xref: /openbmc/linux/net/wireless/nl80211.c (revision d9679d00) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2021 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 /* policy for the attributes */
289 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
290 
291 static const struct nla_policy
292 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
293 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
294 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
295 					.len = U8_MAX },
296 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
297 					     .len = U8_MAX },
298 };
299 
300 static const struct nla_policy
301 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
302 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
303 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
304 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
305 		NLA_POLICY_MAX(NLA_U8, 15),
306 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
307 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
308 		NLA_POLICY_MAX(NLA_U8, 15),
309 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
310 		NLA_POLICY_MAX(NLA_U8, 31),
311 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
312 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
313 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
314 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
315 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
316 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
317 };
318 
319 static const struct nla_policy
320 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
321 	[NL80211_PMSR_TYPE_FTM] =
322 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
323 };
324 
325 static const struct nla_policy
326 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
327 	[NL80211_PMSR_REQ_ATTR_DATA] =
328 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
329 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
330 };
331 
332 static const struct nla_policy
333 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
334 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
335 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
336 	[NL80211_PMSR_PEER_ATTR_REQ] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
338 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
344 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
345 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
346 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
347 	[NL80211_PMSR_ATTR_PEERS] =
348 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
349 };
350 
351 static const struct nla_policy
352 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
353 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
354 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
355 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
356 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
357 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
358 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
359 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
360 		NLA_POLICY_EXACT_LEN(8),
361 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
362 		NLA_POLICY_EXACT_LEN(8),
363 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
364 };
365 
366 static const struct nla_policy
367 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
368 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
369 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
370 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
371 };
372 
373 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
374 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
375 				    .len = NL80211_MAX_SUPP_RATES },
376 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
377 				.len = NL80211_MAX_SUPP_HT_RATES },
378 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
379 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
380 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
381 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
382 						   NL80211_RATE_INFO_HE_GI_0_8,
383 						   NL80211_RATE_INFO_HE_GI_3_2),
384 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
385 						   NL80211_RATE_INFO_HE_1XLTF,
386 						   NL80211_RATE_INFO_HE_4XLTF),
387 };
388 
389 static const struct nla_policy
390 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
391 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
392 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
393 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
394 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
395 	[NL80211_TID_CONFIG_ATTR_NOACK] =
396 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
397 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
398 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
399 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
400 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
401 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
402 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
403 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
404 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
405 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
406 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
407 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
408 			NLA_POLICY_NESTED(nl80211_txattr_policy),
409 };
410 
411 static const struct nla_policy
412 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
413 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
414 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
415 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
416 			NLA_POLICY_RANGE(NLA_BINARY,
417 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
418 					 IEEE80211_MAX_DATA_LEN),
419 };
420 
421 static const struct nla_policy
422 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
423 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
424 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
425 						       .len = IEEE80211_MAX_DATA_LEN }
426 };
427 
428 static const struct nla_policy
429 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
430 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
431 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
432 };
433 
434 static const struct nla_policy
435 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
436 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
437 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
438 };
439 
440 static const struct nla_policy
441 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
442 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
443 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
444 						NLA_POLICY_MIN(NLA_U8, 1),
445 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
446 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
447 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
448 };
449 
450 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
451 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
452 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
453 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
454 				      .len = 20-1 },
455 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
456 
457 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
458 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
459 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
460 						NL80211_EDMG_CHANNELS_MIN,
461 						NL80211_EDMG_CHANNELS_MAX),
462 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
463 						NL80211_EDMG_BW_CONFIG_MIN,
464 						NL80211_EDMG_BW_CONFIG_MAX),
465 
466 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
467 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
468 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
469 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
470 
471 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
472 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
473 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
474 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
475 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
476 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
477 
478 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
479 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
480 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
481 
482 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
483 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
484 
485 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
486 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
487 				    .len = WLAN_MAX_KEY_LEN },
488 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
489 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
490 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
491 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
492 	[NL80211_ATTR_KEY_TYPE] =
493 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
494 
495 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
496 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
497 	[NL80211_ATTR_BEACON_HEAD] =
498 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
499 				       IEEE80211_MAX_DATA_LEN),
500 	[NL80211_ATTR_BEACON_TAIL] =
501 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
502 				       IEEE80211_MAX_DATA_LEN),
503 	[NL80211_ATTR_STA_AID] =
504 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
505 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
506 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
507 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
508 					       .len = NL80211_MAX_SUPP_RATES },
509 	[NL80211_ATTR_STA_PLINK_ACTION] =
510 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
511 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
512 		NLA_POLICY_RANGE(NLA_U8,
513 				 NL80211_TX_POWER_AUTOMATIC,
514 				 NL80211_TX_POWER_FIXED),
515 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
516 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
517 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
518 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
519 				   .len = IEEE80211_MAX_MESH_ID_LEN },
520 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
521 
522 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
523 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
524 
525 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
526 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
527 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
528 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
529 					   .len = NL80211_MAX_SUPP_RATES },
530 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
531 
532 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
533 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
534 
535 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
536 
537 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
538 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
539 						   validate_ie_attr,
540 						   IEEE80211_MAX_DATA_LEN),
541 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
542 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
543 
544 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
545 				.len = IEEE80211_MAX_SSID_LEN },
546 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
547 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
548 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
549 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
550 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
551 						  NL80211_MFP_NO,
552 						  NL80211_MFP_OPTIONAL),
553 	[NL80211_ATTR_STA_FLAGS2] = {
554 		.len = sizeof(struct nl80211_sta_flag_update),
555 	},
556 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
557 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
558 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
560 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
561 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
562 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
563 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
564 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
565 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
566 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
567 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
568 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
569 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
570 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
571 				 .len = IEEE80211_MAX_DATA_LEN },
572 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
573 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
574 						   NL80211_PS_DISABLED,
575 						   NL80211_PS_ENABLED),
576 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
577 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
578 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
579 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
580 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
581 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
583 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
584 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
585 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
586 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
587 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
588 	[NL80211_ATTR_STA_PLINK_STATE] =
589 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
590 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
591 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
592 	[NL80211_ATTR_MESH_PEER_AID] =
593 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
594 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
595 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
596 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_HIDDEN_SSID] =
598 		NLA_POLICY_RANGE(NLA_U32,
599 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
600 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
601 	[NL80211_ATTR_IE_PROBE_RESP] =
602 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
603 				       IEEE80211_MAX_DATA_LEN),
604 	[NL80211_ATTR_IE_ASSOC_RESP] =
605 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
606 				       IEEE80211_MAX_DATA_LEN),
607 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
608 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
609 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
610 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
611 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
612 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
613 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
615 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
616 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
617 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
618 				      .len = IEEE80211_MAX_DATA_LEN },
619 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
620 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
622 		.len = NL80211_HT_CAPABILITY_LEN
623 	},
624 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
625 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
626 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
627 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
628 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
629 
630 	/* need to include at least Auth Transaction and Status Code */
631 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
632 
633 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
634 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
635 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
636 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
637 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
638 		NLA_POLICY_RANGE(NLA_U32,
639 				 NL80211_MESH_POWER_UNKNOWN + 1,
640 				 NL80211_MESH_POWER_MAX),
641 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
642 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
643 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
644 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
645 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
646 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
647 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
648 		.len = NL80211_VHT_CAPABILITY_LEN,
649 	},
650 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
651 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
652 				  .len = IEEE80211_MAX_DATA_LEN },
653 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
654 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
655 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
656 	[NL80211_ATTR_PEER_AID] =
657 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
658 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
659 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
660 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
661 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
662 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
663 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
664 	/*
665 	 * The value of the Length field of the Supported Operating
666 	 * Classes element is between 2 and 253.
667 	 */
668 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
669 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
670 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
671 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
672 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
673 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
674 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
675 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
676 						  IEEE80211_QOS_MAP_LEN_MIN,
677 						  IEEE80211_QOS_MAP_LEN_MAX),
678 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
679 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
680 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
681 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
683 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
684 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
685 	[NL80211_ATTR_USER_PRIO] =
686 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
687 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
688 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
689 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
690 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
691 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
693 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
694 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
695 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
696 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
697 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
698 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
699 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
700 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
701 	},
702 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
703 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
704 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
705 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
706 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
707 				    .len = FILS_MAX_KEK_LEN },
708 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
709 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
710 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
711 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
712 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
713 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
714 	},
715 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
716 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
717 					     .len = FILS_ERP_MAX_USERNAME_LEN },
718 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
719 					  .len = FILS_ERP_MAX_REALM_LEN },
720 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
721 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
722 					.len = FILS_ERP_MAX_RRK_LEN },
723 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
724 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
725 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
726 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
727 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
728 
729 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
730 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
731 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
732 	[NL80211_ATTR_HE_CAPABILITY] =
733 		NLA_POLICY_RANGE(NLA_BINARY,
734 				 NL80211_HE_MIN_CAPABILITY_LEN,
735 				 NL80211_HE_MAX_CAPABILITY_LEN),
736 	[NL80211_ATTR_FTM_RESPONDER] =
737 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
738 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
739 	[NL80211_ATTR_PEER_MEASUREMENTS] =
740 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
741 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
742 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
743 					.len = SAE_PASSWORD_MAX_LEN },
744 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
745 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
746 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
747 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
748 	[NL80211_ATTR_TID_CONFIG] =
749 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
750 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
751 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
752 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
753 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
754 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
755 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
756 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
757 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
758 	[NL80211_ATTR_FILS_DISCOVERY] =
759 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
760 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
761 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
762 	[NL80211_ATTR_S1G_CAPABILITY] =
763 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
764 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
765 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
766 	[NL80211_ATTR_SAE_PWE] =
767 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
768 				 NL80211_SAE_PWE_BOTH),
769 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
770 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
771 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
772 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
773 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
774 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
775 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
776 	[NL80211_ATTR_MBSSID_CONFIG] =
777 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
778 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
779 };
780 
781 /* policy for the key attributes */
782 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
783 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
784 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
785 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
786 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
787 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
788 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
789 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
790 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
791 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
792 };
793 
794 /* policy for the key default flags */
795 static const struct nla_policy
796 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
797 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
798 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
799 };
800 
801 #ifdef CONFIG_PM
802 /* policy for WoWLAN attributes */
803 static const struct nla_policy
804 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
805 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
806 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
807 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
808 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
809 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
810 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
811 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
812 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
813 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
814 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
815 };
816 
817 static const struct nla_policy
818 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
819 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
820 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
821 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
822 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
823 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
824 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
825 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
826 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
827 	},
828 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
829 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
830 	},
831 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
832 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
833 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
834 };
835 #endif /* CONFIG_PM */
836 
837 /* policy for coalesce rule attributes */
838 static const struct nla_policy
839 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
840 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
841 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
842 		NLA_POLICY_RANGE(NLA_U32,
843 				 NL80211_COALESCE_CONDITION_MATCH,
844 				 NL80211_COALESCE_CONDITION_NO_MATCH),
845 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
846 };
847 
848 /* policy for GTK rekey offload attributes */
849 static const struct nla_policy
850 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
851 	[NL80211_REKEY_DATA_KEK] = {
852 		.type = NLA_BINARY,
853 		.len = NL80211_KEK_EXT_LEN
854 	},
855 	[NL80211_REKEY_DATA_KCK] = {
856 		.type = NLA_BINARY,
857 		.len = NL80211_KCK_EXT_LEN
858 	},
859 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
860 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
861 };
862 
863 static const struct nla_policy
864 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
865 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
866 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
867 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
868 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
869 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
870 };
871 
872 static const struct nla_policy
873 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
874 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
875 						 .len = IEEE80211_MAX_SSID_LEN },
876 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
877 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
878 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
879 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
880 };
881 
882 static const struct nla_policy
883 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
884 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
885 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
886 };
887 
888 static const struct nla_policy
889 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
890 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
891 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
892 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
893 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
894 	},
895 };
896 
897 /* policy for NAN function attributes */
898 static const struct nla_policy
899 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
900 	[NL80211_NAN_FUNC_TYPE] =
901 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
902 	[NL80211_NAN_FUNC_SERVICE_ID] = {
903 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
904 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
905 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
906 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
907 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
908 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
909 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
910 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
911 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
912 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
913 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
914 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
915 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
916 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
917 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
918 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
919 };
920 
921 /* policy for Service Response Filter attributes */
922 static const struct nla_policy
923 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
924 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
925 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
926 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
927 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
928 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
929 };
930 
931 /* policy for packet pattern attributes */
932 static const struct nla_policy
933 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
934 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
935 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
936 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
937 };
938 
939 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
940 				     struct cfg80211_registered_device **rdev,
941 				     struct wireless_dev **wdev,
942 				     struct nlattr **attrbuf)
943 {
944 	int err;
945 
946 	if (!cb->args[0]) {
947 		struct nlattr **attrbuf_free = NULL;
948 
949 		if (!attrbuf) {
950 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
951 					  GFP_KERNEL);
952 			if (!attrbuf)
953 				return -ENOMEM;
954 			attrbuf_free = attrbuf;
955 		}
956 
957 		err = nlmsg_parse_deprecated(cb->nlh,
958 					     GENL_HDRLEN + nl80211_fam.hdrsize,
959 					     attrbuf, nl80211_fam.maxattr,
960 					     nl80211_policy, NULL);
961 		if (err) {
962 			kfree(attrbuf_free);
963 			return err;
964 		}
965 
966 		rtnl_lock();
967 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
968 						   attrbuf);
969 		kfree(attrbuf_free);
970 		if (IS_ERR(*wdev)) {
971 			rtnl_unlock();
972 			return PTR_ERR(*wdev);
973 		}
974 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
975 		mutex_lock(&(*rdev)->wiphy.mtx);
976 		rtnl_unlock();
977 		/* 0 is the first index - add 1 to parse only once */
978 		cb->args[0] = (*rdev)->wiphy_idx + 1;
979 		cb->args[1] = (*wdev)->identifier;
980 	} else {
981 		/* subtract the 1 again here */
982 		struct wiphy *wiphy;
983 		struct wireless_dev *tmp;
984 
985 		rtnl_lock();
986 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
987 		if (!wiphy) {
988 			rtnl_unlock();
989 			return -ENODEV;
990 		}
991 		*rdev = wiphy_to_rdev(wiphy);
992 		*wdev = NULL;
993 
994 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
995 			if (tmp->identifier == cb->args[1]) {
996 				*wdev = tmp;
997 				break;
998 			}
999 		}
1000 
1001 		if (!*wdev) {
1002 			rtnl_unlock();
1003 			return -ENODEV;
1004 		}
1005 		mutex_lock(&(*rdev)->wiphy.mtx);
1006 		rtnl_unlock();
1007 	}
1008 
1009 	return 0;
1010 }
1011 
1012 /* message building helper */
1013 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1014 		     int flags, u8 cmd)
1015 {
1016 	/* since there is no private header just add the generic one */
1017 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1018 }
1019 
1020 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1021 				     const struct ieee80211_reg_rule *rule)
1022 {
1023 	int j;
1024 	struct nlattr *nl_wmm_rules =
1025 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1026 
1027 	if (!nl_wmm_rules)
1028 		goto nla_put_failure;
1029 
1030 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1031 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1032 
1033 		if (!nl_wmm_rule)
1034 			goto nla_put_failure;
1035 
1036 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1037 				rule->wmm_rule.client[j].cw_min) ||
1038 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1039 				rule->wmm_rule.client[j].cw_max) ||
1040 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1041 			       rule->wmm_rule.client[j].aifsn) ||
1042 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1043 			        rule->wmm_rule.client[j].cot))
1044 			goto nla_put_failure;
1045 
1046 		nla_nest_end(msg, nl_wmm_rule);
1047 	}
1048 	nla_nest_end(msg, nl_wmm_rules);
1049 
1050 	return 0;
1051 
1052 nla_put_failure:
1053 	return -ENOBUFS;
1054 }
1055 
1056 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1057 				   struct ieee80211_channel *chan,
1058 				   bool large)
1059 {
1060 	/* Some channels must be completely excluded from the
1061 	 * list to protect old user-space tools from breaking
1062 	 */
1063 	if (!large && chan->flags &
1064 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1065 		return 0;
1066 	if (!large && chan->freq_offset)
1067 		return 0;
1068 
1069 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1070 			chan->center_freq))
1071 		goto nla_put_failure;
1072 
1073 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1074 		goto nla_put_failure;
1075 
1076 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1077 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1078 		goto nla_put_failure;
1079 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1080 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1081 			goto nla_put_failure;
1082 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1083 			goto nla_put_failure;
1084 	}
1085 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1086 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1087 			goto nla_put_failure;
1088 		if (large) {
1089 			u32 time;
1090 
1091 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1092 
1093 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1094 					chan->dfs_state))
1095 				goto nla_put_failure;
1096 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1097 					time))
1098 				goto nla_put_failure;
1099 			if (nla_put_u32(msg,
1100 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1101 					chan->dfs_cac_ms))
1102 				goto nla_put_failure;
1103 		}
1104 	}
1105 
1106 	if (large) {
1107 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1108 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1109 			goto nla_put_failure;
1110 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1111 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1112 			goto nla_put_failure;
1113 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1114 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1115 			goto nla_put_failure;
1116 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1117 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1118 			goto nla_put_failure;
1119 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1120 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1121 			goto nla_put_failure;
1122 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1123 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1124 			goto nla_put_failure;
1125 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1126 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1127 			goto nla_put_failure;
1128 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1129 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1130 			goto nla_put_failure;
1131 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1132 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1133 			goto nla_put_failure;
1134 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1135 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1136 			goto nla_put_failure;
1137 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1138 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1139 			goto nla_put_failure;
1140 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1141 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1142 			goto nla_put_failure;
1143 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1144 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1145 			goto nla_put_failure;
1146 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1147 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1148 			goto nla_put_failure;
1149 	}
1150 
1151 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1152 			DBM_TO_MBM(chan->max_power)))
1153 		goto nla_put_failure;
1154 
1155 	if (large) {
1156 		const struct ieee80211_reg_rule *rule =
1157 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1158 
1159 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1160 			if (nl80211_msg_put_wmm_rules(msg, rule))
1161 				goto nla_put_failure;
1162 		}
1163 	}
1164 
1165 	return 0;
1166 
1167  nla_put_failure:
1168 	return -ENOBUFS;
1169 }
1170 
1171 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1172 				  struct cfg80211_txq_stats *txqstats,
1173 				  int attrtype)
1174 {
1175 	struct nlattr *txqattr;
1176 
1177 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1178 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1179 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1180 		return false;						  \
1181 	} while (0)
1182 
1183 	txqattr = nla_nest_start_noflag(msg, attrtype);
1184 	if (!txqattr)
1185 		return false;
1186 
1187 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1188 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1189 	PUT_TXQVAL_U32(FLOWS, flows);
1190 	PUT_TXQVAL_U32(DROPS, drops);
1191 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1192 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1193 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1194 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1195 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1196 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1197 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1198 	nla_nest_end(msg, txqattr);
1199 
1200 #undef PUT_TXQVAL_U32
1201 	return true;
1202 }
1203 
1204 /* netlink command implementations */
1205 
1206 struct key_parse {
1207 	struct key_params p;
1208 	int idx;
1209 	int type;
1210 	bool def, defmgmt, defbeacon;
1211 	bool def_uni, def_multi;
1212 };
1213 
1214 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1215 				 struct key_parse *k)
1216 {
1217 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1218 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1219 					      nl80211_key_policy,
1220 					      info->extack);
1221 	if (err)
1222 		return err;
1223 
1224 	k->def = !!tb[NL80211_KEY_DEFAULT];
1225 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1226 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1227 
1228 	if (k->def) {
1229 		k->def_uni = true;
1230 		k->def_multi = true;
1231 	}
1232 	if (k->defmgmt || k->defbeacon)
1233 		k->def_multi = true;
1234 
1235 	if (tb[NL80211_KEY_IDX])
1236 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1237 
1238 	if (tb[NL80211_KEY_DATA]) {
1239 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1240 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1241 	}
1242 
1243 	if (tb[NL80211_KEY_SEQ]) {
1244 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1245 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1246 	}
1247 
1248 	if (tb[NL80211_KEY_CIPHER])
1249 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1250 
1251 	if (tb[NL80211_KEY_TYPE])
1252 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1253 
1254 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1255 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1256 
1257 		err = nla_parse_nested_deprecated(kdt,
1258 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1259 						  tb[NL80211_KEY_DEFAULT_TYPES],
1260 						  nl80211_key_default_policy,
1261 						  info->extack);
1262 		if (err)
1263 			return err;
1264 
1265 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1266 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1267 	}
1268 
1269 	if (tb[NL80211_KEY_MODE])
1270 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1271 
1272 	return 0;
1273 }
1274 
1275 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1276 {
1277 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1278 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1279 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1280 	}
1281 
1282 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1283 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1284 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1285 	}
1286 
1287 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1288 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1289 
1290 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1291 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1292 
1293 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1294 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1295 
1296 	if (k->def) {
1297 		k->def_uni = true;
1298 		k->def_multi = true;
1299 	}
1300 	if (k->defmgmt)
1301 		k->def_multi = true;
1302 
1303 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1304 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1305 
1306 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1307 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1308 		int err = nla_parse_nested_deprecated(kdt,
1309 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1310 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1311 						      nl80211_key_default_policy,
1312 						      info->extack);
1313 		if (err)
1314 			return err;
1315 
1316 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1317 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1318 	}
1319 
1320 	return 0;
1321 }
1322 
1323 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1324 {
1325 	int err;
1326 
1327 	memset(k, 0, sizeof(*k));
1328 	k->idx = -1;
1329 	k->type = -1;
1330 
1331 	if (info->attrs[NL80211_ATTR_KEY])
1332 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1333 	else
1334 		err = nl80211_parse_key_old(info, k);
1335 
1336 	if (err)
1337 		return err;
1338 
1339 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1340 	    (k->defbeacon ? 1 : 0) > 1) {
1341 		GENL_SET_ERR_MSG(info,
1342 				 "key with multiple default flags is invalid");
1343 		return -EINVAL;
1344 	}
1345 
1346 	if (k->defmgmt || k->defbeacon) {
1347 		if (k->def_uni || !k->def_multi) {
1348 			GENL_SET_ERR_MSG(info,
1349 					 "defmgmt/defbeacon key must be mcast");
1350 			return -EINVAL;
1351 		}
1352 	}
1353 
1354 	if (k->idx != -1) {
1355 		if (k->defmgmt) {
1356 			if (k->idx < 4 || k->idx > 5) {
1357 				GENL_SET_ERR_MSG(info,
1358 						 "defmgmt key idx not 4 or 5");
1359 				return -EINVAL;
1360 			}
1361 		} else if (k->defbeacon) {
1362 			if (k->idx < 6 || k->idx > 7) {
1363 				GENL_SET_ERR_MSG(info,
1364 						 "defbeacon key idx not 6 or 7");
1365 				return -EINVAL;
1366 			}
1367 		} else if (k->def) {
1368 			if (k->idx < 0 || k->idx > 3) {
1369 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1370 				return -EINVAL;
1371 			}
1372 		} else {
1373 			if (k->idx < 0 || k->idx > 7) {
1374 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1375 				return -EINVAL;
1376 			}
1377 		}
1378 	}
1379 
1380 	return 0;
1381 }
1382 
1383 static struct cfg80211_cached_keys *
1384 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1385 		       struct genl_info *info, bool *no_ht)
1386 {
1387 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1388 	struct key_parse parse;
1389 	struct nlattr *key;
1390 	struct cfg80211_cached_keys *result;
1391 	int rem, err, def = 0;
1392 	bool have_key = false;
1393 
1394 	nla_for_each_nested(key, keys, rem) {
1395 		have_key = true;
1396 		break;
1397 	}
1398 
1399 	if (!have_key)
1400 		return NULL;
1401 
1402 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1403 	if (!result)
1404 		return ERR_PTR(-ENOMEM);
1405 
1406 	result->def = -1;
1407 
1408 	nla_for_each_nested(key, keys, rem) {
1409 		memset(&parse, 0, sizeof(parse));
1410 		parse.idx = -1;
1411 
1412 		err = nl80211_parse_key_new(info, key, &parse);
1413 		if (err)
1414 			goto error;
1415 		err = -EINVAL;
1416 		if (!parse.p.key)
1417 			goto error;
1418 		if (parse.idx < 0 || parse.idx > 3) {
1419 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1420 			goto error;
1421 		}
1422 		if (parse.def) {
1423 			if (def) {
1424 				GENL_SET_ERR_MSG(info,
1425 						 "only one key can be default");
1426 				goto error;
1427 			}
1428 			def = 1;
1429 			result->def = parse.idx;
1430 			if (!parse.def_uni || !parse.def_multi)
1431 				goto error;
1432 		} else if (parse.defmgmt)
1433 			goto error;
1434 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1435 						     parse.idx, false, NULL);
1436 		if (err)
1437 			goto error;
1438 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1439 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1440 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1441 			err = -EINVAL;
1442 			goto error;
1443 		}
1444 		result->params[parse.idx].cipher = parse.p.cipher;
1445 		result->params[parse.idx].key_len = parse.p.key_len;
1446 		result->params[parse.idx].key = result->data[parse.idx];
1447 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1448 
1449 		/* must be WEP key if we got here */
1450 		if (no_ht)
1451 			*no_ht = true;
1452 	}
1453 
1454 	if (result->def < 0) {
1455 		err = -EINVAL;
1456 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1457 		goto error;
1458 	}
1459 
1460 	return result;
1461  error:
1462 	kfree(result);
1463 	return ERR_PTR(err);
1464 }
1465 
1466 static int nl80211_key_allowed(struct wireless_dev *wdev)
1467 {
1468 	ASSERT_WDEV_LOCK(wdev);
1469 
1470 	switch (wdev->iftype) {
1471 	case NL80211_IFTYPE_AP:
1472 	case NL80211_IFTYPE_AP_VLAN:
1473 	case NL80211_IFTYPE_P2P_GO:
1474 	case NL80211_IFTYPE_MESH_POINT:
1475 		break;
1476 	case NL80211_IFTYPE_ADHOC:
1477 	case NL80211_IFTYPE_STATION:
1478 	case NL80211_IFTYPE_P2P_CLIENT:
1479 		if (!wdev->current_bss)
1480 			return -ENOLINK;
1481 		break;
1482 	case NL80211_IFTYPE_UNSPECIFIED:
1483 	case NL80211_IFTYPE_OCB:
1484 	case NL80211_IFTYPE_MONITOR:
1485 	case NL80211_IFTYPE_NAN:
1486 	case NL80211_IFTYPE_P2P_DEVICE:
1487 	case NL80211_IFTYPE_WDS:
1488 	case NUM_NL80211_IFTYPES:
1489 		return -EINVAL;
1490 	}
1491 
1492 	return 0;
1493 }
1494 
1495 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1496 							u32 freq)
1497 {
1498 	struct ieee80211_channel *chan;
1499 
1500 	chan = ieee80211_get_channel_khz(wiphy, freq);
1501 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1502 		return NULL;
1503 	return chan;
1504 }
1505 
1506 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1507 {
1508 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1509 	int i;
1510 
1511 	if (!nl_modes)
1512 		goto nla_put_failure;
1513 
1514 	i = 0;
1515 	while (ifmodes) {
1516 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1517 			goto nla_put_failure;
1518 		ifmodes >>= 1;
1519 		i++;
1520 	}
1521 
1522 	nla_nest_end(msg, nl_modes);
1523 	return 0;
1524 
1525 nla_put_failure:
1526 	return -ENOBUFS;
1527 }
1528 
1529 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1530 					  struct sk_buff *msg,
1531 					  bool large)
1532 {
1533 	struct nlattr *nl_combis;
1534 	int i, j;
1535 
1536 	nl_combis = nla_nest_start_noflag(msg,
1537 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1538 	if (!nl_combis)
1539 		goto nla_put_failure;
1540 
1541 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1542 		const struct ieee80211_iface_combination *c;
1543 		struct nlattr *nl_combi, *nl_limits;
1544 
1545 		c = &wiphy->iface_combinations[i];
1546 
1547 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1548 		if (!nl_combi)
1549 			goto nla_put_failure;
1550 
1551 		nl_limits = nla_nest_start_noflag(msg,
1552 						  NL80211_IFACE_COMB_LIMITS);
1553 		if (!nl_limits)
1554 			goto nla_put_failure;
1555 
1556 		for (j = 0; j < c->n_limits; j++) {
1557 			struct nlattr *nl_limit;
1558 
1559 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1560 			if (!nl_limit)
1561 				goto nla_put_failure;
1562 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1563 					c->limits[j].max))
1564 				goto nla_put_failure;
1565 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1566 						c->limits[j].types))
1567 				goto nla_put_failure;
1568 			nla_nest_end(msg, nl_limit);
1569 		}
1570 
1571 		nla_nest_end(msg, nl_limits);
1572 
1573 		if (c->beacon_int_infra_match &&
1574 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1575 			goto nla_put_failure;
1576 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1577 				c->num_different_channels) ||
1578 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1579 				c->max_interfaces))
1580 			goto nla_put_failure;
1581 		if (large &&
1582 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1583 				c->radar_detect_widths) ||
1584 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1585 				c->radar_detect_regions)))
1586 			goto nla_put_failure;
1587 		if (c->beacon_int_min_gcd &&
1588 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1589 				c->beacon_int_min_gcd))
1590 			goto nla_put_failure;
1591 
1592 		nla_nest_end(msg, nl_combi);
1593 	}
1594 
1595 	nla_nest_end(msg, nl_combis);
1596 
1597 	return 0;
1598 nla_put_failure:
1599 	return -ENOBUFS;
1600 }
1601 
1602 #ifdef CONFIG_PM
1603 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1604 					struct sk_buff *msg)
1605 {
1606 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1607 	struct nlattr *nl_tcp;
1608 
1609 	if (!tcp)
1610 		return 0;
1611 
1612 	nl_tcp = nla_nest_start_noflag(msg,
1613 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1614 	if (!nl_tcp)
1615 		return -ENOBUFS;
1616 
1617 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1618 			tcp->data_payload_max))
1619 		return -ENOBUFS;
1620 
1621 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1622 			tcp->data_payload_max))
1623 		return -ENOBUFS;
1624 
1625 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1626 		return -ENOBUFS;
1627 
1628 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1629 				sizeof(*tcp->tok), tcp->tok))
1630 		return -ENOBUFS;
1631 
1632 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1633 			tcp->data_interval_max))
1634 		return -ENOBUFS;
1635 
1636 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1637 			tcp->wake_payload_max))
1638 		return -ENOBUFS;
1639 
1640 	nla_nest_end(msg, nl_tcp);
1641 	return 0;
1642 }
1643 
1644 static int nl80211_send_wowlan(struct sk_buff *msg,
1645 			       struct cfg80211_registered_device *rdev,
1646 			       bool large)
1647 {
1648 	struct nlattr *nl_wowlan;
1649 
1650 	if (!rdev->wiphy.wowlan)
1651 		return 0;
1652 
1653 	nl_wowlan = nla_nest_start_noflag(msg,
1654 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1655 	if (!nl_wowlan)
1656 		return -ENOBUFS;
1657 
1658 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1659 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1660 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1661 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1662 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1663 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1664 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1665 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1666 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1667 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1668 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1669 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1670 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1671 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1672 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1673 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1674 		return -ENOBUFS;
1675 
1676 	if (rdev->wiphy.wowlan->n_patterns) {
1677 		struct nl80211_pattern_support pat = {
1678 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1679 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1680 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1681 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1682 		};
1683 
1684 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1685 			    sizeof(pat), &pat))
1686 			return -ENOBUFS;
1687 	}
1688 
1689 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1690 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1691 			rdev->wiphy.wowlan->max_nd_match_sets))
1692 		return -ENOBUFS;
1693 
1694 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1695 		return -ENOBUFS;
1696 
1697 	nla_nest_end(msg, nl_wowlan);
1698 
1699 	return 0;
1700 }
1701 #endif
1702 
1703 static int nl80211_send_coalesce(struct sk_buff *msg,
1704 				 struct cfg80211_registered_device *rdev)
1705 {
1706 	struct nl80211_coalesce_rule_support rule;
1707 
1708 	if (!rdev->wiphy.coalesce)
1709 		return 0;
1710 
1711 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1712 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1713 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1714 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1715 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1716 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1717 
1718 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1719 		return -ENOBUFS;
1720 
1721 	return 0;
1722 }
1723 
1724 static int
1725 nl80211_send_iftype_data(struct sk_buff *msg,
1726 			 const struct ieee80211_supported_band *sband,
1727 			 const struct ieee80211_sband_iftype_data *iftdata)
1728 {
1729 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1730 
1731 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1732 				iftdata->types_mask))
1733 		return -ENOBUFS;
1734 
1735 	if (he_cap->has_he) {
1736 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1737 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1738 			    he_cap->he_cap_elem.mac_cap_info) ||
1739 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1740 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1741 			    he_cap->he_cap_elem.phy_cap_info) ||
1742 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1743 			    sizeof(he_cap->he_mcs_nss_supp),
1744 			    &he_cap->he_mcs_nss_supp) ||
1745 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1746 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1747 			return -ENOBUFS;
1748 	}
1749 
1750 	if (sband->band == NL80211_BAND_6GHZ &&
1751 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1752 		    sizeof(iftdata->he_6ghz_capa),
1753 		    &iftdata->he_6ghz_capa))
1754 		return -ENOBUFS;
1755 
1756 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1757 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1758 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1759 		return -ENOBUFS;
1760 
1761 	return 0;
1762 }
1763 
1764 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1765 				      struct ieee80211_supported_band *sband,
1766 				      bool large)
1767 {
1768 	struct nlattr *nl_rates, *nl_rate;
1769 	struct ieee80211_rate *rate;
1770 	int i;
1771 
1772 	/* add HT info */
1773 	if (sband->ht_cap.ht_supported &&
1774 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1775 		     sizeof(sband->ht_cap.mcs),
1776 		     &sband->ht_cap.mcs) ||
1777 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1778 			 sband->ht_cap.cap) ||
1779 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1780 			sband->ht_cap.ampdu_factor) ||
1781 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1782 			sband->ht_cap.ampdu_density)))
1783 		return -ENOBUFS;
1784 
1785 	/* add VHT info */
1786 	if (sband->vht_cap.vht_supported &&
1787 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1788 		     sizeof(sband->vht_cap.vht_mcs),
1789 		     &sband->vht_cap.vht_mcs) ||
1790 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1791 			 sband->vht_cap.cap)))
1792 		return -ENOBUFS;
1793 
1794 	if (large && sband->n_iftype_data) {
1795 		struct nlattr *nl_iftype_data =
1796 			nla_nest_start_noflag(msg,
1797 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1798 		int err;
1799 
1800 		if (!nl_iftype_data)
1801 			return -ENOBUFS;
1802 
1803 		for (i = 0; i < sband->n_iftype_data; i++) {
1804 			struct nlattr *iftdata;
1805 
1806 			iftdata = nla_nest_start_noflag(msg, i + 1);
1807 			if (!iftdata)
1808 				return -ENOBUFS;
1809 
1810 			err = nl80211_send_iftype_data(msg, sband,
1811 						       &sband->iftype_data[i]);
1812 			if (err)
1813 				return err;
1814 
1815 			nla_nest_end(msg, iftdata);
1816 		}
1817 
1818 		nla_nest_end(msg, nl_iftype_data);
1819 	}
1820 
1821 	/* add EDMG info */
1822 	if (large && sband->edmg_cap.channels &&
1823 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1824 		       sband->edmg_cap.channels) ||
1825 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1826 		       sband->edmg_cap.bw_config)))
1827 
1828 		return -ENOBUFS;
1829 
1830 	/* add bitrates */
1831 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1832 	if (!nl_rates)
1833 		return -ENOBUFS;
1834 
1835 	for (i = 0; i < sband->n_bitrates; i++) {
1836 		nl_rate = nla_nest_start_noflag(msg, i);
1837 		if (!nl_rate)
1838 			return -ENOBUFS;
1839 
1840 		rate = &sband->bitrates[i];
1841 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1842 				rate->bitrate))
1843 			return -ENOBUFS;
1844 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1845 		    nla_put_flag(msg,
1846 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1847 			return -ENOBUFS;
1848 
1849 		nla_nest_end(msg, nl_rate);
1850 	}
1851 
1852 	nla_nest_end(msg, nl_rates);
1853 
1854 	return 0;
1855 }
1856 
1857 static int
1858 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1859 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1860 {
1861 	u16 stypes;
1862 	struct nlattr *nl_ftypes, *nl_ifs;
1863 	enum nl80211_iftype ift;
1864 	int i;
1865 
1866 	if (!mgmt_stypes)
1867 		return 0;
1868 
1869 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1870 	if (!nl_ifs)
1871 		return -ENOBUFS;
1872 
1873 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1874 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1875 		if (!nl_ftypes)
1876 			return -ENOBUFS;
1877 		i = 0;
1878 		stypes = mgmt_stypes[ift].tx;
1879 		while (stypes) {
1880 			if ((stypes & 1) &&
1881 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1882 					(i << 4) | IEEE80211_FTYPE_MGMT))
1883 				return -ENOBUFS;
1884 			stypes >>= 1;
1885 			i++;
1886 		}
1887 		nla_nest_end(msg, nl_ftypes);
1888 	}
1889 
1890 	nla_nest_end(msg, nl_ifs);
1891 
1892 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1893 	if (!nl_ifs)
1894 		return -ENOBUFS;
1895 
1896 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1897 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1898 		if (!nl_ftypes)
1899 			return -ENOBUFS;
1900 		i = 0;
1901 		stypes = mgmt_stypes[ift].rx;
1902 		while (stypes) {
1903 			if ((stypes & 1) &&
1904 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1905 					(i << 4) | IEEE80211_FTYPE_MGMT))
1906 				return -ENOBUFS;
1907 			stypes >>= 1;
1908 			i++;
1909 		}
1910 		nla_nest_end(msg, nl_ftypes);
1911 	}
1912 	nla_nest_end(msg, nl_ifs);
1913 
1914 	return 0;
1915 }
1916 
1917 #define CMD(op, n)							\
1918 	 do {								\
1919 		if (rdev->ops->op) {					\
1920 			i++;						\
1921 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1922 				goto nla_put_failure;			\
1923 		}							\
1924 	} while (0)
1925 
1926 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1927 					struct sk_buff *msg)
1928 {
1929 	int i = 0;
1930 
1931 	/*
1932 	 * do *NOT* add anything into this function, new things need to be
1933 	 * advertised only to new versions of userspace that can deal with
1934 	 * the split (and they can't possibly care about new features...
1935 	 */
1936 	CMD(add_virtual_intf, NEW_INTERFACE);
1937 	CMD(change_virtual_intf, SET_INTERFACE);
1938 	CMD(add_key, NEW_KEY);
1939 	CMD(start_ap, START_AP);
1940 	CMD(add_station, NEW_STATION);
1941 	CMD(add_mpath, NEW_MPATH);
1942 	CMD(update_mesh_config, SET_MESH_CONFIG);
1943 	CMD(change_bss, SET_BSS);
1944 	CMD(auth, AUTHENTICATE);
1945 	CMD(assoc, ASSOCIATE);
1946 	CMD(deauth, DEAUTHENTICATE);
1947 	CMD(disassoc, DISASSOCIATE);
1948 	CMD(join_ibss, JOIN_IBSS);
1949 	CMD(join_mesh, JOIN_MESH);
1950 	CMD(set_pmksa, SET_PMKSA);
1951 	CMD(del_pmksa, DEL_PMKSA);
1952 	CMD(flush_pmksa, FLUSH_PMKSA);
1953 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1954 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1955 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1956 	CMD(mgmt_tx, FRAME);
1957 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1958 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1959 		i++;
1960 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1961 			goto nla_put_failure;
1962 	}
1963 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1964 	    rdev->ops->join_mesh) {
1965 		i++;
1966 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1967 			goto nla_put_failure;
1968 	}
1969 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1970 		CMD(tdls_mgmt, TDLS_MGMT);
1971 		CMD(tdls_oper, TDLS_OPER);
1972 	}
1973 	if (rdev->wiphy.max_sched_scan_reqs)
1974 		CMD(sched_scan_start, START_SCHED_SCAN);
1975 	CMD(probe_client, PROBE_CLIENT);
1976 	CMD(set_noack_map, SET_NOACK_MAP);
1977 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1978 		i++;
1979 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1980 			goto nla_put_failure;
1981 	}
1982 	CMD(start_p2p_device, START_P2P_DEVICE);
1983 	CMD(set_mcast_rate, SET_MCAST_RATE);
1984 #ifdef CONFIG_NL80211_TESTMODE
1985 	CMD(testmode_cmd, TESTMODE);
1986 #endif
1987 
1988 	if (rdev->ops->connect || rdev->ops->auth) {
1989 		i++;
1990 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1991 			goto nla_put_failure;
1992 	}
1993 
1994 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1995 		i++;
1996 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1997 			goto nla_put_failure;
1998 	}
1999 
2000 	return i;
2001  nla_put_failure:
2002 	return -ENOBUFS;
2003 }
2004 
2005 static int
2006 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2007 			   struct sk_buff *msg)
2008 {
2009 	struct nlattr *ftm;
2010 
2011 	if (!cap->ftm.supported)
2012 		return 0;
2013 
2014 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2015 	if (!ftm)
2016 		return -ENOBUFS;
2017 
2018 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2019 		return -ENOBUFS;
2020 	if (cap->ftm.non_asap &&
2021 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2022 		return -ENOBUFS;
2023 	if (cap->ftm.request_lci &&
2024 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2025 		return -ENOBUFS;
2026 	if (cap->ftm.request_civicloc &&
2027 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2028 		return -ENOBUFS;
2029 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2030 			cap->ftm.preambles))
2031 		return -ENOBUFS;
2032 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2033 			cap->ftm.bandwidths))
2034 		return -ENOBUFS;
2035 	if (cap->ftm.max_bursts_exponent >= 0 &&
2036 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2037 			cap->ftm.max_bursts_exponent))
2038 		return -ENOBUFS;
2039 	if (cap->ftm.max_ftms_per_burst &&
2040 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2041 			cap->ftm.max_ftms_per_burst))
2042 		return -ENOBUFS;
2043 	if (cap->ftm.trigger_based &&
2044 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2045 		return -ENOBUFS;
2046 	if (cap->ftm.non_trigger_based &&
2047 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2048 		return -ENOBUFS;
2049 
2050 	nla_nest_end(msg, ftm);
2051 	return 0;
2052 }
2053 
2054 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2055 				  struct sk_buff *msg)
2056 {
2057 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2058 	struct nlattr *pmsr, *caps;
2059 
2060 	if (!cap)
2061 		return 0;
2062 
2063 	/*
2064 	 * we don't need to clean up anything here since the caller
2065 	 * will genlmsg_cancel() if we fail
2066 	 */
2067 
2068 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2069 	if (!pmsr)
2070 		return -ENOBUFS;
2071 
2072 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2073 		return -ENOBUFS;
2074 
2075 	if (cap->report_ap_tsf &&
2076 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2077 		return -ENOBUFS;
2078 
2079 	if (cap->randomize_mac_addr &&
2080 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2081 		return -ENOBUFS;
2082 
2083 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2084 	if (!caps)
2085 		return -ENOBUFS;
2086 
2087 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2088 		return -ENOBUFS;
2089 
2090 	nla_nest_end(msg, caps);
2091 	nla_nest_end(msg, pmsr);
2092 
2093 	return 0;
2094 }
2095 
2096 static int
2097 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2098 			      struct sk_buff *msg)
2099 {
2100 	int i;
2101 	struct nlattr *nested, *nested_akms;
2102 	const struct wiphy_iftype_akm_suites *iftype_akms;
2103 
2104 	if (!rdev->wiphy.num_iftype_akm_suites ||
2105 	    !rdev->wiphy.iftype_akm_suites)
2106 		return 0;
2107 
2108 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2109 	if (!nested)
2110 		return -ENOBUFS;
2111 
2112 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2113 		nested_akms = nla_nest_start(msg, i + 1);
2114 		if (!nested_akms)
2115 			return -ENOBUFS;
2116 
2117 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2118 
2119 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2120 					iftype_akms->iftypes_mask))
2121 			return -ENOBUFS;
2122 
2123 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2124 			    sizeof(u32) * iftype_akms->n_akm_suites,
2125 			    iftype_akms->akm_suites)) {
2126 			return -ENOBUFS;
2127 		}
2128 		nla_nest_end(msg, nested_akms);
2129 	}
2130 
2131 	nla_nest_end(msg, nested);
2132 
2133 	return 0;
2134 }
2135 
2136 static int
2137 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2138 			       struct sk_buff *msg)
2139 {
2140 	struct nlattr *supp;
2141 
2142 	if (!rdev->wiphy.tid_config_support.vif &&
2143 	    !rdev->wiphy.tid_config_support.peer)
2144 		return 0;
2145 
2146 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2147 	if (!supp)
2148 		return -ENOSPC;
2149 
2150 	if (rdev->wiphy.tid_config_support.vif &&
2151 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2152 			      rdev->wiphy.tid_config_support.vif,
2153 			      NL80211_TID_CONFIG_ATTR_PAD))
2154 		goto fail;
2155 
2156 	if (rdev->wiphy.tid_config_support.peer &&
2157 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2158 			      rdev->wiphy.tid_config_support.peer,
2159 			      NL80211_TID_CONFIG_ATTR_PAD))
2160 		goto fail;
2161 
2162 	/* for now we just use the same value ... makes more sense */
2163 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2164 		       rdev->wiphy.tid_config_support.max_retry))
2165 		goto fail;
2166 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2167 		       rdev->wiphy.tid_config_support.max_retry))
2168 		goto fail;
2169 
2170 	nla_nest_end(msg, supp);
2171 
2172 	return 0;
2173 fail:
2174 	nla_nest_cancel(msg, supp);
2175 	return -ENOBUFS;
2176 }
2177 
2178 static int
2179 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2180 		      struct sk_buff *msg)
2181 {
2182 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2183 	u8 num_freq_ranges;
2184 	int i;
2185 
2186 	if (!rdev->wiphy.sar_capa)
2187 		return 0;
2188 
2189 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2190 
2191 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2192 	if (!sar_capa)
2193 		return -ENOSPC;
2194 
2195 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2196 		goto fail;
2197 
2198 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2199 	if (!specs)
2200 		goto fail;
2201 
2202 	/* report supported freq_ranges */
2203 	for (i = 0; i < num_freq_ranges; i++) {
2204 		sub_freq_range = nla_nest_start(msg, i + 1);
2205 		if (!sub_freq_range)
2206 			goto fail;
2207 
2208 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2209 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2210 			goto fail;
2211 
2212 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2213 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2214 			goto fail;
2215 
2216 		nla_nest_end(msg, sub_freq_range);
2217 	}
2218 
2219 	nla_nest_end(msg, specs);
2220 	nla_nest_end(msg, sar_capa);
2221 
2222 	return 0;
2223 fail:
2224 	nla_nest_cancel(msg, sar_capa);
2225 	return -ENOBUFS;
2226 }
2227 
2228 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2229 {
2230 	struct nlattr *config;
2231 
2232 	if (!wiphy->mbssid_max_interfaces)
2233 		return 0;
2234 
2235 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2236 	if (!config)
2237 		return -ENOBUFS;
2238 
2239 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2240 		       wiphy->mbssid_max_interfaces))
2241 		goto fail;
2242 
2243 	if (wiphy->ema_max_profile_periodicity &&
2244 	    nla_put_u8(msg,
2245 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2246 		       wiphy->ema_max_profile_periodicity))
2247 		goto fail;
2248 
2249 	nla_nest_end(msg, config);
2250 	return 0;
2251 
2252 fail:
2253 	nla_nest_cancel(msg, config);
2254 	return -ENOBUFS;
2255 }
2256 
2257 struct nl80211_dump_wiphy_state {
2258 	s64 filter_wiphy;
2259 	long start;
2260 	long split_start, band_start, chan_start, capa_start;
2261 	bool split;
2262 };
2263 
2264 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2265 			      enum nl80211_commands cmd,
2266 			      struct sk_buff *msg, u32 portid, u32 seq,
2267 			      int flags, struct nl80211_dump_wiphy_state *state)
2268 {
2269 	void *hdr;
2270 	struct nlattr *nl_bands, *nl_band;
2271 	struct nlattr *nl_freqs, *nl_freq;
2272 	struct nlattr *nl_cmds;
2273 	enum nl80211_band band;
2274 	struct ieee80211_channel *chan;
2275 	int i;
2276 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2277 				rdev->wiphy.mgmt_stypes;
2278 	u32 features;
2279 
2280 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2281 	if (!hdr)
2282 		return -ENOBUFS;
2283 
2284 	if (WARN_ON(!state))
2285 		return -EINVAL;
2286 
2287 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2288 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2289 			   wiphy_name(&rdev->wiphy)) ||
2290 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2291 			cfg80211_rdev_list_generation))
2292 		goto nla_put_failure;
2293 
2294 	if (cmd != NL80211_CMD_NEW_WIPHY)
2295 		goto finish;
2296 
2297 	switch (state->split_start) {
2298 	case 0:
2299 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2300 			       rdev->wiphy.retry_short) ||
2301 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2302 			       rdev->wiphy.retry_long) ||
2303 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2304 				rdev->wiphy.frag_threshold) ||
2305 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2306 				rdev->wiphy.rts_threshold) ||
2307 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2308 			       rdev->wiphy.coverage_class) ||
2309 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2310 			       rdev->wiphy.max_scan_ssids) ||
2311 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2312 			       rdev->wiphy.max_sched_scan_ssids) ||
2313 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2314 				rdev->wiphy.max_scan_ie_len) ||
2315 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2316 				rdev->wiphy.max_sched_scan_ie_len) ||
2317 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2318 			       rdev->wiphy.max_match_sets))
2319 			goto nla_put_failure;
2320 
2321 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2322 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2323 			goto nla_put_failure;
2324 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2325 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2326 			goto nla_put_failure;
2327 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2328 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2329 			goto nla_put_failure;
2330 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2331 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2332 			goto nla_put_failure;
2333 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2334 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2335 			goto nla_put_failure;
2336 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2337 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2338 			goto nla_put_failure;
2339 		state->split_start++;
2340 		if (state->split)
2341 			break;
2342 		fallthrough;
2343 	case 1:
2344 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2345 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2346 			    rdev->wiphy.cipher_suites))
2347 			goto nla_put_failure;
2348 
2349 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2350 			       rdev->wiphy.max_num_pmkids))
2351 			goto nla_put_failure;
2352 
2353 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2354 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2355 			goto nla_put_failure;
2356 
2357 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2358 				rdev->wiphy.available_antennas_tx) ||
2359 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2360 				rdev->wiphy.available_antennas_rx))
2361 			goto nla_put_failure;
2362 
2363 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2364 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2365 				rdev->wiphy.probe_resp_offload))
2366 			goto nla_put_failure;
2367 
2368 		if ((rdev->wiphy.available_antennas_tx ||
2369 		     rdev->wiphy.available_antennas_rx) &&
2370 		    rdev->ops->get_antenna) {
2371 			u32 tx_ant = 0, rx_ant = 0;
2372 			int res;
2373 
2374 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2375 			if (!res) {
2376 				if (nla_put_u32(msg,
2377 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2378 						tx_ant) ||
2379 				    nla_put_u32(msg,
2380 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2381 						rx_ant))
2382 					goto nla_put_failure;
2383 			}
2384 		}
2385 
2386 		state->split_start++;
2387 		if (state->split)
2388 			break;
2389 		fallthrough;
2390 	case 2:
2391 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2392 					rdev->wiphy.interface_modes))
2393 				goto nla_put_failure;
2394 		state->split_start++;
2395 		if (state->split)
2396 			break;
2397 		fallthrough;
2398 	case 3:
2399 		nl_bands = nla_nest_start_noflag(msg,
2400 						 NL80211_ATTR_WIPHY_BANDS);
2401 		if (!nl_bands)
2402 			goto nla_put_failure;
2403 
2404 		for (band = state->band_start;
2405 		     band < (state->split ?
2406 				NUM_NL80211_BANDS :
2407 				NL80211_BAND_60GHZ + 1);
2408 		     band++) {
2409 			struct ieee80211_supported_band *sband;
2410 
2411 			/* omit higher bands for ancient software */
2412 			if (band > NL80211_BAND_5GHZ && !state->split)
2413 				break;
2414 
2415 			sband = rdev->wiphy.bands[band];
2416 
2417 			if (!sband)
2418 				continue;
2419 
2420 			nl_band = nla_nest_start_noflag(msg, band);
2421 			if (!nl_band)
2422 				goto nla_put_failure;
2423 
2424 			switch (state->chan_start) {
2425 			case 0:
2426 				if (nl80211_send_band_rateinfo(msg, sband,
2427 							       state->split))
2428 					goto nla_put_failure;
2429 				state->chan_start++;
2430 				if (state->split)
2431 					break;
2432 				fallthrough;
2433 			default:
2434 				/* add frequencies */
2435 				nl_freqs = nla_nest_start_noflag(msg,
2436 								 NL80211_BAND_ATTR_FREQS);
2437 				if (!nl_freqs)
2438 					goto nla_put_failure;
2439 
2440 				for (i = state->chan_start - 1;
2441 				     i < sband->n_channels;
2442 				     i++) {
2443 					nl_freq = nla_nest_start_noflag(msg,
2444 									i);
2445 					if (!nl_freq)
2446 						goto nla_put_failure;
2447 
2448 					chan = &sband->channels[i];
2449 
2450 					if (nl80211_msg_put_channel(
2451 							msg, &rdev->wiphy, chan,
2452 							state->split))
2453 						goto nla_put_failure;
2454 
2455 					nla_nest_end(msg, nl_freq);
2456 					if (state->split)
2457 						break;
2458 				}
2459 				if (i < sband->n_channels)
2460 					state->chan_start = i + 2;
2461 				else
2462 					state->chan_start = 0;
2463 				nla_nest_end(msg, nl_freqs);
2464 			}
2465 
2466 			nla_nest_end(msg, nl_band);
2467 
2468 			if (state->split) {
2469 				/* start again here */
2470 				if (state->chan_start)
2471 					band--;
2472 				break;
2473 			}
2474 		}
2475 		nla_nest_end(msg, nl_bands);
2476 
2477 		if (band < NUM_NL80211_BANDS)
2478 			state->band_start = band + 1;
2479 		else
2480 			state->band_start = 0;
2481 
2482 		/* if bands & channels are done, continue outside */
2483 		if (state->band_start == 0 && state->chan_start == 0)
2484 			state->split_start++;
2485 		if (state->split)
2486 			break;
2487 		fallthrough;
2488 	case 4:
2489 		nl_cmds = nla_nest_start_noflag(msg,
2490 						NL80211_ATTR_SUPPORTED_COMMANDS);
2491 		if (!nl_cmds)
2492 			goto nla_put_failure;
2493 
2494 		i = nl80211_add_commands_unsplit(rdev, msg);
2495 		if (i < 0)
2496 			goto nla_put_failure;
2497 		if (state->split) {
2498 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2499 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2500 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2501 				CMD(channel_switch, CHANNEL_SWITCH);
2502 			CMD(set_qos_map, SET_QOS_MAP);
2503 			if (rdev->wiphy.features &
2504 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2505 				CMD(add_tx_ts, ADD_TX_TS);
2506 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2507 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2508 			CMD(update_ft_ies, UPDATE_FT_IES);
2509 			if (rdev->wiphy.sar_capa)
2510 				CMD(set_sar_specs, SET_SAR_SPECS);
2511 		}
2512 #undef CMD
2513 
2514 		nla_nest_end(msg, nl_cmds);
2515 		state->split_start++;
2516 		if (state->split)
2517 			break;
2518 		fallthrough;
2519 	case 5:
2520 		if (rdev->ops->remain_on_channel &&
2521 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2522 		    nla_put_u32(msg,
2523 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2524 				rdev->wiphy.max_remain_on_channel_duration))
2525 			goto nla_put_failure;
2526 
2527 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2528 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2529 			goto nla_put_failure;
2530 
2531 		state->split_start++;
2532 		if (state->split)
2533 			break;
2534 		fallthrough;
2535 	case 6:
2536 #ifdef CONFIG_PM
2537 		if (nl80211_send_wowlan(msg, rdev, state->split))
2538 			goto nla_put_failure;
2539 		state->split_start++;
2540 		if (state->split)
2541 			break;
2542 #else
2543 		state->split_start++;
2544 #endif
2545 		fallthrough;
2546 	case 7:
2547 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2548 					rdev->wiphy.software_iftypes))
2549 			goto nla_put_failure;
2550 
2551 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2552 						   state->split))
2553 			goto nla_put_failure;
2554 
2555 		state->split_start++;
2556 		if (state->split)
2557 			break;
2558 		fallthrough;
2559 	case 8:
2560 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2561 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2562 				rdev->wiphy.ap_sme_capa))
2563 			goto nla_put_failure;
2564 
2565 		features = rdev->wiphy.features;
2566 		/*
2567 		 * We can only add the per-channel limit information if the
2568 		 * dump is split, otherwise it makes it too big. Therefore
2569 		 * only advertise it in that case.
2570 		 */
2571 		if (state->split)
2572 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2573 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2574 			goto nla_put_failure;
2575 
2576 		if (rdev->wiphy.ht_capa_mod_mask &&
2577 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2578 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2579 			    rdev->wiphy.ht_capa_mod_mask))
2580 			goto nla_put_failure;
2581 
2582 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2583 		    rdev->wiphy.max_acl_mac_addrs &&
2584 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2585 				rdev->wiphy.max_acl_mac_addrs))
2586 			goto nla_put_failure;
2587 
2588 		/*
2589 		 * Any information below this point is only available to
2590 		 * applications that can deal with it being split. This
2591 		 * helps ensure that newly added capabilities don't break
2592 		 * older tools by overrunning their buffers.
2593 		 *
2594 		 * We still increment split_start so that in the split
2595 		 * case we'll continue with more data in the next round,
2596 		 * but break unconditionally so unsplit data stops here.
