssid;
18060 
18061 	if (cr->valid_links) {
18062 		for_each_valid_link(cr, link) {
18063 			/* Nested attribute header */
18064 			link_info_size += NLA_HDRLEN;
18065 			/* Link ID */
18066 			link_info_size += nla_total_size(sizeof(u8));
18067 			link_info_size += cr->links[link].addr ?
18068 					  nla_total_size(ETH_ALEN) : 0;
18069 			link_info_size += (cr->links[link].bssid ||
18070 					   cr->links[link].bss) ?
18071 					  nla_total_size(ETH_ALEN) : 0;
18072 			link_info_size += nla_total_size(sizeof(u16));
18073 		}
18074 	}
18075 
18076 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18077 			cr->fils.kek_len + cr->fils.pmk_len +
18078 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18079 			gfp);
18080 	if (!msg)
18081 		return;
18082 
18083 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18084 	if (!hdr) {
18085 		nlmsg_free(msg);
18086 		return;
18087 	}
18088 
18089 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18090 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18091 	    (connected_addr &&
18092 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18093 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18094 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18095 			cr->status) ||
18096 	    (cr->status < 0 &&
18097 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18098 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18099 			  cr->timeout_reason))) ||
18100 	    (cr->req_ie &&
18101 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18102 	    (cr->resp_ie &&
18103 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18104 		     cr->resp_ie)) ||
18105 	    (cr->fils.update_erp_next_seq_num &&
18106 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18107 			 cr->fils.erp_next_seq_num)) ||
18108 	    (cr->status == WLAN_STATUS_SUCCESS &&
18109 	     ((cr->fils.kek &&
18110 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18111 		       cr->fils.kek)) ||
18112 	      (cr->fils.pmk &&
18113 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18114 	      (cr->fils.pmkid &&
18115 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18116 		goto nla_put_failure;
18117 
18118 	if (cr->valid_links) {
18119 		int i = 1;
18120 		struct nlattr *nested;
18121 
18122 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18123 		if (!nested)
18124 			goto nla_put_failure;
18125 
18126 		for_each_valid_link(cr, link) {
18127 			struct nlattr *nested_mlo_links;
18128 			const u8 *bssid = cr->links[link].bss ?
18129 					  cr->links[link].bss->bssid :
18130 					  cr->links[link].bssid;
18131 
18132 			nested_mlo_links = nla_nest_start(msg, i);
18133 			if (!nested_mlo_links)
18134 				goto nla_put_failure;
18135 
18136 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18137 			    (bssid &&
18138 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18139 			    (cr->links[link].addr &&
18140 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18141 				     cr->links[link].addr)) ||
18142 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18143 					cr->links[link].status))
18144 				goto nla_put_failure;
18145 
18146 			nla_nest_end(msg, nested_mlo_links);
18147 			i++;
18148 		}
18149 		nla_nest_end(msg, nested);
18150 	}
18151 
18152 	genlmsg_end(msg, hdr);
18153 
18154 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18155 				NL80211_MCGRP_MLME, gfp);
18156 	return;
18157 
18158  nla_put_failure:
18159 	nlmsg_free(msg);
18160 }
18161 
18162 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18163 			 struct net_device *netdev,
18164 			 struct cfg80211_roam_info *info, gfp_t gfp)
18165 {
18166 	struct sk_buff *msg;
18167 	void *hdr;
18168 	size_t link_info_size = 0;
18169 	unsigned int link;
18170 	const u8 *connected_addr = info->ap_mld_addr ?
18171 				   info->ap_mld_addr :
18172 				   (info->links[0].bss ?
18173 				    info->links[0].bss->bssid :
18174 				    info->links[0].bssid);
18175 
18176 	if (info->valid_links) {
18177 		for_each_valid_link(info, link) {
18178 			/* Nested attribute header */
18179 			link_info_size += NLA_HDRLEN;
18180 			/* Link ID */
18181 			link_info_size += nla_total_size(sizeof(u8));
18182 			link_info_size += info->links[link].addr ?
18183 					  nla_total_size(ETH_ALEN) : 0;
18184 			link_info_size += (info->links[link].bssid ||
18185 					   info->links[link].bss) ?
18186 					  nla_total_size(ETH_ALEN) : 0;
18187 		}
18188 	}
18189 
18190 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18191 			info->fils.kek_len + info->fils.pmk_len +
18192 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18193 			link_info_size, gfp);
18194 	if (!msg)
18195 		return;
18196 
18197 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18198 	if (!hdr) {
18199 		nlmsg_free(msg);
18200 		return;
18201 	}
18202 
18203 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18204 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18205 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18206 	    (info->req_ie &&
18207 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18208 		     info->req_ie)) ||
18209 	    (info->resp_ie &&
18210 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18211 		     info->resp_ie)) ||
18212 	    (info->fils.update_erp_next_seq_num &&
18213 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18214 			 info->fils.erp_next_seq_num)) ||
18215 	    (info->fils.kek &&
18216 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18217 		     info->fils.kek)) ||
18218 	    (info->fils.pmk &&
18219 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18220 	    (info->fils.pmkid &&
18221 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18222 		goto nla_put_failure;
18223 
18224 	if (info->valid_links) {
18225 		int i = 1;
18226 		struct nlattr *nested;
18227 
18228 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18229 		if (!nested)
18230 			goto nla_put_failure;
18231 
18232 		for_each_valid_link(info, link) {
18233 			struct nlattr *nested_mlo_links;
18234 			const u8 *bssid = info->links[link].bss ?
