xref: /openbmc/linux/net/wireless/nl80211.c (revision c9933d49) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
460 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
461 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
463 				      .len = 20-1 },
464 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
465 
466 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
467 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
469 						NL80211_EDMG_CHANNELS_MIN,
470 						NL80211_EDMG_CHANNELS_MAX),
471 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
472 						NL80211_EDMG_BW_CONFIG_MIN,
473 						NL80211_EDMG_BW_CONFIG_MAX),
474 
475 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
476 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
477 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
478 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
479 
480 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
481 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
482 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
485 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
488 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
489 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
490 
491 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
492 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
493 
494 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
495 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
496 				    .len = WLAN_MAX_KEY_LEN },
497 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
498 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
499 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
501 	[NL80211_ATTR_KEY_TYPE] =
502 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
503 
504 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
505 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
506 	[NL80211_ATTR_BEACON_HEAD] =
507 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
508 				       IEEE80211_MAX_DATA_LEN),
509 	[NL80211_ATTR_BEACON_TAIL] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_STA_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
516 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
517 					       .len = NL80211_MAX_SUPP_RATES },
518 	[NL80211_ATTR_STA_PLINK_ACTION] =
519 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
520 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
521 		NLA_POLICY_RANGE(NLA_U8,
522 				 NL80211_TX_POWER_AUTOMATIC,
523 				 NL80211_TX_POWER_FIXED),
524 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
525 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
526 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
527 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
528 				   .len = IEEE80211_MAX_MESH_ID_LEN },
529 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
530 
531 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
532 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
533 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
534 
535 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
536 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
537 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
538 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
539 					   .len = NL80211_MAX_SUPP_RATES },
540 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
541 
542 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
543 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
544 
545 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
546 
547 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
549 						   validate_ie_attr,
550 						   IEEE80211_MAX_DATA_LEN),
551 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
552 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
553 
554 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
555 				.len = IEEE80211_MAX_SSID_LEN },
556 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
557 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
561 						  NL80211_MFP_NO,
562 						  NL80211_MFP_OPTIONAL),
563 	[NL80211_ATTR_STA_FLAGS2] = {
564 		.len = sizeof(struct nl80211_sta_flag_update),
565 	},
566 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
568 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
572 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
573 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
574 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
576 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
577 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
578 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
579 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
580 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
581 				 .len = IEEE80211_MAX_DATA_LEN },
582 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
583 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
584 						   NL80211_PS_DISABLED,
585 						   NL80211_PS_ENABLED),
586 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
587 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
589 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
590 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
591 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
592 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
593 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
594 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
595 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_STA_PLINK_STATE] =
599 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
600 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
601 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_MESH_PEER_AID] =
603 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
604 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
605 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
606 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_HIDDEN_SSID] =
608 		NLA_POLICY_RANGE(NLA_U32,
609 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
610 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
611 	[NL80211_ATTR_IE_PROBE_RESP] =
612 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
613 				       IEEE80211_MAX_DATA_LEN),
614 	[NL80211_ATTR_IE_ASSOC_RESP] =
615 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
616 				       IEEE80211_MAX_DATA_LEN),
617 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
618 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
619 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
621 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
622 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
623 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
624 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
625 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
627 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
628 				      .len = IEEE80211_MAX_DATA_LEN },
629 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
630 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
632 		.len = NL80211_HT_CAPABILITY_LEN
633 	},
634 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
635 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
636 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
637 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
638 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
639 
640 	/* need to include at least Auth Transaction and Status Code */
641 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
642 
643 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
644 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
645 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
646 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
647 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
648 		NLA_POLICY_RANGE(NLA_U32,
649 				 NL80211_MESH_POWER_UNKNOWN + 1,
650 				 NL80211_MESH_POWER_MAX),
651 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
652 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
654 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
655 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
656 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
657 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
658 		.len = NL80211_VHT_CAPABILITY_LEN,
659 	},
660 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
661 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
662 				  .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
664 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
665 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
666 	[NL80211_ATTR_PEER_AID] =
667 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
668 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
669 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
670 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
671 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
672 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
673 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
674 	/*
675 	 * The value of the Length field of the Supported Operating
676 	 * Classes element is between 2 and 253.
677 	 */
678 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
679 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
680 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
682 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
683 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
684 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
685 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
686 						  IEEE80211_QOS_MAP_LEN_MIN,
687 						  IEEE80211_QOS_MAP_LEN_MAX),
688 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
689 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
690 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
691 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
693 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
694 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
695 	[NL80211_ATTR_USER_PRIO] =
696 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
697 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
698 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
699 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
700 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
701 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
702 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
704 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
706 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
707 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
708 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
709 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
710 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
711 	},
712 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
713 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
714 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
715 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
716 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
717 				    .len = FILS_MAX_KEK_LEN },
718 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
719 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
720 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
721 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
722 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
723 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
724 	},
725 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
726 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
727 					     .len = FILS_ERP_MAX_USERNAME_LEN },
728 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
729 					  .len = FILS_ERP_MAX_REALM_LEN },
730 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
731 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
732 					.len = FILS_ERP_MAX_RRK_LEN },
733 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
734 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
735 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
736 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
738 
739 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
740 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
741 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
742 	[NL80211_ATTR_HE_CAPABILITY] =
743 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
744 				       NL80211_HE_MAX_CAPABILITY_LEN),
745 	[NL80211_ATTR_FTM_RESPONDER] =
746 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
747 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
748 	[NL80211_ATTR_PEER_MEASUREMENTS] =
749 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
750 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
751 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
752 					.len = SAE_PASSWORD_MAX_LEN },
753 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
755 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
756 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
757 	[NL80211_ATTR_TID_CONFIG] =
758 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
759 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
760 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
761 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
762 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
763 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
764 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
765 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
766 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
767 	[NL80211_ATTR_FILS_DISCOVERY] =
768 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
769 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
770 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
771 	[NL80211_ATTR_S1G_CAPABILITY] =
772 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
773 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
774 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
775 	[NL80211_ATTR_SAE_PWE] =
776 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
777 				 NL80211_SAE_PWE_BOTH),
778 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
779 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
780 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
781 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
782 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
783 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
784 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
785 	[NL80211_ATTR_MBSSID_CONFIG] =
786 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
787 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
789 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
790 	[NL80211_ATTR_EHT_CAPABILITY] =
791 		NLA_POLICY_RANGE(NLA_BINARY,
792 				 NL80211_EHT_MIN_CAPABILITY_LEN,
793 				 NL80211_EHT_MAX_CAPABILITY_LEN),
794 };
795 
796 /* policy for the key attributes */
797 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
798 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
799 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
800 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
801 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
802 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
803 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
804 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
805 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
806 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
807 };
808 
809 /* policy for the key default flags */
810 static const struct nla_policy
811 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
812 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
813 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
814 };
815 
816 #ifdef CONFIG_PM
817 /* policy for WoWLAN attributes */
818 static const struct nla_policy
819 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
820 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
821 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
822 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
823 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
824 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
825 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
826 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
827 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
828 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
829 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
830 };
831 
832 static const struct nla_policy
833 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
834 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
835 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
836 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
837 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
838 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
839 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
840 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
841 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
842 	},
843 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
844 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
845 	},
846 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
847 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
848 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
849 };
850 #endif /* CONFIG_PM */
851 
852 /* policy for coalesce rule attributes */
853 static const struct nla_policy
854 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
855 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
856 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
857 		NLA_POLICY_RANGE(NLA_U32,
858 				 NL80211_COALESCE_CONDITION_MATCH,
859 				 NL80211_COALESCE_CONDITION_NO_MATCH),
860 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
861 };
862 
863 /* policy for GTK rekey offload attributes */
864 static const struct nla_policy
865 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
866 	[NL80211_REKEY_DATA_KEK] = {
867 		.type = NLA_BINARY,
868 		.len = NL80211_KEK_EXT_LEN
869 	},
870 	[NL80211_REKEY_DATA_KCK] = {
871 		.type = NLA_BINARY,
872 		.len = NL80211_KCK_EXT_LEN
873 	},
874 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
875 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
876 };
877 
878 static const struct nla_policy
879 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
880 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
881 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
882 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
883 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
884 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
885 };
886 
887 static const struct nla_policy
888 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
889 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
890 						 .len = IEEE80211_MAX_SSID_LEN },
891 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
892 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
893 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
894 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
895 };
896 
897 static const struct nla_policy
898 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
899 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
900 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
901 };
902 
903 static const struct nla_policy
904 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
905 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
906 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
907 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
908 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
909 	},
910 };
911 
912 /* policy for NAN function attributes */
913 static const struct nla_policy
914 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
915 	[NL80211_NAN_FUNC_TYPE] =
916 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
917 	[NL80211_NAN_FUNC_SERVICE_ID] = {
918 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
919 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
920 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
921 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
922 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
923 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
924 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
925 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
926 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
927 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
928 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
929 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
930 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
931 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
932 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
933 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
934 };
935 
936 /* policy for Service Response Filter attributes */
937 static const struct nla_policy
938 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
939 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
940 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
941 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
942 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
943 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
944 };
945 
946 /* policy for packet pattern attributes */
947 static const struct nla_policy
948 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
949 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
950 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
951 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
952 };
953 
954 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
955 				     struct cfg80211_registered_device **rdev,
956 				     struct wireless_dev **wdev,
957 				     struct nlattr **attrbuf)
958 {
959 	int err;
960 
961 	if (!cb->args[0]) {
962 		struct nlattr **attrbuf_free = NULL;
963 
964 		if (!attrbuf) {
965 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
966 					  GFP_KERNEL);
967 			if (!attrbuf)
968 				return -ENOMEM;
969 			attrbuf_free = attrbuf;
970 		}
971 
972 		err = nlmsg_parse_deprecated(cb->nlh,
973 					     GENL_HDRLEN + nl80211_fam.hdrsize,
974 					     attrbuf, nl80211_fam.maxattr,
975 					     nl80211_policy, NULL);
976 		if (err) {
977 			kfree(attrbuf_free);
978 			return err;
979 		}
980 
981 		rtnl_lock();
982 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
983 						   attrbuf);
984 		kfree(attrbuf_free);
985 		if (IS_ERR(*wdev)) {
986 			rtnl_unlock();
987 			return PTR_ERR(*wdev);
988 		}
989 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
990 		mutex_lock(&(*rdev)->wiphy.mtx);
991 		rtnl_unlock();
992 		/* 0 is the first index - add 1 to parse only once */
993 		cb->args[0] = (*rdev)->wiphy_idx + 1;
994 		cb->args[1] = (*wdev)->identifier;
995 	} else {
996 		/* subtract the 1 again here */
997 		struct wiphy *wiphy;
998 		struct wireless_dev *tmp;
999 
1000 		rtnl_lock();
1001 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1002 		if (!wiphy) {
1003 			rtnl_unlock();
1004 			return -ENODEV;
1005 		}
1006 		*rdev = wiphy_to_rdev(wiphy);
1007 		*wdev = NULL;
1008 
1009 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1010 			if (tmp->identifier == cb->args[1]) {
1011 				*wdev = tmp;
1012 				break;
1013 			}
1014 		}
1015 
1016 		if (!*wdev) {
1017 			rtnl_unlock();
1018 			return -ENODEV;
1019 		}
1020 		mutex_lock(&(*rdev)->wiphy.mtx);
1021 		rtnl_unlock();
1022 	}
1023 
1024 	return 0;
1025 }
1026 
1027 /* message building helper */
1028 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1029 		     int flags, u8 cmd)
1030 {
1031 	/* since there is no private header just add the generic one */
1032 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1033 }
1034 
1035 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1036 				     const struct ieee80211_reg_rule *rule)
1037 {
1038 	int j;
1039 	struct nlattr *nl_wmm_rules =
1040 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1041 
1042 	if (!nl_wmm_rules)
1043 		goto nla_put_failure;
1044 
1045 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1046 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1047 
1048 		if (!nl_wmm_rule)
1049 			goto nla_put_failure;
1050 
1051 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1052 				rule->wmm_rule.client[j].cw_min) ||
1053 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1054 				rule->wmm_rule.client[j].cw_max) ||
1055 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1056 			       rule->wmm_rule.client[j].aifsn) ||
1057 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1058 			        rule->wmm_rule.client[j].cot))
1059 			goto nla_put_failure;
1060 
1061 		nla_nest_end(msg, nl_wmm_rule);
1062 	}
1063 	nla_nest_end(msg, nl_wmm_rules);
1064 
1065 	return 0;
1066 
1067 nla_put_failure:
1068 	return -ENOBUFS;
1069 }
1070 
1071 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1072 				   struct ieee80211_channel *chan,
1073 				   bool large)
1074 {
1075 	/* Some channels must be completely excluded from the
1076 	 * list to protect old user-space tools from breaking
1077 	 */
1078 	if (!large && chan->flags &
1079 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1080 		return 0;
1081 	if (!large && chan->freq_offset)
1082 		return 0;
1083 
1084 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1085 			chan->center_freq))
1086 		goto nla_put_failure;
1087 
1088 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1089 		goto nla_put_failure;
1090 
1091 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1092 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1093 		goto nla_put_failure;
1094 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1095 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1096 			goto nla_put_failure;
1097 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1098 			goto nla_put_failure;
1099 	}
1100 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1101 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1102 			goto nla_put_failure;
1103 		if (large) {
1104 			u32 time;
1105 
1106 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1107 
1108 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1109 					chan->dfs_state))
1110 				goto nla_put_failure;
1111 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1112 					time))
1113 				goto nla_put_failure;
1114 			if (nla_put_u32(msg,
1115 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1116 					chan->dfs_cac_ms))
1117 				goto nla_put_failure;
1118 		}
1119 	}
1120 
1121 	if (large) {
1122 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1123 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1124 			goto nla_put_failure;
1125 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1126 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1127 			goto nla_put_failure;
1128 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1129 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1130 			goto nla_put_failure;
1131 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1132 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1133 			goto nla_put_failure;
1134 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1135 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1136 			goto nla_put_failure;
1137 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1138 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1139 			goto nla_put_failure;
1140 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1141 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1142 			goto nla_put_failure;
1143 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1144 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1145 			goto nla_put_failure;
1146 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1147 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1148 			goto nla_put_failure;
1149 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1150 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1151 			goto nla_put_failure;
1152 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1153 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1154 			goto nla_put_failure;
1155 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1156 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1157 			goto nla_put_failure;
1158 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1159 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1160 			goto nla_put_failure;
1161 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1162 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1163 			goto nla_put_failure;
1164 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1165 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1166 			goto nla_put_failure;
1167 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1168 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1169 			goto nla_put_failure;
1170 	}
1171 
1172 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1173 			DBM_TO_MBM(chan->max_power)))
1174 		goto nla_put_failure;
1175 
1176 	if (large) {
1177 		const struct ieee80211_reg_rule *rule =
1178 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1179 
1180 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1181 			if (nl80211_msg_put_wmm_rules(msg, rule))
1182 				goto nla_put_failure;
1183 		}
1184 	}
1185 
1186 	return 0;
1187 
1188  nla_put_failure:
1189 	return -ENOBUFS;
1190 }
1191 
1192 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1193 				  struct cfg80211_txq_stats *txqstats,
1194 				  int attrtype)
1195 {
1196 	struct nlattr *txqattr;
1197 
1198 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1199 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1200 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1201 		return false;						  \
1202 	} while (0)
1203 
1204 	txqattr = nla_nest_start_noflag(msg, attrtype);
1205 	if (!txqattr)
1206 		return false;
1207 
1208 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1209 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1210 	PUT_TXQVAL_U32(FLOWS, flows);
1211 	PUT_TXQVAL_U32(DROPS, drops);
1212 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1213 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1214 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1215 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1216 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1217 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1218 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1219 	nla_nest_end(msg, txqattr);
1220 
1221 #undef PUT_TXQVAL_U32
1222 	return true;
1223 }
1224 
1225 /* netlink command implementations */
1226 
1227 struct key_parse {
1228 	struct key_params p;
1229 	int idx;
1230 	int type;
1231 	bool def, defmgmt, defbeacon;
1232 	bool def_uni, def_multi;
1233 };
1234 
1235 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1236 				 struct key_parse *k)
1237 {
1238 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1239 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1240 					      nl80211_key_policy,
1241 					      info->extack);
1242 	if (err)
1243 		return err;
1244 
1245 	k->def = !!tb[NL80211_KEY_DEFAULT];
1246 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1247 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1248 
1249 	if (k->def) {
1250 		k->def_uni = true;
1251 		k->def_multi = true;
1252 	}
1253 	if (k->defmgmt || k->defbeacon)
1254 		k->def_multi = true;
1255 
1256 	if (tb[NL80211_KEY_IDX])
1257 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1258 
1259 	if (tb[NL80211_KEY_DATA]) {
1260 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1261 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1262 	}
1263 
1264 	if (tb[NL80211_KEY_SEQ]) {
1265 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1266 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1267 	}
1268 
1269 	if (tb[NL80211_KEY_CIPHER])
1270 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1271 
1272 	if (tb[NL80211_KEY_TYPE])
1273 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1274 
1275 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1276 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1277 
1278 		err = nla_parse_nested_deprecated(kdt,
1279 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1280 						  tb[NL80211_KEY_DEFAULT_TYPES],
1281 						  nl80211_key_default_policy,
1282 						  info->extack);
1283 		if (err)
1284 			return err;
1285 
1286 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1287 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1288 	}
1289 
1290 	if (tb[NL80211_KEY_MODE])
1291 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1292 
1293 	return 0;
1294 }
1295 
1296 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1297 {
1298 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1299 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1300 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1301 	}
1302 
1303 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1304 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1305 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1306 	}
1307 
1308 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1309 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1310 
1311 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1312 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1313 
1314 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1315 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1316 
1317 	if (k->def) {
1318 		k->def_uni = true;
1319 		k->def_multi = true;
1320 	}
1321 	if (k->defmgmt)
1322 		k->def_multi = true;
1323 
1324 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1325 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1326 
1327 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1328 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1329 		int err = nla_parse_nested_deprecated(kdt,
1330 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1331 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1332 						      nl80211_key_default_policy,
1333 						      info->extack);
1334 		if (err)
1335 			return err;
1336 
1337 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1338 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1339 	}
1340 
1341 	return 0;
1342 }
1343 
1344 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1345 {
1346 	int err;
1347 
1348 	memset(k, 0, sizeof(*k));
1349 	k->idx = -1;
1350 	k->type = -1;
1351 
1352 	if (info->attrs[NL80211_ATTR_KEY])
1353 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1354 	else
1355 		err = nl80211_parse_key_old(info, k);
1356 
1357 	if (err)
1358 		return err;
1359 
1360 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1361 	    (k->defbeacon ? 1 : 0) > 1) {
1362 		GENL_SET_ERR_MSG(info,
1363 				 "key with multiple default flags is invalid");
1364 		return -EINVAL;
1365 	}
1366 
1367 	if (k->defmgmt || k->defbeacon) {
1368 		if (k->def_uni || !k->def_multi) {
1369 			GENL_SET_ERR_MSG(info,
1370 					 "defmgmt/defbeacon key must be mcast");
1371 			return -EINVAL;
1372 		}
1373 	}
1374 
1375 	if (k->idx != -1) {
1376 		if (k->defmgmt) {
1377 			if (k->idx < 4 || k->idx > 5) {
1378 				GENL_SET_ERR_MSG(info,
1379 						 "defmgmt key idx not 4 or 5");
1380 				return -EINVAL;
1381 			}
1382 		} else if (k->defbeacon) {
1383 			if (k->idx < 6 || k->idx > 7) {
1384 				GENL_SET_ERR_MSG(info,
1385 						 "defbeacon key idx not 6 or 7");
1386 				return -EINVAL;
1387 			}
1388 		} else if (k->def) {
1389 			if (k->idx < 0 || k->idx > 3) {
1390 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1391 				return -EINVAL;
1392 			}
1393 		} else {
1394 			if (k->idx < 0 || k->idx > 7) {
1395 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1396 				return -EINVAL;
1397 			}
1398 		}
1399 	}
1400 
1401 	return 0;
1402 }
1403 
1404 static struct cfg80211_cached_keys *
1405 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1406 		       struct genl_info *info, bool *no_ht)
1407 {
1408 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1409 	struct key_parse parse;
1410 	struct nlattr *key;
1411 	struct cfg80211_cached_keys *result;
1412 	int rem, err, def = 0;
1413 	bool have_key = false;
1414 
1415 	nla_for_each_nested(key, keys, rem) {
1416 		have_key = true;
1417 		break;
1418 	}
1419 
1420 	if (!have_key)
1421 		return NULL;
1422 
1423 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1424 	if (!result)
1425 		return ERR_PTR(-ENOMEM);
1426 
1427 	result->def = -1;
1428 
1429 	nla_for_each_nested(key, keys, rem) {
1430 		memset(&parse, 0, sizeof(parse));
1431 		parse.idx = -1;
1432 
1433 		err = nl80211_parse_key_new(info, key, &parse);
1434 		if (err)
1435 			goto error;
1436 		err = -EINVAL;
1437 		if (!parse.p.key)
1438 			goto error;
1439 		if (parse.idx < 0 || parse.idx > 3) {
1440 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1441 			goto error;
1442 		}
1443 		if (parse.def) {
1444 			if (def) {
1445 				GENL_SET_ERR_MSG(info,
1446 						 "only one key can be default");
1447 				goto error;
1448 			}
1449 			def = 1;
1450 			result->def = parse.idx;
1451 			if (!parse.def_uni || !parse.def_multi)
1452 				goto error;
1453 		} else if (parse.defmgmt)
1454 			goto error;
1455 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1456 						     parse.idx, false, NULL);
1457 		if (err)
1458 			goto error;
1459 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1460 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1461 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1462 			err = -EINVAL;
1463 			goto error;
1464 		}
1465 		result->params[parse.idx].cipher = parse.p.cipher;
1466 		result->params[parse.idx].key_len = parse.p.key_len;
1467 		result->params[parse.idx].key = result->data[parse.idx];
1468 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1469 
1470 		/* must be WEP key if we got here */
1471 		if (no_ht)
1472 			*no_ht = true;
1473 	}
1474 
1475 	if (result->def < 0) {
1476 		err = -EINVAL;
1477 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1478 		goto error;
1479 	}
1480 
1481 	return result;
1482  error:
1483 	kfree(result);
1484 	return ERR_PTR(err);
1485 }
1486 
1487 static int nl80211_key_allowed(struct wireless_dev *wdev)
1488 {
1489 	ASSERT_WDEV_LOCK(wdev);
1490 
1491 	switch (wdev->iftype) {
1492 	case NL80211_IFTYPE_AP:
1493 	case NL80211_IFTYPE_AP_VLAN:
1494 	case NL80211_IFTYPE_P2P_GO:
1495 	case NL80211_IFTYPE_MESH_POINT:
1496 		break;
1497 	case NL80211_IFTYPE_ADHOC:
1498 	case NL80211_IFTYPE_STATION:
1499 	case NL80211_IFTYPE_P2P_CLIENT:
1500 		if (!wdev->current_bss)
1501 			return -ENOLINK;
1502 		break;
1503 	case NL80211_IFTYPE_UNSPECIFIED:
1504 	case NL80211_IFTYPE_OCB:
1505 	case NL80211_IFTYPE_MONITOR:
1506 	case NL80211_IFTYPE_NAN:
1507 	case NL80211_IFTYPE_P2P_DEVICE:
1508 	case NL80211_IFTYPE_WDS:
1509 	case NUM_NL80211_IFTYPES:
1510 		return -EINVAL;
1511 	}
1512 
1513 	return 0;
1514 }
1515 
1516 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1517 							u32 freq)
1518 {
1519 	struct ieee80211_channel *chan;
1520 
1521 	chan = ieee80211_get_channel_khz(wiphy, freq);
1522 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1523 		return NULL;
1524 	return chan;
1525 }
1526 
1527 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1528 {
1529 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1530 	int i;
1531 
1532 	if (!nl_modes)
1533 		goto nla_put_failure;
1534 
1535 	i = 0;
1536 	while (ifmodes) {
1537 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1538 			goto nla_put_failure;
1539 		ifmodes >>= 1;
1540 		i++;
1541 	}
1542 
1543 	nla_nest_end(msg, nl_modes);
1544 	return 0;
1545 
1546 nla_put_failure:
1547 	return -ENOBUFS;
1548 }
1549 
1550 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1551 					  struct sk_buff *msg,
1552 					  bool large)
1553 {
1554 	struct nlattr *nl_combis;
1555 	int i, j;
1556 
1557 	nl_combis = nla_nest_start_noflag(msg,
1558 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1559 	if (!nl_combis)
1560 		goto nla_put_failure;
1561 
1562 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1563 		const struct ieee80211_iface_combination *c;
1564 		struct nlattr *nl_combi, *nl_limits;
1565 
1566 		c = &wiphy->iface_combinations[i];
1567 
1568 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1569 		if (!nl_combi)
1570 			goto nla_put_failure;
1571 
1572 		nl_limits = nla_nest_start_noflag(msg,
1573 						  NL80211_IFACE_COMB_LIMITS);
1574 		if (!nl_limits)
1575 			goto nla_put_failure;
1576 
1577 		for (j = 0; j < c->n_limits; j++) {
1578 			struct nlattr *nl_limit;
1579 
1580 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1581 			if (!nl_limit)
1582 				goto nla_put_failure;
1583 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1584 					c->limits[j].max))
1585 				goto nla_put_failure;
1586 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1587 						c->limits[j].types))
1588 				goto nla_put_failure;
1589 			nla_nest_end(msg, nl_limit);
1590 		}
1591 
1592 		nla_nest_end(msg, nl_limits);
1593 
1594 		if (c->beacon_int_infra_match &&
1595 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1596 			goto nla_put_failure;
1597 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1598 				c->num_different_channels) ||
1599 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1600 				c->max_interfaces))
1601 			goto nla_put_failure;
1602 		if (large &&
1603 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1604 				c->radar_detect_widths) ||
1605 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1606 				c->radar_detect_regions)))
1607 			goto nla_put_failure;
1608 		if (c->beacon_int_min_gcd &&
1609 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1610 				c->beacon_int_min_gcd))
1611 			goto nla_put_failure;
1612 
1613 		nla_nest_end(msg, nl_combi);
1614 	}
1615 
1616 	nla_nest_end(msg, nl_combis);
1617 
1618 	return 0;
1619 nla_put_failure:
1620 	return -ENOBUFS;
1621 }
1622 
1623 #ifdef CONFIG_PM
1624 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1625 					struct sk_buff *msg)
1626 {
1627 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1628 	struct nlattr *nl_tcp;
1629 
1630 	if (!tcp)
1631 		return 0;
1632 
1633 	nl_tcp = nla_nest_start_noflag(msg,
1634 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1635 	if (!nl_tcp)
1636 		return -ENOBUFS;
1637 
1638 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1639 			tcp->data_payload_max))
1640 		return -ENOBUFS;
1641 
1642 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1643 			tcp->data_payload_max))
1644 		return -ENOBUFS;
1645 
1646 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1647 		return -ENOBUFS;
1648 
1649 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1650 				sizeof(*tcp->tok), tcp->tok))
1651 		return -ENOBUFS;
1652 
1653 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1654 			tcp->data_interval_max))
1655 		return -ENOBUFS;
1656 
1657 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1658 			tcp->wake_payload_max))
1659 		return -ENOBUFS;
1660 
1661 	nla_nest_end(msg, nl_tcp);
1662 	return 0;
1663 }
1664 
1665 static int nl80211_send_wowlan(struct sk_buff *msg,
1666 			       struct cfg80211_registered_device *rdev,
1667 			       bool large)
1668 {
1669 	struct nlattr *nl_wowlan;
1670 
1671 	if (!rdev->wiphy.wowlan)
1672 		return 0;
1673 
1674 	nl_wowlan = nla_nest_start_noflag(msg,
1675 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1676 	if (!nl_wowlan)
1677 		return -ENOBUFS;
1678 
1679 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1680 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1681 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1682 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1683 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1684 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1685 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1686 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1687 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1688 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1689 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1690 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1691 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1692 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1693 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1694 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1695 		return -ENOBUFS;
1696 
1697 	if (rdev->wiphy.wowlan->n_patterns) {
1698 		struct nl80211_pattern_support pat = {
1699 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1700 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1701 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1702 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1703 		};
1704 
1705 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1706 			    sizeof(pat), &pat))
1707 			return -ENOBUFS;
1708 	}
1709 
1710 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1711 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1712 			rdev->wiphy.wowlan->max_nd_match_sets))
1713 		return -ENOBUFS;
1714 
1715 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1716 		return -ENOBUFS;
1717 
1718 	nla_nest_end(msg, nl_wowlan);
1719 
1720 	return 0;
1721 }
1722 #endif
1723 
1724 static int nl80211_send_coalesce(struct sk_buff *msg,
1725 				 struct cfg80211_registered_device *rdev)
1726 {
1727 	struct nl80211_coalesce_rule_support rule;
1728 
1729 	if (!rdev->wiphy.coalesce)
1730 		return 0;
1731 
1732 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1733 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1734 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1735 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1736 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1737 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1738 
1739 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1740 		return -ENOBUFS;
1741 
1742 	return 0;
1743 }
1744 
1745 static int
1746 nl80211_send_iftype_data(struct sk_buff *msg,
1747 			 const struct ieee80211_supported_band *sband,
1748 			 const struct ieee80211_sband_iftype_data *iftdata)
1749 {
1750 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1751 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1752 
1753 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1754 				iftdata->types_mask))
1755 		return -ENOBUFS;
1756 
1757 	if (he_cap->has_he) {
1758 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1759 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1760 			    he_cap->he_cap_elem.mac_cap_info) ||
1761 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1762 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1763 			    he_cap->he_cap_elem.phy_cap_info) ||
1764 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1765 			    sizeof(he_cap->he_mcs_nss_supp),
1766 			    &he_cap->he_mcs_nss_supp) ||
1767 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1768 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1769 			return -ENOBUFS;
1770 	}
1771 
1772 	if (eht_cap->has_eht && he_cap->has_he) {
1773 		u8 mcs_nss_size, ppe_thresh_size;
1774 		u16 ppe_thres_hdr;
1775 
1776 		mcs_nss_size =
1777 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1778 						   &eht_cap->eht_cap_elem);
1779 
1780 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1781 		ppe_thresh_size =
1782 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1783 					       eht_cap->eht_cap_elem.phy_cap_info);
1784 
1785 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1786 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1787 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1788 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1789 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1790 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1791 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1792 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1793 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1794 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1795 			return -ENOBUFS;
1796 	}
1797 
1798 	if (sband->band == NL80211_BAND_6GHZ &&
1799 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1800 		    sizeof(iftdata->he_6ghz_capa),
1801 		    &iftdata->he_6ghz_capa))
1802 		return -ENOBUFS;
1803 
1804 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1805 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1806 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1807 		return -ENOBUFS;
1808 
1809 	return 0;
1810 }
1811 
1812 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1813 				      struct ieee80211_supported_band *sband,
1814 				      bool large)
1815 {
1816 	struct nlattr *nl_rates, *nl_rate;
1817 	struct ieee80211_rate *rate;
1818 	int i;
1819 
1820 	/* add HT info */
1821 	if (sband->ht_cap.ht_supported &&
1822 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1823 		     sizeof(sband->ht_cap.mcs),
1824 		     &sband->ht_cap.mcs) ||
1825 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1826 			 sband->ht_cap.cap) ||
1827 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1828 			sband->ht_cap.ampdu_factor) ||
1829 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1830 			sband->ht_cap.ampdu_density)))
1831 		return -ENOBUFS;
1832 
1833 	/* add VHT info */
1834 	if (sband->vht_cap.vht_supported &&
1835 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1836 		     sizeof(sband->vht_cap.vht_mcs),
1837 		     &sband->vht_cap.vht_mcs) ||
1838 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1839 			 sband->vht_cap.cap)))
1840 		return -ENOBUFS;
1841 
1842 	if (large && sband->n_iftype_data) {
1843 		struct nlattr *nl_iftype_data =
1844 			nla_nest_start_noflag(msg,
1845 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1846 		int err;
1847 
1848 		if (!nl_iftype_data)
1849 			return -ENOBUFS;
1850 
1851 		for (i = 0; i < sband->n_iftype_data; i++) {
1852 			struct nlattr *iftdata;
1853 
1854 			iftdata = nla_nest_start_noflag(msg, i + 1);
1855 			if (!iftdata)
1856 				return -ENOBUFS;
1857 
1858 			err = nl80211_send_iftype_data(msg, sband,
1859 						       &sband->iftype_data[i]);
1860 			if (err)
1861 				return err;
1862 
1863 			nla_nest_end(msg, iftdata);
1864 		}
1865 
1866 		nla_nest_end(msg, nl_iftype_data);
1867 	}
1868 
1869 	/* add EDMG info */
1870 	if (large && sband->edmg_cap.channels &&
1871 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1872 		       sband->edmg_cap.channels) ||
1873 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1874 		       sband->edmg_cap.bw_config)))
1875 
1876 		return -ENOBUFS;
1877 
1878 	/* add bitrates */
1879 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1880 	if (!nl_rates)
1881 		return -ENOBUFS;
1882 
1883 	for (i = 0; i < sband->n_bitrates; i++) {
1884 		nl_rate = nla_nest_start_noflag(msg, i);
1885 		if (!nl_rate)
1886 			return -ENOBUFS;
1887 
1888 		rate = &sband->bitrates[i];
1889 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1890 				rate->bitrate))
1891 			return -ENOBUFS;
1892 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1893 		    nla_put_flag(msg,
1894 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1895 			return -ENOBUFS;
1896 
1897 		nla_nest_end(msg, nl_rate);
1898 	}
1899 
1900 	nla_nest_end(msg, nl_rates);
1901 
1902 	return 0;
1903 }
1904 
1905 static int
1906 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1907 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1908 {
1909 	u16 stypes;
1910 	struct nlattr *nl_ftypes, *nl_ifs;
1911 	enum nl80211_iftype ift;
1912 	int i;
1913 
1914 	if (!mgmt_stypes)
1915 		return 0;
1916 
1917 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1918 	if (!nl_ifs)
1919 		return -ENOBUFS;
1920 
1921 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1922 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1923 		if (!nl_ftypes)
1924 			return -ENOBUFS;
1925 		i = 0;
1926 		stypes = mgmt_stypes[ift].tx;
1927 		while (stypes) {
1928 			if ((stypes & 1) &&
1929 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1930 					(i << 4) | IEEE80211_FTYPE_MGMT))
1931 				return -ENOBUFS;
1932 			stypes >>= 1;
1933 			i++;
1934 		}
1935 		nla_nest_end(msg, nl_ftypes);
1936 	}
1937 
1938 	nla_nest_end(msg, nl_ifs);
1939 
1940 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1941 	if (!nl_ifs)
1942 		return -ENOBUFS;
1943 
1944 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1945 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1946 		if (!nl_ftypes)
1947 			return -ENOBUFS;
1948 		i = 0;
1949 		stypes = mgmt_stypes[ift].rx;
1950 		while (stypes) {
1951 			if ((stypes & 1) &&
1952 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1953 					(i << 4) | IEEE80211_FTYPE_MGMT))
1954 				return -ENOBUFS;
1955 			stypes >>= 1;
1956 			i++;
1957 		}
1958 		nla_nest_end(msg, nl_ftypes);
1959 	}
1960 	nla_nest_end(msg, nl_ifs);
1961 
1962 	return 0;
1963 }
1964 
1965 #define CMD(op, n)							\
1966 	 do {								\
1967 		if (rdev->ops->op) {					\
1968 			i++;						\
1969 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1970 				goto nla_put_failure;			\
1971 		}							\
1972 	} while (0)
1973 
1974 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1975 					struct sk_buff *msg)
1976 {
1977 	int i = 0;
1978 
1979 	/*
1980 	 * do *NOT* add anything into this function, new things need to be
1981 	 * advertised only to new versions of userspace that can deal with
1982 	 * the split (and they can't possibly care about new features...
1983 	 */
1984 	CMD(add_virtual_intf, NEW_INTERFACE);
1985 	CMD(change_virtual_intf, SET_INTERFACE);
1986 	CMD(add_key, NEW_KEY);
1987 	CMD(start_ap, START_AP);
1988 	CMD(add_station, NEW_STATION);
1989 	CMD(add_mpath, NEW_MPATH);
1990 	CMD(update_mesh_config, SET_MESH_CONFIG);
1991 	CMD(change_bss, SET_BSS);
1992 	CMD(auth, AUTHENTICATE);
1993 	CMD(assoc, ASSOCIATE);
1994 	CMD(deauth, DEAUTHENTICATE);
1995 	CMD(disassoc, DISASSOCIATE);
1996 	CMD(join_ibss, JOIN_IBSS);
1997 	CMD(join_mesh, JOIN_MESH);
1998 	CMD(set_pmksa, SET_PMKSA);
1999 	CMD(del_pmksa, DEL_PMKSA);
2000 	CMD(flush_pmksa, FLUSH_PMKSA);
2001 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2002 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2003 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2004 	CMD(mgmt_tx, FRAME);
2005 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2006 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2007 		i++;
2008 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2009 			goto nla_put_failure;
2010 	}
2011 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2012 	    rdev->ops->join_mesh) {
2013 		i++;
2014 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2015 			goto nla_put_failure;
2016 	}
2017 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2018 		CMD(tdls_mgmt, TDLS_MGMT);
2019 		CMD(tdls_oper, TDLS_OPER);
2020 	}
2021 	if (rdev->wiphy.max_sched_scan_reqs)
2022 		CMD(sched_scan_start, START_SCHED_SCAN);
2023 	CMD(probe_client, PROBE_CLIENT);
2024 	CMD(set_noack_map, SET_NOACK_MAP);
2025 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2026 		i++;
2027 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2028 			goto nla_put_failure;
2029 	}
2030 	CMD(start_p2p_device, START_P2P_DEVICE);
2031 	CMD(set_mcast_rate, SET_MCAST_RATE);
2032 #ifdef CONFIG_NL80211_TESTMODE
2033 	CMD(testmode_cmd, TESTMODE);
2034 #endif
2035 
2036 	if (rdev->ops->connect || rdev->ops->auth) {
2037 		i++;
2038 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2039 			goto nla_put_failure;
2040 	}
2041 
2042 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2043 		i++;
2044 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2045 			goto nla_put_failure;
2046 	}
2047 
2048 	return i;
2049  nla_put_failure:
2050 	return -ENOBUFS;
2051 }
2052 
2053 static int
2054 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2055 			   struct sk_buff *msg)
2056 {
2057 	struct nlattr *ftm;
2058 
2059 	if (!cap->ftm.supported)
2060 		return 0;
2061 
2062 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2063 	if (!ftm)
2064 		return -ENOBUFS;
2065 
2066 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2067 		return -ENOBUFS;
2068 	if (cap->ftm.non_asap &&
2069 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2070 		return -ENOBUFS;
2071 	if (cap->ftm.request_lci &&
2072 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2073 		return -ENOBUFS;
2074 	if (cap->ftm.request_civicloc &&
2075 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2076 		return -ENOBUFS;
2077 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2078 			cap->ftm.preambles))
2079 		return -ENOBUFS;
2080 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2081 			cap->ftm.bandwidths))
2082 		return -ENOBUFS;
2083 	if (cap->ftm.max_bursts_exponent >= 0 &&
2084 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2085 			cap->ftm.max_bursts_exponent))
2086 		return -ENOBUFS;
2087 	if (cap->ftm.max_ftms_per_burst &&
2088 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2089 			cap->ftm.max_ftms_per_burst))
2090 		return -ENOBUFS;
2091 	if (cap->ftm.trigger_based &&
2092 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2093 		return -ENOBUFS;
2094 	if (cap->ftm.non_trigger_based &&
2095 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2096 		return -ENOBUFS;
2097 
2098 	nla_nest_end(msg, ftm);
2099 	return 0;
2100 }
2101 
2102 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2103 				  struct sk_buff *msg)
2104 {
2105 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2106 	struct nlattr *pmsr, *caps;
2107 
2108 	if (!cap)
2109 		return 0;
2110 
2111 	/*
2112 	 * we don't need to clean up anything here since the caller
2113 	 * will genlmsg_cancel() if we fail
2114 	 */
2115 
2116 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2117 	if (!pmsr)
2118 		return -ENOBUFS;
2119 
2120 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2121 		return -ENOBUFS;
2122 
2123 	if (cap->report_ap_tsf &&
2124 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2125 		return -ENOBUFS;
2126 
2127 	if (cap->randomize_mac_addr &&
2128 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2129 		return -ENOBUFS;
2130 
2131 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2132 	if (!caps)
2133 		return -ENOBUFS;
2134 
2135 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2136 		return -ENOBUFS;
2137 
2138 	nla_nest_end(msg, caps);
2139 	nla_nest_end(msg, pmsr);
2140 
2141 	return 0;
2142 }
2143 
2144 static int
2145 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2146 			      struct sk_buff *msg)
2147 {
2148 	int i;
2149 	struct nlattr *nested, *nested_akms;
2150 	const struct wiphy_iftype_akm_suites *iftype_akms;
2151 
2152 	if (!rdev->wiphy.num_iftype_akm_suites ||
2153 	    !rdev->wiphy.iftype_akm_suites)
2154 		return 0;
2155 
2156 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2157 	if (!nested)
2158 		return -ENOBUFS;
2159 
2160 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2161 		nested_akms = nla_nest_start(msg, i + 1);
2162 		if (!nested_akms)
2163 			return -ENOBUFS;
2164 
2165 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2166 
2167 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2168 					iftype_akms->iftypes_mask))
2169 			return -ENOBUFS;
2170 
2171 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2172 			    sizeof(u32) * iftype_akms->n_akm_suites,
2173 			    iftype_akms->akm_suites)) {
2174 			return -ENOBUFS;
2175 		}
2176 		nla_nest_end(msg, nested_akms);
2177 	}
2178 
2179 	nla_nest_end(msg, nested);
2180 
2181 	return 0;
2182 }
2183 
2184 static int
2185 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2186 			       struct sk_buff *msg)
2187 {
2188 	struct nlattr *supp;
2189 
2190 	if (!rdev->wiphy.tid_config_support.vif &&
2191 	    !rdev->wiphy.tid_config_support.peer)
2192 		return 0;
2193 
2194 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2195 	if (!supp)
2196 		return -ENOSPC;
2197 
2198 	if (rdev->wiphy.tid_config_support.vif &&
2199 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2200 			      rdev->wiphy.tid_config_support.vif,
2201 			      NL80211_TID_CONFIG_ATTR_PAD))
2202 		goto fail;
2203 
2204 	if (rdev->wiphy.tid_config_support.peer &&
2205 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2206 			      rdev->wiphy.tid_config_support.peer,
2207 			      NL80211_TID_CONFIG_ATTR_PAD))
2208 		goto fail;
2209 
2210 	/* for now we just use the same value ... makes more sense */
2211 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2212 		       rdev->wiphy.tid_config_support.max_retry))
2213 		goto fail;
2214 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2215 		       rdev->wiphy.tid_config_support.max_retry))
2216 		goto fail;
2217 
2218 	nla_nest_end(msg, supp);
2219 
2220 	return 0;
2221 fail:
2222 	nla_nest_cancel(msg, supp);
2223 	return -ENOBUFS;
2224 }
2225 
2226 static int
2227 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2228 		      struct sk_buff *msg)
2229 {
2230 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2231 	u8 num_freq_ranges;
2232 	int i;
2233 
2234 	if (!rdev->wiphy.sar_capa)
2235 		return 0;
2236 
2237 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2238 
2239 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2240 	if (!sar_capa)
2241 		return -ENOSPC;
2242 
2243 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2244 		goto fail;
2245 
2246 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2247 	if (!specs)
2248 		goto fail;
2249 
2250 	/* report supported freq_ranges */
2251 	for (i = 0; i < num_freq_ranges; i++) {
2252 		sub_freq_range = nla_nest_start(msg, i + 1);
2253 		if (!sub_freq_range)
2254 			goto fail;
2255 
2256 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2257 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2258 			goto fail;
2259 
2260 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2261 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2262 			goto fail;
2263 
2264 		nla_nest_end(msg, sub_freq_range);
2265 	}
2266 
2267 	nla_nest_end(msg, specs);
2268 	nla_nest_end(msg, sar_capa);
2269 
2270 	return 0;
2271 fail:
2272 	nla_nest_cancel(msg, sar_capa);
2273 	return -ENOBUFS;
2274 }
2275 
2276 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2277 {
2278 	struct nlattr *config;
2279 
2280 	if (!wiphy->mbssid_max_interfaces)
2281 		return 0;
2282 
2283 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2284 	if (!config)
2285 		return -ENOBUFS;
2286 
2287 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2288 		       wiphy->mbssid_max_interfaces))
2289 		goto fail;
2290 
2291 	if (wiphy->ema_max_profile_periodicity &&
2292 	    nla_put_u8(msg,
2293 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2294 		       wiphy->ema_max_profile_periodicity))
2295 		goto fail;
2296 
2297 	nla_nest_end(msg, config);
2298 	return 0;
2299 
2300 fail:
2301 	nla_nest_cancel(msg, config);
2302 	return -ENOBUFS;
2303 }
2304 
2305 struct nl80211_dump_wiphy_state {
2306 	s64 filter_wiphy;
2307 	long start;
2308 	long split_start, band_start, chan_start, capa_start;
2309 	bool split;
2310 };
2311 
2312 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2313 			      enum nl80211_commands cmd,
2314 			      struct sk_buff *msg, u32 portid, u32 seq,
2315 			      int flags, struct nl80211_dump_wiphy_state *state)
2316 {
2317 	void *hdr;
2318 	struct nlattr *nl_bands, *nl_band;
2319 	struct nlattr *nl_freqs, *nl_freq;
2320 	struct nlattr *nl_cmds;
2321 	enum nl80211_band band;
2322 	struct ieee80211_channel *chan;
2323 	int i;
2324 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2325 				rdev->wiphy.mgmt_stypes;
2326 	u32 features;
2327 
2328 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2329 	if (!hdr)
2330 		return -ENOBUFS;
2331 
2332 	if (WARN_ON(!state))
2333 		return -EINVAL;
2334 
2335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2336 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2337 			   wiphy_name(&rdev->wiphy)) ||
2338 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2339 			cfg80211_rdev_list_generation))
2340 		goto nla_put_failure;
2341 
2342 	if (cmd != NL80211_CMD_NEW_WIPHY)
2343 		goto finish;
2344 
2345 	switch (state->split_start) {
2346 	case 0:
2347 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2348 			       rdev->wiphy.retry_short) ||
2349 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2350 			       rdev->wiphy.retry_long) ||
2351 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2352 				rdev->wiphy.frag_threshold) ||
2353 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2354 				rdev->wiphy.rts_threshold) ||
2355 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2356 			       rdev->wiphy.coverage_class) ||
2357 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2358 			       rdev->wiphy.max_scan_ssids) ||
2359 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2360 			       rdev->wiphy.max_sched_scan_ssids) ||
2361 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2362 				rdev->wiphy.max_scan_ie_len) ||
2363 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2364 				rdev->wiphy.max_sched_scan_ie_len) ||
2365 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2366 			       rdev->wiphy.max_match_sets))
2367 			goto nla_put_failure;
2368 
2369 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2370 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2371 			goto nla_put_failure;
2372 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2373 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2374 			goto nla_put_failure;
2375 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2376 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2377 			goto nla_put_failure;
2378 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2379 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2380 			goto nla_put_failure;
2381 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2382 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2383 			goto nla_put_failure;
2384 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2385 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2386 			goto nla_put_failure;
2387 		state->split_start++;
2388 		if (state->split)
2389 			break;
2390 		fallthrough;
2391 	case 1:
2392 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2393 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2394 			    rdev->wiphy.cipher_suites))
2395 			goto nla_put_failure;
2396 
2397 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2398 			       rdev->wiphy.max_num_pmkids))
2399 			goto nla_put_failure;
2400 
2401 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2402 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2403 			goto nla_put_failure;
2404 
2405 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2406 				rdev->wiphy.available_antennas_tx) ||
2407 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2408 				rdev->wiphy.available_antennas_rx))
2409 			goto nla_put_failure;
2410 
2411 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2412 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2413 				rdev->wiphy.probe_resp_offload))
2414 			goto nla_put_failure;
2415 
2416 		if ((rdev->wiphy.available_antennas_tx ||
2417 		     rdev->wiphy.available_antennas_rx) &&
2418 		    rdev->ops->get_antenna) {
2419 			u32 tx_ant = 0, rx_ant = 0;
2420 			int res;
2421 
2422 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2423 			if (!res) {
2424 				if (nla_put_u32(msg,
2425 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2426 						tx_ant) ||
2427 				    nla_put_u32(msg,
2428 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2429 						rx_ant))
2430 					goto nla_put_failure;
2431 			}
2432 		}
2433 
2434 		state->split_start++;
2435 		if (state->split)
2436 			break;
2437 		fallthrough;
2438 	case 2:
2439 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2440 					rdev->wiphy.interface_modes))
2441 				goto nla_put_failure;
2442 		state->split_start++;
2443 		if (state->split)
2444 			break;
2445 		fallthrough;
2446 	case 3:
2447 		nl_bands = nla_nest_start_noflag(msg,
2448 						 NL80211_ATTR_WIPHY_BANDS);
2449 		if (!nl_bands)
2450 			goto nla_put_failure;
2451 
2452 		for (band = state->band_start;
2453 		     band < (state->split ?
2454 				NUM_NL80211_BANDS :
2455 				NL80211_BAND_60GHZ + 1);
2456 		     band++) {
2457 			struct ieee80211_supported_band *sband;
2458 
2459 			/* omit higher bands for ancient software */
2460 			if (band > NL80211_BAND_5GHZ && !state->split)
2461 				break;
2462 
2463 			sband = rdev->wiphy.bands[band];
2464 
2465 			if (!sband)
2466 				continue;
2467 
2468 			nl_band = nla_nest_start_noflag(msg, band);
2469 			if (!nl_band)
2470 				goto nla_put_failure;
2471 
2472 			switch (state->chan_start) {
2473 			case 0:
2474 				if (nl80211_send_band_rateinfo(msg, sband,
2475 							       state->split))
2476 					goto nla_put_failure;
2477 				state->chan_start++;
2478 				if (state->split)
2479 					break;
2480 				fallthrough;
2481 			default:
2482 				/* add frequencies */
2483 				nl_freqs = nla_nest_start_noflag(msg,
2484 								 NL80211_BAND_ATTR_FREQS);
2485 				if (!nl_freqs)
2486 					goto nla_put_failure;
2487 
2488 				for (i = state->chan_start - 1;
2489 				     i < sband->n_channels;
2490 				     i++) {
2491 					nl_freq = nla_nest_start_noflag(msg,
2492 									i);
2493 					if (!nl_freq)
2494 						goto nla_put_failure;
2495 
2496 					chan = &sband->channels[i];
2497 
2498 					if (nl80211_msg_put_channel(
2499 							msg, &rdev->wiphy, chan,
2500 							state->split))
2501 						goto nla_put_failure;
2502 
2503 					nla_nest_end(msg, nl_freq);
2504 					if (state->split)
2505 						break;
2506 				}
2507 				if (i < sband->n_channels)
2508 					state->chan_start = i + 2;
2509 				else
2510 					state->chan_start = 0;
2511 				nla_nest_end(msg, nl_freqs);
2512 			}
2513 
2514 			nla_nest_end(msg, nl_band);
2515 
2516 			if (state->split) {
2517 				/* start again here */
2518 				if (state->chan_start)
2519 					band--;
2520 				break;
2521 			}
2522 		}
2523 		nla_nest_end(msg, nl_bands);
2524 
2525 		if (band < NUM_NL80211_BANDS)
2526 			state->band_start = band + 1;
2527 		else
2528 			state->band_start = 0;
2529 
2530 		/* if bands & channels are done, continue outside */
2531 		if (state->band_start == 0 && state->chan_start == 0)
2532 			state->split_start++;
2533 		if (state->split)
2534 			break;
2535 		fallthrough;
2536 	case 4:
2537 		nl_cmds = nla_nest_start_noflag(msg,
2538 						NL80211_ATTR_SUPPORTED_COMMANDS);
2539 		if (!nl_cmds)
2540 			goto nla_put_failure;
2541 
2542 		i = nl80211_add_commands_unsplit(rdev, msg);
2543 		if (i < 0)
2544 			goto nla_put_failure;
2545 		if (state->split) {
2546 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2547 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2548 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2549 				CMD(channel_switch, CHANNEL_SWITCH);
2550 			CMD(set_qos_map, SET_QOS_MAP);
2551 			if (rdev->wiphy.features &
2552 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2553 				CMD(add_tx_ts, ADD_TX_TS);
2554 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2555 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2556 			CMD(update_ft_ies, UPDATE_FT_IES);
2557 			if (rdev->wiphy.sar_capa)
2558 				CMD(set_sar_specs, SET_SAR_SPECS);
2559 		}
2560 #undef CMD
2561 
2562 		nla_nest_end(msg, nl_cmds);
2563 		state->split_start++;
2564 		if (state->split)
2565 			break;
2566 		fallthrough;
2567 	case 5:
2568 		if (rdev->ops->remain_on_channel &&
2569 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2570 		    nla_put_u32(msg,
2571 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2572 				rdev->wiphy.max_remain_on_channel_duration))
2573 			goto nla_put_failure;
2574 
2575 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2576 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2577 			goto nla_put_failure;
2578 
2579 		state->split_start++;
2580 		if (state->split)
2581 			break;
2582 		fallthrough;
2583 	case 6:
2584 #ifdef CONFIG_PM
2585 		if (nl80211_send_wowlan(msg, rdev, state->split))
2586 			goto nla_put_failure;
2587 		state->split_start++;
2588 		if (state->split)
2589 			break;
2590 #else
2591 		state->split_start++;
2592 #endif
2593 		fallthrough;
2594 	case 7:
2595 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2596 					rdev->wiphy.software_iftypes))
2597 			goto nla_put_failure;
2598 
2599 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2600 						   state->split))
2601 			goto nla_put_failure;
2602 
2603 		state->split_start++;
2604 		if (state->split)
2605 			break;
2606 		fallthrough;
2607 	case 8:
2608 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2609 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2610 				rdev->wiphy.ap_sme_capa))
2611 			goto nla_put_failure;
2612 
2613 		features = rdev->wiphy.features;
2614 		/*
2615 		 * We can only add the per-channel limit information if the
2616 		 * dump is split, otherwise it makes it too big. Therefore
2617 		 * only advertise it in that case.
2618 		 */
2619 		if (state->split)
2620 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2621 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2622 			goto nla_put_failure;
2623 
2624 		if (rdev->wiphy.ht_capa_mod_mask &&
2625 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2626 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2627 			    rdev->wiphy.ht_capa_mod_mask))
2628 			goto nla_put_failure;
2629 
2630 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2631 		    rdev->wiphy.max_acl_mac_addrs &&
2632 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2633 				rdev->wiphy.max_acl_mac_addrs))
2634 			goto nla_put_failure;
2635 
2636 		/*
2637 		 * Any information below this point is only available to
2638 		 * applications that can deal with it being split. This
2639 		 * helps ensure that newly added capabilities don't break
2640 		 * older tools by overrunning their buffers.
2641 		 *
2642 		 * We still increment split_start so that in the split
2643 		 * case we'll continue with more data in the next round,
2644 		 * but break unconditionally so unsplit data stops here.