2597 		 */
2598 		if (state->split)
2599 			state->split_start++;
2600 		else
2601 			state->split_start = 0;
2602 		break;
2603 	case 9:
2604 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2605 			goto nla_put_failure;
2606 
2607 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2608 				rdev->wiphy.max_sched_scan_plans) ||
2609 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2610 				rdev->wiphy.max_sched_scan_plan_interval) ||
2611 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2612 				rdev->wiphy.max_sched_scan_plan_iterations))
2613 			goto nla_put_failure;
2614 
2615 		if (rdev->wiphy.extended_capabilities &&
2616 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2617 			     rdev->wiphy.extended_capabilities_len,
2618 			     rdev->wiphy.extended_capabilities) ||
2619 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2620 			     rdev->wiphy.extended_capabilities_len,
2621 			     rdev->wiphy.extended_capabilities_mask)))
2622 			goto nla_put_failure;
2623 
2624 		if (rdev->wiphy.vht_capa_mod_mask &&
2625 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2626 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2627 			    rdev->wiphy.vht_capa_mod_mask))
2628 			goto nla_put_failure;
2629 
2630 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2631 			    rdev->wiphy.perm_addr))
2632 			goto nla_put_failure;
2633 
2634 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2635 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2636 			    rdev->wiphy.addr_mask))
2637 			goto nla_put_failure;
2638 
2639 		if (rdev->wiphy.n_addresses > 1) {
2640 			void *attr;
2641 
2642 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2643 			if (!attr)
2644 				goto nla_put_failure;
2645 
2646 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2647 				if (nla_put(msg, i + 1, ETH_ALEN,
2648 					    rdev->wiphy.addresses[i].addr))
2649 					goto nla_put_failure;
2650 
2651 			nla_nest_end(msg, attr);
2652 		}
2653 
2654 		state->split_start++;
2655 		break;
2656 	case 10:
2657 		if (nl80211_send_coalesce(msg, rdev))
2658 			goto nla_put_failure;
2659 
2660 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2661 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2662 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2663 			goto nla_put_failure;
2664 
2665 		if (rdev->wiphy.max_ap_assoc_sta &&
2666 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2667 				rdev->wiphy.max_ap_assoc_sta))
2668 			goto nla_put_failure;
2669 
2670 		state->split_start++;
2671 		break;
2672 	case 11:
2673 		if (rdev->wiphy.n_vendor_commands) {
2674 			const struct nl80211_vendor_cmd_info *info;
2675 			struct nlattr *nested;
2676 
2677 			nested = nla_nest_start_noflag(msg,
2678 						       NL80211_ATTR_VENDOR_DATA);
2679 			if (!nested)
2680 				goto nla_put_failure;
2681 
2682 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2683 				info = &rdev->wiphy.vendor_commands[i].info;
2684 				if (nla_put(msg, i + 1, sizeof(*info), info))
2685 					goto nla_put_failure;
2686 			}
2687 			nla_nest_end(msg, nested);
2688 		}
2689 
2690 		if (rdev->wiphy.n_vendor_events) {
2691 			const struct nl80211_vendor_cmd_info *info;
2692 			struct nlattr *nested;
2693 
2694 			nested = nla_nest_start_noflag(msg,
2695 						       NL80211_ATTR_VENDOR_EVENTS);
2696 			if (!nested)
2697 				goto nla_put_failure;
2698 
2699 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2700 				info = &rdev->wiphy.vendor_events[i];
2701 				if (nla_put(msg, i + 1, sizeof(*info), info))
2702 					goto nla_put_failure;
2703 			}
2704 			nla_nest_end(msg, nested);
2705 		}
2706 		state->split_start++;
2707 		break;
2708 	case 12:
2709 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2710 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2711 			       rdev->wiphy.max_num_csa_counters))
2712 			goto nla_put_failure;
2713 
2714 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2715 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2716 			goto nla_put_failure;
2717 
2718 		if (rdev->wiphy.max_sched_scan_reqs &&
2719 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2720 				rdev->wiphy.max_sched_scan_reqs))
2721 			goto nla_put_failure;
2722 
2723 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2724 			    sizeof(rdev->wiphy.ext_features),
2725 			    rdev->wiphy.ext_features))
2726 			goto nla_put_failure;
2727 
2728 		if (rdev->wiphy.bss_select_support) {
2729 			struct nlattr *nested;
2730 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2731 
2732 			nested = nla_nest_start_noflag(msg,
2733 						       NL80211_ATTR_BSS_SELECT);
2734 			if (!nested)
2735 				goto nla_put_failure;
2736 
2737 			i = 0;
2738 			while (bss_select_support) {
2739 				if ((bss_select_support & 1) &&
2740 				    nla_put_flag(msg, i))
2741 					goto nla_put_failure;
2742 				i++;
2743 				bss_select_support >>= 1;
2744 			}
2745 			nla_nest_end(msg, nested);
2746 		}
2747 
2748 		state->split_start++;
2749 		break;
2750 	case 13:
2751 		if (rdev->wiphy.num_iftype_ext_capab &&
2752 		    rdev->wiphy.iftype_ext_capab) {
2753 			struct nlattr *nested_ext_capab, *nested;
2754 
2755 			nested = nla_nest_start_noflag(msg,
2756 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2757 			if (!nested)
2758 				goto nla_put_failure;
2759 
2760 			for (i = state->capa_start;
2761 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2762 				const struct wiphy_iftype_ext_capab *capab;
2763 
2764 				capab = &rdev->wiphy.iftype_ext_capab[i];
2765 
2766 				nested_ext_capab = nla_nest_start_noflag(msg,
2767 									 i);
2768 				if (!nested_ext_capab ||
2769 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2770 						capab->iftype) ||
2771 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2772 					    capab->extended_capabilities_len,
2773 					    capab->extended_capabilities) ||
2774 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2775 					    capab->extended_capabilities_len,
2776 					    capab->extended_capabilities_mask))
2777 					goto nla_put_failure;
2778 
2779 				nla_nest_end(msg, nested_ext_capab);
2780 				if (state->split)
2781 					break;
2782 			}
2783 			nla_nest_end(msg, nested);
2784 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2785 				state->capa_start = i + 1;
2786 				break;
2787 			}
2788 		}
2789 
2790 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2791 				rdev->wiphy.nan_supported_bands))
2792 			goto nla_put_failure;
2793 
2794 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2795 					    NL80211_EXT_FEATURE_TXQS)) {
2796 			struct cfg80211_txq_stats txqstats = {};
2797 			int res;
2798 
2799 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2800 			if (!res &&
2801 			    !nl80211_put_txq_stats(msg, &txqstats,
2802 						   NL80211_ATTR_TXQ_STATS))
2803 				goto nla_put_failure;
2804 
2805 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2806 					rdev->wiphy.txq_limit))
2807 				goto nla_put_failure;
2808 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2809 					rdev->wiphy.txq_memory_limit))
2810 				goto nla_put_failure;
2811 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2812 					rdev->wiphy.txq_quantum))
2813 				goto nla_put_failure;
2814 		}
2815 
2816 		state->split_start++;
2817 		break;
2818 	case 14:
2819 		if (nl80211_send_pmsr_capa(rdev, msg))
2820 			goto nla_put_failure;
2821 
2822 		state->split_start++;
2823 		break;
2824 	case 15:
2825 		if (rdev->wiphy.akm_suites &&
2826 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2827 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2828 			    rdev->wiphy.akm_suites))
2829 			goto nla_put_failure;
2830 
2831 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2832 			goto nla_put_failure;
2833 
2834 		if (nl80211_put_tid_config_support(rdev, msg))
2835 			goto nla_put_failure;
2836 		state->split_start++;
2837 		break;
2838 	case 16:
2839 		if (nl80211_put_sar_specs(rdev, msg))
2840 			goto nla_put_failure;
2841 
2842 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2843 			goto nla_put_failure;
2844 
2845 		/* done */
2846 		state->split_start = 0;
2847 		break;
2848 	}
2849  finish:
2850 	genlmsg_end(msg, hdr);
2851 	return 0;
2852 
2853  nla_put_failure:
2854 	genlmsg_cancel(msg, hdr);
2855 	return -EMSGSIZE;
2856 }
2857 
2858 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2859 				    struct netlink_callback *cb,
2860 				    struct nl80211_dump_wiphy_state *state)
2861 {
2862 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2863 	int ret;
2864 
2865 	if (!tb)
2866 		return -ENOMEM;
2867 
2868 	ret = nlmsg_parse_deprecated(cb->nlh,
2869 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2870 				     tb, nl80211_fam.maxattr,
2871 				     nl80211_policy, NULL);
2872 	/* ignore parse errors for backward compatibility */
2873 	if (ret) {
2874 		ret = 0;
2875 		goto out;
2876 	}
2877 
2878 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2879 	if (tb[NL80211_ATTR_WIPHY])
2880 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2881 	if (tb[NL80211_ATTR_WDEV])
2882 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2883 	if (tb[NL80211_ATTR_IFINDEX]) {
2884 		struct net_device *netdev;
2885 		struct cfg80211_registered_device *rdev;
2886 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2887 
2888 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2889 		if (!netdev) {
2890 			ret = -ENODEV;
2891 			goto out;
2892 		}
2893 		if (netdev->ieee80211_ptr) {
2894 			rdev = wiphy_to_rdev(
2895 				netdev->ieee80211_ptr->wiphy);
2896 			state->filter_wiphy = rdev->wiphy_idx;
2897 		}
2898 	}
2899 
2900 	ret = 0;
2901 out:
2902 	kfree(tb);
2903 	return ret;
2904 }
2905 
2906 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2907 {
2908 	int idx = 0, ret;
2909 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2910 	struct cfg80211_registered_device *rdev;
2911 
2912 	rtnl_lock();
2913 	if (!state) {
2914 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2915 		if (!state) {
2916 			rtnl_unlock();
2917 			return -ENOMEM;
2918 		}
2919 		state->filter_wiphy = -1;
2920 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2921 		if (ret) {
2922 			kfree(state);
2923 			rtnl_unlock();
2924 			return ret;
2925 		}
2926 		cb->args[0] = (long)state;
2927 	}
2928 
2929 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2930 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2931 			continue;
2932 		if (++idx <= state->start)
2933 			continue;
2934 		if (state->filter_wiphy != -1 &&
2935 		    state->filter_wiphy != rdev->wiphy_idx)
2936 			continue;
2937 		/* attempt to fit multiple wiphy data chunks into the skb */
2938 		do {
2939 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2940 						 skb,
2941 						 NETLINK_CB(cb->skb).portid,
2942 						 cb->nlh->nlmsg_seq,
2943 						 NLM_F_MULTI, state);
2944 			if (ret < 0) {
2945 				/*
2946 				 * If sending the wiphy data didn't fit (ENOBUFS
2947 				 * or EMSGSIZE returned), this SKB is still
2948 				 * empty (so it's not too big because another
2949 				 * wiphy dataset is already in the skb) and
2950 				 * we've not tried to adjust the dump allocation
2951 				 * yet ... then adjust the alloc size to be
2952 				 * bigger, and return 1 but with the empty skb.
2953 				 * This results in an empty message being RX'ed
2954 				 * in userspace, but that is ignored.
2955 				 *
2956 				 * We can then retry with the larger buffer.
2957 				 */
2958 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2959 				    !skb->len && !state->split &&
2960 				    cb->min_dump_alloc < 4096) {
2961 					cb->min_dump_alloc = 4096;
2962 					state->split_start = 0;
2963 					rtnl_unlock();
2964 					return 1;
2965 				}
2966 				idx--;
2967 				break;
2968 			}
2969 		} while (state->split_start > 0);
2970 		break;
2971 	}
2972 	rtnl_unlock();
2973 
2974 	state->start = idx;
2975 
2976 	return skb->len;
2977 }
2978 
2979 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2980 {
2981 	kfree((void *)cb->args[0]);
2982 	return 0;
2983 }
2984 
2985 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2986 {
2987 	struct sk_buff *msg;
2988 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2989 	struct nl80211_dump_wiphy_state state = {};
2990 
2991 	msg = nlmsg_new(4096, GFP_KERNEL);
2992 	if (!msg)
2993 		return -ENOMEM;
2994 
2995 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2996 			       info->snd_portid, info->snd_seq, 0,
2997 			       &state) < 0) {
2998 		nlmsg_free(msg);
2999 		return -ENOBUFS;
3000 	}
3001 
3002 	return genlmsg_reply(msg, info);
3003 }
3004 
3005 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3006 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3007 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3008 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3009 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3010 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3011 };
3012 
3013 static int parse_txq_params(struct nlattr *tb[],
3014 			    struct ieee80211_txq_params *txq_params)
3015 {
3016 	u8 ac;
3017 
3018 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3019 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3020 	    !tb[NL80211_TXQ_ATTR_AIFS])
3021 		return -EINVAL;
3022 
3023 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3024 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3025 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3026 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3027 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3028 
3029 	if (ac >= NL80211_NUM_ACS)
3030 		return -EINVAL;
3031 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3032 	return 0;
3033 }
3034 
3035 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3036 {
3037 	/*
3038 	 * You can only set the channel explicitly for some interfaces,
3039 	 * most have their channel managed via their respective
3040 	 * "establish a connection" command (connect, join, ...)
3041 	 *
3042 	 * For AP/GO and mesh mode, the channel can be set with the
3043 	 * channel userspace API, but is only stored and passed to the
3044 	 * low-level driver when the AP starts or the mesh is joined.
3045 	 * This is for backward compatibility, userspace can also give
3046 	 * the channel in the start-ap or join-mesh commands instead.
3047 	 *
3048 	 * Monitors are special as they are normally slaved to
3049 	 * whatever else is going on, so they have their own special
3050 	 * operation to set the monitor channel if possible.
3051 	 */
3052 	return !wdev ||
3053 		wdev->iftype == NL80211_IFTYPE_AP ||
3054 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3055 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3056 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3057 }
3058 
3059 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3060 			  struct genl_info *info,
3061 			  struct cfg80211_chan_def *chandef)
3062 {
3063 	struct netlink_ext_ack *extack = info->extack;
3064 	struct nlattr **attrs = info->attrs;
3065 	u32 control_freq;
3066 
3067 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3068 		return -EINVAL;
3069 
3070 	control_freq = MHZ_TO_KHZ(
3071 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3072 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3073 		control_freq +=
3074 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3075 
3076 	memset(chandef, 0, sizeof(*chandef));
3077 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3078 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3079 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3080 	chandef->freq1_offset = control_freq % 1000;
3081 	chandef->center_freq2 = 0;
3082 
3083 	/* Primary channel not allowed */
3084 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3085 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3086 				    "Channel is disabled");
3087 		return -EINVAL;
3088 	}
3089 
3090 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3091 		enum nl80211_channel_type chantype;
3092 
3093 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3094 
3095 		switch (chantype) {
3096 		case NL80211_CHAN_NO_HT:
3097 		case NL80211_CHAN_HT20:
3098 		case NL80211_CHAN_HT40PLUS:
3099 		case NL80211_CHAN_HT40MINUS:
3100 			cfg80211_chandef_create(chandef, chandef->chan,
3101 						chantype);
3102 			/* user input for center_freq is incorrect */
3103 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3104 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3105 				NL_SET_ERR_MSG_ATTR(extack,
3106 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3107 						    "bad center frequency 1");
3108 				return -EINVAL;
3109 			}
3110 			/* center_freq2 must be zero */
3111 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3112 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3113 				NL_SET_ERR_MSG_ATTR(extack,
3114 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3115 						    "center frequency 2 can't be used");
3116 				return -EINVAL;
3117 			}
3118 			break;
3119 		default:
3120 			NL_SET_ERR_MSG_ATTR(extack,
3121 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3122 					    "invalid channel type");
3123 			return -EINVAL;
3124 		}
3125 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3126 		chandef->width =
3127 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3128 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3129 			chandef->center_freq1 =
3130 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3131 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3132 				chandef->freq1_offset = nla_get_u32(
3133 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3134 			else
3135 				chandef->freq1_offset = 0;
3136 		}
3137 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3138 			chandef->center_freq2 =
3139 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3140 	}
3141 
3142 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3143 		chandef->edmg.channels =
3144 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3145 
3146 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3147 			chandef->edmg.bw_config =
3148 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3149 	} else {
3150 		chandef->edmg.bw_config = 0;
3151 		chandef->edmg.channels = 0;
3152 	}
3153 
3154 	if (!cfg80211_chandef_valid(chandef)) {
3155 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3156 		return -EINVAL;
3157 	}
3158 
3159 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3160 				     IEEE80211_CHAN_DISABLED)) {
3161 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3162 		return -EINVAL;
3163 	}
3164 
3165 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3166 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3167 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3168 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3169 		return -EINVAL;
3170 	}
3171 
3172 	return 0;
3173 }
3174 
3175 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3176 				 struct net_device *dev,
3177 				 struct genl_info *info)
3178 {
3179 	struct cfg80211_chan_def chandef;
3180 	int result;
3181 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3182 	struct wireless_dev *wdev = NULL;
3183 
3184 	if (dev)
3185 		wdev = dev->ieee80211_ptr;
3186 	if (!nl80211_can_set_dev_channel(wdev))
3187 		return -EOPNOTSUPP;
3188 	if (wdev)
3189 		iftype = wdev->iftype;
3190 
3191 	result = nl80211_parse_chandef(rdev, info, &chandef);
3192 	if (result)
3193 		return result;
3194 
3195 	switch (iftype) {
3196 	case NL80211_IFTYPE_AP:
3197 	case NL80211_IFTYPE_P2P_GO:
3198 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3199 						   iftype)) {
3200 			result = -EINVAL;
3201 			break;
3202 		}
3203 		if (wdev->beacon_interval) {
3204 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3205 			    !(rdev->wiphy.features &
3206 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3207 				result = -EBUSY;
3208 				break;
3209 			}
3210 
3211 			/* Only allow dynamic channel width changes */
3212 			if (chandef.chan != wdev->preset_chandef.chan) {
3213 				result = -EBUSY;
3214 				break;
3215 			}
3216 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3217 			if (result)
3218 				break;
3219 		}
3220 		wdev->preset_chandef = chandef;
3221 		result = 0;
3222 		break;
3223 	case NL80211_IFTYPE_MESH_POINT:
3224 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3225 		break;
3226 	case NL80211_IFTYPE_MONITOR:
3227 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3228 		break;
3229 	default:
3230 		result = -EINVAL;
3231 	}
3232 
3233 	return result;
3234 }
3235 
3236 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3237 {
3238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3239 	struct net_device *netdev = info->user_ptr[1];
3240 
3241 	return __nl80211_set_channel(rdev, netdev, info);
3242 }
3243 
3244 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3245 {
3246 	struct cfg80211_registered_device *rdev = NULL;
3247 	struct net_device *netdev = NULL;
3248 	struct wireless_dev *wdev;
3249 	int result = 0, rem_txq_params = 0;
3250 	struct nlattr *nl_txq_params;
3251 	u32 changed;
3252 	u8 retry_short = 0, retry_long = 0;
3253 	u32 frag_threshold = 0, rts_threshold = 0;
3254 	u8 coverage_class = 0;
3255 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3256 
3257 	rtnl_lock();
3258 	/*
3259 	 * Try to find the wiphy and netdev. Normally this
3260 	 * function shouldn't need the netdev, but this is
3261 	 * done for backward compatibility -- previously
3262 	 * setting the channel was done per wiphy, but now
3263 	 * it is per netdev. Previous userland like hostapd
3264 	 * also passed a netdev to set_wiphy, so that it is
3265 	 * possible to let that go to the right netdev!
3266 	 */
3267 
3268 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3269 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3270 
3271 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3272 		if (netdev && netdev->ieee80211_ptr)
3273 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3274 		else
3275 			netdev = NULL;
3276 	}
3277 
3278 	if (!netdev) {
3279 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3280 						  info->attrs);
3281 		if (IS_ERR(rdev)) {
3282 			rtnl_unlock();
3283 			return PTR_ERR(rdev);
3284 		}
3285 		wdev = NULL;
3286 		netdev = NULL;
3287 		result = 0;
3288 	} else
3289 		wdev = netdev->ieee80211_ptr;
3290 
3291 	wiphy_lock(&rdev->wiphy);
3292 
3293 	/*
3294 	 * end workaround code, by now the rdev is available
3295 	 * and locked, and wdev may or may not be NULL.
3296 	 */
3297 
3298 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3299 		result = cfg80211_dev_rename(
3300 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3301 	rtnl_unlock();
3302 
3303 	if (result)
3304 		goto out;
3305 
3306 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3307 		struct ieee80211_txq_params txq_params;
3308 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3309 
3310 		if (!rdev->ops->set_txq_params) {
3311 			result = -EOPNOTSUPP;
3312 			goto out;
3313 		}
3314 
3315 		if (!netdev) {
3316 			result = -EINVAL;
3317 			goto out;
3318 		}
3319 
3320 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3321 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3322 			result = -EINVAL;
3323 			goto out;
3324 		}
3325 
3326 		if (!netif_running(netdev)) {
3327 			result = -ENETDOWN;
3328 			goto out;
3329 		}
3330 
3331 		nla_for_each_nested(nl_txq_params,
3332 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3333 				    rem_txq_params) {
3334 			result = nla_parse_nested_deprecated(tb,
3335 							     NL80211_TXQ_ATTR_MAX,
3336 							     nl_txq_params,
3337 							     txq_params_policy,
3338 							     info->extack);
3339 			if (result)
3340 				goto out;
3341 			result = parse_txq_params(tb, &txq_params);
3342 			if (result)
3343 				goto out;
3344 
3345 			result = rdev_set_txq_params(rdev, netdev,
3346 						     &txq_params);
3347 			if (result)
3348 				goto out;
3349 		}
3350 	}
3351 
3352 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3353 		result = __nl80211_set_channel(
3354 			rdev,
3355 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3356 			info);
3357 		if (result)
3358 			goto out;
3359 	}
3360 
3361 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3362 		struct wireless_dev *txp_wdev = wdev;
3363 		enum nl80211_tx_power_setting type;
3364 		int idx, mbm = 0;
3365 
3366 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3367 			txp_wdev = NULL;
3368 
3369 		if (!rdev->ops->set_tx_power) {
3370 			result = -EOPNOTSUPP;
3371 			goto out;
3372 		}
3373 
3374 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3375 		type = nla_get_u32(info->attrs[idx]);
3376 
3377 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3378 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3379 			result = -EINVAL;
3380 			goto out;
3381 		}
3382 
3383 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3384 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3385 			mbm = nla_get_u32(info->attrs[idx]);
3386 		}
3387 
3388 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3389 		if (result)
3390 			goto out;
3391 	}
3392 
3393 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3394 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3395 		u32 tx_ant, rx_ant;
3396 
3397 		if ((!rdev->wiphy.available_antennas_tx &&
3398 		     !rdev->wiphy.available_antennas_rx) ||
3399 		    !rdev->ops->set_antenna) {
3400 			result = -EOPNOTSUPP;
3401 			goto out;
3402 		}
3403 
3404 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3405 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3406 
3407 		/* reject antenna configurations which don't match the
3408 		 * available antenna masks, except for the "all" mask */
3409 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3410 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3411 			result = -EINVAL;
3412 			goto out;
3413 		}
3414 
3415 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3416 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3417 
3418 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3419 		if (result)
3420 			goto out;
3421 	}
3422 
3423 	changed = 0;
3424 
3425 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3426 		retry_short = nla_get_u8(
3427 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3428 
3429 		changed |= WIPHY_PARAM_RETRY_SHORT;
3430 	}
3431 
3432 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3433 		retry_long = nla_get_u8(
3434 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3435 
3436 		changed |= WIPHY_PARAM_RETRY_LONG;
3437 	}
3438 
3439 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3440 		frag_threshold = nla_get_u32(
3441 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3442 		if (frag_threshold < 256) {
3443 			result = -EINVAL;
3444 			goto out;
3445 		}
3446 
3447 		if (frag_threshold != (u32) -1) {
3448 			/*
3449 			 * Fragments (apart from the last one) are required to
3450 			 * have even length. Make the fragmentation code
3451 			 * simpler by stripping LSB should someone try to use
3452 			 * odd threshold value.
3453 			 */
3454 			frag_threshold &= ~0x1;
3455 		}
3456 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3457 	}
3458 
3459 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3460 		rts_threshold = nla_get_u32(
3461 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3462 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3463 	}
3464 
3465 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3466 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3467 			result = -EINVAL;
3468 			goto out;
3469 		}
3470 
3471 		coverage_class = nla_get_u8(
3472 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3473 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3474 	}
3475 
3476 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3477 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3478 			result = -EOPNOTSUPP;
3479 			goto out;
3480 		}
3481 
3482 		changed |= WIPHY_PARAM_DYN_ACK;
3483 	}
3484 
3485 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3486 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3487 					     NL80211_EXT_FEATURE_TXQS)) {
3488 			result = -EOPNOTSUPP;
3489 			goto out;
3490 		}
3491 		txq_limit = nla_get_u32(
3492 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3493 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3494 	}
3495 
3496 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3497 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3498 					     NL80211_EXT_FEATURE_TXQS)) {
3499 			result = -EOPNOTSUPP;
3500 			goto out;
3501 		}
3502 		txq_memory_limit = nla_get_u32(
3503 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3504 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3505 	}
3506 
3507 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3508 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3509 					     NL80211_EXT_FEATURE_TXQS)) {
3510 			result = -EOPNOTSUPP;
3511 			goto out;
3512 		}
3513 		txq_quantum = nla_get_u32(
3514 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3515 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3516 	}
3517 
3518 	if (changed) {
3519 		u8 old_retry_short, old_retry_long;
3520 		u32 old_frag_threshold, old_rts_threshold;
3521 		u8 old_coverage_class;
3522 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3523 
3524 		if (!rdev->ops->set_wiphy_params) {
3525 			result = -EOPNOTSUPP;
3526 			goto out;
3527 		}
3528 
3529 		old_retry_short = rdev->wiphy.retry_short;
3530 		old_retry_long = rdev->wiphy.retry_long;
3531 		old_frag_threshold = rdev->wiphy.frag_threshold;
3532 		old_rts_threshold = rdev->wiphy.rts_threshold;
3533 		old_coverage_class = rdev->wiphy.coverage_class;
3534 		old_txq_limit = rdev->wiphy.txq_limit;
3535 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3536 		old_txq_quantum = rdev->wiphy.txq_quantum;
3537 
3538 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3539 			rdev->wiphy.retry_short = retry_short;
3540 		if (changed & WIPHY_PARAM_RETRY_LONG)
3541 			rdev->wiphy.retry_long = retry_long;
3542 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3543 			rdev->wiphy.frag_threshold = frag_threshold;
3544 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3545 			rdev->wiphy.rts_threshold = rts_threshold;
3546 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3547 			rdev->wiphy.coverage_class = coverage_class;
3548 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3549 			rdev->wiphy.txq_limit = txq_limit;
3550 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3551 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3552 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3553 			rdev->wiphy.txq_quantum = txq_quantum;
3554 
3555 		result = rdev_set_wiphy_params(rdev, changed);
3556 		if (result) {
3557 			rdev->wiphy.retry_short = old_retry_short;
3558 			rdev->wiphy.retry_long = old_retry_long;
3559 			rdev->wiphy.frag_threshold = old_frag_threshold;
3560 			rdev->wiphy.rts_threshold = old_rts_threshold;
3561 			rdev->wiphy.coverage_class = old_coverage_class;
3562 			rdev->wiphy.txq_limit = old_txq_limit;
3563 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3564 			rdev->wiphy.txq_quantum = old_txq_quantum;
3565 			goto out;
3566 		}
3567 	}
3568 
3569 	result = 0;
3570 
3571 out:
3572 	wiphy_unlock(&rdev->wiphy);
3573 	return result;
3574 }
3575 
3576 static int nl80211_send_chandef(struct sk_buff *msg,
3577 				const struct cfg80211_chan_def *chandef)
3578 {
3579 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3580 		return -EINVAL;
3581 
3582 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3583 			chandef->chan->center_freq))
3584 		return -ENOBUFS;
3585 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3586 			chandef->chan->freq_offset))
3587 		return -ENOBUFS;
3588 	switch (chandef->width) {
3589 	case NL80211_CHAN_WIDTH_20_NOHT:
3590 	case NL80211_CHAN_WIDTH_20:
3591 	case NL80211_CHAN_WIDTH_40:
3592 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3593 				cfg80211_get_chandef_type(chandef)))
3594 			return -ENOBUFS;
3595 		break;
3596 	default:
3597 		break;
3598 	}
3599 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3600 		return -ENOBUFS;
3601 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3602 		return -ENOBUFS;
3603 	if (chandef->center_freq2 &&
3604 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3605 		return -ENOBUFS;
3606 	return 0;
3607 }
3608 
3609 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3610 			      struct cfg80211_registered_device *rdev,
3611 			      struct wireless_dev *wdev,
3612 			      enum nl80211_commands cmd)
3613 {
3614 	struct net_device *dev = wdev->netdev;
3615 	void *hdr;
3616 
3617 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3618 		cmd != NL80211_CMD_DEL_INTERFACE &&
3619 		cmd != NL80211_CMD_SET_INTERFACE);
3620 
3621 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3622 	if (!hdr)
3623 		return -1;
3624 
3625 	if (dev &&
3626 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3627 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3628 		goto nla_put_failure;
3629 
3630 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3631 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3632 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3633 			      NL80211_ATTR_PAD) ||
3634 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3635 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3636 			rdev->devlist_generation ^
3637 			(cfg80211_rdev_list_generation << 2)) ||
3638 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3639 		goto nla_put_failure;
3640 
3641 	if (rdev->ops->get_channel) {
3642 		int ret;
3643 		struct cfg80211_chan_def chandef = {};
3644 
3645 		ret = rdev_get_channel(rdev, wdev, &chandef);
3646 		if (ret == 0) {
3647 			if (nl80211_send_chandef(msg, &chandef))
3648 				goto nla_put_failure;
3649 		}
3650 	}
3651 
3652 	if (rdev->ops->get_tx_power) {
3653 		int dbm, ret;
3654 
3655 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3656 		if (ret == 0 &&
3657 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3658 				DBM_TO_MBM(dbm)))
3659 			goto nla_put_failure;
3660 	}
3661 
3662 	wdev_lock(wdev);
3663 	switch (wdev->iftype) {
3664 	case NL80211_IFTYPE_AP:
3665 		if (wdev->ssid_len &&
3666 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3667 			goto nla_put_failure_locked;
3668 		break;
3669 	case NL80211_IFTYPE_STATION:
3670 	case NL80211_IFTYPE_P2P_CLIENT:
3671 	case NL80211_IFTYPE_ADHOC: {
3672 		const u8 *ssid_ie;
3673 		if (!wdev->current_bss)
3674 			break;
3675 		rcu_read_lock();
3676 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3677 					       WLAN_EID_SSID);
3678 		if (ssid_ie &&
3679 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3680 			goto nla_put_failure_rcu_locked;
3681 		rcu_read_unlock();
3682 		break;
3683 		}
3684 	default:
3685 		/* nothing */
3686 		break;
3687 	}
3688 	wdev_unlock(wdev);
3689 
3690 	if (rdev->ops->get_txq_stats) {
3691 		struct cfg80211_txq_stats txqstats = {};
3692 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3693 
3694 		if (ret == 0 &&
3695 		    !nl80211_put_txq_stats(msg, &txqstats,
3696 					   NL80211_ATTR_TXQ_STATS))
3697 			goto nla_put_failure;
3698 	}
3699 
3700 	genlmsg_end(msg, hdr);
3701 	return 0;
3702 
3703  nla_put_failure_rcu_locked:
3704 	rcu_read_unlock();
3705  nla_put_failure_locked:
3706 	wdev_unlock(wdev);
3707  nla_put_failure:
3708 	genlmsg_cancel(msg, hdr);
3709 	return -EMSGSIZE;
3710 }
3711 
3712 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3713 {
3714 	int wp_idx = 0;
3715 	int if_idx = 0;
3716 	int wp_start = cb->args[0];
3717 	int if_start = cb->args[1];
3718 	int filter_wiphy = -1;
3719 	struct cfg80211_registered_device *rdev;
3720 	struct wireless_dev *wdev;
3721 	int ret;
3722 
3723 	rtnl_lock();
3724 	if (!cb->args[2]) {
3725 		struct nl80211_dump_wiphy_state state = {
3726 			.filter_wiphy = -1,
3727 		};
3728 
3729 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3730 		if (ret)
3731 			goto out_unlock;
3732 
3733 		filter_wiphy = state.filter_wiphy;
3734 
3735 		/*
3736 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3737 		 * value needed to determine that parsing is necessary.
3738 		 */
3739 		if (filter_wiphy >= 0)
3740 			cb->args[2] = filter_wiphy + 1;
3741 		else
3742 			cb->args[2] = -1;
3743 	} else if (cb->args[2] > 0) {
3744 		filter_wiphy = cb->args[2] - 1;
3745 	}
3746 
3747 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3748 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3749 			continue;
3750 		if (wp_idx < wp_start) {
3751 			wp_idx++;
3752 			continue;
3753 		}
3754 
3755 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3756 			continue;
3757 
3758 		if_idx = 0;
3759 
3760 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3761 			if (if_idx < if_start) {
3762 				if_idx++;
3763 				continue;
3764 			}
3765 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3766 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3767 					       rdev, wdev,
3768 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3769 				goto out;
3770 			}
3771 			if_idx++;
3772 		}
3773 
3774 		wp_idx++;
3775 	}
3776  out:
3777 	cb->args[0] = wp_idx;
3778 	cb->args[1] = if_idx;
3779 
3780 	ret = skb->len;
3781  out_unlock:
3782 	rtnl_unlock();
3783 
3784 	return ret;
3785 }
3786 
3787 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3788 {
3789 	struct sk_buff *msg;
3790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3791 	struct wireless_dev *wdev = info->user_ptr[1];
3792 
3793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3794 	if (!msg)
3795 		return -ENOMEM;
3796 
3797 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3798 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3799 		nlmsg_free(msg);
3800 		return -ENOBUFS;
3801 	}
3802 
3803 	return genlmsg_reply(msg, info);
3804 }
3805 
3806 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3807 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3808 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3809 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3810 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3811 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3812 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3813 };
3814 
3815 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3816 {
3817 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3818 	int flag;
3819 
3820 	*mntrflags = 0;
3821 
3822 	if (!nla)
3823 		return -EINVAL;
3824 
3825 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3826 		return -EINVAL;
3827 
3828 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3829 		if (flags[flag])
3830 			*mntrflags |= (1<<flag);
3831 
3832 	*mntrflags |= MONITOR_FLAG_CHANGED;
3833 
3834 	return 0;
3835 }
3836 
3837 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3838 				     enum nl80211_iftype type,
3839 				     struct genl_info *info,
3840 				     struct vif_params *params)
3841 {
3842 	bool change = false;
3843 	int err;
3844 
3845 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3846 		if (type != NL80211_IFTYPE_MONITOR)
3847 			return -EINVAL;
3848 
3849 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3850 					  &params->flags);
3851 		if (err)
3852 			return err;
3853 
3854 		change = true;
3855 	}
3856 
3857 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3858 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3859 		return -EOPNOTSUPP;
3860 
3861 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3862 		const u8 *mumimo_groups;
3863 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3864 
3865 		if (type != NL80211_IFTYPE_MONITOR)
3866 			return -EINVAL;
3867 
3868 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3869 			return -EOPNOTSUPP;
3870 
3871 		mumimo_groups =
3872 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3873 
3874 		/* bits 0 and 63 are reserved and must be zero */
3875 		if ((mumimo_groups[0] & BIT(0)) ||
3876 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3877 			return -EINVAL;
3878 
3879 		params->vht_mumimo_groups = mumimo_groups;
3880 		change = true;
3881 	}
3882 
3883 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3884 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3885 
3886 		if (type != NL80211_IFTYPE_MONITOR)
3887 			return -EINVAL;
3888 
3889 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3890 			return -EOPNOTSUPP;
3891 
3892 		params->vht_mumimo_follow_addr =
3893 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3894 		change = true;
3895 	}
3896 
3897 	return change ? 1 : 0;
3898 }
3899 
3900 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3901 			       struct net_device *netdev, u8 use_4addr,
3902 			       enum nl80211_iftype iftype)
3903 {
3904 	if (!use_4addr) {
3905 		if (netdev && netif_is_bridge_port(netdev))
3906 			return -EBUSY;
3907 		return 0;
3908 	}
3909 
3910 	switch (iftype) {
3911 	case NL80211_IFTYPE_AP_VLAN:
3912 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3913 			return 0;
3914 		break;
3915 	case NL80211_IFTYPE_STATION:
3916 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3917 			return 0;
3918 		break;
3919 	default:
3920 		break;
3921 	}
3922 
3923 	return -EOPNOTSUPP;
3924 }
3925 
3926 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3927 {
3928 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3929 	struct vif_params params;
3930 	int err;
3931 	enum nl80211_iftype otype, ntype;
3932 	struct net_device *dev = info->user_ptr[1];
3933 	bool change = false;
3934 
3935 	memset(&params, 0, sizeof(params));
3936 
3937 	otype = ntype = dev->ieee80211_ptr->iftype;
3938 
3939 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3940 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3941 		if (otype != ntype)
3942 			change = true;
3943 	}
3944 
3945 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3946 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3947 
3948 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3949 			return -EINVAL;
3950 		if (netif_running(dev))
3951 			return -EBUSY;
3952 
3953 		wdev_lock(wdev);
3954 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3955 			     IEEE80211_MAX_MESH_ID_LEN);
3956 		wdev->mesh_id_up_len =
3957 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3958 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3959 		       wdev->mesh_id_up_len);
3960 		wdev_unlock(wdev);
3961 	}
3962 
3963 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3964 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3965 		change = true;
3966 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3967 		if (err)
3968 			return err;
3969 	} else {
3970 		params.use_4addr = -1;
3971 	}
3972 
3973 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3974 	if (err < 0)
3975 		return err;
3976 	if (err > 0)
3977 		change = true;
3978 
3979 	if (change)
3980 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3981 	else
3982 		err = 0;
3983 
3984 	if (!err && params.use_4addr != -1)
3985 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3986 
3987 	if (change && !err) {
3988 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3989 
3990 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3991 	}
3992 
3993 	return err;
3994 }
3995 
3996 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3997 {
3998 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3999 	struct vif_params params;
4000 	struct wireless_dev *wdev;
4001 	struct sk_buff *msg;
4002 	int err;
4003 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4004 
4005 	memset(&params, 0, sizeof(params));
4006 
4007 	if (!info->attrs[NL80211_ATTR_IFNAME])
4008 		return -EINVAL;
4009 
4010 	if (info->attrs[NL80211_ATTR_IFTYPE])
4011 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4012 
4013 	if (!rdev->ops->add_virtual_intf)
4014 		return -EOPNOTSUPP;
4015 
4016 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4017 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4018 	    info->attrs[NL80211_ATTR_MAC]) {
4019 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4020 			   ETH_ALEN);
4021 		if (!is_valid_ether_addr(params.macaddr))
4022 			return -EADDRNOTAVAIL;
4023 	}
4024 
4025 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4026 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4027 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4028 		if (err)
4029 			return err;
4030 	}
4031 
4032 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4033 		return -EOPNOTSUPP;
4034 
4035 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4036 	if (err < 0)
4037 		return err;
4038 
4039 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4040 	if (!msg)
4041 		return -ENOMEM;
4042 
4043 	wdev = rdev_add_virtual_intf(rdev,
4044 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4045 				NET_NAME_USER, type, &params);
4046 	if (WARN_ON(!wdev)) {
4047 		nlmsg_free(msg);
4048 		return -EPROTO;
4049 	} else if (IS_ERR(wdev)) {
4050 		nlmsg_free(msg);
4051 		return PTR_ERR(wdev);
4052 	}
4053 
4054 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4055 		wdev->owner_nlportid = info->snd_portid;
4056 
4057 	switch (type) {
4058 	case NL80211_IFTYPE_MESH_POINT:
4059 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4060 			break;
4061 		wdev_lock(wdev);
4062 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4063 			     IEEE80211_MAX_MESH_ID_LEN);
4064 		wdev->mesh_id_up_len =
4065 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4066 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4067 		       wdev->mesh_id_up_len);
4068 		wdev_unlock(wdev);
4069 		break;
4070 	case NL80211_IFTYPE_NAN:
4071 	case NL80211_IFTYPE_P2P_DEVICE:
4072 		/*
4073 		 * P2P Device and NAN do not have a netdev, so don't go
4074 		 * through the netdev notifier and must be added here
4075 		 */
4076 		cfg80211_init_wdev(wdev);
4077 		cfg80211_register_wdev(rdev, wdev);
4078 		break;
4079 	default:
4080 		break;
4081 	}
4082 
4083 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4084 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4085 		nlmsg_free(msg);
4086 		return -ENOBUFS;
4087 	}
4088 
4089 	return genlmsg_reply(msg, info);
4090 }
4091 
4092 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4093 {
4094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4095 	int ret;
4096 
4097 	/* to avoid failing a new interface creation due to pending removal */
4098 	cfg80211_destroy_ifaces(rdev);
4099 
4100 	wiphy_lock(&rdev->wiphy);
4101 	ret = _nl80211_new_interface(skb, info);
4102 	wiphy_unlock(&rdev->wiphy);
4103 
4104 	return ret;
4105 }
4106 
4107 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4108 {
4109 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4110 	struct wireless_dev *wdev = info->user_ptr[1];
4111 
4112 	if (!rdev->ops->del_virtual_intf)
4113 		return -EOPNOTSUPP;
4114 
4115 	/*
4116 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4117 	 * reach 0, and thus the rdev cannot be deleted.
4118 	 *
4119 	 * We need to do it for the dev_close(), since that will call
4120 	 * the netdev notifiers, and we need to acquire the mutex there
4121 	 * but don't know if we get there from here or from some other
4122 	 * place (e.g. "ip link set ... down").
4123 	 */
4124 	mutex_unlock(&rdev->wiphy.mtx);
4125 
4126 	/*
4127 	 * If we remove a wireless device without a netdev then clear
4128 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4129 	 * to check if it needs to do dev_put(). Otherwise it crashes
4130 	 * since the wdev has been freed, unlike with a netdev where
4131 	 * we need the dev_put() for the netdev to really be freed.
4132 	 */
4133 	if (!wdev->netdev)
4134 		info->user_ptr[1] = NULL;
4135 	else
4136 		dev_close(wdev->netdev);
4137 
4138 	mutex_lock(&rdev->wiphy.mtx);
4139 
4140 	return rdev_del_virtual_intf(rdev, wdev);
4141 }
4142 
4143 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4144 {
4145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4146 	struct net_device *dev = info->user_ptr[1];
4147 	u16 noack_map;
4148 
4149 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4150 		return -EINVAL;
4151 
4152 	if (!rdev->ops->set_noack_map)
4153 		return -EOPNOTSUPP;
4154 
4155 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4156 
4157 	return rdev_set_noack_map(rdev, dev, noack_map);
4158 }
4159 
4160 struct get_key_cookie {
4161 	struct sk_buff *msg;
4162 	int error;
4163 	int idx;
4164 };
4165 
4166 static void get_key_callback(void *c, struct key_params *params)
4167 {
4168 	struct nlattr *key;
4169 	struct get_key_cookie *cookie = c;
4170 
4171 	if ((params->key &&
4172 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4173 		     params->key_len, params->key)) ||
4174 	    (params->seq &&
4175 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4176 		     params->seq_len, params->seq)) ||
4177 	    (params->cipher &&
4178 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4179 			 params->cipher)))
4180 		goto nla_put_failure;
4181 
4182 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4183 	if (!key)
4184 		goto nla_put_failure;
4185 
4186 	if ((params->key &&
4187 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4188 		     params->key_len, params->key)) ||
4189 	    (params->seq &&
4190 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4191 		     params->seq_len, params->seq)) ||
4192 	    (params->cipher &&
4193 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4194 			 params->cipher)))
4195 		goto nla_put_failure;
4196 
4197 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4198 		goto nla_put_failure;
4199 
4200 	nla_nest_end(cookie->msg, key);
4201 
4202 	return;
4203  nla_put_failure:
4204 	cookie->error = 1;
4205 }
4206 
4207 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4208 {
4209 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4210 	int err;
4211 	struct net_device *dev = info->user_ptr[1];
4212 	u8 key_idx = 0;
4213 	const u8 *mac_addr = NULL;
4214 	bool pairwise;
4215 	struct get_key_cookie cookie = {
4216 		.error = 0,
4217 	};
4218 	void *hdr;
4219 	struct sk_buff *msg;
4220 	bool bigtk_support = false;
4221 
4222 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4223 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4224 		bigtk_support = true;
4225 
4226 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4227 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4228 	    wiphy_ext_feature_isset(&rdev->wiphy,
4229 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4230 		bigtk_support = true;
4231 
4232 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4233 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4234 
4235 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4236 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4237 			return -EINVAL;
4238 		}
4239 	}
4240 
4241 	if (info->attrs[NL80211_ATTR_MAC])
4242 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4243 
4244 	pairwise = !!mac_addr;
4245 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4246 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4247 
4248 		if (kt != NL80211_KEYTYPE_GROUP &&
4249 		    kt != NL80211_KEYTYPE_PAIRWISE)
4250 			return -EINVAL;
4251 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4252 	}
4253 
4254 	if (!rdev->ops->get_key)
4255 		return -EOPNOTSUPP;
4256 
4257 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4258 		return -ENOENT;
4259 
4260 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4261 	if (!msg)
4262 		return -ENOMEM;
4263 
4264 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4265 			     NL80211_CMD_NEW_KEY);
4266 	if (!hdr)
4267 		goto nla_put_failure;
4268 
4269 	cookie.msg = msg;
4270 	cookie.idx = key_idx;
4271 
4272 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4273 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4274 		goto nla_put_failure;
4275 	if (mac_addr &&
4276 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4277 		goto nla_put_failure;
4278 
4279 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4280 			   get_key_callback);
4281 
4282 	if (err)
4283 		goto free_msg;
4284 
4285 	if (cookie.error)
4286 		goto nla_put_failure;
4287 
4288 	genlmsg_end(msg, hdr);
4289 	return genlmsg_reply(msg, info);
4290 
4291  nla_put_failure:
4292 	err = -ENOBUFS;
4293  free_msg:
4294 	nlmsg_free(msg);
4295 	return err;
4296 }
4297 
4298 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4299 {
4300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4301 	struct key_parse key;
4302 	int err;
4303 	struct net_device *dev = info->user_ptr[1];
4304 
4305 	err = nl80211_parse_key(info, &key);
4306 	if (err)
4307 		return err;
4308 
4309 	if (key.idx < 0)
4310 		return -EINVAL;
4311 
4312 	/* Only support setting default key and
4313 	 * Extended Key ID action NL80211_KEY_SET_TX.
4314 	 */
4315 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4316 	    !(key.p.mode == NL80211_KEY_SET_TX))
4317 		return -EINVAL;
4318 
4319 	wdev_lock(dev->ieee80211_ptr);
4320 
4321 	if (key.def) {
4322 		if (!rdev->ops->set_default_key) {
4323 			err = -EOPNOTSUPP;
4324 			goto out;
4325 		}
4326 
4327 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4328 		if (err)
4329 			goto out;
4330 
4331 		err = rdev_set_default_key(rdev, dev, key.idx,
4332 						 key.def_uni, key.def_multi);
4333 
4334 		if (err)
4335 			goto out;
4336 
4337 #ifdef CONFIG_CFG80211_WEXT
4338 		dev->ieee80211_ptr->wext.default_key = key.idx;
4339 #endif
4340 	} else if (key.defmgmt) {
4341 		if (key.def_uni || !key.def_multi) {
4342 			err = -EINVAL;
4343 			goto out;
4344 		}
4345 
4346 		if (!rdev->ops->set_default_mgmt_key) {
4347 			err = -EOPNOTSUPP;
4348 			goto out;
4349 		}
4350 
4351 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4352 		if (err)
4353 			goto out;
4354 
4355 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4356 		if (err)
4357 			goto out;
4358 
4359 #ifdef CONFIG_CFG80211_WEXT
4360 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4361 #endif
4362 	} else if (key.defbeacon) {
4363 		if (key.def_uni || !key.def_multi) {
4364 			err = -EINVAL;
4365 			goto out;
4366 		}
4367 
4368 		if (!rdev->ops->set_default_beacon_key) {
4369 			err = -EOPNOTSUPP;
4370 			goto out;
4371 		}
4372 
4373 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4374 		if (err)
4375 			goto out;
4376 
4377 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4378 		if (err)
4379 			goto out;
4380 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4381 		   wiphy_ext_feature_isset(&rdev->wiphy,
4382 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4383 		u8 *mac_addr = NULL;
4384 
4385 		if (info->attrs[NL80211_ATTR_MAC])
4386 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4387 
4388 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4389 			err = -EINVAL;
4390 			goto out;
4391 		}
4392 
4393 		err = rdev_add_key(rdev, dev, key.idx,
4394 				   NL80211_KEYTYPE_PAIRWISE,
4395 				   mac_addr, &key.p);
4396 	} else {
4397 		err = -EINVAL;
4398 	}
4399  out:
4400 	wdev_unlock(dev->ieee80211_ptr);
4401 
4402 	return err;
4403 }
4404 
4405 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4406 {
4407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4408 	int err;
4409 	struct net_device *dev = info->user_ptr[1];
4410 	struct key_parse key;
4411 	const u8 *mac_addr = NULL;
4412 
4413 	err = nl80211_parse_key(info, &key);
4414 	if (err)
4415 		return err;
4416 
4417 	if (!key.p.key) {
4418 		GENL_SET_ERR_MSG(info, "no key");
4419 		return -EINVAL;
4420 	}
4421 
4422 	if (info->attrs[NL80211_ATTR_MAC])
4423 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4424 
4425 	if (key.type == -1) {
4426 		if (mac_addr)
4427 			key.type = NL80211_KEYTYPE_PAIRWISE;
4428 		else
4429 			key.type = NL80211_KEYTYPE_GROUP;
4430 	}
4431 
4432 	/* for now */
4433 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4434 	    key.type != NL80211_KEYTYPE_GROUP) {
4435 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4436 		return -EINVAL;
4437 	}
4438 
4439 	if (key.type == NL80211_KEYTYPE_GROUP &&
4440 	    info->attrs[NL80211_ATTR_VLAN_ID])
4441 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4442 
4443 	if (!rdev->ops->add_key)
4444 		return -EOPNOTSUPP;
4445 
4446 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4447 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4448 					   mac_addr)) {
4449 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4450 		return -EINVAL;
4451 	}
4452 
4453 	wdev_lock(dev->ieee80211_ptr);
4454 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4455 	if (err)
4456 		GENL_SET_ERR_MSG(info, "key not allowed");
4457 	if (!err) {
4458 		err = rdev_add_key(rdev, dev, key.idx,
4459 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4460 				    mac_addr, &key.p);
4461 		if (err)
4462 			GENL_SET_ERR_MSG(info, "key addition failed");
4463 	}
4464 	wdev_unlock(dev->ieee80211_ptr);
4465 
4466 	return err;
4467 }
4468 
4469 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4470 {
4471 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4472 	int err;
4473 	struct net_device *dev = info->user_ptr[1];
4474 	u8 *mac_addr = NULL;
4475 	struct key_parse key;
4476 
4477 	err = nl80211_parse_key(info, &key);
4478 	if (err)
4479 		return err;
4480 
4481 	if (info->attrs[NL80211_ATTR_MAC])
4482 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4483 
4484 	if (key.type == -1) {
4485 		if (mac_addr)
4486 			key.type = NL80211_KEYTYPE_PAIRWISE;
4487 		else
4488 			key.type = NL80211_KEYTYPE_GROUP;
4489 	}
4490 
4491 	/* for now */
4492 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4493 	    key.type != NL80211_KEYTYPE_GROUP)
4494 		return -EINVAL;
4495 
4496 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4497 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4498 		return -EINVAL;
4499 
4500 	if (!rdev->ops->del_key)
4501 		return -EOPNOTSUPP;
4502 
4503 	wdev_lock(dev->ieee80211_ptr);
4504 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4505 
4506 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4507 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4508 		err = -ENOENT;
4509 
4510 	if (!err)
4511 		err = rdev_del_key(rdev, dev, key.idx,
4512 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4513 				   mac_addr);
4514 
4515 #ifdef CONFIG_CFG80211_WEXT
4516 	if (!err) {
4517 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4518 			dev->ieee80211_ptr->wext.default_key = -1;
4519 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4520 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4521 	}
4522 #endif
4523 	wdev_unlock(dev->ieee80211_ptr);
4524 
4525 	return err;
4526 }
4527 
4528 /* This function returns an error or the number of nested attributes */
4529 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4530 {
4531 	struct nlattr *attr;
4532 	int n_entries = 0, tmp;
4533 
4534 	nla_for_each_nested(attr, nl_attr, tmp) {
4535 		if (nla_len(attr) != ETH_ALEN)
4536 			return -EINVAL;
4537 
4538 		n_entries++;
4539 	}
4540 
4541 	return n_entries;
4542 }
4543 
4544 /*
4545  * This function parses ACL information and allocates memory for ACL data.
4546  * On successful return, the calling function is responsible to free the
4547  * ACL buffer returned by this function.
4548  */
4549 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4550 						struct genl_info *info)
4551 {
4552 	enum nl80211_acl_policy acl_policy;
4553 	struct nlattr *attr;
4554 	struct cfg80211_acl_data *acl;
4555 	int i = 0, n_entries, tmp;
4556 
4557 	if (!wiphy->max_acl_mac_addrs)
4558 		return ERR_PTR(-EOPNOTSUPP);
4559 
4560 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4561 		return ERR_PTR(-EINVAL);
4562 
4563 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4564 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4565 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4566 		return ERR_PTR(-EINVAL);
4567 
4568 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4569 		return ERR_PTR(-EINVAL);
4570 
4571 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4572 	if (n_entries < 0)
4573 		return ERR_PTR(n_entries);
4574 
4575 	if (n_entries > wiphy->max_acl_mac_addrs)
4576 		return ERR_PTR(-ENOTSUPP);
4577 
4578 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4579 	if (!acl)
4580 		return ERR_PTR(-ENOMEM);
4581 
4582 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4583 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4584 		i++;
4585 	}
4586 
4587 	acl->n_acl_entries = n_entries;
4588 	acl->acl_policy = acl_policy;
4589 
4590 	return acl;
4591 }
4592 
4593 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4594 {
4595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4596 	struct net_device *dev = info->user_ptr[1];
4597 	struct cfg80211_acl_data *acl;
4598 	int err;
4599 
4600 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4601 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4602 		return -EOPNOTSUPP;
4603 
4604 	if (!dev->ieee80211_ptr->beacon_interval)
4605 		return -EINVAL;
4606 
4607 	acl = parse_acl_data(&rdev->wiphy, info);
4608 	if (IS_ERR(acl))
4609 		return PTR_ERR(acl);
4610 
4611 	err = rdev_set_mac_acl(rdev, dev, acl);
4612 
4613 	kfree(acl);
4614 
4615 	return err;
4616 }
4617 
4618 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4619 			   u8 *rates, u8 rates_len)
4620 {
4621 	u8 i;
4622 	u32 mask = 0;
4623 
4624 	for (i = 0; i < rates_len; i++) {
4625 		int rate = (rates[i] & 0x7f) * 5;
4626 		int ridx;
4627 
4628 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4629 			struct ieee80211_rate *srate =
4630 				&sband->bitrates[ridx];
4631 			if (rate == srate->bitrate) {
4632 				mask |= 1 << ridx;
4633 				break;
4634 			}
4635 		}
4636 		if (ridx == sband->n_bitrates)
4637 			return 0; /* rate not found */
4638 	}
4639 
4640 	return mask;
4641 }
4642 
4643 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4644 			       u8 *rates, u8 rates_len,
4645 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4646 {
4647 	u8 i;
4648 
4649 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4650 
4651 	for (i = 0; i < rates_len; i++) {
4652 		int ridx, rbit;
4653 
4654 		ridx = rates[i] / 8;
4655 		rbit = BIT(rates[i] % 8);
4656 
4657 		/* check validity */
4658 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4659 			return false;
4660 
4661 		/* check availability */
4662 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4663 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4664 			mcs[ridx] |= rbit;
4665 		else
4666 			return false;
4667 	}
4668 
4669 	return true;
4670 }
4671 
4672 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4673 {
4674 	u16 mcs_mask = 0;
4675 
4676 	switch (vht_mcs_map) {
4677 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4678 		break;
4679 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4680 		mcs_mask = 0x00FF;
4681 		break;
4682 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4683 		mcs_mask = 0x01FF;
4684 		break;
4685 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4686 		mcs_mask = 0x03FF;
4687 		break;
4688 	default:
4689 		break;
4690 	}
4691 
4692 	return mcs_mask;
4693 }
4694 
4695 static void vht_build_mcs_mask(u16 vht_mcs_map,
4696 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4697 {
4698 	u8 nss;
4699 
4700 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4701 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4702 		vht_mcs_map >>= 2;
4703 	}
4704 }
4705 
4706 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4707 			     struct nl80211_txrate_vht *txrate,
4708 			     u16 mcs[NL80211_VHT_NSS_MAX])
4709 {
4710 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4711 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4712 	u8 i;
4713 
4714 	if (!sband->vht_cap.vht_supported)
4715 		return false;
4716 
4717 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4718 
4719 	/* Build vht_mcs_mask from VHT capabilities */
4720 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4721 
4722 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4723 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4724 			mcs[i] = txrate->mcs[i];
4725 		else
4726 			return false;
4727 	}
4728 
4729 	return true;
4730 }
4731 
4732 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4733 {
4734 	switch (he_mcs_map) {
4735 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4736 		return 0;
4737 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4738 		return 0x00FF;
4739 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4740 		return 0x03FF;
4741 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4742 		return 0xFFF;
4743 	default:
4744 		break;
4745 	}
4746 	return 0;
4747 }
4748 
4749 static void he_build_mcs_mask(u16 he_mcs_map,
4750 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4751 {
4752 	u8 nss;
4753 
4754 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4755 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4756 		he_mcs_map >>= 2;
4757 	}
4758 }
4759 
4760 static u16 he_get_txmcsmap(struct genl_info *info,
4761 			   const struct ieee80211_sta_he_cap *he_cap)
4762 {
4763 	struct net_device *dev = info->user_ptr[1];
4764 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4765 	__le16	tx_mcs;
4766 
4767 	switch (wdev->chandef.width) {
4768 	case NL80211_CHAN_WIDTH_80P80:
4769 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4770 		break;
4771 	case NL80211_CHAN_WIDTH_160:
4772 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4773 		break;
4774 	default:
4775 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4776 		break;
4777 	}
4778 	return le16_to_cpu(tx_mcs);
4779 }
4780 
4781 static bool he_set_mcs_mask(struct genl_info *info,
4782 			    struct wireless_dev *wdev,
4783 			    struct ieee80211_supported_band *sband,
4784 			    struct nl80211_txrate_he *txrate,
4785 			    u16 mcs[NL80211_HE_NSS_MAX])
4786 {
4787 	const struct ieee80211_sta_he_cap *he_cap;
4788 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4789 	u16 tx_mcs_map = 0;
4790 	u8 i;
4791 
4792 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4793 	if (!he_cap)
4794 		return false;
4795 
4796 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4797 
4798 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4799 
4800 	/* Build he_mcs_mask from HE capabilities */
4801 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4802 
4803 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4804 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4805 			mcs[i] = txrate->mcs[i];
4806 		else
4807 			return false;
4808 	}
4809 
4810 	return true;
4811 }
4812 
4813 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4814 					 struct nlattr *attrs[],
4815 					 enum nl80211_attrs attr,
4816 					 struct cfg80211_bitrate_mask *mask,
4817 					 struct net_device *dev,
4818 					 bool default_all_enabled)
4819 {
4820 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4822 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4823 	int rem, i;
4824 	struct nlattr *tx_rates;
4825 	struct ieee80211_supported_band *sband;
4826 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4827 
4828 	memset(mask, 0, sizeof(*mask));
4829 	/* Default to all rates enabled */
4830 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4831 		const struct ieee80211_sta_he_cap *he_cap;
4832 
4833 		if (!default_all_enabled)
4834 			break;
4835 
4836 		sband = rdev->wiphy.bands[i];
4837 
4838 		if (!sband)
4839 			continue;
4840 
4841 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4842 		memcpy(mask->control[i].ht_mcs,
4843 		       sband->ht_cap.mcs.rx_mask,
4844 		       sizeof(mask->control[i].ht_mcs));
4845 
4846 		if (sband->vht_cap.vht_supported) {
4847 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4848 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4849 		}
4850 
4851 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4852 		if (!he_cap)
4853 			continue;
4854 
4855 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4856 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4857 
4858 		mask->control[i].he_gi = 0xFF;
4859 		mask->control[i].he_ltf = 0xFF;
4860 	}
4861 
4862 	/* if no rates are given set it back to the defaults */
4863 	if (!attrs[attr])
4864 		goto out;
4865 
4866 	/* The nested attribute uses enum nl80211_band as the index. This maps
4867 	 * directly to the enum nl80211_band values used in cfg80211.