18235 					  info->links[link].bss->bssid :
18236 					  info->links[link].bssid;
18237 
18238 			nested_mlo_links = nla_nest_start(msg, i);
18239 			if (!nested_mlo_links)
18240 				goto nla_put_failure;
18241 
18242 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18243 			    (bssid &&
18244 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18245 			    (info->links[link].addr &&
18246 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18247 				     info->links[link].addr)))
18248 				goto nla_put_failure;
18249 
18250 			nla_nest_end(msg, nested_mlo_links);
18251 			i++;
18252 		}
18253 		nla_nest_end(msg, nested);
18254 	}
18255 
18256 	genlmsg_end(msg, hdr);
18257 
18258 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18259 				NL80211_MCGRP_MLME, gfp);
18260 	return;
18261 
18262  nla_put_failure:
18263 	nlmsg_free(msg);
18264 }
18265 
18266 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18267 				  struct net_device *netdev, const u8 *bssid,
18268 				  const u8 *td_bitmap, u8 td_bitmap_len)
18269 {
18270 	struct sk_buff *msg;
18271 	void *hdr;
18272 
18273 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18274 	if (!msg)
18275 		return;
18276 
18277 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18278 	if (!hdr) {
18279 		nlmsg_free(msg);
18280 		return;
18281 	}
18282 
18283 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18284 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18285 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18286 		goto nla_put_failure;
18287 
18288 	if ((td_bitmap_len > 0) && td_bitmap)
18289 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18290 			    td_bitmap_len, td_bitmap))
18291 			goto nla_put_failure;
18292 
18293 	genlmsg_end(msg, hdr);
18294 
18295 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18296 				NL80211_MCGRP_MLME, GFP_KERNEL);
18297 	return;
18298 
18299  nla_put_failure:
18300 	nlmsg_free(msg);
18301 }
18302 
18303 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18304 			       struct net_device *netdev, u16 reason,
18305 			       const u8 *ie, size_t ie_len, bool from_ap)
18306 {
18307 	struct sk_buff *msg;
18308 	void *hdr;
18309 
18310 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18311 	if (!msg)
18312 		return;
18313 
18314 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18315 	if (!hdr) {
18316 		nlmsg_free(msg);
18317 		return;
18318 	}
18319 
18320 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18321 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18322 	    (reason &&
18323 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18324 	    (from_ap &&
18325 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18326 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18327 		goto nla_put_failure;
18328 
18329 	genlmsg_end(msg, hdr);
18330 
18331 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18332 				NL80211_MCGRP_MLME, GFP_KERNEL);
18333 	return;
18334 
18335  nla_put_failure:
18336 	nlmsg_free(msg);
18337 }
18338 
18339 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18340 {
18341 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18342 	struct wiphy *wiphy = wdev->wiphy;
18343 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18344 	struct sk_buff *msg;
18345 	struct nlattr *links;
18346 	void *hdr;
18347 
18348 	ASSERT_WDEV_LOCK(wdev);
18349 	trace_cfg80211_links_removed(dev, link_mask);
18350 
18351 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18352 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18353 		return;
18354 
18355 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18356 		    (wdev->valid_links & link_mask) != link_mask ||
18357 		    wdev->valid_links == link_mask))
18358 		return;
18359 
18360 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18361 	wdev->valid_links &= ~link_mask;
18362 
18363 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18364 	if (!msg)
18365 		return;
18366 
18367 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18368 	if (!hdr) {
18369 		nlmsg_free(msg);
18370 		return;
18371 	}
18372 
18373 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18374 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18375 		goto nla_put_failure;
18376 
18377 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18378 	if (!links)
18379 		goto nla_put_failure;
18380 
18381 	while (link_mask) {
18382 		struct nlattr *link;
18383 		int link_id = __ffs(link_mask);
18384 
18385 		link = nla_nest_start(msg, link_id + 1);
18386 		if (!link)
18387 			goto nla_put_failure;
18388 
18389 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18390 			goto nla_put_failure;
18391 
18392 		nla_nest_end(msg, link);
18393 		link_mask &= ~(1 << link_id);
18394 	}
18395 
18396 	nla_nest_end(msg, links);
18397 
18398 	genlmsg_end(msg, hdr);
18399 
18400 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18401 				NL80211_MCGRP_MLME, GFP_KERNEL);
18402 	return;
18403 
18404  nla_put_failure:
18405 	nlmsg_free(msg);
18406 }
18407 EXPORT_SYMBOL(cfg80211_links_removed);
18408 
18409 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18410 			     struct net_device *netdev, const u8 *bssid,
18411 			     gfp_t gfp)
18412 {
18413 	struct sk_buff *msg;
18414 	void *hdr;
18415 
18416 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18417 	if (!msg)
18418 		return;
18419 
18420 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18421 	if (!hdr) {
18422 		nlmsg_free(msg);
18423 		return;
18424 	}
18425 
18426 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18427 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18428 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18429 		goto nla_put_failure;
18430 
18431 	genlmsg_end(msg, hdr);
18432 
18433 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18434 				NL80211_MCGRP_MLME, gfp);
18435 	return;
18436 
18437  nla_put_failure:
18438 	nlmsg_free(msg);
18439 }
18440 
18441 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18442 					const u8 *ie, u8 ie_len,
18443 					int sig_dbm, gfp_t gfp)
18444 {
18445 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18446 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18447 	struct sk_buff *msg;
18448 	void *hdr;
18449 
18450 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18451 		return;
18452 
18453 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18454 
18455 	msg = nlmsg_new(100 + ie_len, gfp);
18456 	if (!msg)
18457 		return;
18458 
18459 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18460 	if (!hdr) {
18461 		nlmsg_free(msg);
18462 		return;
18463 	}
18464 
18465 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18466 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18467 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18468 	    (ie_len && ie &&
18469 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18470 	    (sig_dbm &&
18471 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18472 		goto nla_put_failure;
18473 
18474 	genlmsg_end(msg, hdr);
18475 
18476 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18477 				NL80211_MCGRP_MLME, gfp);
18478 	return;
18479 
18480  nla_put_failure:
18481 	nlmsg_free(msg);
18482 }
18483 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18484 
18485 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18486 				 struct net_device *netdev, const u8 *addr,
18487 				 enum nl80211_key_type key_type, int key_id,
18488 				 const u8 *tsc, gfp_t gfp)
18489 {
18490 	struct sk_buff *msg;
18491 	void *hdr;
18492 
18493 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18494 	if (!msg)
18495 		return;
18496 
18497 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18498 	if (!hdr) {
18499 		nlmsg_free(msg);
18500 		return;
18501 	}
18502 
18503 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18504 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18505 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18506 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18507 	    (key_id != -1 &&
18508 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18509 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18510 		goto nla_put_failure;
18511 
18512 	genlmsg_end(msg, hdr);
18513 
18514 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18515 				NL80211_MCGRP_MLME, gfp);
18516 	return;
18517 
18518  nla_put_failure:
18519 	nlmsg_free(msg);
18520 }
18521 
18522 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18523 				    struct ieee80211_channel *channel_before,
18524 				    struct ieee80211_channel *channel_after)
18525 {
18526 	struct sk_buff *msg;
18527 	void *hdr;
18528 	struct nlattr *nl_freq;
18529 
18530 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18531 	if (!msg)
18532 		return;
18533 
18534 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18535 	if (!hdr) {
18536 		nlmsg_free(msg);
18537 		return;
18538 	}
18539 
18540 	/*
18541 	 * Since we are applying the beacon hint to a wiphy we know its
18542 	 * wiphy_idx is valid
18543 	 */
18544 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18545 		goto nla_put_failure;
18546 
18547 	/* Before */
18548 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18549 	if (!nl_freq)
18550 		goto nla_put_failure;
18551 
18552 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18553 		goto nla_put_failure;
18554 	nla_nest_end(msg, nl_freq);
18555 
18556 	/* After */