2645 		 */
2646 		if (state->split)
2647 			state->split_start++;
2648 		else
2649 			state->split_start = 0;
2650 		break;
2651 	case 9:
2652 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2653 			goto nla_put_failure;
2654 
2655 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2656 				rdev->wiphy.max_sched_scan_plans) ||
2657 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2658 				rdev->wiphy.max_sched_scan_plan_interval) ||
2659 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2660 				rdev->wiphy.max_sched_scan_plan_iterations))
2661 			goto nla_put_failure;
2662 
2663 		if (rdev->wiphy.extended_capabilities &&
2664 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2665 			     rdev->wiphy.extended_capabilities_len,
2666 			     rdev->wiphy.extended_capabilities) ||
2667 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2668 			     rdev->wiphy.extended_capabilities_len,
2669 			     rdev->wiphy.extended_capabilities_mask)))
2670 			goto nla_put_failure;
2671 
2672 		if (rdev->wiphy.vht_capa_mod_mask &&
2673 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2674 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2675 			    rdev->wiphy.vht_capa_mod_mask))
2676 			goto nla_put_failure;
2677 
2678 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2679 			    rdev->wiphy.perm_addr))
2680 			goto nla_put_failure;
2681 
2682 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2683 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2684 			    rdev->wiphy.addr_mask))
2685 			goto nla_put_failure;
2686 
2687 		if (rdev->wiphy.n_addresses > 1) {
2688 			void *attr;
2689 
2690 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2691 			if (!attr)
2692 				goto nla_put_failure;
2693 
2694 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2695 				if (nla_put(msg, i + 1, ETH_ALEN,
2696 					    rdev->wiphy.addresses[i].addr))
2697 					goto nla_put_failure;
2698 
2699 			nla_nest_end(msg, attr);
2700 		}
2701 
2702 		state->split_start++;
2703 		break;
2704 	case 10:
2705 		if (nl80211_send_coalesce(msg, rdev))
2706 			goto nla_put_failure;
2707 
2708 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2709 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2710 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2711 			goto nla_put_failure;
2712 
2713 		if (rdev->wiphy.max_ap_assoc_sta &&
2714 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2715 				rdev->wiphy.max_ap_assoc_sta))
2716 			goto nla_put_failure;
2717 
2718 		state->split_start++;
2719 		break;
2720 	case 11:
2721 		if (rdev->wiphy.n_vendor_commands) {
2722 			const struct nl80211_vendor_cmd_info *info;
2723 			struct nlattr *nested;
2724 
2725 			nested = nla_nest_start_noflag(msg,
2726 						       NL80211_ATTR_VENDOR_DATA);
2727 			if (!nested)
2728 				goto nla_put_failure;
2729 
2730 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2731 				info = &rdev->wiphy.vendor_commands[i].info;
2732 				if (nla_put(msg, i + 1, sizeof(*info), info))
2733 					goto nla_put_failure;
2734 			}
2735 			nla_nest_end(msg, nested);
2736 		}
2737 
2738 		if (rdev->wiphy.n_vendor_events) {
2739 			const struct nl80211_vendor_cmd_info *info;
2740 			struct nlattr *nested;
2741 
2742 			nested = nla_nest_start_noflag(msg,
2743 						       NL80211_ATTR_VENDOR_EVENTS);
2744 			if (!nested)
2745 				goto nla_put_failure;
2746 
2747 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2748 				info = &rdev->wiphy.vendor_events[i];
2749 				if (nla_put(msg, i + 1, sizeof(*info), info))
2750 					goto nla_put_failure;
2751 			}
2752 			nla_nest_end(msg, nested);
2753 		}
2754 		state->split_start++;
2755 		break;
2756 	case 12:
2757 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2758 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2759 			       rdev->wiphy.max_num_csa_counters))
2760 			goto nla_put_failure;
2761 
2762 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2763 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2764 			goto nla_put_failure;
2765 
2766 		if (rdev->wiphy.max_sched_scan_reqs &&
2767 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2768 				rdev->wiphy.max_sched_scan_reqs))
2769 			goto nla_put_failure;
2770 
2771 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2772 			    sizeof(rdev->wiphy.ext_features),
2773 			    rdev->wiphy.ext_features))
2774 			goto nla_put_failure;
2775 
2776 		if (rdev->wiphy.bss_select_support) {
2777 			struct nlattr *nested;
2778 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2779 
2780 			nested = nla_nest_start_noflag(msg,
2781 						       NL80211_ATTR_BSS_SELECT);
2782 			if (!nested)
2783 				goto nla_put_failure;
2784 
2785 			i = 0;
2786 			while (bss_select_support) {
2787 				if ((bss_select_support & 1) &&
2788 				    nla_put_flag(msg, i))
2789 					goto nla_put_failure;
2790 				i++;
2791 				bss_select_support >>= 1;
2792 			}
2793 			nla_nest_end(msg, nested);
2794 		}
2795 
2796 		state->split_start++;
2797 		break;
2798 	case 13:
2799 		if (rdev->wiphy.num_iftype_ext_capab &&
2800 		    rdev->wiphy.iftype_ext_capab) {
2801 			struct nlattr *nested_ext_capab, *nested;
2802 
2803 			nested = nla_nest_start_noflag(msg,
2804 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2805 			if (!nested)
2806 				goto nla_put_failure;
2807 
2808 			for (i = state->capa_start;
2809 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2810 				const struct wiphy_iftype_ext_capab *capab;
2811 
2812 				capab = &rdev->wiphy.iftype_ext_capab[i];
2813 
2814 				nested_ext_capab = nla_nest_start_noflag(msg,
2815 									 i);
2816 				if (!nested_ext_capab ||
2817 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2818 						capab->iftype) ||
2819 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2820 					    capab->extended_capabilities_len,
2821 					    capab->extended_capabilities) ||
2822 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2823 					    capab->extended_capabilities_len,
2824 					    capab->extended_capabilities_mask))
2825 					goto nla_put_failure;
2826 
2827 				nla_nest_end(msg, nested_ext_capab);
2828 				if (state->split)
2829 					break;
2830 			}
2831 			nla_nest_end(msg, nested);
2832 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2833 				state->capa_start = i + 1;
2834 				break;
2835 			}
2836 		}
2837 
2838 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2839 				rdev->wiphy.nan_supported_bands))
2840 			goto nla_put_failure;
2841 
2842 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2843 					    NL80211_EXT_FEATURE_TXQS)) {
2844 			struct cfg80211_txq_stats txqstats = {};
2845 			int res;
2846 
2847 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2848 			if (!res &&
2849 			    !nl80211_put_txq_stats(msg, &txqstats,
2850 						   NL80211_ATTR_TXQ_STATS))
2851 				goto nla_put_failure;
2852 
2853 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2854 					rdev->wiphy.txq_limit))
2855 				goto nla_put_failure;
2856 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2857 					rdev->wiphy.txq_memory_limit))
2858 				goto nla_put_failure;
2859 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2860 					rdev->wiphy.txq_quantum))
2861 				goto nla_put_failure;
2862 		}
2863 
2864 		state->split_start++;
2865 		break;
2866 	case 14:
2867 		if (nl80211_send_pmsr_capa(rdev, msg))
2868 			goto nla_put_failure;
2869 
2870 		state->split_start++;
2871 		break;
2872 	case 15:
2873 		if (rdev->wiphy.akm_suites &&
2874 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2875 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2876 			    rdev->wiphy.akm_suites))
2877 			goto nla_put_failure;
2878 
2879 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2880 			goto nla_put_failure;
2881 
2882 		if (nl80211_put_tid_config_support(rdev, msg))
2883 			goto nla_put_failure;
2884 		state->split_start++;
2885 		break;
2886 	case 16:
2887 		if (nl80211_put_sar_specs(rdev, msg))
2888 			goto nla_put_failure;
2889 
2890 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2891 			goto nla_put_failure;
2892 
2893 		/* done */
2894 		state->split_start = 0;
2895 		break;
2896 	}
2897  finish:
2898 	genlmsg_end(msg, hdr);
2899 	return 0;
2900 
2901  nla_put_failure:
2902 	genlmsg_cancel(msg, hdr);
2903 	return -EMSGSIZE;
2904 }
2905 
2906 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2907 				    struct netlink_callback *cb,
2908 				    struct nl80211_dump_wiphy_state *state)
2909 {
2910 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2911 	int ret;
2912 
2913 	if (!tb)
2914 		return -ENOMEM;
2915 
2916 	ret = nlmsg_parse_deprecated(cb->nlh,
2917 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2918 				     tb, nl80211_fam.maxattr,
2919 				     nl80211_policy, NULL);
2920 	/* ignore parse errors for backward compatibility */
2921 	if (ret) {
2922 		ret = 0;
2923 		goto out;
2924 	}
2925 
2926 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2927 	if (tb[NL80211_ATTR_WIPHY])
2928 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2929 	if (tb[NL80211_ATTR_WDEV])
2930 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2931 	if (tb[NL80211_ATTR_IFINDEX]) {
2932 		struct net_device *netdev;
2933 		struct cfg80211_registered_device *rdev;
2934 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2935 
2936 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2937 		if (!netdev) {
2938 			ret = -ENODEV;
2939 			goto out;
2940 		}
2941 		if (netdev->ieee80211_ptr) {
2942 			rdev = wiphy_to_rdev(
2943 				netdev->ieee80211_ptr->wiphy);
2944 			state->filter_wiphy = rdev->wiphy_idx;
2945 		}
2946 	}
2947 
2948 	ret = 0;
2949 out:
2950 	kfree(tb);
2951 	return ret;
2952 }
2953 
2954 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2955 {
2956 	int idx = 0, ret;
2957 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2958 	struct cfg80211_registered_device *rdev;
2959 
2960 	rtnl_lock();
2961 	if (!state) {
2962 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2963 		if (!state) {
2964 			rtnl_unlock();
2965 			return -ENOMEM;
2966 		}
2967 		state->filter_wiphy = -1;
2968 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2969 		if (ret) {
2970 			kfree(state);
2971 			rtnl_unlock();
2972 			return ret;
2973 		}
2974 		cb->args[0] = (long)state;
2975 	}
2976 
2977 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2978 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2979 			continue;
2980 		if (++idx <= state->start)
2981 			continue;
2982 		if (state->filter_wiphy != -1 &&
2983 		    state->filter_wiphy != rdev->wiphy_idx)
2984 			continue;
2985 		/* attempt to fit multiple wiphy data chunks into the skb */
2986 		do {
2987 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2988 						 skb,
2989 						 NETLINK_CB(cb->skb).portid,
2990 						 cb->nlh->nlmsg_seq,
2991 						 NLM_F_MULTI, state);
2992 			if (ret < 0) {
2993 				/*
2994 				 * If sending the wiphy data didn't fit (ENOBUFS
2995 				 * or EMSGSIZE returned), this SKB is still
2996 				 * empty (so it's not too big because another
2997 				 * wiphy dataset is already in the skb) and
2998 				 * we've not tried to adjust the dump allocation
2999 				 * yet ... then adjust the alloc size to be
3000 				 * bigger, and return 1 but with the empty skb.
3001 				 * This results in an empty message being RX'ed
3002 				 * in userspace, but that is ignored.
3003 				 *
3004 				 * We can then retry with the larger buffer.
3005 				 */
3006 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3007 				    !skb->len && !state->split &&
3008 				    cb->min_dump_alloc < 4096) {
3009 					cb->min_dump_alloc = 4096;
3010 					state->split_start = 0;
3011 					rtnl_unlock();
3012 					return 1;
3013 				}
3014 				idx--;
3015 				break;
3016 			}
3017 		} while (state->split_start > 0);
3018 		break;
3019 	}
3020 	rtnl_unlock();
3021 
3022 	state->start = idx;
3023 
3024 	return skb->len;
3025 }
3026 
3027 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3028 {
3029 	kfree((void *)cb->args[0]);
3030 	return 0;
3031 }
3032 
3033 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3034 {
3035 	struct sk_buff *msg;
3036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3037 	struct nl80211_dump_wiphy_state state = {};
3038 
3039 	msg = nlmsg_new(4096, GFP_KERNEL);
3040 	if (!msg)
3041 		return -ENOMEM;
3042 
3043 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3044 			       info->snd_portid, info->snd_seq, 0,
3045 			       &state) < 0) {
3046 		nlmsg_free(msg);
3047 		return -ENOBUFS;
3048 	}
3049 
3050 	return genlmsg_reply(msg, info);
3051 }
3052 
3053 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3054 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3055 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3056 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3057 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3058 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3059 };
3060 
3061 static int parse_txq_params(struct nlattr *tb[],
3062 			    struct ieee80211_txq_params *txq_params)
3063 {
3064 	u8 ac;
3065 
3066 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3067 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3068 	    !tb[NL80211_TXQ_ATTR_AIFS])
3069 		return -EINVAL;
3070 
3071 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3072 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3073 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3074 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3075 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3076 
3077 	if (ac >= NL80211_NUM_ACS)
3078 		return -EINVAL;
3079 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3080 	return 0;
3081 }
3082 
3083 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3084 {
3085 	/*
3086 	 * You can only set the channel explicitly for some interfaces,
3087 	 * most have their channel managed via their respective
3088 	 * "establish a connection" command (connect, join, ...)
3089 	 *
3090 	 * For AP/GO and mesh mode, the channel can be set with the
3091 	 * channel userspace API, but is only stored and passed to the
3092 	 * low-level driver when the AP starts or the mesh is joined.
3093 	 * This is for backward compatibility, userspace can also give
3094 	 * the channel in the start-ap or join-mesh commands instead.
3095 	 *
3096 	 * Monitors are special as they are normally slaved to
3097 	 * whatever else is going on, so they have their own special
3098 	 * operation to set the monitor channel if possible.
3099 	 */
3100 	return !wdev ||
3101 		wdev->iftype == NL80211_IFTYPE_AP ||
3102 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3103 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3104 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3105 }
3106 
3107 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3108 			  struct genl_info *info,
3109 			  struct cfg80211_chan_def *chandef)
3110 {
3111 	struct netlink_ext_ack *extack = info->extack;
3112 	struct nlattr **attrs = info->attrs;
3113 	u32 control_freq;
3114 
3115 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3116 		return -EINVAL;
3117 
3118 	control_freq = MHZ_TO_KHZ(
3119 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3120 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3121 		control_freq +=
3122 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3123 
3124 	memset(chandef, 0, sizeof(*chandef));
3125 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3126 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3127 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3128 	chandef->freq1_offset = control_freq % 1000;
3129 	chandef->center_freq2 = 0;
3130 
3131 	/* Primary channel not allowed */
3132 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3133 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3134 				    "Channel is disabled");
3135 		return -EINVAL;
3136 	}
3137 
3138 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3139 		enum nl80211_channel_type chantype;
3140 
3141 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3142 
3143 		switch (chantype) {
3144 		case NL80211_CHAN_NO_HT:
3145 		case NL80211_CHAN_HT20:
3146 		case NL80211_CHAN_HT40PLUS:
3147 		case NL80211_CHAN_HT40MINUS:
3148 			cfg80211_chandef_create(chandef, chandef->chan,
3149 						chantype);
3150 			/* user input for center_freq is incorrect */
3151 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3152 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3153 				NL_SET_ERR_MSG_ATTR(extack,
3154 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3155 						    "bad center frequency 1");
3156 				return -EINVAL;
3157 			}
3158 			/* center_freq2 must be zero */
3159 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3160 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3161 				NL_SET_ERR_MSG_ATTR(extack,
3162 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3163 						    "center frequency 2 can't be used");
3164 				return -EINVAL;
3165 			}
3166 			break;
3167 		default:
3168 			NL_SET_ERR_MSG_ATTR(extack,
3169 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3170 					    "invalid channel type");
3171 			return -EINVAL;
3172 		}
3173 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3174 		chandef->width =
3175 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3176 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3177 			chandef->center_freq1 =
3178 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3179 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3180 				chandef->freq1_offset = nla_get_u32(
3181 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3182 			else
3183 				chandef->freq1_offset = 0;
3184 		}
3185 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3186 			chandef->center_freq2 =
3187 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3188 	}
3189 
3190 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3191 		chandef->edmg.channels =
3192 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3193 
3194 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3195 			chandef->edmg.bw_config =
3196 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3197 	} else {
3198 		chandef->edmg.bw_config = 0;
3199 		chandef->edmg.channels = 0;
3200 	}
3201 
3202 	if (!cfg80211_chandef_valid(chandef)) {
3203 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3204 		return -EINVAL;
3205 	}
3206 
3207 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3208 				     IEEE80211_CHAN_DISABLED)) {
3209 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3210 		return -EINVAL;
3211 	}
3212 
3213 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3214 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3215 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3216 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3217 		return -EINVAL;
3218 	}
3219 
3220 	return 0;
3221 }
3222 
3223 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3224 				 struct net_device *dev,
3225 				 struct genl_info *info)
3226 {
3227 	struct cfg80211_chan_def chandef;
3228 	int result;
3229 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3230 	struct wireless_dev *wdev = NULL;
3231 
3232 	if (dev)
3233 		wdev = dev->ieee80211_ptr;
3234 	if (!nl80211_can_set_dev_channel(wdev))
3235 		return -EOPNOTSUPP;
3236 	if (wdev)
3237 		iftype = wdev->iftype;
3238 
3239 	result = nl80211_parse_chandef(rdev, info, &chandef);
3240 	if (result)
3241 		return result;
3242 
3243 	switch (iftype) {
3244 	case NL80211_IFTYPE_AP:
3245 	case NL80211_IFTYPE_P2P_GO:
3246 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3247 						   iftype)) {
3248 			result = -EINVAL;
3249 			break;
3250 		}
3251 		if (wdev->beacon_interval) {
3252 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3253 			    !(rdev->wiphy.features &
3254 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3255 				result = -EBUSY;
3256 				break;
3257 			}
3258 
3259 			/* Only allow dynamic channel width changes */
3260 			if (chandef.chan != wdev->preset_chandef.chan) {
3261 				result = -EBUSY;
3262 				break;
3263 			}
3264 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3265 			if (result)
3266 				break;
3267 		}
3268 		wdev->preset_chandef = chandef;
3269 		result = 0;
3270 		break;
3271 	case NL80211_IFTYPE_MESH_POINT:
3272 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3273 		break;
3274 	case NL80211_IFTYPE_MONITOR:
3275 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3276 		break;
3277 	default:
3278 		result = -EINVAL;
3279 	}
3280 
3281 	return result;
3282 }
3283 
3284 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3285 {
3286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3287 	struct net_device *netdev = info->user_ptr[1];
3288 
3289 	return __nl80211_set_channel(rdev, netdev, info);
3290 }
3291 
3292 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3293 {
3294 	struct cfg80211_registered_device *rdev = NULL;
3295 	struct net_device *netdev = NULL;
3296 	struct wireless_dev *wdev;
3297 	int result = 0, rem_txq_params = 0;
3298 	struct nlattr *nl_txq_params;
3299 	u32 changed;
3300 	u8 retry_short = 0, retry_long = 0;
3301 	u32 frag_threshold = 0, rts_threshold = 0;
3302 	u8 coverage_class = 0;
3303 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3304 
3305 	rtnl_lock();
3306 	/*
3307 	 * Try to find the wiphy and netdev. Normally this
3308 	 * function shouldn't need the netdev, but this is
3309 	 * done for backward compatibility -- previously
3310 	 * setting the channel was done per wiphy, but now
3311 	 * it is per netdev. Previous userland like hostapd
3312 	 * also passed a netdev to set_wiphy, so that it is
3313 	 * possible to let that go to the right netdev!
3314 	 */
3315 
3316 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3317 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3318 
3319 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3320 		if (netdev && netdev->ieee80211_ptr)
3321 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3322 		else
3323 			netdev = NULL;
3324 	}
3325 
3326 	if (!netdev) {
3327 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3328 						  info->attrs);
3329 		if (IS_ERR(rdev)) {
3330 			rtnl_unlock();
3331 			return PTR_ERR(rdev);
3332 		}
3333 		wdev = NULL;
3334 		netdev = NULL;
3335 		result = 0;
3336 	} else
3337 		wdev = netdev->ieee80211_ptr;
3338 
3339 	wiphy_lock(&rdev->wiphy);
3340 
3341 	/*
3342 	 * end workaround code, by now the rdev is available
3343 	 * and locked, and wdev may or may not be NULL.
3344 	 */
3345 
3346 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3347 		result = cfg80211_dev_rename(
3348 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3349 	rtnl_unlock();
3350 
3351 	if (result)
3352 		goto out;
3353 
3354 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3355 		struct ieee80211_txq_params txq_params;
3356 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3357 
3358 		if (!rdev->ops->set_txq_params) {
3359 			result = -EOPNOTSUPP;
3360 			goto out;
3361 		}
3362 
3363 		if (!netdev) {
3364 			result = -EINVAL;
3365 			goto out;
3366 		}
3367 
3368 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3369 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3370 			result = -EINVAL;
3371 			goto out;
3372 		}
3373 
3374 		if (!netif_running(netdev)) {
3375 			result = -ENETDOWN;
3376 			goto out;
3377 		}
3378 
3379 		nla_for_each_nested(nl_txq_params,
3380 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3381 				    rem_txq_params) {
3382 			result = nla_parse_nested_deprecated(tb,
3383 							     NL80211_TXQ_ATTR_MAX,
3384 							     nl_txq_params,
3385 							     txq_params_policy,
3386 							     info->extack);
3387 			if (result)
3388 				goto out;
3389 			result = parse_txq_params(tb, &txq_params);
3390 			if (result)
3391 				goto out;
3392 
3393 			result = rdev_set_txq_params(rdev, netdev,
3394 						     &txq_params);
3395 			if (result)
3396 				goto out;
3397 		}
3398 	}
3399 
3400 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3401 		result = __nl80211_set_channel(
3402 			rdev,
3403 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3404 			info);
3405 		if (result)
3406 			goto out;
3407 	}
3408 
3409 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3410 		struct wireless_dev *txp_wdev = wdev;
3411 		enum nl80211_tx_power_setting type;
3412 		int idx, mbm = 0;
3413 
3414 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3415 			txp_wdev = NULL;
3416 
3417 		if (!rdev->ops->set_tx_power) {
3418 			result = -EOPNOTSUPP;
3419 			goto out;
3420 		}
3421 
3422 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3423 		type = nla_get_u32(info->attrs[idx]);
3424 
3425 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3426 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3427 			result = -EINVAL;
3428 			goto out;
3429 		}
3430 
3431 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3432 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3433 			mbm = nla_get_u32(info->attrs[idx]);
3434 		}
3435 
3436 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3437 		if (result)
3438 			goto out;
3439 	}
3440 
3441 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3442 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3443 		u32 tx_ant, rx_ant;
3444 
3445 		if ((!rdev->wiphy.available_antennas_tx &&
3446 		     !rdev->wiphy.available_antennas_rx) ||
3447 		    !rdev->ops->set_antenna) {
3448 			result = -EOPNOTSUPP;
3449 			goto out;
3450 		}
3451 
3452 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3453 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3454 
3455 		/* reject antenna configurations which don't match the
3456 		 * available antenna masks, except for the "all" mask */
3457 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3458 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3459 			result = -EINVAL;
3460 			goto out;
3461 		}
3462 
3463 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3464 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3465 
3466 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3467 		if (result)
3468 			goto out;
3469 	}
3470 
3471 	changed = 0;
3472 
3473 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3474 		retry_short = nla_get_u8(
3475 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3476 
3477 		changed |= WIPHY_PARAM_RETRY_SHORT;
3478 	}
3479 
3480 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3481 		retry_long = nla_get_u8(
3482 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3483 
3484 		changed |= WIPHY_PARAM_RETRY_LONG;
3485 	}
3486 
3487 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3488 		frag_threshold = nla_get_u32(
3489 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3490 		if (frag_threshold < 256) {
3491 			result = -EINVAL;
3492 			goto out;
3493 		}
3494 
3495 		if (frag_threshold != (u32) -1) {
3496 			/*
3497 			 * Fragments (apart from the last one) are required to
3498 			 * have even length. Make the fragmentation code
3499 			 * simpler by stripping LSB should someone try to use
3500 			 * odd threshold value.
3501 			 */
3502 			frag_threshold &= ~0x1;
3503 		}
3504 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3505 	}
3506 
3507 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3508 		rts_threshold = nla_get_u32(
3509 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3510 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3511 	}
3512 
3513 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3514 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3515 			result = -EINVAL;
3516 			goto out;
3517 		}
3518 
3519 		coverage_class = nla_get_u8(
3520 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3521 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3522 	}
3523 
3524 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3525 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3526 			result = -EOPNOTSUPP;
3527 			goto out;
3528 		}
3529 
3530 		changed |= WIPHY_PARAM_DYN_ACK;
3531 	}
3532 
3533 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3534 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3535 					     NL80211_EXT_FEATURE_TXQS)) {
3536 			result = -EOPNOTSUPP;
3537 			goto out;
3538 		}
3539 		txq_limit = nla_get_u32(
3540 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3541 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3542 	}
3543 
3544 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3545 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3546 					     NL80211_EXT_FEATURE_TXQS)) {
3547 			result = -EOPNOTSUPP;
3548 			goto out;
3549 		}
3550 		txq_memory_limit = nla_get_u32(
3551 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3552 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3553 	}
3554 
3555 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3556 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3557 					     NL80211_EXT_FEATURE_TXQS)) {
3558 			result = -EOPNOTSUPP;
3559 			goto out;
3560 		}
3561 		txq_quantum = nla_get_u32(
3562 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3563 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3564 	}
3565 
3566 	if (changed) {
3567 		u8 old_retry_short, old_retry_long;
3568 		u32 old_frag_threshold, old_rts_threshold;
3569 		u8 old_coverage_class;
3570 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3571 
3572 		if (!rdev->ops->set_wiphy_params) {
3573 			result = -EOPNOTSUPP;
3574 			goto out;
3575 		}
3576 
3577 		old_retry_short = rdev->wiphy.retry_short;
3578 		old_retry_long = rdev->wiphy.retry_long;
3579 		old_frag_threshold = rdev->wiphy.frag_threshold;
3580 		old_rts_threshold = rdev->wiphy.rts_threshold;
3581 		old_coverage_class = rdev->wiphy.coverage_class;
3582 		old_txq_limit = rdev->wiphy.txq_limit;
3583 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3584 		old_txq_quantum = rdev->wiphy.txq_quantum;
3585 
3586 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3587 			rdev->wiphy.retry_short = retry_short;
3588 		if (changed & WIPHY_PARAM_RETRY_LONG)
3589 			rdev->wiphy.retry_long = retry_long;
3590 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3591 			rdev->wiphy.frag_threshold = frag_threshold;
3592 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3593 			rdev->wiphy.rts_threshold = rts_threshold;
3594 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3595 			rdev->wiphy.coverage_class = coverage_class;
3596 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3597 			rdev->wiphy.txq_limit = txq_limit;
3598 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3599 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3600 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3601 			rdev->wiphy.txq_quantum = txq_quantum;
3602 
3603 		result = rdev_set_wiphy_params(rdev, changed);
3604 		if (result) {
3605 			rdev->wiphy.retry_short = old_retry_short;
3606 			rdev->wiphy.retry_long = old_retry_long;
3607 			rdev->wiphy.frag_threshold = old_frag_threshold;
3608 			rdev->wiphy.rts_threshold = old_rts_threshold;
3609 			rdev->wiphy.coverage_class = old_coverage_class;
3610 			rdev->wiphy.txq_limit = old_txq_limit;
3611 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3612 			rdev->wiphy.txq_quantum = old_txq_quantum;
3613 			goto out;
3614 		}
3615 	}
3616 
3617 	result = 0;
3618 
3619 out:
3620 	wiphy_unlock(&rdev->wiphy);
3621 	return result;
3622 }
3623 
3624 static int nl80211_send_chandef(struct sk_buff *msg,
3625 				const struct cfg80211_chan_def *chandef)
3626 {
3627 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3628 		return -EINVAL;
3629 
3630 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3631 			chandef->chan->center_freq))
3632 		return -ENOBUFS;
3633 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3634 			chandef->chan->freq_offset))
3635 		return -ENOBUFS;
3636 	switch (chandef->width) {
3637 	case NL80211_CHAN_WIDTH_20_NOHT:
3638 	case NL80211_CHAN_WIDTH_20:
3639 	case NL80211_CHAN_WIDTH_40:
3640 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3641 				cfg80211_get_chandef_type(chandef)))
3642 			return -ENOBUFS;
3643 		break;
3644 	default:
3645 		break;
3646 	}
3647 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3648 		return -ENOBUFS;
3649 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3650 		return -ENOBUFS;
3651 	if (chandef->center_freq2 &&
3652 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3653 		return -ENOBUFS;
3654 	return 0;
3655 }
3656 
3657 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3658 			      struct cfg80211_registered_device *rdev,
3659 			      struct wireless_dev *wdev,
3660 			      enum nl80211_commands cmd)
3661 {
3662 	struct net_device *dev = wdev->netdev;
3663 	void *hdr;
3664 
3665 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3666 		cmd != NL80211_CMD_DEL_INTERFACE &&
3667 		cmd != NL80211_CMD_SET_INTERFACE);
3668 
3669 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3670 	if (!hdr)
3671 		return -1;
3672 
3673 	if (dev &&
3674 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3675 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3676 		goto nla_put_failure;
3677 
3678 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3679 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3680 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3681 			      NL80211_ATTR_PAD) ||
3682 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3683 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3684 			rdev->devlist_generation ^
3685 			(cfg80211_rdev_list_generation << 2)) ||
3686 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3687 		goto nla_put_failure;
3688 
3689 	if (rdev->ops->get_channel) {
3690 		int ret;
3691 		struct cfg80211_chan_def chandef = {};
3692 
3693 		ret = rdev_get_channel(rdev, wdev, &chandef);
3694 		if (ret == 0) {
3695 			if (nl80211_send_chandef(msg, &chandef))
3696 				goto nla_put_failure;
3697 		}
3698 	}
3699 
3700 	if (rdev->ops->get_tx_power) {
3701 		int dbm, ret;
3702 
3703 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3704 		if (ret == 0 &&
3705 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3706 				DBM_TO_MBM(dbm)))
3707 			goto nla_put_failure;
3708 	}
3709 
3710 	wdev_lock(wdev);
3711 	switch (wdev->iftype) {
3712 	case NL80211_IFTYPE_AP:
3713 	case NL80211_IFTYPE_P2P_GO:
3714 		if (wdev->ssid_len &&
3715 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3716 			goto nla_put_failure_locked;
3717 		break;
3718 	case NL80211_IFTYPE_STATION:
3719 	case NL80211_IFTYPE_P2P_CLIENT:
3720 	case NL80211_IFTYPE_ADHOC: {
3721 		const struct element *ssid_elem;
3722 
3723 		if (!wdev->current_bss)
3724 			break;
3725 		rcu_read_lock();
3726 		ssid_elem = ieee80211_bss_get_elem(&wdev->current_bss->pub,
3727 						   WLAN_EID_SSID);
3728 		if (ssid_elem &&
3729 		    nla_put(msg, NL80211_ATTR_SSID, ssid_elem->datalen,
3730 			    ssid_elem->data))
3731 			goto nla_put_failure_rcu_locked;
3732 		rcu_read_unlock();
3733 		break;
3734 		}
3735 	default:
3736 		/* nothing */
3737 		break;
3738 	}
3739 	wdev_unlock(wdev);
3740 
3741 	if (rdev->ops->get_txq_stats) {
3742 		struct cfg80211_txq_stats txqstats = {};
3743 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3744 
3745 		if (ret == 0 &&
3746 		    !nl80211_put_txq_stats(msg, &txqstats,
3747 					   NL80211_ATTR_TXQ_STATS))
3748 			goto nla_put_failure;
3749 	}
3750 
3751 	genlmsg_end(msg, hdr);
3752 	return 0;
3753 
3754  nla_put_failure_rcu_locked:
3755 	rcu_read_unlock();
3756  nla_put_failure_locked:
3757 	wdev_unlock(wdev);
3758  nla_put_failure:
3759 	genlmsg_cancel(msg, hdr);
3760 	return -EMSGSIZE;
3761 }
3762 
3763 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3764 {
3765 	int wp_idx = 0;
3766 	int if_idx = 0;
3767 	int wp_start = cb->args[0];
3768 	int if_start = cb->args[1];
3769 	int filter_wiphy = -1;
3770 	struct cfg80211_registered_device *rdev;
3771 	struct wireless_dev *wdev;
3772 	int ret;
3773 
3774 	rtnl_lock();
3775 	if (!cb->args[2]) {
3776 		struct nl80211_dump_wiphy_state state = {
3777 			.filter_wiphy = -1,
3778 		};
3779 
3780 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3781 		if (ret)
3782 			goto out_unlock;
3783 
3784 		filter_wiphy = state.filter_wiphy;
3785 
3786 		/*
3787 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3788 		 * value needed to determine that parsing is necessary.
3789 		 */
3790 		if (filter_wiphy >= 0)
3791 			cb->args[2] = filter_wiphy + 1;
3792 		else
3793 			cb->args[2] = -1;
3794 	} else if (cb->args[2] > 0) {
3795 		filter_wiphy = cb->args[2] - 1;
3796 	}
3797 
3798 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3799 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3800 			continue;
3801 		if (wp_idx < wp_start) {
3802 			wp_idx++;
3803 			continue;
3804 		}
3805 
3806 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3807 			continue;
3808 
3809 		if_idx = 0;
3810 
3811 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3812 			if (if_idx < if_start) {
3813 				if_idx++;
3814 				continue;
3815 			}
3816 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3817 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3818 					       rdev, wdev,
3819 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3820 				goto out;
3821 			}
3822 			if_idx++;
3823 		}
3824 
3825 		wp_idx++;
3826 	}
3827  out:
3828 	cb->args[0] = wp_idx;
3829 	cb->args[1] = if_idx;
3830 
3831 	ret = skb->len;
3832  out_unlock:
3833 	rtnl_unlock();
3834 
3835 	return ret;
3836 }
3837 
3838 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3839 {
3840 	struct sk_buff *msg;
3841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3842 	struct wireless_dev *wdev = info->user_ptr[1];
3843 
3844 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3845 	if (!msg)
3846 		return -ENOMEM;
3847 
3848 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3849 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3850 		nlmsg_free(msg);
3851 		return -ENOBUFS;
3852 	}
3853 
3854 	return genlmsg_reply(msg, info);
3855 }
3856 
3857 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3858 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3859 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3860 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3861 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3862 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3863 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3864 };
3865 
3866 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3867 {
3868 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3869 	int flag;
3870 
3871 	*mntrflags = 0;
3872 
3873 	if (!nla)
3874 		return -EINVAL;
3875 
3876 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3877 		return -EINVAL;
3878 
3879 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3880 		if (flags[flag])
3881 			*mntrflags |= (1<<flag);
3882 
3883 	*mntrflags |= MONITOR_FLAG_CHANGED;
3884 
3885 	return 0;
3886 }
3887 
3888 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3889 				     enum nl80211_iftype type,
3890 				     struct genl_info *info,
3891 				     struct vif_params *params)
3892 {
3893 	bool change = false;
3894 	int err;
3895 
3896 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3897 		if (type != NL80211_IFTYPE_MONITOR)
3898 			return -EINVAL;
3899 
3900 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3901 					  &params->flags);
3902 		if (err)
3903 			return err;
3904 
3905 		change = true;
3906 	}
3907 
3908 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3909 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3910 		return -EOPNOTSUPP;
3911 
3912 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3913 		const u8 *mumimo_groups;
3914 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3915 
3916 		if (type != NL80211_IFTYPE_MONITOR)
3917 			return -EINVAL;
3918 
3919 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3920 			return -EOPNOTSUPP;
3921 
3922 		mumimo_groups =
3923 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3924 
3925 		/* bits 0 and 63 are reserved and must be zero */
3926 		if ((mumimo_groups[0] & BIT(0)) ||
3927 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3928 			return -EINVAL;
3929 
3930 		params->vht_mumimo_groups = mumimo_groups;
3931 		change = true;
3932 	}
3933 
3934 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3935 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3936 
3937 		if (type != NL80211_IFTYPE_MONITOR)
3938 			return -EINVAL;
3939 
3940 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3941 			return -EOPNOTSUPP;
3942 
3943 		params->vht_mumimo_follow_addr =
3944 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3945 		change = true;
3946 	}
3947 
3948 	return change ? 1 : 0;
3949 }
3950 
3951 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3952 			       struct net_device *netdev, u8 use_4addr,
3953 			       enum nl80211_iftype iftype)
3954 {
3955 	if (!use_4addr) {
3956 		if (netdev && netif_is_bridge_port(netdev))
3957 			return -EBUSY;
3958 		return 0;
3959 	}
3960 
3961 	switch (iftype) {
3962 	case NL80211_IFTYPE_AP_VLAN:
3963 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3964 			return 0;
3965 		break;
3966 	case NL80211_IFTYPE_STATION:
3967 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3968 			return 0;
3969 		break;
3970 	default:
3971 		break;
3972 	}
3973 
3974 	return -EOPNOTSUPP;
3975 }
3976 
3977 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3978 {
3979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3980 	struct vif_params params;
3981 	int err;
3982 	enum nl80211_iftype otype, ntype;
3983 	struct net_device *dev = info->user_ptr[1];
3984 	bool change = false;
3985 
3986 	memset(&params, 0, sizeof(params));
3987 
3988 	otype = ntype = dev->ieee80211_ptr->iftype;
3989 
3990 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3991 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3992 		if (otype != ntype)
3993 			change = true;
3994 	}
3995 
3996 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3997 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3998 
3999 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4000 			return -EINVAL;
4001 		if (netif_running(dev))
4002 			return -EBUSY;
4003 
4004 		wdev_lock(wdev);
4005 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4006 			     IEEE80211_MAX_MESH_ID_LEN);
4007 		wdev->mesh_id_up_len =
4008 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4009 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4010 		       wdev->mesh_id_up_len);
4011 		wdev_unlock(wdev);
4012 	}
4013 
4014 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4015 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4016 		change = true;
4017 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4018 		if (err)
4019 			return err;
4020 	} else {
4021 		params.use_4addr = -1;
4022 	}
4023 
4024 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4025 	if (err < 0)
4026 		return err;
4027 	if (err > 0)
4028 		change = true;
4029 
4030 	if (change)
4031 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4032 	else
4033 		err = 0;
4034 
4035 	if (!err && params.use_4addr != -1)
4036 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4037 
4038 	if (change && !err) {
4039 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4040 
4041 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4042 	}
4043 
4044 	return err;
4045 }
4046 
4047 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4048 {
4049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4050 	struct vif_params params;
4051 	struct wireless_dev *wdev;
4052 	struct sk_buff *msg;
4053 	int err;
4054 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4055 
4056 	memset(&params, 0, sizeof(params));
4057 
4058 	if (!info->attrs[NL80211_ATTR_IFNAME])
4059 		return -EINVAL;
4060 
4061 	if (info->attrs[NL80211_ATTR_IFTYPE])
4062 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4063 
4064 	if (!rdev->ops->add_virtual_intf)
4065 		return -EOPNOTSUPP;
4066 
4067 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4068 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4069 	    info->attrs[NL80211_ATTR_MAC]) {
4070 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4071 			   ETH_ALEN);
4072 		if (!is_valid_ether_addr(params.macaddr))
4073 			return -EADDRNOTAVAIL;
4074 	}
4075 
4076 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4077 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4078 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4079 		if (err)
4080 			return err;
4081 	}
4082 
4083 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4084 		return -EOPNOTSUPP;
4085 
4086 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4087 	if (err < 0)
4088 		return err;
4089 
4090 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4091 	if (!msg)
4092 		return -ENOMEM;
4093 
4094 	wdev = rdev_add_virtual_intf(rdev,
4095 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4096 				NET_NAME_USER, type, &params);
4097 	if (WARN_ON(!wdev)) {
4098 		nlmsg_free(msg);
4099 		return -EPROTO;
4100 	} else if (IS_ERR(wdev)) {
4101 		nlmsg_free(msg);
4102 		return PTR_ERR(wdev);
4103 	}
4104 
4105 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4106 		wdev->owner_nlportid = info->snd_portid;
4107 
4108 	switch (type) {
4109 	case NL80211_IFTYPE_MESH_POINT:
4110 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4111 			break;
4112 		wdev_lock(wdev);
4113 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4114 			     IEEE80211_MAX_MESH_ID_LEN);
4115 		wdev->mesh_id_up_len =
4116 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4117 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4118 		       wdev->mesh_id_up_len);
4119 		wdev_unlock(wdev);
4120 		break;
4121 	case NL80211_IFTYPE_NAN:
4122 	case NL80211_IFTYPE_P2P_DEVICE:
4123 		/*
4124 		 * P2P Device and NAN do not have a netdev, so don't go
4125 		 * through the netdev notifier and must be added here
4126 		 */
4127 		cfg80211_init_wdev(wdev);
4128 		cfg80211_register_wdev(rdev, wdev);
4129 		break;
4130 	default:
4131 		break;
4132 	}
4133 
4134 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4135 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4136 		nlmsg_free(msg);
4137 		return -ENOBUFS;
4138 	}
4139 
4140 	return genlmsg_reply(msg, info);
4141 }
4142 
4143 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4144 {
4145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4146 	int ret;
4147 
4148 	/* to avoid failing a new interface creation due to pending removal */
4149 	cfg80211_destroy_ifaces(rdev);
4150 
4151 	wiphy_lock(&rdev->wiphy);
4152 	ret = _nl80211_new_interface(skb, info);
4153 	wiphy_unlock(&rdev->wiphy);
4154 
4155 	return ret;
4156 }
4157 
4158 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4159 {
4160 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4161 	struct wireless_dev *wdev = info->user_ptr[1];
4162 
4163 	if (!rdev->ops->del_virtual_intf)
4164 		return -EOPNOTSUPP;
4165 
4166 	/*
4167 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4168 	 * reach 0, and thus the rdev cannot be deleted.
4169 	 *
4170 	 * We need to do it for the dev_close(), since that will call
4171 	 * the netdev notifiers, and we need to acquire the mutex there
4172 	 * but don't know if we get there from here or from some other
4173 	 * place (e.g. "ip link set ... down").
4174 	 */
4175 	mutex_unlock(&rdev->wiphy.mtx);
4176 
4177 	/*
4178 	 * If we remove a wireless device without a netdev then clear
4179 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4180 	 * to check if it needs to do dev_put(). Otherwise it crashes
4181 	 * since the wdev has been freed, unlike with a netdev where
4182 	 * we need the dev_put() for the netdev to really be freed.
4183 	 */
4184 	if (!wdev->netdev)
4185 		info->user_ptr[1] = NULL;
4186 	else
4187 		dev_close(wdev->netdev);
4188 
4189 	mutex_lock(&rdev->wiphy.mtx);
4190 
4191 	return rdev_del_virtual_intf(rdev, wdev);
4192 }
4193 
4194 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4195 {
4196 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4197 	struct net_device *dev = info->user_ptr[1];
4198 	u16 noack_map;
4199 
4200 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4201 		return -EINVAL;
4202 
4203 	if (!rdev->ops->set_noack_map)
4204 		return -EOPNOTSUPP;
4205 
4206 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4207 
4208 	return rdev_set_noack_map(rdev, dev, noack_map);
4209 }
4210 
4211 struct get_key_cookie {
4212 	struct sk_buff *msg;
4213 	int error;
4214 	int idx;
4215 };
4216 
4217 static void get_key_callback(void *c, struct key_params *params)
4218 {
4219 	struct nlattr *key;
4220 	struct get_key_cookie *cookie = c;
4221 
4222 	if ((params->key &&
4223 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4224 		     params->key_len, params->key)) ||
4225 	    (params->seq &&
4226 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4227 		     params->seq_len, params->seq)) ||
4228 	    (params->cipher &&
4229 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4230 			 params->cipher)))
4231 		goto nla_put_failure;
4232 
4233 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4234 	if (!key)
4235 		goto nla_put_failure;
4236 
4237 	if ((params->key &&
4238 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4239 		     params->key_len, params->key)) ||
4240 	    (params->seq &&
4241 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4242 		     params->seq_len, params->seq)) ||
4243 	    (params->cipher &&
4244 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4245 			 params->cipher)))
4246 		goto nla_put_failure;
4247 
4248 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4249 		goto nla_put_failure;
4250 
4251 	nla_nest_end(cookie->msg, key);
4252 
4253 	return;
4254  nla_put_failure:
4255 	cookie->error = 1;
4256 }
4257 
4258 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4259 {
4260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4261 	int err;
4262 	struct net_device *dev = info->user_ptr[1];
4263 	u8 key_idx = 0;
4264 	const u8 *mac_addr = NULL;
4265 	bool pairwise;
4266 	struct get_key_cookie cookie = {
4267 		.error = 0,
4268 	};
4269 	void *hdr;
4270 	struct sk_buff *msg;
4271 	bool bigtk_support = false;
4272 
4273 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4274 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4275 		bigtk_support = true;
4276 
4277 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4278 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4279 	    wiphy_ext_feature_isset(&rdev->wiphy,
4280 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4281 		bigtk_support = true;
4282 
4283 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4284 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4285 
4286 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4287 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4288 			return -EINVAL;
4289 		}
4290 	}
4291 
4292 	if (info->attrs[NL80211_ATTR_MAC])
4293 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4294 
4295 	pairwise = !!mac_addr;
4296 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4297 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4298 
4299 		if (kt != NL80211_KEYTYPE_GROUP &&
4300 		    kt != NL80211_KEYTYPE_PAIRWISE)
4301 			return -EINVAL;
4302 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4303 	}
4304 
4305 	if (!rdev->ops->get_key)
4306 		return -EOPNOTSUPP;
4307 
4308 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4309 		return -ENOENT;
4310 
4311 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4312 	if (!msg)
4313 		return -ENOMEM;
4314 
4315 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4316 			     NL80211_CMD_NEW_KEY);
4317 	if (!hdr)
4318 		goto nla_put_failure;
4319 
4320 	cookie.msg = msg;
4321 	cookie.idx = key_idx;
4322 
4323 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4324 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4325 		goto nla_put_failure;
4326 	if (mac_addr &&
4327 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4328 		goto nla_put_failure;
4329 
4330 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4331 			   get_key_callback);
4332 
4333 	if (err)
4334 		goto free_msg;
4335 
4336 	if (cookie.error)
4337 		goto nla_put_failure;
4338 
4339 	genlmsg_end(msg, hdr);
4340 	return genlmsg_reply(msg, info);
4341 
4342  nla_put_failure:
4343 	err = -ENOBUFS;
4344  free_msg:
4345 	nlmsg_free(msg);
4346 	return err;
4347 }
4348 
4349 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4350 {
4351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4352 	struct key_parse key;
4353 	int err;
4354 	struct net_device *dev = info->user_ptr[1];
4355 
4356 	err = nl80211_parse_key(info, &key);
4357 	if (err)
4358 		return err;
4359 
4360 	if (key.idx < 0)
4361 		return -EINVAL;
4362 
4363 	/* Only support setting default key and
4364 	 * Extended Key ID action NL80211_KEY_SET_TX.
4365 	 */
4366 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4367 	    !(key.p.mode == NL80211_KEY_SET_TX))
4368 		return -EINVAL;
4369 
4370 	wdev_lock(dev->ieee80211_ptr);
4371 
4372 	if (key.def) {
4373 		if (!rdev->ops->set_default_key) {
4374 			err = -EOPNOTSUPP;
4375 			goto out;
4376 		}
4377 
4378 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4379 		if (err)
4380 			goto out;
4381 
4382 		err = rdev_set_default_key(rdev, dev, key.idx,
4383 						 key.def_uni, key.def_multi);
4384 
4385 		if (err)
4386 			goto out;
4387 
4388 #ifdef CONFIG_CFG80211_WEXT
4389 		dev->ieee80211_ptr->wext.default_key = key.idx;
4390 #endif
4391 	} else if (key.defmgmt) {
4392 		if (key.def_uni || !key.def_multi) {
4393 			err = -EINVAL;
4394 			goto out;
4395 		}
4396 
4397 		if (!rdev->ops->set_default_mgmt_key) {
4398 			err = -EOPNOTSUPP;
4399 			goto out;
4400 		}
4401 
4402 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4403 		if (err)
4404 			goto out;
4405 
4406 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4407 		if (err)
4408 			goto out;
4409 
4410 #ifdef CONFIG_CFG80211_WEXT
4411 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4412 #endif
4413 	} else if (key.defbeacon) {
4414 		if (key.def_uni || !key.def_multi) {
4415 			err = -EINVAL;
4416 			goto out;
4417 		}
4418 
4419 		if (!rdev->ops->set_default_beacon_key) {
4420 			err = -EOPNOTSUPP;
4421 			goto out;
4422 		}
4423 
4424 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4425 		if (err)
4426 			goto out;
4427 
4428 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4429 		if (err)
4430 			goto out;
4431 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4432 		   wiphy_ext_feature_isset(&rdev->wiphy,
4433 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4434 		u8 *mac_addr = NULL;
4435 
4436 		if (info->attrs[NL80211_ATTR_MAC])
4437 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4438 
4439 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4440 			err = -EINVAL;
4441 			goto out;
4442 		}
4443 
4444 		err = rdev_add_key(rdev, dev, key.idx,
4445 				   NL80211_KEYTYPE_PAIRWISE,
4446 				   mac_addr, &key.p);
4447 	} else {
4448 		err = -EINVAL;
4449 	}
4450  out:
4451 	wdev_unlock(dev->ieee80211_ptr);
4452 
4453 	return err;
4454 }
4455 
4456 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4457 {
4458 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4459 	int err;
4460 	struct net_device *dev = info->user_ptr[1];
4461 	struct key_parse key;
4462 	const u8 *mac_addr = NULL;
4463 
4464 	err = nl80211_parse_key(info, &key);
4465 	if (err)
4466 		return err;
4467 
4468 	if (!key.p.key) {
4469 		GENL_SET_ERR_MSG(info, "no key");
4470 		return -EINVAL;
4471 	}
4472 
4473 	if (info->attrs[NL80211_ATTR_MAC])
4474 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4475 
4476 	if (key.type == -1) {
4477 		if (mac_addr)
4478 			key.type = NL80211_KEYTYPE_PAIRWISE;
4479 		else
4480 			key.type = NL80211_KEYTYPE_GROUP;
4481 	}
4482 
4483 	/* for now */
4484 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4485 	    key.type != NL80211_KEYTYPE_GROUP) {
4486 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4487 		return -EINVAL;
4488 	}
4489 
4490 	if (key.type == NL80211_KEYTYPE_GROUP &&
4491 	    info->attrs[NL80211_ATTR_VLAN_ID])
4492 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4493 
4494 	if (!rdev->ops->add_key)
4495 		return -EOPNOTSUPP;
4496 
4497 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4498 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4499 					   mac_addr)) {
4500 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4501 		return -EINVAL;
4502 	}
4503 
4504 	wdev_lock(dev->ieee80211_ptr);
4505 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4506 	if (err)
4507 		GENL_SET_ERR_MSG(info, "key not allowed");
4508 	if (!err) {
4509 		err = rdev_add_key(rdev, dev, key.idx,
4510 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4511 				    mac_addr, &key.p);
4512 		if (err)
4513 			GENL_SET_ERR_MSG(info, "key addition failed");
4514 	}
4515 	wdev_unlock(dev->ieee80211_ptr);
4516 
4517 	return err;
4518 }
4519 
4520 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4521 {
4522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4523 	int err;
4524 	struct net_device *dev = info->user_ptr[1];
4525 	u8 *mac_addr = NULL;
4526 	struct key_parse key;
4527 
4528 	err = nl80211_parse_key(info, &key);
4529 	if (err)
4530 		return err;
4531 
4532 	if (info->attrs[NL80211_ATTR_MAC])
4533 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4534 
4535 	if (key.type == -1) {
4536 		if (mac_addr)
4537 			key.type = NL80211_KEYTYPE_PAIRWISE;
4538 		else
4539 			key.type = NL80211_KEYTYPE_GROUP;
4540 	}
4541 
4542 	/* for now */
4543 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4544 	    key.type != NL80211_KEYTYPE_GROUP)
4545 		return -EINVAL;
4546 
4547 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4548 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4549 		return -EINVAL;
4550 
4551 	if (!rdev->ops->del_key)
4552 		return -EOPNOTSUPP;
4553 
4554 	wdev_lock(dev->ieee80211_ptr);
4555 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4556 
4557 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4558 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4559 		err = -ENOENT;
4560 
4561 	if (!err)
4562 		err = rdev_del_key(rdev, dev, key.idx,
4563 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4564 				   mac_addr);
4565 
4566 #ifdef CONFIG_CFG80211_WEXT
4567 	if (!err) {
4568 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4569 			dev->ieee80211_ptr->wext.default_key = -1;
4570 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4571 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4572 	}
4573 #endif
4574 	wdev_unlock(dev->ieee80211_ptr);
4575 
4576 	return err;
4577 }
4578 
4579 /* This function returns an error or the number of nested attributes */
4580 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4581 {
4582 	struct nlattr *attr;
4583 	int n_entries = 0, tmp;
4584 
4585 	nla_for_each_nested(attr, nl_attr, tmp) {
4586 		if (nla_len(attr) != ETH_ALEN)
4587 			return -EINVAL;
4588 
4589 		n_entries++;
4590 	}
4591 
4592 	return n_entries;
4593 }
4594 
4595 /*
4596  * This function parses ACL information and allocates memory for ACL data.
4597  * On successful return, the calling function is responsible to free the
4598  * ACL buffer returned by this function.
4599  */
4600 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4601 						struct genl_info *info)
4602 {
4603 	enum nl80211_acl_policy acl_policy;
4604 	struct nlattr *attr;
4605 	struct cfg80211_acl_data *acl;
4606 	int i = 0, n_entries, tmp;
4607 
4608 	if (!wiphy->max_acl_mac_addrs)
4609 		return ERR_PTR(-EOPNOTSUPP);
4610 
4611 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4612 		return ERR_PTR(-EINVAL);
4613 
4614 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4615 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4616 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4617 		return ERR_PTR(-EINVAL);
4618 
4619 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4620 		return ERR_PTR(-EINVAL);
4621 
4622 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4623 	if (n_entries < 0)
4624 		return ERR_PTR(n_entries);
4625 
4626 	if (n_entries > wiphy->max_acl_mac_addrs)
4627 		return ERR_PTR(-ENOTSUPP);
4628 
4629 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4630 	if (!acl)
4631 		return ERR_PTR(-ENOMEM);
4632 
4633 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4634 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4635 		i++;
4636 	}
4637 
4638 	acl->n_acl_entries = n_entries;
4639 	acl->acl_policy = acl_policy;
4640 
4641 	return acl;
4642 }
4643 
4644 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4645 {
4646 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4647 	struct net_device *dev = info->user_ptr[1];
4648 	struct cfg80211_acl_data *acl;
4649 	int err;
4650 
4651 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4652 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4653 		return -EOPNOTSUPP;
4654 
4655 	if (!dev->ieee80211_ptr->beacon_interval)
4656 		return -EINVAL;
4657 
4658 	acl = parse_acl_data(&rdev->wiphy, info);
4659 	if (IS_ERR(acl))
4660 		return PTR_ERR(acl);
4661 
4662 	err = rdev_set_mac_acl(rdev, dev, acl);
4663 
4664 	kfree(acl);
4665 
4666 	return err;
4667 }
4668 
4669 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4670 			   u8 *rates, u8 rates_len)
4671 {
4672 	u8 i;
4673 	u32 mask = 0;
4674 
4675 	for (i = 0; i < rates_len; i++) {
4676 		int rate = (rates[i] & 0x7f) * 5;
4677 		int ridx;
4678 
4679 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4680 			struct ieee80211_rate *srate =
4681 				&sband->bitrates[ridx];
4682 			if (rate == srate->bitrate) {
4683 				mask |= 1 << ridx;
4684 				break;
4685 			}
4686 		}
4687 		if (ridx == sband->n_bitrates)
4688 			return 0; /* rate not found */
4689 	}
4690 
4691 	return mask;
4692 }
4693 
4694 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4695 			       u8 *rates, u8 rates_len,
4696 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4697 {
4698 	u8 i;
4699 
4700 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4701 
4702 	for (i = 0; i < rates_len; i++) {
4703 		int ridx, rbit;
4704 
4705 		ridx = rates[i] / 8;
4706 		rbit = BIT(rates[i] % 8);
4707 
4708 		/* check validity */
4709 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4710 			return false;
4711 
4712 		/* check availability */
4713 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4714 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4715 			mcs[ridx] |= rbit;
4716 		else
4717 			return false;
4718 	}
4719 
4720 	return true;
4721 }
4722 
4723 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4724 {
4725 	u16 mcs_mask = 0;
4726 
4727 	switch (vht_mcs_map) {
4728 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4729 		break;
4730 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4731 		mcs_mask = 0x00FF;
4732 		break;
4733 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4734 		mcs_mask = 0x01FF;
4735 		break;
4736 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4737 		mcs_mask = 0x03FF;
4738 		break;
4739 	default:
4740 		break;
4741 	}
4742 
4743 	return mcs_mask;
4744 }
4745 
4746 static void vht_build_mcs_mask(u16 vht_mcs_map,
4747 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4748 {
4749 	u8 nss;
4750 
4751 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4752 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4753 		vht_mcs_map >>= 2;
4754 	}
4755 }
4756 
4757 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4758 			     struct nl80211_txrate_vht *txrate,
4759 			     u16 mcs[NL80211_VHT_NSS_MAX])
4760 {
4761 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4762 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4763 	u8 i;
4764 
4765 	if (!sband->vht_cap.vht_supported)
4766 		return false;
4767 
4768 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4769 
4770 	/* Build vht_mcs_mask from VHT capabilities */
4771 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4772 
4773 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4774 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4775 			mcs[i] = txrate->mcs[i];
4776 		else
4777 			return false;
4778 	}
4779 
4780 	return true;
4781 }
4782 
4783 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4784 {
4785 	switch (he_mcs_map) {
4786 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4787 		return 0;
4788 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4789 		return 0x00FF;
4790 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4791 		return 0x03FF;
4792 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4793 		return 0xFFF;
4794 	default:
4795 		break;
4796 	}
4797 	return 0;
4798 }
4799 
4800 static void he_build_mcs_mask(u16 he_mcs_map,
4801 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4802 {
4803 	u8 nss;
4804 
4805 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4806 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4807 		he_mcs_map >>= 2;
4808 	}
4809 }
4810 
4811 static u16 he_get_txmcsmap(struct genl_info *info,
4812 			   const struct ieee80211_sta_he_cap *he_cap)
4813 {
4814 	struct net_device *dev = info->user_ptr[1];
4815 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4816 	__le16	tx_mcs;
4817 
4818 	switch (wdev->chandef.width) {
4819 	case NL80211_CHAN_WIDTH_80P80:
4820 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4821 		break;
4822 	case NL80211_CHAN_WIDTH_160:
4823 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4824 		break;
4825 	default:
4826 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4827 		break;
4828 	}
4829 	return le16_to_cpu(tx_mcs);
4830 }
4831 
4832 static bool he_set_mcs_mask(struct genl_info *info,
4833 			    struct wireless_dev *wdev,
4834 			    struct ieee80211_supported_band *sband,
4835 			    struct nl80211_txrate_he *txrate,
4836 			    u16 mcs[NL80211_HE_NSS_MAX])
4837 {
4838 	const struct ieee80211_sta_he_cap *he_cap;
4839 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4840 	u16 tx_mcs_map = 0;
4841 	u8 i;
4842 
4843 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4844 	if (!he_cap)
4845 		return false;
4846 
4847 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4848 
4849 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4850 
4851 	/* Build he_mcs_mask from HE capabilities */
4852 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4853 
4854 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4855 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4856 			mcs[i] = txrate->mcs[i];
4857 		else
4858 			return false;
4859 	}
4860 
4861 	return true;
4862 }
4863 
4864 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4865 					 struct nlattr *attrs[],
4866 					 enum nl80211_attrs attr,
4867 					 struct cfg80211_bitrate_mask *mask,
4868 					 struct net_device *dev,
4869 					 bool default_all_enabled)
4870 {
4871 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4872 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4873 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4874 	int rem, i;
4875 	struct nlattr *tx_rates;
4876 	struct ieee80211_supported_band *sband;
4877 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4878 
4879 	memset(mask, 0, sizeof(*mask));
4880 	/* Default to all rates enabled */
4881 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4882 		const struct ieee80211_sta_he_cap *he_cap;
4883 
4884 		if (!default_all_enabled)
4885 			break;
4886 
4887 		sband = rdev->wiphy.bands[i];
4888 
4889 		if (!sband)
4890 			continue;
4891 
4892 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4893 		memcpy(mask->control[i].ht_mcs,
4894 		       sband->ht_cap.mcs.rx_mask,
4895 		       sizeof(mask->control[i].ht_mcs));
4896 
4897 		if (sband->vht_cap.vht_supported) {
4898 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4899 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4900 		}
4901 
4902 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4903 		if (!he_cap)
4904 			continue;
4905 
4906 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4907 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4908 
4909 		mask->control[i].he_gi = 0xFF;
4910 		mask->control[i].he_ltf = 0xFF;
4911 	}
4912 
4913 	/* if no rates are given set it back to the defaults */
4914 	if (!attrs[attr])
4915 		goto out;
4916 
4917 	/* The nested attribute uses enum nl80211_band as the index. This maps
4918 	 * directly to the enum nl80211_band values used in cfg80211.