4868 	 */
4869 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4870 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4871 		enum nl80211_band band = nla_type(tx_rates);
4872 		int err;
4873 
4874 		if (band < 0 || band >= NUM_NL80211_BANDS)
4875 			return -EINVAL;
4876 		sband = rdev->wiphy.bands[band];
4877 		if (sband == NULL)
4878 			return -EINVAL;
4879 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4880 						  tx_rates,
4881 						  nl80211_txattr_policy,
4882 						  info->extack);
4883 		if (err)
4884 			return err;
4885 		if (tb[NL80211_TXRATE_LEGACY]) {
4886 			mask->control[band].legacy = rateset_to_mask(
4887 				sband,
4888 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4889 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4890 			if ((mask->control[band].legacy == 0) &&
4891 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4892 				return -EINVAL;
4893 		}
4894 		if (tb[NL80211_TXRATE_HT]) {
4895 			if (!ht_rateset_to_mask(
4896 					sband,
4897 					nla_data(tb[NL80211_TXRATE_HT]),
4898 					nla_len(tb[NL80211_TXRATE_HT]),
4899 					mask->control[band].ht_mcs))
4900 				return -EINVAL;
4901 		}
4902 
4903 		if (tb[NL80211_TXRATE_VHT]) {
4904 			if (!vht_set_mcs_mask(
4905 					sband,
4906 					nla_data(tb[NL80211_TXRATE_VHT]),
4907 					mask->control[band].vht_mcs))
4908 				return -EINVAL;
4909 		}
4910 
4911 		if (tb[NL80211_TXRATE_GI]) {
4912 			mask->control[band].gi =
4913 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4914 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4915 				return -EINVAL;
4916 		}
4917 		if (tb[NL80211_TXRATE_HE] &&
4918 		    !he_set_mcs_mask(info, wdev, sband,
4919 				     nla_data(tb[NL80211_TXRATE_HE]),
4920 				     mask->control[band].he_mcs))
4921 			return -EINVAL;
4922 
4923 		if (tb[NL80211_TXRATE_HE_GI])
4924 			mask->control[band].he_gi =
4925 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4926 		if (tb[NL80211_TXRATE_HE_LTF])
4927 			mask->control[band].he_ltf =
4928 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4929 
4930 		if (mask->control[band].legacy == 0) {
4931 			/* don't allow empty legacy rates if HT, VHT or HE
4932 			 * are not even supported.
4933 			 */
4934 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4935 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4936 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4937 				return -EINVAL;
4938 
4939 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4940 				if (mask->control[band].ht_mcs[i])
4941 					goto out;
4942 
4943 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4944 				if (mask->control[band].vht_mcs[i])
4945 					goto out;
4946 
4947 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4948 				if (mask->control[band].he_mcs[i])
4949 					goto out;
4950 
4951 			/* legacy and mcs rates may not be both empty */
4952 			return -EINVAL;
4953 		}
4954 	}
4955 
4956 out:
4957 	return 0;
4958 }
4959 
4960 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4961 				   enum nl80211_band band,
4962 				   struct cfg80211_bitrate_mask *beacon_rate)
4963 {
4964 	u32 count_ht, count_vht, count_he, i;
4965 	u32 rate = beacon_rate->control[band].legacy;
4966 
4967 	/* Allow only one rate */
4968 	if (hweight32(rate) > 1)
4969 		return -EINVAL;
4970 
4971 	count_ht = 0;
4972 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4973 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4974 			return -EINVAL;
4975 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4976 			count_ht++;
4977 			if (count_ht > 1)
4978 				return -EINVAL;
4979 		}
4980 		if (count_ht && rate)
4981 			return -EINVAL;
4982 	}
4983 
4984 	count_vht = 0;
4985 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4986 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4987 			return -EINVAL;
4988 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4989 			count_vht++;
4990 			if (count_vht > 1)
4991 				return -EINVAL;
4992 		}
4993 		if (count_vht && rate)
4994 			return -EINVAL;
4995 	}
4996 
4997 	count_he = 0;
4998 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4999 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5000 			return -EINVAL;
5001 		} else if (beacon_rate->control[band].he_mcs[i]) {
5002 			count_he++;
5003 			if (count_he > 1)
5004 				return -EINVAL;
5005 		}
5006 		if (count_he && rate)
5007 			return -EINVAL;
5008 	}
5009 
5010 	if ((count_ht && count_vht && count_he) ||
5011 	    (!rate && !count_ht && !count_vht && !count_he))
5012 		return -EINVAL;
5013 
5014 	if (rate &&
5015 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5016 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5017 		return -EINVAL;
5018 	if (count_ht &&
5019 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5020 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5021 		return -EINVAL;
5022 	if (count_vht &&
5023 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5024 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5025 		return -EINVAL;
5026 	if (count_he &&
5027 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5028 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5029 		return -EINVAL;
5030 
5031 	return 0;
5032 }
5033 
5034 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5035 				       struct net_device *dev,
5036 				       struct nlattr *attrs,
5037 				       struct cfg80211_mbssid_config *config,
5038 				       u8 num_elems)
5039 {
5040 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5041 
5042 	if (!wiphy->mbssid_max_interfaces)
5043 		return -EOPNOTSUPP;
5044 
5045 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5046 			     NULL) ||
5047 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5048 		return -EINVAL;
5049 
5050 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5051 	if (config->ema) {
5052 		if (!wiphy->ema_max_profile_periodicity)
5053 			return -EOPNOTSUPP;
5054 
5055 		if (num_elems > wiphy->ema_max_profile_periodicity)
5056 			return -EINVAL;
5057 	}
5058 
5059 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5060 	if (config->index >= wiphy->mbssid_max_interfaces ||
5061 	    (!config->index && !num_elems))
5062 		return -EINVAL;
5063 
5064 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5065 		u32 tx_ifindex =
5066 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5067 
5068 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5069 		    (config->index && tx_ifindex == dev->ifindex))
5070 			return -EINVAL;
5071 
5072 		if (tx_ifindex != dev->ifindex) {
5073 			struct net_device *tx_netdev =
5074 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5075 
5076 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5077 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5078 			    tx_netdev->ieee80211_ptr->iftype !=
5079 							NL80211_IFTYPE_AP) {
5080 				dev_put(tx_netdev);
5081 				return -EINVAL;
5082 			}
5083 
5084 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5085 		} else {
5086 			config->tx_wdev = dev->ieee80211_ptr;
5087 		}
5088 	} else if (!config->index) {
5089 		config->tx_wdev = dev->ieee80211_ptr;
5090 	} else {
5091 		return -EINVAL;
5092 	}
5093 
5094 	return 0;
5095 }
5096 
5097 static struct cfg80211_mbssid_elems *
5098 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5099 {
5100 	struct nlattr *nl_elems;
5101 	struct cfg80211_mbssid_elems *elems;
5102 	int rem_elems;
5103 	u8 i = 0, num_elems = 0;
5104 
5105 	if (!wiphy->mbssid_max_interfaces)
5106 		return ERR_PTR(-EINVAL);
5107 
5108 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5109 		num_elems++;
5110 
5111 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5112 	if (!elems)
5113 		return ERR_PTR(-ENOMEM);
5114 
5115 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5116 		elems->elem[i].data = nla_data(nl_elems);
5117 		elems->elem[i].len = nla_len(nl_elems);
5118 		i++;
5119 	}
5120 	elems->cnt = num_elems;
5121 	return elems;
5122 }
5123 
5124 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5125 				struct nlattr *attrs[],
5126 				struct cfg80211_beacon_data *bcn)
5127 {
5128 	bool haveinfo = false;
5129 	int err;
5130 
5131 	memset(bcn, 0, sizeof(*bcn));
5132 
5133 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5134 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5135 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5136 		if (!bcn->head_len)
5137 			return -EINVAL;
5138 		haveinfo = true;
5139 	}
5140 
5141 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5142 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5143 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5144 		haveinfo = true;
5145 	}
5146 
5147 	if (!haveinfo)
5148 		return -EINVAL;
5149 
5150 	if (attrs[NL80211_ATTR_IE]) {
5151 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5152 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5153 	}
5154 
5155 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5156 		bcn->proberesp_ies =
5157 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5158 		bcn->proberesp_ies_len =
5159 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5160 	}
5161 
5162 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5163 		bcn->assocresp_ies =
5164 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5165 		bcn->assocresp_ies_len =
5166 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5167 	}
5168 
5169 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5170 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5171 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5172 	}
5173 
5174 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5175 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5176 
5177 		err = nla_parse_nested_deprecated(tb,
5178 						  NL80211_FTM_RESP_ATTR_MAX,
5179 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5180 						  NULL, NULL);
5181 		if (err)
5182 			return err;
5183 
5184 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5185 		    wiphy_ext_feature_isset(&rdev->wiphy,
5186 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5187 			bcn->ftm_responder = 1;
5188 		else
5189 			return -EOPNOTSUPP;
5190 
5191 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5192 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5193 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5194 		}
5195 
5196 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5197 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5198 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5199 		}
5200 	} else {
5201 		bcn->ftm_responder = -1;
5202 	}
5203 
5204 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5205 		struct cfg80211_mbssid_elems *mbssid =
5206 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5207 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5208 
5209 		if (IS_ERR(mbssid))
5210 			return PTR_ERR(mbssid);
5211 
5212 		bcn->mbssid_ies = mbssid;
5213 	}
5214 
5215 	return 0;
5216 }
5217 
5218 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5219 				    struct ieee80211_he_obss_pd *he_obss_pd)
5220 {
5221 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5222 	int err;
5223 
5224 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5225 			       he_obss_pd_policy, NULL);
5226 	if (err)
5227 		return err;
5228 
5229 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5230 		return -EINVAL;
5231 
5232 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5233 
5234 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5235 		he_obss_pd->min_offset =
5236 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5237 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5238 		he_obss_pd->max_offset =
5239 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5240 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5241 		he_obss_pd->non_srg_max_offset =
5242 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5243 
5244 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5245 		return -EINVAL;
5246 
5247 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5248 		memcpy(he_obss_pd->bss_color_bitmap,
5249 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5250 		       sizeof(he_obss_pd->bss_color_bitmap));
5251 
5252 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5253 		memcpy(he_obss_pd->partial_bssid_bitmap,
5254 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5255 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5256 
5257 	he_obss_pd->enable = true;
5258 
5259 	return 0;
5260 }
5261 
5262 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5263 				      struct cfg80211_he_bss_color *he_bss_color)
5264 {
5265 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5266 	int err;
5267 
5268 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5269 			       he_bss_color_policy, NULL);
5270 	if (err)
5271 		return err;
5272 
5273 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5274 		return -EINVAL;
5275 
5276 	he_bss_color->color =
5277 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5278 	he_bss_color->enabled =
5279 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5280 	he_bss_color->partial =
5281 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5282 
5283 	return 0;
5284 }
5285 
5286 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5287 					struct nlattr *attrs,
5288 					struct cfg80211_ap_settings *params)
5289 {
5290 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5291 	int ret;
5292 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5293 
5294 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5295 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5296 		return -EINVAL;
5297 
5298 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5299 			       NULL, NULL);
5300 	if (ret)
5301 		return ret;
5302 
5303 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5304 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5305 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5306 		return -EINVAL;
5307 
5308 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5309 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5310 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5311 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5312 
5313 	return 0;
5314 }
5315 
5316 static int
5317 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5318 				     struct nlattr *attrs,
5319 				     struct cfg80211_ap_settings *params)
5320 {
5321 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5322 	int ret;
5323 	struct cfg80211_unsol_bcast_probe_resp *presp =
5324 					&params->unsol_bcast_probe_resp;
5325 
5326 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5327 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5328 		return -EINVAL;
5329 
5330 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5331 			       attrs, NULL, NULL);
5332 	if (ret)
5333 		return ret;
5334 
5335 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5336 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5337 		return -EINVAL;
5338 
5339 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5340 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5341 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5342 	return 0;
5343 }
5344 
5345 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5346 					    const struct element *rates)
5347 {
5348 	int i;
5349 
5350 	if (!rates)
5351 		return;
5352 
5353 	for (i = 0; i < rates->datalen; i++) {
5354 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5355 			params->ht_required = true;
5356 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5357 			params->vht_required = true;
5358 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5359 			params->he_required = true;
5360 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5361 			params->sae_h2e_required = true;
5362 	}
5363 }
5364 
5365 /*
5366  * Since the nl80211 API didn't include, from the beginning, attributes about
5367  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5368  * benefit of drivers that rebuild IEs in the firmware.
5369  */
5370 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5371 {
5372 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5373 	size_t ies_len = bcn->tail_len;
5374 	const u8 *ies = bcn->tail;
5375 	const struct element *rates;
5376 	const struct element *cap;
5377 
5378 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5379 	nl80211_check_ap_rate_selectors(params, rates);
5380 
5381 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5382 	nl80211_check_ap_rate_selectors(params, rates);
5383 
5384 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5385 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5386 		params->ht_cap = (void *)cap->data;
5387 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5388 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5389 		params->vht_cap = (void *)cap->data;
5390 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5391 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5392 		params->he_cap = (void *)(cap->data + 1);
5393 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5394 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5395 		params->he_oper = (void *)(cap->data + 1);
5396 }
5397 
5398 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5399 				   struct cfg80211_ap_settings *params)
5400 {
5401 	struct wireless_dev *wdev;
5402 	bool ret = false;
5403 
5404 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5405 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5406 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5407 			continue;
5408 
5409 		if (!wdev->preset_chandef.chan)
5410 			continue;
5411 
5412 		params->chandef = wdev->preset_chandef;
5413 		ret = true;
5414 		break;
5415 	}
5416 
5417 	return ret;
5418 }
5419 
5420 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5421 				    enum nl80211_auth_type auth_type,
5422 				    enum nl80211_commands cmd)
5423 {
5424 	if (auth_type > NL80211_AUTHTYPE_MAX)
5425 		return false;
5426 
5427 	switch (cmd) {
5428 	case NL80211_CMD_AUTHENTICATE:
5429 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5430 		    auth_type == NL80211_AUTHTYPE_SAE)
5431 			return false;
5432 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5433 					     NL80211_EXT_FEATURE_FILS_STA) &&
5434 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5435 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5436 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5437 			return false;
5438 		return true;
5439 	case NL80211_CMD_CONNECT:
5440 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5441 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5442 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5443 		    auth_type == NL80211_AUTHTYPE_SAE)
5444 			return false;
5445 
5446 		/* FILS with SK PFS or PK not supported yet */
5447 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5448 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5449 			return false;
5450 		if (!wiphy_ext_feature_isset(
5451 			    &rdev->wiphy,
5452 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5453 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5454 			return false;
5455 		return true;
5456 	case NL80211_CMD_START_AP:
5457 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5458 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5459 		    auth_type == NL80211_AUTHTYPE_SAE)
5460 			return false;
5461 		/* FILS not supported yet */
5462 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5463 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5464 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5465 			return false;
5466 		return true;
5467 	default:
5468 		return false;
5469 	}
5470 }
5471 
5472 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5473 {
5474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5475 	struct net_device *dev = info->user_ptr[1];
5476 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5477 	struct cfg80211_ap_settings *params;
5478 	int err;
5479 
5480 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5481 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5482 		return -EOPNOTSUPP;
5483 
5484 	if (!rdev->ops->start_ap)
5485 		return -EOPNOTSUPP;
5486 
5487 	if (wdev->beacon_interval)
5488 		return -EALREADY;
5489 
5490 	/* these are required for START_AP */
5491 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5492 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5493 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5494 		return -EINVAL;
5495 
5496 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5497 	if (!params)
5498 		return -ENOMEM;
5499 
5500 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5501 	if (err)
5502 		goto out;
5503 
5504 	params->beacon_interval =
5505 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5506 	params->dtim_period =
5507 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5508 
5509 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5510 					   params->beacon_interval);
5511 	if (err)
5512 		goto out;
5513 
5514 	/*
5515 	 * In theory, some of these attributes should be required here
5516 	 * but since they were not used when the command was originally
5517 	 * added, keep them optional for old user space programs to let
5518 	 * them continue to work with drivers that do not need the
5519 	 * additional information -- drivers must check!
5520 	 */
5521 	if (info->attrs[NL80211_ATTR_SSID]) {
5522 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5523 		params->ssid_len =
5524 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5525 		if (params->ssid_len == 0) {
5526 			err = -EINVAL;
5527 			goto out;
5528 		}
5529 	}
5530 
5531 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5532 		params->hidden_ssid = nla_get_u32(
5533 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5534 
5535 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5536 
5537 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5538 		params->auth_type = nla_get_u32(
5539 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5540 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5541 					     NL80211_CMD_START_AP)) {
5542 			err = -EINVAL;
5543 			goto out;
5544 		}
5545 	} else
5546 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5547 
5548 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5549 				      NL80211_MAX_NR_CIPHER_SUITES);
5550 	if (err)
5551 		goto out;
5552 
5553 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5554 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5555 			err = -EOPNOTSUPP;
5556 			goto out;
5557 		}
5558 		params->inactivity_timeout = nla_get_u16(
5559 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5560 	}
5561 
5562 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5563 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5564 			err = -EINVAL;
5565 			goto out;
5566 		}
5567 		params->p2p_ctwindow =
5568 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5569 		if (params->p2p_ctwindow != 0 &&
5570 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5571 			err = -EINVAL;
5572 			goto out;
5573 		}
5574 	}
5575 
5576 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5577 		u8 tmp;
5578 
5579 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5580 			err = -EINVAL;
5581 			goto out;
5582 		}
5583 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5584 		params->p2p_opp_ps = tmp;
5585 		if (params->p2p_opp_ps != 0 &&
5586 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5587 			err = -EINVAL;
5588 			goto out;
5589 		}
5590 	}
5591 
5592 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5593 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5594 		if (err)
5595 			goto out;
5596 	} else if (wdev->preset_chandef.chan) {
5597 		params->chandef = wdev->preset_chandef;
5598 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5599 		err = -EINVAL;
5600 		goto out;
5601 	}
5602 
5603 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5604 					   wdev->iftype)) {
5605 		err = -EINVAL;
5606 		goto out;
5607 	}
5608 
5609 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5610 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5611 						    NL80211_ATTR_TX_RATES,
5612 						    &params->beacon_rate,
5613 						    dev, false);
5614 		if (err)
5615 			goto out;
5616 
5617 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5618 					      &params->beacon_rate);
5619 		if (err)
5620 			goto out;
5621 	}
5622 
5623 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5624 		params->smps_mode =
5625 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5626 		switch (params->smps_mode) {
5627 		case NL80211_SMPS_OFF:
5628 			break;
5629 		case NL80211_SMPS_STATIC:
5630 			if (!(rdev->wiphy.features &
5631 			      NL80211_FEATURE_STATIC_SMPS)) {
5632 				err = -EINVAL;
5633 				goto out;
5634 			}
5635 			break;
5636 		case NL80211_SMPS_DYNAMIC:
5637 			if (!(rdev->wiphy.features &
5638 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5639 				err = -EINVAL;
5640 				goto out;
5641 			}
5642 			break;
5643 		default:
5644 			err = -EINVAL;
5645 			goto out;
5646 		}
5647 	} else {
5648 		params->smps_mode = NL80211_SMPS_OFF;
5649 	}
5650 
5651 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5652 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5653 		err = -EOPNOTSUPP;
5654 		goto out;
5655 	}
5656 
5657 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5658 		params->acl = parse_acl_data(&rdev->wiphy, info);
5659 		if (IS_ERR(params->acl)) {
5660 			err = PTR_ERR(params->acl);
5661 			params->acl = NULL;
5662 			goto out;
5663 		}
5664 	}
5665 
5666 	params->twt_responder =
5667 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5668 
5669 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5670 		err = nl80211_parse_he_obss_pd(
5671 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5672 					&params->he_obss_pd);
5673 		if (err)
5674 			goto out;
5675 	}
5676 
5677 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5678 		err = nl80211_parse_he_bss_color(
5679 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5680 					&params->he_bss_color);
5681 		if (err)
5682 			goto out;
5683 	}
5684 
5685 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5686 		err = nl80211_parse_fils_discovery(rdev,
5687 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5688 						   params);
5689 		if (err)
5690 			goto out;
5691 	}
5692 
5693 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5694 		err = nl80211_parse_unsol_bcast_probe_resp(
5695 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5696 			params);
5697 		if (err)
5698 			goto out;
5699 	}
5700 
5701 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5702 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5703 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5704 						  &params->mbssid_config,
5705 						  params->beacon.mbssid_ies ?
5706 							params->beacon.mbssid_ies->cnt :
5707 							0);
5708 		if (err)
5709 			goto out;
5710 	}
5711 
5712 	nl80211_calculate_ap_params(params);
5713 
5714 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5715 		params->flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5716 
5717 	wdev_lock(wdev);
5718 	err = rdev_start_ap(rdev, dev, params);
5719 	if (!err) {
5720 		wdev->preset_chandef = params->chandef;
5721 		wdev->beacon_interval = params->beacon_interval;
5722 		wdev->chandef = params->chandef;
5723 		wdev->ssid_len = params->ssid_len;
5724 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5725 
5726 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5727 			wdev->conn_owner_nlportid = info->snd_portid;
5728 	}
5729 	wdev_unlock(wdev);
5730 
5731 out:
5732 	kfree(params->acl);
5733 	kfree(params->beacon.mbssid_ies);
5734 	if (params->mbssid_config.tx_wdev &&
5735 	    params->mbssid_config.tx_wdev->netdev &&
5736 	    params->mbssid_config.tx_wdev->netdev != dev)
5737 		dev_put(params->mbssid_config.tx_wdev->netdev);
5738 	kfree(params);
5739 
5740 	return err;
5741 }
5742 
5743 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5744 {
5745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5746 	struct net_device *dev = info->user_ptr[1];
5747 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5748 	struct cfg80211_beacon_data params;
5749 	int err;
5750 
5751 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5752 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5753 		return -EOPNOTSUPP;
5754 
5755 	if (!rdev->ops->change_beacon)
5756 		return -EOPNOTSUPP;
5757 
5758 	if (!wdev->beacon_interval)
5759 		return -EINVAL;
5760 
5761 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5762 	if (err)
5763 		goto out;
5764 
5765 	wdev_lock(wdev);
5766 	err = rdev_change_beacon(rdev, dev, &params);
5767 	wdev_unlock(wdev);
5768 
5769 out:
5770 	kfree(params.mbssid_ies);
5771 	return err;
5772 }
5773 
5774 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5775 {
5776 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5777 	struct net_device *dev = info->user_ptr[1];
5778 
5779 	return cfg80211_stop_ap(rdev, dev, false);
5780 }
5781 
5782 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5783 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5784 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5785 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5786 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5787 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5788 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5789 };
5790 
5791 static int parse_station_flags(struct genl_info *info,
5792 			       enum nl80211_iftype iftype,
5793 			       struct station_parameters *params)
5794 {
5795 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5796 	struct nlattr *nla;
5797 	int flag;
5798 
5799 	/*
5800 	 * Try parsing the new attribute first so userspace
5801 	 * can specify both for older kernels.
5802 	 */
5803 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5804 	if (nla) {
5805 		struct nl80211_sta_flag_update *sta_flags;
5806 
5807 		sta_flags = nla_data(nla);
5808 		params->sta_flags_mask = sta_flags->mask;
5809 		params->sta_flags_set = sta_flags->set;
5810 		params->sta_flags_set &= params->sta_flags_mask;
5811 		if ((params->sta_flags_mask |
5812 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5813 			return -EINVAL;
5814 		return 0;
5815 	}
5816 
5817 	/* if present, parse the old attribute */
5818 
5819 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5820 	if (!nla)
5821 		return 0;
5822 
5823 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5824 		return -EINVAL;
5825 
5826 	/*
5827 	 * Only allow certain flags for interface types so that
5828 	 * other attributes are silently ignored. Remember that
5829 	 * this is backward compatibility code with old userspace
5830 	 * and shouldn't be hit in other cases anyway.
5831 	 */
5832 	switch (iftype) {
5833 	case NL80211_IFTYPE_AP:
5834 	case NL80211_IFTYPE_AP_VLAN:
5835 	case NL80211_IFTYPE_P2P_GO:
5836 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5837 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5838 					 BIT(NL80211_STA_FLAG_WME) |
5839 					 BIT(NL80211_STA_FLAG_MFP);
5840 		break;
5841 	case NL80211_IFTYPE_P2P_CLIENT:
5842 	case NL80211_IFTYPE_STATION:
5843 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5844 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5845 		break;
5846 	case NL80211_IFTYPE_MESH_POINT:
5847 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5848 					 BIT(NL80211_STA_FLAG_MFP) |
5849 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5850 		break;
5851 	default:
5852 		return -EINVAL;
5853 	}
5854 
5855 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5856 		if (flags[flag]) {
5857 			params->sta_flags_set |= (1<<flag);
5858 
5859 			/* no longer support new API additions in old API */
5860 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5861 				return -EINVAL;
5862 		}
5863 	}
5864 
5865 	return 0;
5866 }
5867 
5868 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5869 {
5870 	struct nlattr *rate;
5871 	u32 bitrate;
5872 	u16 bitrate_compat;
5873 	enum nl80211_rate_info rate_flg;
5874 
5875 	rate = nla_nest_start_noflag(msg, attr);
5876 	if (!rate)
5877 		return false;
5878 
5879 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5880 	bitrate = cfg80211_calculate_bitrate(info);
5881 	/* report 16-bit bitrate only if we can */
5882 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5883 	if (bitrate > 0 &&
5884 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5885 		return false;
5886 	if (bitrate_compat > 0 &&
5887 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5888 		return false;
5889 
5890 	switch (info->bw) {
5891 	case RATE_INFO_BW_5:
5892 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5893 		break;
5894 	case RATE_INFO_BW_10:
5895 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5896 		break;
5897 	default:
5898 		WARN_ON(1);
5899 		fallthrough;
5900 	case RATE_INFO_BW_20:
5901 		rate_flg = 0;
5902 		break;
5903 	case RATE_INFO_BW_40:
5904 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5905 		break;
5906 	case RATE_INFO_BW_80:
5907 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5908 		break;
5909 	case RATE_INFO_BW_160:
5910 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5911 		break;
5912 	case RATE_INFO_BW_HE_RU:
5913 		rate_flg = 0;
5914 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5915 	}
5916 
5917 	if (rate_flg && nla_put_flag(msg, rate_flg))
5918 		return false;
5919 
5920 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5921 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5922 			return false;
5923 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5924 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5925 			return false;
5926 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5927 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5928 			return false;
5929 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5930 			return false;
5931 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5932 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5933 			return false;
5934 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5935 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5936 			return false;
5937 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5938 			return false;
5939 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5940 			return false;
5941 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5942 			return false;
5943 		if (info->bw == RATE_INFO_BW_HE_RU &&
5944 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5945 			       info->he_ru_alloc))
5946 			return false;
5947 	}
5948 
5949 	nla_nest_end(msg, rate);
5950 	return true;
5951 }
5952 
5953 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5954 			       int id)
5955 {
5956 	void *attr;
5957 	int i = 0;
5958 
5959 	if (!mask)
5960 		return true;
5961 
5962 	attr = nla_nest_start_noflag(msg, id);
5963 	if (!attr)
5964 		return false;
5965 
5966 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5967 		if (!(mask & BIT(i)))
5968 			continue;
5969 
5970 		if (nla_put_u8(msg, i, signal[i]))
5971 			return false;
5972 	}
5973 
5974 	nla_nest_end(msg, attr);
5975 
5976 	return true;
5977 }
5978 
5979 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5980 				u32 seq, int flags,
5981 				struct cfg80211_registered_device *rdev,
5982 				struct net_device *dev,
5983 				const u8 *mac_addr, struct station_info *sinfo)
5984 {
5985 	void *hdr;
5986 	struct nlattr *sinfoattr, *bss_param;
5987 
5988 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5989 	if (!hdr) {
5990 		cfg80211_sinfo_release_content(sinfo);
5991 		return -1;
5992 	}
5993 
5994 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5995 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5996 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5997 		goto nla_put_failure;
5998 
5999 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6000 	if (!sinfoattr)
6001 		goto nla_put_failure;
6002 
6003 #define PUT_SINFO(attr, memb, type) do {				\
6004 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6005 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6006 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6007 			     sinfo->memb))				\
6008 		goto nla_put_failure;					\
6009 	} while (0)
6010 #define PUT_SINFO_U64(attr, memb) do {					\
6011 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6012 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6013 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6014 		goto nla_put_failure;					\
6015 	} while (0)
6016 
6017 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6018 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6019 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6020 
6021 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6022 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6023 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6024 			(u32)sinfo->rx_bytes))
6025 		goto nla_put_failure;
6026 
6027 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6028 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6029 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6030 			(u32)sinfo->tx_bytes))
6031 		goto nla_put_failure;
6032 
6033 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6034 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6035 	PUT_SINFO(LLID, llid, u16);
6036 	PUT_SINFO(PLID, plid, u16);
6037 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6038 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6039 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6040 
6041 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6042 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6043 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6044 
6045 	switch (rdev->wiphy.signal_type) {
6046 	case CFG80211_SIGNAL_TYPE_MBM:
6047 		PUT_SINFO(SIGNAL, signal, u8);
6048 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6049 		break;
6050 	default:
6051 		break;
6052 	}
6053 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6054 		if (!nl80211_put_signal(msg, sinfo->chains,
6055 					sinfo->chain_signal,
6056 					NL80211_STA_INFO_CHAIN_SIGNAL))
6057 			goto nla_put_failure;
6058 	}
6059 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6060 		if (!nl80211_put_signal(msg, sinfo->chains,
6061 					sinfo->chain_signal_avg,
6062 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6063 			goto nla_put_failure;
6064 	}
6065 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6066 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6067 					  NL80211_STA_INFO_TX_BITRATE))
6068 			goto nla_put_failure;
6069 	}
6070 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6071 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6072 					  NL80211_STA_INFO_RX_BITRATE))
6073 			goto nla_put_failure;
6074 	}
6075 
6076 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6077 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6078 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6079 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6080 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6081 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6082 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6083 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6084 	PUT_SINFO(PEER_PM, peer_pm, u32);
6085 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6086 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6087 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6088 
6089 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6090 		bss_param = nla_nest_start_noflag(msg,
6091 						  NL80211_STA_INFO_BSS_PARAM);
6092 		if (!bss_param)
6093 			goto nla_put_failure;
6094 
6095 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6096 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6097 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6098 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6099 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6100 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6101 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6102 			       sinfo->bss_param.dtim_period) ||
6103 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6104 				sinfo->bss_param.beacon_interval))
6105 			goto nla_put_failure;
6106 
6107 		nla_nest_end(msg, bss_param);
6108 	}
6109 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6110 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6111 		    sizeof(struct nl80211_sta_flag_update),
6112 		    &sinfo->sta_flags))
6113 		goto nla_put_failure;
6114 
6115 	PUT_SINFO_U64(T_OFFSET, t_offset);
6116 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6117 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6118 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6119 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6120 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6121 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6122 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6123 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6124 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6125 	}
6126 
6127 #undef PUT_SINFO
6128 #undef PUT_SINFO_U64
6129 
6130 	if (sinfo->pertid) {
6131 		struct nlattr *tidsattr;
6132 		int tid;
6133 
6134 		tidsattr = nla_nest_start_noflag(msg,
6135 						 NL80211_STA_INFO_TID_STATS);
6136 		if (!tidsattr)
6137 			goto nla_put_failure;
6138 
6139 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6140 			struct cfg80211_tid_stats *tidstats;
6141 			struct nlattr *tidattr;
6142 
6143 			tidstats = &sinfo->pertid[tid];
6144 
6145 			if (!tidstats->filled)
6146 				continue;
6147 
6148 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6149 			if (!tidattr)
6150 				goto nla_put_failure;
6151 
6152 #define PUT_TIDVAL_U64(attr, memb) do {					\
6153 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6154 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6155 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6156 		goto nla_put_failure;					\
6157 	} while (0)
6158 
6159 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6160 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6161 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6162 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6163 
6164 #undef PUT_TIDVAL_U64
6165 			if ((tidstats->filled &
6166 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6167 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6168 						   NL80211_TID_STATS_TXQ_STATS))
6169 				goto nla_put_failure;
6170 
6171 			nla_nest_end(msg, tidattr);
6172 		}
6173 
6174 		nla_nest_end(msg, tidsattr);
6175 	}
6176 
6177 	nla_nest_end(msg, sinfoattr);
6178 
6179 	if (sinfo->assoc_req_ies_len &&
6180 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6181 		    sinfo->assoc_req_ies))
6182 		goto nla_put_failure;
6183 
6184 	cfg80211_sinfo_release_content(sinfo);
6185 	genlmsg_end(msg, hdr);
6186 	return 0;
6187 
6188  nla_put_failure:
6189 	cfg80211_sinfo_release_content(sinfo);
6190 	genlmsg_cancel(msg, hdr);
6191 	return -EMSGSIZE;
6192 }
6193 
6194 static int nl80211_dump_station(struct sk_buff *skb,
6195 				struct netlink_callback *cb)
6196 {
6197 	struct station_info sinfo;
6198 	struct cfg80211_registered_device *rdev;
6199 	struct wireless_dev *wdev;
6200 	u8 mac_addr[ETH_ALEN];
6201 	int sta_idx = cb->args[2];
6202 	int err;
6203 
6204 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6205 	if (err)
6206 		return err;
6207 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6208 	__acquire(&rdev->wiphy.mtx);
6209 
6210 	if (!wdev->netdev) {
6211 		err = -EINVAL;
6212 		goto out_err;
6213 	}
6214 
6215 	if (!rdev->ops->dump_station) {
6216 		err = -EOPNOTSUPP;
6217 		goto out_err;
6218 	}
6219 
6220 	while (1) {
6221 		memset(&sinfo, 0, sizeof(sinfo));
6222 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6223 					mac_addr, &sinfo);
6224 		if (err == -ENOENT)
6225 			break;
6226 		if (err)
6227 			goto out_err;
6228 
6229 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6230 				NETLINK_CB(cb->skb).portid,
6231 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6232 				rdev, wdev->netdev, mac_addr,
6233 				&sinfo) < 0)
6234 			goto out;
6235 
6236 		sta_idx++;
6237 	}
6238 
6239  out:
6240 	cb->args[2] = sta_idx;
6241 	err = skb->len;
6242  out_err:
6243 	wiphy_unlock(&rdev->wiphy);
6244 
6245 	return err;
6246 }
6247 
6248 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6249 {
6250 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6251 	struct net_device *dev = info->user_ptr[1];
6252 	struct station_info sinfo;
6253 	struct sk_buff *msg;
6254 	u8 *mac_addr = NULL;
6255 	int err;
6256 
6257 	memset(&sinfo, 0, sizeof(sinfo));
6258 
6259 	if (!info->attrs[NL80211_ATTR_MAC])
6260 		return -EINVAL;
6261 
6262 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6263 
6264 	if (!rdev->ops->get_station)
6265 		return -EOPNOTSUPP;
6266 
6267 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6268 	if (err)
6269 		return err;
6270 
6271 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6272 	if (!msg) {
6273 		cfg80211_sinfo_release_content(&sinfo);
6274 		return -ENOMEM;
6275 	}
6276 
6277 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6278 				 info->snd_portid, info->snd_seq, 0,
6279 				 rdev, dev, mac_addr, &sinfo) < 0) {
6280 		nlmsg_free(msg);
6281 		return -ENOBUFS;
6282 	}
6283 
6284 	return genlmsg_reply(msg, info);
6285 }
6286 
6287 int cfg80211_check_station_change(struct wiphy *wiphy,
6288 				  struct station_parameters *params,
6289 				  enum cfg80211_station_type statype)
6290 {
6291 	if (params->listen_interval != -1 &&
6292 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6293 		return -EINVAL;
6294 
6295 	if (params->support_p2p_ps != -1 &&
6296 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6297 		return -EINVAL;
6298 
6299 	if (params->aid &&
6300 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6301 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6302 		return -EINVAL;
6303 
6304 	/* When you run into this, adjust the code below for the new flag */
6305 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6306 
6307 	switch (statype) {
6308 	case CFG80211_STA_MESH_PEER_KERNEL:
6309 	case CFG80211_STA_MESH_PEER_USER:
6310 		/*
6311 		 * No ignoring the TDLS flag here -- the userspace mesh
6312 		 * code doesn't have the bug of including TDLS in the
6313 		 * mask everywhere.
6314 		 */
6315 		if (params->sta_flags_mask &
6316 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6317 				  BIT(NL80211_STA_FLAG_MFP) |
6318 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6319 			return -EINVAL;
6320 		break;
6321 	case CFG80211_STA_TDLS_PEER_SETUP:
6322 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6323 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6324 			return -EINVAL;
6325 		/* ignore since it can't change */
6326 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6327 		break;
6328 	default:
6329 		/* disallow mesh-specific things */
6330 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6331 			return -EINVAL;
6332 		if (params->local_pm)
6333 			return -EINVAL;
6334 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6335 			return -EINVAL;
6336 	}
6337 
6338 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6339 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6340 		/* TDLS can't be set, ... */
6341 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6342 			return -EINVAL;
6343 		/*
6344 		 * ... but don't bother the driver with it. This works around
6345 		 * a hostapd/wpa_supplicant issue -- it always includes the
6346 		 * TLDS_PEER flag in the mask even for AP mode.
6347 		 */
6348 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6349 	}
6350 
6351 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6352 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6353 		/* reject other things that can't change */
6354 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6355 			return -EINVAL;
6356 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6357 			return -EINVAL;
6358 		if (params->supported_rates)
6359 			return -EINVAL;
6360 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6361 		    params->he_capa)
6362 			return -EINVAL;
6363 	}
6364 
6365 	if (statype != CFG80211_STA_AP_CLIENT &&
6366 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6367 		if (params->vlan)
6368 			return -EINVAL;
6369 	}
6370 
6371 	switch (statype) {
6372 	case CFG80211_STA_AP_MLME_CLIENT:
6373 		/* Use this only for authorizing/unauthorizing a station */
6374 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6375 			return -EOPNOTSUPP;
6376 		break;
6377 	case CFG80211_STA_AP_CLIENT:
6378 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6379 		/* accept only the listed bits */
6380 		if (params->sta_flags_mask &
6381 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6382 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6383 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6384 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6385 				  BIT(NL80211_STA_FLAG_WME) |
6386 				  BIT(NL80211_STA_FLAG_MFP)))
6387 			return -EINVAL;
6388 
6389 		/* but authenticated/associated only if driver handles it */
6390 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6391 		    params->sta_flags_mask &
6392 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6393 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6394 			return -EINVAL;
6395 		break;
6396 	case CFG80211_STA_IBSS:
6397 	case CFG80211_STA_AP_STA:
6398 		/* reject any changes other than AUTHORIZED */
6399 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6400 			return -EINVAL;
6401 		break;
6402 	case CFG80211_STA_TDLS_PEER_SETUP:
6403 		/* reject any changes other than AUTHORIZED or WME */
6404 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6405 					       BIT(NL80211_STA_FLAG_WME)))
6406 			return -EINVAL;
6407 		/* force (at least) rates when authorizing */
6408 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6409 		    !params->supported_rates)
6410 			return -EINVAL;
6411 		break;
6412 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6413 		/* reject any changes */
6414 		return -EINVAL;
6415 	case CFG80211_STA_MESH_PEER_KERNEL:
6416 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6417 			return -EINVAL;
6418 		break;
6419 	case CFG80211_STA_MESH_PEER_USER:
6420 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6421 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6422 			return -EINVAL;
6423 		break;
6424 	}
6425 
6426 	/*
6427 	 * Older kernel versions ignored this attribute entirely, so don't
6428 	 * reject attempts to update it but mark it as unused instead so the
6429 	 * driver won't look at the data.
6430 	 */
6431 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6432 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6433 		params->opmode_notif_used = false;
6434 
6435 	return 0;
6436 }
6437 EXPORT_SYMBOL(cfg80211_check_station_change);
6438 
6439 /*
6440  * Get vlan interface making sure it is running and on the right wiphy.
6441  */
6442 static struct net_device *get_vlan(struct genl_info *info,
6443 				   struct cfg80211_registered_device *rdev)
6444 {
6445 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6446 	struct net_device *v;
6447 	int ret;
6448 
6449 	if (!vlanattr)
6450 		return NULL;
6451 
6452 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6453 	if (!v)
6454 		return ERR_PTR(-ENODEV);
6455 
6456 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6457 		ret = -EINVAL;
6458 		goto error;
6459 	}
6460 
6461 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6462 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6463 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6464 		ret = -EINVAL;
6465 		goto error;
6466 	}
6467 
6468 	if (!netif_running(v)) {
6469 		ret = -ENETDOWN;
6470 		goto error;
6471 	}
6472 
6473 	return v;
6474  error:
6475 	dev_put(v);
6476 	return ERR_PTR(ret);
6477 }
6478 
6479 static const struct nla_policy
6480 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6481 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6482 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6483 };
6484 
6485 static int nl80211_parse_sta_wme(struct genl_info *info,
6486 				 struct station_parameters *params)
6487 {
6488 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6489 	struct nlattr *nla;
6490 	int err;
6491 
6492 	/* parse WME attributes if present */
6493 	if (!info->attrs[NL80211_ATTR_STA_WME])
6494 		return 0;
6495 
6496 	nla = info->attrs[NL80211_ATTR_STA_WME];
6497 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6498 					  nl80211_sta_wme_policy,
6499 					  info->extack);
6500 	if (err)
6501 		return err;
6502 
6503 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6504 		params->uapsd_queues = nla_get_u8(
6505 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6506 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6507 		return -EINVAL;
6508 
6509 	if (tb[NL80211_STA_WME_MAX_SP])
6510 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6511 
6512 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6513 		return -EINVAL;
6514 
6515 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6516 
6517 	return 0;
6518 }
6519 
6520 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6521 				      struct station_parameters *params)
6522 {
6523 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6524 		params->supported_channels =
6525 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6526 		params->supported_channels_len =
6527 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6528 		/*
6529 		 * Need to include at least one (first channel, number of
6530 		 * channels) tuple for each subband (checked in policy),
6531 		 * and must have proper tuples for the rest of the data as well.
6532 		 */
6533 		if (params->supported_channels_len % 2)
6534 			return -EINVAL;
6535 	}
6536 
6537 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6538 		params->supported_oper_classes =
6539 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6540 		params->supported_oper_classes_len =
6541 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6542 	}
6543 	return 0;
6544 }
6545 
6546 static int nl80211_set_station_tdls(struct genl_info *info,
6547 				    struct station_parameters *params)
6548 {
6549 	int err;
6550 	/* Dummy STA entry gets updated once the peer capabilities are known */
6551 	if (info->attrs[NL80211_ATTR_PEER_AID])
6552 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6553 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6554 		params->ht_capa =
6555 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6556 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6557 		params->vht_capa =
6558 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6559 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6560 		params->he_capa =
6561 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6562 		params->he_capa_len =
6563 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6564 	}
6565 
6566 	err = nl80211_parse_sta_channel_info(info, params);
6567 	if (err)
6568 		return err;
6569 
6570 	return nl80211_parse_sta_wme(info, params);
6571 }
6572 
6573 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6574 					     struct station_parameters *params)
6575 {
6576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6577 	int idx;
6578 
6579 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6580 		if (!rdev->ops->set_tx_power ||
6581 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6582 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6583 			return -EOPNOTSUPP;
6584 
6585 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6586 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6587 
6588 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6589 			idx = NL80211_ATTR_STA_TX_POWER;
6590 
6591 			if (info->attrs[idx])
6592 				params->txpwr.power =
6593 					nla_get_s16(info->attrs[idx]);
6594 			else
6595 				return -EINVAL;
6596 		}
6597 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6598 	}
6599 
6600 	return 0;
6601 }
6602 
6603 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6604 {
6605 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6606 	struct net_device *dev = info->user_ptr[1];
6607 	struct station_parameters params;
6608 	u8 *mac_addr;
6609 	int err;
6610 
6611 	memset(&params, 0, sizeof(params));
6612 
6613 	if (!rdev->ops->change_station)
6614 		return -EOPNOTSUPP;
6615 
6616 	/*
6617 	 * AID and listen_interval properties can be set only for unassociated
6618 	 * station. Include these parameters here and will check them in
6619 	 * cfg80211_check_station_change().
6620 	 */
6621 	if (info->attrs[NL80211_ATTR_STA_AID])
6622 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6623 
6624 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6625 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6626 
6627 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6628 		params.listen_interval =
6629 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6630 	else
6631 		params.listen_interval = -1;
6632 
6633 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6634 		params.support_p2p_ps =
6635 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6636 	else
6637 		params.support_p2p_ps = -1;
6638 
6639 	if (!info->attrs[NL80211_ATTR_MAC])
6640 		return -EINVAL;
6641 
6642 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6643 
6644 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6645 		params.supported_rates =
6646 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6647 		params.supported_rates_len =
6648 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6649 	}
6650 
6651 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6652 		params.capability =
6653 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6654 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6655 	}
6656 
6657 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6658 		params.ext_capab =
6659 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6660 		params.ext_capab_len =
6661 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6662 	}
6663 
6664 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6665 		return -EINVAL;
6666 
6667 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6668 		params.plink_action =
6669 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6670 
6671 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6672 		params.plink_state =
6673 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6674 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6675 			params.peer_aid = nla_get_u16(
6676 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6677 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6678 	}
6679 
6680 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6681 		params.local_pm = nla_get_u32(
6682 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6683 
6684 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6685 		params.opmode_notif_used = true;
6686 		params.opmode_notif =
6687 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6688 	}
6689 
6690 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6691 		params.he_6ghz_capa =
6692 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6693 
6694 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6695 		params.airtime_weight =
6696 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6697 
6698 	if (params.airtime_weight &&
6699 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6700 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6701 		return -EOPNOTSUPP;
6702 
6703 	err = nl80211_parse_sta_txpower_setting(info, &params);
6704 	if (err)
6705 		return err;
6706 
6707 	/* Include parameters for TDLS peer (will check later) */
6708 	err = nl80211_set_station_tdls(info, &params);
6709 	if (err)
6710 		return err;
6711 
6712 	params.vlan = get_vlan(info, rdev);
6713 	if (IS_ERR(params.vlan))
6714 		return PTR_ERR(params.vlan);
6715 
6716 	switch (dev->ieee80211_ptr->iftype) {
6717 	case NL80211_IFTYPE_AP:
6718 	case NL80211_IFTYPE_AP_VLAN:
6719 	case NL80211_IFTYPE_P2P_GO:
6720 	case NL80211_IFTYPE_P2P_CLIENT:
6721 	case NL80211_IFTYPE_STATION:
6722 	case NL80211_IFTYPE_ADHOC:
6723 	case NL80211_IFTYPE_MESH_POINT:
6724 		break;
6725 	default:
6726 		err = -EOPNOTSUPP;
6727 		goto out_put_vlan;
6728 	}
6729 
6730 	/* driver will call cfg80211_check_station_change() */
6731 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6732 
6733  out_put_vlan:
6734 	dev_put(params.vlan);
6735 
6736 	return err;
6737 }
6738 
6739 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6740 {
6741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6742 	int err;
6743 	struct net_device *dev = info->user_ptr[1];
6744 	struct station_parameters params;
6745 	u8 *mac_addr = NULL;
6746 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6747 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6748 
6749 	memset(&params, 0, sizeof(params));
6750 
6751 	if (!rdev->ops->add_station)
6752 		return -EOPNOTSUPP;
6753 
6754 	if (!info->attrs[NL80211_ATTR_MAC])
6755 		return -EINVAL;
6756 
6757 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6758 		return -EINVAL;
6759 
6760 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6761 		return -EINVAL;
6762 
6763 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6764 	    !info->attrs[NL80211_ATTR_PEER_AID])
6765 		return -EINVAL;
6766 
6767 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6768 	params.supported_rates =
6769 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6770 	params.supported_rates_len =
6771 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6772 	params.listen_interval =
6773 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6774 
6775 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6776 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6777 
6778 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6779 		params.support_p2p_ps =
6780 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6781 	} else {
6782 		/*
6783 		 * if not specified, assume it's supported for P2P GO interface,
6784 		 * and is NOT supported for AP interface
6785 		 */
6786 		params.support_p2p_ps =
6787 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6788 	}
6789 
6790 	if (info->attrs[NL80211_ATTR_PEER_AID])
6791 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6792 	else
6793 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6794 
6795 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6796 		params.capability =
6797 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6798 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6799 	}
6800 
6801 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6802 		params.ext_capab =
6803 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6804 		params.ext_capab_len =
6805 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6806 	}
6807 
6808 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6809 		params.ht_capa =
6810 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6811 
6812 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6813 		params.vht_capa =
6814 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6815 
6816 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6817 		params.he_capa =
6818 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6819 		params.he_capa_len =
6820 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6821 	}
6822 
6823 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6824 		params.he_6ghz_capa =
6825 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6826 
6827 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6828 		params.opmode_notif_used = true;
6829 		params.opmode_notif =
6830 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6831 	}
6832 
6833 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6834 		params.plink_action =
6835 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6836 
6837 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6838 		params.airtime_weight =
6839 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6840 
6841 	if (params.airtime_weight &&
6842 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6843 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6844 		return -EOPNOTSUPP;
6845 
6846 	err = nl80211_parse_sta_txpower_setting(info, &params);
6847 	if (err)
6848 		return err;
6849 
6850 	err = nl80211_parse_sta_channel_info(info, &params);
6851 	if (err)
6852 		return err;
6853 
6854 	err = nl80211_parse_sta_wme(info, &params);
6855 	if (err)
6856 		return err;
6857 
6858 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6859 		return -EINVAL;
6860 
6861 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6862 	 * as userspace might just pass through the capabilities from the IEs
6863 	 * directly, rather than enforcing this restriction and returning an
6864 	 * error in this case.
6865 	 */
6866 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6867 		params.ht_capa = NULL;
6868 		params.vht_capa = NULL;
6869 
6870 		/* HE requires WME */
6871 		if (params.he_capa_len || params.he_6ghz_capa)
6872 			return -EINVAL;
6873 	}
6874 
6875 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6876 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6877 		return -EINVAL;
6878 
6879 	/* When you run into this, adjust the code below for the new flag */
6880 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6881 
6882 	switch (dev->ieee80211_ptr->iftype) {
6883 	case NL80211_IFTYPE_AP:
6884 	case NL80211_IFTYPE_AP_VLAN:
6885 	case NL80211_IFTYPE_P2P_GO:
6886 		/* ignore WME attributes if iface/sta is not capable */
6887 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6888 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6889 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6890 
6891 		/* TDLS peers cannot be added */
6892 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6893 		    info->attrs[NL80211_ATTR_PEER_AID])
6894 			return -EINVAL;
6895 		/* but don't bother the driver with it */
6896 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6897 
6898 		/* allow authenticated/associated only if driver handles it */
6899 		if (!(rdev->wiphy.features &
6900 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6901 		    params.sta_flags_mask & auth_assoc)
6902 			return -EINVAL;
6903 
6904 		/* Older userspace, or userspace wanting to be compatible with
6905 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6906 		 * and assoc flags in the mask, but assumes the station will be
6907 		 * added as associated anyway since this was the required driver
6908 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6909 		 * introduced.
6910 		 * In order to not bother drivers with this quirk in the API
6911 		 * set the flags in both the mask and set for new stations in
6912 		 * this case.
6913 		 */
6914 		if (!(params.sta_flags_mask & auth_assoc)) {
6915 			params.sta_flags_mask |= auth_assoc;
6916 			params.sta_flags_set |= auth_assoc;
6917 		}
6918 
6919 		/* must be last in here for error handling */
6920 		params.vlan = get_vlan(info, rdev);
6921 		if (IS_ERR(params.vlan))
6922 			return PTR_ERR(params.vlan);
6923 		break;
6924 	case NL80211_IFTYPE_MESH_POINT:
6925 		/* ignore uAPSD data */
6926 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6927 
6928 		/* associated is disallowed */
6929 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6930 			return -EINVAL;
6931 		/* TDLS peers cannot be added */
6932 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6933 		    info->attrs[NL80211_ATTR_PEER_AID])
6934 			return -EINVAL;
6935 		break;
6936 	case NL80211_IFTYPE_STATION:
6937 	case NL80211_IFTYPE_P2P_CLIENT:
6938 		/* ignore uAPSD data */
6939 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6940 
6941 		/* these are disallowed */
6942 		if (params.sta_flags_mask &
6943 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6944 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6945 			return -EINVAL;
6946 		/* Only TDLS peers can be added */
6947 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6948 			return -EINVAL;
6949 		/* Can only add if TDLS ... */
6950 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6951 			return -EOPNOTSUPP;
6952 		/* ... with external setup is supported */
6953 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6954 			return -EOPNOTSUPP;
6955 		/*
6956 		 * Older wpa_supplicant versions always mark the TDLS peer
6957 		 * as authorized, but it shouldn't yet be.