18557 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18558 	if (!nl_freq)
18559 		goto nla_put_failure;
18560 
18561 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18562 		goto nla_put_failure;
18563 	nla_nest_end(msg, nl_freq);
18564 
18565 	genlmsg_end(msg, hdr);
18566 
18567 	rcu_read_lock();
18568 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18569 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18570 	rcu_read_unlock();
18571 
18572 	return;
18573 
18574 nla_put_failure:
18575 	nlmsg_free(msg);
18576 }
18577 
18578 static void nl80211_send_remain_on_chan_event(
18579 	int cmd, struct cfg80211_registered_device *rdev,
18580 	struct wireless_dev *wdev, u64 cookie,
18581 	struct ieee80211_channel *chan,
18582 	unsigned int duration, gfp_t gfp)
18583 {
18584 	struct sk_buff *msg;
18585 	void *hdr;
18586 
18587 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18588 	if (!msg)
18589 		return;
18590 
18591 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18592 	if (!hdr) {
18593 		nlmsg_free(msg);
18594 		return;
18595 	}
18596 
18597 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18598 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18599 					 wdev->netdev->ifindex)) ||
18600 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18601 			      NL80211_ATTR_PAD) ||
18602 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18603 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18604 			NL80211_CHAN_NO_HT) ||
18605 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18606 			      NL80211_ATTR_PAD))
18607 		goto nla_put_failure;
18608 
18609 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18610 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18611 		goto nla_put_failure;
18612 
18613 	genlmsg_end(msg, hdr);
18614 
18615 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18616 				NL80211_MCGRP_MLME, gfp);
18617 	return;
18618 
18619  nla_put_failure:
18620 	nlmsg_free(msg);
18621 }
18622 
18623 void cfg80211_assoc_comeback(struct net_device *netdev,
18624 			     const u8 *ap_addr, u32 timeout)
18625 {
18626 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18627 	struct wiphy *wiphy = wdev->wiphy;
18628 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18629 	struct sk_buff *msg;
18630 	void *hdr;
18631 
18632 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18633 
18634 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18635 	if (!msg)
18636 		return;
18637 
18638 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18639 	if (!hdr) {
18640 		nlmsg_free(msg);
18641 		return;
18642 	}
18643 
18644 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18645 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18646 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18647 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18648 		goto nla_put_failure;
18649 
18650 	genlmsg_end(msg, hdr);
18651 
18652 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18653 				NL80211_MCGRP_MLME, GFP_KERNEL);
18654 	return;
18655 
18656  nla_put_failure:
18657 	nlmsg_free(msg);
18658 }
18659 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18660 
18661 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18662 			       struct ieee80211_channel *chan,
18663 			       unsigned int duration, gfp_t gfp)
18664 {
18665 	struct wiphy *wiphy = wdev->wiphy;
18666 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18667 
18668 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18669 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18670 					  rdev, wdev, cookie, chan,
18671 					  duration, gfp);
18672 }
18673 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18674 
18675 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18676 					struct ieee80211_channel *chan,
18677 					gfp_t gfp)
18678 {
18679 	struct wiphy *wiphy = wdev->wiphy;
18680 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18681 
18682 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18683 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18684 					  rdev, wdev, cookie, chan, 0, gfp);
18685 }
18686 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18687 
18688 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18689 					struct ieee80211_channel *chan,
18690 					gfp_t gfp)
18691 {
18692 	struct wiphy *wiphy = wdev->wiphy;
18693 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18694 
18695 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18696 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18697 					  rdev, wdev, cookie, chan, 0, gfp);
18698 }
18699 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18700 
18701 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18702 		      struct station_info *sinfo, gfp_t gfp)
18703 {
18704 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18705 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18706 	struct sk_buff *msg;
18707 
18708 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18709 
18710 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18711 	if (!msg)
18712 		return;
18713 
18714 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18715 				 rdev, dev, mac_addr, sinfo) < 0) {
18716 		nlmsg_free(msg);
18717 		return;
18718 	}
18719 
18720 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18721 				NL80211_MCGRP_MLME, gfp);
18722 }
18723 EXPORT_SYMBOL(cfg80211_new_sta);
18724 
18725 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18726 			    struct station_info *sinfo, gfp_t gfp)
18727 {
18728 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18729 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18730 	struct sk_buff *msg;
18731 	struct station_info empty_sinfo = {};
18732 
18733 	if (!sinfo)
18734 		sinfo = &empty_sinfo;
18735 
18736 	trace_cfg80211_del_sta(dev, mac_addr);
18737 
18738 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18739 	if (!msg) {
18740 		cfg80211_sinfo_release_content(sinfo);
18741 		return;
18742 	}
18743 
18744 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18745 				 rdev, dev, mac_addr, sinfo) < 0) {
18746 		nlmsg_free(msg);
18747 		return;
18748 	}
18749 
18750 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18751 				NL80211_MCGRP_MLME, gfp);
18752 }
18753 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18754 
18755 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18756 			  enum nl80211_connect_failed_reason reason,
18757 			  gfp_t gfp)
18758 {
18759 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18760 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18761 	struct sk_buff *msg;
18762 	void *hdr;
18763 
18764 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18765 	if (!msg)
18766 		return;
18767 
18768 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18769 	if (!hdr) {
18770 		nlmsg_free(msg);
18771 		return;
18772 	}
18773 
18774 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18775 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18776 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18777 		goto nla_put_failure;
18778 
18779 	genlmsg_end(msg, hdr);
18780 
18781 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18782 				NL80211_MCGRP_MLME, gfp);
18783 	return;
18784 
18785  nla_put_failure:
18786 	nlmsg_free(msg);
18787 }
18788 EXPORT_SYMBOL(cfg80211_conn_failed);
18789 
18790 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18791 				       const u8 *addr, gfp_t gfp)
18792 {
18793 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18794 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18795 	struct sk_buff *msg;
18796 	void *hdr;
18797 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18798 
18799 	if (!nlportid)
18800 		return false;
18801 
18802 	msg = nlmsg_new(100, gfp);
18803 	if (!msg)
18804 		return true;
18805 
18806 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18807 	if (!hdr) {
18808 		nlmsg_free(msg);
18809 		return true;
18810 	}
18811 
18812 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18813 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18814 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18815 		goto nla_put_failure;
18816 
18817 	genlmsg_end(msg, hdr);
18818 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18819 	return true;
18820 
18821  nla_put_failure:
18822 	nlmsg_free(msg);
18823 	return true;
18824 }
18825 
18826 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18827 				const u8 *addr, gfp_t gfp)
18828 {
18829 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18830 	bool ret;
18831 
18832 	trace_cfg80211_rx_spurious_frame(dev, addr);
18833 
18834 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18835 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18836 		trace_cfg80211_return_bool(false);
18837 		return false;
18838 	}
18839 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18840 					 addr, gfp);
18841 	trace_cfg80211_return_bool(ret);
18842 	return ret;
18843 }
18844 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18845 
18846 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18847 					const u8 *addr, gfp_t gfp)
18848 {
18849 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18850 	bool ret;
18851 
18852 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18853 
18854 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18855 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18856 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18857 		trace_cfg80211_return_bool(false);