4919 	 */
4920 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4921 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4922 		enum nl80211_band band = nla_type(tx_rates);
4923 		int err;
4924 
4925 		if (band < 0 || band >= NUM_NL80211_BANDS)
4926 			return -EINVAL;
4927 		sband = rdev->wiphy.bands[band];
4928 		if (sband == NULL)
4929 			return -EINVAL;
4930 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4931 						  tx_rates,
4932 						  nl80211_txattr_policy,
4933 						  info->extack);
4934 		if (err)
4935 			return err;
4936 		if (tb[NL80211_TXRATE_LEGACY]) {
4937 			mask->control[band].legacy = rateset_to_mask(
4938 				sband,
4939 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4940 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4941 			if ((mask->control[band].legacy == 0) &&
4942 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4943 				return -EINVAL;
4944 		}
4945 		if (tb[NL80211_TXRATE_HT]) {
4946 			if (!ht_rateset_to_mask(
4947 					sband,
4948 					nla_data(tb[NL80211_TXRATE_HT]),
4949 					nla_len(tb[NL80211_TXRATE_HT]),
4950 					mask->control[band].ht_mcs))
4951 				return -EINVAL;
4952 		}
4953 
4954 		if (tb[NL80211_TXRATE_VHT]) {
4955 			if (!vht_set_mcs_mask(
4956 					sband,
4957 					nla_data(tb[NL80211_TXRATE_VHT]),
4958 					mask->control[band].vht_mcs))
4959 				return -EINVAL;
4960 		}
4961 
4962 		if (tb[NL80211_TXRATE_GI]) {
4963 			mask->control[band].gi =
4964 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4965 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4966 				return -EINVAL;
4967 		}
4968 		if (tb[NL80211_TXRATE_HE] &&
4969 		    !he_set_mcs_mask(info, wdev, sband,
4970 				     nla_data(tb[NL80211_TXRATE_HE]),
4971 				     mask->control[band].he_mcs))
4972 			return -EINVAL;
4973 
4974 		if (tb[NL80211_TXRATE_HE_GI])
4975 			mask->control[band].he_gi =
4976 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4977 		if (tb[NL80211_TXRATE_HE_LTF])
4978 			mask->control[band].he_ltf =
4979 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4980 
4981 		if (mask->control[band].legacy == 0) {
4982 			/* don't allow empty legacy rates if HT, VHT or HE
4983 			 * are not even supported.
4984 			 */
4985 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4986 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4987 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4988 				return -EINVAL;
4989 
4990 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4991 				if (mask->control[band].ht_mcs[i])
4992 					goto out;
4993 
4994 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4995 				if (mask->control[band].vht_mcs[i])
4996 					goto out;
4997 
4998 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4999 				if (mask->control[band].he_mcs[i])
5000 					goto out;
5001 
5002 			/* legacy and mcs rates may not be both empty */
5003 			return -EINVAL;
5004 		}
5005 	}
5006 
5007 out:
5008 	return 0;
5009 }
5010 
5011 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5012 				   enum nl80211_band band,
5013 				   struct cfg80211_bitrate_mask *beacon_rate)
5014 {
5015 	u32 count_ht, count_vht, count_he, i;
5016 	u32 rate = beacon_rate->control[band].legacy;
5017 
5018 	/* Allow only one rate */
5019 	if (hweight32(rate) > 1)
5020 		return -EINVAL;
5021 
5022 	count_ht = 0;
5023 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5024 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5025 			return -EINVAL;
5026 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5027 			count_ht++;
5028 			if (count_ht > 1)
5029 				return -EINVAL;
5030 		}
5031 		if (count_ht && rate)
5032 			return -EINVAL;
5033 	}
5034 
5035 	count_vht = 0;
5036 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5037 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5038 			return -EINVAL;
5039 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5040 			count_vht++;
5041 			if (count_vht > 1)
5042 				return -EINVAL;
5043 		}
5044 		if (count_vht && rate)
5045 			return -EINVAL;
5046 	}
5047 
5048 	count_he = 0;
5049 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5050 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5051 			return -EINVAL;
5052 		} else if (beacon_rate->control[band].he_mcs[i]) {
5053 			count_he++;
5054 			if (count_he > 1)
5055 				return -EINVAL;
5056 		}
5057 		if (count_he && rate)
5058 			return -EINVAL;
5059 	}
5060 
5061 	if ((count_ht && count_vht && count_he) ||
5062 	    (!rate && !count_ht && !count_vht && !count_he))
5063 		return -EINVAL;
5064 
5065 	if (rate &&
5066 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5067 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5068 		return -EINVAL;
5069 	if (count_ht &&
5070 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5071 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5072 		return -EINVAL;
5073 	if (count_vht &&
5074 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5075 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5076 		return -EINVAL;
5077 	if (count_he &&
5078 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5079 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5080 		return -EINVAL;
5081 
5082 	return 0;
5083 }
5084 
5085 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5086 				       struct net_device *dev,
5087 				       struct nlattr *attrs,
5088 				       struct cfg80211_mbssid_config *config,
5089 				       u8 num_elems)
5090 {
5091 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5092 
5093 	if (!wiphy->mbssid_max_interfaces)
5094 		return -EOPNOTSUPP;
5095 
5096 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5097 			     NULL) ||
5098 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5099 		return -EINVAL;
5100 
5101 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5102 	if (config->ema) {
5103 		if (!wiphy->ema_max_profile_periodicity)
5104 			return -EOPNOTSUPP;
5105 
5106 		if (num_elems > wiphy->ema_max_profile_periodicity)
5107 			return -EINVAL;
5108 	}
5109 
5110 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5111 	if (config->index >= wiphy->mbssid_max_interfaces ||
5112 	    (!config->index && !num_elems))
5113 		return -EINVAL;
5114 
5115 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5116 		u32 tx_ifindex =
5117 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5118 
5119 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5120 		    (config->index && tx_ifindex == dev->ifindex))
5121 			return -EINVAL;
5122 
5123 		if (tx_ifindex != dev->ifindex) {
5124 			struct net_device *tx_netdev =
5125 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5126 
5127 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5128 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5129 			    tx_netdev->ieee80211_ptr->iftype !=
5130 							NL80211_IFTYPE_AP) {
5131 				dev_put(tx_netdev);
5132 				return -EINVAL;
5133 			}
5134 
5135 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5136 		} else {
5137 			config->tx_wdev = dev->ieee80211_ptr;
5138 		}
5139 	} else if (!config->index) {
5140 		config->tx_wdev = dev->ieee80211_ptr;
5141 	} else {
5142 		return -EINVAL;
5143 	}
5144 
5145 	return 0;
5146 }
5147 
5148 static struct cfg80211_mbssid_elems *
5149 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5150 {
5151 	struct nlattr *nl_elems;
5152 	struct cfg80211_mbssid_elems *elems;
5153 	int rem_elems;
5154 	u8 i = 0, num_elems = 0;
5155 
5156 	if (!wiphy->mbssid_max_interfaces)
5157 		return ERR_PTR(-EINVAL);
5158 
5159 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5160 		num_elems++;
5161 
5162 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5163 	if (!elems)
5164 		return ERR_PTR(-ENOMEM);
5165 
5166 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5167 		elems->elem[i].data = nla_data(nl_elems);
5168 		elems->elem[i].len = nla_len(nl_elems);
5169 		i++;
5170 	}
5171 	elems->cnt = num_elems;
5172 	return elems;
5173 }
5174 
5175 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5176 				struct nlattr *attrs[],
5177 				struct cfg80211_beacon_data *bcn)
5178 {
5179 	bool haveinfo = false;
5180 	int err;
5181 
5182 	memset(bcn, 0, sizeof(*bcn));
5183 
5184 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5185 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5186 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5187 		if (!bcn->head_len)
5188 			return -EINVAL;
5189 		haveinfo = true;
5190 	}
5191 
5192 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5193 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5194 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5195 		haveinfo = true;
5196 	}
5197 
5198 	if (!haveinfo)
5199 		return -EINVAL;
5200 
5201 	if (attrs[NL80211_ATTR_IE]) {
5202 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5203 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5204 	}
5205 
5206 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5207 		bcn->proberesp_ies =
5208 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5209 		bcn->proberesp_ies_len =
5210 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5211 	}
5212 
5213 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5214 		bcn->assocresp_ies =
5215 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5216 		bcn->assocresp_ies_len =
5217 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5218 	}
5219 
5220 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5221 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5222 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5223 	}
5224 
5225 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5226 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5227 
5228 		err = nla_parse_nested_deprecated(tb,
5229 						  NL80211_FTM_RESP_ATTR_MAX,
5230 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5231 						  NULL, NULL);
5232 		if (err)
5233 			return err;
5234 
5235 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5236 		    wiphy_ext_feature_isset(&rdev->wiphy,
5237 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5238 			bcn->ftm_responder = 1;
5239 		else
5240 			return -EOPNOTSUPP;
5241 
5242 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5243 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5244 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5245 		}
5246 
5247 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5248 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5249 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5250 		}
5251 	} else {
5252 		bcn->ftm_responder = -1;
5253 	}
5254 
5255 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5256 		struct cfg80211_mbssid_elems *mbssid =
5257 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5258 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5259 
5260 		if (IS_ERR(mbssid))
5261 			return PTR_ERR(mbssid);
5262 
5263 		bcn->mbssid_ies = mbssid;
5264 	}
5265 
5266 	return 0;
5267 }
5268 
5269 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5270 				    struct ieee80211_he_obss_pd *he_obss_pd)
5271 {
5272 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5273 	int err;
5274 
5275 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5276 			       he_obss_pd_policy, NULL);
5277 	if (err)
5278 		return err;
5279 
5280 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5281 		return -EINVAL;
5282 
5283 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5284 
5285 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5286 		he_obss_pd->min_offset =
5287 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5288 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5289 		he_obss_pd->max_offset =
5290 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5291 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5292 		he_obss_pd->non_srg_max_offset =
5293 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5294 
5295 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5296 		return -EINVAL;
5297 
5298 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5299 		memcpy(he_obss_pd->bss_color_bitmap,
5300 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5301 		       sizeof(he_obss_pd->bss_color_bitmap));
5302 
5303 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5304 		memcpy(he_obss_pd->partial_bssid_bitmap,
5305 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5306 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5307 
5308 	he_obss_pd->enable = true;
5309 
5310 	return 0;
5311 }
5312 
5313 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5314 				      struct cfg80211_he_bss_color *he_bss_color)
5315 {
5316 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5317 	int err;
5318 
5319 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5320 			       he_bss_color_policy, NULL);
5321 	if (err)
5322 		return err;
5323 
5324 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5325 		return -EINVAL;
5326 
5327 	he_bss_color->color =
5328 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5329 	he_bss_color->enabled =
5330 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5331 	he_bss_color->partial =
5332 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5333 
5334 	return 0;
5335 }
5336 
5337 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5338 					struct nlattr *attrs,
5339 					struct cfg80211_ap_settings *params)
5340 {
5341 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5342 	int ret;
5343 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5344 
5345 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5346 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5347 		return -EINVAL;
5348 
5349 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5350 			       NULL, NULL);
5351 	if (ret)
5352 		return ret;
5353 
5354 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5355 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5356 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5357 		return -EINVAL;
5358 
5359 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5360 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5361 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5362 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5363 
5364 	return 0;
5365 }
5366 
5367 static int
5368 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5369 				     struct nlattr *attrs,
5370 				     struct cfg80211_ap_settings *params)
5371 {
5372 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5373 	int ret;
5374 	struct cfg80211_unsol_bcast_probe_resp *presp =
5375 					&params->unsol_bcast_probe_resp;
5376 
5377 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5378 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5379 		return -EINVAL;
5380 
5381 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5382 			       attrs, NULL, NULL);
5383 	if (ret)
5384 		return ret;
5385 
5386 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5387 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5388 		return -EINVAL;
5389 
5390 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5391 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5392 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5393 	return 0;
5394 }
5395 
5396 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5397 					    const struct element *rates)
5398 {
5399 	int i;
5400 
5401 	if (!rates)
5402 		return;
5403 
5404 	for (i = 0; i < rates->datalen; i++) {
5405 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5406 			params->ht_required = true;
5407 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5408 			params->vht_required = true;
5409 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5410 			params->he_required = true;
5411 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5412 			params->sae_h2e_required = true;
5413 	}
5414 }
5415 
5416 /*
5417  * Since the nl80211 API didn't include, from the beginning, attributes about
5418  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5419  * benefit of drivers that rebuild IEs in the firmware.
5420  */
5421 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5422 {
5423 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5424 	size_t ies_len = bcn->tail_len;
5425 	const u8 *ies = bcn->tail;
5426 	const struct element *rates;
5427 	const struct element *cap;
5428 
5429 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5430 	nl80211_check_ap_rate_selectors(params, rates);
5431 
5432 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5433 	nl80211_check_ap_rate_selectors(params, rates);
5434 
5435 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5436 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5437 		params->ht_cap = (void *)cap->data;
5438 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5439 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5440 		params->vht_cap = (void *)cap->data;
5441 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5442 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5443 		params->he_cap = (void *)(cap->data + 1);
5444 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5445 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5446 		params->he_oper = (void *)(cap->data + 1);
5447 }
5448 
5449 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5450 				   struct cfg80211_ap_settings *params)
5451 {
5452 	struct wireless_dev *wdev;
5453 	bool ret = false;
5454 
5455 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5456 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5457 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5458 			continue;
5459 
5460 		if (!wdev->preset_chandef.chan)
5461 			continue;
5462 
5463 		params->chandef = wdev->preset_chandef;
5464 		ret = true;
5465 		break;
5466 	}
5467 
5468 	return ret;
5469 }
5470 
5471 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5472 				    enum nl80211_auth_type auth_type,
5473 				    enum nl80211_commands cmd)
5474 {
5475 	if (auth_type > NL80211_AUTHTYPE_MAX)
5476 		return false;
5477 
5478 	switch (cmd) {
5479 	case NL80211_CMD_AUTHENTICATE:
5480 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5481 		    auth_type == NL80211_AUTHTYPE_SAE)
5482 			return false;
5483 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5484 					     NL80211_EXT_FEATURE_FILS_STA) &&
5485 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5486 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5487 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5488 			return false;
5489 		return true;
5490 	case NL80211_CMD_CONNECT:
5491 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5492 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5493 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5494 		    auth_type == NL80211_AUTHTYPE_SAE)
5495 			return false;
5496 
5497 		/* FILS with SK PFS or PK not supported yet */
5498 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5499 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5500 			return false;
5501 		if (!wiphy_ext_feature_isset(
5502 			    &rdev->wiphy,
5503 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5504 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5505 			return false;
5506 		return true;
5507 	case NL80211_CMD_START_AP:
5508 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5509 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5510 		    auth_type == NL80211_AUTHTYPE_SAE)
5511 			return false;
5512 		/* FILS not supported yet */
5513 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5514 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5515 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5516 			return false;
5517 		return true;
5518 	default:
5519 		return false;
5520 	}
5521 }
5522 
5523 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5524 {
5525 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5526 	struct net_device *dev = info->user_ptr[1];
5527 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5528 	struct cfg80211_ap_settings *params;
5529 	int err;
5530 
5531 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5532 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5533 		return -EOPNOTSUPP;
5534 
5535 	if (!rdev->ops->start_ap)
5536 		return -EOPNOTSUPP;
5537 
5538 	if (wdev->beacon_interval)
5539 		return -EALREADY;
5540 
5541 	/* these are required for START_AP */
5542 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5543 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5544 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5545 		return -EINVAL;
5546 
5547 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5548 	if (!params)
5549 		return -ENOMEM;
5550 
5551 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5552 	if (err)
5553 		goto out;
5554 
5555 	params->beacon_interval =
5556 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5557 	params->dtim_period =
5558 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5559 
5560 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5561 					   params->beacon_interval);
5562 	if (err)
5563 		goto out;
5564 
5565 	/*
5566 	 * In theory, some of these attributes should be required here
5567 	 * but since they were not used when the command was originally
5568 	 * added, keep them optional for old user space programs to let
5569 	 * them continue to work with drivers that do not need the
5570 	 * additional information -- drivers must check!
5571 	 */
5572 	if (info->attrs[NL80211_ATTR_SSID]) {
5573 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5574 		params->ssid_len =
5575 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5576 		if (params->ssid_len == 0) {
5577 			err = -EINVAL;
5578 			goto out;
5579 		}
5580 	}
5581 
5582 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5583 		params->hidden_ssid = nla_get_u32(
5584 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5585 
5586 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5587 
5588 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5589 		params->auth_type = nla_get_u32(
5590 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5591 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5592 					     NL80211_CMD_START_AP)) {
5593 			err = -EINVAL;
5594 			goto out;
5595 		}
5596 	} else
5597 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5598 
5599 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5600 				      NL80211_MAX_NR_CIPHER_SUITES);
5601 	if (err)
5602 		goto out;
5603 
5604 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5605 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5606 			err = -EOPNOTSUPP;
5607 			goto out;
5608 		}
5609 		params->inactivity_timeout = nla_get_u16(
5610 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5611 	}
5612 
5613 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5614 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5615 			err = -EINVAL;
5616 			goto out;
5617 		}
5618 		params->p2p_ctwindow =
5619 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5620 		if (params->p2p_ctwindow != 0 &&
5621 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5622 			err = -EINVAL;
5623 			goto out;
5624 		}
5625 	}
5626 
5627 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5628 		u8 tmp;
5629 
5630 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5631 			err = -EINVAL;
5632 			goto out;
5633 		}
5634 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5635 		params->p2p_opp_ps = tmp;
5636 		if (params->p2p_opp_ps != 0 &&
5637 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5638 			err = -EINVAL;
5639 			goto out;
5640 		}
5641 	}
5642 
5643 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5644 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5645 		if (err)
5646 			goto out;
5647 	} else if (wdev->preset_chandef.chan) {
5648 		params->chandef = wdev->preset_chandef;
5649 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5650 		err = -EINVAL;
5651 		goto out;
5652 	}
5653 
5654 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5655 					   wdev->iftype)) {
5656 		err = -EINVAL;
5657 		goto out;
5658 	}
5659 
5660 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5661 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5662 						    NL80211_ATTR_TX_RATES,
5663 						    &params->beacon_rate,
5664 						    dev, false);
5665 		if (err)
5666 			goto out;
5667 
5668 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5669 					      &params->beacon_rate);
5670 		if (err)
5671 			goto out;
5672 	}
5673 
5674 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5675 		params->smps_mode =
5676 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5677 		switch (params->smps_mode) {
5678 		case NL80211_SMPS_OFF:
5679 			break;
5680 		case NL80211_SMPS_STATIC:
5681 			if (!(rdev->wiphy.features &
5682 			      NL80211_FEATURE_STATIC_SMPS)) {
5683 				err = -EINVAL;
5684 				goto out;
5685 			}
5686 			break;
5687 		case NL80211_SMPS_DYNAMIC:
5688 			if (!(rdev->wiphy.features &
5689 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5690 				err = -EINVAL;
5691 				goto out;
5692 			}
5693 			break;
5694 		default:
5695 			err = -EINVAL;
5696 			goto out;
5697 		}
5698 	} else {
5699 		params->smps_mode = NL80211_SMPS_OFF;
5700 	}
5701 
5702 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5703 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5704 		err = -EOPNOTSUPP;
5705 		goto out;
5706 	}
5707 
5708 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5709 		params->acl = parse_acl_data(&rdev->wiphy, info);
5710 		if (IS_ERR(params->acl)) {
5711 			err = PTR_ERR(params->acl);
5712 			params->acl = NULL;
5713 			goto out;
5714 		}
5715 	}
5716 
5717 	params->twt_responder =
5718 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5719 
5720 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5721 		err = nl80211_parse_he_obss_pd(
5722 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5723 					&params->he_obss_pd);
5724 		if (err)
5725 			goto out;
5726 	}
5727 
5728 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5729 		err = nl80211_parse_he_bss_color(
5730 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5731 					&params->he_bss_color);
5732 		if (err)
5733 			goto out;
5734 	}
5735 
5736 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5737 		err = nl80211_parse_fils_discovery(rdev,
5738 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5739 						   params);
5740 		if (err)
5741 			goto out;
5742 	}
5743 
5744 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5745 		err = nl80211_parse_unsol_bcast_probe_resp(
5746 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5747 			params);
5748 		if (err)
5749 			goto out;
5750 	}
5751 
5752 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5753 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5754 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5755 						  &params->mbssid_config,
5756 						  params->beacon.mbssid_ies ?
5757 							params->beacon.mbssid_ies->cnt :
5758 							0);
5759 		if (err)
5760 			goto out;
5761 	}
5762 
5763 	nl80211_calculate_ap_params(params);
5764 
5765 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5766 		params->flags = nla_get_u32(
5767 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5768 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5769 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5770 
5771 	wdev_lock(wdev);
5772 	err = rdev_start_ap(rdev, dev, params);
5773 	if (!err) {
5774 		wdev->preset_chandef = params->chandef;
5775 		wdev->beacon_interval = params->beacon_interval;
5776 		wdev->chandef = params->chandef;
5777 		wdev->ssid_len = params->ssid_len;
5778 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5779 
5780 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5781 			wdev->conn_owner_nlportid = info->snd_portid;
5782 	}
5783 	wdev_unlock(wdev);
5784 
5785 out:
5786 	kfree(params->acl);
5787 	kfree(params->beacon.mbssid_ies);
5788 	if (params->mbssid_config.tx_wdev &&
5789 	    params->mbssid_config.tx_wdev->netdev &&
5790 	    params->mbssid_config.tx_wdev->netdev != dev)
5791 		dev_put(params->mbssid_config.tx_wdev->netdev);
5792 	kfree(params);
5793 
5794 	return err;
5795 }
5796 
5797 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5798 {
5799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5800 	struct net_device *dev = info->user_ptr[1];
5801 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5802 	struct cfg80211_beacon_data params;
5803 	int err;
5804 
5805 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5806 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5807 		return -EOPNOTSUPP;
5808 
5809 	if (!rdev->ops->change_beacon)
5810 		return -EOPNOTSUPP;
5811 
5812 	if (!wdev->beacon_interval)
5813 		return -EINVAL;
5814 
5815 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5816 	if (err)
5817 		goto out;
5818 
5819 	wdev_lock(wdev);
5820 	err = rdev_change_beacon(rdev, dev, &params);
5821 	wdev_unlock(wdev);
5822 
5823 out:
5824 	kfree(params.mbssid_ies);
5825 	return err;
5826 }
5827 
5828 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5829 {
5830 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5831 	struct net_device *dev = info->user_ptr[1];
5832 
5833 	return cfg80211_stop_ap(rdev, dev, false);
5834 }
5835 
5836 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5837 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5838 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5839 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5840 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5841 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5842 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5843 };
5844 
5845 static int parse_station_flags(struct genl_info *info,
5846 			       enum nl80211_iftype iftype,
5847 			       struct station_parameters *params)
5848 {
5849 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5850 	struct nlattr *nla;
5851 	int flag;
5852 
5853 	/*
5854 	 * Try parsing the new attribute first so userspace
5855 	 * can specify both for older kernels.
5856 	 */
5857 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5858 	if (nla) {
5859 		struct nl80211_sta_flag_update *sta_flags;
5860 
5861 		sta_flags = nla_data(nla);
5862 		params->sta_flags_mask = sta_flags->mask;
5863 		params->sta_flags_set = sta_flags->set;
5864 		params->sta_flags_set &= params->sta_flags_mask;
5865 		if ((params->sta_flags_mask |
5866 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5867 			return -EINVAL;
5868 		return 0;
5869 	}
5870 
5871 	/* if present, parse the old attribute */
5872 
5873 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5874 	if (!nla)
5875 		return 0;
5876 
5877 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5878 		return -EINVAL;
5879 
5880 	/*
5881 	 * Only allow certain flags for interface types so that
5882 	 * other attributes are silently ignored. Remember that
5883 	 * this is backward compatibility code with old userspace
5884 	 * and shouldn't be hit in other cases anyway.
5885 	 */
5886 	switch (iftype) {
5887 	case NL80211_IFTYPE_AP:
5888 	case NL80211_IFTYPE_AP_VLAN:
5889 	case NL80211_IFTYPE_P2P_GO:
5890 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5891 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5892 					 BIT(NL80211_STA_FLAG_WME) |
5893 					 BIT(NL80211_STA_FLAG_MFP);
5894 		break;
5895 	case NL80211_IFTYPE_P2P_CLIENT:
5896 	case NL80211_IFTYPE_STATION:
5897 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5898 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5899 		break;
5900 	case NL80211_IFTYPE_MESH_POINT:
5901 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5902 					 BIT(NL80211_STA_FLAG_MFP) |
5903 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5904 		break;
5905 	default:
5906 		return -EINVAL;
5907 	}
5908 
5909 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5910 		if (flags[flag]) {
5911 			params->sta_flags_set |= (1<<flag);
5912 
5913 			/* no longer support new API additions in old API */
5914 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5915 				return -EINVAL;
5916 		}
5917 	}
5918 
5919 	return 0;
5920 }
5921 
5922 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5923 {
5924 	struct nlattr *rate;
5925 	u32 bitrate;
5926 	u16 bitrate_compat;
5927 	enum nl80211_rate_info rate_flg;
5928 
5929 	rate = nla_nest_start_noflag(msg, attr);
5930 	if (!rate)
5931 		return false;
5932 
5933 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5934 	bitrate = cfg80211_calculate_bitrate(info);
5935 	/* report 16-bit bitrate only if we can */
5936 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5937 	if (bitrate > 0 &&
5938 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5939 		return false;
5940 	if (bitrate_compat > 0 &&
5941 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5942 		return false;
5943 
5944 	switch (info->bw) {
5945 	case RATE_INFO_BW_5:
5946 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5947 		break;
5948 	case RATE_INFO_BW_10:
5949 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5950 		break;
5951 	default:
5952 		WARN_ON(1);
5953 		fallthrough;
5954 	case RATE_INFO_BW_20:
5955 		rate_flg = 0;
5956 		break;
5957 	case RATE_INFO_BW_40:
5958 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5959 		break;
5960 	case RATE_INFO_BW_80:
5961 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5962 		break;
5963 	case RATE_INFO_BW_160:
5964 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5965 		break;
5966 	case RATE_INFO_BW_HE_RU:
5967 		rate_flg = 0;
5968 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5969 		break;
5970 	case RATE_INFO_BW_320:
5971 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
5972 		break;
5973 	case RATE_INFO_BW_EHT_RU:
5974 		rate_flg = 0;
5975 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
5976 		break;
5977 	}
5978 
5979 	if (rate_flg && nla_put_flag(msg, rate_flg))
5980 		return false;
5981 
5982 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5983 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5984 			return false;
5985 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5986 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5987 			return false;
5988 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5989 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5990 			return false;
5991 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5992 			return false;
5993 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5994 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5995 			return false;
5996 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5997 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5998 			return false;
5999 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6000 			return false;
6001 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6002 			return false;
6003 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6004 			return false;
6005 		if (info->bw == RATE_INFO_BW_HE_RU &&
6006 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6007 			       info->he_ru_alloc))
6008 			return false;
6009 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6010 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6011 			return false;
6012 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6013 			return false;
6014 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6015 			return false;
6016 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6017 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6018 			       info->eht_ru_alloc))
6019 			return false;
6020 	}
6021 
6022 	nla_nest_end(msg, rate);
6023 	return true;
6024 }
6025 
6026 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6027 			       int id)
6028 {
6029 	void *attr;
6030 	int i = 0;
6031 
6032 	if (!mask)
6033 		return true;
6034 
6035 	attr = nla_nest_start_noflag(msg, id);
6036 	if (!attr)
6037 		return false;
6038 
6039 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6040 		if (!(mask & BIT(i)))
6041 			continue;
6042 
6043 		if (nla_put_u8(msg, i, signal[i]))
6044 			return false;
6045 	}
6046 
6047 	nla_nest_end(msg, attr);
6048 
6049 	return true;
6050 }
6051 
6052 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6053 				u32 seq, int flags,
6054 				struct cfg80211_registered_device *rdev,
6055 				struct net_device *dev,
6056 				const u8 *mac_addr, struct station_info *sinfo)
6057 {
6058 	void *hdr;
6059 	struct nlattr *sinfoattr, *bss_param;
6060 
6061 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6062 	if (!hdr) {
6063 		cfg80211_sinfo_release_content(sinfo);
6064 		return -1;
6065 	}
6066 
6067 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6068 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6069 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6070 		goto nla_put_failure;
6071 
6072 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6073 	if (!sinfoattr)
6074 		goto nla_put_failure;
6075 
6076 #define PUT_SINFO(attr, memb, type) do {				\
6077 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6078 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6079 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6080 			     sinfo->memb))				\
6081 		goto nla_put_failure;					\
6082 	} while (0)
6083 #define PUT_SINFO_U64(attr, memb) do {					\
6084 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6085 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6086 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6087 		goto nla_put_failure;					\
6088 	} while (0)
6089 
6090 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6091 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6092 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6093 
6094 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6095 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6096 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6097 			(u32)sinfo->rx_bytes))
6098 		goto nla_put_failure;
6099 
6100 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6101 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6102 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6103 			(u32)sinfo->tx_bytes))
6104 		goto nla_put_failure;
6105 
6106 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6107 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6108 	PUT_SINFO(LLID, llid, u16);
6109 	PUT_SINFO(PLID, plid, u16);
6110 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6111 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6112 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6113 
6114 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6115 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6116 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6117 
6118 	switch (rdev->wiphy.signal_type) {
6119 	case CFG80211_SIGNAL_TYPE_MBM:
6120 		PUT_SINFO(SIGNAL, signal, u8);
6121 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6122 		break;
6123 	default:
6124 		break;
6125 	}
6126 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6127 		if (!nl80211_put_signal(msg, sinfo->chains,
6128 					sinfo->chain_signal,
6129 					NL80211_STA_INFO_CHAIN_SIGNAL))
6130 			goto nla_put_failure;
6131 	}
6132 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6133 		if (!nl80211_put_signal(msg, sinfo->chains,
6134 					sinfo->chain_signal_avg,
6135 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6136 			goto nla_put_failure;
6137 	}
6138 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6139 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6140 					  NL80211_STA_INFO_TX_BITRATE))
6141 			goto nla_put_failure;
6142 	}
6143 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6144 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6145 					  NL80211_STA_INFO_RX_BITRATE))
6146 			goto nla_put_failure;
6147 	}
6148 
6149 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6150 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6151 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6152 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6153 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6154 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6155 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6156 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6157 	PUT_SINFO(PEER_PM, peer_pm, u32);
6158 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6159 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6160 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6161 
6162 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6163 		bss_param = nla_nest_start_noflag(msg,
6164 						  NL80211_STA_INFO_BSS_PARAM);
6165 		if (!bss_param)
6166 			goto nla_put_failure;
6167 
6168 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6169 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6170 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6171 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6172 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6173 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6174 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6175 			       sinfo->bss_param.dtim_period) ||
6176 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6177 				sinfo->bss_param.beacon_interval))
6178 			goto nla_put_failure;
6179 
6180 		nla_nest_end(msg, bss_param);
6181 	}
6182 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6183 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6184 		    sizeof(struct nl80211_sta_flag_update),
6185 		    &sinfo->sta_flags))
6186 		goto nla_put_failure;
6187 
6188 	PUT_SINFO_U64(T_OFFSET, t_offset);
6189 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6190 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6191 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6192 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6193 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6194 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6195 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6196 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6197 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6198 	}
6199 
6200 #undef PUT_SINFO
6201 #undef PUT_SINFO_U64
6202 
6203 	if (sinfo->pertid) {
6204 		struct nlattr *tidsattr;
6205 		int tid;
6206 
6207 		tidsattr = nla_nest_start_noflag(msg,
6208 						 NL80211_STA_INFO_TID_STATS);
6209 		if (!tidsattr)
6210 			goto nla_put_failure;
6211 
6212 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6213 			struct cfg80211_tid_stats *tidstats;
6214 			struct nlattr *tidattr;
6215 
6216 			tidstats = &sinfo->pertid[tid];
6217 
6218 			if (!tidstats->filled)
6219 				continue;
6220 
6221 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6222 			if (!tidattr)
6223 				goto nla_put_failure;
6224 
6225 #define PUT_TIDVAL_U64(attr, memb) do {					\
6226 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6227 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6228 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6229 		goto nla_put_failure;					\
6230 	} while (0)
6231 
6232 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6233 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6234 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6235 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6236 
6237 #undef PUT_TIDVAL_U64
6238 			if ((tidstats->filled &
6239 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6240 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6241 						   NL80211_TID_STATS_TXQ_STATS))
6242 				goto nla_put_failure;
6243 
6244 			nla_nest_end(msg, tidattr);
6245 		}
6246 
6247 		nla_nest_end(msg, tidsattr);
6248 	}
6249 
6250 	nla_nest_end(msg, sinfoattr);
6251 
6252 	if (sinfo->assoc_req_ies_len &&
6253 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6254 		    sinfo->assoc_req_ies))
6255 		goto nla_put_failure;
6256 
6257 	cfg80211_sinfo_release_content(sinfo);
6258 	genlmsg_end(msg, hdr);
6259 	return 0;
6260 
6261  nla_put_failure:
6262 	cfg80211_sinfo_release_content(sinfo);
6263 	genlmsg_cancel(msg, hdr);
6264 	return -EMSGSIZE;
6265 }
6266 
6267 static int nl80211_dump_station(struct sk_buff *skb,
6268 				struct netlink_callback *cb)
6269 {
6270 	struct station_info sinfo;
6271 	struct cfg80211_registered_device *rdev;
6272 	struct wireless_dev *wdev;
6273 	u8 mac_addr[ETH_ALEN];
6274 	int sta_idx = cb->args[2];
6275 	int err;
6276 
6277 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6278 	if (err)
6279 		return err;
6280 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6281 	__acquire(&rdev->wiphy.mtx);
6282 
6283 	if (!wdev->netdev) {
6284 		err = -EINVAL;
6285 		goto out_err;
6286 	}
6287 
6288 	if (!rdev->ops->dump_station) {
6289 		err = -EOPNOTSUPP;
6290 		goto out_err;
6291 	}
6292 
6293 	while (1) {
6294 		memset(&sinfo, 0, sizeof(sinfo));
6295 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6296 					mac_addr, &sinfo);
6297 		if (err == -ENOENT)
6298 			break;
6299 		if (err)
6300 			goto out_err;
6301 
6302 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6303 				NETLINK_CB(cb->skb).portid,
6304 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6305 				rdev, wdev->netdev, mac_addr,
6306 				&sinfo) < 0)
6307 			goto out;
6308 
6309 		sta_idx++;
6310 	}
6311 
6312  out:
6313 	cb->args[2] = sta_idx;
6314 	err = skb->len;
6315  out_err:
6316 	wiphy_unlock(&rdev->wiphy);
6317 
6318 	return err;
6319 }
6320 
6321 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6322 {
6323 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6324 	struct net_device *dev = info->user_ptr[1];
6325 	struct station_info sinfo;
6326 	struct sk_buff *msg;
6327 	u8 *mac_addr = NULL;
6328 	int err;
6329 
6330 	memset(&sinfo, 0, sizeof(sinfo));
6331 
6332 	if (!info->attrs[NL80211_ATTR_MAC])
6333 		return -EINVAL;
6334 
6335 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6336 
6337 	if (!rdev->ops->get_station)
6338 		return -EOPNOTSUPP;
6339 
6340 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6341 	if (err)
6342 		return err;
6343 
6344 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6345 	if (!msg) {
6346 		cfg80211_sinfo_release_content(&sinfo);
6347 		return -ENOMEM;
6348 	}
6349 
6350 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6351 				 info->snd_portid, info->snd_seq, 0,
6352 				 rdev, dev, mac_addr, &sinfo) < 0) {
6353 		nlmsg_free(msg);
6354 		return -ENOBUFS;
6355 	}
6356 
6357 	return genlmsg_reply(msg, info);
6358 }
6359 
6360 int cfg80211_check_station_change(struct wiphy *wiphy,
6361 				  struct station_parameters *params,
6362 				  enum cfg80211_station_type statype)
6363 {
6364 	if (params->listen_interval != -1 &&
6365 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6366 		return -EINVAL;
6367 
6368 	if (params->support_p2p_ps != -1 &&
6369 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6370 		return -EINVAL;
6371 
6372 	if (params->aid &&
6373 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6374 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6375 		return -EINVAL;
6376 
6377 	/* When you run into this, adjust the code below for the new flag */
6378 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6379 
6380 	switch (statype) {
6381 	case CFG80211_STA_MESH_PEER_KERNEL:
6382 	case CFG80211_STA_MESH_PEER_USER:
6383 		/*
6384 		 * No ignoring the TDLS flag here -- the userspace mesh
6385 		 * code doesn't have the bug of including TDLS in the
6386 		 * mask everywhere.
6387 		 */
6388 		if (params->sta_flags_mask &
6389 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6390 				  BIT(NL80211_STA_FLAG_MFP) |
6391 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6392 			return -EINVAL;
6393 		break;
6394 	case CFG80211_STA_TDLS_PEER_SETUP:
6395 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6396 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6397 			return -EINVAL;
6398 		/* ignore since it can't change */
6399 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6400 		break;
6401 	default:
6402 		/* disallow mesh-specific things */
6403 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6404 			return -EINVAL;
6405 		if (params->local_pm)
6406 			return -EINVAL;
6407 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6408 			return -EINVAL;
6409 	}
6410 
6411 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6412 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6413 		/* TDLS can't be set, ... */
6414 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6415 			return -EINVAL;
6416 		/*
6417 		 * ... but don't bother the driver with it. This works around
6418 		 * a hostapd/wpa_supplicant issue -- it always includes the
6419 		 * TLDS_PEER flag in the mask even for AP mode.
6420 		 */
6421 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6422 	}
6423 
6424 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6425 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6426 		/* reject other things that can't change */
6427 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6428 			return -EINVAL;
6429 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6430 			return -EINVAL;
6431 		if (params->supported_rates)
6432 			return -EINVAL;
6433 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6434 		    params->he_capa || params->eht_capa)
6435 			return -EINVAL;
6436 	}
6437 
6438 	if (statype != CFG80211_STA_AP_CLIENT &&
6439 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6440 		if (params->vlan)
6441 			return -EINVAL;
6442 	}
6443 
6444 	switch (statype) {
6445 	case CFG80211_STA_AP_MLME_CLIENT:
6446 		/* Use this only for authorizing/unauthorizing a station */
6447 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6448 			return -EOPNOTSUPP;
6449 		break;
6450 	case CFG80211_STA_AP_CLIENT:
6451 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6452 		/* accept only the listed bits */
6453 		if (params->sta_flags_mask &
6454 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6455 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6456 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6457 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6458 				  BIT(NL80211_STA_FLAG_WME) |
6459 				  BIT(NL80211_STA_FLAG_MFP)))
6460 			return -EINVAL;
6461 
6462 		/* but authenticated/associated only if driver handles it */
6463 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6464 		    params->sta_flags_mask &
6465 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6466 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6467 			return -EINVAL;
6468 		break;
6469 	case CFG80211_STA_IBSS:
6470 	case CFG80211_STA_AP_STA:
6471 		/* reject any changes other than AUTHORIZED */
6472 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6473 			return -EINVAL;
6474 		break;
6475 	case CFG80211_STA_TDLS_PEER_SETUP:
6476 		/* reject any changes other than AUTHORIZED or WME */
6477 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6478 					       BIT(NL80211_STA_FLAG_WME)))
6479 			return -EINVAL;
6480 		/* force (at least) rates when authorizing */
6481 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6482 		    !params->supported_rates)
6483 			return -EINVAL;
6484 		break;
6485 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6486 		/* reject any changes */
6487 		return -EINVAL;
6488 	case CFG80211_STA_MESH_PEER_KERNEL:
6489 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6490 			return -EINVAL;
6491 		break;
6492 	case CFG80211_STA_MESH_PEER_USER:
6493 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6494 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6495 			return -EINVAL;
6496 		break;
6497 	}
6498 
6499 	/*
6500 	 * Older kernel versions ignored this attribute entirely, so don't
6501 	 * reject attempts to update it but mark it as unused instead so the
6502 	 * driver won't look at the data.
6503 	 */
6504 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6505 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6506 		params->opmode_notif_used = false;
6507 
6508 	return 0;
6509 }
6510 EXPORT_SYMBOL(cfg80211_check_station_change);
6511 
6512 /*
6513  * Get vlan interface making sure it is running and on the right wiphy.
6514  */
6515 static struct net_device *get_vlan(struct genl_info *info,
6516 				   struct cfg80211_registered_device *rdev)
6517 {
6518 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6519 	struct net_device *v;
6520 	int ret;
6521 
6522 	if (!vlanattr)
6523 		return NULL;
6524 
6525 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6526 	if (!v)
6527 		return ERR_PTR(-ENODEV);
6528 
6529 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6530 		ret = -EINVAL;
6531 		goto error;
6532 	}
6533 
6534 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6535 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6536 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6537 		ret = -EINVAL;
6538 		goto error;
6539 	}
6540 
6541 	if (!netif_running(v)) {
6542 		ret = -ENETDOWN;
6543 		goto error;
6544 	}
6545 
6546 	return v;
6547  error:
6548 	dev_put(v);
6549 	return ERR_PTR(ret);
6550 }
6551 
6552 static const struct nla_policy
6553 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6554 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6555 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6556 };
6557 
6558 static int nl80211_parse_sta_wme(struct genl_info *info,
6559 				 struct station_parameters *params)
6560 {
6561 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6562 	struct nlattr *nla;
6563 	int err;
6564 
6565 	/* parse WME attributes if present */
6566 	if (!info->attrs[NL80211_ATTR_STA_WME])
6567 		return 0;
6568 
6569 	nla = info->attrs[NL80211_ATTR_STA_WME];
6570 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6571 					  nl80211_sta_wme_policy,
6572 					  info->extack);
6573 	if (err)
6574 		return err;
6575 
6576 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6577 		params->uapsd_queues = nla_get_u8(
6578 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6579 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6580 		return -EINVAL;
6581 
6582 	if (tb[NL80211_STA_WME_MAX_SP])
6583 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6584 
6585 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6586 		return -EINVAL;
6587 
6588 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6589 
6590 	return 0;
6591 }
6592 
6593 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6594 				      struct station_parameters *params)
6595 {
6596 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6597 		params->supported_channels =
6598 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6599 		params->supported_channels_len =
6600 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6601 		/*
6602 		 * Need to include at least one (first channel, number of
6603 		 * channels) tuple for each subband (checked in policy),
6604 		 * and must have proper tuples for the rest of the data as well.
6605 		 */
6606 		if (params->supported_channels_len % 2)
6607 			return -EINVAL;
6608 	}
6609 
6610 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6611 		params->supported_oper_classes =
6612 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6613 		params->supported_oper_classes_len =
6614 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6615 	}
6616 	return 0;
6617 }
6618 
6619 static int nl80211_set_station_tdls(struct genl_info *info,
6620 				    struct station_parameters *params)
6621 {
6622 	int err;
6623 	/* Dummy STA entry gets updated once the peer capabilities are known */
6624 	if (info->attrs[NL80211_ATTR_PEER_AID])
6625 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6626 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6627 		params->ht_capa =
6628 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6629 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6630 		params->vht_capa =
6631 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6632 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6633 		params->he_capa =
6634 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6635 		params->he_capa_len =
6636 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6637 
6638 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6639 			params->eht_capa =
6640 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6641 			params->eht_capa_len =
6642 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6643 
6644 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_capa,
6645 							(const u8 *)params->eht_capa,
6646 							params->eht_capa_len))
6647 				return -EINVAL;
6648 		}
6649 	}
6650 
6651 	err = nl80211_parse_sta_channel_info(info, params);
6652 	if (err)
6653 		return err;
6654 
6655 	return nl80211_parse_sta_wme(info, params);
6656 }
6657 
6658 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6659 					     struct station_parameters *params)
6660 {
6661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6662 	int idx;
6663 
6664 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6665 		if (!rdev->ops->set_tx_power ||
6666 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6667 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6668 			return -EOPNOTSUPP;
6669 
6670 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6671 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6672 
6673 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6674 			idx = NL80211_ATTR_STA_TX_POWER;
6675 
6676 			if (info->attrs[idx])
6677 				params->txpwr.power =
6678 					nla_get_s16(info->attrs[idx]);
6679 			else
6680 				return -EINVAL;
6681 		}
6682 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6683 	}
6684 
6685 	return 0;
6686 }
6687 
6688 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6689 {
6690 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6691 	struct net_device *dev = info->user_ptr[1];
6692 	struct station_parameters params;
6693 	u8 *mac_addr;
6694 	int err;
6695 
6696 	memset(&params, 0, sizeof(params));
6697 
6698 	if (!rdev->ops->change_station)
6699 		return -EOPNOTSUPP;
6700 
6701 	/*
6702 	 * AID and listen_interval properties can be set only for unassociated
6703 	 * station. Include these parameters here and will check them in
6704 	 * cfg80211_check_station_change().
6705 	 */
6706 	if (info->attrs[NL80211_ATTR_STA_AID])
6707 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6708 
6709 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6710 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6711 
6712 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6713 		params.listen_interval =
6714 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6715 	else
6716 		params.listen_interval = -1;
6717 
6718 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6719 		params.support_p2p_ps =
6720 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6721 	else
6722 		params.support_p2p_ps = -1;
6723 
6724 	if (!info->attrs[NL80211_ATTR_MAC])
6725 		return -EINVAL;
6726 
6727 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6728 
6729 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6730 		params.supported_rates =
6731 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6732 		params.supported_rates_len =
6733 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6734 	}
6735 
6736 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6737 		params.capability =
6738 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6739 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6740 	}
6741 
6742 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6743 		params.ext_capab =
6744 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6745 		params.ext_capab_len =
6746 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6747 	}
6748 
6749 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6750 		return -EINVAL;
6751 
6752 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6753 		params.plink_action =
6754 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6755 
6756 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6757 		params.plink_state =
6758 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6759 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6760 			params.peer_aid = nla_get_u16(
6761 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6762 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6763 	}
6764 
6765 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6766 		params.local_pm = nla_get_u32(
6767 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6768 
6769 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6770 		params.opmode_notif_used = true;
6771 		params.opmode_notif =
6772 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6773 	}
6774 
6775 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6776 		params.he_6ghz_capa =
6777 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6778 
6779 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6780 		params.airtime_weight =
6781 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6782 
6783 	if (params.airtime_weight &&
6784 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6785 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6786 		return -EOPNOTSUPP;
6787 
6788 	err = nl80211_parse_sta_txpower_setting(info, &params);
6789 	if (err)
6790 		return err;
6791 
6792 	/* Include parameters for TDLS peer (will check later) */
6793 	err = nl80211_set_station_tdls(info, &params);
6794 	if (err)
6795 		return err;
6796 
6797 	params.vlan = get_vlan(info, rdev);
6798 	if (IS_ERR(params.vlan))
6799 		return PTR_ERR(params.vlan);
6800 
6801 	switch (dev->ieee80211_ptr->iftype) {
6802 	case NL80211_IFTYPE_AP:
6803 	case NL80211_IFTYPE_AP_VLAN:
6804 	case NL80211_IFTYPE_P2P_GO:
6805 	case NL80211_IFTYPE_P2P_CLIENT:
6806 	case NL80211_IFTYPE_STATION:
6807 	case NL80211_IFTYPE_ADHOC:
6808 	case NL80211_IFTYPE_MESH_POINT:
6809 		break;
6810 	default:
6811 		err = -EOPNOTSUPP;
6812 		goto out_put_vlan;
6813 	}
6814 
6815 	/* driver will call cfg80211_check_station_change() */
6816 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6817 
6818  out_put_vlan:
6819 	dev_put(params.vlan);
6820 
6821 	return err;
6822 }
6823 
6824 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6825 {
6826 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6827 	int err;
6828 	struct net_device *dev = info->user_ptr[1];
6829 	struct station_parameters params;
6830 	u8 *mac_addr = NULL;
6831 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6832 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6833 
6834 	memset(&params, 0, sizeof(params));
6835 
6836 	if (!rdev->ops->add_station)
6837 		return -EOPNOTSUPP;
6838 
6839 	if (!info->attrs[NL80211_ATTR_MAC])
6840 		return -EINVAL;
6841 
6842 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6843 		return -EINVAL;
6844 
6845 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6846 		return -EINVAL;
6847 
6848 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6849 	    !info->attrs[NL80211_ATTR_PEER_AID])
6850 		return -EINVAL;
6851 
6852 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6853 	params.supported_rates =
6854 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6855 	params.supported_rates_len =
6856 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6857 	params.listen_interval =
6858 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6859 
6860 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6861 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6862 
6863 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6864 		params.support_p2p_ps =
6865 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6866 	} else {
6867 		/*
6868 		 * if not specified, assume it's supported for P2P GO interface,
6869 		 * and is NOT supported for AP interface
6870 		 */
6871 		params.support_p2p_ps =
6872 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6873 	}
6874 
6875 	if (info->attrs[NL80211_ATTR_PEER_AID])
6876 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6877 	else
6878 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6879 
6880 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6881 		params.capability =
6882 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6883 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6884 	}
6885 
6886 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6887 		params.ext_capab =
6888 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6889 		params.ext_capab_len =
6890 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6891 	}
6892 
6893 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6894 		params.ht_capa =
6895 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6896 
6897 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6898 		params.vht_capa =
6899 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6900 
6901 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6902 		params.he_capa =
6903 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6904 		params.he_capa_len =
6905 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6906 
6907 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6908 			params.eht_capa =
6909 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6910 			params.eht_capa_len =
6911 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6912 
6913 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
6914 							(const u8 *)params.eht_capa,
6915 							params.eht_capa_len))
6916 				return -EINVAL;
6917 		}
6918 	}
6919 
6920 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6921 		params.he_6ghz_capa =
6922 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6923 
6924 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6925 		params.opmode_notif_used = true;
6926 		params.opmode_notif =
6927 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6928 	}
6929 
6930 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6931 		params.plink_action =
6932 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6933 
6934 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6935 		params.airtime_weight =
6936 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6937 
6938 	if (params.airtime_weight &&
6939 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6940 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6941 		return -EOPNOTSUPP;
6942 
6943 	err = nl80211_parse_sta_txpower_setting(info, &params);
6944 	if (err)
6945 		return err;
6946 
6947 	err = nl80211_parse_sta_channel_info(info, &params);
6948 	if (err)
6949 		return err;
6950 
6951 	err = nl80211_parse_sta_wme(info, &params);
6952 	if (err)
6953 		return err;
6954 
6955 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6956 		return -EINVAL;
6957 
6958 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6959 	 * as userspace might just pass through the capabilities from the IEs
6960 	 * directly, rather than enforcing this restriction and returning an
6961 	 * error in this case.
6962 	 */
6963 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6964 		params.ht_capa = NULL;
6965 		params.vht_capa = NULL;
6966 
6967 		/* HE and EHT require WME */
6968 		if (params.he_capa_len || params.he_6ghz_capa ||
6969 		    params.eht_capa_len)
6970 			return -EINVAL;
6971 	}
6972 
6973 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6974 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6975 		return -EINVAL;
6976 
6977 	/* When you run into this, adjust the code below for the new flag */
6978 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6979 
6980 	switch (dev->ieee80211_ptr->iftype) {
6981 	case NL80211_IFTYPE_AP:
6982 	case NL80211_IFTYPE_AP_VLAN:
6983 	case NL80211_IFTYPE_P2P_GO:
6984 		/* ignore WME attributes if iface/sta is not capable */
6985 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6986 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6987 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6988 
6989 		/* TDLS peers cannot be added */
6990 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6991 		    info->attrs[NL80211_ATTR_PEER_AID])
6992 			return -EINVAL;
6993 		/* but don't bother the driver with it */
6994 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6995 
6996 		/* allow authenticated/associated only if driver handles it */
6997 		if (!(rdev->wiphy.features &
6998 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6999 		    params.sta_flags_mask & auth_assoc)
7000 			return -EINVAL;
7001 
7002 		/* Older userspace, or userspace wanting to be compatible with
7003 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7004 		 * and assoc flags in the mask, but assumes the station will be
7005 		 * added as associated anyway since this was the required driver
7006 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7007 		 * introduced.
7008 		 * In order to not bother drivers with this quirk in the API
7009 		 * set the flags in both the mask and set for new stations in
7010 		 * this case.
7011 		 */
7012 		if (!(params.sta_flags_mask & auth_assoc)) {
7013 			params.sta_flags_mask |= auth_assoc;
7014 			params.sta_flags_set |= auth_assoc;
7015 		}
7016 
7017 		/* must be last in here for error handling */
7018 		params.vlan = get_vlan(info, rdev);
7019 		if (IS_ERR(params.vlan))
7020 			return PTR_ERR(params.vlan);
7021 		break;
7022 	case NL80211_IFTYPE_MESH_POINT:
7023 		/* ignore uAPSD data */
7024 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7025 
7026 		/* associated is disallowed */
7027 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7028 			return -EINVAL;
7029 		/* TDLS peers cannot be added */
7030 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7031 		    info->attrs[NL80211_ATTR_PEER_AID])
7032 			return -EINVAL;
7033 		break;
7034 	case NL80211_IFTYPE_STATION:
7035 	case NL80211_IFTYPE_P2P_CLIENT:
7036 		/* ignore uAPSD data */
7037 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7038 
7039 		/* these are disallowed */
7040 		if (params.sta_flags_mask &
7041 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7042 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7043 			return -EINVAL;
7044 		/* Only TDLS peers can be added */
7045 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7046 			return -EINVAL;
7047 		/* Can only add if TDLS ... */
7048 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7049 			return -EOPNOTSUPP;
7050 		/* ... with external setup is supported */
7051 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7052 			return -EOPNOTSUPP;
7053 		/*
7054 		 * Older wpa_supplicant versions always mark the TDLS peer
7055 		 * as authorized, but it shouldn't yet be.