6958 		 */
6959 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6960 		break;
6961 	default:
6962 		return -EOPNOTSUPP;
6963 	}
6964 
6965 	/* be aware of params.vlan when changing code here */
6966 
6967 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6968 
6969 	dev_put(params.vlan);
6970 	return err;
6971 }
6972 
6973 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6974 {
6975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6976 	struct net_device *dev = info->user_ptr[1];
6977 	struct station_del_parameters params;
6978 
6979 	memset(&params, 0, sizeof(params));
6980 
6981 	if (info->attrs[NL80211_ATTR_MAC])
6982 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6983 
6984 	switch (dev->ieee80211_ptr->iftype) {
6985 	case NL80211_IFTYPE_AP:
6986 	case NL80211_IFTYPE_AP_VLAN:
6987 	case NL80211_IFTYPE_MESH_POINT:
6988 	case NL80211_IFTYPE_P2P_GO:
6989 		/* always accept these */
6990 		break;
6991 	case NL80211_IFTYPE_ADHOC:
6992 		/* conditionally accept */
6993 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6994 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6995 			break;
6996 		return -EINVAL;
6997 	default:
6998 		return -EINVAL;
6999 	}
7000 
7001 	if (!rdev->ops->del_station)
7002 		return -EOPNOTSUPP;
7003 
7004 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7005 		params.subtype =
7006 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7007 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7008 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7009 			return -EINVAL;
7010 	} else {
7011 		/* Default to Deauthentication frame */
7012 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7013 	}
7014 
7015 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7016 		params.reason_code =
7017 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7018 		if (params.reason_code == 0)
7019 			return -EINVAL; /* 0 is reserved */
7020 	} else {
7021 		/* Default to reason code 2 */
7022 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7023 	}
7024 
7025 	return rdev_del_station(rdev, dev, &params);
7026 }
7027 
7028 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7029 				int flags, struct net_device *dev,
7030 				u8 *dst, u8 *next_hop,
7031 				struct mpath_info *pinfo)
7032 {
7033 	void *hdr;
7034 	struct nlattr *pinfoattr;
7035 
7036 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7037 	if (!hdr)
7038 		return -1;
7039 
7040 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7041 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7042 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7043 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7044 		goto nla_put_failure;
7045 
7046 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7047 	if (!pinfoattr)
7048 		goto nla_put_failure;
7049 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7050 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7051 			pinfo->frame_qlen))
7052 		goto nla_put_failure;
7053 	if (((pinfo->filled & MPATH_INFO_SN) &&
7054 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7055 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7056 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7057 			 pinfo->metric)) ||
7058 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7059 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7060 			 pinfo->exptime)) ||
7061 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7062 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7063 			pinfo->flags)) ||
7064 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7065 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7066 			 pinfo->discovery_timeout)) ||
7067 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7068 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7069 			pinfo->discovery_retries)) ||
7070 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7071 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7072 			pinfo->hop_count)) ||
7073 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7074 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7075 			 pinfo->path_change_count)))
7076 		goto nla_put_failure;
7077 
7078 	nla_nest_end(msg, pinfoattr);
7079 
7080 	genlmsg_end(msg, hdr);
7081 	return 0;
7082 
7083  nla_put_failure:
7084 	genlmsg_cancel(msg, hdr);
7085 	return -EMSGSIZE;
7086 }
7087 
7088 static int nl80211_dump_mpath(struct sk_buff *skb,
7089 			      struct netlink_callback *cb)
7090 {
7091 	struct mpath_info pinfo;
7092 	struct cfg80211_registered_device *rdev;
7093 	struct wireless_dev *wdev;
7094 	u8 dst[ETH_ALEN];
7095 	u8 next_hop[ETH_ALEN];
7096 	int path_idx = cb->args[2];
7097 	int err;
7098 
7099 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7100 	if (err)
7101 		return err;
7102 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7103 	__acquire(&rdev->wiphy.mtx);
7104 
7105 	if (!rdev->ops->dump_mpath) {
7106 		err = -EOPNOTSUPP;
7107 		goto out_err;
7108 	}
7109 
7110 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7111 		err = -EOPNOTSUPP;
7112 		goto out_err;
7113 	}
7114 
7115 	while (1) {
7116 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7117 				      next_hop, &pinfo);
7118 		if (err == -ENOENT)
7119 			break;
7120 		if (err)
7121 			goto out_err;
7122 
7123 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7124 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7125 				       wdev->netdev, dst, next_hop,
7126 				       &pinfo) < 0)
7127 			goto out;
7128 
7129 		path_idx++;
7130 	}
7131 
7132  out:
7133 	cb->args[2] = path_idx;
7134 	err = skb->len;
7135  out_err:
7136 	wiphy_unlock(&rdev->wiphy);
7137 	return err;
7138 }
7139 
7140 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7141 {
7142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7143 	int err;
7144 	struct net_device *dev = info->user_ptr[1];
7145 	struct mpath_info pinfo;
7146 	struct sk_buff *msg;
7147 	u8 *dst = NULL;
7148 	u8 next_hop[ETH_ALEN];
7149 
7150 	memset(&pinfo, 0, sizeof(pinfo));
7151 
7152 	if (!info->attrs[NL80211_ATTR_MAC])
7153 		return -EINVAL;
7154 
7155 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7156 
7157 	if (!rdev->ops->get_mpath)
7158 		return -EOPNOTSUPP;
7159 
7160 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7161 		return -EOPNOTSUPP;
7162 
7163 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7164 	if (err)
7165 		return err;
7166 
7167 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7168 	if (!msg)
7169 		return -ENOMEM;
7170 
7171 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7172 				 dev, dst, next_hop, &pinfo) < 0) {
7173 		nlmsg_free(msg);
7174 		return -ENOBUFS;
7175 	}
7176 
7177 	return genlmsg_reply(msg, info);
7178 }
7179 
7180 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7181 {
7182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7183 	struct net_device *dev = info->user_ptr[1];
7184 	u8 *dst = NULL;
7185 	u8 *next_hop = NULL;
7186 
7187 	if (!info->attrs[NL80211_ATTR_MAC])
7188 		return -EINVAL;
7189 
7190 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7191 		return -EINVAL;
7192 
7193 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7194 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7195 
7196 	if (!rdev->ops->change_mpath)
7197 		return -EOPNOTSUPP;
7198 
7199 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7200 		return -EOPNOTSUPP;
7201 
7202 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7203 }
7204 
7205 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7206 {
7207 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7208 	struct net_device *dev = info->user_ptr[1];
7209 	u8 *dst = NULL;
7210 	u8 *next_hop = NULL;
7211 
7212 	if (!info->attrs[NL80211_ATTR_MAC])
7213 		return -EINVAL;
7214 
7215 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7216 		return -EINVAL;
7217 
7218 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7219 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7220 
7221 	if (!rdev->ops->add_mpath)
7222 		return -EOPNOTSUPP;
7223 
7224 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7225 		return -EOPNOTSUPP;
7226 
7227 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7228 }
7229 
7230 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7231 {
7232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7233 	struct net_device *dev = info->user_ptr[1];
7234 	u8 *dst = NULL;
7235 
7236 	if (info->attrs[NL80211_ATTR_MAC])
7237 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7238 
7239 	if (!rdev->ops->del_mpath)
7240 		return -EOPNOTSUPP;
7241 
7242 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7243 		return -EOPNOTSUPP;
7244 
7245 	return rdev_del_mpath(rdev, dev, dst);
7246 }
7247 
7248 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7249 {
7250 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7251 	int err;
7252 	struct net_device *dev = info->user_ptr[1];
7253 	struct mpath_info pinfo;
7254 	struct sk_buff *msg;
7255 	u8 *dst = NULL;
7256 	u8 mpp[ETH_ALEN];
7257 
7258 	memset(&pinfo, 0, sizeof(pinfo));
7259 
7260 	if (!info->attrs[NL80211_ATTR_MAC])
7261 		return -EINVAL;
7262 
7263 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7264 
7265 	if (!rdev->ops->get_mpp)
7266 		return -EOPNOTSUPP;
7267 
7268 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7269 		return -EOPNOTSUPP;
7270 
7271 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7272 	if (err)
7273 		return err;
7274 
7275 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7276 	if (!msg)
7277 		return -ENOMEM;
7278 
7279 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7280 			       dev, dst, mpp, &pinfo) < 0) {
7281 		nlmsg_free(msg);
7282 		return -ENOBUFS;
7283 	}
7284 
7285 	return genlmsg_reply(msg, info);
7286 }
7287 
7288 static int nl80211_dump_mpp(struct sk_buff *skb,
7289 			    struct netlink_callback *cb)
7290 {
7291 	struct mpath_info pinfo;
7292 	struct cfg80211_registered_device *rdev;
7293 	struct wireless_dev *wdev;
7294 	u8 dst[ETH_ALEN];
7295 	u8 mpp[ETH_ALEN];
7296 	int path_idx = cb->args[2];
7297 	int err;
7298 
7299 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7300 	if (err)
7301 		return err;
7302 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7303 	__acquire(&rdev->wiphy.mtx);
7304 
7305 	if (!rdev->ops->dump_mpp) {
7306 		err = -EOPNOTSUPP;
7307 		goto out_err;
7308 	}
7309 
7310 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7311 		err = -EOPNOTSUPP;
7312 		goto out_err;
7313 	}
7314 
7315 	while (1) {
7316 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7317 				    mpp, &pinfo);
7318 		if (err == -ENOENT)
7319 			break;
7320 		if (err)
7321 			goto out_err;
7322 
7323 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7324 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7325 				       wdev->netdev, dst, mpp,
7326 				       &pinfo) < 0)
7327 			goto out;
7328 
7329 		path_idx++;
7330 	}
7331 
7332  out:
7333 	cb->args[2] = path_idx;
7334 	err = skb->len;
7335  out_err:
7336 	wiphy_unlock(&rdev->wiphy);
7337 	return err;
7338 }
7339 
7340 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7341 {
7342 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7343 	struct net_device *dev = info->user_ptr[1];
7344 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7345 	struct bss_parameters params;
7346 	int err;
7347 
7348 	memset(&params, 0, sizeof(params));
7349 	/* default to not changing parameters */
7350 	params.use_cts_prot = -1;
7351 	params.use_short_preamble = -1;
7352 	params.use_short_slot_time = -1;
7353 	params.ap_isolate = -1;
7354 	params.ht_opmode = -1;
7355 	params.p2p_ctwindow = -1;
7356 	params.p2p_opp_ps = -1;
7357 
7358 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7359 		params.use_cts_prot =
7360 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7361 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7362 		params.use_short_preamble =
7363 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7364 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7365 		params.use_short_slot_time =
7366 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7367 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7368 		params.basic_rates =
7369 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7370 		params.basic_rates_len =
7371 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7372 	}
7373 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7374 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7375 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7376 		params.ht_opmode =
7377 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7378 
7379 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7380 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7381 			return -EINVAL;
7382 		params.p2p_ctwindow =
7383 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7384 		if (params.p2p_ctwindow != 0 &&
7385 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7386 			return -EINVAL;
7387 	}
7388 
7389 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7390 		u8 tmp;
7391 
7392 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7393 			return -EINVAL;
7394 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7395 		params.p2p_opp_ps = tmp;
7396 		if (params.p2p_opp_ps &&
7397 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7398 			return -EINVAL;
7399 	}
7400 
7401 	if (!rdev->ops->change_bss)
7402 		return -EOPNOTSUPP;
7403 
7404 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7405 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7406 		return -EOPNOTSUPP;
7407 
7408 	wdev_lock(wdev);
7409 	err = rdev_change_bss(rdev, dev, &params);
7410 	wdev_unlock(wdev);
7411 
7412 	return err;
7413 }
7414 
7415 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7416 {
7417 	char *data = NULL;
7418 	bool is_indoor;
7419 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7420 	u32 owner_nlportid;
7421 
7422 	/*
7423 	 * You should only get this when cfg80211 hasn't yet initialized
7424 	 * completely when built-in to the kernel right between the time
7425 	 * window between nl80211_init() and regulatory_init(), if that is
7426 	 * even possible.
7427 	 */
7428 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7429 		return -EINPROGRESS;
7430 
7431 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7432 		user_reg_hint_type =
7433 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7434 	else
7435 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7436 
7437 	switch (user_reg_hint_type) {
7438 	case NL80211_USER_REG_HINT_USER:
7439 	case NL80211_USER_REG_HINT_CELL_BASE:
7440 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7441 			return -EINVAL;
7442 
7443 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7444 		return regulatory_hint_user(data, user_reg_hint_type);
7445 	case NL80211_USER_REG_HINT_INDOOR:
7446 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7447 			owner_nlportid = info->snd_portid;
7448 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7449 		} else {
7450 			owner_nlportid = 0;
7451 			is_indoor = true;
7452 		}
7453 
7454 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7455 	default:
7456 		return -EINVAL;
7457 	}
7458 }
7459 
7460 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7461 {
7462 	return reg_reload_regdb();
7463 }
7464 
7465 static int nl80211_get_mesh_config(struct sk_buff *skb,
7466 				   struct genl_info *info)
7467 {
7468 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7469 	struct net_device *dev = info->user_ptr[1];
7470 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7471 	struct mesh_config cur_params;
7472 	int err = 0;
7473 	void *hdr;
7474 	struct nlattr *pinfoattr;
7475 	struct sk_buff *msg;
7476 
7477 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7478 		return -EOPNOTSUPP;
7479 
7480 	if (!rdev->ops->get_mesh_config)
7481 		return -EOPNOTSUPP;
7482 
7483 	wdev_lock(wdev);
7484 	/* If not connected, get default parameters */
7485 	if (!wdev->mesh_id_len)
7486 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7487 	else
7488 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7489 	wdev_unlock(wdev);
7490 
7491 	if (err)
7492 		return err;
7493 
7494 	/* Draw up a netlink message to send back */
7495 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7496 	if (!msg)
7497 		return -ENOMEM;
7498 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7499 			     NL80211_CMD_GET_MESH_CONFIG);
7500 	if (!hdr)
7501 		goto out;
7502 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7503 	if (!pinfoattr)
7504 		goto nla_put_failure;
7505 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7506 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7507 			cur_params.dot11MeshRetryTimeout) ||
7508 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7509 			cur_params.dot11MeshConfirmTimeout) ||
7510 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7511 			cur_params.dot11MeshHoldingTimeout) ||
7512 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7513 			cur_params.dot11MeshMaxPeerLinks) ||
7514 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7515 		       cur_params.dot11MeshMaxRetries) ||
7516 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7517 		       cur_params.dot11MeshTTL) ||
7518 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7519 		       cur_params.element_ttl) ||
7520 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7521 		       cur_params.auto_open_plinks) ||
7522 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7523 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7524 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7525 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7526 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7527 			cur_params.path_refresh_time) ||
7528 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7529 			cur_params.min_discovery_timeout) ||
7530 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7531 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7532 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7533 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7534 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7535 			cur_params.dot11MeshHWMPperrMinInterval) ||
7536 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7537 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7538 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7539 		       cur_params.dot11MeshHWMPRootMode) ||
7540 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7541 			cur_params.dot11MeshHWMPRannInterval) ||
7542 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7543 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7544 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7545 		       cur_params.dot11MeshForwarding) ||
7546 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7547 			cur_params.rssi_threshold) ||
7548 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7549 			cur_params.ht_opmode) ||
7550 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7551 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7552 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7553 			cur_params.dot11MeshHWMProotInterval) ||
7554 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7555 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7556 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7557 			cur_params.power_mode) ||
7558 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7559 			cur_params.dot11MeshAwakeWindowDuration) ||
7560 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7561 			cur_params.plink_timeout) ||
7562 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7563 		       cur_params.dot11MeshConnectedToMeshGate) ||
7564 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7565 		       cur_params.dot11MeshNolearn) ||
7566 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7567 		       cur_params.dot11MeshConnectedToAuthServer))
7568 		goto nla_put_failure;
7569 	nla_nest_end(msg, pinfoattr);
7570 	genlmsg_end(msg, hdr);
7571 	return genlmsg_reply(msg, info);
7572 
7573  nla_put_failure:
7574  out:
7575 	nlmsg_free(msg);
7576 	return -ENOBUFS;
7577 }
7578 
7579 static const struct nla_policy
7580 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7581 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7582 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7583 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7584 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7585 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7586 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7587 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7588 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7589 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7590 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7591 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7592 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7593 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7594 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7595 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7596 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7597 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7598 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7599 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7600 		NLA_POLICY_MIN(NLA_U16, 1),
7601 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7602 		NLA_POLICY_MIN(NLA_U16, 1),
7603 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7604 		NLA_POLICY_MIN(NLA_U16, 1),
7605 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7606 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7607 		NLA_POLICY_MIN(NLA_U16, 1),
7608 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7609 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7610 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7611 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7612 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7613 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7614 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7615 		NLA_POLICY_MIN(NLA_U16, 1),
7616 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7617 		NLA_POLICY_MIN(NLA_U16, 1),
7618 	[NL80211_MESHCONF_POWER_MODE] =
7619 		NLA_POLICY_RANGE(NLA_U32,
7620 				 NL80211_MESH_POWER_ACTIVE,
7621 				 NL80211_MESH_POWER_MAX),
7622 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7623 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7624 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7625 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7626 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7627 };
7628 
7629 static const struct nla_policy
7630 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7631 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7632 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7633 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7634 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7635 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7636 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7637 	[NL80211_MESH_SETUP_IE] =
7638 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7639 				       IEEE80211_MAX_DATA_LEN),
7640 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7641 };
7642 
7643 static int nl80211_parse_mesh_config(struct genl_info *info,
7644 				     struct mesh_config *cfg,
7645 				     u32 *mask_out)
7646 {
7647 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7648 	u32 mask = 0;
7649 	u16 ht_opmode;
7650 
7651 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7652 do {									\
7653 	if (tb[attr]) {							\
7654 		cfg->param = fn(tb[attr]);				\
7655 		mask |= BIT((attr) - 1);				\
7656 	}								\
7657 } while (0)
7658 
7659 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7660 		return -EINVAL;
7661 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7662 		return -EINVAL;
7663 
7664 	/* This makes sure that there aren't more than 32 mesh config
7665 	 * parameters (otherwise our bitfield scheme would not work.) */
7666 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7667 
7668 	/* Fill in the params struct */
7669 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7670 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7671 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7672 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7673 				  nla_get_u16);
7674 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7675 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7676 				  nla_get_u16);
7677 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7678 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7679 				  nla_get_u16);
7680 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7681 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7682 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7683 				  NL80211_MESHCONF_TTL, nla_get_u8);
7684 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7685 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7686 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7687 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7688 				  nla_get_u8);
7689 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7690 				  mask,
7691 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7692 				  nla_get_u32);
7693 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7694 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7695 				  nla_get_u8);
7696 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7697 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7698 				  nla_get_u32);
7699 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7700 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7701 		return -EINVAL;
7702 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7703 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7704 				  nla_get_u16);
7705 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7706 				  mask,
7707 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7708 				  nla_get_u32);
7709 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7710 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7711 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7712 		return -EINVAL;
7713 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7714 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7715 				  nla_get_u16);
7716 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7717 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7718 				  nla_get_u16);
7719 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7720 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7721 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7722 				  nla_get_u16);
7723 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7724 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7725 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7726 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7727 				  nla_get_u16);
7728 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7729 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7730 				  nla_get_u8);
7731 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7732 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7733 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7734 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7735 				  nla_get_s32);
7736 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7737 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7738 				  nla_get_u8);
7739 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7740 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7741 				  nla_get_u8);
7742 	/*
7743 	 * Check HT operation mode based on
7744 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7745 	 */
7746 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7747 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7748 
7749 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7750 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7751 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7752 			return -EINVAL;
7753 
7754 		/* NON_HT_STA bit is reserved, but some programs set it */
7755 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7756 
7757 		cfg->ht_opmode = ht_opmode;
7758 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7759 	}
7760 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7761 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7762 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7763 				  nla_get_u32);
7764 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7765 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7766 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7767 		return -EINVAL;
7768 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7769 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7770 				  nla_get_u16);
7771 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7772 				  mask,
7773 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7774 				  nla_get_u16);
7775 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7776 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7777 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7778 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7779 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7780 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7781 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7782 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7783 	if (mask_out)
7784 		*mask_out = mask;
7785 
7786 	return 0;
7787 
7788 #undef FILL_IN_MESH_PARAM_IF_SET
7789 }
7790 
7791 static int nl80211_parse_mesh_setup(struct genl_info *info,
7792 				     struct mesh_setup *setup)
7793 {
7794 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7795 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7796 
7797 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7798 		return -EINVAL;
7799 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7800 		return -EINVAL;
7801 
7802 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7803 		setup->sync_method =
7804 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7805 		 IEEE80211_SYNC_METHOD_VENDOR :
7806 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7807 
7808 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7809 		setup->path_sel_proto =
7810 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7811 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7812 		 IEEE80211_PATH_PROTOCOL_HWMP;
7813 
7814 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7815 		setup->path_metric =
7816 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7817 		 IEEE80211_PATH_METRIC_VENDOR :
7818 		 IEEE80211_PATH_METRIC_AIRTIME;
7819 
7820 	if (tb[NL80211_MESH_SETUP_IE]) {
7821 		struct nlattr *ieattr =
7822 			tb[NL80211_MESH_SETUP_IE];
7823 		setup->ie = nla_data(ieattr);
7824 		setup->ie_len = nla_len(ieattr);
7825 	}
7826 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7827 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7828 		return -EINVAL;
7829 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7830 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7831 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7832 	if (setup->is_secure)
7833 		setup->user_mpm = true;
7834 
7835 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7836 		if (!setup->user_mpm)
7837 			return -EINVAL;
7838 		setup->auth_id =
7839 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7840 	}
7841 
7842 	return 0;
7843 }
7844 
7845 static int nl80211_update_mesh_config(struct sk_buff *skb,
7846 				      struct genl_info *info)
7847 {
7848 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7849 	struct net_device *dev = info->user_ptr[1];
7850 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7851 	struct mesh_config cfg;
7852 	u32 mask;
7853 	int err;
7854 
7855 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7856 		return -EOPNOTSUPP;
7857 
7858 	if (!rdev->ops->update_mesh_config)
7859 		return -EOPNOTSUPP;
7860 
7861 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7862 	if (err)
7863 		return err;
7864 
7865 	wdev_lock(wdev);
7866 	if (!wdev->mesh_id_len)
7867 		err = -ENOLINK;
7868 
7869 	if (!err)
7870 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7871 
7872 	wdev_unlock(wdev);
7873 
7874 	return err;
7875 }
7876 
7877 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7878 			      struct sk_buff *msg)
7879 {
7880 	struct nlattr *nl_reg_rules;
7881 	unsigned int i;
7882 
7883 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7884 	    (regdom->dfs_region &&
7885 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7886 		goto nla_put_failure;
7887 
7888 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7889 	if (!nl_reg_rules)
7890 		goto nla_put_failure;
7891 
7892 	for (i = 0; i < regdom->n_reg_rules; i++) {
7893 		struct nlattr *nl_reg_rule;
7894 		const struct ieee80211_reg_rule *reg_rule;
7895 		const struct ieee80211_freq_range *freq_range;
7896 		const struct ieee80211_power_rule *power_rule;
7897 		unsigned int max_bandwidth_khz;
7898 
7899 		reg_rule = &regdom->reg_rules[i];
7900 		freq_range = &reg_rule->freq_range;
7901 		power_rule = &reg_rule->power_rule;
7902 
7903 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7904 		if (!nl_reg_rule)
7905 			goto nla_put_failure;
7906 
7907 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7908 		if (!max_bandwidth_khz)
7909 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7910 								  reg_rule);
7911 
7912 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7913 				reg_rule->flags) ||
7914 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7915 				freq_range->start_freq_khz) ||
7916 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7917 				freq_range->end_freq_khz) ||
7918 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7919 				max_bandwidth_khz) ||
7920 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7921 				power_rule->max_antenna_gain) ||
7922 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7923 				power_rule->max_eirp) ||
7924 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7925 				reg_rule->dfs_cac_ms))
7926 			goto nla_put_failure;
7927 
7928 		nla_nest_end(msg, nl_reg_rule);
7929 	}
7930 
7931 	nla_nest_end(msg, nl_reg_rules);
7932 	return 0;
7933 
7934 nla_put_failure:
7935 	return -EMSGSIZE;
7936 }
7937 
7938 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7939 {
7940 	const struct ieee80211_regdomain *regdom = NULL;
7941 	struct cfg80211_registered_device *rdev;
7942 	struct wiphy *wiphy = NULL;
7943 	struct sk_buff *msg;
7944 	void *hdr;
7945 
7946 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7947 	if (!msg)
7948 		return -ENOBUFS;
7949 
7950 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7951 			     NL80211_CMD_GET_REG);
7952 	if (!hdr)
7953 		goto put_failure;
7954 
7955 	rtnl_lock();
7956 
7957 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7958 		bool self_managed;
7959 
7960 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7961 		if (IS_ERR(rdev)) {
7962 			nlmsg_free(msg);
7963 			rtnl_unlock();
7964 			return PTR_ERR(rdev);
7965 		}
7966 
7967 		wiphy = &rdev->wiphy;
7968 		self_managed = wiphy->regulatory_flags &
7969 			       REGULATORY_WIPHY_SELF_MANAGED;
7970 		regdom = get_wiphy_regdom(wiphy);
7971 
7972 		/* a self-managed-reg device must have a private regdom */
7973 		if (WARN_ON(!regdom && self_managed)) {
7974 			nlmsg_free(msg);
7975 			rtnl_unlock();
7976 			return -EINVAL;
7977 		}
7978 
7979 		if (regdom &&
7980 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7981 			goto nla_put_failure;
7982 	}
7983 
7984 	if (!wiphy && reg_last_request_cell_base() &&
7985 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7986 			NL80211_USER_REG_HINT_CELL_BASE))
7987 		goto nla_put_failure;
7988 
7989 	rcu_read_lock();
7990 
7991 	if (!regdom)
7992 		regdom = rcu_dereference(cfg80211_regdomain);
7993 
7994 	if (nl80211_put_regdom(regdom, msg))
7995 		goto nla_put_failure_rcu;
7996 
7997 	rcu_read_unlock();
7998 
7999 	genlmsg_end(msg, hdr);
8000 	rtnl_unlock();
8001 	return genlmsg_reply(msg, info);
8002 
8003 nla_put_failure_rcu:
8004 	rcu_read_unlock();
8005 nla_put_failure:
8006 	rtnl_unlock();
8007 put_failure:
8008 	nlmsg_free(msg);
8009 	return -EMSGSIZE;
8010 }
8011 
8012 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8013 			       u32 seq, int flags, struct wiphy *wiphy,
8014 			       const struct ieee80211_regdomain *regdom)
8015 {
8016 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8017 				   NL80211_CMD_GET_REG);
8018 
8019 	if (!hdr)
8020 		return -1;
8021 
8022 	genl_dump_check_consistent(cb, hdr);
8023 
8024 	if (nl80211_put_regdom(regdom, msg))
8025 		goto nla_put_failure;
8026 
8027 	if (!wiphy && reg_last_request_cell_base() &&
8028 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8029 			NL80211_USER_REG_HINT_CELL_BASE))
8030 		goto nla_put_failure;
8031 
8032 	if (wiphy &&
8033 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8034 		goto nla_put_failure;
8035 
8036 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8037 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8038 		goto nla_put_failure;
8039 
8040 	genlmsg_end(msg, hdr);
8041 	return 0;
8042 
8043 nla_put_failure:
8044 	genlmsg_cancel(msg, hdr);
8045 	return -EMSGSIZE;
8046 }
8047 
8048 static int nl80211_get_reg_dump(struct sk_buff *skb,
8049 				struct netlink_callback *cb)
8050 {
8051 	const struct ieee80211_regdomain *regdom = NULL;
8052 	struct cfg80211_registered_device *rdev;
8053 	int err, reg_idx, start = cb->args[2];
8054 
8055 	rtnl_lock();
8056 
8057 	if (cfg80211_regdomain && start == 0) {
8058 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8059 					  NLM_F_MULTI, NULL,
8060 					  rtnl_dereference(cfg80211_regdomain));
8061 		if (err < 0)
8062 			goto out_err;
8063 	}
8064 
8065 	/* the global regdom is idx 0 */
8066 	reg_idx = 1;
8067 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
8068 		regdom = get_wiphy_regdom(&rdev->wiphy);
8069 		if (!regdom)
8070 			continue;
8071 
8072 		if (++reg_idx <= start)
8073 			continue;
8074 
8075 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8076 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8077 		if (err < 0) {
8078 			reg_idx--;
8079 			break;
8080 		}
8081 	}
8082 
8083 	cb->args[2] = reg_idx;
8084 	err = skb->len;
8085 out_err:
8086 	rtnl_unlock();
8087 	return err;
8088 }
8089 
8090 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8091 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8092 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8093 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8094 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8095 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8096 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8097 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8098 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8099 };
8100 
8101 static int parse_reg_rule(struct nlattr *tb[],
8102 	struct ieee80211_reg_rule *reg_rule)
8103 {
8104 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8105 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8106 
8107 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8108 		return -EINVAL;
8109 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8110 		return -EINVAL;
8111 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8112 		return -EINVAL;
8113 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8114 		return -EINVAL;
8115 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8116 		return -EINVAL;
8117 
8118 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8119 
8120 	freq_range->start_freq_khz =
8121 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8122 	freq_range->end_freq_khz =
8123 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8124 	freq_range->max_bandwidth_khz =
8125 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8126 
8127 	power_rule->max_eirp =
8128 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8129 
8130 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8131 		power_rule->max_antenna_gain =
8132 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8133 
8134 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8135 		reg_rule->dfs_cac_ms =
8136 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8137 
8138 	return 0;
8139 }
8140 
8141 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8142 {
8143 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8144 	struct nlattr *nl_reg_rule;
8145 	char *alpha2;
8146 	int rem_reg_rules, r;
8147 	u32 num_rules = 0, rule_idx = 0;
8148 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8149 	struct ieee80211_regdomain *rd;
8150 
8151 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8152 		return -EINVAL;
8153 
8154 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8155 		return -EINVAL;
8156 
8157 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8158 
8159 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8160 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8161 
8162 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8163 			    rem_reg_rules) {
8164 		num_rules++;
8165 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8166 			return -EINVAL;
8167 	}
8168 
8169 	rtnl_lock();
8170 	if (!reg_is_valid_request(alpha2)) {
8171 		r = -EINVAL;
8172 		goto out;
8173 	}
8174 
8175 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8176 	if (!rd) {
8177 		r = -ENOMEM;
8178 		goto out;
8179 	}
8180 
8181 	rd->n_reg_rules = num_rules;
8182 	rd->alpha2[0] = alpha2[0];
8183 	rd->alpha2[1] = alpha2[1];
8184 
8185 	/*
8186 	 * Disable DFS master mode if the DFS region was
8187 	 * not supported or known on this kernel.
8188 	 */
8189 	if (reg_supported_dfs_region(dfs_region))
8190 		rd->dfs_region = dfs_region;
8191 
8192 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8193 			    rem_reg_rules) {
8194 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8195 						nl_reg_rule, reg_rule_policy,
8196 						info->extack);
8197 		if (r)
8198 			goto bad_reg;
8199 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8200 		if (r)
8201 			goto bad_reg;
8202 
8203 		rule_idx++;
8204 
8205 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8206 			r = -EINVAL;
8207 			goto bad_reg;
8208 		}
8209 	}
8210 
8211 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8212 	/* set_regdom takes ownership of rd */
8213 	rd = NULL;
8214  bad_reg:
8215 	kfree(rd);
8216  out:
8217 	rtnl_unlock();
8218 	return r;
8219 }
8220 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8221 
8222 static int validate_scan_freqs(struct nlattr *freqs)
8223 {
8224 	struct nlattr *attr1, *attr2;
8225 	int n_channels = 0, tmp1, tmp2;
8226 
8227 	nla_for_each_nested(attr1, freqs, tmp1)
8228 		if (nla_len(attr1) != sizeof(u32))
8229 			return 0;
8230 
8231 	nla_for_each_nested(attr1, freqs, tmp1) {
8232 		n_channels++;
8233 		/*
8234 		 * Some hardware has a limited channel list for
8235 		 * scanning, and it is pretty much nonsensical
8236 		 * to scan for a channel twice, so disallow that
8237 		 * and don't require drivers to check that the
8238 		 * channel list they get isn't longer than what
8239 		 * they can scan, as long as they can scan all
8240 		 * the channels they registered at once.
8241 		 */
8242 		nla_for_each_nested(attr2, freqs, tmp2)
8243 			if (attr1 != attr2 &&
8244 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8245 				return 0;
8246 	}
8247 
8248 	return n_channels;
8249 }
8250 
8251 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8252 {
8253 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8254 }
8255 
8256 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8257 			    struct cfg80211_bss_selection *bss_select)
8258 {
8259 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8260 	struct nlattr *nest;
8261 	int err;
8262 	bool found = false;
8263 	int i;
8264 
8265 	/* only process one nested attribute */
8266 	nest = nla_data(nla);
8267 	if (!nla_ok(nest, nla_len(nest)))
8268 		return -EINVAL;
8269 
8270 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8271 					  nest, nl80211_bss_select_policy,
8272 					  NULL);
8273 	if (err)
8274 		return err;
8275 
8276 	/* only one attribute may be given */
8277 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8278 		if (attr[i]) {
8279 			if (found)
8280 				return -EINVAL;
8281 			found = true;
8282 		}
8283 	}
8284 
8285 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8286 
8287 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8288 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8289 
8290 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8291 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8292 		bss_select->param.band_pref =
8293 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8294 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8295 			return -EINVAL;
8296 	}
8297 
8298 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8299 		struct nl80211_bss_select_rssi_adjust *adj_param;
8300 
8301 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8302 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8303 		bss_select->param.adjust.band = adj_param->band;
8304 		bss_select->param.adjust.delta = adj_param->delta;
8305 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8306 			return -EINVAL;
8307 	}
8308 
8309 	/* user-space did not provide behaviour attribute */
8310 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8311 		return -EINVAL;
8312 
8313 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8314 		return -EINVAL;
8315 
8316 	return 0;
8317 }
8318 
8319 int nl80211_parse_random_mac(struct nlattr **attrs,
8320 			     u8 *mac_addr, u8 *mac_addr_mask)
8321 {
8322 	int i;
8323 
8324 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8325 		eth_zero_addr(mac_addr);
8326 		eth_zero_addr(mac_addr_mask);
8327 		mac_addr[0] = 0x2;
8328 		mac_addr_mask[0] = 0x3;
8329 
8330 		return 0;
8331 	}
8332 
8333 	/* need both or none */
8334 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8335 		return -EINVAL;
8336 
8337 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8338 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8339 
8340 	/* don't allow or configure an mcast address */
8341 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8342 	    is_multicast_ether_addr(mac_addr))
8343 		return -EINVAL;
8344 
8345 	/*
8346 	 * allow users to pass a MAC address that has bits set outside
8347 	 * of the mask, but don't bother drivers with having to deal
8348 	 * with such bits
8349 	 */
8350 	for (i = 0; i < ETH_ALEN; i++)
8351 		mac_addr[i] &= mac_addr_mask[i];
8352 
8353 	return 0;
8354 }
8355 
8356 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8357 {
8358 	ASSERT_WDEV_LOCK(wdev);
8359 
8360 	if (!cfg80211_beaconing_iface_active(wdev))
8361 		return true;
8362 
8363 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8364 		return true;
8365 
8366 	return regulatory_pre_cac_allowed(wdev->wiphy);
8367 }
8368 
8369 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8370 				    enum nl80211_ext_feature_index feat)
8371 {
8372 	if (!(flags & flag))
8373 		return true;
8374 	if (wiphy_ext_feature_isset(wiphy, feat))
8375 		return true;
8376 	return false;
8377 }
8378 
8379 static int
8380 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8381 			 void *request, struct nlattr **attrs,
8382 			 bool is_sched_scan)
8383 {
8384 	u8 *mac_addr, *mac_addr_mask;
8385 	u32 *flags;
8386 	enum nl80211_feature_flags randomness_flag;
8387 
8388 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8389 		return 0;
8390 
8391 	if (is_sched_scan) {
8392 		struct cfg80211_sched_scan_request *req = request;
8393 
8394 		randomness_flag = wdev ?
8395 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8396 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8397 		flags = &req->flags;
8398 		mac_addr = req->mac_addr;
8399 		mac_addr_mask = req->mac_addr_mask;
8400 	} else {
8401 		struct cfg80211_scan_request *req = request;
8402 
8403 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8404 		flags = &req->flags;
8405 		mac_addr = req->mac_addr;
8406 		mac_addr_mask = req->mac_addr_mask;
8407 	}
8408 
8409 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8410 
8411 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8412 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8413 	    !nl80211_check_scan_feat(wiphy, *flags,
8414 				     NL80211_SCAN_FLAG_LOW_SPAN,
8415 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8416 	    !nl80211_check_scan_feat(wiphy, *flags,
8417 				     NL80211_SCAN_FLAG_LOW_POWER,
8418 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8419 	    !nl80211_check_scan_feat(wiphy, *flags,
8420 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8421 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8422 	    !nl80211_check_scan_feat(wiphy, *flags,
8423 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8424 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8425 	    !nl80211_check_scan_feat(wiphy, *flags,
8426 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8427 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8428 	    !nl80211_check_scan_feat(wiphy, *flags,
8429 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8430 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8431 	    !nl80211_check_scan_feat(wiphy, *flags,
8432 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8433 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8434 	    !nl80211_check_scan_feat(wiphy, *flags,
8435 				     NL80211_SCAN_FLAG_RANDOM_SN,
8436 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8437 	    !nl80211_check_scan_feat(wiphy, *flags,
8438 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8439 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8440 		return -EOPNOTSUPP;
8441 
8442 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8443 		int err;
8444 
8445 		if (!(wiphy->features & randomness_flag) ||
8446 		    (wdev && wdev->current_bss))
8447 			return -EOPNOTSUPP;
8448 
8449 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8450 		if (err)
8451 			return err;
8452 	}
8453 
8454 	return 0;
8455 }
8456 
8457 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8458 {
8459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8460 	struct wireless_dev *wdev = info->user_ptr[1];
8461 	struct cfg80211_scan_request *request;
8462 	struct nlattr *scan_freqs = NULL;
8463 	bool scan_freqs_khz = false;
8464 	struct nlattr *attr;
8465 	struct wiphy *wiphy;
8466 	int err, tmp, n_ssids = 0, n_channels, i;
8467 	size_t ie_len;
8468 
8469 	wiphy = &rdev->wiphy;
8470 
8471 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8472 		return -EOPNOTSUPP;
8473 
8474 	if (!rdev->ops->scan)
8475 		return -EOPNOTSUPP;
8476 
8477 	if (rdev->scan_req || rdev->scan_msg)
8478 		return -EBUSY;
8479 
8480 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8481 		if (!wiphy_ext_feature_isset(wiphy,
8482 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8483 			return -EOPNOTSUPP;
8484 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8485 		scan_freqs_khz = true;
8486 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8487 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8488 
8489 	if (scan_freqs) {
8490 		n_channels = validate_scan_freqs(scan_freqs);
8491 		if (!n_channels)
8492 			return -EINVAL;
8493 	} else {
8494 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8495 	}
8496 
8497 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8498 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8499 			n_ssids++;
8500 
8501 	if (n_ssids > wiphy->max_scan_ssids)
8502 		return -EINVAL;
8503 
8504 	if (info->attrs[NL80211_ATTR_IE])
8505 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8506 	else
8507 		ie_len = 0;
8508 
8509 	if (ie_len > wiphy->max_scan_ie_len)
8510 		return -EINVAL;
8511 
8512 	request = kzalloc(sizeof(*request)
8513 			+ sizeof(*request->ssids) * n_ssids
8514 			+ sizeof(*request->channels) * n_channels
8515 			+ ie_len, GFP_KERNEL);
8516 	if (!request)
8517 		return -ENOMEM;
8518 
8519 	if (n_ssids)
8520 		request->ssids = (void *)&request->channels[n_channels];
8521 	request->n_ssids = n_ssids;
8522 	if (ie_len) {
8523 		if (n_ssids)
8524 			request->ie = (void *)(request->ssids + n_ssids);
8525 		else
8526 			request->ie = (void *)(request->channels + n_channels);
8527 	}
8528 
8529 	i = 0;
8530 	if (scan_freqs) {
8531 		/* user specified, bail out if channel not found */
8532 		nla_for_each_nested(attr, scan_freqs, tmp) {
8533 			struct ieee80211_channel *chan;
8534 			int freq = nla_get_u32(attr);
8535 
8536 			if (!scan_freqs_khz)
8537 				freq = MHZ_TO_KHZ(freq);
8538 
8539 			chan = ieee80211_get_channel_khz(wiphy, freq);
8540 			if (!chan) {
8541 				err = -EINVAL;
8542 				goto out_free;
8543 			}
8544 
8545 			/* ignore disabled channels */
8546 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8547 				continue;
8548 
8549 			request->channels[i] = chan;
8550 			i++;
8551 		}
8552 	} else {
8553 		enum nl80211_band band;
8554 
8555 		/* all channels */
8556 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8557 			int j;
8558 
8559 			if (!wiphy->bands[band])
8560 				continue;
8561 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8562 				struct ieee80211_channel *chan;
8563 
8564 				chan = &wiphy->bands[band]->channels[j];
8565 
8566 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8567 					continue;
8568 
8569 				request->channels[i] = chan;
8570 				i++;
8571 			}
8572 		}
8573 	}
8574 
8575 	if (!i) {
8576 		err = -EINVAL;
8577 		goto out_free;
8578 	}
8579 
8580 	request->n_channels = i;
8581 
8582 	wdev_lock(wdev);
8583 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8584 		struct ieee80211_channel *chan;
8585 
8586 		if (request->n_channels != 1) {
8587 			wdev_unlock(wdev);
8588 			err = -EBUSY;
8589 			goto out_free;
8590 		}
8591 
8592 		chan = request->channels[0];
8593 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8594 			wdev_unlock(wdev);
8595 			err = -EBUSY;
8596 			goto out_free;
8597 		}
8598 	}
8599 	wdev_unlock(wdev);
8600 
8601 	i = 0;
8602 	if (n_ssids) {
8603 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8604 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8605 				err = -EINVAL;
8606 				goto out_free;
8607 			}
8608 			request->ssids[i].ssid_len = nla_len(attr);
8609 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8610 			i++;
8611 		}
8612 	}
8613 
8614 	if (info->attrs[NL80211_ATTR_IE]) {
8615 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8616 		memcpy((void *)request->ie,
8617 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8618 		       request->ie_len);
8619 	}
8620 
8621 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8622 		if (wiphy->bands[i])
8623 			request->rates[i] =
8624 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8625 
8626 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8627 		nla_for_each_nested(attr,
8628 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8629 				    tmp) {
8630 			enum nl80211_band band = nla_type(attr);
8631 
8632 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8633 				err = -EINVAL;
8634 				goto out_free;
8635 			}
8636 
8637 			if (!wiphy->bands[band])
8638 				continue;
8639 
8640 			err = ieee80211_get_ratemask(wiphy->bands[band],
8641 						     nla_data(attr),
8642 						     nla_len(attr),
8643 						     &request->rates[band]);
8644 			if (err)
8645 				goto out_free;
8646 		}
8647 	}
8648 
8649 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8650 		request->duration =
8651 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8652 		request->duration_mandatory =
8653 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8654 	}
8655 
8656 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8657 				       false);
8658 	if (err)
8659 		goto out_free;
8660 
8661 	request->no_cck =
8662 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8663 
8664 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8665 	 * BSSID to scan for. This was problematic because that same attribute
8666 	 * was already used for another purpose (local random MAC address). The
8667 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8668 	 * compatibility with older userspace components, also use the
8669 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8670 	 * the specific BSSID use case instead of the random MAC address
8671 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8672 	 */
8673 	if (info->attrs[NL80211_ATTR_BSSID])
8674 		memcpy(request->bssid,
8675 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8676 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8677 		 info->attrs[NL80211_ATTR_MAC])
8678 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8679 		       ETH_ALEN);
8680 	else
8681 		eth_broadcast_addr(request->bssid);
8682 
8683 	request->wdev = wdev;
8684 	request->wiphy = &rdev->wiphy;
8685 	request->scan_start = jiffies;
8686 
8687 	rdev->scan_req = request;
8688 	err = cfg80211_scan(rdev);
8689 
8690 	if (err)
8691 		goto out_free;
8692 
8693 	nl80211_send_scan_start(rdev, wdev);
8694 	dev_hold(wdev->netdev);
8695 
8696 	return 0;
8697 
8698  out_free:
8699 	rdev->scan_req = NULL;
8700 	kfree(request);
8701 
8702 	return err;
8703 }
8704 
8705 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8706 {
8707 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8708 	struct wireless_dev *wdev = info->user_ptr[1];
8709 
8710 	if (!rdev->ops->abort_scan)
8711 		return -EOPNOTSUPP;
8712 
8713 	if (rdev->scan_msg)
8714 		return 0;
8715 
8716 	if (!rdev->scan_req)
8717 		return -ENOENT;
8718 
8719 	rdev_abort_scan(rdev, wdev);
8720 	return 0;
8721 }
8722 
8723 static int
8724 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8725 			       struct cfg80211_sched_scan_request *request,
8726 			       struct nlattr **attrs)
8727 {
8728 	int tmp, err, i = 0;
8729 	struct nlattr *attr;
8730 
8731 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8732 		u32 interval;
8733 
8734 		/*
8735 		 * If scan plans are not specified,
8736 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8737 		 * case one scan plan will be set with the specified scan
8738 		 * interval and infinite number of iterations.
8739 		 */
8740 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8741 		if (!interval)
8742 			return -EINVAL;
8743 
8744 		request->scan_plans[0].interval =
8745 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8746 		if (!request->scan_plans[0].interval)
8747 			return -EINVAL;
8748 
8749 		if (request->scan_plans[0].interval >
8750 		    wiphy->max_sched_scan_plan_interval)
8751 			request->scan_plans[0].interval =
8752 				wiphy->max_sched_scan_plan_interval;
8753 
8754 		return 0;
8755 	}
8756 
8757 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8758 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8759 
8760 		if (WARN_ON(i >= n_plans))
8761 			return -EINVAL;
8762 
8763 		err = nla_parse_nested_deprecated(plan,
8764 						  NL80211_SCHED_SCAN_PLAN_MAX,
8765 						  attr, nl80211_plan_policy,
8766 						  NULL);
8767 		if (err)
8768 			return err;
8769 
8770 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8771 			return -EINVAL;
8772 
8773 		request->scan_plans[i].interval =
8774 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8775 		if (!request->scan_plans[i].interval ||
8776 		    request->scan_plans[i].interval >
8777 		    wiphy->max_sched_scan_plan_interval)
8778 			return -EINVAL;
8779 
8780 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8781 			request->scan_plans[i].iterations =
8782 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8783 			if (!request->scan_plans[i].iterations ||
8784 			    (request->scan_plans[i].iterations >
8785 			     wiphy->max_sched_scan_plan_iterations))
8786 				return -EINVAL;
8787 		} else if (i < n_plans - 1) {
8788 			/*
8789 			 * All scan plans but the last one must specify
8790 			 * a finite number of iterations
8791 			 */
8792 			return -EINVAL;
8793 		}
8794 
8795 		i++;
8796 	}
8797 
8798 	/*
8799 	 * The last scan plan must not specify the number of
8800 	 * iterations, it is supposed to run infinitely
8801 	 */
8802 	if (request->scan_plans[n_plans - 1].iterations)
8803 		return  -EINVAL;
8804 
8805 	return 0;
8806 }
8807 
8808 static int
8809 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8810 				       struct cfg80211_match_set *match_sets,
8811 				       struct nlattr *tb_band_rssi,
8812 				       s32 rssi_thold)
8813 {
8814 	struct nlattr *attr;
8815 	int i, tmp, ret = 0;
8816 
8817 	if (!wiphy_ext_feature_isset(wiphy,
8818 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8819 		if (tb_band_rssi)
8820 			ret = -EOPNOTSUPP;
8821 		else
8822 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8823 				match_sets->per_band_rssi_thold[i] =
8824 					NL80211_SCAN_RSSI_THOLD_OFF;
8825 		return ret;
8826 	}
8827 
8828 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8829 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8830 
8831 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8832 		enum nl80211_band band = nla_type(attr);
8833 
8834 		if (band < 0 || band >= NUM_NL80211_BANDS)
8835 			return -EINVAL;
8836 
8837 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8838 	}
8839 
8840 	return 0;
8841 }
8842 
8843 static struct cfg80211_sched_scan_request *
8844 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8845 			 struct nlattr **attrs, int max_match_sets)
8846 {
8847 	struct cfg80211_sched_scan_request *request;
8848 	struct nlattr *attr;
8849 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8850 	enum nl80211_band band;
8851 	size_t ie_len;
8852 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8853 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8854 
8855 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8856 		n_channels = validate_scan_freqs(
8857 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8858 		if (!n_channels)
8859 			return ERR_PTR(-EINVAL);
8860 	} else {
8861 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8862 	}
8863 
8864 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8865 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8866 				    tmp)
8867 			n_ssids++;
8868 
8869 	if (n_ssids > wiphy->max_sched_scan_ssids)
8870 		return ERR_PTR(-EINVAL);
8871 
8872 	/*
8873 	 * First, count the number of 'real' matchsets. Due to an issue with
8874 	 * the old implementation, matchsets containing only the RSSI attribute
8875 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8876 	 * RSSI for all matchsets, rather than their own matchset for reporting
8877 	 * all APs with a strong RSSI. This is needed to be compatible with
8878 	 * older userspace that treated a matchset with only the RSSI as the
8879 	 * global RSSI for all other matchsets - if there are other matchsets.
8880 	 */
8881 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8882 		nla_for_each_nested(attr,
8883 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8884 				    tmp) {
8885 			struct nlattr *rssi;
8886 
8887 			err = nla_parse_nested_deprecated(tb,
8888 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8889 							  attr,
8890 							  nl80211_match_policy,
8891 							  NULL);
8892 			if (err)
8893 				return ERR_PTR(err);
8894 
8895 			/* SSID and BSSID are mutually exclusive */
8896 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8897 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8898 				return ERR_PTR(-EINVAL);
8899 
8900 			/* add other standalone attributes here */
8901 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8902 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8903 				n_match_sets++;
8904 				continue;
8905 			}
8906 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8907 			if (rssi)
8908 				default_match_rssi = nla_get_s32(rssi);
8909 		}
8910 	}
8911 
8912 	/* However, if there's no other matchset, add the RSSI one */
8913 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8914 		n_match_sets = 1;
8915 
8916 	if (n_match_sets > max_match_sets)
8917 		return ERR_PTR(-EINVAL);
8918 
8919 	if (attrs[NL80211_ATTR_IE])
8920 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8921 	else
8922 		ie_len = 0;
8923 
8924 	if (ie_len > wiphy->max_sched_scan_ie_len)
8925 		return ERR_PTR(-EINVAL);
8926 
8927 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8928 		/*
8929 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8930 		 * each scan plan already specifies its own interval
8931 		 */
8932 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8933 			return ERR_PTR(-EINVAL);
8934 
8935 		nla_for_each_nested(attr,
8936 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8937 			n_plans++;
8938 	} else {
8939 		/*
8940 		 * The scan interval attribute is kept for backward
8941 		 * compatibility. If no scan plans are specified and sched scan
8942 		 * interval is specified, one scan plan will be set with this
8943 		 * scan interval and infinite number of iterations.
8944 		 */
8945 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8946 			return ERR_PTR(-EINVAL);
8947 
8948 		n_plans = 1;
8949 	}
8950 
8951 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8952 		return ERR_PTR(-EINVAL);
8953 
8954 	if (!wiphy_ext_feature_isset(
8955 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8956 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8957 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8958 		return ERR_PTR(-EINVAL);
8959 
8960 	request = kzalloc(sizeof(*request)
8961 			+ sizeof(*request->ssids) * n_ssids
8962 			+ sizeof(*request->match_sets) * n_match_sets
8963 			+ sizeof(*request->scan_plans) * n_plans
8964 			+ sizeof(*request->channels) * n_channels
8965 			+ ie_len, GFP_KERNEL);
8966 	if (!request)
8967 		return ERR_PTR(-ENOMEM);
8968 
8969 	if (n_ssids)
8970 		request->ssids = (void *)&request->channels[n_channels];
8971 	request->n_ssids = n_ssids;
8972 	if (ie_len) {
8973 		if (n_ssids)
8974 			request->ie = (void *)(request->ssids + n_ssids);
8975 		else
8976 			request->ie = (void *)(request->channels + n_channels);
8977 	}
8978 
8979 	if (n_match_sets) {
8980 		if (request->ie)
8981 			request->match_sets = (void *)(request->ie + ie_len);
8982 		else if (n_ssids)
8983 			request->match_sets =
8984 				(void *)(request->ssids + n_ssids);
8985 		else
8986 			request->match_sets =
8987 				(void *)(request->channels + n_channels);
8988 	}
8989 	request->n_match_sets = n_match_sets;
8990 
8991 	if (n_match_sets)
8992 		request->scan_plans = (void *)(request->match_sets +
8993 					       n_match_sets);
8994 	else if (request->ie)
8995 		request->scan_plans = (void *)(request->ie + ie_len);
8996 	else if (n_ssids)
8997 		request->scan_plans = (void *)(request->ssids + n_ssids);
8998 	else
8999 		request->scan_plans = (void *)(request->channels + n_channels);
9000 
9001 	request->n_scan_plans = n_plans;
9002 
9003 	i = 0;
9004 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9005 		/* user specified, bail out if channel not found */
9006 		nla_for_each_nested(attr,
9007 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9008 				    tmp) {
9009 			struct ieee80211_channel *chan;
9010 
9011 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9012 
9013 			if (!chan) {
9014 				err = -EINVAL;
9015 				goto out_free;
9016 			}
9017 
9018 			/* ignore disabled channels */
9019 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9020 				continue;
9021 
9022 			request->channels[i] = chan;
9023 			i++;
9024 		}
9025 	} else {
9026 		/* all channels */
9027 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9028 			int j;
9029 
9030 			if (!wiphy->bands[band])
9031 				continue;
9032 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9033 				struct ieee80211_channel *chan;
9034 
9035 				chan = &wiphy->bands[band]->channels[j];
9036 
9037 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9038 					continue;
9039 
9040 				request->channels[i] = chan;
9041 				i++;
9042 			}
9043 		}
9044 	}
9045 
9046 	if (!i) {
9047 		err = -EINVAL;
9048 		goto out_free;
9049 	}
9050 
9051 	request->n_channels = i;
9052 
9053 	i = 0;
9054 	if (n_ssids) {
9055 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9056 				    tmp) {
9057 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9058 				err = -EINVAL;
9059 				goto out_free;
9060 			}
9061 			request->ssids[i].ssid_len = nla_len(attr);
9062 			memcpy(request->ssids[i].ssid, nla_data(attr),
9063 			       nla_len(attr));
9064 			i++;
9065 		}
9066 	}
9067 
9068 	i = 0;
9069 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9070 		nla_for_each_nested(attr,
9071 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9072 				    tmp) {
9073 			struct nlattr *ssid, *bssid, *rssi;
9074 
9075 			err = nla_parse_nested_deprecated(tb,
9076 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9077 							  attr,
9078 							  nl80211_match_policy,
9079 							  NULL);
9080 			if (err)
9081 				goto out_free;
9082 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9083 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9084 
9085 			if (!ssid && !bssid) {
9086 				i++;
9087 				continue;
9088 			}
9089 
9090 			if (WARN_ON(i >= n_match_sets)) {
9091 				/* this indicates a programming error,
9092 				 * the loop above should have verified
9093 				 * things properly
9094 				 */
9095 				err = -EINVAL;
9096 				goto out_free;
9097 			}
9098 
9099 			if (ssid) {
9100 				memcpy(request->match_sets[i].ssid.ssid,
9101 				       nla_data(ssid), nla_len(ssid));
9102 				request->match_sets[i].ssid.ssid_len =
9103 					nla_len(ssid);
9104 			}
9105 			if (bssid)
9106 				memcpy(request->match_sets[i].bssid,
9107 				       nla_data(bssid), ETH_ALEN);
9108 
9109 			/* special attribute - old implementation w/a */
9110 			request->match_sets[i].rssi_thold = default_match_rssi;
9111 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9112 			if (rssi)
9113 				request->match_sets[i].rssi_thold =
9114 					nla_get_s32(rssi);
9115 
9116 			/* Parse per band RSSI attribute */
9117 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9118 				&request->match_sets[i],
9119 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9120 				request->match_sets[i].rssi_thold);
9121 			if (err)
9122 				goto out_free;
9123 
9124 			i++;
9125 		}
9126 
9127 		/* there was no other matchset, so the RSSI one is alone */
9128 		if (i == 0 && n_match_sets)
9129 			request->match_sets[0].rssi_thold = default_match_rssi;
9130 
9131 		request->min_rssi_thold = INT_MAX;
9132 		for (i = 0; i < n_match_sets; i++)
9133 			request->min_rssi_thold =
9134 				min(request->match_sets[i].rssi_thold,
9135 				    request->min_rssi_thold);
9136 	} else {
9137 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9138 	}
9139 
9140 	if (ie_len) {
9141 		request->ie_len = ie_len;
9142 		memcpy((void *)request->ie,
9143 		       nla_data(attrs[NL80211_ATTR_IE]),
9144 		       request->ie_len);
9145 	}
9146 
9147 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9148 	if (err)
9149 		goto out_free;
9150 
9151 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9152 		request->delay =
9153 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9154 
9155 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9156 		request->relative_rssi = nla_get_s8(
9157 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9158 		request->relative_rssi_set = true;
9159 	}
9160 
9161 	if (request->relative_rssi_set &&
9162 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9163 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9164 
9165 		rssi_adjust = nla_data(
9166 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9167 		request->rssi_adjust.band = rssi_adjust->band;
9168 		request->rssi_adjust.delta = rssi_adjust->delta;
9169 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9170 			err = -EINVAL;
9171 			goto out_free;
9172 		}
9173 	}
9174 
9175 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9176 	if (err)
9177 		goto out_free;
9178 
9179 	request->scan_start = jiffies;
9180 
9181 	return request;
9182 
9183 out_free:
9184 	kfree(request);
9185 	return ERR_PTR(err);
9186 }
9187 
9188 static int nl80211_start_sched_scan(struct sk_buff *skb,
9189 				    struct genl_info *info)
9190 {
9191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9192 	struct net_device *dev = info->user_ptr[1];
9193 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9194 	struct cfg80211_sched_scan_request *sched_scan_req;
9195 	bool want_multi;
9196 	int err;
9197 
9198 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9199 		return -EOPNOTSUPP;
9200 
9201 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9202 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9203 	if (err)
9204 		return err;
9205 
9206 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9207 						  info->attrs,
9208 						  rdev->wiphy.max_match_sets);
9209 
9210 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9211 	if (err)
9212 		goto out_err;
9213 
9214 	/* leave request id zero for legacy request
9215 	 * or if driver does not support multi-scheduled scan
9216 	 */
9217 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9218 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9219 
9220 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9221 	if (err)
9222 		goto out_free;
9223 
9224 	sched_scan_req->dev = dev;
9225 	sched_scan_req->wiphy = &rdev->wiphy;
9226 
9227 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9228 		sched_scan_req->owner_nlportid = info->snd_portid;
9229 
9230 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9231 
9232 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9233 	return 0;
9234 
9235 out_free:
9236 	kfree(sched_scan_req);
9237 out_err:
9238 	return err;
9239 }
9240 
9241 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9242 				   struct genl_info *info)
9243 {
9244 	struct cfg80211_sched_scan_request *req;
9245 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9246 	u64 cookie;
9247 
9248 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9249 		return -EOPNOTSUPP;
9250 
9251 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9252 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9253 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9254 	}
9255 
9256 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9257 				     struct cfg80211_sched_scan_request,
9258 				     list);
9259 	if (!req || req->reqid ||
9260 	    (req->owner_nlportid &&
9261 	     req->owner_nlportid != info->snd_portid))
9262 		return -ENOENT;
9263 
9264 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9265 }
9266 
9267 static int nl80211_start_radar_detection(struct sk_buff *skb,
9268 					 struct genl_info *info)
9269 {
9270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9271 	struct net_device *dev = info->user_ptr[1];
9272 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9273 	struct wiphy *wiphy = wdev->wiphy;
9274 	struct cfg80211_chan_def chandef;
9275 	enum nl80211_dfs_regions dfs_region;
9276 	unsigned int cac_time_ms;
9277 	int err;
9278 
9279 	dfs_region = reg_get_dfs_region(wiphy);
9280 	if (dfs_region == NL80211_DFS_UNSET)
9281 		return -EINVAL;
9282 
9283 	err = nl80211_parse_chandef(rdev, info, &chandef);
9284 	if (err)
9285 		return err;
9286 
9287 	if (netif_carrier_ok(dev))
9288 		return -EBUSY;
9289 
9290 	if (wdev->cac_started)
9291 		return -EBUSY;
9292 
9293 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9294 	if (err < 0)
9295 		return err;
9296 
9297 	if (err == 0)
9298 		return -EINVAL;
9299 
9300 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
9301 		return -EINVAL;
9302 
9303 	/* CAC start is offloaded to HW and can't be started manually */
9304 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
9305 		return -EOPNOTSUPP;
9306 
9307 	if (!rdev->ops->start_radar_detection)
9308 		return -EOPNOTSUPP;
9309 
9310 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9311 	if (WARN_ON(!cac_time_ms))
9312 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9313 
9314 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9315 	if (!err) {
9316 		wdev->chandef = chandef;
9317 		wdev->cac_started = true;
9318 		wdev->cac_start_time = jiffies;
9319 		wdev->cac_time_ms = cac_time_ms;
9320 	}
9321 	return err;
9322 }
9323 
9324 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9325 					  struct genl_info *info)
9326 {
9327 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9328 	struct net_device *dev = info->user_ptr[1];
9329 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9330 	struct wiphy *wiphy = wdev->wiphy;
9331 	struct cfg80211_chan_def chandef;
9332 	enum nl80211_dfs_regions dfs_region;
9333 	int err;
9334 
9335 	dfs_region = reg_get_dfs_region(wiphy);
9336 	if (dfs_region == NL80211_DFS_UNSET) {
9337 		GENL_SET_ERR_MSG(info,
9338 				 "DFS Region is not set. Unexpected Radar indication");
9339 		return -EINVAL;
9340 	}
9341 
9342 	err = nl80211_parse_chandef(rdev, info, &chandef);
9343 	if (err) {
9344 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9345 		return err;
9346 	}
9347 
9348 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9349 	if (err < 0) {
9350 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9351 		return err;
9352 	}
9353 
9354 	if (err == 0) {
9355 		GENL_SET_ERR_MSG(info,
9356 				 "Unexpected Radar indication for chandef/iftype");
9357 		return -EINVAL;
9358 	}
9359 
9360 	/* Do not process this notification if radar is already detected
9361 	 * by kernel on this channel, and return success.