18858 		return false;
18859 	}
18860 	ret = __nl80211_unexpected_frame(dev,
18861 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18862 					 addr, gfp);
18863 	trace_cfg80211_return_bool(ret);
18864 	return ret;
18865 }
18866 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18867 
18868 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18869 		      struct wireless_dev *wdev, u32 nlportid,
18870 		      struct cfg80211_rx_info *info, gfp_t gfp)
18871 {
18872 	struct net_device *netdev = wdev->netdev;
18873 	struct sk_buff *msg;
18874 	void *hdr;
18875 
18876 	msg = nlmsg_new(100 + info->len, gfp);
18877 	if (!msg)
18878 		return -ENOMEM;
18879 
18880 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18881 	if (!hdr) {
18882 		nlmsg_free(msg);
18883 		return -ENOMEM;
18884 	}
18885 
18886 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18887 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18888 					netdev->ifindex)) ||
18889 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18890 			      NL80211_ATTR_PAD) ||
18891 	    (info->have_link_id &&
18892 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18893 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18894 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18895 	    (info->sig_dbm &&
18896 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18897 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18898 	    (info->flags &&
18899 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18900 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18901 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18902 						  info->rx_tstamp,
18903 						  NL80211_ATTR_PAD)) ||
18904 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18905 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18906 						   info->ack_tstamp,
18907 						   NL80211_ATTR_PAD)))
18908 		goto nla_put_failure;
18909 
18910 	genlmsg_end(msg, hdr);
18911 
18912 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18913 
18914  nla_put_failure:
18915 	nlmsg_free(msg);
18916 	return -ENOBUFS;
18917 }
18918 
18919 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18920 				    struct cfg80211_tx_status *status,
18921 				    gfp_t gfp, enum nl80211_commands command)
18922 {
18923 	struct wiphy *wiphy = wdev->wiphy;
18924 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18925 	struct net_device *netdev = wdev->netdev;
18926 	struct sk_buff *msg;
18927 	void *hdr;
18928 
18929 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18930 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18931 					      status->ack);
18932 	else
18933 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18934 						      status->ack);
18935 
18936 	msg = nlmsg_new(100 + status->len, gfp);
18937 	if (!msg)
18938 		return;
18939 
18940 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18941 	if (!hdr) {
18942 		nlmsg_free(msg);
18943 		return;
18944 	}
18945 
18946 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18947 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18948 				   netdev->ifindex)) ||
18949 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18950 			      NL80211_ATTR_PAD) ||
18951 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18952 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18953 			      NL80211_ATTR_PAD) ||
18954 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18955 	    (status->tx_tstamp &&
18956 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18957 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18958 	    (status->ack_tstamp &&
18959 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18960 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18961 		goto nla_put_failure;
18962 
18963 	genlmsg_end(msg, hdr);
18964 
18965 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18966 				NL80211_MCGRP_MLME, gfp);
18967 	return;
18968 
18969 nla_put_failure:
18970 	nlmsg_free(msg);
18971 }
18972 
18973 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18974 				     const u8 *buf, size_t len, bool ack,
18975 				     gfp_t gfp)
18976 {
18977 	struct cfg80211_tx_status status = {
18978 		.cookie = cookie,
18979 		.buf = buf,
18980 		.len = len,
18981 		.ack = ack
18982 	};
18983 
18984 	nl80211_frame_tx_status(wdev, &status, gfp,
18985 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18986 }
18987 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18988 
18989 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18990 				 struct cfg80211_tx_status *status, gfp_t gfp)
18991 {
18992 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18993 }
18994 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18995 
18996 static int __nl80211_rx_control_port(struct net_device *dev,
18997 				     struct sk_buff *skb,
18998 				     bool unencrypted,
18999 				     int link_id,
19000 				     gfp_t gfp)
19001 {
19002 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19003 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19004 	struct ethhdr *ehdr = eth_hdr(skb);
19005 	const u8 *addr = ehdr->h_source;
19006 	u16 proto = be16_to_cpu(skb->protocol);
19007 	struct sk_buff *msg;
19008 	void *hdr;
19009 	struct nlattr *frame;
19010 
19011 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19012 
19013 	if (!nlportid)
19014 		return -ENOENT;
19015 
19016 	msg = nlmsg_new(100 + skb->len, gfp);
19017 	if (!msg)
19018 		return -ENOMEM;
19019 
19020 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19021 	if (!hdr) {
19022 		nlmsg_free(msg);
19023 		return -ENOBUFS;
19024 	}
19025 
19026 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19027 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19028 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19029 			      NL80211_ATTR_PAD) ||
19030 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19031 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19032 	    (link_id >= 0 &&
19033 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19034 	    (unencrypted && nla_put_flag(msg,
19035 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19036 		goto nla_put_failure;
19037 
19038 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19039 	if (!frame)
19040 		goto nla_put_failure;
19041 
19042 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19043 	genlmsg_end(msg, hdr);
19044 
19045 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19046 
19047  nla_put_failure:
19048 	nlmsg_free(msg);
19049 	return -ENOBUFS;
19050 }
19051 
19052 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19053 			      bool unencrypted, int link_id)
19054 {
19055 	int ret;
19056 
19057 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19058 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19059 					GFP_ATOMIC);
19060 	trace_cfg80211_return_bool(ret == 0);
19061 	return ret == 0;
19062 }
19063 EXPORT_SYMBOL(cfg80211_rx_control_port);
19064 
19065 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19066 					    const char *mac, gfp_t gfp)
19067 {
19068 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19069 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19070 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19071 	void **cb;
19072 
19073 	if (!msg)
19074 		return NULL;
19075 
19076 	cb = (void **)msg->cb;
19077 
19078 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19079 	if (!cb[0]) {
19080 		nlmsg_free(msg);
19081 		return NULL;
19082 	}
19083 
19084 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19085 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19086 		goto nla_put_failure;
19087 
19088 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19089 		goto nla_put_failure;
19090 
19091 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19092 	if (!cb[1])
19093 		goto nla_put_failure;
19094 
19095 	cb[2] = rdev;
19096 
19097 	return msg;
19098  nla_put_failure:
19099 	nlmsg_free(msg);
19100 	return NULL;
19101 }
19102 
19103 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19104 {
19105 	void **cb = (void **)msg->cb;
19106 	struct cfg80211_registered_device *rdev = cb[2];
19107 
19108 	nla_nest_end(msg, cb[1]);
19109 	genlmsg_end(msg, cb[0]);
19110 
19111 	memset(msg->cb, 0, sizeof(msg->cb));
19112 
19113 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19114 				NL80211_MCGRP_MLME, gfp);
19115 }
19116 
19117 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19118 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19119 			      s32 rssi_level, gfp_t gfp)
19120 {
19121 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19122 	struct cfg80211_cqm_config *cqm_config;
19123 
19124 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19125 
19126 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19127 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19128 		return;
19129 
19130 	rcu_read_lock();
19131 	cqm_config = rcu_dereference(wdev->cqm_config);
19132 	if (cqm_config) {
19133 		cqm_config->last_rssi_event_value = rssi_level;
19134 		cqm_config->last_rssi_event_type = rssi_event;
19135 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19136 	}
19137 	rcu_read_unlock();
19138 }
19139 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19140 
19141 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19142 {