7056 		 */
7057 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7058 		break;
7059 	default:
7060 		return -EOPNOTSUPP;
7061 	}
7062 
7063 	/* be aware of params.vlan when changing code here */
7064 
7065 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7066 
7067 	dev_put(params.vlan);
7068 	return err;
7069 }
7070 
7071 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7072 {
7073 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7074 	struct net_device *dev = info->user_ptr[1];
7075 	struct station_del_parameters params;
7076 
7077 	memset(&params, 0, sizeof(params));
7078 
7079 	if (info->attrs[NL80211_ATTR_MAC])
7080 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7081 
7082 	switch (dev->ieee80211_ptr->iftype) {
7083 	case NL80211_IFTYPE_AP:
7084 	case NL80211_IFTYPE_AP_VLAN:
7085 	case NL80211_IFTYPE_MESH_POINT:
7086 	case NL80211_IFTYPE_P2P_GO:
7087 		/* always accept these */
7088 		break;
7089 	case NL80211_IFTYPE_ADHOC:
7090 		/* conditionally accept */
7091 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7092 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7093 			break;
7094 		return -EINVAL;
7095 	default:
7096 		return -EINVAL;
7097 	}
7098 
7099 	if (!rdev->ops->del_station)
7100 		return -EOPNOTSUPP;
7101 
7102 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7103 		params.subtype =
7104 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7105 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7106 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7107 			return -EINVAL;
7108 	} else {
7109 		/* Default to Deauthentication frame */
7110 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7111 	}
7112 
7113 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7114 		params.reason_code =
7115 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7116 		if (params.reason_code == 0)
7117 			return -EINVAL; /* 0 is reserved */
7118 	} else {
7119 		/* Default to reason code 2 */
7120 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7121 	}
7122 
7123 	return rdev_del_station(rdev, dev, &params);
7124 }
7125 
7126 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7127 				int flags, struct net_device *dev,
7128 				u8 *dst, u8 *next_hop,
7129 				struct mpath_info *pinfo)
7130 {
7131 	void *hdr;
7132 	struct nlattr *pinfoattr;
7133 
7134 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7135 	if (!hdr)
7136 		return -1;
7137 
7138 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7139 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7140 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7141 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7142 		goto nla_put_failure;
7143 
7144 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7145 	if (!pinfoattr)
7146 		goto nla_put_failure;
7147 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7148 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7149 			pinfo->frame_qlen))
7150 		goto nla_put_failure;
7151 	if (((pinfo->filled & MPATH_INFO_SN) &&
7152 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7153 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7154 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7155 			 pinfo->metric)) ||
7156 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7157 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7158 			 pinfo->exptime)) ||
7159 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7160 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7161 			pinfo->flags)) ||
7162 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7163 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7164 			 pinfo->discovery_timeout)) ||
7165 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7166 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7167 			pinfo->discovery_retries)) ||
7168 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7169 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7170 			pinfo->hop_count)) ||
7171 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7172 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7173 			 pinfo->path_change_count)))
7174 		goto nla_put_failure;
7175 
7176 	nla_nest_end(msg, pinfoattr);
7177 
7178 	genlmsg_end(msg, hdr);
7179 	return 0;
7180 
7181  nla_put_failure:
7182 	genlmsg_cancel(msg, hdr);
7183 	return -EMSGSIZE;
7184 }
7185 
7186 static int nl80211_dump_mpath(struct sk_buff *skb,
7187 			      struct netlink_callback *cb)
7188 {
7189 	struct mpath_info pinfo;
7190 	struct cfg80211_registered_device *rdev;
7191 	struct wireless_dev *wdev;
7192 	u8 dst[ETH_ALEN];
7193 	u8 next_hop[ETH_ALEN];
7194 	int path_idx = cb->args[2];
7195 	int err;
7196 
7197 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7198 	if (err)
7199 		return err;
7200 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7201 	__acquire(&rdev->wiphy.mtx);
7202 
7203 	if (!rdev->ops->dump_mpath) {
7204 		err = -EOPNOTSUPP;
7205 		goto out_err;
7206 	}
7207 
7208 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7209 		err = -EOPNOTSUPP;
7210 		goto out_err;
7211 	}
7212 
7213 	while (1) {
7214 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7215 				      next_hop, &pinfo);
7216 		if (err == -ENOENT)
7217 			break;
7218 		if (err)
7219 			goto out_err;
7220 
7221 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7222 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7223 				       wdev->netdev, dst, next_hop,
7224 				       &pinfo) < 0)
7225 			goto out;
7226 
7227 		path_idx++;
7228 	}
7229 
7230  out:
7231 	cb->args[2] = path_idx;
7232 	err = skb->len;
7233  out_err:
7234 	wiphy_unlock(&rdev->wiphy);
7235 	return err;
7236 }
7237 
7238 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7239 {
7240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7241 	int err;
7242 	struct net_device *dev = info->user_ptr[1];
7243 	struct mpath_info pinfo;
7244 	struct sk_buff *msg;
7245 	u8 *dst = NULL;
7246 	u8 next_hop[ETH_ALEN];
7247 
7248 	memset(&pinfo, 0, sizeof(pinfo));
7249 
7250 	if (!info->attrs[NL80211_ATTR_MAC])
7251 		return -EINVAL;
7252 
7253 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7254 
7255 	if (!rdev->ops->get_mpath)
7256 		return -EOPNOTSUPP;
7257 
7258 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7259 		return -EOPNOTSUPP;
7260 
7261 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7262 	if (err)
7263 		return err;
7264 
7265 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7266 	if (!msg)
7267 		return -ENOMEM;
7268 
7269 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7270 				 dev, dst, next_hop, &pinfo) < 0) {
7271 		nlmsg_free(msg);
7272 		return -ENOBUFS;
7273 	}
7274 
7275 	return genlmsg_reply(msg, info);
7276 }
7277 
7278 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7279 {
7280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7281 	struct net_device *dev = info->user_ptr[1];
7282 	u8 *dst = NULL;
7283 	u8 *next_hop = NULL;
7284 
7285 	if (!info->attrs[NL80211_ATTR_MAC])
7286 		return -EINVAL;
7287 
7288 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7289 		return -EINVAL;
7290 
7291 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7292 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7293 
7294 	if (!rdev->ops->change_mpath)
7295 		return -EOPNOTSUPP;
7296 
7297 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7298 		return -EOPNOTSUPP;
7299 
7300 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7301 }
7302 
7303 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7304 {
7305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7306 	struct net_device *dev = info->user_ptr[1];
7307 	u8 *dst = NULL;
7308 	u8 *next_hop = NULL;
7309 
7310 	if (!info->attrs[NL80211_ATTR_MAC])
7311 		return -EINVAL;
7312 
7313 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7314 		return -EINVAL;
7315 
7316 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7317 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7318 
7319 	if (!rdev->ops->add_mpath)
7320 		return -EOPNOTSUPP;
7321 
7322 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7323 		return -EOPNOTSUPP;
7324 
7325 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7326 }
7327 
7328 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7329 {
7330 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7331 	struct net_device *dev = info->user_ptr[1];
7332 	u8 *dst = NULL;
7333 
7334 	if (info->attrs[NL80211_ATTR_MAC])
7335 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7336 
7337 	if (!rdev->ops->del_mpath)
7338 		return -EOPNOTSUPP;
7339 
7340 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7341 		return -EOPNOTSUPP;
7342 
7343 	return rdev_del_mpath(rdev, dev, dst);
7344 }
7345 
7346 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7347 {
7348 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7349 	int err;
7350 	struct net_device *dev = info->user_ptr[1];
7351 	struct mpath_info pinfo;
7352 	struct sk_buff *msg;
7353 	u8 *dst = NULL;
7354 	u8 mpp[ETH_ALEN];
7355 
7356 	memset(&pinfo, 0, sizeof(pinfo));
7357 
7358 	if (!info->attrs[NL80211_ATTR_MAC])
7359 		return -EINVAL;
7360 
7361 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7362 
7363 	if (!rdev->ops->get_mpp)
7364 		return -EOPNOTSUPP;
7365 
7366 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7367 		return -EOPNOTSUPP;
7368 
7369 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7370 	if (err)
7371 		return err;
7372 
7373 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7374 	if (!msg)
7375 		return -ENOMEM;
7376 
7377 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7378 			       dev, dst, mpp, &pinfo) < 0) {
7379 		nlmsg_free(msg);
7380 		return -ENOBUFS;
7381 	}
7382 
7383 	return genlmsg_reply(msg, info);
7384 }
7385 
7386 static int nl80211_dump_mpp(struct sk_buff *skb,
7387 			    struct netlink_callback *cb)
7388 {
7389 	struct mpath_info pinfo;
7390 	struct cfg80211_registered_device *rdev;
7391 	struct wireless_dev *wdev;
7392 	u8 dst[ETH_ALEN];
7393 	u8 mpp[ETH_ALEN];
7394 	int path_idx = cb->args[2];
7395 	int err;
7396 
7397 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7398 	if (err)
7399 		return err;
7400 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7401 	__acquire(&rdev->wiphy.mtx);
7402 
7403 	if (!rdev->ops->dump_mpp) {
7404 		err = -EOPNOTSUPP;
7405 		goto out_err;
7406 	}
7407 
7408 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7409 		err = -EOPNOTSUPP;
7410 		goto out_err;
7411 	}
7412 
7413 	while (1) {
7414 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7415 				    mpp, &pinfo);
7416 		if (err == -ENOENT)
7417 			break;
7418 		if (err)
7419 			goto out_err;
7420 
7421 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7422 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7423 				       wdev->netdev, dst, mpp,
7424 				       &pinfo) < 0)
7425 			goto out;
7426 
7427 		path_idx++;
7428 	}
7429 
7430  out:
7431 	cb->args[2] = path_idx;
7432 	err = skb->len;
7433  out_err:
7434 	wiphy_unlock(&rdev->wiphy);
7435 	return err;
7436 }
7437 
7438 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7439 {
7440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7441 	struct net_device *dev = info->user_ptr[1];
7442 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7443 	struct bss_parameters params;
7444 	int err;
7445 
7446 	memset(&params, 0, sizeof(params));
7447 	/* default to not changing parameters */
7448 	params.use_cts_prot = -1;
7449 	params.use_short_preamble = -1;
7450 	params.use_short_slot_time = -1;
7451 	params.ap_isolate = -1;
7452 	params.ht_opmode = -1;
7453 	params.p2p_ctwindow = -1;
7454 	params.p2p_opp_ps = -1;
7455 
7456 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7457 		params.use_cts_prot =
7458 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7459 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7460 		params.use_short_preamble =
7461 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7462 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7463 		params.use_short_slot_time =
7464 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7465 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7466 		params.basic_rates =
7467 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7468 		params.basic_rates_len =
7469 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7470 	}
7471 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7472 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7473 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7474 		params.ht_opmode =
7475 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7476 
7477 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7478 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7479 			return -EINVAL;
7480 		params.p2p_ctwindow =
7481 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7482 		if (params.p2p_ctwindow != 0 &&
7483 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7484 			return -EINVAL;
7485 	}
7486 
7487 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7488 		u8 tmp;
7489 
7490 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7491 			return -EINVAL;
7492 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7493 		params.p2p_opp_ps = tmp;
7494 		if (params.p2p_opp_ps &&
7495 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7496 			return -EINVAL;
7497 	}
7498 
7499 	if (!rdev->ops->change_bss)
7500 		return -EOPNOTSUPP;
7501 
7502 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7503 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7504 		return -EOPNOTSUPP;
7505 
7506 	wdev_lock(wdev);
7507 	err = rdev_change_bss(rdev, dev, &params);
7508 	wdev_unlock(wdev);
7509 
7510 	return err;
7511 }
7512 
7513 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7514 {
7515 	char *data = NULL;
7516 	bool is_indoor;
7517 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7518 	u32 owner_nlportid;
7519 
7520 	/*
7521 	 * You should only get this when cfg80211 hasn't yet initialized
7522 	 * completely when built-in to the kernel right between the time
7523 	 * window between nl80211_init() and regulatory_init(), if that is
7524 	 * even possible.
7525 	 */
7526 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7527 		return -EINPROGRESS;
7528 
7529 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7530 		user_reg_hint_type =
7531 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7532 	else
7533 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7534 
7535 	switch (user_reg_hint_type) {
7536 	case NL80211_USER_REG_HINT_USER:
7537 	case NL80211_USER_REG_HINT_CELL_BASE:
7538 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7539 			return -EINVAL;
7540 
7541 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7542 		return regulatory_hint_user(data, user_reg_hint_type);
7543 	case NL80211_USER_REG_HINT_INDOOR:
7544 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7545 			owner_nlportid = info->snd_portid;
7546 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7547 		} else {
7548 			owner_nlportid = 0;
7549 			is_indoor = true;
7550 		}
7551 
7552 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7553 	default:
7554 		return -EINVAL;
7555 	}
7556 }
7557 
7558 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7559 {
7560 	return reg_reload_regdb();
7561 }
7562 
7563 static int nl80211_get_mesh_config(struct sk_buff *skb,
7564 				   struct genl_info *info)
7565 {
7566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7567 	struct net_device *dev = info->user_ptr[1];
7568 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7569 	struct mesh_config cur_params;
7570 	int err = 0;
7571 	void *hdr;
7572 	struct nlattr *pinfoattr;
7573 	struct sk_buff *msg;
7574 
7575 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7576 		return -EOPNOTSUPP;
7577 
7578 	if (!rdev->ops->get_mesh_config)
7579 		return -EOPNOTSUPP;
7580 
7581 	wdev_lock(wdev);
7582 	/* If not connected, get default parameters */
7583 	if (!wdev->mesh_id_len)
7584 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7585 	else
7586 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7587 	wdev_unlock(wdev);
7588 
7589 	if (err)
7590 		return err;
7591 
7592 	/* Draw up a netlink message to send back */
7593 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7594 	if (!msg)
7595 		return -ENOMEM;
7596 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7597 			     NL80211_CMD_GET_MESH_CONFIG);
7598 	if (!hdr)
7599 		goto out;
7600 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7601 	if (!pinfoattr)
7602 		goto nla_put_failure;
7603 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7604 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7605 			cur_params.dot11MeshRetryTimeout) ||
7606 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7607 			cur_params.dot11MeshConfirmTimeout) ||
7608 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7609 			cur_params.dot11MeshHoldingTimeout) ||
7610 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7611 			cur_params.dot11MeshMaxPeerLinks) ||
7612 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7613 		       cur_params.dot11MeshMaxRetries) ||
7614 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7615 		       cur_params.dot11MeshTTL) ||
7616 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7617 		       cur_params.element_ttl) ||
7618 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7619 		       cur_params.auto_open_plinks) ||
7620 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7621 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7622 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7623 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7624 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7625 			cur_params.path_refresh_time) ||
7626 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7627 			cur_params.min_discovery_timeout) ||
7628 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7629 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7630 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7631 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7632 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7633 			cur_params.dot11MeshHWMPperrMinInterval) ||
7634 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7635 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7636 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7637 		       cur_params.dot11MeshHWMPRootMode) ||
7638 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7639 			cur_params.dot11MeshHWMPRannInterval) ||
7640 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7641 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7642 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7643 		       cur_params.dot11MeshForwarding) ||
7644 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7645 			cur_params.rssi_threshold) ||
7646 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7647 			cur_params.ht_opmode) ||
7648 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7649 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7650 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7651 			cur_params.dot11MeshHWMProotInterval) ||
7652 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7653 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7654 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7655 			cur_params.power_mode) ||
7656 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7657 			cur_params.dot11MeshAwakeWindowDuration) ||
7658 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7659 			cur_params.plink_timeout) ||
7660 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7661 		       cur_params.dot11MeshConnectedToMeshGate) ||
7662 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7663 		       cur_params.dot11MeshNolearn) ||
7664 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7665 		       cur_params.dot11MeshConnectedToAuthServer))
7666 		goto nla_put_failure;
7667 	nla_nest_end(msg, pinfoattr);
7668 	genlmsg_end(msg, hdr);
7669 	return genlmsg_reply(msg, info);
7670 
7671  nla_put_failure:
7672  out:
7673 	nlmsg_free(msg);
7674 	return -ENOBUFS;
7675 }
7676 
7677 static const struct nla_policy
7678 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7679 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7680 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7681 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7682 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7683 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7684 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7685 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7686 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7687 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7688 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7689 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7690 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7691 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7692 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7693 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7694 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7695 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7696 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7697 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7698 		NLA_POLICY_MIN(NLA_U16, 1),
7699 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7700 		NLA_POLICY_MIN(NLA_U16, 1),
7701 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7702 		NLA_POLICY_MIN(NLA_U16, 1),
7703 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7704 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7705 		NLA_POLICY_MIN(NLA_U16, 1),
7706 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7707 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7708 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7709 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7710 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7711 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7712 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7713 		NLA_POLICY_MIN(NLA_U16, 1),
7714 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7715 		NLA_POLICY_MIN(NLA_U16, 1),
7716 	[NL80211_MESHCONF_POWER_MODE] =
7717 		NLA_POLICY_RANGE(NLA_U32,
7718 				 NL80211_MESH_POWER_ACTIVE,
7719 				 NL80211_MESH_POWER_MAX),
7720 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7721 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7722 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7723 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7724 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7725 };
7726 
7727 static const struct nla_policy
7728 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7729 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7730 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7731 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7732 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7733 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7734 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7735 	[NL80211_MESH_SETUP_IE] =
7736 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7737 				       IEEE80211_MAX_DATA_LEN),
7738 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7739 };
7740 
7741 static int nl80211_parse_mesh_config(struct genl_info *info,
7742 				     struct mesh_config *cfg,
7743 				     u32 *mask_out)
7744 {
7745 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7746 	u32 mask = 0;
7747 	u16 ht_opmode;
7748 
7749 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7750 do {									\
7751 	if (tb[attr]) {							\
7752 		cfg->param = fn(tb[attr]);				\
7753 		mask |= BIT((attr) - 1);				\
7754 	}								\
7755 } while (0)
7756 
7757 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7758 		return -EINVAL;
7759 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7760 		return -EINVAL;
7761 
7762 	/* This makes sure that there aren't more than 32 mesh config
7763 	 * parameters (otherwise our bitfield scheme would not work.) */
7764 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7765 
7766 	/* Fill in the params struct */
7767 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7768 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7769 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7770 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7771 				  nla_get_u16);
7772 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7773 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7774 				  nla_get_u16);
7775 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7776 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7777 				  nla_get_u16);
7778 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7779 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7780 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7781 				  NL80211_MESHCONF_TTL, nla_get_u8);
7782 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7783 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7784 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7785 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7786 				  nla_get_u8);
7787 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7788 				  mask,
7789 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7790 				  nla_get_u32);
7791 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7792 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7793 				  nla_get_u8);
7794 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7795 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7796 				  nla_get_u32);
7797 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7798 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7799 		return -EINVAL;
7800 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7801 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7802 				  nla_get_u16);
7803 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7804 				  mask,
7805 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7806 				  nla_get_u32);
7807 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7808 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7809 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7810 		return -EINVAL;
7811 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7812 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7813 				  nla_get_u16);
7814 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7815 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7816 				  nla_get_u16);
7817 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7818 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7819 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7820 				  nla_get_u16);
7821 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7822 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7823 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7824 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7825 				  nla_get_u16);
7826 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7827 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7828 				  nla_get_u8);
7829 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7830 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7831 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7832 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7833 				  nla_get_s32);
7834 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7835 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7836 				  nla_get_u8);
7837 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7838 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7839 				  nla_get_u8);
7840 	/*
7841 	 * Check HT operation mode based on
7842 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7843 	 */
7844 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7845 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7846 
7847 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7848 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7849 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7850 			return -EINVAL;
7851 
7852 		/* NON_HT_STA bit is reserved, but some programs set it */
7853 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7854 
7855 		cfg->ht_opmode = ht_opmode;
7856 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7857 	}
7858 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7859 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7860 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7861 				  nla_get_u32);
7862 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7863 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7864 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7865 		return -EINVAL;
7866 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7867 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7868 				  nla_get_u16);
7869 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7870 				  mask,
7871 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7872 				  nla_get_u16);
7873 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7874 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7875 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7876 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7877 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7878 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7879 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7880 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7881 	if (mask_out)
7882 		*mask_out = mask;
7883 
7884 	return 0;
7885 
7886 #undef FILL_IN_MESH_PARAM_IF_SET
7887 }
7888 
7889 static int nl80211_parse_mesh_setup(struct genl_info *info,
7890 				     struct mesh_setup *setup)
7891 {
7892 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7893 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7894 
7895 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7896 		return -EINVAL;
7897 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7898 		return -EINVAL;
7899 
7900 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7901 		setup->sync_method =
7902 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7903 		 IEEE80211_SYNC_METHOD_VENDOR :
7904 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7905 
7906 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7907 		setup->path_sel_proto =
7908 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7909 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7910 		 IEEE80211_PATH_PROTOCOL_HWMP;
7911 
7912 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7913 		setup->path_metric =
7914 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7915 		 IEEE80211_PATH_METRIC_VENDOR :
7916 		 IEEE80211_PATH_METRIC_AIRTIME;
7917 
7918 	if (tb[NL80211_MESH_SETUP_IE]) {
7919 		struct nlattr *ieattr =
7920 			tb[NL80211_MESH_SETUP_IE];
7921 		setup->ie = nla_data(ieattr);
7922 		setup->ie_len = nla_len(ieattr);
7923 	}
7924 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7925 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7926 		return -EINVAL;
7927 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7928 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7929 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7930 	if (setup->is_secure)
7931 		setup->user_mpm = true;
7932 
7933 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7934 		if (!setup->user_mpm)
7935 			return -EINVAL;
7936 		setup->auth_id =
7937 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7938 	}
7939 
7940 	return 0;
7941 }
7942 
7943 static int nl80211_update_mesh_config(struct sk_buff *skb,
7944 				      struct genl_info *info)
7945 {
7946 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7947 	struct net_device *dev = info->user_ptr[1];
7948 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7949 	struct mesh_config cfg;
7950 	u32 mask;
7951 	int err;
7952 
7953 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7954 		return -EOPNOTSUPP;
7955 
7956 	if (!rdev->ops->update_mesh_config)
7957 		return -EOPNOTSUPP;
7958 
7959 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7960 	if (err)
7961 		return err;
7962 
7963 	wdev_lock(wdev);
7964 	if (!wdev->mesh_id_len)
7965 		err = -ENOLINK;
7966 
7967 	if (!err)
7968 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7969 
7970 	wdev_unlock(wdev);
7971 
7972 	return err;
7973 }
7974 
7975 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7976 			      struct sk_buff *msg)
7977 {
7978 	struct nlattr *nl_reg_rules;
7979 	unsigned int i;
7980 
7981 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7982 	    (regdom->dfs_region &&
7983 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7984 		goto nla_put_failure;
7985 
7986 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7987 	if (!nl_reg_rules)
7988 		goto nla_put_failure;
7989 
7990 	for (i = 0; i < regdom->n_reg_rules; i++) {
7991 		struct nlattr *nl_reg_rule;
7992 		const struct ieee80211_reg_rule *reg_rule;
7993 		const struct ieee80211_freq_range *freq_range;
7994 		const struct ieee80211_power_rule *power_rule;
7995 		unsigned int max_bandwidth_khz;
7996 
7997 		reg_rule = &regdom->reg_rules[i];
7998 		freq_range = &reg_rule->freq_range;
7999 		power_rule = &reg_rule->power_rule;
8000 
8001 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8002 		if (!nl_reg_rule)
8003 			goto nla_put_failure;
8004 
8005 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8006 		if (!max_bandwidth_khz)
8007 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8008 								  reg_rule);
8009 
8010 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8011 				reg_rule->flags) ||
8012 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8013 				freq_range->start_freq_khz) ||
8014 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8015 				freq_range->end_freq_khz) ||
8016 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8017 				max_bandwidth_khz) ||
8018 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8019 				power_rule->max_antenna_gain) ||
8020 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8021 				power_rule->max_eirp) ||
8022 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8023 				reg_rule->dfs_cac_ms))
8024 			goto nla_put_failure;
8025 
8026 		nla_nest_end(msg, nl_reg_rule);
8027 	}
8028 
8029 	nla_nest_end(msg, nl_reg_rules);
8030 	return 0;
8031 
8032 nla_put_failure:
8033 	return -EMSGSIZE;
8034 }
8035 
8036 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8037 {
8038 	const struct ieee80211_regdomain *regdom = NULL;
8039 	struct cfg80211_registered_device *rdev;
8040 	struct wiphy *wiphy = NULL;
8041 	struct sk_buff *msg;
8042 	int err = -EMSGSIZE;
8043 	void *hdr;
8044 
8045 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8046 	if (!msg)
8047 		return -ENOBUFS;
8048 
8049 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8050 			     NL80211_CMD_GET_REG);
8051 	if (!hdr)
8052 		goto put_failure;
8053 
8054 	rtnl_lock();
8055 
8056 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8057 		bool self_managed;
8058 
8059 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8060 		if (IS_ERR(rdev)) {
8061 			err = PTR_ERR(rdev);
8062 			goto nla_put_failure;
8063 		}
8064 
8065 		wiphy = &rdev->wiphy;
8066 		self_managed = wiphy->regulatory_flags &
8067 			       REGULATORY_WIPHY_SELF_MANAGED;
8068 
8069 		rcu_read_lock();
8070 
8071 		regdom = get_wiphy_regdom(wiphy);
8072 
8073 		/* a self-managed-reg device must have a private regdom */
8074 		if (WARN_ON(!regdom && self_managed)) {
8075 			err = -EINVAL;
8076 			goto nla_put_failure_rcu;
8077 		}
8078 
8079 		if (regdom &&
8080 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8081 			goto nla_put_failure_rcu;
8082 	} else {
8083 		rcu_read_lock();
8084 	}
8085 
8086 	if (!wiphy && reg_last_request_cell_base() &&
8087 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8088 			NL80211_USER_REG_HINT_CELL_BASE))
8089 		goto nla_put_failure_rcu;
8090 
8091 	if (!regdom)
8092 		regdom = rcu_dereference(cfg80211_regdomain);
8093 
8094 	if (nl80211_put_regdom(regdom, msg))
8095 		goto nla_put_failure_rcu;
8096 
8097 	rcu_read_unlock();
8098 
8099 	genlmsg_end(msg, hdr);
8100 	rtnl_unlock();
8101 	return genlmsg_reply(msg, info);
8102 
8103 nla_put_failure_rcu:
8104 	rcu_read_unlock();
8105 nla_put_failure:
8106 	rtnl_unlock();
8107 put_failure:
8108 	nlmsg_free(msg);
8109 	return err;
8110 }
8111 
8112 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8113 			       u32 seq, int flags, struct wiphy *wiphy,
8114 			       const struct ieee80211_regdomain *regdom)
8115 {
8116 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8117 				   NL80211_CMD_GET_REG);
8118 
8119 	if (!hdr)
8120 		return -1;
8121 
8122 	genl_dump_check_consistent(cb, hdr);
8123 
8124 	if (nl80211_put_regdom(regdom, msg))
8125 		goto nla_put_failure;
8126 
8127 	if (!wiphy && reg_last_request_cell_base() &&
8128 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8129 			NL80211_USER_REG_HINT_CELL_BASE))
8130 		goto nla_put_failure;
8131 
8132 	if (wiphy &&
8133 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8134 		goto nla_put_failure;
8135 
8136 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8137 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8138 		goto nla_put_failure;
8139 
8140 	genlmsg_end(msg, hdr);
8141 	return 0;
8142 
8143 nla_put_failure:
8144 	genlmsg_cancel(msg, hdr);
8145 	return -EMSGSIZE;
8146 }
8147 
8148 static int nl80211_get_reg_dump(struct sk_buff *skb,
8149 				struct netlink_callback *cb)
8150 {
8151 	const struct ieee80211_regdomain *regdom = NULL;
8152 	struct cfg80211_registered_device *rdev;
8153 	int err, reg_idx, start = cb->args[2];
8154 
8155 	rcu_read_lock();
8156 
8157 	if (cfg80211_regdomain && start == 0) {
8158 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8159 					  NLM_F_MULTI, NULL,
8160 					  rcu_dereference(cfg80211_regdomain));
8161 		if (err < 0)
8162 			goto out_err;
8163 	}
8164 
8165 	/* the global regdom is idx 0 */
8166 	reg_idx = 1;
8167 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8168 		regdom = get_wiphy_regdom(&rdev->wiphy);
8169 		if (!regdom)
8170 			continue;
8171 
8172 		if (++reg_idx <= start)
8173 			continue;
8174 
8175 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8176 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8177 		if (err < 0) {
8178 			reg_idx--;
8179 			break;
8180 		}
8181 	}
8182 
8183 	cb->args[2] = reg_idx;
8184 	err = skb->len;
8185 out_err:
8186 	rcu_read_unlock();
8187 	return err;
8188 }
8189 
8190 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8191 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8192 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8193 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8194 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8195 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8196 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8197 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8198 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8199 };
8200 
8201 static int parse_reg_rule(struct nlattr *tb[],
8202 	struct ieee80211_reg_rule *reg_rule)
8203 {
8204 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8205 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8206 
8207 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8208 		return -EINVAL;
8209 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8210 		return -EINVAL;
8211 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8212 		return -EINVAL;
8213 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8214 		return -EINVAL;
8215 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8216 		return -EINVAL;
8217 
8218 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8219 
8220 	freq_range->start_freq_khz =
8221 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8222 	freq_range->end_freq_khz =
8223 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8224 	freq_range->max_bandwidth_khz =
8225 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8226 
8227 	power_rule->max_eirp =
8228 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8229 
8230 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8231 		power_rule->max_antenna_gain =
8232 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8233 
8234 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8235 		reg_rule->dfs_cac_ms =
8236 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8237 
8238 	return 0;
8239 }
8240 
8241 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8242 {
8243 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8244 	struct nlattr *nl_reg_rule;
8245 	char *alpha2;
8246 	int rem_reg_rules, r;
8247 	u32 num_rules = 0, rule_idx = 0;
8248 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8249 	struct ieee80211_regdomain *rd;
8250 
8251 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8252 		return -EINVAL;
8253 
8254 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8255 		return -EINVAL;
8256 
8257 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8258 
8259 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8260 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8261 
8262 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8263 			    rem_reg_rules) {
8264 		num_rules++;
8265 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8266 			return -EINVAL;
8267 	}
8268 
8269 	rtnl_lock();
8270 	if (!reg_is_valid_request(alpha2)) {
8271 		r = -EINVAL;
8272 		goto out;
8273 	}
8274 
8275 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8276 	if (!rd) {
8277 		r = -ENOMEM;
8278 		goto out;
8279 	}
8280 
8281 	rd->n_reg_rules = num_rules;
8282 	rd->alpha2[0] = alpha2[0];
8283 	rd->alpha2[1] = alpha2[1];
8284 
8285 	/*
8286 	 * Disable DFS master mode if the DFS region was
8287 	 * not supported or known on this kernel.
8288 	 */
8289 	if (reg_supported_dfs_region(dfs_region))
8290 		rd->dfs_region = dfs_region;
8291 
8292 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8293 			    rem_reg_rules) {
8294 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8295 						nl_reg_rule, reg_rule_policy,
8296 						info->extack);
8297 		if (r)
8298 			goto bad_reg;
8299 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8300 		if (r)
8301 			goto bad_reg;
8302 
8303 		rule_idx++;
8304 
8305 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8306 			r = -EINVAL;
8307 			goto bad_reg;
8308 		}
8309 	}
8310 
8311 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8312 	/* set_regdom takes ownership of rd */
8313 	rd = NULL;
8314  bad_reg:
8315 	kfree(rd);
8316  out:
8317 	rtnl_unlock();
8318 	return r;
8319 }
8320 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8321 
8322 static int validate_scan_freqs(struct nlattr *freqs)
8323 {
8324 	struct nlattr *attr1, *attr2;
8325 	int n_channels = 0, tmp1, tmp2;
8326 
8327 	nla_for_each_nested(attr1, freqs, tmp1)
8328 		if (nla_len(attr1) != sizeof(u32))
8329 			return 0;
8330 
8331 	nla_for_each_nested(attr1, freqs, tmp1) {
8332 		n_channels++;
8333 		/*
8334 		 * Some hardware has a limited channel list for
8335 		 * scanning, and it is pretty much nonsensical
8336 		 * to scan for a channel twice, so disallow that
8337 		 * and don't require drivers to check that the
8338 		 * channel list they get isn't longer than what
8339 		 * they can scan, as long as they can scan all
8340 		 * the channels they registered at once.
8341 		 */
8342 		nla_for_each_nested(attr2, freqs, tmp2)
8343 			if (attr1 != attr2 &&
8344 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8345 				return 0;
8346 	}
8347 
8348 	return n_channels;
8349 }
8350 
8351 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8352 {
8353 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8354 }
8355 
8356 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8357 			    struct cfg80211_bss_selection *bss_select)
8358 {
8359 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8360 	struct nlattr *nest;
8361 	int err;
8362 	bool found = false;
8363 	int i;
8364 
8365 	/* only process one nested attribute */
8366 	nest = nla_data(nla);
8367 	if (!nla_ok(nest, nla_len(nest)))
8368 		return -EINVAL;
8369 
8370 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8371 					  nest, nl80211_bss_select_policy,
8372 					  NULL);
8373 	if (err)
8374 		return err;
8375 
8376 	/* only one attribute may be given */
8377 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8378 		if (attr[i]) {
8379 			if (found)
8380 				return -EINVAL;
8381 			found = true;
8382 		}
8383 	}
8384 
8385 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8386 
8387 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8388 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8389 
8390 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8391 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8392 		bss_select->param.band_pref =
8393 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8394 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8395 			return -EINVAL;
8396 	}
8397 
8398 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8399 		struct nl80211_bss_select_rssi_adjust *adj_param;
8400 
8401 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8402 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8403 		bss_select->param.adjust.band = adj_param->band;
8404 		bss_select->param.adjust.delta = adj_param->delta;
8405 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8406 			return -EINVAL;
8407 	}
8408 
8409 	/* user-space did not provide behaviour attribute */
8410 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8411 		return -EINVAL;
8412 
8413 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8414 		return -EINVAL;
8415 
8416 	return 0;
8417 }
8418 
8419 int nl80211_parse_random_mac(struct nlattr **attrs,
8420 			     u8 *mac_addr, u8 *mac_addr_mask)
8421 {
8422 	int i;
8423 
8424 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8425 		eth_zero_addr(mac_addr);
8426 		eth_zero_addr(mac_addr_mask);
8427 		mac_addr[0] = 0x2;
8428 		mac_addr_mask[0] = 0x3;
8429 
8430 		return 0;
8431 	}
8432 
8433 	/* need both or none */
8434 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8435 		return -EINVAL;
8436 
8437 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8438 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8439 
8440 	/* don't allow or configure an mcast address */
8441 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8442 	    is_multicast_ether_addr(mac_addr))
8443 		return -EINVAL;
8444 
8445 	/*
8446 	 * allow users to pass a MAC address that has bits set outside
8447 	 * of the mask, but don't bother drivers with having to deal
8448 	 * with such bits
8449 	 */
8450 	for (i = 0; i < ETH_ALEN; i++)
8451 		mac_addr[i] &= mac_addr_mask[i];
8452 
8453 	return 0;
8454 }
8455 
8456 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8457 {
8458 	ASSERT_WDEV_LOCK(wdev);
8459 
8460 	if (!cfg80211_beaconing_iface_active(wdev))
8461 		return true;
8462 
8463 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8464 		return true;
8465 
8466 	return regulatory_pre_cac_allowed(wdev->wiphy);
8467 }
8468 
8469 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8470 				    enum nl80211_ext_feature_index feat)
8471 {
8472 	if (!(flags & flag))
8473 		return true;
8474 	if (wiphy_ext_feature_isset(wiphy, feat))
8475 		return true;
8476 	return false;
8477 }
8478 
8479 static int
8480 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8481 			 void *request, struct nlattr **attrs,
8482 			 bool is_sched_scan)
8483 {
8484 	u8 *mac_addr, *mac_addr_mask;
8485 	u32 *flags;
8486 	enum nl80211_feature_flags randomness_flag;
8487 
8488 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8489 		return 0;
8490 
8491 	if (is_sched_scan) {
8492 		struct cfg80211_sched_scan_request *req = request;
8493 
8494 		randomness_flag = wdev ?
8495 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8496 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8497 		flags = &req->flags;
8498 		mac_addr = req->mac_addr;
8499 		mac_addr_mask = req->mac_addr_mask;
8500 	} else {
8501 		struct cfg80211_scan_request *req = request;
8502 
8503 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8504 		flags = &req->flags;
8505 		mac_addr = req->mac_addr;
8506 		mac_addr_mask = req->mac_addr_mask;
8507 	}
8508 
8509 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8510 
8511 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8512 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8513 	    !nl80211_check_scan_feat(wiphy, *flags,
8514 				     NL80211_SCAN_FLAG_LOW_SPAN,
8515 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8516 	    !nl80211_check_scan_feat(wiphy, *flags,
8517 				     NL80211_SCAN_FLAG_LOW_POWER,
8518 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8519 	    !nl80211_check_scan_feat(wiphy, *flags,
8520 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8521 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8522 	    !nl80211_check_scan_feat(wiphy, *flags,
8523 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8524 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8525 	    !nl80211_check_scan_feat(wiphy, *flags,
8526 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8527 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8528 	    !nl80211_check_scan_feat(wiphy, *flags,
8529 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8530 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8531 	    !nl80211_check_scan_feat(wiphy, *flags,
8532 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8533 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8534 	    !nl80211_check_scan_feat(wiphy, *flags,
8535 				     NL80211_SCAN_FLAG_RANDOM_SN,
8536 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8537 	    !nl80211_check_scan_feat(wiphy, *flags,
8538 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8539 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8540 		return -EOPNOTSUPP;
8541 
8542 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8543 		int err;
8544 
8545 		if (!(wiphy->features & randomness_flag) ||
8546 		    (wdev && wdev->current_bss))
8547 			return -EOPNOTSUPP;
8548 
8549 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8550 		if (err)
8551 			return err;
8552 	}
8553 
8554 	return 0;
8555 }
8556 
8557 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8558 {
8559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8560 	struct wireless_dev *wdev = info->user_ptr[1];
8561 	struct cfg80211_scan_request *request;
8562 	struct nlattr *scan_freqs = NULL;
8563 	bool scan_freqs_khz = false;
8564 	struct nlattr *attr;
8565 	struct wiphy *wiphy;
8566 	int err, tmp, n_ssids = 0, n_channels, i;
8567 	size_t ie_len;
8568 
8569 	wiphy = &rdev->wiphy;
8570 
8571 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8572 		return -EOPNOTSUPP;
8573 
8574 	if (!rdev->ops->scan)
8575 		return -EOPNOTSUPP;
8576 
8577 	if (rdev->scan_req || rdev->scan_msg)
8578 		return -EBUSY;
8579 
8580 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8581 		if (!wiphy_ext_feature_isset(wiphy,
8582 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8583 			return -EOPNOTSUPP;
8584 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8585 		scan_freqs_khz = true;
8586 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8587 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8588 
8589 	if (scan_freqs) {
8590 		n_channels = validate_scan_freqs(scan_freqs);
8591 		if (!n_channels)
8592 			return -EINVAL;
8593 	} else {
8594 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8595 	}
8596 
8597 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8598 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8599 			n_ssids++;
8600 
8601 	if (n_ssids > wiphy->max_scan_ssids)
8602 		return -EINVAL;
8603 
8604 	if (info->attrs[NL80211_ATTR_IE])
8605 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8606 	else
8607 		ie_len = 0;
8608 
8609 	if (ie_len > wiphy->max_scan_ie_len)
8610 		return -EINVAL;
8611 
8612 	request = kzalloc(sizeof(*request)
8613 			+ sizeof(*request->ssids) * n_ssids
8614 			+ sizeof(*request->channels) * n_channels
8615 			+ ie_len, GFP_KERNEL);
8616 	if (!request)
8617 		return -ENOMEM;
8618 
8619 	if (n_ssids)
8620 		request->ssids = (void *)&request->channels[n_channels];
8621 	request->n_ssids = n_ssids;
8622 	if (ie_len) {
8623 		if (n_ssids)
8624 			request->ie = (void *)(request->ssids + n_ssids);
8625 		else
8626 			request->ie = (void *)(request->channels + n_channels);
8627 	}
8628 
8629 	i = 0;
8630 	if (scan_freqs) {
8631 		/* user specified, bail out if channel not found */
8632 		nla_for_each_nested(attr, scan_freqs, tmp) {
8633 			struct ieee80211_channel *chan;
8634 			int freq = nla_get_u32(attr);
8635 
8636 			if (!scan_freqs_khz)
8637 				freq = MHZ_TO_KHZ(freq);
8638 
8639 			chan = ieee80211_get_channel_khz(wiphy, freq);
8640 			if (!chan) {
8641 				err = -EINVAL;
8642 				goto out_free;
8643 			}
8644 
8645 			/* ignore disabled channels */
8646 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8647 				continue;
8648 
8649 			request->channels[i] = chan;
8650 			i++;
8651 		}
8652 	} else {
8653 		enum nl80211_band band;
8654 
8655 		/* all channels */
8656 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8657 			int j;
8658 
8659 			if (!wiphy->bands[band])
8660 				continue;
8661 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8662 				struct ieee80211_channel *chan;
8663 
8664 				chan = &wiphy->bands[band]->channels[j];
8665 
8666 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8667 					continue;
8668 
8669 				request->channels[i] = chan;
8670 				i++;
8671 			}
8672 		}
8673 	}
8674 
8675 	if (!i) {
8676 		err = -EINVAL;
8677 		goto out_free;
8678 	}
8679 
8680 	request->n_channels = i;
8681 
8682 	wdev_lock(wdev);
8683 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8684 		struct ieee80211_channel *chan;
8685 
8686 		if (request->n_channels != 1) {
8687 			wdev_unlock(wdev);
8688 			err = -EBUSY;
8689 			goto out_free;
8690 		}
8691 
8692 		chan = request->channels[0];
8693 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8694 			wdev_unlock(wdev);
8695 			err = -EBUSY;
8696 			goto out_free;
8697 		}
8698 	}
8699 	wdev_unlock(wdev);
8700 
8701 	i = 0;
8702 	if (n_ssids) {
8703 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8704 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8705 				err = -EINVAL;
8706 				goto out_free;
8707 			}
8708 			request->ssids[i].ssid_len = nla_len(attr);
8709 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8710 			i++;
8711 		}
8712 	}
8713 
8714 	if (info->attrs[NL80211_ATTR_IE]) {
8715 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8716 		memcpy((void *)request->ie,
8717 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8718 		       request->ie_len);
8719 	}
8720 
8721 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8722 		if (wiphy->bands[i])
8723 			request->rates[i] =
8724 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8725 
8726 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8727 		nla_for_each_nested(attr,
8728 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8729 				    tmp) {
8730 			enum nl80211_band band = nla_type(attr);
8731 
8732 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8733 				err = -EINVAL;
8734 				goto out_free;
8735 			}
8736 
8737 			if (!wiphy->bands[band])
8738 				continue;
8739 
8740 			err = ieee80211_get_ratemask(wiphy->bands[band],
8741 						     nla_data(attr),
8742 						     nla_len(attr),
8743 						     &request->rates[band]);
8744 			if (err)
8745 				goto out_free;
8746 		}
8747 	}
8748 
8749 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8750 		request->duration =
8751 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8752 		request->duration_mandatory =
8753 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8754 	}
8755 
8756 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8757 				       false);
8758 	if (err)
8759 		goto out_free;
8760 
8761 	request->no_cck =
8762 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8763 
8764 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8765 	 * BSSID to scan for. This was problematic because that same attribute
8766 	 * was already used for another purpose (local random MAC address). The
8767 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8768 	 * compatibility with older userspace components, also use the
8769 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8770 	 * the specific BSSID use case instead of the random MAC address
8771 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8772 	 */
8773 	if (info->attrs[NL80211_ATTR_BSSID])
8774 		memcpy(request->bssid,
8775 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8776 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8777 		 info->attrs[NL80211_ATTR_MAC])
8778 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8779 		       ETH_ALEN);
8780 	else
8781 		eth_broadcast_addr(request->bssid);
8782 
8783 	request->wdev = wdev;
8784 	request->wiphy = &rdev->wiphy;
8785 	request->scan_start = jiffies;
8786 
8787 	rdev->scan_req = request;
8788 	err = cfg80211_scan(rdev);
8789 
8790 	if (err)
8791 		goto out_free;
8792 
8793 	nl80211_send_scan_start(rdev, wdev);
8794 	dev_hold(wdev->netdev);
8795 
8796 	return 0;
8797 
8798  out_free:
8799 	rdev->scan_req = NULL;
8800 	kfree(request);
8801 
8802 	return err;
8803 }
8804 
8805 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8806 {
8807 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8808 	struct wireless_dev *wdev = info->user_ptr[1];
8809 
8810 	if (!rdev->ops->abort_scan)
8811 		return -EOPNOTSUPP;
8812 
8813 	if (rdev->scan_msg)
8814 		return 0;
8815 
8816 	if (!rdev->scan_req)
8817 		return -ENOENT;
8818 
8819 	rdev_abort_scan(rdev, wdev);
8820 	return 0;
8821 }
8822 
8823 static int
8824 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8825 			       struct cfg80211_sched_scan_request *request,
8826 			       struct nlattr **attrs)
8827 {
8828 	int tmp, err, i = 0;
8829 	struct nlattr *attr;
8830 
8831 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8832 		u32 interval;
8833 
8834 		/*
8835 		 * If scan plans are not specified,
8836 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8837 		 * case one scan plan will be set with the specified scan
8838 		 * interval and infinite number of iterations.
8839 		 */
8840 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8841 		if (!interval)
8842 			return -EINVAL;
8843 
8844 		request->scan_plans[0].interval =
8845 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8846 		if (!request->scan_plans[0].interval)
8847 			return -EINVAL;
8848 
8849 		if (request->scan_plans[0].interval >
8850 		    wiphy->max_sched_scan_plan_interval)
8851 			request->scan_plans[0].interval =
8852 				wiphy->max_sched_scan_plan_interval;
8853 
8854 		return 0;
8855 	}
8856 
8857 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8858 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8859 
8860 		if (WARN_ON(i >= n_plans))
8861 			return -EINVAL;
8862 
8863 		err = nla_parse_nested_deprecated(plan,
8864 						  NL80211_SCHED_SCAN_PLAN_MAX,
8865 						  attr, nl80211_plan_policy,
8866 						  NULL);
8867 		if (err)
8868 			return err;
8869 
8870 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8871 			return -EINVAL;
8872 
8873 		request->scan_plans[i].interval =
8874 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8875 		if (!request->scan_plans[i].interval ||
8876 		    request->scan_plans[i].interval >
8877 		    wiphy->max_sched_scan_plan_interval)
8878 			return -EINVAL;
8879 
8880 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8881 			request->scan_plans[i].iterations =
8882 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8883 			if (!request->scan_plans[i].iterations ||
8884 			    (request->scan_plans[i].iterations >
8885 			     wiphy->max_sched_scan_plan_iterations))
8886 				return -EINVAL;
8887 		} else if (i < n_plans - 1) {
8888 			/*
8889 			 * All scan plans but the last one must specify
8890 			 * a finite number of iterations
8891 			 */
8892 			return -EINVAL;
8893 		}
8894 
8895 		i++;
8896 	}
8897 
8898 	/*
8899 	 * The last scan plan must not specify the number of
8900 	 * iterations, it is supposed to run infinitely
8901 	 */
8902 	if (request->scan_plans[n_plans - 1].iterations)
8903 		return  -EINVAL;
8904 
8905 	return 0;
8906 }
8907 
8908 static int
8909 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8910 				       struct cfg80211_match_set *match_sets,
8911 				       struct nlattr *tb_band_rssi,
8912 				       s32 rssi_thold)
8913 {
8914 	struct nlattr *attr;
8915 	int i, tmp, ret = 0;
8916 
8917 	if (!wiphy_ext_feature_isset(wiphy,
8918 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8919 		if (tb_band_rssi)
8920 			ret = -EOPNOTSUPP;
8921 		else
8922 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8923 				match_sets->per_band_rssi_thold[i] =
8924 					NL80211_SCAN_RSSI_THOLD_OFF;
8925 		return ret;
8926 	}
8927 
8928 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8929 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8930 
8931 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8932 		enum nl80211_band band = nla_type(attr);
8933 
8934 		if (band < 0 || band >= NUM_NL80211_BANDS)
8935 			return -EINVAL;
8936 
8937 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8938 	}
8939 
8940 	return 0;
8941 }
8942 
8943 static struct cfg80211_sched_scan_request *
8944 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8945 			 struct nlattr **attrs, int max_match_sets)
8946 {
8947 	struct cfg80211_sched_scan_request *request;
8948 	struct nlattr *attr;
8949 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8950 	enum nl80211_band band;
8951 	size_t ie_len;
8952 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8953 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8954 
8955 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8956 		n_channels = validate_scan_freqs(
8957 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8958 		if (!n_channels)
8959 			return ERR_PTR(-EINVAL);
8960 	} else {
8961 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8962 	}
8963 
8964 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8965 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8966 				    tmp)
8967 			n_ssids++;
8968 
8969 	if (n_ssids > wiphy->max_sched_scan_ssids)
8970 		return ERR_PTR(-EINVAL);
8971 
8972 	/*
8973 	 * First, count the number of 'real' matchsets. Due to an issue with
8974 	 * the old implementation, matchsets containing only the RSSI attribute
8975 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8976 	 * RSSI for all matchsets, rather than their own matchset for reporting
8977 	 * all APs with a strong RSSI. This is needed to be compatible with
8978 	 * older userspace that treated a matchset with only the RSSI as the
8979 	 * global RSSI for all other matchsets - if there are other matchsets.
8980 	 */
8981 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8982 		nla_for_each_nested(attr,
8983 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8984 				    tmp) {
8985 			struct nlattr *rssi;
8986 
8987 			err = nla_parse_nested_deprecated(tb,
8988 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8989 							  attr,
8990 							  nl80211_match_policy,
8991 							  NULL);
8992 			if (err)
8993 				return ERR_PTR(err);
8994 
8995 			/* SSID and BSSID are mutually exclusive */
8996 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8997 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8998 				return ERR_PTR(-EINVAL);
8999 
9000 			/* add other standalone attributes here */
9001 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9002 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9003 				n_match_sets++;
9004 				continue;
9005 			}
9006 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9007 			if (rssi)
9008 				default_match_rssi = nla_get_s32(rssi);
9009 		}
9010 	}
9011 
9012 	/* However, if there's no other matchset, add the RSSI one */
9013 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9014 		n_match_sets = 1;
9015 
9016 	if (n_match_sets > max_match_sets)
9017 		return ERR_PTR(-EINVAL);
9018 
9019 	if (attrs[NL80211_ATTR_IE])
9020 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9021 	else
9022 		ie_len = 0;
9023 
9024 	if (ie_len > wiphy->max_sched_scan_ie_len)
9025 		return ERR_PTR(-EINVAL);
9026 
9027 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9028 		/*
9029 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9030 		 * each scan plan already specifies its own interval
9031 		 */
9032 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9033 			return ERR_PTR(-EINVAL);
9034 
9035 		nla_for_each_nested(attr,
9036 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9037 			n_plans++;
9038 	} else {
9039 		/*
9040 		 * The scan interval attribute is kept for backward
9041 		 * compatibility. If no scan plans are specified and sched scan
9042 		 * interval is specified, one scan plan will be set with this
9043 		 * scan interval and infinite number of iterations.
9044 		 */
9045 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9046 			return ERR_PTR(-EINVAL);
9047 
9048 		n_plans = 1;
9049 	}
9050 
9051 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9052 		return ERR_PTR(-EINVAL);
9053 
9054 	if (!wiphy_ext_feature_isset(
9055 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9056 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9057 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9058 		return ERR_PTR(-EINVAL);
9059 
9060 	request = kzalloc(sizeof(*request)
9061 			+ sizeof(*request->ssids) * n_ssids
9062 			+ sizeof(*request->match_sets) * n_match_sets
9063 			+ sizeof(*request->scan_plans) * n_plans
9064 			+ sizeof(*request->channels) * n_channels
9065 			+ ie_len, GFP_KERNEL);
9066 	if (!request)
9067 		return ERR_PTR(-ENOMEM);
9068 
9069 	if (n_ssids)
9070 		request->ssids = (void *)&request->channels[n_channels];
9071 	request->n_ssids = n_ssids;
9072 	if (ie_len) {
9073 		if (n_ssids)
9074 			request->ie = (void *)(request->ssids + n_ssids);
9075 		else
9076 			request->ie = (void *)(request->channels + n_channels);
9077 	}
9078 
9079 	if (n_match_sets) {
9080 		if (request->ie)
9081 			request->match_sets = (void *)(request->ie + ie_len);
9082 		else if (n_ssids)
9083 			request->match_sets =
9084 				(void *)(request->ssids + n_ssids);
9085 		else
9086 			request->match_sets =
9087 				(void *)(request->channels + n_channels);
9088 	}
9089 	request->n_match_sets = n_match_sets;
9090 
9091 	if (n_match_sets)
9092 		request->scan_plans = (void *)(request->match_sets +
9093 					       n_match_sets);
9094 	else if (request->ie)
9095 		request->scan_plans = (void *)(request->ie + ie_len);
9096 	else if (n_ssids)
9097 		request->scan_plans = (void *)(request->ssids + n_ssids);
9098 	else
9099 		request->scan_plans = (void *)(request->channels + n_channels);
9100 
9101 	request->n_scan_plans = n_plans;
9102 
9103 	i = 0;
9104 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9105 		/* user specified, bail out if channel not found */
9106 		nla_for_each_nested(attr,
9107 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9108 				    tmp) {
9109 			struct ieee80211_channel *chan;
9110 
9111 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9112 
9113 			if (!chan) {
9114 				err = -EINVAL;
9115 				goto out_free;
9116 			}
9117 
9118 			/* ignore disabled channels */
9119 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9120 				continue;
9121 
9122 			request->channels[i] = chan;
9123 			i++;
9124 		}
9125 	} else {
9126 		/* all channels */
9127 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9128 			int j;
9129 
9130 			if (!wiphy->bands[band])
9131 				continue;
9132 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9133 				struct ieee80211_channel *chan;
9134 
9135 				chan = &wiphy->bands[band]->channels[j];
9136 
9137 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9138 					continue;
9139 
9140 				request->channels[i] = chan;
9141 				i++;
9142 			}
9143 		}
9144 	}
9145 
9146 	if (!i) {
9147 		err = -EINVAL;
9148 		goto out_free;
9149 	}
9150 
9151 	request->n_channels = i;
9152 
9153 	i = 0;
9154 	if (n_ssids) {
9155 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9156 				    tmp) {
9157 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9158 				err = -EINVAL;
9159 				goto out_free;
9160 			}
9161 			request->ssids[i].ssid_len = nla_len(attr);
9162 			memcpy(request->ssids[i].ssid, nla_data(attr),
9163 			       nla_len(attr));
9164 			i++;
9165 		}
9166 	}
9167 
9168 	i = 0;
9169 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9170 		nla_for_each_nested(attr,
9171 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9172 				    tmp) {
9173 			struct nlattr *ssid, *bssid, *rssi;
9174 
9175 			err = nla_parse_nested_deprecated(tb,
9176 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9177 							  attr,
9178 							  nl80211_match_policy,
9179 							  NULL);
9180 			if (err)
9181 				goto out_free;
9182 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9183 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9184 
9185 			if (!ssid && !bssid) {
9186 				i++;
9187 				continue;
9188 			}
9189 
9190 			if (WARN_ON(i >= n_match_sets)) {
9191 				/* this indicates a programming error,
9192 				 * the loop above should have verified
9193 				 * things properly
9194 				 */
9195 				err = -EINVAL;
9196 				goto out_free;
9197 			}
9198 
9199 			if (ssid) {
9200 				memcpy(request->match_sets[i].ssid.ssid,
9201 				       nla_data(ssid), nla_len(ssid));
9202 				request->match_sets[i].ssid.ssid_len =
9203 					nla_len(ssid);
9204 			}
9205 			if (bssid)
9206 				memcpy(request->match_sets[i].bssid,
9207 				       nla_data(bssid), ETH_ALEN);
9208 
9209 			/* special attribute - old implementation w/a */
9210 			request->match_sets[i].rssi_thold = default_match_rssi;
9211 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9212 			if (rssi)
9213 				request->match_sets[i].rssi_thold =
9214 					nla_get_s32(rssi);
9215 
9216 			/* Parse per band RSSI attribute */
9217 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9218 				&request->match_sets[i],
9219 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9220 				request->match_sets[i].rssi_thold);
9221 			if (err)
9222 				goto out_free;
9223 
9224 			i++;
9225 		}
9226 
9227 		/* there was no other matchset, so the RSSI one is alone */
9228 		if (i == 0 && n_match_sets)
9229 			request->match_sets[0].rssi_thold = default_match_rssi;
9230 
9231 		request->min_rssi_thold = INT_MAX;
9232 		for (i = 0; i < n_match_sets; i++)
9233 			request->min_rssi_thold =
9234 				min(request->match_sets[i].rssi_thold,
9235 				    request->min_rssi_thold);
9236 	} else {
9237 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9238 	}
9239 
9240 	if (ie_len) {
9241 		request->ie_len = ie_len;
9242 		memcpy((void *)request->ie,
9243 		       nla_data(attrs[NL80211_ATTR_IE]),
9244 		       request->ie_len);
9245 	}
9246 
9247 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9248 	if (err)
9249 		goto out_free;
9250 
9251 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9252 		request->delay =
9253 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9254 
9255 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9256 		request->relative_rssi = nla_get_s8(
9257 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9258 		request->relative_rssi_set = true;
9259 	}
9260 
9261 	if (request->relative_rssi_set &&
9262 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9263 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9264 
9265 		rssi_adjust = nla_data(
9266 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9267 		request->rssi_adjust.band = rssi_adjust->band;
9268 		request->rssi_adjust.delta = rssi_adjust->delta;
9269 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9270 			err = -EINVAL;
9271 			goto out_free;
9272 		}
9273 	}
9274 
9275 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9276 	if (err)
9277 		goto out_free;
9278 
9279 	request->scan_start = jiffies;
9280 
9281 	return request;
9282 
9283 out_free:
9284 	kfree(request);
9285 	return ERR_PTR(err);
9286 }
9287 
9288 static int nl80211_start_sched_scan(struct sk_buff *skb,
9289 				    struct genl_info *info)
9290 {
9291 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9292 	struct net_device *dev = info->user_ptr[1];
9293 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9294 	struct cfg80211_sched_scan_request *sched_scan_req;
9295 	bool want_multi;
9296 	int err;
9297 
9298 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9299 		return -EOPNOTSUPP;
9300 
9301 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9302 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9303 	if (err)
9304 		return err;
9305 
9306 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9307 						  info->attrs,
9308 						  rdev->wiphy.max_match_sets);
9309 
9310 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9311 	if (err)
9312 		goto out_err;
9313 
9314 	/* leave request id zero for legacy request
9315 	 * or if driver does not support multi-scheduled scan
9316 	 */
9317 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9318 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9319 
9320 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9321 	if (err)
9322 		goto out_free;
9323 
9324 	sched_scan_req->dev = dev;
9325 	sched_scan_req->wiphy = &rdev->wiphy;
9326 
9327 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9328 		sched_scan_req->owner_nlportid = info->snd_portid;
9329 
9330 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9331 
9332 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9333 	return 0;
9334 
9335 out_free:
9336 	kfree(sched_scan_req);
9337 out_err:
9338 	return err;
9339 }
9340 
9341 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9342 				   struct genl_info *info)
9343 {
9344 	struct cfg80211_sched_scan_request *req;
9345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9346 	u64 cookie;
9347 
9348 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9349 		return -EOPNOTSUPP;
9350 
9351 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9352 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9353 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9354 	}
9355 
9356 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9357 				     struct cfg80211_sched_scan_request,
9358 				     list);
9359 	if (!req || req->reqid ||
9360 	    (req->owner_nlportid &&
9361 	     req->owner_nlportid != info->snd_portid))
9362 		return -ENOENT;
9363 
9364 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9365 }
9366 
9367 static int nl80211_start_radar_detection(struct sk_buff *skb,
9368 					 struct genl_info *info)
9369 {
9370 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9371 	struct net_device *dev = info->user_ptr[1];
9372 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9373 	struct wiphy *wiphy = wdev->wiphy;
9374 	struct cfg80211_chan_def chandef;
9375 	enum nl80211_dfs_regions dfs_region;
9376 	unsigned int cac_time_ms;
9377 	int err = -EINVAL;
9378 
9379 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9380 
9381 	wiphy_lock(wiphy);
9382 
9383 	dfs_region = reg_get_dfs_region(wiphy);
9384 	if (dfs_region == NL80211_DFS_UNSET)
9385 		goto unlock;
9386 
9387 	err = nl80211_parse_chandef(rdev, info, &chandef);
9388 	if (err)
9389 		goto unlock;
9390 
9391 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9392 	if (err < 0)
9393 		goto unlock;
9394 
9395 	if (err == 0) {
9396 		err = -EINVAL;
9397 		goto unlock;
9398 	}
9399 
9400 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9401 		err = -EINVAL;
9402 		goto unlock;
9403 	}
9404 
9405 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9406 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9407 								&chandef);
9408 		goto unlock;
9409 	}
9410 
9411 	if (netif_carrier_ok(dev)) {
9412 		err = -EBUSY;
9413 		goto unlock;
9414 	}
9415 
9416 	if (wdev->cac_started) {
9417 		err = -EBUSY;
9418 		goto unlock;
9419 	}
9420 
9421 	/* CAC start is offloaded to HW and can't be started manually */
9422 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9423 		err = -EOPNOTSUPP;
9424 		goto unlock;
9425 	}
9426 
9427 	if (!rdev->ops->start_radar_detection) {
9428 		err = -EOPNOTSUPP;
9429 		goto unlock;
9430 	}
9431 
9432 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9433 	if (WARN_ON(!cac_time_ms))
9434 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9435 
9436 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9437 	if (!err) {
9438 		wdev->chandef = chandef;
9439 		wdev->cac_started = true;
9440 		wdev->cac_start_time = jiffies;
9441 		wdev->cac_time_ms = cac_time_ms;
9442 	}
9443 unlock:
9444 	wiphy_unlock(wiphy);
9445 
9446 	return err;
9447 }
9448 
9449 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9450 					  struct genl_info *info)
9451 {
9452 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9453 	struct net_device *dev = info->user_ptr[1];
9454 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9455 	struct wiphy *wiphy = wdev->wiphy;
9456 	struct cfg80211_chan_def chandef;
9457 	enum nl80211_dfs_regions dfs_region;
9458 	int err;
9459 
9460 	dfs_region = reg_get_dfs_region(wiphy);
9461 	if (dfs_region == NL80211_DFS_UNSET) {
9462 		GENL_SET_ERR_MSG(info,
9463 				 "DFS Region is not set. Unexpected Radar indication");
9464 		return -EINVAL;
9465 	}
9466 
9467 	err = nl80211_parse_chandef(rdev, info, &chandef);
9468 	if (err) {
9469 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9470 		return err;
9471 	}
9472 
9473 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9474 	if (err < 0) {
9475 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9476 		return err;
9477 	}
9478 
9479 	if (err == 0) {
9480 		GENL_SET_ERR_MSG(info,
9481 				 "Unexpected Radar indication for chandef/iftype");
9482 		return -EINVAL;
9483 	}
9484 
9485 	/* Do not process this notification if radar is already detected
9486 	 * by kernel on this channel, and return success.