9362 	 */
9363 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9364 		return 0;
9365 
9366 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9367 
9368 	cfg80211_sched_dfs_chan_update(rdev);
9369 
9370 	rdev->radar_chandef = chandef;
9371 
9372 	/* Propagate this notification to other radios as well */
9373 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9374 
9375 	return 0;
9376 }
9377 
9378 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9379 {
9380 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9381 	struct net_device *dev = info->user_ptr[1];
9382 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9383 	struct cfg80211_csa_settings params;
9384 	struct nlattr **csa_attrs = NULL;
9385 	int err;
9386 	bool need_new_beacon = false;
9387 	bool need_handle_dfs_flag = true;
9388 	int len, i;
9389 	u32 cs_count;
9390 
9391 	if (!rdev->ops->channel_switch ||
9392 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9393 		return -EOPNOTSUPP;
9394 
9395 	switch (dev->ieee80211_ptr->iftype) {
9396 	case NL80211_IFTYPE_AP:
9397 	case NL80211_IFTYPE_P2P_GO:
9398 		need_new_beacon = true;
9399 		/* For all modes except AP the handle_dfs flag needs to be
9400 		 * supplied to tell the kernel that userspace will handle radar
9401 		 * events when they happen. Otherwise a switch to a channel
9402 		 * requiring DFS will be rejected.
9403 		 */
9404 		need_handle_dfs_flag = false;
9405 
9406 		/* useless if AP is not running */
9407 		if (!wdev->beacon_interval)
9408 			return -ENOTCONN;
9409 		break;
9410 	case NL80211_IFTYPE_ADHOC:
9411 		if (!wdev->ssid_len)
9412 			return -ENOTCONN;
9413 		break;
9414 	case NL80211_IFTYPE_MESH_POINT:
9415 		if (!wdev->mesh_id_len)
9416 			return -ENOTCONN;
9417 		break;
9418 	default:
9419 		return -EOPNOTSUPP;
9420 	}
9421 
9422 	memset(&params, 0, sizeof(params));
9423 	params.beacon_csa.ftm_responder = -1;
9424 
9425 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9426 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9427 		return -EINVAL;
9428 
9429 	/* only important for AP, IBSS and mesh create IEs internally */
9430 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9431 		return -EINVAL;
9432 
9433 	/* Even though the attribute is u32, the specification says
9434 	 * u8, so let's make sure we don't overflow.
9435 	 */
9436 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9437 	if (cs_count > 255)
9438 		return -EINVAL;
9439 
9440 	params.count = cs_count;
9441 
9442 	if (!need_new_beacon)
9443 		goto skip_beacons;
9444 
9445 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9446 	if (err)
9447 		goto free;
9448 
9449 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9450 			    GFP_KERNEL);
9451 	if (!csa_attrs) {
9452 		err = -ENOMEM;
9453 		goto free;
9454 	}
9455 
9456 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9457 					  info->attrs[NL80211_ATTR_CSA_IES],
9458 					  nl80211_policy, info->extack);
9459 	if (err)
9460 		goto free;
9461 
9462 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9463 	if (err)
9464 		goto free;
9465 
9466 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9467 		err = -EINVAL;
9468 		goto free;
9469 	}
9470 
9471 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9472 	if (!len || (len % sizeof(u16))) {
9473 		err = -EINVAL;
9474 		goto free;
9475 	}
9476 
9477 	params.n_counter_offsets_beacon = len / sizeof(u16);
9478 	if (rdev->wiphy.max_num_csa_counters &&
9479 	    (params.n_counter_offsets_beacon >
9480 	     rdev->wiphy.max_num_csa_counters)) {
9481 		err = -EINVAL;
9482 		goto free;
9483 	}
9484 
9485 	params.counter_offsets_beacon =
9486 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9487 
9488 	/* sanity checks - counters should fit and be the same */
9489 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9490 		u16 offset = params.counter_offsets_beacon[i];
9491 
9492 		if (offset >= params.beacon_csa.tail_len) {
9493 			err = -EINVAL;
9494 			goto free;
9495 		}
9496 
9497 		if (params.beacon_csa.tail[offset] != params.count) {
9498 			err = -EINVAL;
9499 			goto free;
9500 		}
9501 	}
9502 
9503 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9504 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9505 		if (!len || (len % sizeof(u16))) {
9506 			err = -EINVAL;
9507 			goto free;
9508 		}
9509 
9510 		params.n_counter_offsets_presp = len / sizeof(u16);
9511 		if (rdev->wiphy.max_num_csa_counters &&
9512 		    (params.n_counter_offsets_presp >
9513 		     rdev->wiphy.max_num_csa_counters)) {
9514 			err = -EINVAL;
9515 			goto free;
9516 		}
9517 
9518 		params.counter_offsets_presp =
9519 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9520 
9521 		/* sanity checks - counters should fit and be the same */
9522 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9523 			u16 offset = params.counter_offsets_presp[i];
9524 
9525 			if (offset >= params.beacon_csa.probe_resp_len) {
9526 				err = -EINVAL;
9527 				goto free;
9528 			}
9529 
9530 			if (params.beacon_csa.probe_resp[offset] !=
9531 			    params.count) {
9532 				err = -EINVAL;
9533 				goto free;
9534 			}
9535 		}
9536 	}
9537 
9538 skip_beacons:
9539 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9540 	if (err)
9541 		goto free;
9542 
9543 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9544 					   wdev->iftype)) {
9545 		err = -EINVAL;
9546 		goto free;
9547 	}
9548 
9549 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9550 					    &params.chandef,
9551 					    wdev->iftype);
9552 	if (err < 0)
9553 		goto free;
9554 
9555 	if (err > 0) {
9556 		params.radar_required = true;
9557 		if (need_handle_dfs_flag &&
9558 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9559 			err = -EINVAL;
9560 			goto free;
9561 		}
9562 	}
9563 
9564 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9565 		params.block_tx = true;
9566 
9567 	wdev_lock(wdev);
9568 	err = rdev_channel_switch(rdev, dev, &params);
9569 	wdev_unlock(wdev);
9570 
9571 free:
9572 	kfree(params.beacon_after.mbssid_ies);
9573 	kfree(params.beacon_csa.mbssid_ies);
9574 	kfree(csa_attrs);
9575 	return err;
9576 }
9577 
9578 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9579 			    u32 seq, int flags,
9580 			    struct cfg80211_registered_device *rdev,
9581 			    struct wireless_dev *wdev,
9582 			    struct cfg80211_internal_bss *intbss)
9583 {
9584 	struct cfg80211_bss *res = &intbss->pub;
9585 	const struct cfg80211_bss_ies *ies;
9586 	void *hdr;
9587 	struct nlattr *bss;
9588 
9589 	ASSERT_WDEV_LOCK(wdev);
9590 
9591 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9592 			     NL80211_CMD_NEW_SCAN_RESULTS);
9593 	if (!hdr)
9594 		return -1;
9595 
9596 	genl_dump_check_consistent(cb, hdr);
9597 
9598 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9599 		goto nla_put_failure;
9600 	if (wdev->netdev &&
9601 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9602 		goto nla_put_failure;
9603 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9604 			      NL80211_ATTR_PAD))
9605 		goto nla_put_failure;
9606 
9607 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9608 	if (!bss)
9609 		goto nla_put_failure;
9610 	if ((!is_zero_ether_addr(res->bssid) &&
9611 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9612 		goto nla_put_failure;
9613 
9614 	rcu_read_lock();
9615 	/* indicate whether we have probe response data or not */
9616 	if (rcu_access_pointer(res->proberesp_ies) &&
9617 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9618 		goto fail_unlock_rcu;
9619 
9620 	/* this pointer prefers to be pointed to probe response data
9621 	 * but is always valid
9622 	 */
9623 	ies = rcu_dereference(res->ies);
9624 	if (ies) {
9625 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9626 				      NL80211_BSS_PAD))
9627 			goto fail_unlock_rcu;
9628 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9629 					ies->len, ies->data))
9630 			goto fail_unlock_rcu;
9631 	}
9632 
9633 	/* and this pointer is always (unless driver didn't know) beacon data */
9634 	ies = rcu_dereference(res->beacon_ies);
9635 	if (ies && ies->from_beacon) {
9636 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9637 				      NL80211_BSS_PAD))
9638 			goto fail_unlock_rcu;
9639 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9640 					ies->len, ies->data))
9641 			goto fail_unlock_rcu;
9642 	}
9643 	rcu_read_unlock();
9644 
9645 	if (res->beacon_interval &&
9646 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9647 		goto nla_put_failure;
9648 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9649 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9650 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9651 			res->channel->freq_offset) ||
9652 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9653 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9654 			jiffies_to_msecs(jiffies - intbss->ts)))
9655 		goto nla_put_failure;
9656 
9657 	if (intbss->parent_tsf &&
9658 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9659 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9660 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9661 		     intbss->parent_bssid)))
9662 		goto nla_put_failure;
9663 
9664 	if (intbss->ts_boottime &&
9665 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9666 			      intbss->ts_boottime, NL80211_BSS_PAD))
9667 		goto nla_put_failure;
9668 
9669 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9670 				intbss->pub.chain_signal,
9671 				NL80211_BSS_CHAIN_SIGNAL))
9672 		goto nla_put_failure;
9673 
9674 	switch (rdev->wiphy.signal_type) {
9675 	case CFG80211_SIGNAL_TYPE_MBM:
9676 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9677 			goto nla_put_failure;
9678 		break;
9679 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9680 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9681 			goto nla_put_failure;
9682 		break;
9683 	default:
9684 		break;
9685 	}
9686 
9687 	switch (wdev->iftype) {
9688 	case NL80211_IFTYPE_P2P_CLIENT:
9689 	case NL80211_IFTYPE_STATION:
9690 		if (intbss == wdev->current_bss &&
9691 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9692 				NL80211_BSS_STATUS_ASSOCIATED))
9693 			goto nla_put_failure;
9694 		break;
9695 	case NL80211_IFTYPE_ADHOC:
9696 		if (intbss == wdev->current_bss &&
9697 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9698 				NL80211_BSS_STATUS_IBSS_JOINED))
9699 			goto nla_put_failure;
9700 		break;
9701 	default:
9702 		break;
9703 	}
9704 
9705 	nla_nest_end(msg, bss);
9706 
9707 	genlmsg_end(msg, hdr);
9708 	return 0;
9709 
9710  fail_unlock_rcu:
9711 	rcu_read_unlock();
9712  nla_put_failure:
9713 	genlmsg_cancel(msg, hdr);
9714 	return -EMSGSIZE;
9715 }
9716 
9717 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9718 {
9719 	struct cfg80211_registered_device *rdev;
9720 	struct cfg80211_internal_bss *scan;
9721 	struct wireless_dev *wdev;
9722 	int start = cb->args[2], idx = 0;
9723 	int err;
9724 
9725 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9726 	if (err)
9727 		return err;
9728 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9729 	__acquire(&rdev->wiphy.mtx);
9730 
9731 	wdev_lock(wdev);
9732 	spin_lock_bh(&rdev->bss_lock);
9733 
9734 	/*
9735 	 * dump_scan will be called multiple times to break up the scan results
9736 	 * into multiple messages.  It is unlikely that any more bss-es will be
9737 	 * expired after the first call, so only call only call this on the
9738 	 * first dump_scan invocation.
9739 	 */
9740 	if (start == 0)
9741 		cfg80211_bss_expire(rdev);
9742 
9743 	cb->seq = rdev->bss_generation;
9744 
9745 	list_for_each_entry(scan, &rdev->bss_list, list) {
9746 		if (++idx <= start)
9747 			continue;
9748 		if (nl80211_send_bss(skb, cb,
9749 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9750 				rdev, wdev, scan) < 0) {
9751 			idx--;
9752 			break;
9753 		}
9754 	}
9755 
9756 	spin_unlock_bh(&rdev->bss_lock);
9757 	wdev_unlock(wdev);
9758 
9759 	cb->args[2] = idx;
9760 	wiphy_unlock(&rdev->wiphy);
9761 
9762 	return skb->len;
9763 }
9764 
9765 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9766 			       int flags, struct net_device *dev,
9767 			       bool allow_radio_stats,
9768 			       struct survey_info *survey)
9769 {
9770 	void *hdr;
9771 	struct nlattr *infoattr;
9772 
9773 	/* skip radio stats if userspace didn't request them */
9774 	if (!survey->channel && !allow_radio_stats)
9775 		return 0;
9776 
9777 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9778 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9779 	if (!hdr)
9780 		return -ENOMEM;
9781 
9782 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9783 		goto nla_put_failure;
9784 
9785 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9786 	if (!infoattr)
9787 		goto nla_put_failure;
9788 
9789 	if (survey->channel &&
9790 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9791 			survey->channel->center_freq))
9792 		goto nla_put_failure;
9793 
9794 	if (survey->channel && survey->channel->freq_offset &&
9795 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9796 			survey->channel->freq_offset))
9797 		goto nla_put_failure;
9798 
9799 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9800 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9801 		goto nla_put_failure;
9802 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9803 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9804 		goto nla_put_failure;
9805 	if ((survey->filled & SURVEY_INFO_TIME) &&
9806 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9807 			survey->time, NL80211_SURVEY_INFO_PAD))
9808 		goto nla_put_failure;
9809 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9810 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9811 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9812 		goto nla_put_failure;
9813 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9814 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9815 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9816 		goto nla_put_failure;
9817 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9818 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9819 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9820 		goto nla_put_failure;
9821 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9822 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9823 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9824 		goto nla_put_failure;
9825 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9826 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9827 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9828 		goto nla_put_failure;
9829 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9830 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9831 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9832 		goto nla_put_failure;
9833 
9834 	nla_nest_end(msg, infoattr);
9835 
9836 	genlmsg_end(msg, hdr);
9837 	return 0;
9838 
9839  nla_put_failure:
9840 	genlmsg_cancel(msg, hdr);
9841 	return -EMSGSIZE;
9842 }
9843 
9844 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9845 {
9846 	struct nlattr **attrbuf;
9847 	struct survey_info survey;
9848 	struct cfg80211_registered_device *rdev;
9849 	struct wireless_dev *wdev;
9850 	int survey_idx = cb->args[2];
9851 	int res;
9852 	bool radio_stats;
9853 
9854 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9855 	if (!attrbuf)
9856 		return -ENOMEM;
9857 
9858 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9859 	if (res) {
9860 		kfree(attrbuf);
9861 		return res;
9862 	}
9863 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9864 	__acquire(&rdev->wiphy.mtx);
9865 
9866 	/* prepare_wdev_dump parsed the attributes */
9867 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9868 
9869 	if (!wdev->netdev) {
9870 		res = -EINVAL;
9871 		goto out_err;
9872 	}
9873 
9874 	if (!rdev->ops->dump_survey) {
9875 		res = -EOPNOTSUPP;
9876 		goto out_err;
9877 	}
9878 
9879 	while (1) {
9880 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9881 		if (res == -ENOENT)
9882 			break;
9883 		if (res)
9884 			goto out_err;
9885 
9886 		/* don't send disabled channels, but do send non-channel data */
9887 		if (survey.channel &&
9888 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9889 			survey_idx++;
9890 			continue;
9891 		}
9892 
9893 		if (nl80211_send_survey(skb,
9894 				NETLINK_CB(cb->skb).portid,
9895 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9896 				wdev->netdev, radio_stats, &survey) < 0)
9897 			goto out;
9898 		survey_idx++;
9899 	}
9900 
9901  out:
9902 	cb->args[2] = survey_idx;
9903 	res = skb->len;
9904  out_err:
9905 	kfree(attrbuf);
9906 	wiphy_unlock(&rdev->wiphy);
9907 	return res;
9908 }
9909 
9910 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9911 {
9912 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9913 				  NL80211_WPA_VERSION_2 |
9914 				  NL80211_WPA_VERSION_3));
9915 }
9916 
9917 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9918 {
9919 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9920 	struct net_device *dev = info->user_ptr[1];
9921 	struct ieee80211_channel *chan;
9922 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9923 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9924 	enum nl80211_auth_type auth_type;
9925 	struct key_parse key;
9926 	bool local_state_change;
9927 	u32 freq;
9928 
9929 	if (!info->attrs[NL80211_ATTR_MAC])
9930 		return -EINVAL;
9931 
9932 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9933 		return -EINVAL;
9934 
9935 	if (!info->attrs[NL80211_ATTR_SSID])
9936 		return -EINVAL;
9937 
9938 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9939 		return -EINVAL;
9940 
9941 	err = nl80211_parse_key(info, &key);
9942 	if (err)
9943 		return err;
9944 
9945 	if (key.idx >= 0) {
9946 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9947 			return -EINVAL;
9948 		if (!key.p.key || !key.p.key_len)
9949 			return -EINVAL;
9950 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9951 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9952 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9953 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9954 			return -EINVAL;
9955 		if (key.idx > 3)
9956 			return -EINVAL;
9957 	} else {
9958 		key.p.key_len = 0;
9959 		key.p.key = NULL;
9960 	}
9961 
9962 	if (key.idx >= 0) {
9963 		int i;
9964 		bool ok = false;
9965 
9966 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9967 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9968 				ok = true;
9969 				break;
9970 			}
9971 		}
9972 		if (!ok)
9973 			return -EINVAL;
9974 	}
9975 
9976 	if (!rdev->ops->auth)
9977 		return -EOPNOTSUPP;
9978 
9979 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9980 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9981 		return -EOPNOTSUPP;
9982 
9983 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9984 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9985 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9986 		freq +=
9987 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9988 
9989 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9990 	if (!chan)
9991 		return -EINVAL;
9992 
9993 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9994 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9995 
9996 	if (info->attrs[NL80211_ATTR_IE]) {
9997 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9998 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9999 	}
10000 
10001 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10002 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10003 		return -EINVAL;
10004 
10005 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10006 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10007 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10008 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10009 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10010 		return -EINVAL;
10011 
10012 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10013 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10014 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10015 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10016 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10017 			return -EINVAL;
10018 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10019 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10020 	}
10021 
10022 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10023 
10024 	/*
10025 	 * Since we no longer track auth state, ignore
10026 	 * requests to only change local state.
10027 	 */
10028 	if (local_state_change)
10029 		return 0;
10030 
10031 	wdev_lock(dev->ieee80211_ptr);
10032 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10033 				 ssid, ssid_len, ie, ie_len,
10034 				 key.p.key, key.p.key_len, key.idx,
10035 				 auth_data, auth_data_len);
10036 	wdev_unlock(dev->ieee80211_ptr);
10037 	return err;
10038 }
10039 
10040 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10041 				     struct genl_info *info)
10042 {
10043 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10044 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10045 		return -EINVAL;
10046 	}
10047 
10048 	if (!rdev->ops->tx_control_port ||
10049 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10050 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10051 		return -EOPNOTSUPP;
10052 
10053 	return 0;
10054 }
10055 
10056 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10057 				   struct genl_info *info,
10058 				   struct cfg80211_crypto_settings *settings,
10059 				   int cipher_limit)
10060 {
10061 	memset(settings, 0, sizeof(*settings));
10062 
10063 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10064 
10065 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10066 		u16 proto;
10067 
10068 		proto = nla_get_u16(
10069 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10070 		settings->control_port_ethertype = cpu_to_be16(proto);
10071 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10072 		    proto != ETH_P_PAE)
10073 			return -EINVAL;
10074 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10075 			settings->control_port_no_encrypt = true;
10076 	} else
10077 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10078 
10079 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10080 		int r = validate_pae_over_nl80211(rdev, info);
10081 
10082 		if (r < 0)
10083 			return r;
10084 
10085 		settings->control_port_over_nl80211 = true;
10086 
10087 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10088 			settings->control_port_no_preauth = true;
10089 	}
10090 
10091 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10092 		void *data;
10093 		int len, i;
10094 
10095 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10096 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10097 		settings->n_ciphers_pairwise = len / sizeof(u32);
10098 
10099 		if (len % sizeof(u32))
10100 			return -EINVAL;
10101 
10102 		if (settings->n_ciphers_pairwise > cipher_limit)
10103 			return -EINVAL;
10104 
10105 		memcpy(settings->ciphers_pairwise, data, len);
10106 
10107 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10108 			if (!cfg80211_supported_cipher_suite(
10109 					&rdev->wiphy,
10110 					settings->ciphers_pairwise[i]))
10111 				return -EINVAL;
10112 	}
10113 
10114 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10115 		settings->cipher_group =
10116 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10117 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10118 						     settings->cipher_group))
10119 			return -EINVAL;
10120 	}
10121 
10122 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10123 		settings->wpa_versions =
10124 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10125 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10126 			return -EINVAL;
10127 	}
10128 
10129 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10130 		void *data;
10131 		int len;
10132 
10133 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10134 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10135 		settings->n_akm_suites = len / sizeof(u32);
10136 
10137 		if (len % sizeof(u32))
10138 			return -EINVAL;
10139 
10140 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10141 			return -EINVAL;
10142 
10143 		memcpy(settings->akm_suites, data, len);
10144 	}
10145 
10146 	if (info->attrs[NL80211_ATTR_PMK]) {
10147 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10148 			return -EINVAL;
10149 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10150 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10151 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10152 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10153 			return -EINVAL;
10154 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10155 	}
10156 
10157 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10158 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10159 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10160 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10161 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10162 			return -EINVAL;
10163 		settings->sae_pwd =
10164 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10165 		settings->sae_pwd_len =
10166 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10167 	}
10168 
10169 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10170 		settings->sae_pwe =
10171 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10172 	else
10173 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10174 
10175 	return 0;
10176 }
10177 
10178 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10179 {
10180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10181 	struct net_device *dev = info->user_ptr[1];
10182 	struct ieee80211_channel *chan;
10183 	struct cfg80211_assoc_request req = {};
10184 	const u8 *bssid, *ssid;
10185 	int err, ssid_len = 0;
10186 	u32 freq;
10187 
10188 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10189 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10190 		return -EPERM;
10191 
10192 	if (!info->attrs[NL80211_ATTR_MAC] ||
10193 	    !info->attrs[NL80211_ATTR_SSID] ||
10194 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10195 		return -EINVAL;
10196 
10197 	if (!rdev->ops->assoc)
10198 		return -EOPNOTSUPP;
10199 
10200 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10201 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10202 		return -EOPNOTSUPP;
10203 
10204 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10205 
10206 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10207 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10208 		freq +=
10209 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10210 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10211 	if (!chan)
10212 		return -EINVAL;
10213 
10214 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10215 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10216 
10217 	if (info->attrs[NL80211_ATTR_IE]) {
10218 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10219 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10220 	}
10221 
10222 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10223 		enum nl80211_mfp mfp =
10224 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10225 		if (mfp == NL80211_MFP_REQUIRED)
10226 			req.use_mfp = true;
10227 		else if (mfp != NL80211_MFP_NO)
10228 			return -EINVAL;
10229 	}
10230 
10231 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10232 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10233 
10234 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10235 		req.flags |= ASSOC_REQ_DISABLE_HT;
10236 
10237 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10238 		memcpy(&req.ht_capa_mask,
10239 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10240 		       sizeof(req.ht_capa_mask));
10241 
10242 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10243 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10244 			return -EINVAL;
10245 		memcpy(&req.ht_capa,
10246 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10247 		       sizeof(req.ht_capa));
10248 	}
10249 
10250 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10251 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10252 
10253 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10254 		req.flags |= ASSOC_REQ_DISABLE_HE;
10255 
10256 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10257 		memcpy(&req.vht_capa_mask,
10258 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10259 		       sizeof(req.vht_capa_mask));
10260 
10261 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10262 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10263 			return -EINVAL;
10264 		memcpy(&req.vht_capa,
10265 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10266 		       sizeof(req.vht_capa));
10267 	}
10268 
10269 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10270 		if (!((rdev->wiphy.features &
10271 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10272 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10273 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10274 					     NL80211_EXT_FEATURE_RRM))
10275 			return -EINVAL;
10276 		req.flags |= ASSOC_REQ_USE_RRM;
10277 	}
10278 
10279 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10280 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10281 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10282 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10283 			return -EINVAL;
10284 		req.fils_nonces =
10285 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10286 	}
10287 
10288 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10289 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10290 			return -EINVAL;
10291 		memcpy(&req.s1g_capa_mask,
10292 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10293 		       sizeof(req.s1g_capa_mask));
10294 	}
10295 
10296 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10297 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10298 			return -EINVAL;
10299 		memcpy(&req.s1g_capa,
10300 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10301 		       sizeof(req.s1g_capa));
10302 	}
10303 
10304 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10305 	if (!err) {
10306 		wdev_lock(dev->ieee80211_ptr);
10307 
10308 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10309 					  ssid, ssid_len, &req);
10310 
10311 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10312 			dev->ieee80211_ptr->conn_owner_nlportid =
10313 				info->snd_portid;
10314 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10315 			       bssid, ETH_ALEN);
10316 		}
10317 
10318 		wdev_unlock(dev->ieee80211_ptr);
10319 	}
10320 
10321 	return err;
10322 }
10323 
10324 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10325 {
10326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10327 	struct net_device *dev = info->user_ptr[1];
10328 	const u8 *ie = NULL, *bssid;
10329 	int ie_len = 0, err;
10330 	u16 reason_code;
10331 	bool local_state_change;
10332 
10333 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10334 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10335 		return -EPERM;
10336 
10337 	if (!info->attrs[NL80211_ATTR_MAC])
10338 		return -EINVAL;
10339 
10340 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10341 		return -EINVAL;
10342 
10343 	if (!rdev->ops->deauth)
10344 		return -EOPNOTSUPP;
10345 
10346 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10347 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10348 		return -EOPNOTSUPP;
10349 
10350 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10351 
10352 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10353 	if (reason_code == 0) {
10354 		/* Reason Code 0 is reserved */
10355 		return -EINVAL;
10356 	}
10357 
10358 	if (info->attrs[NL80211_ATTR_IE]) {
10359 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10360 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10361 	}
10362 
10363 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10364 
10365 	wdev_lock(dev->ieee80211_ptr);
10366 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10367 				   local_state_change);
10368 	wdev_unlock(dev->ieee80211_ptr);
10369 	return err;
10370 }
10371 
10372 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10373 {
10374 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10375 	struct net_device *dev = info->user_ptr[1];
10376 	const u8 *ie = NULL, *bssid;
10377 	int ie_len = 0, err;
10378 	u16 reason_code;
10379 	bool local_state_change;
10380 
10381 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10382 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10383 		return -EPERM;
10384 
10385 	if (!info->attrs[NL80211_ATTR_MAC])
10386 		return -EINVAL;
10387 
10388 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10389 		return -EINVAL;
10390 
10391 	if (!rdev->ops->disassoc)
10392 		return -EOPNOTSUPP;
10393 
10394 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10395 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10396 		return -EOPNOTSUPP;
10397 
10398 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10399 
10400 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10401 	if (reason_code == 0) {
10402 		/* Reason Code 0 is reserved */
10403 		return -EINVAL;
10404 	}
10405 
10406 	if (info->attrs[NL80211_ATTR_IE]) {
10407 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10408 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10409 	}
10410 
10411 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10412 
10413 	wdev_lock(dev->ieee80211_ptr);
10414 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10415 				     local_state_change);
10416 	wdev_unlock(dev->ieee80211_ptr);
10417 	return err;
10418 }
10419 
10420 static bool
10421 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10422 			 int mcast_rate[NUM_NL80211_BANDS],
10423 			 int rateval)
10424 {
10425 	struct wiphy *wiphy = &rdev->wiphy;
10426 	bool found = false;
10427 	int band, i;
10428 
10429 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10430 		struct ieee80211_supported_band *sband;
10431 
10432 		sband = wiphy->bands[band];
10433 		if (!sband)
10434 			continue;
10435 
10436 		for (i = 0; i < sband->n_bitrates; i++) {
10437 			if (sband->bitrates[i].bitrate == rateval) {
10438 				mcast_rate[band] = i + 1;
10439 				found = true;
10440 				break;
10441 			}
10442 		}
10443 	}
10444 
10445 	return found;
10446 }
10447 
10448 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10449 {
10450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10451 	struct net_device *dev = info->user_ptr[1];
10452 	struct cfg80211_ibss_params ibss;
10453 	struct wiphy *wiphy;
10454 	struct cfg80211_cached_keys *connkeys = NULL;
10455 	int err;
10456 
10457 	memset(&ibss, 0, sizeof(ibss));
10458 
10459 	if (!info->attrs[NL80211_ATTR_SSID] ||
10460 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10461 		return -EINVAL;
10462 
10463 	ibss.beacon_interval = 100;
10464 
10465 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10466 		ibss.beacon_interval =
10467 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10468 
10469 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10470 					   ibss.beacon_interval);
10471 	if (err)
10472 		return err;
10473 
10474 	if (!rdev->ops->join_ibss)
10475 		return -EOPNOTSUPP;
10476 
10477 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10478 		return -EOPNOTSUPP;
10479 
10480 	wiphy = &rdev->wiphy;
10481 
10482 	if (info->attrs[NL80211_ATTR_MAC]) {
10483 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10484 
10485 		if (!is_valid_ether_addr(ibss.bssid))
10486 			return -EINVAL;
10487 	}
10488 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10489 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10490 
10491 	if (info->attrs[NL80211_ATTR_IE]) {
10492 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10493 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10494 	}
10495 
10496 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10497 	if (err)
10498 		return err;
10499 
10500 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10501 				     NL80211_IFTYPE_ADHOC))
10502 		return -EINVAL;
10503 
10504 	switch (ibss.chandef.width) {
10505 	case NL80211_CHAN_WIDTH_5:
10506 	case NL80211_CHAN_WIDTH_10:
10507 	case NL80211_CHAN_WIDTH_20_NOHT:
10508 		break;
10509 	case NL80211_CHAN_WIDTH_20:
10510 	case NL80211_CHAN_WIDTH_40:
10511 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10512 			return -EINVAL;
10513 		break;
10514 	case NL80211_CHAN_WIDTH_80:
10515 	case NL80211_CHAN_WIDTH_80P80:
10516 	case NL80211_CHAN_WIDTH_160:
10517 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10518 			return -EINVAL;
10519 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10520 					     NL80211_EXT_FEATURE_VHT_IBSS))
10521 			return -EINVAL;
10522 		break;
10523 	default:
10524 		return -EINVAL;
10525 	}
10526 
10527 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10528 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10529 
10530 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10531 		u8 *rates =
10532 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10533 		int n_rates =
10534 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10535 		struct ieee80211_supported_band *sband =
10536 			wiphy->bands[ibss.chandef.chan->band];
10537 
10538 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10539 					     &ibss.basic_rates);
10540 		if (err)
10541 			return err;
10542 	}
10543 
10544 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10545 		memcpy(&ibss.ht_capa_mask,
10546 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10547 		       sizeof(ibss.ht_capa_mask));
10548 
10549 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10550 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10551 			return -EINVAL;
10552 		memcpy(&ibss.ht_capa,
10553 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10554 		       sizeof(ibss.ht_capa));
10555 	}
10556 
10557 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10558 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10559 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10560 		return -EINVAL;
10561 
10562 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10563 		bool no_ht = false;
10564 
10565 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10566 		if (IS_ERR(connkeys))
10567 			return PTR_ERR(connkeys);
10568 
10569 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10570 		    no_ht) {
10571 			kfree_sensitive(connkeys);
10572 			return -EINVAL;
10573 		}
10574 	}
10575 
10576 	ibss.control_port =
10577 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10578 
10579 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10580 		int r = validate_pae_over_nl80211(rdev, info);
10581 
10582 		if (r < 0) {
10583 			kfree_sensitive(connkeys);
10584 			return r;
10585 		}
10586 
10587 		ibss.control_port_over_nl80211 = true;
10588 	}
10589 
10590 	ibss.userspace_handles_dfs =
10591 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10592 
10593 	wdev_lock(dev->ieee80211_ptr);
10594 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10595 	if (err)
10596 		kfree_sensitive(connkeys);
10597 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10598 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10599 	wdev_unlock(dev->ieee80211_ptr);
10600 
10601 	return err;
10602 }
10603 
10604 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10605 {
10606 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10607 	struct net_device *dev = info->user_ptr[1];
10608 
10609 	if (!rdev->ops->leave_ibss)
10610 		return -EOPNOTSUPP;
10611 
10612 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10613 		return -EOPNOTSUPP;
10614 
10615 	return cfg80211_leave_ibss(rdev, dev, false);
10616 }
10617 
10618 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10619 {
10620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10621 	struct net_device *dev = info->user_ptr[1];
10622 	int mcast_rate[NUM_NL80211_BANDS];
10623 	u32 nla_rate;
10624 	int err;
10625 
10626 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10627 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10628 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10629 		return -EOPNOTSUPP;
10630 
10631 	if (!rdev->ops->set_mcast_rate)
10632 		return -EOPNOTSUPP;
10633 
10634 	memset(mcast_rate, 0, sizeof(mcast_rate));
10635 
10636 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10637 		return -EINVAL;
10638 
10639 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10640 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10641 		return -EINVAL;
10642 
10643 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10644 
10645 	return err;
10646 }
10647 
10648 static struct sk_buff *
10649 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10650 			    struct wireless_dev *wdev, int approxlen,
10651 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10652 			    enum nl80211_attrs attr,
10653 			    const struct nl80211_vendor_cmd_info *info,
10654 			    gfp_t gfp)
10655 {
10656 	struct sk_buff *skb;
10657 	void *hdr;
10658 	struct nlattr *data;
10659 
10660 	skb = nlmsg_new(approxlen + 100, gfp);
10661 	if (!skb)
10662 		return NULL;
10663 
10664 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10665 	if (!hdr) {
10666 		kfree_skb(skb);
10667 		return NULL;
10668 	}
10669 
10670 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10671 		goto nla_put_failure;
10672 
10673 	if (info) {
10674 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10675 				info->vendor_id))
10676 			goto nla_put_failure;
10677 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10678 				info->subcmd))
10679 			goto nla_put_failure;
10680 	}
10681 
10682 	if (wdev) {
10683 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10684 				      wdev_id(wdev), NL80211_ATTR_PAD))
10685 			goto nla_put_failure;
10686 		if (wdev->netdev &&
10687 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10688 				wdev->netdev->ifindex))
10689 			goto nla_put_failure;
10690 	}
10691 
10692 	data = nla_nest_start_noflag(skb, attr);
10693 	if (!data)
10694 		goto nla_put_failure;
10695 
10696 	((void **)skb->cb)[0] = rdev;
10697 	((void **)skb->cb)[1] = hdr;
10698 	((void **)skb->cb)[2] = data;
10699 
10700 	return skb;
10701 
10702  nla_put_failure:
10703 	kfree_skb(skb);
10704 	return NULL;
10705 }
10706 
10707 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10708 					   struct wireless_dev *wdev,
10709 					   enum nl80211_commands cmd,
10710 					   enum nl80211_attrs attr,
10711 					   unsigned int portid,
10712 					   int vendor_event_idx,
10713 					   int approxlen, gfp_t gfp)
10714 {
10715 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10716 	const struct nl80211_vendor_cmd_info *info;
10717 
10718 	switch (cmd) {
10719 	case NL80211_CMD_TESTMODE:
10720 		if (WARN_ON(vendor_event_idx != -1))
10721 			return NULL;
10722 		info = NULL;
10723 		break;
10724 	case NL80211_CMD_VENDOR:
10725 		if (WARN_ON(vendor_event_idx < 0 ||
10726 			    vendor_event_idx >= wiphy->n_vendor_events))
10727 			return NULL;
10728 		info = &wiphy->vendor_events[vendor_event_idx];
10729 		break;
10730 	default:
10731 		WARN_ON(1);
10732 		return NULL;
10733 	}
10734 
10735 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10736 					   cmd, attr, info, gfp);
10737 }
10738 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10739 
10740 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10741 {
10742 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10743 	void *hdr = ((void **)skb->cb)[1];
10744 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10745 	struct nlattr *data = ((void **)skb->cb)[2];
10746 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10747 
10748 	/* clear CB data for netlink core to own from now on */
10749 	memset(skb->cb, 0, sizeof(skb->cb));
10750 
10751 	nla_nest_end(skb, data);
10752 	genlmsg_end(skb, hdr);
10753 
10754 	if (nlhdr->nlmsg_pid) {
10755 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10756 				nlhdr->nlmsg_pid);
10757 	} else {
10758 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10759 			mcgrp = NL80211_MCGRP_VENDOR;
10760 
10761 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10762 					skb, 0, mcgrp, gfp);
10763 	}
10764 }
10765 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10766 
10767 #ifdef CONFIG_NL80211_TESTMODE
10768 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10769 {
10770 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10771 	struct wireless_dev *wdev;
10772 	int err;
10773 
10774 	lockdep_assert_held(&rdev->wiphy.mtx);
10775 
10776 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10777 					  info->attrs);
10778 
10779 	if (!rdev->ops->testmode_cmd)
10780 		return -EOPNOTSUPP;
10781 
10782 	if (IS_ERR(wdev)) {
10783 		err = PTR_ERR(wdev);
10784 		if (err != -EINVAL)
10785 			return err;
10786 		wdev = NULL;
10787 	} else if (wdev->wiphy != &rdev->wiphy) {
10788 		return -EINVAL;
10789 	}
10790 
10791 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10792 		return -EINVAL;
10793 
10794 	rdev->cur_cmd_info = info;
10795 	err = rdev_testmode_cmd(rdev, wdev,
10796 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10797 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10798 	rdev->cur_cmd_info = NULL;
10799 
10800 	return err;
10801 }
10802 
10803 static int nl80211_testmode_dump(struct sk_buff *skb,
10804 				 struct netlink_callback *cb)
10805 {
10806 	struct cfg80211_registered_device *rdev;
10807 	struct nlattr **attrbuf = NULL;
10808 	int err;
10809 	long phy_idx;
10810 	void *data = NULL;
10811 	int data_len = 0;
10812 
10813 	rtnl_lock();
10814 
10815 	if (cb->args[0]) {
10816 		/*
10817 		 * 0 is a valid index, but not valid for args[0],
10818 		 * so we need to offset by 1.
10819 		 */
10820 		phy_idx = cb->args[0] - 1;
10821 
10822 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10823 		if (!rdev) {
10824 			err = -ENOENT;
10825 			goto out_err;
10826 		}
10827 	} else {
10828 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10829 				  GFP_KERNEL);
10830 		if (!attrbuf) {
10831 			err = -ENOMEM;
10832 			goto out_err;
10833 		}
10834 
10835 		err = nlmsg_parse_deprecated(cb->nlh,
10836 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10837 					     attrbuf, nl80211_fam.maxattr,
10838 					     nl80211_policy, NULL);
10839 		if (err)
10840 			goto out_err;
10841 
10842 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10843 		if (IS_ERR(rdev)) {
10844 			err = PTR_ERR(rdev);
10845 			goto out_err;
10846 		}
10847 		phy_idx = rdev->wiphy_idx;
10848 
10849 		if (attrbuf[NL80211_ATTR_TESTDATA])
10850 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10851 	}
10852 
10853 	if (cb->args[1]) {
10854 		data = nla_data((void *)cb->args[1]);
10855 		data_len = nla_len((void *)cb->args[1]);
10856 	}
10857 
10858 	if (!rdev->ops->testmode_dump) {
10859 		err = -EOPNOTSUPP;
10860 		goto out_err;
10861 	}
10862 
10863 	while (1) {
10864 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10865 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10866 					   NL80211_CMD_TESTMODE);
10867 		struct nlattr *tmdata;
10868 
10869 		if (!hdr)
10870 			break;
10871 
10872 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10873 			genlmsg_cancel(skb, hdr);
10874 			break;
10875 		}
10876 
10877 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10878 		if (!tmdata) {
10879 			genlmsg_cancel(skb, hdr);
10880 			break;
10881 		}
10882 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10883 		nla_nest_end(skb, tmdata);
10884 
10885 		if (err == -ENOBUFS || err == -ENOENT) {
10886 			genlmsg_cancel(skb, hdr);
10887 			break;
10888 		} else if (err) {
10889 			genlmsg_cancel(skb, hdr);
10890 			goto out_err;
10891 		}
10892 
10893 		genlmsg_end(skb, hdr);
10894 	}
10895 
10896 	err = skb->len;
10897 	/* see above */
10898 	cb->args[0] = phy_idx + 1;
10899  out_err:
10900 	kfree(attrbuf);
10901 	rtnl_unlock();
10902 	return err;
10903 }
10904 #endif
10905 
10906 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10907 {
10908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10909 	struct net_device *dev = info->user_ptr[1];
10910 	struct cfg80211_connect_params connect;
10911 	struct wiphy *wiphy;
10912 	struct cfg80211_cached_keys *connkeys = NULL;
10913 	u32 freq = 0;
10914 	int err;
10915 
10916 	memset(&connect, 0, sizeof(connect));
10917 
10918 	if (!info->attrs[NL80211_ATTR_SSID] ||
10919 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10920 		return -EINVAL;
10921 
10922 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10923 		connect.auth_type =
10924 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10925 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10926 					     NL80211_CMD_CONNECT))
10927 			return -EINVAL;
10928 	} else
10929 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10930 
10931 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10932 
10933 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10934 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10935 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10936 		return -EINVAL;
10937 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10938 
10939 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10940 				      NL80211_MAX_NR_CIPHER_SUITES);
10941 	if (err)
10942 		return err;
10943 
10944 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10945 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10946 		return -EOPNOTSUPP;
10947 
10948 	wiphy = &rdev->wiphy;
10949 
10950 	connect.bg_scan_period = -1;
10951 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10952 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10953 		connect.bg_scan_period =
10954 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10955 	}
10956 
10957 	if (info->attrs[NL80211_ATTR_MAC])
10958 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10959 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10960 		connect.bssid_hint =
10961 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10962 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10963 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10964 
10965 	if (info->attrs[NL80211_ATTR_IE]) {
10966 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10967 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10968 	}
10969 
10970 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10971 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10972 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10973 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10974 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10975 			return -EOPNOTSUPP;
10976 	} else {
10977 		connect.mfp = NL80211_MFP_NO;
10978 	}
10979 
10980 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10981 		connect.prev_bssid =
10982 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10983 
10984 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10985 		freq = MHZ_TO_KHZ(nla_get_u32(
10986 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10987 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10988 		freq +=
10989 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10990 
10991 	if (freq) {
10992 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10993 		if (!connect.channel)
10994 			return -EINVAL;
10995 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10996 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10997 		freq = MHZ_TO_KHZ(freq);
10998 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10999 		if (!connect.channel_hint)
11000 			return -EINVAL;
11001 	}
11002 
11003 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11004 		connect.edmg.channels =
11005 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11006 
11007 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11008 			connect.edmg.bw_config =
11009 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11010 	}
11011 
11012 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11013 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11014 		if (IS_ERR(connkeys))
11015 			return PTR_ERR(connkeys);
11016 	}
11017 
11018 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11019 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11020 
11021 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11022 		memcpy(&connect.ht_capa_mask,
11023 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11024 		       sizeof(connect.ht_capa_mask));
11025 
11026 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11027 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11028 			kfree_sensitive(connkeys);
11029 			return -EINVAL;
11030 		}
11031 		memcpy(&connect.ht_capa,
11032 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11033 		       sizeof(connect.ht_capa));
11034 	}
11035 
11036 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11037 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11038 
11039 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11040 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11041 
11042 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11043 		memcpy(&connect.vht_capa_mask,
11044 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11045 		       sizeof(connect.vht_capa_mask));
11046 
11047 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11048 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11049 			kfree_sensitive(connkeys);
11050 			return -EINVAL;
11051 		}
11052 		memcpy(&connect.vht_capa,
11053 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11054 		       sizeof(connect.vht_capa));
11055 	}
11056 
11057 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11058 		if (!((rdev->wiphy.features &
11059 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11060 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11061 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11062 					     NL80211_EXT_FEATURE_RRM)) {
11063 			kfree_sensitive(connkeys);
11064 			return -EINVAL;
11065 		}
11066 		connect.flags |= ASSOC_REQ_USE_RRM;
11067 	}
11068 
11069 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11070 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11071 		kfree_sensitive(connkeys);
11072 		return -EOPNOTSUPP;
11073 	}
11074 
11075 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11076 		/* bss selection makes no sense if bssid is set */
11077 		if (connect.bssid) {
11078 			kfree_sensitive(connkeys);
11079 			return -EINVAL;
11080 		}
11081 
11082 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11083 				       wiphy, &connect.bss_select);
11084 		if (err) {
11085 			kfree_sensitive(connkeys);
11086 			return err;
11087 		}
11088 	}
11089 
11090 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11091 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11092 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11093 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11094 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11095 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11096 		connect.fils_erp_username =
11097 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11098 		connect.fils_erp_username_len =
11099 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11100 		connect.fils_erp_realm =
11101 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11102 		connect.fils_erp_realm_len =
11103 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11104 		connect.fils_erp_next_seq_num =
11105 			nla_get_u16(
11106 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11107 		connect.fils_erp_rrk =
11108 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11109 		connect.fils_erp_rrk_len =
11110 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11111 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11112 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11113 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11114 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11115 		kfree_sensitive(connkeys);
11116 		return -EINVAL;
11117 	}
11118 
11119 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11120 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11121 			kfree_sensitive(connkeys);
11122 			GENL_SET_ERR_MSG(info,
11123 					 "external auth requires connection ownership");
11124 			return -EINVAL;
11125 		}
11126 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11127 	}
11128 
11129 	wdev_lock(dev->ieee80211_ptr);
11130 
11131 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11132 			       connect.prev_bssid);
11133 	if (err)
11134 		kfree_sensitive(connkeys);
11135 
11136 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11137 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11138 		if (connect.bssid)
11139 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11140 			       connect.bssid, ETH_ALEN);
11141 		else
11142 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11143 	}
11144 
11145 	wdev_unlock(dev->ieee80211_ptr);
11146 
11147 	return err;
11148 }
11149 
11150 static int nl80211_update_connect_params(struct sk_buff *skb,
11151 					 struct genl_info *info)
11152 {
11153 	struct cfg80211_connect_params connect = {};
11154 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11155 	struct net_device *dev = info->user_ptr[1];
11156 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11157 	bool fils_sk_offload;
11158 	u32 auth_type;
11159 	u32 changed = 0;
11160 	int ret;
11161 
11162 	if (!rdev->ops->update_connect_params)
11163 		return -EOPNOTSUPP;
11164 
11165 	if (info->attrs[NL80211_ATTR_IE]) {
11166 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11167 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11168 		changed |= UPDATE_ASSOC_IES;
11169 	}
11170 
11171 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11172 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11173 
11174 	/*
11175 	 * when driver supports fils-sk offload all attributes must be
11176 	 * provided. So the else covers "fils-sk-not-all" and
11177 	 * "no-fils-sk-any".
11178 	 */
11179 	if (fils_sk_offload &&
11180 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11181 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11182 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11183 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11184 		connect.fils_erp_username =
11185 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11186 		connect.fils_erp_username_len =
11187 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11188 		connect.fils_erp_realm =
11189 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11190 		connect.fils_erp_realm_len =
11191 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11192 		connect.fils_erp_next_seq_num =
11193 			nla_get_u16(
11194 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11195 		connect.fils_erp_rrk =
11196 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11197 		connect.fils_erp_rrk_len =
11198 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11199 		changed |= UPDATE_FILS_ERP_INFO;
11200 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11201 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11202 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11203 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11204 		return -EINVAL;
11205 	}
11206 
11207 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11208 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11209 		if (!nl80211_valid_auth_type(rdev, auth_type,
11210 					     NL80211_CMD_CONNECT))
11211 			return -EINVAL;
11212 
11213 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11214 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11215 			return -EINVAL;
11216 
11217 		connect.auth_type = auth_type;
11218 		changed |= UPDATE_AUTH_TYPE;
11219 	}
11220 
11221 	wdev_lock(dev->ieee80211_ptr);
11222 	if (!wdev->current_bss)
11223 		ret = -ENOLINK;
11224 	else
11225 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11226 	wdev_unlock(dev->ieee80211_ptr);
11227 
11228 	return ret;
11229 }
11230 
11231 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11232 {
11233 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11234 	struct net_device *dev = info->user_ptr[1];
11235 	u16 reason;
11236 	int ret;
11237 
11238 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11239 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11240 		return -EPERM;
11241 
11242 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11243 		reason = WLAN_REASON_DEAUTH_LEAVING;
11244 	else
11245 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11246 
11247 	if (reason == 0)
11248 		return -EINVAL;
11249 
11250 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11251 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11252 		return -EOPNOTSUPP;
11253 
11254 	wdev_lock(dev->ieee80211_ptr);
11255 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11256 	wdev_unlock(dev->ieee80211_ptr);
11257 	return ret;
11258 }
11259 
11260 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11261 {
11262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11263 	struct net *net;
11264 	int err;
11265 
11266 	if (info->attrs[NL80211_ATTR_PID]) {
11267 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11268 
11269 		net = get_net_ns_by_pid(pid);
11270 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11271 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11272 
11273 		net = get_net_ns_by_fd(fd);
11274 	} else {
11275 		return -EINVAL;
11276 	}
11277 
11278 	if (IS_ERR(net))
11279 		return PTR_ERR(net);
11280 
11281 	err = 0;
11282 
11283 	/* check if anything to do */
11284 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11285 		err = cfg80211_switch_netns(rdev, net);
11286 
11287 	put_net(net);
11288 	return err;
11289 }
11290 
11291 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11292 {
11293 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11294 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11295 			struct cfg80211_pmksa *pmksa) = NULL;
11296 	struct net_device *dev = info->user_ptr[1];
11297 	struct cfg80211_pmksa pmksa;
11298 
11299 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11300 
11301 	if (!info->attrs[NL80211_ATTR_PMKID])
11302 		return -EINVAL;
11303 
11304 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11305 
11306 	if (info->attrs[NL80211_ATTR_MAC]) {
11307 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11308 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11309 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11310 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11311 		    info->attrs[NL80211_ATTR_PMK])) {
11312 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11313 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11314 		pmksa.cache_id =
11315 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11316 	} else {
11317 		return -EINVAL;
11318 	}
11319 	if (info->attrs[NL80211_ATTR_PMK]) {
11320 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11321 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11322 	}
11323 
11324 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11325 		pmksa.pmk_lifetime =
11326 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11327 
11328 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11329 		pmksa.pmk_reauth_threshold =
11330 			nla_get_u8(
11331 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11332 
11333 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11334 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11335 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11336 	      wiphy_ext_feature_isset(&rdev->wiphy,
11337 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11338 		return -EOPNOTSUPP;
11339 
11340 	switch (info->genlhdr->cmd) {
11341 	case NL80211_CMD_SET_PMKSA:
11342 		rdev_ops = rdev->ops->set_pmksa;
11343 		break;
11344 	case NL80211_CMD_DEL_PMKSA:
11345 		rdev_ops = rdev->ops->del_pmksa;
11346 		break;
11347 	default:
11348 		WARN_ON(1);
11349 		break;
11350 	}
11351 
11352 	if (!rdev_ops)
11353 		return -EOPNOTSUPP;
11354 
11355 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11356 }
11357 
11358 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11359 {
11360 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11361 	struct net_device *dev = info->user_ptr[1];
11362 
11363 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11364 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11365 		return -EOPNOTSUPP;
11366 
11367 	if (!rdev->ops->flush_pmksa)
11368 		return -EOPNOTSUPP;
11369 
11370 	return rdev_flush_pmksa(rdev, dev);
11371 }
11372 
11373 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11374 {
11375 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11376 	struct net_device *dev = info->user_ptr[1];
11377 	u8 action_code, dialog_token;
11378 	u32 peer_capability = 0;
11379 	u16 status_code;
11380 	u8 *peer;
11381 	bool initiator;
11382 
11383 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11384 	    !rdev->ops->tdls_mgmt)
11385 		return -EOPNOTSUPP;
11386 
11387 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11388 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11389 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11390 	    !info->attrs[NL80211_ATTR_IE] ||
11391 	    !info->attrs[NL80211_ATTR_MAC])
11392 		return -EINVAL;
11393 
11394 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11395 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11396 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11397 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11398 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11399 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11400 		peer_capability =
11401 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11402 
11403 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11404 			      dialog_token, status_code, peer_capability,
11405 			      initiator,
11406 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11407 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11408 }
11409 
11410 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11411 {
11412 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11413 	struct net_device *dev = info->user_ptr[1];
11414 	enum nl80211_tdls_operation operation;
11415 	u8 *peer;
11416 
11417 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11418 	    !rdev->ops->tdls_oper)
11419 		return -EOPNOTSUPP;
11420 
11421 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11422 	    !info->attrs[NL80211_ATTR_MAC])
11423 		return -EINVAL;
11424 
11425 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11426 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11427 
11428 	return rdev_tdls_oper(rdev, dev, peer, operation);
11429 }
11430 
11431 static int nl80211_remain_on_channel(struct sk_buff *skb,
11432 				     struct genl_info *info)
11433 {
11434 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11435 	struct wireless_dev *wdev = info->user_ptr[1];
11436 	struct cfg80211_chan_def chandef;
11437 	const struct cfg80211_chan_def *compat_chandef;
11438 	struct sk_buff *msg;
11439 	void *hdr;
11440 	u64 cookie;
11441 	u32 duration;
11442 	int err;
11443 
11444 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11445 	    !info->attrs[NL80211_ATTR_DURATION])
11446 		return -EINVAL;
11447 
11448 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11449 
11450 	if (!rdev->ops->remain_on_channel ||
11451 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11452 		return -EOPNOTSUPP;
11453 
11454 	/*
11455 	 * We should be on that channel for at least a minimum amount of
11456 	 * time (10ms) but no longer than the driver supports.
11457 	 */
11458 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11459 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11460 		return -EINVAL;
11461 
11462 	err = nl80211_parse_chandef(rdev, info, &chandef);
11463 	if (err)
11464 		return err;
11465 
11466 	wdev_lock(wdev);
11467 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11468 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11469 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11470 							     &chandef);
11471 		if (compat_chandef != &chandef) {
11472 			wdev_unlock(wdev);
11473 			return -EBUSY;
11474 		}
11475 	}
11476 	wdev_unlock(wdev);
11477 
11478 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11479 	if (!msg)
11480 		return -ENOMEM;
11481 
11482 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11483 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11484 	if (!hdr) {
11485 		err = -ENOBUFS;
11486 		goto free_msg;
11487 	}
11488 
11489 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11490 				     duration, &cookie);
11491 
11492 	if (err)
11493 		goto free_msg;
11494 
11495 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11496 			      NL80211_ATTR_PAD))
11497 		goto nla_put_failure;
11498 
11499 	genlmsg_end(msg, hdr);
11500 
11501 	return genlmsg_reply(msg, info);
11502 
11503  nla_put_failure:
11504 	err = -ENOBUFS;
11505  free_msg:
11506 	nlmsg_free(msg);
11507 	return err;
11508 }
11509 
11510 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11511 					    struct genl_info *info)
11512 {
11513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11514 	struct wireless_dev *wdev = info->user_ptr[1];
11515 	u64 cookie;
11516 
11517 	if (!info->attrs[NL80211_ATTR_COOKIE])
11518 		return -EINVAL;
11519 
11520 	if (!rdev->ops->cancel_remain_on_channel)
11521 		return -EOPNOTSUPP;
11522 
11523 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11524 
11525 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11526 }
11527 
11528 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11529 				       struct genl_info *info)
11530 {
11531 	struct cfg80211_bitrate_mask mask;
11532 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11533 	struct net_device *dev = info->user_ptr[1];
11534 	int err;
11535 
11536 	if (!rdev->ops->set_bitrate_mask)
11537 		return -EOPNOTSUPP;
11538 
11539 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11540 					    NL80211_ATTR_TX_RATES, &mask,
11541 					    dev, true);
11542 	if (err)
11543 		return err;
11544 
11545 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11546 }
11547 
11548 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11549 {
11550 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11551 	struct wireless_dev *wdev = info->user_ptr[1];
11552 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11553 
11554 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11555 		return -EINVAL;
11556 
11557 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11558 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11559 
11560 	switch (wdev->iftype) {
11561 	case NL80211_IFTYPE_STATION:
11562 	case NL80211_IFTYPE_ADHOC:
11563 	case NL80211_IFTYPE_P2P_CLIENT:
11564 	case NL80211_IFTYPE_AP:
11565 	case NL80211_IFTYPE_AP_VLAN:
11566 	case NL80211_IFTYPE_MESH_POINT:
11567 	case NL80211_IFTYPE_P2P_GO:
11568 	case NL80211_IFTYPE_P2P_DEVICE:
11569 		break;
11570 	case NL80211_IFTYPE_NAN:
11571 	default:
11572 		return -EOPNOTSUPP;
11573 	}
11574 
11575 	/* not much point in registering if we can't reply */
11576 	if (!rdev->ops->mgmt_tx)
11577 		return -EOPNOTSUPP;
11578 
11579 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11580 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11581 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11582 		GENL_SET_ERR_MSG(info,
11583 				 "multicast RX registrations are not supported");
11584 		return -EOPNOTSUPP;
11585 	}
11586 
11587 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11588 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11589 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11590 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11591 					   info->extack);
11592 }
11593 
11594 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11595 {
11596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11597 	struct wireless_dev *wdev = info->user_ptr[1];
11598 	struct cfg80211_chan_def chandef;
11599 	int err;
11600 	void *hdr = NULL;
11601 	u64 cookie;
11602 	struct sk_buff *msg = NULL;
11603 	struct cfg80211_mgmt_tx_params params = {
11604 		.dont_wait_for_ack =
11605 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11606 	};
11607 
11608 	if (!info->attrs[NL80211_ATTR_FRAME])
11609 		return -EINVAL;
11610 
11611 	if (!rdev->ops->mgmt_tx)
11612 		return -EOPNOTSUPP;
11613 
11614 	switch (wdev->iftype) {
11615 	case NL80211_IFTYPE_P2P_DEVICE:
11616 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11617 			return -EINVAL;
11618 		break;
11619 	case NL80211_IFTYPE_STATION:
11620 	case NL80211_IFTYPE_ADHOC:
11621 	case NL80211_IFTYPE_P2P_CLIENT:
11622 	case NL80211_IFTYPE_AP:
11623 	case NL80211_IFTYPE_AP_VLAN:
11624 	case NL80211_IFTYPE_MESH_POINT:
11625 	case NL80211_IFTYPE_P2P_GO:
11626 		break;
11627 	case NL80211_IFTYPE_NAN:
11628 	default:
11629 		return -EOPNOTSUPP;
11630 	}
11631 
11632 	if (info->attrs[NL80211_ATTR_DURATION]) {
11633 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11634 			return -EINVAL;
11635 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11636 
11637 		/*
11638 		 * We should wait on the channel for at least a minimum amount
11639 		 * of time (10ms) but no longer than the driver supports.