19143 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19144 						 cqm_rssi_work);
19145 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19146 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19147 	struct cfg80211_cqm_config *cqm_config;
19148 	struct sk_buff *msg;
19149 	s32 rssi_level;
19150 
19151 	wdev_lock(wdev);
19152 	cqm_config = rcu_dereference_protected(wdev->cqm_config,
19153 					       lockdep_is_held(&wdev->mtx));
19154 	if (!cqm_config)
19155 		goto unlock;
19156 
19157 	if (cqm_config->use_range_api)
19158 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19159 
19160 	rssi_level = cqm_config->last_rssi_event_value;
19161 	rssi_event = cqm_config->last_rssi_event_type;
19162 
19163 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19164 	if (!msg)
19165 		goto unlock;
19166 
19167 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19168 			rssi_event))
19169 		goto nla_put_failure;
19170 
19171 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19172 				      rssi_level))
19173 		goto nla_put_failure;
19174 
19175 	cfg80211_send_cqm(msg, GFP_KERNEL);
19176 
19177 	goto unlock;
19178 
19179  nla_put_failure:
19180 	nlmsg_free(msg);
19181  unlock:
19182 	wdev_unlock(wdev);
19183 }
19184 
19185 void cfg80211_cqm_txe_notify(struct net_device *dev,
19186 			     const u8 *peer, u32 num_packets,
19187 			     u32 rate, u32 intvl, gfp_t gfp)
19188 {
19189 	struct sk_buff *msg;
19190 
19191 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19192 	if (!msg)
19193 		return;
19194 
19195 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19196 		goto nla_put_failure;
19197 
19198 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19199 		goto nla_put_failure;
19200 
19201 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19202 		goto nla_put_failure;
19203 
19204 	cfg80211_send_cqm(msg, gfp);
19205 	return;
19206 
19207  nla_put_failure:
19208 	nlmsg_free(msg);
19209 }
19210 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19211 
19212 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19213 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19214 {
19215 	struct sk_buff *msg;
19216 
19217 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19218 
19219 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19220 	if (!msg)
19221 		return;
19222 
19223 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19224 		goto nla_put_failure;
19225 
19226 	cfg80211_send_cqm(msg, gfp);
19227 	return;
19228 
19229  nla_put_failure:
19230 	nlmsg_free(msg);
19231 }
19232 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19233 
19234 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19235 {
19236 	struct sk_buff *msg;
19237 
19238 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19239 	if (!msg)
19240 		return;
19241 
19242 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19243 		goto nla_put_failure;
19244 
19245 	cfg80211_send_cqm(msg, gfp);
19246 	return;
19247 
19248  nla_put_failure:
19249 	nlmsg_free(msg);
19250 }
19251 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19252 
19253 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19254 				     struct net_device *netdev, const u8 *bssid,
19255 				     const u8 *replay_ctr, gfp_t gfp)
19256 {
19257 	struct sk_buff *msg;
19258 	struct nlattr *rekey_attr;
19259 	void *hdr;
19260 
19261 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19262 	if (!msg)
19263 		return;
19264 
19265 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19266 	if (!hdr) {
19267 		nlmsg_free(msg);
19268 		return;
19269 	}
19270 
19271 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19272 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19273 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19274 		goto nla_put_failure;
19275 
19276 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19277 	if (!rekey_attr)
19278 		goto nla_put_failure;
19279 
19280 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19281 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19282 		goto nla_put_failure;
19283 
19284 	nla_nest_end(msg, rekey_attr);
19285 
19286 	genlmsg_end(msg, hdr);
19287 
19288 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19289 				NL80211_MCGRP_MLME, gfp);
19290 	return;
19291 
19292  nla_put_failure:
19293 	nlmsg_free(msg);
19294 }
19295 
19296 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19297 			       const u8 *replay_ctr, gfp_t gfp)
19298 {
19299 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19300 	struct wiphy *wiphy = wdev->wiphy;
19301 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19302 
19303 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19304 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19305 }
19306 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19307 
19308 static void
19309 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19310 			       struct net_device *netdev, int index,
19311 			       const u8 *bssid, bool preauth, gfp_t gfp)
19312 {
19313 	struct sk_buff *msg;
19314 	struct nlattr *attr;
19315 	void *hdr;
19316 
19317 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19318 	if (!msg)
19319 		return;
19320 
19321 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19322 	if (!hdr) {
19323 		nlmsg_free(msg);
19324 		return;
19325 	}
19326 
19327 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19328 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19329 		goto nla_put_failure;
19330 
19331 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19332 	if (!attr)
19333 		goto nla_put_failure;
19334 
19335 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19336 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19337 	    (preauth &&
19338 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19339 		goto nla_put_failure;
19340 
19341 	nla_nest_end(msg, attr);
19342 
19343 	genlmsg_end(msg, hdr);
19344 
19345 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19346 				NL80211_MCGRP_MLME, gfp);
19347 	return;
19348 
19349  nla_put_failure:
19350 	nlmsg_free(msg);
19351 }
19352 
19353 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19354 				     const u8 *bssid, bool preauth, gfp_t gfp)
19355 {
19356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19357 	struct wiphy *wiphy = wdev->wiphy;
19358 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19359 
19360 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19361 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19362 }
19363 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19364 
19365 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19366 				     struct net_device *netdev,
19367 				     unsigned int link_id,
19368 				     struct cfg80211_chan_def *chandef,
19369 				     gfp_t gfp,
19370 				     enum nl80211_commands notif,
19371 				     u8 count, bool quiet, u16 punct_bitmap)
19372 {
19373 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19374 	struct sk_buff *msg;
19375 	void *hdr;
19376 
19377 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19378 	if (!msg)
19379 		return;
19380 
19381 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19382 	if (!hdr) {
19383 		nlmsg_free(msg);
19384 		return;
19385 	}
19386 
19387 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19388 		goto nla_put_failure;
19389 
19390 	if (wdev->valid_links &&
19391 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19392 		goto nla_put_failure;
19393 
19394 	if (nl80211_send_chandef(msg, chandef))
19395 		goto nla_put_failure;
19396 
19397 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19398 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19399 			goto nla_put_failure;
19400 		if (quiet &&
19401 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19402 			goto nla_put_failure;
19403 	}
19404 
19405 	if (nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, punct_bitmap))
19406 		goto nla_put_failure;
19407 
19408 	genlmsg_end(msg, hdr);
19409 
19410 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19411 				NL80211_MCGRP_MLME, gfp);
19412 	return;
19413 
19414  nla_put_failure:
19415 	nlmsg_free(msg);
19416 }
19417 
19418 void cfg80211_ch_switch_notify(struct net_device *dev,
19419 			       struct cfg80211_chan_def *chandef,
19420 			       unsigned int link_id, u16 punct_bitmap)
19421 {
19422 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19423 	struct wiphy *wiphy = wdev->wiphy;
19424 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19425 
19426 	ASSERT_WDEV_LOCK(wdev);
19427 	WARN_INVALID_LINK_ID(wdev, link_id);
19428 
19429 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id, punct_bitmap);
19430 
19431 	switch (wdev->iftype) {
19432 	case NL80211_IFTYPE_STATION:
19433 	case NL80211_IFTYPE_P2P_CLIENT:
19434 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19435 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19436 							chandef->chan);
19437 		break;
19438 	case NL80211_IFTYPE_MESH_POINT:
19439 		wdev->u.mesh.chandef = *chandef;
19440 		wdev->u.mesh.preset_chandef = *chandef;
19441 		break;
19442 	case NL80211_IFTYPE_AP:
19443 	case NL80211_IFTYPE_P2P_GO:
19444 		wdev->links[link_id].ap.chandef = *chandef;
19445 		break;
19446 	case NL80211_IFTYPE_ADHOC:
19447 		wdev->u.ibss.chandef = *chandef;
19448 		break;
19449 	default:
19450 		WARN_ON(1);
19451 		break;
19452 	}
19453 
19454 	cfg80211_sched_dfs_chan_update(rdev);