9487 	 */
9488 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9489 		return 0;
9490 
9491 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9492 
9493 	cfg80211_sched_dfs_chan_update(rdev);
9494 
9495 	rdev->radar_chandef = chandef;
9496 
9497 	/* Propagate this notification to other radios as well */
9498 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9499 
9500 	return 0;
9501 }
9502 
9503 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9504 {
9505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9506 	struct net_device *dev = info->user_ptr[1];
9507 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9508 	struct cfg80211_csa_settings params;
9509 	struct nlattr **csa_attrs = NULL;
9510 	int err;
9511 	bool need_new_beacon = false;
9512 	bool need_handle_dfs_flag = true;
9513 	int len, i;
9514 	u32 cs_count;
9515 
9516 	if (!rdev->ops->channel_switch ||
9517 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9518 		return -EOPNOTSUPP;
9519 
9520 	switch (dev->ieee80211_ptr->iftype) {
9521 	case NL80211_IFTYPE_AP:
9522 	case NL80211_IFTYPE_P2P_GO:
9523 		need_new_beacon = true;
9524 		/* For all modes except AP the handle_dfs flag needs to be
9525 		 * supplied to tell the kernel that userspace will handle radar
9526 		 * events when they happen. Otherwise a switch to a channel
9527 		 * requiring DFS will be rejected.
9528 		 */
9529 		need_handle_dfs_flag = false;
9530 
9531 		/* useless if AP is not running */
9532 		if (!wdev->beacon_interval)
9533 			return -ENOTCONN;
9534 		break;
9535 	case NL80211_IFTYPE_ADHOC:
9536 		if (!wdev->ssid_len)
9537 			return -ENOTCONN;
9538 		break;
9539 	case NL80211_IFTYPE_MESH_POINT:
9540 		if (!wdev->mesh_id_len)
9541 			return -ENOTCONN;
9542 		break;
9543 	default:
9544 		return -EOPNOTSUPP;
9545 	}
9546 
9547 	memset(&params, 0, sizeof(params));
9548 	params.beacon_csa.ftm_responder = -1;
9549 
9550 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9551 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9552 		return -EINVAL;
9553 
9554 	/* only important for AP, IBSS and mesh create IEs internally */
9555 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9556 		return -EINVAL;
9557 
9558 	/* Even though the attribute is u32, the specification says
9559 	 * u8, so let's make sure we don't overflow.
9560 	 */
9561 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9562 	if (cs_count > 255)
9563 		return -EINVAL;
9564 
9565 	params.count = cs_count;
9566 
9567 	if (!need_new_beacon)
9568 		goto skip_beacons;
9569 
9570 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9571 	if (err)
9572 		goto free;
9573 
9574 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9575 			    GFP_KERNEL);
9576 	if (!csa_attrs) {
9577 		err = -ENOMEM;
9578 		goto free;
9579 	}
9580 
9581 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9582 					  info->attrs[NL80211_ATTR_CSA_IES],
9583 					  nl80211_policy, info->extack);
9584 	if (err)
9585 		goto free;
9586 
9587 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9588 	if (err)
9589 		goto free;
9590 
9591 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9592 		err = -EINVAL;
9593 		goto free;
9594 	}
9595 
9596 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9597 	if (!len || (len % sizeof(u16))) {
9598 		err = -EINVAL;
9599 		goto free;
9600 	}
9601 
9602 	params.n_counter_offsets_beacon = len / sizeof(u16);
9603 	if (rdev->wiphy.max_num_csa_counters &&
9604 	    (params.n_counter_offsets_beacon >
9605 	     rdev->wiphy.max_num_csa_counters)) {
9606 		err = -EINVAL;
9607 		goto free;
9608 	}
9609 
9610 	params.counter_offsets_beacon =
9611 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9612 
9613 	/* sanity checks - counters should fit and be the same */
9614 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9615 		u16 offset = params.counter_offsets_beacon[i];
9616 
9617 		if (offset >= params.beacon_csa.tail_len) {
9618 			err = -EINVAL;
9619 			goto free;
9620 		}
9621 
9622 		if (params.beacon_csa.tail[offset] != params.count) {
9623 			err = -EINVAL;
9624 			goto free;
9625 		}
9626 	}
9627 
9628 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9629 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9630 		if (!len || (len % sizeof(u16))) {
9631 			err = -EINVAL;
9632 			goto free;
9633 		}
9634 
9635 		params.n_counter_offsets_presp = len / sizeof(u16);
9636 		if (rdev->wiphy.max_num_csa_counters &&
9637 		    (params.n_counter_offsets_presp >
9638 		     rdev->wiphy.max_num_csa_counters)) {
9639 			err = -EINVAL;
9640 			goto free;
9641 		}
9642 
9643 		params.counter_offsets_presp =
9644 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9645 
9646 		/* sanity checks - counters should fit and be the same */
9647 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9648 			u16 offset = params.counter_offsets_presp[i];
9649 
9650 			if (offset >= params.beacon_csa.probe_resp_len) {
9651 				err = -EINVAL;
9652 				goto free;
9653 			}
9654 
9655 			if (params.beacon_csa.probe_resp[offset] !=
9656 			    params.count) {
9657 				err = -EINVAL;
9658 				goto free;
9659 			}
9660 		}
9661 	}
9662 
9663 skip_beacons:
9664 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9665 	if (err)
9666 		goto free;
9667 
9668 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9669 					   wdev->iftype)) {
9670 		err = -EINVAL;
9671 		goto free;
9672 	}
9673 
9674 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9675 					    &params.chandef,
9676 					    wdev->iftype);
9677 	if (err < 0)
9678 		goto free;
9679 
9680 	if (err > 0) {
9681 		params.radar_required = true;
9682 		if (need_handle_dfs_flag &&
9683 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9684 			err = -EINVAL;
9685 			goto free;
9686 		}
9687 	}
9688 
9689 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9690 		params.block_tx = true;
9691 
9692 	wdev_lock(wdev);
9693 	err = rdev_channel_switch(rdev, dev, &params);
9694 	wdev_unlock(wdev);
9695 
9696 free:
9697 	kfree(params.beacon_after.mbssid_ies);
9698 	kfree(params.beacon_csa.mbssid_ies);
9699 	kfree(csa_attrs);
9700 	return err;
9701 }
9702 
9703 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9704 			    u32 seq, int flags,
9705 			    struct cfg80211_registered_device *rdev,
9706 			    struct wireless_dev *wdev,
9707 			    struct cfg80211_internal_bss *intbss)
9708 {
9709 	struct cfg80211_bss *res = &intbss->pub;
9710 	const struct cfg80211_bss_ies *ies;
9711 	void *hdr;
9712 	struct nlattr *bss;
9713 
9714 	ASSERT_WDEV_LOCK(wdev);
9715 
9716 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9717 			     NL80211_CMD_NEW_SCAN_RESULTS);
9718 	if (!hdr)
9719 		return -1;
9720 
9721 	genl_dump_check_consistent(cb, hdr);
9722 
9723 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9724 		goto nla_put_failure;
9725 	if (wdev->netdev &&
9726 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9727 		goto nla_put_failure;
9728 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9729 			      NL80211_ATTR_PAD))
9730 		goto nla_put_failure;
9731 
9732 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9733 	if (!bss)
9734 		goto nla_put_failure;
9735 	if ((!is_zero_ether_addr(res->bssid) &&
9736 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9737 		goto nla_put_failure;
9738 
9739 	rcu_read_lock();
9740 	/* indicate whether we have probe response data or not */
9741 	if (rcu_access_pointer(res->proberesp_ies) &&
9742 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9743 		goto fail_unlock_rcu;
9744 
9745 	/* this pointer prefers to be pointed to probe response data
9746 	 * but is always valid
9747 	 */
9748 	ies = rcu_dereference(res->ies);
9749 	if (ies) {
9750 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9751 				      NL80211_BSS_PAD))
9752 			goto fail_unlock_rcu;
9753 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9754 					ies->len, ies->data))
9755 			goto fail_unlock_rcu;
9756 	}
9757 
9758 	/* and this pointer is always (unless driver didn't know) beacon data */
9759 	ies = rcu_dereference(res->beacon_ies);
9760 	if (ies && ies->from_beacon) {
9761 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9762 				      NL80211_BSS_PAD))
9763 			goto fail_unlock_rcu;
9764 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9765 					ies->len, ies->data))
9766 			goto fail_unlock_rcu;
9767 	}
9768 	rcu_read_unlock();
9769 
9770 	if (res->beacon_interval &&
9771 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9772 		goto nla_put_failure;
9773 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9774 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9775 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9776 			res->channel->freq_offset) ||
9777 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9778 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9779 			jiffies_to_msecs(jiffies - intbss->ts)))
9780 		goto nla_put_failure;
9781 
9782 	if (intbss->parent_tsf &&
9783 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9784 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9785 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9786 		     intbss->parent_bssid)))
9787 		goto nla_put_failure;
9788 
9789 	if (intbss->ts_boottime &&
9790 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9791 			      intbss->ts_boottime, NL80211_BSS_PAD))
9792 		goto nla_put_failure;
9793 
9794 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9795 				intbss->pub.chain_signal,
9796 				NL80211_BSS_CHAIN_SIGNAL))
9797 		goto nla_put_failure;
9798 
9799 	switch (rdev->wiphy.signal_type) {
9800 	case CFG80211_SIGNAL_TYPE_MBM:
9801 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9802 			goto nla_put_failure;
9803 		break;
9804 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9805 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9806 			goto nla_put_failure;
9807 		break;
9808 	default:
9809 		break;
9810 	}
9811 
9812 	switch (wdev->iftype) {
9813 	case NL80211_IFTYPE_P2P_CLIENT:
9814 	case NL80211_IFTYPE_STATION:
9815 		if (intbss == wdev->current_bss &&
9816 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9817 				NL80211_BSS_STATUS_ASSOCIATED))
9818 			goto nla_put_failure;
9819 		break;
9820 	case NL80211_IFTYPE_ADHOC:
9821 		if (intbss == wdev->current_bss &&
9822 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9823 				NL80211_BSS_STATUS_IBSS_JOINED))
9824 			goto nla_put_failure;
9825 		break;
9826 	default:
9827 		break;
9828 	}
9829 
9830 	nla_nest_end(msg, bss);
9831 
9832 	genlmsg_end(msg, hdr);
9833 	return 0;
9834 
9835  fail_unlock_rcu:
9836 	rcu_read_unlock();
9837  nla_put_failure:
9838 	genlmsg_cancel(msg, hdr);
9839 	return -EMSGSIZE;
9840 }
9841 
9842 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9843 {
9844 	struct cfg80211_registered_device *rdev;
9845 	struct cfg80211_internal_bss *scan;
9846 	struct wireless_dev *wdev;
9847 	int start = cb->args[2], idx = 0;
9848 	int err;
9849 
9850 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9851 	if (err)
9852 		return err;
9853 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9854 	__acquire(&rdev->wiphy.mtx);
9855 
9856 	wdev_lock(wdev);
9857 	spin_lock_bh(&rdev->bss_lock);
9858 
9859 	/*
9860 	 * dump_scan will be called multiple times to break up the scan results
9861 	 * into multiple messages.  It is unlikely that any more bss-es will be
9862 	 * expired after the first call, so only call only call this on the
9863 	 * first dump_scan invocation.
9864 	 */
9865 	if (start == 0)
9866 		cfg80211_bss_expire(rdev);
9867 
9868 	cb->seq = rdev->bss_generation;
9869 
9870 	list_for_each_entry(scan, &rdev->bss_list, list) {
9871 		if (++idx <= start)
9872 			continue;
9873 		if (nl80211_send_bss(skb, cb,
9874 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9875 				rdev, wdev, scan) < 0) {
9876 			idx--;
9877 			break;
9878 		}
9879 	}
9880 
9881 	spin_unlock_bh(&rdev->bss_lock);
9882 	wdev_unlock(wdev);
9883 
9884 	cb->args[2] = idx;
9885 	wiphy_unlock(&rdev->wiphy);
9886 
9887 	return skb->len;
9888 }
9889 
9890 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9891 			       int flags, struct net_device *dev,
9892 			       bool allow_radio_stats,
9893 			       struct survey_info *survey)
9894 {
9895 	void *hdr;
9896 	struct nlattr *infoattr;
9897 
9898 	/* skip radio stats if userspace didn't request them */
9899 	if (!survey->channel && !allow_radio_stats)
9900 		return 0;
9901 
9902 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9903 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9904 	if (!hdr)
9905 		return -ENOMEM;
9906 
9907 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9908 		goto nla_put_failure;
9909 
9910 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9911 	if (!infoattr)
9912 		goto nla_put_failure;
9913 
9914 	if (survey->channel &&
9915 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9916 			survey->channel->center_freq))
9917 		goto nla_put_failure;
9918 
9919 	if (survey->channel && survey->channel->freq_offset &&
9920 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9921 			survey->channel->freq_offset))
9922 		goto nla_put_failure;
9923 
9924 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9925 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9926 		goto nla_put_failure;
9927 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9928 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9929 		goto nla_put_failure;
9930 	if ((survey->filled & SURVEY_INFO_TIME) &&
9931 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9932 			survey->time, NL80211_SURVEY_INFO_PAD))
9933 		goto nla_put_failure;
9934 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9935 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9936 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9937 		goto nla_put_failure;
9938 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9939 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9940 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9941 		goto nla_put_failure;
9942 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9943 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9944 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9945 		goto nla_put_failure;
9946 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9947 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9948 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9949 		goto nla_put_failure;
9950 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9951 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9952 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9953 		goto nla_put_failure;
9954 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9955 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9956 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9957 		goto nla_put_failure;
9958 
9959 	nla_nest_end(msg, infoattr);
9960 
9961 	genlmsg_end(msg, hdr);
9962 	return 0;
9963 
9964  nla_put_failure:
9965 	genlmsg_cancel(msg, hdr);
9966 	return -EMSGSIZE;
9967 }
9968 
9969 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9970 {
9971 	struct nlattr **attrbuf;
9972 	struct survey_info survey;
9973 	struct cfg80211_registered_device *rdev;
9974 	struct wireless_dev *wdev;
9975 	int survey_idx = cb->args[2];
9976 	int res;
9977 	bool radio_stats;
9978 
9979 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9980 	if (!attrbuf)
9981 		return -ENOMEM;
9982 
9983 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9984 	if (res) {
9985 		kfree(attrbuf);
9986 		return res;
9987 	}
9988 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9989 	__acquire(&rdev->wiphy.mtx);
9990 
9991 	/* prepare_wdev_dump parsed the attributes */
9992 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9993 
9994 	if (!wdev->netdev) {
9995 		res = -EINVAL;
9996 		goto out_err;
9997 	}
9998 
9999 	if (!rdev->ops->dump_survey) {
10000 		res = -EOPNOTSUPP;
10001 		goto out_err;
10002 	}
10003 
10004 	while (1) {
10005 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10006 		if (res == -ENOENT)
10007 			break;
10008 		if (res)
10009 			goto out_err;
10010 
10011 		/* don't send disabled channels, but do send non-channel data */
10012 		if (survey.channel &&
10013 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10014 			survey_idx++;
10015 			continue;
10016 		}
10017 
10018 		if (nl80211_send_survey(skb,
10019 				NETLINK_CB(cb->skb).portid,
10020 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10021 				wdev->netdev, radio_stats, &survey) < 0)
10022 			goto out;
10023 		survey_idx++;
10024 	}
10025 
10026  out:
10027 	cb->args[2] = survey_idx;
10028 	res = skb->len;
10029  out_err:
10030 	kfree(attrbuf);
10031 	wiphy_unlock(&rdev->wiphy);
10032 	return res;
10033 }
10034 
10035 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10036 {
10037 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10038 				  NL80211_WPA_VERSION_2 |
10039 				  NL80211_WPA_VERSION_3));
10040 }
10041 
10042 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10043 {
10044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10045 	struct net_device *dev = info->user_ptr[1];
10046 	struct ieee80211_channel *chan;
10047 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
10048 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
10049 	enum nl80211_auth_type auth_type;
10050 	struct key_parse key;
10051 	bool local_state_change;
10052 	u32 freq;
10053 
10054 	if (!info->attrs[NL80211_ATTR_MAC])
10055 		return -EINVAL;
10056 
10057 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10058 		return -EINVAL;
10059 
10060 	if (!info->attrs[NL80211_ATTR_SSID])
10061 		return -EINVAL;
10062 
10063 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10064 		return -EINVAL;
10065 
10066 	err = nl80211_parse_key(info, &key);
10067 	if (err)
10068 		return err;
10069 
10070 	if (key.idx >= 0) {
10071 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10072 			return -EINVAL;
10073 		if (!key.p.key || !key.p.key_len)
10074 			return -EINVAL;
10075 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10076 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10077 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10078 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10079 			return -EINVAL;
10080 		if (key.idx > 3)
10081 			return -EINVAL;
10082 	} else {
10083 		key.p.key_len = 0;
10084 		key.p.key = NULL;
10085 	}
10086 
10087 	if (key.idx >= 0) {
10088 		int i;
10089 		bool ok = false;
10090 
10091 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10092 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10093 				ok = true;
10094 				break;
10095 			}
10096 		}
10097 		if (!ok)
10098 			return -EINVAL;
10099 	}
10100 
10101 	if (!rdev->ops->auth)
10102 		return -EOPNOTSUPP;
10103 
10104 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10105 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10106 		return -EOPNOTSUPP;
10107 
10108 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10109 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10110 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10111 		freq +=
10112 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10113 
10114 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10115 	if (!chan)
10116 		return -EINVAL;
10117 
10118 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10119 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10120 
10121 	if (info->attrs[NL80211_ATTR_IE]) {
10122 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10123 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10124 	}
10125 
10126 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10127 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10128 		return -EINVAL;
10129 
10130 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10131 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10132 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10133 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10134 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10135 		return -EINVAL;
10136 
10137 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10138 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10139 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10140 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10141 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10142 			return -EINVAL;
10143 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10144 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10145 	}
10146 
10147 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10148 
10149 	/*
10150 	 * Since we no longer track auth state, ignore
10151 	 * requests to only change local state.
10152 	 */
10153 	if (local_state_change)
10154 		return 0;
10155 
10156 	wdev_lock(dev->ieee80211_ptr);
10157 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10158 				 ssid, ssid_len, ie, ie_len,
10159 				 key.p.key, key.p.key_len, key.idx,
10160 				 auth_data, auth_data_len);
10161 	wdev_unlock(dev->ieee80211_ptr);
10162 	return err;
10163 }
10164 
10165 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10166 				     struct genl_info *info)
10167 {
10168 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10169 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10170 		return -EINVAL;
10171 	}
10172 
10173 	if (!rdev->ops->tx_control_port ||
10174 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10175 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10176 		return -EOPNOTSUPP;
10177 
10178 	return 0;
10179 }
10180 
10181 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10182 				   struct genl_info *info,
10183 				   struct cfg80211_crypto_settings *settings,
10184 				   int cipher_limit)
10185 {
10186 	memset(settings, 0, sizeof(*settings));
10187 
10188 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10189 
10190 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10191 		u16 proto;
10192 
10193 		proto = nla_get_u16(
10194 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10195 		settings->control_port_ethertype = cpu_to_be16(proto);
10196 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10197 		    proto != ETH_P_PAE)
10198 			return -EINVAL;
10199 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10200 			settings->control_port_no_encrypt = true;
10201 	} else
10202 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10203 
10204 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10205 		int r = validate_pae_over_nl80211(rdev, info);
10206 
10207 		if (r < 0)
10208 			return r;
10209 
10210 		settings->control_port_over_nl80211 = true;
10211 
10212 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10213 			settings->control_port_no_preauth = true;
10214 	}
10215 
10216 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10217 		void *data;
10218 		int len, i;
10219 
10220 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10221 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10222 		settings->n_ciphers_pairwise = len / sizeof(u32);
10223 
10224 		if (len % sizeof(u32))
10225 			return -EINVAL;
10226 
10227 		if (settings->n_ciphers_pairwise > cipher_limit)
10228 			return -EINVAL;
10229 
10230 		memcpy(settings->ciphers_pairwise, data, len);
10231 
10232 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10233 			if (!cfg80211_supported_cipher_suite(
10234 					&rdev->wiphy,
10235 					settings->ciphers_pairwise[i]))
10236 				return -EINVAL;
10237 	}
10238 
10239 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10240 		settings->cipher_group =
10241 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10242 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10243 						     settings->cipher_group))
10244 			return -EINVAL;
10245 	}
10246 
10247 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10248 		settings->wpa_versions =
10249 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10250 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10251 			return -EINVAL;
10252 	}
10253 
10254 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10255 		void *data;
10256 		int len;
10257 
10258 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10259 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10260 		settings->n_akm_suites = len / sizeof(u32);
10261 
10262 		if (len % sizeof(u32))
10263 			return -EINVAL;
10264 
10265 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10266 			return -EINVAL;
10267 
10268 		memcpy(settings->akm_suites, data, len);
10269 	}
10270 
10271 	if (info->attrs[NL80211_ATTR_PMK]) {
10272 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10273 			return -EINVAL;
10274 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10275 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10276 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10277 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10278 			return -EINVAL;
10279 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10280 	}
10281 
10282 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10283 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10284 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10285 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10286 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10287 			return -EINVAL;
10288 		settings->sae_pwd =
10289 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10290 		settings->sae_pwd_len =
10291 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10292 	}
10293 
10294 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10295 		settings->sae_pwe =
10296 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10297 	else
10298 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10299 
10300 	return 0;
10301 }
10302 
10303 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10304 {
10305 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10306 	struct net_device *dev = info->user_ptr[1];
10307 	struct ieee80211_channel *chan;
10308 	struct cfg80211_assoc_request req = {};
10309 	const u8 *bssid, *ssid;
10310 	int err, ssid_len = 0;
10311 	u32 freq;
10312 
10313 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10314 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10315 		return -EPERM;
10316 
10317 	if (!info->attrs[NL80211_ATTR_MAC] ||
10318 	    !info->attrs[NL80211_ATTR_SSID] ||
10319 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10320 		return -EINVAL;
10321 
10322 	if (!rdev->ops->assoc)
10323 		return -EOPNOTSUPP;
10324 
10325 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10326 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10327 		return -EOPNOTSUPP;
10328 
10329 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10330 
10331 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10332 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10333 		freq +=
10334 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10335 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10336 	if (!chan)
10337 		return -EINVAL;
10338 
10339 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10340 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10341 
10342 	if (info->attrs[NL80211_ATTR_IE]) {
10343 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10344 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10345 	}
10346 
10347 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10348 		enum nl80211_mfp mfp =
10349 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10350 		if (mfp == NL80211_MFP_REQUIRED)
10351 			req.use_mfp = true;
10352 		else if (mfp != NL80211_MFP_NO)
10353 			return -EINVAL;
10354 	}
10355 
10356 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10357 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10358 
10359 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10360 		req.flags |= ASSOC_REQ_DISABLE_HT;
10361 
10362 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10363 		memcpy(&req.ht_capa_mask,
10364 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10365 		       sizeof(req.ht_capa_mask));
10366 
10367 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10368 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10369 			return -EINVAL;
10370 		memcpy(&req.ht_capa,
10371 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10372 		       sizeof(req.ht_capa));
10373 	}
10374 
10375 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10376 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10377 
10378 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10379 		req.flags |= ASSOC_REQ_DISABLE_HE;
10380 
10381 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10382 		memcpy(&req.vht_capa_mask,
10383 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10384 		       sizeof(req.vht_capa_mask));
10385 
10386 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10387 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10388 			return -EINVAL;
10389 		memcpy(&req.vht_capa,
10390 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10391 		       sizeof(req.vht_capa));
10392 	}
10393 
10394 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10395 		if (!((rdev->wiphy.features &
10396 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10397 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10398 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10399 					     NL80211_EXT_FEATURE_RRM))
10400 			return -EINVAL;
10401 		req.flags |= ASSOC_REQ_USE_RRM;
10402 	}
10403 
10404 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10405 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10406 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10407 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10408 			return -EINVAL;
10409 		req.fils_nonces =
10410 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10411 	}
10412 
10413 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10414 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10415 			return -EINVAL;
10416 		memcpy(&req.s1g_capa_mask,
10417 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10418 		       sizeof(req.s1g_capa_mask));
10419 	}
10420 
10421 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10422 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10423 			return -EINVAL;
10424 		memcpy(&req.s1g_capa,
10425 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10426 		       sizeof(req.s1g_capa));
10427 	}
10428 
10429 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10430 	if (!err) {
10431 		wdev_lock(dev->ieee80211_ptr);
10432 
10433 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10434 					  ssid, ssid_len, &req);
10435 
10436 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10437 			dev->ieee80211_ptr->conn_owner_nlportid =
10438 				info->snd_portid;
10439 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10440 			       bssid, ETH_ALEN);
10441 		}
10442 
10443 		wdev_unlock(dev->ieee80211_ptr);
10444 	}
10445 
10446 	return err;
10447 }
10448 
10449 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10450 {
10451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10452 	struct net_device *dev = info->user_ptr[1];
10453 	const u8 *ie = NULL, *bssid;
10454 	int ie_len = 0, err;
10455 	u16 reason_code;
10456 	bool local_state_change;
10457 
10458 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10459 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10460 		return -EPERM;
10461 
10462 	if (!info->attrs[NL80211_ATTR_MAC])
10463 		return -EINVAL;
10464 
10465 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10466 		return -EINVAL;
10467 
10468 	if (!rdev->ops->deauth)
10469 		return -EOPNOTSUPP;
10470 
10471 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10472 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10473 		return -EOPNOTSUPP;
10474 
10475 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10476 
10477 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10478 	if (reason_code == 0) {
10479 		/* Reason Code 0 is reserved */
10480 		return -EINVAL;
10481 	}
10482 
10483 	if (info->attrs[NL80211_ATTR_IE]) {
10484 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10485 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10486 	}
10487 
10488 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10489 
10490 	wdev_lock(dev->ieee80211_ptr);
10491 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10492 				   local_state_change);
10493 	wdev_unlock(dev->ieee80211_ptr);
10494 	return err;
10495 }
10496 
10497 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10498 {
10499 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10500 	struct net_device *dev = info->user_ptr[1];
10501 	const u8 *ie = NULL, *bssid;
10502 	int ie_len = 0, err;
10503 	u16 reason_code;
10504 	bool local_state_change;
10505 
10506 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10507 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10508 		return -EPERM;
10509 
10510 	if (!info->attrs[NL80211_ATTR_MAC])
10511 		return -EINVAL;
10512 
10513 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10514 		return -EINVAL;
10515 
10516 	if (!rdev->ops->disassoc)
10517 		return -EOPNOTSUPP;
10518 
10519 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10520 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10521 		return -EOPNOTSUPP;
10522 
10523 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10524 
10525 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10526 	if (reason_code == 0) {
10527 		/* Reason Code 0 is reserved */
10528 		return -EINVAL;
10529 	}
10530 
10531 	if (info->attrs[NL80211_ATTR_IE]) {
10532 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10533 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10534 	}
10535 
10536 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10537 
10538 	wdev_lock(dev->ieee80211_ptr);
10539 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10540 				     local_state_change);
10541 	wdev_unlock(dev->ieee80211_ptr);
10542 	return err;
10543 }
10544 
10545 static bool
10546 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10547 			 int mcast_rate[NUM_NL80211_BANDS],
10548 			 int rateval)
10549 {
10550 	struct wiphy *wiphy = &rdev->wiphy;
10551 	bool found = false;
10552 	int band, i;
10553 
10554 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10555 		struct ieee80211_supported_band *sband;
10556 
10557 		sband = wiphy->bands[band];
10558 		if (!sband)
10559 			continue;
10560 
10561 		for (i = 0; i < sband->n_bitrates; i++) {
10562 			if (sband->bitrates[i].bitrate == rateval) {
10563 				mcast_rate[band] = i + 1;
10564 				found = true;
10565 				break;
10566 			}
10567 		}
10568 	}
10569 
10570 	return found;
10571 }
10572 
10573 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10574 {
10575 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10576 	struct net_device *dev = info->user_ptr[1];
10577 	struct cfg80211_ibss_params ibss;
10578 	struct wiphy *wiphy;
10579 	struct cfg80211_cached_keys *connkeys = NULL;
10580 	int err;
10581 
10582 	memset(&ibss, 0, sizeof(ibss));
10583 
10584 	if (!info->attrs[NL80211_ATTR_SSID] ||
10585 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10586 		return -EINVAL;
10587 
10588 	ibss.beacon_interval = 100;
10589 
10590 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10591 		ibss.beacon_interval =
10592 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10593 
10594 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10595 					   ibss.beacon_interval);
10596 	if (err)
10597 		return err;
10598 
10599 	if (!rdev->ops->join_ibss)
10600 		return -EOPNOTSUPP;
10601 
10602 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10603 		return -EOPNOTSUPP;
10604 
10605 	wiphy = &rdev->wiphy;
10606 
10607 	if (info->attrs[NL80211_ATTR_MAC]) {
10608 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10609 
10610 		if (!is_valid_ether_addr(ibss.bssid))
10611 			return -EINVAL;
10612 	}
10613 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10614 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10615 
10616 	if (info->attrs[NL80211_ATTR_IE]) {
10617 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10618 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10619 	}
10620 
10621 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10622 	if (err)
10623 		return err;
10624 
10625 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10626 				     NL80211_IFTYPE_ADHOC))
10627 		return -EINVAL;
10628 
10629 	switch (ibss.chandef.width) {
10630 	case NL80211_CHAN_WIDTH_5:
10631 	case NL80211_CHAN_WIDTH_10:
10632 	case NL80211_CHAN_WIDTH_20_NOHT:
10633 		break;
10634 	case NL80211_CHAN_WIDTH_20:
10635 	case NL80211_CHAN_WIDTH_40:
10636 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10637 			return -EINVAL;
10638 		break;
10639 	case NL80211_CHAN_WIDTH_80:
10640 	case NL80211_CHAN_WIDTH_80P80:
10641 	case NL80211_CHAN_WIDTH_160:
10642 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10643 			return -EINVAL;
10644 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10645 					     NL80211_EXT_FEATURE_VHT_IBSS))
10646 			return -EINVAL;
10647 		break;
10648 	case NL80211_CHAN_WIDTH_320:
10649 		return -EINVAL;
10650 	default:
10651 		return -EINVAL;
10652 	}
10653 
10654 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10655 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10656 
10657 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10658 		u8 *rates =
10659 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10660 		int n_rates =
10661 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10662 		struct ieee80211_supported_band *sband =
10663 			wiphy->bands[ibss.chandef.chan->band];
10664 
10665 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10666 					     &ibss.basic_rates);
10667 		if (err)
10668 			return err;
10669 	}
10670 
10671 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10672 		memcpy(&ibss.ht_capa_mask,
10673 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10674 		       sizeof(ibss.ht_capa_mask));
10675 
10676 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10677 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10678 			return -EINVAL;
10679 		memcpy(&ibss.ht_capa,
10680 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10681 		       sizeof(ibss.ht_capa));
10682 	}
10683 
10684 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10685 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10686 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10687 		return -EINVAL;
10688 
10689 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10690 		bool no_ht = false;
10691 
10692 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10693 		if (IS_ERR(connkeys))
10694 			return PTR_ERR(connkeys);
10695 
10696 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10697 		    no_ht) {
10698 			kfree_sensitive(connkeys);
10699 			return -EINVAL;
10700 		}
10701 	}
10702 
10703 	ibss.control_port =
10704 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10705 
10706 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10707 		int r = validate_pae_over_nl80211(rdev, info);
10708 
10709 		if (r < 0) {
10710 			kfree_sensitive(connkeys);
10711 			return r;
10712 		}
10713 
10714 		ibss.control_port_over_nl80211 = true;
10715 	}
10716 
10717 	ibss.userspace_handles_dfs =
10718 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10719 
10720 	wdev_lock(dev->ieee80211_ptr);
10721 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10722 	if (err)
10723 		kfree_sensitive(connkeys);
10724 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10725 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10726 	wdev_unlock(dev->ieee80211_ptr);
10727 
10728 	return err;
10729 }
10730 
10731 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10732 {
10733 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10734 	struct net_device *dev = info->user_ptr[1];
10735 
10736 	if (!rdev->ops->leave_ibss)
10737 		return -EOPNOTSUPP;
10738 
10739 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10740 		return -EOPNOTSUPP;
10741 
10742 	return cfg80211_leave_ibss(rdev, dev, false);
10743 }
10744 
10745 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10746 {
10747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10748 	struct net_device *dev = info->user_ptr[1];
10749 	int mcast_rate[NUM_NL80211_BANDS];
10750 	u32 nla_rate;
10751 	int err;
10752 
10753 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10754 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10755 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10756 		return -EOPNOTSUPP;
10757 
10758 	if (!rdev->ops->set_mcast_rate)
10759 		return -EOPNOTSUPP;
10760 
10761 	memset(mcast_rate, 0, sizeof(mcast_rate));
10762 
10763 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10764 		return -EINVAL;
10765 
10766 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10767 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10768 		return -EINVAL;
10769 
10770 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10771 
10772 	return err;
10773 }
10774 
10775 static struct sk_buff *
10776 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10777 			    struct wireless_dev *wdev, int approxlen,
10778 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10779 			    enum nl80211_attrs attr,
10780 			    const struct nl80211_vendor_cmd_info *info,
10781 			    gfp_t gfp)
10782 {
10783 	struct sk_buff *skb;
10784 	void *hdr;
10785 	struct nlattr *data;
10786 
10787 	skb = nlmsg_new(approxlen + 100, gfp);
10788 	if (!skb)
10789 		return NULL;
10790 
10791 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10792 	if (!hdr) {
10793 		kfree_skb(skb);
10794 		return NULL;
10795 	}
10796 
10797 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10798 		goto nla_put_failure;
10799 
10800 	if (info) {
10801 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10802 				info->vendor_id))
10803 			goto nla_put_failure;
10804 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10805 				info->subcmd))
10806 			goto nla_put_failure;
10807 	}
10808 
10809 	if (wdev) {
10810 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10811 				      wdev_id(wdev), NL80211_ATTR_PAD))
10812 			goto nla_put_failure;
10813 		if (wdev->netdev &&
10814 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10815 				wdev->netdev->ifindex))
10816 			goto nla_put_failure;
10817 	}
10818 
10819 	data = nla_nest_start_noflag(skb, attr);
10820 	if (!data)
10821 		goto nla_put_failure;
10822 
10823 	((void **)skb->cb)[0] = rdev;
10824 	((void **)skb->cb)[1] = hdr;
10825 	((void **)skb->cb)[2] = data;
10826 
10827 	return skb;
10828 
10829  nla_put_failure:
10830 	kfree_skb(skb);
10831 	return NULL;
10832 }
10833 
10834 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10835 					   struct wireless_dev *wdev,
10836 					   enum nl80211_commands cmd,
10837 					   enum nl80211_attrs attr,
10838 					   unsigned int portid,
10839 					   int vendor_event_idx,
10840 					   int approxlen, gfp_t gfp)
10841 {
10842 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10843 	const struct nl80211_vendor_cmd_info *info;
10844 
10845 	switch (cmd) {
10846 	case NL80211_CMD_TESTMODE:
10847 		if (WARN_ON(vendor_event_idx != -1))
10848 			return NULL;
10849 		info = NULL;
10850 		break;
10851 	case NL80211_CMD_VENDOR:
10852 		if (WARN_ON(vendor_event_idx < 0 ||
10853 			    vendor_event_idx >= wiphy->n_vendor_events))
10854 			return NULL;
10855 		info = &wiphy->vendor_events[vendor_event_idx];
10856 		break;
10857 	default:
10858 		WARN_ON(1);
10859 		return NULL;
10860 	}
10861 
10862 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10863 					   cmd, attr, info, gfp);
10864 }
10865 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10866 
10867 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10868 {
10869 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10870 	void *hdr = ((void **)skb->cb)[1];
10871 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10872 	struct nlattr *data = ((void **)skb->cb)[2];
10873 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10874 
10875 	/* clear CB data for netlink core to own from now on */
10876 	memset(skb->cb, 0, sizeof(skb->cb));
10877 
10878 	nla_nest_end(skb, data);
10879 	genlmsg_end(skb, hdr);
10880 
10881 	if (nlhdr->nlmsg_pid) {
10882 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10883 				nlhdr->nlmsg_pid);
10884 	} else {
10885 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10886 			mcgrp = NL80211_MCGRP_VENDOR;
10887 
10888 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10889 					skb, 0, mcgrp, gfp);
10890 	}
10891 }
10892 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10893 
10894 #ifdef CONFIG_NL80211_TESTMODE
10895 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10896 {
10897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10898 	struct wireless_dev *wdev;
10899 	int err;
10900 
10901 	lockdep_assert_held(&rdev->wiphy.mtx);
10902 
10903 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10904 					  info->attrs);
10905 
10906 	if (!rdev->ops->testmode_cmd)
10907 		return -EOPNOTSUPP;
10908 
10909 	if (IS_ERR(wdev)) {
10910 		err = PTR_ERR(wdev);
10911 		if (err != -EINVAL)
10912 			return err;
10913 		wdev = NULL;
10914 	} else if (wdev->wiphy != &rdev->wiphy) {
10915 		return -EINVAL;
10916 	}
10917 
10918 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10919 		return -EINVAL;
10920 
10921 	rdev->cur_cmd_info = info;
10922 	err = rdev_testmode_cmd(rdev, wdev,
10923 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10924 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10925 	rdev->cur_cmd_info = NULL;
10926 
10927 	return err;
10928 }
10929 
10930 static int nl80211_testmode_dump(struct sk_buff *skb,
10931 				 struct netlink_callback *cb)
10932 {
10933 	struct cfg80211_registered_device *rdev;
10934 	struct nlattr **attrbuf = NULL;
10935 	int err;
10936 	long phy_idx;
10937 	void *data = NULL;
10938 	int data_len = 0;
10939 
10940 	rtnl_lock();
10941 
10942 	if (cb->args[0]) {
10943 		/*
10944 		 * 0 is a valid index, but not valid for args[0],
10945 		 * so we need to offset by 1.
10946 		 */
10947 		phy_idx = cb->args[0] - 1;
10948 
10949 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10950 		if (!rdev) {
10951 			err = -ENOENT;
10952 			goto out_err;
10953 		}
10954 	} else {
10955 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10956 				  GFP_KERNEL);
10957 		if (!attrbuf) {
10958 			err = -ENOMEM;
10959 			goto out_err;
10960 		}
10961 
10962 		err = nlmsg_parse_deprecated(cb->nlh,
10963 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10964 					     attrbuf, nl80211_fam.maxattr,
10965 					     nl80211_policy, NULL);
10966 		if (err)
10967 			goto out_err;
10968 
10969 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10970 		if (IS_ERR(rdev)) {
10971 			err = PTR_ERR(rdev);
10972 			goto out_err;
10973 		}
10974 		phy_idx = rdev->wiphy_idx;
10975 
10976 		if (attrbuf[NL80211_ATTR_TESTDATA])
10977 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10978 	}
10979 
10980 	if (cb->args[1]) {
10981 		data = nla_data((void *)cb->args[1]);
10982 		data_len = nla_len((void *)cb->args[1]);
10983 	}
10984 
10985 	if (!rdev->ops->testmode_dump) {
10986 		err = -EOPNOTSUPP;
10987 		goto out_err;
10988 	}
10989 
10990 	while (1) {
10991 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10992 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10993 					   NL80211_CMD_TESTMODE);
10994 		struct nlattr *tmdata;
10995 
10996 		if (!hdr)
10997 			break;
10998 
10999 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11000 			genlmsg_cancel(skb, hdr);
11001 			break;
11002 		}
11003 
11004 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11005 		if (!tmdata) {
11006 			genlmsg_cancel(skb, hdr);
11007 			break;
11008 		}
11009 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11010 		nla_nest_end(skb, tmdata);
11011 
11012 		if (err == -ENOBUFS || err == -ENOENT) {
11013 			genlmsg_cancel(skb, hdr);
11014 			break;
11015 		} else if (err) {
11016 			genlmsg_cancel(skb, hdr);
11017 			goto out_err;
11018 		}
11019 
11020 		genlmsg_end(skb, hdr);
11021 	}
11022 
11023 	err = skb->len;
11024 	/* see above */
11025 	cb->args[0] = phy_idx + 1;
11026  out_err:
11027 	kfree(attrbuf);
11028 	rtnl_unlock();
11029 	return err;
11030 }
11031 #endif
11032 
11033 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11034 {
11035 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11036 	struct net_device *dev = info->user_ptr[1];
11037 	struct cfg80211_connect_params connect;
11038 	struct wiphy *wiphy;
11039 	struct cfg80211_cached_keys *connkeys = NULL;
11040 	u32 freq = 0;
11041 	int err;
11042 
11043 	memset(&connect, 0, sizeof(connect));
11044 
11045 	if (!info->attrs[NL80211_ATTR_SSID] ||
11046 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11047 		return -EINVAL;
11048 
11049 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11050 		connect.auth_type =
11051 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11052 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11053 					     NL80211_CMD_CONNECT))
11054 			return -EINVAL;
11055 	} else
11056 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11057 
11058 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11059 
11060 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11061 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11062 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11063 		return -EINVAL;
11064 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11065 
11066 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11067 				      NL80211_MAX_NR_CIPHER_SUITES);
11068 	if (err)
11069 		return err;
11070 
11071 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11072 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11073 		return -EOPNOTSUPP;
11074 
11075 	wiphy = &rdev->wiphy;
11076 
11077 	connect.bg_scan_period = -1;
11078 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11079 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11080 		connect.bg_scan_period =
11081 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11082 	}
11083 
11084 	if (info->attrs[NL80211_ATTR_MAC])
11085 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11086 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11087 		connect.bssid_hint =
11088 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11089 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11090 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11091 
11092 	if (info->attrs[NL80211_ATTR_IE]) {
11093 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11094 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11095 	}
11096 
11097 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11098 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11099 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11100 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11101 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11102 			return -EOPNOTSUPP;
11103 	} else {
11104 		connect.mfp = NL80211_MFP_NO;
11105 	}
11106 
11107 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11108 		connect.prev_bssid =
11109 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11110 
11111 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11112 		freq = MHZ_TO_KHZ(nla_get_u32(
11113 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11114 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11115 		freq +=
11116 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11117 
11118 	if (freq) {
11119 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11120 		if (!connect.channel)
11121 			return -EINVAL;
11122 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11123 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11124 		freq = MHZ_TO_KHZ(freq);
11125 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11126 		if (!connect.channel_hint)
11127 			return -EINVAL;
11128 	}
11129 
11130 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11131 		connect.edmg.channels =
11132 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11133 
11134 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11135 			connect.edmg.bw_config =
11136 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11137 	}
11138 
11139 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11140 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11141 		if (IS_ERR(connkeys))
11142 			return PTR_ERR(connkeys);
11143 	}
11144 
11145 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11146 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11147 
11148 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11149 		memcpy(&connect.ht_capa_mask,
11150 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11151 		       sizeof(connect.ht_capa_mask));
11152 
11153 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11154 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11155 			kfree_sensitive(connkeys);
11156 			return -EINVAL;
11157 		}
11158 		memcpy(&connect.ht_capa,
11159 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11160 		       sizeof(connect.ht_capa));
11161 	}
11162 
11163 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11164 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11165 
11166 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11167 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11168 
11169 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11170 		memcpy(&connect.vht_capa_mask,
11171 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11172 		       sizeof(connect.vht_capa_mask));
11173 
11174 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11175 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11176 			kfree_sensitive(connkeys);
11177 			return -EINVAL;
11178 		}
11179 		memcpy(&connect.vht_capa,
11180 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11181 		       sizeof(connect.vht_capa));
11182 	}
11183 
11184 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11185 		if (!((rdev->wiphy.features &
11186 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11187 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11188 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11189 					     NL80211_EXT_FEATURE_RRM)) {
11190 			kfree_sensitive(connkeys);
11191 			return -EINVAL;
11192 		}
11193 		connect.flags |= ASSOC_REQ_USE_RRM;
11194 	}
11195 
11196 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11197 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11198 		kfree_sensitive(connkeys);
11199 		return -EOPNOTSUPP;
11200 	}
11201 
11202 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11203 		/* bss selection makes no sense if bssid is set */
11204 		if (connect.bssid) {
11205 			kfree_sensitive(connkeys);
11206 			return -EINVAL;
11207 		}
11208 
11209 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11210 				       wiphy, &connect.bss_select);
11211 		if (err) {
11212 			kfree_sensitive(connkeys);
11213 			return err;
11214 		}
11215 	}
11216 
11217 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11218 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11219 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11220 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11221 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11222 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11223 		connect.fils_erp_username =
11224 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11225 		connect.fils_erp_username_len =
11226 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11227 		connect.fils_erp_realm =
11228 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11229 		connect.fils_erp_realm_len =
11230 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11231 		connect.fils_erp_next_seq_num =
11232 			nla_get_u16(
11233 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11234 		connect.fils_erp_rrk =
11235 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11236 		connect.fils_erp_rrk_len =
11237 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11238 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11239 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11240 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11241 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11242 		kfree_sensitive(connkeys);
11243 		return -EINVAL;
11244 	}
11245 
11246 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11247 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11248 			kfree_sensitive(connkeys);
11249 			GENL_SET_ERR_MSG(info,
11250 					 "external auth requires connection ownership");
11251 			return -EINVAL;
11252 		}
11253 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11254 	}
11255 
11256 	wdev_lock(dev->ieee80211_ptr);
11257 
11258 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11259 			       connect.prev_bssid);
11260 	if (err)
11261 		kfree_sensitive(connkeys);
11262 
11263 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11264 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11265 		if (connect.bssid)
11266 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11267 			       connect.bssid, ETH_ALEN);
11268 		else
11269 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11270 	}
11271 
11272 	wdev_unlock(dev->ieee80211_ptr);
11273 
11274 	return err;
11275 }
11276 
11277 static int nl80211_update_connect_params(struct sk_buff *skb,
11278 					 struct genl_info *info)
11279 {
11280 	struct cfg80211_connect_params connect = {};
11281 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11282 	struct net_device *dev = info->user_ptr[1];
11283 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11284 	bool fils_sk_offload;
11285 	u32 auth_type;
11286 	u32 changed = 0;
11287 	int ret;
11288 
11289 	if (!rdev->ops->update_connect_params)
11290 		return -EOPNOTSUPP;
11291 
11292 	if (info->attrs[NL80211_ATTR_IE]) {
11293 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11294 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11295 		changed |= UPDATE_ASSOC_IES;
11296 	}
11297 
11298 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11299 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11300 
11301 	/*
11302 	 * when driver supports fils-sk offload all attributes must be
11303 	 * provided. So the else covers "fils-sk-not-all" and
11304 	 * "no-fils-sk-any".
11305 	 */
11306 	if (fils_sk_offload &&
11307 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11308 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11309 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11310 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11311 		connect.fils_erp_username =
11312 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11313 		connect.fils_erp_username_len =
11314 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11315 		connect.fils_erp_realm =
11316 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11317 		connect.fils_erp_realm_len =
11318 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11319 		connect.fils_erp_next_seq_num =
11320 			nla_get_u16(
11321 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11322 		connect.fils_erp_rrk =
11323 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11324 		connect.fils_erp_rrk_len =
11325 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11326 		changed |= UPDATE_FILS_ERP_INFO;
11327 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11328 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11329 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11330 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11331 		return -EINVAL;
11332 	}
11333 
11334 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11335 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11336 		if (!nl80211_valid_auth_type(rdev, auth_type,
11337 					     NL80211_CMD_CONNECT))
11338 			return -EINVAL;
11339 
11340 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11341 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11342 			return -EINVAL;
11343 
11344 		connect.auth_type = auth_type;
11345 		changed |= UPDATE_AUTH_TYPE;
11346 	}
11347 
11348 	wdev_lock(dev->ieee80211_ptr);
11349 	if (!wdev->current_bss)
11350 		ret = -ENOLINK;
11351 	else
11352 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11353 	wdev_unlock(dev->ieee80211_ptr);
11354 
11355 	return ret;
11356 }
11357 
11358 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11359 {
11360 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11361 	struct net_device *dev = info->user_ptr[1];
11362 	u16 reason;
11363 	int ret;
11364 
11365 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11366 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11367 		return -EPERM;
11368 
11369 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11370 		reason = WLAN_REASON_DEAUTH_LEAVING;
11371 	else
11372 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11373 
11374 	if (reason == 0)
11375 		return -EINVAL;
11376 
11377 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11378 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11379 		return -EOPNOTSUPP;
11380 
11381 	wdev_lock(dev->ieee80211_ptr);
11382 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11383 	wdev_unlock(dev->ieee80211_ptr);
11384 	return ret;
11385 }
11386 
11387 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11388 {
11389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11390 	struct net *net;
11391 	int err;
11392 
11393 	if (info->attrs[NL80211_ATTR_PID]) {
11394 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11395 
11396 		net = get_net_ns_by_pid(pid);
11397 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11398 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11399 
11400 		net = get_net_ns_by_fd(fd);
11401 	} else {
11402 		return -EINVAL;
11403 	}
11404 
11405 	if (IS_ERR(net))
11406 		return PTR_ERR(net);
11407 
11408 	err = 0;
11409 
11410 	/* check if anything to do */
11411 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11412 		err = cfg80211_switch_netns(rdev, net);
11413 
11414 	put_net(net);
11415 	return err;
11416 }
11417 
11418 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11419 {
11420 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11421 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11422 			struct cfg80211_pmksa *pmksa) = NULL;
11423 	struct net_device *dev = info->user_ptr[1];
11424 	struct cfg80211_pmksa pmksa;
11425 
11426 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11427 
11428 	if (!info->attrs[NL80211_ATTR_PMKID])
11429 		return -EINVAL;
11430 
11431 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11432 
11433 	if (info->attrs[NL80211_ATTR_MAC]) {
11434 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11435 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11436 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11437 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11438 		    info->attrs[NL80211_ATTR_PMK])) {
11439 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11440 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11441 		pmksa.cache_id =
11442 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11443 	} else {
11444 		return -EINVAL;
11445 	}
11446 	if (info->attrs[NL80211_ATTR_PMK]) {
11447 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11448 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11449 	}
11450 
11451 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11452 		pmksa.pmk_lifetime =
11453 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11454 
11455 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11456 		pmksa.pmk_reauth_threshold =
11457 			nla_get_u8(
11458 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11459 
11460 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11461 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11462 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11463 	      wiphy_ext_feature_isset(&rdev->wiphy,
11464 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11465 		return -EOPNOTSUPP;
11466 
11467 	switch (info->genlhdr->cmd) {
11468 	case NL80211_CMD_SET_PMKSA:
11469 		rdev_ops = rdev->ops->set_pmksa;
11470 		break;
11471 	case NL80211_CMD_DEL_PMKSA:
11472 		rdev_ops = rdev->ops->del_pmksa;
11473 		break;
11474 	default:
11475 		WARN_ON(1);
11476 		break;
11477 	}
11478 
11479 	if (!rdev_ops)
11480 		return -EOPNOTSUPP;
11481 
11482 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11483 }
11484 
11485 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11486 {
11487 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11488 	struct net_device *dev = info->user_ptr[1];
11489 
11490 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11491 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11492 		return -EOPNOTSUPP;
11493 
11494 	if (!rdev->ops->flush_pmksa)
11495 		return -EOPNOTSUPP;
11496 
11497 	return rdev_flush_pmksa(rdev, dev);
11498 }
11499 
11500 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11501 {
11502 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11503 	struct net_device *dev = info->user_ptr[1];
11504 	u8 action_code, dialog_token;
11505 	u32 peer_capability = 0;
11506 	u16 status_code;
11507 	u8 *peer;
11508 	bool initiator;
11509 
11510 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11511 	    !rdev->ops->tdls_mgmt)
11512 		return -EOPNOTSUPP;
11513 
11514 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11515 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11516 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11517 	    !info->attrs[NL80211_ATTR_IE] ||
11518 	    !info->attrs[NL80211_ATTR_MAC])
11519 		return -EINVAL;
11520 
11521 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11522 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11523 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11524 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11525 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11526 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11527 		peer_capability =
11528 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11529 
11530 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11531 			      dialog_token, status_code, peer_capability,
11532 			      initiator,
11533 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11534 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11535 }
11536 
11537 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11538 {
11539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11540 	struct net_device *dev = info->user_ptr[1];
11541 	enum nl80211_tdls_operation operation;
11542 	u8 *peer;
11543 
11544 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11545 	    !rdev->ops->tdls_oper)
11546 		return -EOPNOTSUPP;
11547 
11548 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11549 	    !info->attrs[NL80211_ATTR_MAC])
11550 		return -EINVAL;
11551 
11552 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11553 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11554 
11555 	return rdev_tdls_oper(rdev, dev, peer, operation);
11556 }
11557 
11558 static int nl80211_remain_on_channel(struct sk_buff *skb,
11559 				     struct genl_info *info)
11560 {
11561 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11562 	struct wireless_dev *wdev = info->user_ptr[1];
11563 	struct cfg80211_chan_def chandef;
11564 	const struct cfg80211_chan_def *compat_chandef;
11565 	struct sk_buff *msg;
11566 	void *hdr;
11567 	u64 cookie;
11568 	u32 duration;
11569 	int err;
11570 
11571 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11572 	    !info->attrs[NL80211_ATTR_DURATION])
11573 		return -EINVAL;
11574 
11575 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11576 
11577 	if (!rdev->ops->remain_on_channel ||
11578 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11579 		return -EOPNOTSUPP;
11580 
11581 	/*
11582 	 * We should be on that channel for at least a minimum amount of
11583 	 * time (10ms) but no longer than the driver supports.
11584 	 */
11585 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11586 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11587 		return -EINVAL;
11588 
11589 	err = nl80211_parse_chandef(rdev, info, &chandef);
11590 	if (err)
11591 		return err;
11592 
11593 	wdev_lock(wdev);
11594 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11595 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11596 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11597 							     &chandef);
11598 		if (compat_chandef != &chandef) {
11599 			wdev_unlock(wdev);
11600 			return -EBUSY;
11601 		}
11602 	}
11603 	wdev_unlock(wdev);
11604 
11605 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11606 	if (!msg)
11607 		return -ENOMEM;
11608 
11609 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11610 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11611 	if (!hdr) {
11612 		err = -ENOBUFS;
11613 		goto free_msg;
11614 	}
11615 
11616 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11617 				     duration, &cookie);
11618 
11619 	if (err)
11620 		goto free_msg;
11621 
11622 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11623 			      NL80211_ATTR_PAD))
11624 		goto nla_put_failure;
11625 
11626 	genlmsg_end(msg, hdr);
11627 
11628 	return genlmsg_reply(msg, info);
11629 
11630  nla_put_failure:
11631 	err = -ENOBUFS;
11632  free_msg:
11633 	nlmsg_free(msg);
11634 	return err;
11635 }
11636 
11637 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11638 					    struct genl_info *info)
11639 {
11640 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11641 	struct wireless_dev *wdev = info->user_ptr[1];
11642 	u64 cookie;
11643 
11644 	if (!info->attrs[NL80211_ATTR_COOKIE])
11645 		return -EINVAL;
11646 
11647 	if (!rdev->ops->cancel_remain_on_channel)
11648 		return -EOPNOTSUPP;
11649 
11650 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11651 
11652 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11653 }
11654 
11655 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11656 				       struct genl_info *info)
11657 {
11658 	struct cfg80211_bitrate_mask mask;
11659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11660 	struct net_device *dev = info->user_ptr[1];
11661 	int err;
11662 
11663 	if (!rdev->ops->set_bitrate_mask)
11664 		return -EOPNOTSUPP;
11665 
11666 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11667 					    NL80211_ATTR_TX_RATES, &mask,
11668 					    dev, true);
11669 	if (err)
11670 		return err;
11671 
11672 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11673 }
11674 
11675 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11676 {
11677 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11678 	struct wireless_dev *wdev = info->user_ptr[1];
11679 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11680 
11681 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11682 		return -EINVAL;
11683 
11684 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11685 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11686 
11687 	switch (wdev->iftype) {
11688 	case NL80211_IFTYPE_STATION:
11689 	case NL80211_IFTYPE_ADHOC:
11690 	case NL80211_IFTYPE_P2P_CLIENT:
11691 	case NL80211_IFTYPE_AP:
11692 	case NL80211_IFTYPE_AP_VLAN:
11693 	case NL80211_IFTYPE_MESH_POINT:
11694 	case NL80211_IFTYPE_P2P_GO:
11695 	case NL80211_IFTYPE_P2P_DEVICE:
11696 		break;
11697 	case NL80211_IFTYPE_NAN:
11698 	default:
11699 		return -EOPNOTSUPP;
11700 	}
11701 
11702 	/* not much point in registering if we can't reply */
11703 	if (!rdev->ops->mgmt_tx)
11704 		return -EOPNOTSUPP;
11705 
11706 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11707 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11708 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11709 		GENL_SET_ERR_MSG(info,
11710 				 "multicast RX registrations are not supported");
11711 		return -EOPNOTSUPP;
11712 	}
11713 
11714 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11715 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11716 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11717 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11718 					   info->extack);
11719 }
11720 
11721 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11722 {
11723 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11724 	struct wireless_dev *wdev = info->user_ptr[1];
11725 	struct cfg80211_chan_def chandef;
11726 	int err;
11727 	void *hdr = NULL;
11728 	u64 cookie;
11729 	struct sk_buff *msg = NULL;
11730 	struct cfg80211_mgmt_tx_params params = {
11731 		.dont_wait_for_ack =
11732 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11733 	};
11734 
11735 	if (!info->attrs[NL80211_ATTR_FRAME])
11736 		return -EINVAL;
11737 
11738 	if (!rdev->ops->mgmt_tx)
11739 		return -EOPNOTSUPP;
11740 
11741 	switch (wdev->iftype) {
11742 	case NL80211_IFTYPE_P2P_DEVICE:
11743 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11744 			return -EINVAL;
11745 		break;
11746 	case NL80211_IFTYPE_STATION:
11747 	case NL80211_IFTYPE_ADHOC:
11748 	case NL80211_IFTYPE_P2P_CLIENT:
11749 	case NL80211_IFTYPE_AP:
11750 	case NL80211_IFTYPE_AP_VLAN:
11751 	case NL80211_IFTYPE_MESH_POINT:
11752 	case NL80211_IFTYPE_P2P_GO:
11753 		break;
11754 	case NL80211_IFTYPE_NAN:
11755 	default:
11756 		return -EOPNOTSUPP;
11757 	}
11758 
11759 	if (info->attrs[NL80211_ATTR_DURATION]) {
11760 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11761 			return -EINVAL;
11762 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11763 
11764 		/*
11765 		 * We should wait on the channel for at least a minimum amount
11766 		 * of time (10ms) but no longer than the driver supports.