11640 		 */
11641 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11642 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11643 			return -EINVAL;
11644 	}
11645 
11646 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11647 
11648 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11649 		return -EINVAL;
11650 
11651 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11652 
11653 	/* get the channel if any has been specified, otherwise pass NULL to
11654 	 * the driver. The latter will use the current one
11655 	 */
11656 	chandef.chan = NULL;
11657 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11658 		err = nl80211_parse_chandef(rdev, info, &chandef);
11659 		if (err)
11660 			return err;
11661 	}
11662 
11663 	if (!chandef.chan && params.offchan)
11664 		return -EINVAL;
11665 
11666 	wdev_lock(wdev);
11667 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11668 		wdev_unlock(wdev);
11669 		return -EBUSY;
11670 	}
11671 	wdev_unlock(wdev);
11672 
11673 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11674 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11675 
11676 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11677 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11678 		int i;
11679 
11680 		if (len % sizeof(u16))
11681 			return -EINVAL;
11682 
11683 		params.n_csa_offsets = len / sizeof(u16);
11684 		params.csa_offsets =
11685 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11686 
11687 		/* check that all the offsets fit the frame */
11688 		for (i = 0; i < params.n_csa_offsets; i++) {
11689 			if (params.csa_offsets[i] >= params.len)
11690 				return -EINVAL;
11691 		}
11692 	}
11693 
11694 	if (!params.dont_wait_for_ack) {
11695 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11696 		if (!msg)
11697 			return -ENOMEM;
11698 
11699 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11700 				     NL80211_CMD_FRAME);
11701 		if (!hdr) {
11702 			err = -ENOBUFS;
11703 			goto free_msg;
11704 		}
11705 	}
11706 
11707 	params.chan = chandef.chan;
11708 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11709 	if (err)
11710 		goto free_msg;
11711 
11712 	if (msg) {
11713 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11714 				      NL80211_ATTR_PAD))
11715 			goto nla_put_failure;
11716 
11717 		genlmsg_end(msg, hdr);
11718 		return genlmsg_reply(msg, info);
11719 	}
11720 
11721 	return 0;
11722 
11723  nla_put_failure:
11724 	err = -ENOBUFS;
11725  free_msg:
11726 	nlmsg_free(msg);
11727 	return err;
11728 }
11729 
11730 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11731 {
11732 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11733 	struct wireless_dev *wdev = info->user_ptr[1];
11734 	u64 cookie;
11735 
11736 	if (!info->attrs[NL80211_ATTR_COOKIE])
11737 		return -EINVAL;
11738 
11739 	if (!rdev->ops->mgmt_tx_cancel_wait)
11740 		return -EOPNOTSUPP;
11741 
11742 	switch (wdev->iftype) {
11743 	case NL80211_IFTYPE_STATION:
11744 	case NL80211_IFTYPE_ADHOC:
11745 	case NL80211_IFTYPE_P2P_CLIENT:
11746 	case NL80211_IFTYPE_AP:
11747 	case NL80211_IFTYPE_AP_VLAN:
11748 	case NL80211_IFTYPE_P2P_GO:
11749 	case NL80211_IFTYPE_P2P_DEVICE:
11750 		break;
11751 	case NL80211_IFTYPE_NAN:
11752 	default:
11753 		return -EOPNOTSUPP;
11754 	}
11755 
11756 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11757 
11758 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11759 }
11760 
11761 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11762 {
11763 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11764 	struct wireless_dev *wdev;
11765 	struct net_device *dev = info->user_ptr[1];
11766 	u8 ps_state;
11767 	bool state;
11768 	int err;
11769 
11770 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11771 		return -EINVAL;
11772 
11773 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11774 
11775 	wdev = dev->ieee80211_ptr;
11776 
11777 	if (!rdev->ops->set_power_mgmt)
11778 		return -EOPNOTSUPP;
11779 
11780 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11781 
11782 	if (state == wdev->ps)
11783 		return 0;
11784 
11785 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11786 	if (!err)
11787 		wdev->ps = state;
11788 	return err;
11789 }
11790 
11791 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11792 {
11793 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11794 	enum nl80211_ps_state ps_state;
11795 	struct wireless_dev *wdev;
11796 	struct net_device *dev = info->user_ptr[1];
11797 	struct sk_buff *msg;
11798 	void *hdr;
11799 	int err;
11800 
11801 	wdev = dev->ieee80211_ptr;
11802 
11803 	if (!rdev->ops->set_power_mgmt)
11804 		return -EOPNOTSUPP;
11805 
11806 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11807 	if (!msg)
11808 		return -ENOMEM;
11809 
11810 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11811 			     NL80211_CMD_GET_POWER_SAVE);
11812 	if (!hdr) {
11813 		err = -ENOBUFS;
11814 		goto free_msg;
11815 	}
11816 
11817 	if (wdev->ps)
11818 		ps_state = NL80211_PS_ENABLED;
11819 	else
11820 		ps_state = NL80211_PS_DISABLED;
11821 
11822 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11823 		goto nla_put_failure;
11824 
11825 	genlmsg_end(msg, hdr);
11826 	return genlmsg_reply(msg, info);
11827 
11828  nla_put_failure:
11829 	err = -ENOBUFS;
11830  free_msg:
11831 	nlmsg_free(msg);
11832 	return err;
11833 }
11834 
11835 static const struct nla_policy
11836 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11837 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11838 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11839 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11840 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11841 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11842 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11843 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11844 };
11845 
11846 static int nl80211_set_cqm_txe(struct genl_info *info,
11847 			       u32 rate, u32 pkts, u32 intvl)
11848 {
11849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11850 	struct net_device *dev = info->user_ptr[1];
11851 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11852 
11853 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11854 		return -EINVAL;
11855 
11856 	if (!rdev->ops->set_cqm_txe_config)
11857 		return -EOPNOTSUPP;
11858 
11859 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11860 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11861 		return -EOPNOTSUPP;
11862 
11863 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11864 }
11865 
11866 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11867 				    struct net_device *dev)
11868 {
11869 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11870 	s32 last, low, high;
11871 	u32 hyst;
11872 	int i, n, low_index;
11873 	int err;
11874 
11875 	/* RSSI reporting disabled? */
11876 	if (!wdev->cqm_config)
11877 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11878 
11879 	/*
11880 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11881 	 * event has been received yet, we should receive an event after a
11882 	 * connection is established and enough beacons received to calculate
11883 	 * the average.
11884 	 */
11885 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11886 	    rdev->ops->get_station) {
11887 		struct station_info sinfo = {};
11888 		u8 *mac_addr;
11889 
11890 		mac_addr = wdev->current_bss->pub.bssid;
11891 
11892 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11893 		if (err)
11894 			return err;
11895 
11896 		cfg80211_sinfo_release_content(&sinfo);
11897 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11898 			wdev->cqm_config->last_rssi_event_value =
11899 				(s8) sinfo.rx_beacon_signal_avg;
11900 	}
11901 
11902 	last = wdev->cqm_config->last_rssi_event_value;
11903 	hyst = wdev->cqm_config->rssi_hyst;
11904 	n = wdev->cqm_config->n_rssi_thresholds;
11905 
11906 	for (i = 0; i < n; i++) {
11907 		i = array_index_nospec(i, n);
11908 		if (last < wdev->cqm_config->rssi_thresholds[i])
11909 			break;
11910 	}
11911 
11912 	low_index = i - 1;
11913 	if (low_index >= 0) {
11914 		low_index = array_index_nospec(low_index, n);
11915 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11916 	} else {
11917 		low = S32_MIN;
11918 	}
11919 	if (i < n) {
11920 		i = array_index_nospec(i, n);
11921 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11922 	} else {
11923 		high = S32_MAX;
11924 	}
11925 
11926 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11927 }
11928 
11929 static int nl80211_set_cqm_rssi(struct genl_info *info,
11930 				const s32 *thresholds, int n_thresholds,
11931 				u32 hysteresis)
11932 {
11933 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11934 	struct net_device *dev = info->user_ptr[1];
11935 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11936 	int i, err;
11937 	s32 prev = S32_MIN;
11938 
11939 	/* Check all values negative and sorted */
11940 	for (i = 0; i < n_thresholds; i++) {
11941 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11942 			return -EINVAL;
11943 
11944 		prev = thresholds[i];
11945 	}
11946 
11947 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11948 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11949 		return -EOPNOTSUPP;
11950 
11951 	wdev_lock(wdev);
11952 	cfg80211_cqm_config_free(wdev);
11953 	wdev_unlock(wdev);
11954 
11955 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11956 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11957 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11958 
11959 		return rdev_set_cqm_rssi_config(rdev, dev,
11960 						thresholds[0], hysteresis);
11961 	}
11962 
11963 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11964 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11965 		return -EOPNOTSUPP;
11966 
11967 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11968 		n_thresholds = 0;
11969 
11970 	wdev_lock(wdev);
11971 	if (n_thresholds) {
11972 		struct cfg80211_cqm_config *cqm_config;
11973 
11974 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
11975 						 n_thresholds),
11976 				     GFP_KERNEL);
11977 		if (!cqm_config) {
11978 			err = -ENOMEM;
11979 			goto unlock;
11980 		}
11981 
11982 		cqm_config->rssi_hyst = hysteresis;
11983 		cqm_config->n_rssi_thresholds = n_thresholds;
11984 		memcpy(cqm_config->rssi_thresholds, thresholds,
11985 		       flex_array_size(cqm_config, rssi_thresholds,
11986 				       n_thresholds));
11987 
11988 		wdev->cqm_config = cqm_config;
11989 	}
11990 
11991 	err = cfg80211_cqm_rssi_update(rdev, dev);
11992 
11993 unlock:
11994 	wdev_unlock(wdev);
11995 
11996 	return err;
11997 }
11998 
11999 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12000 {
12001 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12002 	struct nlattr *cqm;
12003 	int err;
12004 
12005 	cqm = info->attrs[NL80211_ATTR_CQM];
12006 	if (!cqm)
12007 		return -EINVAL;
12008 
12009 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12010 					  nl80211_attr_cqm_policy,
12011 					  info->extack);
12012 	if (err)
12013 		return err;
12014 
12015 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12016 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12017 		const s32 *thresholds =
12018 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12019 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12020 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12021 
12022 		if (len % 4)
12023 			return -EINVAL;
12024 
12025 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12026 					    hysteresis);
12027 	}
12028 
12029 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12030 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12031 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12032 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12033 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12034 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12035 
12036 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12037 	}
12038 
12039 	return -EINVAL;
12040 }
12041 
12042 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12043 {
12044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12045 	struct net_device *dev = info->user_ptr[1];
12046 	struct ocb_setup setup = {};
12047 	int err;
12048 
12049 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12050 	if (err)
12051 		return err;
12052 
12053 	return cfg80211_join_ocb(rdev, dev, &setup);
12054 }
12055 
12056 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12057 {
12058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12059 	struct net_device *dev = info->user_ptr[1];
12060 
12061 	return cfg80211_leave_ocb(rdev, dev);
12062 }
12063 
12064 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12065 {
12066 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12067 	struct net_device *dev = info->user_ptr[1];
12068 	struct mesh_config cfg;
12069 	struct mesh_setup setup;
12070 	int err;
12071 
12072 	/* start with default */
12073 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12074 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12075 
12076 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12077 		/* and parse parameters if given */
12078 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12079 		if (err)
12080 			return err;
12081 	}
12082 
12083 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12084 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12085 		return -EINVAL;
12086 
12087 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12088 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12089 
12090 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12091 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12092 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12093 			return -EINVAL;
12094 
12095 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12096 		setup.beacon_interval =
12097 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12098 
12099 		err = cfg80211_validate_beacon_int(rdev,
12100 						   NL80211_IFTYPE_MESH_POINT,
12101 						   setup.beacon_interval);
12102 		if (err)
12103 			return err;
12104 	}
12105 
12106 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12107 		setup.dtim_period =
12108 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12109 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12110 			return -EINVAL;
12111 	}
12112 
12113 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12114 		/* parse additional setup parameters if given */
12115 		err = nl80211_parse_mesh_setup(info, &setup);
12116 		if (err)
12117 			return err;
12118 	}
12119 
12120 	if (setup.user_mpm)
12121 		cfg.auto_open_plinks = false;
12122 
12123 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12124 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12125 		if (err)
12126 			return err;
12127 	} else {
12128 		/* __cfg80211_join_mesh() will sort it out */
12129 		setup.chandef.chan = NULL;
12130 	}
12131 
12132 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12133 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12134 		int n_rates =
12135 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12136 		struct ieee80211_supported_band *sband;
12137 
12138 		if (!setup.chandef.chan)
12139 			return -EINVAL;
12140 
12141 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12142 
12143 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12144 					     &setup.basic_rates);
12145 		if (err)
12146 			return err;
12147 	}
12148 
12149 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12150 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12151 						    NL80211_ATTR_TX_RATES,
12152 						    &setup.beacon_rate,
12153 						    dev, false);
12154 		if (err)
12155 			return err;
12156 
12157 		if (!setup.chandef.chan)
12158 			return -EINVAL;
12159 
12160 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12161 					      &setup.beacon_rate);
12162 		if (err)
12163 			return err;
12164 	}
12165 
12166 	setup.userspace_handles_dfs =
12167 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12168 
12169 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12170 		int r = validate_pae_over_nl80211(rdev, info);
12171 
12172 		if (r < 0)
12173 			return r;
12174 
12175 		setup.control_port_over_nl80211 = true;
12176 	}
12177 
12178 	wdev_lock(dev->ieee80211_ptr);
12179 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12180 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12181 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12182 	wdev_unlock(dev->ieee80211_ptr);
12183 
12184 	return err;
12185 }
12186 
12187 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12188 {
12189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12190 	struct net_device *dev = info->user_ptr[1];
12191 
12192 	return cfg80211_leave_mesh(rdev, dev);
12193 }
12194 
12195 #ifdef CONFIG_PM
12196 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12197 					struct cfg80211_registered_device *rdev)
12198 {
12199 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12200 	struct nlattr *nl_pats, *nl_pat;
12201 	int i, pat_len;
12202 
12203 	if (!wowlan->n_patterns)
12204 		return 0;
12205 
12206 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12207 	if (!nl_pats)
12208 		return -ENOBUFS;
12209 
12210 	for (i = 0; i < wowlan->n_patterns; i++) {
12211 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12212 		if (!nl_pat)
12213 			return -ENOBUFS;
12214 		pat_len = wowlan->patterns[i].pattern_len;
12215 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12216 			    wowlan->patterns[i].mask) ||
12217 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12218 			    wowlan->patterns[i].pattern) ||
12219 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12220 				wowlan->patterns[i].pkt_offset))
12221 			return -ENOBUFS;
12222 		nla_nest_end(msg, nl_pat);
12223 	}
12224 	nla_nest_end(msg, nl_pats);
12225 
12226 	return 0;
12227 }
12228 
12229 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12230 				   struct cfg80211_wowlan_tcp *tcp)
12231 {
12232 	struct nlattr *nl_tcp;
12233 
12234 	if (!tcp)
12235 		return 0;
12236 
12237 	nl_tcp = nla_nest_start_noflag(msg,
12238 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12239 	if (!nl_tcp)
12240 		return -ENOBUFS;
12241 
12242 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12243 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12244 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12245 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12246 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12247 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12248 		    tcp->payload_len, tcp->payload) ||
12249 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12250 			tcp->data_interval) ||
12251 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12252 		    tcp->wake_len, tcp->wake_data) ||
12253 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12254 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12255 		return -ENOBUFS;
12256 
12257 	if (tcp->payload_seq.len &&
12258 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12259 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12260 		return -ENOBUFS;
12261 
12262 	if (tcp->payload_tok.len &&
12263 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12264 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12265 		    &tcp->payload_tok))
12266 		return -ENOBUFS;
12267 
12268 	nla_nest_end(msg, nl_tcp);
12269 
12270 	return 0;
12271 }
12272 
12273 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12274 				  struct cfg80211_sched_scan_request *req)
12275 {
12276 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12277 	int i;
12278 
12279 	if (!req)
12280 		return 0;
12281 
12282 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12283 	if (!nd)
12284 		return -ENOBUFS;
12285 
12286 	if (req->n_scan_plans == 1 &&
12287 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12288 			req->scan_plans[0].interval * 1000))
12289 		return -ENOBUFS;
12290 
12291 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12292 		return -ENOBUFS;
12293 
12294 	if (req->relative_rssi_set) {
12295 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12296 
12297 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12298 			       req->relative_rssi))
12299 			return -ENOBUFS;
12300 
12301 		rssi_adjust.band = req->rssi_adjust.band;
12302 		rssi_adjust.delta = req->rssi_adjust.delta;
12303 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12304 			    sizeof(rssi_adjust), &rssi_adjust))
12305 			return -ENOBUFS;
12306 	}
12307 
12308 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12309 	if (!freqs)
12310 		return -ENOBUFS;
12311 
12312 	for (i = 0; i < req->n_channels; i++) {
12313 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12314 			return -ENOBUFS;
12315 	}
12316 
12317 	nla_nest_end(msg, freqs);
12318 
12319 	if (req->n_match_sets) {
12320 		matches = nla_nest_start_noflag(msg,
12321 						NL80211_ATTR_SCHED_SCAN_MATCH);
12322 		if (!matches)
12323 			return -ENOBUFS;
12324 
12325 		for (i = 0; i < req->n_match_sets; i++) {
12326 			match = nla_nest_start_noflag(msg, i);
12327 			if (!match)
12328 				return -ENOBUFS;
12329 
12330 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12331 				    req->match_sets[i].ssid.ssid_len,
12332 				    req->match_sets[i].ssid.ssid))
12333 				return -ENOBUFS;
12334 			nla_nest_end(msg, match);
12335 		}
12336 		nla_nest_end(msg, matches);
12337 	}
12338 
12339 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12340 	if (!scan_plans)
12341 		return -ENOBUFS;
12342 
12343 	for (i = 0; i < req->n_scan_plans; i++) {
12344 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12345 		if (!scan_plan)
12346 			return -ENOBUFS;
12347 
12348 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12349 				req->scan_plans[i].interval) ||
12350 		    (req->scan_plans[i].iterations &&
12351 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12352 				 req->scan_plans[i].iterations)))
12353 			return -ENOBUFS;
12354 		nla_nest_end(msg, scan_plan);
12355 	}
12356 	nla_nest_end(msg, scan_plans);
12357 
12358 	nla_nest_end(msg, nd);
12359 
12360 	return 0;
12361 }
12362 
12363 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12364 {
12365 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12366 	struct sk_buff *msg;
12367 	void *hdr;
12368 	u32 size = NLMSG_DEFAULT_SIZE;
12369 
12370 	if (!rdev->wiphy.wowlan)
12371 		return -EOPNOTSUPP;
12372 
12373 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12374 		/* adjust size to have room for all the data */
12375 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12376 			rdev->wiphy.wowlan_config->tcp->payload_len +
12377 			rdev->wiphy.wowlan_config->tcp->wake_len +
12378 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12379 	}
12380 
12381 	msg = nlmsg_new(size, GFP_KERNEL);
12382 	if (!msg)
12383 		return -ENOMEM;
12384 
12385 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12386 			     NL80211_CMD_GET_WOWLAN);
12387 	if (!hdr)
12388 		goto nla_put_failure;
12389 
12390 	if (rdev->wiphy.wowlan_config) {
12391 		struct nlattr *nl_wowlan;
12392 
12393 		nl_wowlan = nla_nest_start_noflag(msg,
12394 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12395 		if (!nl_wowlan)
12396 			goto nla_put_failure;
12397 
12398 		if ((rdev->wiphy.wowlan_config->any &&
12399 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12400 		    (rdev->wiphy.wowlan_config->disconnect &&
12401 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12402 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12403 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12404 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12405 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12406 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12407 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12408 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12409 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12410 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12411 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12412 			goto nla_put_failure;
12413 
12414 		if (nl80211_send_wowlan_patterns(msg, rdev))
12415 			goto nla_put_failure;
12416 
12417 		if (nl80211_send_wowlan_tcp(msg,
12418 					    rdev->wiphy.wowlan_config->tcp))
12419 			goto nla_put_failure;
12420 
12421 		if (nl80211_send_wowlan_nd(
12422 			    msg,
12423 			    rdev->wiphy.wowlan_config->nd_config))
12424 			goto nla_put_failure;
12425 
12426 		nla_nest_end(msg, nl_wowlan);
12427 	}
12428 
12429 	genlmsg_end(msg, hdr);
12430 	return genlmsg_reply(msg, info);
12431 
12432 nla_put_failure:
12433 	nlmsg_free(msg);
12434 	return -ENOBUFS;
12435 }
12436 
12437 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12438 				    struct nlattr *attr,
12439 				    struct cfg80211_wowlan *trig)
12440 {
12441 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12442 	struct cfg80211_wowlan_tcp *cfg;
12443 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12444 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12445 	u32 size;
12446 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12447 	int err, port;
12448 
12449 	if (!rdev->wiphy.wowlan->tcp)
12450 		return -EINVAL;
12451 
12452 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12453 					  nl80211_wowlan_tcp_policy, NULL);
12454 	if (err)
12455 		return err;
12456 
12457 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12458 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12459 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12460 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12461 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12462 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12463 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12464 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12465 		return -EINVAL;
12466 
12467 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12468 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12469 		return -EINVAL;
12470 
12471 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12472 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12473 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12474 		return -EINVAL;
12475 
12476 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12477 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12478 		return -EINVAL;
12479 
12480 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12481 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12482 		return -EINVAL;
12483 
12484 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12485 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12486 
12487 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12488 		tokens_size = tokln - sizeof(*tok);
12489 
12490 		if (!tok->len || tokens_size % tok->len)
12491 			return -EINVAL;
12492 		if (!rdev->wiphy.wowlan->tcp->tok)
12493 			return -EINVAL;
12494 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12495 			return -EINVAL;
12496 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12497 			return -EINVAL;
12498 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12499 			return -EINVAL;
12500 		if (tok->offset + tok->len > data_size)
12501 			return -EINVAL;
12502 	}
12503 
12504 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12505 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12506 		if (!rdev->wiphy.wowlan->tcp->seq)
12507 			return -EINVAL;
12508 		if (seq->len == 0 || seq->len > 4)
12509 			return -EINVAL;
12510 		if (seq->len + seq->offset > data_size)
12511 			return -EINVAL;
12512 	}
12513 
12514 	size = sizeof(*cfg);
12515 	size += data_size;
12516 	size += wake_size + wake_mask_size;
12517 	size += tokens_size;
12518 
12519 	cfg = kzalloc(size, GFP_KERNEL);
12520 	if (!cfg)
12521 		return -ENOMEM;
12522 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12523 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12524 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12525 	       ETH_ALEN);
12526 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12527 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12528 	else
12529 		port = 0;
12530 #ifdef CONFIG_INET
12531 	/* allocate a socket and port for it and use it */
12532 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12533 			    IPPROTO_TCP, &cfg->sock, 1);
12534 	if (err) {
12535 		kfree(cfg);
12536 		return err;
12537 	}
12538 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12539 		sock_release(cfg->sock);
12540 		kfree(cfg);
12541 		return -EADDRINUSE;
12542 	}
12543 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12544 #else
12545 	if (!port) {
12546 		kfree(cfg);
12547 		return -EINVAL;
12548 	}
12549 	cfg->src_port = port;
12550 #endif
12551 
12552 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12553 	cfg->payload_len = data_size;
12554 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12555 	memcpy((void *)cfg->payload,
12556 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12557 	       data_size);
12558 	if (seq)
12559 		cfg->payload_seq = *seq;
12560 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12561 	cfg->wake_len = wake_size;
12562 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12563 	memcpy((void *)cfg->wake_data,
12564 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12565 	       wake_size);
12566 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12567 			 data_size + wake_size;
12568 	memcpy((void *)cfg->wake_mask,
12569 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12570 	       wake_mask_size);
12571 	if (tok) {
12572 		cfg->tokens_size = tokens_size;
12573 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12574 	}
12575 
12576 	trig->tcp = cfg;
12577 
12578 	return 0;
12579 }
12580 
12581 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12582 				   const struct wiphy_wowlan_support *wowlan,
12583 				   struct nlattr *attr,
12584 				   struct cfg80211_wowlan *trig)
12585 {
12586 	struct nlattr **tb;
12587 	int err;
12588 
12589 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12590 	if (!tb)
12591 		return -ENOMEM;
12592 
12593 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12594 		err = -EOPNOTSUPP;
12595 		goto out;
12596 	}
12597 
12598 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12599 					  nl80211_policy, NULL);
12600 	if (err)
12601 		goto out;
12602 
12603 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12604 						   wowlan->max_nd_match_sets);
12605 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12606 	if (err)
12607 		trig->nd_config = NULL;
12608 
12609 out:
12610 	kfree(tb);
12611 	return err;
12612 }
12613 
12614 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12615 {
12616 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12617 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12618 	struct cfg80211_wowlan new_triggers = {};
12619 	struct cfg80211_wowlan *ntrig;
12620 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12621 	int err, i;
12622 	bool prev_enabled = rdev->wiphy.wowlan_config;
12623 	bool regular = false;
12624 
12625 	if (!wowlan)
12626 		return -EOPNOTSUPP;
12627 
12628 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12629 		cfg80211_rdev_free_wowlan(rdev);
12630 		rdev->wiphy.wowlan_config = NULL;
12631 		goto set_wakeup;
12632 	}
12633 
12634 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12635 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12636 					  nl80211_wowlan_policy, info->extack);
12637 	if (err)
12638 		return err;
12639 
12640 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12641 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12642 			return -EINVAL;
12643 		new_triggers.any = true;
12644 	}
12645 
12646 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12647 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12648 			return -EINVAL;
12649 		new_triggers.disconnect = true;
12650 		regular = true;
12651 	}
12652 
12653 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12654 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12655 			return -EINVAL;
12656 		new_triggers.magic_pkt = true;
12657 		regular = true;
12658 	}
12659 
12660 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12661 		return -EINVAL;
12662 
12663 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12664 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12665 			return -EINVAL;
12666 		new_triggers.gtk_rekey_failure = true;
12667 		regular = true;
12668 	}
12669 
12670 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12671 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12672 			return -EINVAL;
12673 		new_triggers.eap_identity_req = true;
12674 		regular = true;
12675 	}
12676 
12677 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12678 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12679 			return -EINVAL;
12680 		new_triggers.four_way_handshake = true;
12681 		regular = true;
12682 	}
12683 
12684 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12685 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12686 			return -EINVAL;
12687 		new_triggers.rfkill_release = true;
12688 		regular = true;
12689 	}
12690 
12691 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12692 		struct nlattr *pat;
12693 		int n_patterns = 0;
12694 		int rem, pat_len, mask_len, pkt_offset;
12695 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12696 
12697 		regular = true;
12698 
12699 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12700 				    rem)
12701 			n_patterns++;
12702 		if (n_patterns > wowlan->n_patterns)
12703 			return -EINVAL;
12704 
12705 		new_triggers.patterns = kcalloc(n_patterns,
12706 						sizeof(new_triggers.patterns[0]),
12707 						GFP_KERNEL);
12708 		if (!new_triggers.patterns)
12709 			return -ENOMEM;
12710 
12711 		new_triggers.n_patterns = n_patterns;
12712 		i = 0;
12713 
12714 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12715 				    rem) {
12716 			u8 *mask_pat;
12717 
12718 			err = nla_parse_nested_deprecated(pat_tb,
12719 							  MAX_NL80211_PKTPAT,
12720 							  pat,
12721 							  nl80211_packet_pattern_policy,
12722 							  info->extack);
12723 			if (err)
12724 				goto error;
12725 
12726 			err = -EINVAL;
12727 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12728 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12729 				goto error;
12730 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12731 			mask_len = DIV_ROUND_UP(pat_len, 8);
12732 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12733 				goto error;
12734 			if (pat_len > wowlan->pattern_max_len ||
12735 			    pat_len < wowlan->pattern_min_len)
12736 				goto error;
12737 
12738 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12739 				pkt_offset = 0;
12740 			else
12741 				pkt_offset = nla_get_u32(
12742 					pat_tb[NL80211_PKTPAT_OFFSET]);
12743 			if (pkt_offset > wowlan->max_pkt_offset)
12744 				goto error;
12745 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12746 
12747 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12748 			if (!mask_pat) {
12749 				err = -ENOMEM;
12750 				goto error;
12751 			}
12752 			new_triggers.patterns[i].mask = mask_pat;
12753 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12754 			       mask_len);
12755 			mask_pat += mask_len;
12756 			new_triggers.patterns[i].pattern = mask_pat;
12757 			new_triggers.patterns[i].pattern_len = pat_len;
12758 			memcpy(mask_pat,
12759 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12760 			       pat_len);
12761 			i++;
12762 		}
12763 	}
12764 
12765 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12766 		regular = true;
12767 		err = nl80211_parse_wowlan_tcp(
12768 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12769 			&new_triggers);
12770 		if (err)
12771 			goto error;
12772 	}
12773 
12774 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12775 		regular = true;
12776 		err = nl80211_parse_wowlan_nd(
12777 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12778 			&new_triggers);
12779 		if (err)
12780 			goto error;
12781 	}
12782 
12783 	/* The 'any' trigger means the device continues operating more or less
12784 	 * as in its normal operation mode and wakes up the host on most of the
12785 	 * normal interrupts (like packet RX, ...)
12786 	 * It therefore makes little sense to combine with the more constrained
12787 	 * wakeup trigger modes.
12788 	 */
12789 	if (new_triggers.any && regular) {
12790 		err = -EINVAL;
12791 		goto error;
12792 	}
12793 
12794 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12795 	if (!ntrig) {
12796 		err = -ENOMEM;
12797 		goto error;
12798 	}
12799 	cfg80211_rdev_free_wowlan(rdev);
12800 	rdev->wiphy.wowlan_config = ntrig;
12801 
12802  set_wakeup:
12803 	if (rdev->ops->set_wakeup &&
12804 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12805 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12806 
12807 	return 0;
12808  error:
12809 	for (i = 0; i < new_triggers.n_patterns; i++)
12810 		kfree(new_triggers.patterns[i].mask);
12811 	kfree(new_triggers.patterns);
12812 	if (new_triggers.tcp && new_triggers.tcp->sock)
12813 		sock_release(new_triggers.tcp->sock);
12814 	kfree(new_triggers.tcp);
12815 	kfree(new_triggers.nd_config);
12816 	return err;
12817 }
12818 #endif
12819 
12820 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12821 				       struct cfg80211_registered_device *rdev)
12822 {
12823 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12824 	int i, j, pat_len;
12825 	struct cfg80211_coalesce_rules *rule;
12826 
12827 	if (!rdev->coalesce->n_rules)
12828 		return 0;
12829 
12830 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12831 	if (!nl_rules)
12832 		return -ENOBUFS;
12833 
12834 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12835 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12836 		if (!nl_rule)
12837 			return -ENOBUFS;
12838 
12839 		rule = &rdev->coalesce->rules[i];
12840 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12841 				rule->delay))
12842 			return -ENOBUFS;
12843 
12844 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12845 				rule->condition))
12846 			return -ENOBUFS;
12847 
12848 		nl_pats = nla_nest_start_noflag(msg,
12849 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12850 		if (!nl_pats)
12851 			return -ENOBUFS;
12852 
12853 		for (j = 0; j < rule->n_patterns; j++) {
12854 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12855 			if (!nl_pat)
12856 				return -ENOBUFS;
12857 			pat_len = rule->patterns[j].pattern_len;
12858 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12859 				    DIV_ROUND_UP(pat_len, 8),
12860 				    rule->patterns[j].mask) ||
12861 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12862 				    rule->patterns[j].pattern) ||
12863 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12864 					rule->patterns[j].pkt_offset))
12865 				return -ENOBUFS;
12866 			nla_nest_end(msg, nl_pat);
12867 		}
12868 		nla_nest_end(msg, nl_pats);
12869 		nla_nest_end(msg, nl_rule);
12870 	}
12871 	nla_nest_end(msg, nl_rules);
12872 
12873 	return 0;
12874 }
12875 
12876 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12877 {
12878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12879 	struct sk_buff *msg;
12880 	void *hdr;
12881 
12882 	if (!rdev->wiphy.coalesce)
12883 		return -EOPNOTSUPP;
12884 
12885 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12886 	if (!msg)
12887 		return -ENOMEM;
12888 
12889 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12890 			     NL80211_CMD_GET_COALESCE);
12891 	if (!hdr)
12892 		goto nla_put_failure;
12893 
12894 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12895 		goto nla_put_failure;
12896 
12897 	genlmsg_end(msg, hdr);
12898 	return genlmsg_reply(msg, info);
12899 
12900 nla_put_failure:
12901 	nlmsg_free(msg);
12902 	return -ENOBUFS;
12903 }
12904 
12905 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12906 {
12907 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12908 	int i, j;
12909 	struct cfg80211_coalesce_rules *rule;
12910 
12911 	if (!coalesce)
12912 		return;
12913 
12914 	for (i = 0; i < coalesce->n_rules; i++) {
12915 		rule = &coalesce->rules[i];
12916 		for (j = 0; j < rule->n_patterns; j++)
12917 			kfree(rule->patterns[j].mask);
12918 		kfree(rule->patterns);
12919 	}
12920 	kfree(coalesce->rules);
12921 	kfree(coalesce);
12922 	rdev->coalesce = NULL;
12923 }
12924 
12925 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12926 				       struct nlattr *rule,
12927 				       struct cfg80211_coalesce_rules *new_rule)
12928 {
12929 	int err, i;
12930 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12931 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12932 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12933 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12934 
12935 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12936 					  rule, nl80211_coalesce_policy, NULL);
12937 	if (err)
12938 		return err;
12939 
12940 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12941 		new_rule->delay =
12942 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12943 	if (new_rule->delay > coalesce->max_delay)
12944 		return -EINVAL;
12945 
12946 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12947 		new_rule->condition =
12948 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12949 
12950 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12951 		return -EINVAL;
12952 
12953 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12954 			    rem)
12955 		n_patterns++;
12956 	if (n_patterns > coalesce->n_patterns)
12957 		return -EINVAL;
12958 
12959 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12960 				     GFP_KERNEL);
12961 	if (!new_rule->patterns)
12962 		return -ENOMEM;
12963 
12964 	new_rule->n_patterns = n_patterns;
12965 	i = 0;
12966 
12967 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12968 			    rem) {
12969 		u8 *mask_pat;
12970 
12971 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12972 						  pat,
12973 						  nl80211_packet_pattern_policy,
12974 						  NULL);
12975 		if (err)
12976 			return err;
12977 
12978 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12979 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12980 			return -EINVAL;
12981 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12982 		mask_len = DIV_ROUND_UP(pat_len, 8);
12983 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12984 			return -EINVAL;
12985 		if (pat_len > coalesce->pattern_max_len ||
12986 		    pat_len < coalesce->pattern_min_len)
12987 			return -EINVAL;
12988 
12989 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12990 			pkt_offset = 0;
12991 		else
12992 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12993 		if (pkt_offset > coalesce->max_pkt_offset)
12994 			return -EINVAL;
12995 		new_rule->patterns[i].pkt_offset = pkt_offset;
12996 
12997 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12998 		if (!mask_pat)
12999 			return -ENOMEM;
13000 
13001 		new_rule->patterns[i].mask = mask_pat;
13002 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13003 		       mask_len);
13004 
13005 		mask_pat += mask_len;
13006 		new_rule->patterns[i].pattern = mask_pat;
13007 		new_rule->patterns[i].pattern_len = pat_len;
13008 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13009 		       pat_len);
13010 		i++;
13011 	}
13012 
13013 	return 0;
13014 }
13015 
13016 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13017 {
13018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13019 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13020 	struct cfg80211_coalesce new_coalesce = {};
13021 	struct cfg80211_coalesce *n_coalesce;
13022 	int err, rem_rule, n_rules = 0, i, j;
13023 	struct nlattr *rule;
13024 	struct cfg80211_coalesce_rules *tmp_rule;
13025 
13026 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13027 		return -EOPNOTSUPP;
13028 
13029 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13030 		cfg80211_rdev_free_coalesce(rdev);
13031 		rdev_set_coalesce(rdev, NULL);
13032 		return 0;
13033 	}
13034 
13035 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13036 			    rem_rule)
13037 		n_rules++;
13038 	if (n_rules > coalesce->n_rules)
13039 		return -EINVAL;
13040 
13041 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13042 				     GFP_KERNEL);
13043 	if (!new_coalesce.rules)
13044 		return -ENOMEM;
13045 
13046 	new_coalesce.n_rules = n_rules;
13047 	i = 0;
13048 
13049 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13050 			    rem_rule) {
13051 		err = nl80211_parse_coalesce_rule(rdev, rule,
13052 						  &new_coalesce.rules[i]);
13053 		if (err)
13054 			goto error;
13055 
13056 		i++;
13057 	}
13058 
13059 	err = rdev_set_coalesce(rdev, &new_coalesce);
13060 	if (err)
13061 		goto error;
13062 
13063 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13064 	if (!n_coalesce) {
13065 		err = -ENOMEM;
13066 		goto error;
13067 	}
13068 	cfg80211_rdev_free_coalesce(rdev);
13069 	rdev->coalesce = n_coalesce;
13070 
13071 	return 0;
13072 error:
13073 	for (i = 0; i < new_coalesce.n_rules; i++) {
13074 		tmp_rule = &new_coalesce.rules[i];
13075 		for (j = 0; j < tmp_rule->n_patterns; j++)
13076 			kfree(tmp_rule->patterns[j].mask);
13077 		kfree(tmp_rule->patterns);
13078 	}
13079 	kfree(new_coalesce.rules);
13080 
13081 	return err;
13082 }
13083 
13084 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13085 {
13086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13087 	struct net_device *dev = info->user_ptr[1];
13088 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13089 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13090 	struct cfg80211_gtk_rekey_data rekey_data = {};
13091 	int err;
13092 
13093 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13094 		return -EINVAL;
13095 
13096 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13097 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13098 					  nl80211_rekey_policy, info->extack);
13099 	if (err)
13100 		return err;
13101 
13102 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13103 	    !tb[NL80211_REKEY_DATA_KCK])
13104 		return -EINVAL;
13105 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13106 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13107 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13108 		return -ERANGE;
13109 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13110 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13111 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13112 		return -ERANGE;
13113 
13114 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13115 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13116 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13117 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13118 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13119 	if (tb[NL80211_REKEY_DATA_AKM])
13120 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13121 
13122 	wdev_lock(wdev);
13123 	if (!wdev->current_bss) {
13124 		err = -ENOTCONN;
13125 		goto out;
13126 	}
13127 
13128 	if (!rdev->ops->set_rekey_data) {
13129 		err = -EOPNOTSUPP;
13130 		goto out;
13131 	}
13132 
13133 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13134  out:
13135 	wdev_unlock(wdev);
13136 	return err;
13137 }
13138 
13139 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13140 					     struct genl_info *info)
13141 {
13142 	struct net_device *dev = info->user_ptr[1];
13143 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13144 
13145 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13146 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13147 		return -EINVAL;
13148 
13149 	if (wdev->ap_unexpected_nlportid)
13150 		return -EBUSY;
13151 
13152 	wdev->ap_unexpected_nlportid = info->snd_portid;
13153 	return 0;
13154 }
13155 
13156 static int nl80211_probe_client(struct sk_buff *skb,
13157 				struct genl_info *info)
13158 {
13159 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13160 	struct net_device *dev = info->user_ptr[1];
13161 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13162 	struct sk_buff *msg;
13163 	void *hdr;
13164 	const u8 *addr;
13165 	u64 cookie;
13166 	int err;
13167 
13168 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13169 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13170 		return -EOPNOTSUPP;
13171 
13172 	if (!info->attrs[NL80211_ATTR_MAC])
13173 		return -EINVAL;
13174 
13175 	if (!rdev->ops->probe_client)
13176 		return -EOPNOTSUPP;
13177 
13178 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13179 	if (!msg)
13180 		return -ENOMEM;
13181 
13182 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13183 			     NL80211_CMD_PROBE_CLIENT);
13184 	if (!hdr) {
13185 		err = -ENOBUFS;
13186 		goto free_msg;
13187 	}
13188 
13189 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13190 
13191 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13192 	if (err)
13193 		goto free_msg;
13194 
13195 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13196 			      NL80211_ATTR_PAD))
13197 		goto nla_put_failure;
13198 
13199 	genlmsg_end(msg, hdr);
13200 
13201 	return genlmsg_reply(msg, info);
13202 
13203  nla_put_failure:
13204 	err = -ENOBUFS;
13205  free_msg:
13206 	nlmsg_free(msg);
13207 	return err;
13208 }
13209 
13210 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13211 {
13212 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13213 	struct cfg80211_beacon_registration *reg, *nreg;
13214 	int rv;
13215 
13216 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13217 		return -EOPNOTSUPP;
13218 
13219 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13220 	if (!nreg)
13221 		return -ENOMEM;
13222 
13223 	/* First, check if already registered. */
13224 	spin_lock_bh(&rdev->beacon_registrations_lock);
13225 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13226 		if (reg->nlportid == info->snd_portid) {
13227 			rv = -EALREADY;
13228 			goto out_err;
13229 		}
13230 	}
13231 	/* Add it to the list */
13232 	nreg->nlportid = info->snd_portid;
13233 	list_add(&nreg->list, &rdev->beacon_registrations);
13234 
13235 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13236 
13237 	return 0;
13238 out_err:
13239 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13240 	kfree(nreg);
13241 	return rv;
13242 }
13243 
13244 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13245 {
13246 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13247 	struct wireless_dev *wdev = info->user_ptr[1];
13248 	int err;
13249 
13250 	if (!rdev->ops->start_p2p_device)
13251 		return -EOPNOTSUPP;
13252 
13253 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13254 		return -EOPNOTSUPP;
13255 
13256 	if (wdev_running(wdev))
13257 		return 0;
13258 
13259 	if (rfkill_blocked(rdev->wiphy.rfkill))
13260 		return -ERFKILL;
13261 
13262 	err = rdev_start_p2p_device(rdev, wdev);
13263 	if (err)
13264 		return err;
13265 
13266 	wdev->is_running = true;
13267 	rdev->opencount++;
13268 
13269 	return 0;
13270 }
13271 
13272 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13273 {
13274 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13275 	struct wireless_dev *wdev = info->user_ptr[1];
13276 
13277 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13278 		return -EOPNOTSUPP;
13279 
13280 	if (!rdev->ops->stop_p2p_device)
13281 		return -EOPNOTSUPP;
13282 
13283 	cfg80211_stop_p2p_device(rdev, wdev);
13284 
13285 	return 0;
13286 }
13287 
13288 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13289 {
13290 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13291 	struct wireless_dev *wdev = info->user_ptr[1];
13292 	struct cfg80211_nan_conf conf = {};
13293 	int err;
13294 
13295 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13296 		return -EOPNOTSUPP;
13297 
13298 	if (wdev_running(wdev))
13299 		return -EEXIST;
13300 
13301 	if (rfkill_blocked(rdev->wiphy.rfkill))
13302 		return -ERFKILL;
13303 
13304 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13305 		return -EINVAL;
13306 
13307 	conf.master_pref =
13308 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13309 
13310 	if (info->attrs[NL80211_ATTR_BANDS]) {
13311 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13312 
13313 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13314 			return -EOPNOTSUPP;
13315 
13316 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13317 			return -EINVAL;
13318 
13319 		conf.bands = bands;
13320 	}
13321 
13322 	err = rdev_start_nan(rdev, wdev, &conf);
13323 	if (err)
13324 		return err;
13325 
13326 	wdev->is_running = true;
13327 	rdev->opencount++;
13328 
13329 	return 0;
13330 }
13331 
13332 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13333 {
13334 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13335 	struct wireless_dev *wdev = info->user_ptr[1];
13336 
13337 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13338 		return -EOPNOTSUPP;
13339 
13340 	cfg80211_stop_nan(rdev, wdev);
13341 
13342 	return 0;
13343 }
13344 
13345 static int validate_nan_filter(struct nlattr *filter_attr)
13346 {
13347 	struct nlattr *attr;
13348 	int len = 0, n_entries = 0, rem;
13349 
13350 	nla_for_each_nested(attr, filter_attr, rem) {
13351 		len += nla_len(attr);
13352 		n_entries++;
13353 	}
13354 
13355 	if (len >= U8_MAX)
13356 		return -EINVAL;
13357 
13358 	return n_entries;
13359 }
13360 
13361 static int handle_nan_filter(struct nlattr *attr_filter,
13362 			     struct cfg80211_nan_func *func,
13363 			     bool tx)
13364 {
13365 	struct nlattr *attr;
13366 	int n_entries, rem, i;
13367 	struct cfg80211_nan_func_filter *filter;
13368 
13369 	n_entries = validate_nan_filter(attr_filter);
13370 	if (n_entries < 0)
13371 		return n_entries;
13372 
13373 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13374 
13375 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13376 	if (!filter)
13377 		return -ENOMEM;
13378 
13379 	i = 0;
13380 	nla_for_each_nested(attr, attr_filter, rem) {
13381 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13382 		filter[i].len = nla_len(attr);
13383 		i++;
13384 	}
13385 	if (tx) {
13386 		func->num_tx_filters = n_entries;
13387 		func->tx_filters = filter;
13388 	} else {
13389 		func->num_rx_filters = n_entries;
13390 		func->rx_filters = filter;
13391 	}
13392 
13393 	return 0;
13394 }
13395 
13396 static int nl80211_nan_add_func(struct sk_buff *skb,
13397 				struct genl_info *info)
13398 {
13399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13400 	struct wireless_dev *wdev = info->user_ptr[1];
13401 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13402 	struct cfg80211_nan_func *func;
13403 	struct sk_buff *msg = NULL;
13404 	void *hdr = NULL;
13405 	int err = 0;
13406 
13407 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13408 		return -EOPNOTSUPP;
13409 
13410 	if (!wdev_running(wdev))
13411 		return -ENOTCONN;
13412 
13413 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13414 		return -EINVAL;
13415 
13416 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13417 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13418 					  nl80211_nan_func_policy,
13419 					  info->extack);
13420 	if (err)
13421 		return err;
13422 
13423 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13424 	if (!func)
13425 		return -ENOMEM;
13426 
13427 	func->cookie = cfg80211_assign_cookie(rdev);
13428 
13429 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13430 		err = -EINVAL;
13431 		goto out;
13432 	}
13433 
13434 
13435 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13436 
13437 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13438 		err = -EINVAL;
13439 		goto out;
13440 	}
13441 
13442 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13443 	       sizeof(func->service_id));
13444 
13445 	func->close_range =
13446 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13447 
13448 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13449 		func->serv_spec_info_len =
13450 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13451 		func->serv_spec_info =
13452 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13453 				func->serv_spec_info_len,
13454 				GFP_KERNEL);
13455 		if (!func->serv_spec_info) {
13456 			err = -ENOMEM;
13457 			goto out;
13458 		}
13459 	}
13460 
13461 	if (tb[NL80211_NAN_FUNC_TTL])
13462 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13463 
13464 	switch (func->type) {
13465 	case NL80211_NAN_FUNC_PUBLISH:
13466 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13467 			err = -EINVAL;
13468 			goto out;
13469 		}
13470 
13471 		func->publish_type =
13472 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13473 		func->publish_bcast =
13474 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13475 
13476 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13477 			func->publish_bcast) {
13478 			err = -EINVAL;
13479 			goto out;
13480 		}
13481 		break;
13482 	case NL80211_NAN_FUNC_SUBSCRIBE:
13483 		func->subscribe_active =
13484 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13485 		break;
13486 	case NL80211_NAN_FUNC_FOLLOW_UP:
13487 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13488 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13489 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13490 			err = -EINVAL;
13491 			goto out;
13492 		}
13493 
13494 		func->followup_id =
13495 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13496 		func->followup_reqid =
13497 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13498 		memcpy(func->followup_dest.addr,
13499 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13500 		       sizeof(func->followup_dest.addr));
13501 		if (func->ttl) {
13502 			err = -EINVAL;
13503 			goto out;
13504 		}
13505 		break;
13506 	default:
13507 		err = -EINVAL;
13508 		goto out;
13509 	}
13510 
13511 	if (tb[NL80211_NAN_FUNC_SRF]) {
13512 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13513 
13514 		err = nla_parse_nested_deprecated(srf_tb,
13515 						  NL80211_NAN_SRF_ATTR_MAX,
13516 						  tb[NL80211_NAN_FUNC_SRF],
13517 						  nl80211_nan_srf_policy,
13518 						  info->extack);
13519 		if (err)
13520 			goto out;
13521 
13522 		func->srf_include =
13523 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13524 
13525 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13526 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13527 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13528 				err = -EINVAL;
13529 				goto out;
13530 			}
13531 
13532 			func->srf_bf_len =
13533 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13534 			func->srf_bf =
13535 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13536 					func->srf_bf_len, GFP_KERNEL);
13537 			if (!func->srf_bf) {
13538 				err = -ENOMEM;
13539 				goto out;
13540 			}
13541 
13542 			func->srf_bf_idx =
13543 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13544 		} else {
13545 			struct nlattr *attr, *mac_attr =
13546 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13547 			int n_entries, rem, i = 0;
13548 
13549 			if (!mac_attr) {
13550 				err = -EINVAL;
13551 				goto out;
13552 			}
13553 
13554 			n_entries = validate_acl_mac_addrs(mac_attr);
13555 			if (n_entries <= 0) {
13556 				err = -EINVAL;
13557 				goto out;
13558 			}
13559 
13560 			func->srf_num_macs = n_entries;
13561 			func->srf_macs =
13562 				kcalloc(n_entries, sizeof(*func->srf_macs),
13563 					GFP_KERNEL);
13564 			if (!func->srf_macs) {
13565 				err = -ENOMEM;
13566 				goto out;
13567 			}
13568 
13569 			nla_for_each_nested(attr, mac_attr, rem)
13570 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13571 				       sizeof(*func->srf_macs));
13572 		}
13573 	}
13574 
13575 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13576 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13577 					func, true);
13578 		if (err)
13579 			goto out;
13580 	}
13581 
13582 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13583 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13584 					func, false);
13585 		if (err)
13586 			goto out;
13587 	}
13588 
13589 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13590 	if (!msg) {
13591 		err = -ENOMEM;
13592 		goto out;
13593 	}
13594 
13595 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13596 			     NL80211_CMD_ADD_NAN_FUNCTION);
13597 	/* This can't really happen - we just allocated 4KB */
13598 	if (WARN_ON(!hdr)) {
13599 		err = -ENOMEM;
13600 		goto out;
13601 	}
13602 
13603 	err = rdev_add_nan_func(rdev, wdev, func);
13604 out:
13605 	if (err < 0) {
13606 		cfg80211_free_nan_func(func);
13607 		nlmsg_free(msg);
13608 		return err;
13609 	}
13610 
13611 	/* propagate the instance id and cookie to userspace  */
13612 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13613 			      NL80211_ATTR_PAD))
13614 		goto nla_put_failure;
13615 
13616 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13617 	if (!func_attr)
13618 		goto nla_put_failure;
13619 
13620 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13621 		       func->instance_id))
13622 		goto nla_put_failure;
13623 
13624 	nla_nest_end(msg, func_attr);
13625 
13626 	genlmsg_end(msg, hdr);
13627 	return genlmsg_reply(msg, info);
13628 
13629 nla_put_failure:
13630 	nlmsg_free(msg);
13631 	return -ENOBUFS;
13632 }
13633 
13634 static int nl80211_nan_del_func(struct sk_buff *skb,
13635 			       struct genl_info *info)
13636 {
13637 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13638 	struct wireless_dev *wdev = info->user_ptr[1];
13639 	u64 cookie;
13640 
13641 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13642 		return -EOPNOTSUPP;
13643 
13644 	if (!wdev_running(wdev))
13645 		return -ENOTCONN;
13646 
13647 	if (!info->attrs[NL80211_ATTR_COOKIE])
13648 		return -EINVAL;
13649 
13650 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13651 
13652 	rdev_del_nan_func(rdev, wdev, cookie);
13653 
13654 	return 0;
13655 }
13656 
13657 static int nl80211_nan_change_config(struct sk_buff *skb,
13658 				     struct genl_info *info)
13659 {
13660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13661 	struct wireless_dev *wdev = info->user_ptr[1];
13662 	struct cfg80211_nan_conf conf = {};
13663 	u32 changed = 0;
13664 
13665 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13666 		return -EOPNOTSUPP;
13667 
13668 	if (!wdev_running(wdev))
13669 		return -ENOTCONN;
13670 
13671 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13672 		conf.master_pref =
13673 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13674 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13675 			return -EINVAL;
13676 
13677 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13678 	}
13679 
13680 	if (info->attrs[NL80211_ATTR_BANDS]) {
13681 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13682 
13683 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13684 			return -EOPNOTSUPP;
13685 
13686 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13687 			return -EINVAL;
13688 
13689 		conf.bands = bands;
13690 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13691 	}
13692 
13693 	if (!changed)
13694 		return -EINVAL;
13695 
13696 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13697 }
13698 
13699 void cfg80211_nan_match(struct wireless_dev *wdev,
13700 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13701 {
13702 	struct wiphy *wiphy = wdev->wiphy;
13703 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13704 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13705 	struct sk_buff *msg;
13706 	void *hdr;
13707 
13708 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13709 		return;
13710 
13711 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13712 	if (!msg)
13713 		return;
13714 
13715 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13716 	if (!hdr) {
13717 		nlmsg_free(msg);
13718 		return;
13719 	}
13720 
13721 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13722 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13723 					 wdev->netdev->ifindex)) ||
13724 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13725 			      NL80211_ATTR_PAD))
13726 		goto nla_put_failure;
13727 
13728 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13729 			      NL80211_ATTR_PAD) ||
13730 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13731 		goto nla_put_failure;
13732 
13733 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13734 	if (!match_attr)
13735 		goto nla_put_failure;
13736 
13737 	local_func_attr = nla_nest_start_noflag(msg,
13738 						NL80211_NAN_MATCH_FUNC_LOCAL);
13739 	if (!local_func_attr)
13740 		goto nla_put_failure;
13741 
13742 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13743 		goto nla_put_failure;
13744 
13745 	nla_nest_end(msg, local_func_attr);
13746 
13747 	peer_func_attr = nla_nest_start_noflag(msg,
13748 					       NL80211_NAN_MATCH_FUNC_PEER);
13749 	if (!peer_func_attr)
13750 		goto nla_put_failure;
13751 
13752 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13753 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13754 		goto nla_put_failure;
13755 
13756 	if (match->info && match->info_len &&
13757 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13758 		    match->info))
13759 		goto nla_put_failure;
13760 
13761 	nla_nest_end(msg, peer_func_attr);
13762 	nla_nest_end(msg, match_attr);
13763 	genlmsg_end(msg, hdr);
13764 
13765 	if (!wdev->owner_nlportid)
13766 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13767 					msg, 0, NL80211_MCGRP_NAN, gfp);
13768 	else
13769 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13770 				wdev->owner_nlportid);
13771 
13772 	return;
13773 
13774 nla_put_failure:
13775 	nlmsg_free(msg);
13776 }
13777 EXPORT_SYMBOL(cfg80211_nan_match);
13778 
13779 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13780 				  u8 inst_id,
13781 				  enum nl80211_nan_func_term_reason reason,
13782 				  u64 cookie, gfp_t gfp)
13783 {
13784 	struct wiphy *wiphy = wdev->wiphy;
13785 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13786 	struct sk_buff *msg;
13787 	struct nlattr *func_attr;
13788 	void *hdr;
13789 
13790 	if (WARN_ON(!inst_id))
13791 		return;
13792 
13793 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13794 	if (!msg)
13795 		return;
13796 
13797 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13798 	if (!hdr) {
13799 		nlmsg_free(msg);
13800 		return;
13801 	}
13802 
13803 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13804 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13805 					 wdev->netdev->ifindex)) ||
13806 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13807 			      NL80211_ATTR_PAD))
13808 		goto nla_put_failure;
13809 
13810 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13811 			      NL80211_ATTR_PAD))
13812 		goto nla_put_failure;
13813 
13814 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13815 	if (!func_attr)
13816 		goto nla_put_failure;
13817 
13818 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13819 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13820 		goto nla_put_failure;
13821 
13822 	nla_nest_end(msg, func_attr);
13823 	genlmsg_end(msg, hdr);
13824 
13825 	if (!wdev->owner_nlportid)
13826 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13827 					msg, 0, NL80211_MCGRP_NAN, gfp);
13828 	else
13829 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13830 				wdev->owner_nlportid);
13831 
13832 	return;
13833 
13834 nla_put_failure:
13835 	nlmsg_free(msg);
13836 }
13837 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13838 
13839 static int nl80211_get_protocol_features(struct sk_buff *skb,
13840 					 struct genl_info *info)
13841 {
13842 	void *hdr;
13843 	struct sk_buff *msg;
13844 
13845 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13846 	if (!msg)
13847 		return -ENOMEM;
13848 
13849 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13850 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13851 	if (!hdr)
13852 		goto nla_put_failure;
13853 
13854 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13855 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13856 		goto nla_put_failure;
13857 
13858 	genlmsg_end(msg, hdr);
13859 	return genlmsg_reply(msg, info);
13860 
13861  nla_put_failure:
13862 	kfree_skb(msg);
13863 	return -ENOBUFS;
13864 }
13865 
13866 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13867 {
13868 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13869 	struct cfg80211_update_ft_ies_params ft_params;
13870 	struct net_device *dev = info->user_ptr[1];
13871 
13872 	if (!rdev->ops->update_ft_ies)
13873 		return -EOPNOTSUPP;
13874 
13875 	if (!info->attrs[NL80211_ATTR_MDID] ||
13876 	    !info->attrs[NL80211_ATTR_IE])
13877 		return -EINVAL;
13878 
13879 	memset(&ft_params, 0, sizeof(ft_params));
13880 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13881 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13882 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13883 
13884 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13885 }
13886 
13887 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13888 				       struct genl_info *info)
13889 {
13890 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13891 	struct wireless_dev *wdev = info->user_ptr[1];
13892 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13893 	u16 duration;
13894 	int ret;
13895 
13896 	if (!rdev->ops->crit_proto_start)
13897 		return -EOPNOTSUPP;
13898 
13899 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13900 		return -EINVAL;
13901 
13902 	if (rdev->crit_proto_nlportid)
13903 		return -EBUSY;
13904 
13905 	/* determine protocol if provided */
13906 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13907 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13908 
13909 	if (proto >= NUM_NL80211_CRIT_PROTO)
13910 		return -EINVAL;
13911 
13912 	/* timeout must be provided */
13913 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13914 		return -EINVAL;
13915 
13916 	duration =
13917 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13918 
13919 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13920 	if (!ret)
13921 		rdev->crit_proto_nlportid = info->snd_portid;
13922 
13923 	return ret;
13924 }
13925 
13926 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13927 				      struct genl_info *info)
13928 {
13929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13930 	struct wireless_dev *wdev = info->user_ptr[1];
13931 
13932 	if (!rdev->ops->crit_proto_stop)
13933 		return -EOPNOTSUPP;
13934 
13935 	if (rdev->crit_proto_nlportid) {
13936 		rdev->crit_proto_nlportid = 0;
13937 		rdev_crit_proto_stop(rdev, wdev);
13938 	}
13939 	return 0;
13940 }
13941 
13942 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13943 				       struct nlattr *attr,
13944 				       struct netlink_ext_ack *extack)
13945 {
13946 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13947 		if (attr->nla_type & NLA_F_NESTED) {
13948 			NL_SET_ERR_MSG_ATTR(extack, attr,
13949 					    "unexpected nested data");
13950 			return -EINVAL;
13951 		}
13952 
13953 		return 0;
13954 	}
13955 
13956 	if (!(attr->nla_type & NLA_F_NESTED)) {
13957 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13958 		return -EINVAL;
13959 	}
13960 
13961 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13962 }
13963 
13964 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13965 {
13966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13967 	struct wireless_dev *wdev =
13968 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13969 					   info->attrs);
13970 	int i, err;
13971 	u32 vid, subcmd;
13972 
13973 	if (!rdev->wiphy.vendor_commands)
13974 		return -EOPNOTSUPP;
13975 
13976 	if (IS_ERR(wdev)) {
13977 		err = PTR_ERR(wdev);
13978 		if (err != -EINVAL)
13979 			return err;
13980 		wdev = NULL;
13981 	} else if (wdev->wiphy != &rdev->wiphy) {
13982 		return -EINVAL;
13983 	}
13984 
13985 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13986 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13987 		return -EINVAL;
13988 
13989 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13990 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13991 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13992 		const struct wiphy_vendor_command *vcmd;
13993 		void *data = NULL;
13994 		int len = 0;
13995 
13996 		vcmd = &rdev->wiphy.vendor_commands[i];
13997 
13998 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13999 			continue;
14000 
14001 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14002 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14003 			if (!wdev)
14004 				return -EINVAL;
14005 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14006 			    !wdev->netdev)
14007 				return -EINVAL;
14008 
14009 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14010 				if (!wdev_running(wdev))
14011 					return -ENETDOWN;
14012 			}
14013 		} else {
14014 			wdev = NULL;
14015 		}
14016 
14017 		if (!vcmd->doit)
14018 			return -EOPNOTSUPP;
14019 
14020 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14021 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14022 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14023 
14024 			err = nl80211_vendor_check_policy(vcmd,
14025 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14026 					info->extack);
14027 			if (err)
14028 				return err;
14029 		}
14030 
14031 		rdev->cur_cmd_info = info;
14032 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14033 		rdev->cur_cmd_info = NULL;
14034 		return err;
14035 	}
14036 
14037 	return -EOPNOTSUPP;
14038 }
14039 
14040 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14041 				       struct netlink_callback *cb,
14042 				       struct cfg80211_registered_device **rdev,
14043 				       struct wireless_dev **wdev)
14044 {
14045 	struct nlattr **attrbuf;
14046 	u32 vid, subcmd;
14047 	unsigned int i;
14048 	int vcmd_idx = -1;
14049 	int err;
14050 	void *data = NULL;
14051 	unsigned int data_len = 0;
14052 
14053 	if (cb->args[0]) {
14054 		/* subtract the 1 again here */
14055 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14056 		struct wireless_dev *tmp;
14057 
14058 		if (!wiphy)
14059 			return -ENODEV;
14060 		*rdev = wiphy_to_rdev(wiphy);
14061 		*wdev = NULL;
14062 
14063 		if (cb->args[1]) {
14064 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14065 				if (tmp->identifier == cb->args[1] - 1) {
14066 					*wdev = tmp;
14067 					break;
14068 				}
14069 			}
14070 		}
14071 
14072 		/* keep rtnl locked in successful case */
14073 		return 0;
14074 	}
14075 
14076 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14077 	if (!attrbuf)
14078 		return -ENOMEM;
14079 
14080 	err = nlmsg_parse_deprecated(cb->nlh,
14081 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14082 				     attrbuf, nl80211_fam.maxattr,
14083 				     nl80211_policy, NULL);
14084 	if (err)
14085 		goto out;
14086 
14087 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14088 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14089 		err = -EINVAL;
14090 		goto out;
14091 	}
14092 
14093 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14094 	if (IS_ERR(*wdev))
14095 		*wdev = NULL;
14096 
14097 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14098 	if (IS_ERR(*rdev)) {
14099 		err = PTR_ERR(*rdev);
14100 		goto out;
14101 	}
14102 
14103 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14104 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14105 
14106 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14107 		const struct wiphy_vendor_command *vcmd;
14108 
14109 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14110 
14111 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14112 			continue;
14113 
14114 		if (!vcmd->dumpit) {
14115 			err = -EOPNOTSUPP;
14116 			goto out;
14117 		}
14118 
14119 		vcmd_idx = i;
14120 		break;
14121 	}
14122 
14123 	if (vcmd_idx < 0) {
14124 		err = -EOPNOTSUPP;
14125 		goto out;
14126 	}
14127 
14128 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14129 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14130 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14131 
14132 		err = nl80211_vendor_check_policy(
14133 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14134 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14135 				cb->extack);
14136 		if (err)
14137 			goto out;
14138 	}
14139 
14140 	/* 0 is the first index - add 1 to parse only once */
14141 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14142 	/* add 1 to know if it was NULL */
14143 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14144 	cb->args[2] = vcmd_idx;
14145 	cb->args[3] = (unsigned long)data;
14146 	cb->args[4] = data_len;
14147 
14148 	/* keep rtnl locked in successful case */
14149 	err = 0;
14150 out:
14151 	kfree(attrbuf);
14152 	return err;
14153 }
14154 
14155 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14156 				   struct netlink_callback *cb)
14157 {
14158 	struct cfg80211_registered_device *rdev;
14159 	struct wireless_dev *wdev;
14160 	unsigned int vcmd_idx;
14161 	const struct wiphy_vendor_command *vcmd;
14162 	void *data;
14163 	int data_len;
14164 	int err;
14165 	struct nlattr *vendor_data;
14166 
14167 	rtnl_lock();
14168 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14169 	if (err)
14170 		goto out;
14171 
14172 	vcmd_idx = cb->args[2];
14173 	data = (void *)cb->args[3];
14174 	data_len = cb->args[4];
14175 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14176 
14177 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14178 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14179 		if (!wdev) {
14180 			err = -EINVAL;
14181 			goto out;
14182 		}
14183 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14184 		    !wdev->netdev) {
14185 			err = -EINVAL;
14186 			goto out;
14187 		}
14188 
14189 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14190 			if (!wdev_running(wdev)) {
14191 				err = -ENETDOWN;
14192 				goto out;
14193 			}
14194 		}
14195 	}
14196 
14197 	while (1) {
14198 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14199 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14200 					   NL80211_CMD_VENDOR);
14201 		if (!hdr)
14202 			break;
14203 
14204 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14205 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14206 					       wdev_id(wdev),
14207 					       NL80211_ATTR_PAD))) {
14208 			genlmsg_cancel(skb, hdr);
14209 			break;
14210 		}
14211 
14212 		vendor_data = nla_nest_start_noflag(skb,
14213 						    NL80211_ATTR_VENDOR_DATA);
14214 		if (!vendor_data) {
14215 			genlmsg_cancel(skb, hdr);
14216 			break;
14217 		}
14218 
14219 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14220 				   (unsigned long *)&cb->args[5]);
14221 		nla_nest_end(skb, vendor_data);
14222 
14223 		if (err == -ENOBUFS || err == -ENOENT) {
14224 			genlmsg_cancel(skb, hdr);
14225 			break;
14226 		} else if (err <= 0) {
14227 			genlmsg_cancel(skb, hdr);
14228 			goto out;
14229 		}
14230 
14231 		genlmsg_end(skb, hdr);
14232 	}
14233 
14234 	err = skb->len;
14235  out:
14236 	rtnl_unlock();
14237 	return err;
14238 }
14239 
14240 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14241 					   enum nl80211_commands cmd,
14242 					   enum nl80211_attrs attr,
14243 					   int approxlen)
14244 {
14245 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14246 
14247 	if (WARN_ON(!rdev->cur_cmd_info))
14248 		return NULL;
14249 
14250 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14251 					   rdev->cur_cmd_info->snd_portid,
14252 					   rdev->cur_cmd_info->snd_seq,
14253 					   cmd, attr, NULL, GFP_KERNEL);
14254 }
14255 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14256 
14257 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14258 {
14259 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14260 	void *hdr = ((void **)skb->cb)[1];
14261 	struct nlattr *data = ((void **)skb->cb)[2];
14262 
14263 	/* clear CB data for netlink core to own from now on */
14264 	memset(skb->cb, 0, sizeof(skb->cb));
14265 
14266 	if (WARN_ON(!rdev->cur_cmd_info)) {
14267 		kfree_skb(skb);
14268 		return -EINVAL;
14269 	}
14270 
14271 	nla_nest_end(skb, data);
14272 	genlmsg_end(skb, hdr);
14273 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14274 }
14275 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14276 
14277 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14278 {
14279 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14280 
14281 	if (WARN_ON(!rdev->cur_cmd_info))
14282 		return 0;
14283 
14284 	return rdev->cur_cmd_info->snd_portid;
14285 }
14286 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14287 
14288 static int nl80211_set_qos_map(struct sk_buff *skb,
14289 			       struct genl_info *info)
14290 {
14291 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14292 	struct cfg80211_qos_map *qos_map = NULL;
14293 	struct net_device *dev = info->user_ptr[1];
14294 	u8 *pos, len, num_des, des_len, des;
14295 	int ret;
14296 
14297 	if (!rdev->ops->set_qos_map)
14298 		return -EOPNOTSUPP;
14299 
14300 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14301 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14302 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14303 
14304 		if (len % 2)
14305 			return -EINVAL;
14306 
14307 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14308 		if (!qos_map)
14309 			return -ENOMEM;
14310 
14311 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14312 		if (num_des) {
14313 			des_len = num_des *
14314 				sizeof(struct cfg80211_dscp_exception);
14315 			memcpy(qos_map->dscp_exception, pos, des_len);
14316 			qos_map->num_des = num_des;
14317 			for (des = 0; des < num_des; des++) {
14318 				if (qos_map->dscp_exception[des].up > 7) {
14319 					kfree(qos_map);
14320 					return -EINVAL;
14321 				}
14322 			}
14323 			pos += des_len;
14324 		}
14325 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14326 	}
14327 
14328 	wdev_lock(dev->ieee80211_ptr);
14329 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14330 	if (!ret)
14331 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14332 	wdev_unlock(dev->ieee80211_ptr);
14333 
14334 	kfree(qos_map);
14335 	return ret;
14336 }
14337 
14338 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14339 {
14340 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14341 	struct net_device *dev = info->user_ptr[1];
14342 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14343 	const u8 *peer;
14344 	u8 tsid, up;
14345 	u16 admitted_time = 0;
14346 	int err;
14347 
14348 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14349 		return -EOPNOTSUPP;
14350 
14351 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14352 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14353 		return -EINVAL;
14354 
14355 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14356 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14357 
14358 	/* WMM uses TIDs 0-7 even for TSPEC */
14359 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14360 		/* TODO: handle 802.11 TSPEC/admission control
14361 		 * need more attributes for that (e.g. BA session requirement);
14362 		 * change the WMM adminssion test above to allow both then
14363 		 */
14364 		return -EINVAL;
14365 	}
14366 
14367 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14368 
14369 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14370 		admitted_time =
14371 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14372 		if (!admitted_time)
14373 			return -EINVAL;
14374 	}
14375 
14376 	wdev_lock(wdev);
14377 	switch (wdev->iftype) {
14378 	case NL80211_IFTYPE_STATION:
14379 	case NL80211_IFTYPE_P2P_CLIENT:
14380 		if (wdev->current_bss)
14381 			break;
14382 		err = -ENOTCONN;
14383 		goto out;
14384 	default:
14385 		err = -EOPNOTSUPP;
14386 		goto out;
14387 	}
14388 
14389 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14390 
14391  out:
14392 	wdev_unlock(wdev);
14393 	return err;
14394 }
14395 
14396 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14397 {
14398 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14399 	struct net_device *dev = info->user_ptr[1];
14400 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14401 	const u8 *peer;
14402 	u8 tsid;
14403 	int err;
14404 
14405 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14406 		return -EINVAL;
14407 
14408 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14409 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14410 
14411 	wdev_lock(wdev);
14412 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14413 	wdev_unlock(wdev);
14414 
14415 	return err;
14416 }
14417 
14418 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14419 				       struct genl_info *info)
14420 {
14421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14422 	struct net_device *dev = info->user_ptr[1];
14423 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14424 	struct cfg80211_chan_def chandef = {};
14425 	const u8 *addr;
14426 	u8 oper_class;
14427 	int err;
14428 
14429 	if (!rdev->ops->tdls_channel_switch ||
14430 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14431 		return -EOPNOTSUPP;
14432 
14433 	switch (dev->ieee80211_ptr->iftype) {
14434 	case NL80211_IFTYPE_STATION:
14435 	case NL80211_IFTYPE_P2P_CLIENT:
14436 		break;
14437 	default:
14438 		return -EOPNOTSUPP;
14439 	}
14440 
14441 	if (!info->attrs[NL80211_ATTR_MAC] ||
14442 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14443 		return -EINVAL;
14444 
14445 	err = nl80211_parse_chandef(rdev, info, &chandef);
14446 	if (err)
14447 		return err;
14448 
14449 	/*
14450 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14451 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14452 	 * specification is not defined for them.
