1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2017	Intel Deutschland GmbH
7  * Copyright (C) 2018-2019 Intel Corporation
8  */
9 
10 #include <linux/if.h>
11 #include <linux/module.h>
12 #include <linux/err.h>
13 #include <linux/slab.h>
14 #include <linux/list.h>
15 #include <linux/if_ether.h>
16 #include <linux/ieee80211.h>
17 #include <linux/nl80211.h>
18 #include <linux/rtnetlink.h>
19 #include <linux/netlink.h>
20 #include <linux/nospec.h>
21 #include <linux/etherdevice.h>
22 #include <net/net_namespace.h>
23 #include <net/genetlink.h>
24 #include <net/cfg80211.h>
25 #include <net/sock.h>
26 #include <net/inet_connection_sock.h>
27 #include "core.h"
28 #include "nl80211.h"
29 #include "reg.h"
30 #include "rdev-ops.h"
31 
/*
 * Forward declaration; the definition is later in this file.  Presumably
 * parses the crypto-related attributes of a request into @settings,
 * rejecting more than @cipher_limit ciphers -- confirm against the body.
 */
static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
				   struct genl_info *info,
				   struct cfg80211_crypto_settings *settings,
				   int cipher_limit);
36 
/*
 * The netlink family.  Only declared here so that nl80211hdr_put() and
 * nl80211_prepare_wdev_dump() can reference it; its ops, policy and
 * registration are defined outside this view.
 */
static struct genl_family nl80211_fam;
39 
/*
 * Multicast groups, used as indices into nl80211_mcgrps[] below.
 * NL80211_MCGRP_TESTMODE must stay last: its nl80211_mcgrps[] entry only
 * exists under CONFIG_NL80211_TESTMODE, so keeping it last just shortens
 * the array instead of leaving an unnamed group in the middle.
 */
enum nl80211_multicast_groups {
	NL80211_MCGRP_CONFIG,
	NL80211_MCGRP_SCAN,
	NL80211_MCGRP_REGULATORY,
	NL80211_MCGRP_MLME,
	NL80211_MCGRP_VENDOR,
	NL80211_MCGRP_NAN,
	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
};
50 
/* group names, indexed by enum nl80211_multicast_groups */
static const struct genl_multicast_group nl80211_mcgrps[] = {
	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
#ifdef CONFIG_NL80211_TESTMODE
	/* testmode only; this is why NL80211_MCGRP_TESTMODE is last */
	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
#endif
};
62 
/*
 * Look up the wireless_dev named by NL80211_ATTR_IFINDEX and/or
 * NL80211_ATTR_WDEV in @attrs, restricted to the network namespace @netns.
 *
 * Returns the first matching wireless_dev, or an ERR_PTR: -EINVAL when
 * neither attribute is present, -ENODEV when nothing in @netns matches.
 * Callers must hold the RTNL.
 */
static struct wireless_dev *
__cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
{
	struct cfg80211_registered_device *rdev;
	const struct nlattr *ifidx_attr = attrs[NL80211_ATTR_IFINDEX];
	const struct nlattr *wdev_attr = attrs[NL80211_ATTR_WDEV];
	u64 wdev_id = 0;
	int wiphy_idx = -1;
	int ifidx = -1;

	ASSERT_RTNL();

	if (!ifidx_attr && !wdev_attr)
		return ERR_PTR(-EINVAL);

	if (ifidx_attr)
		ifidx = nla_get_u32(ifidx_attr);
	if (wdev_attr) {
		/* upper 32 bits of a wdev id name the wiphy, lower the wdev */
		wdev_id = nla_get_u64(wdev_attr);
		wiphy_idx = wdev_id >> 32;
	}

	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
		struct wireless_dev *wdev;

		/* devices owned by another netns are invisible here */
		if (wiphy_net(&rdev->wiphy) != netns)
			continue;
		if (wdev_attr && rdev->wiphy_idx != wiphy_idx)
			continue;

		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
			bool ifidx_match = ifidx_attr && wdev->netdev &&
					   wdev->netdev->ifindex == ifidx;
			bool wdev_id_match = wdev_attr &&
					     wdev->identifier == (u32)wdev_id;

			if (ifidx_match || wdev_id_match)
				return wdev;
		}
	}

	return ERR_PTR(-ENODEV);
}
116 
/*
 * Resolve the registered device (driver) that @attrs refer to, via any
 * combination of NL80211_ATTR_WIPHY, NL80211_ATTR_WDEV and
 * NL80211_ATTR_IFINDEX.  When more than one is given they must all name
 * the same device.
 *
 * Returns the rdev, or an ERR_PTR: -EINVAL when no identifying attribute
 * is present, when the attributes disagree, or when the ifindex names a
 * non-wireless device; -ENODEV when nothing is found or the device lives
 * in a different network namespace than @netns.  Callers must hold the
 * RTNL.
 */
static struct cfg80211_registered_device *
__cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
{
	struct cfg80211_registered_device *rdev = NULL, *tmp;
	struct net_device *netdev;

	ASSERT_RTNL();

	if (!attrs[NL80211_ATTR_WIPHY] &&
	    !attrs[NL80211_ATTR_IFINDEX] &&
	    !attrs[NL80211_ATTR_WDEV])
		return ERR_PTR(-EINVAL);

	/* an unknown wiphy index simply leaves rdev NULL at this point */
	if (attrs[NL80211_ATTR_WIPHY])
		rdev = cfg80211_rdev_by_wiphy_idx(
				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));

	if (attrs[NL80211_ATTR_WDEV]) {
		/* upper 32 bits: wiphy index, lower 32 bits: wdev identifier */
		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
		struct wireless_dev *wdev;
		bool found = false;

		/*
		 * NOTE(review): when the wiphy half of the id is unknown the
		 * whole block below is skipped, so a conflicting
		 * NL80211_ATTR_WIPHY goes unnoticed in that case, while a
		 * known wiphy with an unknown wdev does reach the -EINVAL
		 * mismatch check.  Confirm this asymmetry is intended.
		 */
		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
		if (tmp) {
			/* make sure wdev exists */
			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
				if (wdev->identifier != (u32)wdev_id)
					continue;
				found = true;
				break;
			}

			if (!found)
				tmp = NULL;

			if (rdev && tmp != rdev)
				return ERR_PTR(-EINVAL);
			rdev = tmp;
		}
	}

	if (attrs[NL80211_ATTR_IFINDEX]) {
		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);

		/* already scoped to @netns; an unknown ifindex is ignored */
		netdev = __dev_get_by_index(netns, ifindex);
		if (netdev) {
			if (netdev->ieee80211_ptr)
				tmp = wiphy_to_rdev(
					netdev->ieee80211_ptr->wiphy);
			else
				tmp = NULL;

			/* not wireless device -- return error */
			if (!tmp)
				return ERR_PTR(-EINVAL);

			/* mismatch -- return error */
			if (rdev && tmp != rdev)
				return ERR_PTR(-EINVAL);

			rdev = tmp;
		}
	}

	if (!rdev)
		return ERR_PTR(-ENODEV);

	/*
	 * cfg80211_rdev_by_wiphy_idx() takes no netns, so namespace
	 * isolation is enforced here: a device owned by another netns is
	 * reported as absent, not as forbidden.
	 */
	if (netns != wiphy_net(&rdev->wiphy))
		return ERR_PTR(-ENODEV);

	return rdev;
}
189 
/*
 * Return the driver (registered device) that the attributes carried by
 * @info refer to, looked up within @netns.
 *
 * The result may be an ERR_PTR and must be checked with IS_ERR() before
 * use; see __cfg80211_rdev_from_attrs() for the error codes.
 */
static struct cfg80211_registered_device *
cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
{
	struct nlattr **attrs = info->attrs;

	return __cfg80211_rdev_from_attrs(netns, attrs);
}
202 
/*
 * Policy validation callback for attributes that carry a blob of
 * IEEE 802.11 information elements.
 *
 * Walks the element list; the blob is accepted only if the walk ends
 * exactly at the end of the attribute payload, i.e. no element length
 * runs past the data.  Returns 0 when well-formed, otherwise records an
 * extack message against @attr and returns -EINVAL.
 */
static int validate_ie_attr(const struct nlattr *attr,
			    struct netlink_ext_ack *extack)
{
	const u8 *ies = nla_data(attr);
	unsigned int ies_len = nla_len(attr);
	const struct element *elem;

	/* the walk itself is the check; nothing to do per element */
	for_each_element(elem, ies, ies_len)
		;

	if (!for_each_element_completed(elem, ies, ies_len)) {
		NL_SET_ERR_MSG_ATTR(extack, attr,
				    "malformed information elements");
		return -EINVAL;
	}

	return 0;
}
220 
/*
 * Policy for the FTM responder attributes nested under
 * NL80211_ATTR_FTM_RESPONDER.  The LCI and civic-location blobs are
 * NLA_BINARY, so .len is a maximum payload length of U8_MAX bytes.
 */
static const struct nla_policy
nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
					.len = U8_MAX },
	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
					     .len = U8_MAX },
};
230 
/*
 * Policy for an FTM peer-measurement request (nested under
 * NL80211_PMSR_TYPE_FTM).  The exponent/duration/count fields are bounded
 * inclusively by NLA_POLICY_MAX; the preamble and burst period are only
 * type-checked here.
 */
static const struct nla_policy
nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
		NLA_POLICY_MAX(NLA_U8, 15),
	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
		NLA_POLICY_MAX(NLA_U8, 15),
	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
		NLA_POLICY_MAX(NLA_U8, 31),
	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
};
246 
/* per-measurement-type request data; only FTM is defined in this version */
static const struct nla_policy
nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
	[NL80211_PMSR_TYPE_FTM] =
		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
};
252 
/* one peer's measurement request: the typed data plus request flags */
static const struct nla_policy
nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
	[NL80211_PMSR_REQ_ATTR_DATA] =
		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
};
259 
/*
 * Policy for one entry of the NL80211_PMSR_ATTR_PEERS array (note the
 * historical "psmr" spelling of the identifier).  The response attribute
 * is rejected outright: it is kernel-to-user only.
 */
static const struct nla_policy
nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
	/*
	 * we could specify this again to be the top-level policy,
	 * but that would open us up to recursion problems ...
	 * (so the channel attributes are only checked as a nest here;
	 * their contents must be validated by the consumer)
	 */
	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
	[NL80211_PMSR_PEER_ATTR_REQ] =
		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
};
272 
/*
 * Top-level peer-measurement policy (NL80211_ATTR_PEER_MEASUREMENTS).
 * Everything except the peers array is NLA_REJECT: those attributes are
 * presumably capability/report fields that only flow kernel-to-user, so a
 * request carrying them fails validation instead of being silently ignored.
 */
static const struct nla_policy
nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
	[NL80211_PMSR_ATTR_PEERS] =
		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
};
282 
/*
 * Top-level attribute policy, applied by genetlink to every nl80211
 * request before the command handler runs (and by
 * nl80211_prepare_wdev_dump() for dumps).
 *
 * Reading the entries: for NLA_BINARY, NLA_STRING and NLA_NUL_STRING .len
 * is a *maximum* payload length; for untyped entries such as the ETH_ALEN
 * addresses below it is a *minimum*; NLA_POLICY_MIN/MAX/RANGE bound
 * integer values inclusively.  Whatever is not pinned down here -- an
 * NLA_NESTED without a nested policy, an NLA_BINARY without .len -- must
 * be validated by the handler that consumes the attribute.
 */
const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
				      .len = 20-1 },
	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },

	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },

	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },

	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },

	/* untyped: .len is a minimum, so these must carry at least ETH_ALEN */
	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },

	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
				    .len = WLAN_MAX_KEY_LEN },
	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 5),
	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
	/*
	 * NOTE(review): the inclusive bound here is NUM_NL80211_KEYTYPES,
	 * whereas nl80211_key_policy caps NL80211_KEY_TYPE at
	 * NUM_NL80211_KEYTYPES - 1; confirm every consumer range-checks the
	 * value itself, or tighten this entry to match.
	 */
	[NL80211_ATTR_KEY_TYPE] =
		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),

	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
				       .len = IEEE80211_MAX_DATA_LEN },
	/* IE blobs are additionally checked for well-formed element lengths */
	[NL80211_ATTR_BEACON_TAIL] =
		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
				       IEEE80211_MAX_DATA_LEN),
	[NL80211_ATTR_STA_AID] =
		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
					       .len = NL80211_MAX_SUPP_RATES },
	[NL80211_ATTR_STA_PLINK_ACTION] =
		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
	[NL80211_ATTR_STA_TX_POWER_SETTING] =
		NLA_POLICY_RANGE(NLA_U8,
				 NL80211_TX_POWER_AUTOMATIC,
				 NL80211_TX_POWER_FIXED),
	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
				   .len = IEEE80211_MAX_MESH_ID_LEN },
	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },

	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },

	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
					   .len = NL80211_MAX_SUPP_RATES },
	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },

	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },

	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },

	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
						   validate_ie_attr,
						   IEEE80211_MAX_DATA_LEN),
	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },

	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
				.len = IEEE80211_MAX_SSID_LEN },
	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
						  NL80211_MFP_NO,
						  NL80211_MFP_OPTIONAL),
	[NL80211_ATTR_STA_FLAGS2] = {
		.len = sizeof(struct nl80211_sta_flag_update),
	},
	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
	[NL80211_ATTR_PID] = { .type = NLA_U32 },
	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
	[NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
				 .len = IEEE80211_MAX_DATA_LEN },
	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
						   NL80211_PS_DISABLED,
						   NL80211_PS_ENABLED),
	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
	[NL80211_ATTR_STA_PLINK_STATE] =
		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
	[NL80211_ATTR_MESH_PEER_AID] =
		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
	[NL80211_ATTR_HIDDEN_SSID] =
		NLA_POLICY_RANGE(NLA_U32,
				 NL80211_HIDDEN_SSID_NOT_IN_USE,
				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
	[NL80211_ATTR_IE_PROBE_RESP] =
		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
				       IEEE80211_MAX_DATA_LEN),
	[NL80211_ATTR_IE_ASSOC_RESP] =
		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
				       IEEE80211_MAX_DATA_LEN),
	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
				      .len = IEEE80211_MAX_DATA_LEN },
	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
		.len = NL80211_HT_CAPABILITY_LEN
	},
	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
		NLA_POLICY_RANGE(NLA_U32,
				 NL80211_MESH_POWER_UNKNOWN + 1,
				 NL80211_MESH_POWER_MAX),
	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
		.len = NL80211_VHT_CAPABILITY_LEN,
	},
	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
				  .len = IEEE80211_MAX_DATA_LEN },
	[NL80211_ATTR_PEER_AID] =
		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
	/* NLA_BINARY with no .len: size is only bounded by the consumer */
	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
				   .len = IEEE80211_QOS_MAP_LEN_MAX },
	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
	[NL80211_ATTR_USER_PRIO] =
		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
		.len = VHT_MUMIMO_GROUPS_DATA_LEN
	},
	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
				    .len = FILS_MAX_KEK_LEN },
	[NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
	[NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
	},
	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
					     .len = FILS_ERP_MAX_USERNAME_LEN },
	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
					  .len = FILS_ERP_MAX_REALM_LEN },
	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
					.len = FILS_ERP_MAX_RRK_LEN },
	[NL80211_ATTR_FILS_CACHE_ID] = { .len = 2 },
	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },

	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
					 .len = NL80211_HE_MAX_CAPABILITY_LEN },

	/* nested policy spelled out by hand; same effect as NLA_POLICY_NESTED */
	[NL80211_ATTR_FTM_RESPONDER] = {
		.type = NLA_NESTED,
		.validation_data = nl80211_ftm_responder_policy,
	},
	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
	[NL80211_ATTR_PEER_MEASUREMENTS] =
		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
};
550 
/*
 * Policy for the key attributes nested under NL80211_ATTR_KEY.
 * NOTE(review): NL80211_KEY_IDX is an unbounded NLA_U8 here while the
 * top-level NL80211_ATTR_KEY_IDX is capped at 5, and NL80211_KEY_TYPE is
 * capped at NUM_NL80211_KEYTYPES - 1 while NL80211_ATTR_KEY_TYPE allows
 * NUM_NL80211_KEYTYPES; confirm the key parsing code range-checks both.
 */
static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
	[NL80211_KEY_IDX] = { .type = NLA_U8 },
	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
};
563 
/* policy for the key default flags (nested under NL80211_KEY_DEFAULT_TYPES) */
static const struct nla_policy
nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
};
570 
571 #ifdef CONFIG_PM
/*
 * Policy for WoWLAN trigger attributes (nested under
 * NL80211_ATTR_WOWLAN_TRIGGERS).  The nested triggers carry no nested
 * policy here, so their contents are validated by the consumer.
 */
static const struct nla_policy
nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
};
586 
/*
 * Policy for the WoWLAN TCP-connection trigger.  The untyped entries use
 * .len as a minimum: the MAC must be ETH_ALEN, the seq/token descriptors
 * at least their struct size, and the payload/mask blobs non-empty.  Any
 * upper bound on the blobs is left to the consumer.
 */
static const struct nla_policy
nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
	},
	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
	},
	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
};
605 #endif /* CONFIG_PM */
606 
/*
 * Policy for coalesce rule attributes.  The condition is range-checked
 * against the NL80211_COALESCE_CONDITION_* values; the packet patterns
 * are only checked as a nest here.
 */
static const struct nla_policy
nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
		NLA_POLICY_RANGE(NLA_U32,
				 NL80211_COALESCE_CONDITION_MATCH,
				 NL80211_COALESCE_CONDITION_NO_MATCH),
	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
};
617 
/*
 * Policy for GTK rekey offload attributes (nested under
 * NL80211_ATTR_REKEY_DATA).  These are untyped, so each .len is a
 * minimum payload length; longer payloads pass policy validation and
 * presumably are truncated or rejected by the consumer.
 */
static const struct nla_policy
nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
};
625 
/* per-band RSSI thresholds for scheduled-scan match sets, indexed by band */
static const struct nla_policy
nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
};
632 
/*
 * Policy for one scheduled-scan match set (nested under
 * NL80211_ATTR_SCHED_SCAN_MATCH).  Note the single-value RSSI is typed
 * NLA_U32 although the per-band variant uses NLA_S32; presumably the
 * consumer reinterprets it as signed.
 */
static const struct nla_policy
nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
						 .len = IEEE80211_MAX_SSID_LEN },
	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = { .len = ETH_ALEN },
	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
};
642 
/* policy for one scheduled-scan plan (interval and iteration count) */
static const struct nla_policy
nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
};
648 
/*
 * Policy for BSS selection attributes (nested under NL80211_ATTR_BSS_SELECT).
 * The RSSI adjust entry is untyped, so .len is a minimum of the struct size.
 */
static const struct nla_policy
nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
	},
};
657 
/*
 * Policy for NAN function attributes (nested under NL80211_ATTR_NAN_FUNC).
 * The service ID is untyped (minimum length); the service info blob is
 * capped; the SRF and match-filter nests carry no nested policy here.
 */
static const struct nla_policy
nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
	[NL80211_NAN_FUNC_SERVICE_ID] = {
				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
};
680 
/*
 * Policy for NAN Service Response Filter attributes (nested under
 * NL80211_NAN_FUNC_SRF).  The bloom filter is capped at
 * NL80211_NAN_FUNC_SRF_MAX_LEN bytes; the MAC list is only checked as a
 * nest here.
 */
static const struct nla_policy
nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
};
690 
/*
 * Policy for packet pattern attributes (WoWLAN and coalesce patterns).
 * Mask and pattern are NLA_BINARY without .len, so the policy imposes no
 * size limit and no relation between the two; the consumer must check
 * both the lengths and that the mask covers the pattern.
 */
static const struct nla_policy
nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
};
698 
/*
 * Resolve the rdev/wdev pair a dump request refers to.
 *
 * On the first call (cb->args[0] == 0) the request is parsed against
 * nl80211_policy and the target wdev is looked up from its attributes;
 * the wiphy index (+1, so that 0 keeps meaning "not parsed yet") and the
 * wdev identifier are cached in cb->args[0] and cb->args[1].  Later calls
 * resolve the pair from that cache without re-parsing the message.
 *
 * Returns 0 on success, a parse or lookup error on the first call, or
 * -ENODEV when the cached wiphy or wdev has disappeared since.
 */
int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
			      struct cfg80211_registered_device **rdev,
			      struct wireless_dev **wdev)
{
	struct nlattr **attrbuf;
	struct wiphy *wiphy;
	struct wireless_dev *iter;
	int err;

	if (cb->args[0]) {
		/* cached path: undo the +1 applied on the first call */
		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
		if (!wiphy)
			return -ENODEV;

		*rdev = wiphy_to_rdev(wiphy);
		*wdev = NULL;
		list_for_each_entry(iter, &(*rdev)->wiphy.wdev_list, list) {
			if (iter->identifier == cb->args[1]) {
				*wdev = iter;
				break;
			}
		}

		return *wdev ? 0 : -ENODEV;
	}

	attrbuf = genl_family_attrbuf(&nl80211_fam);
	err = nlmsg_parse_deprecated(cb->nlh,
				     GENL_HDRLEN + nl80211_fam.hdrsize,
				     attrbuf, nl80211_fam.maxattr,
				     nl80211_policy, NULL);
	if (err)
		return err;

	*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk), attrbuf);
	if (IS_ERR(*wdev))
		return PTR_ERR(*wdev);

	*rdev = wiphy_to_rdev((*wdev)->wiphy);
	/* 0 means "not parsed yet", so the index is stored shifted by one */
	cb->args[0] = (*rdev)->wiphy_idx + 1;
	cb->args[1] = (*wdev)->identifier;

	return 0;
}
746 
/*
 * Message building helper: start an nl80211 message header in @skb for
 * command @cmd.  nl80211 has no private header, so this is exactly the
 * generic netlink header.  Returns the header pointer, or NULL when @skb
 * has no room for it.
 */
void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
		     int flags, u8 cmd)
{
	struct genl_family *fam = &nl80211_fam;

	return genlmsg_put(skb, portid, seq, fam, flags, cmd);
}
754 
/*
 * Emit the nested entry for one access category @ac of @rule's client
 * WMM parameters.  Returns 0, or -ENOBUFS when @msg ran out of room
 * (the partially started nest is left for the caller to discard).
 */
static int nl80211_msg_put_one_wmm_rule(struct sk_buff *msg,
					const struct ieee80211_reg_rule *rule,
					int ac)
{
	struct nlattr *nest = nla_nest_start_noflag(msg, ac);

	if (!nest)
		return -ENOBUFS;

	if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
			rule->wmm_rule.client[ac].cw_min) ||
	    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
			rule->wmm_rule.client[ac].cw_max) ||
	    nla_put_u8(msg, NL80211_WMMR_AIFSN,
		       rule->wmm_rule.client[ac].aifsn) ||
	    nla_put_u16(msg, NL80211_WMMR_TXOP,
			rule->wmm_rule.client[ac].cot))
		return -ENOBUFS;

	nla_nest_end(msg, nest);
	return 0;
}

/*
 * Add an NL80211_FREQUENCY_ATTR_WMM nest to @msg holding the client WMM
 * parameters of @rule, one nested entry per access category (indexed
 * 0..IEEE80211_NUM_ACS-1).
 *
 * Returns 0, or -ENOBUFS when @msg has no room; on failure no nest is
 * cancelled, so the caller is expected to drop the whole message.
 */
static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
				     const struct ieee80211_reg_rule *rule)
{
	struct nlattr *wmm_nest;
	int ac;

	wmm_nest = nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
	if (!wmm_nest)
		return -ENOBUFS;

	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
		if (nl80211_msg_put_one_wmm_rule(msg, rule, ac))
			return -ENOBUFS;
	}

	nla_nest_end(msg, wmm_nest);
	return 0;
}
790 
/*
 * Describe one channel inside an already-open frequency nest: centre
 * frequency, restriction flags, DFS state, maximum TX power and (for
 * @large) the regulatory WMM parameters.
 *
 * @large enables the attributes that only newer user space understands;
 * with !large some channels are skipped entirely (see below).
 *
 * Returns 0 on success (including the "channel skipped" case) or
 * -ENOBUFS when @msg is full.  Nothing is unwound on failure; the caller
 * is expected to cancel the message.
 */
static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
				   struct ieee80211_channel *chan,
				   bool large)
{
	/* Some channels must be completely excluded from the
	 * list to protect old user-space tools from breaking
	 */
	/* note: && binds looser than &, i.e. !large && (flags & mask) */
	if (!large && chan->flags &
	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
		return 0;

	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
			chan->center_freq))
		goto nla_put_failure;

	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
		goto nla_put_failure;
	if (chan->flags & IEEE80211_CHAN_NO_IR) {
		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
			goto nla_put_failure;
		/* the underscore-prefixed NO_IBSS flag is kept alongside NO_IR,
		 * presumably for user space that predates NO_IR
		 */
		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
			goto nla_put_failure;
	}
	if (chan->flags & IEEE80211_CHAN_RADAR) {
		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
			goto nla_put_failure;
		/* DFS details (state, time in that state, CAC duration)
		 * are only sent to new user space
		 */
		if (large) {
			u32 time;

			time = elapsed_jiffies_msecs(chan->dfs_state_entered);

			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
					chan->dfs_state))
				goto nla_put_failure;
			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
					time))
				goto nla_put_failure;
			if (nla_put_u32(msg,
					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
					chan->dfs_cac_ms))
				goto nla_put_failure;
		}
	}

	/* bandwidth/usage restriction flags, new user space only */
	if (large) {
		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
			goto nla_put_failure;
		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
			goto nla_put_failure;
	}

	/* the attribute carries mBm, max_power is converted from dBm */
	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
			DBM_TO_MBM(chan->max_power)))
		goto nla_put_failure;

	if (large) {
		/* freq_reg_info() may return an ERR_PTR or NULL, hence the
		 * IS_ERR_OR_NULL guard before dereferencing
		 */
		const struct ieee80211_reg_rule *rule =
			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));

		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
			if (nl80211_msg_put_wmm_rules(msg, rule))
				goto nla_put_failure;
		}
	}

	return 0;

 nla_put_failure:
	return -ENOBUFS;
}
882 
/*
 * Emit one NL80211_TXQ_STATS_* counter @val of type @attr, but only when
 * the driver marked it valid in @txqstats->filled.  Returns true when the
 * counter was skipped or written, false when @msg is full.
 */
static bool nl80211_put_txq_val(struct sk_buff *msg,
				const struct cfg80211_txq_stats *txqstats,
				int attr, u32 val)
{
	if (!(txqstats->filled & BIT(attr)))
		return true;

	return nla_put_u32(msg, attr, val) == 0;
}

/*
 * Emit the TXQ statistics in @txqstats as a nest of type @attrtype.
 * @txqstats->filled is a bitmask of NL80211_TXQ_STATS_* values telling
 * which counters the driver actually provided; only those are sent.
 *
 * Returns true on success, false when @msg is full (the nest is then
 * left open; presumably the caller cancels the message).
 */
static bool nl80211_put_txq_stats(struct sk_buff *msg,
				  struct cfg80211_txq_stats *txqstats,
				  int attrtype)
{
	struct nlattr *nest = nla_nest_start_noflag(msg, attrtype);
	bool ok;

	if (!nest)
		return false;

	/* attribute order is part of the wire format, keep it */
	ok = nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_BACKLOG_BYTES,
				 txqstats->backlog_bytes) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_BACKLOG_PACKETS,
				 txqstats->backlog_packets) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_FLOWS,
				 txqstats->flows) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_DROPS,
				 txqstats->drops) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_ECN_MARKS,
				 txqstats->ecn_marks) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_OVERLIMIT,
				 txqstats->overlimit) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_OVERMEMORY,
				 txqstats->overmemory) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_COLLISIONS,
				 txqstats->collisions) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_TX_BYTES,
				 txqstats->tx_bytes) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_TX_PACKETS,
				 txqstats->tx_packets) &&
	     nl80211_put_txq_val(msg, txqstats, NL80211_TXQ_STATS_MAX_FLOWS,
				 txqstats->max_flows);
	if (!ok)
		return false;

	nla_nest_end(msg, nest);
	return true;
}
915 
916 /* netlink command implementations */
917 
/*
 * Result of parsing a key description from a netlink request
 * (nl80211_parse_key_new()/nl80211_parse_key_old()).  The key and
 * sequence pointers inside @p point into the request message itself,
 * so the struct must not outlive the request.
 */
struct key_parse {
	struct key_params p;	/* cipher, key/key_len, seq/seq_len, mode */
	int idx;		/* key index; nl80211_parse_key() presets -1 = absent */
	int type;		/* NL80211_KEY_TYPE value; -1 = absent (same preset) */
	bool def, defmgmt;	/* DEFAULT / DEFAULT_MGMT attribute present */
	bool def_uni, def_multi; /* default key for unicast / multicast */
};
925 
/*
 * Fill @k from the nested key attribute @key (NL80211_KEY_* inside it).
 *
 * Only fields whose attribute is present are written, so callers clear
 * @k first (nl80211_parse_key() and nl80211_parse_connkeys() memset it).
 * The key and sequence pointers alias the netlink message buffer rather
 * than copying it; they are valid only while @info is.
 *
 * No range checking happens here beyond what nl80211_key_policy enforces
 * (not visible in this section); index, cipher and key length are
 * validated by the callers.
 *
 * Returns 0 on success or the negative error of a failed nested parse.
 */
static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
				 struct key_parse *k)
{
	struct nlattr *attrs[NL80211_KEY_MAX + 1];
	int err;

	err = nla_parse_nested_deprecated(attrs, NL80211_KEY_MAX, key,
					  nl80211_key_policy, info->extack);
	if (err)
		return err;

	/* scalar attributes, independent of each other */
	if (attrs[NL80211_KEY_IDX])
		k->idx = nla_get_u8(attrs[NL80211_KEY_IDX]);
	if (attrs[NL80211_KEY_CIPHER])
		k->p.cipher = nla_get_u32(attrs[NL80211_KEY_CIPHER]);
	if (attrs[NL80211_KEY_TYPE])
		k->type = nla_get_u32(attrs[NL80211_KEY_TYPE]);

	/* variable-length blobs: point into the message, no copy */
	if (attrs[NL80211_KEY_DATA]) {
		k->p.key = nla_data(attrs[NL80211_KEY_DATA]);
		k->p.key_len = nla_len(attrs[NL80211_KEY_DATA]);
	}
	if (attrs[NL80211_KEY_SEQ]) {
		k->p.seq = nla_data(attrs[NL80211_KEY_SEQ]);
		k->p.seq_len = nla_len(attrs[NL80211_KEY_SEQ]);
	}

	/*
	 * Default-key flags: a plain default key is the default for both
	 * unicast and multicast, a default management key for multicast only.
	 */
	k->def = !!attrs[NL80211_KEY_DEFAULT];
	k->defmgmt = !!attrs[NL80211_KEY_DEFAULT_MGMT];
	if (k->def)
		k->def_uni = k->def_multi = true;
	if (k->defmgmt)
		k->def_multi = true;

	/*
	 * An explicit NL80211_KEY_DEFAULT_TYPES nest overrides the derived
	 * uni/multi flags, so it has to be applied after them.
	 */
	if (attrs[NL80211_KEY_DEFAULT_TYPES]) {
		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];

		err = nla_parse_nested_deprecated(kdt,
						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
						  attrs[NL80211_KEY_DEFAULT_TYPES],
						  nl80211_key_default_policy,
						  info->extack);
		if (err)
			return err;

		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
	}

	if (attrs[NL80211_KEY_MODE])
		k->p.mode = nla_get_u8(attrs[NL80211_KEY_MODE]);

	return 0;
}
985 
/*
 * Legacy counterpart of nl80211_parse_key_new(): the key description is
 * spread over top-level NL80211_ATTR_KEY_* attributes instead of a nested
 * NL80211_ATTR_KEY.  Field semantics are the same — only present
 * attributes are written, key/seq alias the message buffer, and an
 * explicit DEFAULT_TYPES nest overrides the uni/multi flags derived from
 * DEFAULT/DEFAULT_MGMT.  The old format carries no key mode.
 *
 * Returns 0 on success or the negative error of a failed nested parse.
 */
static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
{
	struct nlattr **attrs = info->attrs;

	if (attrs[NL80211_ATTR_KEY_DATA]) {
		k->p.key = nla_data(attrs[NL80211_ATTR_KEY_DATA]);
		k->p.key_len = nla_len(attrs[NL80211_ATTR_KEY_DATA]);
	}
	if (attrs[NL80211_ATTR_KEY_SEQ]) {
		k->p.seq = nla_data(attrs[NL80211_ATTR_KEY_SEQ]);
		k->p.seq_len = nla_len(attrs[NL80211_ATTR_KEY_SEQ]);
	}

	if (attrs[NL80211_ATTR_KEY_IDX])
		k->idx = nla_get_u8(attrs[NL80211_ATTR_KEY_IDX]);
	if (attrs[NL80211_ATTR_KEY_CIPHER])
		k->p.cipher = nla_get_u32(attrs[NL80211_ATTR_KEY_CIPHER]);
	if (attrs[NL80211_ATTR_KEY_TYPE])
		k->type = nla_get_u32(attrs[NL80211_ATTR_KEY_TYPE]);

	/* default flags; DEFAULT => uni+multi, DEFAULT_MGMT => multi only */
	k->def = !!attrs[NL80211_ATTR_KEY_DEFAULT];
	k->defmgmt = !!attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
	if (k->def)
		k->def_uni = k->def_multi = true;
	if (k->defmgmt)
		k->def_multi = true;

	/* explicit default types win over the derived flags above */
	if (attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
		int err;

		err = nla_parse_nested_deprecated(kdt,
						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
						  attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
						  nl80211_key_default_policy,
						  info->extack);
		if (err)
			return err;

		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
	}

	return 0;
}
1033 
/*
 * Parse and sanity-check a key description from @info into @k.
 *
 * The nested NL80211_ATTR_KEY form is preferred, the legacy top-level
 * attributes are the fallback.  @k is fully reset first; idx and type
 * are preset to -1 meaning "not given".
 *
 * Checks enforced here (each failure records an extack message and
 * returns -EINVAL):
 *  - a key cannot be both default and default-management;
 *  - a default-management key must be multicast-only;
 *  - a given index must be 4..5 for management keys, 0..3 for default
 *    keys and 0..5 otherwise.
 * Cipher and key-length validation is not done here.
 *
 * Returns 0 on success, -EINVAL on a failed check, or the error of the
 * underlying parse.
 */
static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
{
	int err;

	memset(k, 0, sizeof(*k));
	k->idx = -1;
	k->type = -1;

	err = info->attrs[NL80211_ATTR_KEY] ?
		nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k) :
		nl80211_parse_key_old(info, k);
	if (err)
		return err;

	if (k->def && k->defmgmt) {
		GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
		return -EINVAL;
	}

	if (k->defmgmt && (k->def_uni || !k->def_multi)) {
		GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
		return -EINVAL;
	}

	/* no index given: nothing more to check */
	if (k->idx == -1)
		return 0;

	if (k->defmgmt) {
		if (k->idx >= 4 && k->idx <= 5)
			return 0;
		GENL_SET_ERR_MSG(info, "defmgmt key idx not 4 or 5");
		return -EINVAL;
	}

	if (k->def) {
		if (k->idx >= 0 && k->idx <= 3)
			return 0;
		GENL_SET_ERR_MSG(info, "def key idx not 0-3");
		return -EINVAL;
	}

	if (k->idx >= 0 && k->idx <= 5)
		return 0;
	GENL_SET_ERR_MSG(info, "key idx not 0-5");
	return -EINVAL;
}
1084 
/*
 * Build the cached WEP keys for a connect/join request from the
 * NL80211_ATTR_KEYS nest in @info.
 *
 * Every key must be a WEP40/WEP104 key with index 0..3 and exactly one of
 * them must be marked default (it becomes the TX key).  Key material is
 * copied into the returned object, so unlike struct key_parse it does not
 * alias the request message.  @no_ht, if given, is set when keys were
 * found (WEP and HT are mutually exclusive).
 *
 * Returns NULL when the nest holds no keys, an ERR_PTR() on allocation
 * failure or invalid input, else a kzalloc()ed object the caller owns.
 * NOTE(review): @keys is iterated without a NULL check — callers are
 * expected to have verified NL80211_ATTR_KEYS is present (not visible
 * here).
 */
static struct cfg80211_cached_keys *
nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
		       struct genl_info *info, bool *no_ht)
{
	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
	struct key_parse parse;
	struct nlattr *key;
	struct cfg80211_cached_keys *result;
	int rem, err, def = 0;
	bool have_key = false;

	/* first pass only establishes whether there is at least one key */
	nla_for_each_nested(key, keys, rem) {
		have_key = true;
		break;
	}

	if (!have_key)
		return NULL;

	result = kzalloc(sizeof(*result), GFP_KERNEL);
	if (!result)
		return ERR_PTR(-ENOMEM);

	/* -1 = no default key seen yet; checked after the loop */
	result->def = -1;

	nla_for_each_nested(key, keys, rem) {
		memset(&parse, 0, sizeof(parse));
		parse.idx = -1;

		err = nl80211_parse_key_new(info, key, &parse);
		if (err)
			goto error;
		/* every "goto error" below without its own err means -EINVAL */
		err = -EINVAL;
		if (!parse.p.key)
			goto error;
		/* bounds the params[]/data[] indexing further down */
		if (parse.idx < 0 || parse.idx > 3) {
			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
			goto error;
		}
		if (parse.def) {
			if (def) {
				GENL_SET_ERR_MSG(info,
						 "only one key can be default");
				goto error;
			}
			def = 1;
			result->def = parse.idx;
			/* a DEFAULT_TYPES nest may have cleared one of these */
			if (!parse.def_uni || !parse.def_multi)
				goto error;
		} else if (parse.defmgmt)
			goto error;
		/*
		 * Cipher/key-length validation; the memcpy() below relies on
		 * this having bounded key_len for the WEP ciphers accepted
		 * next (validate_key_settings is not visible here — confirm).
		 */
		err = cfg80211_validate_key_settings(rdev, &parse.p,
						     parse.idx, false, NULL);
		if (err)
			goto error;
		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
			GENL_SET_ERR_MSG(info, "connect key must be WEP");
			err = -EINVAL;
			goto error;
		}
		result->params[parse.idx].cipher = parse.p.cipher;
		result->params[parse.idx].key_len = parse.p.key_len;
		result->params[parse.idx].key = result->data[parse.idx];
		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);

		/* must be WEP key if we got here */
		if (no_ht)
			*no_ht = true;
	}

	if (result->def < 0) {
		err = -EINVAL;
		GENL_SET_ERR_MSG(info, "need a default/TX key");
		goto error;
	}

	return result;
 error:
	kfree(result);
	return ERR_PTR(err);
}
1167 
/*
 * Decide whether key operations are permitted on @wdev given its
 * interface type and state.  Must be called with the wdev lock held.
 *
 * Returns 0 when allowed, -ENOLINK for client-style interfaces that
 * have no current BSS, and -EINVAL for interface types that never
 * carry keys.  The switch has no default case, presumably so that a
 * newly added iftype is flagged by the compiler here.
 */
static int nl80211_key_allowed(struct wireless_dev *wdev)
{
	ASSERT_WDEV_LOCK(wdev);

	switch (wdev->iftype) {
	case NL80211_IFTYPE_UNSPECIFIED:
	case NL80211_IFTYPE_OCB:
	case NL80211_IFTYPE_MONITOR:
	case NL80211_IFTYPE_NAN:
	case NL80211_IFTYPE_P2P_DEVICE:
	case NL80211_IFTYPE_WDS:
	case NUM_NL80211_IFTYPES:
		/* no key material is meaningful on these */
		return -EINVAL;
	case NL80211_IFTYPE_ADHOC:
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
		/* client side: keys only once there is a BSS */
		return wdev->current_bss ? 0 : -ENOLINK;
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_P2P_GO:
	case NL80211_IFTYPE_MESH_POINT:
		return 0;
	}

	return 0;
}
1196 
/*
 * Resolve the u32 frequency attribute @tb to a usable channel of @wiphy.
 *
 * Returns NULL when @tb is absent, the frequency is unknown to @wiphy, or
 * the channel is disabled — so a NULL result always means "not a channel
 * this wiphy may use".
 */
static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
							struct nlattr *tb)
{
	struct ieee80211_channel *chan;

	if (!tb)
		return NULL;

	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
	if (!chan)
		return NULL;

	return (chan->flags & IEEE80211_CHAN_DISABLED) ? NULL : chan;
}
1209 
/*
 * Emit the interface-type bitmask @ifmodes as a nested attribute @attr
 * holding one flag attribute per set bit, the flag's type being the bit
 * position (presumably the nl80211_iftype value).
 *
 * Returns 0 on success, -ENOBUFS when @msg is full (the nest is left
 * open in that case).
 */
static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
{
	struct nlattr *nest = nla_nest_start_noflag(msg, attr);
	int iftype;

	if (!nest)
		return -ENOBUFS;

	/* walk the mask from bit 0 upwards until no bits remain */
	for (iftype = 0; ifmodes; ifmodes >>= 1, iftype++) {
		if (!(ifmodes & 1))
			continue;
		if (nla_put_flag(msg, iftype))
			return -ENOBUFS;
	}

	nla_nest_end(msg, nest);
	return 0;
}
1232 
/*
 * Advertise the interface combinations @wiphy supports as a
 * NL80211_ATTR_INTERFACE_COMBINATIONS nest: one nested entry per
 * combination (types 1..n), each with its per-type limits, channel
 * count, interface maximum and, for @large, the radar-detect
 * widths/regions.
 *
 * Returns 0 on success, -ENOBUFS when @msg is full; open nests are not
 * unwound, the caller is expected to cancel the message.
 */
static int nl80211_put_iface_combinations(struct wiphy *wiphy,
					  struct sk_buff *msg,
					  bool large)
{
	struct nlattr *nl_combis;
	int i, j;

	nl_combis = nla_nest_start_noflag(msg,
					  NL80211_ATTR_INTERFACE_COMBINATIONS);
	if (!nl_combis)
		goto nla_put_failure;

	for (i = 0; i < wiphy->n_iface_combinations; i++) {
		const struct ieee80211_iface_combination *c;
		struct nlattr *nl_combi, *nl_limits;

		c = &wiphy->iface_combinations[i];

		/* nest types are 1-based here (0 is not a valid type) */
		nl_combi = nla_nest_start_noflag(msg, i + 1);
		if (!nl_combi)
			goto nla_put_failure;

		nl_limits = nla_nest_start_noflag(msg,
						  NL80211_IFACE_COMB_LIMITS);
		if (!nl_limits)
			goto nla_put_failure;

		/* each limit: max count plus the iftype mask it applies to */
		for (j = 0; j < c->n_limits; j++) {
			struct nlattr *nl_limit;

			nl_limit = nla_nest_start_noflag(msg, j + 1);
			if (!nl_limit)
				goto nla_put_failure;
			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
					c->limits[j].max))
				goto nla_put_failure;
			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
						c->limits[j].types))
				goto nla_put_failure;
			nla_nest_end(msg, nl_limit);
		}

		nla_nest_end(msg, nl_limits);

		if (c->beacon_int_infra_match &&
		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
			goto nla_put_failure;
		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
				c->num_different_channels) ||
		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
				c->max_interfaces))
			goto nla_put_failure;
		/* radar-detect info is only understood by newer user space */
		if (large &&
		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
				c->radar_detect_widths) ||
		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
				c->radar_detect_regions)))
			goto nla_put_failure;
		/* optional: only sent when the driver set a non-zero gcd */
		if (c->beacon_int_min_gcd &&
		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
				c->beacon_int_min_gcd))
			goto nla_put_failure;

		nla_nest_end(msg, nl_combi);
	}

	nla_nest_end(msg, nl_combis);

	return 0;
nla_put_failure:
	return -ENOBUFS;
}
1305 
1306 #ifdef CONFIG_PM
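/*
 * Advertise the driver's TCP-wakeup (WoWLAN TCP connection) limits as a
 * nested NL80211_WOWLAN_TRIG_TCP_CONNECTION attribute.  Emits nothing
 * when the wiphy has no TCP wakeup support.
 *
 * The caller must have checked that rdev->wiphy.wowlan is non-NULL
 * (nl80211_send_wowlan() does); only ->tcp is checked here.
 *
 * Returns 0 on success or when unsupported, -ENOBUFS if @msg ran out of
 * room; the nest is then left open for the caller to cancel the message.
 *
 * NL80211_WOWLAN_TCP_DATA_PAYLOAD used to be emitted twice with the same
 * value; a single copy is sufficient, so the duplicate was dropped.
 */
static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
					struct sk_buff *msg)
{
	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
	struct nlattr *nl_tcp;

	if (!tcp)
		return 0;

	nl_tcp = nla_nest_start_noflag(msg,
				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
	if (!nl_tcp)
		return -ENOBUFS;

	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
			tcp->data_payload_max))
		return -ENOBUFS;

	/* optional flag, presumably "payload may carry a sequence counter" */
	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
		return -ENOBUFS;

	/* the token descriptor is copied verbatim as a binary attribute */
	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
				sizeof(*tcp->tok), tcp->tok))
		return -ENOBUFS;

	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
			tcp->data_interval_max))
		return -ENOBUFS;

	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
			tcp->wake_payload_max))
		return -ENOBUFS;

	nla_nest_end(msg, nl_tcp);
	return 0;
}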
1347 
/*
 * Advertise the wake-on-wireless triggers @rdev supports as a
 * NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED nest: the simple trigger flags,
 * the packet-pattern limits, the net-detect match-set limit and, for
 * @large, the TCP connection capabilities.  Emits nothing when the wiphy
 * has no WoWLAN support at all.
 *
 * Returns 0 on success or when unsupported, -ENOBUFS when @msg is full;
 * the open nest is left for the caller to cancel.
 */
static int nl80211_send_wowlan(struct sk_buff *msg,
			       struct cfg80211_registered_device *rdev,
			       bool large)
{
	struct nlattr *nl_wowlan;

	if (!rdev->wiphy.wowlan)
		return 0;

	nl_wowlan = nla_nest_start_noflag(msg,
					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
	if (!nl_wowlan)
		return -ENOBUFS;

	/* one flag attribute per supported trigger; order is the wire format */
	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
		return -ENOBUFS;

	if (rdev->wiphy.wowlan->n_patterns) {
		/*
		 * Sent as a raw struct; the designated initializer zeroes
		 * every member, so no uninitialized stack bytes are copied
		 * to user space.
		 */
		struct nl80211_pattern_support pat = {
			.max_patterns = rdev->wiphy.wowlan->n_patterns,
			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
		};

		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
			    sizeof(pat), &pat))
			return -ENOBUFS;
	}

	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
			rdev->wiphy.wowlan->max_nd_match_sets))
		return -ENOBUFS;

	/* TCP caps only for new user space; any helper error becomes -ENOBUFS */
	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
		return -ENOBUFS;

	nla_nest_end(msg, nl_wowlan);

	return 0;
}
1405 #endif
1406 
/*
 * Advertise the driver's packet-coalescing limits as one binary
 * NL80211_ATTR_COALESCE_RULE attribute.  Nothing is emitted when the
 * wiphy has no coalesce support.
 *
 * Returns 0 on success or when unsupported, -ENOBUFS when @msg is full.
 */
static int nl80211_send_coalesce(struct sk_buff *msg,
				 struct cfg80211_registered_device *rdev)
{
	struct nl80211_coalesce_rule_support rule;

	if (!rdev->wiphy.coalesce)
		return 0;

	/*
	 * Whole-struct initialization (as nl80211_send_wowlan() does for
	 * its pattern support) rather than member-by-member stores, so the
	 * object copied to user space is fully defined; the uapi struct is
	 * assumed to be all u32 with no padding — confirm if it changes.
	 */
	rule = (struct nl80211_coalesce_rule_support) {
		.max_rules = rdev->wiphy.coalesce->n_rules,
		.max_delay = rdev->wiphy.coalesce->max_delay,
		.pat = {
			.max_patterns = rdev->wiphy.coalesce->n_patterns,
			.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len,
			.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len,
			.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset,
		},
	};

	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
		return -ENOBUFS;

	return 0;
}
1427 
/*
 * Emit one per-iftype capability entry of a band: the iftype mask it
 * applies to and, when the entry has HE support, the HE MAC/PHY
 * capability bytes, the MCS/NSS set and the PPE thresholds.
 *
 * Returns 0 on success, -ENOBUFS when @msg is full.
 */
static int
nl80211_send_iftype_data(struct sk_buff *msg,
			 const struct ieee80211_sband_iftype_data *iftdata)
{
	const struct ieee80211_sta_he_cap *he = &iftdata->he_cap;

	/* any failure of the iftype helper is reported as -ENOBUFS */
	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
				iftdata->types_mask))
		return -ENOBUFS;

	if (!he->has_he)
		return 0;

	if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
		    sizeof(he->he_cap_elem.mac_cap_info),
		    he->he_cap_elem.mac_cap_info))
		return -ENOBUFS;
	if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
		    sizeof(he->he_cap_elem.phy_cap_info),
		    he->he_cap_elem.phy_cap_info))
		return -ENOBUFS;
	if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
		    sizeof(he->he_mcs_nss_supp), &he->he_mcs_nss_supp))
		return -ENOBUFS;
	if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
		    sizeof(he->ppe_thres), he->ppe_thres))
		return -ENOBUFS;

	return 0;
}
1455 
/*
 * Fill the per-band part of a wiphy dump for @sband: HT and VHT
 * capabilities when supported, the per-iftype capability entries, and
 * the bitrate list.
 *
 * Returns 0 on success, -ENOBUFS (or the helper's error) when @msg is
 * full; open nests are not unwound.
 */
static int nl80211_send_band_rateinfo(struct sk_buff *msg,
				      struct ieee80211_supported_band *sband)
{
	struct nlattr *nl_rates, *nl_rate;
	struct ieee80211_rate *rate;
	int i;

	/* add HT info */
	if (sband->ht_cap.ht_supported &&
	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
		     sizeof(sband->ht_cap.mcs),
		     &sband->ht_cap.mcs) ||
	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
			 sband->ht_cap.cap) ||
	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
			sband->ht_cap.ampdu_factor) ||
	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
			sband->ht_cap.ampdu_density)))
		return -ENOBUFS;

	/* add VHT info */
	if (sband->vht_cap.vht_supported &&
	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
		     sizeof(sband->vht_cap.vht_mcs),
		     &sband->vht_cap.vht_mcs) ||
	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
			 sband->vht_cap.cap)))
		return -ENOBUFS;

	if (sband->n_iftype_data) {
		struct nlattr *nl_iftype_data =
			nla_nest_start_noflag(msg,
					      NL80211_BAND_ATTR_IFTYPE_DATA);
		int err;

		if (!nl_iftype_data)
			return -ENOBUFS;

		/* entries are 1-based nests, unlike the 0-based rate nests */
		for (i = 0; i < sband->n_iftype_data; i++) {
			struct nlattr *iftdata;

			iftdata = nla_nest_start_noflag(msg, i + 1);
			if (!iftdata)
				return -ENOBUFS;

			err = nl80211_send_iftype_data(msg,
						       &sband->iftype_data[i]);
			if (err)
				return err;

			nla_nest_end(msg, iftdata);
		}

		nla_nest_end(msg, nl_iftype_data);
	}

	/* add bitrates */
	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
	if (!nl_rates)
		return -ENOBUFS;

	/* rate nests are 0-based; part of the existing wire format */
	for (i = 0; i < sband->n_bitrates; i++) {
		nl_rate = nla_nest_start_noflag(msg, i);
		if (!nl_rate)
			return -ENOBUFS;

		rate = &sband->bitrates[i];
		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
				rate->bitrate))
			return -ENOBUFS;
		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
		    nla_put_flag(msg,
				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
			return -ENOBUFS;

		nla_nest_end(msg, nl_rate);
	}

	nla_nest_end(msg, nl_rates);

	return 0;
}
1538 
/*
 * Emit one direction (TX when @tx, else RX) of the management-frame
 * subtype table as nest @attr: one nest per iftype (type = iftype value),
 * each holding a NL80211_ATTR_FRAME_TYPE u16 for every subtype bit set,
 * encoded as (subtype << 4) | IEEE80211_FTYPE_MGMT.
 *
 * Returns 0 on success, -ENOBUFS when @msg is full (nests left open).
 */
static int
nl80211_put_mgmt_stypes_dir(struct sk_buff *msg, int attr,
			    const struct ieee80211_txrx_stypes *mgmt_stypes,
			    bool tx)
{
	struct nlattr *nl_ifs = nla_nest_start_noflag(msg, attr);
	enum nl80211_iftype ift;

	if (!nl_ifs)
		return -ENOBUFS;

	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
		struct nlattr *nl_ftypes = nla_nest_start_noflag(msg, ift);
		u16 stypes = tx ? mgmt_stypes[ift].tx : mgmt_stypes[ift].rx;
		int stype;

		if (!nl_ftypes)
			return -ENOBUFS;

		for (stype = 0; stypes; stypes >>= 1, stype++) {
			if (!(stypes & 1))
				continue;
			if (nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
					(stype << 4) | IEEE80211_FTYPE_MGMT))
				return -ENOBUFS;
		}

		nla_nest_end(msg, nl_ftypes);
	}

	nla_nest_end(msg, nl_ifs);
	return 0;
}

/*
 * Advertise which management frame subtypes may be sent
 * (NL80211_ATTR_TX_FRAME_TYPES) and are reported on receive
 * (NL80211_ATTR_RX_FRAME_TYPES), per interface type.  Emits nothing when
 * the driver provides no table.
 *
 * Returns 0 on success or when there is no table, -ENOBUFS when @msg is
 * full.
 */
static int
nl80211_send_mgmt_stypes(struct sk_buff *msg,
			 const struct ieee80211_txrx_stypes *mgmt_stypes)
{
	int err;

	if (!mgmt_stypes)
		return 0;

	err = nl80211_put_mgmt_stypes_dir(msg, NL80211_ATTR_TX_FRAME_TYPES,
					  mgmt_stypes, true);
	if (err)
		return err;

	return nl80211_put_mgmt_stypes_dir(msg, NL80211_ATTR_RX_FRAME_TYPES,
					   mgmt_stypes, false);
}
1598 
/*
 * Advertise NL80211_CMD_<n> in the supported-commands list when the
 * driver implements the rdev->ops-><op> callback.  Relies on the
 * enclosing function providing @rdev, @msg, a running counter @i (used
 * as the attribute type of each entry) and an nla_put_failure label.
 * The do/while(0) wrapper makes it safe inside an unbraced if.
 */
#define CMD(op, n)							\
	 do {								\
		if (rdev->ops->op) {					\
			i++;						\
			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
				goto nla_put_failure;			\
		}							\
	} while (0)
1607 
/*
 * Emit the legacy (non-split) supported-commands list for @rdev into the
 * nest the caller has opened.  Each entry is a u32 attribute whose type
 * is a running 1-based counter and whose value is the NL80211_CMD_*.
 * Most entries come from the CMD() macro, which checks the matching
 * rdev->ops callback; a few depend on wiphy flags or on any of several
 * callbacks instead.
 *
 * Returns the number of entries written, or -ENOBUFS when @msg is full
 * (via the label the CMD() macro jumps to).
 */
static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
					struct sk_buff *msg)
{
	int i = 0;

	/*
	 * do *NOT* add anything into this function, new things need to be
	 * advertised only to new versions of userspace that can deal with
	 * the split (and they can't possibly care about new features...
	 */
	CMD(add_virtual_intf, NEW_INTERFACE);
	CMD(change_virtual_intf, SET_INTERFACE);
	CMD(add_key, NEW_KEY);
	CMD(start_ap, START_AP);
	CMD(add_station, NEW_STATION);
	CMD(add_mpath, NEW_MPATH);
	CMD(update_mesh_config, SET_MESH_CONFIG);
	CMD(change_bss, SET_BSS);
	CMD(auth, AUTHENTICATE);
	CMD(assoc, ASSOCIATE);
	CMD(deauth, DEAUTHENTICATE);
	CMD(disassoc, DISASSOCIATE);
	CMD(join_ibss, JOIN_IBSS);
	CMD(join_mesh, JOIN_MESH);
	CMD(set_pmksa, SET_PMKSA);
	CMD(del_pmksa, DEL_PMKSA);
	CMD(flush_pmksa, FLUSH_PMKSA);
	/* gated by a wiphy flag in addition to the callback */
	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
	CMD(mgmt_tx, FRAME);
	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
	/* no callback to test: depends on a wiphy flag only */
	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
		i++;
		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
			goto nla_put_failure;
	}
	/* SET_CHANNEL is possible with any of several callbacks */
	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
	    rdev->ops->join_mesh) {
		i++;
		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
			goto nla_put_failure;
	}
	CMD(set_wds_peer, SET_WDS_PEER);
	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
		CMD(tdls_mgmt, TDLS_MGMT);
		CMD(tdls_oper, TDLS_OPER);
	}
	if (rdev->wiphy.max_sched_scan_reqs)
		CMD(sched_scan_start, START_SCHED_SCAN);
	CMD(probe_client, PROBE_CLIENT);
	CMD(set_noack_map, SET_NOACK_MAP);
	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
		i++;
		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
			goto nla_put_failure;
	}
	CMD(start_p2p_device, START_P2P_DEVICE);
	CMD(set_mcast_rate, SET_MCAST_RATE);
#ifdef CONFIG_NL80211_TESTMODE
	CMD(testmode_cmd, TESTMODE);
#endif

	/* CONNECT is advertised if either the connect or the auth path exists */
	if (rdev->ops->connect || rdev->ops->auth) {
		i++;
		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
			goto nla_put_failure;
	}

	/* likewise DISCONNECT for disconnect or deauth */
	if (rdev->ops->disconnect || rdev->ops->deauth) {
		i++;
		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
			goto nla_put_failure;
	}

	return i;
 nla_put_failure:
	return -ENOBUFS;
}
1687 
/*
 * Emit the FTM (fine timing measurement) capability nest,
 * NL80211_PMSR_TYPE_FTM, from @cap.  Optional flags are only included
 * when set; a negative max_bursts_exponent and a zero max_ftms_per_burst
 * mean "not advertised".  Nothing is emitted if FTM is unsupported.
 *
 * Returns 0 on success or when unsupported, -ENOBUFS when @msg is full.
 */
static int
nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
			   struct sk_buff *msg)
{
	struct nlattr *ftm_nest;

	if (!cap->ftm.supported)
		return 0;

	ftm_nest = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
	if (!ftm_nest)
		return -ENOBUFS;

	/* short-circuit evaluation keeps the original attribute order */
	if ((cap->ftm.asap &&
	     nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP)) ||
	    (cap->ftm.non_asap &&
	     nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP)) ||
	    (cap->ftm.request_lci &&
	     nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI)) ||
	    (cap->ftm.request_civicloc &&
	     nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC)) ||
	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
			cap->ftm.preambles) ||
	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
			cap->ftm.bandwidths) ||
	    (cap->ftm.max_bursts_exponent >= 0 &&
	     nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
			 cap->ftm.max_bursts_exponent)) ||
	    (cap->ftm.max_ftms_per_burst &&
	     nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
			 cap->ftm.max_ftms_per_burst)))
		return -ENOBUFS;

	nla_nest_end(msg, ftm_nest);
	return 0;
}
1730 
/*
 * Advertise peer-measurement support: a NL80211_ATTR_PEER_MEASUREMENTS
 * nest with the peer limit, the AP-TSF and MAC-randomisation flags, and
 * a NL80211_PMSR_ATTR_TYPE_CAPA nest holding the per-type capabilities
 * (FTM only, as of this code).  Emits nothing when the wiphy declares no
 * pmsr capabilities.
 *
 * Returns 0 on success or when unsupported, -ENOBUFS when @msg is full.
 * Open nests are not cleaned up on failure; the caller genlmsg_cancel()s
 * the whole message.
 */
static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
				  struct sk_buff *msg)
{
	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
	struct nlattr *pmsr_nest, *capa_nest;

	if (!cap)
		return 0;

	pmsr_nest = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
	if (!pmsr_nest)
		return -ENOBUFS;

	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers) ||
	    (cap->report_ap_tsf &&
	     nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF)) ||
	    (cap->randomize_mac_addr &&
	     nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR)))
		return -ENOBUFS;

	capa_nest = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
	if (!capa_nest)
		return -ENOBUFS;

	/* any helper error is reported as -ENOBUFS */
	if (nl80211_send_pmsr_ftm_capa(cap, msg))
		return -ENOBUFS;

	nla_nest_end(msg, capa_nest);
	nla_nest_end(msg, pmsr_nest);
	return 0;
}
1772 
/*
 * Resume state for a (possibly split) wiphy dump; nl80211_send_wiphy()
 * reads split_start to pick up where the previous message stopped and
 * split to decide whether to stop after each section.  The remaining
 * members are presumably further resume cursors used by the dump code
 * that follows — confirm against that code.
 */
struct nl80211_dump_wiphy_state {
	s64 filter_wiphy;	/* restrict the dump to one wiphy index (presumably; <0 = none) */
	long start;
	long split_start, band_start, chan_start, capa_start;
	bool split;		/* emit one section per message instead of everything */
};
1779 
/*
 * Emit one @cmd message describing @rdev into @msg.
 *
 * For any command other than NL80211_CMD_NEW_WIPHY only the wiphy index,
 * name and list generation are included. For NEW_WIPHY the capability
 * dump follows, driven by @state as a resumable state machine:
 *
 *  - @state->split_start selects the switch case to start from. Each case
 *    emits its attributes, bumps split_start and, if @state->split is set,
 *    breaks so the caller can flush @msg and call again; otherwise it falls
 *    through into the next case. From case 8 on every case breaks
 *    unconditionally (see the comment in case 8), so an unsplit dump stops
 *    there and never grows beyond what old userspace can receive. Case 15
 *    resets split_start to 0 to signal completion.
 *  - @state->band_start / @state->chan_start let case 3 resume inside the
 *    per-band and per-channel loops; @state->capa_start does the same for
 *    the per-iftype extended capabilities in case 13.
 *
 * Callers loop while split_start stays non-zero (see nl80211_dump_wiphy()).
 *
 * Returns 0 on success (header finalised), -ENOBUFS if no header could be
 * placed, -EINVAL if @state is missing, or -EMSGSIZE if an attribute did
 * not fit, in which case the partial message is cancelled.
 */
static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
			      enum nl80211_commands cmd,
			      struct sk_buff *msg, u32 portid, u32 seq,
			      int flags, struct nl80211_dump_wiphy_state *state)
{
	void *hdr;
	struct nlattr *nl_bands, *nl_band;
	struct nlattr *nl_freqs, *nl_freq;
	struct nlattr *nl_cmds;
	enum nl80211_band band;
	struct ieee80211_channel *chan;
	int i;
	const struct ieee80211_txrx_stypes *mgmt_stypes =
				rdev->wiphy.mgmt_stypes;
	u32 features;

	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
	if (!hdr)
		return -ENOBUFS;

	/*
	 * NOTE(review): this check runs after nl80211hdr_put(), so on this
	 * (never expected) path the header is left in @msg without a
	 * genlmsg_cancel(); checking @state first would avoid that.
	 */
	if (WARN_ON(!state))
		return -EINVAL;

	/* these three attributes are sent for every command */
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
			   wiphy_name(&rdev->wiphy)) ||
	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
			cfg80211_rdev_list_generation))
		goto nla_put_failure;

	/* only a full NEW_WIPHY carries the capability dump below */
	if (cmd != NL80211_CMD_NEW_WIPHY)
		goto finish;

	switch (state->split_start) {
	case 0:
		/* basic retry/threshold/scan limits */
		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
			       rdev->wiphy.retry_short) ||
		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
			       rdev->wiphy.retry_long) ||
		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
				rdev->wiphy.frag_threshold) ||
		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
				rdev->wiphy.rts_threshold) ||
		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
			       rdev->wiphy.coverage_class) ||
		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
			       rdev->wiphy.max_scan_ssids) ||
		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
			       rdev->wiphy.max_sched_scan_ssids) ||
		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
				rdev->wiphy.max_scan_ie_len) ||
		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
				rdev->wiphy.max_sched_scan_ie_len) ||
		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
			       rdev->wiphy.max_match_sets) ||
		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
				rdev->wiphy.max_sched_scan_plans) ||
		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
				rdev->wiphy.max_sched_scan_plan_interval) ||
		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
				rdev->wiphy.max_sched_scan_plan_iterations))
			goto nla_put_failure;

		/* feature flags that map 1:1 to a flag attribute */
		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
			goto nla_put_failure;
		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
			goto nla_put_failure;
		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
			goto nla_put_failure;
		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
			goto nla_put_failure;
		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
			goto nla_put_failure;
		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
			goto nla_put_failure;
		state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 1:
		/* cipher suites are sent as a raw array of u32 suite selectors */
		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
			    rdev->wiphy.cipher_suites))
			goto nla_put_failure;

		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
			       rdev->wiphy.max_num_pmkids))
			goto nla_put_failure;

		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
			goto nla_put_failure;

		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
				rdev->wiphy.available_antennas_tx) ||
		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
				rdev->wiphy.available_antennas_rx))
			goto nla_put_failure;

		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
				rdev->wiphy.probe_resp_offload))
			goto nla_put_failure;

		/*
		 * The currently configured antenna masks are only queried
		 * from the driver when it has antennas and a get_antenna op;
		 * a driver error simply omits the attributes.
		 */
		if ((rdev->wiphy.available_antennas_tx ||
		     rdev->wiphy.available_antennas_rx) &&
		    rdev->ops->get_antenna) {
			u32 tx_ant = 0, rx_ant = 0;
			int res;

			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
			if (!res) {
				if (nla_put_u32(msg,
						NL80211_ATTR_WIPHY_ANTENNA_TX,
						tx_ant) ||
				    nla_put_u32(msg,
						NL80211_ATTR_WIPHY_ANTENNA_RX,
						rx_ant))
					goto nla_put_failure;
			}
		}

		state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 2:
		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
					rdev->wiphy.interface_modes))
				goto nla_put_failure;
		state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 3:
		/*
		 * Bands and channels. In split mode at most one band (and
		 * within it at most one channel) is sent per round, so the
		 * loops resume from band_start / chan_start.
		 */
		nl_bands = nla_nest_start_noflag(msg,
						 NL80211_ATTR_WIPHY_BANDS);
		if (!nl_bands)
			goto nla_put_failure;

		for (band = state->band_start;
		     band < NUM_NL80211_BANDS; band++) {
			struct ieee80211_supported_band *sband;

			sband = rdev->wiphy.bands[band];

			if (!sband)
				continue;

			nl_band = nla_nest_start_noflag(msg, band);
			if (!nl_band)
				goto nla_put_failure;

			/*
			 * chan_start encodes the resume point: 0 = rate info
			 * not yet sent, k + 1 = continue at channel index k.
			 */
			switch (state->chan_start) {
			case 0:
				if (nl80211_send_band_rateinfo(msg, sband))
					goto nla_put_failure;
				state->chan_start++;
				if (state->split)
					break;
				/* fall through */
			default:
				/* add frequencies */
				nl_freqs = nla_nest_start_noflag(msg,
								 NL80211_BAND_ATTR_FREQS);
				if (!nl_freqs)
					goto nla_put_failure;

				for (i = state->chan_start - 1;
				     i < sband->n_channels;
				     i++) {
					nl_freq = nla_nest_start_noflag(msg,
									i);
					if (!nl_freq)
						goto nla_put_failure;

					chan = &sband->channels[i];

					if (nl80211_msg_put_channel(
							msg, &rdev->wiphy, chan,
							state->split))
						goto nla_put_failure;

					nla_nest_end(msg, nl_freq);
					if (state->split)
						break;
				}
				/* stopped early: resume at channel i + 1 next round */
				if (i < sband->n_channels)
					state->chan_start = i + 2;
				else
					state->chan_start = 0;
				nla_nest_end(msg, nl_freqs);
			}

			nla_nest_end(msg, nl_band);

			if (state->split) {
				/* start again here */
				/* this band still has channels left, so redo it */
				if (state->chan_start)
					band--;
				break;
			}
		}
		nla_nest_end(msg, nl_bands);

		if (band < NUM_NL80211_BANDS)
			state->band_start = band + 1;
		else
			state->band_start = 0;

		/* if bands & channels are done, continue outside */
		if (state->band_start == 0 && state->chan_start == 0)
			state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 4:
		nl_cmds = nla_nest_start_noflag(msg,
						NL80211_ATTR_SUPPORTED_COMMANDS);
		if (!nl_cmds)
			goto nla_put_failure;

		i = nl80211_add_commands_unsplit(rdev, msg);
		if (i < 0)
			goto nla_put_failure;
		/*
		 * Commands below are only advertised to split-aware
		 * userspace. CMD() comes from earlier in this file and is
		 * #undef'd right after its last use.
		 */
		if (state->split) {
			CMD(crit_proto_start, CRIT_PROTOCOL_START);
			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
				CMD(channel_switch, CHANNEL_SWITCH);
			CMD(set_qos_map, SET_QOS_MAP);
			if (rdev->wiphy.features &
					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
				CMD(add_tx_ts, ADD_TX_TS);
			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
		}
#undef CMD

		nla_nest_end(msg, nl_cmds);
		state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 5:
		if (rdev->ops->remain_on_channel &&
		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
		    nla_put_u32(msg,
				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
				rdev->wiphy.max_remain_on_channel_duration))
			goto nla_put_failure;

		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
			goto nla_put_failure;

		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
			goto nla_put_failure;
		state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 6:
		/* WoWLAN data only exists with CONFIG_PM; keep the numbering */
#ifdef CONFIG_PM
		if (nl80211_send_wowlan(msg, rdev, state->split))
			goto nla_put_failure;
		state->split_start++;
		if (state->split)
			break;
#else
		state->split_start++;
#endif
		/* fall through */
	case 7:
		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
					rdev->wiphy.software_iftypes))
			goto nla_put_failure;

		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
						   state->split))
			goto nla_put_failure;

		state->split_start++;
		if (state->split)
			break;
		/* fall through */
	case 8:
		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
				rdev->wiphy.ap_sme_capa))
			goto nla_put_failure;

		features = rdev->wiphy.features;
		/*
		 * We can only add the per-channel limit information if the
		 * dump is split, otherwise it makes it too big. Therefore
		 * only advertise it in that case.
		 */
		if (state->split)
			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
			goto nla_put_failure;

		if (rdev->wiphy.ht_capa_mod_mask &&
		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
			    rdev->wiphy.ht_capa_mod_mask))
			goto nla_put_failure;

		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
		    rdev->wiphy.max_acl_mac_addrs &&
		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
				rdev->wiphy.max_acl_mac_addrs))
			goto nla_put_failure;

		/*
		 * Any information below this point is only available to
		 * applications that can deal with it being split. This
		 * helps ensure that newly added capabilities don't break
		 * older tools by overrunning their buffers.
		 *
		 * We still increment split_start so that in the split
		 * case we'll continue with more data in the next round,
		 * but break unconditionally so unsplit data stops here.
		 */
		state->split_start++;
		break;
	case 9:
		/* EXT_CAPA and its mask share extended_capabilities_len */
		if (rdev->wiphy.extended_capabilities &&
		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
			     rdev->wiphy.extended_capabilities_len,
			     rdev->wiphy.extended_capabilities) ||
		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
			     rdev->wiphy.extended_capabilities_len,
			     rdev->wiphy.extended_capabilities_mask)))
			goto nla_put_failure;

		if (rdev->wiphy.vht_capa_mod_mask &&
		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
			    rdev->wiphy.vht_capa_mod_mask))
			goto nla_put_failure;

		state->split_start++;
		break;
	case 10:
		if (nl80211_send_coalesce(msg, rdev))
			goto nla_put_failure;

		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
			goto nla_put_failure;

		if (rdev->wiphy.max_ap_assoc_sta &&
		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
				rdev->wiphy.max_ap_assoc_sta))
			goto nla_put_failure;

		state->split_start++;
		break;
	case 11:
		/*
		 * Vendor commands/events: one nested entry each, numbered
		 * from 1 since attribute type 0 is reserved.
		 */
		if (rdev->wiphy.n_vendor_commands) {
			const struct nl80211_vendor_cmd_info *info;
			struct nlattr *nested;

			nested = nla_nest_start_noflag(msg,
						       NL80211_ATTR_VENDOR_DATA);
			if (!nested)
				goto nla_put_failure;

			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
				info = &rdev->wiphy.vendor_commands[i].info;
				if (nla_put(msg, i + 1, sizeof(*info), info))
					goto nla_put_failure;
			}
			nla_nest_end(msg, nested);
		}

		if (rdev->wiphy.n_vendor_events) {
			const struct nl80211_vendor_cmd_info *info;
			struct nlattr *nested;

			nested = nla_nest_start_noflag(msg,
						       NL80211_ATTR_VENDOR_EVENTS);
			if (!nested)
				goto nla_put_failure;

			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
				info = &rdev->wiphy.vendor_events[i];
				if (nla_put(msg, i + 1, sizeof(*info), info))
					goto nla_put_failure;
			}
			nla_nest_end(msg, nested);
		}
		state->split_start++;
		break;
	case 12:
		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
			       rdev->wiphy.max_num_csa_counters))
			goto nla_put_failure;

		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
			goto nla_put_failure;

		if (rdev->wiphy.max_sched_scan_reqs &&
		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
				rdev->wiphy.max_sched_scan_reqs))
			goto nla_put_failure;

		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
			    sizeof(rdev->wiphy.ext_features),
			    rdev->wiphy.ext_features))
			goto nla_put_failure;

		/* each set bit of bss_select_support becomes a flag attr */
		if (rdev->wiphy.bss_select_support) {
			struct nlattr *nested;
			u32 bss_select_support = rdev->wiphy.bss_select_support;

			nested = nla_nest_start_noflag(msg,
						       NL80211_ATTR_BSS_SELECT);
			if (!nested)
				goto nla_put_failure;

			i = 0;
			while (bss_select_support) {
				if ((bss_select_support & 1) &&
				    nla_put_flag(msg, i))
					goto nla_put_failure;
				i++;
				bss_select_support >>= 1;
			}
			nla_nest_end(msg, nested);
		}

		state->split_start++;
		break;
	case 13:
		/*
		 * Per-iftype extended capabilities; in split mode one entry
		 * per round, resuming from capa_start without advancing
		 * split_start until all entries are out.
		 */
		if (rdev->wiphy.num_iftype_ext_capab &&
		    rdev->wiphy.iftype_ext_capab) {
			struct nlattr *nested_ext_capab, *nested;

			nested = nla_nest_start_noflag(msg,
						       NL80211_ATTR_IFTYPE_EXT_CAPA);
			if (!nested)
				goto nla_put_failure;

			for (i = state->capa_start;
			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
				const struct wiphy_iftype_ext_capab *capab;

				capab = &rdev->wiphy.iftype_ext_capab[i];

				nested_ext_capab = nla_nest_start_noflag(msg,
									 i);
				if (!nested_ext_capab ||
				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
						capab->iftype) ||
				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
					    capab->extended_capabilities_len,
					    capab->extended_capabilities) ||
				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
					    capab->extended_capabilities_len,
					    capab->extended_capabilities_mask))
					goto nla_put_failure;

				nla_nest_end(msg, nested_ext_capab);
				if (state->split)
					break;
			}
			nla_nest_end(msg, nested);
			/* entries remain: come back here next round */
			if (i < rdev->wiphy.num_iftype_ext_capab) {
				state->capa_start = i + 1;
				break;
			}
		}

		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
				rdev->wiphy.nan_supported_bands))
			goto nla_put_failure;

		/* TXQ stats are best-effort: a driver error just omits them */
		if (wiphy_ext_feature_isset(&rdev->wiphy,
					    NL80211_EXT_FEATURE_TXQS)) {
			struct cfg80211_txq_stats txqstats = {};
			int res;

			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
			if (!res &&
			    !nl80211_put_txq_stats(msg, &txqstats,
						   NL80211_ATTR_TXQ_STATS))
				goto nla_put_failure;

			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
					rdev->wiphy.txq_limit))
				goto nla_put_failure;
			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
					rdev->wiphy.txq_memory_limit))
				goto nla_put_failure;
			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
					rdev->wiphy.txq_quantum))
				goto nla_put_failure;
		}

		state->split_start++;
		break;
	case 14:
		if (nl80211_send_pmsr_capa(rdev, msg))
			goto nla_put_failure;

		state->split_start++;
		break;
	case 15:
		if (rdev->wiphy.akm_suites &&
		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
			    sizeof(u32) * rdev->wiphy.n_akm_suites,
			    rdev->wiphy.akm_suites))
			goto nla_put_failure;

		/* done */
		state->split_start = 0;
		break;
	}
 finish:
	genlmsg_end(msg, hdr);
	return 0;

 nla_put_failure:
	/* drop everything placed since the header; caller may retry */
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
2318 
/*
 * Pull the optional filter attributes out of a GET_WIPHY dump request.
 *
 * Sets @state->split from NL80211_ATTR_SPLIT_WIPHY_DUMP and
 * @state->filter_wiphy from NL80211_ATTR_WIPHY, NL80211_ATTR_WDEV or
 * NL80211_ATTR_IFINDEX, later attributes overriding earlier ones. A
 * request whose attributes fail to parse is treated as an unfiltered
 * dump rather than rejected, so older userspace keeps working.
 *
 * Returns 0, or -ENODEV if the given ifindex names no netdev in the
 * requester's network namespace.
 */
static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
				    struct netlink_callback *cb,
				    struct nl80211_dump_wiphy_state *state)
{
	struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
	int hdrlen = GENL_HDRLEN + nl80211_fam.hdrsize;

	/* ignore parse errors for backward compatibility */
	if (nlmsg_parse_deprecated(cb->nlh, hdrlen, tb, nl80211_fam.maxattr,
				   nl80211_policy, NULL))
		return 0;

	state->split = !!tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];

	if (tb[NL80211_ATTR_WIPHY])
		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);

	/* the upper 32 bits of a wdev id are its wiphy index */
	if (tb[NL80211_ATTR_WDEV])
		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;

	if (tb[NL80211_ATTR_IFINDEX]) {
		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
		struct net_device *netdev =
			__dev_get_by_index(sock_net(skb->sk), ifidx);

		if (!netdev)
			return -ENODEV;
		/* a non-wireless netdev leaves the filter untouched */
		if (netdev->ieee80211_ptr) {
			struct cfg80211_registered_device *rdev =
				wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);

			state->filter_wiphy = rdev->wiphy_idx;
		}
	}

	return 0;
}
2354 
/*
 * Dump callback for GET_WIPHY: emit the data of at most one wiphy per
 * invocation, possibly in several chunks, and remember where to continue.
 *
 * Per-dump state is a struct nl80211_dump_wiphy_state allocated on the
 * first call and kept in cb->args[0]; nl80211_dump_wiphy_done() frees it.
 * The first call also reads the request's filter attributes through
 * nl80211_dump_wiphy_parse(); filter_wiphy == -1 means "no filter".
 *
 * The rdev list is walked under the RTNL. Devices in another network
 * namespace, the first @state->start devices (already reported) and
 * devices not matching the filter are skipped. For the selected device
 * nl80211_send_wiphy() is called repeatedly while @state->split_start
 * stays non-zero, i.e. until its split dump is complete.
 *
 * Returns skb->len (0 ends the dump), 1 with an empty skb to ask for a
 * retry with a larger allocation, or a negative error.
 */
static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
{
	int idx = 0, ret;
	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
	struct cfg80211_registered_device *rdev;

	rtnl_lock();
	if (!state) {
		/* first call of this dump: allocate state, parse filters */
		state = kzalloc(sizeof(*state), GFP_KERNEL);
		if (!state) {
			rtnl_unlock();
			return -ENOMEM;
		}
		/* no filter unless the request sets one */
		state->filter_wiphy = -1;
		ret = nl80211_dump_wiphy_parse(skb, cb, state);
		if (ret) {
			kfree(state);
			rtnl_unlock();
			return ret;
		}
		cb->args[0] = (long)state;
	}

	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
			continue;
		if (++idx <= state->start)
			continue;
		if (state->filter_wiphy != -1 &&
		    state->filter_wiphy != rdev->wiphy_idx)
			continue;
		/* attempt to fit multiple wiphy data chunks into the skb */
		do {
			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
						 skb,
						 NETLINK_CB(cb->skb).portid,
						 cb->nlh->nlmsg_seq,
						 NLM_F_MULTI, state);
			if (ret < 0) {
				/*
				 * If sending the wiphy data didn't fit (ENOBUFS
				 * or EMSGSIZE returned), this SKB is still
				 * empty (so it's not too big because another
				 * wiphy dataset is already in the skb) and
				 * we've not tried to adjust the dump allocation
				 * yet ... then adjust the alloc size to be
				 * bigger, and return 1 but with the empty skb.
				 * This results in an empty message being RX'ed
				 * in userspace, but that is ignored.
				 *
				 * We can then retry with the larger buffer.
				 */
				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
				    !skb->len && !state->split &&
				    cb->min_dump_alloc < 4096) {
					cb->min_dump_alloc = 4096;
					state->split_start = 0;
					rtnl_unlock();
					return 1;
				}
				/*
				 * Didn't fit next to earlier data: back up so
				 * this wiphy is retried on the next call.
				 */
				idx--;
				break;
			}
		} while (state->split_start > 0);
		/* one wiphy per call; the next call resumes at state->start */
		break;
	}
	rtnl_unlock();

	state->start = idx;

	return skb->len;
}
2427 
/*
 * Dump completion callback: release the per-dump state that
 * nl80211_dump_wiphy() stores in cb->args[0] (kfree of a NULL pointer
 * is a no-op, so an aborted dump without state is fine too).
 */
static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
{
	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];

	kfree(state);
	return 0;
}
2433 
/*
 * Non-dump GET_WIPHY: reply with a single NEW_WIPHY message for the wiphy
 * the caller resolved into info->user_ptr[0].
 *
 * A zeroed dump state means "not split", so only the unsplit part of the
 * capability data (see nl80211_send_wiphy()) is included, built into a
 * fresh 4096-byte message.
 *
 * Returns -ENOMEM if no message could be allocated, -ENOBUFS if the data
 * did not fit, otherwise the result of genlmsg_reply().
 */
static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct nl80211_dump_wiphy_state state = {};
	struct sk_buff *msg = nlmsg_new(4096, GFP_KERNEL);
	int err;

	if (!msg)
		return -ENOMEM;

	err = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
				 info->snd_portid, info->snd_seq, 0, &state);
	if (err < 0) {
		nlmsg_free(msg);
		return -ENOBUFS;
	}

	return genlmsg_reply(msg, info);
}
2453 
/*
 * Validation policy for each nested entry of NL80211_ATTR_WIPHY_TXQ_PARAMS
 * (applied by nla_parse_nested_deprecated() in nl80211_set_wiphy()
 * before parse_txq_params() reads the values). Only the widths are
 * enforced here; presence of every attribute and the AC range are checked
 * in parse_txq_params().
 * NOTE(review): parse_txq_params() reads NL80211_TXQ_ATTR_AC, which is
 * presumably the same attribute as NL80211_TXQ_ATTR_QUEUE below — confirm
 * against nl80211.h.
 */
static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
};
2461 
/*
 * Decode one nested NL80211_ATTR_WIPHY_TXQ_PARAMS entry into @txq_params.
 *
 * All five attributes are mandatory. The access category comes straight
 * from userspace and is used as an array index by the driver, so it is
 * range-checked against NL80211_NUM_ACS and passed through
 * array_index_nospec() so that an out-of-range value cannot be used even
 * under speculative execution.
 *
 * Returns 0 on success, -EINVAL if an attribute is missing or the AC is
 * out of range. The txop/cw/aifs fields of @txq_params are already
 * written when -EINVAL is returned for a bad AC.
 */
static int parse_txq_params(struct nlattr *tb[],
			    struct ieee80211_txq_params *txq_params)
{
	static const int required[] = {
		NL80211_TXQ_ATTR_AC,
		NL80211_TXQ_ATTR_TXOP,
		NL80211_TXQ_ATTR_CWMIN,
		NL80211_TXQ_ATTR_CWMAX,
		NL80211_TXQ_ATTR_AIFS,
	};
	unsigned int n;
	u8 ac;

	for (n = 0; n < sizeof(required) / sizeof(required[0]); n++) {
		if (!tb[required[n]])
			return -EINVAL;
	}

	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);

	/* bounds check, then clamp the index for speculation too */
	if (ac >= NL80211_NUM_ACS)
		return -EINVAL;
	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);

	return 0;
}
2483 
/*
 * Tell whether an explicit SET_CHANNEL is accepted for @wdev.
 *
 * A NULL @wdev is a wiphy-level request and is always accepted. Otherwise
 * only interface types whose channel is not tied to an "establish a
 * connection" command qualify: AP/P2P GO and mesh point (the channel is
 * stored and handed to the driver when the AP starts or the mesh is
 * joined, kept for userspace that does not pass it in start-ap /
 * join-mesh) and monitor (which has its own channel-set operation).
 * Everything else gets its channel from connect/join and is refused.
 */
static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
{
	if (!wdev)
		return true;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_MESH_POINT:
	case NL80211_IFTYPE_MONITOR:
	case NL80211_IFTYPE_P2P_GO:
		return true;
	default:
		return false;
	}
}
2507 
/*
 * Apply a legacy NL80211_ATTR_WIPHY_CHANNEL_TYPE to @chandef, whose
 * control channel must already be set. The derived center frequencies
 * are cross-checked against any NL80211_ATTR_CENTER_FREQ1/2 the request
 * also carries, so userspace cannot smuggle in an inconsistent pair.
 *
 * Returns 0, or -EINVAL with an extack message naming the bad attribute.
 */
static int nl80211_apply_chantype(struct cfg80211_chan_def *chandef,
				  struct nlattr **attrs,
				  struct netlink_ext_ack *extack)
{
	enum nl80211_channel_type chantype =
		nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);

	switch (chantype) {
	case NL80211_CHAN_NO_HT:
	case NL80211_CHAN_HT20:
	case NL80211_CHAN_HT40PLUS:
	case NL80211_CHAN_HT40MINUS:
		break;
	default:
		NL_SET_ERR_MSG_ATTR(extack,
				    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
				    "invalid channel type");
		return -EINVAL;
	}

	cfg80211_chandef_create(chandef, chandef->chan, chantype);

	/* user input for center_freq is incorrect */
	if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
	    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]) !=
	    chandef->center_freq1) {
		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_CENTER_FREQ1],
				    "bad center frequency 1");
		return -EINVAL;
	}

	/* center_freq2 must be zero */
	if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
	    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_CENTER_FREQ2],
				    "center frequency 2 can't be used");
		return -EINVAL;
	}

	return 0;
}

/*
 * Build and validate a channel definition from the request in @info.
 *
 * NL80211_ATTR_WIPHY_FREQ is mandatory and selects the control channel;
 * the definition starts as 20 MHz non-HT on that channel. It is then
 * refined either by the legacy NL80211_ATTR_WIPHY_CHANNEL_TYPE or by
 * NL80211_ATTR_CHANNEL_WIDTH plus NL80211_ATTR_CENTER_FREQ1/2 (channel
 * type wins if both are given). All of these are untrusted, so the
 * result must pass cfg80211_chandef_valid(), be usable with no disabled
 * channel inside it, and 5/10 MHz widths need WIPHY_FLAG_SUPPORTS_5_10_MHZ.
 *
 * Returns 0 with @chandef filled in, or -EINVAL (with an extack message
 * where one is available).
 */
int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
			  struct genl_info *info,
			  struct cfg80211_chan_def *chandef)
{
	struct netlink_ext_ack *extack = info->extack;
	struct nlattr **attrs = info->attrs;
	u32 control_freq;
	int err;

	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
		return -EINVAL;

	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);

	/* start from a plain 20 MHz non-HT definition on the control channel */
	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
	chandef->center_freq1 = control_freq;
	chandef->center_freq2 = 0;

	/* Primary channel not allowed */
	if (!chandef->chan ||
	    (chandef->chan->flags & IEEE80211_CHAN_DISABLED)) {
		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
				    "Channel is disabled");
		return -EINVAL;
	}

	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
		err = nl80211_apply_chantype(chandef, attrs, extack);
		if (err)
			return err;
	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
		if (attrs[NL80211_ATTR_CENTER_FREQ1])
			chandef->center_freq1 =
				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
		if (attrs[NL80211_ATTR_CENTER_FREQ2])
			chandef->center_freq2 =
				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
	}

	/* the width/center values above are unchecked until here */
	if (!cfg80211_chandef_valid(chandef)) {
		NL_SET_ERR_MSG(extack, "invalid channel definition");
		return -EINVAL;
	}

	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
				     IEEE80211_CHAN_DISABLED)) {
		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
		return -EINVAL;
	}

	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
	     chandef->width == NL80211_CHAN_WIDTH_10) &&
	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
		return -EINVAL;
	}

	return 0;
}
2599 
/*
 * Apply the channel definition carried in @info's attributes to @dev, or
 * to the wiphy's monitor channel when @dev is NULL.
 *
 * The definition is parsed and validated by nl80211_parse_chandef() first.
 * Then, by interface type:
 *  - AP / P2P GO: cfg80211_reg_can_beacon_relax() must accept the chandef.
 *    If the AP is already beaconing, only a width change on the same
 *    control channel is allowed, and only when the driver has
 *    set_ap_chanwidth and advertises AP_MODE_CHAN_WIDTH_CHANGE; otherwise
 *    the chandef is just stored as the preset used when the AP starts.
 *  - mesh point / monitor: handed to the respective cfg80211 helper.
 *
 * Returns 0 on success, -EOPNOTSUPP if the interface type does not allow
 * an explicit channel, -EBUSY when a running AP cannot change, -EINVAL
 * for a rejected chandef or unexpected iftype, or the helper's error.
 */
static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
				 struct net_device *dev,
				 struct genl_info *info)
{
	struct cfg80211_chan_def chandef;
	int result;
	/* a wiphy-level request (no netdev) is handled as a monitor channel */
	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
	struct wireless_dev *wdev = NULL;

	if (dev)
		wdev = dev->ieee80211_ptr;
	if (!nl80211_can_set_dev_channel(wdev))
		return -EOPNOTSUPP;
	if (wdev)
		iftype = wdev->iftype;

	result = nl80211_parse_chandef(rdev, info, &chandef);
	if (result)
		return result;

	switch (iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_P2P_GO:
		/* only reachable with a wdev: iftype was read from it */
		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
						   iftype)) {
			result = -EINVAL;
			break;
		}
		/* a non-zero beacon interval means the AP is running */
		if (wdev->beacon_interval) {
			if (!dev || !rdev->ops->set_ap_chanwidth ||
			    !(rdev->wiphy.features &
			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
				result = -EBUSY;
				break;
			}

			/* Only allow dynamic channel width changes */
			if (chandef.chan != wdev->preset_chandef.chan) {
				result = -EBUSY;
				break;
			}
			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
			if (result)
				break;
		}
		/* remembered until the AP starts (or for the next width change) */
		wdev->preset_chandef = chandef;
		result = 0;
		break;
	case NL80211_IFTYPE_MESH_POINT:
		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
		break;
	case NL80211_IFTYPE_MONITOR:
		result = cfg80211_set_monitor_channel(rdev, &chandef);
		break;
	default:
		result = -EINVAL;
	}

	return result;
}
2660 
/*
 * SET_CHANNEL handler. The wiphy and the (possibly NULL) netdev have
 * already been placed in info->user_ptr[0] / [1] by the caller; all the
 * work happens in __nl80211_set_channel().
 */
static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
{
	return __nl80211_set_channel(info->user_ptr[0], info->user_ptr[1],
				     info);
}
2668 
/*
 * SET_WDS_PEER handler: hand the peer address from NL80211_ATTR_MAC to
 * the driver for the WDS interface in info->user_ptr[1].
 *
 * Returns -EINVAL without a MAC attribute, -EBUSY while the interface is
 * up, -EOPNOTSUPP if the driver has no set_wds_peer op or the interface
 * is not of WDS type, otherwise the driver's result.
 */
static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mac = info->attrs[NL80211_ATTR_MAC];

	if (!mac)
		return -EINVAL;

	/* the peer may only be changed while the interface is down */
	if (netif_running(dev))
		return -EBUSY;

	/* both checks report the same error, so fold them together */
	if (!rdev->ops->set_wds_peer ||
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_WDS)
		return -EOPNOTSUPP;

	return rdev_set_wds_peer(rdev, dev, nla_data(mac));
}
2691 
2692 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2693 {
2694 	struct cfg80211_registered_device *rdev;
2695 	struct net_device *netdev = NULL;
2696 	struct wireless_dev *wdev;
2697 	int result = 0, rem_txq_params = 0;
2698 	struct nlattr *nl_txq_params;
2699 	u32 changed;
2700 	u8 retry_short = 0, retry_long = 0;
2701 	u32 frag_threshold = 0, rts_threshold = 0;
2702 	u8 coverage_class = 0;
2703 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2704 
2705 	ASSERT_RTNL();
2706 
2707 	/*
2708 	 * Try to find the wiphy and netdev. Normally this
2709 	 * function shouldn't need the netdev, but this is
2710 	 * done for backward compatibility -- previously
2711 	 * setting the channel was done per wiphy, but now
2712 	 * it is per netdev. Previous userland like hostapd
2713 	 * also passed a netdev to set_wiphy, so that it is
2714 	 * possible to let that go to the right netdev!
2715 	 */
2716 
2717 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2718 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2719 
2720 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2721 		if (netdev && netdev->ieee80211_ptr)
2722 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2723 		else
2724 			netdev = NULL;
2725 	}
2726 
2727 	if (!netdev) {
2728 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2729 						  info->attrs);
2730 		if (IS_ERR(rdev))
2731 			return PTR_ERR(rdev);
2732 		wdev = NULL;
2733 		netdev = NULL;
2734 		result = 0;
2735 	} else
2736 		wdev = netdev->ieee80211_ptr;
2737 
2738 	/*
2739 	 * end workaround code, by now the rdev is available
2740 	 * and locked, and wdev may or may not be NULL.
2741 	 */
2742 
2743 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2744 		result = cfg80211_dev_rename(
2745 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2746 
2747 	if (result)
2748 		return result;
2749 
2750 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2751 		struct ieee80211_txq_params txq_params;
2752 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2753 
2754 		if (!rdev->ops->set_txq_params)
2755 			return -EOPNOTSUPP;
2756 
2757 		if (!netdev)
2758 			return -EINVAL;
2759 
2760 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2761 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2762 			return -EINVAL;
2763 
2764 		if (!netif_running(netdev))
2765 			return -ENETDOWN;
2766 
2767 		nla_for_each_nested(nl_txq_params,
2768 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2769 				    rem_txq_params) {
2770 			result = nla_parse_nested_deprecated(tb,
2771 							     NL80211_TXQ_ATTR_MAX,
2772 							     nl_txq_params,
2773 							     txq_params_policy,
2774 							     info->extack);
2775 			if (result)
2776 				return result;
2777 			result = parse_txq_params(tb, &txq_params);
2778 			if (result)
2779 				return result;
2780 
2781 			result = rdev_set_txq_params(rdev, netdev,
2782 						     &txq_params);
2783 			if (result)
2784 				return result;
2785 		}
2786 	}
2787 
2788 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2789 		result = __nl80211_set_channel(
2790 			rdev,
2791 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2792 			info);
2793 		if (result)
2794 			return result;
2795 	}
2796 
2797 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2798 		struct wireless_dev *txp_wdev = wdev;
2799 		enum nl80211_tx_power_setting type;
2800 		int idx, mbm = 0;
2801 
2802 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2803 			txp_wdev = NULL;
2804 
2805 		if (!rdev->ops->set_tx_power)
2806 			return -EOPNOTSUPP;
2807 
2808 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2809 		type = nla_get_u32(info->attrs[idx]);
2810 
2811 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2812 		    (type != NL80211_TX_POWER_AUTOMATIC))
2813 			return -EINVAL;
2814 
2815 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2816 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2817 			mbm = nla_get_u32(info->attrs[idx]);
2818 		}
2819 
2820 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2821 		if (result)
2822 			return result;
2823 	}
2824 
2825 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2826 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2827 		u32 tx_ant, rx_ant;
2828 
2829 		if ((!rdev->wiphy.available_antennas_tx &&
2830 		     !rdev->wiphy.available_antennas_rx) ||
2831 		    !rdev->ops->set_antenna)
2832 			return -EOPNOTSUPP;
2833 
2834 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2835 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2836 
2837 		/* reject antenna configurations which don't match the
2838 		 * available antenna masks, except for the "all" mask */
2839 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2840 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2841 			return -EINVAL;
2842 
2843 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2844 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2845 
2846 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2847 		if (result)
2848 			return result;
2849 	}
2850 
2851 	changed = 0;
2852 
2853 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2854 		retry_short = nla_get_u8(
2855 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2856 
2857 		changed |= WIPHY_PARAM_RETRY_SHORT;
2858 	}
2859 
2860 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2861 		retry_long = nla_get_u8(
2862 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2863 
2864 		changed |= WIPHY_PARAM_RETRY_LONG;
2865 	}
2866 
2867 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2868 		frag_threshold = nla_get_u32(
2869 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2870 		if (frag_threshold < 256)
2871 			return -EINVAL;
2872 
2873 		if (frag_threshold != (u32) -1) {
2874 			/*
2875 			 * Fragments (apart from the last one) are required to
2876 			 * have even length. Make the fragmentation code
2877 			 * simpler by stripping LSB should someone try to use
2878 			 * odd threshold value.
2879 			 */
2880 			frag_threshold &= ~0x1;
2881 		}
2882 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2883 	}
2884 
2885 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2886 		rts_threshold = nla_get_u32(
2887 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2888 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2889 	}
2890 
2891 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2892 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2893 			return -EINVAL;
2894 
2895 		coverage_class = nla_get_u8(
2896 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2897 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2898 	}
2899 
2900 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2901 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2902 			return -EOPNOTSUPP;
2903 
2904 		changed |= WIPHY_PARAM_DYN_ACK;
2905 	}
2906 
2907 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2908 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2909 					     NL80211_EXT_FEATURE_TXQS))
2910 			return -EOPNOTSUPP;
2911 		txq_limit = nla_get_u32(
2912 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2913 		changed |= WIPHY_PARAM_TXQ_LIMIT;
2914 	}
2915 
2916 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2917 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2918 					     NL80211_EXT_FEATURE_TXQS))
2919 			return -EOPNOTSUPP;
2920 		txq_memory_limit = nla_get_u32(
2921 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2922 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2923 	}
2924 
2925 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2926 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2927 					     NL80211_EXT_FEATURE_TXQS))
2928 			return -EOPNOTSUPP;
2929 		txq_quantum = nla_get_u32(
2930 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2931 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
2932 	}
2933 
2934 	if (changed) {
2935 		u8 old_retry_short, old_retry_long;
2936 		u32 old_frag_threshold, old_rts_threshold;
2937 		u8 old_coverage_class;
2938 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2939 
2940 		if (!rdev->ops->set_wiphy_params)
2941 			return -EOPNOTSUPP;
2942 
2943 		old_retry_short = rdev->wiphy.retry_short;
2944 		old_retry_long = rdev->wiphy.retry_long;
2945 		old_frag_threshold = rdev->wiphy.frag_threshold;
2946 		old_rts_threshold = rdev->wiphy.rts_threshold;
2947 		old_coverage_class = rdev->wiphy.coverage_class;
2948 		old_txq_limit = rdev->wiphy.txq_limit;
2949 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2950 		old_txq_quantum = rdev->wiphy.txq_quantum;
2951 
2952 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2953 			rdev->wiphy.retry_short = retry_short;
2954 		if (changed & WIPHY_PARAM_RETRY_LONG)
2955 			rdev->wiphy.retry_long = retry_long;
2956 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2957 			rdev->wiphy.frag_threshold = frag_threshold;
2958 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2959 			rdev->wiphy.rts_threshold = rts_threshold;
2960 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2961 			rdev->wiphy.coverage_class = coverage_class;
2962 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
2963 			rdev->wiphy.txq_limit = txq_limit;
2964 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
2965 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
2966 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
2967 			rdev->wiphy.txq_quantum = txq_quantum;
2968 
2969 		result = rdev_set_wiphy_params(rdev, changed);
2970 		if (result) {
2971 			rdev->wiphy.retry_short = old_retry_short;
2972 			rdev->wiphy.retry_long = old_retry_long;
2973 			rdev->wiphy.frag_threshold = old_frag_threshold;
2974 			rdev->wiphy.rts_threshold = old_rts_threshold;
2975 			rdev->wiphy.coverage_class = old_coverage_class;
2976 			rdev->wiphy.txq_limit = old_txq_limit;
2977 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
2978 			rdev->wiphy.txq_quantum = old_txq_quantum;
2979 			return result;
2980 		}
2981 	}
2982 	return 0;
2983 }
2984 
/*
 * nl80211_send_chandef - serialise a channel definition into @msg
 * @msg: message being built
 * @chandef: channel definition to describe
 *
 * Always puts NL80211_ATTR_WIPHY_FREQ, NL80211_ATTR_CHANNEL_WIDTH and
 * NL80211_ATTR_CENTER_FREQ1.  The legacy NL80211_ATTR_WIPHY_CHANNEL_TYPE
 * is added only for the widths that map onto an HT channel type, and
 * NL80211_ATTR_CENTER_FREQ2 only when the definition carries one.
 *
 * Return: 0 on success, -EINVAL (after a WARN_ON) for an invalid
 * chandef, -ENOBUFS when an attribute did not fit.
 */
static int nl80211_send_chandef(struct sk_buff *msg,
				const struct cfg80211_chan_def *chandef)
{
	bool ht_width;

	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
		return -EINVAL;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
			chandef->chan->center_freq))
		return -ENOBUFS;

	/* only 20 (noHT), 20 and 40 MHz have an old-style channel type */
	ht_width = chandef->width == NL80211_CHAN_WIDTH_20_NOHT ||
		   chandef->width == NL80211_CHAN_WIDTH_20 ||
		   chandef->width == NL80211_CHAN_WIDTH_40;
	if (ht_width &&
	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
			cfg80211_get_chandef_type(chandef)))
		return -ENOBUFS;

	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width) ||
	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1,
			chandef->center_freq1))
		return -ENOBUFS;

	if (chandef->center_freq2 &&
	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2,
			chandef->center_freq2))
		return -ENOBUFS;

	return 0;
}
3014 
/*
 * nl80211_send_iface - build one NEW/DEL/SET_INTERFACE message for @wdev
 * @msg: message being filled
 * @portid: destination netlink port
 * @seq: netlink sequence number
 * @flags: netlink message flags (NLM_F_MULTI for dumps)
 * @rdev: registered device owning @wdev
 * @wdev: interface to describe; its netdev may be NULL
 * @cmd: NL80211_CMD_NEW_INTERFACE, _DEL_INTERFACE or _SET_INTERFACE
 *
 * Optional information (current channel, TX power, SSID, TXQ stats) is
 * included only when the driver provides the matching op and that op
 * succeeds; an op failure is not an error, the attribute is simply
 * left out.
 *
 * Return: 0 on success; -1 if the genl header could not be put,
 * -EMSGSIZE if any attribute did not fit (the partial message is
 * cancelled).  The callers in this file only test for a negative value,
 * so the two failure codes are equivalent to them.
 */
static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
			      struct cfg80211_registered_device *rdev,
			      struct wireless_dev *wdev,
			      enum nl80211_commands cmd)
{
	struct net_device *dev = wdev->netdev;
	void *hdr;

	/* only the interface lifecycle commands are expected here */
	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
		cmd != NL80211_CMD_DEL_INTERFACE &&
		cmd != NL80211_CMD_SET_INTERFACE);

	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
	if (!hdr)
		return -1;

	/* ifindex/ifname exist only for interfaces backed by a netdev */
	if (dev &&
	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
		goto nla_put_failure;

	/* GENERATION mixes the per-rdev and the global list counters */
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
			rdev->devlist_generation ^
			(cfg80211_rdev_list_generation << 2)) ||
	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
		goto nla_put_failure;

	if (rdev->ops->get_channel) {
		int ret;
		struct cfg80211_chan_def chandef;

		/* a failing get_channel just means no channel attributes */
		ret = rdev_get_channel(rdev, wdev, &chandef);
		if (ret == 0) {
			if (nl80211_send_chandef(msg, &chandef))
				goto nla_put_failure;
		}
	}

	if (rdev->ops->get_tx_power) {
		int dbm, ret;

		ret = rdev_get_tx_power(rdev, wdev, &dbm);
		if (ret == 0 &&
		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
				DBM_TO_MBM(dbm)))
			goto nla_put_failure;
	}

	/* the SSID / current_bss fields are read under the wdev lock */
	wdev_lock(wdev);
	switch (wdev->iftype) {
	case NL80211_IFTYPE_AP:
		if (wdev->ssid_len &&
		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
			goto nla_put_failure_locked;
		break;
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_ADHOC: {
		const u8 *ssid_ie;
		if (!wdev->current_bss)
			break;
		/*
		 * The BSS IEs are RCU protected.  ssid_ie[1] is the IE
		 * length byte and ssid_ie + 2 its payload; the IE is taken
		 * as stored, no re-validation happens here.
		 */
		rcu_read_lock();
		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
					       WLAN_EID_SSID);
		if (ssid_ie &&
		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
			goto nla_put_failure_rcu_locked;
		rcu_read_unlock();
		break;
		}
	default:
		/* nothing */
		break;
	}
	wdev_unlock(wdev);

	if (rdev->ops->get_txq_stats) {
		struct cfg80211_txq_stats txqstats = {};
		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);

		/* inverted sense: a false return from put_txq_stats is failure */
		if (ret == 0 &&
		    !nl80211_put_txq_stats(msg, &txqstats,
					   NL80211_ATTR_TXQ_STATS))
			goto nla_put_failure;
	}

	genlmsg_end(msg, hdr);
	return 0;

	/* unwind in reverse order of acquisition */
 nla_put_failure_rcu_locked:
	rcu_read_unlock();
 nla_put_failure_locked:
	wdev_unlock(wdev);
 nla_put_failure:
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
3117 
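/*
 * nl80211_dump_interface - NL80211_CMD_GET_INTERFACE dump handler
 * @skb: reply skb being filled
 * @cb: netlink dump state; cb->args[] carries the resume position:
 *	args[0] = index of the (in-namespace) wiphy to resume at,
 *	args[1] = index of the interface within that wiphy,
 *	args[2] = 0 while the request has not been parsed, -1 once parsed
 *		  with no wiphy filter, or (filter wiphy index + 1).
 *
 * Walks every registered device in the caller's network namespace and,
 * for each wiphy passing the filter, every wdev, emitting one
 * NEW_INTERFACE message per wdev until the skb is full.  The walk runs
 * under the RTNL.
 *
 * The per-wiphy interface offset (args[1]) applies only to the wiphy the
 * previous call stopped in; it is reset once that wiphy is complete so
 * later wiphys are dumped from their first interface.
 *
 * Return: skb->len (0 once everything has been sent) or a negative
 * error from parsing the request.
 */
static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
{
	int wp_idx = 0;
	int if_idx = 0;
	int wp_start = cb->args[0];
	int if_start = cb->args[1];
	int filter_wiphy = -1;
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	int ret;

	rtnl_lock();
	if (!cb->args[2]) {
		/* first call: parse the request once and cache the filter */
		struct nl80211_dump_wiphy_state state = {
			.filter_wiphy = -1,
		};

		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
		if (ret)
			goto out_unlock;

		filter_wiphy = state.filter_wiphy;

		/*
		 * if filtering, set cb->args[2] to +1 since 0 is the default
		 * value needed to determine that parsing is necessary.
		 */
		if (filter_wiphy >= 0)
			cb->args[2] = filter_wiphy + 1;
		else
			cb->args[2] = -1;
	} else if (cb->args[2] > 0) {
		filter_wiphy = cb->args[2] - 1;
	}

	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
		/* never expose wiphys from another network namespace */
		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
			continue;
		/* skip wiphys fully emitted by an earlier call */
		if (wp_idx < wp_start) {
			wp_idx++;
			continue;
		}

		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
			continue;

		if_idx = 0;

		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
			/* skip interfaces of this wiphy emitted last time */
			if (if_idx < if_start) {
				if_idx++;
				continue;
			}
			/* skb full: record where we stopped and return */
			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
					       rdev, wdev,
					       NL80211_CMD_NEW_INTERFACE) < 0) {
				goto out;
			}
			if_idx++;
		}

		/*
		 * The resume offset was only meant for the wiphy we were
		 * interrupted in; without this reset every following wiphy
		 * would silently lose its first if_start interfaces.
		 */
		if_start = 0;
		wp_idx++;
	}
 out:
	cb->args[0] = wp_idx;
	cb->args[1] = if_idx;

	ret = skb->len;
 out_unlock:
	rtnl_unlock();

	return ret;
}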
3192 
/*
 * nl80211_get_interface - NL80211_CMD_GET_INTERFACE (non-dump) handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the wdev
 *
 * Replies with a single NEW_INTERFACE message describing the wdev.
 *
 * Return: 0 on success, -ENOMEM if no reply could be allocated,
 * -ENOBUFS if the description did not fit, or the genlmsg_reply() result.
 */
static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct sk_buff *reply;
	int ret;

	reply = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!reply)
		return -ENOMEM;

	ret = nl80211_send_iface(reply, info->snd_portid, info->snd_seq, 0,
				 rdev, wdev, NL80211_CMD_NEW_INTERFACE);
	if (ret < 0) {
		nlmsg_free(reply);
		return -ENOBUFS;
	}

	return genlmsg_reply(reply, info);
}
3211 
/*
 * Policy for the attributes nested under NL80211_ATTR_MNTR_FLAGS: every
 * monitor flag is a presence-only NLA_FLAG, indexed by its
 * NL80211_MNTR_FLAG_* value.  parse_monitor_flags() turns presence of
 * entry N into bit (1 << N).
 */
static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
};
3220 
/*
 * parse_monitor_flags - convert a nested NL80211_ATTR_MNTR_FLAGS to a mask
 * @nla: the nested attribute, may be NULL
 * @mntrflags: receives the resulting bitmask; always written, zeroed
 *	on failure
 *
 * Each present nested flag N sets bit (1 << N); MONITOR_FLAG_CHANGED is
 * always set on success so callers can tell "flags given" from
 * "no flags given".
 *
 * Return: 0 on success, -EINVAL for a missing or unparsable attribute.
 */
static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
{
	struct nlattr *tb[NL80211_MNTR_FLAG_MAX + 1];
	u32 mask = 0;
	int i;

	*mntrflags = 0;

	if (!nla)
		return -EINVAL;

	if (nla_parse_nested_deprecated(tb, NL80211_MNTR_FLAG_MAX, nla,
					mntr_flags_policy, NULL))
		return -EINVAL;

	for (i = 1; i <= NL80211_MNTR_FLAG_MAX; i++) {
		if (tb[i])
			mask |= 1 << i;
	}

	*mntrflags = mask | MONITOR_FLAG_CHANGED;

	return 0;
}
3242 
/*
 * Common gate for the two MU-MIMO sniffer attributes: they are only
 * meaningful on a monitor interface (-EINVAL otherwise) and only when the
 * device advertises NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER (-EOPNOTSUPP
 * otherwise).
 */
static int nl80211_check_mumimo_sniffer(struct cfg80211_registered_device *rdev,
					enum nl80211_iftype type)
{
	if (type != NL80211_IFTYPE_MONITOR)
		return -EINVAL;

	if (!wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER))
		return -EOPNOTSUPP;

	return 0;
}

/*
 * nl80211_parse_mon_options - pick up monitor-specific vif parameters
 * @rdev: registered device
 * @type: the (resulting) interface type
 * @info: parsed request
 * @params: vif parameters to fill in
 *
 * Handles NL80211_ATTR_MNTR_FLAGS, NL80211_ATTR_MU_MIMO_GROUP_DATA and
 * NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR.  All three are rejected on a
 * non-monitor type.  The MU-MIMO pointers stored in @params point into
 * the request attributes; their lengths are not checked here and are
 * assumed to be enforced by the attribute policy (not visible in this
 * file section) - confirm before relying on it.
 *
 * Return: 1 if any monitor option was given, 0 if none, negative errno
 * on error.
 */
static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
				     enum nl80211_iftype type,
				     struct genl_info *info,
				     struct vif_params *params)
{
	struct nlattr *attr;
	bool change = false;
	int err;

	attr = info->attrs[NL80211_ATTR_MNTR_FLAGS];
	if (attr) {
		if (type != NL80211_IFTYPE_MONITOR)
			return -EINVAL;

		err = parse_monitor_flags(attr, &params->flags);
		if (err)
			return err;

		change = true;
	}

	/* active monitor needs explicit driver support */
	if ((params->flags & MONITOR_FLAG_ACTIVE) &&
	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
		return -EOPNOTSUPP;

	attr = info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA];
	if (attr) {
		const u8 *groups;

		err = nl80211_check_mumimo_sniffer(rdev, type);
		if (err)
			return err;

		groups = nla_data(attr);

		/* bits 0 and 63 are reserved and must be zero */
		if ((groups[0] & BIT(0)) ||
		    (groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
			return -EINVAL;

		params->vht_mumimo_groups = groups;
		change = true;
	}

	attr = info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR];
	if (attr) {
		err = nl80211_check_mumimo_sniffer(rdev, type);
		if (err)
			return err;

		params->vht_mumimo_follow_addr = nla_data(attr);
		change = true;
	}

	return change ? 1 : 0;
}
3305 
/*
 * nl80211_valid_4addr - check whether a 4-address setting is acceptable
 * @rdev: registered device
 * @netdev: the netdev being changed, or NULL when creating a new one
 * @use_4addr: requested setting (non-zero enables 4-address mode)
 * @iftype: the (resulting) interface type
 *
 * Disabling is always allowed unless the netdev is currently a bridge
 * port (-EBUSY).  Enabling is allowed for AP_VLAN with
 * WIPHY_FLAG_4ADDR_AP and for STATION with WIPHY_FLAG_4ADDR_STATION.
 *
 * Return: 0 if acceptable, -EBUSY or -EOPNOTSUPP otherwise.
 */
static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
			       struct net_device *netdev, u8 use_4addr,
			       enum nl80211_iftype iftype)
{
	u32 required_flag;

	if (!use_4addr) {
		/* a bridge port may not drop back to 3-address mode */
		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
			return -EBUSY;
		return 0;
	}

	if (iftype == NL80211_IFTYPE_AP_VLAN)
		required_flag = WIPHY_FLAG_4ADDR_AP;
	else if (iftype == NL80211_IFTYPE_STATION)
		required_flag = WIPHY_FLAG_4ADDR_STATION;
	else
		return -EOPNOTSUPP;

	return (rdev->wiphy.flags & required_flag) ? 0 : -EOPNOTSUPP;
}
3331 
/*
 * nl80211_set_interface - NL80211_CMD_SET_INTERFACE handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Applies an interface type change and/or new vif parameters (4-address
 * mode, monitor options) and, for mesh points, records the mesh ID.
 * The driver is asked to change the interface only when something
 * changed; NL80211_ATTR_4ADDR alone always counts as a change.
 *
 * Return: 0 on success or a negative errno.
 */
static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct vif_params params;
	int err;
	enum nl80211_iftype otype, ntype;
	struct net_device *dev = info->user_ptr[1];
	bool change = false;

	memset(&params, 0, sizeof(params));

	otype = ntype = dev->ieee80211_ptr->iftype;

	if (info->attrs[NL80211_ATTR_IFTYPE]) {
		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
		if (otype != ntype)
			change = true;
	}

	if (info->attrs[NL80211_ATTR_MESH_ID]) {
		struct wireless_dev *wdev = dev->ieee80211_ptr;

		/* a mesh ID only makes sense on a (resulting) mesh point */
		if (ntype != NL80211_IFTYPE_MESH_POINT)
			return -EINVAL;
		/* and cannot be changed while the interface is up */
		if (netif_running(dev))
			return -EBUSY;

		/*
		 * The mesh ID lives in the SSID buffer; the BUILD_BUG_ON
		 * guarantees the buffer is large enough for a maximum-length
		 * mesh ID.  The copy length comes straight from the
		 * attribute and is assumed to be capped by the attribute
		 * policy (not visible here) - TODO confirm.  Note the ID is
		 * written before the interface change below is attempted
		 * and is not rolled back if that fails.
		 */
		wdev_lock(wdev);
		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
			     IEEE80211_MAX_MESH_ID_LEN);
		wdev->mesh_id_up_len =
			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
		       wdev->mesh_id_up_len);
		wdev_unlock(wdev);
	}

	if (info->attrs[NL80211_ATTR_4ADDR]) {
		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
		change = true;
		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
		if (err)
			return err;
	} else {
		/* -1 means "leave the current 4-address setting alone" */
		params.use_4addr = -1;
	}

	/* > 0 means monitor options were given (and already validated) */
	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
	if (err < 0)
		return err;
	if (err > 0)
		change = true;

	if (change)
		err = cfg80211_change_iface(rdev, dev, ntype, &params);
	else
		err = 0;

	/* record the 4-address setting only once the change succeeded */
	if (!err && params.use_4addr != -1)
		dev->ieee80211_ptr->use_4addr = params.use_4addr;

	if (change && !err) {
		struct wireless_dev *wdev = dev->ieee80211_ptr;

		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
	}

	return err;
}
3401 
/*
 * nl80211_new_interface - NL80211_CMD_NEW_INTERFACE handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev
 *
 * Creates a virtual interface of the requested type on the wiphy and
 * replies with a NEW_INTERFACE message describing it.
 * NL80211_ATTR_IFNAME is mandatory; the type defaults to
 * NL80211_IFTYPE_UNSPECIFIED.
 *
 * Return: 0 on success or a negative errno.  Once rdev_add_virtual_intf()
 * has succeeded the interface exists even if building the reply fails.
 */
static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct vif_params params;
	struct wireless_dev *wdev;
	struct sk_buff *msg;
	int err;
	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;

	/* to avoid failing a new interface creation due to pending removal */
	cfg80211_destroy_ifaces(rdev);

	memset(&params, 0, sizeof(params));

	if (!info->attrs[NL80211_ATTR_IFNAME])
		return -EINVAL;

	if (info->attrs[NL80211_ATTR_IFTYPE])
		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);

	/*
	 * interface_modes is a bitmask indexed by iftype.  The shift is
	 * safe only if the NL80211_ATTR_IFTYPE policy (not visible here)
	 * keeps the value below the bit width - TODO confirm.
	 */
	if (!rdev->ops->add_virtual_intf ||
	    !(rdev->wiphy.interface_modes & (1 << type)))
		return -EOPNOTSUPP;

	/*
	 * A caller-supplied MAC is honoured only for the netdev-less types
	 * (P2P device, NAN) or when the driver advertises MAC_ON_CREATE.
	 */
	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
	    info->attrs[NL80211_ATTR_MAC]) {
		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
			   ETH_ALEN);
		if (!is_valid_ether_addr(params.macaddr))
			return -EADDRNOTAVAIL;
	}

	if (info->attrs[NL80211_ATTR_4ADDR]) {
		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
		/* no netdev exists yet, so the bridge-port check is skipped */
		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
		if (err)
			return err;
	}

	err = nl80211_parse_mon_options(rdev, type, info, &params);
	if (err < 0)
		return err;

	/*
	 * The reply is allocated before the interface is created,
	 * presumably so an allocation failure never leaves behind an
	 * interface that was not reported to the caller.
	 */
	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	wdev = rdev_add_virtual_intf(rdev,
				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
				NET_NAME_USER, type, &params);
	/* a NULL (rather than ERR_PTR) result is a driver bug */
	if (WARN_ON(!wdev)) {
		nlmsg_free(msg);
		return -EPROTO;
	} else if (IS_ERR(wdev)) {
		nlmsg_free(msg);
		return PTR_ERR(wdev);
	}

	/* remember the requesting socket as the interface's owner */
	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
		wdev->owner_nlportid = info->snd_portid;

	switch (type) {
	case NL80211_IFTYPE_MESH_POINT:
		if (!info->attrs[NL80211_ATTR_MESH_ID])
			break;
		/*
		 * Same as in nl80211_set_interface(): the mesh ID is stored
		 * in the SSID buffer and its length is taken from the
		 * attribute, relying on the attribute policy for the bound.
		 */
		wdev_lock(wdev);
		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
			     IEEE80211_MAX_MESH_ID_LEN);
		wdev->mesh_id_up_len =
			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
		       wdev->mesh_id_up_len);
		wdev_unlock(wdev);
		break;
	case NL80211_IFTYPE_NAN:
	case NL80211_IFTYPE_P2P_DEVICE:
		/*
		 * P2P Device and NAN do not have a netdev, so don't go
		 * through the netdev notifier and must be added here
		 */
		cfg80211_init_wdev(rdev, wdev);
		break;
	default:
		break;
	}

	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
		nlmsg_free(msg);
		return -ENOBUFS;
	}

	return genlmsg_reply(msg, info);
}
3497 
/*
 * nl80211_del_interface - NL80211_CMD_DEL_INTERFACE handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the wdev
 *
 * Return: -EOPNOTSUPP without a del_virtual_intf op, otherwise the
 * driver's result.
 */
static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	bool has_netdev = wdev->netdev != NULL;

	if (!rdev->ops->del_virtual_intf)
		return -EOPNOTSUPP;

	/*
	 * A wdev without a netdev is gone once the driver returns.
	 * nl80211_post_doit inspects user_ptr[1] to decide whether it has
	 * a netdev to dev_put(), so clear it here rather than let it touch
	 * the freed wdev.  With a real netdev the pointer must stay: that
	 * dev_put() is what finally lets the netdev be released.
	 */
	if (!has_netdev)
		info->user_ptr[1] = NULL;

	return rdev_del_virtual_intf(rdev, wdev);
}
3518 
/*
 * nl80211_set_noack_map - NL80211_CMD_SET_NOACK_MAP handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Passes the u16 NL80211_ATTR_NOACK_MAP (one bit per TID) to the driver.
 *
 * Return: -EINVAL without the attribute, -EOPNOTSUPP without a
 * set_noack_map op, otherwise the driver's result.
 */
static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *map_attr = info->attrs[NL80211_ATTR_NOACK_MAP];

	if (!map_attr)
		return -EINVAL;

	if (!rdev->ops->set_noack_map)
		return -EOPNOTSUPP;

	return rdev_set_noack_map(rdev, dev, nla_get_u16(map_attr));
}
3535 
/* state threaded through rdev_get_key() into get_key_callback() */
struct get_key_cookie {
	struct sk_buff *msg;	/* reply message being built */
	int error;		/* set to 1 when an attribute did not fit */
	int idx;		/* key index, reported as NL80211_KEY_IDX */
};
3541 
/*
 * Put the key material from @params into @msg using the given attribute
 * ids, skipping fields the driver did not provide.
 *
 * Return: 0 on success, -ENOBUFS if the message ran out of room.
 */
static int nl80211_put_key_params(struct sk_buff *msg,
				  const struct key_params *params,
				  int data_attr, int seq_attr, int cipher_attr)
{
	if (params->key &&
	    nla_put(msg, data_attr, params->key_len, params->key))
		return -ENOBUFS;

	if (params->seq &&
	    nla_put(msg, seq_attr, params->seq_len, params->seq))
		return -ENOBUFS;

	if (params->cipher &&
	    nla_put_u32(msg, cipher_attr, params->cipher))
		return -ENOBUFS;

	return 0;
}

/*
 * get_key_callback - driver callback for rdev_get_key()
 * @c: the struct get_key_cookie passed to rdev_get_key()
 * @params: key data reported by the driver
 *
 * The key material is put twice: flat at the top level
 * (NL80211_ATTR_KEY_DATA/_SEQ/_CIPHER) and again inside an
 * NL80211_ATTR_KEY nest together with the key index.  Any put failure
 * is recorded in cookie->error for nl80211_get_key() to pick up.
 */
static void get_key_callback(void *c, struct key_params *params)
{
	struct get_key_cookie *cookie = c;
	struct sk_buff *msg = cookie->msg;
	struct nlattr *nest;

	if (nl80211_put_key_params(msg, params, NL80211_ATTR_KEY_DATA,
				   NL80211_ATTR_KEY_SEQ,
				   NL80211_ATTR_KEY_CIPHER))
		goto fail;

	nest = nla_nest_start_noflag(msg, NL80211_ATTR_KEY);
	if (!nest)
		goto fail;

	if (nl80211_put_key_params(msg, params, NL80211_KEY_DATA,
				   NL80211_KEY_SEQ, NL80211_KEY_CIPHER) ||
	    nla_put_u8(msg, NL80211_KEY_IDX, cookie->idx))
		goto fail;

	nla_nest_end(msg, nest);
	return;

fail:
	cookie->error = 1;
}
3582 
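/*
 * nl80211_get_key - NL80211_CMD_GET_KEY handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Asks the driver for the key at NL80211_ATTR_KEY_IDX (default 0) and
 * replies with an NL80211_CMD_NEW_KEY message filled in by
 * get_key_callback().  NL80211_ATTR_MAC selects a per-peer key; the key
 * type defaults to pairwise iff a MAC is given and may be overridden by
 * NL80211_ATTR_KEY_TYPE.
 *
 * Return: 0 on success; -EINVAL for an out-of-range index or bad key
 * type, -EOPNOTSUPP without a get_key op, -ENOENT for a per-peer group
 * key on a device without WIPHY_FLAG_IBSS_RSN, -ENOMEM/-ENOBUFS for
 * reply allocation or size failures, or the driver's error.
 */
static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	int err;
	struct net_device *dev = info->user_ptr[1];
	u8 key_idx = 0;
	const u8 *mac_addr = NULL;
	bool pairwise;
	struct get_key_cookie cookie = {
		.error = 0,
	};
	void *hdr;
	struct sk_buff *msg;

	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
		/*
		 * Range-check the index before it reaches the driver.
		 * Unlike the new/set/del handlers this path does not go
		 * through nl80211_parse_key(), so nothing else bounds it,
		 * and a driver that indexes a fixed-size key table with it
		 * would read past the end.  Indexes 0..5 (the default and
		 * default-management key slots) are the range the other
		 * key commands accept via nl80211_parse_key() (outside
		 * this view).
		 */
		if (key_idx > 5)
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_MAC])
		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);

	/* a peer address implies pairwise unless KEY_TYPE says otherwise */
	pairwise = !!mac_addr;
	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);

		if (kt != NL80211_KEYTYPE_GROUP &&
		    kt != NL80211_KEYTYPE_PAIRWISE)
			return -EINVAL;
		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
	}

	if (!rdev->ops->get_key)
		return -EOPNOTSUPP;

	/* a group key for a specific peer is only looked up with IBSS RSN */
	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
		return -ENOENT;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_NEW_KEY);
	if (!hdr)
		goto nla_put_failure;

	cookie.msg = msg;
	cookie.idx = key_idx;

	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
		goto nla_put_failure;
	if (mac_addr &&
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
		goto nla_put_failure;

	/* the driver reports the key attributes via get_key_callback() */
	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
			   get_key_callback);

	if (err)
		goto free_msg;

	/* the callback could not fit an attribute into the reply */
	if (cookie.error)
		goto nla_put_failure;

	genlmsg_end(msg, hdr);
	return genlmsg_reply(msg, info);

 nla_put_failure:
	err = -ENOBUFS;
 free_msg:
	nlmsg_free(msg);
	return err;
}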
3656 
/*
 * nl80211_set_key - NL80211_CMD_SET_KEY handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Supports exactly three operations on an already-installed key:
 *  - mark it the default (unicast/multicast) key,
 *  - mark it the default management key,
 *  - Extended Key ID: activate pairwise key index 0/1 for TX towards a
 *    peer (NL80211_KEY_SET_TX), which goes through the add_key op.
 * Anything else is rejected with -EINVAL.  The wdev lock is held for
 * the whole operation.
 *
 * Return: 0 on success or a negative errno.
 */
static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct key_parse key;
	int err;
	struct net_device *dev = info->user_ptr[1];

	err = nl80211_parse_key(info, &key);
	if (err)
		return err;

	/* an index is mandatory for all three operations */
	if (key.idx < 0)
		return -EINVAL;

	/* Only support setting default key and
	 * Extended Key ID action NL80211_KEY_SET_TX.
	 */
	if (!key.def && !key.defmgmt &&
	    !(key.p.mode == NL80211_KEY_SET_TX))
		return -EINVAL;

	wdev_lock(dev->ieee80211_ptr);

	if (key.def) {
		if (!rdev->ops->set_default_key) {
			err = -EOPNOTSUPP;
			goto out;
		}

		err = nl80211_key_allowed(dev->ieee80211_ptr);
		if (err)
			goto out;

		err = rdev_set_default_key(rdev, dev, key.idx,
						 key.def_uni, key.def_multi);

		if (err)
			goto out;

#ifdef CONFIG_CFG80211_WEXT
		/* keep the wireless-extensions view in sync */
		dev->ieee80211_ptr->wext.default_key = key.idx;
#endif
	} else if (key.defmgmt) {
		/* default management keys are multicast only */
		if (key.def_uni || !key.def_multi) {
			err = -EINVAL;
			goto out;
		}

		if (!rdev->ops->set_default_mgmt_key) {
			err = -EOPNOTSUPP;
			goto out;
		}

		err = nl80211_key_allowed(dev->ieee80211_ptr);
		if (err)
			goto out;

		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
		if (err)
			goto out;

#ifdef CONFIG_CFG80211_WEXT
		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
#endif
	} else if (key.p.mode == NL80211_KEY_SET_TX &&
		   wiphy_ext_feature_isset(&rdev->wiphy,
					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
		u8 *mac_addr = NULL;

		if (info->attrs[NL80211_ATTR_MAC])
			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);

		/*
		 * Extended Key ID covers pairwise key indexes 0 and 1 only
		 * and needs the peer address; the idx < 0 half of the test
		 * is already excluded above.
		 */
		if (!mac_addr || key.idx < 0 || key.idx > 1) {
			err = -EINVAL;
			goto out;
		}

		err = rdev_add_key(rdev, dev, key.idx,
				   NL80211_KEYTYPE_PAIRWISE,
				   mac_addr, &key.p);
	} else {
		/* SET_TX requested but the device lacks EXT_KEY_ID support */
		err = -EINVAL;
	}
 out:
	wdev_unlock(dev->ieee80211_ptr);

	return err;
}
3745 
/*
 * nl80211_new_key - NL80211_CMD_NEW_KEY handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Installs a new key.  Key material is mandatory; the key type defaults
 * to pairwise when a peer MAC is given and to group otherwise, and only
 * those two types are accepted.  The key settings are validated by
 * cfg80211_validate_key_settings() before the driver is called under
 * the wdev lock.
 *
 * Return: 0 on success or a negative errno.
 */
static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct key_parse key;
	const u8 *mac_addr = NULL;
	bool pairwise;
	int err;

	err = nl80211_parse_key(info, &key);
	if (err)
		return err;

	/* a new key must carry key material */
	if (!key.p.key)
		return -EINVAL;

	if (info->attrs[NL80211_ATTR_MAC])
		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);

	/* no explicit type: a peer address means pairwise, else group */
	if (key.type == -1)
		key.type = mac_addr ? NL80211_KEYTYPE_PAIRWISE
				    : NL80211_KEYTYPE_GROUP;

	/* for now */
	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
	    key.type != NL80211_KEYTYPE_GROUP)
		return -EINVAL;
	pairwise = key.type == NL80211_KEYTYPE_PAIRWISE;

	if (!rdev->ops->add_key)
		return -EOPNOTSUPP;

	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx, pairwise,
					   mac_addr))
		return -EINVAL;

	wdev_lock(wdev);
	err = nl80211_key_allowed(wdev);
	if (!err)
		err = rdev_add_key(rdev, dev, key.idx, pairwise, mac_addr,
				   &key.p);
	wdev_unlock(wdev);

	return err;
}
3794 
/*
 * nl80211_del_key - NL80211_CMD_DEL_KEY handler
 * @skb: request skb (unused)
 * @info: parsed request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Removes the key at key.idx.  The key type defaults to pairwise when a
 * peer MAC is given and to group otherwise; only those two types are
 * accepted.  Runs under the wdev lock.
 *
 * Return: 0 on success or a negative errno.
 */
static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	int err;
	struct net_device *dev = info->user_ptr[1];
	u8 *mac_addr = NULL;
	struct key_parse key;

	err = nl80211_parse_key(info, &key);
	if (err)
		return err;

	if (info->attrs[NL80211_ATTR_MAC])
		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);

	/* no explicit type: a peer address means pairwise, else group */
	if (key.type == -1) {
		if (mac_addr)
			key.type = NL80211_KEYTYPE_PAIRWISE;
		else
			key.type = NL80211_KEYTYPE_GROUP;
	}

	/* for now */
	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
	    key.type != NL80211_KEYTYPE_GROUP)
		return -EINVAL;

	if (!rdev->ops->del_key)
		return -EOPNOTSUPP;

	wdev_lock(dev->ieee80211_ptr);
	err = nl80211_key_allowed(dev->ieee80211_ptr);

	/*
	 * A per-peer group key only exists with IBSS RSN.  Note this
	 * assignment replaces whatever nl80211_key_allowed() returned.
	 */
	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
		err = -ENOENT;

	if (!err)
		err = rdev_del_key(rdev, dev, key.idx,
				   key.type == NL80211_KEYTYPE_PAIRWISE,
				   mac_addr);

#ifdef CONFIG_CFG80211_WEXT
	/* forget a deleted default key in the wireless-extensions state */
	if (!err) {
		if (key.idx == dev->ieee80211_ptr->wext.default_key)
			dev->ieee80211_ptr->wext.default_key = -1;
		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
	}
#endif
	wdev_unlock(dev->ieee80211_ptr);

	return err;
}
3849 
/*
 * validate_acl_mac_addrs - check a nested list of MAC addresses
 * @nl_attr: nested attribute with one entry per address
 *
 * Every nested entry must be exactly ETH_ALEN bytes long.
 *
 * Return: the number of entries, or -EINVAL at the first malformed one.
 */
static int validate_acl_mac_addrs(struct nlattr *nl_attr)
{
	struct nlattr *entry;
	int count = 0;
	int rem;

	nla_for_each_nested(entry, nl_attr, rem) {
		if (nla_len(entry) == ETH_ALEN) {
			count++;
			continue;
		}
		return -EINVAL;
	}

	return count;
}
3865 
3866 /*
3867  * This function parses ACL information and allocates memory for ACL data.
3868  * On successful return, the calling function is responsible to free the
3869  * ACL buffer returned by this function.
3870  */
3871 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3872 						struct genl_info *info)
3873 {
3874 	enum nl80211_acl_policy acl_policy;
3875 	struct nlattr *attr;
3876 	struct cfg80211_acl_data *acl;
3877 	int i = 0, n_entries, tmp;
3878 
3879 	if (!wiphy->max_acl_mac_addrs)
3880 		return ERR_PTR(-EOPNOTSUPP);
3881 
3882 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3883 		return ERR_PTR(-EINVAL);
3884 
3885 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3886 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3887 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3888 		return ERR_PTR(-EINVAL);
3889 
3890 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3891 		return ERR_PTR(-EINVAL);
3892 
3893 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3894 	if (n_entries < 0)
3895 		return ERR_PTR(n_entries);
3896 
3897 	if (n_entries > wiphy->max_acl_mac_addrs)
3898 		return ERR_PTR(-ENOTSUPP);
3899 
3900 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
3901 	if (!acl)
3902 		return ERR_PTR(-ENOMEM);
3903 
3904 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3905 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3906 		i++;
3907 	}
3908 
3909 	acl->n_acl_entries = n_entries;
3910 	acl->acl_policy = acl_policy;
3911 
3912 	return acl;
3913 }
3914 
/*
 * NL80211_CMD_SET_MAC_ACL handler: replace the station ACL of a running
 * AP/P2P-GO interface.
 *
 * Returns -EOPNOTSUPP for other interface types, -EINVAL when the
 * interface is not beaconing, the parse_acl_data() error, or the result
 * of rdev_set_mac_acl().  The parsed ACL is freed before returning.
 */
static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_acl_data *acl;
	int ret;

	if (wdev->iftype != NL80211_IFTYPE_AP &&
	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
		return -EOPNOTSUPP;

	/* beacon_interval is set once the AP has been started */
	if (!wdev->beacon_interval)
		return -EINVAL;

	acl = parse_acl_data(&rdev->wiphy, info);
	if (IS_ERR(acl))
		return PTR_ERR(acl);

	ret = rdev_set_mac_acl(rdev, dev, acl);
	kfree(acl);

	return ret;
}
3939 
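/*
 * Translate a list of legacy rate values into a bitmask over
 * @sband->bitrates.
 *
 * @rates: rate values as found in a supported-rates IE; the top bit of
 *	   each entry is ignored and the remaining 7 bits are multiplied
 *	   by 5 to match the 100 kbps units of ieee80211_rate.bitrate
 * @rates_len: number of entries in @rates
 *
 * Returns the mask with bit n set for every sband->bitrates[n] that was
 * listed, or 0 as soon as an entry matches no supported bitrate.  An
 * empty list also yields 0, so callers must look at @rates_len to tell
 * the two apart (nl80211_parse_tx_bitrate_mask() does).
 */
static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
			   u8 *rates, u8 rates_len)
{
	u32 mask = 0;
	u8 i;

	for (i = 0; i < rates_len; i++) {
		int rate = (rates[i] & 0x7f) * 5;
		int ridx;

		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
			if (rate != sband->bitrates[ridx].bitrate)
				continue;
			/*
			 * BIT() instead of a plain int shift: for a band
			 * with 32 bitrates the int expression 1 << 31 is
			 * signed overflow.  Matches ht_rateset_to_mask().
			 */
			mask |= BIT(ridx);
			break;
		}

		if (ridx == sband->n_bitrates)
			return 0; /* rate not found */
	}

	return mask;
}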
3964 
/*
 * Translate a list of HT MCS indices into an IEEE80211_HT_MCS_MASK_LEN
 * byte mask, accepting only MCSes present in @sband->ht_cap.mcs.rx_mask.
 *
 * @mcs is cleared first and then gets one bit per listed MCS.
 *
 * Returns true when every entry was in range and supported, false
 * otherwise (@mcs may then be partially filled).
 */
static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
			       u8 *rates, u8 rates_len,
			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
{
	const u8 *end = rates + rates_len;
	const u8 *cur;

	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);

	for (cur = rates; cur < end; cur++) {
		int byte = *cur / 8;
		int bit = BIT(*cur % 8);

		/* check validity */
		if (byte < 0 || byte >= IEEE80211_HT_MCS_MASK_LEN)
			return false;

		/*
		 * check availability; the index is clamped with
		 * array_index_nospec() after the bounds check above
		 */
		byte = array_index_nospec(byte, IEEE80211_HT_MCS_MASK_LEN);
		if (!(sband->ht_cap.mcs.rx_mask[byte] & bit))
			return false;

		mcs[byte] |= bit;
	}

	return true;
}
3993 
/*
 * Expand a 2-bit per-stream VHT MCS map value into a 16-bit MCS mask.
 *
 * Returns 0x00FF / 0x01FF / 0x03FF for SUPPORT_0_7 / 0_8 / 0_9 and 0 for
 * IEEE80211_VHT_MCS_NOT_SUPPORTED or any other value.
 */
static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
{
	if (vht_mcs_map == IEEE80211_VHT_MCS_SUPPORT_0_7)
		return 0x00FF;
	if (vht_mcs_map == IEEE80211_VHT_MCS_SUPPORT_0_8)
		return 0x01FF;
	if (vht_mcs_map == IEEE80211_VHT_MCS_SUPPORT_0_9)
		return 0x03FF;

	/* IEEE80211_VHT_MCS_NOT_SUPPORTED and unknown encodings */
	return 0;
}
4016 
/*
 * Expand a full 16-bit VHT MCS map (2 bits per spatial stream, the first
 * stream in the lowest bits) into one MCS mask per stream.
 */
static void vht_build_mcs_mask(u16 vht_mcs_map,
			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
{
	u8 nss;

	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
		u8 map_bits = (vht_mcs_map >> (2 * nss)) & 0x03;

		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(map_bits);
	}
}
4027 
/*
 * Validate a userspace VHT MCS selection against the TX MCS map of @sband
 * and copy it into @mcs.
 *
 * @mcs is cleared first; every requested MCS bit of a stream must be
 * present in the band's TX capability for that stream.
 *
 * Returns false when the band has no VHT support or a requested MCS is
 * not supported (@mcs may then be partially filled), true otherwise.
 */
static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
			     struct nl80211_txrate_vht *txrate,
			     u16 mcs[NL80211_VHT_NSS_MAX])
{
	u16 supported[NL80211_VHT_NSS_MAX] = {};
	u8 nss;

	if (!sband->vht_cap.vht_supported)
		return false;

	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);

	/* Build the per-stream capability mask from the VHT TX MCS map */
	vht_build_mcs_mask(le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map),
			   supported);

	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
		u16 requested = txrate->mcs[nss];

		/* any requested bit outside the capability is rejected */
		if (requested & ~supported[nss])
			return false;

		mcs[nss] = requested;
	}

	return true;
}
4053 
/*
 * Attribute policy for the per-band entries nested in
 * NL80211_ATTR_TX_RATES, used by nl80211_parse_tx_bitrate_mask().
 */
static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
				    .len = NL80211_MAX_SUPP_RATES },
	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
				.len = NL80211_MAX_SUPP_HT_RATES },
	/*
	 * NOTE(review): no .type here, so .len acts as the minimum accepted
	 * length; vht_set_mcs_mask() reads the whole struct from the payload.
	 */
	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
};
4062 
/*
 * Parse NL80211_ATTR_TX_RATES into @mask.
 *
 * @mask is first filled with everything each band of the wiphy supports
 * (all legacy bitrates, the HT RX MCS mask, the VHT TX MCS map).  Without
 * NL80211_ATTR_TX_RATES that default is the result.  Otherwise every
 * nested entry, indexed by enum nl80211_band, overrides the band's
 * legacy/HT/VHT/GI selection after validation against the band's
 * capabilities.
 *
 * Returns 0 on success; -EINVAL for an unknown or unsupported band, a
 * legacy list with an unsupported entry, HT/VHT selections outside the
 * capabilities, an out-of-range GI value, or a band left with no rate at
 * all; or the nla_parse_nested_deprecated() error.
 */
static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
					 struct cfg80211_bitrate_mask *mask)
{
	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	int rem, i;
	struct nlattr *tx_rates;
	struct ieee80211_supported_band *sband;
	u16 vht_tx_mcs_map;

	memset(mask, 0, sizeof(*mask));
	/* Default to all rates enabled */
	for (i = 0; i < NUM_NL80211_BANDS; i++) {
		sband = rdev->wiphy.bands[i];

		if (!sband)
			continue;

		/*
		 * NOTE(review): int shift — would be signed overflow for a
		 * band with 31 or more bitrates (rateset_to_mask() has the
		 * same shape).
		 */
		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
		memcpy(mask->control[i].ht_mcs,
		       sband->ht_cap.mcs.rx_mask,
		       sizeof(mask->control[i].ht_mcs));

		if (!sband->vht_cap.vht_supported)
			continue;

		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
	}

	/* if no rates are given set it back to the defaults */
	if (!info->attrs[NL80211_ATTR_TX_RATES])
		goto out;

	/* The nested attribute uses enum nl80211_band as the index. This maps
	 * directly to the enum nl80211_band values used in cfg80211.
	 */
	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
		enum nl80211_band band = nla_type(tx_rates);
		int err;

		if (band < 0 || band >= NUM_NL80211_BANDS)
			return -EINVAL;
		sband = rdev->wiphy.bands[band];
		if (sband == NULL)
			return -EINVAL;
		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
						  tx_rates,
						  nl80211_txattr_policy,
						  info->extack);
		if (err)
			return err;
		if (tb[NL80211_TXRATE_LEGACY]) {
			mask->control[band].legacy = rateset_to_mask(
				sband,
				nla_data(tb[NL80211_TXRATE_LEGACY]),
				nla_len(tb[NL80211_TXRATE_LEGACY]));
			/*
			 * rateset_to_mask() returns 0 both for an empty list
			 * and for an unsupported entry; only the latter (a
			 * non-empty list) is an error here
			 */
			if ((mask->control[band].legacy == 0) &&
			    nla_len(tb[NL80211_TXRATE_LEGACY]))
				return -EINVAL;
		}
		if (tb[NL80211_TXRATE_HT]) {
			if (!ht_rateset_to_mask(
					sband,
					nla_data(tb[NL80211_TXRATE_HT]),
					nla_len(tb[NL80211_TXRATE_HT]),
					mask->control[band].ht_mcs))
				return -EINVAL;
		}
		if (tb[NL80211_TXRATE_VHT]) {
			if (!vht_set_mcs_mask(
					sband,
					nla_data(tb[NL80211_TXRATE_VHT]),
					mask->control[band].vht_mcs))
				return -EINVAL;
		}
		if (tb[NL80211_TXRATE_GI]) {
			mask->control[band].gi =
				nla_get_u8(tb[NL80211_TXRATE_GI]);
			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
				return -EINVAL;
		}

		if (mask->control[band].legacy == 0) {
			/* don't allow empty legacy rates if HT or VHT
			 * are not even supported.
			 */
			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
				return -EINVAL;

			/*
			 * NOTE(review): these two "goto out" leave the
			 * nla_for_each_nested() loop entirely, so any band
			 * entries following this one are not parsed.
			 */
			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
				if (mask->control[band].ht_mcs[i])
					goto out;

			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
				if (mask->control[band].vht_mcs[i])
					goto out;

			/* legacy and mcs rates may not be both empty */
			return -EINVAL;
		}
	}

out:
	return 0;
}
4171 
/*
 * Check that a beacon rate mask for @band selects exactly one rate and
 * that the driver advertises beacon rate control for that rate class.
 *
 * Exactly one of a legacy rate, an HT MCS or a VHT MCS may be chosen, no
 * mask word may carry more than one bit, and the chosen class must be
 * backed by the matching NL80211_EXT_FEATURE_BEACON_RATE_* feature.
 *
 * Returns 0 when valid, -EINVAL otherwise.
 */
static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
				   enum nl80211_band band,
				   struct cfg80211_bitrate_mask *beacon_rate)
{
	u32 legacy = beacon_rate->control[band].legacy;
	u32 ht_words = 0, vht_words = 0;
	u32 i;

	/* Allow only one rate */
	if (hweight32(legacy) > 1)
		return -EINVAL;

	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
		u8 word = beacon_rate->control[band].ht_mcs[i];

		if (hweight8(word) > 1)
			return -EINVAL;
		if (word && ++ht_words > 1)
			return -EINVAL;
		/* an HT MCS may not be combined with a legacy rate */
		if (ht_words && legacy)
			return -EINVAL;
	}

	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
		u16 word = beacon_rate->control[band].vht_mcs[i];

		if (hweight16(word) > 1)
			return -EINVAL;
		if (word && ++vht_words > 1)
			return -EINVAL;
		/* a VHT MCS may not be combined with a legacy rate */
		if (vht_words && legacy)
			return -EINVAL;
	}

	/* HT and VHT are mutually exclusive, and something must be chosen */
	if (ht_words && vht_words)
		return -EINVAL;
	if (!legacy && !ht_words && !vht_words)
		return -EINVAL;

	if (legacy &&
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
		return -EINVAL;
	if (ht_words &&
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
		return -EINVAL;
	if (vht_words &&
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
		return -EINVAL;

	return 0;
}
4227 
/*
 * Fill @bcn from the beacon-related attributes in @attrs.
 *
 * At least one of NL80211_ATTR_BEACON_HEAD (which must be non-empty) and
 * NL80211_ATTR_BEACON_TAIL is required; the IE, probe/assoc response and
 * FTM responder attributes are optional.  All data pointers stored in
 * @bcn alias the netlink message, nothing is copied.
 *
 * bcn->ftm_responder becomes 1 when NL80211_ATTR_FTM_RESPONDER carries
 * NL80211_FTM_RESP_ATTR_ENABLED and the wiphy has
 * NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER, and -1 when the attribute is
 * absent.
 *
 * Returns 0; -EINVAL for an empty head or no head/tail at all; the error
 * of the nested FTM parse; or -EOPNOTSUPP for an FTM responder request
 * that is not enabled or not supported.
 */
static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
				struct nlattr *attrs[],
				struct cfg80211_beacon_data *bcn)
{
	struct nlattr *head = attrs[NL80211_ATTR_BEACON_HEAD];
	struct nlattr *tail = attrs[NL80211_ATTR_BEACON_TAIL];
	struct nlattr *beacon_ies = attrs[NL80211_ATTR_IE];
	struct nlattr *proberesp_ies = attrs[NL80211_ATTR_IE_PROBE_RESP];
	struct nlattr *assocresp_ies = attrs[NL80211_ATTR_IE_ASSOC_RESP];
	struct nlattr *probe_resp = attrs[NL80211_ATTR_PROBE_RESP];
	struct nlattr *ftm = attrs[NL80211_ATTR_FTM_RESPONDER];
	struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
	int err;

	memset(bcn, 0, sizeof(*bcn));

	if (head) {
		bcn->head = nla_data(head);
		bcn->head_len = nla_len(head);
		/* an empty head is never acceptable */
		if (!bcn->head_len)
			return -EINVAL;
	}

	if (tail) {
		bcn->tail = nla_data(tail);
		bcn->tail_len = nla_len(tail);
	}

	/* head and/or tail must be present */
	if (!head && !tail)
		return -EINVAL;

	if (beacon_ies) {
		bcn->beacon_ies = nla_data(beacon_ies);
		bcn->beacon_ies_len = nla_len(beacon_ies);
	}

	if (proberesp_ies) {
		bcn->proberesp_ies = nla_data(proberesp_ies);
		bcn->proberesp_ies_len = nla_len(proberesp_ies);
	}

	if (assocresp_ies) {
		bcn->assocresp_ies = nla_data(assocresp_ies);
		bcn->assocresp_ies_len = nla_len(assocresp_ies);
	}

	if (probe_resp) {
		bcn->probe_resp = nla_data(probe_resp);
		bcn->probe_resp_len = nla_len(probe_resp);
	}

	if (!ftm) {
		/* -1 marks "attribute not given" for the driver */
		bcn->ftm_responder = -1;
		return 0;
	}

	/*
	 * NOTE(review): parsed without a policy, so the LCI/CIVICLOC
	 * payload lengths are not bounded here.
	 */
	err = nla_parse_nested_deprecated(tb, NL80211_FTM_RESP_ATTR_MAX, ftm,
					  NULL, NULL);
	if (err)
		return err;

	if (!tb[NL80211_FTM_RESP_ATTR_ENABLED] ||
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
		return -EOPNOTSUPP;
	bcn->ftm_responder = 1;

	if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
		bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
		bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
	}

	if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
		bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
		bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
	}

	return 0;
}
4310 
/*
 * Scan a (Extended) Supported Rates IE for BSS membership selectors and
 * mark HT/VHT as required in @params when the matching selector is found.
 *
 * @rates points at the IE including its two-byte header (ID, length), or
 * is NULL when the IE is absent.
 */
static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
					    const u8 *rates)
{
	const u8 *cur, *end;

	if (!rates)
		return;

	/* rates[1] is the IE length; the rate values follow the header */
	for (cur = rates + 2, end = cur + rates[1]; cur < end; cur++) {
		switch (*cur) {
		case BSS_MEMBERSHIP_SELECTOR_HT_PHY:
			params->ht_required = true;
			break;
		case BSS_MEMBERSHIP_SELECTOR_VHT_PHY:
			params->vht_required = true;
			break;
		default:
			break;
		}
	}
}
4326 
4327 /*
4328  * Since the nl80211 API didn't include, from the beginning, attributes about
4329  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4330  * benefit of drivers that rebuild IEs in the firmware.
4331  */
4332 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4333 {
4334 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4335 	size_t ies_len = bcn->tail_len;
4336 	const u8 *ies = bcn->tail;
4337 	const u8 *rates;
4338 	const u8 *cap;
4339 
4340 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4341 	nl80211_check_ap_rate_selectors(params, rates);
4342 
4343 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4344 	nl80211_check_ap_rate_selectors(params, rates);
4345 
4346 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4347 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4348 		params->ht_cap = (void *)(cap + 2);
4349 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4350 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4351 		params->vht_cap = (void *)(cap + 2);
4352 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4353 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4354 		params->he_cap = (void *)(cap + 3);
4355 }
4356 
/*
 * Take over the preset channel of an existing AP/P2P-GO interface on the
 * same wiphy into params->chandef.
 *
 * Returns true when such an interface with a preset channel was found,
 * false otherwise (params->chandef is left untouched).
 */
static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
				   struct cfg80211_ap_settings *params)
{
	struct wireless_dev *other;

	list_for_each_entry(other, &rdev->wiphy.wdev_list, list) {
		bool is_ap = other->iftype == NL80211_IFTYPE_AP ||
			     other->iftype == NL80211_IFTYPE_P2P_GO;

		if (is_ap && other->preset_chandef.chan) {
			params->chandef = other->preset_chandef;
			return true;
		}
	}

	return false;
}
4378 
/*
 * Check whether @auth_type may be used with @cmd on this wiphy.
 *
 * SAE needs NL80211_FEATURE_SAE for AUTHENTICATE and CONNECT and is
 * rejected for START_AP.  The FILS variants need
 * NL80211_EXT_FEATURE_FILS_STA for AUTHENTICATE; for CONNECT only FILS_SK
 * is allowed and it needs NL80211_EXT_FEATURE_FILS_SK_OFFLOAD; START_AP
 * accepts no FILS variant.
 *
 * Returns true when allowed; false for values above NL80211_AUTHTYPE_MAX,
 * unsupported combinations, and commands other than the three handled.
 */
static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
				    enum nl80211_auth_type auth_type,
				    enum nl80211_commands cmd)
{
	const bool is_sae = auth_type == NL80211_AUTHTYPE_SAE;
	const bool is_fils_sk = auth_type == NL80211_AUTHTYPE_FILS_SK;
	const bool is_fils_pfs_or_pk =
		auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
		auth_type == NL80211_AUTHTYPE_FILS_PK;
	const bool is_fils = is_fils_sk || is_fils_pfs_or_pk;
	const bool sae_supported = rdev->wiphy.features & NL80211_FEATURE_SAE;

	if (auth_type > NL80211_AUTHTYPE_MAX)
		return false;

	switch (cmd) {
	case NL80211_CMD_AUTHENTICATE:
		if (is_sae && !sae_supported)
			return false;
		if (is_fils &&
		    !wiphy_ext_feature_isset(&rdev->wiphy,
					     NL80211_EXT_FEATURE_FILS_STA))
			return false;
		return true;
	case NL80211_CMD_CONNECT:
		if (is_sae && !sae_supported)
			return false;

		/* FILS with SK PFS or PK not supported yet */
		if (is_fils_pfs_or_pk)
			return false;
		if (is_fils_sk &&
		    !wiphy_ext_feature_isset(&rdev->wiphy,
					     NL80211_EXT_FEATURE_FILS_SK_OFFLOAD))
			return false;
		return true;
	case NL80211_CMD_START_AP:
		/* neither SAE nor FILS supported yet */
		return !is_sae && !is_fils;
	default:
		return false;
	}
}
4427 
/*
 * NL80211_CMD_START_AP handler: validate the request, build a
 * struct cfg80211_ap_settings and start the AP through the driver.
 *
 * Required attributes are BEACON_INTERVAL, DTIM_PERIOD and BEACON_HEAD;
 * everything else is optional (see the comment in the body on why).  On
 * success the wdev records the chandef, beacon interval, SSID and - with
 * NL80211_ATTR_SOCKET_OWNER - the owning netlink port.
 *
 * Returns 0 on success; -EOPNOTSUPP for a non-AP interface, a driver
 * without start_ap, or a PBSS request on a wiphy without a 60 GHz band;
 * -EALREADY when the AP is already running; -EINVAL for invalid or
 * unsupported attribute combinations; or the error of one of the parse /
 * validation helpers or of rdev_start_ap().
 */
static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_ap_settings params;
	int err;

	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
		return -EOPNOTSUPP;

	if (!rdev->ops->start_ap)
		return -EOPNOTSUPP;

	/* beacon_interval is set below once an AP is running */
	if (wdev->beacon_interval)
		return -EALREADY;

	memset(&params, 0, sizeof(params));

	/* these are required for START_AP */
	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
		return -EINVAL;

	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
	if (err)
		return err;

	params.beacon_interval =
		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
	params.dtim_period =
		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);

	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
					   params.beacon_interval);
	if (err)
		return err;

	/*
	 * In theory, some of these attributes should be required here
	 * but since they were not used when the command was originally
	 * added, keep them optional for old user space programs to let
	 * them continue to work with drivers that do not need the
	 * additional information -- drivers must check!
	 */
	if (info->attrs[NL80211_ATTR_SSID]) {
		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
		params.ssid_len =
			nla_len(info->attrs[NL80211_ATTR_SSID]);
		/* bounds the memcpy() into wdev->ssid further down */
		if (params.ssid_len == 0 ||
		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
		params.hidden_ssid = nla_get_u32(
			info->attrs[NL80211_ATTR_HIDDEN_SSID]);

	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];

	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
		params.auth_type = nla_get_u32(
			info->attrs[NL80211_ATTR_AUTH_TYPE]);
		if (!nl80211_valid_auth_type(rdev, params.auth_type,
					     NL80211_CMD_START_AP))
			return -EINVAL;
	} else
		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;

	err = nl80211_crypto_settings(rdev, info, &params.crypto,
				      NL80211_MAX_NR_CIPHER_SUITES);
	if (err)
		return err;

	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
			return -EOPNOTSUPP;
		params.inactivity_timeout = nla_get_u16(
			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
	}

	/* P2P CT window and opportunistic PS only make sense for a P2P GO */
	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
			return -EINVAL;
		params.p2p_ctwindow =
			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
		if (params.p2p_ctwindow != 0 &&
		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
		u8 tmp;

		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
			return -EINVAL;
		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
		params.p2p_opp_ps = tmp;
		if (params.p2p_opp_ps != 0 &&
		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
			return -EINVAL;
	}

	/*
	 * Channel: explicit from the request, else this wdev's preset,
	 * else the preset of another AP/GO on the same wiphy.
	 */
	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
		err = nl80211_parse_chandef(rdev, info, &params.chandef);
		if (err)
			return err;
	} else if (wdev->preset_chandef.chan) {
		params.chandef = wdev->preset_chandef;
	} else if (!nl80211_get_ap_channel(rdev, &params))
		return -EINVAL;

	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
					   wdev->iftype))
		return -EINVAL;

	if (info->attrs[NL80211_ATTR_TX_RATES]) {
		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
		if (err)
			return err;

		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
					      &params.beacon_rate);
		if (err)
			return err;
	}

	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
		params.smps_mode =
			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
		switch (params.smps_mode) {
		case NL80211_SMPS_OFF:
			break;
		case NL80211_SMPS_STATIC:
			if (!(rdev->wiphy.features &
			      NL80211_FEATURE_STATIC_SMPS))
				return -EINVAL;
			break;
		case NL80211_SMPS_DYNAMIC:
			if (!(rdev->wiphy.features &
			      NL80211_FEATURE_DYNAMIC_SMPS))
				return -EINVAL;
			break;
		default:
			return -EINVAL;
		}
	} else {
		params.smps_mode = NL80211_SMPS_OFF;
	}

	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
		return -EOPNOTSUPP;

	/*
	 * params.acl is heap-allocated from here on; there is no early
	 * return between this point and the kfree() at the end.
	 */
	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
		params.acl = parse_acl_data(&rdev->wiphy, info);
		if (IS_ERR(params.acl))
			return PTR_ERR(params.acl);
	}

	nl80211_calculate_ap_params(&params);

	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;

	wdev_lock(wdev);
	err = rdev_start_ap(rdev, dev, &params);
	if (!err) {
		wdev->preset_chandef = params.chandef;
		wdev->beacon_interval = params.beacon_interval;
		wdev->chandef = params.chandef;
		wdev->ssid_len = params.ssid_len;
		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);

		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
			wdev->conn_owner_nlportid = info->snd_portid;
	}
	wdev_unlock(wdev);

	/* kfree(NULL) is fine when no ACL was given */
	kfree(params.acl);

	return err;
}
4613 
/*
 * NL80211_CMD_SET_BEACON handler: update the beacon of a running
 * AP/P2P-GO interface.
 *
 * Returns -EOPNOTSUPP for other interface types or a driver without
 * change_beacon, -EINVAL when no AP is running, the nl80211_parse_beacon()
 * error, or the result of rdev_change_beacon().
 */
static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_beacon_data beacon;
	int ret;

	if (wdev->iftype != NL80211_IFTYPE_AP &&
	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
		return -EOPNOTSUPP;

	if (!rdev->ops->change_beacon)
		return -EOPNOTSUPP;

	/* beacon_interval is only set while an AP is running */
	if (!wdev->beacon_interval)
		return -EINVAL;

	ret = nl80211_parse_beacon(rdev, info->attrs, &beacon);
	if (ret)
		return ret;

	wdev_lock(wdev);
	ret = rdev_change_beacon(rdev, dev, &beacon);
	wdev_unlock(wdev);

	return ret;
}
4642 
/*
 * NL80211_CMD_STOP_AP handler: delegate to cfg80211_stop_ap() for the
 * target interface.  The meaning of the trailing false argument is
 * defined by cfg80211_stop_ap() (not visible here).
 */
static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev;
	struct net_device *dev;

	rdev = info->user_ptr[0];
	dev = info->user_ptr[1];

	return cfg80211_stop_ap(rdev, dev, false);
}
4650 
/*
 * Policy for the legacy nested NL80211_ATTR_STA_FLAGS attribute parsed by
 * parse_station_flags(); every flag is a presence-only NLA_FLAG.
 */
static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
};
4659 
/*
 * Parse station flags from NL80211_ATTR_STA_FLAGS2 (preferred) or the
 * legacy nested NL80211_ATTR_STA_FLAGS into params->sta_flags_mask and
 * params->sta_flags_set.
 *
 * With STA_FLAGS2 the mask and set come straight from userspace (set is
 * clipped to the mask) and __NL80211_STA_FLAG_INVALID is rejected.  With
 * the legacy attribute the mask is fixed per interface type and only
 * flags up to NL80211_STA_FLAG_MAX_OLD_API are accepted.
 *
 * Returns 0 (also when neither attribute is present) or -EINVAL.
 */
static int parse_station_flags(struct genl_info *info,
			       enum nl80211_iftype iftype,
			       struct station_parameters *params)
{
	struct nlattr *tb[NL80211_STA_FLAG_MAX + 1];
	struct nlattr *attr;
	int flag;

	/*
	 * Try parsing the new attribute first so userspace
	 * can specify both for older kernels.
	 */
	attr = info->attrs[NL80211_ATTR_STA_FLAGS2];
	if (attr) {
		const struct nl80211_sta_flag_update *upd = nla_data(attr);
		u32 invalid = BIT(__NL80211_STA_FLAG_INVALID);

		params->sta_flags_mask = upd->mask;
		params->sta_flags_set = upd->set & upd->mask;
		if ((params->sta_flags_mask | params->sta_flags_set) & invalid)
			return -EINVAL;
		return 0;
	}

	/* if present, parse the old attribute */
	attr = info->attrs[NL80211_ATTR_STA_FLAGS];
	if (!attr)
		return 0;

	if (nla_parse_nested_deprecated(tb, NL80211_STA_FLAG_MAX, attr,
					sta_flags_policy, info->extack))
		return -EINVAL;

	/*
	 * Only allow certain flags for interface types so that
	 * other attributes are silently ignored. Remember that
	 * this is backward compatibility code with old userspace
	 * and shouldn't be hit in other cases anyway.
	 */
	switch (iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_P2P_GO:
		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
					 BIT(NL80211_STA_FLAG_WME) |
					 BIT(NL80211_STA_FLAG_MFP);
		break;
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_STATION:
		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
					 BIT(NL80211_STA_FLAG_TDLS_PEER);
		break;
	case NL80211_IFTYPE_MESH_POINT:
		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
					 BIT(NL80211_STA_FLAG_MFP) |
					 BIT(NL80211_STA_FLAG_AUTHORIZED);
		break;
	default:
		return -EINVAL;
	}

	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
		if (!tb[flag])
			continue;

		params->sta_flags_set |= BIT(flag);

		/* no longer support new API additions in old API */
		if (flag > NL80211_STA_FLAG_MAX_OLD_API)
			return -EINVAL;
	}

	return 0;
}
4736 
/*
 * Emit a nested rate attribute @attr describing @info into @msg.
 *
 * The nest carries the bitrate (32-bit always when non-zero, the legacy
 * 16-bit form only when it fits), a bandwidth flag, and the MCS/NSS/GI
 * details for whichever of HT, VHT or HE the rate uses.
 *
 * Returns true on success.  Returns false when the message runs out of
 * room; the nest is then left open (no nla_nest_cancel()), so callers are
 * expected to discard the message.
 */
bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
{
	struct nlattr *rate;
	u32 bitrate;
	u16 bitrate_compat;
	enum nl80211_rate_info rate_flg;

	rate = nla_nest_start_noflag(msg, attr);
	if (!rate)
		return false;

	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
	bitrate = cfg80211_calculate_bitrate(info);
	/* report 16-bit bitrate only if we can */
	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
	if (bitrate > 0 &&
	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
		return false;
	if (bitrate_compat > 0 &&
	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
		return false;

	/*
	 * 20 MHz (and HE RU) have no width flag; an unknown bw warns and
	 * then falls through into the 20 MHz case
	 */
	switch (info->bw) {
	case RATE_INFO_BW_5:
		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
		break;
	case RATE_INFO_BW_10:
		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
		break;
	default:
		WARN_ON(1);
		/* fall through */
	case RATE_INFO_BW_20:
		rate_flg = 0;
		break;
	case RATE_INFO_BW_40:
		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
		break;
	case RATE_INFO_BW_80:
		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
		break;
	case RATE_INFO_BW_160:
		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
		break;
	case RATE_INFO_BW_HE_RU:
		rate_flg = 0;
		/* an RU allocation only makes sense for an HE rate */
		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
	}

	if (rate_flg && nla_put_flag(msg, rate_flg))
		return false;

	/* at most one of the HT/VHT/HE descriptions is emitted */
	if (info->flags & RATE_INFO_FLAGS_MCS) {
		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
			return false;
		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
			return false;
	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
			return false;
		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
			return false;
		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
			return false;
	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
			return false;
		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
			return false;
		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
			return false;
		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
			return false;
		if (info->bw == RATE_INFO_BW_HE_RU &&
		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
			       info->he_ru_alloc))
			return false;
	}

	nla_nest_end(msg, rate);
	return true;
}
4821 
/*
 * Emit a nested attribute @id with one u8 per-chain signal value for each
 * chain present in @mask; the nested attribute type is the chain index.
 *
 * Returns true on success or when @mask is empty (nothing is emitted);
 * false when the message has no room.  On failure the nest is left open
 * (no nla_nest_cancel()), so callers are presumably expected to discard
 * the message.
 */
static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
			       int id)
{
	void *nest;
	int chain;

	if (!mask)
		return true;

	nest = nla_nest_start_noflag(msg, id);
	if (!nest)
		return false;

	for (chain = 0; chain < IEEE80211_MAX_CHAINS; chain++) {
		if (!(mask & BIT(chain)))
			continue;
		if (nla_put_u8(msg, chain, signal[chain]))
			return false;
	}

	nla_nest_end(msg, nest);

	return true;
}
4847 
/*
 * nl80211_send_station - serialise one station's statistics into @msg
 * @msg: message to append to
 * @cmd: nl80211 command for the header (callers pass NL80211_CMD_NEW_STATION)
 * @portid: destination port id
 * @seq: sequence number
 * @flags: netlink message flags (NLM_F_MULTI for dumps, 0 for a reply)
 * @rdev: the device; its feature bits gate a few of the attributes
 * @dev: the interface the station is on
 * @mac_addr: the station's MAC address
 * @sinfo: the statistics; bits in sinfo->filled select which
 *	NL80211_STA_INFO_* attributes are emitted. Whatever
 *	cfg80211_sinfo_release_content() owns (presumably the pertid array)
 *	is released on every exit path, so the caller must not reuse @sinfo
 *	afterwards without re-filling it.
 *
 * Return: 0 on success; -1 if even the header did not fit; -EMSGSIZE if a
 * later attribute did not, in which case the partial message is cancelled.
 * Callers only test for "< 0".
 */
static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
				u32 seq, int flags,
				struct cfg80211_registered_device *rdev,
				struct net_device *dev,
				const u8 *mac_addr, struct station_info *sinfo)
{
	void *hdr;
	struct nlattr *sinfoattr, *bss_param;

	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
	if (!hdr)
		return -1;

	/* identify interface and station before the STA_INFO nest */
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
		goto nla_put_failure;

	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
	if (!sinfoattr)
		goto nla_put_failure;

	/*
	 * PUT_SINFO emits NL80211_STA_INFO_<attr> from sinfo-><memb> when the
	 * matching bit of sinfo->filled is set. The BUILD_BUG_ON refuses
	 * 64-bit types: those must use PUT_SINFO_U64 below, which goes through
	 * nla_put_u64_64bit() with NL80211_STA_INFO_PAD as the pad attribute.
	 */
#define PUT_SINFO(attr, memb, type) do {				\
	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
			     sinfo->memb))				\
		goto nla_put_failure;					\
	} while (0)
#define PUT_SINFO_U64(attr, memb) do {					\
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
			      sinfo->memb, NL80211_STA_INFO_PAD))	\
		goto nla_put_failure;					\
	} while (0)

	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);

	/*
	 * The 32-bit byte counters are emitted whenever either the 32- or the
	 * 64-bit flavour was filled; the cast truncates. The full 64-bit
	 * values follow as separate attributes when their own bit is set.
	 */
	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
			(u32)sinfo->rx_bytes))
		goto nla_put_failure;

	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
			(u32)sinfo->tx_bytes))
		goto nla_put_failure;

	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
	PUT_SINFO(LLID, llid, u16);
	PUT_SINFO(PLID, plid, u16);
	PUT_SINFO(PLINK_STATE, plink_state, u8);
	PUT_SINFO_U64(RX_DURATION, rx_duration);
	PUT_SINFO_U64(TX_DURATION, tx_duration);

	/* only advertised when the device claims airtime fairness support */
	if (wiphy_ext_feature_isset(&rdev->wiphy,
				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);

	/* signal strength is only reported for devices using the mBm scale */
	switch (rdev->wiphy.signal_type) {
	case CFG80211_SIGNAL_TYPE_MBM:
		PUT_SINFO(SIGNAL, signal, u8);
		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
		break;
	default:
		break;
	}
	/* per-chain values: sinfo->chains says which chains are valid */
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
		if (!nl80211_put_signal(msg, sinfo->chains,
					sinfo->chain_signal,
					NL80211_STA_INFO_CHAIN_SIGNAL))
			goto nla_put_failure;
	}
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
		if (!nl80211_put_signal(msg, sinfo->chains,
					sinfo->chain_signal_avg,
					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
			goto nla_put_failure;
	}
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
					  NL80211_STA_INFO_TX_BITRATE))
			goto nla_put_failure;
	}
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
					  NL80211_STA_INFO_RX_BITRATE))
			goto nla_put_failure;
	}

	PUT_SINFO(RX_PACKETS, rx_packets, u32);
	PUT_SINFO(TX_PACKETS, tx_packets, u32);
	PUT_SINFO(TX_RETRIES, tx_retries, u32);
	PUT_SINFO(TX_FAILED, tx_failed, u32);
	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
	PUT_SINFO(LOCAL_PM, local_pm, u32);
	PUT_SINFO(PEER_PM, peer_pm, u32);
	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);

	/*
	 * BSS parameters are a nest of their own: three optional flags
	 * followed by the DTIM period and beacon interval, which are always
	 * emitted once the nest is opened.
	 */
	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
		bss_param = nla_nest_start_noflag(msg,
						  NL80211_STA_INFO_BSS_PARAM);
		if (!bss_param)
			goto nla_put_failure;

		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
			       sinfo->bss_param.dtim_period) ||
		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
				sinfo->bss_param.beacon_interval))
			goto nla_put_failure;

		nla_nest_end(msg, bss_param);
	}
	/* the flag mask/set pair is copied out as one binary blob */
	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
		    sizeof(struct nl80211_sta_flag_update),
		    &sinfo->sta_flags))
		goto nla_put_failure;

	PUT_SINFO_U64(T_OFFSET, t_offset);
	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
	PUT_SINFO_U64(BEACON_RX, rx_beacon);
	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
	/* ACK signal attributes are gated on the matching extended feature */
	if (wiphy_ext_feature_isset(&rdev->wiphy,
				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
	}

#undef PUT_SINFO
#undef PUT_SINFO_U64

	/*
	 * Per-TID statistics, only when the driver allocated the array. It
	 * has IEEE80211_NUM_TIDS + 1 entries; every entry with a non-zero
	 * filled mask gets its own nest, typed tid + 1 (attribute type 0 is
	 * conventionally left unused).
	 */
	if (sinfo->pertid) {
		struct nlattr *tidsattr;
		int tid;

		tidsattr = nla_nest_start_noflag(msg,
						 NL80211_STA_INFO_TID_STATS);
		if (!tidsattr)
			goto nla_put_failure;

		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
			struct cfg80211_tid_stats *tidstats;
			struct nlattr *tidattr;

			tidstats = &sinfo->pertid[tid];

			if (!tidstats->filled)
				continue;

			tidattr = nla_nest_start_noflag(msg, tid + 1);
			if (!tidattr)
				goto nla_put_failure;

			/* same shape as PUT_SINFO_U64, keyed on tidstats->filled */
#define PUT_TIDVAL_U64(attr, memb) do {					\
	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
			      tidstats->memb, NL80211_TID_STATS_PAD))	\
		goto nla_put_failure;					\
	} while (0)

			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);

#undef PUT_TIDVAL_U64
			if ((tidstats->filled &
			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
						   NL80211_TID_STATS_TXQ_STATS))
				goto nla_put_failure;

			nla_nest_end(msg, tidattr);
		}

		nla_nest_end(msg, tidsattr);
	}

	nla_nest_end(msg, sinfoattr);

	/* the (re)association request IEs sit outside the STA_INFO nest */
	if (sinfo->assoc_req_ies_len &&
	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
		    sinfo->assoc_req_ies))
		goto nla_put_failure;

	cfg80211_sinfo_release_content(sinfo);
	genlmsg_end(msg, hdr);
	return 0;

 nla_put_failure:
	/* release on the error path too, so no caller has to remember */
	cfg80211_sinfo_release_content(sinfo);
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
5058 
/*
 * nl80211_dump_station - NL80211_CMD_GET_STATION in dump mode
 * @skb: the message being filled
 * @cb: netlink dump state; cb->args[2] carries the station index to resume
 *	from across calls
 *
 * Walks the driver's station table by index under the RTNL, emitting one
 * NL80211_CMD_NEW_STATION message per station until the driver reports
 * -ENOENT (end of table) or the message fills up. In both of those cases
 * the next index is saved in cb->args[2] and the number of bytes written
 * is returned so the dump can continue. Any other driver error aborts the
 * dump and is returned as-is.
 *
 * Return: skb->len on (partial) success, or a negative errno.
 */
static int nl80211_dump_station(struct sk_buff *skb,
				struct netlink_callback *cb)
{
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct station_info sinfo;
	u8 mac_addr[ETH_ALEN];
	int sta_idx = cb->args[2];
	int err;

	rtnl_lock();

	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
	if (err)
		goto unlock;

	/* stations live on a netdev; wdev-only interfaces have none */
	if (!wdev->netdev) {
		err = -EINVAL;
		goto unlock;
	}
	if (!rdev->ops->dump_station) {
		err = -EOPNOTSUPP;
		goto unlock;
	}

	for (;;) {
		memset(&sinfo, 0, sizeof(sinfo));
		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
					mac_addr, &sinfo);
		if (err == -ENOENT) {
			/* ran off the end of the table: normal completion */
			break;
		}
		if (err)
			goto unlock;

		err = nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
					   NETLINK_CB(cb->skb).portid,
					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
					   rdev, wdev->netdev, mac_addr,
					   &sinfo);
		if (err < 0) {
			/* message full; resume from this index next round */
			break;
		}

		sta_idx++;
	}

	/* both normal exits: remember where we are, report bytes written */
	cb->args[2] = sta_idx;
	err = skb->len;

unlock:
	rtnl_unlock();
	return err;
}
5111 
/*
 * nl80211_get_station - NL80211_CMD_GET_STATION for a single station
 * @skb: the request skb (unused beyond what genetlink already parsed)
 * @info: parsed request; user_ptr[0]/[1] hold the rdev and netdev
 *
 * Requires NL80211_ATTR_MAC. Asks the driver for that station's statistics
 * and answers with one NL80211_CMD_NEW_STATION message built by
 * nl80211_send_station(), which also releases the sinfo content on every
 * path; the only release done here is for the nlmsg_new() failure that
 * happens before it is called.
 *
 * Return: 0 on success; -EINVAL without a MAC; -EOPNOTSUPP without a
 * get_station op; the driver's error; -ENOMEM if no reply skb could be
 * allocated; -ENOBUFS if the reply did not fit in NLMSG_DEFAULT_SIZE.
 */
static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	struct station_info sinfo;
	struct sk_buff *reply;
	const u8 *mac;
	int err;

	memset(&sinfo, 0, sizeof(sinfo));

	if (!mac_attr)
		return -EINVAL;
	mac = nla_data(mac_attr);

	if (!rdev->ops->get_station)
		return -EOPNOTSUPP;

	err = rdev_get_station(rdev, dev, mac, &sinfo);
	if (err)
		return err;

	reply = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!reply) {
		/* nl80211_send_station() never ran, so release here */
		cfg80211_sinfo_release_content(&sinfo);
		return -ENOMEM;
	}

	err = nl80211_send_station(reply, NL80211_CMD_NEW_STATION,
				   info->snd_portid, info->snd_seq, 0,
				   rdev, dev, mac, &sinfo);
	if (err < 0) {
		nlmsg_free(reply);
		return -ENOBUFS;
	}

	return genlmsg_reply(reply, info);
}
5150 
/*
 * cfg80211_check_station_change - validate a SET_STATION request against
 *	the kind of station it targets
 * @wiphy: the wiphy the station belongs to
 * @params: the requested change as parsed by nl80211_set_station(). It is
 *	adjusted in place in two ways: NL80211_STA_FLAG_TDLS_PEER is dropped
 *	from sta_flags_mask where it cannot change, and opmode_notif_used is
 *	cleared where the attribute has to be ignored. Drivers therefore
 *	must call this before acting on @params.
 * @statype: the driver's classification of the station being changed
 *
 * nl80211 itself cannot tell what kind of station a MAC address refers to,
 * so the driver calls this from its change_station() once it knows. Every
 * check below is a policy statement of the form "this parameter may only
 * change for these station types"; anything else is rejected.
 *
 * Return: 0 when the change is acceptable; -EINVAL for a parameter that
 * cannot be changed for @statype; -EOPNOTSUPP for an MLME-managed AP client
 * when the request is anything other than (un)authorizing it.
 */
int cfg80211_check_station_change(struct wiphy *wiphy,
				  struct station_parameters *params,
				  enum cfg80211_station_type statype)
{
	/*
	 * nl80211_set_station() sets listen_interval and support_p2p_ps to -1
	 * when the attribute was absent; a real value is only acceptable
	 * for an AP client that is not yet associated.
	 */
	if (params->listen_interval != -1 &&
	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
		return -EINVAL;

	if (params->support_p2p_ps != -1 &&
	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
		return -EINVAL;

	/* AID is fixed once associated, except for a TDLS peer's peer AID */
	if (params->aid &&
	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
		return -EINVAL;

	/* When you run into this, adjust the code below for the new flag */
	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);

	/* first pass: which flags may appear in the mask at all */
	switch (statype) {
	case CFG80211_STA_MESH_PEER_KERNEL:
	case CFG80211_STA_MESH_PEER_USER:
		/*
		 * No ignoring the TDLS flag here -- the userspace mesh
		 * code doesn't have the bug of including TDLS in the
		 * mask everywhere.
		 */
		if (params->sta_flags_mask &
				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
				  BIT(NL80211_STA_FLAG_MFP) |
				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
			return -EINVAL;
		break;
	case CFG80211_STA_TDLS_PEER_SETUP:
	case CFG80211_STA_TDLS_PEER_ACTIVE:
		/* a TDLS peer must keep saying it is one */
		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
			return -EINVAL;
		/* ignore since it can't change */
		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
		break;
	default:
		/* disallow mesh-specific things */
		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
			return -EINVAL;
		if (params->local_pm)
			return -EINVAL;
		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
			return -EINVAL;
	}

	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
		/* TDLS can't be set, ... */
		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
			return -EINVAL;
		/*
		 * ... but don't bother the driver with it. This works around
		 * a hostapd/wpa_supplicant issue -- it always includes the
		 * TLDS_PEER flag in the mask even for AP mode.
		 */
		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
	}

	/*
	 * Capabilities and rates describe the peer and are only settable
	 * while the entry is still being set up: an unassociated AP client
	 * or a TDLS peer in setup.
	 */
	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
		/* reject other things that can't change */
		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
			return -EINVAL;
		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
			return -EINVAL;
		if (params->supported_rates)
			return -EINVAL;
		if (params->ext_capab || params->ht_capa || params->vht_capa ||
		    params->he_capa)
			return -EINVAL;
	}

	/* a VLAN assignment only makes sense for an AP's own clients */
	if (statype != CFG80211_STA_AP_CLIENT &&
	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
		if (params->vlan)
			return -EINVAL;
	}

	/* second pass: per-type restrictions on what the mask may contain */
	switch (statype) {
	case CFG80211_STA_AP_MLME_CLIENT:
		/* Use this only for authorizing/unauthorizing a station */
		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
			return -EOPNOTSUPP;
		break;
	case CFG80211_STA_AP_CLIENT:
	case CFG80211_STA_AP_CLIENT_UNASSOC:
		/* accept only the listed bits */
		if (params->sta_flags_mask &
				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
				  BIT(NL80211_STA_FLAG_WME) |
				  BIT(NL80211_STA_FLAG_MFP)))
			return -EINVAL;

		/* but authenticated/associated only if driver handles it */
		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
		    params->sta_flags_mask &
				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
			return -EINVAL;
		break;
	case CFG80211_STA_IBSS:
	case CFG80211_STA_AP_STA:
		/* reject any changes other than AUTHORIZED */
		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
			return -EINVAL;
		break;
	case CFG80211_STA_TDLS_PEER_SETUP:
		/* reject any changes other than AUTHORIZED or WME */
		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
					       BIT(NL80211_STA_FLAG_WME)))
			return -EINVAL;
		/* force (at least) rates when authorizing */
		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
		    !params->supported_rates)
			return -EINVAL;
		break;
	case CFG80211_STA_TDLS_PEER_ACTIVE:
		/* reject any changes */
		return -EINVAL;
	case CFG80211_STA_MESH_PEER_KERNEL:
		/* the kernel drives the peer link state itself */
		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
			return -EINVAL;
		break;
	case CFG80211_STA_MESH_PEER_USER:
		/* userspace-managed peering may only leave it alone or block */
		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
			return -EINVAL;
		break;
	}

	/*
	 * Older kernel versions ignored this attribute entirely, so don't
	 * reject attempts to update it but mark it as unused instead so the
	 * driver won't look at the data.
	 */
	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
	    statype != CFG80211_STA_TDLS_PEER_SETUP)
		params->opmode_notif_used = false;

	return 0;
}
EXPORT_SYMBOL(cfg80211_check_station_change);
5302 
5303 /*
5304  * Get vlan interface making sure it is running and on the right wiphy.
5305  */
5306 static struct net_device *get_vlan(struct genl_info *info,
5307 				   struct cfg80211_registered_device *rdev)
5308 {
5309 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5310 	struct net_device *v;
5311 	int ret;
5312 
5313 	if (!vlanattr)
5314 		return NULL;
5315 
5316 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5317 	if (!v)
5318 		return ERR_PTR(-ENODEV);
5319 
5320 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5321 		ret = -EINVAL;
5322 		goto error;
5323 	}
5324 
5325 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5326 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5327 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5328 		ret = -EINVAL;
5329 		goto error;
5330 	}
5331 
5332 	if (!netif_running(v)) {
5333 		ret = -ENETDOWN;
5334 		goto error;
5335 	}
5336 
5337 	return v;
5338  error:
5339 	dev_put(v);
5340 	return ERR_PTR(ret);
5341 }
5342 
/*
 * Policy for the attributes nested inside NL80211_ATTR_STA_WME. Both are
 * single bytes; their values are range-checked against the WMM QoS-Info
 * bit masks in nl80211_parse_sta_wme(), not here.
 */
static const struct nla_policy
nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
};
5348 
/*
 * nl80211_parse_sta_wme - pick up the optional NL80211_ATTR_STA_WME nest
 * @info: the request
 * @params: station parameters being assembled; uapsd_queues / max_sp are
 *	updated and STATION_PARAM_APPLY_UAPSD is set when the nest is present
 *
 * The two values are validated against the WMM QoS-Info masks whether or not
 * they were just set, so a caller that pre-filled them is checked too.
 *
 * Return: 0 when absent or valid; the nla_parse error; -EINVAL when a value
 * has bits outside its mask.
 */
static int nl80211_parse_sta_wme(struct genl_info *info,
				 struct station_parameters *params)
{
	struct nlattr *wme = info->attrs[NL80211_ATTR_STA_WME];
	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
	int err;

	/* the whole nest is optional */
	if (!wme)
		return 0;

	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, wme,
					  nl80211_sta_wme_policy,
					  info->extack);
	if (err)
		return err;

	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
		params->uapsd_queues =
			nla_get_u8(tb[NL80211_STA_WME_UAPSD_QUEUES]);
	/* only the per-AC bits of the QoS Info field are meaningful */
	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
		return -EINVAL;

	if (tb[NL80211_STA_WME_MAX_SP])
		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
	/* likewise for the max service period length */
	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
		return -EINVAL;

	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
	return 0;
}
5383 
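/*
 * nl80211_parse_sta_channel_info - pick up a TDLS peer's channel lists
 * @info: the request
 * @params: station parameters being assembled
 *
 * Fills supported_channels / supported_oper_classes from the optional
 * NL80211_ATTR_STA_SUPPORTED_CHANNELS and
 * NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES attributes. Both are handed to
 * the driver as raw bytes, so the structural checks here are the only ones
 * at this level. They are done on the attribute's own length, before it is
 * stored in the narrow (u8) length fields of struct station_parameters, so
 * an attribute whose length would not survive that store is rejected
 * instead of being validated on a truncated value. Whether the top-level
 * nla policy also bounds these attributes is not relied on here.
 *
 * Return: 0 on success, -EINVAL when a present attribute is malformed.
 */
static int nl80211_parse_sta_channel_info(struct genl_info *info,
				      struct station_parameters *params)
{
	struct nlattr *attr;
	int len;

	attr = info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS];
	if (attr) {
		len = nla_len(attr);
		/*
		 * Need to include at least one (first channel, number of
		 * channels) tuple for each subband, and must have proper
		 * tuples for the rest of the data as well. The stored
		 * length is a single byte, so anything longer than 255
		 * cannot be represented and is refused as well.
		 */
		if (len < 2 || len % 2 || len > 255)
			return -EINVAL;
		params->supported_channels = nla_data(attr);
		params->supported_channels_len = len;
	}

	attr = info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES];
	if (attr) {
		len = nla_len(attr);
		/*
		 * The value of the Length field of the Supported Operating
		 * Classes element is between 2 and 253.
		 */
		if (len < 2 || len > 253)
			return -EINVAL;
		params->supported_oper_classes = nla_data(attr);
		params->supported_oper_classes_len = len;
	}

	return 0;
}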
5418 
/*
 * nl80211_set_station_tdls - collect the TDLS-peer attributes of a
 *	SET_STATION request
 * @info: the request
 * @params: station parameters being assembled
 *
 * These describe the peer's capabilities. Nothing here decides whether the
 * station actually is a TDLS peer; that is left to
 * cfg80211_check_station_change(), called later by the driver.
 *
 * Return: 0; -EINVAL when the HE capabilities are shorter than
 * NL80211_HE_MIN_CAPABILITY_LEN; or the error from the channel-info or WME
 * parsers.
 */
static int nl80211_set_station_tdls(struct genl_info *info,
				    struct station_parameters *params)
{
	struct nlattr **attrs = info->attrs;
	int err;

	/* Dummy STA entry gets updated once the peer capabilities are known */
	if (attrs[NL80211_ATTR_PEER_AID])
		params->aid = nla_get_u16(attrs[NL80211_ATTR_PEER_AID]);

	if (attrs[NL80211_ATTR_HT_CAPABILITY])
		params->ht_capa = nla_data(attrs[NL80211_ATTR_HT_CAPABILITY]);

	if (attrs[NL80211_ATTR_VHT_CAPABILITY])
		params->vht_capa = nla_data(attrs[NL80211_ATTR_VHT_CAPABILITY]);

	if (attrs[NL80211_ATTR_HE_CAPABILITY]) {
		struct nlattr *he = attrs[NL80211_ATTR_HE_CAPABILITY];

		params->he_capa = nla_data(he);
		params->he_capa_len = nla_len(he);
		/*
		 * Only the fixed minimum length is enforced here.
		 * NOTE(review): any variable-length tail of the element is
		 * not validated at this level; consumers parsing it must
		 * bound against he_capa_len themselves -- confirm on the
		 * driver side.
		 */
		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
			return -EINVAL;
	}

	err = nl80211_parse_sta_channel_info(info, params);
	if (err)
		return err;

	return nl80211_parse_sta_wme(info, params);
}
5448 
/*
 * nl80211_parse_sta_txpower_setting - per-station TX power from a request
 * @info: the request; user_ptr[0] is the rdev
 * @params: station parameters being assembled; txpwr is filled and
 *	STATION_PARAM_APPLY_STA_TXPOWER set when the attribute is present
 *
 * NL80211_ATTR_STA_TX_POWER is only consulted for the LIMITED setting, where
 * it is mandatory; for any other setting it is ignored if present.
 * NOTE(review): the setting value itself is not range-checked here;
 * presumably the top-level nla policy constrains it -- confirm.
 *
 * Return: 0; -EOPNOTSUPP when the device lacks a set_tx_power op or the
 * NL80211_EXT_FEATURE_STA_TX_PWR feature; -EINVAL for LIMITED without a
 * power value.
 */
static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
					     struct station_parameters *params)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct nlattr *setting = info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING];
	struct nlattr *power;

	if (!setting)
		return 0;

	/* both the op and the advertised capability are required */
	if (!rdev->ops->set_tx_power ||
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_STA_TX_PWR))
		return -EOPNOTSUPP;

	params->txpwr.type = nla_get_u8(setting);

	/* a limit without a value makes no sense */
	if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
		power = info->attrs[NL80211_ATTR_STA_TX_POWER];
		if (!power)
			return -EINVAL;
		params->txpwr.power = nla_get_s16(power);
	}

	params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
	return 0;
}
5478 
/*
 * nl80211_set_station - handle NL80211_CMD_SET_STATION
 * @skb: the request skb (unused beyond what genetlink already parsed)
 * @info: parsed request; user_ptr[0]/[1] hold the rdev and netdev
 *
 * Collects every station attribute the command may carry into a
 * station_parameters and hands it to the driver's change_station(). The
 * type-dependent checks (what may change for an AP client, a TDLS peer, a
 * mesh peer, ...) are deliberately not done here: nl80211 does not know
 * what kind of station the MAC refers to, so the driver is expected to call
 * cfg80211_check_station_change() once it does. A VLAN reference taken by
 * get_vlan() is dropped on every path after it was taken.
 *
 * Return: 0 or a negative errno: -EOPNOTSUPP when the driver has no
 * change_station, the interface type cannot carry stations, or airtime
 * weight / TX power are requested without the matching feature; -EINVAL for
 * a missing MAC, bad flags or malformed WME/channel/HE data; otherwise what
 * get_vlan() or the driver returned.
 */
static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct station_parameters params;
	u8 *mac_addr;
	int err;

	memset(&params, 0, sizeof(params));

	if (!rdev->ops->change_station)
		return -EOPNOTSUPP;

	/*
	 * AID and listen_interval properties can be set only for unassociated
	 * station. Include these parameters here and will check them in
	 * cfg80211_check_station_change().
	 */
	if (info->attrs[NL80211_ATTR_STA_AID])
		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);

	/* -1 means "not given"; cfg80211_check_station_change() relies on it */
	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
		params.listen_interval =
		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
	else
		params.listen_interval = -1;

	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
		params.support_p2p_ps =
			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
	else
		params.support_p2p_ps = -1;

	/* the station is identified by MAC; nothing works without it */
	if (!info->attrs[NL80211_ATTR_MAC])
		return -EINVAL;

	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);

	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
		params.supported_rates =
			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
		params.supported_rates_len =
			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
	}

	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
		params.capability =
			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
	}

	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
		params.ext_capab =
			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
		params.ext_capab_len =
			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
	}

	/* fills sta_flags_mask/set; which flags are legal depends on iftype */
	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
		return -EINVAL;

	/* mesh peering controls; rejected for non-mesh types later */
	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
		params.plink_action =
			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);

	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
		params.plink_state =
			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
			params.peer_aid = nla_get_u16(
				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
	}

	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
		params.local_pm = nla_get_u32(
			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);

	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
		params.opmode_notif_used = true;
		params.opmode_notif =
			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
	}

	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
		params.airtime_weight =
			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);

	/* a zero weight is treated as "not requested" by this check */
	if (params.airtime_weight &&
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
		return -EOPNOTSUPP;

	err = nl80211_parse_sta_txpower_setting(info, &params);
	if (err)
		return err;

	/* Include parameters for TDLS peer (will check later) */
	err = nl80211_set_station_tdls(info, &params);
	if (err)
		return err;

	/* from here on params.vlan may hold a reference: no early returns */
	params.vlan = get_vlan(info, rdev);
	if (IS_ERR(params.vlan))
		return PTR_ERR(params.vlan);

	switch (dev->ieee80211_ptr->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_P2P_GO:
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_ADHOC:
	case NL80211_IFTYPE_MESH_POINT:
		break;
	default:
		err = -EOPNOTSUPP;
		goto out_put_vlan;
	}

	/* driver will call cfg80211_check_station_change() */
	err = rdev_change_station(rdev, dev, mac_addr, &params);

 out_put_vlan:
	if (params.vlan)
		dev_put(params.vlan);

	return err;
}
5608 
/*
 * nl80211_new_station - handle NL80211_CMD_NEW_STATION
 * @skb: the request skb (unused beyond what genetlink already parsed)
 * @info: parsed request; user_ptr[0]/[1] hold the rdev and netdev
 *
 * Unlike SET_STATION, the interface type is known here and determines what
 * kind of station can be created, so all type-dependent validation happens
 * in this function before the driver's add_station() is called: AP-like
 * interfaces get AP clients (optionally on a VLAN), mesh points get mesh
 * peers, and station/P2P-client interfaces may only add TDLS peers.
 * Required attributes are MAC, listen interval, supported rates and one of
 * STA_AID / PEER_AID.
 *
 * params.vlan is taken last in the AP branch so that no early return after
 * it needs to drop the reference; the single dev_put() at the end covers
 * both the success and the driver-error path.
 *
 * Return: 0 or a negative errno: -EOPNOTSUPP when the driver cannot add
 * stations, the feature a parameter needs is missing, or the interface
 * type cannot have stations added; -EINVAL for missing or inconsistent
 * attributes; otherwise what get_vlan() or the driver returned.
 */
static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	int err;
	struct net_device *dev = info->user_ptr[1];
	struct station_parameters params;
	u8 *mac_addr = NULL;
	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
			 BIT(NL80211_STA_FLAG_ASSOCIATED);

	memset(&params, 0, sizeof(params));

	if (!rdev->ops->add_station)
		return -EOPNOTSUPP;

	/* mandatory attributes for any new station */
	if (!info->attrs[NL80211_ATTR_MAC])
		return -EINVAL;

	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
		return -EINVAL;

	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
		return -EINVAL;

	/* exactly which AID attribute is used depends on the station kind */
	if (!info->attrs[NL80211_ATTR_STA_AID] &&
	    !info->attrs[NL80211_ATTR_PEER_AID])
		return -EINVAL;

	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
	params.supported_rates =
		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
	params.supported_rates_len =
		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
	params.listen_interval =
		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);

	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
		params.support_p2p_ps =
			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
	} else {
		/*
		 * if not specified, assume it's supported for P2P GO interface,
		 * and is NOT supported for AP interface
		 */
		params.support_p2p_ps =
			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
	}

	/* PEER_AID (TDLS) wins when both are present; AP types reject it below */
	if (info->attrs[NL80211_ATTR_PEER_AID])
		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
	else
		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);

	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
		params.capability =
			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
	}

	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
		params.ext_capab =
			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
		params.ext_capab_len =
			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
	}

	/* HT/VHT are fixed-size blobs; only HE carries its own length */
	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
		params.ht_capa =
			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);

	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
		params.vht_capa =
			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);

	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
		params.he_capa =
			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
		params.he_capa_len =
			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);

		/*
		 * max len is validated in nla policy; only the fixed minimum
		 * is checked here. NOTE(review): any variable-length tail of
		 * the element is left for the consumer to bound against
		 * he_capa_len -- confirm on the driver side.
		 */
		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
		params.opmode_notif_used = true;
		params.opmode_notif =
			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
	}

	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
		params.plink_action =
			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);

	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
		params.airtime_weight =
			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);

	/* a zero weight is treated as "not requested" by this check */
	if (params.airtime_weight &&
	    !wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
		return -EOPNOTSUPP;

	err = nl80211_parse_sta_txpower_setting(info, &params);
	if (err)
		return err;

	err = nl80211_parse_sta_channel_info(info, &params);
	if (err)
		return err;

	err = nl80211_parse_sta_wme(info, &params);
	if (err)
		return err;

	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
		return -EINVAL;

	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
	 * as userspace might just pass through the capabilities from the IEs
	 * directly, rather than enforcing this restriction and returning an
	 * error in this case.
	 */
	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
		params.ht_capa = NULL;
		params.vht_capa = NULL;

		/* HE requires WME */
		if (params.he_capa_len)
			return -EINVAL;
	}

	/* When you run into this, adjust the code below for the new flag */
	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);

	/* the interface type decides what kind of station may be created */
	switch (dev->ieee80211_ptr->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_P2P_GO:
		/* ignore WME attributes if iface/sta is not capable */
		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;

		/* TDLS peers cannot be added */
		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
		    info->attrs[NL80211_ATTR_PEER_AID])
			return -EINVAL;
		/* but don't bother the driver with it */
		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);

		/* allow authenticated/associated only if driver handles it */
		if (!(rdev->wiphy.features &
				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
		    params.sta_flags_mask & auth_assoc)
			return -EINVAL;

		/* Older userspace, or userspace wanting to be compatible with
		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
		 * and assoc flags in the mask, but assumes the station will be
		 * added as associated anyway since this was the required driver
		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
		 * introduced.
		 * In order to not bother drivers with this quirk in the API
		 * set the flags in both the mask and set for new stations in
		 * this case.
		 */
		if (!(params.sta_flags_mask & auth_assoc)) {
			params.sta_flags_mask |= auth_assoc;
			params.sta_flags_set |= auth_assoc;
		}

		/* must be last in here for error handling */
		params.vlan = get_vlan(info, rdev);
		if (IS_ERR(params.vlan))
			return PTR_ERR(params.vlan);
		break;
	case NL80211_IFTYPE_MESH_POINT:
		/* ignore uAPSD data */
		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;

		/* associated is disallowed */
		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
			return -EINVAL;
		/* TDLS peers cannot be added */
		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
		    info->attrs[NL80211_ATTR_PEER_AID])
			return -EINVAL;
		break;
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
		/* ignore uAPSD data */
		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;

		/* these are disallowed */
		if (params.sta_flags_mask &
				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
			return -EINVAL;
		/* Only TDLS peers can be added */
		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
			return -EINVAL;
		/* Can only add if TDLS ... */
		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
			return -EOPNOTSUPP;
		/* ... with external setup is supported */
		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
			return -EOPNOTSUPP;
		/*
		 * Older wpa_supplicant versions always mark the TDLS peer
		 * as authorized, but it shouldn't yet be.
		 */
		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
		break;
	default:
		return -EOPNOTSUPP;
	}

	/* be aware of params.vlan when changing code here */

	err = rdev_add_station(rdev, dev, mac_addr, &params);

	if (params.vlan)
		dev_put(params.vlan);
	return err;
}
5836 
/*
 * nl80211_del_station - remove a station from an AP-like interface
 *
 * Only AP, AP_VLAN, mesh point and P2P GO interfaces may delete stations.
 * NL80211_ATTR_MAC is optional and handed to the driver as given (NULL when
 * absent). The management frame subtype defaults to Deauthentication and the
 * reason code to WLAN_REASON_PREV_AUTH_NOT_VALID (2); both are taken from the
 * request when present and validated there (only Disassoc/Deauth are
 * accepted, reason code 0 is reserved).
 *
 * Return: 0 or the driver's result, -EINVAL on a bad interface type or
 * attribute value, -EOPNOTSUPP if the driver lacks del_station.
 */
static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *subtype_attr = info->attrs[NL80211_ATTR_MGMT_SUBTYPE];
	struct nlattr *reason_attr = info->attrs[NL80211_ATTR_REASON_CODE];
	struct station_del_parameters params;

	memset(&params, 0, sizeof(params));

	/* Optional target address; stays NULL when not supplied */
	if (mac_attr)
		params.mac = nla_data(mac_attr);

	switch (dev->ieee80211_ptr->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_MESH_POINT:
	case NL80211_IFTYPE_P2P_GO:
		break;
	default:
		return -EINVAL;
	}

	if (!rdev->ops->del_station)
		return -EOPNOTSUPP;

	/* Frame subtype: Deauth unless the request says otherwise */
	params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
	if (subtype_attr) {
		params.subtype = nla_get_u8(subtype_attr);
		if (params.subtype != IEEE80211_STYPE_DEAUTH >> 4 &&
		    params.subtype != IEEE80211_STYPE_DISASSOC >> 4)
			return -EINVAL;
	}

	/* Reason code: defaults to 2, and 0 is reserved */
	params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
	if (reason_attr) {
		params.reason_code = nla_get_u16(reason_attr);
		if (!params.reason_code)
			return -EINVAL;
	}

	return rdev_del_station(rdev, dev, &params);
}
5880 
/*
 * nl80211_send_mpath - append one NL80211_CMD_NEW_MPATH message to @msg
 * @msg: message to append to
 * @portid, @seq, @flags: netlink header fields for the new message
 * @dev: mesh interface the path belongs to
 * @dst: destination address of the path (ETH_ALEN bytes)
 * @next_hop: next hop address (ETH_ALEN bytes)
 * @pinfo: path information; only fields flagged in @pinfo->filled are sent
 *
 * Return: 0 on success, -1 if the genetlink header does not fit, -EMSGSIZE
 * if an attribute does not fit (the partial message is cancelled). Callers
 * only test for a negative result.
 */
static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
				int flags, struct net_device *dev,
				u8 *dst, u8 *next_hop,
				struct mpath_info *pinfo)
{
	struct nlattr *pinfoattr;
	void *hdr;

	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
	if (!hdr)
		return -1;

	/* Fixed part: interface, destination, next hop, generation */
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto nla_put_failure;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst))
		goto nla_put_failure;
	if (nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop))
		goto nla_put_failure;
	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
		goto nla_put_failure;

	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
	if (!pinfoattr)
		goto nla_put_failure;

	/* Optional part: emit only what the driver marked as filled */
	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN, pinfo->frame_qlen))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_SN) &&
	    nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_METRIC) &&
	    nla_put_u32(msg, NL80211_MPATH_INFO_METRIC, pinfo->metric))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_EXPTIME) &&
	    nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME, pinfo->exptime))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_FLAGS) &&
	    nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS, pinfo->flags))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
	    nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
			pinfo->discovery_timeout))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
	    nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
		       pinfo->discovery_retries))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
	    nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT, pinfo->hop_count))
		goto nla_put_failure;
	if ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
	    nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
			pinfo->path_change_count))
		goto nla_put_failure;

	nla_nest_end(msg, pinfoattr);
	genlmsg_end(msg, hdr);
	return 0;

 nla_put_failure:
	/* Roll the message back to before our header */
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
5940 
/*
 * nl80211_dump_mpath - dump callback for mesh paths of one interface
 *
 * Iterates the driver's paths by index, starting where the previous call
 * left off (cb->args[2]), and appends one message per path until the driver
 * reports -ENOENT or the message no longer fits. The resume index is stored
 * back into cb->args[2] in both cases.
 *
 * Return: skb->len (bytes produced, possibly 0) on success, a negative errno
 * from the dump preparation or the driver, -EOPNOTSUPP if the driver has no
 * dump_mpath or the interface is not a mesh point.
 */
static int nl80211_dump_mpath(struct sk_buff *skb,
			      struct netlink_callback *cb)
{
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct mpath_info pinfo;
	u8 dst[ETH_ALEN];
	u8 next_hop[ETH_ALEN];
	int path_idx = cb->args[2];	/* resume point from the last chunk */
	int err;

	rtnl_lock();
	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
	if (err)
		goto unlock;

	if (!rdev->ops->dump_mpath ||
	    wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
		err = -EOPNOTSUPP;
		goto unlock;
	}

	for (;;) {
		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
				      next_hop, &pinfo);
		if (err == -ENOENT)
			break;			/* no more paths */
		if (err)
			goto unlock;

		err = nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
					 cb->nlh->nlmsg_seq, NLM_F_MULTI,
					 wdev->netdev, dst, next_hop, &pinfo);
		if (err < 0)
			break;			/* did not fit; resume here */

		path_idx++;
	}

	cb->args[2] = path_idx;
	err = skb->len;
unlock:
	rtnl_unlock();
	return err;
}
5991 
/*
 * nl80211_get_mpath - look up one mesh path and reply with it
 *
 * NL80211_ATTR_MAC (the destination) is mandatory. The driver fills the next
 * hop and path info, which are sent back as a single NEW_MPATH message.
 *
 * Return: 0 (reply sent) or the result of genlmsg_reply(); -EINVAL without a
 * MAC, -EOPNOTSUPP if the driver lacks get_mpath or the interface is not a
 * mesh point, the driver's error, -ENOMEM if no reply skb could be allocated,
 * -ENOBUFS if the reply does not fit.
 */
static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	struct mpath_info pinfo;
	struct sk_buff *msg;
	u8 next_hop[ETH_ALEN];
	u8 *dst;
	int err;

	if (!mac_attr)
		return -EINVAL;
	dst = nla_data(mac_attr);

	if (!rdev->ops->get_mpath ||
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
		return -EOPNOTSUPP;

	/* Start from a clean pinfo so that 'filled' only reflects the driver */
	memset(&pinfo, 0, sizeof(pinfo));
	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
	if (err)
		return err;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	err = nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
				 dev, dst, next_hop, &pinfo);
	if (err < 0) {
		nlmsg_free(msg);
		return -ENOBUFS;
	}

	return genlmsg_reply(msg, info);
}
6031 
/*
 * nl80211_set_mpath - change the next hop of an existing mesh path
 *
 * Both NL80211_ATTR_MAC (destination) and NL80211_ATTR_MPATH_NEXT_HOP are
 * required; the attribute checks come before the capability checks, so a
 * malformed request yields -EINVAL even on an unsupported interface.
 *
 * Return: the driver's result, -EINVAL for a missing attribute, -EOPNOTSUPP
 * if the driver lacks change_mpath or the interface is not a mesh point.
 */
static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *dst_attr = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *hop_attr = info->attrs[NL80211_ATTR_MPATH_NEXT_HOP];

	if (!dst_attr || !hop_attr)
		return -EINVAL;

	if (!rdev->ops->change_mpath ||
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
		return -EOPNOTSUPP;

	return rdev_change_mpath(rdev, dev, nla_data(dst_attr),
				 nla_data(hop_attr));
}
6056 
/*
 * nl80211_new_mpath - add a mesh path with an explicit next hop
 *
 * Both NL80211_ATTR_MAC (destination) and NL80211_ATTR_MPATH_NEXT_HOP are
 * required; the attribute checks come before the capability checks, so a
 * malformed request yields -EINVAL even on an unsupported interface.
 *
 * Return: the driver's result, -EINVAL for a missing attribute, -EOPNOTSUPP
 * if the driver lacks add_mpath or the interface is not a mesh point.
 */
static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *dst_attr = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *hop_attr = info->attrs[NL80211_ATTR_MPATH_NEXT_HOP];

	if (!dst_attr || !hop_attr)
		return -EINVAL;

	if (!rdev->ops->add_mpath ||
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
		return -EOPNOTSUPP;

	return rdev_add_mpath(rdev, dev, nla_data(dst_attr),
			      nla_data(hop_attr));
}
6081 
/*
 * nl80211_del_mpath - delete a mesh path
 *
 * NL80211_ATTR_MAC is optional here; when absent a NULL destination is
 * handed to the driver as is. Unlike the other mpath handlers there is no
 * interface-type check in this function.
 *
 * Return: the driver's result, -EOPNOTSUPP if the driver lacks del_mpath.
 */
static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	u8 *dst = mac_attr ? nla_data(mac_attr) : NULL;

	if (!rdev->ops->del_mpath)
		return -EOPNOTSUPP;

	return rdev_del_mpath(rdev, dev, dst);
}
6096 
/*
 * nl80211_get_mpp - look up one mesh proxy path and reply with it
 *
 * Mirrors nl80211_get_mpath() for proxy entries: NL80211_ATTR_MAC is the
 * proxied destination, the driver fills the mesh proxy point address (sent
 * in the NEXT_HOP slot of the NEW_MPATH message) and the path info.
 *
 * Return: result of genlmsg_reply(); -EINVAL without a MAC, -EOPNOTSUPP if
 * the driver lacks get_mpp or the interface is not a mesh point, the
 * driver's error, -ENOMEM if no reply skb could be allocated, -ENOBUFS if
 * the reply does not fit.
 */
static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	struct mpath_info pinfo;
	struct sk_buff *msg;
	u8 mpp[ETH_ALEN];
	u8 *dst;
	int err;

	if (!mac_attr)
		return -EINVAL;
	dst = nla_data(mac_attr);

	if (!rdev->ops->get_mpp ||
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
		return -EOPNOTSUPP;

	/* Start from a clean pinfo so that 'filled' only reflects the driver */
	memset(&pinfo, 0, sizeof(pinfo));
	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
	if (err)
		return err;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	err = nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
				 dev, dst, mpp, &pinfo);
	if (err < 0) {
		nlmsg_free(msg);
		return -ENOBUFS;
	}

	return genlmsg_reply(msg, info);
}
6136 
/*
 * nl80211_dump_mpp - dump callback for mesh proxy paths of one interface
 *
 * Same shape as nl80211_dump_mpath(): iterate by index from cb->args[2],
 * append one NEW_MPATH message per proxy entry (the proxy address goes in
 * the NEXT_HOP slot), stop on -ENOENT or when the message no longer fits,
 * and store the resume index back into cb->args[2].
 *
 * Return: skb->len on success, a negative errno from the dump preparation
 * or the driver, -EOPNOTSUPP if the driver has no dump_mpp or the interface
 * is not a mesh point.
 */
static int nl80211_dump_mpp(struct sk_buff *skb,
			    struct netlink_callback *cb)
{
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct mpath_info pinfo;
	u8 dst[ETH_ALEN];
	u8 mpp[ETH_ALEN];
	int path_idx = cb->args[2];	/* resume point from the last chunk */
	int err;

	rtnl_lock();
	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
	if (err)
		goto unlock;

	if (!rdev->ops->dump_mpp ||
	    wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
		err = -EOPNOTSUPP;
		goto unlock;
	}

	for (;;) {
		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
				    mpp, &pinfo);
		if (err == -ENOENT)
			break;			/* no more entries */
		if (err)
			goto unlock;

		err = nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
					 cb->nlh->nlmsg_seq, NLM_F_MULTI,
					 wdev->netdev, dst, mpp, &pinfo);
		if (err < 0)
			break;			/* did not fit; resume here */

		path_idx++;
	}

	cb->args[2] = path_idx;
	err = skb->len;
unlock:
	rtnl_unlock();
	return err;
}
6187 
/*
 * nl80211_set_bss - change BSS parameters of an AP or P2P GO
 *
 * Every field of @params starts at -1 ("do not change") and is overwritten
 * only for attributes present in the request. The P2P CT window and
 * opportunistic power save knobs are accepted only on a P2P GO, and a
 * non-zero value only if the wiphy advertises the matching feature flag;
 * those checks run before the generic ops/iftype checks, so they yield
 * -EINVAL rather than -EOPNOTSUPP.
 *
 * Return: the driver's result, -EINVAL for the P2P checks above,
 * -EOPNOTSUPP if the driver lacks change_bss or the interface is neither
 * AP nor P2P GO.
 */
static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr **attrs = info->attrs;
	struct bss_parameters params;
	int err;

	/* -1 everywhere: the driver leaves that parameter alone */
	memset(&params, 0, sizeof(params));
	params.use_cts_prot = -1;
	params.use_short_preamble = -1;
	params.use_short_slot_time = -1;
	params.ap_isolate = -1;
	params.ht_opmode = -1;
	params.p2p_ctwindow = -1;
	params.p2p_opp_ps = -1;

	if (attrs[NL80211_ATTR_BSS_CTS_PROT])
		params.use_cts_prot =
			nla_get_u8(attrs[NL80211_ATTR_BSS_CTS_PROT]);
	if (attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
		params.use_short_preamble =
			nla_get_u8(attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
	if (attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
		params.use_short_slot_time =
			nla_get_u8(attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
	if (attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
		struct nlattr *rates = attrs[NL80211_ATTR_BSS_BASIC_RATES];

		/* points into the request; consumed by the driver synchronously */
		params.basic_rates = nla_data(rates);
		params.basic_rates_len = nla_len(rates);
	}
	if (attrs[NL80211_ATTR_AP_ISOLATE])
		params.ap_isolate =
			!!nla_get_u8(attrs[NL80211_ATTR_AP_ISOLATE]);
	if (attrs[NL80211_ATTR_BSS_HT_OPMODE])
		params.ht_opmode =
			nla_get_u16(attrs[NL80211_ATTR_BSS_HT_OPMODE]);

	if (attrs[NL80211_ATTR_P2P_CTWINDOW]) {
		if (wdev->iftype != NL80211_IFTYPE_P2P_GO)
			return -EINVAL;
		params.p2p_ctwindow =
			nla_get_u8(attrs[NL80211_ATTR_P2P_CTWINDOW]);
		/* a zero window is always fine; enabling it needs the feature */
		if (params.p2p_ctwindow &&
		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
			return -EINVAL;
	}

	if (attrs[NL80211_ATTR_P2P_OPPPS]) {
		if (wdev->iftype != NL80211_IFTYPE_P2P_GO)
			return -EINVAL;
		params.p2p_opp_ps = nla_get_u8(attrs[NL80211_ATTR_P2P_OPPPS]);
		/* switching it off is always fine; enabling needs the feature */
		if (params.p2p_opp_ps &&
		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
			return -EINVAL;
	}

	if (!rdev->ops->change_bss)
		return -EOPNOTSUPP;

	if (wdev->iftype != NL80211_IFTYPE_AP &&
	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
		return -EOPNOTSUPP;

	wdev_lock(wdev);
	err = rdev_change_bss(rdev, dev, &params);
	wdev_unlock(wdev);

	return err;
}
6262 
/*
 * nl80211_req_set_reg - userspace regulatory hint
 *
 * Without NL80211_ATTR_USER_REG_HINT_TYPE the hint is a plain user hint.
 * USER and CELL_BASE hints carry a country code in NL80211_ATTR_REG_ALPHA2;
 * an INDOOR hint is either tied to the requesting socket's portid (when
 * NL80211_ATTR_SOCKET_OWNER is set, with NL80211_ATTR_REG_INDOOR giving the
 * indoor flag) or an unowned "indoor" hint.
 *
 * Return: -EINPROGRESS if no regdomain exists yet, -EINVAL for an unknown
 * hint type or a missing alpha2, otherwise the result of the regulatory
 * hint function.
 */
static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
{
	struct nlattr **attrs = info->attrs;
	enum nl80211_user_reg_hint_type hint_type = NL80211_USER_REG_HINT_USER;
	bool is_indoor = true;
	u32 owner_nlportid = 0;

	/*
	 * Only reachable while a built-in cfg80211 is still initializing,
	 * in the window between nl80211_init() and regulatory_init(), if
	 * that window exists at all.
	 */
	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
		return -EINPROGRESS;

	if (attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
		hint_type = nla_get_u32(attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);

	switch (hint_type) {
	case NL80211_USER_REG_HINT_USER:
	case NL80211_USER_REG_HINT_CELL_BASE:
		if (!attrs[NL80211_ATTR_REG_ALPHA2])
			return -EINVAL;
		return regulatory_hint_user(nla_data(attrs[NL80211_ATTR_REG_ALPHA2]),
					    hint_type);

	case NL80211_USER_REG_HINT_INDOOR:
		/* Owned hint: record the requester and honour its indoor flag */
		if (attrs[NL80211_ATTR_SOCKET_OWNER]) {
			owner_nlportid = info->snd_portid;
			is_indoor = !!attrs[NL80211_ATTR_REG_INDOOR];
		}
		return regulatory_hint_indoor(is_indoor, owner_nlportid);

	default:
		return -EINVAL;
	}
}
6307 
/*
 * nl80211_reload_regdb - ask the regulatory code to reload its database
 *
 * Thin wrapper: @skb and @info are not consulted, the request carries no
 * parameters and the result of reg_reload_regdb() is returned unchanged.
 */
static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
{
	int ret;

	ret = reg_reload_regdb();
	return ret;
}
6312 
/*
 * nl80211_get_mesh_config - reply with the current mesh configuration
 *
 * On a joined mesh (wdev->mesh_id_len != 0) the parameters come from the
 * driver's get_mesh_config; otherwise default_mesh_config is reported.
 * Every parameter is emitted as a nested NL80211_MESHCONF_* attribute under
 * NL80211_ATTR_MESH_CONFIG, using the same types that
 * nl80211_meshconf_params_policy accepts on input.
 *
 * Return: result of genlmsg_reply(); -EOPNOTSUPP if the interface is not a
 * mesh point or the driver lacks get_mesh_config, the driver's error,
 * -ENOMEM if no reply skb could be allocated, -ENOBUFS if the reply does not
 * fit (the skb is freed on that path).
 */
static int nl80211_get_mesh_config(struct sk_buff *skb,
				   struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct mesh_config cur_params;
	int err = 0;
	void *hdr;
	struct nlattr *pinfoattr;
	struct sk_buff *msg;

	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
		return -EOPNOTSUPP;

	if (!rdev->ops->get_mesh_config)
		return -EOPNOTSUPP;

	wdev_lock(wdev);
	/* If not connected, get default parameters */
	if (!wdev->mesh_id_len)
		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
	else
		err = rdev_get_mesh_config(rdev, dev, &cur_params);
	wdev_unlock(wdev);

	if (err)
		return err;

	/* Draw up a netlink message to send back */
	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;
	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_GET_MESH_CONFIG);
	if (!hdr)
		goto out;
	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
	if (!pinfoattr)
		goto nla_put_failure;
	/*
	 * One attribute per mesh_config field; the || chain stops at the
	 * first put that does not fit. Attribute widths (u8/u16/u32/s32)
	 * match the input policy.
	 */
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
			cur_params.dot11MeshRetryTimeout) ||
	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
			cur_params.dot11MeshConfirmTimeout) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
			cur_params.dot11MeshHoldingTimeout) ||
	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
			cur_params.dot11MeshMaxPeerLinks) ||
	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
		       cur_params.dot11MeshMaxRetries) ||
	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
		       cur_params.dot11MeshTTL) ||
	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
		       cur_params.element_ttl) ||
	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
		       cur_params.auto_open_plinks) ||
	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
		       cur_params.dot11MeshHWMPmaxPREQretries) ||
	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
			cur_params.path_refresh_time) ||
	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
			cur_params.min_discovery_timeout) ||
	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
			cur_params.dot11MeshHWMPactivePathTimeout) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
			cur_params.dot11MeshHWMPpreqMinInterval) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
			cur_params.dot11MeshHWMPperrMinInterval) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
		       cur_params.dot11MeshHWMPRootMode) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
			cur_params.dot11MeshHWMPRannInterval) ||
	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
		       cur_params.dot11MeshGateAnnouncementProtocol) ||
	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
		       cur_params.dot11MeshForwarding) ||
	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
			cur_params.rssi_threshold) ||
	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
			cur_params.ht_opmode) ||
	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
			cur_params.dot11MeshHWMProotInterval) ||
	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
			cur_params.dot11MeshHWMPconfirmationInterval) ||
	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
			cur_params.power_mode) ||
	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
			cur_params.dot11MeshAwakeWindowDuration) ||
	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
			cur_params.plink_timeout) ||
	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
		       cur_params.dot11MeshConnectedToMeshGate))
		goto nla_put_failure;
	nla_nest_end(msg, pinfoattr);
	genlmsg_end(msg, hdr);
	return genlmsg_reply(msg, info);

	/* Both failure paths drop the whole skb, so no genlmsg_cancel needed */
 nla_put_failure:
 out:
	nlmsg_free(msg);
	return -ENOBUFS;
}
6422 
/*
 * Policy for the attributes nested inside NL80211_ATTR_MESH_CONFIG, applied
 * by nl80211_parse_mesh_config(). Entries declared as a bare { .type } get
 * only a type/length check here: HT_OPMODE is bit-checked in the parser, and
 * the u32 timeouts PATH_REFRESH_TIME, HWMP_ACTIVE_PATH_TIMEOUT and
 * HWMP_PATH_TO_ROOT_TIMEOUT have their 1..65535 check there as well.
 */
static const struct nla_policy
nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
	[NL80211_MESHCONF_RETRY_TIMEOUT] =
		NLA_POLICY_RANGE(NLA_U16, 1, 255),
	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
		NLA_POLICY_RANGE(NLA_U16, 1, 255),
	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
		NLA_POLICY_RANGE(NLA_U16, 1, 255),
	[NL80211_MESHCONF_MAX_PEER_LINKS] =
		NLA_POLICY_RANGE(NLA_U16, 0, 255),
	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
		NLA_POLICY_RANGE(NLA_U32, 1, 255),
	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
		NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
		NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
		NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
		NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
	/* RSSI threshold is a (negative) dBm value, hence the signed type */
	[NL80211_MESHCONF_RSSI_THRESHOLD] =
		NLA_POLICY_RANGE(NLA_S32, -255, 0),
	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
		NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
		NLA_POLICY_MIN(NLA_U16, 1),
	[NL80211_MESHCONF_POWER_MODE] =
		NLA_POLICY_RANGE(NLA_U32,
				 NL80211_MESH_POWER_ACTIVE,
				 NL80211_MESH_POWER_MAX),
	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
};
6470 
/*
 * Policy for the attributes nested inside NL80211_ATTR_MESH_SETUP, applied
 * by nl80211_parse_mesh_setup(). The NLA_FLAG entries are presence-only
 * switches; NL80211_MESH_SETUP_IE is a binary blob of at most
 * IEEE80211_MAX_DATA_LEN bytes that must also pass validate_ie_attr().
 */
static const struct nla_policy
	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
	[NL80211_MESH_SETUP_IE] =
		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
				       IEEE80211_MAX_DATA_LEN),
	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
};
6484 
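/*
 * nl80211_parse_mesh_config - parse the nested NL80211_ATTR_MESH_CONFIG
 * @info: request; NL80211_ATTR_MESH_CONFIG must be present
 * @cfg: configuration to fill; only fields whose attribute is present are
 *	written, every other field is left untouched
 * @mask_out: if non-NULL, receives one bit per written field, bit (attr - 1)
 *	for attribute @attr
 *
 * Types and most value ranges are enforced by nl80211_meshconf_params_policy.
 * The three u32 timeouts that the policy leaves unbounded are limited to
 * 1..65535 here, and the HT operation mode may only carry the protection,
 * non-GF-STA-present and (tolerated, then cleared) non-HT-STA-present bits.
 *
 * Return: 0 on success, -EINVAL if the attribute is missing, fails the
 * policy, or fails one of the checks above.
 */
static int nl80211_parse_mesh_config(struct genl_info *info,
				     struct mesh_config *cfg,
				     u32 *mask_out)
{
	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
	u32 mask = 0;
	u16 ht_opmode;

/* Copy attr into cfg->param via fn() and record it in mask as bit (attr - 1) */
#define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
do {									\
	if (tb[attr]) {							\
		cfg->param = fn(tb[attr]);				\
		mask |= BIT((attr) - 1);				\
	}								\
} while (0)

	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
		return -EINVAL;
	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX,
					info->attrs[NL80211_ATTR_MESH_CONFIG],
					nl80211_meshconf_params_policy,
					info->extack))
		return -EINVAL;

	/* This makes sure that there aren't more than 32 mesh config
	 * parameters (otherwise our bitfield scheme would not work.) */
	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);

	/* Fill in the params struct */
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
				  NL80211_MESHCONF_HOLDING_TIMEOUT,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
				  NL80211_MESHCONF_MAX_PEER_LINKS,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
				  NL80211_MESHCONF_TTL, nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
				  nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
				  mask,
				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
				  nla_get_u32);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
				  nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
				  NL80211_MESHCONF_PATH_REFRESH_TIME,
				  nla_get_u32);
	/*
	 * The mask stores attribute N as BIT(N - 1), so the range checks
	 * below key off tb[] rather than the mask: testing BIT(N) would look
	 * at the bit of attribute N + 1, which is not set yet at this point,
	 * and the check would never fire.
	 */
	if (tb[NL80211_MESHCONF_PATH_REFRESH_TIME] &&
	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
		return -EINVAL;
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
				  mask,
				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
				  nla_get_u32);
	if (tb[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] &&
	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
		return -EINVAL;
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
				  dot11MeshHWMPnetDiameterTraversalTime, mask,
				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
				  nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
				  NL80211_MESHCONF_RSSI_THRESHOLD,
				  nla_get_s32);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
				  NL80211_MESHCONF_CONNECTED_TO_GATE,
				  nla_get_u8);
	/*
	 * Check HT operation mode based on
	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
	 */
	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);

		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
			return -EINVAL;

		/* NON_HT_STA bit is reserved, but some programs set it */
		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;

		cfg->ht_opmode = ht_opmode;
		/* same bit numbering as FILL_IN_MESH_PARAM_IF_SET */
		mask |= BIT(NL80211_MESHCONF_HT_OPMODE - 1);
	}
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
				  dot11MeshHWMPactivePathToRootTimeout, mask,
				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
				  nla_get_u32);
	if (tb[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] &&
	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
		return -EINVAL;
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
				  mask,
				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
				  nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
	if (mask_out)
		*mask_out = mask;

	return 0;

#undef FILL_IN_MESH_PARAM_IF_SET
}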
6627 
/*
 * nl80211_parse_mesh_setup - parse the nested NL80211_ATTR_MESH_SETUP
 * @info: request; NL80211_ATTR_MESH_SETUP must be present
 * @setup: mesh setup to fill in
 *
 * The three ENABLE_VENDOR_* bytes select the vendor variant when non-zero
 * and the default (neighbor-offset sync, HWMP, airtime metric) otherwise;
 * fields without an attribute keep their previous value except the flags,
 * which are always written. USERSPACE_AMPE implies a userspace MPM, and an
 * AUTH_PROTOCOL is only accepted together with a userspace MPM.
 *
 * Return: 0 on success, -EINVAL if the attribute is missing or fails the
 * policy, if USERSPACE_MPM is requested without
 * NL80211_FEATURE_USERSPACE_MPM, or if AUTH_PROTOCOL is given without a
 * userspace MPM.
 */
static int nl80211_parse_mesh_setup(struct genl_info *info,
				     struct mesh_setup *setup)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
	struct nlattr *attr;

	attr = info->attrs[NL80211_ATTR_MESH_SETUP];
	if (!attr)
		return -EINVAL;
	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, attr,
					nl80211_mesh_setup_params_policy,
					info->extack))
		return -EINVAL;

	attr = tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC];
	if (attr) {
		if (nla_get_u8(attr))
			setup->sync_method = IEEE80211_SYNC_METHOD_VENDOR;
		else
			setup->sync_method = IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
	}

	attr = tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL];
	if (attr) {
		if (nla_get_u8(attr))
			setup->path_sel_proto = IEEE80211_PATH_PROTOCOL_VENDOR;
		else
			setup->path_sel_proto = IEEE80211_PATH_PROTOCOL_HWMP;
	}

	attr = tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC];
	if (attr) {
		if (nla_get_u8(attr))
			setup->path_metric = IEEE80211_PATH_METRIC_VENDOR;
		else
			setup->path_metric = IEEE80211_PATH_METRIC_AIRTIME;
	}

	attr = tb[NL80211_MESH_SETUP_IE];
	if (attr) {
		/* points into the request; length already bounded by the policy */
		setup->ie = nla_data(attr);
		setup->ie_len = nla_len(attr);
	}

	/* A userspace MPM needs driver support */
	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
		return -EINVAL;
	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
	/* Secure (AMPE) setups always run the MPM in userspace */
	if (setup->is_secure)
		setup->user_mpm = true;

	attr = tb[NL80211_MESH_SETUP_AUTH_PROTOCOL];
	if (attr) {
		if (!setup->user_mpm)
			return -EINVAL;
		setup->auth_id = nla_get_u8(attr);
	}

	return 0;
}
6681 
/*
 * nl80211_update_mesh_config - NL80211_CMD_SET_MESH_CONFIG handler
 * @skb: request skb (unused here)
 * @info: genl request; user_ptr[0] is the rdev, user_ptr[1] the netdev
 *
 * Parses the mesh parameters into a stack-local struct mesh_config plus a
 * mask of which fields were given, then hands both to the driver.
 *
 * Returns -EOPNOTSUPP for a non-mesh interface or a driver without
 * update_mesh_config, the parse error, -ENOLINK when the interface has not
 * joined a mesh, otherwise the driver's return value.
 */
6682 static int nl80211_update_mesh_config(struct sk_buff *skb,
6683 				      struct genl_info *info)
6684 {
6685 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6686 	struct net_device *dev = info->user_ptr[1];
6687 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6688 	struct mesh_config cfg;
6689 	u32 mask;
6690 	int err;
6691 
6692 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6693 		return -EOPNOTSUPP;
6694 
6695 	if (!rdev->ops->update_mesh_config)
6696 		return -EOPNOTSUPP;
6697 
	/* cfg/mask are fully owned by this frame; nothing to undo on error */
6698 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6699 	if (err)
6700 		return err;
6701 
	/* mesh_id_len is the "joined" indicator, read under the wdev lock */
6702 	wdev_lock(wdev);
6703 	if (!wdev->mesh_id_len)
6704 		err = -ENOLINK;
6705 
6706 	if (!err)
6707 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6708 
6709 	wdev_unlock(wdev);
6710 
6711 	return err;
6712 }
6713 
/*
 * nl80211_put_regdom - append a regulatory domain to a netlink message
 * @regdom: domain to encode (alpha2, optional DFS region and the rule list)
 * @msg: message being built
 *
 * Each rule becomes a nested attribute under NL80211_ATTR_REG_RULES whose
 * type is the rule's index.  Returns 0 on success or -EMSGSIZE when the
 * message ran out of room; on failure the partially written nest is left
 * open and the caller is expected to discard or cancel the message.
 */
6714 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6715 			      struct sk_buff *msg)
6716 {
6717 	struct nlattr *nl_reg_rules;
6718 	unsigned int i;
6719 
	/* DFS region is only emitted when set (0 == unset) */
6720 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6721 	    (regdom->dfs_region &&
6722 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6723 		goto nla_put_failure;
6724 
6725 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
6726 	if (!nl_reg_rules)
6727 		goto nla_put_failure;
6728 
6729 	for (i = 0; i < regdom->n_reg_rules; i++) {
6730 		struct nlattr *nl_reg_rule;
6731 		const struct ieee80211_reg_rule *reg_rule;
6732 		const struct ieee80211_freq_range *freq_range;
6733 		const struct ieee80211_power_rule *power_rule;
6734 		unsigned int max_bandwidth_khz;
6735 
6736 		reg_rule = &regdom->reg_rules[i];
6737 		freq_range = &reg_rule->freq_range;
6738 		power_rule = &reg_rule->power_rule;
6739 
		/* the rule index doubles as the nested attribute type */
6740 		nl_reg_rule = nla_nest_start_noflag(msg, i);
6741 		if (!nl_reg_rule)
6742 			goto nla_put_failure;
6743 
		/*
		 * A zero max bandwidth in the rule means "auto": report the
		 * value the regulatory code derives from the neighbouring
		 * rules instead.
		 */
6744 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6745 		if (!max_bandwidth_khz)
6746 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6747 								  reg_rule);
6748 
6749 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6750 				reg_rule->flags) ||
6751 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6752 				freq_range->start_freq_khz) ||
6753 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6754 				freq_range->end_freq_khz) ||
6755 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6756 				max_bandwidth_khz) ||
6757 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6758 				power_rule->max_antenna_gain) ||
6759 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6760 				power_rule->max_eirp) ||
6761 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6762 				reg_rule->dfs_cac_ms))
6763 			goto nla_put_failure;
6764 
6765 		nla_nest_end(msg, nl_reg_rule);
6766 	}
6767 
6768 	nla_nest_end(msg, nl_reg_rules);
6769 	return 0;
6770 
6771 nla_put_failure:
6772 	return -EMSGSIZE;
6773 }
6774 
/*
 * nl80211_get_reg_do - NL80211_CMD_GET_REG (non-dump) handler
 * @skb: request skb (unused here)
 * @info: genl request
 *
 * Without NL80211_ATTR_WIPHY the global regulatory domain is returned;
 * with it, the wiphy's private domain if it has one, else the global one.
 * The global domain is RCU-protected and is only dereferenced inside the
 * rcu_read_lock() section below.  The reply message is freed on every
 * failure path.
 *
 * Returns -ENOBUFS when no message could be allocated, the lookup error
 * for an unknown wiphy, -EINVAL for a self-managed wiphy without a private
 * domain, -EMSGSIZE when the message could not be filled, otherwise the
 * result of genlmsg_reply().
 */
6775 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6776 {
6777 	const struct ieee80211_regdomain *regdom = NULL;
6778 	struct cfg80211_registered_device *rdev;
6779 	struct wiphy *wiphy = NULL;
6780 	struct sk_buff *msg;
6781 	void *hdr;
6782 
6783 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6784 	if (!msg)
6785 		return -ENOBUFS;
6786 
6787 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6788 			     NL80211_CMD_GET_REG);
6789 	if (!hdr)
6790 		goto put_failure;
6791 
6792 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6793 		bool self_managed;
6794 
6795 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6796 		if (IS_ERR(rdev)) {
6797 			nlmsg_free(msg);
6798 			return PTR_ERR(rdev);
6799 		}
6800 
6801 		wiphy = &rdev->wiphy;
6802 		self_managed = wiphy->regulatory_flags &
6803 			       REGULATORY_WIPHY_SELF_MANAGED;
		/*
		 * NOTE(review): the private domain is read outside the RCU
		 * section below; whatever protects it (RTNL from the genl
		 * pre_doit, presumably) is not visible here — confirm.
		 */
6804 		regdom = get_wiphy_regdom(wiphy);
6805 
6806 		/* a self-managed-reg device must have a private regdom */
6807 		if (WARN_ON(!regdom && self_managed)) {
6808 			nlmsg_free(msg);
6809 			return -EINVAL;
6810 		}
6811 
		/* the wiphy index is only reported when its own domain is sent */
6812 		if (regdom &&
6813 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6814 			goto nla_put_failure;
6815 	}
6816 
	/* cell-base hint applies to the global domain only */
6817 	if (!wiphy && reg_last_request_cell_base() &&
6818 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6819 			NL80211_USER_REG_HINT_CELL_BASE))
6820 		goto nla_put_failure;
6821 
6822 	rcu_read_lock();
6823 
	/* fall back to the global domain (no wiphy, or wiphy without one) */
6824 	if (!regdom)
6825 		regdom = rcu_dereference(cfg80211_regdomain);
6826 
6827 	if (nl80211_put_regdom(regdom, msg))
6828 		goto nla_put_failure_rcu;
6829 
6830 	rcu_read_unlock();
6831 
6832 	genlmsg_end(msg, hdr);
6833 	return genlmsg_reply(msg, info);
6834 
6835 nla_put_failure_rcu:
6836 	rcu_read_unlock();
6837 nla_put_failure:
6838 put_failure:
6839 	nlmsg_free(msg);
6840 	return -EMSGSIZE;
6841 }
6842 
/*
 * nl80211_send_regdom - emit one regdom record into a dump reply
 * @msg: dump skb being filled
 * @cb: netlink dump callback (source of the portid and consistency seq)
 * @seq: sequence number for the message header
 * @flags: nlmsg flags (NLM_F_MULTI for dumps)
 * @wiphy: owning wiphy, or NULL for the global domain
 * @regdom: domain to encode
 *
 * Returns 0 on success.  Returns -1 when the genl header does not fit and
 * -EMSGSIZE when any attribute does not fit; in the latter case the
 * partial message is cancelled.  Callers only test for "< 0", so the two
 * failure values are interchangeable in practice.
 */
6843 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6844 			       u32 seq, int flags, struct wiphy *wiphy,
6845 			       const struct ieee80211_regdomain *regdom)
6846 {
6847 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6848 				   NL80211_CMD_GET_REG);
6849 
6850 	if (!hdr)
6851 		return -1;
6852 
	/* lets userspace detect that the list changed mid-dump */
6853 	genl_dump_check_consistent(cb, hdr);
6854 
6855 	if (nl80211_put_regdom(regdom, msg))
6856 		goto nla_put_failure;
6857 
	/* the cell-base hint is a property of the global domain only */
6858 	if (!wiphy && reg_last_request_cell_base() &&
6859 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6860 			NL80211_USER_REG_HINT_CELL_BASE))
6861 		goto nla_put_failure;
6862 
6863 	if (wiphy &&
6864 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6865 		goto nla_put_failure;
6866 
6867 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6868 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6869 		goto nla_put_failure;
6870 
6871 	genlmsg_end(msg, hdr);
6872 	return 0;
6873 
6874 nla_put_failure:
6875 	genlmsg_cancel(msg, hdr);
6876 	return -EMSGSIZE;
6877 }
6878 
/*
 * nl80211_get_reg_dump - NL80211_CMD_GET_REG dump handler
 * @skb: reply skb being filled
 * @cb: netlink dump callback; cb->args[2] carries the resume index
 *
 * Walks the global domain (index 0) and then every registered wiphy that
 * has a private domain, all under RTNL.  When the skb fills up the index of
 * the record that did not fit is stored in cb->args[2] so the next call
 * resumes from it.
 *
 * Returns skb->len (the netlink "more data" convention) on success, or
 * a negative error when even the first record of this call did not fit.
 */
6879 static int nl80211_get_reg_dump(struct sk_buff *skb,
6880 				struct netlink_callback *cb)
6881 {
6882 	const struct ieee80211_regdomain *regdom = NULL;
6883 	struct cfg80211_registered_device *rdev;
6884 	int err, reg_idx, start = cb->args[2];
6885 
	/* RTNL protects cfg80211_regdomain and the rdev list walk below */
6886 	rtnl_lock();
6887 
6888 	if (cfg80211_regdomain && start == 0) {
6889 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6890 					  NLM_F_MULTI, NULL,
6891 					  rtnl_dereference(cfg80211_regdomain));
6892 		if (err < 0)
6893 			goto out_err;
6894 	}
6895 
6896 	/* the global regdom is idx 0 */
6897 	reg_idx = 1;
6898 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6899 		regdom = get_wiphy_regdom(&rdev->wiphy);
6899 		if (!regdom)
6900 			continue;
6901 
		/* skip records already delivered by a previous call */
6902 		if (++reg_idx <= start)
6903 			continue;
6904 
6905 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6906 					  NLM_F_MULTI, &rdev->wiphy, regdom);
6907 		if (err < 0) {
			/* this one did not fit; resume with it next time */
6908 			reg_idx--;
6909 			break;
6910 		}
6911 	}
6912 
6913 	cb->args[2] = reg_idx;
6914 	err = skb->len;
6915 out_err:
6916 	rtnl_unlock();
6917 	return err;
6918 }
6920 
6921 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
/*
 * Attribute policy for one nested NL80211_ATTR_REG_RULES entry as sent by
 * CRDA.  Every field is a u32; which of them are mandatory is decided in
 * parse_reg_rule(), not here.
 */
6922 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6923 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
6924 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
6925 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
6926 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
6927 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
6928 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
6929 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
6930 };
6931 
/*
 * parse_reg_rule - convert one validated rule attribute set into a rule
 * @tb: attributes of a single nested NL80211_ATTR_REG_RULES entry, already
 *	run through reg_rule_policy
 * @reg_rule: output rule
 *
 * Flags, frequency range (start, end, max bandwidth) and max EIRP are
 * mandatory; antenna gain and DFS CAC time are optional and left untouched
 * when absent.  No range or ordering checks are done here — NOTE(review):
 * those are presumably applied when the domain is installed by set_regdom();
 * confirm.
 *
 * Returns 0, or -EINVAL when a mandatory attribute is missing.
 */
static int parse_reg_rule(struct nlattr *tb[],
	struct ieee80211_reg_rule *reg_rule)
{
	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
	const struct nlattr *flags_attr = tb[NL80211_ATTR_REG_RULE_FLAGS];
	const struct nlattr *start_attr = tb[NL80211_ATTR_FREQ_RANGE_START];
	const struct nlattr *end_attr = tb[NL80211_ATTR_FREQ_RANGE_END];
	const struct nlattr *bw_attr = tb[NL80211_ATTR_FREQ_RANGE_MAX_BW];
	const struct nlattr *eirp_attr = tb[NL80211_ATTR_POWER_RULE_MAX_EIRP];
	const struct nlattr *gain_attr = tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN];
	const struct nlattr *cac_attr = tb[NL80211_ATTR_DFS_CAC_TIME];

	/* all of these are required for a usable rule */
	if (!flags_attr || !start_attr || !end_attr || !bw_attr || !eirp_attr)
		return -EINVAL;

	reg_rule->flags = nla_get_u32(flags_attr);

	freq_range->start_freq_khz = nla_get_u32(start_attr);
	freq_range->end_freq_khz = nla_get_u32(end_attr);
	freq_range->max_bandwidth_khz = nla_get_u32(bw_attr);

	power_rule->max_eirp = nla_get_u32(eirp_attr);

	/* optional fields: keep whatever the caller initialised */
	if (gain_attr)
		power_rule->max_antenna_gain = nla_get_u32(gain_attr);

	if (cac_attr)
		reg_rule->dfs_cac_ms = nla_get_u32(cac_attr);

	return 0;
}
6971 
/*
 * nl80211_set_reg - NL80211_CMD_SET_REG handler (CRDA pushes a domain)
 * @skb: request skb (unused here)
 * @info: genl request
 *
 * Builds a struct ieee80211_regdomain from NL80211_ATTR_REG_ALPHA2,
 * optional NL80211_ATTR_DFS_REGION and the nested NL80211_ATTR_REG_RULES
 * list, then installs it via set_regdom().  The rule count is bounded to
 * NL80211_MAX_SUPP_REG_RULES before anything is allocated, so the
 * allocation size is bounded by userspace only up to that limit.
 *
 * Ownership: rd is freed here on a parse error; on the set_regdom() path
 * it belongs to set_regdom() regardless of its result (see the comment at
 * the call).
 *
 * Returns -EINVAL for missing/invalid input, -ENOMEM, or set_regdom()'s
 * result.
 */
6972 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6973 {
6974 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6975 	struct nlattr *nl_reg_rule;
6976 	char *alpha2;
6977 	int rem_reg_rules, r;
6978 	u32 num_rules = 0, rule_idx = 0;
6979 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6980 	struct ieee80211_regdomain *rd;
6981 
6982 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6983 		return -EINVAL;
6984 
6985 	if (!info->attrs[NL80211_ATTR_REG_RULES])
6986 		return -EINVAL;
6987 
	/*
	 * Two bytes are read from alpha2 below without a length check.
	 * NOTE(review): relies on the top-level attribute policy
	 * guaranteeing at least 2 bytes of payload — confirm.
	 */
6988 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6989 
6990 	if (info->attrs[NL80211_ATTR_DFS_REGION])
6991 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6992 
	/* first pass: count rules, refusing oversized lists before allocating */
6993 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6994 			    rem_reg_rules) {
6995 		num_rules++;
6996 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6997 			return -EINVAL;
6998 	}
6999 
7000 	if (!reg_is_valid_request(alpha2))
7001 		return -EINVAL;
7002 
	/* kzalloc: unset optional rule fields (gain, CAC time) read as 0 */
7003 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7004 	if (!rd)
7005 		return -ENOMEM;
7006 
7007 	rd->n_reg_rules = num_rules;
7008 	rd->alpha2[0] = alpha2[0];
7009 	rd->alpha2[1] = alpha2[1];
7010 
7011 	/*
7012 	 * Disable DFS master mode if the DFS region was
7013 	 * not supported or known on this kernel.
7014 	 */
7015 	if (reg_supported_dfs_region(dfs_region))
7016 		rd->dfs_region = dfs_region;
7017 
	/* second pass: validate and copy each rule into the allocated slots */
7018 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7019 			    rem_reg_rules) {
7020 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7021 						nl_reg_rule, reg_rule_policy,
7021 						info->extack);
7023 		if (r)
7024 			goto bad_reg;
7025 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7026 		if (r)
7027 			goto bad_reg;
7028 
7029 		rule_idx++;
7030 
		/* defensive: the first pass already bounds rule_idx <= num_rules */
7031 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7032 			r = -EINVAL;
7033 			goto bad_reg;
7034 		}
7035 	}
7036 
7037 	/* set_regdom takes ownership of rd */
7038 	return set_regdom(rd, REGD_SOURCE_CRDA);
7039  bad_reg:
7040 	kfree(rd);
7041 	return r;
7042 }
7043 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7044 
/*
 * validate_scan_freqs - sanity-check a user supplied frequency list
 * @freqs: the NL80211_ATTR_SCAN_FREQUENCIES nested attribute
 *
 * Every entry must be exactly one u32 and no frequency may be listed
 * twice.  Returns the number of entries, or 0 when the list is rejected
 * (callers treat 0 as -EINVAL).  Quadratic in the list length, which is
 * acceptable because the list is a user-provided channel set.
 *
 * The length pass runs to completion before any value is read so that
 * nla_get_u32() is never applied to a short attribute.
 */
static int validate_scan_freqs(struct nlattr *freqs)
{
	struct nlattr *cur, *other;
	int rem_cur, rem_other, count = 0;

	/* pass 1: shape check only, no payload access */
	nla_for_each_nested(cur, freqs, rem_cur) {
		if (nla_len(cur) != sizeof(u32))
			return 0;
	}

	/*
	 * pass 2: count entries and reject duplicates.  Some hardware has a
	 * limited channel list for scanning and scanning a channel twice is
	 * nonsensical, so refusing duplicates here means drivers need not
	 * check that the list is longer than what they can scan, as long as
	 * they can scan all registered channels at once.
	 */
	nla_for_each_nested(cur, freqs, rem_cur) {
		u32 freq = nla_get_u32(cur);

		count++;
		nla_for_each_nested(other, freqs, rem_other) {
			if (other == cur)
				continue;
			if (nla_get_u32(other) == freq)
				return 0;
		}
	}

	return count;
}
7073 
/*
 * is_band_valid - does @wiphy support band @b?
 *
 * Bounds-checks the (userspace supplied) band index before it is used to
 * index wiphy->bands, then reports whether that band is registered.
 */
static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
{
	if (b >= NUM_NL80211_BANDS)
		return false;

	return wiphy->bands[b] != NULL;
}
7078 
/*
 * parse_bss_select - parse NL80211_ATTR_BSS_SELECT into a bss_selection
 * @nla: the NL80211_ATTR_BSS_SELECT attribute
 * @wiphy: wiphy whose band list and bss_select_support are checked
 * @bss_select: output; behaviour plus the behaviour-specific parameter
 *
 * Exactly one behaviour attribute may be given, its band (where it has
 * one) must exist on the wiphy, and the wiphy must advertise support for
 * that behaviour.  Returns 0 or -EINVAL (or the nested parse error).
 */
7079 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7080 			    struct cfg80211_bss_selection *bss_select)
7081 {
7082 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7083 	struct nlattr *nest;
7084 	int err;
7085 	bool found = false;
7086 	int i;
7087 
7088 	/* only process one nested attribute */
7089 	nest = nla_data(nla);
	/*
	 * NOTE(review): nla_ok(nest, remaining) requires nest->nla_len <=
	 * remaining, but remaining here is nla_len(nest), i.e. nest's own
	 * payload length (nla_len minus the header).  As written that
	 * comparison can never hold, so this looks like it should be
	 * nla_len(nla) (the room left inside the container) — confirm
	 * against the attribute policy and the intended message layout.
	 */
7090 	if (!nla_ok(nest, nla_len(nest)))
7091 		return -EINVAL;
7092 
7093 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7094 					  nest, nl80211_bss_select_policy,
7095 					  NULL);
7096 	if (err)
7097 		return err;
7098 
7099 	/* only one attribute may be given */
7100 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7101 		if (attr[i]) {
7102 			if (found)
7103 				return -EINVAL;
7104 			found = true;
7105 		}
7106 	}
7107 
7108 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7109 
7110 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7111 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7112 
7113 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7114 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7115 		bss_select->param.band_pref =
7116 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
		/* band index comes from userspace: bounds-checked before use */
7117 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7118 			return -EINVAL;
7119 	}
7120 
7121 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7122 		struct nl80211_bss_select_rssi_adjust *adj_param;
7123 
		/*
		 * Payload is read as a struct in place.  NOTE(review): relies
		 * on nl80211_bss_select_policy enforcing the struct's length
		 * for this attribute — confirm.
		 */
7124 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7125 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7126 		bss_select->param.adjust.band = adj_param->band;
7127 		bss_select->param.adjust.delta = adj_param->delta;
7128 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7129 			return -EINVAL;
7130 	}
7131 
7132 	/* user-space did not provide behaviour attribute */
7133 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7134 		return -EINVAL;
7135 
	/* behaviour is one of the enum values above, so BIT() stays in range */
7136 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7137 		return -EINVAL;
7138 
7139 	return 0;
7140 }
7141 
/*
 * nl80211_parse_random_mac - parse the random-MAC address/mask pair
 * @attrs: request attributes (NL80211_ATTR_MAC, NL80211_ATTR_MAC_MASK)
 * @mac_addr: output, ETH_ALEN bytes
 * @mac_addr_mask: output, ETH_ALEN bytes; set bits are fixed, clear bits
 *		   are randomised by the driver
 *
 * With neither attribute present the default is address 02:00:00:00:00:00
 * with mask 03:00:00:00:00:00: only the two low bits of the first octet are
 * fixed (locally administered set, I/G clear), everything else is random.
 * With both present the mask must fix the I/G bit (is_multicast_ether_addr()
 * on the mask) and the address must be unicast, so no generated address can
 * be multicast.  Giving only one of the two is an error.
 *
 * Both payloads are copied with a fixed ETH_ALEN length — NOTE(review):
 * relies on the attribute policy enforcing that length; confirm.
 *
 * Returns 0 or -EINVAL.
 */
int nl80211_parse_random_mac(struct nlattr **attrs,
			     u8 *mac_addr, u8 *mac_addr_mask)
{
	const struct nlattr *addr_attr = attrs[NL80211_ATTR_MAC];
	const struct nlattr *mask_attr = attrs[NL80211_ATTR_MAC_MASK];
	int i;

	if (!addr_attr && !mask_attr) {
		/* default: fully random, locally administered, unicast */
		eth_zero_addr(mac_addr);
		eth_zero_addr(mac_addr_mask);
		mac_addr[0] = 0x2;
		mac_addr_mask[0] = 0x3;

		return 0;
	}

	/* need both or none */
	if (!addr_attr || !mask_attr)
		return -EINVAL;

	memcpy(mac_addr, nla_data(addr_attr), ETH_ALEN);
	memcpy(mac_addr_mask, nla_data(mask_attr), ETH_ALEN);

	/* the mask must pin the I/G bit, and the address must be unicast */
	if (is_multicast_ether_addr(mac_addr) ||
	    !is_multicast_ether_addr(mac_addr_mask))
		return -EINVAL;

	/*
	 * Users may pass address bits outside the mask; clear them so
	 * drivers never see fixed bits that are not covered by the mask.
	 */
	for (i = 0; i < ETH_ALEN; i++)
		mac_addr[i] &= mac_addr_mask[i];

	return 0;
}
7178 
/*
 * cfg80211_off_channel_oper_allowed - may @wdev leave its channel?
 *
 * Must be called with the wdev lock held.  Off-channel operation is always
 * fine when nothing on the wdev is beaconing, and when the beaconing
 * interface sits on a channel without IEEE80211_CHAN_RADAR.  Otherwise the
 * answer is delegated to the regulatory pre-CAC rule for the wiphy.
 */
static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
{
	bool radar_chan;

	ASSERT_WDEV_LOCK(wdev);

	if (!cfg80211_beaconing_iface_active(wdev))
		return true;

	radar_chan = wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR;
	if (!radar_chan)
		return true;

	return regulatory_pre_cac_allowed(wdev->wiphy);
}
7191 
/*
 * nl80211_check_scan_feat - is scan flag @flag usable on @wiphy?
 * @flags: the requested NL80211_SCAN_FLAG_* bits
 * @flag: the single flag being checked
 * @feat: the extended feature the driver must advertise for @flag
 *
 * Returns true when the flag was not requested at all, or when it was
 * requested and the wiphy advertises @feat.
 */
static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
				    enum nl80211_ext_feature_index feat)
{
	bool requested = flags & flag;

	return !requested || wiphy_ext_feature_isset(wiphy, feat);
}
7201 
/*
 * nl80211_check_scan_flags - validate NL80211_ATTR_SCAN_FLAGS for a request
 * @wiphy: wiphy whose feature bits are checked
 * @wdev: the requesting wdev, or NULL (net-detect sched scan)
 * @request: either a struct cfg80211_scan_request or a
 *	     struct cfg80211_sched_scan_request, selected by @is_sched_scan;
 *	     its flags, mac_addr and mac_addr_mask fields are written
 * @attrs: request attributes
 * @is_sched_scan: which request type @request points to
 *
 * Every requested flag must be backed by the matching driver feature,
 * otherwise the request is refused.  Random-MAC scanning additionally
 * requires the type-specific randomness feature and, for a wdev, that it
 * is not currently associated.
 *
 * Returns 0 (also when no flags attribute is present), -EOPNOTSUPP for an
 * unsupported flag, or nl80211_parse_random_mac()'s error.
 */
7202 static int
7203 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7204 			 void *request, struct nlattr **attrs,
7205 			 bool is_sched_scan)
7206 {
7207 	u8 *mac_addr, *mac_addr_mask;
7208 	u32 *flags;
7209 	enum nl80211_feature_flags randomness_flag;
7210 
7211 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7212 		return 0;
7213 
	/* the void *request is interpreted purely by is_sched_scan */
7214 	if (is_sched_scan) {
7215 		struct cfg80211_sched_scan_request *req = request;
7216 
		/* no wdev means net-detect (WoWLAN) scheduled scan */
7217 		randomness_flag = wdev ?
7218 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7219 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7220 		flags = &req->flags;
7221 		mac_addr = req->mac_addr;
7222 		mac_addr_mask = req->mac_addr_mask;
7223 	} else {
7224 		struct cfg80211_scan_request *req = request;
7225 
7226 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7227 		flags = &req->flags;
7228 		mac_addr = req->mac_addr;
7229 		mac_addr_mask = req->mac_addr_mask;
7230 	}
7231 
	/* stored before validation; callers discard the request on error */
7232 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7233 
	/* LOW_PRIORITY is a legacy feature bit; the rest are ext features */
7234 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7235 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7236 	    !nl80211_check_scan_feat(wiphy, *flags,
7237 				     NL80211_SCAN_FLAG_LOW_SPAN,
7238 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7239 	    !nl80211_check_scan_feat(wiphy, *flags,
7240 				     NL80211_SCAN_FLAG_LOW_POWER,
7241 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7242 	    !nl80211_check_scan_feat(wiphy, *flags,
7243 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7244 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7245 	    !nl80211_check_scan_feat(wiphy, *flags,
7246 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7247 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7248 	    !nl80211_check_scan_feat(wiphy, *flags,
7249 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7250 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7251 	    !nl80211_check_scan_feat(wiphy, *flags,
7252 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7253 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7254 	    !nl80211_check_scan_feat(wiphy, *flags,
7255 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7256 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7257 	    !nl80211_check_scan_feat(wiphy, *flags,
7258 				     NL80211_SCAN_FLAG_RANDOM_SN,
7259 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7260 	    !nl80211_check_scan_feat(wiphy, *flags,
7261 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7262 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7263 		return -EOPNOTSUPP;
7264 
7265 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7266 		int err;
7267 
		/* a connected wdev keeps its real address; no randomisation */
7268 		if (!(wiphy->features & randomness_flag) ||
7269 		    (wdev && wdev->current_bss))
7270 			return -EOPNOTSUPP;
7271 
7272 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7273 		if (err)
7274 			return err;
7275 	}
7276 
7277 	return 0;
7278 }
7279 
/*
 * nl80211_trigger_scan - NL80211_CMD_TRIGGER_SCAN handler
 * @skb: request skb (unused here)
 * @info: genl request; user_ptr[0] is the rdev, user_ptr[1] the wdev
 *
 * Builds a struct cfg80211_scan_request from the request attributes and
 * hands it to the driver.  Every user-controlled count or length is
 * validated against the wiphy limits (max_scan_ssids, max_scan_ie_len,
 * IEEE80211_MAX_SSID_LEN, the channel list via validate_scan_freqs())
 * before the single backing allocation is sized from them.
 *
 * Memory layout: one kzalloc() holds the request struct, then the channel
 * pointer array, then the SSID array, then the IE bytes.  NOTE(review):
 * the "&request->channels[n_channels]" arithmetic assumes channels[] is
 * the trailing flexible array member of the struct — confirm.
 *
 * Locking: rdev->scan_req/scan_msg are read and written without a visible
 * lock here; NOTE(review): presumably serialised by RTNL taken in the genl
 * pre_doit hook — confirm.  The wdev lock is taken only for the
 * off-channel check.
 *
 * Error handling: all failures after the allocation jump to out_free,
 * which sits inside the final else branch; it clears rdev->scan_req (a
 * no-op unless rdev_scan() failed) and frees the request.  The "unlock"
 * label only returns — nothing is locked at that point; the name is
 * historical.
 *
 * Returns 0 once the driver accepted the scan, -EOPNOTSUPP for NAN
 * interfaces or drivers without a scan op, -EBUSY when a scan is already
 * pending or an off-channel scan is not allowed, -EINVAL/-ENOMEM for bad
 * input or allocation failure, or the driver's error.
 */
7280 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7281 {
7282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7283 	struct wireless_dev *wdev = info->user_ptr[1];
7284 	struct cfg80211_scan_request *request;
7285 	struct nlattr *attr;
7286 	struct wiphy *wiphy;
7287 	int err, tmp, n_ssids = 0, n_channels, i;
7288 	size_t ie_len;
7289 
7290 	wiphy = &rdev->wiphy;
7291 
7292 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7293 		return -EOPNOTSUPP;
7294 
7295 	if (!rdev->ops->scan)
7296 		return -EOPNOTSUPP;
7297 
	/* one scan at a time, and not while the previous result is unsent */
7298 	if (rdev->scan_req || rdev->scan_msg) {
7299 		err = -EBUSY;
7300 		goto unlock;
7301 	}
7302 
	/*
	 * n_channels is an upper bound for the allocation: either the
	 * (length-checked, duplicate-free) user list or everything the
	 * wiphy supports.  Disabled channels are skipped when filling, so
	 * the final count can be smaller.
	 */
7303 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7304 		n_channels = validate_scan_freqs(
7305 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7306 		if (!n_channels) {
7307 			err = -EINVAL;
7308 			goto unlock;
7309 		}
7310 	} else {
7311 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7312 	}
7313 
7314 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7315 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7316 			n_ssids++;
7317 
7318 	if (n_ssids > wiphy->max_scan_ssids) {
7319 		err = -EINVAL;
7320 		goto unlock;
7321 	}
7322 
7323 	if (info->attrs[NL80211_ATTR_IE])
7324 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7325 	else
7326 		ie_len = 0;
7327 
7328 	if (ie_len > wiphy->max_scan_ie_len) {
7329 		err = -EINVAL;
7330 		goto unlock;
7331 	}
7332 
	/* all three counts are bounded by wiphy limits at this point */
7333 	request = kzalloc(sizeof(*request)
7334 			+ sizeof(*request->ssids) * n_ssids
7335 			+ sizeof(*request->channels) * n_channels
7336 			+ ie_len, GFP_KERNEL);
7337 	if (!request) {
7338 		err = -ENOMEM;
7339 		goto unlock;
7340 	}
7341 
	/* carve the ssids and ie regions out of the same allocation */
7342 	if (n_ssids)
7343 		request->ssids = (void *)&request->channels[n_channels];
7344 	request->n_ssids = n_ssids;
7345 	if (ie_len) {
7346 		if (n_ssids)
7347 			request->ie = (void *)(request->ssids + n_ssids);
7348 		else
7349 			request->ie = (void *)(request->channels + n_channels);
7350 	}
7351 
7352 	i = 0;
7353 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7354 		/* user specified, bail out if channel not found */
7355 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7356 			struct ieee80211_channel *chan;
7357 
			/* nla_get_u32 is safe: validate_scan_freqs checked lengths */
7358 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7359 
7360 			if (!chan) {
7361 				err = -EINVAL;
7362 				goto out_free;
7363 			}
7364 
7365 			/* ignore disabled channels */
7366 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7367 				continue;
7368 
7369 			request->channels[i] = chan;
7370 			i++;
7371 		}
7372 	} else {
7373 		enum nl80211_band band;
7374 
7375 		/* all channels */
7376 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7377 			int j;
7378 
7379 			if (!wiphy->bands[band])
7380 				continue;
7381 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7382 				struct ieee80211_channel *chan;
7383 
7384 				chan = &wiphy->bands[band]->channels[j];
7385 
7386 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7387 					continue;
7388 
7389 				request->channels[i] = chan;
7390 				i++;
7391 			}
7392 		}
7393 	}
7394 
	/* everything requested was disabled: nothing to scan */
7395 	if (!i) {
7396 		err = -EINVAL;
7397 		goto out_free;
7398 	}
7399 
7400 	request->n_channels = i;
7401 
	/*
	 * A beaconing interface on a radar channel may only "scan" its own
	 * operating channel; both failure paths drop the lock before the
	 * shared cleanup.
	 */
7402 	wdev_lock(wdev);
7403 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7404 		struct ieee80211_channel *chan;
7405 
7406 		if (request->n_channels != 1) {
7407 			wdev_unlock(wdev);
7408 			err = -EBUSY;
7409 			goto out_free;
7410 		}
7411 
7412 		chan = request->channels[0];
7413 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7414 			wdev_unlock(wdev);
7415 			err = -EBUSY;
7416 			goto out_free;
7417 		}
7418 	}
7419 	wdev_unlock(wdev);
7420 
7421 	i = 0;
7422 	if (n_ssids) {
7423 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
			/* bound the copy into the fixed-size ssid[] first */
7424 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7425 				err = -EINVAL;
7426 				goto out_free;
7427 			}
7428 			request->ssids[i].ssid_len = nla_len(attr);
7429 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7430 			i++;
7431 		}
7432 	}
7433 
	/* ie_len was checked against max_scan_ie_len and sized into the alloc */
7434 	if (info->attrs[NL80211_ATTR_IE]) {
7435 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
		/* the cast drops const: ie is const for drivers, writable here */
7436 		memcpy((void *)request->ie,
7437 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7438 		       request->ie_len);
7439 	}
7440 
	/*
	 * Default rate mask: every bitrate of every band.
	 * NOTE(review): the shift assumes n_bitrates < 32 for each band —
	 * confirm that bands are registered with that bound.
	 */
7441 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7442 		if (wiphy->bands[i])
7443 			request->rates[i] =
7444 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7445 
7446 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7447 		nla_for_each_nested(attr,
7448 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7449 				    tmp) {
			/* attribute type doubles as the band index: bounds-check it */
7450 			enum nl80211_band band = nla_type(attr);
7451 
7452 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7453 				err = -EINVAL;
7454 				goto out_free;
7455 			}
7456 
7457 			if (!wiphy->bands[band])
7458 				continue;
7459 
7460 			err = ieee80211_get_ratemask(wiphy->bands[band],
7461 						     nla_data(attr),
7462 						     nla_len(attr),
7463 						     &request->rates[band]);
7464 			if (err)
7465 				goto out_free;
7466 		}
7467 	}
7468 
7469 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7470 		if (!wiphy_ext_feature_isset(wiphy,
7471 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7472 			err = -EOPNOTSUPP;
7473 			goto out_free;
7474 		}
7475 
7476 		request->duration =
7477 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7478 		request->duration_mandatory =
7479 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7480 	}
7481 
	/* fills request->flags and, for random-MAC scans, mac_addr/mask */
7482 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7483 				       false);
7484 	if (err)
7485 		goto out_free;
7486 
7487 	request->no_cck =
7488 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7489 
7490 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7491 	 * BSSID to scan for. This was problematic because that same attribute
7492 	 * was already used for another purpose (local random MAC address). The
7493 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7494 	 * compatibility with older userspace components, also use the
7495 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7496 	 * the specific BSSID use case instead of the random MAC address
7497 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7498 	 */
	/*
	 * Fixed ETH_ALEN copies from NL80211_ATTR_BSSID / NL80211_ATTR_MAC.
	 * NOTE(review): relies on the attribute policy enforcing that length
	 * — confirm.
	 */
7499 	if (info->attrs[NL80211_ATTR_BSSID])
7500 		memcpy(request->bssid,
7501 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7502 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7503 		 info->attrs[NL80211_ATTR_MAC])
7504 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7505 		       ETH_ALEN);
7506 	else
7507 		eth_broadcast_addr(request->bssid);
7508 
7509 	request->wdev = wdev;
7510 	request->wiphy = &rdev->wiphy;
7511 	request->scan_start = jiffies;
7512 
	/* publish before calling the driver; undone below on failure */
7513 	rdev->scan_req = request;
7514 	err = rdev_scan(rdev, request);
7515 
7516 	if (!err) {
7517 		nl80211_send_scan_start(rdev, wdev);
		/* the netdev is pinned for the duration of the scan */
7518 		if (wdev->netdev)
7519 			dev_hold(wdev->netdev);
7520 	} else {
7521  out_free:
7522 		rdev->scan_req = NULL;
7523 		kfree(request);
7524 	}
7525 
7526  unlock:
7527 	return err;
7528 }
7529 
/*
 * nl80211_abort_scan - NL80211_CMD_ABORT_SCAN handler
 * @skb: request skb (unused here)
 * @info: genl request; user_ptr[0] is the rdev, user_ptr[1] the wdev
 *
 * Asks the driver to abort the running scan.  A scan whose results are
 * already queued for delivery (rdev->scan_msg) is treated as finished and
 * reported as success without calling the driver.
 *
 * Returns -EOPNOTSUPP when the driver has no abort_scan op, -ENOENT when
 * no scan is in progress, otherwise 0.
 */
static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	int ret = -EOPNOTSUPP;

	if (rdev->ops->abort_scan) {
		if (rdev->scan_msg) {
			/* already complete, results pending: nothing to abort */
			ret = 0;
		} else if (!rdev->scan_req) {
			ret = -ENOENT;
		} else {
			rdev_abort_scan(rdev, wdev);
			ret = 0;
		}
	}

	return ret;
}
7547 
/*
 * nl80211_parse_sched_scan_plans - fill request->scan_plans[] from attrs
 * @wiphy: wiphy whose max_sched_scan_plan_interval/iterations bound the plans
 * @n_plans: number of slots in request->scan_plans[]; must be >= 1
 *	     (scan_plans[n_plans - 1] is read unconditionally)
 * @request: request whose scan_plans[] is written
 * @attrs: request attributes
 *
 * Without NL80211_ATTR_SCHED_SCAN_PLANS a single plan is derived from
 * NL80211_ATTR_SCHED_SCAN_INTERVAL (converted with DIV_ROUND_UP by
 * MSEC_PER_SEC and clamped to the wiphy maximum) with infinite iterations.
 * NOTE(review): that attribute is dereferenced without a NULL check — the
 * caller is expected to have required it when PLANS is absent; confirm.
 *
 * With PLANS each entry needs an interval within (0, max]; every plan but
 * the last needs a finite iteration count within (0, max], and the last
 * plan must have none (it runs forever).
 *
 * Returns 0, -EINVAL for any violated bound, or the nested parse error.
 */
7548 static int
7549 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7550 			       struct cfg80211_sched_scan_request *request,
7551 			       struct nlattr **attrs)
7552 {
7553 	int tmp, err, i = 0;
7554 	struct nlattr *attr;
7555 
7556 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7557 		u32 interval;
7558 
7559 		/*
7560 		 * If scan plans are not specified,
7561 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7562 		 * case one scan plan will be set with the specified scan
7563 		 * interval and infinite number of iterations.
7564 		 */
7565 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7566 		if (!interval)
7567 			return -EINVAL;
7568 
		/* ms -> s, rounding up; a sub-second value still yields 1 */
7569 		request->scan_plans[0].interval =
7570 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
7571 		if (!request->scan_plans[0].interval)
7572 			return -EINVAL;
7573 
		/* legacy attribute is clamped rather than rejected */
7574 		if (request->scan_plans[0].interval >
7575 		    wiphy->max_sched_scan_plan_interval)
7576 			request->scan_plans[0].interval =
7577 				wiphy->max_sched_scan_plan_interval;
7578 
7579 		return 0;
7580 	}
7581 
7582 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7583 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7584 
		/* the caller counted the plans; never write past the array */
7585 		if (WARN_ON(i >= n_plans))
7586 			return -EINVAL;
7587 
7588 		err = nla_parse_nested_deprecated(plan,
7589 						  NL80211_SCHED_SCAN_PLAN_MAX,
7590 						  attr, nl80211_plan_policy,
7591 						  NULL);
7592 		if (err)
7593 			return err;
7594 
7595 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7596 			return -EINVAL;
7597 
		/* explicit plans are rejected, not clamped, when out of range */
7598 		request->scan_plans[i].interval =
7599 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7600 		if (!request->scan_plans[i].interval ||
7601 		    request->scan_plans[i].interval >
7602 		    wiphy->max_sched_scan_plan_interval)
7603 			return -EINVAL;
7604 
7605 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7606 			request->scan_plans[i].iterations =
7607 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7608 			if (!request->scan_plans[i].iterations ||
7609 			    (request->scan_plans[i].iterations >
7610 			     wiphy->max_sched_scan_plan_iterations))
7611 				return -EINVAL;
7612 		} else if (i < n_plans - 1) {
7613 			/*
7614 			 * All scan plans but the last one must specify
7615 			 * a finite number of iterations
7616 			 */
7617 			return -EINVAL;
7618 		}
7619 
7620 		i++;
7621 	}
7621 
7623 	/*
7624 	 * The last scan plan must not specify the number of
7625 	 * iterations, it is supposed to run infinitely
7626 	 */
7627 	if (request->scan_plans[n_plans - 1].iterations)
7628 		return  -EINVAL;
7629 
7630 	return 0;
7631 }
7632 
/*
 * nl80211_parse_sched_scan_per_band_rssi - per-band RSSI thresholds
 * @wiphy: wiphy whose ext features decide whether per-band values are allowed
 * @match_sets: match set whose per_band_rssi_thold[] is filled
 * @tb_band_rssi: the NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI nest, or NULL
 * @rssi_thold: the match set's global threshold, used as the per-band default
 *
 * Without NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD a
 * per-band attribute is refused and every band is set to
 * NL80211_SCAN_RSSI_THOLD_OFF.  With the feature every band starts at
 * @rssi_thold and each nested entry (attribute type == band index)
 * overrides its band.
 *
 * Returns 0, -EOPNOTSUPP when per-band values are given but unsupported,
 * or -EINVAL for an out-of-range band index.
 */
7633 static int
7634 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
7635 				       struct cfg80211_match_set *match_sets,
7636 				       struct nlattr *tb_band_rssi,
7637 				       s32 rssi_thold)
7638 {
7639 	struct nlattr *attr;
7640 	int i, tmp, ret = 0;
7641 
7642 	if (!wiphy_ext_feature_isset(wiphy,
7643 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
7644 		if (tb_band_rssi)
7645 			ret = -EOPNOTSUPP;
7646 		else
7647 			for (i = 0; i < NUM_NL80211_BANDS; i++)
7648 				match_sets->per_band_rssi_thold[i] =
7649 					NL80211_SCAN_RSSI_THOLD_OFF;
7650 		return ret;
7651 	}

	/* NOTE(review): nla_for_each_nested() below is not NULL-safe; the
	 * caller is presumably only passing a NULL tb_band_rssi on the
	 * unsupported path above — confirm.
	 */
7652 
7653 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7654 		match_sets->per_band_rssi_thold[i] = rssi_thold;
7655 
7656 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
		/* the attribute type is the band index; bounds-check before use */
7657 		enum nl80211_band band = nla_type(attr);
7658 
7659 		if (band < 0 || band >= NUM_NL80211_BANDS)
7660 			return -EINVAL;
7661 
		/*
		 * nla_get_s32() reads 4 bytes without a length check here.
		 * NOTE(review): relies on the match policy validating the
		 * nested entries as NLA_S32 — confirm.
		 */
7662 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
7663 	}
7664 
7665 	return 0;
7666 }
7667 
/*
 * nl80211_parse_sched_scan - build a scheduled-scan request from netlink
 * @wiphy: wiphy the request is for; its max_sched_scan_ssids,
 *	max_sched_scan_ie_len and max_sched_scan_plans bound the request
 * @wdev: interface, passed through to nl80211_check_scan_flags()
 * @attrs: parsed top-level NL80211_ATTR_* attributes
 * @max_match_sets: upper bound on the number of SSID/BSSID match sets
 *
 * Everything (channels, ssids, ie, match_sets, scan_plans) is carved out
 * of ONE kzalloc() in that order, so the whole request is released with a
 * single kfree() - see the pointer setup right after the allocation.
 *
 * Return: the request, or an ERR_PTR() on validation/allocation failure.
 * Nothing is retained on failure; on success the caller owns the request.
 */
static struct cfg80211_sched_scan_request *
nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
			 struct nlattr **attrs, int max_match_sets)
{
	struct cfg80211_sched_scan_request *request;
	struct nlattr *attr;
	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
	enum nl80211_band band;
	size_t ie_len;
	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;

	/*
	 * n_channels is only an allocation upper bound: disabled channels are
	 * dropped when the array is filled below, and request->n_channels is
	 * set to the count actually stored.
	 */
	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
		n_channels = validate_scan_freqs(
				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
		if (!n_channels)
			return ERR_PTR(-EINVAL);
	} else {
		n_channels = ieee80211_get_num_supported_channels(wiphy);
	}

	if (attrs[NL80211_ATTR_SCAN_SSIDS])
		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
				    tmp)
			n_ssids++;

	/* the driver's SSID list capacity is the hard limit */
	if (n_ssids > wiphy->max_sched_scan_ssids)
		return ERR_PTR(-EINVAL);

	/*
	 * First, count the number of 'real' matchsets. Due to an issue with
	 * the old implementation, matchsets containing only the RSSI attribute
	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
	 * RSSI for all matchsets, rather than their own matchset for reporting
	 * all APs with a strong RSSI. This is needed to be compatible with
	 * older userspace that treated a matchset with only the RSSI as the
	 * global RSSI for all other matchsets - if there are other matchsets.
	 */
	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
		nla_for_each_nested(attr,
				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
				    tmp) {
			struct nlattr *rssi;

			err = nla_parse_nested_deprecated(tb,
							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
							  attr,
							  nl80211_match_policy,
							  NULL);
			if (err)
				return ERR_PTR(err);

			/* SSID and BSSID are mutually exclusive */
			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
				return ERR_PTR(-EINVAL);

			/* add other standalone attributes here */
			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
				n_match_sets++;
				continue;
			}
			/* RSSI-only set: becomes the default, not a matchset */
			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
			if (rssi)
				default_match_rssi = nla_get_s32(rssi);
		}
	}

	/* However, if there's no other matchset, add the RSSI one */
	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
		n_match_sets = 1;

	if (n_match_sets > max_match_sets)
		return ERR_PTR(-EINVAL);

	if (attrs[NL80211_ATTR_IE])
		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
	else
		ie_len = 0;

	/* bounds the trailing IE copy against the driver's limit */
	if (ie_len > wiphy->max_sched_scan_ie_len)
		return ERR_PTR(-EINVAL);

	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
		/*
		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
		 * each scan plan already specifies its own interval
		 */
		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
			return ERR_PTR(-EINVAL);

		nla_for_each_nested(attr,
				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
			n_plans++;
	} else {
		/*
		 * The scan interval attribute is kept for backward
		 * compatibility. If no scan plans are specified and sched scan
		 * interval is specified, one scan plan will be set with this
		 * scan interval and infinite number of iterations.
		 */
		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
			return ERR_PTR(-EINVAL);

		n_plans = 1;
	}

	/* an empty plan list is rejected, as is exceeding the driver limit */
	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
		return ERR_PTR(-EINVAL);

	/* relative-RSSI attributes are only accepted if the driver supports them */
	if (!wiphy_ext_feature_isset(
		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
		return ERR_PTR(-EINVAL);

	/*
	 * Single allocation. Every count used here has been checked against a
	 * wiphy limit above, so the size is bounded by driver-advertised
	 * values rather than by what userspace sent.
	 */
	request = kzalloc(sizeof(*request)
			+ sizeof(*request->ssids) * n_ssids
			+ sizeof(*request->match_sets) * n_match_sets
			+ sizeof(*request->scan_plans) * n_plans
			+ sizeof(*request->channels) * n_channels
			+ ie_len, GFP_KERNEL);
	if (!request)
		return ERR_PTR(-ENOMEM);

	/*
	 * Lay the variable-length parts out after the fixed struct:
	 * channels[] (the flexible member), then ssids, ie, match_sets,
	 * scan_plans. Each pointer is only set when its count is non-zero,
	 * so the "previous non-empty section" chain below must be followed
	 * in exactly this order.
	 */
	if (n_ssids)
		request->ssids = (void *)&request->channels[n_channels];
	request->n_ssids = n_ssids;
	if (ie_len) {
		if (n_ssids)
			request->ie = (void *)(request->ssids + n_ssids);
		else
			request->ie = (void *)(request->channels + n_channels);
	}

	if (n_match_sets) {
		if (request->ie)
			request->match_sets = (void *)(request->ie + ie_len);
		else if (n_ssids)
			request->match_sets =
				(void *)(request->ssids + n_ssids);
		else
			request->match_sets =
				(void *)(request->channels + n_channels);
	}
	request->n_match_sets = n_match_sets;

	if (n_match_sets)
		request->scan_plans = (void *)(request->match_sets +
					       n_match_sets);
	else if (request->ie)
		request->scan_plans = (void *)(request->ie + ie_len);
	else if (n_ssids)
		request->scan_plans = (void *)(request->ssids + n_ssids);
	else
		request->scan_plans = (void *)(request->channels + n_channels);

	request->n_scan_plans = n_plans;

	i = 0;
	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
		/* user specified, bail out if channel not found */
		nla_for_each_nested(attr,
				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
				    tmp) {
			struct ieee80211_channel *chan;

			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));

			if (!chan) {
				err = -EINVAL;
				goto out_free;
			}

			/* ignore disabled channels */
			if (chan->flags & IEEE80211_CHAN_DISABLED)
				continue;

			request->channels[i] = chan;
			i++;
		}
	} else {
		/* all channels */
		for (band = 0; band < NUM_NL80211_BANDS; band++) {
			int j;

			if (!wiphy->bands[band])
				continue;
			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
				struct ieee80211_channel *chan;

				chan = &wiphy->bands[band]->channels[j];

				if (chan->flags & IEEE80211_CHAN_DISABLED)
					continue;

				request->channels[i] = chan;
				i++;
			}
		}
	}

	/* nothing left to scan once disabled channels are dropped */
	if (!i) {
		err = -EINVAL;
		goto out_free;
	}

	request->n_channels = i;

	i = 0;
	if (n_ssids) {
		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
				    tmp) {
			/* ssid[] is a fixed IEEE80211_MAX_SSID_LEN buffer */
			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
				err = -EINVAL;
				goto out_free;
			}
			request->ssids[i].ssid_len = nla_len(attr);
			memcpy(request->ssids[i].ssid, nla_data(attr),
			       nla_len(attr));
			i++;
		}
	}

	i = 0;
	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
		nla_for_each_nested(attr,
				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
				    tmp) {
			struct nlattr *ssid, *bssid, *rssi;

			err = nla_parse_nested_deprecated(tb,
							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
							  attr,
							  nl80211_match_policy,
							  NULL);
			if (err)
				goto out_free;
			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];

			/*
			 * NOTE(review): an RSSI-only matchset was NOT counted in
			 * n_match_sets by the first pass, yet it advances i here.
			 * With an RSSI-only set listed before an SSID/BSSID set,
			 * the WARN_ON(i >= n_match_sets) below looks reachable
			 * from userspace, and the "i == 0 && n_match_sets"
			 * fallback after the loop looks unreachable (an RSSI-only
			 * set alone leaves match_sets[0] zero-filled). Confirm the
			 * intended accounting before relying on either.
			 */
			if (!ssid && !bssid) {
				i++;
				continue;
			}

			if (WARN_ON(i >= n_match_sets)) {
				/* this indicates a programming error,
				 * the loop above should have verified
				 * things properly
				 */
				err = -EINVAL;
				goto out_free;
			}

			if (ssid) {
				/* bound the copy into the fixed ssid[] buffer */
				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
					err = -EINVAL;
					goto out_free;
				}
				memcpy(request->match_sets[i].ssid.ssid,
				       nla_data(ssid), nla_len(ssid));
				request->match_sets[i].ssid.ssid_len =
					nla_len(ssid);
			}
			if (bssid) {
				/* exactly one MAC address, no more, no less */
				if (nla_len(bssid) != ETH_ALEN) {
					err = -EINVAL;
					goto out_free;
				}
				memcpy(request->match_sets[i].bssid,
				       nla_data(bssid), ETH_ALEN);
			}

			/* special attribute - old implementation w/a */
			request->match_sets[i].rssi_thold = default_match_rssi;
			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
			if (rssi)
				request->match_sets[i].rssi_thold =
					nla_get_s32(rssi);

			/*
			 * Parse per band RSSI attribute; the set's own
			 * rssi_thold is the default for every band.
			 */
			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
				&request->match_sets[i],
				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
				request->match_sets[i].rssi_thold);
			if (err)
				goto out_free;

			i++;
		}

		/* there was no other matchset, so the RSSI one is alone */
		if (i == 0 && n_match_sets)
			request->match_sets[0].rssi_thold = default_match_rssi;

		/* lowest threshold over all sets, INT_MAX if there are none */
		request->min_rssi_thold = INT_MAX;
		for (i = 0; i < n_match_sets; i++)
			request->min_rssi_thold =
				min(request->match_sets[i].rssi_thold,
				    request->min_rssi_thold);
	} else {
		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
	}

	/* ie_len was checked against max_sched_scan_ie_len above */
	if (ie_len) {
		request->ie_len = ie_len;
		memcpy((void *)request->ie,
		       nla_data(attrs[NL80211_ATTR_IE]),
		       request->ie_len);
	}

	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
	if (err)
		goto out_free;

	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
		request->delay =
			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);

	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
		request->relative_rssi = nla_get_s8(
			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
		request->relative_rssi_set = true;
	}

	/* RSSI_ADJUST is only meaningful together with RELATIVE_RSSI */
	if (request->relative_rssi_set &&
	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
		struct nl80211_bss_select_rssi_adjust *rssi_adjust;

		/*
		 * NOTE(review): the attribute is read as a struct without a
		 * length check here; presumably nl80211_policy enforces the
		 * minimum length - verify.
		 */
		rssi_adjust = nla_data(
			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
		request->rssi_adjust.band = rssi_adjust->band;
		request->rssi_adjust.delta = rssi_adjust->delta;
		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
			err = -EINVAL;
			goto out_free;
		}
	}

	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
	if (err)
		goto out_free;

	request->scan_start = jiffies;

	return request;

out_free:
	/* single allocation, so one kfree() releases every section */
	kfree(request);
	return ERR_PTR(err);
}
8021 
/*
 * NL80211_CMD_START_SCHED_SCAN handler: parse a scheduled-scan request
 * and hand it to the driver.
 *
 * Returns 0 on success or a negative errno. A request the driver refused
 * is freed here; an accepted one is registered with cfg80211 and
 * announced to userspace.
 */
static int nl80211_start_sched_scan(struct sk_buff *skb,
				    struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_sched_scan_request *req;
	bool multi = !!info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
	int ret;

	/* driver must advertise sched scan and implement the start op */
	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
		return -EOPNOTSUPP;

	ret = cfg80211_sched_scan_req_possible(rdev, multi);
	if (ret)
		return ret;

	req = nl80211_parse_sched_scan(&rdev->wiphy, wdev, info->attrs,
				       rdev->wiphy.max_match_sets);
	if (IS_ERR(req))
		return PTR_ERR(req);

	/*
	 * A non-zero reqid names the request to userspace when the driver
	 * supports several scheduled scans at once; the legacy single-request
	 * case, and drivers without that support, keep reqid == 0.
	 */
	if (multi && rdev->wiphy.max_sched_scan_reqs > 1) {
		while (!req->reqid)
			req->reqid = cfg80211_assign_cookie(rdev);
	}

	ret = rdev_sched_scan_start(rdev, dev, req);
	if (ret) {
		kfree(req);
		return ret;
	}

	req->dev = dev;
	req->wiphy = &rdev->wiphy;

	/*
	 * With SOCKET_OWNER the request remembers the starting socket's
	 * port id (the stop path compares against it).
	 */
	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
		req->owner_nlportid = info->snd_portid;

	cfg80211_add_sched_scan_req(rdev, req);
	nl80211_send_sched_scan(req, NL80211_CMD_START_SCHED_SCAN);
	return 0;
}
8076 
/*
 * NL80211_CMD_STOP_SCHED_SCAN handler.
 *
 * With NL80211_ATTR_COOKIE the request identified by that cookie is
 * stopped; otherwise the first (legacy, reqid 0) request is stopped,
 * but only if it is not owned by a different netlink socket.
 *
 * Returns 0 on success or a negative errno (-ENOENT when no matching
 * request exists or the caller may not stop it).
 */
static int nl80211_stop_sched_scan(struct sk_buff *skb,
				   struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct nlattr *cookie_attr = info->attrs[NL80211_ATTR_COOKIE];
	struct cfg80211_sched_scan_request *req;

	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
		return -EOPNOTSUPP;

	/* explicit cookie: stop exactly that request */
	if (cookie_attr)
		return __cfg80211_stop_sched_scan(rdev, nla_get_u64(cookie_attr),
						  false);

	/* legacy path: the first request, which must carry reqid 0 */
	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
				     struct cfg80211_sched_scan_request,
				     list);
	if (!req || req->reqid)
		return -ENOENT;

	/* an owned request is only stoppable by the socket that started it */
	if (req->owner_nlportid && req->owner_nlportid != info->snd_portid)
		return -ENOENT;

	return cfg80211_stop_sched_scan_req(rdev, req, false);
}
8102 
/*
 * NL80211_CMD_RADAR_DETECT handler: start a Channel Availability Check
 * on the requested chandef.
 *
 * The checks are deliberately ordered (regulatory, chandef, busy state,
 * DFS applicability, driver capability); callers see the first failing
 * one's errno. On success the CAC state is recorded on the wdev.
 */
static int nl80211_start_radar_detection(struct sk_buff *skb,
					 struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct wiphy *wiphy = wdev->wiphy;
	struct cfg80211_chan_def chandef;
	unsigned int cac_ms;
	int dfs_required, ret;

	/* without a DFS region there are no CAC rules to apply */
	if (reg_get_dfs_region(wiphy) == NL80211_DFS_UNSET)
		return -EINVAL;

	ret = nl80211_parse_chandef(rdev, info, &chandef);
	if (ret)
		return ret;

	/* refuse while the link is up or another CAC is already running */
	if (netif_carrier_ok(dev) || wdev->cac_started)
		return -EBUSY;

	dfs_required = cfg80211_chandef_dfs_required(wiphy, &chandef,
						     wdev->iftype);
	if (dfs_required < 0)
		return dfs_required;

	/* a CAC only makes sense on a channel that actually requires DFS ... */
	if (!dfs_required)
		return -EINVAL;

	/* ... and which cfg80211 considers usable for one right now */
	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
		return -EINVAL;

	/* CAC start is offloaded to HW and can't be started manually */
	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
		return -EOPNOTSUPP;

	if (!rdev->ops->start_radar_detection)
		return -EOPNOTSUPP;

	/* a zero CAC time would be a regulatory-data bug; fall back to the minimum */
	cac_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
	if (WARN_ON(!cac_ms))
		cac_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;

	ret = rdev_start_radar_detection(rdev, dev, &chandef, cac_ms);
	if (ret)
		return ret;

	wdev->chandef = chandef;
	wdev->cac_started = true;
	wdev->cac_start_time = jiffies;
	wdev->cac_time_ms = cac_ms;
	return 0;
}
8159 
/*
 * NL80211_CMD_NOTIFY_RADAR handler: userspace reports a radar it detected
 * on the given chandef.
 *
 * The channel is marked NL80211_DFS_UNAVAILABLE, the DFS channel update
 * is scheduled and the event is propagated to the other radios. A radar
 * on a channel already marked unavailable is silently accepted.
 * Validation failures carry an extack message for userspace.
 */
static int nl80211_notify_radar_detection(struct sk_buff *skb,
					  struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct wiphy *wiphy = wdev->wiphy;
	struct cfg80211_chan_def chandef;
	int ret;

	if (reg_get_dfs_region(wiphy) == NL80211_DFS_UNSET) {
		GENL_SET_ERR_MSG(info,
				 "DFS Region is not set. Unexpected Radar indication");
		return -EINVAL;
	}

	ret = nl80211_parse_chandef(rdev, info, &chandef);
	if (ret) {
		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
		return ret;
	}

	ret = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
	if (ret < 0) {
		GENL_SET_ERR_MSG(info, "chandef is invalid");
		return ret;
	}
	if (!ret) {
		GENL_SET_ERR_MSG(info,
				 "Unexpected Radar indication for chandef/iftype");
		return -EINVAL;
	}

	/* already unavailable: nothing to update, report success */
	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
		return 0;

	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
	cfg80211_sched_dfs_chan_update(rdev);
	rdev->radar_chandef = chandef;

	/* Propagate this notification to other radios as well */
	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);

	return 0;
}
8213 
/*
 * nl80211_channel_switch - NL80211_CMD_CHANNEL_SWITCH handler
 *
 * Validates a channel-switch request (target chandef, CSA count, and for
 * AP/P2P-GO the beacon/probe-response templates plus the offsets of the
 * CSA counter bytes inside them) and hands it to the driver.
 *
 * The counter offsets come straight from userspace and are used to index
 * the userspace-supplied beacon buffers, so each one is bounds-checked and
 * must already hold the announced count before anything is read.
 *
 * Returns 0 on success or a negative errno.
 */
static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_csa_settings params;
	/* csa_attrs is defined static to avoid waste of stack size - this
	 * function is called under RTNL lock, so this should not be a problem.
	 * (It is a shared buffer: nothing outside RTNL may rely on it.)
	 */
	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
	int err;
	bool need_new_beacon = false;
	bool need_handle_dfs_flag = true;
	int len, i;
	u32 cs_count;

	if (!rdev->ops->channel_switch ||
	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
		return -EOPNOTSUPP;

	switch (dev->ieee80211_ptr->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_P2P_GO:
		need_new_beacon = true;
		/* For all modes except AP the handle_dfs flag needs to be
		 * supplied to tell the kernel that userspace will handle radar
		 * events when they happen. Otherwise a switch to a channel
		 * requiring DFS will be rejected.
		 */
		need_handle_dfs_flag = false;

		/* useless if AP is not running */
		if (!wdev->beacon_interval)
			return -ENOTCONN;
		break;
	case NL80211_IFTYPE_ADHOC:
		if (!wdev->ssid_len)
			return -ENOTCONN;
		break;
	case NL80211_IFTYPE_MESH_POINT:
		if (!wdev->mesh_id_len)
			return -ENOTCONN;
		break;
	default:
		return -EOPNOTSUPP;
	}

	memset(&params, 0, sizeof(params));
	/* -1 presumably means "not specified"; verify against nl80211_parse_beacon() */
	params.beacon_csa.ftm_responder = -1;

	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
		return -EINVAL;

	/* only important for AP, IBSS and mesh create IEs internally */
	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
		return -EINVAL;

	/* Even though the attribute is u32, the specification says
	 * u8, so let's make sure we don't overflow.
	 * (The count is later compared byte-wise against the templates.)
	 */
	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
	if (cs_count > 255)
		return -EINVAL;

	params.count = cs_count;

	if (!need_new_beacon)
		goto skip_beacons;

	/* beacon to use once the switch has completed */
	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
	if (err)
		return err;

	/* CSA_IES nests a second set of top-level attributes: the beacon
	 * to use while the countdown is running
	 */
	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
					  info->attrs[NL80211_ATTR_CSA_IES],
					  nl80211_policy, info->extack);
	if (err)
		return err;

	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
	if (err)
		return err;

	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
		return -EINVAL;

	/* an array of u16 offsets; must be non-empty and whole elements */
	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
	if (!len || (len % sizeof(u16)))
		return -EINVAL;

	/* a driver advertising 0 imposes no counter limit */
	params.n_counter_offsets_beacon = len / sizeof(u16);
	if (rdev->wiphy.max_num_csa_counters &&
	    (params.n_counter_offsets_beacon >
	     rdev->wiphy.max_num_csa_counters))
		return -EINVAL;

	params.counter_offsets_beacon =
		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);

	/* sanity checks - counters should fit and be the same;
	 * the bounds check precedes the read of tail[offset]
	 */
	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
		u16 offset = params.counter_offsets_beacon[i];

		if (offset >= params.beacon_csa.tail_len)
			return -EINVAL;

		if (params.beacon_csa.tail[offset] != params.count)
			return -EINVAL;
	}

	/* probe-response counters are optional but validated the same way */
	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
		if (!len || (len % sizeof(u16)))
			return -EINVAL;

		params.n_counter_offsets_presp = len / sizeof(u16);
		if (rdev->wiphy.max_num_csa_counters &&
		    (params.n_counter_offsets_presp >
		     rdev->wiphy.max_num_csa_counters))
			return -EINVAL;

		params.counter_offsets_presp =
			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);

		/* sanity checks - counters should fit and be the same */
		for (i = 0; i < params.n_counter_offsets_presp; i++) {
			u16 offset = params.counter_offsets_presp[i];

			if (offset >= params.beacon_csa.probe_resp_len)
				return -EINVAL;

			if (params.beacon_csa.probe_resp[offset] !=
			    params.count)
				return -EINVAL;
		}
	}

skip_beacons:
	err = nl80211_parse_chandef(rdev, info, &params.chandef);
	if (err)
		return err;

	/* regulatory: may we beacon on the target channel at all? */
	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
					   wdev->iftype))
		return -EINVAL;

	err = cfg80211_chandef_dfs_required(wdev->wiphy,
					    &params.chandef,
					    wdev->iftype);
	if (err < 0)
		return err;

	/* > 0: target needs radar detection; non-AP modes must opt in
	 * via NL80211_ATTR_HANDLE_DFS (see need_handle_dfs_flag above)
	 */
	if (err > 0) {
		params.radar_required = true;
		if (need_handle_dfs_flag &&
		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
			return -EINVAL;
		}
	}

	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
		params.block_tx = true;

	wdev_lock(wdev);
	err = rdev_channel_switch(rdev, dev, &params);
	wdev_unlock(wdev);

	return err;
}
8384 
/*
 * nl80211_send_bss - append one NL80211_CMD_NEW_SCAN_RESULTS message
 * @msg: dump skb being filled
 * @cb: netlink dump callback (source of the portid and the consistency seq)
 * @seq: netlink sequence number for the message
 * @flags: netlink message flags (NLM_F_MULTI from the dump caller)
 * @rdev: registered device the BSS belongs to
 * @wdev: interface the dump is for; decides the BSS_STATUS attribute
 * @intbss: the cached BSS entry to serialize
 *
 * Called with the wdev lock held. The IE pointers are read under RCU and
 * the read side is released before the remaining attributes are added.
 *
 * Return: 0 on success; -1 if even the header did not fit, -EMSGSIZE if a
 * later attribute did not fit (the partial message is cancelled). The
 * caller only distinguishes "< 0".
 */
static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
			    u32 seq, int flags,
			    struct cfg80211_registered_device *rdev,
			    struct wireless_dev *wdev,
			    struct cfg80211_internal_bss *intbss)
{
	struct cfg80211_bss *res = &intbss->pub;
	const struct cfg80211_bss_ies *ies;
	void *hdr;
	struct nlattr *bss;

	ASSERT_WDEV_LOCK(wdev);

	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
			     NL80211_CMD_NEW_SCAN_RESULTS);
	if (!hdr)
		return -1;

	/* marks the message so userspace can detect a list that changed mid-dump */
	genl_dump_check_consistent(cb, hdr);

	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
		goto nla_put_failure;
	if (wdev->netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
		goto nla_put_failure;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto nla_put_failure;

	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
	if (!bss)
		goto nla_put_failure;
	/* an all-zero BSSID is simply omitted */
	if ((!is_zero_ether_addr(res->bssid) &&
	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
		goto nla_put_failure;

	/* from here until rcu_read_unlock() failures must use fail_unlock_rcu */
	rcu_read_lock();
	/* indicate whether we have probe response data or not */
	if (rcu_access_pointer(res->proberesp_ies) &&
	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
		goto fail_unlock_rcu;

	/* this pointer prefers to be pointed to probe response data
	 * but is always valid
	 */
	ies = rcu_dereference(res->ies);
	if (ies) {
		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
				      NL80211_BSS_PAD))
			goto fail_unlock_rcu;
		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
					ies->len, ies->data))
			goto fail_unlock_rcu;
	}

	/* and this pointer is always (unless driver didn't know) beacon data */
	ies = rcu_dereference(res->beacon_ies);
	if (ies && ies->from_beacon) {
		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
				      NL80211_BSS_PAD))
			goto fail_unlock_rcu;
		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
					ies->len, ies->data))
			goto fail_unlock_rcu;
	}
	rcu_read_unlock();

	if (res->beacon_interval &&
	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
		goto nla_put_failure;
	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
			jiffies_to_msecs(jiffies - intbss->ts)))
		goto nla_put_failure;

	/* parent TSF/BSSID are only reported when the driver provided them */
	if (intbss->parent_tsf &&
	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
			       intbss->parent_tsf, NL80211_BSS_PAD) ||
	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
		     intbss->parent_bssid)))
		goto nla_put_failure;

	if (intbss->ts_boottime &&
	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
			      intbss->ts_boottime, NL80211_BSS_PAD))
		goto nla_put_failure;

	/* per-chain signal; note the inverted (bool) convention of this helper */
	if (!nl80211_put_signal(msg, intbss->pub.chains,
				intbss->pub.chain_signal,
				NL80211_BSS_CHAIN_SIGNAL))
		goto nla_put_failure;

	/* the attribute used for the signal depends on the wiphy's unit */
	switch (rdev->wiphy.signal_type) {
	case CFG80211_SIGNAL_TYPE_MBM:
		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
			goto nla_put_failure;
		break;
	case CFG80211_SIGNAL_TYPE_UNSPEC:
		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
			goto nla_put_failure;
		break;
	default:
		break;
	}

	/* flag the entry we are currently associated/joined to, if any */
	switch (wdev->iftype) {
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_STATION:
		if (intbss == wdev->current_bss &&
		    nla_put_u32(msg, NL80211_BSS_STATUS,
				NL80211_BSS_STATUS_ASSOCIATED))
			goto nla_put_failure;
		break;
	case NL80211_IFTYPE_ADHOC:
		if (intbss == wdev->current_bss &&
		    nla_put_u32(msg, NL80211_BSS_STATUS,
				NL80211_BSS_STATUS_IBSS_JOINED))
			goto nla_put_failure;
		break;
	default:
		break;
	}

	nla_nest_end(msg, bss);

	genlmsg_end(msg, hdr);
	return 0;

 fail_unlock_rcu:
	rcu_read_unlock();
 nla_put_failure:
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
8521 
/*
 * NL80211_CMD_GET_SCAN dump callback: emit one NEW_SCAN_RESULTS message
 * per cached BSS, resuming at the entry index saved in cb->args[2].
 *
 * Locks are taken in the order rtnl, wdev, bss_lock and released in
 * reverse; bss_lock stays held for the whole list walk.
 *
 * Returns skb->len (netlink dump convention) or a negative errno if the
 * wdev lookup failed.
 */
static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct cfg80211_internal_bss *bss;
	int skip = cb->args[2];
	int pos = 0;
	int ret;

	rtnl_lock();
	ret = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
	if (ret)
		goto out_rtnl;

	wdev_lock(wdev);
	spin_lock_bh(&rdev->bss_lock);

	/*
	 * Expire stale entries only on the first call of a multi-part dump;
	 * it is unlikely that more entries expire between the parts.
	 */
	if (!skip)
		cfg80211_bss_expire(rdev);

	/* lets genl_dump_check_consistent() flag a list that changed mid-dump */
	cb->seq = rdev->bss_generation;

	list_for_each_entry(bss, &rdev->bss_list, list) {
		pos++;
		if (pos <= skip)
			continue;

		if (nl80211_send_bss(skb, cb, cb->nlh->nlmsg_seq, NLM_F_MULTI,
				     rdev, wdev, bss) < 0) {
			/* did not fit: resume from this entry next time */
			pos--;
			break;
		}
	}

	spin_unlock_bh(&rdev->bss_lock);
	wdev_unlock(wdev);

	cb->args[2] = pos;
	ret = skb->len;

out_rtnl:
	rtnl_unlock();
	return ret;
}
8570 
/*
 * nl80211_send_survey - append one NL80211_CMD_NEW_SURVEY_RESULTS message
 * @msg: skb being filled
 * @portid: netlink port id of the requester
 * @seq: netlink sequence number
 * @flags: netlink message flags
 * @dev: interface the survey is for
 * @allow_radio_stats: whether entries without a channel are wanted
 * @survey: the entry to serialize; survey->filled says which fields are set
 *
 * Return: 0 on success (also when the entry is skipped), -ENOMEM if the
 * header does not fit, -EMSGSIZE if an attribute does not fit (the partial
 * message is cancelled).
 */
static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
			       int flags, struct net_device *dev,
			       bool allow_radio_stats,
			       struct survey_info *survey)
{
	/* the u64 time counters, emitted in this order when their bit is set */
	const struct {
		u32 filled_bit;
		int attr;
		u64 value;
	} time_attrs[] = {
		{ SURVEY_INFO_TIME, NL80211_SURVEY_INFO_TIME,
		  survey->time },
		{ SURVEY_INFO_TIME_BUSY, NL80211_SURVEY_INFO_TIME_BUSY,
		  survey->time_busy },
		{ SURVEY_INFO_TIME_EXT_BUSY, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
		  survey->time_ext_busy },
		{ SURVEY_INFO_TIME_RX, NL80211_SURVEY_INFO_TIME_RX,
		  survey->time_rx },
		{ SURVEY_INFO_TIME_TX, NL80211_SURVEY_INFO_TIME_TX,
		  survey->time_tx },
		{ SURVEY_INFO_TIME_SCAN, NL80211_SURVEY_INFO_TIME_SCAN,
		  survey->time_scan },
	};
	struct nlattr *info_nest;
	void *hdr;
	unsigned int n;

	/* radio-wide (channel-less) entries are only sent when asked for */
	if (!survey->channel && !allow_radio_stats)
		return 0;

	hdr = nl80211hdr_put(msg, portid, seq, flags,
			     NL80211_CMD_NEW_SURVEY_RESULTS);
	if (!hdr)
		return -ENOMEM;

	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto cancel;

	info_nest = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
	if (!info_nest)
		goto cancel;

	if (survey->channel &&
	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
			survey->channel->center_freq))
		goto cancel;

	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
		goto cancel;

	if ((survey->filled & SURVEY_INFO_IN_USE) &&
	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
		goto cancel;

	for (n = 0; n < ARRAY_SIZE(time_attrs); n++) {
		if (!(survey->filled & time_attrs[n].filled_bit))
			continue;
		if (nla_put_u64_64bit(msg, time_attrs[n].attr,
				      time_attrs[n].value,
				      NL80211_SURVEY_INFO_PAD))
			goto cancel;
	}

	nla_nest_end(msg, info_nest);
	genlmsg_end(msg, hdr);
	return 0;

cancel:
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
8640 
/*
 * NL80211_CMD_GET_SURVEY dump callback: walk the driver's survey entries
 * by index, starting at the index saved in cb->args[2], until the driver
 * reports -ENOENT or the skb is full.
 *
 * Returns skb->len (netlink dump convention) or a negative errno.
 */
static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct survey_info survey;
	int idx = cb->args[2];
	bool want_radio_stats;
	int ret;

	rtnl_lock();
	ret = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
	if (ret)
		goto unlock;

	/* attrbuf was filled in by nl80211_prepare_wdev_dump() */
	want_radio_stats = !!attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];

	if (!wdev->netdev) {
		ret = -EINVAL;
		goto unlock;
	}

	if (!rdev->ops->dump_survey) {
		ret = -EOPNOTSUPP;
		goto unlock;
	}

	for (;; idx++) {
		ret = rdev_dump_survey(rdev, wdev->netdev, idx, &survey);
		if (ret == -ENOENT)
			break;		/* driver has no more entries */
		if (ret)
			goto unlock;

		/* disabled channels are skipped; channel-less entries go on */
		if (survey.channel &&
		    (survey.channel->flags & IEEE80211_CHAN_DISABLED))
			continue;

		if (nl80211_send_survey(skb, NETLINK_CB(cb->skb).portid,
					cb->nlh->nlmsg_seq, NLM_F_MULTI,
					wdev->netdev, want_radio_stats,
					&survey) < 0)
			break;		/* skb full: resume at idx next call */
	}

	cb->args[2] = idx;
	ret = skb->len;

unlock:
	rtnl_unlock();
	return ret;
}
8698 
/*
 * True when @wpa_versions sets no bits other than the WPA1/WPA2 bits this
 * code knows about; any unknown bit makes the mask invalid.
 */
static bool nl80211_valid_wpa_versions(u32 wpa_versions)
{
	const u32 known = NL80211_WPA_VERSION_1 | NL80211_WPA_VERSION_2;

	return (wpa_versions & ~known) == 0;
}
8704 
/*
 * NL80211_CMD_AUTHENTICATE handler: validate the request and hand it to
 * the MLME layer via cfg80211_mlme_auth().
 *
 * Mandatory attributes: NL80211_ATTR_MAC (BSSID), NL80211_ATTR_AUTH_TYPE,
 * NL80211_ATTR_SSID and NL80211_ATTR_WIPHY_FREQ. Optional: NL80211_ATTR_IE,
 * NL80211_ATTR_AUTH_DATA (mandatory for SAE/FILS auth types, rejected for
 * all others), a WEP key parsed by nl80211_parse_key(), and
 * NL80211_ATTR_LOCAL_STATE_CHANGE.
 *
 * Returns 0 on success (also when only a local state change was requested,
 * which is ignored), -EINVAL for missing or malformed attributes,
 * -EOPNOTSUPP if the driver has no auth op or the interface is neither a
 * station nor a P2P client, otherwise the cfg80211_mlme_auth() result.
 */
static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct ieee80211_channel *chan;
	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
	int err, ssid_len, ie_len = 0, auth_data_len = 0;
	enum nl80211_auth_type auth_type;
	struct key_parse key;
	bool local_state_change;

	if (!info->attrs[NL80211_ATTR_MAC])
		return -EINVAL;

	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
		return -EINVAL;

	if (!info->attrs[NL80211_ATTR_SSID])
		return -EINVAL;

	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
		return -EINVAL;

	err = nl80211_parse_key(info, &key);
	if (err)
		return err;

	/*
	 * A supplied key (idx >= 0) must be a group key, its cipher must be
	 * WEP40 or WEP104 with exactly the matching key length, and the key
	 * index must be in 0..3.
	 */
	if (key.idx >= 0) {
		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
			return -EINVAL;
		if (!key.p.key || !key.p.key_len)
			return -EINVAL;
		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
		     key.p.key_len != WLAN_KEY_LEN_WEP104))
			return -EINVAL;
		if (key.idx > 3)
			return -EINVAL;
	} else {
		/* no key given: make sure nothing stale is passed down */
		key.p.key_len = 0;
		key.p.key = NULL;
	}

	/* the WEP cipher must also be one the device advertises */
	if (key.idx >= 0) {
		int i;
		bool ok = false;

		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
				ok = true;
				break;
			}
		}
		if (!ok)
			return -EINVAL;
	}

	if (!rdev->ops->auth)
		return -EOPNOTSUPP;

	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
	chan = nl80211_get_valid_chan(&rdev->wiphy,
				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
	if (!chan)
		return -EINVAL;

	/*
	 * ssid_len is taken as-is from the attribute; its upper bound is
	 * presumably enforced by nl80211_policy (not visible here) - verify.
	 */
	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);

	if (info->attrs[NL80211_ATTR_IE]) {
		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
	}

	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
		return -EINVAL;

	/* SAE and the FILS variants cannot work without auth data ... */
	if ((auth_type == NL80211_AUTHTYPE_SAE ||
	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
	    !info->attrs[NL80211_ATTR_AUTH_DATA])
		return -EINVAL;

	/* ... and auth data is only meaningful for those auth types */
	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
		if (auth_type != NL80211_AUTHTYPE_SAE &&
		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
		    auth_type != NL80211_AUTHTYPE_FILS_PK)
			return -EINVAL;
		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
		/* need to include at least Auth Transaction and Status Code */
		if (auth_data_len < 4)
			return -EINVAL;
	}

	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];

	/*
	 * Since we no longer track auth state, ignore
	 * requests to only change local state.
	 */
	if (local_state_change)
		return 0;

	/* cfg80211_mlme_auth() is called with the wdev lock held */
	wdev_lock(dev->ieee80211_ptr);
	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
				 ssid, ssid_len, ie, ie_len,
				 key.p.key, key.p.key_len, key.idx,
				 auth_data, auth_data_len);
	wdev_unlock(dev->ieee80211_ptr);
	return err;
}
8825 
/*
 * Check that control-port (PAE) frames may be carried over nl80211 for
 * this request: the requesting socket must have set
 * NL80211_ATTR_SOCKET_OWNER, and the driver must provide tx_control_port
 * and advertise NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211.
 *
 * Returns 0 if allowed, -EINVAL (with an extack message) when the socket
 * owner flag is missing, -EOPNOTSUPP when the driver cannot do it.
 */
static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
				     struct genl_info *info)
{
	bool driver_supports;

	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
		return -EINVAL;
	}

	driver_supports = rdev->ops->tx_control_port &&
			  wiphy_ext_feature_isset(&rdev->wiphy,
						  NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211);

	return driver_supports ? 0 : -EOPNOTSUPP;
}
8841 
/*
 * Parse the crypto-related attributes of a connect/associate request into
 * @settings (which is zeroed first).
 *
 * @cipher_limit caps how many pairwise cipher suites are copied into
 * settings->ciphers_pairwise; callers pass 1 (associate) or
 * NL80211_MAX_NR_CIPHER_SUITES (connect) and must keep it within the
 * array's capacity. settings->psk is a pointer into the netlink message,
 * not a copy.
 *
 * Returns 0 on success, -EINVAL for malformed or device-unsupported
 * values, or the error from validate_pae_over_nl80211().
 */
static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
				   struct genl_info *info,
				   struct cfg80211_crypto_settings *settings,
				   int cipher_limit)
{
	memset(settings, 0, sizeof(*settings));

	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];

	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
		u16 proto;

		proto = nla_get_u16(
			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
		settings->control_port_ethertype = cpu_to_be16(proto);
		/* a non-PAE ethertype needs WIPHY_FLAG_CONTROL_PORT_PROTOCOL */
		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
		    proto != ETH_P_PAE)
			return -EINVAL;
		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
			settings->control_port_no_encrypt = true;
	} else
		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);

	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
		/* needs SOCKET_OWNER and driver support, checked there */
		int r = validate_pae_over_nl80211(rdev, info);

		if (r < 0)
			return r;

		settings->control_port_over_nl80211 = true;
	}

	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
		void *data;
		int len, i;

		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
		settings->n_ciphers_pairwise = len / sizeof(u32);

		/* must be a whole number of u32 suite selectors */
		if (len % sizeof(u32))
			return -EINVAL;

		if (settings->n_ciphers_pairwise > cipher_limit)
			return -EINVAL;

		/* len is now bounded by cipher_limit whole entries */
		memcpy(settings->ciphers_pairwise, data, len);

		/* every requested pairwise cipher must be one the device supports */
		for (i = 0; i < settings->n_ciphers_pairwise; i++)
			if (!cfg80211_supported_cipher_suite(
					&rdev->wiphy,
					settings->ciphers_pairwise[i]))
				return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
		settings->cipher_group =
			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
						     settings->cipher_group))
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
		settings->wpa_versions =
			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
		void *data;
		int len;

		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
		settings->n_akm_suites = len / sizeof(u32);

		/* whole u32 selectors only, at most NL80211_MAX_NR_AKM_SUITES */
		if (len % sizeof(u32))
			return -EINVAL;

		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
			return -EINVAL;

		memcpy(settings->akm_suites, data, len);
	}

	if (info->attrs[NL80211_ATTR_PMK]) {
		/*
		 * A PSK/PMK must be exactly WLAN_PMK_LEN and is only accepted
		 * when the driver offloads the PSK 4-way handshake.
		 */
		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
			return -EINVAL;
		if (!wiphy_ext_feature_isset(&rdev->wiphy,
					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
			return -EINVAL;
		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
	}

	return 0;
}
8940 
/*
 * Associate request handler: build a struct cfg80211_assoc_request from
 * the request attributes and pass it to cfg80211_mlme_assoc().
 *
 * Mandatory: NL80211_ATTR_MAC (BSSID), NL80211_ATTR_SSID and
 * NL80211_ATTR_WIPHY_FREQ. HT/VHT capability overrides require the
 * matching mask attribute; NL80211_ATTR_FILS_KEK requires
 * NL80211_ATTR_FILS_NONCES. Pointer fields of @req (ie, prev_bssid,
 * fils_kek, fils_nonces) reference the netlink message, not copies.
 *
 * Returns -EPERM if a different socket owns the connection, -EINVAL for
 * malformed input, -EOPNOTSUPP if the driver or interface type cannot
 * associate, otherwise the result of nl80211_crypto_settings() or
 * cfg80211_mlme_assoc().
 */
static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct ieee80211_channel *chan;
	struct cfg80211_assoc_request req = {};
	const u8 *bssid, *ssid;
	int err, ssid_len = 0;

	/* once a socket owns the connection, only that socket may re-associate */
	if (dev->ieee80211_ptr->conn_owner_nlportid &&
	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
		return -EPERM;

	if (!info->attrs[NL80211_ATTR_MAC] ||
	    !info->attrs[NL80211_ATTR_SSID] ||
	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
		return -EINVAL;

	if (!rdev->ops->assoc)
		return -EOPNOTSUPP;

	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);

	chan = nl80211_get_valid_chan(&rdev->wiphy,
				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
	if (!chan)
		return -EINVAL;

	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);

	if (info->attrs[NL80211_ATTR_IE]) {
		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
	}

	/* only NL80211_MFP_REQUIRED or NL80211_MFP_NO are accepted here */
	if (info->attrs[NL80211_ATTR_USE_MFP]) {
		enum nl80211_mfp mfp =
			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
		if (mfp == NL80211_MFP_REQUIRED)
			req.use_mfp = true;
		else if (mfp != NL80211_MFP_NO)
			return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_PREV_BSSID])
		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);

	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
		req.flags |= ASSOC_REQ_DISABLE_HT;

	/* fixed-size copies; the attribute lengths are presumably policy-checked */
	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
		memcpy(&req.ht_capa_mask,
		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
		       sizeof(req.ht_capa_mask));

	/* HT capability overrides are meaningless without their mask */
	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
			return -EINVAL;
		memcpy(&req.ht_capa,
		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
		       sizeof(req.ht_capa));
	}

	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
		req.flags |= ASSOC_REQ_DISABLE_VHT;

	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
		memcpy(&req.vht_capa_mask,
		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
		       sizeof(req.vht_capa_mask));

	/* same rule for VHT: capability requires its mask */
	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
			return -EINVAL;
		memcpy(&req.vht_capa,
		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
		       sizeof(req.vht_capa));
	}

	/*
	 * RRM requires either both DS-params-in-probes and quiet support
	 * or the dedicated RRM extended feature.
	 */
	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
		if (!((rdev->wiphy.features &
			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
		    !wiphy_ext_feature_isset(&rdev->wiphy,
					     NL80211_EXT_FEATURE_RRM))
			return -EINVAL;
		req.flags |= ASSOC_REQ_USE_RRM;
	}

	/* a FILS KEK is only usable together with the FILS nonces */
	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
			return -EINVAL;
		req.fils_nonces =
			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
	}

	/* an association request carries at most one pairwise cipher suite */
	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
	if (!err) {
		wdev_lock(dev->ieee80211_ptr);

		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
					  ssid, ssid_len, &req);

		/*
		 * Remember the owning socket (enforced by the -EPERM check
		 * above) and the BSSID, presumably so the connection can be
		 * torn down when that socket goes away.
		 */
		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
			dev->ieee80211_ptr->conn_owner_nlportid =
				info->snd_portid;
			memcpy(dev->ieee80211_ptr->disconnect_bssid,
			       bssid, ETH_ALEN);
		}

		wdev_unlock(dev->ieee80211_ptr);
	}

	return err;
}
9063 
/*
 * Deauthenticate request handler: validate the attributes and call
 * cfg80211_mlme_deauth() under the wdev lock.
 *
 * Requires NL80211_ATTR_MAC (BSSID) and a non-zero NL80211_ATTR_REASON_CODE;
 * NL80211_ATTR_IE and NL80211_ATTR_LOCAL_STATE_CHANGE are optional.
 *
 * Returns -EPERM if another socket owns the connection, -EINVAL for
 * missing/invalid attributes, -EOPNOTSUPP if the driver has no deauth op
 * or the interface is not a station / P2P client, else the MLME result.
 */
static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *ie_attr;
	const u8 *ie = NULL, *bssid;
	int ie_len = 0;
	u16 reason_code;
	bool local_only;
	int err;

	/* once a socket owns the connection, only that socket may deauth */
	if (wdev->conn_owner_nlportid &&
	    wdev->conn_owner_nlportid != info->snd_portid)
		return -EPERM;

	if (!info->attrs[NL80211_ATTR_MAC] ||
	    !info->attrs[NL80211_ATTR_REASON_CODE])
		return -EINVAL;

	if (!rdev->ops->deauth)
		return -EOPNOTSUPP;

	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);

	/* Reason Code 0 is reserved */
	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
	if (!reason_code)
		return -EINVAL;

	ie_attr = info->attrs[NL80211_ATTR_IE];
	if (ie_attr) {
		ie = nla_data(ie_attr);
		ie_len = nla_len(ie_attr);
	}

	local_only = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];

	wdev_lock(wdev);
	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
				   local_only);
	wdev_unlock(wdev);
	return err;
}
9111 
/*
 * Disassociate request handler: validate the attributes and call
 * cfg80211_mlme_disassoc() under the wdev lock.
 *
 * Requires NL80211_ATTR_MAC (BSSID) and a non-zero NL80211_ATTR_REASON_CODE;
 * NL80211_ATTR_IE and NL80211_ATTR_LOCAL_STATE_CHANGE are optional.
 *
 * Returns -EPERM if another socket owns the connection, -EINVAL for
 * missing/invalid attributes, -EOPNOTSUPP if the driver has no disassoc
 * op or the interface is not a station / P2P client, else the MLME result.
 */
static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *ie_attr;
	const u8 *ie = NULL, *bssid;
	int ie_len = 0;
	u16 reason_code;
	bool local_only;
	int err;

	/* once a socket owns the connection, only that socket may disassoc */
	if (wdev->conn_owner_nlportid &&
	    wdev->conn_owner_nlportid != info->snd_portid)
		return -EPERM;

	if (!info->attrs[NL80211_ATTR_MAC] ||
	    !info->attrs[NL80211_ATTR_REASON_CODE])
		return -EINVAL;

	if (!rdev->ops->disassoc)
		return -EOPNOTSUPP;

	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);

	/* Reason Code 0 is reserved */
	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
	if (!reason_code)
		return -EINVAL;

	ie_attr = info->attrs[NL80211_ATTR_IE];
	if (ie_attr) {
		ie = nla_data(ie_attr);
		ie_len = nla_len(ie_attr);
	}

	local_only = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];

	wdev_lock(wdev);
	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
				     local_only);
	wdev_unlock(wdev);
	return err;
}
9159 
/*
 * Translate a multicast bitrate value into a per-band bitrate index.
 *
 * For every band the device supports, look up @rateval in the band's
 * bitrate table and store its index plus one in @mcast_rate[band]
 * (1-based, so a band without a match keeps whatever the caller put
 * there - callers zero the array first). Returns true if at least one
 * band had a matching rate.
 */
static bool
nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
			 int mcast_rate[NUM_NL80211_BANDS],
			 int rateval)
{
	bool matched_any = false;
	int band;

	for (band = 0; band < NUM_NL80211_BANDS; band++) {
		struct ieee80211_supported_band *sband = rdev->wiphy.bands[band];
		int i;

		if (!sband)
			continue;

		for (i = 0; i < sband->n_bitrates; i++) {
			if (sband->bitrates[i].bitrate != rateval)
				continue;
			mcast_rate[band] = i + 1;
			matched_any = true;
			break;
		}
	}

	return matched_any;
}
9187 
/*
 * Join-IBSS request handler: validate the attributes into a
 * struct cfg80211_ibss_params and call __cfg80211_join_ibss().
 *
 * NL80211_ATTR_SSID (non-empty) is mandatory; the channel definition is
 * parsed by nl80211_parse_chandef(). The beacon interval defaults to 100
 * unless NL80211_ATTR_BEACON_INTERVAL is given. HT channel widths need
 * NL80211_FEATURE_HT_IBSS, VHT widths additionally
 * NL80211_EXT_FEATURE_VHT_IBSS.
 *
 * @connkeys (from nl80211_parse_connkeys()) is freed on every error path
 * after it has been allocated; on a successful join it is passed to
 * __cfg80211_join_ibss(), which presumably takes ownership.
 *
 * Returns 0, -EINVAL for malformed or unsupported input, -EOPNOTSUPP if
 * the driver or interface type cannot join an IBSS, or the error from one
 * of the helpers called.
 */
static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct cfg80211_ibss_params ibss;
	struct wiphy *wiphy;
	struct cfg80211_cached_keys *connkeys = NULL;
	int err;

	memset(&ibss, 0, sizeof(ibss));

	if (!info->attrs[NL80211_ATTR_SSID] ||
	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
		return -EINVAL;

	/* default beacon interval unless the request overrides it */
	ibss.beacon_interval = 100;

	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
		ibss.beacon_interval =
			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);

	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
					   ibss.beacon_interval);
	if (err)
		return err;

	if (!rdev->ops->join_ibss)
		return -EOPNOTSUPP;

	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
		return -EOPNOTSUPP;

	wiphy = &rdev->wiphy;

	/* an explicit BSSID must be a valid unicast address */
	if (info->attrs[NL80211_ATTR_MAC]) {
		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);

		if (!is_valid_ether_addr(ibss.bssid))
			return -EINVAL;
	}
	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);

	if (info->attrs[NL80211_ATTR_IE]) {
		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
	}

	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
	if (err)
		return err;

	/* regulatory check: may we beacon on this channel as an IBSS? */
	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
				     NL80211_IFTYPE_ADHOC))
		return -EINVAL;

	switch (ibss.chandef.width) {
	case NL80211_CHAN_WIDTH_5:
	case NL80211_CHAN_WIDTH_10:
	case NL80211_CHAN_WIDTH_20_NOHT:
		/* legacy widths need no extra capability */
		break;
	case NL80211_CHAN_WIDTH_20:
	case NL80211_CHAN_WIDTH_40:
		/* HT widths require HT IBSS support */
		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
			return -EINVAL;
		break;
	case NL80211_CHAN_WIDTH_80:
	case NL80211_CHAN_WIDTH_80P80:
	case NL80211_CHAN_WIDTH_160:
		/* VHT widths require both HT and VHT IBSS support */
		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
			return -EINVAL;
		if (!wiphy_ext_feature_isset(&rdev->wiphy,
					     NL80211_EXT_FEATURE_VHT_IBSS))
			return -EINVAL;
		break;
	default:
		return -EINVAL;
	}

	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];

	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
		u8 *rates =
			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
		int n_rates =
			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
		/* assumes the validated chandef's band has an sband - see nl80211_parse_chandef() */
		struct ieee80211_supported_band *sband =
			wiphy->bands[ibss.chandef.chan->band];

		err = ieee80211_get_ratemask(sband, rates, n_rates,
					     &ibss.basic_rates);
		if (err)
			return err;
	}

	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
		memcpy(&ibss.ht_capa_mask,
		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
		       sizeof(ibss.ht_capa_mask));

	/* HT capability overrides are meaningless without their mask */
	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
			return -EINVAL;
		memcpy(&ibss.ht_capa,
		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
		       sizeof(ibss.ht_capa));
	}

	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
		return -EINVAL;

	/* from here on connkeys may be allocated and must be freed on error */
	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
		bool no_ht = false;

		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
		if (IS_ERR(connkeys))
			return PTR_ERR(connkeys);

		/* keys that rule out HT cannot be used on an HT/VHT width */
		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
		    no_ht) {
			kzfree(connkeys);
			return -EINVAL;
		}
	}

	ibss.control_port =
		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);

	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
		/* needs SOCKET_OWNER and driver support, checked there */
		int r = validate_pae_over_nl80211(rdev, info);

		if (r < 0) {
			kzfree(connkeys);
			return r;
		}

		ibss.control_port_over_nl80211 = true;
	}

	ibss.userspace_handles_dfs =
		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);

	/* on failure connkeys is still ours; on success record the owner */
	wdev_lock(dev->ieee80211_ptr);
	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
	if (err)
		kzfree(connkeys);
	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
	wdev_unlock(dev->ieee80211_ptr);

	return err;
}
9343 
/*
 * Leave-IBSS request handler. Returns -EOPNOTSUPP unless the driver has a
 * leave_ibss op and the interface is in ad-hoc mode, otherwise the result
 * of cfg80211_leave_ibss().
 */
static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	bool supported = rdev->ops->leave_ibss &&
			 dev->ieee80211_ptr->iftype == NL80211_IFTYPE_ADHOC;

	if (!supported)
		return -EOPNOTSUPP;

	return cfg80211_leave_ibss(rdev, dev, false);
}
9357 
/*
 * Set-multicast-rate request handler: translate NL80211_ATTR_MCAST_RATE
 * into per-band bitrate indices and hand them to the driver.
 *
 * Only ad-hoc, mesh point and OCB interfaces are accepted. Returns
 * -EOPNOTSUPP for other interface types or drivers without a
 * set_mcast_rate op, -EINVAL if the attribute is missing or no band has
 * the requested rate, else the driver's result.
 */
static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	enum nl80211_iftype iftype = dev->ieee80211_ptr->iftype;
	int mcast_rate[NUM_NL80211_BANDS] = { 0 };
	struct nlattr *rate_attr;

	if (iftype != NL80211_IFTYPE_ADHOC &&
	    iftype != NL80211_IFTYPE_MESH_POINT &&
	    iftype != NL80211_IFTYPE_OCB)
		return -EOPNOTSUPP;

	if (!rdev->ops->set_mcast_rate)
		return -EOPNOTSUPP;

	rate_attr = info->attrs[NL80211_ATTR_MCAST_RATE];
	if (!rate_attr)
		return -EINVAL;

	/* fills a 1-based bitrate index for every band that has this rate */
	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_get_u32(rate_attr)))
		return -EINVAL;

	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
}
9387 
/*
 * Allocate and pre-fill a vendor/testmode message: nl80211 header for
 * @cmd, the wiphy index, optional vendor id/subcmd (when @info is given),
 * optional wdev id and ifindex (when @wdev is given), and an open nested
 * attribute @attr for the caller's payload.
 *
 * The rdev, header and nest pointers are stashed in skb->cb so that
 * __cfg80211_send_event_skb() can close and send the message later.
 * Returns the skb, or NULL if allocation or any attribute put failed.
 */
static struct sk_buff *
__cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
			    struct wireless_dev *wdev, int approxlen,
			    u32 portid, u32 seq, enum nl80211_commands cmd,
			    enum nl80211_attrs attr,
			    const struct nl80211_vendor_cmd_info *info,
			    gfp_t gfp)
{
	struct sk_buff *skb;
	void *hdr;
	struct nlattr *nest;
	void **cb;

	/* headroom over the caller's payload estimate */
	skb = nlmsg_new(approxlen + 100, gfp);
	if (!skb)
		return NULL;

	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
	if (!hdr)
		goto fail;

	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto fail;

	if (info &&
	    (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID, info->vendor_id) ||
	     nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD, info->subcmd)))
		goto fail;

	if (wdev) {
		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV, wdev_id(wdev),
				      NL80211_ATTR_PAD))
			goto fail;
		if (wdev->netdev &&
		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
				wdev->netdev->ifindex))
			goto fail;
	}

	nest = nla_nest_start_noflag(skb, attr);
	if (!nest)
		goto fail;

	/* consumed by __cfg80211_send_event_skb() */
	cb = (void **)skb->cb;
	cb[0] = rdev;
	cb[1] = hdr;
	cb[2] = nest;

	return skb;

 fail:
	kfree_skb(skb);
	return NULL;
}
9446 
/*
 * Allocate an event skb for a driver: either a testmode event
 * (NL80211_CMD_TESTMODE, @vendor_event_idx must be -1) or a vendor event
 * (NL80211_CMD_VENDOR, @vendor_event_idx indexes wiphy->vendor_events).
 * Any other @cmd or an out-of-range index is a driver bug, warned and
 * refused. Returns the pre-filled skb from __cfg80211_alloc_vendor_skb()
 * or NULL.
 */
struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
					   struct wireless_dev *wdev,
					   enum nl80211_commands cmd,
					   enum nl80211_attrs attr,
					   unsigned int portid,
					   int vendor_event_idx,
					   int approxlen, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	const struct nl80211_vendor_cmd_info *info = NULL;

	if (cmd == NL80211_CMD_TESTMODE) {
		/* testmode events carry no vendor info */
		if (WARN_ON(vendor_event_idx != -1))
			return NULL;
	} else if (cmd == NL80211_CMD_VENDOR) {
		if (WARN_ON(vendor_event_idx < 0 ||
			    vendor_event_idx >= wiphy->n_vendor_events))
			return NULL;
		info = &wiphy->vendor_events[vendor_event_idx];
	} else {
		WARN_ON(1);
		return NULL;
	}

	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
					   cmd, attr, info, gfp);
}
EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9479 
/*
 * Finish and send an event skb built by __cfg80211_alloc_event_skb():
 * close the nested attribute and the genl header, then unicast it to the
 * portid recorded in the netlink header, or - when there is none -
 * multicast it to the vendor group (for NL80211_ATTR_VENDOR_DATA) or the
 * testmode group. The pointers stashed in skb->cb are cleared first so
 * netlink core owns the control block from here on.
 */
void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
{
	void **cb = (void **)skb->cb;
	struct cfg80211_registered_device *rdev = cb[0];
	void *hdr = cb[1];
	struct nlattr *data = cb[2];
	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
	enum nl80211_multicast_groups mcgrp;

	/* hand the control block back to netlink core */
	memset(skb->cb, 0, sizeof(skb->cb));

	nla_nest_end(skb, data);
	genlmsg_end(skb, hdr);

	if (nlhdr->nlmsg_pid) {
		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
				nlhdr->nlmsg_pid);
		return;
	}

	mcgrp = data->nla_type == NL80211_ATTR_VENDOR_DATA ?
		NL80211_MCGRP_VENDOR : NL80211_MCGRP_TESTMODE;
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
				skb, 0, mcgrp, gfp);
}
EXPORT_SYMBOL(__cfg80211_send_event_skb);
9506 
9507 #ifdef CONFIG_NL80211_TESTMODE
/*
 * NL80211_CMD_TESTMODE (do) handler: pass NL80211_ATTR_TESTDATA to the
 * driver's testmode_cmd op, optionally scoped to a wdev.
 *
 * The wdev lookup is optional: an -EINVAL result from
 * __cfg80211_wdev_from_attrs() is treated as "no wdev given", any other
 * error is returned, and a wdev belonging to a different wiphy is
 * rejected. rdev->cur_cmd_info is set around the driver call.
 *
 * Returns -EOPNOTSUPP without a testmode_cmd op, -EINVAL when TESTDATA is
 * missing or the wdev does not match, else the driver's result.
 */
static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev;
	struct nlattr *testdata;
	int err;

	wdev = __cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);

	if (!rdev->ops->testmode_cmd)
		return -EOPNOTSUPP;

	if (IS_ERR(wdev)) {
		err = PTR_ERR(wdev);
		if (err != -EINVAL)
			return err;
		wdev = NULL;	/* no wdev specified */
	} else if (wdev->wiphy != &rdev->wiphy) {
		return -EINVAL;
	}

	testdata = info->attrs[NL80211_ATTR_TESTDATA];
	if (!testdata)
		return -EINVAL;

	rdev->cur_cmd_info = info;
	err = rdev_testmode_cmd(rdev, wdev, nla_data(testdata),
				nla_len(testdata));
	rdev->cur_cmd_info = NULL;

	return err;
}
9538 
/*
 * Dump handler for NL80211_CMD_TESTMODE.
 *
 * Dump state lives in cb->args: args[0] holds the wiphy index + 1 (so 0
 * means "first call, parse the request"), and args[1] holds a pointer to
 * the request's NL80211_ATTR_TESTDATA attribute, saved on the first call
 * and reused on later ones - this relies on the request message staying
 * valid for the whole dump, which netlink core presumably guarantees.
 *
 * Each iteration emits one message wrapping the driver's testmode_dump
 * output under NL80211_ATTR_TESTDATA; -ENOBUFS/-ENOENT from the driver
 * end the dump cleanly. Runs under the RTNL. Returns skb->len, or a
 * negative error.
 */
static int nl80211_testmode_dump(struct sk_buff *skb,
				 struct netlink_callback *cb)
{
	struct cfg80211_registered_device *rdev;
	int err;
	long phy_idx;
	void *data = NULL;
	int data_len = 0;

	rtnl_lock();

	if (cb->args[0]) {
		/*
		 * 0 is a valid index, but not valid for args[0],
		 * so we need to offset by 1.
		 */
		phy_idx = cb->args[0] - 1;

		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
		if (!rdev) {
			err = -ENOENT;
			goto out_err;
		}
	} else {
		/* first call: parse the request and resolve the wiphy */
		struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);

		err = nlmsg_parse_deprecated(cb->nlh,
					     GENL_HDRLEN + nl80211_fam.hdrsize,
					     attrbuf, nl80211_fam.maxattr,
					     nl80211_policy, NULL);
		if (err)
			goto out_err;

		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
		if (IS_ERR(rdev)) {
			err = PTR_ERR(rdev);
			goto out_err;
		}
		phy_idx = rdev->wiphy_idx;

		/* keep a pointer to the request's test data for later calls */
		if (attrbuf[NL80211_ATTR_TESTDATA])
			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
	}

	if (cb->args[1]) {
		data = nla_data((void *)cb->args[1]);
		data_len = nla_len((void *)cb->args[1]);
	}

	if (!rdev->ops->testmode_dump) {
		err = -EOPNOTSUPP;
		goto out_err;
	}

	while (1) {
		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
					   NL80211_CMD_TESTMODE);
		struct nlattr *tmdata;

		/* no room for another header (presumably skb full): stop */
		if (!hdr)
			break;

		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
			genlmsg_cancel(skb, hdr);
			break;
		}

		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
		if (!tmdata) {
			genlmsg_cancel(skb, hdr);
			break;
		}
		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
		nla_nest_end(skb, tmdata);

		/* ENOBUFS/ENOENT: drop the partial message and finish; other errors abort */
		if (err == -ENOBUFS || err == -ENOENT) {
			genlmsg_cancel(skb, hdr);
			break;
		} else if (err) {
			genlmsg_cancel(skb, hdr);
			goto out_err;
		}

		genlmsg_end(skb, hdr);
	}

	err = skb->len;
	/* see above */
	cb->args[0] = phy_idx + 1;
 out_err:
	rtnl_unlock();
	return err;
}
9633 #endif
9634 
9635 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9636 {
9637 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9638 	struct net_device *dev = info->user_ptr[1];
9639 	struct cfg80211_connect_params connect;
9640 	struct wiphy *wiphy;
9641 	struct cfg80211_cached_keys *connkeys = NULL;
9642 	int err;
9643 
9644 	memset(&connect, 0, sizeof(connect));
9645 
9646 	if (!info->attrs[NL80211_ATTR_SSID] ||
9647 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9648 		return -EINVAL;
9649 
9650 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9651 		connect.auth_type =
9652 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9653 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9654 					     NL80211_CMD_CONNECT))
9655 			return -EINVAL;
9656 	} else
9657 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9658 
9659 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9660 
9661 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9662 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9663 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9664 		return -EINVAL;
9665 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9666 
9667 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9668 				      NL80211_MAX_NR_CIPHER_SUITES);
9669 	if (err)
9670 		return err;
9671 
9672 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9673 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9674 		return -EOPNOTSUPP;
9675 
9676 	wiphy = &rdev->wiphy;
9677 
9678 	connect.bg_scan_period = -1;
9679 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9680 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9681 		connect.bg_scan_period =
9682 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9683 	}
9684 
9685 	if (info->attrs[NL80211_ATTR_MAC])
9686 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9687 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
9688 		connect.bssid_hint =
9689 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9690 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9691 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9692 
9693 	if (info->attrs[NL80211_ATTR_IE]) {
9694 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9695 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9696 	}
9697 
9698 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9699 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9700 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
9701 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9702 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
9703 			return -EOPNOTSUPP;
9704 	} else {
9705 		connect.mfp = NL80211_MFP_NO;
9706 	}
9707 
9708 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9709 		connect.prev_bssid =
9710 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9711 
9712 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9713 		connect.channel = nl80211_get_valid_chan(
9714 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9715 		if (!connect.channel)
9716 			return -EINVAL;
9717 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9718 		connect.channel_hint = nl80211_get_valid_chan(
9719 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9720 		if (!connect.channel_hint)
9721 			return -EINVAL;
9722 	}
9723 
9724 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9725 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9726 		if (IS_ERR(connkeys))
9727 			return PTR_ERR(connkeys);
9728 	}
9729 
9730 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9731 		connect.flags |= ASSOC_REQ_DISABLE_HT;
9732 
9733 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9734 		memcpy(&connect.ht_capa_mask,
9735 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9736 		       sizeof(connect.ht_capa_mask));
9737 
9738 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9739 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9740 			kzfree(connkeys);
9741 			return -EINVAL;
9742 		}
9743 		memcpy(&connect.ht_capa,
9744 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9745 		       sizeof(connect.ht_capa));
9746 	}
9747 
9748 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9749 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
9750 
9751 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9752 		memcpy(&connect.vht_capa_mask,
9753 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9754 		       sizeof(connect.vht_capa_mask));
9755 
9756 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9757 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9758 			kzfree(connkeys);
9759 			return -EINVAL;
9760 		}
9761 		memcpy(&connect.vht_capa,
9762 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9763 		       sizeof(connect.vht_capa));
9764 	}
9765 
9766 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9767 		if (!((rdev->wiphy.features &
9768 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9769 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9770 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9771 					     NL80211_EXT_FEATURE_RRM)) {
9772 			kzfree(connkeys);
9773 			return -EINVAL;
9774 		}
9775 		connect.flags |= ASSOC_REQ_USE_RRM;
9776 	}
9777 
9778 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9779 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9780 		kzfree(connkeys);
9781 		return -EOPNOTSUPP;
9782 	}
9783 
9784 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
9785 		/* bss selection makes no sense if bssid is set */
9786 		if (connect.bssid) {
9787 			kzfree(connkeys);
9788 			return -EINVAL;
9789 		}
9790 
9791 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
9792 				       wiphy, &connect.bss_select);
9793 		if (err) {
9794 			kzfree(connkeys);
9795 			return err;
9796 		}
9797 	}
9798 
9799 	if (wiphy_ext_feature_isset(&rdev->wiphy,
9800 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
9801 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9802 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9803 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9804 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9805 		connect.fils_erp_username =
9806 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9807 		connect.fils_erp_username_len =
9808 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9809 		connect.fils_erp_realm =
9810 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9811 		connect.fils_erp_realm_len =
9812 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9813 		connect.fils_erp_next_seq_num =
9814 			nla_get_u16(
9815 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9816 		connect.fils_erp_rrk =
9817 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9818 		connect.fils_erp_rrk_len =
9819 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9820 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9821 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9822 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9823 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9824 		kzfree(connkeys);
9825 		return -EINVAL;
9826 	}
9827 
9828 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
9829 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9830 			kzfree(connkeys);
9831 			GENL_SET_ERR_MSG(info,
9832 					 "external auth requires connection ownership");
9833 			return -EINVAL;
9834 		}
9835 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
9836 	}
9837 
9838 	wdev_lock(dev->ieee80211_ptr);
9839 
9840 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
9841 			       connect.prev_bssid);
9842 	if (err)
9843 		kzfree(connkeys);
9844 
9845 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9846 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9847 		if (connect.bssid)
9848 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9849 			       connect.bssid, ETH_ALEN);
9850 		else
9851 			memset(dev->ieee80211_ptr->disconnect_bssid,
9852 			       0, ETH_ALEN);
9853 	}
9854 
9855 	wdev_unlock(dev->ieee80211_ptr);
9856 
9857 	return err;
9858 }
9859 
/*
 * NL80211_CMD_UPDATE_CONNECT_PARAMS handler: hand updated association
 * IEs, FILS-ERP material and/or the auth type for an existing connection
 * to the driver's update_connect_params op.
 *
 * Returns -EOPNOTSUPP without that op, -EINVAL for an inconsistent set of
 * attributes, -ENOLINK when the interface has no current BSS, otherwise
 * the driver's result. Attribute types and lengths are assumed to have
 * been checked by the family policy before dispatch - confirm against
 * nl80211_policy. The pointers stored in 'connect' reference the netlink
 * message and are only valid for the duration of this call.
 */
static int nl80211_update_connect_params(struct sk_buff *skb,
					 struct genl_info *info)
{
	struct cfg80211_connect_params connect = {};
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	bool fils_sk_offload;
	u32 auth_type;
	u32 changed = 0;	/* UPDATE_* bits: which parts of 'connect' are valid */
	int ret;

	if (!rdev->ops->update_connect_params)
		return -EOPNOTSUPP;

	if (info->attrs[NL80211_ATTR_IE]) {
		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
		changed |= UPDATE_ASSOC_IES;
	}

	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);

	/*
	 * when driver supports fils-sk offload all attributes must be
	 * provided. So the else covers "fils-sk-not-all" and
	 * "no-fils-sk-any".
	 */
	if (fils_sk_offload &&
	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
		connect.fils_erp_username =
			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
		connect.fils_erp_username_len =
			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
		connect.fils_erp_realm =
			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
		connect.fils_erp_realm_len =
			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
		connect.fils_erp_next_seq_num =
			nla_get_u16(
			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
		connect.fils_erp_rrk =
			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
		connect.fils_erp_rrk_len =
			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
		changed |= UPDATE_FILS_ERP_INFO;
	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
		/* an incomplete ERP set, or ERP attributes without offload */
		return -EINVAL;
	}

	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
		if (!nl80211_valid_auth_type(rdev, auth_type,
					     NL80211_CMD_CONNECT))
			return -EINVAL;

		/* with FILS-SK offload, switching to FILS-SK auth requires
		 * the ERP material to arrive in the same request
		 */
		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
			return -EINVAL;

		connect.auth_type = auth_type;
		changed |= UPDATE_AUTH_TYPE;
	}

	/* the update needs a current BSS to apply to */
	wdev_lock(dev->ieee80211_ptr);
	if (!wdev->current_bss)
		ret = -ENOLINK;
	else
		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
	wdev_unlock(dev->ieee80211_ptr);

	return ret;
}
9940 
/*
 * NL80211_CMD_DISCONNECT handler.
 *
 * A connection that has an owner socket (conn_owner_nlportid, recorded by
 * the connect handler when NL80211_ATTR_SOCKET_OWNER was given) may only
 * be torn down by that same socket; any other requester gets -EPERM.
 * The reason code defaults to WLAN_REASON_DEAUTH_LEAVING and must be
 * non-zero (-EINVAL). Only station and P2P client interfaces can
 * disconnect (-EOPNOTSUPP); the result is that of cfg80211_disconnect().
 */
static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *reason_attr = info->attrs[NL80211_ATTR_REASON_CODE];
	u16 reason_code = WLAN_REASON_DEAUTH_LEAVING;
	int err;

	/* ownership check: a foreign socket cannot kill an owned connection */
	if (wdev->conn_owner_nlportid &&
	    wdev->conn_owner_nlportid != info->snd_portid)
		return -EPERM;

	if (reason_attr)
		reason_code = nla_get_u16(reason_attr);
	if (!reason_code)
		return -EINVAL;

	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	wdev_lock(wdev);
	err = cfg80211_disconnect(rdev, dev, reason_code, true);
	wdev_unlock(wdev);

	return err;
}
9969 
/*
 * NL80211_CMD_SET_WIPHY_NETNS handler: move the wiphy into the network
 * namespace identified by NL80211_ATTR_PID or NL80211_ATTR_NETNS_FD
 * (one of them is required, PID taking precedence when both are given).
 *
 * Returns the get_net_ns_by_*() error if the namespace cannot be
 * resolved, 0 when the wiphy already lives there, otherwise the result
 * of cfg80211_switch_netns(). The namespace reference obtained here is
 * always dropped before returning.
 */
static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct nlattr *pid_attr = info->attrs[NL80211_ATTR_PID];
	struct nlattr *fd_attr = info->attrs[NL80211_ATTR_NETNS_FD];
	struct net *target;
	int ret = 0;

	if (pid_attr)
		target = get_net_ns_by_pid(nla_get_u32(pid_attr));
	else if (fd_attr)
		target = get_net_ns_by_fd(nla_get_u32(fd_attr));
	else
		return -EINVAL;

	if (IS_ERR(target))
		return PTR_ERR(target);

	/* nothing to do when the wiphy is already in that namespace */
	if (!net_eq(wiphy_net(&rdev->wiphy), target))
		ret = cfg80211_switch_netns(rdev, target);

	put_net(target);
	return ret;
}
10000 
/*
 * Shared handler for NL80211_CMD_SET_PMKSA and NL80211_CMD_DEL_PMKSA.
 *
 * Builds a struct cfg80211_pmksa from the request and passes it to the
 * driver's set_pmksa or del_pmksa op. The cache entry is identified either
 * by BSSID (NL80211_ATTR_MAC) or, for FILS, by SSID plus cache id; in the
 * SSID form a PMK must accompany a SET but is optional for a DEL. The
 * pmkid/bssid/ssid/pmk pointers reference the netlink message and are
 * only valid for the duration of the call. Attribute lengths (PMKID,
 * MAC, PMK) are assumed to be enforced by the family policy - confirm
 * against nl80211_policy.
 *
 * Returns -EINVAL on a malformed request, -EOPNOTSUPP when the interface
 * type or the driver cannot cache PMKSAs, otherwise the driver's result.
 */
static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr **attrs = info->attrs;
	u8 cmd = info->genlhdr->cmd;
	int (*op)(struct wiphy *wiphy, struct net_device *dev,
		  struct cfg80211_pmksa *pmksa) = NULL;
	struct cfg80211_pmksa entry = {};
	bool ap_caching;

	if (!attrs[NL80211_ATTR_PMKID])
		return -EINVAL;
	entry.pmkid = nla_data(attrs[NL80211_ATTR_PMKID]);

	if (attrs[NL80211_ATTR_MAC]) {
		entry.bssid = nla_data(attrs[NL80211_ATTR_MAC]);
	} else if (attrs[NL80211_ATTR_SSID] &&
		   attrs[NL80211_ATTR_FILS_CACHE_ID] &&
		   (cmd == NL80211_CMD_DEL_PMKSA || attrs[NL80211_ATTR_PMK])) {
		entry.ssid = nla_data(attrs[NL80211_ATTR_SSID]);
		entry.ssid_len = nla_len(attrs[NL80211_ATTR_SSID]);
		entry.cache_id = nla_data(attrs[NL80211_ATTR_FILS_CACHE_ID]);
	} else {
		return -EINVAL;
	}

	if (attrs[NL80211_ATTR_PMK]) {
		entry.pmk = nla_data(attrs[NL80211_ATTR_PMK]);
		entry.pmk_len = nla_len(attrs[NL80211_ATTR_PMK]);
	}

	/* clients always; an AP only when the driver advertises AP caching */
	ap_caching = wdev->iftype == NL80211_IFTYPE_AP &&
		     wiphy_ext_feature_isset(&rdev->wiphy,
					     NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT && !ap_caching)
		return -EOPNOTSUPP;

	if (cmd == NL80211_CMD_SET_PMKSA)
		op = rdev->ops->set_pmksa;
	else if (cmd == NL80211_CMD_DEL_PMKSA)
		op = rdev->ops->del_pmksa;
	else
		WARN_ON(1);	/* presumably unreachable via the ops table */

	if (!op)
		return -EOPNOTSUPP;

	return op(&rdev->wiphy, dev, &entry);
}
10058 
/*
 * NL80211_CMD_FLUSH_PMKSA handler: drop every cached PMKSA entry through
 * the driver's flush_pmksa op. Only station and P2P client interfaces are
 * accepted; -EOPNOTSUPP for other types or when the driver has no such op.
 */
static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	bool client_iftype = wdev->iftype == NL80211_IFTYPE_STATION ||
			     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT;

	if (!client_iftype || !rdev->ops->flush_pmksa)
		return -EOPNOTSUPP;

	return rdev_flush_pmksa(rdev, dev);
}
10073 
/*
 * NL80211_CMD_TDLS_MGMT handler: forward a TDLS management frame request
 * to the driver. Requires WIPHY_FLAG_SUPPORTS_TDLS and a tdls_mgmt op
 * (-EOPNOTSUPP) as well as the action, status code, dialog token, IE blob
 * and peer MAC attributes (-EINVAL). Peer capability and the initiator
 * flag are optional (0 / false when absent). The peer and IE pointers
 * reference the netlink message; MAC length is assumed to be enforced by
 * the family policy - confirm against nl80211_policy.
 */
static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr **attrs = info->attrs;
	struct nlattr *ie_attr = attrs[NL80211_ATTR_IE];
	struct nlattr *cap_attr = attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY];
	u32 peer_capability;

	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
	    !rdev->ops->tdls_mgmt)
		return -EOPNOTSUPP;

	if (!attrs[NL80211_ATTR_TDLS_ACTION] ||
	    !attrs[NL80211_ATTR_STATUS_CODE] ||
	    !attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
	    !ie_attr ||
	    !attrs[NL80211_ATTR_MAC])
		return -EINVAL;

	peer_capability = cap_attr ? nla_get_u32(cap_attr) : 0;

	return rdev_tdls_mgmt(rdev, dev,
			      nla_data(attrs[NL80211_ATTR_MAC]),
			      nla_get_u8(attrs[NL80211_ATTR_TDLS_ACTION]),
			      nla_get_u8(attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]),
			      nla_get_u16(attrs[NL80211_ATTR_STATUS_CODE]),
			      peer_capability,
			      nla_get_flag(attrs[NL80211_ATTR_TDLS_INITIATOR]),
			      nla_data(ie_attr), nla_len(ie_attr));
}
10110 
/*
 * NL80211_CMD_TDLS_OPER handler: request the TDLS operation named by
 * NL80211_ATTR_TDLS_OPERATION for the peer in NL80211_ATTR_MAC from the
 * driver. Needs TDLS support and a tdls_oper op (-EOPNOTSUPP) plus both
 * attributes (-EINVAL); the peer pointer references the netlink message.
 */
static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *oper_attr = info->attrs[NL80211_ATTR_TDLS_OPERATION];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	bool tdls_supported = rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS;

	if (!tdls_supported || !rdev->ops->tdls_oper)
		return -EOPNOTSUPP;

	if (!oper_attr || !mac_attr)
		return -EINVAL;

	return rdev_tdls_oper(rdev, dev, nla_data(mac_attr),
			      nla_get_u8(oper_attr));
}
10131 
/*
 * NL80211_CMD_REMAIN_ON_CHANNEL handler: ask the driver to stay on the
 * requested channel for the requested duration and reply with the cookie
 * that identifies the operation (used by the cancel handler).
 *
 * Requires NL80211_ATTR_WIPHY_FREQ and NL80211_ATTR_DURATION (-EINVAL),
 * a remain_on_channel op plus WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL
 * (-EOPNOTSUPP), and a duration within the bounds checked below.
 * Returns -EBUSY when the wdev may not go off-channel and the requested
 * chandef is neither identical nor compatible with its current one.
 */
static int nl80211_remain_on_channel(struct sk_buff *skb,
				     struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct cfg80211_chan_def chandef;
	const struct cfg80211_chan_def *compat_chandef;
	struct sk_buff *msg;
	void *hdr;
	u64 cookie;
	u32 duration;
	int err;

	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
	    !info->attrs[NL80211_ATTR_DURATION])
		return -EINVAL;

	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);

	if (!rdev->ops->remain_on_channel ||
	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
		return -EOPNOTSUPP;

	/*
	 * We should be on that channel for at least a minimum amount of
	 * time (10ms) but no longer than the driver supports.
	 */
	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
	    duration > rdev->wiphy.max_remain_on_channel_duration)
		return -EINVAL;

	err = nl80211_parse_chandef(rdev, info, &chandef);
	if (err)
		return err;

	/* when the wdev may not leave its channel, the request must stay on
	 * its current chandef or one compatible with it
	 */
	wdev_lock(wdev);
	if (!cfg80211_off_channel_oper_allowed(wdev) &&
	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
							     &chandef);
		if (compat_chandef != &chandef) {
			wdev_unlock(wdev);
			return -EBUSY;
		}
	}
	wdev_unlock(wdev);

	/* build the reply skeleton before starting the operation */
	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_REMAIN_ON_CHANNEL);
	if (!hdr) {
		err = -ENOBUFS;
		goto free_msg;
	}

	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
				     duration, &cookie);

	if (err)
		goto free_msg;

	/* NOTE(review): the operation is already running in the driver at
	 * this point; if adding the cookie fails, user space only sees
	 * -ENOBUFS, never learns the cookie, and nothing here cancels it.
	 */
	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
			      NL80211_ATTR_PAD))
		goto nla_put_failure;

	genlmsg_end(msg, hdr);

	return genlmsg_reply(msg, info);

 nla_put_failure:
	err = -ENOBUFS;
 free_msg:
	nlmsg_free(msg);
	return err;
}
10210 
/*
 * NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL handler: cancel the off-channel
 * operation identified by NL80211_ATTR_COOKIE (-EINVAL without it).
 * -EOPNOTSUPP when the driver has no cancel_remain_on_channel op;
 * otherwise the driver's result.
 */
static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
					    struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *cookie_attr = info->attrs[NL80211_ATTR_COOKIE];

	if (!cookie_attr)
		return -EINVAL;

	if (!rdev->ops->cancel_remain_on_channel)
		return -EOPNOTSUPP;

	return rdev_cancel_remain_on_channel(rdev, wdev,
					    nla_get_u64(cookie_attr));
}
10228 
/*
 * NL80211_CMD_SET_TX_BITRATE_MASK handler: parse the requested TX rate
 * mask from the message and apply it to the whole interface (no peer
 * address). -EOPNOTSUPP when the driver lacks set_bitrate_mask; otherwise
 * the parse error or the driver's result.
 */
static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct cfg80211_bitrate_mask rate_mask;
	int ret;

	if (!rdev->ops->set_bitrate_mask)
		return -EOPNOTSUPP;

	ret = nl80211_parse_tx_bitrate_mask(info, &rate_mask);
	if (ret)
		return ret;

	/* NULL peer: the mask applies to the interface as a whole */
	return rdev_set_bitrate_mask(rdev, dev, NULL, &rate_mask);
}
10246 
/*
 * NL80211_CMD_REGISTER_FRAME handler: register the requesting socket
 * (info->snd_portid) with cfg80211_mlme_register_mgmt() for management
 * frames of the given type that match NL80211_ATTR_FRAME_MATCH. The
 * frame type defaults to action frames. -EINVAL without a match pattern,
 * -EOPNOTSUPP for interface types not listed below or when the driver
 * cannot transmit management frames (so replies would be impossible).
 */
static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *match = info->attrs[NL80211_ATTR_FRAME_MATCH];
	struct nlattr *type_attr = info->attrs[NL80211_ATTR_FRAME_TYPE];
	u16 frame_type;

	if (!match)
		return -EINVAL;

	/* default to action frames unless the caller names a frame type */
	frame_type = type_attr ? nla_get_u16(type_attr)
			       : (IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION);

	switch (wdev->iftype) {
	case NL80211_IFTYPE_NAN:
		/* explicitly unsupported, like every type not listed */
		return -EOPNOTSUPP;
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_ADHOC:
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_MESH_POINT:
	case NL80211_IFTYPE_P2P_GO:
	case NL80211_IFTYPE_P2P_DEVICE:
		break;
	default:
		return -EOPNOTSUPP;
	}

	/* not much point in registering if we can't reply */
	if (!rdev->ops->mgmt_tx)
		return -EOPNOTSUPP;

	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
					   nla_data(match), nla_len(match));
}
10282 
/*
 * NL80211_CMD_FRAME handler: transmit the management frame carried in
 * NL80211_ATTR_FRAME through cfg80211_mlme_mgmt_tx(). Unless
 * NL80211_ATTR_DONT_WAIT_FOR_ACK is set, the reply carries the cookie
 * that later TX-status / cancel-wait operations refer to.
 *
 * Validation order: frame attribute (-EINVAL), mgmt_tx op (-EOPNOTSUPP),
 * interface type, then the optional duration / off-channel / channel
 * attributes against WIPHY_FLAG_OFFCHAN_TX and the driver limits.
 * CSA countdown offsets, when given, must each lie inside the frame.
 * The frame and offset pointers reference the netlink message; attribute
 * types and lengths are assumed to be checked by the family policy before
 * dispatch - confirm against nl80211_policy.
 */
static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct cfg80211_chan_def chandef;
	int err;
	void *hdr = NULL;
	u64 cookie;
	struct sk_buff *msg = NULL;
	struct cfg80211_mgmt_tx_params params = {
		.dont_wait_for_ack =
			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
	};

	if (!info->attrs[NL80211_ATTR_FRAME])
		return -EINVAL;

	if (!rdev->ops->mgmt_tx)
		return -EOPNOTSUPP;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_P2P_DEVICE:
		/* a P2P device has no operating channel, so one is required */
		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
			return -EINVAL;
		/* fall through */
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_ADHOC:
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_MESH_POINT:
	case NL80211_IFTYPE_P2P_GO:
		break;
	case NL80211_IFTYPE_NAN:
	default:
		return -EOPNOTSUPP;
	}

	if (info->attrs[NL80211_ATTR_DURATION]) {
		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
			return -EINVAL;
		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);

		/*
		 * We should wait on the channel for at least a minimum amount
		 * of time (10ms) but no longer than the driver supports.
		 */
		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
			return -EINVAL;
	}

	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];

	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
		return -EINVAL;

	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);

	/* get the channel if any has been specified, otherwise pass NULL to
	 * the driver. The latter will use the current one
	 */
	chandef.chan = NULL;	/* only .chan of chandef is read below */
	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
		err = nl80211_parse_chandef(rdev, info, &chandef);
		if (err)
			return err;
	}

	/* off-channel TX without an explicit channel makes no sense */
	if (!chandef.chan && params.offchan)
		return -EINVAL;

	wdev_lock(wdev);
	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
		wdev_unlock(wdev);
		return -EBUSY;
	}
	wdev_unlock(wdev);

	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);

	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
		int i;

		/* the attribute is an array of u16 offsets into the frame */
		if (len % sizeof(u16))
			return -EINVAL;

		params.n_csa_offsets = len / sizeof(u16);
		params.csa_offsets =
			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);

		/* check that all the offsets fit the frame */
		for (i = 0; i < params.n_csa_offsets; i++) {
			if (params.csa_offsets[i] >= params.len)
				return -EINVAL;
		}
	}

	/* the cookie reply is only built when the caller waits for TX
	 * status; otherwise msg stays NULL and no reply is sent
	 */
	if (!params.dont_wait_for_ack) {
		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
		if (!msg)
			return -ENOMEM;

		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
				     NL80211_CMD_FRAME);
		if (!hdr) {
			err = -ENOBUFS;
			goto free_msg;
		}
	}

	params.chan = chandef.chan;
	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
	if (err)
		goto free_msg;	/* msg may be NULL here; nlmsg_free() tolerates that */

	if (msg) {
		/* NOTE(review): the frame is already queued at this point;
		 * a failed nla_put loses the cookie and reports -ENOBUFS
		 */
		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
				      NL80211_ATTR_PAD))
			goto nla_put_failure;

		genlmsg_end(msg, hdr);
		return genlmsg_reply(msg, info);
	}

	return 0;

 nla_put_failure:
	err = -ENOBUFS;
 free_msg:
	nlmsg_free(msg);
	return err;
}
10417 
/*
 * Handler for cancelling the post-TX channel wait of a management frame
 * transmission identified by NL80211_ATTR_COOKIE (-EINVAL without it).
 * Needs a mgmt_tx_cancel_wait op and one of the interface types listed
 * below (-EOPNOTSUPP otherwise); returns the driver's result.
 */
static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *cookie_attr = info->attrs[NL80211_ATTR_COOKIE];

	if (!cookie_attr)
		return -EINVAL;

	if (!rdev->ops->mgmt_tx_cancel_wait)
		return -EOPNOTSUPP;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_NAN:
		/* explicitly unsupported, like every type not listed */
		return -EOPNOTSUPP;
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_ADHOC:
	case NL80211_IFTYPE_P2P_CLIENT:
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_P2P_GO:
	case NL80211_IFTYPE_P2P_DEVICE:
		break;
	default:
		return -EOPNOTSUPP;
	}

	return rdev_mgmt_tx_cancel_wait(rdev, wdev, nla_get_u64(cookie_attr));
}
10448 
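/*
 * NL80211_CMD_SET_POWER_SAVE handler: switch station power management on
 * or off through the driver's set_power_mgmt op.
 *
 * NL80211_ATTR_PS_STATE is mandatory (-EINVAL): NL80211_PS_ENABLED turns
 * power save on, any other value is treated as off. The wdev's existing
 * ps_timeout is kept. A request matching the cached wdev->ps state is a
 * no-op returning 0; the cache is updated only when the driver accepts
 * the change. -EOPNOTSUPP when the driver has no set_power_mgmt op.
 */
static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	u32 ps_state;
	bool enable;
	int err;

	if (!info->attrs[NL80211_ATTR_PS_STATE])
		return -EINVAL;

	if (!rdev->ops->set_power_mgmt)
		return -EOPNOTSUPP;

	/* keep the attribute at its u32 width: narrowing it to u8 first
	 * would let values such as 257 alias NL80211_PS_ENABLED
	 */
	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
	enable = ps_state == NL80211_PS_ENABLED;

	if (enable == wdev->ps)
		return 0;

	err = rdev_set_power_mgmt(rdev, dev, enable, wdev->ps_timeout);
	if (!err)
		wdev->ps = enable;

	return err;
}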
10478 
/*
 * NL80211_CMD_GET_POWER_SAVE handler: report the cached power save state
 * of the interface (wdev->ps) as NL80211_ATTR_PS_STATE in a reply
 * message. -EOPNOTSUPP when the driver has no set_power_mgmt op,
 * -ENOMEM / -ENOBUFS when the reply cannot be built.
 */
static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct sk_buff *reply;
	void *hdr;
	u32 ps_state;

	if (!rdev->ops->set_power_mgmt)
		return -EOPNOTSUPP;

	reply = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!reply)
		return -ENOMEM;

	hdr = nl80211hdr_put(reply, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_GET_POWER_SAVE);
	if (!hdr)
		goto put_failure;

	/* the state reported is cfg80211's cache, not read from the driver */
	ps_state = wdev->ps ? NL80211_PS_ENABLED : NL80211_PS_DISABLED;
	if (nla_put_u32(reply, NL80211_ATTR_PS_STATE, ps_state))
		goto put_failure;

	genlmsg_end(reply, hdr);
	return genlmsg_reply(reply, info);

put_failure:
	nlmsg_free(reply);
	return -ENOBUFS;
}
10522 
/* Policy for the NL80211_ATTR_CQM nest parsed by nl80211_set_cqm().
 * RSSI_THOLD is an opaque binary blob with no length bound here;
 * nl80211_set_cqm() checks that its length is a multiple of 4 and treats
 * it as an array of s32 thresholds.
 */
static const struct nla_policy
nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
};
10533 
/*
 * Configure TX error monitoring (rate of failed frames over 'pkts'
 * packets within 'intvl') through the driver's set_cqm_txe_config op.
 * 'rate' is capped at 100 (presumably a percentage) and 'intvl' at
 * NL80211_CQM_TXE_MAX_INTVL (-EINVAL). Only station and P2P client
 * interfaces with a capable driver are accepted (-EOPNOTSUPP).
 */
static int nl80211_set_cqm_txe(struct genl_info *info,
			       u32 rate, u32 pkts, u32 intvl)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	bool client_iftype;

	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
		return -EINVAL;

	if (!rdev->ops->set_cqm_txe_config)
		return -EOPNOTSUPP;

	client_iftype = wdev->iftype == NL80211_IFTYPE_STATION ||
			wdev->iftype == NL80211_IFTYPE_P2P_CLIENT;
	if (!client_iftype)
		return -EOPNOTSUPP;

	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
}
10553 
/*
 * (Re)program the driver's RSSI range trigger from wdev->cqm_config.
 *
 * With no config the range is cleared (0, 0). Otherwise the last known
 * RSSI value is located among the sorted thresholds and the driver is
 * asked to report when the signal leaves the window between the two
 * neighbouring thresholds, widened by the hysteresis; the outermost
 * windows extend to S32_MIN / S32_MAX. If no RSSI event has been seen
 * yet, the current beacon signal average is fetched through
 * get_station() when a BSS is present.
 *
 * The visible caller, nl80211_set_cqm_rssi(), holds the wdev lock across
 * this call. Returns the driver's result or a get_station() error.
 */
static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
				    struct net_device *dev)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	s32 last, low, high;
	u32 hyst;
	int i, n, low_index;
	int err;

	/* RSSI reporting disabled? */
	if (!wdev->cqm_config)
		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);

	/*
	 * Obtain current RSSI value if possible, if not and no RSSI threshold
	 * event has been received yet, we should receive an event after a
	 * connection is established and enough beacons received to calculate
	 * the average.
	 */
	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
	    rdev->ops->get_station) {
		struct station_info sinfo = {};
		u8 *mac_addr;

		mac_addr = wdev->current_bss->pub.bssid;

		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
		if (err)
			return err;

		/* the cast reinterprets the average as a signed value
		 * (presumably dBm, matching the s32 thresholds)
		 */
		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
			wdev->cqm_config->last_rssi_event_value =
				(s8) sinfo.rx_beacon_signal_avg;
	}

	last = wdev->cqm_config->last_rssi_event_value;
	hyst = wdev->cqm_config->rssi_hyst;
	n = wdev->cqm_config->n_rssi_thresholds;

	/* find the first threshold above 'last'; i == n if there is none */
	for (i = 0; i < n; i++)
		if (last < wdev->cqm_config->rssi_thresholds[i])
			break;

	low_index = i - 1;
	if (low_index >= 0) {
		/* clamp the index under speculation (Spectre v1 hardening) */
		low_index = array_index_nospec(low_index, n);
		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
	} else {
		low = S32_MIN;
	}
	if (i < n) {
		i = array_index_nospec(i, n);
		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
	} else {
		high = S32_MAX;
	}

	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
}
10613 
/*
 * Configure RSSI connection-quality monitoring from a user-supplied list
 * of thresholds.
 *
 * @thresholds: n_thresholds s32 values pointing into the netlink message;
 *	all must be <= 0 and strictly increasing (-EINVAL otherwise). An
 *	empty list, or a single 0, disables monitoring.
 * @hysteresis: applied around each threshold.
 *
 * Only station and P2P client interfaces are accepted (-EOPNOTSUPP). Any
 * earlier configuration is dropped first, even if the request is then
 * rejected. A single threshold goes through the legacy set_cqm_rssi_config
 * op when the driver has one; otherwise the list needs
 * NL80211_EXT_FEATURE_CQM_RSSI_LIST, is copied into a freshly allocated
 * wdev->cqm_config, and cfg80211_cqm_rssi_update() programs the driver.
 */
static int nl80211_set_cqm_rssi(struct genl_info *info,
				const s32 *thresholds, int n_thresholds,
				u32 hysteresis)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	int i, err;
	s32 prev = S32_MIN;

	/* Check all values negative and sorted */
	for (i = 0; i < n_thresholds; i++) {
		if (thresholds[i] > 0 || thresholds[i] <= prev)
			return -EINVAL;

		prev = thresholds[i];
	}

	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	/* the old configuration goes away regardless of what follows */
	wdev_lock(wdev);
	cfg80211_cqm_config_free(wdev);
	wdev_unlock(wdev);

	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);

		return rdev_set_cqm_rssi_config(rdev, dev,
						thresholds[0], hysteresis);
	}

	if (!wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
		return -EOPNOTSUPP;

	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
		n_thresholds = 0;

	wdev_lock(wdev);
	if (n_thresholds) {
		struct cfg80211_cqm_config *cqm_config;

		/* n_thresholds derives from an attribute length in
		 * nl80211_set_cqm(), so the size stays small
		 */
		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
				     n_thresholds * sizeof(s32), GFP_KERNEL);
		if (!cqm_config) {
			err = -ENOMEM;
			goto unlock;
		}

		cqm_config->rssi_hyst = hysteresis;
		cqm_config->n_rssi_thresholds = n_thresholds;
		/* copy out of the message so the config can outlive the call */
		memcpy(cqm_config->rssi_thresholds, thresholds,
		       n_thresholds * sizeof(s32));

		wdev->cqm_config = cqm_config;
	}

	/* with n_thresholds == 0 this clears the driver's range trigger */
	err = cfg80211_cqm_rssi_update(rdev, dev);

unlock:
	wdev_unlock(wdev);

	return err;
}
10681 
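/*
 * NL80211_CMD_SET_CQM handler: parse the NL80211_ATTR_CQM nest with
 * nl80211_attr_cqm_policy and dispatch to the RSSI configuration
 * (threshold blob + hysteresis) or the TX error configuration
 * (rate + pkts + intvl). -EINVAL when the nest is missing, the threshold
 * blob is not whole s32 elements, or neither attribute set is complete;
 * otherwise the parse error or the result of the dispatched helper.
 */
static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
{
	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
	struct nlattr *cqm;
	int err;

	cqm = info->attrs[NL80211_ATTR_CQM];
	if (!cqm)
		return -EINVAL;

	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
					  nl80211_attr_cqm_policy,
					  info->extack);
	if (err)
		return err;

	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
		const s32 *thresholds =
			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);

		/* the blob is an array of s32, so it must be whole elements
		 * (sizeof(s32) rather than a bare 4, as the u16 offset
		 * check in nl80211_tx_mgmt() does)
		 */
		if (len % sizeof(s32))
			return -EINVAL;

		return nl80211_set_cqm_rssi(info, thresholds,
					    len / sizeof(s32), hysteresis);
	}

	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);

		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
	}

	return -EINVAL;
}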
10724 
/*
 * NL80211_CMD_JOIN_OCB handler: join an OCB (outside the context of a
 * BSS) network on the channel described by the request's channel
 * attributes.
 *
 * Returns 0 on success, the error from nl80211_parse_chandef() when the
 * channel definition is invalid, or the error from cfg80211_join_ocb().
 */
static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct ocb_setup setup = {};
	int ret;

	/* the channel is the only setup parameter OCB takes */
	ret = nl80211_parse_chandef(rdev, info, &setup.chandef);
	if (ret)
		return ret;

	return cfg80211_join_ocb(rdev, dev, &setup);
}
10738 
/*
 * NL80211_CMD_LEAVE_OCB handler: leave the OCB network the interface is
 * currently part of.  Thin wrapper around cfg80211_leave_ocb().
 *
 * Returns whatever cfg80211_leave_ocb() returns.
 */
static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];

	return cfg80211_leave_ocb(rdev, info->user_ptr[1]);
}
10746 
/*
 * NL80211_CMD_JOIN_MESH handler.
 *
 * Builds a mesh_config / mesh_setup pair starting from the defaults and
 * overlays whatever the request supplies: mesh config, mesh ID, multicast
 * rate, beacon interval, DTIM period, mesh setup parameters, channel,
 * basic rates, beacon TX rate, DFS handling and control port over
 * nl80211.  The result is handed to __cfg80211_join_mesh() under the
 * wdev lock; if NL80211_ATTR_SOCKET_OWNER is present and the join
 * succeeds, the requesting netlink port is recorded as
 * conn_owner_nlportid.
 *
 * The mesh ID is mandatory and must not be empty.  The DTIM period must
 * be in 1..100.  Band-dependent attributes (basic rates, TX rates) are
 * only accepted when a channel has been given.
 *
 * Returns 0 or a negative errno from validation or the join itself.
 */
static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr **attrs = info->attrs;
	/* start from the defaults and overlay what the request carries */
	struct mesh_config cfg = default_mesh_config;
	struct mesh_setup setup = default_mesh_setup;
	int ret;

	if (attrs[NL80211_ATTR_MESH_CONFIG]) {
		ret = nl80211_parse_mesh_config(info, &cfg, NULL);
		if (ret)
			return ret;
	}

	/* the mesh ID is mandatory and must not be empty */
	if (!attrs[NL80211_ATTR_MESH_ID] ||
	    !nla_len(attrs[NL80211_ATTR_MESH_ID]))
		return -EINVAL;
	setup.mesh_id = nla_data(attrs[NL80211_ATTR_MESH_ID]);
	setup.mesh_id_len = nla_len(attrs[NL80211_ATTR_MESH_ID]);

	if (attrs[NL80211_ATTR_MCAST_RATE]) {
		u32 mcast_rate = nla_get_u32(attrs[NL80211_ATTR_MCAST_RATE]);

		if (!nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
					      mcast_rate))
			return -EINVAL;
	}

	if (attrs[NL80211_ATTR_BEACON_INTERVAL]) {
		setup.beacon_interval =
			nla_get_u32(attrs[NL80211_ATTR_BEACON_INTERVAL]);
		ret = cfg80211_validate_beacon_int(rdev,
						   NL80211_IFTYPE_MESH_POINT,
						   setup.beacon_interval);
		if (ret)
			return ret;
	}

	if (attrs[NL80211_ATTR_DTIM_PERIOD]) {
		setup.dtim_period =
			nla_get_u32(attrs[NL80211_ATTR_DTIM_PERIOD]);
		/* only 1..100 is accepted */
		if (setup.dtim_period < 1 || setup.dtim_period > 100)
			return -EINVAL;
	}

	if (attrs[NL80211_ATTR_MESH_SETUP]) {
		ret = nl80211_parse_mesh_setup(info, &setup);
		if (ret)
			return ret;
	}

	/* with a userspace MPM, peer links are not opened automatically */
	if (setup.user_mpm)
		cfg.auto_open_plinks = false;

	if (attrs[NL80211_ATTR_WIPHY_FREQ]) {
		ret = nl80211_parse_chandef(rdev, info, &setup.chandef);
		if (ret)
			return ret;
	} else {
		/* no channel given: __cfg80211_join_mesh() sorts it out */
		setup.chandef.chan = NULL;
	}

	if (attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
		struct nlattr *rates_attr = attrs[NL80211_ATTR_BSS_BASIC_RATES];
		struct ieee80211_supported_band *sband;

		/* the rate set is per band, so a channel is required */
		if (!setup.chandef.chan)
			return -EINVAL;
		sband = rdev->wiphy.bands[setup.chandef.chan->band];

		ret = ieee80211_get_ratemask(sband, nla_data(rates_attr),
					     nla_len(rates_attr),
					     &setup.basic_rates);
		if (ret)
			return ret;
	}

	if (attrs[NL80211_ATTR_TX_RATES]) {
		ret = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
		if (ret)
			return ret;

		/* the beacon rate is validated against the channel's band */
		if (!setup.chandef.chan)
			return -EINVAL;

		ret = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
					      &setup.beacon_rate);
		if (ret)
			return ret;
	}

	setup.userspace_handles_dfs =
		nla_get_flag(attrs[NL80211_ATTR_HANDLE_DFS]);

	if (attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
		ret = validate_pae_over_nl80211(rdev, info);
		if (ret < 0)
			return ret;

		setup.control_port_over_nl80211 = true;
	}

	wdev_lock(wdev);
	ret = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
	/* on success, optionally tie the mesh to the requesting socket */
	if (!ret && attrs[NL80211_ATTR_SOCKET_OWNER])
		wdev->conn_owner_nlportid = info->snd_portid;
	wdev_unlock(wdev);

	return ret;
}
10866 
/*
 * NL80211_CMD_LEAVE_MESH handler: leave the mesh the interface has
 * joined.  Thin wrapper around cfg80211_leave_mesh().
 *
 * Returns whatever cfg80211_leave_mesh() returns.
 */
static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];

	return cfg80211_leave_mesh(rdev, info->user_ptr[1]);
}
10874 
10875 #ifdef CONFIG_PM
/*
 * Emit the NL80211_WOWLAN_TRIG_PKT_PATTERN list of the wiphy's current
 * WoWLAN configuration into @msg.  Each pattern becomes a nest numbered
 * from 1 carrying its bit mask (one bit per pattern byte, rounded up to
 * whole bytes), the pattern bytes and the packet offset.
 *
 * The caller must have checked that rdev->wiphy.wowlan_config is set.
 *
 * Returns 0 (also when there are no patterns) or -ENOBUFS when the
 * message runs out of room.
 */
static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
					struct cfg80211_registered_device *rdev)
{
	const struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
	struct nlattr *list;
	int i;

	if (!wowlan->n_patterns)
		return 0;

	list = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
	if (!list)
		return -ENOBUFS;

	for (i = 0; i < wowlan->n_patterns; i++) {
		const struct cfg80211_pkt_pattern *pat = &wowlan->patterns[i];
		struct nlattr *entry = nla_nest_start_noflag(msg, i + 1);

		if (!entry)
			return -ENOBUFS;
		if (nla_put(msg, NL80211_PKTPAT_MASK,
			    DIV_ROUND_UP(pat->pattern_len, 8), pat->mask) ||
		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat->pattern_len,
			    pat->pattern) ||
		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET, pat->pkt_offset))
			return -ENOBUFS;
		nla_nest_end(msg, entry);
	}
	nla_nest_end(msg, list);

	return 0;
}
10908 
/*
 * Emit the NL80211_WOWLAN_TRIG_TCP_CONNECTION nest describing the
 * configured TCP wakeup connection @tcp; a NULL @tcp emits nothing.
 *
 * Endpoints, the keepalive payload and interval, the wake payload and
 * its mask (one bit per wake byte, rounded up) are always present; the
 * sequence-number and token descriptors only when their len is non-zero.
 * The token attribute carries the descriptor header followed by the
 * token stream that lives right behind it in the allocation.
 *
 * Returns 0 or -ENOBUFS when the message runs out of room.
 */
static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
				   struct cfg80211_wowlan_tcp *tcp)
{
	struct nlattr *nest;

	if (!tcp)
		return 0;

	nest = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
	if (!nest)
		return -ENOBUFS;

	/* connection endpoints */
	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port))
		return -ENOBUFS;

	/* keepalive payload and the wake-up pattern with its bit mask */
	if (nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
		    tcp->payload_len, tcp->payload) ||
	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
			tcp->data_interval) ||
	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
		    tcp->wake_len, tcp->wake_data) ||
	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
		return -ENOBUFS;

	/* optional sequence-number substitution descriptor */
	if (tcp->payload_seq.len &&
	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
		    sizeof(tcp->payload_seq), &tcp->payload_seq))
		return -ENOBUFS;

	/* optional token descriptor, header plus trailing token stream */
	if (tcp->payload_tok.len &&
	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
		    sizeof(tcp->payload_tok) + tcp->tokens_size,
		    &tcp->payload_tok))
		return -ENOBUFS;

	nla_nest_end(msg, nest);

	return 0;
}
10952 
/*
 * Emit the NL80211_WOWLAN_TRIG_NET_DETECT nest describing the scheduled
 * scan @req that arms net-detect wakeup; a NULL @req emits nothing.
 *
 * Reports, in order: the legacy single interval (only when exactly one
 * plan exists, as the first plan's interval multiplied by 1000), the
 * delay, the relative RSSI and its band adjustment when set, the channel
 * frequencies, the SSID match sets (when any) and the scan plans.
 *
 * Note that match-set nests are numbered from 0 while channel and plan
 * nests are numbered from 1 / indexed by position; this is preserved
 * as-is since userspace parses it that way.
 *
 * Returns 0 or -ENOBUFS when the message runs out of room.
 */
static int nl80211_send_wowlan_nd(struct sk_buff *msg,
				  struct cfg80211_sched_scan_request *req)
{
	struct nlattr *nd, *nest;
	int i;

	if (!req)
		return 0;

	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
	if (!nd)
		return -ENOBUFS;

	/* legacy single-interval attribute: first plan's interval x 1000 */
	if (req->n_scan_plans == 1 &&
	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
			req->scan_plans[0].interval * 1000))
		return -ENOBUFS;

	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
		return -ENOBUFS;

	if (req->relative_rssi_set) {
		struct nl80211_bss_select_rssi_adjust adjust = {
			.band = req->rssi_adjust.band,
			.delta = req->rssi_adjust.delta,
		};

		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
			       req->relative_rssi) ||
		    nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
			    sizeof(adjust), &adjust))
			return -ENOBUFS;
	}

	/* channel list, one u32 center frequency per channel */
	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
	if (!nest)
		return -ENOBUFS;
	for (i = 0; i < req->n_channels; i++) {
		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
			return -ENOBUFS;
	}
	nla_nest_end(msg, nest);

	/* SSID match sets, only when there are any */
	if (req->n_match_sets) {
		nest = nla_nest_start_noflag(msg,
					     NL80211_ATTR_SCHED_SCAN_MATCH);
		if (!nest)
			return -ENOBUFS;

		for (i = 0; i < req->n_match_sets; i++) {
			struct nlattr *match = nla_nest_start_noflag(msg, i);

			if (!match)
				return -ENOBUFS;
			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
				    req->match_sets[i].ssid.ssid_len,
				    req->match_sets[i].ssid.ssid))
				return -ENOBUFS;
			nla_nest_end(msg, match);
		}
		nla_nest_end(msg, nest);
	}

	/* scan plans; the iteration count is omitted when zero */
	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
	if (!nest)
		return -ENOBUFS;
	for (i = 0; i < req->n_scan_plans; i++) {
		const struct cfg80211_sched_scan_plan *plan =
			&req->scan_plans[i];
		struct nlattr *plan_nest = nla_nest_start_noflag(msg, i + 1);

		if (!plan_nest)
			return -ENOBUFS;
		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
				plan->interval))
			return -ENOBUFS;
		if (plan->iterations &&
		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
				plan->iterations))
			return -ENOBUFS;
		nla_nest_end(msg, plan_nest);
	}
	nla_nest_end(msg, nest);

	nla_nest_end(msg, nd);

	return 0;
}
11042 
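/*
 * NL80211_CMD_GET_WOWLAN handler: report the wiphy's current WoWLAN
 * trigger configuration, or a message with no triggers when none is set.
 *
 * The reply buffer is sized up front for the variable-length parts (the
 * TCP connection blobs and the packet patterns) so that a large but valid
 * configuration does not fail with -ENOBUFS.  nla_put() still checks the
 * real space, so an underestimate fails the request rather than
 * overrunning anything.
 *
 * Returns 0 after queuing the reply, -EOPNOTSUPP when the device has no
 * WoWLAN support, -ENOMEM when the reply cannot be allocated or -ENOBUFS
 * when it does not fit.
 */
static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	const struct cfg80211_wowlan *config = rdev->wiphy.wowlan_config;
	struct sk_buff *msg;
	void *hdr;
	u32 size = NLMSG_DEFAULT_SIZE;
	int i;

	if (!rdev->wiphy.wowlan)
		return -EOPNOTSUPP;

	if (config && config->tcp) {
		/*
		 * Room for the TCP blobs.  The wake mask is one bit per wake
		 * payload byte rounded up to whole bytes, matching what
		 * nl80211_send_wowlan_tcp() puts into the message.
		 */
		size += config->tcp->tokens_size +
			config->tcp->payload_len +
			config->tcp->wake_len +
			DIV_ROUND_UP(config->tcp->wake_len, 8);
	}

	if (config) {
		/* room for every packet pattern: mask and pattern bytes */
		for (i = 0; i < config->n_patterns; i++) {
			int pat_len = config->patterns[i].pattern_len;

			size += nla_total_size(pat_len) +
				nla_total_size(DIV_ROUND_UP(pat_len, 8));
		}
	}

	msg = nlmsg_new(size, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_GET_WOWLAN);
	if (!hdr)
		goto nla_put_failure;

	if (config) {
		struct nlattr *nl_wowlan;

		nl_wowlan = nla_nest_start_noflag(msg,
						  NL80211_ATTR_WOWLAN_TRIGGERS);
		if (!nl_wowlan)
			goto nla_put_failure;

		/* simple flag triggers */
		if ((config->any &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
		    (config->disconnect &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
		    (config->magic_pkt &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
		    (config->gtk_rekey_failure &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
		    (config->eap_identity_req &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
		    (config->four_way_handshake &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
		    (config->rfkill_release &&
		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
			goto nla_put_failure;

		/* variable-length triggers; each helper skips what is unset */
		if (nl80211_send_wowlan_patterns(msg, rdev) ||
		    nl80211_send_wowlan_tcp(msg, config->tcp) ||
		    nl80211_send_wowlan_nd(msg, config->nd_config))
			goto nla_put_failure;

		nla_nest_end(msg, nl_wowlan);
	}

	genlmsg_end(msg, hdr);
	return genlmsg_reply(msg, info);

nla_put_failure:
	nlmsg_free(msg);
	return -ENOBUFS;
}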
11116 
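/*
 * Parse the NL80211_WOWLAN_TRIG_TCP_CONNECTION nested attribute into a
 * freshly allocated struct cfg80211_wowlan_tcp and hang it off
 * @trig->tcp.
 *
 * Every size and offset comes from userspace and is checked against the
 * limits the driver advertised in wiphy->wowlan->tcp before anything is
 * copied.  The data payload, wake payload, wake mask and token stream
 * live in the same allocation as the config struct, laid out as
 *
 *   [cfg (token stream trails its payload_tok)] [payload] [wake] [mask]
 *
 * so a single kfree() releases everything.  With CONFIG_INET a TCP socket
 * is created and bound to reserve the source port (0 = pick one); the
 * bound port is what gets reported back.
 *
 * Ownership: on success @trig->tcp is set and the caller owns the
 * allocation and the socket.  On failure nothing is leaked and @trig is
 * untouched.
 *
 * Returns 0, -EINVAL for a missing/malformed/over-limit attribute,
 * -ENOMEM, -EADDRINUSE when the source port cannot be bound, or the
 * error from socket creation.
 */
static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
				    struct nlattr *attr,
				    struct cfg80211_wowlan *trig)
{
	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
	struct cfg80211_wowlan_tcp *cfg;
	struct nl80211_wowlan_tcp_data_token *tok = NULL;
	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
	u32 size;
	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
	u32 interval;
	int err, port;

	if (!rdev->wiphy.wowlan->tcp)
		return -EINVAL;

	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
					  nl80211_wowlan_tcp_policy, NULL);
	if (err)
		return err;

	/* only the source port, token and sequence descriptors are optional */
	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
		return -EINVAL;

	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
		return -EINVAL;

	interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
	if (interval == 0 ||
	    interval > rdev->wiphy.wowlan->tcp->data_interval_max)
		return -EINVAL;

	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
		return -EINVAL;

	/* the wake mask carries one bit per wake payload byte */
	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
		return -EINVAL;

	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);

		/*
		 * The attribute policy is expected to enforce a minimum
		 * length of sizeof(*tok); check it here as well so the
		 * header reads below and the tokens_size subtraction do
		 * not depend on the policy table staying that way.
		 */
		if (tokln < sizeof(*tok))
			return -EINVAL;

		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
		tokens_size = tokln - sizeof(*tok);

		/* the stream must be a whole number of tokens */
		if (!tok->len || tokens_size % tok->len)
			return -EINVAL;
		if (!rdev->wiphy.wowlan->tcp->tok)
			return -EINVAL;
		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
			return -EINVAL;
		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
			return -EINVAL;
		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
			return -EINVAL;
		/*
		 * The token window must lie inside the data payload.  Both
		 * fields are u32 from userspace, so compare without forming
		 * offset + len, which could wrap around and pass.
		 */
		if (tok->offset > data_size ||
		    tok->len > data_size - tok->offset)
			return -EINVAL;
	}

	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
		u32 seqln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);

		/* same belt-and-braces minimum length as for the token */
		if (seqln < sizeof(*seq))
			return -EINVAL;

		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
		if (!rdev->wiphy.wowlan->tcp->seq)
			return -EINVAL;
		if (seq->len == 0 || seq->len > 4)
			return -EINVAL;
		/* overflow-safe containment check, as for the token */
		if (seq->offset > data_size ||
		    seq->len > data_size - seq->offset)
			return -EINVAL;
	}

	/* one allocation: struct, token stream, payload, wake data, mask */
	size = sizeof(*cfg);
	size += data_size;
	size += wake_size + wake_mask_size;
	size += tokens_size;

	cfg = kzalloc(size, GFP_KERNEL);
	if (!cfg)
		return -ENOMEM;
	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
	       ETH_ALEN);
	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
	else
		port = 0;
#ifdef CONFIG_INET
	/* allocate a socket and reserve the source port through it */
	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
			    IPPROTO_TCP, &cfg->sock, 1);
	if (err) {
		kfree(cfg);
		return err;
	}
	if (inet_csk_get_port(cfg->sock->sk, port)) {
		sock_release(cfg->sock);
		kfree(cfg);
		return -EADDRINUSE;
	}
	/* report the port actually bound (matters when 0 was requested) */
	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
#else
	/* without INET there is nothing to pick a port for us */
	if (!port) {
		kfree(cfg);
		return -EINVAL;
	}
	cfg->src_port = port;
#endif

	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
	cfg->payload_len = data_size;
	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
	memcpy((void *)cfg->payload,
	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
	       data_size);
	if (seq)
		cfg->payload_seq = *seq;
	cfg->data_interval = interval;
	cfg->wake_len = wake_size;
	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
	memcpy((void *)cfg->wake_data,
	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
	       wake_size);
	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
			 data_size + wake_size;
	memcpy((void *)cfg->wake_mask,
	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
	       wake_mask_size);
	if (tok) {
		/* header plus stream; the stream lands in the trailing space */
		cfg->tokens_size = tokens_size;
		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
	}

	trig->tcp = cfg;

	return 0;
}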
11260 
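/*
 * Parse the NL80211_WOWLAN_TRIG_NET_DETECT nested attribute into a
 * scheduled scan request stored in @trig->nd_config.
 *
 * The nest uses the top-level nl80211 attribute space, so a full
 * NUM_NL80211_ATTR pointer table is needed; it is only allocated once
 * the driver is known to support net-detect, so an unsupported request
 * is rejected without touching the allocator.  Parsing itself is done by
 * nl80211_parse_sched_scan() with the driver's match-set limit.
 *
 * On failure @trig->nd_config is left NULL so the caller's cleanup can
 * kfree() it unconditionally.
 *
 * Returns 0, -EOPNOTSUPP when WIPHY_WOWLAN_NET_DETECT is not advertised,
 * -ENOMEM, or the error from attribute / sched-scan parsing.
 */
static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
				   const struct wiphy_wowlan_support *wowlan,
				   struct nlattr *attr,
				   struct cfg80211_wowlan *trig)
{
	struct nlattr **tb;
	int err;

	/* refuse before allocating the attribute table */
	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT))
		return -EOPNOTSUPP;

	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
	if (!tb)
		return -ENOMEM;

	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
					  nl80211_policy, NULL);
	if (err)
		goto out;

	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
						   wowlan->max_nd_match_sets);
	err = PTR_ERR_OR_ZERO(trig->nd_config);
	if (err)
		trig->nd_config = NULL;

out:
	kfree(tb);
	return err;
}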
11293 
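/*
 * Parse the NL80211_WOWLAN_TRIG_PKT_PATTERN list of a SET_WOWLAN request
 * into @trig->patterns.
 *
 * Each entry is a (mask, pattern, optional offset) triple; the mask has
 * one bit per pattern byte, rounded up to whole bytes.  Every count,
 * length and offset is checked against the limits in @wowlan before it
 * is copied.  Mask and pattern of one entry share a single allocation
 * (mask first, pattern after it).  @trig->n_patterns is set before the
 * entries are filled, so on failure the caller can free whatever was
 * allocated so far (unfilled entries are NULL).
 *
 * Returns 0, -EINVAL for a malformed or over-limit pattern, -ENOMEM, or
 * the nested-parse error.
 */
static int nl80211_parse_wowlan_patterns(const struct wiphy_wowlan_support *wowlan,
					 struct nlattr *patterns,
					 struct genl_info *info,
					 struct cfg80211_wowlan *trig)
{
	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
	struct nlattr *pat;
	int n_patterns = 0;
	int rem, i, err;

	nla_for_each_nested(pat, patterns, rem)
		n_patterns++;
	if (n_patterns > wowlan->n_patterns)
		return -EINVAL;

	trig->patterns = kcalloc(n_patterns, sizeof(trig->patterns[0]),
				 GFP_KERNEL);
	if (!trig->patterns)
		return -ENOMEM;
	trig->n_patterns = n_patterns;

	i = 0;
	nla_for_each_nested(pat, patterns, rem) {
		int pat_len, mask_len;
		u32 pkt_offset = 0;
		u8 *mask_pat;

		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
						  pat,
						  nl80211_packet_pattern_policy,
						  info->extack);
		if (err)
			return err;

		if (!pat_tb[NL80211_PKTPAT_MASK] ||
		    !pat_tb[NL80211_PKTPAT_PATTERN])
			return -EINVAL;
		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
		mask_len = DIV_ROUND_UP(pat_len, 8);
		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
			return -EINVAL;
		if (pat_len > wowlan->pattern_max_len ||
		    pat_len < wowlan->pattern_min_len)
			return -EINVAL;

		if (pat_tb[NL80211_PKTPAT_OFFSET])
			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
		/*
		 * Compare while still unsigned: once stored in the int
		 * pkt_offset field a value >= 2^31 would be negative and
		 * sail past a signed "> max" comparison.
		 */
		if (pkt_offset > wowlan->max_pkt_offset)
			return -EINVAL;
		trig->patterns[i].pkt_offset = pkt_offset;

		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
		if (!mask_pat)
			return -ENOMEM;
		trig->patterns[i].mask = mask_pat;
		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
		       mask_len);
		mask_pat += mask_len;
		trig->patterns[i].pattern = mask_pat;
		trig->patterns[i].pattern_len = pat_len;
		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
		       pat_len);
		i++;
	}

	return 0;
}

/*
 * NL80211_CMD_SET_WOWLAN handler: replace the wiphy's WoWLAN trigger set.
 *
 * Without NL80211_ATTR_WOWLAN_TRIGGERS the configuration is cleared.
 * Otherwise every requested trigger is checked against what the driver
 * advertised in wiphy->wowlan, the variable-length parts (packet
 * patterns, TCP connection, net-detect) are parsed into fresh memory, and
 * only once everything validated is the old configuration freed and
 * swapped for the new one -- a rejected request leaves the previous
 * triggers intact.  The driver's set_wakeup op is invoked only when the
 * enabled/disabled state actually changes.
 *
 * The "any" trigger cannot be combined with any of the more specific
 * ("regular") triggers.
 *
 * Returns 0, -EOPNOTSUPP when the device has no WoWLAN support, -EINVAL
 * for an unsupported or malformed trigger, -ENOMEM, or the error from
 * the TCP / net-detect parsers.
 */
static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
	struct cfg80211_wowlan new_triggers = {};
	struct cfg80211_wowlan *ntrig;
	bool prev_enabled = rdev->wiphy.wowlan_config != NULL;
	bool regular = false;
	int err, i;

	if (!wowlan)
		return -EOPNOTSUPP;

	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
		cfg80211_rdev_free_wowlan(rdev);
		rdev->wiphy.wowlan_config = NULL;
		goto set_wakeup;
	}

	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
					  nl80211_wowlan_policy, info->extack);
	if (err)
		return err;

	/* flag triggers: each must be advertised by the driver */
	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
			return -EINVAL;
		new_triggers.any = true;
	}

	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
			return -EINVAL;
		new_triggers.disconnect = true;
		regular = true;
	}

	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
			return -EINVAL;
		new_triggers.magic_pkt = true;
		regular = true;
	}

	/* this one only ever describes a capability, never a request */
	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
		return -EINVAL;

	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
			return -EINVAL;
		new_triggers.gtk_rekey_failure = true;
		regular = true;
	}

	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
			return -EINVAL;
		new_triggers.eap_identity_req = true;
		regular = true;
	}

	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
			return -EINVAL;
		new_triggers.four_way_handshake = true;
		regular = true;
	}

	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
			return -EINVAL;
		new_triggers.rfkill_release = true;
		regular = true;
	}

	/* variable-length triggers; from here on failures must clean up */
	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
		regular = true;
		err = nl80211_parse_wowlan_patterns(wowlan,
						    tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
						    info, &new_triggers);
		if (err)
			goto error;
	}

	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
		regular = true;
		err = nl80211_parse_wowlan_tcp(
			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
			&new_triggers);
		if (err)
			goto error;
	}

	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
		regular = true;
		err = nl80211_parse_wowlan_nd(
			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
			&new_triggers);
		if (err)
			goto error;
	}

	/* The 'any' trigger means the device continues operating more or less
	 * as in its normal operation mode and wakes up the host on most of the
	 * normal interrupts (like packet RX, ...)
	 * It therefore makes little sense to combine with the more constrained
	 * wakeup trigger modes.
	 */
	if (new_triggers.any && regular) {
		err = -EINVAL;
		goto error;
	}

	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
	if (!ntrig) {
		err = -ENOMEM;
		goto error;
	}
	/* everything validated: swap the old configuration for the new one */
	cfg80211_rdev_free_wowlan(rdev);
	rdev->wiphy.wowlan_config = ntrig;

 set_wakeup:
	if (rdev->ops->set_wakeup &&
	    prev_enabled != (rdev->wiphy.wowlan_config != NULL))
		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config != NULL);

	return 0;
 error:
	/* n_patterns is set before the entries are filled; unfilled = NULL */
	for (i = 0; i < new_triggers.n_patterns; i++)
		kfree(new_triggers.patterns[i].mask);
	kfree(new_triggers.patterns);
	if (new_triggers.tcp && new_triggers.tcp->sock)
		sock_release(new_triggers.tcp->sock);
	kfree(new_triggers.tcp);
	kfree(new_triggers.nd_config);
	return err;
}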
11498 #endif
11499 
/*
 * Emit the NL80211_ATTR_COALESCE_RULE list describing rdev->coalesce
 * into @msg.  Each rule becomes a nest (numbered from 1) with its delay,
 * condition and packet pattern list; each pattern in turn is a nest
 * (numbered from 1) with its bit mask, pattern bytes and packet offset.
 *
 * The caller must have checked that rdev->coalesce is set.
 *
 * Returns 0 (also when there are no rules) or -ENOBUFS when the message
 * runs out of room.
 */
static int nl80211_send_coalesce_rules(struct sk_buff *msg,
				       struct cfg80211_registered_device *rdev)
{
	const struct cfg80211_coalesce *coalesce = rdev->coalesce;
	struct nlattr *rules_nest;
	int i, j;

	if (!coalesce->n_rules)
		return 0;

	rules_nest = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
	if (!rules_nest)
		return -ENOBUFS;

	for (i = 0; i < coalesce->n_rules; i++) {
		const struct cfg80211_coalesce_rules *rule = &coalesce->rules[i];
		struct nlattr *rule_nest, *pats_nest;

		rule_nest = nla_nest_start_noflag(msg, i + 1);
		if (!rule_nest)
			return -ENOBUFS;

		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
				rule->delay) ||
		    nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
				rule->condition))
			return -ENOBUFS;

		pats_nest = nla_nest_start_noflag(msg,
						  NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
		if (!pats_nest)
			return -ENOBUFS;

		for (j = 0; j < rule->n_patterns; j++) {
			const struct cfg80211_pkt_pattern *pat =
				&rule->patterns[j];
			struct nlattr *pat_nest =
				nla_nest_start_noflag(msg, j + 1);

			if (!pat_nest)
				return -ENOBUFS;
			if (nla_put(msg, NL80211_PKTPAT_MASK,
				    DIV_ROUND_UP(pat->pattern_len, 8),
				    pat->mask) ||
			    nla_put(msg, NL80211_PKTPAT_PATTERN,
				    pat->pattern_len, pat->pattern) ||
			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
					pat->pkt_offset))
				return -ENOBUFS;
			nla_nest_end(msg, pat_nest);
		}
		nla_nest_end(msg, pats_nest);
		nla_nest_end(msg, rule_nest);
	}
	nla_nest_end(msg, rules_nest);

	return 0;
}
11555 
/*
 * NL80211_CMD_GET_COALESCE handler: report the wiphy's current packet
 * coalescing rules.  When no rules are configured (rdev->coalesce is
 * NULL) the reply carries just the header.
 *
 * Returns 0 after queuing the reply, -EOPNOTSUPP when the device does not
 * support coalescing, -ENOMEM when the reply cannot be allocated or
 * -ENOBUFS when it does not fit.
 */
static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct sk_buff *msg;
	void *hdr;

	if (!rdev->wiphy.coalesce)
		return -EOPNOTSUPP;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_GET_COALESCE);
	if (hdr) {
		/* nothing configured -> header-only reply is still a success */
		if (!rdev->coalesce ||
		    !nl80211_send_coalesce_rules(msg, rdev)) {
			genlmsg_end(msg, hdr);
			return genlmsg_reply(msg, info);
		}
	}

	nlmsg_free(msg);
	return -ENOBUFS;
}
11584 
/*
 * cfg80211_rdev_free_coalesce - drop the wiphy's coalescing configuration
 * @rdev: the registered device
 *
 * Frees every pattern (mask and pattern share one allocation, the mask
 * pointer being its start), each rule's pattern array, the rule array
 * and the container itself, then clears rdev->coalesce.  Safe to call
 * when nothing is configured.
 */
void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
{
	struct cfg80211_coalesce *coalesce = rdev->coalesce;
	int i, j;

	if (!coalesce)
		return;

	for (i = 0; i < coalesce->n_rules; i++) {
		struct cfg80211_coalesce_rules *rule = &coalesce->rules[i];

		/* mask is the head of the mask+pattern allocation */
		for (j = 0; j < rule->n_patterns; j++)
			kfree(rule->patterns[j].mask);
		kfree(rule->patterns);
	}
	kfree(coalesce->rules);
	kfree(coalesce);
	rdev->coalesce = NULL;
}
11604 
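/*
 * Parse one NL80211_ATTR_COALESCE_RULE entry into @new_rule.
 *
 * @new_rule must be zeroed by the caller.  Its delay, condition and packet
 * pattern list are filled from the nested attribute; each pattern is a
 * (mask, pattern, optional offset) triple copied into one allocation per
 * pattern (mask first, pattern after it).  @new_rule->n_patterns is set
 * before the patterns are copied so that on failure the caller can free
 * whatever was allocated (unfilled entries are NULL).
 *
 * Every count, length and offset is checked against the driver limits in
 * wiphy->coalesce before use.  The u32 values from userspace are range
 * checked while still unsigned: the rule and limit fields are plain ints
 * (as declared in cfg80211.h), so a value >= 2^31 stored first would
 * turn negative and pass a signed "> max" comparison.
 *
 * Returns 0, -EINVAL for a malformed or over-limit rule, -ENOMEM, or the
 * nested-parse error.
 */
static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
				       struct nlattr *rule,
				       struct cfg80211_coalesce_rules *new_rule)
{
	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
	u32 delay = 0, condition = 0;
	int err, i, rem, n_patterns = 0;

	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
					  rule, nl80211_coalesce_policy, NULL);
	if (err)
		return err;

	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
		delay = nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
	if (delay > coalesce->max_delay)
		return -EINVAL;
	new_rule->delay = delay;

	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
		condition = nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
	/* only the two defined conditions (MATCH / NO_MATCH) are valid */
	if (condition > NL80211_COALESCE_CONDITION_NO_MATCH)
		return -EINVAL;
	new_rule->condition = condition;

	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
		return -EINVAL;

	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
			    rem)
		n_patterns++;
	if (n_patterns > coalesce->n_patterns)
		return -EINVAL;

	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
				     GFP_KERNEL);
	if (!new_rule->patterns)
		return -ENOMEM;

	/* set before filling so the caller can free partial results */
	new_rule->n_patterns = n_patterns;
	i = 0;

	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
			    rem) {
		int pat_len, mask_len;
		u32 pkt_offset = 0;
		u8 *mask_pat;

		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
						  pat,
						  nl80211_packet_pattern_policy,
						  NULL);
		if (err)
			return err;

		if (!pat_tb[NL80211_PKTPAT_MASK] ||
		    !pat_tb[NL80211_PKTPAT_PATTERN])
			return -EINVAL;
		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
		/* one mask bit per pattern byte, rounded up to whole bytes */
		mask_len = DIV_ROUND_UP(pat_len, 8);
		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
			return -EINVAL;
		if (pat_len > coalesce->pattern_max_len ||
		    pat_len < coalesce->pattern_min_len)
			return -EINVAL;

		if (pat_tb[NL80211_PKTPAT_OFFSET])
			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
		/* unsigned compare, see the function comment */
		if (pkt_offset > coalesce->max_pkt_offset)
			return -EINVAL;
		new_rule->patterns[i].pkt_offset = pkt_offset;

		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
		if (!mask_pat)
			return -ENOMEM;

		new_rule->patterns[i].mask = mask_pat;
		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
		       mask_len);

		mask_pat += mask_len;
		new_rule->patterns[i].pattern = mask_pat;
		new_rule->patterns[i].pattern_len = pat_len;
		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
		       pat_len);
		i++;
	}

	return 0;
}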
11695 
/*
 * nl80211_set_coalesce - install (or clear) the packet-coalescing rule set
 *
 * With no NL80211_ATTR_COALESCE_RULE the current rule set is dropped and
 * the driver is told to disable coalescing.  Otherwise every nested rule
 * is parsed and range-checked by nl80211_parse_coalesce_rule() against the
 * limits in rdev->wiphy.coalesce, the driver is asked to apply the new
 * set, and only then is the old set released and the new one recorded in
 * rdev->coalesce.
 *
 * Return: 0, -EOPNOTSUPP if the driver does not support coalescing,
 * -EINVAL for more rules than advertised or any malformed rule, -ENOMEM,
 * or the driver's error.
 */
static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
	struct nlattr *rules_attr = info->attrs[NL80211_ATTR_COALESCE_RULE];
	struct cfg80211_coalesce staged = {};
	struct cfg80211_coalesce *installed;
	struct nlattr *rule_attr;
	int rem, idx, err;

	if (!coalesce || !rdev->ops->set_coalesce)
		return -EOPNOTSUPP;

	/* No rule list at all means "turn coalescing off". */
	if (!rules_attr) {
		cfg80211_rdev_free_coalesce(rdev);
		rdev_set_coalesce(rdev, NULL);
		return 0;
	}

	/* Bound the allocation by the driver-advertised rule count. */
	nla_for_each_nested(rule_attr, rules_attr, rem)
		staged.n_rules++;
	if (staged.n_rules > coalesce->n_rules)
		return -EINVAL;

	staged.rules = kcalloc(staged.n_rules, sizeof(staged.rules[0]),
			       GFP_KERNEL);
	if (!staged.rules)
		return -ENOMEM;

	idx = 0;
	nla_for_each_nested(rule_attr, rules_attr, rem) {
		err = nl80211_parse_coalesce_rule(rdev, rule_attr,
						  &staged.rules[idx++]);
		if (err)
			goto free_staged;
	}

	err = rdev_set_coalesce(rdev, &staged);
	if (err)
		goto free_staged;

	installed = kmemdup(&staged, sizeof(staged), GFP_KERNEL);
	if (!installed) {
		err = -ENOMEM;
		goto free_staged;
	}

	/* Driver accepted the new set: retire the old one, keep the new. */
	cfg80211_rdev_free_coalesce(rdev);
	rdev->coalesce = installed;
	return 0;

free_staged:
	/*
	 * Slots the parser never reached are still zero from kcalloc(), so
	 * n_patterns == 0 and patterns == NULL there; kfree(NULL) is a no-op.
	 */
	for (idx = 0; idx < staged.n_rules; idx++) {
		struct cfg80211_coalesce_rules *r = &staged.rules[idx];
		int p;

		for (p = 0; p < r->n_patterns; p++)
			kfree(r->patterns[p].mask);
		kfree(r->patterns);
	}
	kfree(staged.rules);
	return err;
}
11763 
/*
 * nl80211_set_rekey_data - hand GTK rekey material (KEK, KCK, replay
 * counter) to the driver for offloaded group-key rekeying
 *
 * All three fields are mandatory and must have exactly their fixed
 * nl80211 lengths.  The pointers passed to the driver point straight into
 * the request skb, so a driver presumably has to copy what it needs
 * during the call.  The interface must be associated (wdev->current_bss)
 * and the driver must implement set_rekey_data.
 *
 * Return: 0, -EINVAL (missing attribute), -ERANGE (wrong length),
 * -ENOTCONN, -EOPNOTSUPP, or the driver's error.
 */
static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *rekey_attr = info->attrs[NL80211_ATTR_REKEY_DATA];
	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
	struct nlattr *ctr, *kek, *kck;
	struct cfg80211_gtk_rekey_data rekey_data;
	int ret;

	if (!rekey_attr)
		return -EINVAL;

	ret = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA, rekey_attr,
					  nl80211_rekey_policy, info->extack);
	if (ret)
		return ret;

	ctr = tb[NL80211_REKEY_DATA_REPLAY_CTR];
	kek = tb[NL80211_REKEY_DATA_KEK];
	kck = tb[NL80211_REKEY_DATA_KCK];
	if (!ctr || !kek || !kck)
		return -EINVAL;

	/* Key material is fixed-size: anything shorter or longer is rejected. */
	if (nla_len(ctr) != NL80211_REPLAY_CTR_LEN ||
	    nla_len(kek) != NL80211_KEK_LEN ||
	    nla_len(kck) != NL80211_KCK_LEN)
		return -ERANGE;

	rekey_data.kek = nla_data(kek);
	rekey_data.kck = nla_data(kck);
	rekey_data.replay_ctr = nla_data(ctr);

	wdev_lock(wdev);
	if (!wdev->current_bss)
		ret = -ENOTCONN;
	else if (!rdev->ops->set_rekey_data)
		ret = -EOPNOTSUPP;
	else
		ret = rdev_set_rekey_data(rdev, dev, &rekey_data);
	wdev_unlock(wdev);

	return ret;
}
11812 
/*
 * nl80211_register_unexpected_frame - claim "unexpected frame"
 * notifications for an AP / P2P-GO interface
 *
 * Only one netlink port may be registered per wdev.  The first registrant
 * wins; later callers get -EBUSY until the registration is cleared (that
 * happens elsewhere, not in this function).
 *
 * Return: 0, -EINVAL for a non-AP interface type, -EBUSY if taken.
 */
static int nl80211_register_unexpected_frame(struct sk_buff *skb,
					     struct genl_info *info)
{
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_P2P_GO:
		break;
	default:
		return -EINVAL;
	}

	/* Already owned by some socket - never silently take it over. */
	if (wdev->ap_unexpected_nlportid)
		return -EBUSY;

	wdev->ap_unexpected_nlportid = info->snd_portid;
	return 0;
}
11829 
/*
 * nl80211_probe_client - ask the driver to probe an associated client and
 * return the cookie identifying the probe to userspace
 *
 * Allowed on AP and P2P-GO interfaces only.  NL80211_ATTR_MAC is the
 * station to probe (its length is presumably enforced by nl80211_policy,
 * not here).  The reply carries the driver-assigned cookie as
 * NL80211_ATTR_COOKIE.
 *
 * Return: result of genlmsg_reply(), or -EOPNOTSUPP (wrong iftype or no
 * driver support), -EINVAL (no MAC), -ENOMEM, -ENOBUFS, or the driver's
 * error.
 */
static int nl80211_probe_client(struct sk_buff *skb,
				struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	struct sk_buff *reply;
	void *hdr;
	u64 cookie;
	int ret;

	if (wdev->iftype != NL80211_IFTYPE_AP &&
	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
		return -EOPNOTSUPP;

	if (!mac_attr)
		return -EINVAL;

	if (!rdev->ops->probe_client)
		return -EOPNOTSUPP;

	reply = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!reply)
		return -ENOMEM;

	hdr = nl80211hdr_put(reply, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_PROBE_CLIENT);
	if (!hdr) {
		ret = -ENOBUFS;
		goto out_free;
	}

	ret = rdev_probe_client(rdev, dev, nla_data(mac_attr), &cookie);
	if (ret)
		goto out_free;

	/* Only the cookie goes back; the probe result arrives as an event. */
	ret = -ENOBUFS;
	if (nla_put_u64_64bit(reply, NL80211_ATTR_COOKIE, cookie,
			      NL80211_ATTR_PAD))
		goto out_free;

	genlmsg_end(reply, hdr);
	return genlmsg_reply(reply, info);

out_free:
	nlmsg_free(reply);
	return ret;
}
11883 
/*
 * nl80211_register_beacons - subscribe this netlink port to beacon
 * reports from the device
 *
 * Only devices flagged WIPHY_FLAG_REPORTS_OBSS support this.  Each port
 * may be registered once; duplicates get -EALREADY.  The registration
 * list is protected by rdev->beacon_registrations_lock (BH-safe
 * spinlock), so the new entry is allocated with GFP_KERNEL before the
 * lock is taken.
 *
 * Return: 0, -EOPNOTSUPP, -ENOMEM or -EALREADY.
 */
static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct cfg80211_beacon_registration *entry, *fresh;
	bool already = false;

	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
		return -EOPNOTSUPP;

	/* Allocate outside the spinlock: GFP_KERNEL may sleep. */
	fresh = kzalloc(sizeof(*fresh), GFP_KERNEL);
	if (!fresh)
		return -ENOMEM;
	fresh->nlportid = info->snd_portid;

	spin_lock_bh(&rdev->beacon_registrations_lock);
	list_for_each_entry(entry, &rdev->beacon_registrations, list) {
		if (entry->nlportid == fresh->nlportid) {
			already = true;
			break;
		}
	}
	if (!already)
		list_add(&fresh->list, &rdev->beacon_registrations);
	spin_unlock_bh(&rdev->beacon_registrations_lock);

	if (already) {
		kfree(fresh);
		return -EALREADY;
	}

	return 0;
}
11917 
/*
 * nl80211_start_p2p_device - bring up a P2P_DEVICE wdev
 *
 * Starting an already-running device is a successful no-op.  RF-kill
 * blocks the start with -ERFKILL.  On success the wdev is marked running
 * and rdev->opencount is bumped.
 *
 * Return: 0, -EOPNOTSUPP (no driver op or wrong iftype), -ERFKILL, or
 * the driver's error.
 */
static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	int ret;

	if (!rdev->ops->start_p2p_device ||
	    wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
		return -EOPNOTSUPP;

	/* Idempotent: nothing to do if it is already up. */
	if (wdev_running(wdev))
		return 0;

	if (rfkill_blocked(rdev->rfkill))
		return -ERFKILL;

	ret = rdev_start_p2p_device(rdev, wdev);
	if (ret)
		return ret;

	wdev->is_running = true;
	rdev->opencount++;
	return 0;
}
11945 
/*
 * nl80211_stop_p2p_device - tear down a P2P_DEVICE wdev
 *
 * Delegates to cfg80211_stop_p2p_device(); no running check is made here.
 *
 * Return: 0, or -EOPNOTSUPP for the wrong iftype or a missing driver op.
 */
static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];

	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE ||
	    !rdev->ops->stop_p2p_device)
		return -EOPNOTSUPP;

	cfg80211_stop_p2p_device(rdev, wdev);
	return 0;
}
11961 
/*
 * nl80211_start_nan - start NAN on a NAN-type wdev
 *
 * NL80211_ATTR_NAN_MASTER_PREF is mandatory; NL80211_ATTR_BANDS is
 * optional and must be a subset of wiphy->nan_supported_bands that, if
 * non-empty, includes 2.4 GHz.  On success the wdev is marked running and
 * rdev->opencount is bumped.
 *
 * Return: 0, -EOPNOTSUPP (wrong iftype or unsupported band), -EEXIST if
 * already running, -ERFKILL, -EINVAL, or the driver's error.
 */
static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *pref_attr = info->attrs[NL80211_ATTR_NAN_MASTER_PREF];
	struct nlattr *bands_attr = info->attrs[NL80211_ATTR_BANDS];
	struct cfg80211_nan_conf conf = {};
	int ret;

	if (wdev->iftype != NL80211_IFTYPE_NAN)
		return -EOPNOTSUPP;

	/* Unlike the P2P device start, a second start is an error. */
	if (wdev_running(wdev))
		return -EEXIST;

	if (rfkill_blocked(rdev->rfkill))
		return -ERFKILL;

	if (!pref_attr)
		return -EINVAL;

	/*
	 * NOTE(review): no range check here, whereas
	 * nl80211_nan_change_config() rejects master_pref <= 1 and 255;
	 * presumably nl80211_policy bounds the attribute - confirm.
	 */
	conf.master_pref = nla_get_u8(pref_attr);

	if (bands_attr) {
		u32 bands = nla_get_u32(bands_attr);

		/* Only bands the driver advertised for NAN ... */
		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
			return -EOPNOTSUPP;

		/* ... and a non-empty set must include 2.4 GHz. */
		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
			return -EINVAL;

		conf.bands = bands;
	}

	ret = rdev_start_nan(rdev, wdev, &conf);
	if (ret)
		return ret;

	wdev->is_running = true;
	rdev->opencount++;
	return 0;
}
12005 
/*
 * nl80211_stop_nan - stop NAN on a NAN-type wdev
 *
 * Unconditionally delegates to cfg80211_stop_nan(); unlike
 * nl80211_nan_del_func() there is no running check here, so
 * cfg80211_stop_nan() presumably copes with a stopped wdev - confirm.
 *
 * Return: 0, or -EOPNOTSUPP for a non-NAN interface.
 */
static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];

	if (wdev->iftype != NL80211_IFTYPE_NAN)
		return -EOPNOTSUPP;

	cfg80211_stop_nan(rdev, wdev);
	return 0;
}
12018 
/*
 * validate_nan_filter - count the entries of a NAN match-filter list and
 * bound their combined payload
 *
 * The sum of all entry lengths must stay below U8_MAX (presumably because
 * the per-entry lengths end up in u8-sized fields downstream - see
 * handle_nan_filter()).
 *
 * Return: the number of entries (possibly 0), or -EINVAL if the total
 * payload is too large.
 */
static int validate_nan_filter(struct nlattr *filter_attr)
{
	struct nlattr *entry;
	int total = 0, count = 0, rem;

	nla_for_each_attr(entry, nla_data(filter_attr), nla_len(filter_attr),
			  rem) {
		total += nla_len(entry);
		count++;
	}

	return total >= U8_MAX ? -EINVAL : count;
}
12034 
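/*
 * handle_nan_filter - copy a NAN TX or RX match-filter list into @func
 * @attr_filter: nested attribute holding the filter entries
 * @func: function being built; receives the filter array
 * @tx: true to fill tx_filters, false for rx_filters
 *
 * Each entry is duplicated with nla_memdup() so the array outlives the
 * request skb.  A failed duplication used to leave a NULL filter pointer
 * behind with a non-zero length, which a consumer walking the array would
 * dereference; every copy is now checked and, on failure, the partially
 * built array is released before returning -ENOMEM.  Nothing in @func is
 * touched unless every entry was copied.
 *
 * Return: 0 on success, -EINVAL from validate_nan_filter() if the total
 * filter payload is too large, -ENOMEM on allocation failure.
 */
static int handle_nan_filter(struct nlattr *attr_filter,
			     struct cfg80211_nan_func *func,
			     bool tx)
{
	struct nlattr *attr;
	int n_entries, rem, i;
	struct cfg80211_nan_func_filter *filter;

	n_entries = validate_nan_filter(attr_filter);
	if (n_entries < 0)
		return n_entries;

	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));

	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
	if (!filter)
		return -ENOMEM;

	i = 0;
	nla_for_each_nested(attr, attr_filter, rem) {
		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
		if (!filter[i].filter)
			goto err_free;

		filter[i].len = nla_len(attr);
		i++;
	}

	/* Publish the array only once it is fully populated. */
	if (tx) {
		func->num_tx_filters = n_entries;
		func->tx_filters = filter;
	} else {
		func->num_rx_filters = n_entries;
		func->rx_filters = filter;
	}

	return 0;

err_free:
	/* Entries [0, i) were duplicated; entry i and later never were. */
	while (i-- > 0)
		kfree(filter[i].filter);
	kfree(filter);
	return -ENOMEM;
}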
12069 
/*
 * nl80211_nan_add_func - add a NAN discovery function (publish, subscribe
 * or follow-up) on a running NAN interface
 *
 * Parses NL80211_ATTR_NAN_FUNC into a freshly allocated cfg80211_nan_func,
 * validates the per-type mandatory attributes, the optional service
 * specific info, the SRF (either a bloom filter or an explicit MAC list,
 * never both) and the TX/RX match filters, then hands the function to the
 * driver.  The reply carries the cookie assigned here and the instance id
 * the driver filled in.
 *
 * Ownership: on every error path (err < 0 at "out") func and everything
 * hanging off it is released via cfg80211_free_nan_func().  Once
 * rdev_add_nan_func() has succeeded the function is presumably owned by
 * the driver until it is terminated - confirm against the rdev_ops
 * contract.
 *
 * Return: 0 on success (reply sent), -EOPNOTSUPP for a non-NAN interface,
 * -ENOTCONN if NAN is not started, -EINVAL for malformed/missing
 * attributes, -ENOMEM, -ENOBUFS if the reply could not be built, or the
 * driver's error.
 */
static int nl80211_nan_add_func(struct sk_buff *skb,
				struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
	struct cfg80211_nan_func *func;
	struct sk_buff *msg = NULL;
	void *hdr = NULL;
	int err = 0;

	if (wdev->iftype != NL80211_IFTYPE_NAN)
		return -EOPNOTSUPP;

	if (!wdev_running(wdev))
		return -ENOTCONN;

	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
		return -EINVAL;

	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
					  info->attrs[NL80211_ATTR_NAN_FUNC],
					  nl80211_nan_func_policy,
					  info->extack);
	if (err)
		return err;

	func = kzalloc(sizeof(*func), GFP_KERNEL);
	if (!func)
		return -ENOMEM;

	/* the cookie is how userspace refers to this function later on */
	func->cookie = cfg80211_assign_cookie(rdev);

	if (!tb[NL80211_NAN_FUNC_TYPE] ||
	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
		err = -EINVAL;
		goto out;
	}


	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);

	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
		err = -EINVAL;
		goto out;
	}

	/*
	 * copies sizeof(service_id) bytes regardless of the attribute's
	 * length; relies on nl80211_nan_func_policy guaranteeing at least
	 * that many bytes for NL80211_NAN_FUNC_SERVICE_ID (not visible here,
	 * confirm)
	 */
	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
	       sizeof(func->service_id));

	func->close_range =
		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);

	/* opaque service-specific blob; its size is bounded only by policy */
	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
		func->serv_spec_info_len =
			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
		func->serv_spec_info =
			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
				func->serv_spec_info_len,
				GFP_KERNEL);
		if (!func->serv_spec_info) {
			err = -ENOMEM;
			goto out;
		}
	}

	if (tb[NL80211_NAN_FUNC_TTL])
		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);

	/* per-type mandatory attributes and consistency rules */
	switch (func->type) {
	case NL80211_NAN_FUNC_PUBLISH:
		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
			err = -EINVAL;
			goto out;
		}

		/* NOTE(review): publish_type itself is not range-checked here */
		func->publish_type =
			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
		func->publish_bcast =
			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);

		/* broadcast is only accepted together with solicited publish */
		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
			func->publish_bcast) {
			err = -EINVAL;
			goto out;
		}
		break;
	case NL80211_NAN_FUNC_SUBSCRIBE:
		func->subscribe_active =
			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
		break;
	case NL80211_NAN_FUNC_FOLLOW_UP:
		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
			err = -EINVAL;
			goto out;
		}

		func->followup_id =
			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
		func->followup_reqid =
			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
		/* as with service_id: the policy presumably guarantees ETH_ALEN */
		memcpy(func->followup_dest.addr,
		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
		       sizeof(func->followup_dest.addr));
		/* a TTL is rejected for follow-up functions */
		if (func->ttl) {
			err = -EINVAL;
			goto out;
		}
		break;
	default:
		err = -EINVAL;
		goto out;
	}

	/* service response filter: a bloom filter XOR an explicit MAC list */
	if (tb[NL80211_NAN_FUNC_SRF]) {
		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];

		err = nla_parse_nested_deprecated(srf_tb,
						  NL80211_NAN_SRF_ATTR_MAX,
						  tb[NL80211_NAN_FUNC_SRF],
						  nl80211_nan_srf_policy,
						  info->extack);
		if (err)
			goto out;

		func->srf_include =
			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);

		if (srf_tb[NL80211_NAN_SRF_BF]) {
			/* bloom filter needs its index and excludes the MAC list */
			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
				err = -EINVAL;
				goto out;
			}

			func->srf_bf_len =
				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
			func->srf_bf =
				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
					func->srf_bf_len, GFP_KERNEL);
			if (!func->srf_bf) {
				err = -ENOMEM;
				goto out;
			}

			/* NOTE(review): srf_bf_idx is stored without a range check */
			func->srf_bf_idx =
				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
		} else {
			struct nlattr *attr, *mac_attr =
				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
			int n_entries, rem, i = 0;

			if (!mac_attr) {
				err = -EINVAL;
				goto out;
			}

			/* validates entry sizes too; an empty list is rejected */
			n_entries = validate_acl_mac_addrs(mac_attr);
			if (n_entries <= 0) {
				err = -EINVAL;
				goto out;
			}

			func->srf_num_macs = n_entries;
			func->srf_macs =
				kcalloc(n_entries, sizeof(*func->srf_macs),
					GFP_KERNEL);
			if (!func->srf_macs) {
				err = -ENOMEM;
				goto out;
			}

			nla_for_each_nested(attr, mac_attr, rem)
				memcpy(func->srf_macs[i++].addr, nla_data(attr),
				       sizeof(*func->srf_macs));
		}
	}

	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
					func, true);
		if (err)
			goto out;
	}

	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
					func, false);
		if (err)
			goto out;
	}

	/* build the reply skeleton before involving the driver */
	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg) {
		err = -ENOMEM;
		goto out;
	}

	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_ADD_NAN_FUNCTION);
	/* This can't really happen - we just allocated 4KB */
	if (WARN_ON(!hdr)) {
		err = -ENOMEM;
		goto out;
	}

	err = rdev_add_nan_func(rdev, wdev, func);
out:
	/*
	 * shared by all error paths and the success path: on err < 0 func
	 * (with any partially built SRF/filters) and the reply are released;
	 * msg may still be NULL here, which nlmsg_free() has to tolerate
	 */
	if (err < 0) {
		cfg80211_free_nan_func(func);
		nlmsg_free(msg);
		return err;
	}

	/* propagate the instance id and cookie to userspace  */
	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
			      NL80211_ATTR_PAD))
		goto nla_put_failure;

	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
	if (!func_attr)
		goto nla_put_failure;

	/* instance_id was zero from kzalloc; only the driver can have set it */
	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
		       func->instance_id))
		goto nla_put_failure;

	nla_nest_end(msg, func_attr);

	genlmsg_end(msg, hdr);
	return genlmsg_reply(msg, info);

nla_put_failure:
	/* the driver already accepted the function; only the reply is lost */
	nlmsg_free(msg);
	return -ENOBUFS;
}
12308 
/*
 * nl80211_nan_del_func - remove a NAN function identified by its cookie
 *
 * The cookie is the one returned by NL80211_CMD_ADD_NAN_FUNCTION.  The
 * request is forwarded to the driver without any result coming back, so
 * an unknown cookie is not reported to userspace from here.
 *
 * Return: 0, -EOPNOTSUPP for a non-NAN interface, -ENOTCONN if NAN is not
 * running, -EINVAL without a cookie.
 */
static int nl80211_nan_del_func(struct sk_buff *skb,
			       struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *cookie_attr = info->attrs[NL80211_ATTR_COOKIE];

	if (wdev->iftype != NL80211_IFTYPE_NAN)
		return -EOPNOTSUPP;

	if (!wdev_running(wdev))
		return -ENOTCONN;

	if (!cookie_attr)
		return -EINVAL;

	rdev_del_nan_func(rdev, wdev, nla_get_u64(cookie_attr));
	return 0;
}
12331 
/*
 * nl80211_nan_change_config - change master preference and/or bands of a
 * running NAN instance
 *
 * Both attributes are optional but at least one must be present.  The
 * master preference must lie in 2..254; bands must be a subset of
 * wiphy->nan_supported_bands and, if non-empty, include 2.4 GHz.  The
 * driver is told which fields changed via the CFG80211_NAN_CONF_CHANGED_*
 * mask.
 *
 * Return: driver result, -EOPNOTSUPP (wrong iftype or unsupported band),
 * -ENOTCONN if NAN is not running, -EINVAL for out-of-range values or an
 * empty request.
 */
static int nl80211_nan_change_config(struct sk_buff *skb,
				     struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *pref_attr = info->attrs[NL80211_ATTR_NAN_MASTER_PREF];
	struct nlattr *bands_attr = info->attrs[NL80211_ATTR_BANDS];
	struct cfg80211_nan_conf conf = {};
	u32 changed = 0;

	if (wdev->iftype != NL80211_IFTYPE_NAN)
		return -EOPNOTSUPP;

	if (!wdev_running(wdev))
		return -ENOTCONN;

	if (pref_attr) {
		u8 pref = nla_get_u8(pref_attr);

		/* 0, 1 and 255 are rejected as master preference values. */
		if (pref <= 1 || pref == 255)
			return -EINVAL;

		conf.master_pref = pref;
		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
	}

	if (bands_attr) {
		u32 bands = nla_get_u32(bands_attr);

		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
			return -EOPNOTSUPP;

		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
			return -EINVAL;

		conf.bands = bands;
		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
	}

	/* A request that changes nothing is treated as malformed. */
	if (!changed)
		return -EINVAL;

	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
}
12373 
/*
 * cfg80211_nan_match - report a NAN service match to userspace
 * @wdev: the NAN wdev the match was found on
 * @match: local/peer instance ids, peer address, type and optional info
 * @gfp: allocation flags for the event skb
 *
 * Builds an NL80211_CMD_NAN_MATCH event with the wiphy/wdev identity, the
 * function cookie, the peer MAC and a nested NL80211_ATTR_NAN_MATCH that
 * holds the local and peer function descriptions.  If the wdev is bound
 * to a netlink socket (owner_nlportid) the event is unicast to it,
 * otherwise it is multicast to the NAN group of the wiphy's netns.
 *
 * Zero instance ids or a NULL address are treated as a driver bug
 * (WARN_ON) and dropped.  Build failures silently drop the event.
 */
void cfg80211_nan_match(struct wireless_dev *wdev,
			struct cfg80211_nan_match_params *match, gfp_t gfp)
{
	struct wiphy *wiphy = wdev->wiphy;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct nlattr *match_nest, *local_nest, *peer_nest;
	struct sk_buff *msg;
	void *hdr;

	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
		return;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
	if (!hdr)
		goto drop;

	/* Identify the device: wiphy, ifindex (only with a netdev), wdev id. */
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (wdev->netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
		goto drop;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto drop;

	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
			      NL80211_ATTR_PAD))
		goto drop;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
		goto drop;

	match_nest = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
	if (!match_nest)
		goto drop;

	/* Our side: just the local instance id. */
	local_nest = nla_nest_start_noflag(msg, NL80211_NAN_MATCH_FUNC_LOCAL);
	if (!local_nest ||
	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
		goto drop;
	nla_nest_end(msg, local_nest);

	/* Peer side: type, instance id and optional service info. */
	peer_nest = nla_nest_start_noflag(msg, NL80211_NAN_MATCH_FUNC_PEER);
	if (!peer_nest ||
	    nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
		goto drop;
	if (match->info && match->info_len &&
	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
		    match->info))
		goto drop;
	nla_nest_end(msg, peer_nest);

	nla_nest_end(msg, match_nest);
	genlmsg_end(msg, hdr);

	if (wdev->owner_nlportid)
		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
				wdev->owner_nlportid);
	else
		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
					msg, 0, NL80211_MCGRP_NAN, gfp);
	return;

drop:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_nan_match);
12453 
/*
 * cfg80211_nan_func_terminated - tell userspace a NAN function ended
 * @wdev: the NAN wdev the function lived on
 * @inst_id: the function's instance id (must be non-zero)
 * @reason: why it was terminated
 * @cookie: the cookie userspace used to identify the function
 * @gfp: allocation flags for the event skb
 *
 * Emits NL80211_CMD_DEL_NAN_FUNCTION with the wiphy/wdev identity, the
 * cookie and a nested NL80211_ATTR_NAN_FUNC carrying instance id and
 * termination reason.  Delivery follows the wdev's owner: unicast to
 * owner_nlportid when set, otherwise multicast to the NAN group.
 *
 * A zero instance id is a driver bug (WARN_ON); build failures drop the
 * event silently.
 */
void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
				  u8 inst_id,
				  enum nl80211_nan_func_term_reason reason,
				  u64 cookie, gfp_t gfp)
{
	struct wiphy *wiphy = wdev->wiphy;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct nlattr *func_nest;
	struct sk_buff *msg;
	void *hdr;

	if (WARN_ON(!inst_id))
		return;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
	if (!hdr)
		goto drop;

	/* Device identity; ifindex only when the wdev has a netdev. */
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (wdev->netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
		goto drop;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD) ||
	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
			      NL80211_ATTR_PAD))
		goto drop;

	func_nest = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
	if (!func_nest ||
	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
		goto drop;
	nla_nest_end(msg, func_nest);

	genlmsg_end(msg, hdr);

	if (wdev->owner_nlportid)
		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
				wdev->owner_nlportid);
	else
		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
					msg, 0, NL80211_MCGRP_NAN, gfp);
	return;

drop:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12513 
/*
 * nl80211_get_protocol_features - report the nl80211 protocol features
 * this kernel supports
 *
 * The reply is a single NL80211_ATTR_PROTOCOL_FEATURES u32; currently
 * only NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP is advertised.
 *
 * Return: result of genlmsg_reply(), -ENOMEM if no skb could be
 * allocated, -ENOBUFS if the message could not be built.
 */
static int nl80211_get_protocol_features(struct sk_buff *skb,
					 struct genl_info *info)
{
	struct sk_buff *reply = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	void *hdr;

	if (!reply)
		return -ENOMEM;

	hdr = nl80211hdr_put(reply, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_GET_PROTOCOL_FEATURES);
	if (hdr &&
	    !nla_put_u32(reply, NL80211_ATTR_PROTOCOL_FEATURES,
			 NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP)) {
		genlmsg_end(reply, hdr);
		return genlmsg_reply(reply, info);
	}

	kfree_skb(reply);
	return -ENOBUFS;
}
12540 
/*
 * nl80211_update_ft_ies - pass updated Fast Transition IEs to the driver
 *
 * NL80211_ATTR_MDID (mobility domain) and NL80211_ATTR_IE are both
 * required.  The IE pointer handed to the driver aliases the request skb,
 * so the driver presumably copies during the call.  The IE contents are
 * not validated here.
 *
 * Return: driver result, -EOPNOTSUPP without update_ft_ies, -EINVAL if an
 * attribute is missing.
 */
static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *mdid = info->attrs[NL80211_ATTR_MDID];
	struct nlattr *ies = info->attrs[NL80211_ATTR_IE];
	struct cfg80211_update_ft_ies_params ft_params;

	if (!rdev->ops->update_ft_ies)
		return -EOPNOTSUPP;

	if (!mdid || !ies)
		return -EINVAL;

	/* memset (not "= {}") so padding is zeroed too, as before. */
	memset(&ft_params, 0, sizeof(ft_params));
	ft_params.md = nla_get_u16(mdid);
	ft_params.ie = nla_data(ies);
	ft_params.ie_len = nla_len(ies);

	return rdev_update_ft_ies(rdev, dev, &ft_params);
}
12561 
/*
 * nl80211_crit_protocol_start - begin a "critical protocol" session that
 * asks the driver to favour connectivity for a bounded time
 *
 * NL80211_ATTR_CRIT_PROT_ID is optional (defaults to UNSPEC) but must be a
 * known id; NL80211_ATTR_MAX_CRIT_PROT_DURATION is mandatory and capped at
 * NL80211_CRIT_PROTO_MAX_DURATION.  Only one session per rdev is allowed;
 * the starting socket's portid is remembered in rdev->crit_proto_nlportid.
 *
 * Return: 0, -EOPNOTSUPP without crit_proto_start, -EINVAL for a driver
 * lacking crit_proto_stop (WARN_ON), an unknown proto or a missing
 * duration, -EBUSY if a session is active, -ERANGE if the duration is too
 * long, or the driver's error.
 */
static int nl80211_crit_protocol_start(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];
	struct nlattr *proto_attr = info->attrs[NL80211_ATTR_CRIT_PROT_ID];
	struct nlattr *dur_attr =
		info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION];
	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
	u16 duration;
	int err;

	if (!rdev->ops->crit_proto_start)
		return -EOPNOTSUPP;

	/* A driver that can start but not stop is a driver bug. */
	if (WARN_ON(!rdev->ops->crit_proto_stop))
		return -EINVAL;

	/* One session at a time per device. */
	if (rdev->crit_proto_nlportid)
		return -EBUSY;

	if (proto_attr)
		proto = nla_get_u16(proto_attr);
	if (proto >= NUM_NL80211_CRIT_PROTO)
		return -EINVAL;

	/* The duration bounds how long the driver stays in this mode. */
	if (!dur_attr)
		return -EINVAL;
	duration = nla_get_u16(dur_attr);
	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
		return -ERANGE;

	err = rdev_crit_proto_start(rdev, wdev, proto, duration);
	if (!err)
		rdev->crit_proto_nlportid = info->snd_portid;

	return err;
}
12603 
/*
 * nl80211_crit_protocol_stop - end the active critical-protocol session
 *
 * Clears rdev->crit_proto_nlportid and notifies the driver if a session
 * is running; with no session this is a successful no-op.
 *
 * Return: 0, or -EOPNOTSUPP if the driver has no crit_proto_stop.
 */
static int nl80211_crit_protocol_stop(struct sk_buff *skb,
				      struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev = info->user_ptr[1];

	if (!rdev->ops->crit_proto_stop)
		return -EOPNOTSUPP;

	if (!rdev->crit_proto_nlportid)
		return 0;

	/*
	 * NOTE(review): the caller's portid is not compared with
	 * crit_proto_nlportid, so any socket permitted to send this command
	 * can end a session another socket started; presumably acceptable
	 * because the command already requires admin privileges - confirm.
	 */
	rdev->crit_proto_nlportid = 0;
	rdev_crit_proto_stop(rdev, wdev);
	return 0;
}
12619 
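/*
 * nl80211_vendor_cmd - dispatch NL80211_CMD_VENDOR to a driver handler
 *
 * Looks up the (vendor id, subcmd) pair in rdev->wiphy.vendor_commands
 * (first match wins), enforces the command's WIPHY_VENDOR_CMD_NEED_*
 * flags and calls its doit().  A wdev is optional: -EINVAL from
 * __cfg80211_wdev_from_attrs() is read as "none given", and a wdev is
 * only passed on when the command asked for one.
 *
 * Fix: the doit check used to live inside the NEED_WDEV/NEED_NETDEV
 * branch, so a command registered with only a dumpit and no NEED_* flags
 * was invoked through a NULL function pointer when sent as a doit
 * request.  The check now runs for every matched command.
 *
 * The NL80211_ATTR_VENDOR_DATA payload is passed to the driver as-is;
 * validating it is the driver's responsibility.
 *
 * Return: the handler's result, -EOPNOTSUPP (no vendor commands, no
 * match, no doit), -EINVAL (missing ids, wdev of another wiphy, wdev or
 * netdev required but absent), -ENETDOWN (NEED_RUNNING while down), or
 * the wdev lookup error.
 */
static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct wireless_dev *wdev =
		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
	const struct wiphy_vendor_command *vcmd = NULL;
	struct nlattr *vdata;
	void *data = NULL;
	int i, err, len = 0;
	u32 vid, subcmd;

	if (!rdev->wiphy.vendor_commands)
		return -EOPNOTSUPP;

	if (IS_ERR(wdev)) {
		err = PTR_ERR(wdev);
		if (err != -EINVAL)
			return err;
		wdev = NULL;
	} else if (wdev->wiphy != &rdev->wiphy) {
		return -EINVAL;
	}

	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
		return -EINVAL;

	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);

	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
		if (rdev->wiphy.vendor_commands[i].info.vendor_id == vid &&
		    rdev->wiphy.vendor_commands[i].info.subcmd == subcmd) {
			vcmd = &rdev->wiphy.vendor_commands[i];
			break;
		}
	}
	if (!vcmd)
		return -EOPNOTSUPP;

	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
		if (!wdev)
			return -EINVAL;
		if ((vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV) &&
		    !wdev->netdev)
			return -EINVAL;
		if ((vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) &&
		    !wdev_running(wdev))
			return -ENETDOWN;
	} else {
		/* The command did not ask for a wdev, so never hand it one. */
		wdev = NULL;
	}

	/* Dump-only commands have no doit; reject instead of calling NULL. */
	if (!vcmd->doit)
		return -EOPNOTSUPP;

	vdata = info->attrs[NL80211_ATTR_VENDOR_DATA];
	if (vdata) {
		data = nla_data(vdata);
		len = nla_len(vdata);
	}

	/*
	 * cur_cmd_info is visible to the handler for the duration of the
	 * call (presumably so it can build a reply to this request).
	 */
	rdev->cur_cmd_info = info;
	err = vcmd->doit(&rdev->wiphy, wdev, data, len);
	rdev->cur_cmd_info = NULL;

	return err;
}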
12689 
/*
 * nl80211_prepare_vendor_dump - resolve rdev/wdev/vendor command for a
 * vendor dumpit and cache them in cb->args across dump rounds
 * @skb: the reply skb being filled (used for sock_net())
 * @cb: netlink dump state; cb->args[0..4] belong to this code
 * @rdev: out: the device the command is for
 * @wdev: out: the wdev named in the request, or NULL
 *
 * On the first round (cb->args[0] == 0) the request is re-parsed against
 * nl80211_policy and the vendor command looked up; what later rounds need
 * is encoded in cb->args:
 *   args[0] = wiphy_idx + 1          (0 is reserved for "not parsed yet")
 *   args[1] = wdev identifier + 1, or 0 when no wdev was given
 *   args[2] = index into wiphy.vendor_commands
 *   args[3] = pointer to the NL80211_ATTR_VENDOR_DATA payload
 *   args[4] = its length
 * Later rounds only translate args[0]/args[1] back into objects.
 *
 * Locking: the "keep rtnl locked" comments imply the caller holds the
 * RTNL (taken outside this function) and keeps it on success; that is
 * what makes wiphy_idx_to_wiphy() and the wdev_list walk safe here.
 *
 * Return: 0 on success, -ENODEV if the cached wiphy is gone, -EINVAL for
 * missing vendor id/subcmd, -EOPNOTSUPP if no matching command with a
 * dumpit exists, or a parse/lookup error.
 */
static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
				       struct netlink_callback *cb,
				       struct cfg80211_registered_device **rdev,
				       struct wireless_dev **wdev)
{
	/*
	 * family-wide parse buffer, shared between dumps; everything read
	 * from it is consumed before this function returns (presumably
	 * serialised by genetlink - confirm)
	 */
	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
	u32 vid, subcmd;
	unsigned int i;
	int vcmd_idx = -1;
	int err;
	void *data = NULL;
	unsigned int data_len = 0;

	/* not the first round: rebuild rdev/wdev from the cached indices */
	if (cb->args[0]) {
		/* subtract the 1 again here */
		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
		struct wireless_dev *tmp;

		if (!wiphy)
			return -ENODEV;
		*rdev = wiphy_to_rdev(wiphy);
		*wdev = NULL;

		/* a wdev that disappeared meanwhile simply yields NULL */
		if (cb->args[1]) {
			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
				if (tmp->identifier == cb->args[1] - 1) {
					*wdev = tmp;
					break;
				}
			}
		}

		/* keep rtnl locked in successful case */
		return 0;
	}

	/* first round: parse the original request ourselves */
	err = nlmsg_parse_deprecated(cb->nlh,
				     GENL_HDRLEN + nl80211_fam.hdrsize,
				     attrbuf, nl80211_fam.maxattr,
				     nl80211_policy, NULL);
	if (err)
		return err;

	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
		return -EINVAL;

	/* the wdev is optional for dumps: any lookup error means "none" */
	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
	if (IS_ERR(*wdev))
		*wdev = NULL;

	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
	if (IS_ERR(*rdev))
		return PTR_ERR(*rdev);

	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);

	/* first matching (vendor id, subcmd) wins; it must offer a dumpit */
	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
		const struct wiphy_vendor_command *vcmd;

		vcmd = &(*rdev)->wiphy.vendor_commands[i];

		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
			continue;

		if (!vcmd->dumpit)
			return -EOPNOTSUPP;

		vcmd_idx = i;
		break;
	}

	if (vcmd_idx < 0)
		return -EOPNOTSUPP;

	/*
	 * points into the request message (cb->nlh), not into attrbuf, so
	 * it is expected to stay valid for the whole dump - confirm that
	 * netlink keeps the request skb alive until the dump is done
	 */
	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
	}

	/* 0 is the first index - add 1 to parse only once */
	cb->args[0] = (*rdev)->wiphy_idx + 1;
	/* add 1 to know if it was NULL */
	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
	cb->args[2] = vcmd_idx;
	cb->args[3] = (unsigned long)data;
	cb->args[4] = data_len;

	/* keep rtnl locked in successful case */
	return 0;
}
12782 
/*
 * Enforce the WIPHY_VENDOR_CMD_NEED_* flags of a vendor command against the
 * wdev resolved for a dump.  Returns 0 if the command may run, else -errno.
 */
static int nl80211_vendor_dump_check_wdev(const struct wiphy_vendor_command *vcmd,
					  struct wireless_dev *wdev)
{
	if (!(vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
			     WIPHY_VENDOR_CMD_NEED_NETDEV)))
		return 0;

	if (!wdev)
		return -EINVAL;

	if ((vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV) && !wdev->netdev)
		return -EINVAL;

	if ((vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) &&
	    !wdev_running(wdev))
		return -ENETDOWN;

	return 0;
}

/*
 * Emit one NL80211_CMD_VENDOR message of a dump.  Returns 1 when a message
 * was added and the loop should continue, 0 when the dump is finished (no
 * room in the skb, or the driver reported -ENOBUFS/-ENOENT; the partial
 * message is cancelled), or a negative errno from the driver.
 */
static int nl80211_vendor_dump_one(struct sk_buff *skb,
				   struct netlink_callback *cb,
				   struct cfg80211_registered_device *rdev,
				   struct wireless_dev *wdev,
				   const struct wiphy_vendor_command *vcmd,
				   void *data, int data_len)
{
	struct nlattr *vendor_data;
	void *hdr;
	int err;

	hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
			     cb->nlh->nlmsg_seq, NLM_F_MULTI,
			     NL80211_CMD_VENDOR);
	if (!hdr)
		return 0;

	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto cancel;

	if (wdev &&
	    nla_put_u64_64bit(skb, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto cancel;

	vendor_data = nla_nest_start_noflag(skb, NL80211_ATTR_VENDOR_DATA);
	if (!vendor_data)
		goto cancel;

	/* cb->args[5] is the driver's private iteration cursor */
	err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
			   (unsigned long *)&cb->args[5]);
	nla_nest_end(skb, vendor_data);

	/* out of room or end of data: drop this message and finish */
	if (err == -ENOBUFS || err == -ENOENT)
		goto cancel;

	if (err) {
		genlmsg_cancel(skb, hdr);
		return err;
	}

	genlmsg_end(skb, hdr);
	return 1;

cancel:
	genlmsg_cancel(skb, hdr);
	return 0;
}

/*
 * dumpit for NL80211_CMD_VENDOR: resolve the command via
 * nl80211_prepare_vendor_dump(), check its wdev requirements and then let
 * the driver fill messages until the skb is full or the data runs out.
 * Returns the skb length on success or a negative errno.
 */
static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
				   struct netlink_callback *cb)
{
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	const struct wiphy_vendor_command *vcmd;
	void *data;
	int data_len;
	int err;

	rtnl_lock();
	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
	if (err)
		goto out;

	/* cb->args[2..4] were filled in by nl80211_prepare_vendor_dump() */
	vcmd = &rdev->wiphy.vendor_commands[cb->args[2]];
	data = (void *)cb->args[3];
	data_len = cb->args[4];

	err = nl80211_vendor_dump_check_wdev(vcmd, wdev);
	if (err)
		goto out;

	do {
		err = nl80211_vendor_dump_one(skb, cb, rdev, wdev, vcmd,
					      data, data_len);
	} while (err > 0);

	if (err < 0)
		goto out;

	err = skb->len;
 out:
	rtnl_unlock();
	return err;
}
12867 
/**
 * __cfg80211_alloc_reply_skb - allocate a reply skb for the running command
 * @wiphy: the wiphy whose command is being processed
 * @cmd: nl80211 command to put in the message header
 * @attr: attribute the reply payload will be nested under
 * @approxlen: approximate payload size the caller intends to add
 *
 * Addresses the reply to the sender recorded in rdev->cur_cmd_info, which is
 * only set while a command's doit is running on this rdev; calling this from
 * anywhere else triggers a WARN and returns NULL.
 */
struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
					   enum nl80211_commands cmd,
					   enum nl80211_attrs attr,
					   int approxlen)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct genl_info *cur = rdev->cur_cmd_info;

	if (WARN_ON(!cur))
		return NULL;

	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
					   cur->snd_portid, cur->snd_seq,
					   cmd, attr, NULL, GFP_KERNEL);
}
12883 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
12884 
/**
 * cfg80211_vendor_cmd_reply - finish and send a vendor command reply
 * @skb: reply skb whose control block carries the rdev, the message header
 *	and the open vendor-data nest, in that order
 *
 * Closes the nest and the genetlink message and hands the skb to
 * genlmsg_reply() for the sender recorded in rdev->cur_cmd_info.  The skb
 * control block is zeroed first so the netlink core owns it from here on.
 * If no command is running (cur_cmd_info is NULL) the skb is freed and
 * -EINVAL returned; otherwise the result of genlmsg_reply() is returned.
 */
int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
{
	void **cb = (void **)skb->cb;
	struct cfg80211_registered_device *rdev = cb[0];
	void *hdr = cb[1];
	struct nlattr *data = cb[2];

	/* clear CB data for netlink core to own from now on */
	memset(skb->cb, 0, sizeof(skb->cb));

	if (WARN_ON(!rdev->cur_cmd_info)) {
		kfree_skb(skb);
		return -EINVAL;
	}

	nla_nest_end(skb, data);
	genlmsg_end(skb, hdr);

	return genlmsg_reply(skb, rdev->cur_cmd_info);
}
12903 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
12904 
/**
 * cfg80211_vendor_cmd_get_sender - netlink port ID of the running command
 * @wiphy: the wiphy whose command is being processed
 *
 * Returns the sender's portid, or 0 (with a WARN) when no command is
 * currently running on this rdev.
 */
unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct genl_info *cur = rdev->cur_cmd_info;

	if (WARN_ON(!cur))
		return 0;

	return cur->snd_portid;
}
12914 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
12915 
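/*
 * NL80211_CMD_SET_QOS_MAP handler.
 *
 * Parses the optional NL80211_ATTR_QOS_MAP blob - a list of two-byte DSCP
 * exceptions followed by IEEE80211_QOS_MAP_LEN_MIN bytes of UP ranges -
 * into a freshly allocated struct cfg80211_qos_map and hands it to the
 * driver under the wdev lock.  A missing attribute passes a NULL map.
 * Returns 0 or a negative errno; the map is freed before returning.
 */
static int nl80211_set_qos_map(struct sk_buff *skb,
			       struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *attr = info->attrs[NL80211_ATTR_QOS_MAP];
	struct cfg80211_qos_map *qos_map = NULL;
	int ret;

	if (!rdev->ops->set_qos_map)
		return -EOPNOTSUPP;

	if (attr) {
		const u8 *pos = nla_data(attr);
		int len = nla_len(attr);
		u8 num_des, des;

		/*
		 * Keep len as int (what nla_len() returns) so an oversized
		 * attribute cannot wrap to a small value before the range
		 * check below; the exception list must be an even number of
		 * bytes on top of the fixed-size UP table.
		 */
		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
		    len > IEEE80211_QOS_MAP_LEN_MAX)
			return -EINVAL;

		qos_map = kzalloc(sizeof(*qos_map), GFP_KERNEL);
		if (!qos_map)
			return -ENOMEM;

		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
		if (num_des) {
			size_t des_len = num_des *
				sizeof(struct cfg80211_dscp_exception);

			memcpy(qos_map->dscp_exception, pos, des_len);
			qos_map->num_des = num_des;

			/* user priorities are 0..7; reject anything else */
			for (des = 0; des < num_des; des++) {
				if (qos_map->dscp_exception[des].up > 7) {
					kfree(qos_map);
					return -EINVAL;
				}
			}
			pos += des_len;
		}
		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
	}

	wdev_lock(dev->ieee80211_ptr);
	ret = nl80211_key_allowed(dev->ieee80211_ptr);
	if (!ret)
		ret = rdev_set_qos_map(rdev, dev, qos_map);
	wdev_unlock(dev->ieee80211_ptr);

	kfree(qos_map);
	return ret;
}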
12966 
/*
 * NL80211_CMD_ADD_TX_TS handler: request a WMM traffic stream (TSID 0-7)
 * towards a peer on a connected station/P2P-client interface.  Returns 0
 * or a negative errno.
 */
static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr **attrs = info->attrs;
	const u8 *peer;
	u8 tsid, up;
	u16 admitted_time = 0;
	int err;

	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
		return -EOPNOTSUPP;

	if (!attrs[NL80211_ATTR_TSID] || !attrs[NL80211_ATTR_MAC] ||
	    !attrs[NL80211_ATTR_USER_PRIO])
		return -EINVAL;

	tsid = nla_get_u8(attrs[NL80211_ATTR_TSID]);
	up = nla_get_u8(attrs[NL80211_ATTR_USER_PRIO]);

	/* WMM uses TIDs 0-7 even for TSPEC */
	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
		/* TODO: handle 802.11 TSPEC/admission control
		 * need more attributes for that (e.g. BA session requirement);
		 * change the WMM admission test above to allow both then
		 */
		return -EINVAL;
	}

	peer = nla_data(attrs[NL80211_ATTR_MAC]);

	/* an explicit admitted time of zero is rejected */
	if (attrs[NL80211_ATTR_ADMITTED_TIME]) {
		admitted_time = nla_get_u16(attrs[NL80211_ATTR_ADMITTED_TIME]);
		if (!admitted_time)
			return -EINVAL;
	}

	wdev_lock(wdev);
	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
		err = -EOPNOTSUPP;
	else if (!wdev->current_bss)
		err = -ENOTCONN;
	else
		err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
	wdev_unlock(wdev);

	return err;
}
13024 
/*
 * NL80211_CMD_DEL_TX_TS handler: tear down the traffic stream identified by
 * NL80211_ATTR_TSID towards the peer in NL80211_ATTR_MAC.  Returns the
 * driver's result or -EINVAL if either attribute is missing.
 */
static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *tsid_attr = info->attrs[NL80211_ATTR_TSID];
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	int err;

	if (!tsid_attr || !mac_attr)
		return -EINVAL;

	wdev_lock(wdev);
	err = rdev_del_tx_ts(rdev, dev, nla_get_u8(tsid_attr),
			     nla_data(mac_attr));
	wdev_unlock(wdev);

	return err;
}
13046 
/*
 * NL80211_CMD_TDLS_CHANNEL_SWITCH handler: validate the requested channel
 * for a TDLS link on a station/P2P-client interface and ask the driver to
 * switch.  Returns 0 or a negative errno.
 */
static int nl80211_tdls_channel_switch(struct sk_buff *skb,
				       struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *class_attr = info->attrs[NL80211_ATTR_OPER_CLASS];
	struct cfg80211_chan_def chandef = {};
	bool is_client;
	int err;

	if (!rdev->ops->tdls_channel_switch ||
	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
		return -EOPNOTSUPP;

	is_client = wdev->iftype == NL80211_IFTYPE_STATION ||
		    wdev->iftype == NL80211_IFTYPE_P2P_CLIENT;
	if (!is_client)
		return -EOPNOTSUPP;

	if (!mac_attr || !class_attr)
		return -EINVAL;

	err = nl80211_parse_chandef(rdev, info, &chandef);
	if (err)
		return err;

	/*
	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
	 * specification is not defined for them.
	 */
	if (chandef.chan->band == NL80211_BAND_2GHZ &&
	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
	    chandef.width != NL80211_CHAN_WIDTH_20)
		return -EINVAL;

	/* we will be active on the TDLS link */
	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
					   wdev->iftype))
		return -EINVAL;

	/* don't allow switching to DFS channels */
	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
		return -EINVAL;

	wdev_lock(wdev);
	err = rdev_tdls_channel_switch(rdev, dev, nla_data(mac_attr),
				       nla_get_u8(class_attr), &chandef);
	wdev_unlock(wdev);

	return err;
}
13106 
/*
 * NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH handler: cancel channel switching
 * on the TDLS link to the peer in NL80211_ATTR_MAC.  The driver callback
 * has no return value, so this returns 0 once the request was passed on.
 */
static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
					      struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *mac_attr = info->attrs[NL80211_ATTR_MAC];
	bool supported;

	supported = rdev->ops->tdls_channel_switch &&
		    rdev->ops->tdls_cancel_channel_switch &&
		    (rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH);
	if (!supported)
		return -EOPNOTSUPP;

	if (wdev->iftype != NL80211_IFTYPE_STATION &&
	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
		return -EOPNOTSUPP;

	if (!mac_attr)
		return -EINVAL;

	wdev_lock(wdev);
	rdev_tdls_cancel_channel_switch(rdev, dev, nla_data(mac_attr));
	wdev_unlock(wdev);

	return 0;
}
13139 
/*
 * NL80211_CMD_SET_MULTICAST_TO_UNICAST handler for AP/P2P-GO interfaces.
 * The setting is a flag attribute: present enables the conversion, absent
 * disables it.  Returns the driver's result or -EOPNOTSUPP.
 */
static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
					    struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	bool enabled;

	if (!rdev->ops->set_multicast_to_unicast)
		return -EOPNOTSUPP;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_P2P_GO:
		break;
	default:
		return -EOPNOTSUPP;
	}

	enabled = nla_get_flag(
		info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED]);

	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
}
13161 
/*
 * NL80211_CMD_SET_PMK handler: hand a PMK (and optionally its PMKR0 name)
 * to the driver for the 802.1X 4-way handshake offload.  The authenticator
 * address must match the BSS the station is currently associated with and
 * the PMK must be a WLAN_PMK_LEN or WLAN_PMK_LEN_SUITE_B_192 byte key.
 * Returns 0 or a negative errno.
 */
static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *mac = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *pmk = info->attrs[NL80211_ATTR_PMK];
	struct nlattr *r0_name = info->attrs[NL80211_ATTR_PMKR0_NAME];
	struct cfg80211_pmk_conf pmk_conf = {};
	int ret = -EINVAL;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
		break;
	default:
		return -EOPNOTSUPP;
	}

	if (!wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
		return -EOPNOTSUPP;

	if (!mac || !pmk)
		return -EINVAL;

	wdev_lock(wdev);
	if (!wdev->current_bss) {
		ret = -ENOTCONN;
		goto out;
	}

	/* the PMK must belong to the AP we are associated with */
	pmk_conf.aa = nla_data(mac);
	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN))
		goto out;

	pmk_conf.pmk = nla_data(pmk);
	pmk_conf.pmk_len = nla_len(pmk);
	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
		goto out;

	if (r0_name) {
		if (nla_len(r0_name) != WLAN_PMK_NAME_LEN)
			goto out;
		pmk_conf.pmk_r0_name = nla_data(r0_name);
	}

	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
out:
	wdev_unlock(wdev);
	return ret;
}
13218 
/*
 * NL80211_CMD_DEL_PMK handler: ask the driver to forget the PMK for the
 * authenticator address in NL80211_ATTR_MAC.  Same interface-type and
 * feature gating as nl80211_set_pmk().  Returns 0 or a negative errno.
 */
static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *mac = info->attrs[NL80211_ATTR_MAC];
	int ret;

	switch (wdev->iftype) {
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
		break;
	default:
		return -EOPNOTSUPP;
	}

	if (!wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
		return -EOPNOTSUPP;

	if (!mac)
		return -EINVAL;

	wdev_lock(wdev);
	ret = rdev_del_pmk(rdev, dev, nla_data(mac));
	wdev_unlock(wdev);

	return ret;
}
13245 
/*
 * NL80211_CMD_EXTERNAL_AUTH handler: pass the result of a userspace-driven
 * authentication (status code, BSSID, optional SSID and PMKID) back to the
 * driver.  The SSID is mandatory except on AP/P2P-GO interfaces.  Returns
 * 0 or a negative errno.
 */
static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	enum nl80211_iftype iftype = dev->ieee80211_ptr->iftype;
	struct nlattr *ssid = info->attrs[NL80211_ATTR_SSID];
	struct nlattr *bssid = info->attrs[NL80211_ATTR_BSSID];
	struct nlattr *status = info->attrs[NL80211_ATTR_STATUS_CODE];
	struct nlattr *pmkid = info->attrs[NL80211_ATTR_PMKID];
	struct cfg80211_external_auth_params params = {};

	if (!rdev->ops->external_auth)
		return -EOPNOTSUPP;

	if (!ssid && iftype != NL80211_IFTYPE_AP &&
	    iftype != NL80211_IFTYPE_P2P_GO)
		return -EINVAL;

	if (!bssid || !status)
		return -EINVAL;

	if (ssid) {
		params.ssid.ssid_len = nla_len(ssid);
		/* bound the copy into the fixed-size ssid array */
		if (params.ssid.ssid_len == 0 ||
		    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
			return -EINVAL;
		memcpy(params.ssid.ssid, nla_data(ssid), params.ssid.ssid_len);
	}

	memcpy(params.bssid, nla_data(bssid), ETH_ALEN);
	params.status = nla_get_u16(status);
	if (pmkid)
		params.pmkid = nla_data(pmkid);

	return rdev_external_auth(rdev, dev, &params);
}
13288 
/*
 * NL80211_CMD_CONTROL_PORT_FRAME handler: transmit a control-port (e.g.
 * EAPOL) frame supplied by userspace.  Requires the CONTROL_PORT_OVER_NL80211
 * extended feature and a driver tx_control_port callback; client-type
 * interfaces must be associated.  Returns 0 or a negative errno.
 */
static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *frame = info->attrs[NL80211_ATTR_FRAME];
	struct nlattr *mac = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *ethertype =
		info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE];
	const u8 *buf;
	size_t len;
	u8 *dest;
	u16 proto;
	bool noencrypt;
	int err = 0;

	if (!wiphy_ext_feature_isset(&rdev->wiphy,
				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
		return -EOPNOTSUPP;

	if (!rdev->ops->tx_control_port)
		return -EOPNOTSUPP;

	if (!frame || !mac || !ethertype) {
		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
		return -EINVAL;
	}

	/* the connection state is only stable under the wdev lock */
	wdev_lock(wdev);
	switch (wdev->iftype) {
	case NL80211_IFTYPE_AP:
	case NL80211_IFTYPE_P2P_GO:
	case NL80211_IFTYPE_MESH_POINT:
		break;
	case NL80211_IFTYPE_ADHOC:
	case NL80211_IFTYPE_STATION:
	case NL80211_IFTYPE_P2P_CLIENT:
		if (!wdev->current_bss)
			err = -ENOTCONN;
		break;
	default:
		err = -EOPNOTSUPP;
		break;
	}
	wdev_unlock(wdev);

	if (err)
		return err;

	buf = nla_data(frame);
	len = nla_len(frame);
	dest = nla_data(mac);
	proto = nla_get_u16(ethertype);
	/* flag attribute: present means send the frame unencrypted */
	noencrypt =
		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);

	return rdev_tx_control_port(rdev, dev, buf, len,
				    dest, cpu_to_be16(proto), noencrypt);
}
13350 
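/*
 * NL80211_CMD_GET_FTM_RESPONDER_STATS handler: fetch the FTM responder
 * counters from the driver and reply with them nested under
 * NL80211_ATTR_FTM_RESPONDER_STATS.  Only counters whose bit is set in
 * ftm_stats.filled are reported; -ENODATA when the driver filled none.
 * Returns 0 or a negative errno.
 */
static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
					   struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_ftm_responder_stats ftm_stats = {};
	struct sk_buff *msg;
	void *hdr;
	struct nlattr *ftm_stats_attr;
	int err;

	/* only a beaconing AP interface can act as FTM responder */
	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
		return -EOPNOTSUPP;

	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
	if (err)
		return err;

	if (!ftm_stats.filled)
		return -ENODATA;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
	/* msg is ours until genlmsg_reply(): every failure path must free it */
	if (!hdr)
		goto nla_put_failure;

	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto nla_put_failure;

	ftm_stats_attr = nla_nest_start_noflag(msg,
					       NL80211_ATTR_FTM_RESPONDER_STATS);
	if (!ftm_stats_attr)
		goto nla_put_failure;

/* put ftm_stats.field as NL80211_FTM_STATS_<name> if the driver filled it */
#define SET_FTM(field, name, type)					 \
	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
			     ftm_stats.field))				 \
		goto nla_put_failure; } while (0)
#define SET_FTM_U64(field, name)					 \
	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
		goto nla_put_failure; } while (0)

	SET_FTM(success_num, SUCCESS_NUM, u32);
	SET_FTM(partial_num, PARTIAL_NUM, u32);
	SET_FTM(failed_num, FAILED_NUM, u32);
	SET_FTM(asap_num, ASAP_NUM, u32);
	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
#undef SET_FTM
#undef SET_FTM_U64

	nla_nest_end(msg, ftm_stats_attr);

	genlmsg_end(msg, hdr);
	return genlmsg_reply(msg, info);

nla_put_failure:
	nlmsg_free(msg);
	return -ENOBUFS;
}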
13421 
/*
 * NL80211_CMD_UPDATE_OWE_INFO handler: forward the OWE association status,
 * peer address and optional IEs from userspace to the driver.  Returns 0 or
 * a negative errno.
 */
static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct nlattr *status = info->attrs[NL80211_ATTR_STATUS_CODE];
	struct nlattr *mac = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *ie = info->attrs[NL80211_ATTR_IE];
	struct cfg80211_update_owe_info owe_info = {};

	if (!rdev->ops->update_owe_info)
		return -EOPNOTSUPP;

	if (!status || !mac)
		return -EINVAL;

	owe_info.status = nla_get_u16(status);
	nla_memcpy(owe_info.peer, mac, ETH_ALEN);

	if (ie) {
		owe_info.ie = nla_data(ie);
		owe_info.ie_len = nla_len(ie);
	}

	return rdev_update_owe_info(rdev, dev, &owe_info);
}
13446 
/*
 * NL80211_CMD_PROBE_MESH_LINK handler: send a userspace-supplied Ethernet
 * frame directly to a mesh peer.  The frame must carry the peer from
 * NL80211_ATTR_MAC as unicast destination and this interface as source,
 * and the peer must be a known station.  Returns 0 or a negative errno.
 */
static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
{
	struct cfg80211_registered_device *rdev = info->user_ptr[0];
	struct net_device *dev = info->user_ptr[1];
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct nlattr *mac = info->attrs[NL80211_ATTR_MAC];
	struct nlattr *frame = info->attrs[NL80211_ATTR_FRAME];
	struct station_info sinfo = {};
	const u8 *buf;
	size_t len;
	u8 *dest;
	int err;

	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
		return -EOPNOTSUPP;

	if (!mac || !frame) {
		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
		return -EINVAL;
	}

	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
		return -EOPNOTSUPP;

	dest = nla_data(mac);
	buf = nla_data(frame);
	len = nla_len(frame);

	/* need at least an Ethernet header before looking at addresses */
	if (len < sizeof(struct ethhdr))
		return -EINVAL;
	if (is_multicast_ether_addr(buf))
		return -EINVAL;
	if (!ether_addr_equal(buf, dest))
		return -EINVAL;
	if (!ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
		return -EINVAL;

	/* the peer has to exist as a station on this interface */
	err = rdev_get_station(rdev, dev, dest, &sinfo);
	if (err)
		return err;

	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
}
13487 
/*
 * Per-op internal_flags, consumed by nl80211_pre_doit()/nl80211_post_doit():
 * they tell the pre-handler what to resolve into info->user_ptr[] and which
 * lock to take before the .doit runs.
 */
/* user_ptr[0] = rdev looked up from the wiphy attributes */
#define NL80211_FLAG_NEED_WIPHY		0x01
/* user_ptr[1] = netdev (required), user_ptr[0] = its rdev */
#define NL80211_FLAG_NEED_NETDEV	0x02
/* hold the RTNL from pre_doit until post_doit */
#define NL80211_FLAG_NEED_RTNL		0x04
/* fail with -ENETDOWN unless wdev_running() */
#define NL80211_FLAG_CHECK_NETDEV_UP	0x08
#define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
					 NL80211_FLAG_CHECK_NETDEV_UP)
/* user_ptr[1] = wdev (a netdev is optional), user_ptr[0] = its rdev */
#define NL80211_FLAG_NEED_WDEV		0x10
/* If a netdev is associated, it must be UP, P2P must be started */
#define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
					 NL80211_FLAG_CHECK_NETDEV_UP)
/* zero the request payload in post_doit, for commands carrying key material */
#define NL80211_FLAG_CLEAR_SKB		0x20
13499 
/*
 * genetlink pre_doit hook: according to ops->internal_flags, take the RTNL
 * and resolve the rdev / netdev / wdev the command operates on into
 * info->user_ptr[0] and info->user_ptr[1].  A reference is held on the
 * netdev (dropped again in nl80211_post_doit()).  On any failure the RTNL
 * is released again before the negative errno is returned.
 */
static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
			    struct genl_info *info)
{
	unsigned int flags = ops->internal_flags;
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct net_device *dev;
	int err;

	if (flags & NL80211_FLAG_NEED_RTNL)
		rtnl_lock();

	if (flags & NL80211_FLAG_NEED_WIPHY) {
		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
		if (IS_ERR(rdev)) {
			err = PTR_ERR(rdev);
			goto out_unlock;
		}
		info->user_ptr[0] = rdev;
	} else if (flags & (NL80211_FLAG_NEED_NETDEV |
			    NL80211_FLAG_NEED_WDEV)) {
		ASSERT_RTNL();

		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
						  info->attrs);
		if (IS_ERR(wdev)) {
			err = PTR_ERR(wdev);
			goto out_unlock;
		}

		dev = wdev->netdev;
		rdev = wiphy_to_rdev(wdev->wiphy);

		if (flags & NL80211_FLAG_NEED_NETDEV) {
			/* a wdev without netdev is not enough for this op */
			if (!dev) {
				err = -EINVAL;
				goto out_unlock;
			}
			info->user_ptr[1] = dev;
		} else {
			info->user_ptr[1] = wdev;
		}

		if ((flags & NL80211_FLAG_CHECK_NETDEV_UP) &&
		    !wdev_running(wdev)) {
			err = -ENETDOWN;
			goto out_unlock;
		}

		if (dev)
			dev_hold(dev);

		info->user_ptr[0] = rdev;
	}

	/* success: the RTNL, if taken, stays held for the .doit */
	return 0;

out_unlock:
	if (flags & NL80211_FLAG_NEED_RTNL)
		rtnl_unlock();
	return err;
}
13561 
/*
 * genetlink post_doit hook: undo what nl80211_pre_doit() set up - drop the
 * netdev reference, release the RTNL - and, for ops flagged with
 * NL80211_FLAG_CLEAR_SKB, wipe the request payload so key material does
 * not linger in the freed skb.
 */
static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
			      struct genl_info *info)
{
	unsigned int flags = ops->internal_flags;
	struct net_device *dev = NULL;

	/* user_ptr[1] is either the wdev or the netdev, depending on the op */
	if (info->user_ptr[1]) {
		if (flags & NL80211_FLAG_NEED_WDEV) {
			struct wireless_dev *wdev = info->user_ptr[1];

			dev = wdev->netdev;
		} else {
			dev = info->user_ptr[1];
		}
	}

	if (dev)
		dev_put(dev);

	if (flags & NL80211_FLAG_NEED_RTNL)
		rtnl_unlock();

	/* If needed, clear the netlink message payload from the SKB
	 * as it might contain key data that shouldn't stick around on
	 * the heap after the SKB is freed. The netlink message header
	 * is still needed for further processing, so leave it intact.
	 */
	if (flags & NL80211_FLAG_CLEAR_SKB) {
		struct nlmsghdr *nlh = nlmsg_hdr(skb);

		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
	}
}
13590 
13591 static const struct genl_ops nl80211_ops[] = {
13592 	{
13593 		.cmd = NL80211_CMD_GET_WIPHY,
13594 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13595 		.doit = nl80211_get_wiphy,
13596 		.dumpit = nl80211_dump_wiphy,
13597 		.done = nl80211_dump_wiphy_done,
13598 		/* can be retrieved by unprivileged users */
13599 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13600 				  NL80211_FLAG_NEED_RTNL,
13601 	},
13602 	{
13603 		.cmd = NL80211_CMD_SET_WIPHY,
13604 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13605 		.doit = nl80211_set_wiphy,
13606 		.flags = GENL_UNS_ADMIN_PERM,
13607 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13608 	},
13609 	{
13610 		.cmd = NL80211_CMD_GET_INTERFACE,
13611 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13612 		.doit = nl80211_get_interface,
13613 		.dumpit = nl80211_dump_interface,
13614 		/* can be retrieved by unprivileged users */
13615 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13616 				  NL80211_FLAG_NEED_RTNL,
13617 	},
13618 	{
13619 		.cmd = NL80211_CMD_SET_INTERFACE,
13620 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13621 		.doit = nl80211_set_interface,
13622 		.flags = GENL_UNS_ADMIN_PERM,
13623 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13624 				  NL80211_FLAG_NEED_RTNL,
13625 	},
13626 	{
13627 		.cmd = NL80211_CMD_NEW_INTERFACE,
13628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13629 		.doit = nl80211_new_interface,
13630 		.flags = GENL_UNS_ADMIN_PERM,
13631 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13632 				  NL80211_FLAG_NEED_RTNL,
13633 	},
13634 	{
13635 		.cmd = NL80211_CMD_DEL_INTERFACE,
13636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13637 		.doit = nl80211_del_interface,
13638 		.flags = GENL_UNS_ADMIN_PERM,
13639 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13640 				  NL80211_FLAG_NEED_RTNL,
13641 	},
13642 	{
13643 		.cmd = NL80211_CMD_GET_KEY,
13644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13645 		.doit = nl80211_get_key,
13646 		.flags = GENL_UNS_ADMIN_PERM,
13647 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13648 				  NL80211_FLAG_NEED_RTNL,
13649 	},
13650 	{
13651 		.cmd = NL80211_CMD_SET_KEY,
13652 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13653 		.doit = nl80211_set_key,
13654 		.flags = GENL_UNS_ADMIN_PERM,
13655 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13656 				  NL80211_FLAG_NEED_RTNL |
13657 				  NL80211_FLAG_CLEAR_SKB,
13658 	},
13659 	{
13660 		.cmd = NL80211_CMD_NEW_KEY,
13661 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13662 		.doit = nl80211_new_key,
13663 		.flags = GENL_UNS_ADMIN_PERM,
13664 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13665 				  NL80211_FLAG_NEED_RTNL |
13666 				  NL80211_FLAG_CLEAR_SKB,
13667 	},
13668 	{
13669 		.cmd = NL80211_CMD_DEL_KEY,
13670 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13671 		.doit = nl80211_del_key,
13672 		.flags = GENL_UNS_ADMIN_PERM,
13673 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13674 				  NL80211_FLAG_NEED_RTNL,
13675 	},
13676 	{
13677 		.cmd = NL80211_CMD_SET_BEACON,
13678 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13679 		.flags = GENL_UNS_ADMIN_PERM,
13680 		.doit = nl80211_set_beacon,
13681 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13682 				  NL80211_FLAG_NEED_RTNL,
13683 	},
13684 	{
13685 		.cmd = NL80211_CMD_START_AP,
13686 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13687 		.flags = GENL_UNS_ADMIN_PERM,
13688 		.doit = nl80211_start_ap,
13689 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13690 				  NL80211_FLAG_NEED_RTNL,
13691 	},
13692 	{
13693 		.cmd = NL80211_CMD_STOP_AP,
13694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13695 		.flags = GENL_UNS_ADMIN_PERM,
13696 		.doit = nl80211_stop_ap,
13697 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13698 				  NL80211_FLAG_NEED_RTNL,
13699 	},
13700 	{
13701 		.cmd = NL80211_CMD_GET_STATION,
13702 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13703 		.doit = nl80211_get_station,
13704 		.dumpit = nl80211_dump_station,
13705 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13706 				  NL80211_FLAG_NEED_RTNL,
13707 	},
13708 	{
13709 		.cmd = NL80211_CMD_SET_STATION,
13710 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13711 		.doit = nl80211_set_station,
13712 		.flags = GENL_UNS_ADMIN_PERM,
13713 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13714 				  NL80211_FLAG_NEED_RTNL,
13715 	},
13716 	{
13717 		.cmd = NL80211_CMD_NEW_STATION,
13718 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13719 		.doit = nl80211_new_station,
13720 		.flags = GENL_UNS_ADMIN_PERM,
13721 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13722 				  NL80211_FLAG_NEED_RTNL,
13723 	},
13724 	{
13725 		.cmd = NL80211_CMD_DEL_STATION,
13726 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13727 		.doit = nl80211_del_station,
13728 		.flags = GENL_UNS_ADMIN_PERM,
13729 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13730 				  NL80211_FLAG_NEED_RTNL,
13731 	},
13732 	{
13733 		.cmd = NL80211_CMD_GET_MPATH,
13734 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13735 		.doit = nl80211_get_mpath,
13736 		.dumpit = nl80211_dump_mpath,
13737 		.flags = GENL_UNS_ADMIN_PERM,
13738 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13739 				  NL80211_FLAG_NEED_RTNL,
13740 	},
13741 	{
13742 		.cmd = NL80211_CMD_GET_MPP,
13743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13744 		.doit = nl80211_get_mpp,
13745 		.dumpit = nl80211_dump_mpp,
13746 		.flags = GENL_UNS_ADMIN_PERM,
13747 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13748 				  NL80211_FLAG_NEED_RTNL,
13749 	},
13750 	{
13751 		.cmd = NL80211_CMD_SET_MPATH,
13752 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13753 		.doit = nl80211_set_mpath,
13754 		.flags = GENL_UNS_ADMIN_PERM,
13755 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13756 				  NL80211_FLAG_NEED_RTNL,
13757 	},
13758 	{
13759 		.cmd = NL80211_CMD_NEW_MPATH,
13760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13761 		.doit = nl80211_new_mpath,
13762 		.flags = GENL_UNS_ADMIN_PERM,
13763 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13764 				  NL80211_FLAG_NEED_RTNL,
13765 	},
13766 	{
13767 		.cmd = NL80211_CMD_DEL_MPATH,
13768 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13769 		.doit = nl80211_del_mpath,
13770 		.flags = GENL_UNS_ADMIN_PERM,
13771 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13772 				  NL80211_FLAG_NEED_RTNL,
13773 	},
13774 	{
13775 		.cmd = NL80211_CMD_SET_BSS,
13776 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13777 		.doit = nl80211_set_bss,
13778 		.flags = GENL_UNS_ADMIN_PERM,
13779 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13780 				  NL80211_FLAG_NEED_RTNL,
13781 	},
13782 	{
13783 		.cmd = NL80211_CMD_GET_REG,
13784 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13785 		.doit = nl80211_get_reg_do,
13786 		.dumpit = nl80211_get_reg_dump,
13787 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13788 		/* can be retrieved by unprivileged users */
13789 	},
13790 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
13791 	{
13792 		.cmd = NL80211_CMD_SET_REG,
13793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13794 		.doit = nl80211_set_reg,
13795 		.flags = GENL_ADMIN_PERM,
13796 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13797 	},
13798 #endif
13799 	{
13800 		.cmd = NL80211_CMD_REQ_SET_REG,
13801 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13802 		.doit = nl80211_req_set_reg,
13803 		.flags = GENL_ADMIN_PERM,
13804 	},
13805 	{
13806 		.cmd = NL80211_CMD_RELOAD_REGDB,
13807 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13808 		.doit = nl80211_reload_regdb,
13809 		.flags = GENL_ADMIN_PERM,
13810 	},
13811 	{
13812 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
13813 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13814 		.doit = nl80211_get_mesh_config,
13815 		/* can be retrieved by unprivileged users */
13816 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13817 				  NL80211_FLAG_NEED_RTNL,
13818 	},
13819 	{
13820 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
13821 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13822 		.doit = nl80211_update_mesh_config,
13823 		.flags = GENL_UNS_ADMIN_PERM,
13824 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13825 				  NL80211_FLAG_NEED_RTNL,
13826 	},
13827 	{
13828 		.cmd = NL80211_CMD_TRIGGER_SCAN,
13829 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13830 		.doit = nl80211_trigger_scan,
13831 		.flags = GENL_UNS_ADMIN_PERM,
13832 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13833 				  NL80211_FLAG_NEED_RTNL,
13834 	},
13835 	{
13836 		.cmd = NL80211_CMD_ABORT_SCAN,
13837 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13838 		.doit = nl80211_abort_scan,
13839 		.flags = GENL_UNS_ADMIN_PERM,
13840 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13841 				  NL80211_FLAG_NEED_RTNL,
13842 	},
13843 	{
13844 		.cmd = NL80211_CMD_GET_SCAN,
13845 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13846 		.dumpit = nl80211_dump_scan,
13847 	},
13848 	{
13849 		.cmd = NL80211_CMD_START_SCHED_SCAN,
13850 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13851 		.doit = nl80211_start_sched_scan,
13852 		.flags = GENL_UNS_ADMIN_PERM,
13853 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13854 				  NL80211_FLAG_NEED_RTNL,
13855 	},
13856 	{
13857 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
13858 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13859 		.doit = nl80211_stop_sched_scan,
13860 		.flags = GENL_UNS_ADMIN_PERM,
13861 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13862 				  NL80211_FLAG_NEED_RTNL,
13863 	},
13864 	{
13865 		.cmd = NL80211_CMD_AUTHENTICATE,
13866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13867 		.doit = nl80211_authenticate,
13868 		.flags = GENL_UNS_ADMIN_PERM,
13869 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13870 				  NL80211_FLAG_NEED_RTNL |
13871 				  NL80211_FLAG_CLEAR_SKB,
13872 	},
13873 	{
13874 		.cmd = NL80211_CMD_ASSOCIATE,
13875 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13876 		.doit = nl80211_associate,
13877 		.flags = GENL_UNS_ADMIN_PERM,
13878 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13879 				  NL80211_FLAG_NEED_RTNL |
13880 				  NL80211_FLAG_CLEAR_SKB,
13881 	},
13882 	{
13883 		.cmd = NL80211_CMD_DEAUTHENTICATE,
13884 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13885 		.doit = nl80211_deauthenticate,
13886 		.flags = GENL_UNS_ADMIN_PERM,
13887 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13888 				  NL80211_FLAG_NEED_RTNL,
13889 	},
13890 	{
13891 		.cmd = NL80211_CMD_DISASSOCIATE,
13892 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13893 		.doit = nl80211_disassociate,
13894 		.flags = GENL_UNS_ADMIN_PERM,
13895 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13896 				  NL80211_FLAG_NEED_RTNL,
13897 	},
13898 	{
13899 		.cmd = NL80211_CMD_JOIN_IBSS,
13900 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13901 		.doit = nl80211_join_ibss,
13902 		.flags = GENL_UNS_ADMIN_PERM,
13903 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13904 				  NL80211_FLAG_NEED_RTNL,
13905 	},
13906 	{
13907 		.cmd = NL80211_CMD_LEAVE_IBSS,
13908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13909 		.doit = nl80211_leave_ibss,
13910 		.flags = GENL_UNS_ADMIN_PERM,
13911 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13912 				  NL80211_FLAG_NEED_RTNL,
13913 	},
13914 #ifdef CONFIG_NL80211_TESTMODE
13915 	{
13916 		.cmd = NL80211_CMD_TESTMODE,
13917 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13918 		.doit = nl80211_testmode_do,
13919 		.dumpit = nl80211_testmode_dump,
13920 		.flags = GENL_UNS_ADMIN_PERM,
13921 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13922 				  NL80211_FLAG_NEED_RTNL,
13923 	},
13924 #endif
13925 	{
13926 		.cmd = NL80211_CMD_CONNECT,
13927 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13928 		.doit = nl80211_connect,
13929 		.flags = GENL_UNS_ADMIN_PERM,
13930 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13931 				  NL80211_FLAG_NEED_RTNL |
13932 				  NL80211_FLAG_CLEAR_SKB,
13933 	},
13934 	{
13935 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
13936 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13937 		.doit = nl80211_update_connect_params,
13938 		.flags = GENL_ADMIN_PERM,
13939 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13940 				  NL80211_FLAG_NEED_RTNL |
13941 				  NL80211_FLAG_CLEAR_SKB,
13942 	},
13943 	{
13944 		.cmd = NL80211_CMD_DISCONNECT,
13945 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13946 		.doit = nl80211_disconnect,
13947 		.flags = GENL_UNS_ADMIN_PERM,
13948 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13949 				  NL80211_FLAG_NEED_RTNL,
13950 	},
13951 	{
13952 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
13953 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13954 		.doit = nl80211_wiphy_netns,
13955 		.flags = GENL_UNS_ADMIN_PERM,
13956 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13957 				  NL80211_FLAG_NEED_RTNL,
13958 	},
13959 	{
13960 		.cmd = NL80211_CMD_GET_SURVEY,
13961 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13962 		.dumpit = nl80211_dump_survey,
13963 	},
13964 	{
13965 		.cmd = NL80211_CMD_SET_PMKSA,
13966 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13967 		.doit = nl80211_setdel_pmksa,
13968 		.flags = GENL_UNS_ADMIN_PERM,
13969 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13970 				  NL80211_FLAG_NEED_RTNL |
13971 				  NL80211_FLAG_CLEAR_SKB,
13972 	},
13973 	{
13974 		.cmd = NL80211_CMD_DEL_PMKSA,
13975 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13976 		.doit = nl80211_setdel_pmksa,
13977 		.flags = GENL_UNS_ADMIN_PERM,
13978 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13979 				  NL80211_FLAG_NEED_RTNL,
13980 	},
13981 	{
13982 		.cmd = NL80211_CMD_FLUSH_PMKSA,
13983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13984 		.doit = nl80211_flush_pmksa,
13985 		.flags = GENL_UNS_ADMIN_PERM,
13986 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13987 				  NL80211_FLAG_NEED_RTNL,
13988 	},
13989 	{
13990 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
13991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
13992 		.doit = nl80211_remain_on_channel,
13993 		.flags = GENL_UNS_ADMIN_PERM,
13994 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13995 				  NL80211_FLAG_NEED_RTNL,
13996 	},
13997 	{
13998 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
13999 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14000 		.doit = nl80211_cancel_remain_on_channel,
14001 		.flags = GENL_UNS_ADMIN_PERM,
14002 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14003 				  NL80211_FLAG_NEED_RTNL,
14004 	},
14005 	{
14006 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14008 		.doit = nl80211_set_tx_bitrate_mask,
14009 		.flags = GENL_UNS_ADMIN_PERM,
14010 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14011 				  NL80211_FLAG_NEED_RTNL,
14012 	},
14013 	{
14014 		.cmd = NL80211_CMD_REGISTER_FRAME,
14015 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14016 		.doit = nl80211_register_mgmt,
14017 		.flags = GENL_UNS_ADMIN_PERM,
14018 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14019 				  NL80211_FLAG_NEED_RTNL,
14020 	},
14021 	{
14022 		.cmd = NL80211_CMD_FRAME,
14023 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14024 		.doit = nl80211_tx_mgmt,
14025 		.flags = GENL_UNS_ADMIN_PERM,
14026 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14027 				  NL80211_FLAG_NEED_RTNL,
14028 	},
14029 	{
14030 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14031 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14032 		.doit = nl80211_tx_mgmt_cancel_wait,
14033 		.flags = GENL_UNS_ADMIN_PERM,
14034 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14035 				  NL80211_FLAG_NEED_RTNL,
14036 	},
14037 	{
14038 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14040 		.doit = nl80211_set_power_save,
14041 		.flags = GENL_UNS_ADMIN_PERM,
14042 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14043 				  NL80211_FLAG_NEED_RTNL,
14044 	},
14045 	{
14046 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14048 		.doit = nl80211_get_power_save,
14049 		/* can be retrieved by unprivileged users */
14050 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14051 				  NL80211_FLAG_NEED_RTNL,
14052 	},
14053 	{
14054 		.cmd = NL80211_CMD_SET_CQM,
14055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14056 		.doit = nl80211_set_cqm,
14057 		.flags = GENL_UNS_ADMIN_PERM,
14058 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14059 				  NL80211_FLAG_NEED_RTNL,
14060 	},
14061 	{
14062 		.cmd = NL80211_CMD_SET_CHANNEL,
14063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14064 		.doit = nl80211_set_channel,
14065 		.flags = GENL_UNS_ADMIN_PERM,
14066 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14067 				  NL80211_FLAG_NEED_RTNL,
14068 	},
14069 	{
14070 		.cmd = NL80211_CMD_SET_WDS_PEER,
14071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14072 		.doit = nl80211_set_wds_peer,
14073 		.flags = GENL_UNS_ADMIN_PERM,
14074 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14075 				  NL80211_FLAG_NEED_RTNL,
14076 	},
14077 	{
14078 		.cmd = NL80211_CMD_JOIN_MESH,
14079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14080 		.doit = nl80211_join_mesh,
14081 		.flags = GENL_UNS_ADMIN_PERM,
14082 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14083 				  NL80211_FLAG_NEED_RTNL,
14084 	},
14085 	{
14086 		.cmd = NL80211_CMD_LEAVE_MESH,
14087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14088 		.doit = nl80211_leave_mesh,
14089 		.flags = GENL_UNS_ADMIN_PERM,
14090 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14091 				  NL80211_FLAG_NEED_RTNL,
14092 	},
14093 	{
14094 		.cmd = NL80211_CMD_JOIN_OCB,
14095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14096 		.doit = nl80211_join_ocb,
14097 		.flags = GENL_UNS_ADMIN_PERM,
14098 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14099 				  NL80211_FLAG_NEED_RTNL,
14100 	},
14101 	{
14102 		.cmd = NL80211_CMD_LEAVE_OCB,
14103 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14104 		.doit = nl80211_leave_ocb,
14105 		.flags = GENL_UNS_ADMIN_PERM,
14106 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14107 				  NL80211_FLAG_NEED_RTNL,
14108 	},
14109 #ifdef CONFIG_PM
14110 	{
14111 		.cmd = NL80211_CMD_GET_WOWLAN,
14112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14113 		.doit = nl80211_get_wowlan,
14114 		/* can be retrieved by unprivileged users */
14115 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14116 				  NL80211_FLAG_NEED_RTNL,
14117 	},
14118 	{
14119 		.cmd = NL80211_CMD_SET_WOWLAN,
14120 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14121 		.doit = nl80211_set_wowlan,
14122 		.flags = GENL_UNS_ADMIN_PERM,
14123 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14124 				  NL80211_FLAG_NEED_RTNL,
14125 	},
14126 #endif
14127 	{
14128 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
14129 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14130 		.doit = nl80211_set_rekey_data,
14131 		.flags = GENL_UNS_ADMIN_PERM,
14132 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14133 				  NL80211_FLAG_NEED_RTNL |
14134 				  NL80211_FLAG_CLEAR_SKB,
14135 	},
14136 	{
14137 		.cmd = NL80211_CMD_TDLS_MGMT,
14138 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14139 		.doit = nl80211_tdls_mgmt,
14140 		.flags = GENL_UNS_ADMIN_PERM,
14141 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14142 				  NL80211_FLAG_NEED_RTNL,
14143 	},
14144 	{
14145 		.cmd = NL80211_CMD_TDLS_OPER,
14146 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14147 		.doit = nl80211_tdls_oper,
14148 		.flags = GENL_UNS_ADMIN_PERM,
14149 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14150 				  NL80211_FLAG_NEED_RTNL,
14151 	},
14152 	{
14153 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
14154 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14155 		.doit = nl80211_register_unexpected_frame,
14156 		.flags = GENL_UNS_ADMIN_PERM,
14157 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14158 				  NL80211_FLAG_NEED_RTNL,
14159 	},
14160 	{
14161 		.cmd = NL80211_CMD_PROBE_CLIENT,
14162 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14163 		.doit = nl80211_probe_client,
14164 		.flags = GENL_UNS_ADMIN_PERM,
14165 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14166 				  NL80211_FLAG_NEED_RTNL,
14167 	},
14168 	{
14169 		.cmd = NL80211_CMD_REGISTER_BEACONS,
14170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14171 		.doit = nl80211_register_beacons,
14172 		.flags = GENL_UNS_ADMIN_PERM,
14173 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14174 				  NL80211_FLAG_NEED_RTNL,
14175 	},
14176 	{
14177 		.cmd = NL80211_CMD_SET_NOACK_MAP,
14178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14179 		.doit = nl80211_set_noack_map,
14180 		.flags = GENL_UNS_ADMIN_PERM,
14181 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14182 				  NL80211_FLAG_NEED_RTNL,
14183 	},
14184 	{
14185 		.cmd = NL80211_CMD_START_P2P_DEVICE,
14186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14187 		.doit = nl80211_start_p2p_device,
14188 		.flags = GENL_UNS_ADMIN_PERM,
14189 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14190 				  NL80211_FLAG_NEED_RTNL,
14191 	},
14192 	{
14193 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
14194 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14195 		.doit = nl80211_stop_p2p_device,
14196 		.flags = GENL_UNS_ADMIN_PERM,
14197 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14198 				  NL80211_FLAG_NEED_RTNL,
14199 	},
14200 	{
14201 		.cmd = NL80211_CMD_START_NAN,
14202 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14203 		.doit = nl80211_start_nan,
14204 		.flags = GENL_ADMIN_PERM,
14205 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14206 				  NL80211_FLAG_NEED_RTNL,
14207 	},
14208 	{
14209 		.cmd = NL80211_CMD_STOP_NAN,
14210 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14211 		.doit = nl80211_stop_nan,
14212 		.flags = GENL_ADMIN_PERM,
14213 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14214 				  NL80211_FLAG_NEED_RTNL,
14215 	},
14216 	{
14217 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
14218 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14219 		.doit = nl80211_nan_add_func,
14220 		.flags = GENL_ADMIN_PERM,
14221 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14222 				  NL80211_FLAG_NEED_RTNL,
14223 	},
14224 	{
14225 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
14226 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14227 		.doit = nl80211_nan_del_func,
14228 		.flags = GENL_ADMIN_PERM,
14229 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14230 				  NL80211_FLAG_NEED_RTNL,
14231 	},
14232 	{
14233 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
14234 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14235 		.doit = nl80211_nan_change_config,
14236 		.flags = GENL_ADMIN_PERM,
14237 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14238 				  NL80211_FLAG_NEED_RTNL,
14239 	},
14240 	{
14241 		.cmd = NL80211_CMD_SET_MCAST_RATE,
14242 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14243 		.doit = nl80211_set_mcast_rate,
14244 		.flags = GENL_UNS_ADMIN_PERM,
14245 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14246 				  NL80211_FLAG_NEED_RTNL,
14247 	},
14248 	{
14249 		.cmd = NL80211_CMD_SET_MAC_ACL,
14250 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14251 		.doit = nl80211_set_mac_acl,
14252 		.flags = GENL_UNS_ADMIN_PERM,
14253 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14254 				  NL80211_FLAG_NEED_RTNL,
14255 	},
14256 	{
14257 		.cmd = NL80211_CMD_RADAR_DETECT,
14258 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14259 		.doit = nl80211_start_radar_detection,
14260 		.flags = GENL_UNS_ADMIN_PERM,
14261 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14262 				  NL80211_FLAG_NEED_RTNL,
14263 	},
14264 	{
14265 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
14266 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14267 		.doit = nl80211_get_protocol_features,
14268 	},
14269 	{
14270 		.cmd = NL80211_CMD_UPDATE_FT_IES,
14271 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14272 		.doit = nl80211_update_ft_ies,
14273 		.flags = GENL_UNS_ADMIN_PERM,
14274 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14275 				  NL80211_FLAG_NEED_RTNL,
14276 	},
14277 	{
14278 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
14279 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14280 		.doit = nl80211_crit_protocol_start,
14281 		.flags = GENL_UNS_ADMIN_PERM,
14282 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14283 				  NL80211_FLAG_NEED_RTNL,
14284 	},
14285 	{
14286 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14287 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14288 		.doit = nl80211_crit_protocol_stop,
14289 		.flags = GENL_UNS_ADMIN_PERM,
14290 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14291 				  NL80211_FLAG_NEED_RTNL,
14292 	},
14293 	{
14294 		.cmd = NL80211_CMD_GET_COALESCE,
14295 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14296 		.doit = nl80211_get_coalesce,
14297 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14298 				  NL80211_FLAG_NEED_RTNL,
14299 	},
14300 	{
14301 		.cmd = NL80211_CMD_SET_COALESCE,
14302 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14303 		.doit = nl80211_set_coalesce,
14304 		.flags = GENL_UNS_ADMIN_PERM,
14305 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14306 				  NL80211_FLAG_NEED_RTNL,
14307 	},
14308 	{
14309 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
14310 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14311 		.doit = nl80211_channel_switch,
14312 		.flags = GENL_UNS_ADMIN_PERM,
14313 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14314 				  NL80211_FLAG_NEED_RTNL,
14315 	},
14316 	{
14317 		.cmd = NL80211_CMD_VENDOR,
14318 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14319 		.doit = nl80211_vendor_cmd,
14320 		.dumpit = nl80211_vendor_cmd_dump,
14321 		.flags = GENL_UNS_ADMIN_PERM,
14322 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14323 				  NL80211_FLAG_NEED_RTNL |
14324 				  NL80211_FLAG_CLEAR_SKB,
14325 	},
14326 	{
14327 		.cmd = NL80211_CMD_SET_QOS_MAP,
14328 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14329 		.doit = nl80211_set_qos_map,
14330 		.flags = GENL_UNS_ADMIN_PERM,
14331 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14332 				  NL80211_FLAG_NEED_RTNL,
14333 	},
14334 	{
14335 		.cmd = NL80211_CMD_ADD_TX_TS,
14336 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14337 		.doit = nl80211_add_tx_ts,
14338 		.flags = GENL_UNS_ADMIN_PERM,
14339 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14340 				  NL80211_FLAG_NEED_RTNL,
14341 	},
14342 	{
14343 		.cmd = NL80211_CMD_DEL_TX_TS,
14344 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14345 		.doit = nl80211_del_tx_ts,
14346 		.flags = GENL_UNS_ADMIN_PERM,
14347 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14348 				  NL80211_FLAG_NEED_RTNL,
14349 	},
14350 	{
14351 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
14352 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14353 		.doit = nl80211_tdls_channel_switch,
14354 		.flags = GENL_UNS_ADMIN_PERM,
14355 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14356 				  NL80211_FLAG_NEED_RTNL,
14357 	},
14358 	{
14359 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
14360 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14361 		.doit = nl80211_tdls_cancel_channel_switch,
14362 		.flags = GENL_UNS_ADMIN_PERM,
14363 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14364 				  NL80211_FLAG_NEED_RTNL,
14365 	},
14366 	{
14367 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
14368 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14369 		.doit = nl80211_set_multicast_to_unicast,
14370 		.flags = GENL_UNS_ADMIN_PERM,
14371 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14372 				  NL80211_FLAG_NEED_RTNL,
14373 	},
14374 	{
14375 		.cmd = NL80211_CMD_SET_PMK,
14376 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14377 		.doit = nl80211_set_pmk,
14378 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14379 				  NL80211_FLAG_NEED_RTNL |
14380 				  NL80211_FLAG_CLEAR_SKB,
14381 	},
14382 	{
14383 		.cmd = NL80211_CMD_DEL_PMK,
14384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14385 		.doit = nl80211_del_pmk,
14386 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14387 				  NL80211_FLAG_NEED_RTNL,
14388 	},
14389 	{
14390 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
14391 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14392 		.doit = nl80211_external_auth,
14393 		.flags = GENL_ADMIN_PERM,
14394 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14395 				  NL80211_FLAG_NEED_RTNL,
14396 	},
14397 	{
14398 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
14399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14400 		.doit = nl80211_tx_control_port,
14401 		.flags = GENL_UNS_ADMIN_PERM,
14402 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14403 				  NL80211_FLAG_NEED_RTNL,
14404 	},
14405 	{
14406 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
14407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14408 		.doit = nl80211_get_ftm_responder_stats,
14409 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14410 				  NL80211_FLAG_NEED_RTNL,
14411 	},
14412 	{
14413 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
14414 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14415 		.doit = nl80211_pmsr_start,
14416 		.flags = GENL_UNS_ADMIN_PERM,
14417 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14418 				  NL80211_FLAG_NEED_RTNL,
14419 	},
14420 	{
14421 		.cmd = NL80211_CMD_NOTIFY_RADAR,
14422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14423 		.doit = nl80211_notify_radar_detection,
14424 		.flags = GENL_UNS_ADMIN_PERM,
14425 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14426 				  NL80211_FLAG_NEED_RTNL,
14427 	},
14428 	{
14429 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
14430 		.doit = nl80211_update_owe_info,
14431 		.flags = GENL_ADMIN_PERM,
14432 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14433 				  NL80211_FLAG_NEED_RTNL,
14434 	},
14435 	{
14436 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
14437 		.doit = nl80211_probe_mesh_link,
14438 		.flags = GENL_UNS_ADMIN_PERM,
14439 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14440 				  NL80211_FLAG_NEED_RTNL,
14441 	},
14442 };
14443 
/*
 * The nl80211 generic netlink family.
 *
 * Userspace resolves the family id by name (NL80211_GENL_NAME); the
 * version number carries no meaning and there is no family-private header.
 * Incoming attributes are validated against nl80211_policy up to
 * NL80211_ATTR_MAX.  Every .doit in nl80211_ops is bracketed by
 * nl80211_pre_doit()/nl80211_post_doit(), which is where the NL80211_FLAG_*
 * internal_flags of each op are handled (see those functions).
 *
 * The family is reachable from all network namespaces (.netnsok); which
 * commands an unprivileged caller may issue is decided per op by the
 * GENL_ADMIN_PERM / GENL_UNS_ADMIN_PERM flags in nl80211_ops, ops without
 * such a flag being the "can be retrieved by unprivileged users" ones.
 */
static struct genl_family nl80211_fam __ro_after_init = {
	/* identity */
	.name		= NL80211_GENL_NAME,
	.version	= 1,
	.hdrsize	= 0,
	/* attribute validation */
	.maxattr	= NL80211_ATTR_MAX,
	.policy		= nl80211_policy,
	/* command handlers and the hooks run around each of them */
	.pre_doit	= nl80211_pre_doit,
	.post_doit	= nl80211_post_doit,
	.ops		= nl80211_ops,
	.n_ops		= ARRAY_SIZE(nl80211_ops),
	/* event multicast groups, indexed by enum nl80211_multicast_groups */
	.mcgrps		= nl80211_mcgrps,
	.n_mcgrps	= ARRAY_SIZE(nl80211_mcgrps),
	/* usable from non-init network namespaces */
	.netnsok	= true,
	.module		= THIS_MODULE,
};
14459 
14460 /* notification functions */
14461 
/**
 * nl80211_notify_wiphy - multicast a wiphy add/remove notification
 * @rdev: the wiphy being announced or removed
 * @cmd: %NL80211_CMD_NEW_WIPHY or %NL80211_CMD_DEL_WIPHY; any other value
 *	trips a WARN_ON but the message is built and sent regardless
 *
 * Builds the wiphy description with nl80211_send_wiphy() and multicasts it
 * to the "config" group within the wiphy's own network namespace.
 * Notifications are best-effort: an allocation or fill failure drops the
 * event silently.
 */
void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
			  enum nl80211_commands cmd)
{
	struct nl80211_dump_wiphy_state state = {};
	struct sk_buff *msg;
	int ret;

	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
		cmd != NL80211_CMD_DEL_WIPHY);

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return;

	ret = nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state);
	if (ret < 0)
		goto out_free;

	/* ownership of msg passes to the multicast path */
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_CONFIG, GFP_KERNEL);
	return;

out_free:
	nlmsg_free(msg);
}
14483 
/**
 * nl80211_notify_iface - multicast an interface event
 * @rdev: the wiphy the interface belongs to
 * @wdev: the interface the event is about
 * @cmd: the interface command to announce (passed through to
 *	nl80211_send_iface())
 *
 * Fills a message with nl80211_send_iface() and multicasts it to the
 * "config" group in the wiphy's network namespace.  Best-effort: nothing
 * is sent if the message cannot be allocated or built.
 */
void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
				struct wireless_dev *wdev,
				enum nl80211_commands cmd)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);

	if (!msg)
		return;

	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) >= 0) {
		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
					msg, 0, NL80211_MCGRP_CONFIG,
					GFP_KERNEL);
		return;
	}

	/* the message could not be built; drop it rather than send garbage */
	nlmsg_free(msg);
}
14502 
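/*
 * Append the parameters of the scan currently recorded in rdev->scan_req to
 * a scan event: the nested SSID list, the nested frequency list and the
 * optional IEs, scan flags and scan-start TSF/BSSID.
 *
 * Returns 0 on success, or -ENOBUFS when @msg ran out of room.  If room
 * runs out while one of the two nested lists is being filled, that nest is
 * cancelled (trimmed back off @msg) instead of being left open: a nest
 * started with nla_nest_start_noflag() but never closed by nla_nest_end()
 * keeps its initial empty payload length, so the list entries already
 * placed after it would be seen by the receiver as top-level attributes of
 * type 0, 1, 2, ... rather than as members of the list.  The caller
 * (nl80211_prep_scan_msg()) ignores the return value and sends whatever
 * did fit, which is why the message must stay well-formed on failure.
 */
static int nl80211_add_scan_req(struct sk_buff *msg,
				struct cfg80211_registered_device *rdev)
{
	struct cfg80211_scan_request *req = rdev->scan_req;
	struct nlattr *nest;
	int i;

	/* no scan request recorded: nothing to add, not an error */
	if (WARN_ON(!req))
		return 0;

	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
	if (!nest)
		goto nla_put_failure;
	/* inside the nest the attribute type is simply the list index */
	for (i = 0; i < req->n_ssids; i++) {
		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
			goto nest_failure;
	}
	nla_nest_end(msg, nest);

	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
	if (!nest)
		goto nla_put_failure;
	for (i = 0; i < req->n_channels; i++) {
		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
			goto nest_failure;
	}
	nla_nest_end(msg, nest);

	if (req->ie &&
	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
		goto nla_put_failure;

	if (req->flags &&
	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
		goto nla_put_failure;

	/* TSF and the BSSID it was taken from are only present when recorded */
	if (req->info.scan_start_tsf &&
	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
		     req->info.tsf_bssid)))
		goto nla_put_failure;

	return 0;

 nest_failure:
	/* drop the half-built list so the event stays parseable */
	nla_nest_cancel(msg, nest);
 nla_put_failure:
	return -ENOBUFS;
}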
14550 
/*
 * Build a complete scan event in @msg: the generic netlink header for @cmd,
 * the wiphy index, the ifindex (only when the wdev has a netdev), the wdev
 * id, and finally the scan request parameters.
 *
 * Returns 0 on success.  Returns -1 when even the header does not fit, and
 * -EMSGSIZE (after cancelling the header) when one of the identifying
 * attributes does not fit; callers only test for a negative value.  A
 * failure while adding the scan request parameters is deliberately
 * ignored and the event is sent incomplete.
 */
static int nl80211_prep_scan_msg(struct sk_buff *msg,
				 struct cfg80211_registered_device *rdev,
				 struct wireless_dev *wdev,
				 u32 portid, u32 seq, int flags,
				 u32 cmd)
{
	void *hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);

	if (!hdr)
		return -1;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto nla_put_failure;

	/* wdevs without a netdev (e.g. no ifindex) simply omit the attribute */
	if (wdev->netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
		goto nla_put_failure;

	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto nla_put_failure;

	/* ignore errors and send incomplete event anyway */
	nl80211_add_scan_req(msg, rdev);

	genlmsg_end(msg, hdr);
	return 0;

 nla_put_failure:
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
14580 
/*
 * Fill @msg with a scheduled-scan event of type @cmd for @req.
 *
 * Returns 0 on success, -1 if the header could not be added, -EMSGSIZE if
 * an attribute did not fit (the message is cancelled). The caller keeps
 * ownership of @msg.
 */
static int
nl80211_prep_sched_scan_msg(struct sk_buff *msg,
			    struct cfg80211_sched_scan_request *req, u32 cmd)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(req->wiphy);
	void *hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);

	if (!hdr)
		return -1;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto nla_put_failure;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex))
		goto nla_put_failure;
	/* reqid is the cookie userspace uses to match the event to its request */
	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
			      NL80211_ATTR_PAD))
		goto nla_put_failure;

	genlmsg_end(msg, hdr);
	return 0;

nla_put_failure:
	genlmsg_cancel(msg, hdr);
	return -EMSGSIZE;
}
14605 
/*
 * Multicast an NL80211_CMD_TRIGGER_SCAN event for @wdev to the SCAN group
 * of the wiphy's network namespace. Allocation or build failures are
 * silently dropped, as for all nl80211 events.
 */
void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
			     struct wireless_dev *wdev)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	int err;

	if (!msg)
		return;

	err = nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
				    NL80211_CMD_TRIGGER_SCAN);
	if (err < 0) {
		nlmsg_free(msg);
		return;
	}

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_SCAN, GFP_KERNEL);
}
14624 
/*
 * Build (but do not send) the scan-done event for @wdev: SCAN_ABORTED when
 * @aborted is set, NEW_SCAN_RESULTS otherwise.
 *
 * Returns the message, to be handed to nl80211_send_scan_msg(), or NULL on
 * allocation/build failure. The caller owns the returned skb.
 */
struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
				       struct wireless_dev *wdev, bool aborted)
{
	u32 cmd = aborted ? NL80211_CMD_SCAN_ABORTED : NL80211_CMD_NEW_SCAN_RESULTS;
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);

	if (!msg)
		return NULL;

	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0, cmd) < 0) {
		nlmsg_free(msg);
		return NULL;
	}

	return msg;
}
14643 
/*
 * Multicast a message built by nl80211_build_scan_msg() to the SCAN group
 * of the wiphy's network namespace. A NULL @msg (failed build) is a no-op,
 * so callers need not check the build result themselves.
 */
void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
			   struct sk_buff *msg)
{
	if (msg)
		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
					msg, 0, NL80211_MCGRP_SCAN, GFP_KERNEL);
}
14654 
/*
 * Multicast a scheduled-scan event of type @cmd for @req to the SCAN group
 * of the request's wiphy namespace. Failures are dropped silently.
 */
void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);

	if (!msg)
		return;

	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
		nlmsg_free(msg);
		return;
	}

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
				NL80211_MCGRP_SCAN, GFP_KERNEL);
}
14671 
/*
 * Add the attributes describing a regulatory change @request to @msg:
 * the initiator (always), the domain type, the alpha2 for a real country
 * domain, and the wiphy (plus self-managed flag) for wiphy-specific requests.
 *
 * Returns true on success, false if an attribute did not fit; the caller
 * is responsible for discarding the message in that case.
 */
static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
					  struct regulatory_request *request)
{
	const char *a2 = request->alpha2;
	bool country_domain = false;
	u8 type;

	/* Userspace can always count on the initiator being present. */
	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
		return false;

	/* "00", "99" and "98" are the reserved pseudo-alpha2 codes. */
	if (a2[0] == '0' && a2[1] == '0') {
		type = NL80211_REGDOM_TYPE_WORLD;
	} else if (a2[0] == '9' && a2[1] == '9') {
		type = NL80211_REGDOM_TYPE_CUSTOM_WORLD;
	} else if ((a2[0] == '9' && a2[1] == '8') || request->intersect) {
		type = NL80211_REGDOM_TYPE_INTERSECTION;
	} else {
		type = NL80211_REGDOM_TYPE_COUNTRY;
		country_domain = true;
	}

	if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE, type))
		return false;

	/*
	 * The alpha2 string is only reported for a real country domain.
	 * NOTE(review): nla_put_string() uses strlen(), so this relies on
	 * request->alpha2 being NUL-terminated - confirm against the
	 * regulatory_request definition.
	 */
	if (country_domain &&
	    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, a2))
		return false;

	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);

		/* the wiphy may already be gone; then report nothing for it */
		if (wiphy) {
			if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
					request->wiphy_idx))
				return false;
			if ((wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED) &&
			    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
				return false;
		}
	}

	return true;
}
14718 
14719 /*
14720  * This can happen on global regulatory changes or device specific settings
14721  * based on custom regulatory domains.
14722  */
14723 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14724 				     struct regulatory_request *request)
14725 {
14726 	struct sk_buff *msg;
14727 	void *hdr;
14728 
14729 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14730 	if (!msg)
14731 		return;
14732 
14733 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
14734 	if (!hdr) {
14735 		nlmsg_free(msg);
14736 		return;
14737 	}
14738 
14739 	if (nl80211_reg_change_event_fill(msg, request) == false)
14740 		goto nla_put_failure;
14741 
14742 	genlmsg_end(msg, hdr);
14743 
14744 	rcu_read_lock();
14745 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14746 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14747 	rcu_read_unlock();
14748 
14749 	return;
14750 
14751 nla_put_failure:
14752 	nlmsg_free(msg);
14753 }
14754 
/*
 * Multicast an MLME event @cmd carrying the frame @buf/@len for @netdev.
 *
 * @uapsd_queues: U-APSD queue bitmap to report in a nested STA_WME
 *	attribute, or a negative value to omit it.
 * @req_ies/@req_ies_len: optional request IEs (NULL to omit).
 *
 * Failures to allocate or build the message are silently dropped.
 */
static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
				    struct net_device *netdev,
				    const u8 *buf, size_t len,
				    enum nl80211_commands cmd, gfp_t gfp,
				    int uapsd_queues, const u8 *req_ies,
				    size_t req_ies_len)
{
	struct sk_buff *msg;
	void *hdr;

	/* 100 bytes of slack covers the header and fixed-size attributes */
	msg = nlmsg_new(100 + len + req_ies_len, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;
	/* the frame is passed through verbatim */
	if (nla_put(msg, NL80211_ATTR_FRAME, len, buf))
		goto out_free;
	if (req_ies &&
	    nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies))
		goto out_free;

	if (uapsd_queues >= 0) {
		struct nlattr *wme;

		wme = nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
		if (!wme)
			goto out_free;
		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES, uapsd_queues))
			goto out_free;
		nla_nest_end(msg, wme);
	}

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
14804 
/* Report a received authentication frame as NL80211_CMD_AUTHENTICATE. */
void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
			  struct net_device *netdev, const u8 *buf,
			  size_t len, gfp_t gfp)
{
	/* no U-APSD information and no request IEs for this event */
	const int no_uapsd = -1;

	nl80211_send_mlme_event(rdev, netdev, buf, len, NL80211_CMD_AUTHENTICATE,
				gfp, no_uapsd, NULL, 0);
}
14812 
/*
 * Report a received association response as NL80211_CMD_ASSOCIATE,
 * including the U-APSD queues (if non-negative) and the request IEs.
 */
void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
			   struct net_device *netdev, const u8 *buf,
			   size_t len, gfp_t gfp, int uapsd_queues,
			   const u8 *req_ies, size_t req_ies_len)
{
	const enum nl80211_commands cmd = NL80211_CMD_ASSOCIATE;

	nl80211_send_mlme_event(rdev, netdev, buf, len, cmd, gfp,
				uapsd_queues, req_ies, req_ies_len);
}
14822 
/* Report a deauthentication frame as NL80211_CMD_DEAUTHENTICATE. */
void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
			 struct net_device *netdev, const u8 *buf,
			 size_t len, gfp_t gfp)
{
	/* no U-APSD information and no request IEs for this event */
	const int no_uapsd = -1;

	nl80211_send_mlme_event(rdev, netdev, buf, len,
				NL80211_CMD_DEAUTHENTICATE, gfp, no_uapsd,
				NULL, 0);
}
14830 
/* Report a disassociation frame as NL80211_CMD_DISASSOCIATE. */
void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
			   struct net_device *netdev, const u8 *buf,
			   size_t len, gfp_t gfp)
{
	/* no U-APSD information and no request IEs for this event */
	const int no_uapsd = -1;

	nl80211_send_mlme_event(rdev, netdev, buf, len,
				NL80211_CMD_DISASSOCIATE, gfp, no_uapsd,
				NULL, 0);
}
14838 
/*
 * Report an unprotected deauth/disassoc frame to userspace as
 * NL80211_CMD_UNPROT_DEAUTHENTICATE or NL80211_CMD_UNPROT_DISASSOCIATE.
 * Only the 2-byte frame control field is inspected here; the frame is
 * otherwise passed through verbatim. Called from atomic context.
 */
void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
				  size_t len)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	const struct ieee80211_mgmt *mgmt = (const void *)buf;
	u32 cmd = NL80211_CMD_UNPROT_DISASSOCIATE;

	/* frame_control is the first two bytes; nothing past it is read */
	if (WARN_ON(len < 2))
		return;

	if (ieee80211_is_deauth(mgmt->frame_control))
		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;

	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
				NULL, 0);
}
EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
14861 
/*
 * Multicast an MLME event @cmd flagged NL80211_ATTR_TIMED_OUT for peer
 * @addr on @netdev. Used for authentication/association timeouts.
 */
static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
				      struct net_device *netdev, int cmd,
				      const u8 *addr, gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;
	/* the flag is what distinguishes this from a received frame event */
	if (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT))
		goto out_free;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
14894 
/* Report an authentication timeout with peer @addr. */
void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
			       struct net_device *netdev, const u8 *addr,
			       gfp_t gfp)
{
	const int cmd = NL80211_CMD_AUTHENTICATE;

	nl80211_send_mlme_timeout(rdev, netdev, cmd, addr, gfp);
}
14902 
/* Report an association timeout with peer @addr. */
void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
				struct net_device *netdev, const u8 *addr,
				gfp_t gfp)
{
	const int cmd = NL80211_CMD_ASSOCIATE;

	nl80211_send_mlme_timeout(rdev, netdev, cmd, addr, gfp);
}
14910 
/*
 * Multicast an NL80211_CMD_CONNECT event describing the outcome @cr of a
 * connect attempt on @netdev.
 *
 * A negative cr->status is a local timeout: it is reported as
 * WLAN_STATUS_UNSPECIFIED_FAILURE together with the TIMED_OUT flag and
 * the timeout reason. FILS keying material (KEK, PMK, PMKID) is only
 * included when the connection succeeded.
 */
void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
				 struct net_device *netdev,
				 struct cfg80211_connect_resp_params *cr,
				 gfp_t gfp)
{
	size_t extra = cr->req_ie_len + cr->resp_ie_len +
		       cr->fils.kek_len + cr->fils.pmk_len;
	struct sk_buff *msg;
	void *hdr;
	u16 status;

	if (cr->fils.pmkid)
		extra += WLAN_PMKID_LEN;

	/* 100 bytes of slack for the header and fixed-size attributes */
	msg = nlmsg_new(100 + extra, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;

	if (cr->bssid && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid))
		goto out_free;

	status = cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE : cr->status;
	if (nla_put_u16(msg, NL80211_ATTR_STATUS_CODE, status))
		goto out_free;
	if (cr->status < 0) {
		if (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
		    nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
				cr->timeout_reason))
			goto out_free;
	}

	if (cr->req_ie &&
	    nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie))
		goto out_free;
	if (cr->resp_ie &&
	    nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len, cr->resp_ie))
		goto out_free;

	if (cr->fils.update_erp_next_seq_num &&
	    nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
			cr->fils.erp_next_seq_num))
		goto out_free;

	/*
	 * NOTE(review): the KEK/PMK below are secret keying material and
	 * this message is multicast to NL80211_MCGRP_MLME, so every socket
	 * that may bind to that group receives them. Nothing in this
	 * function restricts who can subscribe - confirm that group binding
	 * is privilege-gated elsewhere.
	 */
	if (cr->status == WLAN_STATUS_SUCCESS) {
		if (cr->fils.kek &&
		    nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
			    cr->fils.kek))
			goto out_free;
		if (cr->fils.pmk &&
		    nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len,
			    cr->fils.pmk))
			goto out_free;
		if (cr->fils.pmkid &&
		    nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN,
			    cr->fils.pmkid))
			goto out_free;
	}

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
14969 
/*
 * Multicast an NL80211_CMD_ROAM event for @netdev. The BSSID comes from
 * info->bss when the caller supplied a BSS entry, otherwise from
 * info->bssid. Unlike the connect event, FILS keying material is reported
 * whenever it is present (a roam event implies success).
 */
void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
			 struct net_device *netdev,
			 struct cfg80211_roam_info *info, gfp_t gfp)
{
	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
	size_t extra = info->req_ie_len + info->resp_ie_len +
		       info->fils.kek_len + info->fils.pmk_len;
	struct sk_buff *msg;
	void *hdr;

	if (info->fils.pmkid)
		extra += WLAN_PMKID_LEN;

	/* 100 bytes of slack for the header and fixed-size attributes */
	msg = nlmsg_new(100 + extra, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
		goto out_free;

	if (info->req_ie &&
	    nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len, info->req_ie))
		goto out_free;
	if (info->resp_ie &&
	    nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
		    info->resp_ie))
		goto out_free;

	if (info->fils.update_erp_next_seq_num &&
	    nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
			info->fils.erp_next_seq_num))
		goto out_free;

	/*
	 * NOTE(review): KEK/PMK are secret keying material multicast to
	 * NL80211_MCGRP_MLME; nothing here restricts who may subscribe to
	 * that group - confirm binding is privilege-gated elsewhere.
	 */
	if (info->fils.kek &&
	    nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
		    info->fils.kek))
		goto out_free;
	if (info->fils.pmk &&
	    nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk))
		goto out_free;
	if (info->fils.pmkid &&
	    nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
15020 
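/*
 * Multicast an NL80211_CMD_PORT_AUTHORIZED event for @netdev, telling
 * userspace that the 802.1X port for @bssid is now open.
 *
 * Like every other MLME event in this file, the message identifies the
 * wiphy and the interface; previously only the BSSID was sent (and the
 * @netdev argument went unused), so a listener on the MLME multicast
 * group could not tell which interface had been authorized. Adding
 * attributes to a netlink event is backward-compatible for existing
 * consumers.
 */
void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
				  struct net_device *netdev, const u8 *bssid)
{
	struct sk_buff *msg;
	void *hdr;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
	if (!hdr) {
		nlmsg_free(msg);
		return;
	}

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
		goto nla_put_failure;

	genlmsg_end(msg, hdr);

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, GFP_KERNEL);
	return;

 nla_put_failure:
	nlmsg_free(msg);
}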
15049 
/*
 * Multicast an NL80211_CMD_DISCONNECT event for @netdev.
 *
 * @reason: 802.11 reason code; 0 omits the attribute.
 * @ie/@ie_len: optional IEs from the disconnect frame (NULL to omit).
 * @from_ap: set the DISCONNECTED_BY_AP flag when the AP initiated it.
 */
void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
			       struct net_device *netdev, u16 reason,
			       const u8 *ie, size_t ie_len, bool from_ap)
{
	struct sk_buff *msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;

	/* a zero reason code is treated as "unknown" and not reported */
	if (reason && nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason))
		goto out_free;
	if (from_ap && nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP))
		goto out_free;
	if (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, GFP_KERNEL);
	return;

out_free:
	nlmsg_free(msg);
}
15085 
/*
 * Multicast an NL80211_CMD_JOIN_IBSS event for @netdev announcing the
 * BSSID @bssid of the IBSS that was joined.
 */
void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
			     struct net_device *netdev, const u8 *bssid,
			     gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
15117 
/*
 * Multicast an NL80211_CMD_NEW_PEER_CANDIDATE event for mesh interface
 * @dev, announcing a candidate peer @addr with its IEs and signal.
 * Only valid on a mesh point; other interface types trigger a WARN_ON
 * and are ignored.
 *
 * @ie/@ie_len: candidate's IEs, omitted when NULL or empty.
 * @sig_dbm: signal strength, omitted when 0.
 */
void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
					const u8 *ie, u8 ie_len,
					int sig_dbm, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct sk_buff *msg;
	void *hdr;

	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
		return;

	trace_cfg80211_notify_new_peer_candidate(dev, addr);

	msg = nlmsg_new(100 + ie_len, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
		goto out_free;

	if (ie_len && ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie))
		goto out_free;
	/* a zero signal value is not a real measurement and is not reported */
	if (sig_dbm && nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
15161 
/*
 * Multicast an NL80211_CMD_MICHAEL_MIC_FAILURE event for @netdev so that
 * userspace can run TKIP countermeasures.
 *
 * @addr: peer address, omitted when NULL.
 * @key_id: key index, omitted when -1.
 * @tsc: 6-byte sequence counter of the failing frame, omitted when NULL.
 */
void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
				 struct net_device *netdev, const u8 *addr,
				 enum nl80211_key_type key_type, int key_id,
				 const u8 *tsc, gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;
	if (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type))
		goto out_free;
	if (key_id != -1 && nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id))
		goto out_free;
	if (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
15198 
/*
 * Add a nested channel description under attribute @attr.
 * Returns 0 on success, -ENOBUFS if it did not fit.
 */
static int nl80211_put_beacon_hint_chan(struct sk_buff *msg,
					struct wiphy *wiphy, int attr,
					struct ieee80211_channel *chan)
{
	struct nlattr *nest = nla_nest_start_noflag(msg, attr);

	if (!nest)
		return -ENOBUFS;
	if (nl80211_msg_put_channel(msg, wiphy, chan, false))
		return -ENOBUFS;
	nla_nest_end(msg, nest);
	return 0;
}

/*
 * Multicast an NL80211_CMD_REG_BEACON_HINT event to the REGULATORY group
 * in all namespaces, carrying the channel state before and after the
 * beacon hint was applied. Runs in atomic context.
 */
void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
				    struct ieee80211_channel *channel_before,
				    struct ieee80211_channel *channel_after)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
	if (!hdr)
		goto out_free;

	/*
	 * Since we are applying the beacon hint to a wiphy we know its
	 * wiphy_idx is valid.
	 */
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
		goto out_free;

	if (nl80211_put_beacon_hint_chan(msg, wiphy, NL80211_ATTR_FREQ_BEFORE,
					 channel_before))
		goto out_free;
	if (nl80211_put_beacon_hint_chan(msg, wiphy, NL80211_ATTR_FREQ_AFTER,
					 channel_after))
		goto out_free;

	genlmsg_end(msg, hdr);

	rcu_read_lock();
	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
	rcu_read_unlock();
	return;

out_free:
	nlmsg_free(msg);
}
15254 
/*
 * Multicast a remain-on-channel event @cmd for @wdev: the channel, the
 * operation cookie and - for NL80211_CMD_REMAIN_ON_CHANNEL only - the
 * granted @duration. The channel type is always reported as NO_HT.
 */
static void nl80211_send_remain_on_chan_event(
	int cmd, struct cfg80211_registered_device *rdev,
	struct wireless_dev *wdev, u64 cookie,
	struct ieee80211_channel *chan,
	unsigned int duration, gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto out_free;
	/* only netdev-backed wdevs have an ifindex */
	if (wdev->netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
		goto out_free;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE, NL80211_CHAN_NO_HT))
		goto out_free;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
			      NL80211_ATTR_PAD))
		goto out_free;

	/* the cancel/expiry event carries no duration */
	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
15299 
/*
 * Driver API: report that the remain-on-channel operation identified by
 * @cookie has started on @chan for @duration.
 */
void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
			       struct ieee80211_channel *chan,
			       unsigned int duration, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);

	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL, rdev,
					  wdev, cookie, chan, duration, gfp);
}
EXPORT_SYMBOL(cfg80211_ready_on_channel);
15313 
/*
 * Driver API: report that the remain-on-channel operation identified by
 * @cookie on @chan has ended. No duration is reported for this event.
 */
void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
					struct ieee80211_channel *chan,
					gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);

	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
					  rdev, wdev, cookie, chan, 0, gfp);
}
EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
15326 
/*
 * Driver API: multicast an NL80211_CMD_NEW_STATION event for @mac_addr on
 * @dev with the station info @sinfo.
 *
 * NOTE(review): unlike cfg80211_del_sta_sinfo(), a failed nlmsg_new()
 * here does not call cfg80211_sinfo_release_content(sinfo); confirm that
 * callers never hand in sinfo with per-TID data that would then leak.
 */
void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
		      struct station_info *sinfo, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
	struct sk_buff *msg;
	int err;

	trace_cfg80211_new_sta(dev, mac_addr, sinfo);

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	err = nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
				   rdev, dev, mac_addr, sinfo);
	if (err < 0) {
		nlmsg_free(msg);
		return;
	}

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
}
EXPORT_SYMBOL(cfg80211_new_sta);
15350 
/*
 * Driver API: multicast an NL80211_CMD_DEL_STATION event for @mac_addr on
 * @dev. @sinfo may be NULL, in which case an empty station_info is used.
 * If the message cannot be allocated, the sinfo content is released here;
 * otherwise nl80211_send_station() takes care of it.
 */
void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
			    struct station_info *sinfo, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
	struct station_info empty_sinfo = {};
	struct sk_buff *msg;
	int err;

	if (!sinfo)
		sinfo = &empty_sinfo;

	trace_cfg80211_del_sta(dev, mac_addr);

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg) {
		cfg80211_sinfo_release_content(sinfo);
		return;
	}

	err = nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
				   rdev, dev, mac_addr, sinfo);
	if (err < 0) {
		nlmsg_free(msg);
		return;
	}

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
}
EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
15380 
/*
 * Driver API: multicast an NL80211_CMD_CONN_FAILED event for a station
 * @mac_addr that could not be accepted on AP interface @dev, with @reason.
 *
 * NOTE(review): unlike the other MLME events in this file this one does
 * not carry NL80211_ATTR_WIPHY; the ifindex alone identifies the
 * interface within the namespace.
 */
void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
			  enum nl80211_connect_failed_reason reason,
			  gfp_t gfp)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
	struct sk_buff *msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto out_free;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_conn_failed);
15415 
/*
 * Unicast an unexpected-frame event @cmd about peer @addr to the socket
 * that registered for it on the AP wdev (ap_unexpected_nlportid).
 *
 * Returns false only when nobody registered; once a listener exists it
 * returns true even if the message could not be built or sent, so the
 * caller treats the frame as reported in either case.
 */
static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
				       const u8 *addr, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
	struct sk_buff *msg;
	void *hdr;

	if (!nlportid)
		return false;

	msg = nlmsg_new(100, gfp);
	if (!msg)
		return true;

	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto out_free;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto out_free;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
		goto out_free;

	genlmsg_end(msg, hdr);
	/* the unicast result is deliberately ignored (best-effort) */
	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
	return true;

out_free:
	nlmsg_free(msg);
	return true;
}
15451 
/*
 * Driver API: report a data frame from an unassociated station @addr on
 * AP/P2P-GO interface @dev. Returns true if a userspace listener was
 * registered for such events, false otherwise (or on an invalid iftype).
 */
bool cfg80211_rx_spurious_frame(struct net_device *dev,
				const u8 *addr, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	bool is_ap = wdev->iftype == NL80211_IFTYPE_AP ||
		     wdev->iftype == NL80211_IFTYPE_P2P_GO;
	bool ret = false;

	trace_cfg80211_rx_spurious_frame(dev, addr);

	if (!WARN_ON(!is_ap))
		ret = __nl80211_unexpected_frame(dev,
						 NL80211_CMD_UNEXPECTED_FRAME,
						 addr, gfp);

	trace_cfg80211_return_bool(ret);
	return ret;
}
EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
15471 
/*
 * Driver API: report an unexpected 4-address frame from station @addr on
 * AP/P2P-GO/AP_VLAN interface @dev. Returns true if a userspace listener
 * was registered, false otherwise (or on an invalid iftype).
 */
bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
					const u8 *addr, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	bool valid_iftype = wdev->iftype == NL80211_IFTYPE_AP ||
			    wdev->iftype == NL80211_IFTYPE_P2P_GO ||
			    wdev->iftype == NL80211_IFTYPE_AP_VLAN;
	bool ret = false;

	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);

	if (!WARN_ON(!valid_iftype))
		ret = __nl80211_unexpected_frame(dev,
						 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
						 addr, gfp);

	trace_cfg80211_return_bool(ret);
	return ret;
}
EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
15493 
/*
 * Unicast an NL80211_CMD_FRAME event carrying the management frame
 * @buf/@len received on @wdev to the socket @nlportid.
 *
 * @freq: receive frequency in MHz.
 * @sig_dbm: signal strength, omitted when 0.
 * @flags: NL80211_ATTR_RXMGMT_FLAGS, omitted when 0.
 *
 * Returns 0 on success, -ENOMEM if the message could not be allocated or
 * started, -ENOBUFS if an attribute did not fit, or the genlmsg_unicast()
 * error.
 */
int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
		      struct wireless_dev *wdev, u32 nlportid,
		      int freq, int sig_dbm,
		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
{
	struct net_device *netdev = wdev->netdev;
	struct sk_buff *msg = nlmsg_new(100 + len, gfp);
	void *hdr;

	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
	if (!hdr) {
		nlmsg_free(msg);
		return -ENOMEM;
	}

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto nla_put_failure;
	/* only netdev-backed wdevs have an ifindex */
	if (netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto nla_put_failure;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto nla_put_failure;
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq))
		goto nla_put_failure;
	if (sig_dbm && nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm))
		goto nla_put_failure;
	if (nla_put(msg, NL80211_ATTR_FRAME, len, buf))
		goto nla_put_failure;
	if (flags && nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags))
		goto nla_put_failure;

	genlmsg_end(msg, hdr);
	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);

nla_put_failure:
	nlmsg_free(msg);
	return -ENOBUFS;
}
15534 
/*
 * Driver API: multicast an NL80211_CMD_FRAME_TX_STATUS event for the
 * management frame @buf/@len identified by @cookie, with the ACK flag set
 * when @ack is true.
 */
void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct net_device *netdev = wdev->netdev;
	struct sk_buff *msg;
	void *hdr;

	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);

	msg = nlmsg_new(100 + len, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
	if (!hdr)
		goto out_free;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto out_free;
	/* only netdev-backed wdevs have an ifindex */
	if (netdev &&
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto out_free;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto out_free;
	if (nla_put(msg, NL80211_ATTR_FRAME, len, buf))
		goto out_free;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
			      NL80211_ATTR_PAD))
		goto out_free;
	if (ack && nla_put_flag(msg, NL80211_ATTR_ACK))
		goto out_free;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

out_free:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
15577 
/*
 * Forward a received control-port frame to the userspace socket that owns
 * the connection.  The destination port id (wdev->conn_owner_nlportid) is
 * read once via READ_ONCE() up front and reused as the unicast target; no
 * other listener receives the frame.
 *
 * Returns -ENOENT when no connection owner is registered, -ENOMEM when the
 * message cannot be allocated, -ENOBUFS when the header or an attribute
 * does not fit, otherwise the result of genlmsg_unicast().
 */
static int __nl80211_rx_control_port(struct net_device *dev,
				     struct sk_buff *skb,
				     bool unencrypted, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	const u8 *src = eth_hdr(skb)->h_source;
	u16 ethertype = be16_to_cpu(skb->protocol);
	u32 owner = READ_ONCE(wdev->conn_owner_nlportid);
	struct sk_buff *msg;
	struct nlattr *frame;
	void *hdr;

	if (!owner)
		return -ENOENT;

	/* 100 bytes of headroom for the fixed attributes besides the frame */
	msg = nlmsg_new(100 + skb->len, gfp);
	if (!msg)
		return -ENOMEM;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
	if (!hdr)
		goto fail;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, src) ||
	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, ethertype))
		goto fail;

	if (unencrypted &&
	    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT))
		goto fail;

	/* reserve the frame attribute, then copy the payload out of the skb */
	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
	if (!frame)
		goto fail;
	skb_copy_bits(skb, 0, nla_data(frame), skb->len);

	genlmsg_end(msg, hdr);
	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, owner);

fail:
	nlmsg_free(msg);
	return -ENOBUFS;
}
15629 
/**
 * cfg80211_rx_control_port - hand a control-port frame to userspace
 * @dev: network device the frame arrived on
 * @skb: the received frame
 * @unencrypted: whether the frame was received unprotected
 *
 * Uses GFP_ATOMIC so the allocation never sleeps.
 *
 * Return: true when the frame was queued to the connection owner, false
 * when there is no owner or the message could not be built or sent.
 */
bool cfg80211_rx_control_port(struct net_device *dev,
			      struct sk_buff *skb, bool unencrypted)
{
	bool delivered;

	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
	delivered = __nl80211_rx_control_port(dev, skb, unencrypted,
					      GFP_ATOMIC) == 0;
	trace_cfg80211_return_bool(delivered);
	return delivered;
}
EXPORT_SYMBOL(cfg80211_rx_control_port);
15641 
/*
 * Allocate and start an NL80211_CMD_NOTIFY_CQM event.  The generic netlink
 * header, the still-open NL80211_ATTR_CQM nest and the rdev are stashed in
 * msg->cb so that cfg80211_send_cqm() can complete the message later.
 * @mac is optional; when non-NULL it is emitted as NL80211_ATTR_MAC.
 *
 * Returns the message, or NULL on any failure (nothing left to free).
 */
static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
					    const char *mac, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct sk_buff *msg;
	void **state;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return NULL;

	/* state[0]: genl header, state[1]: CQM nest, state[2]: rdev */
	state = (void **)msg->cb;

	state[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
	if (!state[0])
		goto fail;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto fail;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto fail;
	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
		goto fail;

	state[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
	if (!state[1])
		goto fail;

	state[2] = rdev;
	return msg;

fail:
	nlmsg_free(msg);
	return NULL;
}
15679 
/*
 * Complete and multicast a CQM event started by cfg80211_prepare_cqm():
 * close the NL80211_ATTR_CQM nest and the genl header kept in msg->cb,
 * wipe the control block, and send to the MLME multicast group.
 */
static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
{
	void **state = (void **)msg->cb;
	void *hdr = state[0];
	struct nlattr *nest = state[1];
	struct cfg80211_registered_device *rdev = state[2];

	nla_nest_end(msg, nest);
	genlmsg_end(msg, hdr);

	/* the control block was only scratch space; clear it before sending */
	memset(msg->cb, 0, sizeof(msg->cb));

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
}
15693 
/**
 * cfg80211_cqm_rssi_notify - report an RSSI threshold crossing
 * @dev: network device
 * @rssi_event: which threshold was crossed (LOW or HIGH only)
 * @rssi_level: current RSSI in dBm, 0 if unknown
 * @gfp: allocation flags
 *
 * Any other @rssi_event value triggers a WARN and is dropped.  When a CQM
 * configuration exists on the wdev, the level is recorded there, the
 * thresholds are re-evaluated via cfg80211_cqm_rssi_update(), and a zero
 * level is replaced by the stored value.  The level attribute is only
 * emitted when it is non-zero.
 */
void cfg80211_cqm_rssi_notify(struct net_device *dev,
			      enum nl80211_cqm_rssi_threshold_event rssi_event,
			      s32 rssi_level, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct sk_buff *msg;

	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);

	if (WARN_ON(!(rssi_event == NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW ||
		      rssi_event == NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH)))
		return;

	if (wdev->cqm_config) {
		wdev->cqm_config->last_rssi_event_value = rssi_level;
		cfg80211_cqm_rssi_update(rdev, dev);
		if (!rssi_level)
			rssi_level = wdev->cqm_config->last_rssi_event_value;
	}

	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
	if (!msg)
		return;

	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT, rssi_event))
		goto fail;
	if (rssi_level &&
	    nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL, rssi_level))
		goto fail;

	cfg80211_send_cqm(msg, gfp);
	return;

fail:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
15737 
/**
 * cfg80211_cqm_txe_notify - report a TX error CQM event for a peer
 * @dev: network device
 * @peer: peer MAC address, emitted as NL80211_ATTR_MAC
 * @num_packets: reported as NL80211_ATTR_CQM_TXE_PKTS
 * @rate: reported as NL80211_ATTR_CQM_TXE_RATE
 * @intvl: reported as NL80211_ATTR_CQM_TXE_INTVL
 * @gfp: allocation flags
 *
 * Failures drop the event silently.
 */
void cfg80211_cqm_txe_notify(struct net_device *dev,
			     const u8 *peer, u32 num_packets,
			     u32 rate, u32 intvl, gfp_t gfp)
{
	struct sk_buff *msg = cfg80211_prepare_cqm(dev, peer, gfp);

	if (!msg)
		return;

	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets) ||
	    nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate) ||
	    nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl)) {
		nlmsg_free(msg);
		return;
	}

	cfg80211_send_cqm(msg, gfp);
}
EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
15764 
/**
 * cfg80211_cqm_pktloss_notify - report a packet-loss CQM event for a peer
 * @dev: network device
 * @peer: peer MAC address, emitted as NL80211_ATTR_MAC
 * @num_packets: reported as NL80211_ATTR_CQM_PKT_LOSS_EVENT
 * @gfp: allocation flags
 *
 * Failures drop the event silently.
 */
void cfg80211_cqm_pktloss_notify(struct net_device *dev,
				 const u8 *peer, u32 num_packets, gfp_t gfp)
{
	struct sk_buff *msg;

	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);

	msg = cfg80211_prepare_cqm(dev, peer, gfp);
	if (!msg)
		return;

	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets)) {
		nlmsg_free(msg);
		return;
	}

	cfg80211_send_cqm(msg, gfp);
}
EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
15786 
/**
 * cfg80211_cqm_beacon_loss_notify - report beacon loss as a CQM event
 * @dev: network device
 * @gfp: allocation flags
 *
 * Emits the NL80211_ATTR_CQM_BEACON_LOSS_EVENT flag inside the CQM nest.
 * Failures drop the event silently.
 */
void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
{
	struct sk_buff *msg = cfg80211_prepare_cqm(dev, NULL, gfp);

	if (!msg)
		return;

	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT)) {
		nlmsg_free(msg);
		return;
	}

	cfg80211_send_cqm(msg, gfp);
}
EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
15805 
/*
 * Build and multicast an NL80211_CMD_SET_REKEY_OFFLOAD event carrying the
 * BSSID and the new replay counter (inside an NL80211_ATTR_REKEY_DATA
 * nest) to the MLME group.  Failures drop the event silently.
 */
static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
				     struct net_device *netdev, const u8 *bssid,
				     const u8 *replay_ctr, gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	struct nlattr *rekey;
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto drop;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
		goto drop;

	rekey = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
	if (!rekey)
		goto drop;
	/* the counter is a fixed NL80211_REPLAY_CTR_LEN-byte blob */
	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
		    NL80211_REPLAY_CTR_LEN, replay_ctr))
		goto drop;
	nla_nest_end(msg, rekey);

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

drop:
	nlmsg_free(msg);
}
15848 
/**
 * cfg80211_gtk_rekey_notify - notify userspace of a GTK rekey
 * @dev: network device
 * @bssid: BSSID of the AP
 * @replay_ctr: new replay counter (NL80211_REPLAY_CTR_LEN bytes)
 * @gfp: allocation flags
 *
 * Thin wrapper that traces the call and resolves the rdev for
 * nl80211_gtk_rekey_notify().
 */
void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
			       const u8 *replay_ctr, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);

	trace_cfg80211_gtk_rekey_notify(dev, bssid);
	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
}
EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
15860 
/*
 * Build and multicast an NL80211_CMD_PMKSA_CANDIDATE event.  The candidate
 * (index, BSSID and an optional PREAUTH flag) is wrapped in an
 * NL80211_ATTR_PMKSA_CANDIDATE nest.  Failures drop the event silently.
 */
static void
nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
			       struct net_device *netdev, int index,
			       const u8 *bssid, bool preauth, gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	struct nlattr *candidate;
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto drop;

	candidate = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
	if (!candidate)
		goto drop;

	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index))
		goto drop;
	if (nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid))
		goto drop;
	if (preauth && nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH))
		goto drop;

	nla_nest_end(msg, candidate);

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

drop:
	nlmsg_free(msg);
}
15905 
/**
 * cfg80211_pmksa_candidate_notify - report a PMKSA caching candidate
 * @dev: network device
 * @index: candidate index
 * @bssid: candidate BSSID
 * @preauth: whether the candidate supports pre-authentication
 * @gfp: allocation flags
 *
 * Thin wrapper that traces the call and resolves the rdev for
 * nl80211_pmksa_candidate_notify().
 */
void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
				     const u8 *bssid, bool preauth, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);

	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
}
EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
15917 
/*
 * Build and multicast a channel-switch event of type @notif (either the
 * "started" or the "completed" notification) to the MLME group.  The
 * message carries the ifindex and the channel definition; the switch
 * count is only attached to NL80211_CMD_CH_SWITCH_STARTED_NOTIFY.
 * Failures drop the event silently.
 */
static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
				     struct net_device *netdev,
				     struct cfg80211_chan_def *chandef,
				     gfp_t gfp,
				     enum nl80211_commands notif,
				     u8 count)
{
	bool started = notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY;
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
	    nl80211_send_chandef(msg, chandef))
		goto drop;

	if (started && nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

drop:
	nlmsg_free(msg);
}
15957 
/**
 * cfg80211_ch_switch_notify - record and report a completed channel switch
 * @dev: network device
 * @chandef: the channel definition now in use
 *
 * Must be called with the wdev lock held.  Updates the wdev's current and
 * preset chandef; for a station interface the associated BSS's channel is
 * updated too (a missing current_bss is a WARN and is skipped).  Then
 * multicasts NL80211_CMD_CH_SWITCH_NOTIFY.
 */
void cfg80211_ch_switch_notify(struct net_device *dev,
			       struct cfg80211_chan_def *chandef)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);

	ASSERT_WDEV_LOCK(wdev);

	trace_cfg80211_ch_switch_notify(dev, chandef);

	wdev->chandef = *chandef;
	wdev->preset_chandef = *chandef;

	if (wdev->iftype == NL80211_IFTYPE_STATION) {
		if (!WARN_ON(!wdev->current_bss))
			wdev->current_bss->pub.channel = chandef->chan;
	}

	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
}
EXPORT_SYMBOL(cfg80211_ch_switch_notify);
15980 
/**
 * cfg80211_ch_switch_started_notify - report that a channel switch began
 * @dev: network device
 * @chandef: the target channel definition
 * @count: beacons remaining until the switch, sent as NL80211_ATTR_CH_SWITCH_COUNT
 *
 * Unlike cfg80211_ch_switch_notify() this does not touch the wdev state;
 * it only multicasts NL80211_CMD_CH_SWITCH_STARTED_NOTIFY.
 */
void cfg80211_ch_switch_started_notify(struct net_device *dev,
				       struct cfg80211_chan_def *chandef,
				       u8 count)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);

	trace_cfg80211_ch_switch_started_notify(dev, chandef);

	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
}
EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
15995 
/*
 * Multicast an NL80211_CMD_RADAR_DETECT event for @event on @chandef to
 * the MLME group.  @netdev is optional: when given, its ifindex and wdev
 * id are included.  Failures drop the event silently.
 */
void
nl80211_radar_notify(struct cfg80211_registered_device *rdev,
		     const struct cfg80211_chan_def *chandef,
		     enum nl80211_radar_event event,
		     struct net_device *netdev, gfp_t gfp)
{
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;

	/* NOP and radar events don't need a netdev parameter */
	if (netdev &&
	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
	     nla_put_u64_64bit(msg, NL80211_ATTR_WDEV,
			       wdev_id(netdev->ieee80211_ptr),
			       NL80211_ATTR_PAD)))
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event) ||
	    nl80211_send_chandef(msg, chandef))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

drop:
	nlmsg_free(msg);
}
16043 
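/**
 * cfg80211_sta_opmode_change_notify - report a station's operating-mode change
 * @dev: network device the station is associated on
 * @mac: the station's MAC address; NULL is a WARN and the event is dropped
 * @sta_opmode: which of SMPS mode, max bandwidth and NSS changed, plus values
 * @gfp: allocation flags
 *
 * Multicasts NL80211_CMD_STA_OPMODE_CHANGED to the MLME group.  Only the
 * fields flagged in @sta_opmode->changed are attached.  Allocation or
 * attribute failures drop the event silently.
 */
void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
				       struct sta_opmode_info *sta_opmode,
				       gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct sk_buff *msg;
	void *hdr;

	if (WARN_ON(!mac))
		return;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
	if (!hdr)
		goto nla_put_failure;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
		goto nla_put_failure;

	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
		goto nla_put_failure;

	/*
	 * NL80211_ATTR_CHANNEL_WIDTH is defined as a u32 attribute carrying
	 * an enum nl80211_chan_width value; emitting it as a single byte
	 * yields an attribute that u32 parsers in userspace reject or
	 * misread, so it must be put with nla_put_u32().
	 */
	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
		goto nla_put_failure;

	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
		goto nla_put_failure;

	genlmsg_end(msg, hdr);

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

nla_put_failure:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);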
16098 
/**
 * cfg80211_probe_status - report the outcome of a client probe
 * @dev: network device
 * @addr: MAC address of the probed client
 * @cookie: cookie of the probe request
 * @acked: whether the probe was acknowledged
 * @ack_signal: signal of the ACK, in dBm
 * @is_valid_ack_signal: whether @ack_signal should be reported
 * @gfp: allocation flags
 *
 * Multicasts NL80211_CMD_PROBE_CLIENT to the MLME group.  The ACK flag is
 * only set when @acked, and the ACK signal only when @is_valid_ack_signal.
 * Failures drop the event silently.
 */
void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
			   u64 cookie, bool acked, s32 ack_signal,
			   bool is_valid_ack_signal, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev =
		wiphy_to_rdev(dev->ieee80211_ptr->wiphy);
	struct sk_buff *msg;
	void *hdr;

	trace_cfg80211_probe_status(dev, addr, cookie, acked);

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto drop;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
		goto drop;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
			      NL80211_ATTR_PAD))
		goto drop;
	if (acked && nla_put_flag(msg, NL80211_ATTR_ACK))
		goto drop;
	if (is_valid_ack_signal &&
	    nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL, ack_signal))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

drop:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_probe_status);
16141 
/**
 * cfg80211_report_obss_beacon - deliver a received beacon to registered listeners
 * @wiphy: the wiphy the beacon was received on
 * @frame: the beacon frame
 * @len: length of @frame
 * @freq: receive frequency, omitted when 0
 * @sig_dbm: receive signal, omitted when 0
 *
 * Sends one NL80211_CMD_FRAME unicast per entry in the wiphy's beacon
 * registration list, to that entry's port id.  The list is walked under
 * beacon_registrations_lock, which is why the allocation is GFP_ATOMIC.
 * On the first allocation or attribute failure the remaining listeners
 * are skipped.
 */
void cfg80211_report_obss_beacon(struct wiphy *wiphy,
				 const u8 *frame, size_t len,
				 int freq, int sig_dbm)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct cfg80211_beacon_registration *reg;
	struct sk_buff *msg;
	void *hdr;

	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);

	spin_lock_bh(&rdev->beacon_registrations_lock);
	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
		/* 100 bytes of headroom for the attributes besides the frame */
		msg = nlmsg_new(len + 100, GFP_ATOMIC);
		if (!msg)
			break;

		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
		if (!hdr)
			goto drop;

		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
			goto drop;
		if (freq && nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq))
			goto drop;
		if (sig_dbm &&
		    nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm))
			goto drop;
		if (nla_put(msg, NL80211_ATTR_FRAME, len, frame))
			goto drop;

		genlmsg_end(msg, hdr);
		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
	}
	spin_unlock_bh(&rdev->beacon_registrations_lock);
	return;

drop:
	spin_unlock_bh(&rdev->beacon_registrations_lock);
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_report_obss_beacon);
16185 
16186 #ifdef CONFIG_PM
/*
 * Emit one entry of the NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS nest: the
 * SSID plus, when channels are present, an NL80211_ATTR_SCAN_FREQUENCIES
 * nest.  On any failure the partially built entry is cancelled and
 * -EMSGSIZE returned so the caller stops adding matches.
 */
static int cfg80211_net_detect_put_match(struct sk_buff *msg, int idx,
					 const struct cfg80211_wowlan_nd_match *match)
{
	struct nlattr *nl_match, *nl_freqs;
	int c;

	nl_match = nla_nest_start_noflag(msg, idx);
	if (!nl_match)
		return -EMSGSIZE;

	/* The SSID attribute is optional in nl80211, but for
	 * simplicity reasons it's always present in the
	 * cfg80211 structure.  If a driver can't pass the
	 * SSID, that needs to be changed.  A zero length SSID
	 * is still a valid SSID (wildcard), so it cannot be
	 * used for this purpose.
	 */
	if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
		    match->ssid.ssid))
		goto cancel_match;

	if (match->n_channels) {
		nl_freqs = nla_nest_start_noflag(msg,
						 NL80211_ATTR_SCAN_FREQUENCIES);
		if (!nl_freqs)
			goto cancel_match;

		for (c = 0; c < match->n_channels; c++) {
			if (nla_put_u32(msg, c, match->channels[c])) {
				nla_nest_cancel(msg, nl_freqs);
				goto cancel_match;
			}
		}

		nla_nest_end(msg, nl_freqs);
	}

	nla_nest_end(msg, nl_match);
	return 0;

cancel_match:
	nla_nest_cancel(msg, nl_match);
	return -EMSGSIZE;
}

/*
 * Append the net-detect (scheduled scan) wakeup results to @msg.  Matches
 * are added until the first one that does not fit; the results nest is
 * always closed and 0 returned in that case, so a truncated list is
 * delivered rather than no event.  Only the absence of room for the outer
 * nest itself yields -EMSGSIZE.
 */
static int cfg80211_net_detect_results(struct sk_buff *msg,
				       struct cfg80211_wowlan_wakeup *wakeup)
{
	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
	struct nlattr *nl_results;
	int m;

	nl_results = nla_nest_start_noflag(msg,
					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
	if (!nl_results)
		return -EMSGSIZE;

	for (m = 0; m < nd->n_matches; m++) {
		if (cfg80211_net_detect_put_match(msg, m, nd->matches[m]))
			break;
	}

	nla_nest_end(msg, nl_results);
	return 0;
}
16245 
/**
 * cfg80211_report_wowlan_wakeup - report the reason the device woke up
 * @wdev: wireless device that woke the system
 * @wakeup: wakeup details, or NULL when no trigger details are available
 * @gfp: allocation flags
 *
 * Multicasts NL80211_CMD_SET_WOWLAN to the MLME group.  When @wakeup is
 * non-NULL an NL80211_ATTR_WOWLAN_TRIGGERS nest is added holding one flag
 * per set trigger, the matched pattern index when non-negative, the wake
 * packet (802.11 or 802.3 framing, with its original length when known)
 * and any net-detect results.  Failures drop the event silently.
 */
void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
				   struct cfg80211_wowlan_wakeup *wakeup,
				   gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	/* 200 bytes of headroom for the fixed attributes plus the wake packet */
	int size = 200 + (wakeup ? wakeup->packet_present_len : 0);
	struct sk_buff *msg;
	struct nlattr *triggers;
	void *hdr;

	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);

	msg = nlmsg_new(size, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
	if (!hdr)
		goto fail;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD) ||
	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
					 wdev->netdev->ifindex)))
		goto fail;

	/* no trigger nest at all when the caller has no details */
	if (!wakeup)
		goto send;

	triggers = nla_nest_start_noflag(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
	if (!triggers)
		goto fail;

	if ((wakeup->disconnect &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
	    (wakeup->magic_pkt &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
	    (wakeup->gtk_rekey_failure &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
	    (wakeup->eap_identity_req &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
	    (wakeup->four_way_handshake &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
	    (wakeup->rfkill_release &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
		goto fail;

	/* a negative pattern index means no pattern is reported */
	if (wakeup->pattern_idx >= 0 &&
	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
			wakeup->pattern_idx))
		goto fail;

	if ((wakeup->tcp_match &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH)) ||
	    (wakeup->tcp_connlost &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST)) ||
	    (wakeup->tcp_nomoretokens &&
	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS)))
		goto fail;

	if (wakeup->packet) {
		u32 pkt_attr, len_attr;

		/* attribute pair depends on the framing of the wake packet */
		if (wakeup->packet_80211) {
			pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
			len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
		} else {
			pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
			len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
		}

		if (wakeup->packet_len &&
		    nla_put_u32(msg, len_attr, wakeup->packet_len))
			goto fail;
		/* only packet_present_len bytes of the packet are carried */
		if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
			    wakeup->packet))
			goto fail;
	}

	if (wakeup->net_detect && cfg80211_net_detect_results(msg, wakeup))
		goto fail;

	nla_nest_end(msg, triggers);

send:
	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

fail:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
16359 #endif
16360 
/**
 * cfg80211_tdls_oper_request - ask userspace to perform a TDLS operation
 * @dev: network device
 * @peer: MAC address of the TDLS peer
 * @oper: the requested operation
 * @reason_code: reason code, only attached when greater than zero
 * @gfp: allocation flags
 *
 * Multicasts NL80211_CMD_TDLS_OPER to the MLME group.  Failures drop the
 * event silently.
 */
void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
				enum nl80211_tdls_operation oper,
				u16 reason_code, gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct sk_buff *msg;
	void *hdr;

	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
					 reason_code);

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		goto drop;
	if (nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper))
		goto drop;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer))
		goto drop;
	if (reason_code > 0 &&
	    nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

drop:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_tdls_oper_request);
16401 
/*
 * Netlink socket release hook.  When a generic netlink socket goes away,
 * every piece of state that port id owned is torn down so that a vanished
 * userspace process cannot leave the device in a state it alone controlled:
 *   - scheduled scans owned by the port are flagged dead and stopped,
 *   - the port's frame registrations are removed
 *     (cfg80211_mlme_unregister_socket),
 *   - interfaces owned by the port are destroyed, or, if the port only
 *     owned the connection, a disconnect is scheduled,
 *   - pending peer-measurement (pmsr) requests from the port are released,
 *   - the port's OBSS beacon registration is dropped,
 *   - the regulatory core is told, in case the port set the indoor flag.
 * Any notifier state other than NETLINK_URELEASE, and any protocol other
 * than NETLINK_GENERIC, is ignored.
 */
static int nl80211_netlink_notify(struct notifier_block * nb,
				  unsigned long state,
				  void *_notify)
{
	struct netlink_notify *notify = _notify;
	struct cfg80211_registered_device *rdev;
	struct wireless_dev *wdev;
	struct cfg80211_beacon_registration *reg, *tmp;

	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
		return NOTIFY_DONE;

	/* the rdev and wdev lists are walked under RCU, not the rtnl */
	rcu_read_lock();

	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
		struct cfg80211_sched_scan_request *sched_scan_req;

		list_for_each_entry_rcu(sched_scan_req,
					&rdev->sched_scan_req_list,
					list) {
			if (sched_scan_req->owner_nlportid == notify->portid) {
				/* actual teardown happens in the work item */
				sched_scan_req->nl_owner_dead = true;
				schedule_work(&rdev->sched_scan_stop_wk);
			}
		}

		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
			cfg80211_mlme_unregister_socket(wdev, notify->portid);

			if (wdev->owner_nlportid == notify->portid) {
				/* interface owner died: destroy the interface */
				wdev->nl_owner_dead = true;
				schedule_work(&rdev->destroy_work);
			} else if (wdev->conn_owner_nlportid == notify->portid) {
				/* connection owner died: tear the connection down */
				schedule_work(&wdev->disconnect_wk);
			}

			cfg80211_release_pmsr(wdev, notify->portid);
		}

		/* beacon registrations are protected by their own spinlock */
		spin_lock_bh(&rdev->beacon_registrations_lock);
		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
					 list) {
			if (reg->nlportid == notify->portid) {
				/* only the first matching registration is removed */
				list_del(&reg->list);
				kfree(reg);
				break;
			}
		}
		spin_unlock_bh(&rdev->beacon_registrations_lock);
	}

	rcu_read_unlock();

	/*
	 * It is possible that the user space process that is controlling the
	 * indoor setting disappeared, so notify the regulatory core.
	 */
	regulatory_netlink_notify(notify->portid);
	return NOTIFY_OK;
}

/* registered with the netlink core so socket releases reach the hook above */
static struct notifier_block nl80211_netlink_notifier = {
	.notifier_call = nl80211_netlink_notify,
};
16466 
/**
 * cfg80211_ft_event - report a fast-transition (FT) event to userspace
 * @netdev: network device
 * @ft_event: target AP plus optional IEs and RIC IEs
 *
 * Multicasts NL80211_CMD_FT_EVENT to the MLME group using GFP_KERNEL.
 * Nothing is sent when @ft_event has no target AP.  The IE and RIC IE
 * attributes are only attached when the respective pointer is set.
 * Failures drop the event silently.
 */
void cfg80211_ft_event(struct net_device *netdev,
		       struct cfg80211_ft_event_params *ft_event)
{
	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct sk_buff *msg;
	void *hdr;

	trace_cfg80211_ft_event(wiphy, netdev, ft_event);

	if (!ft_event->target_ap)
		return;

	/* 100 bytes of headroom for the fixed attributes besides the IEs */
	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
			GFP_KERNEL);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto drop;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
		goto drop;

	if (ft_event->ies &&
	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
		goto drop;
	if (ft_event->ric_ies &&
	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
		    ft_event->ric_ies))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
				NL80211_MCGRP_MLME, GFP_KERNEL);
	return;

drop:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_ft_event);
16511 
/**
 * cfg80211_crit_proto_stopped - tell the requester that the critical protocol session ended
 * @wdev: wireless device
 * @gfp: allocation flags
 *
 * Unicasts NL80211_CMD_CRIT_PROTOCOL_STOP to the port id that started the
 * session (rdev->crit_proto_nlportid).  The stored port id is cleared
 * before the message is built, so it is consumed exactly once; nothing is
 * sent when no session is registered.  Failures drop the event silently.
 */
void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
{
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	u32 portid = rdev->crit_proto_nlportid;
	struct sk_buff *msg;
	void *hdr;

	if (!portid)
		return;

	rdev->crit_proto_nlportid = 0;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, portid);
	return;

drop:
	nlmsg_free(msg);
}
EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
16548 
/*
 * Multicast NL80211_CMD_STOP_AP for @wdev to the MLME group (GFP_KERNEL).
 * The wdev is expected to have a netdev; its ifindex is reported together
 * with the wiphy index and the wdev id.  Failures drop the event silently.
 */
void nl80211_send_ap_stopped(struct wireless_dev *wdev)
{
	struct wiphy *wiphy = wdev->wiphy;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	void *hdr;

	if (!msg)
		return;

	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
	if (!hdr)
		goto drop;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto drop;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
		goto drop;
	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
			      NL80211_ATTR_PAD))
		goto drop;

	genlmsg_end(msg, hdr);
	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
				NL80211_MCGRP_MLME, GFP_KERNEL);
	return;

drop:
	nlmsg_free(msg);
}
16578 
/*
 * Append the attributes of an NL80211_CMD_EXTERNAL_AUTH message.
 * Returns true on success, false if any attribute did not fit.
 */
static bool nl80211_fill_external_auth(struct sk_buff *msg,
				       struct cfg80211_registered_device *rdev,
				       struct net_device *dev,
				       struct cfg80211_external_auth_params *params)
{
	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		return false;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
		return false;
	if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite))
		return false;
	if (nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION, params->action))
		return false;
	if (nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid))
		return false;
	if (nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
		    params->ssid.ssid))
		return false;
	return true;
}

/**
 * cfg80211_external_auth_request - ask userspace to run authentication on
 *	the driver's behalf
 * @dev: the network device being connected
 * @params: AKM suite, action, BSSID and SSID handed to userspace
 * @gfp: allocation flags for the netlink message
 *
 * The request is unicast only to the socket that owns the connection
 * (wdev->conn_owner_nlportid); it is never multicast, so other nl80211
 * listeners do not see it.
 *
 * Return: 0 on success, -EINVAL when no connection owner is registered,
 * -ENOMEM when the message cannot be allocated, or -ENOBUFS when the
 * header or attributes do not fit in the message.
 */
int cfg80211_external_auth_request(struct net_device *dev,
				   struct cfg80211_external_auth_params *params,
				   gfp_t gfp)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
	struct sk_buff *msg;
	void *genlhdr;

	/* without an owning socket there is nobody to deliver the request to */
	if (!wdev->conn_owner_nlportid)
		return -EINVAL;

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return -ENOMEM;

	genlhdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
	if (!genlhdr)
		goto out_free;

	if (!nl80211_fill_external_auth(msg, rdev, dev, params))
		goto out_free;

	genlmsg_end(msg, genlhdr);
	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
			wdev->conn_owner_nlportid);
	return 0;

 out_free:
	nlmsg_free(msg);
	return -ENOBUFS;
}
16618 EXPORT_SYMBOL(cfg80211_external_auth_request);
16619 
/**
 * cfg80211_update_owe_info_event - forward OWE association info to userspace
 * @netdev: the AP interface the peer associated with
 * @owe_info: peer address and the IEs to forward; an event with no IEs
 *	(ie_len == 0) is dropped rather than sent
 * @gfp: allocation flags for the netlink message
 *
 * Emits the tracepoint, then multicasts NL80211_CMD_UPDATE_OWE_INFO to the
 * MLME group carrying the wiphy index, interface index, peer MAC address
 * and the IEs. Allocation or attribute failures drop the event silently.
 */
void cfg80211_update_owe_info_event(struct net_device *netdev,
				    struct cfg80211_update_owe_info *owe_info,
				    gfp_t gfp)
{
	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
	struct sk_buff *msg;
	void *genlhdr;

	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);

	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
	if (!msg)
		return;

	genlhdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
	if (!genlhdr)
		goto fail;

	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
		goto fail;
	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
		goto fail;
	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
		goto fail;

	/* an update without IEs is discarded instead of being sent empty */
	if (!owe_info->ie_len)
		goto fail;
	if (nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
		goto fail;

	genlmsg_end(msg, genlhdr);

	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
				NL80211_MCGRP_MLME, gfp);
	return;

fail:
	/* genlhdr may still be NULL here; genlmsg_cancel is given it as-is */
	genlmsg_cancel(msg, genlhdr);
	nlmsg_free(msg);
}
16658 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
16659 
16660 /* initialisation/exit functions */
16661 
/**
 * nl80211_init - register the nl80211 generic netlink family and its
 *	netlink notifier
 *
 * Registration happens in two steps; if the notifier cannot be registered
 * the family is unregistered again so that no half-initialised state is
 * left behind.
 *
 * Return: 0 on success, or the error from the failing registration.
 */
int __init nl80211_init(void)
{
	int err = genl_register_family(&nl80211_fam);

	if (err)
		return err;

	err = netlink_register_notifier(&nl80211_netlink_notifier);
	if (err)
		/* roll back the first step so exit does not unregister twice */
		genl_unregister_family(&nl80211_fam);

	return err;
}
16679 
/**
 * nl80211_exit - tear down what nl80211_init() registered
 *
 * Unregisters the netlink notifier first, then the generic netlink family,
 * i.e. the reverse of the order used in nl80211_init().
 */
void nl80211_exit(void)
{
	netlink_unregister_notifier(&nl80211_netlink_notifier);
	genl_unregister_family(&nl80211_fam);
}
16685