19455 
19456 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19457 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false,
19458 				 punct_bitmap);
19459 }
19460 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19461 
19462 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19463 				       struct cfg80211_chan_def *chandef,
19464 				       unsigned int link_id, u8 count,
19465 				       bool quiet, u16 punct_bitmap)
19466 {
19467 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19468 	struct wiphy *wiphy = wdev->wiphy;
19469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19470 
19471 	ASSERT_WDEV_LOCK(wdev);
19472 	WARN_INVALID_LINK_ID(wdev, link_id);
19473 
19474 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id,
19475 						punct_bitmap);
19476 
19477 
19478 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19479 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19480 				 count, quiet, punct_bitmap);
19481 }
19482 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19483 
19484 int cfg80211_bss_color_notify(struct net_device *dev,
19485 			      enum nl80211_commands cmd, u8 count,
19486 			      u64 color_bitmap)
19487 {
19488 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19489 	struct wiphy *wiphy = wdev->wiphy;
19490 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19491 	struct sk_buff *msg;
19492 	void *hdr;
19493 
19494 	ASSERT_WDEV_LOCK(wdev);
19495 
19496 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19497 
19498 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19499 	if (!msg)
19500 		return -ENOMEM;
19501 
19502 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19503 	if (!hdr)
19504 		goto nla_put_failure;
19505 
19506 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19507 		goto nla_put_failure;
19508 
19509 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19510 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19511 		goto nla_put_failure;
19512 
19513 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19514 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19515 			      color_bitmap, NL80211_ATTR_PAD))
19516 		goto nla_put_failure;
19517 
19518 	genlmsg_end(msg, hdr);
19519 
19520 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19521 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19522 
19523 nla_put_failure:
19524 	nlmsg_free(msg);
19525 	return -EINVAL;
19526 }
19527 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19528 
19529 void
19530 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19531 		     const struct cfg80211_chan_def *chandef,
19532 		     enum nl80211_radar_event event,
19533 		     struct net_device *netdev, gfp_t gfp)
19534 {
19535 	struct sk_buff *msg;
19536 	void *hdr;
19537 
19538 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19539 	if (!msg)
19540 		return;
19541 
19542 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19543 	if (!hdr) {
19544 		nlmsg_free(msg);
19545 		return;
19546 	}
19547 
19548 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19549 		goto nla_put_failure;
19550 
19551 	/* NOP and radar events don't need a netdev parameter */
19552 	if (netdev) {
19553 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19554 
19555 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19556 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19557 				      NL80211_ATTR_PAD))
19558 			goto nla_put_failure;
19559 	}
19560 
19561 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19562 		goto nla_put_failure;
19563 
19564 	if (nl80211_send_chandef(msg, chandef))
19565 		goto nla_put_failure;
19566 
19567 	genlmsg_end(msg, hdr);
19568 
19569 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19570 				NL80211_MCGRP_MLME, gfp);
19571 	return;
19572 
19573  nla_put_failure:
19574 	nlmsg_free(msg);
19575 }
19576 
19577 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19578 				       struct sta_opmode_info *sta_opmode,
19579 				       gfp_t gfp)
19580 {
19581 	struct sk_buff *msg;
19582 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19583 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19584 	void *hdr;
19585 
19586 	if (WARN_ON(!mac))
19587 		return;
19588 
19589 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19590 	if (!msg)
19591 		return;
19592 
19593 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19594 	if (!hdr) {
19595 		nlmsg_free(msg);
19596 		return;
19597 	}
19598 
19599 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19600 		goto nla_put_failure;
19601 
19602 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19603 		goto nla_put_failure;
19604 
19605 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19606 		goto nla_put_failure;
19607 
19608 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19609 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19610 		goto nla_put_failure;
19611 
19612 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19613 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19614 		goto nla_put_failure;
19615 
19616 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19617 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19618 		goto nla_put_failure;
19619 
19620 	genlmsg_end(msg, hdr);
19621 
19622 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19623 				NL80211_MCGRP_MLME, gfp);
19624 
19625 	return;
19626 
19627 nla_put_failure:
19628 	nlmsg_free(msg);
19629 }
19630 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19631 
19632 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19633 			   u64 cookie, bool acked, s32 ack_signal,
19634 			   bool is_valid_ack_signal, gfp_t gfp)
19635 {
19636 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19637 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19638 	struct sk_buff *msg;
19639 	void *hdr;
19640 
19641 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19642 
19643 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19644 
19645 	if (!msg)
19646 		return;
19647 
19648 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19649 	if (!hdr) {
19650 		nlmsg_free(msg);
19651 		return;
19652 	}
19653 
19654 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19655 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19656 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19657 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19658 			      NL80211_ATTR_PAD) ||
19659 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19660 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19661 						ack_signal)))
19662 		goto nla_put_failure;
19663 
19664 	genlmsg_end(msg, hdr);
19665 
19666 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19667 				NL80211_MCGRP_MLME, gfp);
19668 	return;
19669 
19670  nla_put_failure:
19671 	nlmsg_free(msg);
19672 }
19673 EXPORT_SYMBOL(cfg80211_probe_status);
19674 
19675 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19676 				     size_t len, int freq, int sig_dbm)
19677 {
19678 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19679 	struct sk_buff *msg;
19680 	void *hdr;
19681 	struct cfg80211_beacon_registration *reg;
19682 
19683 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19684 
19685 	spin_lock_bh(&rdev->beacon_registrations_lock);
19686 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19687 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19688 		if (!msg) {
19689 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19690 			return;
19691 		}
19692 
19693 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19694 		if (!hdr)
19695 			goto nla_put_failure;
19696 
19697 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19698 		    (freq &&
19699 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19700 				  KHZ_TO_MHZ(freq)) ||
19701 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19702 				  freq % 1000))) ||
19703 		    (sig_dbm &&
19704 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19705 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19706 			goto nla_put_failure;
19707 
19708 		genlmsg_end(msg, hdr);
19709 
19710 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19711 	}
19712 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19713 	return;
19714 
19715  nla_put_failure:
19716 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19717 	nlmsg_free(msg);
19718 }
19719 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19720 
19721 #ifdef CONFIG_PM
19722 static int cfg80211_net_detect_results(struct sk_buff *msg,
19723 				       struct cfg80211_wowlan_wakeup *wakeup)
19724 {
19725 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19726 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19727 	int i, j;
19728 
19729 	nl_results = nla_nest_start_noflag(msg,
19730 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19731 	if (!nl_results)
19732 		return -EMSGSIZE;
19733 
19734 	for (i = 0; i < nd->n_matches; i++) {
19735 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19736 
19737 		nl_match = nla_nest_start_noflag(msg, i);
19738 		if (!nl_match)
19739 			break;
19740 
19741 		/* The SSID attribute is optional in nl80211, but for
19742 		 * simplicity reasons it's always present in the
19743 		 * cfg80211 structure.  If a driver can't pass the
19744 		 * SSID, that needs to be changed.  A zero length SSID
19745 		 * is still a valid SSID (wildcard), so it cannot be
19746 		 * used for this purpose.