14453 	 */
14454 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14455 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14456 	    chandef.width != NL80211_CHAN_WIDTH_20)
14457 		return -EINVAL;
14458 
14459 	/* we will be active on the TDLS link */
14460 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14461 					   wdev->iftype))
14462 		return -EINVAL;
14463 
14464 	/* don't allow switching to DFS channels */
14465 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14466 		return -EINVAL;
14467 
14468 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14469 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14470 
14471 	wdev_lock(wdev);
14472 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14473 	wdev_unlock(wdev);
14474 
14475 	return err;
14476 }
14477 
14478 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14479 					      struct genl_info *info)
14480 {
14481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14482 	struct net_device *dev = info->user_ptr[1];
14483 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14484 	const u8 *addr;
14485 
14486 	if (!rdev->ops->tdls_channel_switch ||
14487 	    !rdev->ops->tdls_cancel_channel_switch ||
14488 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14489 		return -EOPNOTSUPP;
14490 
14491 	switch (dev->ieee80211_ptr->iftype) {
14492 	case NL80211_IFTYPE_STATION:
14493 	case NL80211_IFTYPE_P2P_CLIENT:
14494 		break;
14495 	default:
14496 		return -EOPNOTSUPP;
14497 	}
14498 
14499 	if (!info->attrs[NL80211_ATTR_MAC])
14500 		return -EINVAL;
14501 
14502 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14503 
14504 	wdev_lock(wdev);
14505 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14506 	wdev_unlock(wdev);
14507 
14508 	return 0;
14509 }
14510 
14511 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14512 					    struct genl_info *info)
14513 {
14514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14515 	struct net_device *dev = info->user_ptr[1];
14516 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14517 	const struct nlattr *nla;
14518 	bool enabled;
14519 
14520 	if (!rdev->ops->set_multicast_to_unicast)
14521 		return -EOPNOTSUPP;
14522 
14523 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14524 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14525 		return -EOPNOTSUPP;
14526 
14527 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14528 	enabled = nla_get_flag(nla);
14529 
14530 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14531 }
14532 
14533 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14534 {
14535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14536 	struct net_device *dev = info->user_ptr[1];
14537 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14538 	struct cfg80211_pmk_conf pmk_conf = {};
14539 	int ret;
14540 
14541 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14542 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14543 		return -EOPNOTSUPP;
14544 
14545 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14546 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14547 		return -EOPNOTSUPP;
14548 
14549 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14550 		return -EINVAL;
14551 
14552 	wdev_lock(wdev);
14553 	if (!wdev->current_bss) {
14554 		ret = -ENOTCONN;
14555 		goto out;
14556 	}
14557 
14558 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14559 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14560 		ret = -EINVAL;
14561 		goto out;
14562 	}
14563 
14564 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14565 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14566 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14567 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14568 		ret = -EINVAL;
14569 		goto out;
14570 	}
14571 
14572 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14573 		pmk_conf.pmk_r0_name =
14574 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14575 
14576 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14577 out:
14578 	wdev_unlock(wdev);
14579 	return ret;
14580 }
14581 
14582 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14583 {
14584 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14585 	struct net_device *dev = info->user_ptr[1];
14586 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14587 	const u8 *aa;
14588 	int ret;
14589 
14590 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14591 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14592 		return -EOPNOTSUPP;
14593 
14594 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14595 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14596 		return -EOPNOTSUPP;
14597 
14598 	if (!info->attrs[NL80211_ATTR_MAC])
14599 		return -EINVAL;
14600 
14601 	wdev_lock(wdev);
14602 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14603 	ret = rdev_del_pmk(rdev, dev, aa);
14604 	wdev_unlock(wdev);
14605 
14606 	return ret;
14607 }
14608 
14609 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14610 {
14611 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14612 	struct net_device *dev = info->user_ptr[1];
14613 	struct cfg80211_external_auth_params params;
14614 
14615 	if (!rdev->ops->external_auth)
14616 		return -EOPNOTSUPP;
14617 
14618 	if (!info->attrs[NL80211_ATTR_SSID] &&
14619 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14620 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14621 		return -EINVAL;
14622 
14623 	if (!info->attrs[NL80211_ATTR_BSSID])
14624 		return -EINVAL;
14625 
14626 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14627 		return -EINVAL;
14628 
14629 	memset(&params, 0, sizeof(params));
14630 
14631 	if (info->attrs[NL80211_ATTR_SSID]) {
14632 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14633 		if (params.ssid.ssid_len == 0)
14634 			return -EINVAL;
14635 		memcpy(params.ssid.ssid,
14636 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14637 		       params.ssid.ssid_len);
14638 	}
14639 
14640 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14641 	       ETH_ALEN);
14642 
14643 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14644 
14645 	if (info->attrs[NL80211_ATTR_PMKID])
14646 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14647 
14648 	return rdev_external_auth(rdev, dev, &params);
14649 }
14650 
14651 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14652 {
14653 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14654 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14655 	struct net_device *dev = info->user_ptr[1];
14656 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14657 	const u8 *buf;
14658 	size_t len;
14659 	u8 *dest;
14660 	u16 proto;
14661 	bool noencrypt;
14662 	u64 cookie = 0;
14663 	int err;
14664 
14665 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14666 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14667 		return -EOPNOTSUPP;
14668 
14669 	if (!rdev->ops->tx_control_port)
14670 		return -EOPNOTSUPP;
14671 
14672 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14673 	    !info->attrs[NL80211_ATTR_MAC] ||
14674 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14675 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14676 		return -EINVAL;
14677 	}
14678 
14679 	wdev_lock(wdev);
14680 
14681 	switch (wdev->iftype) {
14682 	case NL80211_IFTYPE_AP:
14683 	case NL80211_IFTYPE_P2P_GO:
14684 	case NL80211_IFTYPE_MESH_POINT:
14685 		break;
14686 	case NL80211_IFTYPE_ADHOC:
14687 	case NL80211_IFTYPE_STATION:
14688 	case NL80211_IFTYPE_P2P_CLIENT:
14689 		if (wdev->current_bss)
14690 			break;
14691 		err = -ENOTCONN;
14692 		goto out;
14693 	default:
14694 		err = -EOPNOTSUPP;
14695 		goto out;
14696 	}
14697 
14698 	wdev_unlock(wdev);
14699 
14700 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14701 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14702 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14703 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14704 	noencrypt =
14705 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14706 
14707 	err = rdev_tx_control_port(rdev, dev, buf, len,
14708 				   dest, cpu_to_be16(proto), noencrypt,
14709 				   dont_wait_for_ack ? NULL : &cookie);
14710 	if (!err && !dont_wait_for_ack)
14711 		nl_set_extack_cookie_u64(info->extack, cookie);
14712 	return err;
14713  out:
14714 	wdev_unlock(wdev);
14715 	return err;
14716 }
14717 
14718 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14719 					   struct genl_info *info)
14720 {
14721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14722 	struct net_device *dev = info->user_ptr[1];
14723 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14724 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14725 	struct sk_buff *msg;
14726 	void *hdr;
14727 	struct nlattr *ftm_stats_attr;
14728 	int err;
14729 
14730 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14731 		return -EOPNOTSUPP;
14732 
14733 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14734 	if (err)
14735 		return err;
14736 
14737 	if (!ftm_stats.filled)
14738 		return -ENODATA;
14739 
14740 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14741 	if (!msg)
14742 		return -ENOMEM;
14743 
14744 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14745 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14746 	if (!hdr)
14747 		goto nla_put_failure;
14748 
14749 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14750 		goto nla_put_failure;
14751 
14752 	ftm_stats_attr = nla_nest_start_noflag(msg,
14753 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14754 	if (!ftm_stats_attr)
14755 		goto nla_put_failure;
14756 
14757 #define SET_FTM(field, name, type)					 \
14758 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14759 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14760 			     ftm_stats.field))				 \
14761 		goto nla_put_failure; } while (0)
14762 #define SET_FTM_U64(field, name)					 \
14763 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14764 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14765 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14766 		goto nla_put_failure; } while (0)
14767 
14768 	SET_FTM(success_num, SUCCESS_NUM, u32);
14769 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14770 	SET_FTM(failed_num, FAILED_NUM, u32);
14771 	SET_FTM(asap_num, ASAP_NUM, u32);
14772 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14773 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14774 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14775 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14776 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14777 #undef SET_FTM
14778 
14779 	nla_nest_end(msg, ftm_stats_attr);
14780 
14781 	genlmsg_end(msg, hdr);
14782 	return genlmsg_reply(msg, info);
14783 
14784 nla_put_failure:
14785 	nlmsg_free(msg);
14786 	return -ENOBUFS;
14787 }
14788 
14789 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14790 {
14791 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14792 	struct cfg80211_update_owe_info owe_info;
14793 	struct net_device *dev = info->user_ptr[1];
14794 
14795 	if (!rdev->ops->update_owe_info)
14796 		return -EOPNOTSUPP;
14797 
14798 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14799 	    !info->attrs[NL80211_ATTR_MAC])
14800 		return -EINVAL;
14801 
14802 	memset(&owe_info, 0, sizeof(owe_info));
14803 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14804 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14805 
14806 	if (info->attrs[NL80211_ATTR_IE]) {
14807 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14808 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14809 	}
14810 
14811 	return rdev_update_owe_info(rdev, dev, &owe_info);
14812 }
14813 
14814 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14815 {
14816 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14817 	struct net_device *dev = info->user_ptr[1];
14818 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14819 	struct station_info sinfo = {};
14820 	const u8 *buf;
14821 	size_t len;
14822 	u8 *dest;
14823 	int err;
14824 
14825 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14826 		return -EOPNOTSUPP;
14827 
14828 	if (!info->attrs[NL80211_ATTR_MAC] ||
14829 	    !info->attrs[NL80211_ATTR_FRAME]) {
14830 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14831 		return -EINVAL;
14832 	}
14833 
14834 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14835 		return -EOPNOTSUPP;
14836 
14837 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14838 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14839 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14840 
14841 	if (len < sizeof(struct ethhdr))
14842 		return -EINVAL;
14843 
14844 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14845 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14846 		return -EINVAL;
14847 
14848 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14849 	if (err)
14850 		return err;
14851 
14852 	cfg80211_sinfo_release_content(&sinfo);
14853 
14854 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14855 }
14856 
14857 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14858 			  struct nlattr *attrs[], struct net_device *dev,
14859 			  struct cfg80211_tid_cfg *tid_conf,
14860 			  struct genl_info *info, const u8 *peer)
14861 {
14862 	struct netlink_ext_ack *extack = info->extack;
14863 	u64 mask;
14864 	int err;
14865 
14866 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14867 		return -EINVAL;
14868 
14869 	tid_conf->config_override =
14870 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14871 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14872 
14873 	if (tid_conf->config_override) {
14874 		if (rdev->ops->reset_tid_config) {
14875 			err = rdev_reset_tid_config(rdev, dev, peer,
14876 						    tid_conf->tids);
14877 			if (err)
14878 				return err;
14879 		} else {
14880 			return -EINVAL;
14881 		}
14882 	}
14883 
14884 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14885 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14886 		tid_conf->noack =
14887 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14888 	}
14889 
14890 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14891 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14892 		tid_conf->retry_short =
14893 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14894 
14895 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14896 			return -EINVAL;
14897 	}
14898 
14899 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14900 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14901 		tid_conf->retry_long =
14902 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14903 
14904 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14905 			return -EINVAL;
14906 	}
14907 
14908 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14909 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14910 		tid_conf->ampdu =
14911 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14912 	}
14913 
14914 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14915 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14916 		tid_conf->rtscts =
14917 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14918 	}
14919 
14920 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14921 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14922 		tid_conf->amsdu =
14923 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14924 	}
14925 
14926 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14927 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14928 
14929 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14930 
14931 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14932 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14933 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14934 						    &tid_conf->txrate_mask, dev,
14935 						    true);
14936 			if (err)
14937 				return err;
14938 
14939 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14940 		}
14941 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14942 	}
14943 
14944 	if (peer)
14945 		mask = rdev->wiphy.tid_config_support.peer;
14946 	else
14947 		mask = rdev->wiphy.tid_config_support.vif;
14948 
14949 	if (tid_conf->mask & ~mask) {
14950 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14951 		return -ENOTSUPP;
14952 	}
14953 
14954 	return 0;
14955 }
14956 
14957 static int nl80211_set_tid_config(struct sk_buff *skb,
14958 				  struct genl_info *info)
14959 {
14960 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14961 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14962 	struct net_device *dev = info->user_ptr[1];
14963 	struct cfg80211_tid_config *tid_config;
14964 	struct nlattr *tid;
14965 	int conf_idx = 0, rem_conf;
14966 	int ret = -EINVAL;
14967 	u32 num_conf = 0;
14968 
14969 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14970 		return -EINVAL;
14971 
14972 	if (!rdev->ops->set_tid_config)
14973 		return -EOPNOTSUPP;
14974 
14975 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14976 			    rem_conf)
14977 		num_conf++;
14978 
14979 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14980 			     GFP_KERNEL);
14981 	if (!tid_config)
14982 		return -ENOMEM;
14983 
14984 	tid_config->n_tid_conf = num_conf;
14985 
14986 	if (info->attrs[NL80211_ATTR_MAC])
14987 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14988 
14989 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14990 			    rem_conf) {
14991 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14992 				       tid, NULL, NULL);
14993 
14994 		if (ret)
14995 			goto bad_tid_conf;
14996 
14997 		ret = parse_tid_conf(rdev, attrs, dev,
14998 				     &tid_config->tid_conf[conf_idx],
14999 				     info, tid_config->peer);
15000 		if (ret)
15001 			goto bad_tid_conf;
15002 
15003 		conf_idx++;
15004 	}
15005 
15006 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15007 
15008 bad_tid_conf:
15009 	kfree(tid_config);
15010 	return ret;
15011 }
15012 
15013 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15014 {
15015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15016 	struct cfg80211_color_change_settings params = {};
15017 	struct net_device *dev = info->user_ptr[1];
15018 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15019 	struct nlattr **tb;
15020 	u16 offset;
15021 	int err;
15022 
15023 	if (!rdev->ops->color_change)
15024 		return -EOPNOTSUPP;
15025 
15026 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15027 				     NL80211_EXT_FEATURE_BSS_COLOR))
15028 		return -EOPNOTSUPP;
15029 
15030 	if (wdev->iftype != NL80211_IFTYPE_AP)
15031 		return -EOPNOTSUPP;
15032 
15033 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15034 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15035 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15036 		return -EINVAL;
15037 
15038 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15039 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15040 
15041 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15042 	if (err)
15043 		return err;
15044 
15045 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15046 	if (!tb)
15047 		return -ENOMEM;
15048 
15049 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15050 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15051 			       nl80211_policy, info->extack);
15052 	if (err)
15053 		goto out;
15054 
15055 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15056 	if (err)
15057 		goto out;
15058 
15059 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15060 		err = -EINVAL;
15061 		goto out;
15062 	}
15063 
15064 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15065 		err = -EINVAL;
15066 		goto out;
15067 	}
15068 
15069 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15070 	if (offset >= params.beacon_color_change.tail_len) {
15071 		err = -EINVAL;
15072 		goto out;
15073 	}
15074 
15075 	if (params.beacon_color_change.tail[offset] != params.count) {
15076 		err = -EINVAL;
15077 		goto out;
15078 	}
15079 
15080 	params.counter_offset_beacon = offset;
15081 
15082 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15083 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15084 		    sizeof(u16)) {
15085 			err = -EINVAL;
15086 			goto out;
15087 		}
15088 
15089 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15090 		if (offset >= params.beacon_color_change.probe_resp_len) {
15091 			err = -EINVAL;
15092 			goto out;
15093 		}
15094 
15095 		if (params.beacon_color_change.probe_resp[offset] !=
15096 		    params.count) {
15097 			err = -EINVAL;
15098 			goto out;
15099 		}
15100 
15101 		params.counter_offset_presp = offset;
15102 	}
15103 
15104 	wdev_lock(wdev);
15105 	err = rdev_color_change(rdev, dev, &params);
15106 	wdev_unlock(wdev);
15107 
15108 out:
15109 	kfree(params.beacon_next.mbssid_ies);
15110 	kfree(params.beacon_color_change.mbssid_ies);
15111 	kfree(tb);
15112 	return err;
15113 }
15114 
15115 static int nl80211_set_fils_aad(struct sk_buff *skb,
15116 				struct genl_info *info)
15117 {
15118 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15119 	struct net_device *dev = info->user_ptr[1];
15120 	struct cfg80211_fils_aad fils_aad = {};
15121 	u8 *nonces;
15122 
15123 	if (!info->attrs[NL80211_ATTR_MAC] ||
15124 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15125 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15126 		return -EINVAL;
15127 
15128 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15129 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15130 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15131 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15132 	fils_aad.snonce = nonces;
15133 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15134 
15135 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15136 }
15137 
15138 #define NL80211_FLAG_NEED_WIPHY		0x01
15139 #define NL80211_FLAG_NEED_NETDEV	0x02
15140 #define NL80211_FLAG_NEED_RTNL		0x04
15141 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15142 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15143 					 NL80211_FLAG_CHECK_NETDEV_UP)
15144 #define NL80211_FLAG_NEED_WDEV		0x10
15145 /* If a netdev is associated, it must be UP, P2P must be started */
15146 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15147 					 NL80211_FLAG_CHECK_NETDEV_UP)
15148 #define NL80211_FLAG_CLEAR_SKB		0x20
15149 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15150 
15151 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15152 			    struct genl_info *info)
15153 {
15154 	struct cfg80211_registered_device *rdev = NULL;
15155 	struct wireless_dev *wdev;
15156 	struct net_device *dev;
15157 
15158 	rtnl_lock();
15159 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15160 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15161 		if (IS_ERR(rdev)) {
15162 			rtnl_unlock();
15163 			return PTR_ERR(rdev);
15164 		}
15165 		info->user_ptr[0] = rdev;
15166 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15167 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15168 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15169 						  info->attrs);
15170 		if (IS_ERR(wdev)) {
15171 			rtnl_unlock();
15172 			return PTR_ERR(wdev);
15173 		}
15174 
15175 		dev = wdev->netdev;
15176 		rdev = wiphy_to_rdev(wdev->wiphy);
15177 
15178 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15179 			if (!dev) {
15180 				rtnl_unlock();
15181 				return -EINVAL;
15182 			}
15183 
15184 			info->user_ptr[1] = dev;
15185 		} else {
15186 			info->user_ptr[1] = wdev;
15187 		}
15188 
15189 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15190 		    !wdev_running(wdev)) {
15191 			rtnl_unlock();
15192 			return -ENETDOWN;
15193 		}
15194 
15195 		dev_hold(dev);
15196 		info->user_ptr[0] = rdev;
15197 	}
15198 
15199 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15200 		wiphy_lock(&rdev->wiphy);
15201 		/* we keep the mutex locked until post_doit */
15202 		__release(&rdev->wiphy.mtx);
15203 	}
15204 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15205 		rtnl_unlock();
15206 
15207 	return 0;
15208 }
15209 
15210 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15211 			      struct genl_info *info)
15212 {
15213 	if (info->user_ptr[1]) {
15214 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15215 			struct wireless_dev *wdev = info->user_ptr[1];
15216 
15217 			dev_put(wdev->netdev);
15218 		} else {
15219 			dev_put(info->user_ptr[1]);
15220 		}
15221 	}
15222 
15223 	if (info->user_ptr[0] &&
15224 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15225 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15226 
15227 		/* we kept the mutex locked since pre_doit */
15228 		__acquire(&rdev->wiphy.mtx);
15229 		wiphy_unlock(&rdev->wiphy);
15230 	}
15231 
15232 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15233 		rtnl_unlock();
15234 
15235 	/* If needed, clear the netlink message payload from the SKB
15236 	 * as it might contain key data that shouldn't stick around on
15237 	 * the heap after the SKB is freed. The netlink message header
15238 	 * is still needed for further processing, so leave it intact.
15239 	 */
15240 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15241 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15242 
15243 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15244 	}
15245 }
15246 
15247 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15248 				     struct cfg80211_sar_specs *sar_specs,
15249 				     struct nlattr *spec[], int index)
15250 {
15251 	u32 range_index, i;
15252 
15253 	if (!sar_specs || !spec)
15254 		return -EINVAL;
15255 
15256 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15257 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15258 		return -EINVAL;
15259 
15260 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15261 
15262 	/* check if range_index exceeds num_freq_ranges */
15263 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15264 		return -EINVAL;
15265 
15266 	/* check if range_index duplicates */
15267 	for (i = 0; i < index; i++) {
15268 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15269 			return -EINVAL;
15270 	}
15271 
15272 	sar_specs->sub_specs[index].power =
15273 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15274 
15275 	sar_specs->sub_specs[index].freq_range_index = range_index;
15276 
15277 	return 0;
15278 }
15279 
15280 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15281 {
15282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15283 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15284 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15285 	struct cfg80211_sar_specs *sar_spec;
15286 	enum nl80211_sar_type type;
15287 	struct nlattr *spec_list;
15288 	u32 specs;
15289 	int rem, err;
15290 
15291 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15292 		return -EOPNOTSUPP;
15293 
15294 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15295 		return -EINVAL;
15296 
15297 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15298 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15299 			 NULL, NULL);
15300 
15301 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15302 		return -EINVAL;
15303 
15304 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15305 	if (type != rdev->wiphy.sar_capa->type)
15306 		return -EINVAL;
15307 
15308 	specs = 0;
15309 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15310 		specs++;
15311 
15312 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15313 		return -EINVAL;
15314 
15315 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15316 	if (!sar_spec)
15317 		return -ENOMEM;
15318 
15319 	sar_spec->type = type;
15320 	specs = 0;
15321 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15322 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15323 				 spec_list, NULL, NULL);
15324 
15325 		switch (type) {
15326 		case NL80211_SAR_TYPE_POWER:
15327 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15328 						      spec, specs)) {
15329 				err = -EINVAL;
15330 				goto error;
15331 			}
15332 			break;
15333 		default:
15334 			err = -EINVAL;
15335 			goto error;
15336 		}
15337 		specs++;
15338 	}
15339 
15340 	sar_spec->num_sub_specs = specs;
15341 
15342 	rdev->cur_cmd_info = info;
15343 	err = rdev_set_sar_specs(rdev, sar_spec);
15344 	rdev->cur_cmd_info = NULL;
15345 error:
15346 	kfree(sar_spec);
15347 	return err;
15348 }
15349 
15350 static const struct genl_ops nl80211_ops[] = {
15351 	{
15352 		.cmd = NL80211_CMD_GET_WIPHY,
15353 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15354 		.doit = nl80211_get_wiphy,
15355 		.dumpit = nl80211_dump_wiphy,
15356 		.done = nl80211_dump_wiphy_done,
15357 		/* can be retrieved by unprivileged users */
15358 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15359 	},
15360 };
15361 
15362 static const struct genl_small_ops nl80211_small_ops[] = {
15363 	{
15364 		.cmd = NL80211_CMD_SET_WIPHY,
15365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15366 		.doit = nl80211_set_wiphy,
15367 		.flags = GENL_UNS_ADMIN_PERM,
15368 	},
15369 	{
15370 		.cmd = NL80211_CMD_GET_INTERFACE,
15371 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15372 		.doit = nl80211_get_interface,
15373 		.dumpit = nl80211_dump_interface,
15374 		/* can be retrieved by unprivileged users */
15375 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15376 	},
15377 	{
15378 		.cmd = NL80211_CMD_SET_INTERFACE,
15379 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15380 		.doit = nl80211_set_interface,
15381 		.flags = GENL_UNS_ADMIN_PERM,
15382 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15383 				  NL80211_FLAG_NEED_RTNL,
15384 	},
15385 	{
15386 		.cmd = NL80211_CMD_NEW_INTERFACE,
15387 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15388 		.doit = nl80211_new_interface,
15389 		.flags = GENL_UNS_ADMIN_PERM,
15390 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15391 				  NL80211_FLAG_NEED_RTNL |
15392 				  /* we take the wiphy mutex later ourselves */
15393 				  NL80211_FLAG_NO_WIPHY_MTX,
15394 	},
15395 	{
15396 		.cmd = NL80211_CMD_DEL_INTERFACE,
15397 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15398 		.doit = nl80211_del_interface,
15399 		.flags = GENL_UNS_ADMIN_PERM,
15400 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15401 				  NL80211_FLAG_NEED_RTNL,
15402 	},
15403 	{
15404 		.cmd = NL80211_CMD_GET_KEY,
15405 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15406 		.doit = nl80211_get_key,
15407 		.flags = GENL_UNS_ADMIN_PERM,
15408 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15409 	},
15410 	{
15411 		.cmd = NL80211_CMD_SET_KEY,
15412 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15413 		.doit = nl80211_set_key,
15414 		.flags = GENL_UNS_ADMIN_PERM,
15415 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15416 				  NL80211_FLAG_CLEAR_SKB,
15417 	},
15418 	{
15419 		.cmd = NL80211_CMD_NEW_KEY,
15420 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15421 		.doit = nl80211_new_key,
15422 		.flags = GENL_UNS_ADMIN_PERM,
15423 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15424 				  NL80211_FLAG_CLEAR_SKB,
15425 	},
15426 	{
15427 		.cmd = NL80211_CMD_DEL_KEY,
15428 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15429 		.doit = nl80211_del_key,
15430 		.flags = GENL_UNS_ADMIN_PERM,
15431 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15432 	},
15433 	{
15434 		.cmd = NL80211_CMD_SET_BEACON,
15435 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15436 		.flags = GENL_UNS_ADMIN_PERM,
15437 		.doit = nl80211_set_beacon,
15438 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15439 	},
15440 	{
15441 		.cmd = NL80211_CMD_START_AP,
15442 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15443 		.flags = GENL_UNS_ADMIN_PERM,
15444 		.doit = nl80211_start_ap,
15445 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15446 	},
15447 	{
15448 		.cmd = NL80211_CMD_STOP_AP,
15449 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15450 		.flags = GENL_UNS_ADMIN_PERM,
15451 		.doit = nl80211_stop_ap,
15452 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15453 	},
15454 	{
15455 		.cmd = NL80211_CMD_GET_STATION,
15456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15457 		.doit = nl80211_get_station,
15458 		.dumpit = nl80211_dump_station,
15459 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15460 	},
15461 	{
15462 		.cmd = NL80211_CMD_SET_STATION,
15463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15464 		.doit = nl80211_set_station,
15465 		.flags = GENL_UNS_ADMIN_PERM,
15466 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15467 	},
15468 	{
15469 		.cmd = NL80211_CMD_NEW_STATION,
15470 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15471 		.doit = nl80211_new_station,
15472 		.flags = GENL_UNS_ADMIN_PERM,
15473 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15474 	},
15475 	{
15476 		.cmd = NL80211_CMD_DEL_STATION,
15477 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15478 		.doit = nl80211_del_station,
15479 		.flags = GENL_UNS_ADMIN_PERM,
15480 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15481 	},
15482 	{
15483 		.cmd = NL80211_CMD_GET_MPATH,
15484 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15485 		.doit = nl80211_get_mpath,
15486 		.dumpit = nl80211_dump_mpath,
15487 		.flags = GENL_UNS_ADMIN_PERM,
15488 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15489 	},
15490 	{
15491 		.cmd = NL80211_CMD_GET_MPP,
15492 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15493 		.doit = nl80211_get_mpp,
15494 		.dumpit = nl80211_dump_mpp,
15495 		.flags = GENL_UNS_ADMIN_PERM,
15496 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15497 	},
15498 	{
15499 		.cmd = NL80211_CMD_SET_MPATH,
15500 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15501 		.doit = nl80211_set_mpath,
15502 		.flags = GENL_UNS_ADMIN_PERM,
15503 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15504 	},
15505 	{
15506 		.cmd = NL80211_CMD_NEW_MPATH,
15507 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15508 		.doit = nl80211_new_mpath,
15509 		.flags = GENL_UNS_ADMIN_PERM,
15510 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15511 	},
15512 	{
15513 		.cmd = NL80211_CMD_DEL_MPATH,
15514 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15515 		.doit = nl80211_del_mpath,
15516 		.flags = GENL_UNS_ADMIN_PERM,
15517 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15518 	},
15519 	{
15520 		.cmd = NL80211_CMD_SET_BSS,
15521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15522 		.doit = nl80211_set_bss,
15523 		.flags = GENL_UNS_ADMIN_PERM,
15524 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15525 	},
15526 	{
15527 		.cmd = NL80211_CMD_GET_REG,
15528 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15529 		.doit = nl80211_get_reg_do,
15530 		.dumpit = nl80211_get_reg_dump,
15531 		.internal_flags = 0,
15532 		/* can be retrieved by unprivileged users */
15533 	},
15534 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15535 	{
15536 		.cmd = NL80211_CMD_SET_REG,
15537 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15538 		.doit = nl80211_set_reg,
15539 		.flags = GENL_ADMIN_PERM,
15540 		.internal_flags = 0,
15541 	},
15542 #endif
15543 	{
15544 		.cmd = NL80211_CMD_REQ_SET_REG,
15545 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15546 		.doit = nl80211_req_set_reg,
15547 		.flags = GENL_ADMIN_PERM,
15548 	},
15549 	{
15550 		.cmd = NL80211_CMD_RELOAD_REGDB,
15551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15552 		.doit = nl80211_reload_regdb,
15553 		.flags = GENL_ADMIN_PERM,
15554 	},
15555 	{
15556 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15557 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15558 		.doit = nl80211_get_mesh_config,
15559 		/* can be retrieved by unprivileged users */
15560 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15561 	},
15562 	{
15563 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15564 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15565 		.doit = nl80211_update_mesh_config,
15566 		.flags = GENL_UNS_ADMIN_PERM,
15567 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15568 	},
15569 	{
15570 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15571 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15572 		.doit = nl80211_trigger_scan,
15573 		.flags = GENL_UNS_ADMIN_PERM,
15574 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15575 	},
15576 	{
15577 		.cmd = NL80211_CMD_ABORT_SCAN,
15578 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15579 		.doit = nl80211_abort_scan,
15580 		.flags = GENL_UNS_ADMIN_PERM,
15581 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15582 	},
15583 	{
15584 		.cmd = NL80211_CMD_GET_SCAN,
15585 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15586 		.dumpit = nl80211_dump_scan,
15587 	},
15588 	{
15589 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15591 		.doit = nl80211_start_sched_scan,
15592 		.flags = GENL_UNS_ADMIN_PERM,
15593 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15594 	},
15595 	{
15596 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15597 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15598 		.doit = nl80211_stop_sched_scan,
15599 		.flags = GENL_UNS_ADMIN_PERM,
15600 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15601 	},
15602 	{
15603 		.cmd = NL80211_CMD_AUTHENTICATE,
15604 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15605 		.doit = nl80211_authenticate,
15606 		.flags = GENL_UNS_ADMIN_PERM,
15607 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15608 				  0 |
15609 				  NL80211_FLAG_CLEAR_SKB,
15610 	},
15611 	{
15612 		.cmd = NL80211_CMD_ASSOCIATE,
15613 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15614 		.doit = nl80211_associate,
15615 		.flags = GENL_UNS_ADMIN_PERM,
15616 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15617 				  0 |
15618 				  NL80211_FLAG_CLEAR_SKB,
15619 	},
15620 	{
15621 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15623 		.doit = nl80211_deauthenticate,
15624 		.flags = GENL_UNS_ADMIN_PERM,
15625 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15626 	},
15627 	{
15628 		.cmd = NL80211_CMD_DISASSOCIATE,
15629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15630 		.doit = nl80211_disassociate,
15631 		.flags = GENL_UNS_ADMIN_PERM,
15632 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15633 	},
15634 	{
15635 		.cmd = NL80211_CMD_JOIN_IBSS,
15636 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15637 		.doit = nl80211_join_ibss,
15638 		.flags = GENL_UNS_ADMIN_PERM,
15639 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15640 	},
15641 	{
15642 		.cmd = NL80211_CMD_LEAVE_IBSS,
15643 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15644 		.doit = nl80211_leave_ibss,
15645 		.flags = GENL_UNS_ADMIN_PERM,
15646 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15647 	},
15648 #ifdef CONFIG_NL80211_TESTMODE
15649 	{
15650 		.cmd = NL80211_CMD_TESTMODE,
15651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15652 		.doit = nl80211_testmode_do,
15653 		.dumpit = nl80211_testmode_dump,
15654 		.flags = GENL_UNS_ADMIN_PERM,
15655 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15656 	},
15657 #endif
15658 	{
15659 		.cmd = NL80211_CMD_CONNECT,
15660 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15661 		.doit = nl80211_connect,
15662 		.flags = GENL_UNS_ADMIN_PERM,
15663 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15664 				  0 |
15665 				  NL80211_FLAG_CLEAR_SKB,
15666 	},
15667 	{
15668 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15669 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15670 		.doit = nl80211_update_connect_params,
15671 		.flags = GENL_ADMIN_PERM,
15672 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15673 				  0 |
15674 				  NL80211_FLAG_CLEAR_SKB,
15675 	},
15676 	{
15677 		.cmd = NL80211_CMD_DISCONNECT,
15678 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15679 		.doit = nl80211_disconnect,
15680 		.flags = GENL_UNS_ADMIN_PERM,
15681 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15682 	},
15683 	{
15684 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15685 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15686 		.doit = nl80211_wiphy_netns,
15687 		.flags = GENL_UNS_ADMIN_PERM,
15688 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15689 				  NL80211_FLAG_NEED_RTNL |
15690 				  NL80211_FLAG_NO_WIPHY_MTX,
15691 	},
15692 	{
15693 		.cmd = NL80211_CMD_GET_SURVEY,
15694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15695 		.dumpit = nl80211_dump_survey,
15696 	},
15697 	{
15698 		.cmd = NL80211_CMD_SET_PMKSA,
15699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15700 		.doit = nl80211_setdel_pmksa,
15701 		.flags = GENL_UNS_ADMIN_PERM,
15702 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15703 				  0 |
15704 				  NL80211_FLAG_CLEAR_SKB,
15705 	},
15706 	{
15707 		.cmd = NL80211_CMD_DEL_PMKSA,
15708 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15709 		.doit = nl80211_setdel_pmksa,
15710 		.flags = GENL_UNS_ADMIN_PERM,
15711 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15712 	},
15713 	{
15714 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15716 		.doit = nl80211_flush_pmksa,
15717 		.flags = GENL_UNS_ADMIN_PERM,
15718 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15719 	},
15720 	{
15721 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15722 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15723 		.doit = nl80211_remain_on_channel,
15724 		.flags = GENL_UNS_ADMIN_PERM,
15725 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15726 	},
15727 	{
15728 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15729 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15730 		.doit = nl80211_cancel_remain_on_channel,
15731 		.flags = GENL_UNS_ADMIN_PERM,
15732 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15733 	},
15734 	{
15735 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15736 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15737 		.doit = nl80211_set_tx_bitrate_mask,
15738 		.flags = GENL_UNS_ADMIN_PERM,
15739 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15740 	},
15741 	{
15742 		.cmd = NL80211_CMD_REGISTER_FRAME,
15743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15744 		.doit = nl80211_register_mgmt,
15745 		.flags = GENL_UNS_ADMIN_PERM,
15746 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15747 	},
15748 	{
15749 		.cmd = NL80211_CMD_FRAME,
15750 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15751 		.doit = nl80211_tx_mgmt,
15752 		.flags = GENL_UNS_ADMIN_PERM,
15753 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15754 	},
15755 	{
15756 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15757 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15758 		.doit = nl80211_tx_mgmt_cancel_wait,
15759 		.flags = GENL_UNS_ADMIN_PERM,
15760 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15761 	},
15762 	{
15763 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15764 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15765 		.doit = nl80211_set_power_save,
15766 		.flags = GENL_UNS_ADMIN_PERM,
15767 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15768 	},
15769 	{
15770 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15771 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15772 		.doit = nl80211_get_power_save,
15773 		/* can be retrieved by unprivileged users */
15774 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15775 	},
15776 	{
15777 		.cmd = NL80211_CMD_SET_CQM,
15778 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15779 		.doit = nl80211_set_cqm,
15780 		.flags = GENL_UNS_ADMIN_PERM,
15781 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15782 	},
15783 	{
15784 		.cmd = NL80211_CMD_SET_CHANNEL,
15785 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15786 		.doit = nl80211_set_channel,
15787 		.flags = GENL_UNS_ADMIN_PERM,
15788 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15789 	},
15790 	{
15791 		.cmd = NL80211_CMD_JOIN_MESH,
15792 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15793 		.doit = nl80211_join_mesh,
15794 		.flags = GENL_UNS_ADMIN_PERM,
15795 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15796 	},
15797 	{
15798 		.cmd = NL80211_CMD_LEAVE_MESH,
15799 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15800 		.doit = nl80211_leave_mesh,
15801 		.flags = GENL_UNS_ADMIN_PERM,
15802 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15803 	},
15804 	{
15805 		.cmd = NL80211_CMD_JOIN_OCB,
15806 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15807 		.doit = nl80211_join_ocb,
15808 		.flags = GENL_UNS_ADMIN_PERM,
15809 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15810 	},
15811 	{
15812 		.cmd = NL80211_CMD_LEAVE_OCB,
15813 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15814 		.doit = nl80211_leave_ocb,
15815 		.flags = GENL_UNS_ADMIN_PERM,
15816 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15817 	},
15818 #ifdef CONFIG_PM
15819 	{
15820 		.cmd = NL80211_CMD_GET_WOWLAN,
15821 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15822 		.doit = nl80211_get_wowlan,
15823 		/* can be retrieved by unprivileged users */
15824 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15825 	},
15826 	{
15827 		.cmd = NL80211_CMD_SET_WOWLAN,
15828 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15829 		.doit = nl80211_set_wowlan,
15830 		.flags = GENL_UNS_ADMIN_PERM,
15831 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15832 	},
15833 #endif
15834 	{
15835 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15837 		.doit = nl80211_set_rekey_data,
15838 		.flags = GENL_UNS_ADMIN_PERM,
15839 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15840 				  0 |
15841 				  NL80211_FLAG_CLEAR_SKB,
15842 	},
15843 	{
15844 		.cmd = NL80211_CMD_TDLS_MGMT,
15845 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15846 		.doit = nl80211_tdls_mgmt,
15847 		.flags = GENL_UNS_ADMIN_PERM,
15848 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15849 	},
15850 	{
15851 		.cmd = NL80211_CMD_TDLS_OPER,
15852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15853 		.doit = nl80211_tdls_oper,
15854 		.flags = GENL_UNS_ADMIN_PERM,
15855 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15856 	},
15857 	{
15858 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15860 		.doit = nl80211_register_unexpected_frame,
15861 		.flags = GENL_UNS_ADMIN_PERM,
15862 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15863 	},
15864 	{
15865 		.cmd = NL80211_CMD_PROBE_CLIENT,
15866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15867 		.doit = nl80211_probe_client,
15868 		.flags = GENL_UNS_ADMIN_PERM,
15869 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15870 	},
15871 	{
15872 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15873 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15874 		.doit = nl80211_register_beacons,
15875 		.flags = GENL_UNS_ADMIN_PERM,
15876 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15877 	},
15878 	{
15879 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15881 		.doit = nl80211_set_noack_map,
15882 		.flags = GENL_UNS_ADMIN_PERM,
15883 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15884 	},
15885 	{
15886 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15888 		.doit = nl80211_start_p2p_device,
15889 		.flags = GENL_UNS_ADMIN_PERM,
15890 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15891 				  NL80211_FLAG_NEED_RTNL,
15892 	},
15893 	{
15894 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15896 		.doit = nl80211_stop_p2p_device,
15897 		.flags = GENL_UNS_ADMIN_PERM,
15898 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15899 				  NL80211_FLAG_NEED_RTNL,
15900 	},
15901 	{
15902 		.cmd = NL80211_CMD_START_NAN,
15903 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15904 		.doit = nl80211_start_nan,
15905 		.flags = GENL_ADMIN_PERM,
15906 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15907 				  NL80211_FLAG_NEED_RTNL,
15908 	},
15909 	{
15910 		.cmd = NL80211_CMD_STOP_NAN,
15911 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15912 		.doit = nl80211_stop_nan,
15913 		.flags = GENL_ADMIN_PERM,
15914 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15915 				  NL80211_FLAG_NEED_RTNL,
15916 	},
15917 	{
15918 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15920 		.doit = nl80211_nan_add_func,
15921 		.flags = GENL_ADMIN_PERM,
15922 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15923 	},
15924 	{
15925 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15927 		.doit = nl80211_nan_del_func,
15928 		.flags = GENL_ADMIN_PERM,
15929 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15930 	},
15931 	{
15932 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15933 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15934 		.doit = nl80211_nan_change_config,
15935 		.flags = GENL_ADMIN_PERM,
15936 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15937 	},
15938 	{
15939 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15941 		.doit = nl80211_set_mcast_rate,
15942 		.flags = GENL_UNS_ADMIN_PERM,
15943 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15944 	},
15945 	{
15946 		.cmd = NL80211_CMD_SET_MAC_ACL,
15947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15948 		.doit = nl80211_set_mac_acl,
15949 		.flags = GENL_UNS_ADMIN_PERM,
15950 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15951 	},
15952 	{
15953 		.cmd = NL80211_CMD_RADAR_DETECT,
15954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15955 		.doit = nl80211_start_radar_detection,
15956 		.flags = GENL_UNS_ADMIN_PERM,
15957 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15958 	},
15959 	{
15960 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15961 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15962 		.doit = nl80211_get_protocol_features,
15963 	},
15964 	{
15965 		.cmd = NL80211_CMD_UPDATE_FT_IES,
15966 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15967 		.doit = nl80211_update_ft_ies,
15968 		.flags = GENL_UNS_ADMIN_PERM,
15969 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15970 	},
15971 	{
15972 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15973 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15974 		.doit = nl80211_crit_protocol_start,
15975 		.flags = GENL_UNS_ADMIN_PERM,
15976 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15977 	},
15978 	{
15979 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15980 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15981 		.doit = nl80211_crit_protocol_stop,
15982 		.flags = GENL_UNS_ADMIN_PERM,
15983 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15984 	},
15985 	{
15986 		.cmd = NL80211_CMD_GET_COALESCE,
15987 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15988 		.doit = nl80211_get_coalesce,
15989 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15990 	},
15991 	{
15992 		.cmd = NL80211_CMD_SET_COALESCE,
15993 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15994 		.doit = nl80211_set_coalesce,
15995 		.flags = GENL_UNS_ADMIN_PERM,
15996 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15997 	},
15998 	{
15999 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16001 		.doit = nl80211_channel_switch,
16002 		.flags = GENL_UNS_ADMIN_PERM,
16003 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16004 	},
16005 	{
16006 		.cmd = NL80211_CMD_VENDOR,
16007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16008 		.doit = nl80211_vendor_cmd,
16009 		.dumpit = nl80211_vendor_cmd_dump,
16010 		.flags = GENL_UNS_ADMIN_PERM,
16011 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16012 				  0 |
16013 				  NL80211_FLAG_CLEAR_SKB,
16014 	},
16015 	{
16016 		.cmd = NL80211_CMD_SET_QOS_MAP,
16017 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16018 		.doit = nl80211_set_qos_map,
16019 		.flags = GENL_UNS_ADMIN_PERM,
16020 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16021 	},
16022 	{
16023 		.cmd = NL80211_CMD_ADD_TX_TS,
16024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16025 		.doit = nl80211_add_tx_ts,
16026 		.flags = GENL_UNS_ADMIN_PERM,
16027 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16028 	},
16029 	{
16030 		.cmd = NL80211_CMD_DEL_TX_TS,
16031 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16032 		.doit = nl80211_del_tx_ts,
16033 		.flags = GENL_UNS_ADMIN_PERM,
16034 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16035 	},
16036 	{
16037 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16038 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16039 		.doit = nl80211_tdls_channel_switch,
16040 		.flags = GENL_UNS_ADMIN_PERM,
16041 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16042 	},
16043 	{
16044 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16045 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16046 		.doit = nl80211_tdls_cancel_channel_switch,
16047 		.flags = GENL_UNS_ADMIN_PERM,
16048 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16049 	},
16050 	{
16051 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16052 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16053 		.doit = nl80211_set_multicast_to_unicast,
16054 		.flags = GENL_UNS_ADMIN_PERM,
16055 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16056 	},
16057 	{
16058 		.cmd = NL80211_CMD_SET_PMK,
16059 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16060 		.doit = nl80211_set_pmk,
16061 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16062 				  0 |
16063 				  NL80211_FLAG_CLEAR_SKB,
16064 	},
16065 	{
16066 		.cmd = NL80211_CMD_DEL_PMK,
16067 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16068 		.doit = nl80211_del_pmk,
16069 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16070 	},
16071 	{
16072 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16073 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16074 		.doit = nl80211_external_auth,
16075 		.flags = GENL_ADMIN_PERM,
16076 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16077 	},
16078 	{
16079 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16081 		.doit = nl80211_tx_control_port,
16082 		.flags = GENL_UNS_ADMIN_PERM,
16083 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16084 	},
16085 	{
16086 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16088 		.doit = nl80211_get_ftm_responder_stats,
16089 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16090 	},
16091 	{
16092 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16094 		.doit = nl80211_pmsr_start,
16095 		.flags = GENL_UNS_ADMIN_PERM,
16096 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16097 	},
16098 	{
16099 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16101 		.doit = nl80211_notify_radar_detection,
16102 		.flags = GENL_UNS_ADMIN_PERM,
16103 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16104 	},
16105 	{
16106 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16107 		.doit = nl80211_update_owe_info,
16108 		.flags = GENL_ADMIN_PERM,
16109 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16110 	},
16111 	{
16112 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16113 		.doit = nl80211_probe_mesh_link,
16114 		.flags = GENL_UNS_ADMIN_PERM,
16115 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16116 	},
16117 	{
16118 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16119 		.doit = nl80211_set_tid_config,
16120 		.flags = GENL_UNS_ADMIN_PERM,
16121 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16122 	},
16123 	{
16124 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16125 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16126 		.doit = nl80211_set_sar_specs,
16127 		.flags = GENL_UNS_ADMIN_PERM,
16128 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16129 				  NL80211_FLAG_NEED_RTNL,
16130 	},
16131 	{
16132 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16133 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16134 		.doit = nl80211_color_change,
16135 		.flags = GENL_UNS_ADMIN_PERM,
16136 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16137 				  NL80211_FLAG_NEED_RTNL,
16138 	},
16139 	{
16140 		.cmd = NL80211_CMD_SET_FILS_AAD,
16141 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16142 		.doit = nl80211_set_fils_aad,
16143 		.flags = GENL_UNS_ADMIN_PERM,
16144 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16145 	},
16146 };
16147 
16148 static struct genl_family nl80211_fam __ro_after_init = {
16149 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16150 	.hdrsize = 0,			/* no private header */
16151 	.version = 1,			/* no particular meaning now */
16152 	.maxattr = NL80211_ATTR_MAX,
16153 	.policy = nl80211_policy,
16154 	.netnsok = true,
16155 	.pre_doit = nl80211_pre_doit,
16156 	.post_doit = nl80211_post_doit,
16157 	.module = THIS_MODULE,
16158 	.ops = nl80211_ops,
16159 	.n_ops = ARRAY_SIZE(nl80211_ops),
16160 	.small_ops = nl80211_small_ops,
16161 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16162 	.mcgrps = nl80211_mcgrps,
16163 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16164 	.parallel_ops = true,
16165 };
16166 
16167 /* notification functions */
16168 
16169 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16170 			  enum nl80211_commands cmd)
16171 {
16172 	struct sk_buff *msg;
16173 	struct nl80211_dump_wiphy_state state = {};
16174 
16175 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16176 		cmd != NL80211_CMD_DEL_WIPHY);
16177 
16178 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16179 	if (!msg)
16180 		return;
16181 
16182 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16183 		nlmsg_free(msg);
16184 		return;
16185 	}
16186 
16187 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16188 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16189 }
16190 
16191 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16192 				struct wireless_dev *wdev,
16193 				enum nl80211_commands cmd)
16194 {
16195 	struct sk_buff *msg;
16196 
16197 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16198 	if (!msg)
16199 		return;
16200 
16201 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16202 		nlmsg_free(msg);
16203 		return;
16204 	}
16205 
16206 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16207 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16208 }
16209 
16210 static int nl80211_add_scan_req(struct sk_buff *msg,
16211 				struct cfg80211_registered_device *rdev)
16212 {
16213 	struct cfg80211_scan_request *req = rdev->scan_req;
16214 	struct nlattr *nest;
16215 	int i;
16216 	struct cfg80211_scan_info *info;
16217 
16218 	if (WARN_ON(!req))
16219 		return 0;
16220 
16221 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16222 	if (!nest)
16223 		goto nla_put_failure;
16224 	for (i = 0; i < req->n_ssids; i++) {
16225 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16226 			goto nla_put_failure;
16227 	}
16228 	nla_nest_end(msg, nest);
16229 
16230 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16231 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16232 		if (!nest)
16233 			goto nla_put_failure;
16234 		for (i = 0; i < req->n_channels; i++) {
16235 			if (nla_put_u32(msg, i,
16236 				   ieee80211_channel_to_khz(req->channels[i])))
16237 				goto nla_put_failure;
16238 		}
16239 		nla_nest_end(msg, nest);
16240 	} else {
16241 		nest = nla_nest_start_noflag(msg,
16242 					     NL80211_ATTR_SCAN_FREQUENCIES);
16243 		if (!nest)
16244 			goto nla_put_failure;
16245 		for (i = 0; i < req->n_channels; i++) {
16246 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16247 				goto nla_put_failure;
16248 		}
16249 		nla_nest_end(msg, nest);
16250 	}
16251 
16252 	if (req->ie &&
16253 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16254 		goto nla_put_failure;
16255 
16256 	if (req->flags &&
16257 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16258 		goto nla_put_failure;
16259 
16260 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16261 		&rdev->scan_req->info;
16262 	if (info->scan_start_tsf &&
16263 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16264 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16265 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16266 		     info->tsf_bssid)))
16267 		goto nla_put_failure;
16268 
16269 	return 0;
16270  nla_put_failure:
16271 	return -ENOBUFS;
16272 }
16273 
16274 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16275 				 struct cfg80211_registered_device *rdev,
16276 				 struct wireless_dev *wdev,
16277 				 u32 portid, u32 seq, int flags,
16278 				 u32 cmd)
16279 {
16280 	void *hdr;
16281 
16282 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16283 	if (!hdr)
16284 		return -1;
16285 
16286 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16287 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16288 					 wdev->netdev->ifindex)) ||
16289 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16290 			      NL80211_ATTR_PAD))
16291 		goto nla_put_failure;
16292 
16293 	/* ignore errors and send incomplete event anyway */
16294 	nl80211_add_scan_req(msg, rdev);
16295 
16296 	genlmsg_end(msg, hdr);
16297 	return 0;
16298 
16299  nla_put_failure:
16300 	genlmsg_cancel(msg, hdr);
16301 	return -EMSGSIZE;
16302 }
16303 
16304 static int
16305 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16306 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16307 {
16308 	void *hdr;
16309 
16310 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16311 	if (!hdr)
16312 		return -1;
16313 
16314 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16315 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16316 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16317 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16318 			      NL80211_ATTR_PAD))
16319 		goto nla_put_failure;
16320 
16321 	genlmsg_end(msg, hdr);
16322 	return 0;
16323 
16324  nla_put_failure:
16325 	genlmsg_cancel(msg, hdr);
16326 	return -EMSGSIZE;
16327 }
16328 
16329 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16330 			     struct wireless_dev *wdev)
16331 {
16332 	struct sk_buff *msg;
16333 
16334 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16335 	if (!msg)
16336 		return;
16337 
16338 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16339 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16340 		nlmsg_free(msg);
16341 		return;
16342 	}
16343 
16344 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16345 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16346 }
16347 
16348 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16349 				       struct wireless_dev *wdev, bool aborted)
16350 {
16351 	struct sk_buff *msg;
16352 
16353 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16354 	if (!msg)
16355 		return NULL;
16356 
16357 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16358 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16359 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16360 		nlmsg_free(msg);
16361 		return NULL;
16362 	}
16363 
16364 	return msg;
16365 }
16366 
16367 /* send message created by nl80211_build_scan_msg() */
16368 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16369 			   struct sk_buff *msg)
16370 {
16371 	if (!msg)
16372 		return;
16373 
16374 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16375 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16376 }
16377 
16378 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16379 {
16380 	struct sk_buff *msg;
16381 
16382 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16383 	if (!msg)
16384 		return;
16385 
16386 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16387 		nlmsg_free(msg);
16388 		return;
16389 	}
16390 
16391 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16392 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16393 }
16394 
16395 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16396 					  struct regulatory_request *request)
16397 {
16398 	/* Userspace can always count this one always being set */
16399 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16400 		goto nla_put_failure;
16401 
16402 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16403 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16404 			       NL80211_REGDOM_TYPE_WORLD))
16405 			goto nla_put_failure;
16406 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16407 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16408 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16409 			goto nla_put_failure;
16410 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16411 		   request->intersect) {
16412 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16413 			       NL80211_REGDOM_TYPE_INTERSECTION))
16414 			goto nla_put_failure;
16415 	} else {
16416 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16417 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16418 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16419 				   request->alpha2))
16420 			goto nla_put_failure;
16421 	}
16422 
16423 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16424 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16425 
16426 		if (wiphy &&
16427 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16428 			goto nla_put_failure;
16429 
16430 		if (wiphy &&
16431 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16432 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16433 			goto nla_put_failure;
16434 	}
16435 
16436 	return true;
16437 
16438 nla_put_failure:
16439 	return false;
16440 }
16441 
16442 /*
16443  * This can happen on global regulatory changes or device specific settings
16444  * based on custom regulatory domains.