11767 		 */
11768 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11769 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11770 			return -EINVAL;
11771 	}
11772 
11773 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11774 
11775 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11776 		return -EINVAL;
11777 
11778 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11779 
11780 	/* get the channel if any has been specified, otherwise pass NULL to
11781 	 * the driver. The latter will use the current one
11782 	 */
11783 	chandef.chan = NULL;
11784 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11785 		err = nl80211_parse_chandef(rdev, info, &chandef);
11786 		if (err)
11787 			return err;
11788 	}
11789 
11790 	if (!chandef.chan && params.offchan)
11791 		return -EINVAL;
11792 
11793 	wdev_lock(wdev);
11794 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11795 		wdev_unlock(wdev);
11796 		return -EBUSY;
11797 	}
11798 	wdev_unlock(wdev);
11799 
11800 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11801 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11802 
11803 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11804 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11805 		int i;
11806 
11807 		if (len % sizeof(u16))
11808 			return -EINVAL;
11809 
11810 		params.n_csa_offsets = len / sizeof(u16);
11811 		params.csa_offsets =
11812 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11813 
11814 		/* check that all the offsets fit the frame */
11815 		for (i = 0; i < params.n_csa_offsets; i++) {
11816 			if (params.csa_offsets[i] >= params.len)
11817 				return -EINVAL;
11818 		}
11819 	}
11820 
11821 	if (!params.dont_wait_for_ack) {
11822 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11823 		if (!msg)
11824 			return -ENOMEM;
11825 
11826 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11827 				     NL80211_CMD_FRAME);
11828 		if (!hdr) {
11829 			err = -ENOBUFS;
11830 			goto free_msg;
11831 		}
11832 	}
11833 
11834 	params.chan = chandef.chan;
11835 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11836 	if (err)
11837 		goto free_msg;
11838 
11839 	if (msg) {
11840 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11841 				      NL80211_ATTR_PAD))
11842 			goto nla_put_failure;
11843 
11844 		genlmsg_end(msg, hdr);
11845 		return genlmsg_reply(msg, info);
11846 	}
11847 
11848 	return 0;
11849 
11850  nla_put_failure:
11851 	err = -ENOBUFS;
11852  free_msg:
11853 	nlmsg_free(msg);
11854 	return err;
11855 }
11856 
11857 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11858 {
11859 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11860 	struct wireless_dev *wdev = info->user_ptr[1];
11861 	u64 cookie;
11862 
11863 	if (!info->attrs[NL80211_ATTR_COOKIE])
11864 		return -EINVAL;
11865 
11866 	if (!rdev->ops->mgmt_tx_cancel_wait)
11867 		return -EOPNOTSUPP;
11868 
11869 	switch (wdev->iftype) {
11870 	case NL80211_IFTYPE_STATION:
11871 	case NL80211_IFTYPE_ADHOC:
11872 	case NL80211_IFTYPE_P2P_CLIENT:
11873 	case NL80211_IFTYPE_AP:
11874 	case NL80211_IFTYPE_AP_VLAN:
11875 	case NL80211_IFTYPE_P2P_GO:
11876 	case NL80211_IFTYPE_P2P_DEVICE:
11877 		break;
11878 	case NL80211_IFTYPE_NAN:
11879 	default:
11880 		return -EOPNOTSUPP;
11881 	}
11882 
11883 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11884 
11885 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11886 }
11887 
11888 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11889 {
11890 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11891 	struct wireless_dev *wdev;
11892 	struct net_device *dev = info->user_ptr[1];
11893 	u8 ps_state;
11894 	bool state;
11895 	int err;
11896 
11897 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11898 		return -EINVAL;
11899 
11900 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11901 
11902 	wdev = dev->ieee80211_ptr;
11903 
11904 	if (!rdev->ops->set_power_mgmt)
11905 		return -EOPNOTSUPP;
11906 
11907 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11908 
11909 	if (state == wdev->ps)
11910 		return 0;
11911 
11912 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11913 	if (!err)
11914 		wdev->ps = state;
11915 	return err;
11916 }
11917 
11918 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11919 {
11920 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11921 	enum nl80211_ps_state ps_state;
11922 	struct wireless_dev *wdev;
11923 	struct net_device *dev = info->user_ptr[1];
11924 	struct sk_buff *msg;
11925 	void *hdr;
11926 	int err;
11927 
11928 	wdev = dev->ieee80211_ptr;
11929 
11930 	if (!rdev->ops->set_power_mgmt)
11931 		return -EOPNOTSUPP;
11932 
11933 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11934 	if (!msg)
11935 		return -ENOMEM;
11936 
11937 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11938 			     NL80211_CMD_GET_POWER_SAVE);
11939 	if (!hdr) {
11940 		err = -ENOBUFS;
11941 		goto free_msg;
11942 	}
11943 
11944 	if (wdev->ps)
11945 		ps_state = NL80211_PS_ENABLED;
11946 	else
11947 		ps_state = NL80211_PS_DISABLED;
11948 
11949 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11950 		goto nla_put_failure;
11951 
11952 	genlmsg_end(msg, hdr);
11953 	return genlmsg_reply(msg, info);
11954 
11955  nla_put_failure:
11956 	err = -ENOBUFS;
11957  free_msg:
11958 	nlmsg_free(msg);
11959 	return err;
11960 }
11961 
11962 static const struct nla_policy
11963 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11964 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11965 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11966 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11967 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11968 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11969 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11970 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11971 };
11972 
11973 static int nl80211_set_cqm_txe(struct genl_info *info,
11974 			       u32 rate, u32 pkts, u32 intvl)
11975 {
11976 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11977 	struct net_device *dev = info->user_ptr[1];
11978 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11979 
11980 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11981 		return -EINVAL;
11982 
11983 	if (!rdev->ops->set_cqm_txe_config)
11984 		return -EOPNOTSUPP;
11985 
11986 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11987 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11988 		return -EOPNOTSUPP;
11989 
11990 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11991 }
11992 
11993 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11994 				    struct net_device *dev)
11995 {
11996 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11997 	s32 last, low, high;
11998 	u32 hyst;
11999 	int i, n, low_index;
12000 	int err;
12001 
12002 	/* RSSI reporting disabled? */
12003 	if (!wdev->cqm_config)
12004 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12005 
12006 	/*
12007 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12008 	 * event has been received yet, we should receive an event after a
12009 	 * connection is established and enough beacons received to calculate
12010 	 * the average.
12011 	 */
12012 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
12013 	    rdev->ops->get_station) {
12014 		struct station_info sinfo = {};
12015 		u8 *mac_addr;
12016 
12017 		mac_addr = wdev->current_bss->pub.bssid;
12018 
12019 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12020 		if (err)
12021 			return err;
12022 
12023 		cfg80211_sinfo_release_content(&sinfo);
12024 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12025 			wdev->cqm_config->last_rssi_event_value =
12026 				(s8) sinfo.rx_beacon_signal_avg;
12027 	}
12028 
12029 	last = wdev->cqm_config->last_rssi_event_value;
12030 	hyst = wdev->cqm_config->rssi_hyst;
12031 	n = wdev->cqm_config->n_rssi_thresholds;
12032 
12033 	for (i = 0; i < n; i++) {
12034 		i = array_index_nospec(i, n);
12035 		if (last < wdev->cqm_config->rssi_thresholds[i])
12036 			break;
12037 	}
12038 
12039 	low_index = i - 1;
12040 	if (low_index >= 0) {
12041 		low_index = array_index_nospec(low_index, n);
12042 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12043 	} else {
12044 		low = S32_MIN;
12045 	}
12046 	if (i < n) {
12047 		i = array_index_nospec(i, n);
12048 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12049 	} else {
12050 		high = S32_MAX;
12051 	}
12052 
12053 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12054 }
12055 
12056 static int nl80211_set_cqm_rssi(struct genl_info *info,
12057 				const s32 *thresholds, int n_thresholds,
12058 				u32 hysteresis)
12059 {
12060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12061 	struct net_device *dev = info->user_ptr[1];
12062 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12063 	int i, err;
12064 	s32 prev = S32_MIN;
12065 
12066 	/* Check all values negative and sorted */
12067 	for (i = 0; i < n_thresholds; i++) {
12068 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12069 			return -EINVAL;
12070 
12071 		prev = thresholds[i];
12072 	}
12073 
12074 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12075 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12076 		return -EOPNOTSUPP;
12077 
12078 	wdev_lock(wdev);
12079 	cfg80211_cqm_config_free(wdev);
12080 	wdev_unlock(wdev);
12081 
12082 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12083 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12084 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12085 
12086 		return rdev_set_cqm_rssi_config(rdev, dev,
12087 						thresholds[0], hysteresis);
12088 	}
12089 
12090 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12091 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12092 		return -EOPNOTSUPP;
12093 
12094 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12095 		n_thresholds = 0;
12096 
12097 	wdev_lock(wdev);
12098 	if (n_thresholds) {
12099 		struct cfg80211_cqm_config *cqm_config;
12100 
12101 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12102 						 n_thresholds),
12103 				     GFP_KERNEL);
12104 		if (!cqm_config) {
12105 			err = -ENOMEM;
12106 			goto unlock;
12107 		}
12108 
12109 		cqm_config->rssi_hyst = hysteresis;
12110 		cqm_config->n_rssi_thresholds = n_thresholds;
12111 		memcpy(cqm_config->rssi_thresholds, thresholds,
12112 		       flex_array_size(cqm_config, rssi_thresholds,
12113 				       n_thresholds));
12114 
12115 		wdev->cqm_config = cqm_config;
12116 	}
12117 
12118 	err = cfg80211_cqm_rssi_update(rdev, dev);
12119 
12120 unlock:
12121 	wdev_unlock(wdev);
12122 
12123 	return err;
12124 }
12125 
12126 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12127 {
12128 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12129 	struct nlattr *cqm;
12130 	int err;
12131 
12132 	cqm = info->attrs[NL80211_ATTR_CQM];
12133 	if (!cqm)
12134 		return -EINVAL;
12135 
12136 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12137 					  nl80211_attr_cqm_policy,
12138 					  info->extack);
12139 	if (err)
12140 		return err;
12141 
12142 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12143 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12144 		const s32 *thresholds =
12145 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12146 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12147 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12148 
12149 		if (len % 4)
12150 			return -EINVAL;
12151 
12152 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12153 					    hysteresis);
12154 	}
12155 
12156 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12157 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12158 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12159 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12160 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12161 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12162 
12163 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12164 	}
12165 
12166 	return -EINVAL;
12167 }
12168 
12169 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12170 {
12171 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12172 	struct net_device *dev = info->user_ptr[1];
12173 	struct ocb_setup setup = {};
12174 	int err;
12175 
12176 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12177 	if (err)
12178 		return err;
12179 
12180 	return cfg80211_join_ocb(rdev, dev, &setup);
12181 }
12182 
12183 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12184 {
12185 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12186 	struct net_device *dev = info->user_ptr[1];
12187 
12188 	return cfg80211_leave_ocb(rdev, dev);
12189 }
12190 
12191 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12192 {
12193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12194 	struct net_device *dev = info->user_ptr[1];
12195 	struct mesh_config cfg;
12196 	struct mesh_setup setup;
12197 	int err;
12198 
12199 	/* start with default */
12200 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12201 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12202 
12203 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12204 		/* and parse parameters if given */
12205 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12206 		if (err)
12207 			return err;
12208 	}
12209 
12210 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12211 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12212 		return -EINVAL;
12213 
12214 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12215 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12216 
12217 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12218 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12219 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12220 			return -EINVAL;
12221 
12222 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12223 		setup.beacon_interval =
12224 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12225 
12226 		err = cfg80211_validate_beacon_int(rdev,
12227 						   NL80211_IFTYPE_MESH_POINT,
12228 						   setup.beacon_interval);
12229 		if (err)
12230 			return err;
12231 	}
12232 
12233 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12234 		setup.dtim_period =
12235 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12236 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12237 			return -EINVAL;
12238 	}
12239 
12240 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12241 		/* parse additional setup parameters if given */
12242 		err = nl80211_parse_mesh_setup(info, &setup);
12243 		if (err)
12244 			return err;
12245 	}
12246 
12247 	if (setup.user_mpm)
12248 		cfg.auto_open_plinks = false;
12249 
12250 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12251 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12252 		if (err)
12253 			return err;
12254 	} else {
12255 		/* __cfg80211_join_mesh() will sort it out */
12256 		setup.chandef.chan = NULL;
12257 	}
12258 
12259 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12260 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12261 		int n_rates =
12262 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12263 		struct ieee80211_supported_band *sband;
12264 
12265 		if (!setup.chandef.chan)
12266 			return -EINVAL;
12267 
12268 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12269 
12270 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12271 					     &setup.basic_rates);
12272 		if (err)
12273 			return err;
12274 	}
12275 
12276 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12277 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12278 						    NL80211_ATTR_TX_RATES,
12279 						    &setup.beacon_rate,
12280 						    dev, false);
12281 		if (err)
12282 			return err;
12283 
12284 		if (!setup.chandef.chan)
12285 			return -EINVAL;
12286 
12287 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12288 					      &setup.beacon_rate);
12289 		if (err)
12290 			return err;
12291 	}
12292 
12293 	setup.userspace_handles_dfs =
12294 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12295 
12296 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12297 		int r = validate_pae_over_nl80211(rdev, info);
12298 
12299 		if (r < 0)
12300 			return r;
12301 
12302 		setup.control_port_over_nl80211 = true;
12303 	}
12304 
12305 	wdev_lock(dev->ieee80211_ptr);
12306 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12307 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12308 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12309 	wdev_unlock(dev->ieee80211_ptr);
12310 
12311 	return err;
12312 }
12313 
12314 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12315 {
12316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12317 	struct net_device *dev = info->user_ptr[1];
12318 
12319 	return cfg80211_leave_mesh(rdev, dev);
12320 }
12321 
12322 #ifdef CONFIG_PM
12323 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12324 					struct cfg80211_registered_device *rdev)
12325 {
12326 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12327 	struct nlattr *nl_pats, *nl_pat;
12328 	int i, pat_len;
12329 
12330 	if (!wowlan->n_patterns)
12331 		return 0;
12332 
12333 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12334 	if (!nl_pats)
12335 		return -ENOBUFS;
12336 
12337 	for (i = 0; i < wowlan->n_patterns; i++) {
12338 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12339 		if (!nl_pat)
12340 			return -ENOBUFS;
12341 		pat_len = wowlan->patterns[i].pattern_len;
12342 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12343 			    wowlan->patterns[i].mask) ||
12344 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12345 			    wowlan->patterns[i].pattern) ||
12346 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12347 				wowlan->patterns[i].pkt_offset))
12348 			return -ENOBUFS;
12349 		nla_nest_end(msg, nl_pat);
12350 	}
12351 	nla_nest_end(msg, nl_pats);
12352 
12353 	return 0;
12354 }
12355 
12356 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12357 				   struct cfg80211_wowlan_tcp *tcp)
12358 {
12359 	struct nlattr *nl_tcp;
12360 
12361 	if (!tcp)
12362 		return 0;
12363 
12364 	nl_tcp = nla_nest_start_noflag(msg,
12365 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12366 	if (!nl_tcp)
12367 		return -ENOBUFS;
12368 
12369 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12370 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12371 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12372 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12373 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12374 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12375 		    tcp->payload_len, tcp->payload) ||
12376 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12377 			tcp->data_interval) ||
12378 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12379 		    tcp->wake_len, tcp->wake_data) ||
12380 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12381 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12382 		return -ENOBUFS;
12383 
12384 	if (tcp->payload_seq.len &&
12385 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12386 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12387 		return -ENOBUFS;
12388 
12389 	if (tcp->payload_tok.len &&
12390 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12391 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12392 		    &tcp->payload_tok))
12393 		return -ENOBUFS;
12394 
12395 	nla_nest_end(msg, nl_tcp);
12396 
12397 	return 0;
12398 }
12399 
12400 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12401 				  struct cfg80211_sched_scan_request *req)
12402 {
12403 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12404 	int i;
12405 
12406 	if (!req)
12407 		return 0;
12408 
12409 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12410 	if (!nd)
12411 		return -ENOBUFS;
12412 
12413 	if (req->n_scan_plans == 1 &&
12414 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12415 			req->scan_plans[0].interval * 1000))
12416 		return -ENOBUFS;
12417 
12418 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12419 		return -ENOBUFS;
12420 
12421 	if (req->relative_rssi_set) {
12422 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12423 
12424 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12425 			       req->relative_rssi))
12426 			return -ENOBUFS;
12427 
12428 		rssi_adjust.band = req->rssi_adjust.band;
12429 		rssi_adjust.delta = req->rssi_adjust.delta;
12430 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12431 			    sizeof(rssi_adjust), &rssi_adjust))
12432 			return -ENOBUFS;
12433 	}
12434 
12435 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12436 	if (!freqs)
12437 		return -ENOBUFS;
12438 
12439 	for (i = 0; i < req->n_channels; i++) {
12440 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12441 			return -ENOBUFS;
12442 	}
12443 
12444 	nla_nest_end(msg, freqs);
12445 
12446 	if (req->n_match_sets) {
12447 		matches = nla_nest_start_noflag(msg,
12448 						NL80211_ATTR_SCHED_SCAN_MATCH);
12449 		if (!matches)
12450 			return -ENOBUFS;
12451 
12452 		for (i = 0; i < req->n_match_sets; i++) {
12453 			match = nla_nest_start_noflag(msg, i);
12454 			if (!match)
12455 				return -ENOBUFS;
12456 
12457 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12458 				    req->match_sets[i].ssid.ssid_len,
12459 				    req->match_sets[i].ssid.ssid))
12460 				return -ENOBUFS;
12461 			nla_nest_end(msg, match);
12462 		}
12463 		nla_nest_end(msg, matches);
12464 	}
12465 
12466 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12467 	if (!scan_plans)
12468 		return -ENOBUFS;
12469 
12470 	for (i = 0; i < req->n_scan_plans; i++) {
12471 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12472 		if (!scan_plan)
12473 			return -ENOBUFS;
12474 
12475 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12476 				req->scan_plans[i].interval) ||
12477 		    (req->scan_plans[i].iterations &&
12478 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12479 				 req->scan_plans[i].iterations)))
12480 			return -ENOBUFS;
12481 		nla_nest_end(msg, scan_plan);
12482 	}
12483 	nla_nest_end(msg, scan_plans);
12484 
12485 	nla_nest_end(msg, nd);
12486 
12487 	return 0;
12488 }
12489 
12490 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12491 {
12492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12493 	struct sk_buff *msg;
12494 	void *hdr;
12495 	u32 size = NLMSG_DEFAULT_SIZE;
12496 
12497 	if (!rdev->wiphy.wowlan)
12498 		return -EOPNOTSUPP;
12499 
12500 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12501 		/* adjust size to have room for all the data */
12502 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12503 			rdev->wiphy.wowlan_config->tcp->payload_len +
12504 			rdev->wiphy.wowlan_config->tcp->wake_len +
12505 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12506 	}
12507 
12508 	msg = nlmsg_new(size, GFP_KERNEL);
12509 	if (!msg)
12510 		return -ENOMEM;
12511 
12512 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12513 			     NL80211_CMD_GET_WOWLAN);
12514 	if (!hdr)
12515 		goto nla_put_failure;
12516 
12517 	if (rdev->wiphy.wowlan_config) {
12518 		struct nlattr *nl_wowlan;
12519 
12520 		nl_wowlan = nla_nest_start_noflag(msg,
12521 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12522 		if (!nl_wowlan)
12523 			goto nla_put_failure;
12524 
12525 		if ((rdev->wiphy.wowlan_config->any &&
12526 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12527 		    (rdev->wiphy.wowlan_config->disconnect &&
12528 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12529 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12530 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12531 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12532 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12533 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12534 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12535 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12536 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12537 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12538 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12539 			goto nla_put_failure;
12540 
12541 		if (nl80211_send_wowlan_patterns(msg, rdev))
12542 			goto nla_put_failure;
12543 
12544 		if (nl80211_send_wowlan_tcp(msg,
12545 					    rdev->wiphy.wowlan_config->tcp))
12546 			goto nla_put_failure;
12547 
12548 		if (nl80211_send_wowlan_nd(
12549 			    msg,
12550 			    rdev->wiphy.wowlan_config->nd_config))
12551 			goto nla_put_failure;
12552 
12553 		nla_nest_end(msg, nl_wowlan);
12554 	}
12555 
12556 	genlmsg_end(msg, hdr);
12557 	return genlmsg_reply(msg, info);
12558 
12559 nla_put_failure:
12560 	nlmsg_free(msg);
12561 	return -ENOBUFS;
12562 }
12563 
12564 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12565 				    struct nlattr *attr,
12566 				    struct cfg80211_wowlan *trig)
12567 {
12568 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12569 	struct cfg80211_wowlan_tcp *cfg;
12570 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12571 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12572 	u32 size;
12573 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12574 	int err, port;
12575 
12576 	if (!rdev->wiphy.wowlan->tcp)
12577 		return -EINVAL;
12578 
12579 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12580 					  nl80211_wowlan_tcp_policy, NULL);
12581 	if (err)
12582 		return err;
12583 
12584 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12585 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12586 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12587 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12588 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12589 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12590 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12591 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12592 		return -EINVAL;
12593 
12594 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12595 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12596 		return -EINVAL;
12597 
12598 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12599 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12600 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12601 		return -EINVAL;
12602 
12603 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12604 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12605 		return -EINVAL;
12606 
12607 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12608 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12609 		return -EINVAL;
12610 
12611 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12612 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12613 
12614 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12615 		tokens_size = tokln - sizeof(*tok);
12616 
12617 		if (!tok->len || tokens_size % tok->len)
12618 			return -EINVAL;
12619 		if (!rdev->wiphy.wowlan->tcp->tok)
12620 			return -EINVAL;
12621 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12622 			return -EINVAL;
12623 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12624 			return -EINVAL;
12625 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12626 			return -EINVAL;
12627 		if (tok->offset + tok->len > data_size)
12628 			return -EINVAL;
12629 	}
12630 
12631 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12632 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12633 		if (!rdev->wiphy.wowlan->tcp->seq)
12634 			return -EINVAL;
12635 		if (seq->len == 0 || seq->len > 4)
12636 			return -EINVAL;
12637 		if (seq->len + seq->offset > data_size)
12638 			return -EINVAL;
12639 	}
12640 
12641 	size = sizeof(*cfg);
12642 	size += data_size;
12643 	size += wake_size + wake_mask_size;
12644 	size += tokens_size;
12645 
12646 	cfg = kzalloc(size, GFP_KERNEL);
12647 	if (!cfg)
12648 		return -ENOMEM;
12649 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12650 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12651 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12652 	       ETH_ALEN);
12653 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12654 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12655 	else
12656 		port = 0;
12657 #ifdef CONFIG_INET
12658 	/* allocate a socket and port for it and use it */
12659 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12660 			    IPPROTO_TCP, &cfg->sock, 1);
12661 	if (err) {
12662 		kfree(cfg);
12663 		return err;
12664 	}
12665 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12666 		sock_release(cfg->sock);
12667 		kfree(cfg);
12668 		return -EADDRINUSE;
12669 	}
12670 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12671 #else
12672 	if (!port) {
12673 		kfree(cfg);
12674 		return -EINVAL;
12675 	}
12676 	cfg->src_port = port;
12677 #endif
12678 
12679 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12680 	cfg->payload_len = data_size;
12681 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12682 	memcpy((void *)cfg->payload,
12683 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12684 	       data_size);
12685 	if (seq)
12686 		cfg->payload_seq = *seq;
12687 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12688 	cfg->wake_len = wake_size;
12689 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12690 	memcpy((void *)cfg->wake_data,
12691 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12692 	       wake_size);
12693 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12694 			 data_size + wake_size;
12695 	memcpy((void *)cfg->wake_mask,
12696 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12697 	       wake_mask_size);
12698 	if (tok) {
12699 		cfg->tokens_size = tokens_size;
12700 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12701 	}
12702 
12703 	trig->tcp = cfg;
12704 
12705 	return 0;
12706 }
12707 
12708 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12709 				   const struct wiphy_wowlan_support *wowlan,
12710 				   struct nlattr *attr,
12711 				   struct cfg80211_wowlan *trig)
12712 {
12713 	struct nlattr **tb;
12714 	int err;
12715 
12716 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12717 	if (!tb)
12718 		return -ENOMEM;
12719 
12720 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12721 		err = -EOPNOTSUPP;
12722 		goto out;
12723 	}
12724 
12725 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12726 					  nl80211_policy, NULL);
12727 	if (err)
12728 		goto out;
12729 
12730 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12731 						   wowlan->max_nd_match_sets);
12732 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12733 	if (err)
12734 		trig->nd_config = NULL;
12735 
12736 out:
12737 	kfree(tb);
12738 	return err;
12739 }
12740 
12741 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12742 {
12743 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12744 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12745 	struct cfg80211_wowlan new_triggers = {};
12746 	struct cfg80211_wowlan *ntrig;
12747 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12748 	int err, i;
12749 	bool prev_enabled = rdev->wiphy.wowlan_config;
12750 	bool regular = false;
12751 
12752 	if (!wowlan)
12753 		return -EOPNOTSUPP;
12754 
12755 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12756 		cfg80211_rdev_free_wowlan(rdev);
12757 		rdev->wiphy.wowlan_config = NULL;
12758 		goto set_wakeup;
12759 	}
12760 
12761 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12762 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12763 					  nl80211_wowlan_policy, info->extack);
12764 	if (err)
12765 		return err;
12766 
12767 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12768 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12769 			return -EINVAL;
12770 		new_triggers.any = true;
12771 	}
12772 
12773 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12774 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12775 			return -EINVAL;
12776 		new_triggers.disconnect = true;
12777 		regular = true;
12778 	}
12779 
12780 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12781 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12782 			return -EINVAL;
12783 		new_triggers.magic_pkt = true;
12784 		regular = true;
12785 	}
12786 
12787 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12788 		return -EINVAL;
12789 
12790 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12791 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12792 			return -EINVAL;
12793 		new_triggers.gtk_rekey_failure = true;
12794 		regular = true;
12795 	}
12796 
12797 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12798 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12799 			return -EINVAL;
12800 		new_triggers.eap_identity_req = true;
12801 		regular = true;
12802 	}
12803 
12804 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12805 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12806 			return -EINVAL;
12807 		new_triggers.four_way_handshake = true;
12808 		regular = true;
12809 	}
12810 
12811 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12812 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12813 			return -EINVAL;
12814 		new_triggers.rfkill_release = true;
12815 		regular = true;
12816 	}
12817 
12818 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12819 		struct nlattr *pat;
12820 		int n_patterns = 0;
12821 		int rem, pat_len, mask_len, pkt_offset;
12822 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12823 
12824 		regular = true;
12825 
12826 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12827 				    rem)
12828 			n_patterns++;
12829 		if (n_patterns > wowlan->n_patterns)
12830 			return -EINVAL;
12831 
12832 		new_triggers.patterns = kcalloc(n_patterns,
12833 						sizeof(new_triggers.patterns[0]),
12834 						GFP_KERNEL);
12835 		if (!new_triggers.patterns)
12836 			return -ENOMEM;
12837 
12838 		new_triggers.n_patterns = n_patterns;
12839 		i = 0;
12840 
12841 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12842 				    rem) {
12843 			u8 *mask_pat;
12844 
12845 			err = nla_parse_nested_deprecated(pat_tb,
12846 							  MAX_NL80211_PKTPAT,
12847 							  pat,
12848 							  nl80211_packet_pattern_policy,
12849 							  info->extack);
12850 			if (err)
12851 				goto error;
12852 
12853 			err = -EINVAL;
12854 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12855 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12856 				goto error;
12857 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12858 			mask_len = DIV_ROUND_UP(pat_len, 8);
12859 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12860 				goto error;
12861 			if (pat_len > wowlan->pattern_max_len ||
12862 			    pat_len < wowlan->pattern_min_len)
12863 				goto error;
12864 
12865 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12866 				pkt_offset = 0;
12867 			else
12868 				pkt_offset = nla_get_u32(
12869 					pat_tb[NL80211_PKTPAT_OFFSET]);
12870 			if (pkt_offset > wowlan->max_pkt_offset)
12871 				goto error;
12872 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12873 
12874 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12875 			if (!mask_pat) {
12876 				err = -ENOMEM;
12877 				goto error;
12878 			}
12879 			new_triggers.patterns[i].mask = mask_pat;
12880 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12881 			       mask_len);
12882 			mask_pat += mask_len;
12883 			new_triggers.patterns[i].pattern = mask_pat;
12884 			new_triggers.patterns[i].pattern_len = pat_len;
12885 			memcpy(mask_pat,
12886 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12887 			       pat_len);
12888 			i++;
12889 		}
12890 	}
12891 
12892 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12893 		regular = true;
12894 		err = nl80211_parse_wowlan_tcp(
12895 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12896 			&new_triggers);
12897 		if (err)
12898 			goto error;
12899 	}
12900 
12901 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12902 		regular = true;
12903 		err = nl80211_parse_wowlan_nd(
12904 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12905 			&new_triggers);
12906 		if (err)
12907 			goto error;
12908 	}
12909 
12910 	/* The 'any' trigger means the device continues operating more or less
12911 	 * as in its normal operation mode and wakes up the host on most of the
12912 	 * normal interrupts (like packet RX, ...)
12913 	 * It therefore makes little sense to combine with the more constrained
12914 	 * wakeup trigger modes.
12915 	 */
12916 	if (new_triggers.any && regular) {
12917 		err = -EINVAL;
12918 		goto error;
12919 	}
12920 
12921 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12922 	if (!ntrig) {
12923 		err = -ENOMEM;
12924 		goto error;
12925 	}
12926 	cfg80211_rdev_free_wowlan(rdev);
12927 	rdev->wiphy.wowlan_config = ntrig;
12928 
12929  set_wakeup:
12930 	if (rdev->ops->set_wakeup &&
12931 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12932 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12933 
12934 	return 0;
12935  error:
12936 	for (i = 0; i < new_triggers.n_patterns; i++)
12937 		kfree(new_triggers.patterns[i].mask);
12938 	kfree(new_triggers.patterns);
12939 	if (new_triggers.tcp && new_triggers.tcp->sock)
12940 		sock_release(new_triggers.tcp->sock);
12941 	kfree(new_triggers.tcp);
12942 	kfree(new_triggers.nd_config);
12943 	return err;
12944 }
12945 #endif
12946 
12947 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12948 				       struct cfg80211_registered_device *rdev)
12949 {
12950 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12951 	int i, j, pat_len;
12952 	struct cfg80211_coalesce_rules *rule;
12953 
12954 	if (!rdev->coalesce->n_rules)
12955 		return 0;
12956 
12957 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12958 	if (!nl_rules)
12959 		return -ENOBUFS;
12960 
12961 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12962 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12963 		if (!nl_rule)
12964 			return -ENOBUFS;
12965 
12966 		rule = &rdev->coalesce->rules[i];
12967 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12968 				rule->delay))
12969 			return -ENOBUFS;
12970 
12971 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12972 				rule->condition))
12973 			return -ENOBUFS;
12974 
12975 		nl_pats = nla_nest_start_noflag(msg,
12976 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12977 		if (!nl_pats)
12978 			return -ENOBUFS;
12979 
12980 		for (j = 0; j < rule->n_patterns; j++) {
12981 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12982 			if (!nl_pat)
12983 				return -ENOBUFS;
12984 			pat_len = rule->patterns[j].pattern_len;
12985 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12986 				    DIV_ROUND_UP(pat_len, 8),
12987 				    rule->patterns[j].mask) ||
12988 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12989 				    rule->patterns[j].pattern) ||
12990 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12991 					rule->patterns[j].pkt_offset))
12992 				return -ENOBUFS;
12993 			nla_nest_end(msg, nl_pat);
12994 		}
12995 		nla_nest_end(msg, nl_pats);
12996 		nla_nest_end(msg, nl_rule);
12997 	}
12998 	nla_nest_end(msg, nl_rules);
12999 
13000 	return 0;
13001 }
13002 
13003 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13004 {
13005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13006 	struct sk_buff *msg;
13007 	void *hdr;
13008 
13009 	if (!rdev->wiphy.coalesce)
13010 		return -EOPNOTSUPP;
13011 
13012 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13013 	if (!msg)
13014 		return -ENOMEM;
13015 
13016 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13017 			     NL80211_CMD_GET_COALESCE);
13018 	if (!hdr)
13019 		goto nla_put_failure;
13020 
13021 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13022 		goto nla_put_failure;
13023 
13024 	genlmsg_end(msg, hdr);
13025 	return genlmsg_reply(msg, info);
13026 
13027 nla_put_failure:
13028 	nlmsg_free(msg);
13029 	return -ENOBUFS;
13030 }
13031 
13032 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13033 {
13034 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13035 	int i, j;
13036 	struct cfg80211_coalesce_rules *rule;
13037 
13038 	if (!coalesce)
13039 		return;
13040 
13041 	for (i = 0; i < coalesce->n_rules; i++) {
13042 		rule = &coalesce->rules[i];
13043 		for (j = 0; j < rule->n_patterns; j++)
13044 			kfree(rule->patterns[j].mask);
13045 		kfree(rule->patterns);
13046 	}
13047 	kfree(coalesce->rules);
13048 	kfree(coalesce);
13049 	rdev->coalesce = NULL;
13050 }
13051 
13052 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13053 				       struct nlattr *rule,
13054 				       struct cfg80211_coalesce_rules *new_rule)
13055 {
13056 	int err, i;
13057 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13058 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13059 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13060 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13061 
13062 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13063 					  rule, nl80211_coalesce_policy, NULL);
13064 	if (err)
13065 		return err;
13066 
13067 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13068 		new_rule->delay =
13069 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13070 	if (new_rule->delay > coalesce->max_delay)
13071 		return -EINVAL;
13072 
13073 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13074 		new_rule->condition =
13075 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13076 
13077 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13078 		return -EINVAL;
13079 
13080 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13081 			    rem)
13082 		n_patterns++;
13083 	if (n_patterns > coalesce->n_patterns)
13084 		return -EINVAL;
13085 
13086 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13087 				     GFP_KERNEL);
13088 	if (!new_rule->patterns)
13089 		return -ENOMEM;
13090 
13091 	new_rule->n_patterns = n_patterns;
13092 	i = 0;
13093 
13094 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13095 			    rem) {
13096 		u8 *mask_pat;
13097 
13098 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13099 						  pat,
13100 						  nl80211_packet_pattern_policy,
13101 						  NULL);
13102 		if (err)
13103 			return err;
13104 
13105 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13106 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13107 			return -EINVAL;
13108 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13109 		mask_len = DIV_ROUND_UP(pat_len, 8);
13110 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13111 			return -EINVAL;
13112 		if (pat_len > coalesce->pattern_max_len ||
13113 		    pat_len < coalesce->pattern_min_len)
13114 			return -EINVAL;
13115 
13116 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13117 			pkt_offset = 0;
13118 		else
13119 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13120 		if (pkt_offset > coalesce->max_pkt_offset)
13121 			return -EINVAL;
13122 		new_rule->patterns[i].pkt_offset = pkt_offset;
13123 
13124 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13125 		if (!mask_pat)
13126 			return -ENOMEM;
13127 
13128 		new_rule->patterns[i].mask = mask_pat;
13129 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13130 		       mask_len);
13131 
13132 		mask_pat += mask_len;
13133 		new_rule->patterns[i].pattern = mask_pat;
13134 		new_rule->patterns[i].pattern_len = pat_len;
13135 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13136 		       pat_len);
13137 		i++;
13138 	}
13139 
13140 	return 0;
13141 }
13142 
13143 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13144 {
13145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13146 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13147 	struct cfg80211_coalesce new_coalesce = {};
13148 	struct cfg80211_coalesce *n_coalesce;
13149 	int err, rem_rule, n_rules = 0, i, j;
13150 	struct nlattr *rule;
13151 	struct cfg80211_coalesce_rules *tmp_rule;
13152 
13153 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13154 		return -EOPNOTSUPP;
13155 
13156 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13157 		cfg80211_rdev_free_coalesce(rdev);
13158 		rdev_set_coalesce(rdev, NULL);
13159 		return 0;
13160 	}
13161 
13162 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13163 			    rem_rule)
13164 		n_rules++;
13165 	if (n_rules > coalesce->n_rules)
13166 		return -EINVAL;
13167 
13168 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13169 				     GFP_KERNEL);
13170 	if (!new_coalesce.rules)
13171 		return -ENOMEM;
13172 
13173 	new_coalesce.n_rules = n_rules;
13174 	i = 0;
13175 
13176 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13177 			    rem_rule) {
13178 		err = nl80211_parse_coalesce_rule(rdev, rule,
13179 						  &new_coalesce.rules[i]);
13180 		if (err)
13181 			goto error;
13182 
13183 		i++;
13184 	}
13185 
13186 	err = rdev_set_coalesce(rdev, &new_coalesce);
13187 	if (err)
13188 		goto error;
13189 
13190 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13191 	if (!n_coalesce) {
13192 		err = -ENOMEM;
13193 		goto error;
13194 	}
13195 	cfg80211_rdev_free_coalesce(rdev);
13196 	rdev->coalesce = n_coalesce;
13197 
13198 	return 0;
13199 error:
13200 	for (i = 0; i < new_coalesce.n_rules; i++) {
13201 		tmp_rule = &new_coalesce.rules[i];
13202 		for (j = 0; j < tmp_rule->n_patterns; j++)
13203 			kfree(tmp_rule->patterns[j].mask);
13204 		kfree(tmp_rule->patterns);
13205 	}
13206 	kfree(new_coalesce.rules);
13207 
13208 	return err;
13209 }
13210 
13211 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13212 {
13213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13214 	struct net_device *dev = info->user_ptr[1];
13215 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13216 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13217 	struct cfg80211_gtk_rekey_data rekey_data = {};
13218 	int err;
13219 
13220 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13221 		return -EINVAL;
13222 
13223 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13224 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13225 					  nl80211_rekey_policy, info->extack);
13226 	if (err)
13227 		return err;
13228 
13229 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13230 	    !tb[NL80211_REKEY_DATA_KCK])
13231 		return -EINVAL;
13232 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13233 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13234 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13235 		return -ERANGE;
13236 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13237 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13238 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13239 		return -ERANGE;
13240 
13241 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13242 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13243 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13244 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13245 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13246 	if (tb[NL80211_REKEY_DATA_AKM])
13247 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13248 
13249 	wdev_lock(wdev);
13250 	if (!wdev->current_bss) {
13251 		err = -ENOTCONN;
13252 		goto out;
13253 	}
13254 
13255 	if (!rdev->ops->set_rekey_data) {
13256 		err = -EOPNOTSUPP;
13257 		goto out;
13258 	}
13259 
13260 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13261  out:
13262 	wdev_unlock(wdev);
13263 	return err;
13264 }
13265 
13266 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13267 					     struct genl_info *info)
13268 {
13269 	struct net_device *dev = info->user_ptr[1];
13270 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13271 
13272 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13273 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13274 		return -EINVAL;
13275 
13276 	if (wdev->ap_unexpected_nlportid)
13277 		return -EBUSY;
13278 
13279 	wdev->ap_unexpected_nlportid = info->snd_portid;
13280 	return 0;
13281 }
13282 
13283 static int nl80211_probe_client(struct sk_buff *skb,
13284 				struct genl_info *info)
13285 {
13286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13287 	struct net_device *dev = info->user_ptr[1];
13288 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13289 	struct sk_buff *msg;
13290 	void *hdr;
13291 	const u8 *addr;
13292 	u64 cookie;
13293 	int err;
13294 
13295 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13296 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13297 		return -EOPNOTSUPP;
13298 
13299 	if (!info->attrs[NL80211_ATTR_MAC])
13300 		return -EINVAL;
13301 
13302 	if (!rdev->ops->probe_client)
13303 		return -EOPNOTSUPP;
13304 
13305 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13306 	if (!msg)
13307 		return -ENOMEM;
13308 
13309 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13310 			     NL80211_CMD_PROBE_CLIENT);
13311 	if (!hdr) {
13312 		err = -ENOBUFS;
13313 		goto free_msg;
13314 	}
13315 
13316 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13317 
13318 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13319 	if (err)
13320 		goto free_msg;
13321 
13322 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13323 			      NL80211_ATTR_PAD))
13324 		goto nla_put_failure;
13325 
13326 	genlmsg_end(msg, hdr);
13327 
13328 	return genlmsg_reply(msg, info);
13329 
13330  nla_put_failure:
13331 	err = -ENOBUFS;
13332  free_msg:
13333 	nlmsg_free(msg);
13334 	return err;
13335 }
13336 
13337 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13338 {
13339 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13340 	struct cfg80211_beacon_registration *reg, *nreg;
13341 	int rv;
13342 
13343 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13344 		return -EOPNOTSUPP;
13345 
13346 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13347 	if (!nreg)
13348 		return -ENOMEM;
13349 
13350 	/* First, check if already registered. */
13351 	spin_lock_bh(&rdev->beacon_registrations_lock);
13352 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13353 		if (reg->nlportid == info->snd_portid) {
13354 			rv = -EALREADY;
13355 			goto out_err;
13356 		}
13357 	}
13358 	/* Add it to the list */
13359 	nreg->nlportid = info->snd_portid;
13360 	list_add(&nreg->list, &rdev->beacon_registrations);
13361 
13362 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13363 
13364 	return 0;
13365 out_err:
13366 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13367 	kfree(nreg);
13368 	return rv;
13369 }
13370 
13371 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13372 {
13373 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13374 	struct wireless_dev *wdev = info->user_ptr[1];
13375 	int err;
13376 
13377 	if (!rdev->ops->start_p2p_device)
13378 		return -EOPNOTSUPP;
13379 
13380 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13381 		return -EOPNOTSUPP;
13382 
13383 	if (wdev_running(wdev))
13384 		return 0;
13385 
13386 	if (rfkill_blocked(rdev->wiphy.rfkill))
13387 		return -ERFKILL;
13388 
13389 	err = rdev_start_p2p_device(rdev, wdev);
13390 	if (err)
13391 		return err;
13392 
13393 	wdev->is_running = true;
13394 	rdev->opencount++;
13395 
13396 	return 0;
13397 }
13398 
13399 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13400 {
13401 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13402 	struct wireless_dev *wdev = info->user_ptr[1];
13403 
13404 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13405 		return -EOPNOTSUPP;
13406 
13407 	if (!rdev->ops->stop_p2p_device)
13408 		return -EOPNOTSUPP;
13409 
13410 	cfg80211_stop_p2p_device(rdev, wdev);
13411 
13412 	return 0;
13413 }
13414 
13415 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13416 {
13417 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13418 	struct wireless_dev *wdev = info->user_ptr[1];
13419 	struct cfg80211_nan_conf conf = {};
13420 	int err;
13421 
13422 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13423 		return -EOPNOTSUPP;
13424 
13425 	if (wdev_running(wdev))
13426 		return -EEXIST;
13427 
13428 	if (rfkill_blocked(rdev->wiphy.rfkill))
13429 		return -ERFKILL;
13430 
13431 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13432 		return -EINVAL;
13433 
13434 	conf.master_pref =
13435 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13436 
13437 	if (info->attrs[NL80211_ATTR_BANDS]) {
13438 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13439 
13440 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13441 			return -EOPNOTSUPP;
13442 
13443 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13444 			return -EINVAL;
13445 
13446 		conf.bands = bands;
13447 	}
13448 
13449 	err = rdev_start_nan(rdev, wdev, &conf);
13450 	if (err)
13451 		return err;
13452 
13453 	wdev->is_running = true;
13454 	rdev->opencount++;
13455 
13456 	return 0;
13457 }
13458 
13459 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13460 {
13461 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13462 	struct wireless_dev *wdev = info->user_ptr[1];
13463 
13464 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13465 		return -EOPNOTSUPP;
13466 
13467 	cfg80211_stop_nan(rdev, wdev);
13468 
13469 	return 0;
13470 }
13471 
13472 static int validate_nan_filter(struct nlattr *filter_attr)
13473 {
13474 	struct nlattr *attr;
13475 	int len = 0, n_entries = 0, rem;
13476 
13477 	nla_for_each_nested(attr, filter_attr, rem) {
13478 		len += nla_len(attr);
13479 		n_entries++;
13480 	}
13481 
13482 	if (len >= U8_MAX)
13483 		return -EINVAL;
13484 
13485 	return n_entries;
13486 }
13487 
13488 static int handle_nan_filter(struct nlattr *attr_filter,
13489 			     struct cfg80211_nan_func *func,
13490 			     bool tx)
13491 {
13492 	struct nlattr *attr;
13493 	int n_entries, rem, i;
13494 	struct cfg80211_nan_func_filter *filter;
13495 
13496 	n_entries = validate_nan_filter(attr_filter);
13497 	if (n_entries < 0)
13498 		return n_entries;
13499 
13500 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13501 
13502 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13503 	if (!filter)
13504 		return -ENOMEM;
13505 
13506 	i = 0;
13507 	nla_for_each_nested(attr, attr_filter, rem) {
13508 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13509 		if (!filter[i].filter)
13510 			goto err;
13511 
13512 		filter[i].len = nla_len(attr);
13513 		i++;
13514 	}
13515 	if (tx) {
13516 		func->num_tx_filters = n_entries;
13517 		func->tx_filters = filter;
13518 	} else {
13519 		func->num_rx_filters = n_entries;
13520 		func->rx_filters = filter;
13521 	}
13522 
13523 	return 0;
13524 
13525 err:
13526 	i = 0;
13527 	nla_for_each_nested(attr, attr_filter, rem) {
13528 		kfree(filter[i].filter);
13529 		i++;
13530 	}
13531 	kfree(filter);
13532 	return -ENOMEM;
13533 }
13534 
13535 static int nl80211_nan_add_func(struct sk_buff *skb,
13536 				struct genl_info *info)
13537 {
13538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13539 	struct wireless_dev *wdev = info->user_ptr[1];
13540 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13541 	struct cfg80211_nan_func *func;
13542 	struct sk_buff *msg = NULL;
13543 	void *hdr = NULL;
13544 	int err = 0;
13545 
13546 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13547 		return -EOPNOTSUPP;
13548 
13549 	if (!wdev_running(wdev))
13550 		return -ENOTCONN;
13551 
13552 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13553 		return -EINVAL;
13554 
13555 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13556 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13557 					  nl80211_nan_func_policy,
13558 					  info->extack);
13559 	if (err)
13560 		return err;
13561 
13562 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13563 	if (!func)
13564 		return -ENOMEM;
13565 
13566 	func->cookie = cfg80211_assign_cookie(rdev);
13567 
13568 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13569 		err = -EINVAL;
13570 		goto out;
13571 	}
13572 
13573 
13574 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13575 
13576 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13577 		err = -EINVAL;
13578 		goto out;
13579 	}
13580 
13581 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13582 	       sizeof(func->service_id));
13583 
13584 	func->close_range =
13585 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13586 
13587 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13588 		func->serv_spec_info_len =
13589 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13590 		func->serv_spec_info =
13591 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13592 				func->serv_spec_info_len,
13593 				GFP_KERNEL);
13594 		if (!func->serv_spec_info) {
13595 			err = -ENOMEM;
13596 			goto out;
13597 		}
13598 	}
13599 
13600 	if (tb[NL80211_NAN_FUNC_TTL])
13601 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13602 
13603 	switch (func->type) {
13604 	case NL80211_NAN_FUNC_PUBLISH:
13605 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13606 			err = -EINVAL;
13607 			goto out;
13608 		}
13609 
13610 		func->publish_type =
13611 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13612 		func->publish_bcast =
13613 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13614 
13615 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13616 			func->publish_bcast) {
13617 			err = -EINVAL;
13618 			goto out;
13619 		}
13620 		break;
13621 	case NL80211_NAN_FUNC_SUBSCRIBE:
13622 		func->subscribe_active =
13623 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13624 		break;
13625 	case NL80211_NAN_FUNC_FOLLOW_UP:
13626 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13627 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13628 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13629 			err = -EINVAL;
13630 			goto out;
13631 		}
13632 
13633 		func->followup_id =
13634 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13635 		func->followup_reqid =
13636 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13637 		memcpy(func->followup_dest.addr,
13638 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13639 		       sizeof(func->followup_dest.addr));
13640 		if (func->ttl) {
13641 			err = -EINVAL;
13642 			goto out;
13643 		}
13644 		break;
13645 	default:
13646 		err = -EINVAL;
13647 		goto out;
13648 	}
13649 
13650 	if (tb[NL80211_NAN_FUNC_SRF]) {
13651 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13652 
13653 		err = nla_parse_nested_deprecated(srf_tb,
13654 						  NL80211_NAN_SRF_ATTR_MAX,
13655 						  tb[NL80211_NAN_FUNC_SRF],
13656 						  nl80211_nan_srf_policy,
13657 						  info->extack);
13658 		if (err)
13659 			goto out;
13660 
13661 		func->srf_include =
13662 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13663 
13664 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13665 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13666 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13667 				err = -EINVAL;
13668 				goto out;
13669 			}
13670 
13671 			func->srf_bf_len =
13672 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13673 			func->srf_bf =
13674 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13675 					func->srf_bf_len, GFP_KERNEL);
13676 			if (!func->srf_bf) {
13677 				err = -ENOMEM;
13678 				goto out;
13679 			}
13680 
13681 			func->srf_bf_idx =
13682 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13683 		} else {
13684 			struct nlattr *attr, *mac_attr =
13685 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13686 			int n_entries, rem, i = 0;
13687 
13688 			if (!mac_attr) {
13689 				err = -EINVAL;
13690 				goto out;
13691 			}
13692 
13693 			n_entries = validate_acl_mac_addrs(mac_attr);
13694 			if (n_entries <= 0) {
13695 				err = -EINVAL;
13696 				goto out;
13697 			}
13698 
13699 			func->srf_num_macs = n_entries;
13700 			func->srf_macs =
13701 				kcalloc(n_entries, sizeof(*func->srf_macs),
13702 					GFP_KERNEL);
13703 			if (!func->srf_macs) {
13704 				err = -ENOMEM;
13705 				goto out;
13706 			}
13707 
13708 			nla_for_each_nested(attr, mac_attr, rem)
13709 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13710 				       sizeof(*func->srf_macs));
13711 		}
13712 	}
13713 
13714 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13715 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13716 					func, true);
13717 		if (err)
13718 			goto out;
13719 	}
13720 
13721 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13722 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13723 					func, false);
13724 		if (err)
13725 			goto out;
13726 	}
13727 
13728 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13729 	if (!msg) {
13730 		err = -ENOMEM;
13731 		goto out;
13732 	}
13733 
13734 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13735 			     NL80211_CMD_ADD_NAN_FUNCTION);
13736 	/* This can't really happen - we just allocated 4KB */
13737 	if (WARN_ON(!hdr)) {
13738 		err = -ENOMEM;
13739 		goto out;
13740 	}
13741 
13742 	err = rdev_add_nan_func(rdev, wdev, func);
13743 out:
13744 	if (err < 0) {
13745 		cfg80211_free_nan_func(func);
13746 		nlmsg_free(msg);
13747 		return err;
13748 	}
13749 
13750 	/* propagate the instance id and cookie to userspace  */
13751 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13752 			      NL80211_ATTR_PAD))
13753 		goto nla_put_failure;
13754 
13755 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13756 	if (!func_attr)
13757 		goto nla_put_failure;
13758 
13759 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13760 		       func->instance_id))
13761 		goto nla_put_failure;
13762 
13763 	nla_nest_end(msg, func_attr);
13764 
13765 	genlmsg_end(msg, hdr);
13766 	return genlmsg_reply(msg, info);
13767 
13768 nla_put_failure:
13769 	nlmsg_free(msg);
13770 	return -ENOBUFS;
13771 }
13772 
13773 static int nl80211_nan_del_func(struct sk_buff *skb,
13774 			       struct genl_info *info)
13775 {
13776 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13777 	struct wireless_dev *wdev = info->user_ptr[1];
13778 	u64 cookie;
13779 
13780 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13781 		return -EOPNOTSUPP;
13782 
13783 	if (!wdev_running(wdev))
13784 		return -ENOTCONN;
13785 
13786 	if (!info->attrs[NL80211_ATTR_COOKIE])
13787 		return -EINVAL;
13788 
13789 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13790 
13791 	rdev_del_nan_func(rdev, wdev, cookie);
13792 
13793 	return 0;
13794 }
13795 
13796 static int nl80211_nan_change_config(struct sk_buff *skb,
13797 				     struct genl_info *info)
13798 {
13799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13800 	struct wireless_dev *wdev = info->user_ptr[1];
13801 	struct cfg80211_nan_conf conf = {};
13802 	u32 changed = 0;
13803 
13804 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13805 		return -EOPNOTSUPP;
13806 
13807 	if (!wdev_running(wdev))
13808 		return -ENOTCONN;
13809 
13810 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13811 		conf.master_pref =
13812 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13813 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13814 			return -EINVAL;
13815 
13816 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13817 	}
13818 
13819 	if (info->attrs[NL80211_ATTR_BANDS]) {
13820 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13821 
13822 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13823 			return -EOPNOTSUPP;
13824 
13825 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13826 			return -EINVAL;
13827 
13828 		conf.bands = bands;
13829 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13830 	}
13831 
13832 	if (!changed)
13833 		return -EINVAL;
13834 
13835 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13836 }
13837 
13838 void cfg80211_nan_match(struct wireless_dev *wdev,
13839 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13840 {
13841 	struct wiphy *wiphy = wdev->wiphy;
13842 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13843 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13844 	struct sk_buff *msg;
13845 	void *hdr;
13846 
13847 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13848 		return;
13849 
13850 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13851 	if (!msg)
13852 		return;
13853 
13854 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13855 	if (!hdr) {
13856 		nlmsg_free(msg);
13857 		return;
13858 	}
13859 
13860 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13861 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13862 					 wdev->netdev->ifindex)) ||
13863 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13864 			      NL80211_ATTR_PAD))
13865 		goto nla_put_failure;
13866 
13867 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13868 			      NL80211_ATTR_PAD) ||
13869 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13870 		goto nla_put_failure;
13871 
13872 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13873 	if (!match_attr)
13874 		goto nla_put_failure;
13875 
13876 	local_func_attr = nla_nest_start_noflag(msg,
13877 						NL80211_NAN_MATCH_FUNC_LOCAL);
13878 	if (!local_func_attr)
13879 		goto nla_put_failure;
13880 
13881 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13882 		goto nla_put_failure;
13883 
13884 	nla_nest_end(msg, local_func_attr);
13885 
13886 	peer_func_attr = nla_nest_start_noflag(msg,
13887 					       NL80211_NAN_MATCH_FUNC_PEER);
13888 	if (!peer_func_attr)
13889 		goto nla_put_failure;
13890 
13891 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13892 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13893 		goto nla_put_failure;
13894 
13895 	if (match->info && match->info_len &&
13896 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13897 		    match->info))
13898 		goto nla_put_failure;
13899 
13900 	nla_nest_end(msg, peer_func_attr);
13901 	nla_nest_end(msg, match_attr);
13902 	genlmsg_end(msg, hdr);
13903 
13904 	if (!wdev->owner_nlportid)
13905 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13906 					msg, 0, NL80211_MCGRP_NAN, gfp);
13907 	else
13908 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13909 				wdev->owner_nlportid);
13910 
13911 	return;
13912 
13913 nla_put_failure:
13914 	nlmsg_free(msg);
13915 }
13916 EXPORT_SYMBOL(cfg80211_nan_match);
13917 
13918 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13919 				  u8 inst_id,
13920 				  enum nl80211_nan_func_term_reason reason,
13921 				  u64 cookie, gfp_t gfp)
13922 {
13923 	struct wiphy *wiphy = wdev->wiphy;
13924 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13925 	struct sk_buff *msg;
13926 	struct nlattr *func_attr;
13927 	void *hdr;
13928 
13929 	if (WARN_ON(!inst_id))
13930 		return;
13931 
13932 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13933 	if (!msg)
13934 		return;
13935 
13936 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13937 	if (!hdr) {
13938 		nlmsg_free(msg);
13939 		return;
13940 	}
13941 
13942 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13943 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13944 					 wdev->netdev->ifindex)) ||
13945 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13946 			      NL80211_ATTR_PAD))
13947 		goto nla_put_failure;
13948 
13949 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13950 			      NL80211_ATTR_PAD))
13951 		goto nla_put_failure;
13952 
13953 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13954 	if (!func_attr)
13955 		goto nla_put_failure;
13956 
13957 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13958 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13959 		goto nla_put_failure;
13960 
13961 	nla_nest_end(msg, func_attr);
13962 	genlmsg_end(msg, hdr);
13963 
13964 	if (!wdev->owner_nlportid)
13965 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13966 					msg, 0, NL80211_MCGRP_NAN, gfp);
13967 	else
13968 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13969 				wdev->owner_nlportid);
13970 
13971 	return;
13972 
13973 nla_put_failure:
13974 	nlmsg_free(msg);
13975 }
13976 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13977 
13978 static int nl80211_get_protocol_features(struct sk_buff *skb,
13979 					 struct genl_info *info)
13980 {
13981 	void *hdr;
13982 	struct sk_buff *msg;
13983 
13984 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13985 	if (!msg)
13986 		return -ENOMEM;
13987 
13988 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13989 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13990 	if (!hdr)
13991 		goto nla_put_failure;
13992 
13993 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13994 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13995 		goto nla_put_failure;
13996 
13997 	genlmsg_end(msg, hdr);
13998 	return genlmsg_reply(msg, info);
13999 
14000  nla_put_failure:
14001 	kfree_skb(msg);
14002 	return -ENOBUFS;
14003 }
14004 
14005 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14006 {
14007 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14008 	struct cfg80211_update_ft_ies_params ft_params;
14009 	struct net_device *dev = info->user_ptr[1];
14010 
14011 	if (!rdev->ops->update_ft_ies)
14012 		return -EOPNOTSUPP;
14013 
14014 	if (!info->attrs[NL80211_ATTR_MDID] ||
14015 	    !info->attrs[NL80211_ATTR_IE])
14016 		return -EINVAL;
14017 
14018 	memset(&ft_params, 0, sizeof(ft_params));
14019 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14020 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14021 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14022 
14023 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14024 }
14025 
14026 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14027 				       struct genl_info *info)
14028 {
14029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14030 	struct wireless_dev *wdev = info->user_ptr[1];
14031 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14032 	u16 duration;
14033 	int ret;
14034 
14035 	if (!rdev->ops->crit_proto_start)
14036 		return -EOPNOTSUPP;
14037 
14038 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14039 		return -EINVAL;
14040 
14041 	if (rdev->crit_proto_nlportid)
14042 		return -EBUSY;
14043 
14044 	/* determine protocol if provided */
14045 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14046 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14047 
14048 	if (proto >= NUM_NL80211_CRIT_PROTO)
14049 		return -EINVAL;
14050 
14051 	/* timeout must be provided */
14052 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14053 		return -EINVAL;
14054 
14055 	duration =
14056 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14057 
14058 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14059 	if (!ret)
14060 		rdev->crit_proto_nlportid = info->snd_portid;
14061 
14062 	return ret;
14063 }
14064 
14065 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14066 				      struct genl_info *info)
14067 {
14068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14069 	struct wireless_dev *wdev = info->user_ptr[1];
14070 
14071 	if (!rdev->ops->crit_proto_stop)
14072 		return -EOPNOTSUPP;
14073 
14074 	if (rdev->crit_proto_nlportid) {
14075 		rdev->crit_proto_nlportid = 0;
14076 		rdev_crit_proto_stop(rdev, wdev);
14077 	}
14078 	return 0;
14079 }
14080 
14081 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14082 				       struct nlattr *attr,
14083 				       struct netlink_ext_ack *extack)
14084 {
14085 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14086 		if (attr->nla_type & NLA_F_NESTED) {
14087 			NL_SET_ERR_MSG_ATTR(extack, attr,
14088 					    "unexpected nested data");
14089 			return -EINVAL;
14090 		}
14091 
14092 		return 0;
14093 	}
14094 
14095 	if (!(attr->nla_type & NLA_F_NESTED)) {
14096 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14097 		return -EINVAL;
14098 	}
14099 
14100 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14101 }
14102 
14103 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14104 {
14105 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14106 	struct wireless_dev *wdev =
14107 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14108 					   info->attrs);
14109 	int i, err;
14110 	u32 vid, subcmd;
14111 
14112 	if (!rdev->wiphy.vendor_commands)
14113 		return -EOPNOTSUPP;
14114 
14115 	if (IS_ERR(wdev)) {
14116 		err = PTR_ERR(wdev);
14117 		if (err != -EINVAL)
14118 			return err;
14119 		wdev = NULL;
14120 	} else if (wdev->wiphy != &rdev->wiphy) {
14121 		return -EINVAL;
14122 	}
14123 
14124 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14125 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14126 		return -EINVAL;
14127 
14128 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14129 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14130 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14131 		const struct wiphy_vendor_command *vcmd;
14132 		void *data = NULL;
14133 		int len = 0;
14134 
14135 		vcmd = &rdev->wiphy.vendor_commands[i];
14136 
14137 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14138 			continue;
14139 
14140 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14141 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14142 			if (!wdev)
14143 				return -EINVAL;
14144 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14145 			    !wdev->netdev)
14146 				return -EINVAL;
14147 
14148 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14149 				if (!wdev_running(wdev))
14150 					return -ENETDOWN;
14151 			}
14152 		} else {
14153 			wdev = NULL;
14154 		}
14155 
14156 		if (!vcmd->doit)
14157 			return -EOPNOTSUPP;
14158 
14159 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14160 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14161 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14162 
14163 			err = nl80211_vendor_check_policy(vcmd,
14164 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14165 					info->extack);
14166 			if (err)
14167 				return err;
14168 		}
14169 
14170 		rdev->cur_cmd_info = info;
14171 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14172 		rdev->cur_cmd_info = NULL;
14173 		return err;
14174 	}
14175 
14176 	return -EOPNOTSUPP;
14177 }
14178 
14179 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14180 				       struct netlink_callback *cb,
14181 				       struct cfg80211_registered_device **rdev,
14182 				       struct wireless_dev **wdev)
14183 {
14184 	struct nlattr **attrbuf;
14185 	u32 vid, subcmd;
14186 	unsigned int i;
14187 	int vcmd_idx = -1;
14188 	int err;
14189 	void *data = NULL;
14190 	unsigned int data_len = 0;
14191 
14192 	if (cb->args[0]) {
14193 		/* subtract the 1 again here */
14194 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14195 		struct wireless_dev *tmp;
14196 
14197 		if (!wiphy)
14198 			return -ENODEV;
14199 		*rdev = wiphy_to_rdev(wiphy);
14200 		*wdev = NULL;
14201 
14202 		if (cb->args[1]) {
14203 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14204 				if (tmp->identifier == cb->args[1] - 1) {
14205 					*wdev = tmp;
14206 					break;
14207 				}
14208 			}
14209 		}
14210 
14211 		/* keep rtnl locked in successful case */
14212 		return 0;
14213 	}
14214 
14215 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14216 	if (!attrbuf)
14217 		return -ENOMEM;
14218 
14219 	err = nlmsg_parse_deprecated(cb->nlh,
14220 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14221 				     attrbuf, nl80211_fam.maxattr,
14222 				     nl80211_policy, NULL);
14223 	if (err)
14224 		goto out;
14225 
14226 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14227 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14228 		err = -EINVAL;
14229 		goto out;
14230 	}
14231 
14232 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14233 	if (IS_ERR(*wdev))
14234 		*wdev = NULL;
14235 
14236 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14237 	if (IS_ERR(*rdev)) {
14238 		err = PTR_ERR(*rdev);
14239 		goto out;
14240 	}
14241 
14242 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14243 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14244 
14245 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14246 		const struct wiphy_vendor_command *vcmd;
14247 
14248 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14249 
14250 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14251 			continue;
14252 
14253 		if (!vcmd->dumpit) {
14254 			err = -EOPNOTSUPP;
14255 			goto out;
14256 		}
14257 
14258 		vcmd_idx = i;
14259 		break;
14260 	}
14261 
14262 	if (vcmd_idx < 0) {
14263 		err = -EOPNOTSUPP;
14264 		goto out;
14265 	}
14266 
14267 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14268 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14269 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14270 
14271 		err = nl80211_vendor_check_policy(
14272 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14273 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14274 				cb->extack);
14275 		if (err)
14276 			goto out;
14277 	}
14278 
14279 	/* 0 is the first index - add 1 to parse only once */
14280 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14281 	/* add 1 to know if it was NULL */
14282 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14283 	cb->args[2] = vcmd_idx;
14284 	cb->args[3] = (unsigned long)data;
14285 	cb->args[4] = data_len;
14286 
14287 	/* keep rtnl locked in successful case */
14288 	err = 0;
14289 out:
14290 	kfree(attrbuf);
14291 	return err;
14292 }
14293 
14294 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14295 				   struct netlink_callback *cb)
14296 {
14297 	struct cfg80211_registered_device *rdev;
14298 	struct wireless_dev *wdev;
14299 	unsigned int vcmd_idx;
14300 	const struct wiphy_vendor_command *vcmd;
14301 	void *data;
14302 	int data_len;
14303 	int err;
14304 	struct nlattr *vendor_data;
14305 
14306 	rtnl_lock();
14307 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14308 	if (err)
14309 		goto out;
14310 
14311 	vcmd_idx = cb->args[2];
14312 	data = (void *)cb->args[3];
14313 	data_len = cb->args[4];
14314 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14315 
14316 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14317 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14318 		if (!wdev) {
14319 			err = -EINVAL;
14320 			goto out;
14321 		}
14322 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14323 		    !wdev->netdev) {
14324 			err = -EINVAL;
14325 			goto out;
14326 		}
14327 
14328 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14329 			if (!wdev_running(wdev)) {
14330 				err = -ENETDOWN;
14331 				goto out;
14332 			}
14333 		}
14334 	}
14335 
14336 	while (1) {
14337 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14338 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14339 					   NL80211_CMD_VENDOR);
14340 		if (!hdr)
14341 			break;
14342 
14343 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14344 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14345 					       wdev_id(wdev),
14346 					       NL80211_ATTR_PAD))) {
14347 			genlmsg_cancel(skb, hdr);
14348 			break;
14349 		}
14350 
14351 		vendor_data = nla_nest_start_noflag(skb,
14352 						    NL80211_ATTR_VENDOR_DATA);
14353 		if (!vendor_data) {
14354 			genlmsg_cancel(skb, hdr);
14355 			break;
14356 		}
14357 
14358 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14359 				   (unsigned long *)&cb->args[5]);
14360 		nla_nest_end(skb, vendor_data);
14361 
14362 		if (err == -ENOBUFS || err == -ENOENT) {
14363 			genlmsg_cancel(skb, hdr);
14364 			break;
14365 		} else if (err <= 0) {
14366 			genlmsg_cancel(skb, hdr);
14367 			goto out;
14368 		}
14369 
14370 		genlmsg_end(skb, hdr);
14371 	}
14372 
14373 	err = skb->len;
14374  out:
14375 	rtnl_unlock();
14376 	return err;
14377 }
14378 
14379 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14380 					   enum nl80211_commands cmd,
14381 					   enum nl80211_attrs attr,
14382 					   int approxlen)
14383 {
14384 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14385 
14386 	if (WARN_ON(!rdev->cur_cmd_info))
14387 		return NULL;
14388 
14389 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14390 					   rdev->cur_cmd_info->snd_portid,
14391 					   rdev->cur_cmd_info->snd_seq,
14392 					   cmd, attr, NULL, GFP_KERNEL);
14393 }
14394 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14395 
14396 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14397 {
14398 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14399 	void *hdr = ((void **)skb->cb)[1];
14400 	struct nlattr *data = ((void **)skb->cb)[2];
14401 
14402 	/* clear CB data for netlink core to own from now on */
14403 	memset(skb->cb, 0, sizeof(skb->cb));
14404 
14405 	if (WARN_ON(!rdev->cur_cmd_info)) {
14406 		kfree_skb(skb);
14407 		return -EINVAL;
14408 	}
14409 
14410 	nla_nest_end(skb, data);
14411 	genlmsg_end(skb, hdr);
14412 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14413 }
14414 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14415 
14416 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14417 {
14418 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14419 
14420 	if (WARN_ON(!rdev->cur_cmd_info))
14421 		return 0;
14422 
14423 	return rdev->cur_cmd_info->snd_portid;
14424 }
14425 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14426 
14427 static int nl80211_set_qos_map(struct sk_buff *skb,
14428 			       struct genl_info *info)
14429 {
14430 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14431 	struct cfg80211_qos_map *qos_map = NULL;
14432 	struct net_device *dev = info->user_ptr[1];
14433 	u8 *pos, len, num_des, des_len, des;
14434 	int ret;
14435 
14436 	if (!rdev->ops->set_qos_map)
14437 		return -EOPNOTSUPP;
14438 
14439 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14440 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14441 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14442 
14443 		if (len % 2)
14444 			return -EINVAL;
14445 
14446 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14447 		if (!qos_map)
14448 			return -ENOMEM;
14449 
14450 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14451 		if (num_des) {
14452 			des_len = num_des *
14453 				sizeof(struct cfg80211_dscp_exception);
14454 			memcpy(qos_map->dscp_exception, pos, des_len);
14455 			qos_map->num_des = num_des;
14456 			for (des = 0; des < num_des; des++) {
14457 				if (qos_map->dscp_exception[des].up > 7) {
14458 					kfree(qos_map);
14459 					return -EINVAL;
14460 				}
14461 			}
14462 			pos += des_len;
14463 		}
14464 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14465 	}
14466 
14467 	wdev_lock(dev->ieee80211_ptr);
14468 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14469 	if (!ret)
14470 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14471 	wdev_unlock(dev->ieee80211_ptr);
14472 
14473 	kfree(qos_map);
14474 	return ret;
14475 }
14476 
14477 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14478 {
14479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14480 	struct net_device *dev = info->user_ptr[1];
14481 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14482 	const u8 *peer;
14483 	u8 tsid, up;
14484 	u16 admitted_time = 0;
14485 	int err;
14486 
14487 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14488 		return -EOPNOTSUPP;
14489 
14490 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14491 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14492 		return -EINVAL;
14493 
14494 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14495 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14496 
14497 	/* WMM uses TIDs 0-7 even for TSPEC */
14498 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14499 		/* TODO: handle 802.11 TSPEC/admission control
14500 		 * need more attributes for that (e.g. BA session requirement);
14501 		 * change the WMM adminssion test above to allow both then
14502 		 */
14503 		return -EINVAL;
14504 	}
14505 
14506 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14507 
14508 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14509 		admitted_time =
14510 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14511 		if (!admitted_time)
14512 			return -EINVAL;
14513 	}
14514 
14515 	wdev_lock(wdev);
14516 	switch (wdev->iftype) {
14517 	case NL80211_IFTYPE_STATION:
14518 	case NL80211_IFTYPE_P2P_CLIENT:
14519 		if (wdev->current_bss)
14520 			break;
14521 		err = -ENOTCONN;
14522 		goto out;
14523 	default:
14524 		err = -EOPNOTSUPP;
14525 		goto out;
14526 	}
14527 
14528 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14529 
14530  out:
14531 	wdev_unlock(wdev);
14532 	return err;
14533 }
14534 
14535 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14536 {
14537 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14538 	struct net_device *dev = info->user_ptr[1];
14539 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14540 	const u8 *peer;
14541 	u8 tsid;
14542 	int err;
14543 
14544 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14545 		return -EINVAL;
14546 
14547 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14548 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14549 
14550 	wdev_lock(wdev);
14551 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14552 	wdev_unlock(wdev);
14553 
14554 	return err;
14555 }
14556 
14557 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14558 				       struct genl_info *info)
14559 {
14560 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14561 	struct net_device *dev = info->user_ptr[1];
14562 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14563 	struct cfg80211_chan_def chandef = {};
14564 	const u8 *addr;
14565 	u8 oper_class;
14566 	int err;
14567 
14568 	if (!rdev->ops->tdls_channel_switch ||
14569 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14570 		return -EOPNOTSUPP;
14571 
14572 	switch (dev->ieee80211_ptr->iftype) {
14573 	case NL80211_IFTYPE_STATION:
14574 	case NL80211_IFTYPE_P2P_CLIENT:
14575 		break;
14576 	default:
14577 		return -EOPNOTSUPP;
14578 	}
14579 
14580 	if (!info->attrs[NL80211_ATTR_MAC] ||
14581 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14582 		return -EINVAL;
14583 
14584 	err = nl80211_parse_chandef(rdev, info, &chandef);
14585 	if (err)
14586 		return err;
14587 
14588 	/*
14589 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14590 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14591 	 * specification is not defined for them.