19747 		 */
19748 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19749 			    match->ssid.ssid)) {
19750 			nla_nest_cancel(msg, nl_match);
19751 			goto out;
19752 		}
19753 
19754 		if (match->n_channels) {
19755 			nl_freqs = nla_nest_start_noflag(msg,
19756 							 NL80211_ATTR_SCAN_FREQUENCIES);
19757 			if (!nl_freqs) {
19758 				nla_nest_cancel(msg, nl_match);
19759 				goto out;
19760 			}
19761 
19762 			for (j = 0; j < match->n_channels; j++) {
19763 				if (nla_put_u32(msg, j, match->channels[j])) {
19764 					nla_nest_cancel(msg, nl_freqs);
19765 					nla_nest_cancel(msg, nl_match);
19766 					goto out;
19767 				}
19768 			}
19769 
19770 			nla_nest_end(msg, nl_freqs);
19771 		}
19772 
19773 		nla_nest_end(msg, nl_match);
19774 	}
19775 
19776 out:
19777 	nla_nest_end(msg, nl_results);
19778 	return 0;
19779 }
19780 
19781 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19782 				   struct cfg80211_wowlan_wakeup *wakeup,
19783 				   gfp_t gfp)
19784 {
19785 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19786 	struct sk_buff *msg;
19787 	void *hdr;
19788 	int size = 200;
19789 
19790 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19791 
19792 	if (wakeup)
19793 		size += wakeup->packet_present_len;
19794 
19795 	msg = nlmsg_new(size, gfp);
19796 	if (!msg)
19797 		return;
19798 
19799 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19800 	if (!hdr)
19801 		goto free_msg;
19802 
19803 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19804 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19805 			      NL80211_ATTR_PAD))
19806 		goto free_msg;
19807 
19808 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19809 					wdev->netdev->ifindex))
19810 		goto free_msg;
19811 
19812 	if (wakeup) {
19813 		struct nlattr *reasons;
19814 
19815 		reasons = nla_nest_start_noflag(msg,
19816 						NL80211_ATTR_WOWLAN_TRIGGERS);
19817 		if (!reasons)
19818 			goto free_msg;
19819 
19820 		if (wakeup->disconnect &&
19821 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19822 			goto free_msg;
19823 		if (wakeup->magic_pkt &&
19824 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19825 			goto free_msg;
19826 		if (wakeup->gtk_rekey_failure &&
19827 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19828 			goto free_msg;
19829 		if (wakeup->eap_identity_req &&
19830 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19831 			goto free_msg;
19832 		if (wakeup->four_way_handshake &&
19833 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19834 			goto free_msg;
19835 		if (wakeup->rfkill_release &&
19836 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19837 			goto free_msg;
19838 
19839 		if (wakeup->pattern_idx >= 0 &&
19840 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19841 				wakeup->pattern_idx))
19842 			goto free_msg;
19843 
19844 		if (wakeup->tcp_match &&
19845 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19846 			goto free_msg;
19847 
19848 		if (wakeup->tcp_connlost &&
19849 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19850 			goto free_msg;
19851 
19852 		if (wakeup->tcp_nomoretokens &&
19853 		    nla_put_flag(msg,
19854 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19855 			goto free_msg;
19856 
19857 		if (wakeup->packet) {
19858 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19859 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19860 
19861 			if (!wakeup->packet_80211) {
19862 				pkt_attr =
19863 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19864 				len_attr =
19865 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19866 			}
19867 
19868 			if (wakeup->packet_len &&
19869 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19870 				goto free_msg;
19871 
19872 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19873 				    wakeup->packet))
19874 				goto free_msg;
19875 		}
19876 
19877 		if (wakeup->net_detect &&
19878 		    cfg80211_net_detect_results(msg, wakeup))
19879 				goto free_msg;
19880 
19881 		nla_nest_end(msg, reasons);
19882 	}
19883 
19884 	genlmsg_end(msg, hdr);
19885 
19886 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19887 				NL80211_MCGRP_MLME, gfp);
19888 	return;
19889 
19890  free_msg:
19891 	nlmsg_free(msg);
19892 }
19893 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19894 #endif
19895 
19896 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19897 				enum nl80211_tdls_operation oper,
19898 				u16 reason_code, gfp_t gfp)
19899 {
19900 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19901 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19902 	struct sk_buff *msg;
19903 	void *hdr;
19904 
19905 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19906 					 reason_code);
19907 
19908 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19909 	if (!msg)
19910 		return;
19911 
19912 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19913 	if (!hdr) {
19914 		nlmsg_free(msg);
19915 		return;
19916 	}
19917 
19918 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19919 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19920 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19921 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19922 	    (reason_code > 0 &&
19923 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19924 		goto nla_put_failure;
19925 
19926 	genlmsg_end(msg, hdr);
19927 
19928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19929 				NL80211_MCGRP_MLME, gfp);
19930 	return;
19931 
19932  nla_put_failure:
19933 	nlmsg_free(msg);
19934 }
19935 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19936 
19937 static int nl80211_netlink_notify(struct notifier_block * nb,
19938 				  unsigned long state,
19939 				  void *_notify)
19940 {
19941 	struct netlink_notify *notify = _notify;
19942 	struct cfg80211_registered_device *rdev;
19943 	struct wireless_dev *wdev;
19944 	struct cfg80211_beacon_registration *reg, *tmp;
19945 
19946 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19947 		return NOTIFY_DONE;
19948 
19949 	rcu_read_lock();
19950 
19951 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19952 		struct cfg80211_sched_scan_request *sched_scan_req;
19953 
19954 		list_for_each_entry_rcu(sched_scan_req,
19955 					&rdev->sched_scan_req_list,
19956 					list) {
19957 			if (sched_scan_req->owner_nlportid == notify->portid) {
19958 				sched_scan_req->nl_owner_dead = true;
19959 				wiphy_work_queue(&rdev->wiphy,
19960 						 &rdev->sched_scan_stop_wk);
19961 			}
19962 		}
19963 
19964 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19965 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19966 
19967 			if (wdev->owner_nlportid == notify->portid) {
19968 				wdev->nl_owner_dead = true;
19969 				schedule_work(&rdev->destroy_work);
19970 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19971 				schedule_work(&wdev->disconnect_wk);
19972 			}
19973 
19974 			cfg80211_release_pmsr(wdev, notify->portid);
19975 		}
19976 
19977 		spin_lock_bh(&rdev->beacon_registrations_lock);
19978 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19979 					 list) {
19980 			if (reg->nlportid == notify->portid) {
19981 				list_del(&reg->list);
19982 				kfree(reg);
19983 				break;
19984 			}
19985 		}
19986 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19987 	}
19988 
19989 	rcu_read_unlock();
19990 
19991 	/*
19992 	 * It is possible that the user space process that is controlling the
19993 	 * indoor setting disappeared, so notify the regulatory core.