16445  */
16446 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16447 				     struct regulatory_request *request)
16448 {
16449 	struct sk_buff *msg;
16450 	void *hdr;
16451 
16452 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16453 	if (!msg)
16454 		return;
16455 
16456 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16457 	if (!hdr)
16458 		goto nla_put_failure;
16459 
16460 	if (!nl80211_reg_change_event_fill(msg, request))
16461 		goto nla_put_failure;
16462 
16463 	genlmsg_end(msg, hdr);
16464 
16465 	rcu_read_lock();
16466 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16467 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16468 	rcu_read_unlock();
16469 
16470 	return;
16471 
16472 nla_put_failure:
16473 	nlmsg_free(msg);
16474 }
16475 
16476 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16477 				    struct net_device *netdev,
16478 				    const u8 *buf, size_t len,
16479 				    enum nl80211_commands cmd, gfp_t gfp,
16480 				    int uapsd_queues, const u8 *req_ies,
16481 				    size_t req_ies_len, bool reconnect)
16482 {
16483 	struct sk_buff *msg;
16484 	void *hdr;
16485 
16486 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16487 	if (!msg)
16488 		return;
16489 
16490 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16491 	if (!hdr) {
16492 		nlmsg_free(msg);
16493 		return;
16494 	}
16495 
16496 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16497 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16498 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16499 	    (req_ies &&
16500 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16501 		goto nla_put_failure;
16502 
16503 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16504 		goto nla_put_failure;
16505 
16506 	if (uapsd_queues >= 0) {
16507 		struct nlattr *nla_wmm =
16508 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16509 		if (!nla_wmm)
16510 			goto nla_put_failure;
16511 
16512 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16513 			       uapsd_queues))
16514 			goto nla_put_failure;
16515 
16516 		nla_nest_end(msg, nla_wmm);
16517 	}
16518 
16519 	genlmsg_end(msg, hdr);
16520 
16521 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16522 				NL80211_MCGRP_MLME, gfp);
16523 	return;
16524 
16525  nla_put_failure:
16526 	nlmsg_free(msg);
16527 }
16528 
16529 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16530 			  struct net_device *netdev, const u8 *buf,
16531 			  size_t len, gfp_t gfp)
16532 {
16533 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16534 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16535 				false);
16536 }
16537 
16538 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16539 			   struct net_device *netdev, const u8 *buf,
16540 			   size_t len, gfp_t gfp, int uapsd_queues,
16541 			   const u8 *req_ies, size_t req_ies_len)
16542 {
16543 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16544 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16545 				req_ies, req_ies_len, false);
16546 }
16547 
16548 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16549 			 struct net_device *netdev, const u8 *buf,
16550 			 size_t len, bool reconnect, gfp_t gfp)
16551 {
16552 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16553 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16554 				reconnect);
16555 }
16556 
16557 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16558 			   struct net_device *netdev, const u8 *buf,
16559 			   size_t len, bool reconnect, gfp_t gfp)
16560 {
16561 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16562 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16563 				reconnect);
16564 }
16565 
16566 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16567 				  size_t len)
16568 {
16569 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16570 	struct wiphy *wiphy = wdev->wiphy;
16571 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16572 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16573 	u32 cmd;
16574 
16575 	if (WARN_ON(len < 2))
16576 		return;
16577 
16578 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16579 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16580 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16581 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16582 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16583 		if (wdev->unprot_beacon_reported &&
16584 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16585 			return;
16586 		cmd = NL80211_CMD_UNPROT_BEACON;
16587 		wdev->unprot_beacon_reported = jiffies;
16588 	} else {
16589 		return;
16590 	}
16591 
16592 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16593 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16594 				NULL, 0, false);
16595 }
16596 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16597 
16598 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16599 				      struct net_device *netdev, int cmd,
16600 				      const u8 *addr, gfp_t gfp)
16601 {
16602 	struct sk_buff *msg;
16603 	void *hdr;
16604 
16605 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16606 	if (!msg)
16607 		return;
16608 
16609 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16610 	if (!hdr) {
16611 		nlmsg_free(msg);
16612 		return;
16613 	}
16614 
16615 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16616 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16617 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16618 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16619 		goto nla_put_failure;
16620 
16621 	genlmsg_end(msg, hdr);
16622 
16623 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16624 				NL80211_MCGRP_MLME, gfp);
16625 	return;
16626 
16627  nla_put_failure:
16628 	nlmsg_free(msg);
16629 }
16630 
16631 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16632 			       struct net_device *netdev, const u8 *addr,
16633 			       gfp_t gfp)
16634 {
16635 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16636 				  addr, gfp);
16637 }
16638 
16639 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16640 				struct net_device *netdev, const u8 *addr,
16641 				gfp_t gfp)
16642 {
16643 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16644 				  addr, gfp);
16645 }
16646 
16647 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16648 				 struct net_device *netdev,
16649 				 struct cfg80211_connect_resp_params *cr,
16650 				 gfp_t gfp)
16651 {
16652 	struct sk_buff *msg;
16653 	void *hdr;
16654 
16655 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16656 			cr->fils.kek_len + cr->fils.pmk_len +
16657 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16658 	if (!msg)
16659 		return;
16660 
16661 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16662 	if (!hdr) {
16663 		nlmsg_free(msg);
16664 		return;
16665 	}
16666 
16667 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16668 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16669 	    (cr->bssid &&
16670 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16671 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16672 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16673 			cr->status) ||
16674 	    (cr->status < 0 &&
16675 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16676 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16677 			  cr->timeout_reason))) ||
16678 	    (cr->req_ie &&
16679 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16680 	    (cr->resp_ie &&
16681 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16682 		     cr->resp_ie)) ||
16683 	    (cr->fils.update_erp_next_seq_num &&
16684 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16685 			 cr->fils.erp_next_seq_num)) ||
16686 	    (cr->status == WLAN_STATUS_SUCCESS &&
16687 	     ((cr->fils.kek &&
16688 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16689 		       cr->fils.kek)) ||
16690 	      (cr->fils.pmk &&
16691 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16692 	      (cr->fils.pmkid &&
16693 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16694 		goto nla_put_failure;
16695 
16696 	genlmsg_end(msg, hdr);
16697 
16698 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16699 				NL80211_MCGRP_MLME, gfp);
16700 	return;
16701 
16702  nla_put_failure:
16703 	nlmsg_free(msg);
16704 }
16705 
16706 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16707 			 struct net_device *netdev,
16708 			 struct cfg80211_roam_info *info, gfp_t gfp)
16709 {
16710 	struct sk_buff *msg;
16711 	void *hdr;
16712 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16713 
16714 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16715 			info->fils.kek_len + info->fils.pmk_len +
16716 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16717 	if (!msg)
16718 		return;
16719 
16720 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16721 	if (!hdr) {
16722 		nlmsg_free(msg);
16723 		return;
16724 	}
16725 
16726 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16727 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16728 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16729 	    (info->req_ie &&
16730 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16731 		     info->req_ie)) ||
16732 	    (info->resp_ie &&
16733 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16734 		     info->resp_ie)) ||
16735 	    (info->fils.update_erp_next_seq_num &&
16736 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16737 			 info->fils.erp_next_seq_num)) ||
16738 	    (info->fils.kek &&
16739 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16740 		     info->fils.kek)) ||
16741 	    (info->fils.pmk &&
16742 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16743 	    (info->fils.pmkid &&
16744 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16745 		goto nla_put_failure;
16746 
16747 	genlmsg_end(msg, hdr);
16748 
16749 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16750 				NL80211_MCGRP_MLME, gfp);
16751 	return;
16752 
16753  nla_put_failure:
16754 	nlmsg_free(msg);
16755 }
16756 
16757 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16758 				  struct net_device *netdev, const u8 *bssid)
16759 {
16760 	struct sk_buff *msg;
16761 	void *hdr;
16762 
16763 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16764 	if (!msg)
16765 		return;
16766 
16767 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16768 	if (!hdr) {
16769 		nlmsg_free(msg);
16770 		return;
16771 	}
16772 
16773 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16774 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16775 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16776 		goto nla_put_failure;
16777 
16778 	genlmsg_end(msg, hdr);
16779 
16780 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16781 				NL80211_MCGRP_MLME, GFP_KERNEL);
16782 	return;
16783 
16784  nla_put_failure:
16785 	nlmsg_free(msg);
16786 }
16787 
16788 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16789 			       struct net_device *netdev, u16 reason,
16790 			       const u8 *ie, size_t ie_len, bool from_ap)
16791 {
16792 	struct sk_buff *msg;
16793 	void *hdr;
16794 
16795 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16796 	if (!msg)
16797 		return;
16798 
16799 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16800 	if (!hdr) {
16801 		nlmsg_free(msg);
16802 		return;
16803 	}
16804 
16805 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16806 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16807 	    (reason &&
16808 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16809 	    (from_ap &&
16810 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16811 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16812 		goto nla_put_failure;
16813 
16814 	genlmsg_end(msg, hdr);
16815 
16816 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16817 				NL80211_MCGRP_MLME, GFP_KERNEL);
16818 	return;
16819 
16820  nla_put_failure:
16821 	nlmsg_free(msg);
16822 }
16823 
16824 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16825 			     struct net_device *netdev, const u8 *bssid,
16826 			     gfp_t gfp)
16827 {
16828 	struct sk_buff *msg;
16829 	void *hdr;
16830 
16831 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16832 	if (!msg)
16833 		return;
16834 
16835 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16836 	if (!hdr) {
16837 		nlmsg_free(msg);
16838 		return;
16839 	}
16840 
16841 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16842 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16843 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16844 		goto nla_put_failure;
16845 
16846 	genlmsg_end(msg, hdr);
16847 
16848 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16849 				NL80211_MCGRP_MLME, gfp);
16850 	return;
16851 
16852  nla_put_failure:
16853 	nlmsg_free(msg);
16854 }
16855 
16856 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16857 					const u8 *ie, u8 ie_len,
16858 					int sig_dbm, gfp_t gfp)
16859 {
16860 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16861 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16862 	struct sk_buff *msg;
16863 	void *hdr;
16864 
16865 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16866 		return;
16867 
16868 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16869 
16870 	msg = nlmsg_new(100 + ie_len, gfp);
16871 	if (!msg)
16872 		return;
16873 
16874 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16875 	if (!hdr) {
16876 		nlmsg_free(msg);
16877 		return;
16878 	}
16879 
16880 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16881 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16882 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16883 	    (ie_len && ie &&
16884 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16885 	    (sig_dbm &&
16886 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16887 		goto nla_put_failure;
16888 
16889 	genlmsg_end(msg, hdr);
16890 
16891 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16892 				NL80211_MCGRP_MLME, gfp);
16893 	return;
16894 
16895  nla_put_failure:
16896 	nlmsg_free(msg);
16897 }
16898 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16899 
16900 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16901 				 struct net_device *netdev, const u8 *addr,
16902 				 enum nl80211_key_type key_type, int key_id,
16903 				 const u8 *tsc, gfp_t gfp)
16904 {
16905 	struct sk_buff *msg;
16906 	void *hdr;
16907 
16908 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16909 	if (!msg)
16910 		return;
16911 
16912 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16913 	if (!hdr) {
16914 		nlmsg_free(msg);
16915 		return;
16916 	}
16917 
16918 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16919 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16920 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16921 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16922 	    (key_id != -1 &&
16923 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16924 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16925 		goto nla_put_failure;
16926 
16927 	genlmsg_end(msg, hdr);
16928 
16929 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16930 				NL80211_MCGRP_MLME, gfp);
16931 	return;
16932 
16933  nla_put_failure:
16934 	nlmsg_free(msg);
16935 }
16936 
16937 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16938 				    struct ieee80211_channel *channel_before,
16939 				    struct ieee80211_channel *channel_after)
16940 {
16941 	struct sk_buff *msg;
16942 	void *hdr;
16943 	struct nlattr *nl_freq;
16944 
16945 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16946 	if (!msg)
16947 		return;
16948 
16949 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16950 	if (!hdr) {
16951 		nlmsg_free(msg);
16952 		return;
16953 	}
16954 
16955 	/*
16956 	 * Since we are applying the beacon hint to a wiphy we know its
16957 	 * wiphy_idx is valid
16958 	 */
16959 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16960 		goto nla_put_failure;
16961 
16962 	/* Before */
16963 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16964 	if (!nl_freq)
16965 		goto nla_put_failure;
16966 
16967 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16968 		goto nla_put_failure;
16969 	nla_nest_end(msg, nl_freq);
16970 
16971 	/* After */
16972 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16973 	if (!nl_freq)
16974 		goto nla_put_failure;
16975 
16976 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16977 		goto nla_put_failure;
16978 	nla_nest_end(msg, nl_freq);
16979 
16980 	genlmsg_end(msg, hdr);
16981 
16982 	rcu_read_lock();
16983 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16984 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16985 	rcu_read_unlock();
16986 
16987 	return;
16988 
16989 nla_put_failure:
16990 	nlmsg_free(msg);
16991 }
16992 
16993 static void nl80211_send_remain_on_chan_event(
16994 	int cmd, struct cfg80211_registered_device *rdev,
16995 	struct wireless_dev *wdev, u64 cookie,
16996 	struct ieee80211_channel *chan,
16997 	unsigned int duration, gfp_t gfp)
16998 {
16999 	struct sk_buff *msg;
17000 	void *hdr;
17001 
17002 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17003 	if (!msg)
17004 		return;
17005 
17006 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17007 	if (!hdr) {
17008 		nlmsg_free(msg);
17009 		return;
17010 	}
17011 
17012 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17013 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17014 					 wdev->netdev->ifindex)) ||
17015 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17016 			      NL80211_ATTR_PAD) ||
17017 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17018 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17019 			NL80211_CHAN_NO_HT) ||
17020 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17021 			      NL80211_ATTR_PAD))
17022 		goto nla_put_failure;
17023 
17024 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17025 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17026 		goto nla_put_failure;
17027 
17028 	genlmsg_end(msg, hdr);
17029 
17030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17031 				NL80211_MCGRP_MLME, gfp);
17032 	return;
17033 
17034  nla_put_failure:
17035 	nlmsg_free(msg);
17036 }
17037 
17038 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17039 			       struct ieee80211_channel *chan,
17040 			       unsigned int duration, gfp_t gfp)
17041 {
17042 	struct wiphy *wiphy = wdev->wiphy;
17043 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17044 
17045 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17046 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17047 					  rdev, wdev, cookie, chan,
17048 					  duration, gfp);
17049 }
17050 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17051 
17052 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17053 					struct ieee80211_channel *chan,
17054 					gfp_t gfp)
17055 {
17056 	struct wiphy *wiphy = wdev->wiphy;
17057 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17058 
17059 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17060 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17061 					  rdev, wdev, cookie, chan, 0, gfp);
17062 }
17063 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17064 
17065 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17066 					struct ieee80211_channel *chan,
17067 					gfp_t gfp)
17068 {
17069 	struct wiphy *wiphy = wdev->wiphy;
17070 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17071 
17072 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17073 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17074 					  rdev, wdev, cookie, chan, 0, gfp);
17075 }
17076 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17077 
17078 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17079 		      struct station_info *sinfo, gfp_t gfp)
17080 {
17081 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17082 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17083 	struct sk_buff *msg;
17084 
17085 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17086 
17087 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17088 	if (!msg)
17089 		return;
17090 
17091 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17092 				 rdev, dev, mac_addr, sinfo) < 0) {
17093 		nlmsg_free(msg);
17094 		return;
17095 	}
17096 
17097 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17098 				NL80211_MCGRP_MLME, gfp);
17099 }
17100 EXPORT_SYMBOL(cfg80211_new_sta);
17101 
17102 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17103 			    struct station_info *sinfo, gfp_t gfp)
17104 {
17105 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17106 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17107 	struct sk_buff *msg;
17108 	struct station_info empty_sinfo = {};
17109 
17110 	if (!sinfo)
17111 		sinfo = &empty_sinfo;
17112 
17113 	trace_cfg80211_del_sta(dev, mac_addr);
17114 
17115 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17116 	if (!msg) {
17117 		cfg80211_sinfo_release_content(sinfo);
17118 		return;
17119 	}
17120 
17121 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17122 				 rdev, dev, mac_addr, sinfo) < 0) {
17123 		nlmsg_free(msg);
17124 		return;
17125 	}
17126 
17127 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17128 				NL80211_MCGRP_MLME, gfp);
17129 }
17130 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17131 
17132 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17133 			  enum nl80211_connect_failed_reason reason,
17134 			  gfp_t gfp)
17135 {
17136 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17137 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17138 	struct sk_buff *msg;
17139 	void *hdr;
17140 
17141 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17142 	if (!msg)
17143 		return;
17144 
17145 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17146 	if (!hdr) {
17147 		nlmsg_free(msg);
17148 		return;
17149 	}
17150 
17151 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17152 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17153 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17154 		goto nla_put_failure;
17155 
17156 	genlmsg_end(msg, hdr);
17157 
17158 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17159 				NL80211_MCGRP_MLME, gfp);
17160 	return;
17161 
17162  nla_put_failure:
17163 	nlmsg_free(msg);
17164 }
17165 EXPORT_SYMBOL(cfg80211_conn_failed);
17166 
17167 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17168 				       const u8 *addr, gfp_t gfp)
17169 {
17170 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17171 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17172 	struct sk_buff *msg;
17173 	void *hdr;
17174 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17175 
17176 	if (!nlportid)
17177 		return false;
17178 
17179 	msg = nlmsg_new(100, gfp);
17180 	if (!msg)
17181 		return true;
17182 
17183 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17184 	if (!hdr) {
17185 		nlmsg_free(msg);
17186 		return true;
17187 	}
17188 
17189 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17190 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17191 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17192 		goto nla_put_failure;
17193 
17194 	genlmsg_end(msg, hdr);
17195 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17196 	return true;
17197 
17198  nla_put_failure:
17199 	nlmsg_free(msg);
17200 	return true;
17201 }
17202 
17203 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17204 				const u8 *addr, gfp_t gfp)
17205 {
17206 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17207 	bool ret;
17208 
17209 	trace_cfg80211_rx_spurious_frame(dev, addr);
17210 
17211 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17212 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17213 		trace_cfg80211_return_bool(false);
17214 		return false;
17215 	}
17216 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17217 					 addr, gfp);
17218 	trace_cfg80211_return_bool(ret);
17219 	return ret;
17220 }
17221 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17222 
17223 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17224 					const u8 *addr, gfp_t gfp)
17225 {
17226 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17227 	bool ret;
17228 
17229 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17230 
17231 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17232 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17233 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17234 		trace_cfg80211_return_bool(false);
17235 		return false;
17236 	}
17237 	ret = __nl80211_unexpected_frame(dev,
17238 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17239 					 addr, gfp);
17240 	trace_cfg80211_return_bool(ret);
17241 	return ret;
17242 }
17243 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17244 
17245 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17246 		      struct wireless_dev *wdev, u32 nlportid,
17247 		      int freq, int sig_dbm,
17248 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17249 {
17250 	struct net_device *netdev = wdev->netdev;
17251 	struct sk_buff *msg;
17252 	void *hdr;
17253 
17254 	msg = nlmsg_new(100 + len, gfp);
17255 	if (!msg)
17256 		return -ENOMEM;
17257 
17258 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17259 	if (!hdr) {
17260 		nlmsg_free(msg);
17261 		return -ENOMEM;
17262 	}
17263 
17264 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17265 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17266 					netdev->ifindex)) ||
17267 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17268 			      NL80211_ATTR_PAD) ||
17269 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17270 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17271 	    (sig_dbm &&
17272 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17273 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17274 	    (flags &&
17275 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17276 		goto nla_put_failure;
17277 
17278 	genlmsg_end(msg, hdr);
17279 
17280 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17281 
17282  nla_put_failure:
17283 	nlmsg_free(msg);
17284 	return -ENOBUFS;
17285 }
17286 
17287 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17288 				    const u8 *buf, size_t len, bool ack,
17289 				    gfp_t gfp, enum nl80211_commands command)
17290 {
17291 	struct wiphy *wiphy = wdev->wiphy;
17292 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17293 	struct net_device *netdev = wdev->netdev;
17294 	struct sk_buff *msg;
17295 	void *hdr;
17296 
17297 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17298 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17299 	else
17300 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17301 
17302 	msg = nlmsg_new(100 + len, gfp);
17303 	if (!msg)
17304 		return;
17305 
17306 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17307 	if (!hdr) {
17308 		nlmsg_free(msg);
17309 		return;
17310 	}
17311 
17312 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17313 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17314 				   netdev->ifindex)) ||
17315 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17316 			      NL80211_ATTR_PAD) ||
17317 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17318 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17319 			      NL80211_ATTR_PAD) ||
17320 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17321 		goto nla_put_failure;
17322 
17323 	genlmsg_end(msg, hdr);
17324 
17325 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17326 				NL80211_MCGRP_MLME, gfp);
17327 	return;
17328 
17329 nla_put_failure:
17330 	nlmsg_free(msg);
17331 }
17332 
17333 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17334 				     const u8 *buf, size_t len, bool ack,
17335 				     gfp_t gfp)
17336 {
17337 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17338 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17339 }
17340 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17341 
17342 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17343 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17344 {
17345 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17346 				NL80211_CMD_FRAME_TX_STATUS);
17347 }
17348 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17349 
17350 static int __nl80211_rx_control_port(struct net_device *dev,
17351 				     struct sk_buff *skb,
17352 				     bool unencrypted, gfp_t gfp)
17353 {
17354 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17355 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17356 	struct ethhdr *ehdr = eth_hdr(skb);
17357 	const u8 *addr = ehdr->h_source;
17358 	u16 proto = be16_to_cpu(skb->protocol);
17359 	struct sk_buff *msg;
17360 	void *hdr;
17361 	struct nlattr *frame;
17362 
17363 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17364 
17365 	if (!nlportid)
17366 		return -ENOENT;
17367 
17368 	msg = nlmsg_new(100 + skb->len, gfp);
17369 	if (!msg)
17370 		return -ENOMEM;
17371 
17372 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17373 	if (!hdr) {
17374 		nlmsg_free(msg);
17375 		return -ENOBUFS;
17376 	}
17377 
17378 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17379 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17380 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17381 			      NL80211_ATTR_PAD) ||
17382 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17383 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17384 	    (unencrypted && nla_put_flag(msg,
17385 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17386 		goto nla_put_failure;
17387 
17388 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17389 	if (!frame)
17390 		goto nla_put_failure;
17391 
17392 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17393 	genlmsg_end(msg, hdr);
17394 
17395 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17396 
17397  nla_put_failure:
17398 	nlmsg_free(msg);
17399 	return -ENOBUFS;
17400 }
17401 
17402 bool cfg80211_rx_control_port(struct net_device *dev,
17403 			      struct sk_buff *skb, bool unencrypted)
17404 {
17405 	int ret;
17406 
17407 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17408 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17409 	trace_cfg80211_return_bool(ret == 0);
17410 	return ret == 0;
17411 }
17412 EXPORT_SYMBOL(cfg80211_rx_control_port);
17413 
17414 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17415 					    const char *mac, gfp_t gfp)
17416 {
17417 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17418 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17419 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17420 	void **cb;
17421 
17422 	if (!msg)
17423 		return NULL;
17424 
17425 	cb = (void **)msg->cb;
17426 
17427 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17428 	if (!cb[0]) {
17429 		nlmsg_free(msg);
17430 		return NULL;
17431 	}
17432 
17433 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17434 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17435 		goto nla_put_failure;
17436 
17437 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17438 		goto nla_put_failure;
17439 
17440 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17441 	if (!cb[1])
17442 		goto nla_put_failure;
17443 
17444 	cb[2] = rdev;
17445 
17446 	return msg;
17447  nla_put_failure:
17448 	nlmsg_free(msg);
17449 	return NULL;
17450 }
17451 
17452 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17453 {
17454 	void **cb = (void **)msg->cb;
17455 	struct cfg80211_registered_device *rdev = cb[2];
17456 
17457 	nla_nest_end(msg, cb[1]);
17458 	genlmsg_end(msg, cb[0]);
17459 
17460 	memset(msg->cb, 0, sizeof(msg->cb));
17461 
17462 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17463 				NL80211_MCGRP_MLME, gfp);
17464 }
17465 
17466 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17467 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17468 			      s32 rssi_level, gfp_t gfp)
17469 {
17470 	struct sk_buff *msg;
17471 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17472 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17473 
17474 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17475 
17476 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17477 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17478 		return;
17479 
17480 	if (wdev->cqm_config) {
17481 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17482 
17483 		cfg80211_cqm_rssi_update(rdev, dev);
17484 
17485 		if (rssi_level == 0)
17486 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17487 	}
17488 
17489 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17490 	if (!msg)
17491 		return;
17492 
17493 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17494 			rssi_event))
17495 		goto nla_put_failure;
17496 
17497 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17498 				      rssi_level))
17499 		goto nla_put_failure;
17500 
17501 	cfg80211_send_cqm(msg, gfp);
17502 
17503 	return;
17504 
17505  nla_put_failure:
17506 	nlmsg_free(msg);
17507 }
17508 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17509 
17510 void cfg80211_cqm_txe_notify(struct net_device *dev,
17511 			     const u8 *peer, u32 num_packets,
17512 			     u32 rate, u32 intvl, gfp_t gfp)
17513 {
17514 	struct sk_buff *msg;
17515 
17516 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17517 	if (!msg)
17518 		return;
17519 
17520 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17521 		goto nla_put_failure;
17522 
17523 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17524 		goto nla_put_failure;
17525 
17526 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17527 		goto nla_put_failure;
17528 
17529 	cfg80211_send_cqm(msg, gfp);
17530 	return;
17531 
17532  nla_put_failure:
17533 	nlmsg_free(msg);
17534 }
17535 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17536 
17537 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17538 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17539 {
17540 	struct sk_buff *msg;
17541 
17542 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17543 
17544 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17545 	if (!msg)
17546 		return;
17547 
17548 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17549 		goto nla_put_failure;
17550 
17551 	cfg80211_send_cqm(msg, gfp);
17552 	return;
17553 
17554  nla_put_failure:
17555 	nlmsg_free(msg);
17556 }
17557 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17558 
17559 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17560 {
17561 	struct sk_buff *msg;
17562 
17563 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17564 	if (!msg)
17565 		return;
17566 
17567 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17568 		goto nla_put_failure;
17569 
17570 	cfg80211_send_cqm(msg, gfp);
17571 	return;
17572 
17573  nla_put_failure:
17574 	nlmsg_free(msg);
17575 }
17576 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17577 
17578 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17579 				     struct net_device *netdev, const u8 *bssid,
17580 				     const u8 *replay_ctr, gfp_t gfp)
17581 {
17582 	struct sk_buff *msg;
17583 	struct nlattr *rekey_attr;
17584 	void *hdr;
17585 
17586 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17587 	if (!msg)
17588 		return;
17589 
17590 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17591 	if (!hdr) {
17592 		nlmsg_free(msg);
17593 		return;
17594 	}
17595 
17596 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17597 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17598 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17599 		goto nla_put_failure;
17600 
17601 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17602 	if (!rekey_attr)
17603 		goto nla_put_failure;
17604 
17605 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17606 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17607 		goto nla_put_failure;
17608 
17609 	nla_nest_end(msg, rekey_attr);
17610 
17611 	genlmsg_end(msg, hdr);
17612 
17613 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17614 				NL80211_MCGRP_MLME, gfp);
17615 	return;
17616 
17617  nla_put_failure:
17618 	nlmsg_free(msg);
17619 }
17620 
17621 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17622 			       const u8 *replay_ctr, gfp_t gfp)
17623 {
17624 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17625 	struct wiphy *wiphy = wdev->wiphy;
17626 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17627 
17628 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17629 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17630 }
17631 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17632 
17633 static void
17634 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17635 			       struct net_device *netdev, int index,
17636 			       const u8 *bssid, bool preauth, gfp_t gfp)
17637 {
17638 	struct sk_buff *msg;
17639 	struct nlattr *attr;
17640 	void *hdr;
17641 
17642 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17643 	if (!msg)
17644 		return;
17645 
17646 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17647 	if (!hdr) {
17648 		nlmsg_free(msg);
17649 		return;
17650 	}
17651 
17652 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17653 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17654 		goto nla_put_failure;
17655 
17656 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17657 	if (!attr)
17658 		goto nla_put_failure;
17659 
17660 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17661 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17662 	    (preauth &&
17663 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17664 		goto nla_put_failure;
17665 
17666 	nla_nest_end(msg, attr);
17667 
17668 	genlmsg_end(msg, hdr);
17669 
17670 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17671 				NL80211_MCGRP_MLME, gfp);
17672 	return;
17673 
17674  nla_put_failure:
17675 	nlmsg_free(msg);
17676 }
17677 
17678 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17679 				     const u8 *bssid, bool preauth, gfp_t gfp)
17680 {
17681 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17682 	struct wiphy *wiphy = wdev->wiphy;
17683 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17684 
17685 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17686 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17687 }
17688 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17689 
17690 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17691 				     struct net_device *netdev,
17692 				     struct cfg80211_chan_def *chandef,
17693 				     gfp_t gfp,
17694 				     enum nl80211_commands notif,
17695 				     u8 count, bool quiet)
17696 {
17697 	struct sk_buff *msg;
17698 	void *hdr;
17699 
17700 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17701 	if (!msg)
17702 		return;
17703 
17704 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17705 	if (!hdr) {
17706 		nlmsg_free(msg);
17707 		return;
17708 	}
17709 
17710 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17711 		goto nla_put_failure;
17712 
17713 	if (nl80211_send_chandef(msg, chandef))
17714 		goto nla_put_failure;
17715 
17716 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17717 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17718 			goto nla_put_failure;
17719 		if (quiet &&
17720 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17721 			goto nla_put_failure;
17722 	}
17723 
17724 	genlmsg_end(msg, hdr);
17725 
17726 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17727 				NL80211_MCGRP_MLME, gfp);
17728 	return;
17729 
17730  nla_put_failure:
17731 	nlmsg_free(msg);
17732 }
17733 
17734 void cfg80211_ch_switch_notify(struct net_device *dev,
17735 			       struct cfg80211_chan_def *chandef)
17736 {
17737 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17738 	struct wiphy *wiphy = wdev->wiphy;
17739 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17740 
17741 	ASSERT_WDEV_LOCK(wdev);
17742 
17743 	trace_cfg80211_ch_switch_notify(dev, chandef);
17744 
17745 	wdev->chandef = *chandef;
17746 	wdev->preset_chandef = *chandef;
17747 
17748 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
17749 	    !WARN_ON(!wdev->current_bss))
17750 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17751 
17752 	cfg80211_sched_dfs_chan_update(rdev);
17753 
17754 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17755 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17756 }
17757 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17758 
17759 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17760 				       struct cfg80211_chan_def *chandef,
17761 				       u8 count, bool quiet)
17762 {
17763 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17764 	struct wiphy *wiphy = wdev->wiphy;
17765 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17766 
17767 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17768 
17769 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17770 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17771 				 count, quiet);
17772 }
17773 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17774 
17775 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17776 			      enum nl80211_commands cmd, u8 count,
17777 			      u64 color_bitmap)
17778 {
17779 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17780 	struct wiphy *wiphy = wdev->wiphy;
17781 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17782 	struct sk_buff *msg;
17783 	void *hdr;
17784 
17785 	ASSERT_WDEV_LOCK(wdev);
17786 
17787 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17788 
17789 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17790 	if (!msg)
17791 		return -ENOMEM;
17792 
17793 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17794 	if (!hdr)
17795 		goto nla_put_failure;
17796 
17797 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17798 		goto nla_put_failure;
17799 
17800 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17801 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17802 		goto nla_put_failure;
17803 
17804 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17805 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17806 			      color_bitmap, NL80211_ATTR_PAD))
17807 		goto nla_put_failure;
17808 
17809 	genlmsg_end(msg, hdr);
17810 
17811 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17812 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17813 
17814 nla_put_failure:
17815 	nlmsg_free(msg);
17816 	return -EINVAL;
17817 }
17818 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17819 
17820 void
17821 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17822 		     const struct cfg80211_chan_def *chandef,
17823 		     enum nl80211_radar_event event,
17824 		     struct net_device *netdev, gfp_t gfp)
17825 {
17826 	struct sk_buff *msg;
17827 	void *hdr;
17828 
17829 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17830 	if (!msg)
17831 		return;
17832 
17833 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17834 	if (!hdr) {
17835 		nlmsg_free(msg);
17836 		return;
17837 	}
17838 
17839 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17840 		goto nla_put_failure;
17841 
17842 	/* NOP and radar events don't need a netdev parameter */
17843 	if (netdev) {
17844 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17845 
17846 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17847 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17848 				      NL80211_ATTR_PAD))
17849 			goto nla_put_failure;
17850 	}
17851 
17852 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17853 		goto nla_put_failure;
17854 
17855 	if (nl80211_send_chandef(msg, chandef))
17856 		goto nla_put_failure;
17857 
17858 	genlmsg_end(msg, hdr);
17859 
17860 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17861 				NL80211_MCGRP_MLME, gfp);
17862 	return;
17863 
17864  nla_put_failure:
17865 	nlmsg_free(msg);
17866 }
17867 
17868 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17869 				       struct sta_opmode_info *sta_opmode,
17870 				       gfp_t gfp)
17871 {
17872 	struct sk_buff *msg;
17873 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17874 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17875 	void *hdr;
17876 
17877 	if (WARN_ON(!mac))
17878 		return;
17879 
17880 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17881 	if (!msg)
17882 		return;
17883 
17884 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17885 	if (!hdr) {
17886 		nlmsg_free(msg);
17887 		return;
17888 	}
17889 
17890 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17891 		goto nla_put_failure;
17892 
17893 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17894 		goto nla_put_failure;
17895 
17896 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17897 		goto nla_put_failure;
17898 
17899 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17900 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17901 		goto nla_put_failure;
17902 
17903 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17904 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17905 		goto nla_put_failure;
17906 
17907 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17908 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17909 		goto nla_put_failure;
17910 
17911 	genlmsg_end(msg, hdr);
17912 
17913 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17914 				NL80211_MCGRP_MLME, gfp);
17915 
17916 	return;
17917 
17918 nla_put_failure:
17919 	nlmsg_free(msg);
17920 }
17921 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17922 
17923 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17924 			   u64 cookie, bool acked, s32 ack_signal,
17925 			   bool is_valid_ack_signal, gfp_t gfp)
17926 {
17927 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17928 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17929 	struct sk_buff *msg;
17930 	void *hdr;
17931 
17932 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17933 
17934 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17935 
17936 	if (!msg)
17937 		return;
17938 
17939 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17940 	if (!hdr) {
17941 		nlmsg_free(msg);
17942 		return;
17943 	}
17944 
17945 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17946 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17947 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17948 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17949 			      NL80211_ATTR_PAD) ||
17950 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17951 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17952 						ack_signal)))
17953 		goto nla_put_failure;
17954 
17955 	genlmsg_end(msg, hdr);
17956 
17957 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17958 				NL80211_MCGRP_MLME, gfp);
17959 	return;
17960 
17961  nla_put_failure:
17962 	nlmsg_free(msg);
17963 }
17964 EXPORT_SYMBOL(cfg80211_probe_status);
17965 
17966 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17967 				     size_t len, int freq, int sig_dbm)
17968 {
17969 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17970 	struct sk_buff *msg;
17971 	void *hdr;
17972 	struct cfg80211_beacon_registration *reg;
17973 
17974 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17975 
17976 	spin_lock_bh(&rdev->beacon_registrations_lock);
17977 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17978 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17979 		if (!msg) {
17980 			spin_unlock_bh(&rdev->beacon_registrations_lock);
17981 			return;
17982 		}
17983 
17984 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17985 		if (!hdr)
17986 			goto nla_put_failure;
17987 
17988 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17989 		    (freq &&
17990 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17991 				  KHZ_TO_MHZ(freq)) ||
17992 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17993 				  freq % 1000))) ||
17994 		    (sig_dbm &&
17995 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17996 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17997 			goto nla_put_failure;
17998 
17999 		genlmsg_end(msg, hdr);
18000 
18001 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18002 	}
18003 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18004 	return;
18005 
18006  nla_put_failure:
18007 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18008 	nlmsg_free(msg);
18009 }
18010 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18011 
18012 #ifdef CONFIG_PM
18013 static int cfg80211_net_detect_results(struct sk_buff *msg,
18014 				       struct cfg80211_wowlan_wakeup *wakeup)
18015 {
18016 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18017 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18018 	int i, j;
18019 
18020 	nl_results = nla_nest_start_noflag(msg,
18021 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18022 	if (!nl_results)
18023 		return -EMSGSIZE;
18024 
18025 	for (i = 0; i < nd->n_matches; i++) {
18026 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18027 
18028 		nl_match = nla_nest_start_noflag(msg, i);
18029 		if (!nl_match)
18030 			break;
18031 
18032 		/* The SSID attribute is optional in nl80211, but for
18033 		 * simplicity reasons it's always present in the
18034 		 * cfg80211 structure.  If a driver can't pass the
18035 		 * SSID, that needs to be changed.  A zero length SSID
18036 		 * is still a valid SSID (wildcard), so it cannot be
18037 		 * used for this purpose.
18038 		 */
18039 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18040 			    match->ssid.ssid)) {
18041 			nla_nest_cancel(msg, nl_match);
18042 			goto out;
18043 		}
18044 
18045 		if (match->n_channels) {
18046 			nl_freqs = nla_nest_start_noflag(msg,
18047 							 NL80211_ATTR_SCAN_FREQUENCIES);
18048 			if (!nl_freqs) {
18049 				nla_nest_cancel(msg, nl_match);
18050 				goto out;
18051 			}
18052 
18053 			for (j = 0; j < match->n_channels; j++) {
18054 				if (nla_put_u32(msg, j, match->channels[j])) {
18055 					nla_nest_cancel(msg, nl_freqs);
18056 					nla_nest_cancel(msg, nl_match);
18057 					goto out;
18058 				}
18059 			}
18060 
18061 			nla_nest_end(msg, nl_freqs);
18062 		}
18063 
18064 		nla_nest_end(msg, nl_match);
18065 	}
18066 
18067 out:
18068 	nla_nest_end(msg, nl_results);
18069 	return 0;
18070 }
18071 
18072 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18073 				   struct cfg80211_wowlan_wakeup *wakeup,
18074 				   gfp_t gfp)
18075 {
18076 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18077 	struct sk_buff *msg;
18078 	void *hdr;
18079 	int size = 200;
18080 
18081 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18082 
18083 	if (wakeup)
18084 		size += wakeup->packet_present_len;
18085 
18086 	msg = nlmsg_new(size, gfp);
18087 	if (!msg)
18088 		return;
18089 
18090 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18091 	if (!hdr)
18092 		goto free_msg;
18093 
18094 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18095 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18096 			      NL80211_ATTR_PAD))
18097 		goto free_msg;
18098 
18099 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18100 					wdev->netdev->ifindex))
18101 		goto free_msg;
18102 
18103 	if (wakeup) {
18104 		struct nlattr *reasons;
18105 
18106 		reasons = nla_nest_start_noflag(msg,
18107 						NL80211_ATTR_WOWLAN_TRIGGERS);
18108 		if (!reasons)
18109 			goto free_msg;
18110 
18111 		if (wakeup->disconnect &&
18112 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18113 			goto free_msg;
18114 		if (wakeup->magic_pkt &&
18115 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18116 			goto free_msg;
18117 		if (wakeup->gtk_rekey_failure &&
18118 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18119 			goto free_msg;
18120 		if (wakeup->eap_identity_req &&
18121 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18122 			goto free_msg;
18123 		if (wakeup->four_way_handshake &&
18124 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18125 			goto free_msg;
18126 		if (wakeup->rfkill_release &&
18127 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18128 			goto free_msg;
18129 
18130 		if (wakeup->pattern_idx >= 0 &&
18131 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18132 				wakeup->pattern_idx))
18133 			goto free_msg;
18134 
18135 		if (wakeup->tcp_match &&
18136 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18137 			goto free_msg;
18138 
18139 		if (wakeup->tcp_connlost &&
18140 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18141 			goto free_msg;
18142 
18143 		if (wakeup->tcp_nomoretokens &&
18144 		    nla_put_flag(msg,
18145 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18146 			goto free_msg;
18147 
18148 		if (wakeup->packet) {
18149 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18150 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18151 
18152 			if (!wakeup->packet_80211) {
18153 				pkt_attr =
18154 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18155 				len_attr =
18156 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18157 			}
18158 
18159 			if (wakeup->packet_len &&
18160 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18161 				goto free_msg;
18162 
18163 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18164 				    wakeup->packet))
18165 				goto free_msg;
18166 		}
18167 
18168 		if (wakeup->net_detect &&
18169 		    cfg80211_net_detect_results(msg, wakeup))
18170 				goto free_msg;
18171 
18172 		nla_nest_end(msg, reasons);
18173 	}
18174 
18175 	genlmsg_end(msg, hdr);
18176 
18177 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18178 				NL80211_MCGRP_MLME, gfp);
18179 	return;
18180 
18181  free_msg:
18182 	nlmsg_free(msg);
18183 }
18184 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18185 #endif
18186 
18187 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18188 				enum nl80211_tdls_operation oper,
18189 				u16 reason_code, gfp_t gfp)
18190 {
18191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18192 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18193 	struct sk_buff *msg;
18194 	void *hdr;
18195 
18196 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18197 					 reason_code);
18198 
18199 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18200 	if (!msg)
18201 		return;
18202 
18203 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18204 	if (!hdr) {
18205 		nlmsg_free(msg);
18206 		return;
18207 	}
18208 
18209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18210 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18211 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18212 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18213 	    (reason_code > 0 &&
18214 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18215 		goto nla_put_failure;
18216 
18217 	genlmsg_end(msg, hdr);
18218 
18219 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18220 				NL80211_MCGRP_MLME, gfp);
18221 	return;
18222 
18223  nla_put_failure:
18224 	nlmsg_free(msg);
18225 }
18226 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18227 
18228 static int nl80211_netlink_notify(struct notifier_block * nb,
18229 				  unsigned long state,
18230 				  void *_notify)
18231 {
18232 	struct netlink_notify *notify = _notify;
18233 	struct cfg80211_registered_device *rdev;
18234 	struct wireless_dev *wdev;
18235 	struct cfg80211_beacon_registration *reg, *tmp;
18236 
18237 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18238 		return NOTIFY_DONE;
18239 
18240 	rcu_read_lock();
18241 
18242 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18243 		struct cfg80211_sched_scan_request *sched_scan_req;
18244 
18245 		list_for_each_entry_rcu(sched_scan_req,
18246 					&rdev->sched_scan_req_list,
18247 					list) {
18248 			if (sched_scan_req->owner_nlportid == notify->portid) {
18249 				sched_scan_req->nl_owner_dead = true;
18250 				schedule_work(&rdev->sched_scan_stop_wk);
18251 			}
18252 		}
18253 
18254 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18255 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18256 
18257 			if (wdev->owner_nlportid == notify->portid) {
18258 				wdev->nl_owner_dead = true;
18259 				schedule_work(&rdev->destroy_work);
18260 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18261 				schedule_work(&wdev->disconnect_wk);
18262 			}
18263 
18264 			cfg80211_release_pmsr(wdev, notify->portid);
18265 		}
18266 
18267 		spin_lock_bh(&rdev->beacon_registrations_lock);
18268 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18269 					 list) {
18270 			if (reg->nlportid == notify->portid) {
18271 				list_del(&reg->list);
18272 				kfree(reg);
18273 				break;
18274 			}
18275 		}
18276 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18277 	}
18278 
18279 	rcu_read_unlock();
18280 
18281 	/*
18282 	 * It is possible that the user space process that is controlling the
18283 	 * indoor setting disappeared, so notify the regulatory core.
18284 	 */
18285 	regulatory_netlink_notify(notify->portid);
18286 	return NOTIFY_OK;
18287 }
18288 
18289 static struct notifier_block nl80211_netlink_notifier = {
18290 	.notifier_call = nl80211_netlink_notify,
18291 };
18292 
18293 void cfg80211_ft_event(struct net_device *netdev,
18294 		       struct cfg80211_ft_event_params *ft_event)
18295 {
18296 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18297 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18298 	struct sk_buff *msg;
18299 	void *hdr;
18300 
18301 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18302 
18303 	if (!ft_event->target_ap)
18304 		return;
18305 
18306 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18307 			GFP_KERNEL);
18308 	if (!msg)
18309 		return;
18310 
18311 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18312 	if (!hdr)
18313 		goto out;
18314 
18315 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18316 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18317 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18318 		goto out;
18319 
18320 	if (ft_event->ies &&
18321 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18322 		goto out;
18323 	if (ft_event->ric_ies &&
18324 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18325 		    ft_event->ric_ies))
18326 		goto out;
18327 
18328 	genlmsg_end(msg, hdr);
18329 
18330 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18331 				NL80211_MCGRP_MLME, GFP_KERNEL);
18332 	return;
18333  out:
18334 	nlmsg_free(msg);
18335 }
18336 EXPORT_SYMBOL(cfg80211_ft_event);
18337 
18338 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18339 {
18340 	struct cfg80211_registered_device *rdev;
18341 	struct sk_buff *msg;
18342 	void *hdr;
18343 	u32 nlportid;
18344 
18345 	rdev = wiphy_to_rdev(wdev->wiphy);
18346 	if (!rdev->crit_proto_nlportid)
18347 		return;
18348 
18349 	nlportid = rdev->crit_proto_nlportid;
18350 	rdev->crit_proto_nlportid = 0;
18351 
18352 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18353 	if (!msg)
18354 		return;
18355 
18356 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18357 	if (!hdr)
18358 		goto nla_put_failure;
18359 
18360 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18361 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18362 			      NL80211_ATTR_PAD))
18363 		goto nla_put_failure;
18364 
18365 	genlmsg_end(msg, hdr);
18366 
18367 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18368 	return;
18369 
18370  nla_put_failure:
18371 	nlmsg_free(msg);
18372 }
18373 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18374 
18375 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18376 {
18377 	struct wiphy *wiphy = wdev->wiphy;
18378 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18379 	struct sk_buff *msg;
18380 	void *hdr;
18381 
18382 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18383 	if (!msg)
18384 		return;
18385 
18386 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18387 	if (!hdr)
18388 		goto out;
18389 
18390 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18391 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18392 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18393 			      NL80211_ATTR_PAD))
18394 		goto out;
18395 
18396 	genlmsg_end(msg, hdr);
18397 
18398 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18399 				NL80211_MCGRP_MLME, GFP_KERNEL);
18400 	return;
18401  out:
18402 	nlmsg_free(msg);
18403 }
18404 
18405 int cfg80211_external_auth_request(struct net_device *dev,
18406 				   struct cfg80211_external_auth_params *params,
18407 				   gfp_t gfp)
18408 {
18409 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18410 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18411 	struct sk_buff *msg;
18412 	void *hdr;
18413 
18414 	if (!wdev->conn_owner_nlportid)
18415 		return -EINVAL;
18416 
18417 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18418 	if (!msg)
18419 		return -ENOMEM;
18420 
18421 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18422 	if (!hdr)
18423 		goto nla_put_failure;
18424 
18425 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18426 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18427 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18428 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18429 			params->action) ||
18430 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18431 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18432 		    params->ssid.ssid))
18433 		goto nla_put_failure;
18434 
18435 	genlmsg_end(msg, hdr);
18436 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18437 			wdev->conn_owner_nlportid);
18438 	return 0;
18439 
18440  nla_put_failure:
18441 	nlmsg_free(msg);
18442 	return -ENOBUFS;
18443 }
18444 EXPORT_SYMBOL(cfg80211_external_auth_request);
18445 
18446 void cfg80211_update_owe_info_event(struct net_device *netdev,
18447 				    struct cfg80211_update_owe_info *owe_info,
18448 				    gfp_t gfp)
18449 {
18450 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18451 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18452 	struct sk_buff *msg;
18453 	void *hdr;
18454 
18455 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18456 
18457 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18458 	if (!msg)
18459 		return;
18460 
18461 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18462 	if (!hdr)
18463 		goto nla_put_failure;
18464 
18465 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18466 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18467 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18468 		goto nla_put_failure;
18469 
18470 	if (!owe_info->ie_len ||
18471 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18472 		goto nla_put_failure;
18473 
18474 	genlmsg_end(msg, hdr);
18475 
18476 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18477 				NL80211_MCGRP_MLME, gfp);
18478 	return;
18479 
18480 nla_put_failure:
18481 	genlmsg_cancel(msg, hdr);
18482 	nlmsg_free(msg);
18483 }
18484 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18485 
18486 /* initialisation/exit functions */
18487 
18488 int __init nl80211_init(void)
18489 {
18490 	int err;
18491 
18492 	err = genl_register_family(&nl80211_fam);
18493 	if (err)
18494 		return err;
18495 
18496 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18497 	if (err)
18498 		goto err_out;
18499 
18500 	return 0;
18501  err_out:
18502 	genl_unregister_family(&nl80211_fam);
18503 	return err;
18504 }
18505 
18506 void nl80211_exit(void)
18507 {
18508 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18509 	genl_unregister_family(&nl80211_fam);
18510 }
18511