14592 	 */
14593 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14594 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14595 	    chandef.width != NL80211_CHAN_WIDTH_20)
14596 		return -EINVAL;
14597 
14598 	/* we will be active on the TDLS link */
14599 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14600 					   wdev->iftype))
14601 		return -EINVAL;
14602 
14603 	/* don't allow switching to DFS channels */
14604 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14605 		return -EINVAL;
14606 
14607 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14608 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14609 
14610 	wdev_lock(wdev);
14611 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14612 	wdev_unlock(wdev);
14613 
14614 	return err;
14615 }
14616 
14617 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14618 					      struct genl_info *info)
14619 {
14620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14621 	struct net_device *dev = info->user_ptr[1];
14622 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14623 	const u8 *addr;
14624 
14625 	if (!rdev->ops->tdls_channel_switch ||
14626 	    !rdev->ops->tdls_cancel_channel_switch ||
14627 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14628 		return -EOPNOTSUPP;
14629 
14630 	switch (dev->ieee80211_ptr->iftype) {
14631 	case NL80211_IFTYPE_STATION:
14632 	case NL80211_IFTYPE_P2P_CLIENT:
14633 		break;
14634 	default:
14635 		return -EOPNOTSUPP;
14636 	}
14637 
14638 	if (!info->attrs[NL80211_ATTR_MAC])
14639 		return -EINVAL;
14640 
14641 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14642 
14643 	wdev_lock(wdev);
14644 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14645 	wdev_unlock(wdev);
14646 
14647 	return 0;
14648 }
14649 
14650 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14651 					    struct genl_info *info)
14652 {
14653 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14654 	struct net_device *dev = info->user_ptr[1];
14655 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14656 	const struct nlattr *nla;
14657 	bool enabled;
14658 
14659 	if (!rdev->ops->set_multicast_to_unicast)
14660 		return -EOPNOTSUPP;
14661 
14662 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14663 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14664 		return -EOPNOTSUPP;
14665 
14666 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14667 	enabled = nla_get_flag(nla);
14668 
14669 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14670 }
14671 
14672 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14673 {
14674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14675 	struct net_device *dev = info->user_ptr[1];
14676 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14677 	struct cfg80211_pmk_conf pmk_conf = {};
14678 	int ret;
14679 
14680 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14681 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14682 		return -EOPNOTSUPP;
14683 
14684 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14685 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14686 		return -EOPNOTSUPP;
14687 
14688 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14689 		return -EINVAL;
14690 
14691 	wdev_lock(wdev);
14692 	if (!wdev->current_bss) {
14693 		ret = -ENOTCONN;
14694 		goto out;
14695 	}
14696 
14697 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14698 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14699 		ret = -EINVAL;
14700 		goto out;
14701 	}
14702 
14703 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14704 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14705 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14706 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14707 		ret = -EINVAL;
14708 		goto out;
14709 	}
14710 
14711 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14712 		pmk_conf.pmk_r0_name =
14713 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14714 
14715 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14716 out:
14717 	wdev_unlock(wdev);
14718 	return ret;
14719 }
14720 
14721 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14722 {
14723 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14724 	struct net_device *dev = info->user_ptr[1];
14725 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14726 	const u8 *aa;
14727 	int ret;
14728 
14729 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14730 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14731 		return -EOPNOTSUPP;
14732 
14733 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14734 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14735 		return -EOPNOTSUPP;
14736 
14737 	if (!info->attrs[NL80211_ATTR_MAC])
14738 		return -EINVAL;
14739 
14740 	wdev_lock(wdev);
14741 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14742 	ret = rdev_del_pmk(rdev, dev, aa);
14743 	wdev_unlock(wdev);
14744 
14745 	return ret;
14746 }
14747 
14748 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14749 {
14750 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14751 	struct net_device *dev = info->user_ptr[1];
14752 	struct cfg80211_external_auth_params params;
14753 
14754 	if (!rdev->ops->external_auth)
14755 		return -EOPNOTSUPP;
14756 
14757 	if (!info->attrs[NL80211_ATTR_SSID] &&
14758 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14759 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14760 		return -EINVAL;
14761 
14762 	if (!info->attrs[NL80211_ATTR_BSSID])
14763 		return -EINVAL;
14764 
14765 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14766 		return -EINVAL;
14767 
14768 	memset(&params, 0, sizeof(params));
14769 
14770 	if (info->attrs[NL80211_ATTR_SSID]) {
14771 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14772 		if (params.ssid.ssid_len == 0)
14773 			return -EINVAL;
14774 		memcpy(params.ssid.ssid,
14775 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14776 		       params.ssid.ssid_len);
14777 	}
14778 
14779 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14780 	       ETH_ALEN);
14781 
14782 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14783 
14784 	if (info->attrs[NL80211_ATTR_PMKID])
14785 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14786 
14787 	return rdev_external_auth(rdev, dev, &params);
14788 }
14789 
14790 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14791 {
14792 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14793 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14794 	struct net_device *dev = info->user_ptr[1];
14795 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14796 	const u8 *buf;
14797 	size_t len;
14798 	u8 *dest;
14799 	u16 proto;
14800 	bool noencrypt;
14801 	u64 cookie = 0;
14802 	int err;
14803 
14804 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14805 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14806 		return -EOPNOTSUPP;
14807 
14808 	if (!rdev->ops->tx_control_port)
14809 		return -EOPNOTSUPP;
14810 
14811 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14812 	    !info->attrs[NL80211_ATTR_MAC] ||
14813 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14814 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14815 		return -EINVAL;
14816 	}
14817 
14818 	wdev_lock(wdev);
14819 
14820 	switch (wdev->iftype) {
14821 	case NL80211_IFTYPE_AP:
14822 	case NL80211_IFTYPE_P2P_GO:
14823 	case NL80211_IFTYPE_MESH_POINT:
14824 		break;
14825 	case NL80211_IFTYPE_ADHOC:
14826 	case NL80211_IFTYPE_STATION:
14827 	case NL80211_IFTYPE_P2P_CLIENT:
14828 		if (wdev->current_bss)
14829 			break;
14830 		err = -ENOTCONN;
14831 		goto out;
14832 	default:
14833 		err = -EOPNOTSUPP;
14834 		goto out;
14835 	}
14836 
14837 	wdev_unlock(wdev);
14838 
14839 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14840 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14841 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14842 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14843 	noencrypt =
14844 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14845 
14846 	err = rdev_tx_control_port(rdev, dev, buf, len,
14847 				   dest, cpu_to_be16(proto), noencrypt,
14848 				   dont_wait_for_ack ? NULL : &cookie);
14849 	if (!err && !dont_wait_for_ack)
14850 		nl_set_extack_cookie_u64(info->extack, cookie);
14851 	return err;
14852  out:
14853 	wdev_unlock(wdev);
14854 	return err;
14855 }
14856 
14857 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14858 					   struct genl_info *info)
14859 {
14860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14861 	struct net_device *dev = info->user_ptr[1];
14862 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14863 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14864 	struct sk_buff *msg;
14865 	void *hdr;
14866 	struct nlattr *ftm_stats_attr;
14867 	int err;
14868 
14869 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14870 		return -EOPNOTSUPP;
14871 
14872 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14873 	if (err)
14874 		return err;
14875 
14876 	if (!ftm_stats.filled)
14877 		return -ENODATA;
14878 
14879 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14880 	if (!msg)
14881 		return -ENOMEM;
14882 
14883 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14884 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14885 	if (!hdr)
14886 		goto nla_put_failure;
14887 
14888 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14889 		goto nla_put_failure;
14890 
14891 	ftm_stats_attr = nla_nest_start_noflag(msg,
14892 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14893 	if (!ftm_stats_attr)
14894 		goto nla_put_failure;
14895 
14896 #define SET_FTM(field, name, type)					 \
14897 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14898 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14899 			     ftm_stats.field))				 \
14900 		goto nla_put_failure; } while (0)
14901 #define SET_FTM_U64(field, name)					 \
14902 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14903 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14904 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14905 		goto nla_put_failure; } while (0)
14906 
14907 	SET_FTM(success_num, SUCCESS_NUM, u32);
14908 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14909 	SET_FTM(failed_num, FAILED_NUM, u32);
14910 	SET_FTM(asap_num, ASAP_NUM, u32);
14911 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14912 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14913 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14914 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14915 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14916 #undef SET_FTM
14917 
14918 	nla_nest_end(msg, ftm_stats_attr);
14919 
14920 	genlmsg_end(msg, hdr);
14921 	return genlmsg_reply(msg, info);
14922 
14923 nla_put_failure:
14924 	nlmsg_free(msg);
14925 	return -ENOBUFS;
14926 }
14927 
14928 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14929 {
14930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14931 	struct cfg80211_update_owe_info owe_info;
14932 	struct net_device *dev = info->user_ptr[1];
14933 
14934 	if (!rdev->ops->update_owe_info)
14935 		return -EOPNOTSUPP;
14936 
14937 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14938 	    !info->attrs[NL80211_ATTR_MAC])
14939 		return -EINVAL;
14940 
14941 	memset(&owe_info, 0, sizeof(owe_info));
14942 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14943 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14944 
14945 	if (info->attrs[NL80211_ATTR_IE]) {
14946 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14947 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14948 	}
14949 
14950 	return rdev_update_owe_info(rdev, dev, &owe_info);
14951 }
14952 
14953 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14954 {
14955 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14956 	struct net_device *dev = info->user_ptr[1];
14957 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14958 	struct station_info sinfo = {};
14959 	const u8 *buf;
14960 	size_t len;
14961 	u8 *dest;
14962 	int err;
14963 
14964 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14965 		return -EOPNOTSUPP;
14966 
14967 	if (!info->attrs[NL80211_ATTR_MAC] ||
14968 	    !info->attrs[NL80211_ATTR_FRAME]) {
14969 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14970 		return -EINVAL;
14971 	}
14972 
14973 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14974 		return -EOPNOTSUPP;
14975 
14976 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14977 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14978 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14979 
14980 	if (len < sizeof(struct ethhdr))
14981 		return -EINVAL;
14982 
14983 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14984 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14985 		return -EINVAL;
14986 
14987 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14988 	if (err)
14989 		return err;
14990 
14991 	cfg80211_sinfo_release_content(&sinfo);
14992 
14993 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14994 }
14995 
14996 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14997 			  struct nlattr *attrs[], struct net_device *dev,
14998 			  struct cfg80211_tid_cfg *tid_conf,
14999 			  struct genl_info *info, const u8 *peer)
15000 {
15001 	struct netlink_ext_ack *extack = info->extack;
15002 	u64 mask;
15003 	int err;
15004 
15005 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15006 		return -EINVAL;
15007 
15008 	tid_conf->config_override =
15009 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15010 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15011 
15012 	if (tid_conf->config_override) {
15013 		if (rdev->ops->reset_tid_config) {
15014 			err = rdev_reset_tid_config(rdev, dev, peer,
15015 						    tid_conf->tids);
15016 			if (err)
15017 				return err;
15018 		} else {
15019 			return -EINVAL;
15020 		}
15021 	}
15022 
15023 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15024 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15025 		tid_conf->noack =
15026 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15027 	}
15028 
15029 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15030 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15031 		tid_conf->retry_short =
15032 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15033 
15034 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15035 			return -EINVAL;
15036 	}
15037 
15038 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15039 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15040 		tid_conf->retry_long =
15041 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15042 
15043 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15044 			return -EINVAL;
15045 	}
15046 
15047 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15048 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15049 		tid_conf->ampdu =
15050 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15051 	}
15052 
15053 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15054 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15055 		tid_conf->rtscts =
15056 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15057 	}
15058 
15059 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15060 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15061 		tid_conf->amsdu =
15062 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15063 	}
15064 
15065 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15066 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15067 
15068 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15069 
15070 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15071 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15072 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15073 						    &tid_conf->txrate_mask, dev,
15074 						    true);
15075 			if (err)
15076 				return err;
15077 
15078 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15079 		}
15080 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15081 	}
15082 
15083 	if (peer)
15084 		mask = rdev->wiphy.tid_config_support.peer;
15085 	else
15086 		mask = rdev->wiphy.tid_config_support.vif;
15087 
15088 	if (tid_conf->mask & ~mask) {
15089 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15090 		return -ENOTSUPP;
15091 	}
15092 
15093 	return 0;
15094 }
15095 
15096 static int nl80211_set_tid_config(struct sk_buff *skb,
15097 				  struct genl_info *info)
15098 {
15099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15100 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15101 	struct net_device *dev = info->user_ptr[1];
15102 	struct cfg80211_tid_config *tid_config;
15103 	struct nlattr *tid;
15104 	int conf_idx = 0, rem_conf;
15105 	int ret = -EINVAL;
15106 	u32 num_conf = 0;
15107 
15108 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15109 		return -EINVAL;
15110 
15111 	if (!rdev->ops->set_tid_config)
15112 		return -EOPNOTSUPP;
15113 
15114 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15115 			    rem_conf)
15116 		num_conf++;
15117 
15118 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15119 			     GFP_KERNEL);
15120 	if (!tid_config)
15121 		return -ENOMEM;
15122 
15123 	tid_config->n_tid_conf = num_conf;
15124 
15125 	if (info->attrs[NL80211_ATTR_MAC])
15126 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15127 
15128 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15129 			    rem_conf) {
15130 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15131 				       tid, NULL, NULL);
15132 
15133 		if (ret)
15134 			goto bad_tid_conf;
15135 
15136 		ret = parse_tid_conf(rdev, attrs, dev,
15137 				     &tid_config->tid_conf[conf_idx],
15138 				     info, tid_config->peer);
15139 		if (ret)
15140 			goto bad_tid_conf;
15141 
15142 		conf_idx++;
15143 	}
15144 
15145 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15146 
15147 bad_tid_conf:
15148 	kfree(tid_config);
15149 	return ret;
15150 }
15151 
15152 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15153 {
15154 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15155 	struct cfg80211_color_change_settings params = {};
15156 	struct net_device *dev = info->user_ptr[1];
15157 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15158 	struct nlattr **tb;
15159 	u16 offset;
15160 	int err;
15161 
15162 	if (!rdev->ops->color_change)
15163 		return -EOPNOTSUPP;
15164 
15165 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15166 				     NL80211_EXT_FEATURE_BSS_COLOR))
15167 		return -EOPNOTSUPP;
15168 
15169 	if (wdev->iftype != NL80211_IFTYPE_AP)
15170 		return -EOPNOTSUPP;
15171 
15172 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15173 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15174 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15175 		return -EINVAL;
15176 
15177 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15178 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15179 
15180 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15181 	if (err)
15182 		return err;
15183 
15184 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15185 	if (!tb)
15186 		return -ENOMEM;
15187 
15188 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15189 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15190 			       nl80211_policy, info->extack);
15191 	if (err)
15192 		goto out;
15193 
15194 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15195 	if (err)
15196 		goto out;
15197 
15198 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15199 		err = -EINVAL;
15200 		goto out;
15201 	}
15202 
15203 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15204 		err = -EINVAL;
15205 		goto out;
15206 	}
15207 
15208 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15209 	if (offset >= params.beacon_color_change.tail_len) {
15210 		err = -EINVAL;
15211 		goto out;
15212 	}
15213 
15214 	if (params.beacon_color_change.tail[offset] != params.count) {
15215 		err = -EINVAL;
15216 		goto out;
15217 	}
15218 
15219 	params.counter_offset_beacon = offset;
15220 
15221 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15222 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15223 		    sizeof(u16)) {
15224 			err = -EINVAL;
15225 			goto out;
15226 		}
15227 
15228 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15229 		if (offset >= params.beacon_color_change.probe_resp_len) {
15230 			err = -EINVAL;
15231 			goto out;
15232 		}
15233 
15234 		if (params.beacon_color_change.probe_resp[offset] !=
15235 		    params.count) {
15236 			err = -EINVAL;
15237 			goto out;
15238 		}
15239 
15240 		params.counter_offset_presp = offset;
15241 	}
15242 
15243 	wdev_lock(wdev);
15244 	err = rdev_color_change(rdev, dev, &params);
15245 	wdev_unlock(wdev);
15246 
15247 out:
15248 	kfree(params.beacon_next.mbssid_ies);
15249 	kfree(params.beacon_color_change.mbssid_ies);
15250 	kfree(tb);
15251 	return err;
15252 }
15253 
15254 static int nl80211_set_fils_aad(struct sk_buff *skb,
15255 				struct genl_info *info)
15256 {
15257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15258 	struct net_device *dev = info->user_ptr[1];
15259 	struct cfg80211_fils_aad fils_aad = {};
15260 	u8 *nonces;
15261 
15262 	if (!info->attrs[NL80211_ATTR_MAC] ||
15263 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15264 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15265 		return -EINVAL;
15266 
15267 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15268 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15269 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15270 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15271 	fils_aad.snonce = nonces;
15272 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15273 
15274 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15275 }
15276 
15277 #define NL80211_FLAG_NEED_WIPHY		0x01
15278 #define NL80211_FLAG_NEED_NETDEV	0x02
15279 #define NL80211_FLAG_NEED_RTNL		0x04
15280 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15281 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15282 					 NL80211_FLAG_CHECK_NETDEV_UP)
15283 #define NL80211_FLAG_NEED_WDEV		0x10
15284 /* If a netdev is associated, it must be UP, P2P must be started */
15285 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15286 					 NL80211_FLAG_CHECK_NETDEV_UP)
15287 #define NL80211_FLAG_CLEAR_SKB		0x20
15288 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15289 
15290 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15291 			    struct genl_info *info)
15292 {
15293 	struct cfg80211_registered_device *rdev = NULL;
15294 	struct wireless_dev *wdev;
15295 	struct net_device *dev;
15296 
15297 	rtnl_lock();
15298 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15299 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15300 		if (IS_ERR(rdev)) {
15301 			rtnl_unlock();
15302 			return PTR_ERR(rdev);
15303 		}
15304 		info->user_ptr[0] = rdev;
15305 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15306 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15307 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15308 						  info->attrs);
15309 		if (IS_ERR(wdev)) {
15310 			rtnl_unlock();
15311 			return PTR_ERR(wdev);
15312 		}
15313 
15314 		dev = wdev->netdev;
15315 		rdev = wiphy_to_rdev(wdev->wiphy);
15316 
15317 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15318 			if (!dev) {
15319 				rtnl_unlock();
15320 				return -EINVAL;
15321 			}
15322 
15323 			info->user_ptr[1] = dev;
15324 		} else {
15325 			info->user_ptr[1] = wdev;
15326 		}
15327 
15328 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15329 		    !wdev_running(wdev)) {
15330 			rtnl_unlock();
15331 			return -ENETDOWN;
15332 		}
15333 
15334 		dev_hold(dev);
15335 		info->user_ptr[0] = rdev;
15336 	}
15337 
15338 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15339 		wiphy_lock(&rdev->wiphy);
15340 		/* we keep the mutex locked until post_doit */
15341 		__release(&rdev->wiphy.mtx);
15342 	}
15343 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15344 		rtnl_unlock();
15345 
15346 	return 0;
15347 }
15348 
15349 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15350 			      struct genl_info *info)
15351 {
15352 	if (info->user_ptr[1]) {
15353 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15354 			struct wireless_dev *wdev = info->user_ptr[1];
15355 
15356 			dev_put(wdev->netdev);
15357 		} else {
15358 			dev_put(info->user_ptr[1]);
15359 		}
15360 	}
15361 
15362 	if (info->user_ptr[0] &&
15363 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15364 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15365 
15366 		/* we kept the mutex locked since pre_doit */
15367 		__acquire(&rdev->wiphy.mtx);
15368 		wiphy_unlock(&rdev->wiphy);
15369 	}
15370 
15371 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15372 		rtnl_unlock();
15373 
15374 	/* If needed, clear the netlink message payload from the SKB
15375 	 * as it might contain key data that shouldn't stick around on
15376 	 * the heap after the SKB is freed. The netlink message header
15377 	 * is still needed for further processing, so leave it intact.
15378 	 */
15379 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15380 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15381 
15382 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15383 	}
15384 }
15385 
15386 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15387 				     struct cfg80211_sar_specs *sar_specs,
15388 				     struct nlattr *spec[], int index)
15389 {
15390 	u32 range_index, i;
15391 
15392 	if (!sar_specs || !spec)
15393 		return -EINVAL;
15394 
15395 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15396 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15397 		return -EINVAL;
15398 
15399 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15400 
15401 	/* check if range_index exceeds num_freq_ranges */
15402 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15403 		return -EINVAL;
15404 
15405 	/* check if range_index duplicates */
15406 	for (i = 0; i < index; i++) {
15407 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15408 			return -EINVAL;
15409 	}
15410 
15411 	sar_specs->sub_specs[index].power =
15412 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15413 
15414 	sar_specs->sub_specs[index].freq_range_index = range_index;
15415 
15416 	return 0;
15417 }
15418 
15419 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15420 {
15421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15422 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15423 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15424 	struct cfg80211_sar_specs *sar_spec;
15425 	enum nl80211_sar_type type;
15426 	struct nlattr *spec_list;
15427 	u32 specs;
15428 	int rem, err;
15429 
15430 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15431 		return -EOPNOTSUPP;
15432 
15433 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15434 		return -EINVAL;
15435 
15436 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15437 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15438 			 NULL, NULL);
15439 
15440 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15441 		return -EINVAL;
15442 
15443 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15444 	if (type != rdev->wiphy.sar_capa->type)
15445 		return -EINVAL;
15446 
15447 	specs = 0;
15448 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15449 		specs++;
15450 
15451 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15452 		return -EINVAL;
15453 
15454 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15455 	if (!sar_spec)
15456 		return -ENOMEM;
15457 
15458 	sar_spec->type = type;
15459 	specs = 0;
15460 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15461 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15462 				 spec_list, NULL, NULL);
15463 
15464 		switch (type) {
15465 		case NL80211_SAR_TYPE_POWER:
15466 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15467 						      spec, specs)) {
15468 				err = -EINVAL;
15469 				goto error;
15470 			}
15471 			break;
15472 		default:
15473 			err = -EINVAL;
15474 			goto error;
15475 		}
15476 		specs++;
15477 	}
15478 
15479 	sar_spec->num_sub_specs = specs;
15480 
15481 	rdev->cur_cmd_info = info;
15482 	err = rdev_set_sar_specs(rdev, sar_spec);
15483 	rdev->cur_cmd_info = NULL;
15484 error:
15485 	kfree(sar_spec);
15486 	return err;
15487 }
15488 
15489 static const struct genl_ops nl80211_ops[] = {
15490 	{
15491 		.cmd = NL80211_CMD_GET_WIPHY,
15492 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15493 		.doit = nl80211_get_wiphy,
15494 		.dumpit = nl80211_dump_wiphy,
15495 		.done = nl80211_dump_wiphy_done,
15496 		/* can be retrieved by unprivileged users */
15497 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15498 	},
15499 };
15500 
15501 static const struct genl_small_ops nl80211_small_ops[] = {
15502 	{
15503 		.cmd = NL80211_CMD_SET_WIPHY,
15504 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15505 		.doit = nl80211_set_wiphy,
15506 		.flags = GENL_UNS_ADMIN_PERM,
15507 	},
15508 	{
15509 		.cmd = NL80211_CMD_GET_INTERFACE,
15510 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15511 		.doit = nl80211_get_interface,
15512 		.dumpit = nl80211_dump_interface,
15513 		/* can be retrieved by unprivileged users */
15514 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15515 	},
15516 	{
15517 		.cmd = NL80211_CMD_SET_INTERFACE,
15518 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15519 		.doit = nl80211_set_interface,
15520 		.flags = GENL_UNS_ADMIN_PERM,
15521 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15522 				  NL80211_FLAG_NEED_RTNL,
15523 	},
15524 	{
15525 		.cmd = NL80211_CMD_NEW_INTERFACE,
15526 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15527 		.doit = nl80211_new_interface,
15528 		.flags = GENL_UNS_ADMIN_PERM,
15529 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15530 				  NL80211_FLAG_NEED_RTNL |
15531 				  /* we take the wiphy mutex later ourselves */
15532 				  NL80211_FLAG_NO_WIPHY_MTX,
15533 	},
15534 	{
15535 		.cmd = NL80211_CMD_DEL_INTERFACE,
15536 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15537 		.doit = nl80211_del_interface,
15538 		.flags = GENL_UNS_ADMIN_PERM,
15539 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15540 				  NL80211_FLAG_NEED_RTNL,
15541 	},
15542 	{
15543 		.cmd = NL80211_CMD_GET_KEY,
15544 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15545 		.doit = nl80211_get_key,
15546 		.flags = GENL_UNS_ADMIN_PERM,
15547 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15548 	},
15549 	{
15550 		.cmd = NL80211_CMD_SET_KEY,
15551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15552 		.doit = nl80211_set_key,
15553 		.flags = GENL_UNS_ADMIN_PERM,
15554 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15555 				  NL80211_FLAG_CLEAR_SKB,
15556 	},
15557 	{
15558 		.cmd = NL80211_CMD_NEW_KEY,
15559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15560 		.doit = nl80211_new_key,
15561 		.flags = GENL_UNS_ADMIN_PERM,
15562 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15563 				  NL80211_FLAG_CLEAR_SKB,
15564 	},
15565 	{
15566 		.cmd = NL80211_CMD_DEL_KEY,
15567 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15568 		.doit = nl80211_del_key,
15569 		.flags = GENL_UNS_ADMIN_PERM,
15570 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15571 	},
15572 	{
15573 		.cmd = NL80211_CMD_SET_BEACON,
15574 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15575 		.flags = GENL_UNS_ADMIN_PERM,
15576 		.doit = nl80211_set_beacon,
15577 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15578 	},
15579 	{
15580 		.cmd = NL80211_CMD_START_AP,
15581 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15582 		.flags = GENL_UNS_ADMIN_PERM,
15583 		.doit = nl80211_start_ap,
15584 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15585 	},
15586 	{
15587 		.cmd = NL80211_CMD_STOP_AP,
15588 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15589 		.flags = GENL_UNS_ADMIN_PERM,
15590 		.doit = nl80211_stop_ap,
15591 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15592 	},
15593 	{
15594 		.cmd = NL80211_CMD_GET_STATION,
15595 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15596 		.doit = nl80211_get_station,
15597 		.dumpit = nl80211_dump_station,
15598 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15599 	},
15600 	{
15601 		.cmd = NL80211_CMD_SET_STATION,
15602 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15603 		.doit = nl80211_set_station,
15604 		.flags = GENL_UNS_ADMIN_PERM,
15605 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15606 	},
15607 	{
15608 		.cmd = NL80211_CMD_NEW_STATION,
15609 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15610 		.doit = nl80211_new_station,
15611 		.flags = GENL_UNS_ADMIN_PERM,
15612 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15613 	},
15614 	{
15615 		.cmd = NL80211_CMD_DEL_STATION,
15616 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15617 		.doit = nl80211_del_station,
15618 		.flags = GENL_UNS_ADMIN_PERM,
15619 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15620 	},
15621 	{
15622 		.cmd = NL80211_CMD_GET_MPATH,
15623 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15624 		.doit = nl80211_get_mpath,
15625 		.dumpit = nl80211_dump_mpath,
15626 		.flags = GENL_UNS_ADMIN_PERM,
15627 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15628 	},
15629 	{
15630 		.cmd = NL80211_CMD_GET_MPP,
15631 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15632 		.doit = nl80211_get_mpp,
15633 		.dumpit = nl80211_dump_mpp,
15634 		.flags = GENL_UNS_ADMIN_PERM,
15635 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15636 	},
15637 	{
15638 		.cmd = NL80211_CMD_SET_MPATH,
15639 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15640 		.doit = nl80211_set_mpath,
15641 		.flags = GENL_UNS_ADMIN_PERM,
15642 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15643 	},
15644 	{
15645 		.cmd = NL80211_CMD_NEW_MPATH,
15646 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15647 		.doit = nl80211_new_mpath,
15648 		.flags = GENL_UNS_ADMIN_PERM,
15649 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15650 	},
15651 	{
15652 		.cmd = NL80211_CMD_DEL_MPATH,
15653 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15654 		.doit = nl80211_del_mpath,
15655 		.flags = GENL_UNS_ADMIN_PERM,
15656 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15657 	},
15658 	{
15659 		.cmd = NL80211_CMD_SET_BSS,
15660 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15661 		.doit = nl80211_set_bss,
15662 		.flags = GENL_UNS_ADMIN_PERM,
15663 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15664 	},
15665 	{
15666 		.cmd = NL80211_CMD_GET_REG,
15667 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15668 		.doit = nl80211_get_reg_do,
15669 		.dumpit = nl80211_get_reg_dump,
15670 		.internal_flags = 0,
15671 		/* can be retrieved by unprivileged users */
15672 	},
15673 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15674 	{
15675 		.cmd = NL80211_CMD_SET_REG,
15676 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15677 		.doit = nl80211_set_reg,
15678 		.flags = GENL_ADMIN_PERM,
15679 		.internal_flags = 0,
15680 	},
15681 #endif
15682 	{
15683 		.cmd = NL80211_CMD_REQ_SET_REG,
15684 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15685 		.doit = nl80211_req_set_reg,
15686 		.flags = GENL_ADMIN_PERM,
15687 	},
15688 	{
15689 		.cmd = NL80211_CMD_RELOAD_REGDB,
15690 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15691 		.doit = nl80211_reload_regdb,
15692 		.flags = GENL_ADMIN_PERM,
15693 	},
15694 	{
15695 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15696 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15697 		.doit = nl80211_get_mesh_config,
15698 		/* can be retrieved by unprivileged users */
15699 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15700 	},
15701 	{
15702 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15703 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15704 		.doit = nl80211_update_mesh_config,
15705 		.flags = GENL_UNS_ADMIN_PERM,
15706 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15707 	},
15708 	{
15709 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15710 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15711 		.doit = nl80211_trigger_scan,
15712 		.flags = GENL_UNS_ADMIN_PERM,
15713 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15714 	},
15715 	{
15716 		.cmd = NL80211_CMD_ABORT_SCAN,
15717 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15718 		.doit = nl80211_abort_scan,
15719 		.flags = GENL_UNS_ADMIN_PERM,
15720 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15721 	},
15722 	{
15723 		.cmd = NL80211_CMD_GET_SCAN,
15724 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15725 		.dumpit = nl80211_dump_scan,
15726 	},
15727 	{
15728 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15729 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15730 		.doit = nl80211_start_sched_scan,
15731 		.flags = GENL_UNS_ADMIN_PERM,
15732 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15733 	},
15734 	{
15735 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15736 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15737 		.doit = nl80211_stop_sched_scan,
15738 		.flags = GENL_UNS_ADMIN_PERM,
15739 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15740 	},
15741 	{
15742 		.cmd = NL80211_CMD_AUTHENTICATE,
15743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15744 		.doit = nl80211_authenticate,
15745 		.flags = GENL_UNS_ADMIN_PERM,
15746 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15747 				  0 |
15748 				  NL80211_FLAG_CLEAR_SKB,
15749 	},
15750 	{
15751 		.cmd = NL80211_CMD_ASSOCIATE,
15752 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15753 		.doit = nl80211_associate,
15754 		.flags = GENL_UNS_ADMIN_PERM,
15755 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15756 				  0 |
15757 				  NL80211_FLAG_CLEAR_SKB,
15758 	},
15759 	{
15760 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15761 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15762 		.doit = nl80211_deauthenticate,
15763 		.flags = GENL_UNS_ADMIN_PERM,
15764 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15765 	},
15766 	{
15767 		.cmd = NL80211_CMD_DISASSOCIATE,
15768 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15769 		.doit = nl80211_disassociate,
15770 		.flags = GENL_UNS_ADMIN_PERM,
15771 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15772 	},
15773 	{
15774 		.cmd = NL80211_CMD_JOIN_IBSS,
15775 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15776 		.doit = nl80211_join_ibss,
15777 		.flags = GENL_UNS_ADMIN_PERM,
15778 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15779 	},
15780 	{
15781 		.cmd = NL80211_CMD_LEAVE_IBSS,
15782 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15783 		.doit = nl80211_leave_ibss,
15784 		.flags = GENL_UNS_ADMIN_PERM,
15785 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15786 	},
15787 #ifdef CONFIG_NL80211_TESTMODE
15788 	{
15789 		.cmd = NL80211_CMD_TESTMODE,
15790 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15791 		.doit = nl80211_testmode_do,
15792 		.dumpit = nl80211_testmode_dump,
15793 		.flags = GENL_UNS_ADMIN_PERM,
15794 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15795 	},
15796 #endif
15797 	{
15798 		.cmd = NL80211_CMD_CONNECT,
15799 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15800 		.doit = nl80211_connect,
15801 		.flags = GENL_UNS_ADMIN_PERM,
15802 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15803 				  0 |
15804 				  NL80211_FLAG_CLEAR_SKB,
15805 	},
15806 	{
15807 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15808 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15809 		.doit = nl80211_update_connect_params,
15810 		.flags = GENL_ADMIN_PERM,
15811 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15812 				  0 |
15813 				  NL80211_FLAG_CLEAR_SKB,
15814 	},
15815 	{
15816 		.cmd = NL80211_CMD_DISCONNECT,
15817 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15818 		.doit = nl80211_disconnect,
15819 		.flags = GENL_UNS_ADMIN_PERM,
15820 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15821 	},
15822 	{
15823 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15824 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15825 		.doit = nl80211_wiphy_netns,
15826 		.flags = GENL_UNS_ADMIN_PERM,
15827 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15828 				  NL80211_FLAG_NEED_RTNL |
15829 				  NL80211_FLAG_NO_WIPHY_MTX,
15830 	},
15831 	{
15832 		.cmd = NL80211_CMD_GET_SURVEY,
15833 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15834 		.dumpit = nl80211_dump_survey,
15835 	},
15836 	{
15837 		.cmd = NL80211_CMD_SET_PMKSA,
15838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15839 		.doit = nl80211_setdel_pmksa,
15840 		.flags = GENL_UNS_ADMIN_PERM,
15841 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15842 				  0 |
15843 				  NL80211_FLAG_CLEAR_SKB,
15844 	},
15845 	{
15846 		.cmd = NL80211_CMD_DEL_PMKSA,
15847 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15848 		.doit = nl80211_setdel_pmksa,
15849 		.flags = GENL_UNS_ADMIN_PERM,
15850 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15851 	},
15852 	{
15853 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15855 		.doit = nl80211_flush_pmksa,
15856 		.flags = GENL_UNS_ADMIN_PERM,
15857 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15858 	},
15859 	{
15860 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15861 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15862 		.doit = nl80211_remain_on_channel,
15863 		.flags = GENL_UNS_ADMIN_PERM,
15864 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15865 	},
15866 	{
15867 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15868 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15869 		.doit = nl80211_cancel_remain_on_channel,
15870 		.flags = GENL_UNS_ADMIN_PERM,
15871 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15872 	},
15873 	{
15874 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15875 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15876 		.doit = nl80211_set_tx_bitrate_mask,
15877 		.flags = GENL_UNS_ADMIN_PERM,
15878 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15879 	},
15880 	{
15881 		.cmd = NL80211_CMD_REGISTER_FRAME,
15882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15883 		.doit = nl80211_register_mgmt,
15884 		.flags = GENL_UNS_ADMIN_PERM,
15885 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15886 	},
15887 	{
15888 		.cmd = NL80211_CMD_FRAME,
15889 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15890 		.doit = nl80211_tx_mgmt,
15891 		.flags = GENL_UNS_ADMIN_PERM,
15892 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15893 	},
15894 	{
15895 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15896 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15897 		.doit = nl80211_tx_mgmt_cancel_wait,
15898 		.flags = GENL_UNS_ADMIN_PERM,
15899 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15900 	},
15901 	{
15902 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15904 		.doit = nl80211_set_power_save,
15905 		.flags = GENL_UNS_ADMIN_PERM,
15906 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15907 	},
15908 	{
15909 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15910 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15911 		.doit = nl80211_get_power_save,
15912 		/* can be retrieved by unprivileged users */
15913 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15914 	},
15915 	{
15916 		.cmd = NL80211_CMD_SET_CQM,
15917 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15918 		.doit = nl80211_set_cqm,
15919 		.flags = GENL_UNS_ADMIN_PERM,
15920 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15921 	},
15922 	{
15923 		.cmd = NL80211_CMD_SET_CHANNEL,
15924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15925 		.doit = nl80211_set_channel,
15926 		.flags = GENL_UNS_ADMIN_PERM,
15927 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15928 	},
15929 	{
15930 		.cmd = NL80211_CMD_JOIN_MESH,
15931 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15932 		.doit = nl80211_join_mesh,
15933 		.flags = GENL_UNS_ADMIN_PERM,
15934 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15935 	},
15936 	{
15937 		.cmd = NL80211_CMD_LEAVE_MESH,
15938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15939 		.doit = nl80211_leave_mesh,
15940 		.flags = GENL_UNS_ADMIN_PERM,
15941 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15942 	},
15943 	{
15944 		.cmd = NL80211_CMD_JOIN_OCB,
15945 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15946 		.doit = nl80211_join_ocb,
15947 		.flags = GENL_UNS_ADMIN_PERM,
15948 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15949 	},
15950 	{
15951 		.cmd = NL80211_CMD_LEAVE_OCB,
15952 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15953 		.doit = nl80211_leave_ocb,
15954 		.flags = GENL_UNS_ADMIN_PERM,
15955 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15956 	},
15957 #ifdef CONFIG_PM
15958 	{
15959 		.cmd = NL80211_CMD_GET_WOWLAN,
15960 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15961 		.doit = nl80211_get_wowlan,
15962 		/* can be retrieved by unprivileged users */
15963 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15964 	},
15965 	{
15966 		.cmd = NL80211_CMD_SET_WOWLAN,
15967 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15968 		.doit = nl80211_set_wowlan,
15969 		.flags = GENL_UNS_ADMIN_PERM,
15970 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15971 	},
15972 #endif
15973 	{
15974 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15975 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15976 		.doit = nl80211_set_rekey_data,
15977 		.flags = GENL_UNS_ADMIN_PERM,
15978 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15979 				  0 |
15980 				  NL80211_FLAG_CLEAR_SKB,
15981 	},
15982 	{
15983 		.cmd = NL80211_CMD_TDLS_MGMT,
15984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15985 		.doit = nl80211_tdls_mgmt,
15986 		.flags = GENL_UNS_ADMIN_PERM,
15987 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15988 	},
15989 	{
15990 		.cmd = NL80211_CMD_TDLS_OPER,
15991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15992 		.doit = nl80211_tdls_oper,
15993 		.flags = GENL_UNS_ADMIN_PERM,
15994 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15995 	},
15996 	{
15997 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15999 		.doit = nl80211_register_unexpected_frame,
16000 		.flags = GENL_UNS_ADMIN_PERM,
16001 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16002 	},
16003 	{
16004 		.cmd = NL80211_CMD_PROBE_CLIENT,
16005 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16006 		.doit = nl80211_probe_client,
16007 		.flags = GENL_UNS_ADMIN_PERM,
16008 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16009 	},
16010 	{
16011 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16013 		.doit = nl80211_register_beacons,
16014 		.flags = GENL_UNS_ADMIN_PERM,
16015 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16016 	},
16017 	{
16018 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16020 		.doit = nl80211_set_noack_map,
16021 		.flags = GENL_UNS_ADMIN_PERM,
16022 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16023 	},
16024 	{
16025 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16026 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16027 		.doit = nl80211_start_p2p_device,
16028 		.flags = GENL_UNS_ADMIN_PERM,
16029 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16030 				  NL80211_FLAG_NEED_RTNL,
16031 	},
16032 	{
16033 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16035 		.doit = nl80211_stop_p2p_device,
16036 		.flags = GENL_UNS_ADMIN_PERM,
16037 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16038 				  NL80211_FLAG_NEED_RTNL,
16039 	},
16040 	{
16041 		.cmd = NL80211_CMD_START_NAN,
16042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16043 		.doit = nl80211_start_nan,
16044 		.flags = GENL_ADMIN_PERM,
16045 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16046 				  NL80211_FLAG_NEED_RTNL,
16047 	},
16048 	{
16049 		.cmd = NL80211_CMD_STOP_NAN,
16050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16051 		.doit = nl80211_stop_nan,
16052 		.flags = GENL_ADMIN_PERM,
16053 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16054 				  NL80211_FLAG_NEED_RTNL,
16055 	},
16056 	{
16057 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16058 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16059 		.doit = nl80211_nan_add_func,
16060 		.flags = GENL_ADMIN_PERM,
16061 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16062 	},
16063 	{
16064 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16065 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16066 		.doit = nl80211_nan_del_func,
16067 		.flags = GENL_ADMIN_PERM,
16068 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16069 	},
16070 	{
16071 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16072 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16073 		.doit = nl80211_nan_change_config,
16074 		.flags = GENL_ADMIN_PERM,
16075 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16076 	},
16077 	{
16078 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16080 		.doit = nl80211_set_mcast_rate,
16081 		.flags = GENL_UNS_ADMIN_PERM,
16082 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16083 	},
16084 	{
16085 		.cmd = NL80211_CMD_SET_MAC_ACL,
16086 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16087 		.doit = nl80211_set_mac_acl,
16088 		.flags = GENL_UNS_ADMIN_PERM,
16089 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16090 	},
16091 	{
16092 		.cmd = NL80211_CMD_RADAR_DETECT,
16093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16094 		.doit = nl80211_start_radar_detection,
16095 		.flags = GENL_UNS_ADMIN_PERM,
16096 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16097 				  NL80211_FLAG_NO_WIPHY_MTX,
16098 	},
16099 	{
16100 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16101 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16102 		.doit = nl80211_get_protocol_features,
16103 	},
16104 	{
16105 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16106 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16107 		.doit = nl80211_update_ft_ies,
16108 		.flags = GENL_UNS_ADMIN_PERM,
16109 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16110 	},
16111 	{
16112 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16114 		.doit = nl80211_crit_protocol_start,
16115 		.flags = GENL_UNS_ADMIN_PERM,
16116 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16117 	},
16118 	{
16119 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16120 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16121 		.doit = nl80211_crit_protocol_stop,
16122 		.flags = GENL_UNS_ADMIN_PERM,
16123 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16124 	},
16125 	{
16126 		.cmd = NL80211_CMD_GET_COALESCE,
16127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16128 		.doit = nl80211_get_coalesce,
16129 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16130 	},
16131 	{
16132 		.cmd = NL80211_CMD_SET_COALESCE,
16133 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16134 		.doit = nl80211_set_coalesce,
16135 		.flags = GENL_UNS_ADMIN_PERM,
16136 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16137 	},
16138 	{
16139 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16140 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16141 		.doit = nl80211_channel_switch,
16142 		.flags = GENL_UNS_ADMIN_PERM,
16143 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16144 	},
16145 	{
16146 		.cmd = NL80211_CMD_VENDOR,
16147 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16148 		.doit = nl80211_vendor_cmd,
16149 		.dumpit = nl80211_vendor_cmd_dump,
16150 		.flags = GENL_UNS_ADMIN_PERM,
16151 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16152 				  0 |
16153 				  NL80211_FLAG_CLEAR_SKB,
16154 	},
16155 	{
16156 		.cmd = NL80211_CMD_SET_QOS_MAP,
16157 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16158 		.doit = nl80211_set_qos_map,
16159 		.flags = GENL_UNS_ADMIN_PERM,
16160 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16161 	},
16162 	{
16163 		.cmd = NL80211_CMD_ADD_TX_TS,
16164 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16165 		.doit = nl80211_add_tx_ts,
16166 		.flags = GENL_UNS_ADMIN_PERM,
16167 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16168 	},
16169 	{
16170 		.cmd = NL80211_CMD_DEL_TX_TS,
16171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16172 		.doit = nl80211_del_tx_ts,
16173 		.flags = GENL_UNS_ADMIN_PERM,
16174 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16175 	},
16176 	{
16177 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16179 		.doit = nl80211_tdls_channel_switch,
16180 		.flags = GENL_UNS_ADMIN_PERM,
16181 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16182 	},
16183 	{
16184 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16185 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16186 		.doit = nl80211_tdls_cancel_channel_switch,
16187 		.flags = GENL_UNS_ADMIN_PERM,
16188 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16189 	},
16190 	{
16191 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16192 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16193 		.doit = nl80211_set_multicast_to_unicast,
16194 		.flags = GENL_UNS_ADMIN_PERM,
16195 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16196 	},
16197 	{
16198 		.cmd = NL80211_CMD_SET_PMK,
16199 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16200 		.doit = nl80211_set_pmk,
16201 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16202 				  0 |
16203 				  NL80211_FLAG_CLEAR_SKB,
16204 	},
16205 	{
16206 		.cmd = NL80211_CMD_DEL_PMK,
16207 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16208 		.doit = nl80211_del_pmk,
16209 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16210 	},
16211 	{
16212 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16213 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16214 		.doit = nl80211_external_auth,
16215 		.flags = GENL_ADMIN_PERM,
16216 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16217 	},
16218 	{
16219 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16221 		.doit = nl80211_tx_control_port,
16222 		.flags = GENL_UNS_ADMIN_PERM,
16223 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16224 	},
16225 	{
16226 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16227 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16228 		.doit = nl80211_get_ftm_responder_stats,
16229 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16230 	},
16231 	{
16232 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16233 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16234 		.doit = nl80211_pmsr_start,
16235 		.flags = GENL_UNS_ADMIN_PERM,
16236 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16237 	},
16238 	{
16239 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16240 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16241 		.doit = nl80211_notify_radar_detection,
16242 		.flags = GENL_UNS_ADMIN_PERM,
16243 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16244 	},
16245 	{
16246 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16247 		.doit = nl80211_update_owe_info,
16248 		.flags = GENL_ADMIN_PERM,
16249 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16250 	},
16251 	{
16252 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16253 		.doit = nl80211_probe_mesh_link,
16254 		.flags = GENL_UNS_ADMIN_PERM,
16255 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16256 	},
16257 	{
16258 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16259 		.doit = nl80211_set_tid_config,
16260 		.flags = GENL_UNS_ADMIN_PERM,
16261 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16262 	},
16263 	{
16264 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16265 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16266 		.doit = nl80211_set_sar_specs,
16267 		.flags = GENL_UNS_ADMIN_PERM,
16268 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16269 				  NL80211_FLAG_NEED_RTNL,
16270 	},
16271 	{
16272 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16273 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16274 		.doit = nl80211_color_change,
16275 		.flags = GENL_UNS_ADMIN_PERM,
16276 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16277 				  NL80211_FLAG_NEED_RTNL,
16278 	},
16279 	{
16280 		.cmd = NL80211_CMD_SET_FILS_AAD,
16281 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16282 		.doit = nl80211_set_fils_aad,
16283 		.flags = GENL_UNS_ADMIN_PERM,
16284 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16285 	},
16286 };
16287 
16288 static struct genl_family nl80211_fam __ro_after_init = {
16289 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16290 	.hdrsize = 0,			/* no private header */
16291 	.version = 1,			/* no particular meaning now */
16292 	.maxattr = NL80211_ATTR_MAX,
16293 	.policy = nl80211_policy,
16294 	.netnsok = true,
16295 	.pre_doit = nl80211_pre_doit,
16296 	.post_doit = nl80211_post_doit,
16297 	.module = THIS_MODULE,
16298 	.ops = nl80211_ops,
16299 	.n_ops = ARRAY_SIZE(nl80211_ops),
16300 	.small_ops = nl80211_small_ops,
16301 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16302 	.mcgrps = nl80211_mcgrps,
16303 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16304 	.parallel_ops = true,
16305 };
16306 
16307 /* notification functions */
16308 
16309 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16310 			  enum nl80211_commands cmd)
16311 {
16312 	struct sk_buff *msg;
16313 	struct nl80211_dump_wiphy_state state = {};
16314 
16315 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16316 		cmd != NL80211_CMD_DEL_WIPHY);
16317 
16318 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16319 	if (!msg)
16320 		return;
16321 
16322 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16323 		nlmsg_free(msg);
16324 		return;
16325 	}
16326 
16327 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16328 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16329 }
16330 
16331 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16332 				struct wireless_dev *wdev,
16333 				enum nl80211_commands cmd)
16334 {
16335 	struct sk_buff *msg;
16336 
16337 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16338 	if (!msg)
16339 		return;
16340 
16341 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16342 		nlmsg_free(msg);
16343 		return;
16344 	}
16345 
16346 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16347 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16348 }
16349 
16350 static int nl80211_add_scan_req(struct sk_buff *msg,
16351 				struct cfg80211_registered_device *rdev)
16352 {
16353 	struct cfg80211_scan_request *req = rdev->scan_req;
16354 	struct nlattr *nest;
16355 	int i;
16356 	struct cfg80211_scan_info *info;
16357 
16358 	if (WARN_ON(!req))
16359 		return 0;
16360 
16361 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16362 	if (!nest)
16363 		goto nla_put_failure;
16364 	for (i = 0; i < req->n_ssids; i++) {
16365 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16366 			goto nla_put_failure;
16367 	}
16368 	nla_nest_end(msg, nest);
16369 
16370 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16371 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16372 		if (!nest)
16373 			goto nla_put_failure;
16374 		for (i = 0; i < req->n_channels; i++) {
16375 			if (nla_put_u32(msg, i,
16376 				   ieee80211_channel_to_khz(req->channels[i])))
16377 				goto nla_put_failure;
16378 		}
16379 		nla_nest_end(msg, nest);
16380 	} else {
16381 		nest = nla_nest_start_noflag(msg,
16382 					     NL80211_ATTR_SCAN_FREQUENCIES);
16383 		if (!nest)
16384 			goto nla_put_failure;
16385 		for (i = 0; i < req->n_channels; i++) {
16386 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16387 				goto nla_put_failure;
16388 		}
16389 		nla_nest_end(msg, nest);
16390 	}
16391 
16392 	if (req->ie &&
16393 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16394 		goto nla_put_failure;
16395 
16396 	if (req->flags &&
16397 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16398 		goto nla_put_failure;
16399 
16400 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16401 		&rdev->scan_req->info;
16402 	if (info->scan_start_tsf &&
16403 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16404 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16405 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16406 		     info->tsf_bssid)))
16407 		goto nla_put_failure;
16408 
16409 	return 0;
16410  nla_put_failure:
16411 	return -ENOBUFS;
16412 }
16413 
16414 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16415 				 struct cfg80211_registered_device *rdev,
16416 				 struct wireless_dev *wdev,
16417 				 u32 portid, u32 seq, int flags,
16418 				 u32 cmd)
16419 {
16420 	void *hdr;
16421 
16422 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16423 	if (!hdr)
16424 		return -1;
16425 
16426 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16427 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16428 					 wdev->netdev->ifindex)) ||
16429 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16430 			      NL80211_ATTR_PAD))
16431 		goto nla_put_failure;
16432 
16433 	/* ignore errors and send incomplete event anyway */
16434 	nl80211_add_scan_req(msg, rdev);
16435 
16436 	genlmsg_end(msg, hdr);
16437 	return 0;
16438 
16439  nla_put_failure:
16440 	genlmsg_cancel(msg, hdr);
16441 	return -EMSGSIZE;
16442 }
16443 
16444 static int
16445 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16446 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16447 {
16448 	void *hdr;
16449 
16450 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16451 	if (!hdr)
16452 		return -1;
16453 
16454 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16455 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16456 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16457 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16458 			      NL80211_ATTR_PAD))
16459 		goto nla_put_failure;
16460 
16461 	genlmsg_end(msg, hdr);
16462 	return 0;
16463 
16464  nla_put_failure:
16465 	genlmsg_cancel(msg, hdr);
16466 	return -EMSGSIZE;
16467 }
16468 
16469 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16470 			     struct wireless_dev *wdev)
16471 {
16472 	struct sk_buff *msg;
16473 
16474 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16475 	if (!msg)
16476 		return;
16477 
16478 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16479 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16480 		nlmsg_free(msg);
16481 		return;
16482 	}
16483 
16484 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16485 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16486 }
16487 
16488 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16489 				       struct wireless_dev *wdev, bool aborted)
16490 {
16491 	struct sk_buff *msg;
16492 
16493 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16494 	if (!msg)
16495 		return NULL;
16496 
16497 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16498 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16499 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16500 		nlmsg_free(msg);
16501 		return NULL;
16502 	}
16503 
16504 	return msg;
16505 }
16506 
16507 /* send message created by nl80211_build_scan_msg() */
16508 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16509 			   struct sk_buff *msg)
16510 {
16511 	if (!msg)
16512 		return;
16513 
16514 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16515 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16516 }
16517 
16518 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16519 {
16520 	struct sk_buff *msg;
16521 
16522 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16523 	if (!msg)
16524 		return;
16525 
16526 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16527 		nlmsg_free(msg);
16528 		return;
16529 	}
16530 
16531 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16532 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16533 }
16534 
16535 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16536 					  struct regulatory_request *request)
16537 {
16538 	/* Userspace can always count this one always being set */
16539 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16540 		goto nla_put_failure;
16541 
16542 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16543 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16544 			       NL80211_REGDOM_TYPE_WORLD))
16545 			goto nla_put_failure;
16546 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16547 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16548 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16549 			goto nla_put_failure;
16550 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16551 		   request->intersect) {
16552 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16553 			       NL80211_REGDOM_TYPE_INTERSECTION))
16554 			goto nla_put_failure;
16555 	} else {
16556 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16557 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16558 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16559 				   request->alpha2))
16560 			goto nla_put_failure;
16561 	}
16562 
16563 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16564 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16565 
16566 		if (wiphy &&
16567 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16568 			goto nla_put_failure;
16569 
16570 		if (wiphy &&
16571 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16572 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16573 			goto nla_put_failure;
16574 	}
16575 
16576 	return true;
16577 
16578 nla_put_failure:
16579 	return false;
16580 }
16581 
16582 /*
16583  * This can happen on global regulatory changes or device specific settings
16584  * based on custom regulatory domains.