19994 	 */
19995 	regulatory_netlink_notify(notify->portid);
19996 	return NOTIFY_OK;
19997 }
19998 
19999 static struct notifier_block nl80211_netlink_notifier = {
20000 	.notifier_call = nl80211_netlink_notify,
20001 };
20002 
20003 void cfg80211_ft_event(struct net_device *netdev,
20004 		       struct cfg80211_ft_event_params *ft_event)
20005 {
20006 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20007 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20008 	struct sk_buff *msg;
20009 	void *hdr;
20010 
20011 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20012 
20013 	if (!ft_event->target_ap)
20014 		return;
20015 
20016 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20017 			GFP_KERNEL);
20018 	if (!msg)
20019 		return;
20020 
20021 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20022 	if (!hdr)
20023 		goto out;
20024 
20025 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20026 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20027 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20028 		goto out;
20029 
20030 	if (ft_event->ies &&
20031 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20032 		goto out;
20033 	if (ft_event->ric_ies &&
20034 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20035 		    ft_event->ric_ies))
20036 		goto out;
20037 
20038 	genlmsg_end(msg, hdr);
20039 
20040 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20041 				NL80211_MCGRP_MLME, GFP_KERNEL);
20042 	return;
20043  out:
20044 	nlmsg_free(msg);
20045 }
20046 EXPORT_SYMBOL(cfg80211_ft_event);
20047 
20048 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20049 {
20050 	struct cfg80211_registered_device *rdev;
20051 	struct sk_buff *msg;
20052 	void *hdr;
20053 	u32 nlportid;
20054 
20055 	rdev = wiphy_to_rdev(wdev->wiphy);
20056 	if (!rdev->crit_proto_nlportid)
20057 		return;
20058 
20059 	nlportid = rdev->crit_proto_nlportid;
20060 	rdev->crit_proto_nlportid = 0;
20061 
20062 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20063 	if (!msg)
20064 		return;
20065 
20066 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20067 	if (!hdr)
20068 		goto nla_put_failure;
20069 
20070 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20071 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20072 			      NL80211_ATTR_PAD))
20073 		goto nla_put_failure;
20074 
20075 	genlmsg_end(msg, hdr);
20076 
20077 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20078 	return;
20079 
20080  nla_put_failure:
20081 	nlmsg_free(msg);
20082 }
20083 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20084 
20085 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20086 {
20087 	struct wiphy *wiphy = wdev->wiphy;
20088 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20089 	struct sk_buff *msg;
20090 	void *hdr;
20091 
20092 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20093 	if (!msg)
20094 		return;
20095 
20096 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20097 	if (!hdr)
20098 		goto out;
20099 
20100 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20101 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20102 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20103 			      NL80211_ATTR_PAD) ||
20104 	    (wdev->valid_links &&
20105 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20106 		goto out;
20107 
20108 	genlmsg_end(msg, hdr);
20109 
20110 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20111 				NL80211_MCGRP_MLME, GFP_KERNEL);
20112 	return;
20113  out:
20114 	nlmsg_free(msg);
20115 }
20116 
20117 int cfg80211_external_auth_request(struct net_device *dev,
20118 				   struct cfg80211_external_auth_params *params,
20119 				   gfp_t gfp)
20120 {
20121 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20122 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20123 	struct sk_buff *msg;
20124 	void *hdr;
20125 
20126 	if (!wdev->conn_owner_nlportid)
20127 		return -EINVAL;
20128 
20129 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20130 	if (!msg)
20131 		return -ENOMEM;
20132 
20133 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20134 	if (!hdr)
20135 		goto nla_put_failure;
20136 
20137 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20138 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20139 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
20140 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20141 			params->action) ||
20142 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20143 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20144 		    params->ssid.ssid) ||
20145 	    (!is_zero_ether_addr(params->mld_addr) &&
20146 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20147 		goto nla_put_failure;
20148 
20149 	genlmsg_end(msg, hdr);
20150 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20151 			wdev->conn_owner_nlportid);
20152 	return 0;
20153 
20154  nla_put_failure:
20155 	nlmsg_free(msg);
20156 	return -ENOBUFS;
20157 }
20158 EXPORT_SYMBOL(cfg80211_external_auth_request);
20159 
20160 void cfg80211_update_owe_info_event(struct net_device *netdev,
20161 				    struct cfg80211_update_owe_info *owe_info,
20162 				    gfp_t gfp)
20163 {
20164 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20165 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20166 	struct sk_buff *msg;
20167 	void *hdr;
20168 
20169 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20170 
20171 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20172 	if (!msg)
20173 		return;
20174 
20175 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20176 	if (!hdr)
20177 		goto nla_put_failure;
20178 
20179 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20180 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20181 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20182 		goto nla_put_failure;
20183 
20184 	if (!owe_info->ie_len ||
20185 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20186 		goto nla_put_failure;
20187 
20188 	if (owe_info->assoc_link_id != -1) {
20189 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20190 			       owe_info->assoc_link_id))
20191 			goto nla_put_failure;
20192 
20193 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20194 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20195 			    owe_info->peer_mld_addr))
20196 			goto nla_put_failure;
20197 	}
20198 
20199 	genlmsg_end(msg, hdr);
20200 
20201 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20202 				NL80211_MCGRP_MLME, gfp);
20203 	return;
20204 
20205 nla_put_failure:
20206 	genlmsg_cancel(msg, hdr);
20207 	nlmsg_free(msg);
20208 }
20209 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20210 
20211 /* initialisation/exit functions */
20212 
20213 int __init nl80211_init(void)
20214 {
20215 	int err;
20216 
20217 	err = genl_register_family(&nl80211_fam);
20218 	if (err)
20219 		return err;
20220 
20221 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20222 	if (err)
20223 		goto err_out;
20224 
20225 	return 0;
20226  err_out:
20227 	genl_unregister_family(&nl80211_fam);
20228 	return err;
20229 }
20230 
20231 void nl80211_exit(void)
20232 {
20233 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20234 	genl_unregister_family(&nl80211_fam);
20235 }
20236