16585  */
16586 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16587 				     struct regulatory_request *request)
16588 {
16589 	struct sk_buff *msg;
16590 	void *hdr;
16591 
16592 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16593 	if (!msg)
16594 		return;
16595 
16596 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16597 	if (!hdr)
16598 		goto nla_put_failure;
16599 
16600 	if (!nl80211_reg_change_event_fill(msg, request))
16601 		goto nla_put_failure;
16602 
16603 	genlmsg_end(msg, hdr);
16604 
16605 	rcu_read_lock();
16606 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16607 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16608 	rcu_read_unlock();
16609 
16610 	return;
16611 
16612 nla_put_failure:
16613 	nlmsg_free(msg);
16614 }
16615 
16616 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16617 				    struct net_device *netdev,
16618 				    const u8 *buf, size_t len,
16619 				    enum nl80211_commands cmd, gfp_t gfp,
16620 				    int uapsd_queues, const u8 *req_ies,
16621 				    size_t req_ies_len, bool reconnect)
16622 {
16623 	struct sk_buff *msg;
16624 	void *hdr;
16625 
16626 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16627 	if (!msg)
16628 		return;
16629 
16630 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16631 	if (!hdr) {
16632 		nlmsg_free(msg);
16633 		return;
16634 	}
16635 
16636 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16637 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16638 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16639 	    (req_ies &&
16640 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16641 		goto nla_put_failure;
16642 
16643 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16644 		goto nla_put_failure;
16645 
16646 	if (uapsd_queues >= 0) {
16647 		struct nlattr *nla_wmm =
16648 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16649 		if (!nla_wmm)
16650 			goto nla_put_failure;
16651 
16652 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16653 			       uapsd_queues))
16654 			goto nla_put_failure;
16655 
16656 		nla_nest_end(msg, nla_wmm);
16657 	}
16658 
16659 	genlmsg_end(msg, hdr);
16660 
16661 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16662 				NL80211_MCGRP_MLME, gfp);
16663 	return;
16664 
16665  nla_put_failure:
16666 	nlmsg_free(msg);
16667 }
16668 
16669 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16670 			  struct net_device *netdev, const u8 *buf,
16671 			  size_t len, gfp_t gfp)
16672 {
16673 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16674 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16675 				false);
16676 }
16677 
16678 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16679 			   struct net_device *netdev, const u8 *buf,
16680 			   size_t len, gfp_t gfp, int uapsd_queues,
16681 			   const u8 *req_ies, size_t req_ies_len)
16682 {
16683 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16684 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16685 				req_ies, req_ies_len, false);
16686 }
16687 
16688 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16689 			 struct net_device *netdev, const u8 *buf,
16690 			 size_t len, bool reconnect, gfp_t gfp)
16691 {
16692 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16693 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16694 				reconnect);
16695 }
16696 
16697 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16698 			   struct net_device *netdev, const u8 *buf,
16699 			   size_t len, bool reconnect, gfp_t gfp)
16700 {
16701 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16702 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16703 				reconnect);
16704 }
16705 
16706 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16707 				  size_t len)
16708 {
16709 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16710 	struct wiphy *wiphy = wdev->wiphy;
16711 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16712 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16713 	u32 cmd;
16714 
16715 	if (WARN_ON(len < 2))
16716 		return;
16717 
16718 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16719 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16720 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16721 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16722 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16723 		if (wdev->unprot_beacon_reported &&
16724 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16725 			return;
16726 		cmd = NL80211_CMD_UNPROT_BEACON;
16727 		wdev->unprot_beacon_reported = jiffies;
16728 	} else {
16729 		return;
16730 	}
16731 
16732 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16733 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16734 				NULL, 0, false);
16735 }
16736 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16737 
16738 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16739 				      struct net_device *netdev, int cmd,
16740 				      const u8 *addr, gfp_t gfp)
16741 {
16742 	struct sk_buff *msg;
16743 	void *hdr;
16744 
16745 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16746 	if (!msg)
16747 		return;
16748 
16749 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16750 	if (!hdr) {
16751 		nlmsg_free(msg);
16752 		return;
16753 	}
16754 
16755 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16756 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16757 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16758 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16759 		goto nla_put_failure;
16760 
16761 	genlmsg_end(msg, hdr);
16762 
16763 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16764 				NL80211_MCGRP_MLME, gfp);
16765 	return;
16766 
16767  nla_put_failure:
16768 	nlmsg_free(msg);
16769 }
16770 
16771 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16772 			       struct net_device *netdev, const u8 *addr,
16773 			       gfp_t gfp)
16774 {
16775 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16776 				  addr, gfp);
16777 }
16778 
16779 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16780 				struct net_device *netdev, const u8 *addr,
16781 				gfp_t gfp)
16782 {
16783 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16784 				  addr, gfp);
16785 }
16786 
16787 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16788 				 struct net_device *netdev,
16789 				 struct cfg80211_connect_resp_params *cr,
16790 				 gfp_t gfp)
16791 {
16792 	struct sk_buff *msg;
16793 	void *hdr;
16794 
16795 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16796 			cr->fils.kek_len + cr->fils.pmk_len +
16797 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16798 	if (!msg)
16799 		return;
16800 
16801 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16802 	if (!hdr) {
16803 		nlmsg_free(msg);
16804 		return;
16805 	}
16806 
16807 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16808 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16809 	    (cr->bssid &&
16810 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16811 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16812 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16813 			cr->status) ||
16814 	    (cr->status < 0 &&
16815 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16816 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16817 			  cr->timeout_reason))) ||
16818 	    (cr->req_ie &&
16819 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16820 	    (cr->resp_ie &&
16821 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16822 		     cr->resp_ie)) ||
16823 	    (cr->fils.update_erp_next_seq_num &&
16824 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16825 			 cr->fils.erp_next_seq_num)) ||
16826 	    (cr->status == WLAN_STATUS_SUCCESS &&
16827 	     ((cr->fils.kek &&
16828 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16829 		       cr->fils.kek)) ||
16830 	      (cr->fils.pmk &&
16831 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16832 	      (cr->fils.pmkid &&
16833 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16834 		goto nla_put_failure;
16835 
16836 	genlmsg_end(msg, hdr);
16837 
16838 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16839 				NL80211_MCGRP_MLME, gfp);
16840 	return;
16841 
16842  nla_put_failure:
16843 	nlmsg_free(msg);
16844 }
16845 
16846 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16847 			 struct net_device *netdev,
16848 			 struct cfg80211_roam_info *info, gfp_t gfp)
16849 {
16850 	struct sk_buff *msg;
16851 	void *hdr;
16852 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16853 
16854 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16855 			info->fils.kek_len + info->fils.pmk_len +
16856 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16857 	if (!msg)
16858 		return;
16859 
16860 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16861 	if (!hdr) {
16862 		nlmsg_free(msg);
16863 		return;
16864 	}
16865 
16866 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16867 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16868 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16869 	    (info->req_ie &&
16870 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16871 		     info->req_ie)) ||
16872 	    (info->resp_ie &&
16873 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16874 		     info->resp_ie)) ||
16875 	    (info->fils.update_erp_next_seq_num &&
16876 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16877 			 info->fils.erp_next_seq_num)) ||
16878 	    (info->fils.kek &&
16879 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16880 		     info->fils.kek)) ||
16881 	    (info->fils.pmk &&
16882 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16883 	    (info->fils.pmkid &&
16884 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16885 		goto nla_put_failure;
16886 
16887 	genlmsg_end(msg, hdr);
16888 
16889 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16890 				NL80211_MCGRP_MLME, gfp);
16891 	return;
16892 
16893  nla_put_failure:
16894 	nlmsg_free(msg);
16895 }
16896 
16897 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16898 				  struct net_device *netdev, const u8 *bssid)
16899 {
16900 	struct sk_buff *msg;
16901 	void *hdr;
16902 
16903 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16904 	if (!msg)
16905 		return;
16906 
16907 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16908 	if (!hdr) {
16909 		nlmsg_free(msg);
16910 		return;
16911 	}
16912 
16913 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16914 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16915 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16916 		goto nla_put_failure;
16917 
16918 	genlmsg_end(msg, hdr);
16919 
16920 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16921 				NL80211_MCGRP_MLME, GFP_KERNEL);
16922 	return;
16923 
16924  nla_put_failure:
16925 	nlmsg_free(msg);
16926 }
16927 
16928 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16929 			       struct net_device *netdev, u16 reason,
16930 			       const u8 *ie, size_t ie_len, bool from_ap)
16931 {
16932 	struct sk_buff *msg;
16933 	void *hdr;
16934 
16935 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16936 	if (!msg)
16937 		return;
16938 
16939 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16940 	if (!hdr) {
16941 		nlmsg_free(msg);
16942 		return;
16943 	}
16944 
16945 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16946 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16947 	    (reason &&
16948 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16949 	    (from_ap &&
16950 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16951 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16952 		goto nla_put_failure;
16953 
16954 	genlmsg_end(msg, hdr);
16955 
16956 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16957 				NL80211_MCGRP_MLME, GFP_KERNEL);
16958 	return;
16959 
16960  nla_put_failure:
16961 	nlmsg_free(msg);
16962 }
16963 
16964 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16965 			     struct net_device *netdev, const u8 *bssid,
16966 			     gfp_t gfp)
16967 {
16968 	struct sk_buff *msg;
16969 	void *hdr;
16970 
16971 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16972 	if (!msg)
16973 		return;
16974 
16975 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16976 	if (!hdr) {
16977 		nlmsg_free(msg);
16978 		return;
16979 	}
16980 
16981 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16982 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16983 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16984 		goto nla_put_failure;
16985 
16986 	genlmsg_end(msg, hdr);
16987 
16988 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16989 				NL80211_MCGRP_MLME, gfp);
16990 	return;
16991 
16992  nla_put_failure:
16993 	nlmsg_free(msg);
16994 }
16995 
16996 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16997 					const u8 *ie, u8 ie_len,
16998 					int sig_dbm, gfp_t gfp)
16999 {
17000 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17001 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17002 	struct sk_buff *msg;
17003 	void *hdr;
17004 
17005 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17006 		return;
17007 
17008 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17009 
17010 	msg = nlmsg_new(100 + ie_len, gfp);
17011 	if (!msg)
17012 		return;
17013 
17014 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17015 	if (!hdr) {
17016 		nlmsg_free(msg);
17017 		return;
17018 	}
17019 
17020 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17021 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17022 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17023 	    (ie_len && ie &&
17024 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17025 	    (sig_dbm &&
17026 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17027 		goto nla_put_failure;
17028 
17029 	genlmsg_end(msg, hdr);
17030 
17031 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17032 				NL80211_MCGRP_MLME, gfp);
17033 	return;
17034 
17035  nla_put_failure:
17036 	nlmsg_free(msg);
17037 }
17038 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17039 
17040 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17041 				 struct net_device *netdev, const u8 *addr,
17042 				 enum nl80211_key_type key_type, int key_id,
17043 				 const u8 *tsc, gfp_t gfp)
17044 {
17045 	struct sk_buff *msg;
17046 	void *hdr;
17047 
17048 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17049 	if (!msg)
17050 		return;
17051 
17052 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17053 	if (!hdr) {
17054 		nlmsg_free(msg);
17055 		return;
17056 	}
17057 
17058 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17059 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17060 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
17061 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
17062 	    (key_id != -1 &&
17063 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
17064 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
17065 		goto nla_put_failure;
17066 
17067 	genlmsg_end(msg, hdr);
17068 
17069 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17070 				NL80211_MCGRP_MLME, gfp);
17071 	return;
17072 
17073  nla_put_failure:
17074 	nlmsg_free(msg);
17075 }
17076 
17077 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
17078 				    struct ieee80211_channel *channel_before,
17079 				    struct ieee80211_channel *channel_after)
17080 {
17081 	struct sk_buff *msg;
17082 	void *hdr;
17083 	struct nlattr *nl_freq;
17084 
17085 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
17086 	if (!msg)
17087 		return;
17088 
17089 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
17090 	if (!hdr) {
17091 		nlmsg_free(msg);
17092 		return;
17093 	}
17094 
17095 	/*
17096 	 * Since we are applying the beacon hint to a wiphy we know its
17097 	 * wiphy_idx is valid
17098 	 */
17099 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17100 		goto nla_put_failure;
17101 
17102 	/* Before */
17103 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17104 	if (!nl_freq)
17105 		goto nla_put_failure;
17106 
17107 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17108 		goto nla_put_failure;
17109 	nla_nest_end(msg, nl_freq);
17110 
17111 	/* After */
17112 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17113 	if (!nl_freq)
17114 		goto nla_put_failure;
17115 
17116 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17117 		goto nla_put_failure;
17118 	nla_nest_end(msg, nl_freq);
17119 
17120 	genlmsg_end(msg, hdr);
17121 
17122 	rcu_read_lock();
17123 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17124 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17125 	rcu_read_unlock();
17126 
17127 	return;
17128 
17129 nla_put_failure:
17130 	nlmsg_free(msg);
17131 }
17132 
17133 static void nl80211_send_remain_on_chan_event(
17134 	int cmd, struct cfg80211_registered_device *rdev,
17135 	struct wireless_dev *wdev, u64 cookie,
17136 	struct ieee80211_channel *chan,
17137 	unsigned int duration, gfp_t gfp)
17138 {
17139 	struct sk_buff *msg;
17140 	void *hdr;
17141 
17142 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17143 	if (!msg)
17144 		return;
17145 
17146 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17147 	if (!hdr) {
17148 		nlmsg_free(msg);
17149 		return;
17150 	}
17151 
17152 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17153 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17154 					 wdev->netdev->ifindex)) ||
17155 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17156 			      NL80211_ATTR_PAD) ||
17157 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17158 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17159 			NL80211_CHAN_NO_HT) ||
17160 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17161 			      NL80211_ATTR_PAD))
17162 		goto nla_put_failure;
17163 
17164 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17165 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17166 		goto nla_put_failure;
17167 
17168 	genlmsg_end(msg, hdr);
17169 
17170 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17171 				NL80211_MCGRP_MLME, gfp);
17172 	return;
17173 
17174  nla_put_failure:
17175 	nlmsg_free(msg);
17176 }
17177 
17178 void cfg80211_assoc_comeback(struct net_device *netdev,
17179 			     struct cfg80211_bss *bss, u32 timeout)
17180 {
17181 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17182 	struct wiphy *wiphy = wdev->wiphy;
17183 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17184 	struct sk_buff *msg;
17185 	void *hdr;
17186 
17187 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17188 
17189 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17190 	if (!msg)
17191 		return;
17192 
17193 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17194 	if (!hdr) {
17195 		nlmsg_free(msg);
17196 		return;
17197 	}
17198 
17199 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17200 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17201 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17202 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17203 		goto nla_put_failure;
17204 
17205 	genlmsg_end(msg, hdr);
17206 
17207 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17208 				NL80211_MCGRP_MLME, GFP_KERNEL);
17209 	return;
17210 
17211  nla_put_failure:
17212 	nlmsg_free(msg);
17213 }
17214 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17215 
17216 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17217 			       struct ieee80211_channel *chan,
17218 			       unsigned int duration, gfp_t gfp)
17219 {
17220 	struct wiphy *wiphy = wdev->wiphy;
17221 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17222 
17223 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17224 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17225 					  rdev, wdev, cookie, chan,
17226 					  duration, gfp);
17227 }
17228 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17229 
17230 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17231 					struct ieee80211_channel *chan,
17232 					gfp_t gfp)
17233 {
17234 	struct wiphy *wiphy = wdev->wiphy;
17235 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17236 
17237 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17238 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17239 					  rdev, wdev, cookie, chan, 0, gfp);
17240 }
17241 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17242 
17243 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17244 					struct ieee80211_channel *chan,
17245 					gfp_t gfp)
17246 {
17247 	struct wiphy *wiphy = wdev->wiphy;
17248 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17249 
17250 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17251 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17252 					  rdev, wdev, cookie, chan, 0, gfp);
17253 }
17254 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17255 
17256 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17257 		      struct station_info *sinfo, gfp_t gfp)
17258 {
17259 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17260 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17261 	struct sk_buff *msg;
17262 
17263 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17264 
17265 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17266 	if (!msg)
17267 		return;
17268 
17269 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17270 				 rdev, dev, mac_addr, sinfo) < 0) {
17271 		nlmsg_free(msg);
17272 		return;
17273 	}
17274 
17275 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17276 				NL80211_MCGRP_MLME, gfp);
17277 }
17278 EXPORT_SYMBOL(cfg80211_new_sta);
17279 
17280 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17281 			    struct station_info *sinfo, gfp_t gfp)
17282 {
17283 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17284 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17285 	struct sk_buff *msg;
17286 	struct station_info empty_sinfo = {};
17287 
17288 	if (!sinfo)
17289 		sinfo = &empty_sinfo;
17290 
17291 	trace_cfg80211_del_sta(dev, mac_addr);
17292 
17293 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17294 	if (!msg) {
17295 		cfg80211_sinfo_release_content(sinfo);
17296 		return;
17297 	}
17298 
17299 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17300 				 rdev, dev, mac_addr, sinfo) < 0) {
17301 		nlmsg_free(msg);
17302 		return;
17303 	}
17304 
17305 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17306 				NL80211_MCGRP_MLME, gfp);
17307 }
17308 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17309 
17310 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17311 			  enum nl80211_connect_failed_reason reason,
17312 			  gfp_t gfp)
17313 {
17314 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17315 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17316 	struct sk_buff *msg;
17317 	void *hdr;
17318 
17319 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17320 	if (!msg)
17321 		return;
17322 
17323 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17324 	if (!hdr) {
17325 		nlmsg_free(msg);
17326 		return;
17327 	}
17328 
17329 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17330 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17331 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17332 		goto nla_put_failure;
17333 
17334 	genlmsg_end(msg, hdr);
17335 
17336 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17337 				NL80211_MCGRP_MLME, gfp);
17338 	return;
17339 
17340  nla_put_failure:
17341 	nlmsg_free(msg);
17342 }
17343 EXPORT_SYMBOL(cfg80211_conn_failed);
17344 
17345 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17346 				       const u8 *addr, gfp_t gfp)
17347 {
17348 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17349 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17350 	struct sk_buff *msg;
17351 	void *hdr;
17352 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17353 
17354 	if (!nlportid)
17355 		return false;
17356 
17357 	msg = nlmsg_new(100, gfp);
17358 	if (!msg)
17359 		return true;
17360 
17361 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17362 	if (!hdr) {
17363 		nlmsg_free(msg);
17364 		return true;
17365 	}
17366 
17367 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17368 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17369 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17370 		goto nla_put_failure;
17371 
17372 	genlmsg_end(msg, hdr);
17373 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17374 	return true;
17375 
17376  nla_put_failure:
17377 	nlmsg_free(msg);
17378 	return true;
17379 }
17380 
17381 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17382 				const u8 *addr, gfp_t gfp)
17383 {
17384 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17385 	bool ret;
17386 
17387 	trace_cfg80211_rx_spurious_frame(dev, addr);
17388 
17389 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17390 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17391 		trace_cfg80211_return_bool(false);
17392 		return false;
17393 	}
17394 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17395 					 addr, gfp);
17396 	trace_cfg80211_return_bool(ret);
17397 	return ret;
17398 }
17399 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17400 
17401 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17402 					const u8 *addr, gfp_t gfp)
17403 {
17404 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17405 	bool ret;
17406 
17407 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17408 
17409 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17410 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17411 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17412 		trace_cfg80211_return_bool(false);
17413 		return false;
17414 	}
17415 	ret = __nl80211_unexpected_frame(dev,
17416 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17417 					 addr, gfp);
17418 	trace_cfg80211_return_bool(ret);
17419 	return ret;
17420 }
17421 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17422 
17423 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17424 		      struct wireless_dev *wdev, u32 nlportid,
17425 		      int freq, int sig_dbm,
17426 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17427 {
17428 	struct net_device *netdev = wdev->netdev;
17429 	struct sk_buff *msg;
17430 	void *hdr;
17431 
17432 	msg = nlmsg_new(100 + len, gfp);
17433 	if (!msg)
17434 		return -ENOMEM;
17435 
17436 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17437 	if (!hdr) {
17438 		nlmsg_free(msg);
17439 		return -ENOMEM;
17440 	}
17441 
17442 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17443 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17444 					netdev->ifindex)) ||
17445 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17446 			      NL80211_ATTR_PAD) ||
17447 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17448 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17449 	    (sig_dbm &&
17450 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17451 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17452 	    (flags &&
17453 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17454 		goto nla_put_failure;
17455 
17456 	genlmsg_end(msg, hdr);
17457 
17458 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17459 
17460  nla_put_failure:
17461 	nlmsg_free(msg);
17462 	return -ENOBUFS;
17463 }
17464 
17465 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17466 				    const u8 *buf, size_t len, bool ack,
17467 				    gfp_t gfp, enum nl80211_commands command)
17468 {
17469 	struct wiphy *wiphy = wdev->wiphy;
17470 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17471 	struct net_device *netdev = wdev->netdev;
17472 	struct sk_buff *msg;
17473 	void *hdr;
17474 
17475 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17476 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17477 	else
17478 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17479 
17480 	msg = nlmsg_new(100 + len, gfp);
17481 	if (!msg)
17482 		return;
17483 
17484 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17485 	if (!hdr) {
17486 		nlmsg_free(msg);
17487 		return;
17488 	}
17489 
17490 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17491 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17492 				   netdev->ifindex)) ||
17493 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17494 			      NL80211_ATTR_PAD) ||
17495 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17496 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17497 			      NL80211_ATTR_PAD) ||
17498 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17499 		goto nla_put_failure;
17500 
17501 	genlmsg_end(msg, hdr);
17502 
17503 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17504 				NL80211_MCGRP_MLME, gfp);
17505 	return;
17506 
17507 nla_put_failure:
17508 	nlmsg_free(msg);
17509 }
17510 
17511 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17512 				     const u8 *buf, size_t len, bool ack,
17513 				     gfp_t gfp)
17514 {
17515 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17516 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17517 }
17518 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17519 
17520 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17521 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17522 {
17523 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17524 				NL80211_CMD_FRAME_TX_STATUS);
17525 }
17526 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17527 
17528 static int __nl80211_rx_control_port(struct net_device *dev,
17529 				     struct sk_buff *skb,
17530 				     bool unencrypted, gfp_t gfp)
17531 {
17532 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17533 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17534 	struct ethhdr *ehdr = eth_hdr(skb);
17535 	const u8 *addr = ehdr->h_source;
17536 	u16 proto = be16_to_cpu(skb->protocol);
17537 	struct sk_buff *msg;
17538 	void *hdr;
17539 	struct nlattr *frame;
17540 
17541 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17542 
17543 	if (!nlportid)
17544 		return -ENOENT;
17545 
17546 	msg = nlmsg_new(100 + skb->len, gfp);
17547 	if (!msg)
17548 		return -ENOMEM;
17549 
17550 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17551 	if (!hdr) {
17552 		nlmsg_free(msg);
17553 		return -ENOBUFS;
17554 	}
17555 
17556 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17557 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17558 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17559 			      NL80211_ATTR_PAD) ||
17560 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17561 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17562 	    (unencrypted && nla_put_flag(msg,
17563 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17564 		goto nla_put_failure;
17565 
17566 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17567 	if (!frame)
17568 		goto nla_put_failure;
17569 
17570 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17571 	genlmsg_end(msg, hdr);
17572 
17573 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17574 
17575  nla_put_failure:
17576 	nlmsg_free(msg);
17577 	return -ENOBUFS;
17578 }
17579 
17580 bool cfg80211_rx_control_port(struct net_device *dev,
17581 			      struct sk_buff *skb, bool unencrypted)
17582 {
17583 	int ret;
17584 
17585 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17586 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17587 	trace_cfg80211_return_bool(ret == 0);
17588 	return ret == 0;
17589 }
17590 EXPORT_SYMBOL(cfg80211_rx_control_port);
17591 
17592 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17593 					    const char *mac, gfp_t gfp)
17594 {
17595 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17596 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17597 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17598 	void **cb;
17599 
17600 	if (!msg)
17601 		return NULL;
17602 
17603 	cb = (void **)msg->cb;
17604 
17605 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17606 	if (!cb[0]) {
17607 		nlmsg_free(msg);
17608 		return NULL;
17609 	}
17610 
17611 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17612 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17613 		goto nla_put_failure;
17614 
17615 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17616 		goto nla_put_failure;
17617 
17618 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17619 	if (!cb[1])
17620 		goto nla_put_failure;
17621 
17622 	cb[2] = rdev;
17623 
17624 	return msg;
17625  nla_put_failure:
17626 	nlmsg_free(msg);
17627 	return NULL;
17628 }
17629 
17630 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17631 {
17632 	void **cb = (void **)msg->cb;
17633 	struct cfg80211_registered_device *rdev = cb[2];
17634 
17635 	nla_nest_end(msg, cb[1]);
17636 	genlmsg_end(msg, cb[0]);
17637 
17638 	memset(msg->cb, 0, sizeof(msg->cb));
17639 
17640 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17641 				NL80211_MCGRP_MLME, gfp);
17642 }
17643 
17644 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17645 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17646 			      s32 rssi_level, gfp_t gfp)
17647 {
17648 	struct sk_buff *msg;
17649 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17650 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17651 
17652 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17653 
17654 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17655 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17656 		return;
17657 
17658 	if (wdev->cqm_config) {
17659 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17660 
17661 		cfg80211_cqm_rssi_update(rdev, dev);
17662 
17663 		if (rssi_level == 0)
17664 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17665 	}
17666 
17667 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17668 	if (!msg)
17669 		return;
17670 
17671 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17672 			rssi_event))
17673 		goto nla_put_failure;
17674 
17675 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17676 				      rssi_level))
17677 		goto nla_put_failure;
17678 
17679 	cfg80211_send_cqm(msg, gfp);
17680 
17681 	return;
17682 
17683  nla_put_failure:
17684 	nlmsg_free(msg);
17685 }
17686 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17687 
17688 void cfg80211_cqm_txe_notify(struct net_device *dev,
17689 			     const u8 *peer, u32 num_packets,
17690 			     u32 rate, u32 intvl, gfp_t gfp)
17691 {
17692 	struct sk_buff *msg;
17693 
17694 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17695 	if (!msg)
17696 		return;
17697 
17698 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17699 		goto nla_put_failure;
17700 
17701 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17702 		goto nla_put_failure;
17703 
17704 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17705 		goto nla_put_failure;
17706 
17707 	cfg80211_send_cqm(msg, gfp);
17708 	return;
17709 
17710  nla_put_failure:
17711 	nlmsg_free(msg);
17712 }
17713 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17714 
17715 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17716 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17717 {
17718 	struct sk_buff *msg;
17719 
17720 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17721 
17722 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17723 	if (!msg)
17724 		return;
17725 
17726 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17727 		goto nla_put_failure;
17728 
17729 	cfg80211_send_cqm(msg, gfp);
17730 	return;
17731 
17732  nla_put_failure:
17733 	nlmsg_free(msg);
17734 }
17735 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17736 
17737 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17738 {
17739 	struct sk_buff *msg;
17740 
17741 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17742 	if (!msg)
17743 		return;
17744 
17745 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17746 		goto nla_put_failure;
17747 
17748 	cfg80211_send_cqm(msg, gfp);
17749 	return;
17750 
17751  nla_put_failure:
17752 	nlmsg_free(msg);
17753 }
17754 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17755 
17756 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17757 				     struct net_device *netdev, const u8 *bssid,
17758 				     const u8 *replay_ctr, gfp_t gfp)
17759 {
17760 	struct sk_buff *msg;
17761 	struct nlattr *rekey_attr;
17762 	void *hdr;
17763 
17764 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17765 	if (!msg)
17766 		return;
17767 
17768 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17769 	if (!hdr) {
17770 		nlmsg_free(msg);
17771 		return;
17772 	}
17773 
17774 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17775 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17776 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17777 		goto nla_put_failure;
17778 
17779 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17780 	if (!rekey_attr)
17781 		goto nla_put_failure;
17782 
17783 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17784 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17785 		goto nla_put_failure;
17786 
17787 	nla_nest_end(msg, rekey_attr);
17788 
17789 	genlmsg_end(msg, hdr);
17790 
17791 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17792 				NL80211_MCGRP_MLME, gfp);
17793 	return;
17794 
17795  nla_put_failure:
17796 	nlmsg_free(msg);
17797 }
17798 
17799 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17800 			       const u8 *replay_ctr, gfp_t gfp)
17801 {
17802 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17803 	struct wiphy *wiphy = wdev->wiphy;
17804 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17805 
17806 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17807 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17808 }
17809 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17810 
17811 static void
17812 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17813 			       struct net_device *netdev, int index,
17814 			       const u8 *bssid, bool preauth, gfp_t gfp)
17815 {
17816 	struct sk_buff *msg;
17817 	struct nlattr *attr;
17818 	void *hdr;
17819 
17820 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17821 	if (!msg)
17822 		return;
17823 
17824 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17825 	if (!hdr) {
17826 		nlmsg_free(msg);
17827 		return;
17828 	}
17829 
17830 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17831 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17832 		goto nla_put_failure;
17833 
17834 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17835 	if (!attr)
17836 		goto nla_put_failure;
17837 
17838 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17839 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17840 	    (preauth &&
17841 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17842 		goto nla_put_failure;
17843 
17844 	nla_nest_end(msg, attr);
17845 
17846 	genlmsg_end(msg, hdr);
17847 
17848 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17849 				NL80211_MCGRP_MLME, gfp);
17850 	return;
17851 
17852  nla_put_failure:
17853 	nlmsg_free(msg);
17854 }
17855 
17856 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17857 				     const u8 *bssid, bool preauth, gfp_t gfp)
17858 {
17859 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17860 	struct wiphy *wiphy = wdev->wiphy;
17861 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17862 
17863 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17864 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17865 }
17866 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17867 
17868 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17869 				     struct net_device *netdev,
17870 				     struct cfg80211_chan_def *chandef,
17871 				     gfp_t gfp,
17872 				     enum nl80211_commands notif,
17873 				     u8 count, bool quiet)
17874 {
17875 	struct sk_buff *msg;
17876 	void *hdr;
17877 
17878 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17879 	if (!msg)
17880 		return;
17881 
17882 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17883 	if (!hdr) {
17884 		nlmsg_free(msg);
17885 		return;
17886 	}
17887 
17888 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17889 		goto nla_put_failure;
17890 
17891 	if (nl80211_send_chandef(msg, chandef))
17892 		goto nla_put_failure;
17893 
17894 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17895 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17896 			goto nla_put_failure;
17897 		if (quiet &&
17898 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17899 			goto nla_put_failure;
17900 	}
17901 
17902 	genlmsg_end(msg, hdr);
17903 
17904 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17905 				NL80211_MCGRP_MLME, gfp);
17906 	return;
17907 
17908  nla_put_failure:
17909 	nlmsg_free(msg);
17910 }
17911 
17912 void cfg80211_ch_switch_notify(struct net_device *dev,
17913 			       struct cfg80211_chan_def *chandef)
17914 {
17915 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17916 	struct wiphy *wiphy = wdev->wiphy;
17917 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17918 
17919 	ASSERT_WDEV_LOCK(wdev);
17920 
17921 	trace_cfg80211_ch_switch_notify(dev, chandef);
17922 
17923 	wdev->chandef = *chandef;
17924 	wdev->preset_chandef = *chandef;
17925 
17926 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
17927 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
17928 	    !WARN_ON(!wdev->current_bss))
17929 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17930 
17931 	cfg80211_sched_dfs_chan_update(rdev);
17932 
17933 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17934 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17935 }
17936 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17937 
17938 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17939 				       struct cfg80211_chan_def *chandef,
17940 				       u8 count, bool quiet)
17941 {
17942 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17943 	struct wiphy *wiphy = wdev->wiphy;
17944 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17945 
17946 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17947 
17948 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17949 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17950 				 count, quiet);
17951 }
17952 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17953 
17954 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17955 			      enum nl80211_commands cmd, u8 count,
17956 			      u64 color_bitmap)
17957 {
17958 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17959 	struct wiphy *wiphy = wdev->wiphy;
17960 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17961 	struct sk_buff *msg;
17962 	void *hdr;
17963 
17964 	ASSERT_WDEV_LOCK(wdev);
17965 
17966 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17967 
17968 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17969 	if (!msg)
17970 		return -ENOMEM;
17971 
17972 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17973 	if (!hdr)
17974 		goto nla_put_failure;
17975 
17976 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17977 		goto nla_put_failure;
17978 
17979 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17980 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17981 		goto nla_put_failure;
17982 
17983 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17984 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17985 			      color_bitmap, NL80211_ATTR_PAD))
17986 		goto nla_put_failure;
17987 
17988 	genlmsg_end(msg, hdr);
17989 
17990 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17991 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17992 
17993 nla_put_failure:
17994 	nlmsg_free(msg);
17995 	return -EINVAL;
17996 }
17997 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17998 
17999 void
18000 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
18001 		     const struct cfg80211_chan_def *chandef,
18002 		     enum nl80211_radar_event event,
18003 		     struct net_device *netdev, gfp_t gfp)
18004 {
18005 	struct sk_buff *msg;
18006 	void *hdr;
18007 
18008 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18009 	if (!msg)
18010 		return;
18011 
18012 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18013 	if (!hdr) {
18014 		nlmsg_free(msg);
18015 		return;
18016 	}
18017 
18018 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18019 		goto nla_put_failure;
18020 
18021 	/* NOP and radar events don't need a netdev parameter */
18022 	if (netdev) {
18023 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
18024 
18025 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18026 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18027 				      NL80211_ATTR_PAD))
18028 			goto nla_put_failure;
18029 	}
18030 
18031 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
18032 		goto nla_put_failure;
18033 
18034 	if (nl80211_send_chandef(msg, chandef))
18035 		goto nla_put_failure;
18036 
18037 	genlmsg_end(msg, hdr);
18038 
18039 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18040 				NL80211_MCGRP_MLME, gfp);
18041 	return;
18042 
18043  nla_put_failure:
18044 	nlmsg_free(msg);
18045 }
18046 
18047 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
18048 				       struct sta_opmode_info *sta_opmode,
18049 				       gfp_t gfp)
18050 {
18051 	struct sk_buff *msg;
18052 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18053 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18054 	void *hdr;
18055 
18056 	if (WARN_ON(!mac))
18057 		return;
18058 
18059 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18060 	if (!msg)
18061 		return;
18062 
18063 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
18064 	if (!hdr) {
18065 		nlmsg_free(msg);
18066 		return;
18067 	}
18068 
18069 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18070 		goto nla_put_failure;
18071 
18072 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18073 		goto nla_put_failure;
18074 
18075 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18076 		goto nla_put_failure;
18077 
18078 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
18079 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
18080 		goto nla_put_failure;
18081 
18082 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
18083 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
18084 		goto nla_put_failure;
18085 
18086 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
18087 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
18088 		goto nla_put_failure;
18089 
18090 	genlmsg_end(msg, hdr);
18091 
18092 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18093 				NL80211_MCGRP_MLME, gfp);
18094 
18095 	return;
18096 
18097 nla_put_failure:
18098 	nlmsg_free(msg);
18099 }
18100 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18101 
18102 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18103 			   u64 cookie, bool acked, s32 ack_signal,
18104 			   bool is_valid_ack_signal, gfp_t gfp)
18105 {
18106 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18107 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18108 	struct sk_buff *msg;
18109 	void *hdr;
18110 
18111 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18112 
18113 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18114 
18115 	if (!msg)
18116 		return;
18117 
18118 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18119 	if (!hdr) {
18120 		nlmsg_free(msg);
18121 		return;
18122 	}
18123 
18124 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18125 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18126 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18127 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18128 			      NL80211_ATTR_PAD) ||
18129 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18130 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18131 						ack_signal)))
18132 		goto nla_put_failure;
18133 
18134 	genlmsg_end(msg, hdr);
18135 
18136 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18137 				NL80211_MCGRP_MLME, gfp);
18138 	return;
18139 
18140  nla_put_failure:
18141 	nlmsg_free(msg);
18142 }
18143 EXPORT_SYMBOL(cfg80211_probe_status);
18144 
18145 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18146 				     size_t len, int freq, int sig_dbm)
18147 {
18148 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18149 	struct sk_buff *msg;
18150 	void *hdr;
18151 	struct cfg80211_beacon_registration *reg;
18152 
18153 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18154 
18155 	spin_lock_bh(&rdev->beacon_registrations_lock);
18156 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18157 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18158 		if (!msg) {
18159 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18160 			return;
18161 		}
18162 
18163 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18164 		if (!hdr)
18165 			goto nla_put_failure;
18166 
18167 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18168 		    (freq &&
18169 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18170 				  KHZ_TO_MHZ(freq)) ||
18171 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18172 				  freq % 1000))) ||
18173 		    (sig_dbm &&
18174 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18175 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18176 			goto nla_put_failure;
18177 
18178 		genlmsg_end(msg, hdr);
18179 
18180 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18181 	}
18182 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18183 	return;
18184 
18185  nla_put_failure:
18186 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18187 	nlmsg_free(msg);
18188 }
18189 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18190 
18191 #ifdef CONFIG_PM
18192 static int cfg80211_net_detect_results(struct sk_buff *msg,
18193 				       struct cfg80211_wowlan_wakeup *wakeup)
18194 {
18195 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18196 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18197 	int i, j;
18198 
18199 	nl_results = nla_nest_start_noflag(msg,
18200 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18201 	if (!nl_results)
18202 		return -EMSGSIZE;
18203 
18204 	for (i = 0; i < nd->n_matches; i++) {
18205 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18206 
18207 		nl_match = nla_nest_start_noflag(msg, i);
18208 		if (!nl_match)
18209 			break;
18210 
18211 		/* The SSID attribute is optional in nl80211, but for
18212 		 * simplicity reasons it's always present in the
18213 		 * cfg80211 structure.  If a driver can't pass the
18214 		 * SSID, that needs to be changed.  A zero length SSID
18215 		 * is still a valid SSID (wildcard), so it cannot be
18216 		 * used for this purpose.
18217 		 */
18218 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18219 			    match->ssid.ssid)) {
18220 			nla_nest_cancel(msg, nl_match);
18221 			goto out;
18222 		}
18223 
18224 		if (match->n_channels) {
18225 			nl_freqs = nla_nest_start_noflag(msg,
18226 							 NL80211_ATTR_SCAN_FREQUENCIES);
18227 			if (!nl_freqs) {
18228 				nla_nest_cancel(msg, nl_match);
18229 				goto out;
18230 			}
18231 
18232 			for (j = 0; j < match->n_channels; j++) {
18233 				if (nla_put_u32(msg, j, match->channels[j])) {
18234 					nla_nest_cancel(msg, nl_freqs);
18235 					nla_nest_cancel(msg, nl_match);
18236 					goto out;
18237 				}
18238 			}
18239 
18240 			nla_nest_end(msg, nl_freqs);
18241 		}
18242 
18243 		nla_nest_end(msg, nl_match);
18244 	}
18245 
18246 out:
18247 	nla_nest_end(msg, nl_results);
18248 	return 0;
18249 }
18250 
18251 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18252 				   struct cfg80211_wowlan_wakeup *wakeup,
18253 				   gfp_t gfp)
18254 {
18255 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18256 	struct sk_buff *msg;
18257 	void *hdr;
18258 	int size = 200;
18259 
18260 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18261 
18262 	if (wakeup)
18263 		size += wakeup->packet_present_len;
18264 
18265 	msg = nlmsg_new(size, gfp);
18266 	if (!msg)
18267 		return;
18268 
18269 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18270 	if (!hdr)
18271 		goto free_msg;
18272 
18273 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18274 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18275 			      NL80211_ATTR_PAD))
18276 		goto free_msg;
18277 
18278 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18279 					wdev->netdev->ifindex))
18280 		goto free_msg;
18281 
18282 	if (wakeup) {
18283 		struct nlattr *reasons;
18284 
18285 		reasons = nla_nest_start_noflag(msg,
18286 						NL80211_ATTR_WOWLAN_TRIGGERS);
18287 		if (!reasons)
18288 			goto free_msg;
18289 
18290 		if (wakeup->disconnect &&
18291 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18292 			goto free_msg;
18293 		if (wakeup->magic_pkt &&
18294 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18295 			goto free_msg;
18296 		if (wakeup->gtk_rekey_failure &&
18297 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18298 			goto free_msg;
18299 		if (wakeup->eap_identity_req &&
18300 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18301 			goto free_msg;
18302 		if (wakeup->four_way_handshake &&
18303 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18304 			goto free_msg;
18305 		if (wakeup->rfkill_release &&
18306 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18307 			goto free_msg;
18308 
18309 		if (wakeup->pattern_idx >= 0 &&
18310 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18311 				wakeup->pattern_idx))
18312 			goto free_msg;
18313 
18314 		if (wakeup->tcp_match &&
18315 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18316 			goto free_msg;
18317 
18318 		if (wakeup->tcp_connlost &&
18319 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18320 			goto free_msg;
18321 
18322 		if (wakeup->tcp_nomoretokens &&
18323 		    nla_put_flag(msg,
18324 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18325 			goto free_msg;
18326 
18327 		if (wakeup->packet) {
18328 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18329 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18330 
18331 			if (!wakeup->packet_80211) {
18332 				pkt_attr =
18333 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18334 				len_attr =
18335 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18336 			}
18337 
18338 			if (wakeup->packet_len &&
18339 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18340 				goto free_msg;
18341 
18342 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18343 				    wakeup->packet))
18344 				goto free_msg;
18345 		}
18346 
18347 		if (wakeup->net_detect &&
18348 		    cfg80211_net_detect_results(msg, wakeup))
18349 				goto free_msg;
18350 
18351 		nla_nest_end(msg, reasons);
18352 	}
18353 
18354 	genlmsg_end(msg, hdr);
18355 
18356 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18357 				NL80211_MCGRP_MLME, gfp);
18358 	return;
18359 
18360  free_msg:
18361 	nlmsg_free(msg);
18362 }
18363 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18364 #endif
18365 
18366 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18367 				enum nl80211_tdls_operation oper,
18368 				u16 reason_code, gfp_t gfp)
18369 {
18370 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18371 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18372 	struct sk_buff *msg;
18373 	void *hdr;
18374 
18375 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18376 					 reason_code);
18377 
18378 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18379 	if (!msg)
18380 		return;
18381 
18382 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18383 	if (!hdr) {
18384 		nlmsg_free(msg);
18385 		return;
18386 	}
18387 
18388 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18389 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18390 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18391 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18392 	    (reason_code > 0 &&
18393 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18394 		goto nla_put_failure;
18395 
18396 	genlmsg_end(msg, hdr);
18397 
18398 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18399 				NL80211_MCGRP_MLME, gfp);
18400 	return;
18401 
18402  nla_put_failure:
18403 	nlmsg_free(msg);
18404 }
18405 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18406 
18407 static int nl80211_netlink_notify(struct notifier_block * nb,
18408 				  unsigned long state,
18409 				  void *_notify)
18410 {
18411 	struct netlink_notify *notify = _notify;
18412 	struct cfg80211_registered_device *rdev;
18413 	struct wireless_dev *wdev;
18414 	struct cfg80211_beacon_registration *reg, *tmp;
18415 
18416 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18417 		return NOTIFY_DONE;
18418 
18419 	rcu_read_lock();
18420 
18421 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18422 		struct cfg80211_sched_scan_request *sched_scan_req;
18423 
18424 		list_for_each_entry_rcu(sched_scan_req,
18425 					&rdev->sched_scan_req_list,
18426 					list) {
18427 			if (sched_scan_req->owner_nlportid == notify->portid) {
18428 				sched_scan_req->nl_owner_dead = true;
18429 				schedule_work(&rdev->sched_scan_stop_wk);
18430 			}
18431 		}
18432 
18433 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18434 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18435 
18436 			if (wdev->owner_nlportid == notify->portid) {
18437 				wdev->nl_owner_dead = true;
18438 				schedule_work(&rdev->destroy_work);
18439 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18440 				schedule_work(&wdev->disconnect_wk);
18441 			}
18442 
18443 			cfg80211_release_pmsr(wdev, notify->portid);
18444 		}
18445 
18446 		spin_lock_bh(&rdev->beacon_registrations_lock);
18447 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18448 					 list) {
18449 			if (reg->nlportid == notify->portid) {
18450 				list_del(&reg->list);
18451 				kfree(reg);
18452 				break;
18453 			}
18454 		}
18455 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18456 	}
18457 
18458 	rcu_read_unlock();
18459 
18460 	/*
18461 	 * It is possible that the user space process that is controlling the
18462 	 * indoor setting disappeared, so notify the regulatory core.
18463 	 */
18464 	regulatory_netlink_notify(notify->portid);
18465 	return NOTIFY_OK;
18466 }
18467 
18468 static struct notifier_block nl80211_netlink_notifier = {
18469 	.notifier_call = nl80211_netlink_notify,
18470 };
18471 
18472 void cfg80211_ft_event(struct net_device *netdev,
18473 		       struct cfg80211_ft_event_params *ft_event)
18474 {
18475 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18476 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18477 	struct sk_buff *msg;
18478 	void *hdr;
18479 
18480 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18481 
18482 	if (!ft_event->target_ap)
18483 		return;
18484 
18485 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18486 			GFP_KERNEL);
18487 	if (!msg)
18488 		return;
18489 
18490 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18491 	if (!hdr)
18492 		goto out;
18493 
18494 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18495 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18496 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18497 		goto out;
18498 
18499 	if (ft_event->ies &&
18500 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18501 		goto out;
18502 	if (ft_event->ric_ies &&
18503 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18504 		    ft_event->ric_ies))
18505 		goto out;
18506 
18507 	genlmsg_end(msg, hdr);
18508 
18509 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18510 				NL80211_MCGRP_MLME, GFP_KERNEL);
18511 	return;
18512  out:
18513 	nlmsg_free(msg);
18514 }
18515 EXPORT_SYMBOL(cfg80211_ft_event);
18516 
18517 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18518 {
18519 	struct cfg80211_registered_device *rdev;
18520 	struct sk_buff *msg;
18521 	void *hdr;
18522 	u32 nlportid;
18523 
18524 	rdev = wiphy_to_rdev(wdev->wiphy);
18525 	if (!rdev->crit_proto_nlportid)
18526 		return;
18527 
18528 	nlportid = rdev->crit_proto_nlportid;
18529 	rdev->crit_proto_nlportid = 0;
18530 
18531 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18532 	if (!msg)
18533 		return;
18534 
18535 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18536 	if (!hdr)
18537 		goto nla_put_failure;
18538 
18539 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18540 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18541 			      NL80211_ATTR_PAD))
18542 		goto nla_put_failure;
18543 
18544 	genlmsg_end(msg, hdr);
18545 
18546 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18547 	return;
18548 
18549  nla_put_failure:
18550 	nlmsg_free(msg);
18551 }
18552 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18553 
18554 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18555 {
18556 	struct wiphy *wiphy = wdev->wiphy;
18557 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18558 	struct sk_buff *msg;
18559 	void *hdr;
18560 
18561 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18562 	if (!msg)
18563 		return;
18564 
18565 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18566 	if (!hdr)
18567 		goto out;
18568 
18569 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18570 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18571 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18572 			      NL80211_ATTR_PAD))
18573 		goto out;
18574 
18575 	genlmsg_end(msg, hdr);
18576 
18577 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18578 				NL80211_MCGRP_MLME, GFP_KERNEL);
18579 	return;
18580  out:
18581 	nlmsg_free(msg);
18582 }
18583 
18584 int cfg80211_external_auth_request(struct net_device *dev,
18585 				   struct cfg80211_external_auth_params *params,
18586 				   gfp_t gfp)
18587 {
18588 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18589 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18590 	struct sk_buff *msg;
18591 	void *hdr;
18592 
18593 	if (!wdev->conn_owner_nlportid)
18594 		return -EINVAL;
18595 
18596 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18597 	if (!msg)
18598 		return -ENOMEM;
18599 
18600 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18601 	if (!hdr)
18602 		goto nla_put_failure;
18603 
18604 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18605 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18606 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18607 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18608 			params->action) ||
18609 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18610 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18611 		    params->ssid.ssid))
18612 		goto nla_put_failure;
18613 
18614 	genlmsg_end(msg, hdr);
18615 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18616 			wdev->conn_owner_nlportid);
18617 	return 0;
18618 
18619  nla_put_failure:
18620 	nlmsg_free(msg);
18621 	return -ENOBUFS;
18622 }
18623 EXPORT_SYMBOL(cfg80211_external_auth_request);
18624 
18625 void cfg80211_update_owe_info_event(struct net_device *netdev,
18626 				    struct cfg80211_update_owe_info *owe_info,
18627 				    gfp_t gfp)
18628 {
18629 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18630 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18631 	struct sk_buff *msg;
18632 	void *hdr;
18633 
18634 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18635 
18636 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18637 	if (!msg)
18638 		return;
18639 
18640 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18641 	if (!hdr)
18642 		goto nla_put_failure;
18643 
18644 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18645 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18646 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18647 		goto nla_put_failure;
18648 
18649 	if (!owe_info->ie_len ||
18650 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18651 		goto nla_put_failure;
18652 
18653 	genlmsg_end(msg, hdr);
18654 
18655 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18656 				NL80211_MCGRP_MLME, gfp);
18657 	return;
18658 
18659 nla_put_failure:
18660 	genlmsg_cancel(msg, hdr);
18661 	nlmsg_free(msg);
18662 }
18663 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18664 
18665 /* initialisation/exit functions */
18666 
18667 int __init nl80211_init(void)
18668 {
18669 	int err;
18670 
18671 	err = genl_register_family(&nl80211_fam);
18672 	if (err)
18673 		return err;
18674 
18675 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18676 	if (err)
18677 		goto err_out;
18678 
18679 	return 0;
18680  err_out:
18681 	genl_unregister_family(&nl80211_fam);
18682 	return err;
18683 }
18684 
18685 void nl80211_exit(void)
18686 {
18687 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18688 	genl_unregister_family(&nl80211_fam);
18689 }
18690